[selinux-policy/f14/master] * Tue Aug 10 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-12 - Fix devicekit_power bug - Allow policykit
Daniel J Walsh
dwalsh at fedoraproject.org
Wed Aug 11 11:53:32 UTC 2010
commit 26a21399376d2624ea8ce5fac27378c891f84001
Author: Dan Walsh <dwalsh at redhat.com>
Date: Wed Aug 11 07:53:30 2010 -0400
* Tue Aug 10 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-12
- Fix devicekit_power bug
- Allow policykit_auth_t more access.
policy-F14.patch | 687 +++++++++++++++++++++++++++++++++++++++------------
selinux-policy.spec | 6 +-
2 files changed, 539 insertions(+), 154 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index 7d4f405..bb9a0b2 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -1034,6 +1034,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloa
## </summary>
## </param>
#
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.if serefpolicy-3.8.8/policy/modules/admin/brctl.if
+--- nsaserefpolicy/policy/modules/admin/brctl.if 2010-07-27 16:06:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/brctl.if 2010-08-10 05:23:35.000000000 -0400
+@@ -17,3 +17,22 @@
+
+ domtrans_pattern($1, brctl_exec_t, brctl_t)
+ ')
++
++#####################################
++## <summary>
++## Execute brctl in the brctl domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`brctl_run',`
++ gen_require(`
++ type brctl_t, brctl_exec_t;
++ ')
++
++ brctl_domtrans($1)
++ role $2 types brctl_t;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.if serefpolicy-3.8.8/policy/modules/admin/certwatch.if
--- nsaserefpolicy/policy/modules/admin/certwatch.if 2010-07-27 16:12:33.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/admin/certwatch.if 2010-07-30 14:06:53.000000000 -0400
@@ -1483,8 +1509,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool
+/usr/bin/ncftool -- gen_context(system_u:object_r:ncftool_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.if serefpolicy-3.8.8/policy/modules/admin/ncftool.if
--- nsaserefpolicy/policy/modules/admin/ncftool.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/admin/ncftool.if 2010-07-30 14:06:53.000000000 -0400
-@@ -0,0 +1,74 @@
++++ serefpolicy-3.8.8/policy/modules/admin/ncftool.if 2010-08-10 05:23:35.000000000 -0400
+@@ -0,0 +1,78 @@
+
+## <summary>policy for ncftool</summary>
+
@@ -1529,6 +1555,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool
+
+ ncftool_domtrans($1)
+ role $2 types ncftool_t;
++
++ optional_policy(`
++ brctl_run(ncftool_t, $2)
++ ')
+')
+
+########################################
@@ -1561,8 +1591,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.te serefpolicy-3.8.8/policy/modules/admin/ncftool.te
--- nsaserefpolicy/policy/modules/admin/ncftool.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/admin/ncftool.te 2010-07-30 14:06:53.000000000 -0400
-@@ -0,0 +1,79 @@
++++ serefpolicy-3.8.8/policy/modules/admin/ncftool.te 2010-08-10 05:23:35.000000000 -0400
+@@ -0,0 +1,87 @@
+policy_module(ncftool, 1.0.0)
+
+########################################
@@ -1608,6 +1638,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool
+
+dev_read_sysfs(ncftool_t)
+
++files_manage_system_conf_files(ncftool_t)
++files_relabelto_system_conf_files(ncftool_t)
+files_read_etc_files(ncftool_t)
+files_read_etc_runtime_files(ncftool_t)
+files_read_usr_files(ncftool_t)
@@ -1628,19 +1660,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool
+sysnet_read_dhcpc_state(ncftool_t)
+sysnet_relabelfrom_net_conf(ncftool_t)
+sysnet_relabelto_net_conf(ncftool_t)
++sysnet_read_dhcpc_pid(ncftool_t)
++sysnet_signal_dhcpc(ncftool_t)
+
+userdom_read_user_tmp_files(ncftool_t)
+
+optional_policy(`
-+ brctl_domtrans(ncftool_t)
++ consoletype_exec(ncftool_t)
+')
+
+optional_policy(`
-+ consoletype_exec(ncftool_t)
++ dbus_system_bus_client(ncftool_t)
+')
+
+optional_policy(`
-+ dbus_system_bus_client(ncftool_t)
++ iptables_initrc_domtrans(ncftool_t)
++')
++
++optional_policy(`
++ iptables_initrc_domtrans(ncftool_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.8.8/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2010-07-27 16:06:04.000000000 -0400
@@ -1729,7 +1767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.8.8/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/prelink.te 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/prelink.te 2010-08-10 07:29:36.000000000 -0400
@@ -59,6 +59,7 @@
manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
@@ -1764,7 +1802,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
optional_policy(`
amanda_manage_lib(prelink_t)
-@@ -129,6 +135,7 @@
+@@ -109,6 +115,10 @@
+ ')
+
+ optional_policy(`
++ nsplugin_manage_rw_files(prelink_t)
++')
++
++optional_policy(`
+ rpm_manage_tmp_files(prelink_t)
+ ')
+
+@@ -129,6 +139,7 @@
read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
allow prelink_cron_system_t prelink_cache_t:file unlink;
@@ -1814,7 +1863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahe
fs_dontaudit_read_ramfs_files(readahead_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.8.8/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/rpm.fc 2010-07-30 14:08:20.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/rpm.fc 2010-08-06 11:14:58.000000000 -0400
@@ -7,6 +7,7 @@
/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -1833,12 +1882,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc
')
/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
-@@ -35,7 +39,7 @@
-
+@@ -36,6 +40,8 @@
/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0)
/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
--
-+/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_log_t,s0)
+
++/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
++
/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0)
/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
@@ -2405,7 +2454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.8.8/policy/modules/admin/shutdown.te
--- nsaserefpolicy/policy/modules/admin/shutdown.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/shutdown.te 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/shutdown.te 2010-08-10 05:23:35.000000000 -0400
@@ -36,6 +36,8 @@
files_read_etc_files(shutdown_t)
files_read_generic_pids(shutdown_t)
