diff --git a/policy-F13.patch b/policy-F13.patch
index a954e02..b0b3a13 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -244,8 +244,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/account
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/accountsd.te serefpolicy-3.7.19/policy/modules/admin/accountsd.te
--- nsaserefpolicy/policy/modules/admin/accountsd.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/admin/accountsd.te 2010-06-01 13:50:27.639177903 +0200
-@@ -0,0 +1,64 @@
++++ serefpolicy-3.7.19/policy/modules/admin/accountsd.te 2010-08-24 15:44:39.211083773 +0200
+@@ -0,0 +1,62 @@
+policy_module(accountsd,1.0.0)
+
+########################################
@@ -257,8 +257,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/account
+type accountsd_exec_t;
+dbus_system_domain(accountsd_t, accountsd_exec_t)
+
-+permissive accountsd_t;
-+
+type accountsd_var_lib_t;
+files_type(accountsd_var_lib_t)
+
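Review bot: Dropping `permissive accountsd_t;` (and likewise `permissive shutdown_t;` and `permissive certmonger_t;` in the later hunks of this patch) switches those domains to enforcing, but nothing in the patch records that the domains' denials were reviewed first; since the surrounding module text is otherwise unchanged, a reader cannot tell whether the policy was deemed complete or the line was simply cleaned up. A short note in the commit description, or a comment in the .te header such as `# enforcing since <release placeholder>; see denial review`, would make the decision traceable. The declarations section of accountsd.te continues outside the hunk.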
@@ -2361,8 +2359,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.7.19/policy/modules/admin/shutdown.te
--- nsaserefpolicy/policy/modules/admin/shutdown.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te 2010-08-09 14:15:21.106085482 +0200
-@@ -0,0 +1,68 @@
++++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te 2010-08-24 15:45:05.100083585 +0200
+@@ -0,0 +1,66 @@
+policy_module(shutdown,1.0.0)
+
+########################################
@@ -2381,8 +2379,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
+type shutdown_var_run_t;
+files_pid_file(shutdown_var_run_t)
+
-+permissive shutdown_t;
-+
+########################################
+#
+# shutdown local policy
@@ -3354,8 +3350,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.
+sysnet_read_config(gitosis_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.7.19/policy/modules/apps/gnome.fc
--- nsaserefpolicy/policy/modules/apps/gnome.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/apps/gnome.fc 2010-05-28 09:41:59.976610853 +0200
-@@ -1,8 +1,28 @@
++++ serefpolicy-3.7.19/policy/modules/apps/gnome.fc 2010-08-24 15:33:52.995335336 +0200
+@@ -1,8 +1,31 @@
-HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
@@ -3365,6 +3361,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc
+HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.local/share(.*)? gen_context(system_u:object_r:data_home_t,s0)
+/HOME_DIR/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0)
++/HOME_DIR/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0)
++
+
+/root/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+/root/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
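Review bot: The new entry `/HOME_DIR/\.xine(/.*)?` copies the leading slash of the `/HOME_DIR/\.Xdefaults` line above it, while every other home entry in this file (`HOME_DIR/\.local.*`, `HOME_DIR/\.local/share(.*)?`) starts with the bare `HOME_DIR` keyword; after the home-directory path is substituted for `HOME_DIR`, the leading slash appears to produce a `//home/...` pattern that will not match real paths, so the .xine files would not receive config_home_t. Unless the leading slash is deliberately tolerated by the home-dir expansion, the line should read `HOME_DIR/\.xine(/.*)?	gen_context(system_u:object_r:config_home_t,s0)`, and the existing `/HOME_DIR/\.Xdefaults` line likely wants the same fix. The added empty line also leaves a double blank line before the `/root/` block.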
@@ -3373,6 +3371,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc
+/root/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
+/root/\.local/share(.*)? gen_context(system_u:object_r:data_home_t,s0)
+/root/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0)
++/root/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0)
/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
@@ -4152,7 +4151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.7.19/policy/modules/apps/gpg.te
--- nsaserefpolicy/policy/modules/apps/gpg.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/apps/gpg.te 2010-05-28 09:41:59.979610866 +0200
++++ serefpolicy-3.7.19/policy/modules/apps/gpg.te 2010-08-24 14:03:22.764083542 +0200
@@ -5,6 +5,7 @@
#
# Declarations
@@ -4400,7 +4399,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(gpg_pinentry_t)
')
-@@ -271,5 +363,46 @@
+@@ -271,5 +363,49 @@
')
optional_policy(`
@@ -4426,7 +4425,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
+optional_policy(`
+ xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
+
-+')
+ ')
+
+#############################
+#
@@ -4437,6 +4436,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
+
+can_exec(gpg_web_t, gpg_exec_t)
+
++dev_read_rand(gpg_web_t)
++dev_read_urand(gpg_web_t)
++
+files_read_usr_files(gpg_web_t)
+
+miscfiles_read_localization(gpg_web_t)
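Review bot: The added `dev_read_rand(gpg_web_t)` and `dev_read_urand(gpg_web_t)` rules carry no comment on what gpg_web_t does that needs the entropy devices, and the gpg_web section they sit in begins outside the hunk. Access to the random devices is low-risk, but the file's style is to say why a domain gets a device; a one-liner such as `# gpg reads /dev/(u)random for key generation and encryption` above the pair would do. Presumably the main gpg_t domain has the same rules elsewhere in the file, which cannot be confirmed from this hunk.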
@@ -4446,7 +4448,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
+
+tunable_policy(`gpg_web_anon_write',`
+ miscfiles_manage_public_files(gpg_web_t)
- ')
++')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.fc serefpolicy-3.7.19/policy/modules/apps/irc.fc
--- nsaserefpolicy/policy/modules/apps/irc.fc 2010-04-13 20:44:37.000000000 +0200
@@ -6903,8 +6905,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-08-17 15:43:17.915085143 +0200
-@@ -0,0 +1,393 @@
++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-08-24 14:07:38.336335117 +0200
+@@ -0,0 +1,397 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -7127,6 +7129,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+ sssd_dontaudit_search_lib(sandbox_x_domain)
+')
+
++optional_policy(`
++ udev_read_db(sandbox_x_domain)
++')
++
+userdom_dontaudit_use_user_terminals(sandbox_x_domain)
+userdom_read_user_home_content_symlinks(sandbox_x_domain)
+
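Review bot: `udev_read_db(sandbox_x_domain)` gives every X sandbox domain read access to the udev device database, but nothing says which sandboxed client needs it or whether the access is real or just a library probing for devices. Because the sandbox exists to keep the confined application's view of the host minimal, a dontaudit rule would be the narrower choice if the denial is only noise; if the read is genuinely required, a comment naming the trigger (e.g. `# GTK/X clients enumerate input devices via libudev`) would let the next reviewer judge it. The sandbox_x_domain section continues outside the hunk.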
@@ -14488,7 +14494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.19/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/apache.if 2010-08-04 15:15:10.969085367 +0200
++++ serefpolicy-3.7.19/policy/modules/services/apache.if 2010-08-24 14:04:00.070084847 +0200
@@ -13,17 +13,13 @@
#
template(`apache_content_template',`
@@ -14734,7 +14740,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
files_search_var($1)
')
-@@ -841,6 +897,54 @@
+@@ -836,11 +892,60 @@
+ ')
+
+ files_search_var($1)
++ apache_search_sys_content($1)
+ manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
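Review bot: `apache_search_sys_content($1)` is an apache.if interface invoked from inside another apache.if interface, which refpolicy style generally avoids (a module's interfaces should not call each other); the enclosing interface starts outside the hunk. If apache_search_sys_content only grants `httpd_sys_content_t:dir search_dir_perms` plus `files_search_var`, both are already covered by the neighbouring `manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)` and `files_search_var($1)` lines and the call is redundant; if it grants more, the extra rule should be spelled out inline, e.g. `search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)`.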
@@ -14789,7 +14801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
##
## Execute all web scripts in the system
-@@ -858,6 +962,11 @@
+@@ -858,6 +963,11 @@
gen_require(`
attribute httpdcontent;
type httpd_sys_script_t;
@@ -14801,7 +14813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -945,7 +1054,7 @@
+@@ -945,7 +1055,7 @@
type httpd_squirrelmail_t;
')
@@ -14810,7 +14822,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -985,6 +1094,24 @@
+@@ -985,6 +1095,24 @@
allow $1 httpd_sys_content_t:dir search_dir_perms;
')
@@ -14835,7 +14847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
##
## Read apache system content.
-@@ -1086,6 +1213,25 @@
+@@ -1086,6 +1214,25 @@
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
@@ -14861,7 +14873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
##
## Dontaudit attempts to write
-@@ -1102,7 +1248,7 @@
+@@ -1102,7 +1249,7 @@
type httpd_tmp_t;
')
@@ -14870,7 +14882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -1172,7 +1318,7 @@
+@@ -1172,7 +1319,7 @@
type httpd_modules_t, httpd_lock_t;
type httpd_var_run_t, httpd_php_tmp_t;
type httpd_suexec_tmp_t, httpd_tmp_t;
@@ -14879,7 +14891,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
allow $1 httpd_t:process { getattr ptrace signal_perms };
-@@ -1202,12 +1348,62 @@
+@@ -1202,12 +1349,62 @@
kernel_search_proc($1)
allow $1 httpd_t:dir list_dir_perms;
@@ -14945,7 +14957,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.19/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-08-11 13:56:26.586085235 +0200
++++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-08-24 14:39:54.754083905 +0200
@@ -19,11 +19,13 @@
# Declarations
#
@@ -14989,7 +15001,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
## Allow HTTPD scripts and modules to connect to databases over the network.
##
##
-@@ -101,6 +117,20 @@
+@@ -72,6 +88,13 @@
+
+ ##
+ ##
++## Allow http daemon to check spam
++##
++##
++gen_tunable(httpd_can_check_spam, false)
++
++##
++##
+ ## Allow Apache to communicate with avahi service via dbus
+ ##
+ ##
+@@ -101,6 +124,20 @@
##
##
@@ -15010,7 +15036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
##
##
-@@ -108,6 +138,13 @@
+@@ -108,6 +145,13 @@
##
##
@@ -15024,7 +15050,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
## Unify HTTPD to communicate with the terminal.
## Needed for entering the passphrase for certificates at
## the terminal.
-@@ -131,7 +168,7 @@
+@@ -131,7 +175,7 @@
##
##
@@ -15033,7 +15059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
##
##
gen_tunable(httpd_use_gpg, false)
-@@ -143,6 +180,13 @@
+@@ -143,6 +187,13 @@
##
gen_tunable(httpd_use_nfs, false)
@@ -15047,7 +15073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
attribute httpdcontent;
attribute httpd_user_content_type;
-@@ -218,6 +262,10 @@
+@@ -218,6 +269,10 @@
# setup the system domain for system CGI scripts
apache_content_template(sys)
@@ -15058,7 +15084,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
-@@ -226,6 +274,10 @@
+@@ -226,6 +281,10 @@
apache_content_template(user)
ubac_constrained(httpd_user_script_t)
@@ -15069,7 +15095,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
userdom_user_home_content(httpd_user_content_t)
userdom_user_home_content(httpd_user_htaccess_t)
userdom_user_home_content(httpd_user_script_exec_t)
-@@ -233,6 +285,7 @@
+@@ -233,6 +292,7 @@
userdom_user_home_content(httpd_user_rw_content_t)
typeattribute httpd_user_script_t httpd_script_domains;
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
@@ -15077,7 +15103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -286,6 +339,7 @@
+@@ -286,6 +346,7 @@
manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
@@ -15085,7 +15111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -355,6 +409,7 @@
+@@ -355,6 +416,7 @@
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -15093,7 +15119,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,8 +420,10 @@
+@@ -365,8 +427,10 @@
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
@@ -15104,7 +15130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
corenet_sendrecv_http_server_packets(httpd_t)
# Signal self for shutdown
corenet_tcp_connect_http_port(httpd_t)
-@@ -378,12 +435,12 @@
+@@ -378,12 +442,12 @@
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
@@ -15120,7 +15146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
domain_use_interactive_fds(httpd_t)
-@@ -402,6 +459,10 @@
+@@ -402,6 +466,10 @@
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -15131,7 +15157,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
libs_read_lib_files(httpd_t)
-@@ -420,12 +481,23 @@
+@@ -420,12 +488,23 @@
miscfiles_manage_public_files(httpd_t)
')
@@ -15157,7 +15183,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
-@@ -446,6 +518,16 @@
+@@ -439,6 +518,7 @@
+ corenet_tcp_connect_ftp_port(httpd_t)
+ corenet_tcp_connect_http_port(httpd_t)
+ corenet_tcp_connect_http_cache_port(httpd_t)
++ corenet_tcp_connect_squid_port(httpd_t)
+ corenet_tcp_connect_memcache_port(httpd_t)
+ corenet_sendrecv_gopher_client_packets(httpd_t)
+ corenet_sendrecv_ftp_client_packets(httpd_t)
+@@ -446,6 +526,16 @@
corenet_sendrecv_http_cache_client_packets(httpd_t)
')
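Review bot: `corenet_tcp_connect_squid_port(httpd_t)` is added without the matching `corenet_sendrecv_squid_client_packets(httpd_t)`, whereas the neighbouring ftp, gopher and http_cache entries each pair the connect with the per-port sendrecv interface that corenetwork generates; under a SECMARK-labelled packet policy the connect alone leaves the relay half-permitted. Add `corenet_sendrecv_squid_client_packets(httpd_t)` next to the other `*_client_packets` lines. The enclosing tunable_policy block starts outside the hunk.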
@@ -15174,7 +15208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
')
-@@ -456,6 +538,10 @@
+@@ -456,6 +546,10 @@
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -15185,7 +15219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -470,11 +556,25 @@
+@@ -470,11 +564,25 @@
userdom_read_user_home_content_files(httpd_t)
')
@@ -15211,7 +15245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
-@@ -484,9 +584,22 @@
+@@ -484,9 +592,22 @@
# allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -15234,7 +15268,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
-@@ -500,8 +613,11 @@
+@@ -500,8 +621,11 @@
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
userdom_use_user_terminals(httpd_t)
@@ -15246,7 +15280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -514,6 +630,9 @@
+@@ -514,6 +638,9 @@
optional_policy(`
cobbler_search_lib(httpd_t)
@@ -15256,7 +15290,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -528,7 +647,7 @@
+@@ -528,7 +655,7 @@
daemontools_service_domain(httpd_t, httpd_exec_t)
')
@@ -15265,7 +15299,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +656,12 @@
+@@ -537,8 +664,12 @@
')
optional_policy(`
@@ -15279,7 +15313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
-@@ -557,6 +680,7 @@
+@@ -557,6 +688,7 @@
optional_policy(`
# Allow httpd to work with mysql
@@ -15287,7 +15321,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -567,6 +691,7 @@
+@@ -567,6 +699,7 @@
optional_policy(`
nagios_read_config(httpd_t)
@@ -15295,7 +15329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -577,12 +702,23 @@
+@@ -577,12 +710,23 @@
')
optional_policy(`
@@ -15319,7 +15353,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
-@@ -591,6 +727,11 @@
+@@ -591,6 +735,11 @@
')
optional_policy(`
@@ -15331,7 +15365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -618,6 +759,10 @@
+@@ -618,6 +767,10 @@
userdom_use_user_terminals(httpd_helper_t)
@@ -15342,7 +15376,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache PHP script local policy
-@@ -699,17 +844,18 @@
+@@ -699,17 +852,18 @@
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -15364,7 +15398,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,10 +886,21 @@
+@@ -740,10 +894,21 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -15387,7 +15421,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -769,6 +926,12 @@
+@@ -769,6 +934,12 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -15400,7 +15434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache system script local policy
-@@ -792,9 +955,13 @@
+@@ -792,9 +963,13 @@
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)
@@ -15414,10 +15448,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,6 +970,22 @@
+@@ -803,6 +978,28 @@
mta_send_mail(httpd_sys_script_t)
')
++optional_policy(`
++ tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
++ spamassassin_domtrans_client(httpd_t)
++ ')
++')
++
+fs_cifs_entry_type(httpd_sys_script_t)
+fs_read_iso9660_files(httpd_sys_script_t)
+fs_nfs_entry_type(httpd_sys_script_t)
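Review bot: The new `spamassassin_domtrans_client(httpd_t)` block is inserted after `mta_send_mail(httpd_sys_script_t)` in what appears to be the httpd_sys_script_t section of apache.te, yet the rule it grants is for httpd_t; it belongs with the other httpd_t mail rules under `httpd_can_sendmail` (the `# allow httpd to connect to mail servers` block earlier in this file), where a reader looking for httpd_t's mail access will find it. If CGI/web applications running as httpd_sys_script_t are also meant to scan mail, they need their own `spamassassin_domtrans_client(httpd_sys_script_t)` inside the same tunable — whether that is intended cannot be told from here. A one-line comment on the block, e.g. `# webmail spam checking via spamc`, would also help.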
@@ -15437,7 +15477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_sys_script_t self:udp_socket create_socket_perms;
-@@ -830,6 +1013,16 @@
+@@ -830,6 +1027,16 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@@ -15454,7 +15494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,6 +1035,7 @@
+@@ -842,6 +1049,7 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -15462,7 +15502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -891,11 +1085,33 @@
+@@ -891,11 +1099,33 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -15485,11 +15525,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+tunable_policy(`httpd_read_user_content',`
+ userdom_read_user_home_content_files(httpd_user_script_t)
+ userdom_read_user_home_content_files(httpd_suexec_t)
- ')
++')
+
+tunable_policy(`httpd_read_user_content && httpd_builtin_scripting',`
+ userdom_read_user_home_content_files(httpd_t)
-+')
+ ')
+
+# Removal of fastcgi, will cause problems without the following
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
@@ -15877,7 +15917,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.fc serefpolicy-3.7.19/policy/modules/services/boinc.fc
--- nsaserefpolicy/policy/modules/services/boinc.fc 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/boinc.fc 2010-08-09 14:45:31.106085169 +0200
++++ serefpolicy-3.7.19/policy/modules/services/boinc.fc 2010-08-24 11:08:39.309083977 +0200
@@ -0,0 +1,8 @@
+
+/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
@@ -16044,8 +16084,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.7.19/policy/modules/services/boinc.te
--- nsaserefpolicy/policy/modules/services/boinc.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-08-20 13:54:00.869085496 +0200
-@@ -0,0 +1,153 @@
++++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-08-24 14:44:00.443083769 +0200
+@@ -0,0 +1,160 @@
+
+policy_module(boinc,1.0.0)
+
@@ -16076,18 +16116,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+domain_type(boinc_project_t)
+role system_r types boinc_project_t;
+
-+permissive boinc_project_t;
-+
+type boinc_project_var_lib_t;
+files_type(boinc_project_var_lib_t)
+
++permissive boinc_project_t;
++
+########################################
+#
+# boinc local policy
+#
+
+allow boinc_t self:capability { kill };
-+allow boinc_t self:process { setsched };
++allow boinc_t self:process { setsched sigkill };
+
+allow boinc_t self:fifo_file rw_fifo_file_perms;
+allow boinc_t self:unix_stream_socket create_stream_socket_perms;
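Review bot: `permissive boinc_project_t;` is only relocated (removed at the old position, re-added after the var_lib type), so boinc_project_t — which this file grants execmem/execstack and, later in the patch, corecmd_exec_bin/exec_shell — keeps running permissive while the same commit removes the permissive lines of accountsd_t, shutdown_t and certmonger_t. If the domain is not yet ready for enforcing, a comment at the relocated line such as `# TODO: remove once project binaries have been exercised in enforcing mode` would make that explicit rather than leaving it to look like an oversight. The added `sigkill` in `allow boinc_t self:process { setsched sigkill };` is harmless but equally uncommented.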
@@ -16105,7 +16145,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
+manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-+files_var_lib_filetrans(boinc_t, boinc_var_lib_t, { file dir } )
++filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, { dir })
+
+allow boinc_t boinc_project_t:process sigkill;
+
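Review bot: Replacing `files_var_lib_filetrans(boinc_t, boinc_var_lib_t, { file dir })` with `filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, { dir })` changes two things at once: boinc_t loses the transition that labelled anything it created directly under /var/lib as boinc_var_lib_t, and every directory boinc_t creates inside boinc_var_lib_t now becomes executable project content (boinc_project_var_lib_t), not only project directories. If boinc_t also creates non-project subdirectories (slot or cache directories, say — cannot tell from here), those would be mislabelled as project content; a comment stating that all dirs boinc_t creates in its var_lib are project checkouts, or keeping the original file/dir transition alongside the new one, would remove the ambiguity. The boinc_t section continues outside the hunk.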
@@ -16166,6 +16206,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+#
+
+domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
++allow boinc_t boinc_project_t:process sigkill;
+
+allow boinc_project_t self:process { ptrace setsched signal signull sigkill sigstop };
+allow boinc_project_t self:process { execmem execstack };
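Review bot: `allow boinc_t boinc_project_t:process sigkill;` added here duplicates the identical rule already present in the boinc_t local policy section (visible in the preceding hunk, right after the filetrans_pattern line). Duplicate allow rules compile, but one copy should go; keeping the one in the boinc_t section matches how the rest of the file groups rules by source domain.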
@@ -16178,7 +16219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-+files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, { file dir })
++files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, { dir } )
+
+allow boinc_project_t boinc_project_var_lib_t:file execmod;
+
@@ -16186,8 +16227,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+allow boinc_project_t boinc_t:shm rw_shm_perms;
+allow boinc_project_t boinc_tmpfs_t:file { read write };
+
++list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
+rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
+
++corecmd_exec_bin(boinc_project_t)
++corecmd_exec_shell(boinc_project_t)
++
+kernel_read_system_state(boinc_project_t)
+kernel_read_kernel_sysctls(boinc_project_t)
+kernel_search_vm_sysctl(boinc_project_t)
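Review bot: `corecmd_exec_bin(boinc_project_t)` and `corecmd_exec_shell(boinc_project_t)` let downloaded project code execute any system binary and any shell, on top of the execmem/execstack the domain already holds, and nothing records what triggered the grant. A comment naming the need (for example `# project wrapper scripts are shell scripts that call system tools`) would make the widening reviewable, and if wrappers only need a shell, corecmd_exec_bin could be held back until a denial shows it is required. The boinc_project_t section continues outside the hunk.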
@@ -16197,6 +16242,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+
+dev_rw_xserver_misc(boinc_project_t)
+
++files_read_etc_files(boinc_project_t)
++
+miscfiles_read_localization(boinc_project_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.fc serefpolicy-3.7.19/policy/modules/services/bugzilla.fc
@@ -16793,8 +16840,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.19/policy/modules/services/certmonger.te
--- nsaserefpolicy/policy/modules/services/certmonger.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/certmonger.te 2010-05-28 09:42:00.074610853 +0200
-@@ -0,0 +1,75 @@
++++ serefpolicy-3.7.19/policy/modules/services/certmonger.te 2010-08-24 15:45:24.605099189 +0200
+@@ -0,0 +1,73 @@
+policy_module(certmonger,1.0.0)
+
+########################################
@@ -16806,8 +16853,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
+type certmonger_exec_t;
+init_daemon_domain(certmonger_t, certmonger_exec_t)
+
-+permissive certmonger_t;
-+
+type certmonger_initrc_exec_t;
+init_script_file(certmonger_initrc_exec_t)
+
@@ -18605,7 +18650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.19/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/cron.te 2010-05-28 09:42:00.091610700 +0200
++++ serefpolicy-3.7.19/policy/modules/services/cron.te 2010-08-24 15:32:42.307335306 +0200
@@ -38,8 +38,10 @@
type cron_var_lib_t;
files_type(cron_var_lib_t)
@@ -18670,7 +18715,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
allow crond_t self:process { setexec setfscreate };
allow crond_t self:fd use;
allow crond_t self:fifo_file rw_fifo_file_perms;
-@@ -194,6 +209,8 @@
+@@ -168,6 +183,9 @@
+ list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
+ read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
+
++read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
++
++
+ kernel_read_kernel_sysctls(crond_t)
+ kernel_read_fs_sysctls(crond_t)
+ kernel_search_key(crond_t)
+@@ -194,6 +212,8 @@
corecmd_read_bin_symlinks(crond_t)
domain_use_interactive_fds(crond_t)
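Review bot: `read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)` lets crond follow symlinks placed in the user crontab spool, but no comment says which setup puts symlinks there; since the spool is the one place users influence what crond reads, a line such as `# <distribution placeholder> ships user crontabs as symlinks into the spool` would let a reviewer confirm the links are not user-created. The hunk also adds two consecutive empty lines after the new rule, leaving a double blank line before `kernel_read_kernel_sysctls(crond_t)` where the file otherwise uses single blank separators.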
@@ -18679,7 +18734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
files_read_usr_files(crond_t)
files_read_etc_runtime_files(crond_t)
-@@ -209,7 +226,9 @@
+@@ -209,7 +229,9 @@
auth_use_nsswitch(crond_t)
@@ -18689,7 +18744,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
-@@ -220,8 +239,10 @@
+@@ -220,8 +242,10 @@
userdom_use_unpriv_users_fds(crond_t)
# Not sure why this is needed
userdom_list_user_home_dirs(crond_t)
@@ -18700,7 +18755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
ifdef(`distro_debian',`
# pam_limits is used
-@@ -241,8 +262,17 @@
+@@ -241,8 +265,17 @@
')
')
@@ -18720,7 +18775,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
optional_policy(`
-@@ -251,6 +281,20 @@
+@@ -251,6 +284,20 @@
')
optional_policy(`
@@ -18741,7 +18796,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
amanda_search_var_lib(crond_t)
')
-@@ -260,6 +304,8 @@
+@@ -260,6 +307,8 @@
optional_policy(`
hal_dbus_chat(crond_t)
@@ -18750,7 +18805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
optional_policy(`
-@@ -291,6 +337,8 @@
+@@ -291,6 +340,8 @@
#
allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
@@ -18759,7 +18814,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;
-@@ -302,10 +350,17 @@
+@@ -302,10 +353,17 @@
# This is to handle /var/lib/misc directory. Used currently
# by prelink var/lib files for cron
@@ -18778,7 +18833,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
-@@ -325,6 +380,7 @@
+@@ -325,6 +383,7 @@
allow system_cronjob_t crond_t:fd use;
allow system_cronjob_t crond_t:fifo_file rw_file_perms;
allow system_cronjob_t crond_t:process sigchld;
@@ -18786,7 +18841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
# Write /var/lock/makewhatis.lock.
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-@@ -336,9 +392,13 @@
+@@ -336,9 +395,13 @@
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
@@ -18801,7 +18856,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
-@@ -361,6 +421,7 @@
+@@ -361,6 +424,7 @@
dev_getattr_all_blk_files(system_cronjob_t)
dev_getattr_all_chr_files(system_cronjob_t)
dev_read_urand(system_cronjob_t)
@@ -18809,7 +18864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
fs_getattr_all_fs(system_cronjob_t)
fs_getattr_all_files(system_cronjob_t)
-@@ -387,6 +448,7 @@
+@@ -387,6 +451,7 @@
# Access other spool directories like
# /var/spool/anacron and /var/spool/slrnpull.
files_manage_generic_spool(system_cronjob_t)
@@ -18817,7 +18872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
init_use_script_fds(system_cronjob_t)
init_read_utmp(system_cronjob_t)
-@@ -411,6 +473,8 @@
+@@ -411,6 +476,8 @@
ifdef(`distro_redhat', `
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
@@ -18826,7 +18881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
# via redirection of standard out.
optional_policy(`
rpm_manage_log(system_cronjob_t)
-@@ -435,6 +499,8 @@
+@@ -435,6 +502,8 @@
apache_read_config(system_cronjob_t)
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
@@ -18835,7 +18890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
optional_policy(`
-@@ -442,6 +508,14 @@
+@@ -442,6 +511,14 @@
')
optional_policy(`
@@ -18850,7 +18905,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
ftp_read_log(system_cronjob_t)
')
-@@ -452,15 +526,24 @@
+@@ -452,15 +529,24 @@
')
optional_policy(`
@@ -18875,7 +18930,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
optional_policy(`
-@@ -476,7 +559,7 @@
+@@ -476,7 +562,7 @@
prelink_manage_lib(system_cronjob_t)
prelink_manage_log(system_cronjob_t)
prelink_read_cache(system_cronjob_t)
@@ -18884,7 +18939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
optional_policy(`
-@@ -491,6 +574,7 @@
+@@ -491,6 +577,7 @@
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
@@ -18892,7 +18947,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
optional_policy(`
-@@ -498,6 +582,9 @@
+@@ -498,6 +585,9 @@
')
optional_policy(`
@@ -18902,7 +18957,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
unconfined_domain(system_cronjob_t)
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
-@@ -591,6 +678,7 @@
+@@ -591,6 +681,7 @@
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@@ -19291,7 +19346,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.7.19/policy/modules/services/cyrus.te
--- nsaserefpolicy/policy/modules/services/cyrus.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/cyrus.te 2010-05-28 09:42:00.094610780 +0200
++++ serefpolicy-3.7.19/policy/modules/services/cyrus.te 2010-08-24 14:09:21.658222360 +0200
+@@ -27,7 +27,7 @@
+ # Local policy
+ #
+
+-allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
++allow cyrus_t self:capability { dac_override fsetid net_bind_service setgid setuid sys_resource };
+ dontaudit cyrus_t self:capability sys_tty_config;
+ allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow cyrus_t self:process setrlimit;
@@ -75,6 +75,7 @@
corenet_tcp_bind_mail_port(cyrus_t)
corenet_tcp_bind_lmtp_port(cyrus_t)
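Review bot: The new `fsetid` entry in the cyrus_t self:capability set has no comment saying which operation needed it; CAP_FSETID lets a process modify a file without clearing its set-user-ID/set-group-ID bits, which is a capability reviewers normally expect to see justified. Please add a line above the rule such as `# fsetid: <command/daemon> rewrites files carrying setgid bits (see AVC <audit-ref placeholder>)`, filling in the denial that prompted it. The rest of the cyrus_t local policy continues outside this hunk.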
@@ -20259,7 +20323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.19/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-08-17 15:14:20.563085303 +0200
++++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-08-24 14:32:28.482083467 +0200
@@ -9,6 +9,9 @@
type dovecot_exec_t;
init_daemon_domain(dovecot_t, dovecot_exec_t)
@@ -20342,10 +20406,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
fs_search_auto_mountpoints(dovecot_t)
fs_list_inotifyfs(dovecot_t)
-@@ -142,6 +160,10 @@
+@@ -142,6 +160,16 @@
')
optional_policy(`
++ postfix_manage_private_sockets(dovecot_t)
++ postfix_search_spool(dovecot_t)
++')
++
++
++optional_policy(`
+ postgresql_stream_connect(dovecot_t)
+')
+
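Review bot: `postfix_manage_private_sockets(dovecot_t)` grants create/delete/rename on postfix's private sockets, whereas dovecot's neighbouring rules in this file (for example `postfix_search_spool(dovecot_auth_t)`) and postfix's own pipe domain (`write_sock_files_pattern(postfix_pipe_t, postfix_private_t, ...)`) are scoped to search or write; if dovecot only connects to an existing postfix socket, a connect- or write-scoped interface from postfix.if would be the narrower grant — confirm against the AVC that motivated this. Either way a one-line comment naming the socket being used (e.g. `# dovecot-lda/auth talks to postfix over its private socket`) would help the next reader. Also, the two consecutive blank lines between the postfix and postgresql optional_policy blocks should be collapsed to one, matching the rest of the file.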
@@ -20353,7 +20423,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
seutil_sigchld_newrole(dovecot_t)
')
-@@ -172,11 +194,6 @@
+@@ -172,11 +200,6 @@
manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
@@ -20365,7 +20435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
dovecot_stream_connect_auth(dovecot_auth_t)
-@@ -197,11 +214,13 @@
+@@ -197,11 +220,13 @@
files_search_pids(dovecot_auth_t)
files_read_usr_files(dovecot_auth_t)
files_read_usr_symlinks(dovecot_auth_t)
@@ -20380,7 +20450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
miscfiles_read_localization(dovecot_auth_t)
seutil_dontaudit_search_config(dovecot_auth_t)
-@@ -225,6 +244,7 @@
+@@ -225,6 +250,7 @@
')
optional_policy(`
@@ -20388,7 +20458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
postfix_search_spool(dovecot_auth_t)
')
-@@ -234,18 +254,28 @@
+@@ -234,18 +260,28 @@
#
allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
@@ -20417,7 +20487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
miscfiles_read_localization(dovecot_deliver_t)
-@@ -263,15 +293,24 @@
+@@ -263,15 +299,24 @@
userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
tunable_policy(`use_nfs_home_dirs',`
@@ -23047,7 +23117,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.19/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/mta.te 2010-08-17 15:09:15.400085159 +0200
++++ serefpolicy-3.7.19/policy/modules/services/mta.te 2010-08-24 13:50:13.396084105 +0200
@@ -21,8 +21,8 @@
type etc_mail_t;
files_config_file(etc_mail_t)
@@ -23059,7 +23129,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
type mqueue_spool_t;
files_mountpoint(mqueue_spool_t)
-@@ -57,15 +57,18 @@
+@@ -57,15 +57,14 @@
read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
@@ -23075,14 +23145,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
-kernel_request_load_module(system_mail_t)
+files_read_all_tmp_files(system_mail_t)
+files_read_usr_files(system_mail_t)
-+
-+kernel_read_system_state(user_mail_domain)
-+kernel_read_network_state(user_mail_domain)
-+kernel_request_load_module(user_mail_domain)
dev_read_sysfs(system_mail_t)
dev_read_rand(system_mail_t)
-@@ -75,10 +78,15 @@
+@@ -75,10 +74,15 @@
selinux_getattr_fs(system_mail_t)
@@ -23098,7 +23164,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
-@@ -89,6 +97,7 @@
+@@ -89,6 +93,7 @@
apache_dontaudit_rw_stream_sockets(system_mail_t)
apache_dontaudit_rw_tcp_sockets(system_mail_t)
apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
@@ -23106,7 +23172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
optional_policy(`
-@@ -100,6 +109,11 @@
+@@ -100,6 +105,11 @@
')
optional_policy(`
@@ -23118,7 +23184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
clamav_stream_connect(system_mail_t)
clamav_append_log(system_mail_t)
')
-@@ -107,6 +121,9 @@
+@@ -107,6 +117,9 @@
optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
cron_dontaudit_write_pipes(system_mail_t)
@@ -23128,23 +23194,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
optional_policy(`
-@@ -120,12 +137,13 @@
+@@ -120,12 +133,8 @@
')
optional_policy(`
- exim_domtrans(system_mail_t)
- exim_manage_log(system_mail_t)
-+ exim_domtrans(user_mail_domain)
-+ exim_manage_log(user_mail_domain)
- ')
-
- optional_policy(`
+-')
+-
+-optional_policy(`
fail2ban_append_log(system_mail_t)
+ fail2ban_dontaudit_leaks(system_mail_t)
')
optional_policy(`
-@@ -142,6 +160,10 @@
+@@ -142,6 +151,10 @@
')
optional_policy(`
@@ -23155,28 +23219,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
nagios_read_tmp_files(system_mail_t)
')
-@@ -156,15 +178,15 @@
- domain_use_interactive_fds(system_mail_t)
+@@ -154,18 +167,6 @@
+ files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
- # postfix needs this for newaliases
+ domain_use_interactive_fds(system_mail_t)
+-
+- # postfix needs this for newaliases
- files_getattr_tmp_dirs(system_mail_t)
-+ files_getattr_tmp_dirs(user_mail_domain)
-
+-
- postfix_exec_master(system_mail_t)
- postfix_read_config(system_mail_t)
- postfix_search_spool(system_mail_t)
-+ postfix_exec_master(user_mail_domain)
-+ postfix_read_config(user_mail_domain)
-+ postfix_search_spool(user_mail_domain)
-
- ifdef(`distro_redhat',`
- # compatability for old default main.cf
+-
+- ifdef(`distro_redhat',`
+- # compatability for old default main.cf
- postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
-+ postfix_config_filetrans(user_mail_domain, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
- ')
+- ')
')
-@@ -185,6 +207,10 @@
+ optional_policy(`
+@@ -185,6 +186,10 @@
')
optional_policy(`
@@ -23187,7 +23249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
smartmon_read_tmp_files(system_mail_t)
')
-@@ -216,7 +242,8 @@
+@@ -216,7 +221,8 @@
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -23197,7 +23259,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
-@@ -245,6 +272,10 @@
+@@ -245,6 +251,10 @@
mailman_read_data_symlinks(mailserver_delivery)
')
@@ -23208,6 +23270,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
########################################
#
# User send mail local policy
+@@ -288,3 +298,33 @@
+ postfix_read_config(user_mail_t)
+ postfix_list_spool(user_mail_t)
+ ')
++
++#######################################
++#
++# Common user_mail_domain policy
++#
++
++read_files_pattern(user_mail_domain, etc_aliases_t, etc_aliases_t)
++
++kernel_read_system_state(user_mail_domain)
++kernel_read_network_state(user_mail_domain)
++kernel_request_load_module(user_mail_domain)
++
++optional_policy(`
++ # postfix needs this for newaliases
++ files_getattr_tmp_dirs(user_mail_domain)
++
++ postfix_exec_master(user_mail_domain)
++ postfix_read_config(user_mail_domain)
++ postfix_search_spool(user_mail_domain)
++
++ ifdef(`distro_redhat',`
++ # compatability for old default main.cf
++ postfix_config_filetrans(user_mail_domain, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
++ ')
++')
++
++optional_policy(`
++ exim_domtrans(user_mail_domain)
++ exim_manage_log(user_mail_domain)
++')
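Review bot: `postfix_read_config(user_mail_domain)` and `postfix_search_spool(user_mail_domain)` in the new common block appear to duplicate `postfix_read_config(user_mail_t)` / `postfix_list_spool(user_mail_t)` shown as context at the top of the hunk, if user_mail_t carries the user_mail_domain attribute (the attribute assignment is not visible here); one of the two should go. The block also widens `kernel_request_load_module` and `postfix_exec_master` from system_mail_t (as removed in the earlier mta.te hunks at `@@ -23075` and `@@ -23155`) to every domain with the attribute, so a comment stating that this is intentional would be useful, e.g. `# rules shared by all user_mail_domain types (system_mail_t, user_mail_t, ...)` above the section header. The comment `# compatability for old default main.cf` carries over a typo; it should read `compatibility`.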
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.7.19/policy/modules/services/munin.fc
--- nsaserefpolicy/policy/modules/services/munin.fc 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/munin.fc 2010-05-28 09:42:00.127610888 +0200
@@ -27532,7 +27628,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.19/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/postfix.te 2010-08-02 09:16:41.169891320 +0200
++++ serefpolicy-3.7.19/policy/modules/services/postfix.te 2010-08-24 14:10:06.610083596 +0200
@@ -6,6 +6,15 @@
# Declarations
#
@@ -27811,12 +27907,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -379,6 +435,12 @@
+@@ -379,6 +435,14 @@
rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+
++corecmd_exec_bin(postfix_pipe_t)
++
+optional_policy(`
+ dovecot_domtrans_deliver(postfix_pipe_t)
+')
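Review bot: `corecmd_exec_bin(postfix_pipe_t)` lets the pipe domain execute any bin_t/sbin_t binary in its own domain, which is much broader than the surrounding rules that transition to a dedicated domain per delivery agent (postdrop, dovecot deliver, procmail, uux). If a specific delivery command without its own domain needed this, name it in a comment so the grant can be revisited, e.g. `# pipe(8) runs <command placeholder> from bin_t; no dedicated domain exists`. The postfix_pipe_t local policy continues outside this hunk.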
@@ -27824,7 +27922,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
optional_policy(`
procmail_domtrans(postfix_pipe_t)
')
-@@ -388,6 +450,16 @@
+@@ -388,6 +452,16 @@
')
optional_policy(`
@@ -27841,7 +27939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
uucp_domtrans_uux(postfix_pipe_t)
')
-@@ -415,6 +487,10 @@
+@@ -415,6 +489,10 @@
mta_rw_user_mail_stream_sockets(postfix_postdrop_t)
optional_policy(`
@@ -27852,7 +27950,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
')
-@@ -424,8 +500,11 @@
+@@ -424,8 +502,11 @@
')
optional_policy(`
@@ -27866,7 +27964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
')
#######################################
-@@ -451,6 +530,17 @@
+@@ -451,6 +532,17 @@
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
@@ -27884,7 +27982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
#
# Postfix qmgr local policy
-@@ -464,6 +554,7 @@
+@@ -464,6 +556,7 @@
manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
@@ -27892,7 +27990,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
-@@ -499,13 +590,14 @@
+@@ -499,13 +592,14 @@
#
# connect to master process
@@ -27908,7 +28006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
optional_policy(`
cyrus_stream_connect(postfix_smtp_t)
-@@ -535,9 +627,18 @@
+@@ -535,9 +629,18 @@
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
@@ -27927,7 +28025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
mailman_read_data_files(postfix_smtpd_t)
')
-@@ -559,20 +660,22 @@
+@@ -559,20 +662,22 @@
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
@@ -28564,8 +28662,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.te serefpolicy-3.7.19/policy/modules/services/qpidd.te
--- nsaserefpolicy/policy/modules/services/qpidd.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/qpidd.te 2010-06-28 16:21:33.763401566 +0200
-@@ -0,0 +1,61 @@
++++ serefpolicy-3.7.19/policy/modules/services/qpidd.te 2010-08-24 15:45:39.029334176 +0200
+@@ -0,0 +1,59 @@
+policy_module(qpidd,1.0.0)
+
+########################################
@@ -28577,8 +28675,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid
+type qpidd_exec_t;
+init_daemon_domain(qpidd_t, qpidd_exec_t)
+
-+permissive qpidd_t;
-+
+type qpidd_initrc_exec_t;
+init_script_file(qpidd_initrc_exec_t)
+
@@ -32869,16 +32965,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucsp
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.te serefpolicy-3.7.19/policy/modules/services/ulogd.te
--- nsaserefpolicy/policy/modules/services/ulogd.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/ulogd.te 2010-08-18 13:20:36.768085114 +0200
-@@ -32,6 +32,7 @@
++++ serefpolicy-3.7.19/policy/modules/services/ulogd.te 2010-08-24 14:41:34.195084825 +0200
+@@ -32,6 +32,9 @@
allow ulogd_t self:capability net_admin;
allow ulogd_t self:netlink_nflog_socket create_socket_perms;
+allow ulogd_t self:netlink_route_socket r_netlink_socket_perms;
++allow ulogd_t self:tcp_socket { create_stream_socket_perms connect };
++allow ulogd_t self:udp_socket create_socket_perms;
# config files
read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
-@@ -44,6 +45,16 @@
+@@ -44,6 +47,19 @@
manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
logging_log_filetrans(ulogd_t, ulogd_var_log_t, file)
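Review bot: The new tcp_socket and udp_socket rules for ulogd_t carry no comment tying them to a peer, while the matching network interfaces (`sysnet_dns_name_resolve`, `postgresql_tcp_connect`) are added in the following hunk at `@@ -32888`; a line such as `# udp: DNS lookups; tcp: postgresql/mysql output plugins` above them would make the pairing obvious. In refpolicy's permission sets `create_stream_socket_perms` already contains `connect` via `rw_socket_perms`, so the explicit `connect` looks redundant — confirm against the policy's obj_perm_sets. Since ulogd only connects out here, `create_socket_perms` (as used on the udp line) would also avoid granting `listen`/`accept` on the TCP socket.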
@@ -32888,12 +32986,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulog
miscfiles_read_localization(ulogd_t)
+
++sysnet_dns_name_resolve(ulogd_t)
++
+optional_policy(`
+ mysql_stream_connect(ulogd_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(ulogd_t)
++ postgresql_tcp_connect(ulogd_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.7.19/policy/modules/services/usbmuxd.fc
--- nsaserefpolicy/policy/modules/services/usbmuxd.fc 2010-04-13 20:44:36.000000000 +0200
@@ -36930,17 +37031,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.
dev_read_sysfs(kdump_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.19/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/libraries.fc 2010-08-17 11:05:48.905085267 +0200
-@@ -127,17 +127,16 @@
++++ serefpolicy-3.7.19/policy/modules/system/libraries.fc 2010-08-24 15:43:47.418115008 +0200
+@@ -127,17 +127,19 @@
/usr/lib64/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/vlc/plugins/mmx/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/vlc/codec/plugins/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib64/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib64/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/vlc/codec/plugins/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib64/vlc/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib64/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libtfmessbsp\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
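Review bot: The two new entries `/usr/lib/vlc/codec/plugins/libdmo_plugin\.so` and `/usr/lib/vlc/codec/plugins/librealaudio_plugin\.so` order the directories as `codec/plugins`, whereas the other new entry in this hunk uses `/usr/lib/vlc/plugins/mmx/...`; please verify against an installed package that the path is not meant to be `/usr/lib/vlc/plugins/codec/...`, since a mistyped path silently labels nothing. The lib64 side is covered by the `/usr/lib64/vlc/.*\.so` catch-all, so the new lib-only lines are consistent with that.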
@@ -36952,7 +37056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
/usr/lib(64)?/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -151,6 +150,7 @@
+@@ -151,6 +153,7 @@
/usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -36960,7 +37064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
/usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -208,6 +208,7 @@
+@@ -208,6 +211,7 @@
/usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -36968,7 +37072,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
/usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -302,13 +303,8 @@
+@@ -302,13 +306,8 @@
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -36984,7 +37088,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
') dnl end distro_redhat
#
-@@ -319,14 +315,153 @@
+@@ -319,14 +318,153 @@
/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
@@ -37057,7 +37161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
+/usr/lib(64)?/yafaray/libDarkSky.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/libpostproc4vlc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libpostproc.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
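Review bot: The widened pattern `/usr/lib(64)?/libpostproc.*\.so.*` also matches everything the line above it, `/usr/lib(64)?/libpostproc\.so.*`, matches (the `.*` may be empty), so the narrower line is now redundant and can be dropped. If the two are kept deliberately, a short comment such as `# catches libpostproc4vlc and other suffixed builds` above the wildcard line would explain why.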
@@ -38100,7 +38204,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.19/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/mount.te 2010-07-23 14:17:46.258138786 +0200
++++ serefpolicy-3.7.19/policy/modules/system/mount.te 2010-08-24 15:45:51.837083741 +0200
@@ -18,8 +18,15 @@
init_system_domain(mount_t, mount_exec_t)
role system_r types mount_t;
@@ -38117,7 +38221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
type mount_tmp_t;
files_tmp_file(mount_tmp_t)
-@@ -29,6 +36,19 @@
+@@ -29,6 +36,17 @@
# policy--duplicate type declaration
type unconfined_mount_t;
application_domain(unconfined_mount_t, mount_exec_t)
@@ -38132,12 +38236,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+type showmount_exec_t;
+application_domain(showmount_t, showmount_exec_t)
+role system_r types showmount_t;
-+
-+permissive showmount_t;
########################################
#
-@@ -36,7 +56,11 @@
+@@ -36,7 +54,11 @@
#
# setuid/setgid needed to mount cifs
@@ -38150,7 +38252,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
allow mount_t mount_loopback_t:file read_file_perms;
-@@ -47,30 +71,52 @@
+@@ -47,30 +69,52 @@
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
@@ -38205,7 +38307,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
files_mount_all_file_type_fs(mount_t)
files_unmount_all_file_type_fs(mount_t)
# for when /etc/mtab loses its type
-@@ -80,15 +126,19 @@
+@@ -80,15 +124,19 @@
files_read_usr_files(mount_t)
files_list_mnt(mount_t)
@@ -38228,7 +38330,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
mls_file_read_all_levels(mount_t)
mls_file_write_all_levels(mount_t)
-@@ -99,6 +149,7 @@
+@@ -99,6 +147,7 @@
storage_raw_write_fixed_disk(mount_t)
storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)
@@ -38236,7 +38338,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
term_use_all_terms(mount_t)
-@@ -107,6 +158,8 @@
+@@ -107,6 +156,8 @@
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@@ -38245,7 +38347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
logging_send_syslog_msg(mount_t)
-@@ -117,6 +170,12 @@
+@@ -117,6 +168,12 @@
seutil_read_config(mount_t)
userdom_use_all_users_fds(mount_t)
@@ -38258,7 +38360,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
ifdef(`distro_redhat',`
optional_policy(`
-@@ -132,10 +191,17 @@
+@@ -132,10 +189,17 @@
')
')
@@ -38276,7 +38378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
optional_policy(`
-@@ -165,6 +231,8 @@
+@@ -165,6 +229,8 @@
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -38285,7 +38387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
optional_policy(`
-@@ -172,6 +240,25 @@
+@@ -172,6 +238,25 @@
')
optional_policy(`
@@ -38311,7 +38413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -179,6 +266,11 @@
+@@ -179,6 +264,11 @@
')
')
@@ -38323,7 +38425,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
# for kernel package installation
optional_policy(`
rpm_rw_pipes(mount_t)
-@@ -186,6 +278,19 @@
+@@ -186,6 +276,19 @@
optional_policy(`
samba_domtrans_smbmount(mount_t)
@@ -38343,7 +38445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
########################################
-@@ -194,6 +299,42 @@
+@@ -194,6 +297,42 @@
#
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 647c862..4005798 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 49%{?dist}
+Release: 50%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,10 @@ exit 0
%endif
%changelog
+* Tue Aug 24 2010 Miroslav Grepl 3.7.19-50
+- Fixes for boinc policy
+- Fixes for shorewall policy
+
* Fri Aug 20 2010 Miroslav Grepl 3.7.19-49
- Add label for /var/cache/rpcbind directory
- Add chrome_role for xguest