diff --git a/policy-20071130.patch b/policy-20071130.patch
index 1edc290..4e6fa77 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -106,12 +106,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsaf
+system_r:unconfined_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts serefpolicy-3.3.1/config/appconfig-mcs/guest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/config/appconfig-mcs/guest_u_default_contexts 2008-07-15 14:02:51.000000000 -0400
-@@ -0,0 +1,4 @@
++++ serefpolicy-3.3.1/config/appconfig-mcs/guest_u_default_contexts 2008-08-13 13:50:55.000000000 -0400
+@@ -0,0 +1,6 @@
+system_r:local_login_t:s0 guest_r:guest_t:s0
+system_r:remote_login_t:s0 guest_r:guest_t:s0
+system_r:sshd_t:s0 guest_r:guest_t:s0
+system_r:crond_t:s0 guest_r:guest_crond_t:s0
++system_r:initrc_su_t:s0 guest_r:guest_t:s0
++guest_r:guest_t:s0 guest_r:guest_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.3.1/config/appconfig-mcs/root_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/root_default_contexts 2008-06-12 23:38:01.000000000 -0400
+++ serefpolicy-3.3.1/config/appconfig-mcs/root_default_contexts 2008-07-15 14:02:51.000000000 -0400
@@ -128,10 +130,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_de
#
-#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.3.1/config/appconfig-mcs/staff_u_default_contexts
+--- nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts 2008-06-12 23:38:01.000000000 -0400
++++ serefpolicy-3.3.1/config/appconfig-mcs/staff_u_default_contexts 2008-08-13 13:50:13.000000000 -0400
+@@ -5,6 +5,8 @@
+ system_r:xdm_t:s0 staff_r:staff_t:s0
+ staff_r:staff_su_t:s0 staff_r:staff_t:s0
+ staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
++system_r:initrc_su_t:s0 staff_r:staff_t:s0
++staff_r:staff_t:s0 staff_r:staff_t:s0
+ sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
+ sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.3.1/config/appconfig-mcs/unconfined_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/config/appconfig-mcs/unconfined_u_default_contexts 2008-07-15 14:02:51.000000000 -0400
-@@ -0,0 +1,9 @@
++++ serefpolicy-3.3.1/config/appconfig-mcs/unconfined_u_default_contexts 2008-08-13 13:49:38.000000000 -0400
+@@ -0,0 +1,11 @@
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0
+system_r:initrc_t:s0 unconfined_r:unconfined_t:s0
+system_r:local_login_t:s0 unconfined_r:unconfined_t:s0
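Review bot: Uncommenting `system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0` in root_default_contexts makes root's ssh sessions default to the unconfined domain, because default_contexts takes the first listed context the user is permitted, and the only comment above the line is a bare `#`. A line such as `# root over sshd: prefer unconfined_r, then sysadm_r, staff_r, user_r` would record that this ordering is deliberate. What root ssh logins fell through to while the line was commented out is decided by entries outside this hunk.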
@@ -140,7 +154,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfi
+system_r:sshd_t:s0 unconfined_r:unconfined_t:s0
+system_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0
+system_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
++system_r:initrc_su_t:s0 unconfined_r:unconfined_t:s0
++unconfined_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
+system_r:xdm_t:s0 unconfined_r:unconfined_t:s0
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.3.1/config/appconfig-mcs/user_u_default_contexts
+--- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts 2008-06-12 23:38:01.000000000 -0400
++++ serefpolicy-3.3.1/config/appconfig-mcs/user_u_default_contexts 2008-08-13 13:52:58.000000000 -0400
+@@ -5,4 +5,5 @@
+ system_r:xdm_t:s0 user_r:user_t:s0
+ user_r:user_su_t:s0 user_r:user_t:s0
+ user_r:user_sudo_t:s0 user_r:user_t:s0
+-
++system_r:initrc_su_t:s0 user_r:user_t:s0
++user_r:user_t:s0 user_r:user_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.3.1/config/appconfig-mcs/userhelper_context
--- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2008-06-12 23:38:01.000000000 -0400
+++ serefpolicy-3.3.1/config/appconfig-mcs/userhelper_context 2008-07-15 14:02:51.000000000 -0400
@@ -341,13 +367,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/x_conte
+event * system_u:object_r:default_xevent_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.3.1/config/appconfig-mcs/xguest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/config/appconfig-mcs/xguest_u_default_contexts 2008-07-15 14:02:51.000000000 -0400
-@@ -0,0 +1,5 @@
++++ serefpolicy-3.3.1/config/appconfig-mcs/xguest_u_default_contexts 2008-08-13 13:50:37.000000000 -0400
+@@ -0,0 +1,7 @@
+system_r:local_login_t xguest_r:xguest_t:s0
+system_r:remote_login_t xguest_r:xguest_t:s0
+system_r:sshd_t xguest_r:xguest_t:s0
+system_r:crond_t xguest_r:xguest_crond_t:s0
+system_r:xdm_t xguest_r:xguest_t:s0
++system_r:initrc_su_t:s0 xguest_r:xguest_t:s0
++xguest_r:xguest_t:s0 xguest_r:xguest_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts serefpolicy-3.3.1/config/appconfig-mls/guest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.3.1/config/appconfig-mls/guest_u_default_contexts 2008-07-15 14:02:51.000000000 -0400
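Review bot: The two added xguest entries carry an explicit `:s0` level on the source context (`system_r:initrc_su_t:s0 xguest_r:xguest_t:s0`), while the five pre-existing entries in the same MCS file omit it (`system_r:local_login_t xguest_r:xguest_t:s0`); the guest, staff, unconfined and user variants touched by this patch use the `:s0` form throughout. Unless the level-less form is known to match under MCS, the older lines are worth normalizing in the same change so the file is consistent.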
@@ -1718,19 +1746,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstbo
') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.fc serefpolicy-3.3.1/policy/modules/admin/kismet.fc
--- nsaserefpolicy/policy/modules/admin/kismet.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/admin/kismet.fc 2008-07-15 14:02:51.000000000 -0400
-@@ -0,0 +1,5 @@
-+
-+/usr/bin/kismet -- gen_context(system_u:object_r:kismet_exec_t,s0)
-+/var/run/kismet_server.pid -- gen_context(system_u:object_r:kismet_var_run_t,s0)
++++ serefpolicy-3.3.1/policy/modules/admin/kismet.fc 2008-08-29 16:39:13.000000000 -0400
+@@ -0,0 +1,4 @@
++/usr/bin/kismet -- gen_context(system_u:object_r:kismet_exec_t,s0)
+/var/lib/kismet(/.*)? gen_context(system_u:object_r:kismet_var_lib_t,s0)
+/var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0)
++/var/run/kismet_server.pid -- gen_context(system_u:object_r:kismet_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.3.1/policy/modules/admin/kismet.if
--- nsaserefpolicy/policy/modules/admin/kismet.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/admin/kismet.if 2008-07-15 14:02:51.000000000 -0400
-@@ -0,0 +1,275 @@
-+
-+## policy for kismet
++++ serefpolicy-3.3.1/policy/modules/admin/kismet.if 2008-08-29 16:38:53.000000000 -0400
+@@ -0,0 +1,252 @@
++## Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system.
+
+########################################
+##
@@ -1744,13 +1770,42 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
+#
+interface(`kismet_domtrans',`
+ gen_require(`
-+ type kismet_t;
-+ type kismet_exec_t;
++ type kismet_t, kismet_exec_t;
+ ')
+
-+ domtrans_pattern($1,kismet_exec_t,kismet_t)
++ domtrans_pattern($1, kismet_exec_t, kismet_t)
+')
+
++########################################
++##
++## Execute kismet in the kismet domain, and
++## allow the specified role the kismet domain.
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The role to be allowed the kismet domain.
++##
++##
++##
++##
++## The type of the role's terminal.
++##
++##
++#
++interface(`kismet_run',`
++ gen_require(`
++ type kismet_t;
++ ')
++
++ kismet_domtrans($1)
++ role $2 types kismet_t;
++ allow kismet_t $3:chr_file rw_term_perms;
++')
+
+########################################
+##
@@ -1767,8 +1822,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
+ type kismet_var_run_t;
+ ')
+
-+ files_search_pids($1)
+ allow $1 kismet_var_run_t:file read_file_perms;
++ files_search_pids($1)
+')
+
+########################################
@@ -1781,17 +1836,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
+##
+##
+#
-+interface(`kismet_manage_var_run',`
++interface(`kismet_manage_pid_files',`
+ gen_require(`
+ type kismet_var_run_t;
+ ')
+
-+ manage_dirs_pattern($1,kismet_var_run_t,kismet_var_run_t)
-+ manage_files_pattern($1,kismet_var_run_t,kismet_var_run_t)
-+ manage_lnk_files_pattern($1,kismet_var_run_t,kismet_var_run_t)
++ allow $1 kismet_var_run_t:file manage_file_perms;
++ files_search_pids($1)
+')
+
-+
+########################################
+##
+## Search kismet lib directories.
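Review bot: `kismet_manage_pid_files` grants only `kismet_var_run_t:file manage_file_perms`, but the kismet.te hunk at L339–L371 creates directories of that type as well (`files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir })`), so a domain using this interface cannot remove or relabel those directories. Adding `manage_dirs_pattern($1, kismet_var_run_t, kismet_var_run_t)` beside the file rule, mirroring `kismet_manage_lib` later in the file, would close that gap.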
@@ -1847,8 +1900,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
+ type kismet_var_lib_t;
+ ')
+
-+ allow $1 kismet_var_lib_t:file manage_file_perms;
-+ allow $1 kismet_var_lib_t:dir rw_dir_perms;
++ manage_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t)
+ files_search_var_lib($1)
+')
+
@@ -1862,17 +1914,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
+##
+##
+#
-+interface(`kismet_manage_var_lib',`
++interface(`kismet_manage_lib',`
+ gen_require(`
+ type kismet_var_lib_t;
+ ')
+
-+ manage_dirs_pattern($1,kismet_var_lib_t,kismet_var_lib_t)
-+ manage_files_pattern($1,kismet_var_lib_t,kismet_var_lib_t)
-+ manage_lnk_files_pattern($1,kismet_var_lib_t,kismet_var_lib_t)
++ manage_dirs_pattern($1, kismet_var_lib_t, kismet_var_lib_t)
++ manage_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t)
++ manage_lnk_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t)
+')
+
-+
+########################################
+##
+## Allow the specified domain to read kismet's log files.
@@ -1899,14 +1950,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
+## kismet log files.
+##
+##
-+##
++##
+## Domain allowed to transition.
-+##
++##
+##
+#
+interface(`kismet_append_log',`
+ gen_require(`
-+ type var_log_t, kismet_log_t;
++ type kismet_log_t;
+ ')
+
+ logging_search_logs($1)
@@ -1928,64 +1979,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
+ type kismet_log_t;
+ ')
+
-+ logging_search_logs($1)
-+ manage_dirs_pattern($1,kismet_log_t,kismet_log_t)
-+ manage_files_pattern($1,kismet_log_t,kismet_log_t)
-+ manage_lnk_files_pattern($1,kismet_log_t,kismet_log_t)
-+')
-+
-+########################################
-+##
-+## Execute kismet in the kismet domain, and
-+## allow the specified role the kismet domain.
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+##
-+##
-+## The role to be allowed the kismet domain.
-+##
-+##
-+##
-+##
-+## The type of the role's terminal.
-+##
-+##
-+#
-+interface(`kismet_run',`
-+ gen_require(`
-+ type kismet_t;
-+ ')
-+
-+ kismet_domtrans($1)
-+ role $2 types kismet_t;
-+ allow kismet_t $3:chr_file rw_term_perms;
++ manage_dirs_pattern($1, kismet_log_t, kismet_log_t)
++ manage_files_pattern($1, kismet_log_t, kismet_log_t)
++ manage_lnk_files_pattern($1, kismet_log_t, kismet_log_t)
++ logging_search_logs($1)
+')
+
-+
+########################################
+##
+## All of the rules required to administrate an kismet environment
+##
-+##
-+##
-+## Prefix of the domain. Example, user would be
-+## the prefix for the uder_t domain.
-+##
-+##
+##
+##
+## Domain allowed access.
+##
+##
-+##
-+##
-+## The role to be allowed to manage the kismet domain.
-+##
-+##
+##
+#
+interface(`kismet_admin',`
@@ -1993,23 +2001,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
+ type kismet_t;
+ ')
+
-+ allow $1 kismet_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, kismet_t, kismet_t)
-+
-+
-+ kismet_manage_var_run($1)
-+
-+ kismet_manage_var_lib($1)
++ ps_process_pattern($1, kismet_t)
++ allow $1 kismet_t:process { ptrace signal_perms };
+
++ kismet_manage_pid_files($1)
++ kismet_manage_lib($1)
+ kismet_manage_log($1)
-+
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.3.1/policy/modules/admin/kismet.te
--- nsaserefpolicy/policy/modules/admin/kismet.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/admin/kismet.te 2008-07-24 13:59:46.000000000 -0400
-@@ -0,0 +1,56 @@
++++ serefpolicy-3.3.1/policy/modules/admin/kismet.te 2008-08-29 16:38:30.000000000 -0400
+@@ -0,0 +1,57 @@
+
-+policy_module(kismet,1.0.0)
++policy_module(kismet, 1.0.2)
+
+########################################
+#
@@ -2036,14 +2040,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
+#
+
+allow kismet_t self:capability { net_admin net_raw setuid setgid };
++allow kismet_t self:fifo_file rw_file_perms;
++allow kismet_t self:packet_socket create_socket_perms;
++allow kismet_t self:unix_dgram_socket create_socket_perms;
++allow kismet_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
++allow kismet_t kismet_log_t:dir setattr;
++logging_log_filetrans(kismet_t, kismet_log_t, { file dir })
++
++allow kismet_t kismet_var_lib_t:file manage_file_perms;
++allow kismet_t kismet_var_lib_t:dir manage_dir_perms;
++files_var_lib_filetrans(kismet_t, kismet_var_lib_t, { file dir })
++
++allow kismet_t kismet_var_run_t:file manage_file_perms;
++allow kismet_t kismet_var_run_t:dir manage_dir_perms;
++files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir })
+
+corecmd_exec_bin(kismet_t)
+
-+auth_use_nsswitch(kismet_t)
++kernel_search_debugfs(kismet_t)
+
-+allow kismet_t self:fifo_file rw_file_perms;
-+allow kismet_t self:unix_stream_socket create_stream_socket_perms;
-+allow kismet_t self:packet_socket create_socket_perms;
++auth_use_nsswitch(kismet_t)
+
+files_read_etc_files(kismet_t)
+
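Review bot: `logging_log_filetrans(kismet_t, kismet_log_t, { file dir })` names `dir` as a transition class, yet the two lines above it give kismet_t only `rw_dir_perms` (through `manage_files_pattern`) plus `setattr` on `kismet_log_t:dir`, which as far as I can see does not include `create`, so creating a log directory would be denied; the var_lib and var_run blocks in the same hunk grant `manage_dir_perms` for exactly this case. Either drop `dir` from the filetrans or replace `allow kismet_t kismet_log_t:dir setattr;` with `manage_dirs_pattern(kismet_t, kismet_log_t, kismet_log_t)`, whose `manage_dir_perms` already covers setattr.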
@@ -2051,19 +2069,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
+libs_use_shared_libs(kismet_t)
+
+miscfiles_read_localization(kismet_t)
-+
-+allow kismet_t kismet_var_run_t:file manage_file_perms;
-+allow kismet_t kismet_var_run_t:dir manage_dir_perms;
-+files_pid_filetrans(kismet_t,kismet_var_run_t, { file dir })
-+
-+allow kismet_t kismet_var_lib_t:file manage_file_perms;
-+allow kismet_t kismet_var_lib_t:dir manage_dir_perms;
-+files_var_lib_filetrans(kismet_t,kismet_var_lib_t, { file dir })
-+
-+allow kismet_t kismet_log_t:file manage_file_perms;
-+allow kismet_t kismet_log_t:dir { rw_dir_perms setattr };
-+logging_log_filetrans(kismet_t,kismet_log_t,{ file dir })
-+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.3.1/policy/modules/admin/kudzu.te
--- nsaserefpolicy/policy/modules/admin/kudzu.te 2008-06-12 23:38:01.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/admin/kudzu.te 2008-07-15 14:02:51.000000000 -0400
@@ -2862,7 +2867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.3.1/policy/modules/admin/su.if
--- nsaserefpolicy/policy/modules/admin/su.if 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/admin/su.if 2008-08-12 12:08:28.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/admin/su.if 2008-08-12 17:05:02.000000000 -0400
@@ -41,15 +41,13 @@
allow $2 $1_su_t:process signal;
@@ -2881,7 +2886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
domtrans_pattern($2, su_exec_t, $1_su_t)
# By default, revert to the calling domain when a shell is executed.
-@@ -89,28 +87,16 @@
+@@ -89,28 +87,24 @@
libs_use_ld_so($1_su_t)
libs_use_shared_libs($1_su_t)
@@ -2894,17 +2899,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
- domain_role_change_exemption($1_su_t)
- domain_subj_id_change_exemption($1_su_t)
- domain_obj_id_change_exemption($1_su_t)
--
++ auth_login_pgm_domain($1_su_t)
+
- selinux_get_fs_mount($1_su_t)
- selinux_validate_context($1_su_t)
- selinux_compute_access_vector($1_su_t)
- selinux_compute_create_context($1_su_t)
- selinux_compute_relabel_context($1_su_t)
- selinux_compute_user_contexts($1_su_t)
--
++ seutil_read_config($1_su_t)
++ seutil_read_default_contexts($1_su_t)
+
- seutil_read_config($1_su_t)
- seutil_read_default_contexts($1_su_t)
-+ auth_login_pgm_domain($1_su_t)
++ # Only allow transitions to unprivileged user domains.
++ userdom_spec_domtrans_unpriv_users($1_su_t)
- # Only allow transitions to unprivileged user domains.
- userdom_spec_domtrans_unpriv_users($1_su_t)
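Review bot: Replacing the explicit `domain_*_exemption` and `selinux_compute_*` lines with `auth_login_pgm_domain($1_su_t)` is a widening rather than a tidy-up: that interface, defined in authlogin.if outside this patch, bundles those exemptions with further login-program access that the removed lines never granted, and every `$1_su_t` domain now receives all of it. A comment naming what su actually needs from it, e.g. `# PAM login-program access for su: context computation and id/role change exemptions`, would document the intent and make the extra grants reviewable. The template body starts and ends outside this hunk.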
@@ -2912,22 +2921,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
+ # Deal with unconfined_terminals.
+ term_use_all_user_ttys($1_su_t)
+ term_use_all_user_ptys($1_su_t)
++ term_relabel_all_user_ttys($1_su_t)
++ term_relabel_all_user_ptys($1_su_t)
optional_policy(`
cron_read_pipes($1_su_t)
-@@ -119,11 +105,6 @@
- optional_policy(`
+@@ -120,10 +114,17 @@
kerberos_use($1_su_t)
')
--
+
- ifdef(`TODO',`
- # Caused by su - init scripts
- dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
- ') dnl end TODO
++ optional_policy(`
++ xserver_domtrans_user_xauth($1, $1_su_t)
++ ')
++
++ tunable_policy(`use_nfs_home_dirs',`
++ fs_search_nfs($1_su_t)
++ ')
++
++ tunable_policy(`use_samba_home_dirs',`
++ fs_search_cifs($1_su_t)
++ ')
')
#######################################
-@@ -172,14 +153,14 @@
+@@ -172,14 +173,14 @@
domain_interactive_fd($1_su_t)
role $3 types $1_su_t;
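Review bot: The new `term_relabel_all_user_ttys($1_su_t)` and `term_relabel_all_user_ptys($1_su_t)` lines let every su domain relabel any user terminal but carry no why-comment, while the adjacent `term_use_*` pair has one (`# Deal with unconfined_terminals.`). Presumably this serves the tty relabel that pam_selinux performs during su; a line such as `# pam_selinux relabels the tty to the new user context` (confirm) would record that. The enclosing template body starts and ends outside this hunk.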
@@ -2946,7 +2967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
# Transition from the user domain to this domain.
domtrans_pattern($2, su_exec_t, $1_su_t)
-@@ -188,7 +169,7 @@
+@@ -188,7 +189,7 @@
corecmd_shell_domtrans($1_su_t,$2)
allow $2 $1_su_t:fd use;
allow $2 $1_su_t:fifo_file rw_file_perms;
@@ -2955,7 +2976,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
kernel_read_system_state($1_su_t)
kernel_read_kernel_sysctls($1_su_t)
-@@ -203,15 +184,15 @@
+@@ -203,15 +204,15 @@
# needed for pam_rootok
selinux_compute_access_vector($1_su_t)
@@ -2974,7 +2995,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
files_read_etc_files($1_su_t)
files_read_etc_runtime_files($1_su_t)
files_search_var_lib($1_su_t)
-@@ -226,12 +207,14 @@
+@@ -226,12 +227,14 @@
libs_use_ld_so($1_su_t)
libs_use_shared_libs($1_su_t)
@@ -2990,7 +3011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
ifdef(`distro_rhel4',`
domain_role_change_exemption($1_su_t)
-@@ -295,13 +278,7 @@
+@@ -295,13 +298,7 @@
xserver_domtrans_user_xauth($1, $1_su_t)
')
@@ -4559,7 +4580,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc
+/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.3.1/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/apps/java.if 2008-07-15 14:02:51.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/apps/java.if 2008-08-15 14:47:26.000000000 -0400
@@ -32,7 +32,7 @@
##
##
@@ -4740,7 +4761,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if
')
########################################
-@@ -219,3 +269,67 @@
+@@ -219,3 +269,84 @@
corecmd_search_bin($1)
domtrans_pattern($1, java_exec_t, java_t)
')
@@ -4808,6 +4829,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if
+ allow java_t $3:chr_file rw_term_perms;
+')
+
++########################################
++##
++## Execute the java program in the java domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`java_exec',`
++ gen_require(`
++ type java_exec_t;
++ ')
++
++ ca_exec($1, java_exec_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.3.1/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te 2008-06-12 23:38:02.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/apps/java.te 2008-07-15 14:02:51.000000000 -0400
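Review bot: `ca_exec($1, java_exec_t)` in the new `java_exec` interface does not match any refpolicy support macro I know of; the pattern that grants execution without a domain transition is `can_exec($1, java_exec_t)`, and an unknown m4 name would be emitted literally into the policy and fail the build. The header comment `## Execute the java program in the java domain.` is also wrong for this interface, since no transition occurs — `## Execute the java program in the caller domain.` describes the rule, and `java_domtrans` above remains the interface that enters java_t.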
@@ -6212,8 +6250,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-07-29 13:22:00.000000000 -0400
-@@ -0,0 +1,227 @@
++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-08-13 13:26:58.000000000 -0400
+@@ -0,0 +1,228 @@
+
+policy_module(nsplugin,1.0.0)
+
@@ -6291,6 +6329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+dev_write_sound(nsplugin_t)
+dev_read_video_dev(nsplugin_t)
+dev_write_video_dev(nsplugin_t)
++dev_getattr_dri_dev(nsplugin_t)
+
+kernel_read_kernel_sysctls(nsplugin_t)
+kernel_read_system_state(nsplugin_t)
@@ -7357,7 +7396,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in 2008-08-01 11:18:03.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in 2008-08-15 15:31:02.000000000 -0400
@@ -1,5 +1,5 @@
-policy_module(corenetwork,1.2.15)
@@ -7381,15 +7420,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(dcc, udp,6276,s0, udp,6277,s0)
network_port(dbskkd, tcp,1178,s0)
-@@ -91,6 +93,7 @@
+@@ -90,7 +92,9 @@
+ network_port(dict, tcp,2628,s0)
network_port(distccd, tcp,3632,s0)
network_port(dns, udp,53,s0, tcp,53,s0)
++network_port(dogtag, tcp,9080,s0, tcp,9443,s0)
network_port(fingerd, tcp,79,s0)
+network_port(flash, tcp,1935,s0, udp,1935,s0)
network_port(ftp_data, tcp,20,s0)
network_port(ftp, tcp,21,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-@@ -109,11 +112,13 @@
+@@ -109,11 +113,13 @@
network_port(ircd, tcp,6667,s0)
network_port(isakmp, udp,500,s0)
network_port(iscsi, tcp,3260,s0)
@@ -7403,7 +7444,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(ktalkd, udp,517,s0, udp,518,s0)
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
-@@ -122,6 +127,8 @@
+@@ -122,6 +128,8 @@
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
network_port(monopd, tcp,1234,s0)
network_port(msnp, tcp,1863,s0, udp,1863,s0)
@@ -7412,7 +7453,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
network_port(nessus, tcp,1241,s0)
-@@ -133,10 +140,13 @@
+@@ -133,10 +141,13 @@
network_port(pegasus_http, tcp,5988,s0)
network_port(pegasus_https, tcp,5989,s0)
network_port(postfix_policyd, tcp,10031,s0)
@@ -7426,7 +7467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pxe, udp,4011,s0)
-@@ -148,11 +158,11 @@
+@@ -148,11 +159,11 @@
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0)
@@ -7440,11 +7481,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
network_port(spamd, tcp,783,s0)
-@@ -165,12 +175,17 @@
+@@ -165,12 +176,18 @@
network_port(syslogd, udp,514,s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
-network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0)
++network_port(tomcat, tcp,1701,s0)
+network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
network_port(traceroute, udp,64000,s0, udp,64001,s0, udp,64002,s0, udp,64003,s0, udp,64004,s0, udp,64005,s0, udp,64006,s0, udp,64007,s0, udp,64008,s0, udp,64009,s0, udp,64010,s0)
network_port(transproxy, tcp,8081,s0)
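Review bot: `network_port(tomcat, tcp,1701,s0)` labels 1701/tcp, which is the IANA-registered L2TP port rather than a Tomcat listener (Tomcat conventionally uses 8080/8443 plus the 8005 shutdown and 8009 AJP ports); please confirm the number against the package that motivated the entry. If any other `network_port` in this file already claims 1701, the duplicate portcon will also fail the policy build.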
@@ -9621,7 +9663,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.3.1/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/apache.if 2008-08-11 15:42:35.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/apache.if 2008-08-29 14:16:36.000000000 -0400
@@ -13,21 +13,16 @@
#
template(`apache_content_template',`
@@ -10059,7 +10101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -1088,3 +1029,169 @@
+@@ -1088,3 +1029,202 @@
allow httpd_t $1:process signal;
')
@@ -10229,9 +10271,42 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+ delete_sock_files_pattern($1,httpd_sys_content_rw_t,httpd_sys_content_rw_t)
+')
+
++########################################
++##
++## Mark content as being readable by standard apache processes
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++template(`apache_ro_content',`
++ gen_require(`
++ attribute httpd_ro_content;
++ ')
++ typeattribute $1 httpd_ro_content;
++')
++
++########################################
++##
++## Mark content as being read/write by standard apache processes
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++template(`apache_rw_content',`
++ gen_require(`
++ attribute httpd_rw_content;
++ ')
++ typeattribute $1 httpd_rw_content;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-07-29 13:26:28.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-08-29 14:24:41.000000000 -0400
@@ -20,6 +20,8 @@
# Declarations
#
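Review bot: `apache_ro_content` and `apache_rw_content` are declared with `template(` although they declare no prefixed types and only add a typeattribute, which is what `interface(` is for in refpolicy; their parameter is documented as `## Domain allowed access.` but it is a file type, not a domain. Suggest `## Type to be marked as read-only apache content.` and `## Type to be marked as read/write apache content.` respectively, plus a blank line between `')` and `typeattribute` to match the other interfaces in the file. Since apache.te (L748–L750) now grants httpd_t read access to everything carrying `httpd_ro_content`, the doc should also state that calling the interface makes the type readable by httpd_t.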
@@ -10288,7 +10363,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
## the terminal.
##
##
-@@ -109,14 +125,33 @@
+@@ -109,14 +125,35 @@
##
gen_tunable(httpd_unified,false)
@@ -10313,6 +10388,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+##
+gen_tunable(allow_httpd_sys_script_anon_write,false)
+
++attribute httpd_ro_content;
++attribute httpd_rw_content;
attribute httpdcontent;
-attribute httpd_user_content_type;
@@ -10324,7 +10401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
# user script domains
attribute httpd_script_domains;
-@@ -147,6 +182,9 @@
+@@ -147,6 +184,9 @@
type httpd_log_t;
logging_log_file(httpd_log_t)
@@ -10334,17 +10411,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
# httpd_modules_t is the type given to module files (libraries)
# that come with Apache /etc/httpd/modules and /usr/lib/apache
type httpd_modules_t;
-@@ -180,6 +218,9 @@
+@@ -180,6 +220,9 @@
# setup the system domain for system CGI scripts
apache_content_template(sys)
-+typeattribute httpd_sys_content_t httpdcontent; # customizable
-+typeattribute httpd_sys_content_rw_t httpdcontent; # customizable
++typeattribute httpd_sys_content_t httpdcontent, httpd_ro_content; # customizable
++typeattribute httpd_sys_content_rw_t httpdcontent, httpd_rw_content; # customizable
+typeattribute httpd_sys_content_ra_t httpdcontent; # customizable
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
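Review bot: `httpd_sys_content_ra_t` is left out of both new attributes while `httpd_sys_content_t` joins `httpd_ro_content` and `httpd_sys_content_rw_t` joins `httpd_rw_content`; the later hunk at L737–L757 then rewrites httpd_t's read rules from `httpd_sys_content_t` to `httpd_ro_content`, so httpd_t's read access to the `_ra_t` and `_rw_t` types now depends entirely on rules outside this patch. If those types are meant to stay readable by httpd_t, `typeattribute httpd_sys_content_ra_t httpdcontent, httpd_ro_content;` (and adding `httpd_ro_content` to the `_rw_t` line as well) would make that explicit rather than implicit.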
-@@ -202,12 +243,16 @@
+@@ -202,12 +245,16 @@
prelink_object_file(httpd_modules_t)
')
@@ -10362,7 +10439,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
dontaudit httpd_t self:capability { net_admin sys_tty_config };
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
-@@ -249,6 +294,7 @@
+@@ -249,6 +296,7 @@
allow httpd_t httpd_modules_t:dir list_dir_perms;
mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
@@ -10370,7 +10447,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
apache_domtrans_rotatelogs(httpd_t)
# Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -289,6 +335,7 @@
+@@ -260,9 +308,9 @@
+
+ allow httpd_t httpd_suexec_exec_t:file { getattr read };
+
+-allow httpd_t httpd_sys_content_t:dir list_dir_perms;
+-read_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
+-read_lnk_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
++allow httpd_t httpd_ro_content:dir list_dir_perms;
++read_files_pattern(httpd_t,httpd_ro_content,httpd_ro_content)
++read_lnk_files_pattern(httpd_t,httpd_ro_content,httpd_ro_content)
+
+ manage_dirs_pattern(httpd_t,httpd_tmp_t,httpd_tmp_t)
+ manage_files_pattern(httpd_t,httpd_tmp_t,httpd_tmp_t)
+@@ -289,6 +337,7 @@
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -10378,7 +10468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
-@@ -315,9 +362,7 @@
+@@ -315,9 +364,7 @@
auth_use_nsswitch(httpd_t)
@@ -10389,7 +10479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
domain_use_interactive_fds(httpd_t)
-@@ -335,6 +380,10 @@
+@@ -335,6 +382,10 @@
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -10400,7 +10490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
libs_use_ld_so(httpd_t)
libs_use_shared_libs(httpd_t)
-@@ -351,25 +400,50 @@
+@@ -351,25 +402,50 @@
userdom_use_unpriv_users_fds(httpd_t)
@@ -10455,7 +10545,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_can_network_relay',`
# allow httpd to work as a relay
corenet_tcp_connect_gopher_port(httpd_t)
-@@ -382,12 +456,22 @@
+@@ -382,12 +458,22 @@
corenet_sendrecv_http_cache_client_packets(httpd_t)
')
@@ -10483,7 +10573,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_ftp_server',`
-@@ -399,11 +483,21 @@
+@@ -399,11 +485,21 @@
fs_read_nfs_symlinks(httpd_t)
')
@@ -10505,7 +10595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
-@@ -437,8 +531,13 @@
+@@ -437,8 +533,13 @@
')
optional_policy(`
@@ -10521,7 +10611,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -450,19 +549,13 @@
+@@ -450,19 +551,13 @@
')
optional_policy(`
@@ -10542,7 +10632,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -472,13 +565,22 @@
+@@ -472,13 +567,22 @@
openca_kill(httpd_t)
')
@@ -10569,7 +10659,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -486,6 +588,7 @@
+@@ -486,6 +590,7 @@
')
optional_policy(`
@@ -10577,7 +10667,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -521,6 +624,22 @@
+@@ -521,6 +626,22 @@
userdom_use_sysadm_terms(httpd_helper_t)
')
@@ -10600,7 +10690,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache PHP script local policy
-@@ -550,18 +669,26 @@
+@@ -550,18 +671,26 @@
fs_search_auto_mountpoints(httpd_php_t)
@@ -10630,7 +10720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -585,6 +712,8 @@
+@@ -585,6 +714,8 @@
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -10639,7 +10729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -593,9 +722,7 @@
+@@ -593,9 +724,7 @@
fs_search_auto_mountpoints(httpd_suexec_t)
@@ -10650,7 +10740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -628,6 +755,7 @@
+@@ -628,6 +757,7 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -10658,7 +10748,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_cgi && httpd_unified',`
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
')
-@@ -638,6 +766,12 @@
+@@ -638,6 +768,12 @@
fs_exec_nfs_files(httpd_suexec_t)
')
@@ -10671,7 +10761,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -655,10 +789,6 @@
+@@ -655,10 +791,6 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -10682,7 +10772,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache system script local policy
-@@ -668,7 +798,8 @@
+@@ -668,7 +800,8 @@
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -10692,7 +10782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -682,15 +813,44 @@
+@@ -682,15 +815,44 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@@ -10704,15 +10794,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+tunable_policy(`httpd_use_nfs', `
-+ fs_read_nfs_files(httpd_sys_script_t)
-+ fs_read_nfs_symlinks(httpd_sys_script_t)
-+')
-+
-+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
fs_read_nfs_files(httpd_sys_script_t)
fs_read_nfs_symlinks(httpd_sys_script_t)
')
++tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
++ fs_read_nfs_files(httpd_sys_script_t)
++ fs_read_nfs_symlinks(httpd_sys_script_t)
++')
++
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
@@ -10738,7 +10828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -703,6 +863,10 @@
+@@ -703,6 +865,10 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -10749,7 +10839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -724,3 +888,60 @@
+@@ -724,3 +890,68 @@
logging_search_logs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t)
@@ -10810,6 +10900,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+ userdom_search_user_home_dirs(user,httpd_user_script_t)
+ userdom_search_user_home_dirs(user,httpd_sys_script_t)
+')
++
++manage_dirs_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content)
++manage_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content)
++manage_lnk_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content)
++
++manage_dirs_pattern(httpd_t,httpdcontent,httpd_rw_content)
++manage_files_pattern(httpd_t,httpdcontent,httpd_rw_content)
++manage_lnk_files_pattern(httpd_t,httpdcontent,httpd_rw_content)
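Review bot: The six manage_*_pattern rules added at the end of this hunk give httpd_t and httpd_sys_script_t create/write/delete access to httpd_rw_content directories, files and symlinks unconditionally, outside any tunable_policy block, whereas the other write paths visible in this file are gated by booleans such as `httpd_enable_cgi && httpd_unified`. If that is intended because content labeled httpd_rw_content is by definition writable by the server, a comment above the block saying so would help the next reader, e.g. `# httpd_rw_content: content the server itself may modify; deliberately not gated by a boolean`. The manage_lnk_files_pattern rules also let both domains create symlinks inside those directories, a wider grant than the read_lnk_files_pattern used for httpd_ro_content earlier in the patch, so it is worth confirming symlink creation is actually required.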
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-3.3.1/policy/modules/services/apcupsd.fc
--- nsaserefpolicy/policy/modules/services/apcupsd.fc 2008-06-12 23:38:01.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/apcupsd.fc 2008-07-15 14:02:51.000000000 -0400
@@ -12500,7 +12598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.fc serefpolicy-3.3.1/policy/modules/services/courier.fc
--- nsaserefpolicy/policy/modules/services/courier.fc 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/courier.fc 2008-07-15 14:02:52.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/courier.fc 2008-08-26 20:27:44.000000000 -0400
@@ -1,4 +1,5 @@
/etc/courier(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
+/etc/authlib(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
@@ -12527,15 +12625,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cour
/usr/lib(64)?/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
/usr/lib(64)?/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
/usr/lib(64)?/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
-@@ -19,3 +28,5 @@
+@@ -19,3 +28,6 @@
/var/lib/courier(/.*)? -- gen_context(system_u:object_r:courier_var_lib_t,s0)
/var/run/courier(/.*)? -- gen_context(system_u:object_r:courier_var_run_t,s0)
+
+/var/spool/courier(/.*)? gen_context(system_u:object_r:courier_spool_t,s0)
++/var/spool/authdaemon(/.*)? gen_context(system_u:object_r:courier_spool_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.3.1/policy/modules/services/courier.if
--- nsaserefpolicy/policy/modules/services/courier.if 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/courier.if 2008-07-15 14:02:52.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/courier.if 2008-08-18 06:32:58.000000000 -0400
@@ -123,3 +123,77 @@
domtrans_pattern($1, courier_pop_exec_t, courier_pop_t)
@@ -12616,7 +12715,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cour
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.3.1/policy/modules/services/courier.te
--- nsaserefpolicy/policy/modules/services/courier.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/courier.te 2008-07-15 14:02:52.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/courier.te 2008-08-26 20:28:45.000000000 -0400
@@ -9,7 +9,10 @@
courier_domain_template(authdaemon)
@@ -12637,6 +12736,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cour
courier_domain_template(sqwebmail)
typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t;
+@@ -69,6 +73,9 @@
+
+ courier_domtrans_pop(courier_authdaemon_t)
+
++files_search_spool(courier_authdaemon_t, courier_spool_t, courier_spool_t)
++manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
++
+ ########################################
+ #
+ # Calendar (PCP) local policy
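Review bot: `files_search_spool(courier_authdaemon_t, courier_spool_t, courier_spool_t)` passes three arguments to an interface that, as used elsewhere in this patch (`files_search_spool($1)` in the exim.if hunk), takes a single domain argument; m4 silently discards the extra arguments, so this builds but is misleading. Change it to `files_search_spool(courier_authdaemon_t)`. The manage_sock_files_pattern rule on the following line is the one that legitimately needs the dir and file types, and it looks correct as written.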
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.3.1/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2008-06-12 23:38:02.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/cron.fc 2008-07-15 14:02:52.000000000 -0400
@@ -12656,7 +12765,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
+/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.3.1/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/cron.if 2008-07-28 08:35:13.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/cron.if 2008-08-26 20:19:09.000000000 -0400
@@ -35,38 +35,23 @@
#
template(`cron_per_role_template',`
@@ -12834,7 +12943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
domtrans_pattern($2, crontab_exec_t, $1_crontab_t)
+ allow $2 $1_crontab_t:fd use;
+
-+ auth_domtrans_chk_passwd($1_crontab_t)
++ auth_run_chk_passwd($1_crontab_t, $3, { $1_devpts_t $1_tty_device_t })
# crontab shows up in user ps
ps_process_pattern($2,$1_crontab_t)
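Review bot: Replacing auth_domtrans_chk_passwd with `auth_run_chk_passwd($1_crontab_t, $3, { $1_devpts_t $1_tty_device_t })` additionally associates the role passed as $3 with the chkpwd domain and presumably grants that domain the listed terminal types; the enclosing cron_per_role_template begins outside the hunk, so I cannot confirm from here that $3 is the role parameter in this version of the template. A wrong positional argument here would either fail at policy build or quietly authorize the wrong role, so it is worth a quick check against the template signature.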
@@ -13500,7 +13609,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.3.1/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/cups.te 2008-07-15 14:02:52.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/cups.te 2008-08-29 15:20:30.000000000 -0400
@@ -43,14 +43,13 @@
type cupsd_var_run_t;
@@ -13724,6 +13833,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
# cups execs smbtool which reads samba_etc_t files
samba_read_config(cupsd_t)
samba_rw_var_files(cupsd_t)
+@@ -281,7 +324,7 @@
+ # Cups configuration daemon local policy
+ #
+
+-allow cupsd_config_t self:capability { chown sys_tty_config };
++allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
+ dontaudit cupsd_config_t self:capability sys_tty_config;
+ allow cupsd_config_t self:process signal_perms;
+ allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
@@ -326,6 +369,7 @@
dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
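Review bot: Adding `dac_override` to cupsd_config_t in the changed allow line lets the configuration daemon bypass discretionary permission checks on every object it is otherwise SELinux-allowed to reach, which is a much broader grant than the chown and sys_tty_config it sits beside. If it was added to clear a specific denial, a comment naming the file or directory that needed it (e.g. `# dac_override: needed for <path — TODO fill in>`) would let a later reviewer judge whether fixing ownership or relabeling would remove the need. The dontaudit for sys_tty_config on the following line shows this module already distinguishes needed capabilities from noisy ones, so the same care is warranted here.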
@@ -15730,7 +15848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.3.1/policy/modules/services/exim.if
--- nsaserefpolicy/policy/modules/services/exim.if 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/exim.if 2008-07-15 14:02:52.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/exim.if 2008-08-14 12:48:28.000000000 -0400
@@ -97,6 +97,26 @@
########################################
@@ -15758,9 +15876,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
## Allow the specified domain to append
## exim log files.
##
+@@ -154,3 +174,23 @@
+ manage_files_pattern($1, exim_spool_t, exim_spool_t)
+ files_search_spool($1)
+ ')
++
++########################################
++##
++## Create, read, write, and delete
++## exim spool dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`exim_manage_spool_dirs',`
++ gen_require(`
++ type exim_spool_t;
++ ')
++
++ manage_dirs_pattern($1, exim_spool_t, exim_spool_t)
++ files_search_spool($1)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.3.1/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/exim.te 2008-08-08 10:12:38.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/exim.te 2008-08-13 13:26:38.000000000 -0400
@@ -21,9 +21,20 @@
##
gen_tunable(exim_manage_user_files,false)
@@ -15845,7 +15987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
files_read_etc_files(exim_t)
auth_use_nsswitch(exim_t)
-@@ -92,14 +125,14 @@
+@@ -92,14 +125,15 @@
logging_send_syslog_msg(exim_t)
miscfiles_read_localization(exim_t)
@@ -15856,6 +15998,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
-userdom_dontaudit_search_sysadm_home_dirs(exim_t)
-userdom_dontaudit_search_generic_user_home_dirs(exim_t)
+fs_getattr_xattr_fs(exim_t)
++fs_list_inotifyfs(exim_t)
mta_read_aliases(exim_t)
-mta_rw_spool(exim_t)
@@ -15865,7 +16008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
tunable_policy(`exim_read_user_files',`
userdom_read_unpriv_users_home_content_files(exim_t)
-@@ -111,3 +144,80 @@
+@@ -111,3 +145,80 @@
userdom_read_unpriv_users_tmp_files(exim_t)
userdom_write_unpriv_users_tmp_files(exim_t)
')
@@ -18064,7 +18207,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.3.1/policy/modules/services/mailman.te
--- nsaserefpolicy/policy/modules/services/mailman.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/mailman.te 2008-08-11 10:57:59.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/mailman.te 2008-08-28 09:25:02.000000000 -0400
@@ -53,10 +53,9 @@
apache_use_fds(mailman_cgi_t)
apache_dontaudit_append_log(mailman_cgi_t)
@@ -18082,7 +18225,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
#
allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
-+allow mailman_mail_t initrc_t:process signal;
++allow mailman_mail_t self:process { signal signull };
+allow mailman_mail_t self:process signal;
+allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };
+
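Review bot: The replaced line `allow mailman_mail_t self:process { signal signull };` is immediately followed by the pre-existing `allow mailman_mail_t self:process signal;`, so signal is now granted twice on self:process; drop the second line or fold signull into it. Removing the initrc_t:process signal rule looks like a deliberate tightening, and a short note on why it was no longer needed would help since the capability line below still grants kill. The surrounding block starts outside the hunk.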
@@ -21068,7 +21211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.3.1/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/postfix.te 2008-07-15 14:02:52.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/postfix.te 2008-08-29 15:46:12.000000000 -0400
@@ -6,6 +6,14 @@
# Declarations
#
@@ -21141,7 +21284,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
# allow access to deferred queue and allow removing bogus incoming entries
manage_dirs_pattern(postfix_master_t,postfix_spool_t,postfix_spool_t)
manage_files_pattern(postfix_master_t,postfix_spool_t,postfix_spool_t)
-@@ -174,6 +195,7 @@
+@@ -135,6 +156,7 @@
+
+ delete_files_pattern(postfix_master_t,postfix_spool_maildrop_t,postfix_spool_maildrop_t)
+ rename_files_pattern(postfix_master_t,postfix_spool_maildrop_t,postfix_spool_maildrop_t)
++setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+
+ kernel_read_all_sysctls(postfix_master_t)
+
+@@ -174,6 +196,7 @@
mta_rw_aliases(postfix_master_t)
mta_read_sendmail_bin(postfix_master_t)
@@ -21149,7 +21300,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
optional_policy(`
cyrus_stream_connect(postfix_master_t)
-@@ -248,6 +270,10 @@
+@@ -248,6 +271,10 @@
corecmd_exec_bin(postfix_cleanup_t)
@@ -21160,7 +21311,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
#
# Postfix local local policy
-@@ -273,18 +299,25 @@
+@@ -273,18 +300,25 @@
files_read_etc_files(postfix_local_t)
@@ -21186,7 +21337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
')
optional_policy(`
-@@ -295,8 +328,7 @@
+@@ -295,8 +329,7 @@
#
# Postfix map local policy
#
@@ -21196,7 +21347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
allow postfix_map_t self:unix_dgram_socket create_socket_perms;
allow postfix_map_t self:tcp_socket create_stream_socket_perms;
-@@ -346,8 +378,6 @@
+@@ -346,8 +379,6 @@
miscfiles_read_localization(postfix_map_t)
@@ -21205,7 +21356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
tunable_policy(`read_default_t',`
files_list_default(postfix_map_t)
files_read_default_files(postfix_map_t)
-@@ -360,6 +390,11 @@
+@@ -360,6 +391,11 @@
locallogin_dontaudit_use_fds(postfix_map_t)
')
@@ -21217,7 +21368,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
#
# Postfix pickup local policy
-@@ -384,6 +419,7 @@
+@@ -384,6 +420,7 @@
#
allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
@@ -21225,7 +21376,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t)
-@@ -391,6 +427,12 @@
+@@ -391,6 +428,12 @@
rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)
@@ -21238,7 +21389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
optional_policy(`
procmail_domtrans(postfix_pipe_t)
')
-@@ -400,6 +442,10 @@
+@@ -400,6 +443,10 @@
')
optional_policy(`
@@ -21249,7 +21400,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
uucp_domtrans_uux(postfix_pipe_t)
')
-@@ -436,8 +482,7 @@
+@@ -436,8 +483,7 @@
')
optional_policy(`
@@ -21259,7 +21410,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
')
#######################################
-@@ -463,6 +508,15 @@
+@@ -463,6 +509,15 @@
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
@@ -21275,7 +21426,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
#
# Postfix qmgr local policy
-@@ -532,9 +586,6 @@
+@@ -532,9 +587,6 @@
# connect to master process
stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
@@ -21285,7 +21436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
# for prng_exch
allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
-@@ -557,6 +608,10 @@
+@@ -557,6 +609,10 @@
sasl_connect(postfix_smtpd_t)
')
@@ -21296,7 +21447,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
#
# Postfix virtual local policy
-@@ -572,7 +627,7 @@
+@@ -572,7 +628,7 @@
files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir })
# connect to master process
@@ -21401,16 +21552,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
# Local Policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.3.1/policy/modules/services/postgresql.fc
--- nsaserefpolicy/policy/modules/services/postgresql.fc 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/postgresql.fc 2008-07-15 14:02:52.000000000 -0400
-@@ -31,6 +31,7 @@
++++ serefpolicy-3.3.1/policy/modules/services/postgresql.fc 2008-08-13 13:44:31.000000000 -0400
+@@ -6,8 +6,8 @@
+ #
+ # /usr
+ #
+-/usr/bin/initdb -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+-/usr/bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/bin/initdb(\.sepgsql)? -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+
+ /usr/lib/pgsql/test/regres(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
+ /usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+@@ -30,11 +30,18 @@
+ /var/lib/pgsql/data(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
/var/lib/pgsql/pgstartup\.log gen_context(system_u:object_r:postgresql_log_t,s0)
++/var/lib/sepgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
++/var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0)
++
/var/log/postgres\.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0)
+/var/lib/pgsql/logfile(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
/var/log/postgresql(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
++/var/log/sepostgresql\.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0)
ifdef(`distro_redhat', `
-@@ -38,3 +39,5 @@
+ /var/log/rhdb/rhdb(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
')
/var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
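Review bot: The new `/var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0)` carries the `--` regular-file qualifier while the existing `/var/lib/pgsql/pgstartup\.log` line it mirrors does not; either form is valid, but matching the existing entry (or adding `--` to both) keeps the two installations labeled identically. The pairing of `/var/lib/sepgsql(/.*)?` with the more specific log entry relies on the more specific pattern winning, as the existing pgsql pair already does, so the behavior should be consistent if the qualifiers agree.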
@@ -21418,14 +21585,290 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+/etc/rc\.d/init\.d/postgresql -- gen_context(system_u:object_r:postgresql_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.3.1/policy/modules/services/postgresql.if
--- nsaserefpolicy/policy/modules/services/postgresql.if 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/postgresql.if 2008-07-15 14:02:52.000000000 -0400
-@@ -120,3 +120,72 @@
++++ serefpolicy-3.3.1/policy/modules/services/postgresql.if 2008-08-13 13:44:36.000000000 -0400
+@@ -1,5 +1,205 @@
+ ## PostgreSQL relational database
+
++#######################################
++##
++## The userdomain template for the SE-PostgreSQL.
++##
++##
++## This template creates a delivered types which are used
++## for given userdomains.
++##
++##
++##
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++##
++##
++##
++##
++## The type of the user domain.
++##
++##
++##
++##
++## The role associated with the user domain.
++##
++##
++#
++template(`postgresql_userdom_template',`
++ gen_require(`
++ class db_database all_db_database_perms;
++ class db_table all_db_table_perms;
++ class db_procedure all_db_procedure_perms;
++ class db_column all_db_column_perms;
++ class db_tuple all_db_tuple_perms;
++ class db_blob all_db_blob_perms;
++
++ attribute sepgsql_client_type, sepgsql_database_type;
++ attribute sepgsql_sysobj_table_type;
++
++ type sepgsql_trusted_proc_exec_t, sepgsql_trusted_proc_t;
++ ')
++
++ ########################################
++ #
++ # Declarations
++ #
++
++ typeattribute $2 sepgsql_client_type;
++
++ type $1_sepgsql_blob_t;
++ postgresql_blob_object($1_sepgsql_blob_t)
++
++ type $1_sepgsql_proc_exec_t;
++ postgresql_procedure_object($1_sepgsql_proc_exec_t)
++
++ type $1_sepgsql_sysobj_t;
++ postgresql_system_table_object($1_sepgsql_sysobj_t)
++
++ type $1_sepgsql_table_t;
++ postgresql_table_object($1_sepgsql_table_t)
++
++ role $3 types sepgsql_trusted_proc_t;
++
++ ##############################
++ #
++ # Client local policy
++ #
++
++ tunable_policy(`sepgsql_enable_users_ddl',`
++ allow $2 $1_sepgsql_table_t:db_table { create drop };
++ type_transition $2 sepgsql_database_type:db_table $1_sepgsql_table_t;
++
++ allow $2 $1_sepgsql_table_t:db_column { create drop };
++
++ allow $2 $1_sepgsql_sysobj_t:db_tuple { update insert delete };
++ type_transition $2 sepgsql_sysobj_table_type:db_tuple $1_sepgsql_sysobj_t;
++ ')
++
++ allow $2 $1_sepgsql_table_t:db_table { getattr setattr use select update insert delete };
++ allow $2 $1_sepgsql_table_t:db_column { getattr setattr use select update insert };
++ allow $2 $1_sepgsql_table_t:db_tuple { use select update insert delete };
++ allow $2 $1_sepgsql_sysobj_t:db_tuple { use select };
++
++ allow $2 $1_sepgsql_proc_exec_t:db_procedure { create drop getattr setattr execute };
++ type_transition $2 sepgsql_database_type:db_procedure $1_sepgsql_proc_exec_t;
++
++ allow $2 $1_sepgsql_blob_t:db_blob { create drop getattr setattr read write };
++ type_transition $2 sepgsql_database_type:db_blob $1_sepgsql_blob_t;
++
++ allow $2 sepgsql_trusted_proc_t:process transition;
++ type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
++')
++
++########################################
++##
++## Marks as a SE-PostgreSQL loadable shared library module
++##
++##
++##
++## Type marked as a database object type.
++##
++##
++#
++interface(`postgresql_loadable_module',`
++ gen_require(`
++ attribute sepgsql_module_type;
++ ')
++
++ typeattribute $1 sepgsql_module_type;
++')
++
++########################################
++##
++## Marks as a SE-PostgreSQL database object type
++##
++##
++##
++## Type marked as a database object type.
++##
++##
++#
++interface(`postgresql_database_object',`
++ gen_require(`
++ attribute sepgsql_database_type;
++ ')
++
++ typeattribute $1 sepgsql_database_type;
++')
++
++########################################
++##
++## Marks as a SE-PostgreSQL table/column/tuple object type
++##
++##
++##
++## Type marked as a table/column/tuple object type.
++##
++##
++#
++interface(`postgresql_table_object',`
++ gen_require(`
++ attribute sepgsql_table_type;
++ ')
++
++ typeattribute $1 sepgsql_table_type;
++')
++
++########################################
++##
++## Marks as a SE-PostgreSQL system table/column/tuple object type
++##
++##
++##
++## Type marked as a table/column/tuple object type.
++##
++##
++#
++interface(`postgresql_system_table_object',`
++ gen_require(`
++ attribute sepgsql_table_type, sepgsql_sysobj_table_type;
++ ')
++
++ typeattribute $1 sepgsql_table_type;
++ typeattribute $1 sepgsql_sysobj_table_type;
++')
++
++########################################
++##
++## Marks as a SE-PostgreSQL procedure object type
++##
++##
++##
++## Type marked as a database object type.
++##
++##
++#
++interface(`postgresql_procedure_object',`
++ gen_require(`
++ attribute sepgsql_procedure_type;
++ ')
++
++ typeattribute $1 sepgsql_procedure_type;
++')
++
++########################################
++##
++## Marks as a SE-PostgreSQL binary large object type
++##
++##
++##
++## Type marked as a database binary large object type.
++##
++##
++#
++interface(`postgresql_blob_object',`
++ gen_require(`
++ attribute sepgsql_blob_type;
++ ')
++
++ typeattribute $1 sepgsql_blob_type;
++')
++
+ ########################################
+ ##
+ ## Allow the specified domain to search postgresql's database directory.
+@@ -52,7 +252,7 @@
+ type postgresql_t, postgresql_exec_t;
+ ')
+
+- domtrans_pattern($1,postgresql_exec_t,postgresql_t)
++ domtrans_pattern($1, postgresql_exec_t, postgresql_t)
+ ')
+
+ ########################################
+@@ -92,7 +292,7 @@
+ type postgresql_t;
+ ')
+
+- corenet_tcp_recvfrom_labeled($1,postgresql_t)
++ corenet_tcp_recvfrom_labeled($1, postgresql_t)
+ corenet_tcp_sendrecv_postgresql_port($1)
+ corenet_tcp_connect_postgresql_port($1)
+ corenet_sendrecv_postgresql_client_packets($1)
+@@ -120,3 +320,122 @@
# Some versions of postgresql put the sock file in /tmp
allow $1 postgresql_tmp_t:sock_file write;
')
+
+########################################
+##
++## Allow the specified domain unprivileged accesses to unifined database objects
++## managed by SE-PostgreSQL,
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`postgresql_unpriv_client',`
++ gen_require(`
++ class db_table all_db_table_perms;
++ class db_procedure all_db_procedure_perms;
++ class db_blob all_db_blob_perms;
++
++ attribute sepgsql_client_type;
++
++ type sepgsql_db_t, sepgsql_table_t, sepgsql_proc_t, sepgsql_blob_t;
++ type sepgsql_trusted_proc_t, sepgsql_trusted_proc_exec_t;
++ ')
++
++ typeattribute $1 sepgsql_client_type;
++
++ type_transition $1 sepgsql_db_t:db_table sepgsql_table_t;
++ type_transition $1 sepgsql_db_t:db_procedure sepgsql_proc_t;
++ type_transition $1 sepgsql_db_t:db_blob sepgsql_blob_t;
++
++ type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
++ allow $1 sepgsql_trusted_proc_t:process transition;
++')
++
++########################################
++##
++## Allow the specified domain unconfined accesses to any database objects
++## managed by SE-PostgreSQL,
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`postgresql_unconfined',`
++ gen_require(`
++ attribute sepgsql_unconfined_type;
++ ')
++
++ typeattribute $1 sepgsql_unconfined_type;
++')
++
++########################################
++##
+## Execute postgresql server in the posgresql domain.
+##
+##
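Review bot: Two documentation typos in the new interfaces: `## This template creates a delivered types which are used` should read `## This template creates the derived types used`, and `## Allow the specified domain unprivileged accesses to unifined database objects` presumably means `unconfined` (or `unlabeled`), so please confirm the intended word since it documents what postgresql_unpriv_client grants. In postgresql_userdom_template the gen_require lists `class db_database all_db_database_perms;` but no rule in the template body references db_database, so that line can be dropped. The template also transitions $2 into sepgsql_trusted_proc_t, which postgresql.te later marks with postgresql_unconfined, so trusted procedures presumably run without the per-user table and column restrictions the template otherwise sets up; a one-line comment above that transition stating it is the intended trusted-procedure path would make the design visible to readers of the template.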
@@ -21439,7 +21882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+ type postgresql_script_exec_t;
+ ')
+
-+ init_script_domtrans_spec($1,postgresql_script_exec_t)
++ init_script_domtrans_spec($1, postgresql_script_exec_t)
+')
+
+########################################
@@ -21465,16 +21908,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+#
+interface(`postgresql_admin',`
+ gen_require(`
-+ type postgresql_t;
-+ type postgresql_var_run_t;
-+ type postgresql_tmp_t;
-+ type postgresql_db_t;
-+ type postgresql_etc_t;
-+ type postgresql_log_t;
++ type postgresql_t, postgresql_var_run_t;
++ type postgresql_tmp_t, postgresql_db_t;
++ type postgresql_etc_t, postgresql_log_t;
++ type postgresql_script_exec_t;
+ ')
+
-+ allow $1 postgresql_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, postgresql_t, postgresql_t)
++ allow $1 postgresql_t:process { ptrace signal_perms };
++ ps_process_pattern($1, postgresql_t)
+
+ # Allow $1 to restart the apache service
+ postgresql_script_domtrans($1)
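Review bot: The comment `# Allow $1 to restart the apache service` above postgresql_script_domtrans($1) is a copy-paste leftover and should read `# Allow $1 to restart the postgresql service`. The consolidation of the gen_require block and the switch to ps_process_pattern read fine; getattr is dropped from the explicit process allow, presumably because ps_process_pattern now covers it. The interface body continues into the next hunk.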
@@ -21482,37 +21923,301 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+ role_transition $2 postgresql_script_exec_t system_r;
+ allow $2 system_r;
+
-+ manage_all_pattern($1,postgresql_var_run_t)
++ admin_pattern($1, postgresql_var_run_t)
+
-+ manage_all_pattern($1,postgresql_db_t)
++ admin_pattern($1, postgresql_db_t)
+
-+ manage_all_pattern($1,postgresql_etc_t)
++ admin_pattern($1, postgresql_etc_t)
+
-+ manage_all_pattern($1,postgresql_log_t)
++ admin_pattern($1, postgresql_log_t)
+
-+ manage_all_pattern($1,postgresql_tmp_t)
++ admin_pattern($1, postgresql_tmp_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.3.1/policy/modules/services/postgresql.te
--- nsaserefpolicy/policy/modules/services/postgresql.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/postgresql.te 2008-07-15 14:02:52.000000000 -0400
-@@ -27,6 +27,9 @@
++++ serefpolicy-3.3.1/policy/modules/services/postgresql.te 2008-08-18 08:48:30.000000000 -0400
+@@ -1,13 +1,30 @@
+
+-policy_module(postgresql,1.5.0)
++policy_module(postgresql, 1.6.0)
++
++gen_require(`
++ class db_database all_db_database_perms;
++ class db_table all_db_table_perms;
++ class db_procedure all_db_procedure_perms;
++ class db_column all_db_column_perms;
++ class db_tuple all_db_tuple_perms;
++ class db_blob all_db_blob_perms;
++')
+
+ #################################
+ #
+ # Declarations
+ #
++
++##
++##
++## Allow unprived users to execute DDL statement
++##
++##
++gen_tunable(sepgsql_enable_users_ddl, true)
++
+ type postgresql_t;
+ type postgresql_exec_t;
+-init_daemon_domain(postgresql_t,postgresql_exec_t)
++init_daemon_domain(postgresql_t, postgresql_exec_t)
+
+ type postgresql_db_t;
+ files_type(postgresql_db_t)
+@@ -27,6 +44,61 @@
type postgresql_var_run_t;
files_pid_file(postgresql_var_run_t)
+type postgresql_script_exec_t;
+init_script_type(postgresql_script_exec_t)
+
++# database clients attribute
++attribute sepgsql_client_type;
++attribute sepgsql_unconfined_type;
++
++# database objects attribute
++attribute sepgsql_database_type;
++attribute sepgsql_table_type;
++attribute sepgsql_sysobj_table_type;
++attribute sepgsql_procedure_type;
++attribute sepgsql_blob_type;
++attribute sepgsql_module_type;
++
++# database object types
++type sepgsql_blob_t;
++postgresql_blob_object(sepgsql_blob_t)
++
++type sepgsql_db_t;
++postgresql_database_object(sepgsql_db_t)
++
++type sepgsql_fixed_table_t;
++postgresql_table_object(sepgsql_fixed_table_t)
++
++type sepgsql_proc_t;
++postgresql_procedure_object(sepgsql_proc_t)
++
++type sepgsql_ro_blob_t;
++postgresql_blob_object(sepgsql_ro_blob_t)
++
++type sepgsql_ro_table_t;
++postgresql_table_object(sepgsql_ro_table_t)
++
++type sepgsql_secret_blob_t;
++postgresql_blob_object(sepgsql_secret_blob_t)
++
++type sepgsql_secret_table_t;
++postgresql_table_object(sepgsql_secret_table_t)
++
++type sepgsql_sysobj_t;
++postgresql_system_table_object(sepgsql_sysobj_t)
++
++type sepgsql_table_t;
++postgresql_table_object(sepgsql_table_t)
++
++type sepgsql_trusted_proc_exec_t;
++postgresql_procedure_object(sepgsql_trusted_proc_exec_t)
++
++# Trusted Procedure Domain
++type sepgsql_trusted_proc_t;
++domain_type(sepgsql_trusted_proc_t)
++postgresql_unconfined(sepgsql_trusted_proc_t)
++role system_r types sepgsql_trusted_proc_t;
++
########################################
#
# postgresql Local policy
-@@ -100,6 +103,7 @@
+@@ -42,17 +114,34 @@
+ allow postgresql_t self:udp_socket create_stream_socket_perms;
+ allow postgresql_t self:unix_dgram_socket create_socket_perms;
+ allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
++allow postgresql_t self:netlink_selinux_socket create_socket_perms;
++
++allow postgresql_t sepgsql_database_type:db_database *;
++type_transition postgresql_t postgresql_t:db_database sepgsql_db_t;
++
++allow postgresql_t sepgsql_module_type:db_database install_module;
++# Database/Loadable module
++allow sepgsql_database_type sepgsql_module_type:db_database load_module;
++
++allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *;
++type_transition postgresql_t sepgsql_database_type:db_table sepgsql_sysobj_t;
++
++allow postgresql_t sepgsql_procedure_type:db_procedure *;
++type_transition postgresql_t sepgsql_database_type:db_procedure sepgsql_proc_t;
++
++allow postgresql_t sepgsql_blob_type:db_blob *;
++type_transition postgresql_t sepgsql_database_type:db_blob sepgsql_blob_t;
+
+-manage_dirs_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
+-manage_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
+-manage_lnk_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
+-manage_fifo_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
+-manage_sock_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
++manage_dirs_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
++manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
++manage_lnk_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
++manage_fifo_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
++manage_sock_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
+ files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })
+
+ allow postgresql_t postgresql_etc_t:dir list_dir_perms;
+-read_files_pattern(postgresql_t,postgresql_etc_t,postgresql_etc_t)
+-read_lnk_files_pattern(postgresql_t,postgresql_etc_t,postgresql_etc_t)
++read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
++read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
+
+ allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
+ can_exec(postgresql_t, postgresql_exec_t )
+@@ -60,20 +149,20 @@
+ allow postgresql_t postgresql_lock_t:file manage_file_perms;
+ files_lock_filetrans(postgresql_t,postgresql_lock_t,file)
+
+-manage_files_pattern(postgresql_t,postgresql_log_t,postgresql_log_t)
+-logging_log_filetrans(postgresql_t,postgresql_log_t,{ file dir })
++manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t)
++logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir })
+
+-manage_dirs_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t)
+-manage_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t)
+-manage_lnk_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t)
+-manage_fifo_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t)
+-manage_sock_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t)
++manage_dirs_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
++manage_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
++manage_lnk_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
++manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
++manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
+ files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
+ fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
+
+-manage_files_pattern(postgresql_t,postgresql_var_run_t,postgresql_var_run_t)
+-manage_sock_files_pattern(postgresql_t,postgresql_var_run_t,postgresql_var_run_t)
+-files_pid_filetrans(postgresql_t,postgresql_var_run_t,file)
++manage_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
++manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
++files_pid_filetrans(postgresql_t, postgresql_var_run_t, file)
+
+ kernel_read_kernel_sysctls(postgresql_t)
+ kernel_read_system_state(postgresql_t)
+@@ -100,6 +189,13 @@
fs_getattr_all_fs(postgresql_t)
fs_search_auto_mountpoints(postgresql_t)
+fs_rw_hugetlbfs_files(postgresql_t)
++
++selinux_get_enforce_mode(postgresql_t)
++selinux_validate_context(postgresql_t)
++selinux_compute_access_vector(postgresql_t)
++selinux_compute_create_context(postgresql_t)
++selinux_compute_relabel_context(postgresql_t)
term_use_controlling_term(postgresql_t)
+@@ -126,14 +222,14 @@
+
+ miscfiles_read_localization(postgresql_t)
+
+-seutil_dontaudit_search_config(postgresql_t)
++seutil_libselinux_linked(postgresql_t)
+
+-userdom_dontaudit_search_sysadm_home_dirs(postgresql_t)
+-userdom_dontaudit_use_sysadm_ttys(postgresql_t)
+ userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
+
+ mta_getattr_spool(postgresql_t)
+
++userdom_dontaudit_use_sysadm_terms(postgresql_t)
++
+ tunable_policy(`allow_execmem',`
+ allow postgresql_t self:process execmem;
+ ')
+@@ -166,3 +262,81 @@
+ optional_policy(`
+ udev_read_db(postgresql_t)
+ ')
++
++########################################
++#
++# Rules common to all clients
++#
++
++allow sepgsql_client_type sepgsql_db_t:db_database { getattr access get_param set_param };
++type_transition sepgsql_client_type sepgsql_client_type:db_database sepgsql_db_t;
++
++allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr use select insert };
++allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr use select insert };
++allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert };
++
++allow sepgsql_client_type sepgsql_table_t:db_table { getattr use select update insert delete };
++allow sepgsql_client_type sepgsql_table_t:db_column { getattr use select update insert };
++allow sepgsql_client_type sepgsql_table_t:db_tuple { use select update insert delete };
++
++allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr use select };
++allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr use select };
++allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { use select };
++
++allow sepgsql_client_type sepgsql_secret_table_t:db_table getattr;
++allow sepgsql_client_type sepgsql_secret_table_t:db_column getattr;
++
++allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr use select };
++allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select };
++allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };
++
++allow sepgsql_client_type sepgsql_proc_t:db_procedure { getattr execute };
++allow sepgsql_client_type sepgsql_trusted_proc_exec_t:db_procedure { getattr execute entrypoint };
++
++allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write };
++allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read };
++allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr;
++
++# The purpose of the dontaudit rule in row-level access control is to prevent a flood of logs.
++# If a client tries to SELECT a table including violated tuples, these are filtered from
++# the result set as if not exist, but its access denied longs can be recorded within log files.
++# In generally, the number of tuples are much larger than the number of columns, tables and so on.
++# So, it makes a flood of logs when many tuples are violated.
++#
++# The default policy does not prevent anything for sepgsql_client_type sepgsql_unconfined_type,
++# so we don't need "dontaudit" rules in Type-Enforcement. However, MLS/MCS can prevent them
++# to access classified tuples and can make a audit record.
++#
++# Therefore, the following rule is applied for any domains which can connect SE-PostgreSQL.
++dontaudit { postgresql_t sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete };
++
++tunable_policy(`sepgsql_enable_users_ddl',`
++ allow sepgsql_client_type sepgsql_table_t:db_table { create drop setattr };
++ allow sepgsql_client_type sepgsql_table_t:db_column { create drop setattr };
++ allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { update insert delete };
++')
++
++########################################
++#
++# Unconfined access to this module
++#
++
++allow sepgsql_unconfined_type sepgsql_database_type:db_database *;
++type_transition sepgsql_unconfined_type sepgsql_unconfined_type:db_database sepgsql_db_t;
++
++type_transition sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t;
++type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_t;
++type_transition sepgsql_unconfined_type sepgsql_database_type:db_blob sepgsql_blob_t;
++
++allow sepgsql_unconfined_type sepgsql_table_type:{ db_table db_column db_tuple } *;
++
++# unconfined domain is not allowed to invoke user defined procedure directly.
++# They have to confirm and relabel it at first.
++allow sepgsql_unconfined_type { sepgsql_proc_t sepgsql_trusted_proc_exec_t }:db_procedure *;
++allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto };
++
++allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
++
++allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
++
++kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.fc serefpolicy-3.3.1/policy/modules/services/postgrey.fc
--- nsaserefpolicy/policy/modules/services/postgrey.fc 2008-06-12 23:38:01.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/postgrey.fc 2008-07-15 14:02:52.000000000 -0400
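Review bot: The new boolean `gen_tunable(sepgsql_enable_users_ddl, true)` ships enabled, and the rules it guards give every `sepgsql_client_type` domain not only `create drop setattr` on `sepgsql_table_t` tables and columns but also `update insert delete` on tuples of `sepgsql_sysobj_t`, the system-table object type that server-created tables default to; a confined client should have to opt in to that, not opt out. I would default it to `false` and describe what it really grants: `## Allow unprivileged database clients to run DDL (create/drop/alter tables and columns); this also grants write access to system table tuples`. Separately, the `dontaudit` at the end of the client section covers `update insert delete` as well as `use select` for all three subject sets, while the justification in the comment above it is about row filtering on SELECT; narrowing it to `{ use select }` would keep an audit trail of denied write attempts under MLS/MCS. The `postgresql_t` local-policy section begins before this hunk.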
@@ -21762,7 +22467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.3.1/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/ppp.te 2008-08-11 16:48:05.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/ppp.te 2008-08-14 16:08:24.000000000 -0400
@@ -71,7 +71,7 @@
# PPPD Local policy
#
@@ -21772,7 +22477,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
dontaudit pppd_t self:capability sys_tty_config;
allow pppd_t self:process signal;
allow pppd_t self:fifo_file rw_fifo_file_perms;
-@@ -196,6 +196,12 @@
+@@ -116,7 +116,7 @@
+
+ kernel_read_kernel_sysctls(pppd_t)
+ kernel_read_system_state(pppd_t)
+-kernel_read_net_sysctls(pppd_t)
++kernel_rw_net_sysctls(pppd_t)
+ kernel_read_network_state(pppd_t)
+ kernel_load_module(pppd_t)
+
+@@ -176,10 +176,9 @@
+ sysnet_etc_filetrans_config(pppd_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(pppd_t)
+-userdom_dontaudit_search_sysadm_home_dirs(pppd_t)
+ # for ~/.ppprc - if it actually exists then you need some policy to read it
+ #allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
+-userdom_search_sysadm_home_dirs(pppd_t)
++userdom_dontaudit_search_sysadm_home_dirs(pppd_t)
+ userdom_search_unpriv_users_home_dirs(pppd_t)
+
+ ppp_exec(pppd_t)
+@@ -196,6 +195,12 @@
optional_policy(`
mta_send_mail(pppd_t)
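Review bot: `kernel_rw_net_sysctls(pppd_t)` replaces read-only access with write access to the whole `sysctl_net_t` tree, so pppd can now change forwarding and filtering settings for every interface rather than just bring up its own link, and the hunk records no reason for the widening. If a specific key has to be written, annotate the rule with it, e.g. `# pppd writes net.ipv4.* for the ppp interface it creates; read-only is not enough`, so a later reviewer can judge whether a narrower interface exists. The removal of `userdom_search_sysadm_home_dirs(pppd_t)` in favour of the dontaudit is a good tightening. The pppd_t local policy starts before this hunk and continues after it.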
@@ -21785,19 +22511,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
')
optional_policy(`
-@@ -215,9 +221,9 @@
- # PPTP Local policy
- #
+@@ -217,7 +222,7 @@
--allow pptp_t self:capability net_raw;
-+allow pptp_t self:process signal;
+ allow pptp_t self:capability net_raw;
dontaudit pptp_t self:capability sys_tty_config;
-allow pptp_t self:process signal;
-+allow pptp_t self:capability net_raw;
++allow pptp_t self:process signal;
allow pptp_t self:fifo_file { read write };
allow pptp_t self:unix_dgram_socket create_socket_perms;
allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
-@@ -287,6 +293,14 @@
+@@ -287,6 +292,14 @@
')
optional_policy(`
@@ -21814,28 +22537,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.fc serefpolicy-3.3.1/policy/modules/services/prelude.fc
--- nsaserefpolicy/policy/modules/services/prelude.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/prelude.fc 2008-07-15 14:02:52.000000000 -0400
-@@ -0,0 +1,17 @@
-+
-+/sbin/audisp-prelude -- gen_context(system_u:object_r:audisp_prelude_exec_t,s0)
++++ serefpolicy-3.3.1/policy/modules/services/prelude.fc 2008-08-14 10:19:50.000000000 -0400
+@@ -0,0 +1,20 @@
++/sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0)
+
+/usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0)
++/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_prewikka_script_exec_t,s0)
+
-+/etc/rc\.d/init\.d/prelude-manager -- gen_context(system_u:object_r:prelude_script_exec_t,s0)
++/var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0)
++
++/var/log/prelude.* gen_context(system_u:object_r:prelude_log_t,s0)
+
-+/var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0)
++/var/run/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_var_run_t,s0)
+
-+/var/run/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_var_run_t,s0)
+/var/spool/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0)
-+/var/spool/prelude(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0)
-+/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_prewikka_script_exec_t,s0)
++/var/spool/prelude(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0)
++
+/usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0)
+/var/run/prelude-lml.pid -- gen_context(system_u:object_r:prelude_lml_var_run_t,s0)
+
+/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_lml_script_exec_t,s0)
++/etc/rc\.d/init\.d/prelude-manager -- gen_context(system_u:object_r:prelude_script_exec_t,s0)
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.3.1/policy/modules/services/prelude.if
--- nsaserefpolicy/policy/modules/services/prelude.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/prelude.if 2008-07-15 14:02:52.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/prelude.if 2008-08-29 14:42:11.000000000 -0400
@@ -0,0 +1,191 @@
+## Prelude hybrid intrusion detection system
+
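Review bot: The new context `/var/log/prelude.* gen_context(system_u:object_r:prelude_log_t,s0)` has an unescaped `.` and no `--` file-type qualifier, so it labels any entry under /var/log whose name merely begins with `prelude`, of any object type, as a type the prelude daemon can write. If the manager's logs are named `prelude.<something>`, tighten it to `/var/log/prelude\..* -- gen_context(system_u:object_r:prelude_log_t,s0)`; if the real name differs, match it exactly rather than by prefix. The rest of the hunk is a straightforward relabel to `prelude_audisp_exec_t`.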
@@ -21914,7 +22640,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
+
+########################################
+##
-+## Read/Write to prelude-manager spool files.
++## Manage to prelude-manager spool files.
+##
+##
+##
@@ -21922,14 +22648,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
+##
+##
+#
-+interface(`prelude_rw_spool',`
++interface(`prelude_manage_spool',`
+ gen_require(`
+ type prelude_spool_t;
+ ')
+
+ files_search_spool($1)
-+ list_dirs_pattern($1, prelude_spool_t, prelude_spool_t)
-+ rw_files_pattern($1, prelude_spool_t, prelude_spool_t)
++ manage_dirs_pattern($1, prelude_spool_t, prelude_spool_t)
++ manage_files_pattern($1, prelude_spool_t, prelude_spool_t)
+')
+
+########################################
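Review bot: Switching this interface from `rw_files_pattern` to `manage_dirs_pattern`/`manage_files_pattern` widens every caller from read/write to create, rename and unlink on `prelude_spool_t`, so a sensor connecting through it (snort_t is moved onto `prelude_manage_spool` later in this patch) can now delete or replace queued alerts instead of only appending to them. If libprelude's failover spool genuinely requires the client to remove replayed entries, the grant is justified and the description should say so; as written it reads `## Manage to prelude-manager spool files.` and should be `## Create, read, write, and delete prelude-manager spool files.`. Otherwise a create+rw combination would keep a compromised sensor from destroying evidence.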
@@ -22030,8 +22756,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.3.1/policy/modules/services/prelude.te
--- nsaserefpolicy/policy/modules/services/prelude.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/prelude.te 2008-07-15 14:02:52.000000000 -0400
-@@ -0,0 +1,251 @@
++++ serefpolicy-3.3.1/policy/modules/services/prelude.te 2008-08-14 10:18:48.000000000 -0400
+@@ -0,0 +1,257 @@
+
+policy_module(prelude, 1.0.0)
+
@@ -22047,6 +22773,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
+type prelude_spool_t;
+files_type(prelude_spool_t)
+
++type prelude_log_t;
++logging_log_file(prelude_log_t)
++
+type prelude_var_run_t;
+files_pid_file(prelude_var_run_t)
+
@@ -22102,6 +22831,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
+manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
+files_pid_filetrans(prelude_t, prelude_var_run_t, file)
+
++manage_files_pattern(prelude_t, prelude_log_t, prelude_log_t)
++logging_log_filetrans(prelude_t, prelude_log_t, file)
++
+corecmd_search_bin(prelude_t)
+
+corenet_all_recvfrom_unlabeled(prelude_t)
@@ -22202,17 +22934,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
+allow prelude_lml_t self:unix_stream_socket connectto;
+
+files_list_tmp(prelude_lml_t)
-+manage_dirs_pattern(prelude_lml_t,prelude_lml_tmp_t,prelude_lml_tmp_t)
-+manage_files_pattern(prelude_lml_t,prelude_lml_tmp_t,prelude_lml_tmp_t)
++manage_dirs_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t)
++manage_files_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t)
+files_tmp_filetrans(prelude_lml_t, prelude_lml_tmp_t, { file dir })
+
+files_search_spool(prelude_lml_t)
-+manage_dirs_pattern(prelude_lml_t,prelude_spool_t,prelude_spool_t)
-+manage_files_pattern(prelude_lml_t,prelude_spool_t,prelude_spool_t)
++manage_dirs_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t)
++manage_files_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t)
+
+files_search_var_lib(prelude_lml_t)
-+manage_dirs_pattern(prelude_lml_t,prelude_var_lib_t,prelude_var_lib_t)
-+manage_files_pattern(prelude_lml_t,prelude_var_lib_t,prelude_var_lib_t)
++manage_dirs_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t)
++manage_files_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t)
+
+manage_files_pattern(prelude_lml_t, prelude_lml_var_run_t, prelude_lml_var_run_t)
+files_pid_filetrans(prelude_lml_t, prelude_lml_var_run_t, file)
@@ -22270,10 +23002,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
+
+ auth_use_nsswitch(httpd_prewikka_script_t)
+
-+ can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t)
-+
+ logging_send_syslog_msg(httpd_prewikka_script_t)
+
++ can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t)
++
+ optional_policy(`
+ mysql_search_db(httpd_prewikka_script_t)
+ mysql_stream_connect(httpd_prewikka_script_t)
@@ -24197,7 +24929,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.3.1/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/samba.te 2008-08-04 14:37:13.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/samba.te 2008-08-13 13:57:39.000000000 -0400
@@ -59,6 +59,13 @@
##
gen_tunable(samba_share_nfs,false)
@@ -24518,7 +25250,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
-@@ -790,3 +867,40 @@
+@@ -784,9 +861,49 @@
+ allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
+ allow smbd_t samba_unconfined_script_exec_t:file ioctl;
+
+- unconfined_domain(samba_unconfined_script_t)
++
++ optional_policy(`
++ unconfined_domain(samba_unconfined_script_t)
++ ')
+
+ tunable_policy(`samba_run_unconfined',`
domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
')
')
@@ -25525,7 +26267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snor
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.3.1/policy/modules/services/snort.te
--- nsaserefpolicy/policy/modules/services/snort.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/snort.te 2008-07-15 14:02:52.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/snort.te 2008-08-29 14:41:05.000000000 -0400
@@ -8,10 +8,13 @@
type snort_t;
@@ -25567,7 +26309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snor
userdom_dontaudit_search_sysadm_home_dirs(snort_t)
optional_policy(`
-+ prelude_rw_spool(snort_t)
++ prelude_manage_spool(snort_t)
+')
+
+optional_policy(`
@@ -26341,7 +27083,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.3.1/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/spamassassin.te 2008-07-15 14:02:52.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/spamassassin.te 2008-08-14 12:48:08.000000000 -0400
@@ -21,8 +21,10 @@
gen_tunable(spamd_enable_home_dirs,true)
@@ -26420,7 +27162,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
kernel_read_all_sysctls(spamd_t)
-@@ -149,11 +172,31 @@
+@@ -149,11 +172,36 @@
userdom_search_unpriv_users_home_dirs(spamd_t)
userdom_dontaudit_search_sysadm_home_dirs(spamd_t)
@@ -26436,6 +27178,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
+ evolution_home_filetrans(user,spamd_t,spamd_tmp_t,{ file sock_file })
+')
+
++optional_policy(`
++ exim_manage_spool_dirs(spamd_t)
++ exim_manage_spool_files(spamd_t)
++')
++
+tunable_policy(`spamd_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs(user,spamd_t)
+ userdom_manage_user_home_content_files(user,spamd_t)
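Review bot: `exim_manage_spool_dirs(spamd_t)` and `exim_manage_spool_files(spamd_t)` hand spamd create, rename and unlink rights over the MTA's spool, although a scanner handed a message path by exim normally only needs to read it; spamd parses untrusted mail, so a bug there would now let an attacker delete or alter queued messages. Unless a specific write was observed, prefer a read-only exim spool interface if exim.if provides one, or record the denial that required manage in a comment such as `# spamd rewrites exim's scan-spool copy in place — manage required`. The spamd_t local policy starts before this hunk.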
@@ -26452,7 +27199,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
fs_manage_cifs_files(spamd_t)
')
-@@ -171,6 +214,7 @@
+@@ -171,6 +219,7 @@
optional_policy(`
dcc_domtrans_client(spamd_t)
@@ -26460,7 +27207,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
dcc_stream_connect_dccifd(spamd_t)
')
-@@ -198,6 +242,11 @@
+@@ -198,6 +247,11 @@
optional_policy(`
razor_domtrans(spamd_t)
@@ -26472,7 +27219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
')
optional_policy(`
-@@ -212,3 +261,216 @@
+@@ -212,3 +266,216 @@
optional_policy(`
udev_read_db(spamd_t)
')
@@ -27641,7 +28388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-07-29 15:14:04.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-08-12 17:02:07.000000000 -0400
@@ -12,9 +12,15 @@
##
##
@@ -31314,12 +32061,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
/var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.3.1/policy/modules/system/iscsi.te
--- nsaserefpolicy/policy/modules/system/iscsi.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/iscsi.te 2008-07-15 14:02:52.000000000 -0400
-@@ -29,7 +29,7 @@
++++ serefpolicy-3.3.1/policy/modules/system/iscsi.te 2008-08-29 15:31:37.000000000 -0400
+@@ -28,8 +28,8 @@
+ # iscsid local policy
#
- allow iscsid_t self:capability { dac_override ipc_lock net_admin sys_nice sys_resource };
+-allow iscsid_t self:capability { dac_override ipc_lock net_admin sys_nice sys_resource };
-allow iscsid_t self:process { setrlimit setsched };
++allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_nice sys_resource };
+allow iscsid_t self:process { setrlimit setsched signal };
allow iscsid_t self:fifo_file { read write };
allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
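Review bot: Adding `net_raw` to `allow iscsid_t self:capability { ... }` lets the initiator daemon open raw and packet sockets on any interface, a broad capability for a storage client, and the hunk does not say which operation needed it. If the requirement comes from a specific transport path rather than core iscsid, consider gating it with an optional_policy or boolean, and in any case annotate it, e.g. `# net_raw: iscsid opens raw sockets for <reason observed in AVC>`. Note that the capability alone is not usable without a matching `rawip_socket`/`packet_socket` rule, so confirm the denial being fixed is really the capability check. The iscsid_t section begins before this hunk and continues past it.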
@@ -31602,7 +32351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.3.1/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/logging.if 2008-07-15 14:02:52.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/logging.if 2008-08-29 16:21:41.000000000 -0400
@@ -213,12 +213,7 @@
##
#
@@ -31698,7 +32447,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
')
########################################
-@@ -804,3 +838,129 @@
+@@ -804,3 +838,128 @@
logging_admin_audit($1, $2, $3)
logging_admin_syslog($1, $2, $3)
')
@@ -31804,8 +32553,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+ role system_r types $1;
+
+ domtrans_pattern(audisp_t,$2,$1)
-+ allow $1 audisp_t:process signal;
-+
++ allow audisp_t $1:process { sigkill sigstop signull signal }
+ allow audisp_t $2:file getattr;
+ allow $1 audisp_t:unix_stream_socket rw_socket_perms;
+')
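Review bot: The new rule `allow audisp_t $1:process { sigkill sigstop signull signal }` has no terminating semicolon, so this interface will fail to parse as soon as any module calls it; it should read `allow audisp_t $1:process { sigkill sigstop signull signal };`. The change also drops `allow $1 audisp_t:process signal;` and reverses the direction — if the plugin still needs to signal the dispatcher, keep both rules rather than replacing one with the other. The interface's header and opening `gen_require` are outside this hunk.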
@@ -34821,7 +35569,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.3.1/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-07-29 16:49:30.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-08-12 17:31:13.000000000 -0400
@@ -6,35 +6,72 @@
# Declarations
#
@@ -35116,7 +35864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
########################################
-@@ -219,14 +281,36 @@
+@@ -219,14 +281,38 @@
allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t)
@@ -35140,11 +35888,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+
+optional_policy(`
+ hal_dbus_chat(unconfined_execmem_t)
- ')
++')
+
+optional_policy(`
+ xserver_xdm_rw_shm(unconfined_execmem_t)
-+')
+ ')
+
+########################################
+#
@@ -35158,6 +35906,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+rpm_transition_script(unconfined_notrans_t)
+domain_ptrace_all_domains(unconfined_notrans_t)
+
++allow unconfined_t self:process transition;
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.3.1/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2008-06-12 23:38:01.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/system/userdomain.fc 2008-07-15 14:02:52.000000000 -0400
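Review bot: `allow unconfined_t self:process transition;` is appended after the `unconfined_notrans_t` rules at the very end of unconfined.te, so it reads as part of that domain's section rather than `unconfined_t`'s, and it carries no comment explaining why a self-transition (normally a no-op for the same type) is requested. Move it into the `unconfined_t` local-policy section earlier in the file and annotate it with the caller that triggers the check, e.g. `# unconfined_t: some callers request an explicit transition to the current context via setexeccon`, adjusted to the denial actually observed.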
@@ -39820,7 +40570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/file_patterns
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.3.1/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/support/obj_perm_sets.spt 2008-07-15 14:02:52.000000000 -0400
++++ serefpolicy-3.3.1/policy/support/obj_perm_sets.spt 2008-08-29 16:21:06.000000000 -0400
@@ -315,3 +315,13 @@
#
define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')