@@ -2415,6 +2464,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
term_use_all_terms(shutdown_t)
auth_use_nsswitch(shutdown_t)
+@@ -55,5 +57,10 @@
+ ')
+
+ optional_policy(`
++ oddjob_dontaudit_rw_fifo_file(shutdown_t)
++ oddjob_sigchld(shutdown_t)
++')
++
++optional_policy(`
+ xserver_dontaudit_write_log(shutdown_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.8.8/policy/modules/admin/sudo.if
--- nsaserefpolicy/policy/modules/admin/sudo.if 2010-07-27 16:06:04.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/admin/sudo.if 2010-07-30 14:06:53.000000000 -0400
@@ -4720,7 +4780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.8.8/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.if 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.if 2010-08-10 07:28:28.000000000 -0400
@@ -0,0 +1,391 @@
+
+## <summary>policy for nsplugin</summary>
@@ -5115,8 +5175,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.8.8/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.te 2010-08-04 10:07:33.000000000 -0400
-@@ -0,0 +1,299 @@
++++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.te 2010-08-10 11:45:49.000000000 -0400
+@@ -0,0 +1,300 @@
+policy_module(nsplugin, 1.0.0)
+
+########################################
@@ -5274,6 +5334,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+
+optional_policy(`
+ alsa_read_rw_config(nsplugin_t)
++ alsa_read_home_files(nsplugin_t)
+')
+
+optional_policy(`
@@ -6626,8 +6687,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.8.8/policy/modules/apps/seunshare.te
--- nsaserefpolicy/policy/modules/apps/seunshare.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/seunshare.te 2010-07-30 14:06:53.000000000 -0400
-@@ -5,40 +5,41 @@
++++ serefpolicy-3.8.8/policy/modules/apps/seunshare.te 2010-08-06 12:05:20.000000000 -0400
+@@ -5,40 +5,45 @@
# Declarations
#
@@ -6641,8 +6702,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
#
# seunshare local policy
#
-+allow seunshare_domain self:capability { setuid dac_override setpcap sys_admin };
-+allow seunshare_domain self:process { fork setexec signal getcap setcap };
++allow seunshare_domain self:capability { setuid dac_override setpcap sys_admin sys_nice };
++allow seunshare_domain self:process { fork setexec signal getcap setcap setsched };
-allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
-allow seunshare_t self:process { setexec signal getcap setcap };
@@ -6651,29 +6712,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
-allow seunshare_t self:fifo_file rw_file_perms;
-allow seunshare_t self:unix_stream_socket create_stream_socket_perms;
-+corecmd_exec_shell(seunshare_domain)
-+corecmd_exec_bin(seunshare_domain)
++kernel_read_system_state(seunshare_domain)
-corecmd_exec_shell(seunshare_t)
-corecmd_exec_bin(seunshare_t)
-+files_search_all(seunshare_domain)
-+files_read_etc_files(seunshare_domain)
-+files_mounton_all_poly_members(seunshare_domain)
++corecmd_exec_shell(seunshare_domain)
++corecmd_exec_bin(seunshare_domain)
-files_read_etc_files(seunshare_t)
-files_mounton_all_poly_members(seunshare_t)
-+fs_manage_cgroup_dirs(seunshare_domain)
++files_search_all(seunshare_domain)
++files_read_etc_files(seunshare_domain)
++files_mounton_all_poly_members(seunshare_domain)
-auth_use_nsswitch(seunshare_t)
-+auth_use_nsswitch(seunshare_domain)
++fs_manage_cgroup_dirs(seunshare_domain)
++fs_manage_cgroup_files(seunshare_domain)
-logging_send_syslog_msg(seunshare_t)
-+logging_send_syslog_msg(seunshare_domain)
++auth_use_nsswitch(seunshare_domain)
-miscfiles_read_localization(seunshare_t)
-+miscfiles_read_localization(seunshare_domain)
++logging_send_syslog_msg(seunshare_domain)
-userdom_use_user_terminals(seunshare_t)
++miscfiles_read_localization(seunshare_domain)
++
+userdom_use_user_terminals(seunshare_domain)
ifdef(`hide_broken_symptoms', `
@@ -6686,6 +6750,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
+ mozilla_dontaudit_manage_user_home_files(seunshare_domain)
')
')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepathy.fc serefpolicy-3.8.8/policy/modules/apps/telepathy.fc
--- nsaserefpolicy/policy/modules/apps/telepathy.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.8.8/policy/modules/apps/telepathy.fc 2010-07-30 14:06:53.000000000 -0400
@@ -7397,8 +7462,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc
/opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.8.8/policy/modules/apps/wine.if
--- nsaserefpolicy/policy/modules/apps/wine.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/wine.if 2010-08-04 14:27:03.000000000 -0400
-@@ -35,6 +35,8 @@
++++ serefpolicy-3.8.8/policy/modules/apps/wine.if 2010-08-05 17:18:31.000000000 -0400
+@@ -29,12 +29,16 @@
+ #
+ template(`wine_role',`
+ gen_require(`
++ type wine_t;
++ type wine_home_t;
+ type wine_exec_t;
+ ')
+
role $1 types wine_t;
domain_auto_trans($2, wine_exec_t, wine_t)
@@ -7407,26 +7480,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if
allow wine_t $2:fd use;
allow wine_t $2:process { sigchld signull };
allow wine_t $2:unix_stream_socket connectto;
-@@ -101,9 +103,16 @@
+@@ -86,6 +90,7 @@
+ #
+ template(`wine_role_template',`
+ gen_require(`
++ type wine_t;
+ type wine_exec_t;
+ ')
+
+@@ -101,9 +106,16 @@
corecmd_bin_domtrans($1_wine_t, $1_t)
userdom_unpriv_usertype($1, $1_wine_t)
- userdom_manage_user_tmpfs_files($1_wine_t)
+ userdom_manage_tmpfs_role($2, $1_wine_t)
-
-- domain_mmap_low($1_wine_t)
++
+ domain_mmap_low_type($1_wine_t)
+ tunable_policy(`mmap_low_allowed',`
+ allow $1_wine_t self:memprotect mmap_zero;
+ ')
-+
+
+- domain_mmap_low($1_wine_t)
+ tunable_policy(`wine_mmap_zero_ignore',`
+ dontaudit $1_wine_t self:memprotect mmap_zero;
+ ')
optional_policy(`
xserver_role($1_r, $1_wine_t)
-@@ -136,7 +145,7 @@
+@@ -136,7 +148,7 @@
## </summary>
## <param name="domain">
## <summary>
@@ -8394,7 +8475,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.8.8/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/files.if 2010-08-05 14:54:37.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/files.if 2010-08-10 05:23:35.000000000 -0400
@@ -1053,10 +1053,8 @@
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -8499,7 +8580,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
