++## Allow Apache to execute tmp content. ++##
++##
+ ## Unify HTTPD to communicate with the terminal.
+ ## Needed for entering the passphrase for certificates at
+ ## the terminal.
+@@ -519,6 +526,14 @@
+ manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
+ ')
+
++tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
++ can_exec(httpd_t, httpd_tmp_t)
++')
++
++tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
++ can_exec(httpd_sys_script_t, httpd_tmp_t)
++')
++
+ tunable_policy(`httpd_enable_ftp_server',`
+ corenet_tcp_bind_ftp_port(httpd_t)
+ ')
+@@ -681,6 +696,7 @@
unconfined_domain(httpd_unconfined_script_t)
role system_r types httpd_unconfined_script_t;
@@ -3581,18 +3651,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.12/policy/modules/services/networkmanager.fc
--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2009-06-25 10:19:44.000000000 +0200
-+++ serefpolicy-3.6.12/policy/modules/services/networkmanager.fc 2009-12-09 16:25:03.000000000 +0100
-@@ -12,6 +12,7 @@
++++ serefpolicy-3.6.12/policy/modules/services/networkmanager.fc 2010-01-06 11:15:05.000000000 +0100
+@@ -12,7 +12,9 @@
/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
/etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
++/etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0)
+ /var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.12/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-06-25 10:19:44.000000000 +0200
-+++ serefpolicy-3.6.12/policy/modules/services/networkmanager.te 2009-12-09 16:22:09.000000000 +0100
++++ serefpolicy-3.6.12/policy/modules/services/networkmanager.te 2010-01-06 16:11:15.000000000 +0100
@@ -57,7 +57,9 @@
manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, sock_file)
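Review bot: The new `/etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)` entry labels the daemon's whole configuration tree with the same writable type as its /var/lib state, so every domain that can manage `NetworkManager_var_lib_t` can also rewrite the configuration under /etc; if only the connection files need to be daemon-writable, the narrower `system-connections` entry that already exists on the previous line is enough. If the whole tree really must be writable, a comment above the new entry should say so, e.g. `# NM rewrites its own config and connection files, so /etc/NetworkManager is treated as lib content, not etc_t`. As written, the `system-connections` line is fully subsumed by the new pattern with the same label and could be dropped. The inner networkmanager.te hunk that starts at `@@ -57,7 +57,9 @@` continues outside this outer hunk, so its added lines are not reviewed here.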
@@ -3603,6 +3675,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+@@ -148,6 +150,7 @@
+ userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
+ userdom_dontaudit_use_user_ttys(NetworkManager_t)
+ # Read gnome-keyring
++userdom_read_home_certs(NetworkManager_t)
+ userdom_read_user_home_content_files(NetworkManager_t)
+ userdom_dgram_send(NetworkManager_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.12/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te 2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/nis.te 2009-06-26 15:48:39.000000000 +0200
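Review bot: The `# Read gnome-keyring` comment above the new `userdom_read_home_certs(NetworkManager_t)` call no longer describes the block, since the daemon now also reads certificates from users' home directories; change it to `# Read gnome-keyring and user certificates from home directories`. Whether this call sits inside a tunable is not visible in the hunk; the neighbouring `userdom_read_user_home_content_files(NetworkManager_t)` call is also unconditional here, so if home-directory access is meant to be optional both belong under the same boolean. The enclosing block of networkmanager.te starts and ends outside the hunk.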
@@ -4034,7 +4114,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.12/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2009-06-25 10:19:44.000000000 +0200
-+++ serefpolicy-3.6.12/policy/modules/services/postfix.te 2009-07-31 13:05:36.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/services/postfix.te 2010-01-05 18:40:19.000000000 +0100
@@ -42,9 +42,6 @@
mta_manage_spool(postfix_local_t)
')
@@ -4081,7 +4161,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
locallogin_dontaudit_use_fds(postfix_map_t)
')
-@@ -508,7 +490,7 @@
+@@ -469,6 +451,7 @@
+
+ optional_policy(`
+ spamassassin_domtrans_client(postfix_pipe_t)
++ spamassassin_kill_client(postfix_pipe_t)
+ ')
+
+ optional_policy(`
+@@ -508,7 +491,7 @@
')
optional_policy(`
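Review bot: `spamassassin_kill_client(postfix_pipe_t)` is added without a comment saying why the pipe domain needs to send a kill signal to the client it spawns through `spamassassin_domtrans_client(postfix_pipe_t)` on the previous line; a one-liner such as `# pipe spawns the spamassassin client and must be able to terminate it` would make the intent clear to the next reader. The interface itself appears to be introduced in the spamassassin.if hunk at the end of this patch, which is cut off here, so which permission it actually grants (signal versus sigkill) could not be checked; the interface name should match what it grants. The `optional_policy` block closes inside the hunk, but the surrounding file context is outside it.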
@@ -4090,7 +4178,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -640,7 +622,7 @@
+@@ -640,7 +623,7 @@
mta_read_aliases(postfix_smtpd_t)
optional_policy(`
@@ -4099,7 +4187,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -665,10 +647,6 @@
+@@ -665,10 +648,6 @@
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
@@ -4307,16 +4395,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_read_all_symlinks_except_shadow(rsync_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.12/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2009-06-25 10:19:44.000000000 +0200
-+++ serefpolicy-3.6.12/policy/modules/services/samba.te 2009-09-22 17:53:46.000000000 +0200
-@@ -280,6 +280,7 @@
++++ serefpolicy-3.6.12/policy/modules/services/samba.te 2010-01-06 13:53:59.000000000 +0100
+@@ -280,6 +280,9 @@
files_pid_filetrans(smbd_t, smbd_var_run_t, file)
allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms;
+allow smbd_t winbind_t:process { signal signull };
++
++allow smbd_t swat_t:process signal;
kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
-@@ -342,6 +343,8 @@
+@@ -342,6 +345,8 @@
miscfiles_read_localization(smbd_t)
miscfiles_read_public_files(smbd_t)
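Review bot: The new `allow smbd_t swat_t:process signal;` lets the file server signal the web-administration domain, the opposite direction from the `allow swat_t nmbd_t:process { signal signull };` rule visible in the next hunk, and nothing says why; a comment above it, e.g. `# smbd may be started from swat and signals its parent — confirm`, would document the reason. The same applies to `allow nmbd_t swat_t:process signal;` added in the following hunk (`@@ -472,6 +477,8 @@`), so one comment at each site or a shared note near the swat_t declaration would cover both. The smbd_t section continues outside this hunk.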
@@ -4325,7 +4415,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_use_unpriv_users_fds(smbd_t)
userdom_dontaudit_search_user_home_dirs(smbd_t)
-@@ -924,3 +927,6 @@
+@@ -472,6 +477,8 @@
+
+ manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
+
++allow nmbd_t swat_t:process signal;
++
+ allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
+
+ kernel_getattr_core_if(nmbd_t)
+@@ -622,7 +629,8 @@
+ allow swat_t smbd_var_run_t:file { lock unlink };
+
+ allow swat_t nmbd_exec_t:file mmap_file_perms;
+-can_exec(swat_t, nmbd_exec_t)
++samba_domtrans_nmb(swat_t)
++#can_exec(swat_t, nmbd_exec_t)
+ allow swat_t nmbd_port_t:udp_socket name_bind;
+ allow swat_t nmbd_t:process { signal signull };
+ allow swat_t nmbd_var_run_t:file { lock read unlink };
+@@ -924,3 +932,6 @@
allow winbind_t smbcontrol_t:process signal;
allow smbcontrol_t nmbd_var_run_t:file { read lock };
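Review bot: The replaced `can_exec(swat_t, nmbd_exec_t)` is left behind as the commented-out line `#can_exec(swat_t, nmbd_exec_t)` directly under `samba_domtrans_nmb(swat_t)`; commented-out rules are dead code in policy files and the history already records the old rule, so the line should be deleted. With the domain transition in place, the `allow swat_t nmbd_exec_t:file mmap_file_perms;` line just above it looks redundant, assuming `samba_domtrans_nmb` grants the execute permissions the transition needs; if it is still required, a comment saying what swat still maps from the nmbd binary would justify keeping it. The swat_t block starts before this inner hunk and continues after it.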
@@ -4823,7 +4932,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.12/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te 2009-06-25 10:19:44.000000000 +0200
-+++ serefpolicy-3.6.12/policy/modules/services/snmp.te 2009-09-16 13:08:08.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/services/snmp.te 2010-01-05 18:41:36.000000000 +0100
+@@ -27,7 +27,7 @@
+ #
+ allow snmpd_t self:capability { dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
+ dontaudit snmpd_t self:capability { sys_module sys_tty_config };
+-allow snmpd_t self:process { getsched setsched };
++allow snmpd_t self:process { signal getsched setsched };
+ allow snmpd_t self:fifo_file rw_fifo_file_perms;
+ allow snmpd_t self:unix_dgram_socket create_socket_perms;
+ allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
@@ -71,6 +71,8 @@
corenet_tcp_bind_snmp_port(snmpd_t)
corenet_udp_bind_snmp_port(snmpd_t)
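Review bot: `sys_tty_config` is listed both in `allow snmpd_t self:capability { dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };` and in the `dontaudit snmpd_t self:capability { sys_module sys_tty_config };` line below it; an allowed permission never produces a denial to suppress, so the dontaudit entry for it is dead and one of the two should go, depending on whether the daemon actually needs the capability. The added `signal` in `allow snmpd_t self:process { signal getsched setsched };` is consistent with the `kill` capability already granted above it, but like the other additions in this patch it carries no comment naming the snmpd behaviour that required it. The self-permission block continues outside the hunk.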
@@ -4861,6 +4979,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.12/policy/modules/services/spamassassin.if
+--- nsaserefpolicy/policy/modules/services/spamassassin.if 2009-06-25 10:19:44.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/services/spamassassin.if 2010-01-05 18:39:03.000000000 +0100
+@@ -246,6 +246,24 @@
+ stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
+ ')
+
++#######################################
++##