########################################
## <summary>
## Mount a filesystem on /mnt.
-@@ -3711,6 +3765,64 @@
+@@ -3420,6 +3474,24 @@
+ read_files_pattern($1, mnt_t, mnt_t)
+ ')
+
++######################################
++## <summary>
++## Read symbolic links in /mnt.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_read_mnt_symlinks',`
++ gen_require(`
++ type mnt_t;
++ ')
++
++ read_lnk_files_pattern($1, mnt_t, mnt_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Create, read, write, and delete symbolic links in /mnt.
+@@ -3711,6 +3783,82 @@
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -8542,6 +8648,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
+ manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
+')
+
++######################################
++## <summary>
++## Relabel manageable system configuration files in /etc.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_relabelto_system_conf_files',`
++ gen_require(`
++ type usr_t;
++ ')
++
++ relabelto_files_pattern($1, system_conf_t, system_conf_t)
++')
++
+###################################
+## <summary>
+## Create files in /etc with the type used for
@@ -8564,7 +8688,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
########################################
## <summary>
## Allow the specified type to associate
-@@ -3896,6 +4008,32 @@
+@@ -3896,6 +4044,32 @@
########################################
## <summary>
@@ -8597,7 +8721,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
-@@ -4109,6 +4247,13 @@
+@@ -4109,6 +4283,13 @@
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -8611,10 +8735,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -5298,6 +5443,25 @@
+@@ -5298,6 +5479,43 @@
search_dirs_pattern($1, var_t, var_run_t)
')
++######################################
++## <summary>
++## Add and remove entries from pid directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_rw_pid_dirs',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ allow $1 var_run_t:dir rw_dir_perms;
++')
++
+#######################################
+## <summary>
+## Create generic pid directory.
@@ -8637,7 +8779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
########################################
## <summary>
## Do not audit attempts to search
-@@ -5505,6 +5669,26 @@
+@@ -5505,6 +5723,26 @@
########################################
## <summary>
@@ -8664,7 +8806,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Read all process ID files.
## </summary>
## <param name="domain">
-@@ -5522,6 +5706,7 @@
+@@ -5522,6 +5760,7 @@
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
@@ -8672,7 +8814,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -5807,3 +5992,229 @@
+@@ -5807,3 +6046,229 @@
typeattribute $1 files_unconfined_type;
')
@@ -10783,8 +10925,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.8.8/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/roles/unconfineduser.te 2010-08-04 16:24:57.000000000 -0400
-@@ -0,0 +1,449 @@
++++ serefpolicy-3.8.8/policy/modules/roles/unconfineduser.te 2010-08-11 07:44:10.000000000 -0400
+@@ -0,0 +1,453 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -11050,6 +11192,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+ ')
+
+ optional_policy(`
++ ipsec_mgmt_dbus_chat(unconfined_usertype)
++ ')
++
++ optional_policy(`
+ kerneloops_dbus_chat(unconfined_usertype)
+ ')
+
@@ -11297,7 +11443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.8.8/policy/modules/roles/xguest.te
--- nsaserefpolicy/policy/modules/roles/xguest.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/roles/xguest.te 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/roles/xguest.te 2010-08-06 11:01:58.000000000 -0400
@@ -14,7 +14,7 @@
## <desc>
@@ -11379,10 +11525,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
+
+optional_policy(`
+ nsplugin_role(xguest_r, xguest_t)
-+')
-+
-+optional_policy(`
-+ telepathy_dbus_session_role(xguest_r, xguest_t)
')
optional_policy(`
@@ -11423,18 +11565,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
+ corenet_tcp_sendrecv_transproxy_port(xguest_usertype)
+ corenet_tcp_connect_transproxy_port(xguest_usertype)
+ ')
-+')
+
++ optional_policy(`
++ telepathy_dbus_session_role(xguest_r, xguest_t)
+ ')
+ ')
+
+-#gen_user(xguest_u,, xguest_r, s0, s0)
+optional_policy(`
+ gen_require(`
+ type mozilla_t;
- ')
++ ')
+
+ allow xguest_t mozilla_t:process transition;
+ role xguest_r types mozilla_t;
- ')
-
--#gen_user(xguest_u,, xguest_r, s0, s0)
++')
++
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.8.8/policy/modules/services/abrt.fc
--- nsaserefpolicy/policy/modules/services/abrt.fc 2010-07-27 16:06:05.000000000 -0400
@@ -11449,7 +11595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.8.8/policy/modules/services/abrt.if
--- nsaserefpolicy/policy/modules/services/abrt.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/abrt.if 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/abrt.if 2010-08-10 07:15:12.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -12443,7 +12589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.8.8/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/apache.te 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/apache.te 2010-08-10 11:21:49.000000000 -0400
@@ -18,6 +18,8 @@
# Declarations
#
@@ -12729,7 +12875,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_ssi_exec',`
-@@ -513,7 +625,13 @@
+@@ -500,8 +612,10 @@
+ # are dontaudited here.
+ tunable_policy(`httpd_tty_comm',`
+ userdom_use_user_terminals(httpd_t)
++ userdom_use_user_terminals(httpd_suexec_t)
+ ',`
+ userdom_dontaudit_use_user_terminals(httpd_t)
++ userdom_dontaudit_use_user_terminals(httpd_suexec_t)
+ ')
+
+ optional_policy(`
+@@ -513,7 +627,13 @@
')
optional_policy(`
@@ -12744,7 +12901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -528,7 +646,7 @@
+@@ -528,7 +648,7 @@
daemontools_service_domain(httpd_t, httpd_exec_t)
')
@@ -12753,7 +12910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +655,12 @@
+@@ -537,8 +657,12 @@
')
optional_policy(`
@@ -12767,7 +12924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
-@@ -557,6 +679,7 @@
+@@ -557,6 +681,7 @@
optional_policy(`
# Allow httpd to work with mysql
@@ -12775,7 +12932,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -567,6 +690,7 @@
+@@ -567,6 +692,7 @@
optional_policy(`
nagios_read_config(httpd_t)
@@ -12783,7 +12940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -577,12 +701,23 @@
+@@ -577,12 +703,23 @@
')
optional_policy(`
@@ -12807,7 +12964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
-@@ -591,6 +726,11 @@
+@@ -591,6 +728,11 @@
')
optional_policy(`
@@ -12819,7 +12976,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -603,6 +743,10 @@
+@@ -603,6 +745,10 @@
yam_read_content(httpd_t)
')
@@ -12830,7 +12987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache helper local policy
-@@ -618,6 +762,10 @@
+@@ -618,6 +764,10 @@
userdom_use_user_terminals(httpd_helper_t)
@@ -12841,7 +12998,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache PHP script local policy
-@@ -699,17 +847,18 @@
+@@ -699,17 +849,18 @@
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -12863,7 +13020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,10 +889,21 @@
+@@ -740,10 +891,21 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -12886,7 +13043,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -769,6 +929,12 @@
+@@ -769,6 +931,12 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -12899,7 +13056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache system script local policy
-@@ -792,9 +958,13 @@
+@@ -792,9 +960,13 @@
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)
@@ -12913,7 +13070,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,6 +973,22 @@
+@@ -803,6 +975,22 @@
mta_send_mail(httpd_sys_script_t)
')
@@ -12936,7 +13093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_sys_script_t self:udp_socket create_socket_perms;
-@@ -830,6 +1016,16 @@
+@@ -830,6 +1018,16 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@@ -12953,7 +13110,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,6 +1038,7 @@
+@@ -842,6 +1040,7 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -12961,7 +13118,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -891,11 +1088,33 @@
+@@ -891,11 +1090,33 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -13318,10 +13475,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.fc serefpolicy-3.8.8/policy/modules/services/boinc.fc
--- nsaserefpolicy/policy/modules/services/boinc.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/boinc.fc 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/boinc.fc 2010-08-10 07:13:34.000000000 -0400
@@ -0,0 +1,8 @@
+
-+/etc/rc\.d/init\.d/boinc_client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
+
+/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
+
@@ -13485,8 +13642,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.8.8/policy/modules/services/boinc.te
--- nsaserefpolicy/policy/modules/services/boinc.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/boinc.te 2010-07-30 14:06:53.000000000 -0400
-@@ -0,0 +1,143 @@
++++ serefpolicy-3.8.8/policy/modules/services/boinc.te 2010-08-11 07:44:10.000000000 -0400
+@@ -0,0 +1,145 @@
+policy_module(boinc,1.0.0)
+
+########################################
@@ -13606,6 +13763,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+allow boinc_project_t self:process { ptrace setsched signal signull sigkill sigstop };
+allow boinc_project_t self:process { execmem execstack };
+
++allow boinc_project_t self:fifo_file rw_fifo_file_perms;
++
+allow boinc_project_t boinc_project_var_lib_t:file entrypoint;
+exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
@@ -14105,7 +14264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.8.8/policy/modules/services/cgroup.te
--- nsaserefpolicy/policy/modules/services/cgroup.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cgroup.te 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cgroup.te 2010-08-10 07:20:55.000000000 -0400
@@ -18,8 +18,8 @@
type cgrules_etc_t;
files_config_file(cgrules_etc_t)
@@ -14117,6 +14276,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
init_daemon_domain(cgconfig_t, cgconfig_exec_t)
type cgconfig_initrc_exec_t;
+@@ -33,7 +33,7 @@
+ # cgconfig personal policy.
+ #
+
+-allow cgconfig_t self:capability { chown sys_admin };
++allow cgconfig_t self:capability { dac_override fowner chown sys_admin };
+
+ allow cgconfig_t cgconfig_etc_t:file read_file_perms;
+
@@ -53,7 +53,7 @@
# cgred personal policy.
#
@@ -14277,8 +14445,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
corenet_udp_bind_chronyd_port(chronyd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.8.8/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/clamav.te 2010-07-30 14:06:53.000000000 -0400
-@@ -89,9 +89,10 @@
++++ serefpolicy-3.8.8/policy/modules/services/clamav.te 2010-08-10 08:26:22.000000000 -0400
+@@ -80,6 +80,7 @@
+ files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
+
+ # var/lib files for clamd
++manage_sock_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
+ manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
+ manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
+
+@@ -89,9 +90,10 @@
logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file })
# pid file
@@ -14290,7 +14466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
kernel_dontaudit_list_proc(clamd_t)
kernel_read_sysctl(clamd_t)
-@@ -189,6 +190,7 @@
+@@ -189,6 +191,7 @@
corenet_tcp_sendrecv_all_ports(freshclam_t)
corenet_tcp_sendrecv_clamd_port(freshclam_t)
corenet_tcp_connect_http_port(freshclam_t)
@@ -14298,7 +14474,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
corenet_sendrecv_http_client_packets(freshclam_t)
dev_read_rand(freshclam_t)
-@@ -207,6 +209,8 @@
+@@ -207,6 +210,8 @@
clamav_stream_connect(freshclam_t)
@@ -16200,7 +16376,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.8.8/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/devicekit.te 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/devicekit.te 2010-08-10 11:09:06.000000000 -0400
@@ -75,10 +75,12 @@
manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
@@ -16243,7 +16419,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
-allow devicekit_power_t self:process getsched;
-+allow devicekit_disk_t self:process { getsched signal_perms };
++allow devicekit_power_t self:process { getsched signal_perms };
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -19449,7 +19625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
## Append to the munin log.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.8.8/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/munin.te 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/munin.te 2010-08-05 16:45:38.000000000 -0400
@@ -5,6 +5,8 @@
# Declarations
#
@@ -19492,7 +19668,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
kernel_read_system_state(munin_t)
kernel_read_network_state(munin_t)
-@@ -145,6 +153,7 @@
+@@ -116,6 +124,7 @@
+
+ miscfiles_read_fonts(munin_t)
+ miscfiles_read_localization(munin_t)
++miscfiles_setattr_fonts_cache_dirs(munin_t)
+
+ sysnet_exec_ifconfig(munin_t)
+
+@@ -145,6 +154,7 @@
optional_policy(`
mta_read_config(munin_t)
mta_send_mail(munin_t)
@@ -19500,7 +19684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
mta_read_queue(munin_t)
')
-@@ -159,6 +168,7 @@
+@@ -159,6 +169,7 @@
optional_policy(`
postfix_list_spool(munin_t)
@@ -19508,7 +19692,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
')
optional_policy(`
-@@ -182,6 +192,7 @@
+@@ -182,6 +193,7 @@
# local policy for disk plugins
#
@@ -19516,7 +19700,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
-@@ -190,15 +201,13 @@
+@@ -190,15 +202,13 @@
corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
@@ -19534,7 +19718,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
sysnet_read_config(disk_munin_plugin_t)
-@@ -221,19 +230,17 @@
+@@ -221,19 +231,17 @@
dev_read_urand(mail_munin_plugin_t)
@@ -19556,7 +19740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
')
optional_policy(`
-@@ -255,10 +262,6 @@
+@@ -255,10 +263,6 @@
dev_read_urand(services_munin_plugin_t)
dev_read_rand(services_munin_plugin_t)
@@ -19567,7 +19751,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
sysnet_read_config(services_munin_plugin_t)
optional_policy(`
-@@ -286,6 +289,10 @@
+@@ -286,6 +290,10 @@
snmp_read_snmp_var_lib_files(services_munin_plugin_t)
')
@@ -19578,7 +19762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
##################################
#
# local policy for system plugins
-@@ -298,10 +305,6 @@
+@@ -298,10 +306,6 @@
kernel_read_network_state(system_munin_plugin_t)
kernel_read_all_sysctls(system_munin_plugin_t)
@@ -19589,7 +19773,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
dev_read_sysfs(system_munin_plugin_t)
dev_read_urand(system_munin_plugin_t)
-@@ -313,3 +316,29 @@
+@@ -313,3 +317,29 @@
sysnet_exec_ifconfig(system_munin_plugin_t)
term_getattr_unallocated_ttys(system_munin_plugin_t)
@@ -20230,8 +20414,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.8.8/policy/modules/services/oddjob.if
--- nsaserefpolicy/policy/modules/services/oddjob.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/oddjob.if 2010-07-30 14:06:53.000000000 -0400
-@@ -44,6 +44,7 @@
++++ serefpolicy-3.8.8/policy/modules/services/oddjob.if 2010-08-10 05:23:35.000000000 -0400
+@@ -22,6 +22,25 @@
+ domtrans_pattern($1, oddjob_exec_t, oddjob_t)
+ ')
+
++#####################################
++## <summary>
++## Do not audit attempts to read and write
++## oddjob fifo file.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`oddjob_dontaudit_rw_fifo_file',`
++ gen_require(`
++ type shutdown_t;
++ ')
++
++ dontaudit $1 oddjob_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
+ ########################################
+ ## <summary>
+ ## Make the specified program domain accessable
+@@ -44,6 +63,7 @@
')
domtrans_pattern(oddjob_t, $2, $1)
@@ -20239,6 +20449,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj
')
########################################
+@@ -67,6 +87,24 @@
+ allow oddjob_t $1:dbus send_msg;
+ ')
+
++######################################
++## <summary>
++## Send a SIGCHLD signal to oddjob.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`oddjob_sigchld',`
++ gen_require(`
++ type oddjob_t;
++ ')
++
++ allow $1 oddjob_t:process sigchld;
++')
++
+ ########################################
+ ## <summary>
+ ## Execute a domain transition to run oddjob_mkhomedir.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.8.8/policy/modules/services/oddjob.te
--- nsaserefpolicy/policy/modules/services/oddjob.te 2010-07-27 16:06:06.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/oddjob.te 2010-07-30 14:06:53.000000000 -0400
@@ -20634,8 +20869,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.te serefpolicy-3.8.8/policy/modules/services/piranha.te
--- nsaserefpolicy/policy/modules/services/piranha.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/piranha.te 2010-08-04 16:34:08.000000000 -0400
-@@ -0,0 +1,215 @@
++++ serefpolicy-3.8.8/policy/modules/services/piranha.te 2010-08-10 05:23:35.000000000 -0400
+@@ -0,0 +1,216 @@
+policy_module(piranha,1.0.0)
+
+########################################
@@ -20733,8 +20968,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
+
+kernel_read_kernel_sysctls(piranha_web_t)
+
-+corenet_tcp_bind_piranha_port(piranha_web_t)
++corenet_tcp_bind_http_cache_port(piranha_web_t)
+corenet_tcp_bind_luci_port(piranha_web_t)
++corenet_tcp_bind_piranha_port(piranha_web_t)
+corenet_tcp_connect_ricci_port(piranha_web_t)
+
+dev_read_urand(piranha_web_t)
@@ -20996,7 +21232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.8.8/policy/modules/services/policykit.te
--- nsaserefpolicy/policy/modules/services/policykit.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/policykit.te 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/policykit.te 2010-08-10 11:37:04.000000000 -0400
@@ -24,6 +24,9 @@
type policykit_reload_t alias polkit_reload_t;
files_type(policykit_reload_t)
@@ -21041,7 +21277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
auth_use_nsswitch(policykit_t)
-@@ -67,45 +77,82 @@
+@@ -67,45 +77,84 @@
miscfiles_read_localization(policykit_t)
@@ -21083,6 +21319,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
+policykit_dbus_chat(policykit_auth_t)
+
++kernel_read_system_state(policykit_auth_t)
++
can_exec(policykit_auth_t, policykit_auth_exec_t)
-corecmd_search_bin(policykit_auth_t)
+corecmd_exec_bin(policykit_auth_t)
@@ -21130,7 +21368,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
dbus_session_bus_client(policykit_auth_t)
optional_policy(`
-@@ -118,6 +165,14 @@
+@@ -118,6 +167,14 @@
hal_read_state(policykit_auth_t)
')
@@ -21145,7 +21383,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
########################################
#
# polkit_grant local policy
-@@ -125,7 +180,8 @@
+@@ -125,7 +182,8 @@
allow policykit_grant_t self:capability setuid;
allow policykit_grant_t self:process getattr;
@@ -21155,7 +21393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
-@@ -155,9 +211,12 @@
+@@ -155,9 +213,12 @@
userdom_read_all_users_state(policykit_grant_t)
optional_policy(`
@@ -21169,7 +21407,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
consolekit_dbus_chat(policykit_grant_t)
')
')
-@@ -169,7 +228,8 @@
+@@ -169,7 +230,8 @@
allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
allow policykit_resolve_t self:process getattr;
@@ -22790,6 +23028,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
mysql_domtrans_mysql_safe(rgmanager_t)
mysql_stream_connect(rgmanager_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.8.8/policy/modules/services/rhcs.fc
+--- nsaserefpolicy/policy/modules/services/rhcs.fc 2010-07-27 16:06:06.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rhcs.fc 2010-08-10 11:56:57.000000000 -0400
+@@ -1,6 +1,7 @@
+ /usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+ /usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
+ /usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
++/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0)
+ /usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
+ /usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
+ /usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.8.8/policy/modules/services/rhcs.if
--- nsaserefpolicy/policy/modules/services/rhcs.if 2010-07-27 16:06:06.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/rhcs.if 2010-07-30 14:06:53.000000000 -0400
@@ -23068,7 +23317,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
/usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-3.8.8/policy/modules/services/ricci.if
--- nsaserefpolicy/policy/modules/services/ricci.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ricci.if 2010-08-03 15:22:25.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ricci.if 2010-08-10 05:23:35.000000000 -0400
@@ -18,6 +18,24 @@
domtrans_pattern($1, ricci_exec_t, ricci_t)
')
@@ -23119,11 +23368,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
## Execute a domain transition to run ricci_modlog.
## </summary>
## <param name="domain">
-@@ -165,3 +201,48 @@
+@@ -165,3 +201,67 @@
domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t)
')
+
++####################################
++## <summary>
++## Allow the specified domain to manage ricci's lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ricci_manage_lib_files',`
++ gen_require(`
++ type ricci_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
++ manage_files_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
++')
+
+########################################
+## <summary>
@@ -23170,7 +23438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.8.8/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ricci.te 2010-08-03 09:18:13.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ricci.te 2010-08-10 05:23:35.000000000 -0400
@@ -10,6 +10,9 @@
domain_type(ricci_t)
init_daemon_domain(ricci_t, ricci_exec_t)
@@ -23191,7 +23459,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
type ricci_modlog_t;
type ricci_modlog_exec_t;
domain_type(ricci_modlog_t)
-@@ -241,6 +247,10 @@
+@@ -105,6 +111,7 @@
+ files_pid_filetrans(ricci_t, ricci_var_run_t, { file sock_file })
+
+ kernel_read_kernel_sysctls(ricci_t)
++kernel_read_system_state(ricci_t)
+
+ corecmd_exec_bin(ricci_t)
+
+@@ -170,6 +177,10 @@
+ ')
+
+ optional_policy(`
++ shutdown_domtrans(ricci_t)
++')
++
++optional_policy(`
+ unconfined_use_fds(ricci_t)
+ ')
+
+@@ -241,6 +252,10 @@
')
optional_policy(`
@@ -23202,7 +23489,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
# XXX This has got to go.
unconfined_domain(ricci_modcluster_t)
')
-@@ -261,6 +271,10 @@
+@@ -261,6 +276,10 @@
allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;
@@ -23213,7 +23500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
-@@ -272,6 +286,7 @@
+@@ -272,6 +291,7 @@
kernel_read_kernel_sysctls(ricci_modclusterd_t)
kernel_read_system_state(ricci_modclusterd_t)
@@ -23221,7 +23508,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
corecmd_exec_bin(ricci_modclusterd_t)
-@@ -444,6 +459,12 @@
+@@ -444,6 +464,12 @@
files_read_usr_files(ricci_modstorage_t)
files_read_kernel_modules(ricci_modstorage_t)
@@ -25803,7 +26090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos
vhostmd_initrc_domtrans($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.8.8/policy/modules/services/vhostmd.te
--- nsaserefpolicy/policy/modules/services/vhostmd.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/vhostmd.te 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/vhostmd.te 2010-08-10 07:10:27.000000000 -0400
@@ -44,6 +44,8 @@
corenet_tcp_connect_soundd_port(vhostmd_t)
@@ -25813,6 +26100,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos
files_read_etc_files(vhostmd_t)
files_read_usr_files(vhostmd_t)
+@@ -66,6 +68,7 @@
+
+ optional_policy(`
+ virt_stream_connect(vhostmd_t)
++ virt_write_content(vhostmd_t)
+ ')
+
+ optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.8.8/policy/modules/services/virt.fc
--- nsaserefpolicy/policy/modules/services/virt.fc 2010-07-27 16:06:06.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/virt.fc 2010-07-30 14:06:53.000000000 -0400
@@ -25840,7 +26135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.8.8/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/virt.if 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/virt.if 2010-08-10 07:08:50.000000000 -0400
@@ -21,6 +21,7 @@
type $1_t, virt_domain;
domain_type($1_t)
@@ -25906,7 +26201,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
########################################
-@@ -308,6 +300,24 @@
+@@ -231,6 +223,24 @@
+
+ ########################################
+ ## <summary>
++## Allow domain to write virt image files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`virt_write_content',`
++ gen_require(`
++ type virt_content_t;
++ ')
++
++ allow $1 virt_content_t:file write_file_perms;
++')
++
++########################################
++## <summary>
+ ## Read virt PID files.
+ ## </summary>
+ ## <param name="domain">
+@@ -308,6 +318,24 @@
########################################
## <summary>
@@ -25931,7 +26251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
## Create, read, write, and delete
## virt lib files.
## </summary>
-@@ -433,15 +443,15 @@
+@@ -433,15 +461,15 @@
## </summary>
## </param>
#
@@ -25952,7 +26272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
########################################
-@@ -516,3 +526,51 @@
+@@ -516,3 +544,51 @@
virt_manage_log($1)
')
@@ -26006,7 +26326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.8.8/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/virt.te 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/virt.te 2010-08-10 05:23:35.000000000 -0400
@@ -4,6 +4,7 @@
#
# Declarations
@@ -26282,7 +26602,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -429,6 +500,7 @@
+@@ -429,10 +500,12 @@
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -26290,7 +26610,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
domain_use_interactive_fds(virt_domain)
-@@ -440,6 +512,11 @@
+ files_read_etc_files(virt_domain)
++files_read_mnt_symlinks(virt_domain)
+ files_read_usr_files(virt_domain)
+ files_read_var_files(virt_domain)
+ files_search_all(virt_domain)
+@@ -440,6 +513,11 @@
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -26302,7 +26627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
term_use_all_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
-@@ -457,8 +534,121 @@
+@@ -457,8 +535,121 @@
')
optional_policy(`
@@ -27191,7 +27516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.8.8/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/xserver.te 2010-08-04 11:05:05.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/xserver.te 2010-08-05 16:01:15.000000000 -0400
@@ -35,6 +35,13 @@
## <desc>
@@ -27934,7 +28259,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -669,7 +955,6 @@
+@@ -643,6 +929,7 @@
+ # Xorg wants to check if kernel is tainted
+ kernel_read_kernel_sysctls(xserver_t)
+ kernel_write_proc_files(xserver_t)
++kernel_request_load_module(xserver_t)
+
+ # Run helper programs in xserver_t.
+ corecmd_exec_bin(xserver_t)
+@@ -669,7 +956,6 @@
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -27942,7 +28275,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -679,9 +964,12 @@
+@@ -679,9 +965,12 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -27956,7 +28289,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
-@@ -696,8 +984,13 @@
+@@ -696,8 +985,13 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -27970,7 +28303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -719,11 +1012,14 @@
+@@ -719,11 +1013,14 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -27985,7 +28318,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -775,12 +1071,28 @@
+@@ -775,12 +1072,28 @@
')
optional_policy(`
@@ -28015,7 +28348,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
unconfined_domtrans(xserver_t)
')
-@@ -804,10 +1116,10 @@
+@@ -804,10 +1117,10 @@
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -28028,7 +28361,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -828,6 +1140,13 @@
+@@ -828,6 +1141,13 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -28042,7 +28375,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
-@@ -843,11 +1162,14 @@
+@@ -843,11 +1163,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -28059,7 +28392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -993,3 +1315,33 @@
+@@ -993,3 +1316,33 @@
allow xserver_unconfined_type xextension_type:x_extension *;
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -28463,7 +28796,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
ifdef(`distro_suse', `
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.8.8/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/authlogin.if 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/authlogin.if 2010-08-10 11:41:52.000000000 -0400
@@ -91,9 +91,12 @@
interface(`auth_login_pgm_domain',`
gen_require(`
@@ -29390,7 +29723,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.8.8/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/init.te 2010-08-04 13:52:32.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/init.te 2010-08-10 05:23:35.000000000 -0400
@@ -16,6 +16,27 @@
## </desc>
gen_tunable(init_upstart, false)
@@ -29821,7 +30154,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -765,8 +936,6 @@
+@@ -744,6 +915,10 @@
+ ')
+
+ optional_policy(`
++ ricci_manage_lib_files(initrc_t)
++')
++
++optional_policy(`
+ fs_write_ramfs_sockets(initrc_t)
+ fs_search_ramfs(initrc_t)
+
+@@ -765,8 +940,6 @@
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -29830,7 +30174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -779,10 +948,12 @@
+@@ -779,10 +952,12 @@
squid_manage_logs(initrc_t)
')
@@ -29843,7 +30187,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -804,11 +975,19 @@
+@@ -804,11 +979,19 @@
')
optional_policy(`
@@ -29864,7 +30208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -818,6 +997,25 @@
+@@ -818,6 +1001,25 @@
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -29890,7 +30234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -843,3 +1041,55 @@
+@@ -843,3 +1045,55 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -29968,7 +30312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
/var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.8.8/policy/modules/system/ipsec.if
--- nsaserefpolicy/policy/modules/system/ipsec.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/ipsec.if 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/ipsec.if 2010-08-11 07:44:10.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -30072,7 +30416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
## </summary>
## </param>
#
-@@ -273,3 +291,61 @@
+@@ -273,3 +291,81 @@
ipsec_domtrans_setkey($1)
role $2 types setkey_t;
')
@@ -30134,9 +30478,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
+ allow $1 ipsec_mgmt_t:process sigkill;
+')
+
++######################################
++## <summary>
++## Send and receive messages from
++## ipsec-mgmt over dbus.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ipsec_mgmt_dbus_chat',`
++ gen_require(`
++ type ipsec_mgmt_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 ipsec_mgmt_t:dbus send_msg;
++ allow ipsec_mgmt_t $1:dbus send_msg;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.8.8/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/ipsec.te 2010-08-05 14:55:13.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/ipsec.te 2010-08-10 11:57:19.000000000 -0400
@@ -72,7 +72,7 @@
#
@@ -30158,6 +30522,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
can_exec(ipsec_t, ipsec_mgmt_exec_t)
+@@ -107,7 +108,7 @@
+ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
+ allow ipsec_mgmt_t ipsec_t:fd use;
+ allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
+-dontaudit ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
++allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
+ allow ipsec_mgmt_t ipsec_t:process sigchld;
+
+ kernel_read_kernel_sysctls(ipsec_t)
@@ -149,6 +150,7 @@
files_list_tmp(ipsec_t)
files_read_etc_files(ipsec_t)
@@ -30317,7 +30690,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.8.8/policy/modules/system/iptables.if
--- nsaserefpolicy/policy/modules/system/iptables.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/iptables.if 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/iptables.if 2010-08-05 15:53:11.000000000 -0400
@@ -17,6 +17,10 @@
corecmd_search_bin($1)
@@ -33189,7 +33562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.8.8/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/sysnetwork.if 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/sysnetwork.if 2010-08-10 05:23:35.000000000 -0400
@@ -6,7 +6,7 @@
## </summary>
## <param name="domain">
@@ -33388,7 +33761,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
## </summary>
## </param>
#
-@@ -453,7 +524,7 @@
+@@ -444,6 +515,7 @@
+ type dhcpc_var_run_t;
+ ')
+
++ files_rw_pid_dirs($1)
+ allow $1 dhcpc_var_run_t:file unlink;
+ ')
+
+@@ -453,7 +525,7 @@
## </summary>
## <param name="domain">
## <summary>
@@ -33397,7 +33778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
## </summary>
## </param>
#
-@@ -464,6 +535,10 @@
+@@ -464,6 +536,10 @@
corecmd_search_bin($1)
domtrans_pattern($1, ifconfig_exec_t, ifconfig_t)
@@ -33408,7 +33789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
########################################
-@@ -474,7 +549,7 @@
+@@ -474,7 +550,7 @@
## </summary>
## <param name="domain">
## <summary>
@@ -33417,7 +33798,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
## </summary>
## </param>
## <param name="role">
-@@ -534,6 +609,25 @@
+@@ -534,6 +610,25 @@
########################################
## <summary>
@@ -33443,7 +33824,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
## Read the DHCP configuration files.
## </summary>
## <param name="domain">
-@@ -677,7 +771,10 @@
+@@ -677,7 +772,10 @@
corenet_tcp_connect_ldap_port($1)
corenet_sendrecv_ldap_client_packets($1)
@@ -33455,7 +33836,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
########################################
-@@ -709,5 +806,52 @@
+@@ -709,5 +807,52 @@
corenet_tcp_connect_portmap_port($1)
corenet_sendrecv_portmap_client_packets($1)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 72a8fda..f45af40 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.8.8
-Release: 11%{?dist}
+Release: 12%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,10 @@ exit 0
%endif
%changelog
+* Tue Aug 10 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-12
+- Fix devicekit_power bug
+- Allow policykit_auth_t more access.
+
* Thu Aug 5 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-11
- Fix nis calls to allow bind to ports 512-1024
- Fix smartmon
More information about the scm-commits
mailing list