[selinux-policy] - label dead.letter as mail_home_t

Daniel J Walsh dwalsh at fedoraproject.org
Tue Aug 17 11:22:23 UTC 2010


commit 3798ee962aa9263c03e2483e0458cbb1fc732722
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Tue Aug 17 07:22:11 2010 -0400

    - label dead.letter as mail_home_t

 policy-F14.patch    |  609 +++++++++++++++++++++++++++++++++++++++++----------
 selinux-policy.spec |   11 +-
 2 files changed, 501 insertions(+), 119 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index 855dace..06cd7c3 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -1346,8 +1346,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstbo
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.8.8/policy/modules/admin/firstboot.te
 --- nsaserefpolicy/policy/modules/admin/firstboot.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/firstboot.te	2010-07-30 14:06:53.000000000 -0400
-@@ -121,6 +121,7 @@
++++ serefpolicy-3.8.8/policy/modules/admin/firstboot.te	2010-08-11 09:17:15.000000000 -0400
+@@ -91,6 +91,10 @@
+ userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
+ 
+ optional_policy(`
++	consoletype_domtrans(firstboot_t)
++')
++
++optional_policy(`
+ 	dbus_system_bus_client(firstboot_t)
+ 
+ 	optional_policy(`
+@@ -121,6 +125,7 @@
  ')
  
  optional_policy(`
@@ -1452,7 +1463,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
 +/var/run/epylog\.pid		gen_context(system_u:object_r:logwatch_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.8.8/policy/modules/admin/logwatch.te
 --- nsaserefpolicy/policy/modules/admin/logwatch.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/logwatch.te	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/logwatch.te	2010-08-17 07:18:59.000000000 -0400
 @@ -19,6 +19,9 @@
  type logwatch_tmp_t;
  files_tmp_file(logwatch_tmp_t)
@@ -1473,7 +1484,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
  kernel_read_fs_sysctls(logwatch_t)
  kernel_read_kernel_sysctls(logwatch_t)
  kernel_read_system_state(logwatch_t)
-@@ -92,8 +98,15 @@
+@@ -92,8 +98,16 @@
  sysnet_exec_ifconfig(logwatch_t)
  
  userdom_dontaudit_search_user_home_dirs(logwatch_t)
@@ -1487,6 +1498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
 +logging_read_all_logs(logwatch_mail_t)
 +manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t)
 +allow logwatch_mail_t self:capability { dac_read_search dac_override };
++mta_read_home(logwatch_mail_t)
  
  ifdef(`distro_redhat',`
  	files_search_all(logwatch_t)
@@ -1771,7 +1783,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.8.8/policy/modules/admin/prelink.te
 --- nsaserefpolicy/policy/modules/admin/prelink.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/prelink.te	2010-08-11 08:24:20.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/prelink.te	2010-08-13 11:29:37.000000000 -0400
 @@ -59,6 +59,7 @@
  manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
  relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
@@ -1825,6 +1837,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
  
  	domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
  	allow prelink_cron_system_t prelink_t:process noatsecure;
+@@ -148,7 +159,7 @@
+ 	files_read_etc_files(prelink_cron_system_t)
+ 	files_search_var_lib(prelink_cron_system_t)
+ 
+-	init_exec(prelink_cron_system_t)
++	init_telinit(prelink_cron_system_t)
+ 
+ 	libs_exec_ld_so(prelink_cron_system_t)
+ 
 @@ -158,6 +169,8 @@
  
  	cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t)
@@ -2317,8 +2338,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sectool
  	mount_exec(sectoolm_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.if serefpolicy-3.8.8/policy/modules/admin/shorewall.if
 --- nsaserefpolicy/policy/modules/admin/shorewall.if	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/shorewall.if	2010-07-30 14:06:53.000000000 -0400
-@@ -134,9 +134,10 @@
++++ serefpolicy-3.8.8/policy/modules/admin/shorewall.if	2010-08-17 06:09:36.000000000 -0400
+@@ -18,6 +18,24 @@
+ 	domtrans_pattern($1, shorewall_exec_t, shorewall_t)
+ ')
+ 
++######################################
++## <summary>
++##      Execute a domain transition to run shorewall.
++## </summary>
++## <param name="domain">
++## <summary>
++##      Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`shorewall_domtrans_lib',`
++        gen_require(`
++                type shorewall_t, shorewall_var_lib_t;
++        ')
++
++        domtrans_pattern($1, shorewall_var_lib_t, shorewall_t)
++')
++
+ #######################################
+ ## <summary>
+ ##	Read shorewall etc configuration files.
+@@ -134,9 +152,10 @@
  #
  interface(`shorewall_admin',`
  	gen_require(`
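Review bot: The new `shorewall_domtrans_lib` interface makes `shorewall_var_lib_t` an entrypoint into `shorewall_t`, and the shorewall.te hunk below (`allow shorewall_t shorewall_var_lib_t:file entrypoint;`) completes that. The same .te context shows `manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)`, so the domain can rewrite its own entry-point files, and any other domain granted write access to that type can likewise decide what code runs as shorewall_t. If a compiled script under the lib directory really must be the entry point, say so in the summary and consider a dedicated read-only type for the entry script instead of the general var_lib type. The summary also repeats `shorewall_domtrans`'s wording; suggest `##	Execute a domain transition to run shorewall via a script in its lib directory.`. The body is indented with spaces whereas the rest of shorewall.if uses tabs, as is the `brctl_domtrans(shorewall_t)` block in the shorewall.te hunk further down.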
@@ -2331,7 +2377,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa
  	')
  
  	allow $1 shorewall_t:process { ptrace signal_perms };
-@@ -153,12 +154,12 @@
+@@ -153,12 +172,12 @@
  	files_search_locks($1)
  	admin_pattern($1, shorewall_lock_t)
  
@@ -2349,8 +2395,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.8.8/policy/modules/admin/shorewall.te
 --- nsaserefpolicy/policy/modules/admin/shorewall.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/shorewall.te	2010-07-30 14:06:53.000000000 -0400
-@@ -80,13 +80,14 @@
++++ serefpolicy-3.8.8/policy/modules/admin/shorewall.te	2010-08-17 06:09:36.000000000 -0400
+@@ -58,6 +58,9 @@
+ manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
+ manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
+ files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file })
++allow shorewall_t shorewall_var_lib_t:file entrypoint;
++
++allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;
+ 
+ kernel_read_kernel_sysctls(shorewall_t)
+ kernel_read_network_state(shorewall_t)
+@@ -80,13 +83,18 @@
  
  init_rw_utmp(shorewall_t)
  
@@ -2363,6 +2419,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa
  
 -userdom_dontaudit_list_user_home_dirs(shorewall_t)
 +userdom_dontaudit_list_admin_dir(shorewall_t)
++
++optional_policy(`
++        brctl_domtrans(shorewall_t)
++')
  
  optional_policy(`
  	hostname_exec(shorewall_t)
@@ -3020,8 +3080,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqs
  	dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.8.8/policy/modules/apps/execmem.fc
 --- nsaserefpolicy/policy/modules/apps/execmem.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/execmem.fc	2010-07-30 14:06:53.000000000 -0400
-@@ -0,0 +1,49 @@
++++ serefpolicy-3.8.8/policy/modules/apps/execmem.fc	2010-08-13 16:54:24.000000000 -0400
+@@ -0,0 +1,48 @@
 +
 +/usr/bin/aticonfig	--	gen_context(system_u:object_r:execmem_exec_t,s0)
 +/usr/bin/compiz		--	gen_context(system_u:object_r:execmem_exec_t,s0)
@@ -3029,7 +3089,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.
 +/usr/bin/dosbox		--	gen_context(system_u:object_r:execmem_exec_t,s0)
 +/usr/bin/haddock.*  	--	gen_context(system_u:object_r:execmem_exec_t,s0)
 +/usr/bin/hasktags   	--	gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/bin/mutter   	--	gen_context(system_u:object_r:execmem_exec_t,s0)
 +/usr/bin/plasma-desktop	--	gen_context(system_u:object_r:execmem_exec_t,s0)
 +/usr/bin/runghc	   	--	gen_context(system_u:object_r:execmem_exec_t,s0)
 +/usr/bin/runhaskell	--	gen_context(system_u:object_r:execmem_exec_t,s0)
@@ -4379,8 +4438,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.8.8/policy/modules/apps/java.te
 --- nsaserefpolicy/policy/modules/apps/java.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/java.te	2010-07-30 14:06:53.000000000 -0400
-@@ -82,6 +82,7 @@
++++ serefpolicy-3.8.8/policy/modules/apps/java.te	2010-08-13 15:48:49.000000000 -0400
+@@ -82,12 +82,12 @@
  dev_read_rand(java_t)
  dev_dontaudit_append_rand(java_t)
  
@@ -4388,7 +4447,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te
  files_read_usr_files(java_t)
  files_search_home(java_t)
  files_search_var_lib(java_t)
-@@ -143,12 +144,15 @@
+ files_read_etc_runtime_files(java_t)
+ # Read global fonts and font config
+-files_read_etc_files(java_t)
+ 
+ fs_getattr_xattr_fs(java_t)
+ fs_dontaudit_rw_tmpfs_files(java_t)
+@@ -143,12 +143,15 @@
  	# execheap is needed for itanium/BEA jrocket
  	allow unconfined_java_t self:process { execstack execmem execheap };
  
@@ -4491,7 +4556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.8.8/policy/modules/apps/livecd.if
 --- nsaserefpolicy/policy/modules/apps/livecd.if	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/livecd.if	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/livecd.if	2010-08-12 08:05:10.000000000 -0400
 @@ -41,6 +41,8 @@
  
  	livecd_domtrans($1)
@@ -4526,6 +4591,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.i
  ##	Read livecd temporary files.
  ## </summary>
  ## <param name="domain">
+@@ -82,7 +102,7 @@
+ 	')
+ 
+ 	files_search_tmp($1)
+-	allow $1 livecd_tmp_t:file rw_file_perms;
++	rw_files_pattern($1, livecd_tmp_t, livecd_tmp_t)
+ ')
+ 
+ ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.8.8/policy/modules/apps/livecd.te
 --- nsaserefpolicy/policy/modules/apps/livecd.te	2010-07-27 16:06:04.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/apps/livecd.te	2010-07-30 14:06:53.000000000 -0400
@@ -5189,7 +5263,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.8.8/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.te	2010-08-11 08:01:15.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.te	2010-08-13 15:48:58.000000000 -0400
 @@ -0,0 +1,301 @@
 +policy_module(nsplugin, 1.0.0)
 +
@@ -5310,8 +5384,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +
 +files_dontaudit_getattr_lost_found_dirs(nsplugin_t)
 +files_dontaudit_list_home(nsplugin_t)
-+files_read_usr_files(nsplugin_t)
 +files_read_etc_files(nsplugin_t)
++files_read_usr_files(nsplugin_t)
 +files_read_config_files(nsplugin_t)
 +
 +fs_getattr_tmpfs(nsplugin_t)
@@ -5870,7 +5944,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.8.8/policy/modules/apps/sambagui.te
 --- nsaserefpolicy/policy/modules/apps/sambagui.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/sambagui.te	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/sambagui.te	2010-08-13 15:50:28.000000000 -0400
 @@ -0,0 +1,66 @@
 +policy_module(sambagui,1.0.0)
 +
@@ -5906,8 +5980,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui
 +corecmd_exec_bin(sambagui_t)
 +
 +files_read_etc_files(sambagui_t)
++files_read_usr_files(sambagui_t)
 +files_search_var_lib(sambagui_t)
-+files_search_usr(sambagui_t)
 +
 +# reading shadow by pdbedit
 +#auth_read_shadow(sambagui_t)
@@ -6263,8 +6337,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.8.8/policy/modules/apps/sandbox.te
 --- nsaserefpolicy/policy/modules/apps/sandbox.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/sandbox.te	2010-08-03 13:19:32.000000000 -0400
-@@ -0,0 +1,390 @@
++++ serefpolicy-3.8.8/policy/modules/apps/sandbox.te	2010-08-16 07:01:26.000000000 -0400
+@@ -0,0 +1,392 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@@ -6464,6 +6538,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +
 +miscfiles_read_fonts(sandbox_x_domain)
 +
++storage_dontaudit_rw_fuse(sandbox_x_domain)
++
 +optional_policy(`
 +	cups_stream_connect(sandbox_x_domain)
 +	cups_read_rw_config(sandbox_x_domain)
@@ -7441,6 +7517,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp
 +optional_policy(`
 +	xserver_stream_connect(consolehelper_domain)
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.8.8/policy/modules/apps/vmware.fc
+--- nsaserefpolicy/policy/modules/apps/vmware.fc	2010-07-27 16:06:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/vmware.fc	2010-08-13 14:51:09.000000000 -0400
+@@ -66,5 +66,6 @@
+ /var/log/vmware.* 		--	gen_context(system_u:object_r:vmware_log_t,s0)
+ /var/log/vnetlib.*		--	gen_context(system_u:object_r:vmware_log_t,s0)
+ 
++/var/run/vmnet.*			gen_context(system_u:object_r:vmware_var_run_t,s0)
+ /var/run/vmnat.* 		-s	gen_context(system_u:object_r:vmware_var_run_t,s0)
+ /var/run/vmware.* 			gen_context(system_u:object_r:vmware_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.8.8/policy/modules/apps/vmware.te
 --- nsaserefpolicy/policy/modules/apps/vmware.te	2010-07-27 16:06:04.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/apps/vmware.te	2010-07-30 14:06:53.000000000 -0400
@@ -7942,7 +8028,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 +/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.8.8/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/devices.if	2010-08-04 12:08:01.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/devices.if	2010-08-16 07:06:37.000000000 -0400
 @@ -461,6 +461,24 @@
  
  ########################################
@@ -8065,7 +8151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  
  ########################################
  ## <summary>
-+##	Relableto the autofs device node.
++##	Relable the autofs device node.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
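Review bot: The corrected summary is still misspelled — `Relable` should read `Relabel`, so the old `Relableto` is only half-fixed by this hunk. Change the line to `##	Relabel the autofs device node.`.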
@@ -8073,12 +8159,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_relabelto_autofs_dev',`
++interface(`dev_relabel_autofs_dev',`
 +	gen_require(`
 +		type autofs_device_t;
 +	')
 +
-+	allow $1 autofs_device_t:chr_file relabelto;
++	allow $1 autofs_device_t:chr_file relabel_chr_file_perms;
 +')
 +
 +########################################
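Review bot: Renaming `dev_relabelto_autofs_dev` to `dev_relabel_autofs_dev` removes the old interface name outright, so any caller elsewhere in this patch or in a third-party module that still uses the old name will fail to build; the callers are not visible in this hunk. The rule also widens from `relabelto` to `relabel_chr_file_perms`, i.e. relabelfrom as well as relabelto — consistent with the new name, but worth one sentence in the summary, e.g. `##	Relabel the autofs device node to and from its type.`. If compatibility matters, keep a thin `dev_relabelto_autofs_dev` that calls the new interface, marked as deprecated.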
@@ -8499,7 +8585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 +/nsr/logs(/.*)?						gen_context(system_u:object_r:var_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.8.8/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/files.if	2010-08-10 05:23:35.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/files.if	2010-08-11 09:28:41.000000000 -0400
 @@ -1053,10 +1053,8 @@
  	relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
  	relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -9112,7 +9198,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 +/cgroup(/.*)? 	 	gen_context(system_u:object_r:cgroup_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.8.8/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.if	2010-08-04 13:24:15.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.if	2010-08-13 10:09:00.000000000 -0400
 @@ -1233,7 +1233,7 @@
  		type cifs_t;
  	')
@@ -9593,7 +9679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
 +/lib/udev/devices/fuse	-c	gen_context(system_u:object_r:fuse_device_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.8.8/policy/modules/kernel/storage.if
 --- nsaserefpolicy/policy/modules/kernel/storage.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/storage.if	2010-08-05 14:41:46.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/storage.if	2010-08-16 07:00:32.000000000 -0400
 @@ -101,6 +101,8 @@
  	dev_list_all_dev_nodes($1)
  	allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
@@ -13367,8 +13453,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah
  kernel_read_kernel_sysctls(avahi_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.8.8/policy/modules/services/bind.if
 --- nsaserefpolicy/policy/modules/services/bind.if	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/bind.if	2010-07-30 14:06:53.000000000 -0400
-@@ -359,9 +359,9 @@
++++ serefpolicy-3.8.8/policy/modules/services/bind.if	2010-08-12 16:43:18.000000000 -0400
+@@ -308,6 +308,27 @@
+ 
+ ########################################
+ ## <summary>
++##	Read BIND zone files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`bind_read_log',`
++	gen_require(`
++		type named_zone_t;
++		type named_log_t;
++	')
++
++	files_search_var($1)
++	allow $1 named_zone_t:dir search_dir_perms;
++	read_files_pattern($1, named_log_t, named_log_t)
++')
++
++########################################
++## <summary>
+ ##	Manage BIND zone files.
+ ## </summary>
+ ## <param name="domain">
+@@ -359,9 +380,9 @@
  interface(`bind_admin',`
  	gen_require(`
  		type named_t, named_tmp_t, named_log_t;
@@ -13380,7 +13494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
  		type named_initrc_exec_t;
  	')
  
-@@ -391,8 +391,7 @@
+@@ -391,8 +412,7 @@
  	admin_pattern($1, named_zone_t)
  	admin_pattern($1, dnssec_t)
  
@@ -14473,7 +14587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
  corenet_udp_bind_chronyd_port(chronyd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.8.8/policy/modules/services/clamav.te
 --- nsaserefpolicy/policy/modules/services/clamav.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/clamav.te	2010-08-11 08:54:31.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/clamav.te	2010-08-16 07:42:43.000000000 -0400
 @@ -80,6 +80,7 @@
  files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
  
@@ -14494,16 +14608,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
  
  kernel_dontaudit_list_proc(clamd_t)
  kernel_read_sysctl(clamd_t)
-@@ -182,6 +184,8 @@
+@@ -182,6 +184,9 @@
  allow freshclam_t clamd_var_log_t:dir search_dir_perms;
  logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
  
 +kernel_read_kernel_sysctls(freshclam_t)
++kernel_read_system_state(freshclam_t)
 +
  corenet_all_recvfrom_unlabeled(freshclam_t)
  corenet_all_recvfrom_netlabel(freshclam_t)
  corenet_tcp_sendrecv_generic_if(freshclam_t)
-@@ -189,6 +193,7 @@
+@@ -189,6 +194,7 @@
  corenet_tcp_sendrecv_all_ports(freshclam_t)
  corenet_tcp_sendrecv_clamd_port(freshclam_t)
  corenet_tcp_connect_http_port(freshclam_t)
@@ -14511,7 +14626,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
  corenet_sendrecv_http_client_packets(freshclam_t)
  
  dev_read_rand(freshclam_t)
-@@ -207,6 +212,8 @@
+@@ -207,6 +213,8 @@
  
  clamav_stream_connect(freshclam_t)
  
@@ -15735,7 +15850,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.8.8/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cron.te	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cron.te	2010-08-13 11:29:11.000000000 -0400
 @@ -63,9 +63,12 @@
  
  type crond_tmp_t;
@@ -16400,7 +16515,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.8.8/policy/modules/services/denyhosts.te
 --- nsaserefpolicy/policy/modules/services/denyhosts.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/denyhosts.te	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/denyhosts.te	2010-08-13 13:33:16.000000000 -0400
 @@ -25,7 +25,8 @@
  #
  # DenyHosts personal policy.
@@ -16411,7 +16526,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
  allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms;
  allow denyhosts_t self:tcp_socket create_socket_perms;
  allow denyhosts_t self:udp_socket create_socket_perms;
-@@ -53,6 +54,7 @@
+@@ -53,20 +54,28 @@
  corenet_tcp_sendrecv_generic_node(denyhosts_t)
  corenet_tcp_bind_generic_node(denyhosts_t)
  corenet_tcp_connect_smtp_port(denyhosts_t)
@@ -16419,7 +16534,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
  corenet_sendrecv_smtp_client_packets(denyhosts_t)
  
  dev_read_urand(denyhosts_t)
-@@ -61,12 +63,18 @@
+ 
+ files_read_etc_files(denyhosts_t)
++files_read_usr_files(denyhosts_t)
  
  # /var/log/secure
  logging_read_generic_logs(denyhosts_t)
@@ -16621,7 +16738,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.8.8/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/dovecot.te	2010-08-03 15:18:00.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/dovecot.te	2010-08-16 07:30:39.000000000 -0400
+@@ -18,7 +18,7 @@
+ files_tmp_file(dovecot_auth_tmp_t)
+ 
+ type dovecot_cert_t;
+-files_type(dovecot_cert_t)
++miscfiles_cert_type(dovecot_cert_t)
+ 
+ type dovecot_deliver_t;
+ type dovecot_deliver_exec_t;
 @@ -58,7 +58,7 @@
  
  allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot };
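Review bot: Switching `dovecot_cert_t` from `files_type` to `miscfiles_cert_type` places the type under the generic certificate attribute, so every domain granted the read-all-certificates style interfaces in miscfiles can now read everything labelled `dovecot_cert_t`. If that label also covers the directory holding dovecot's private key (the .fc is not in this hunk), the change exposes the key to far more domains than before; either keep private key material under a separate non-cert type or add a comment confirming only public material carries this label. The identical change to `slapd_cert_t` in the ldap.te hunk further down has the same consideration.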
@@ -16631,16 +16757,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  allow dovecot_t self:fifo_file rw_fifo_file_perms;
  allow dovecot_t self:tcp_socket create_stream_socket_perms;
  allow dovecot_t self:unix_dgram_socket create_socket_perms;
-@@ -72,7 +72,7 @@
+@@ -72,7 +72,8 @@
  read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
  read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
  
 -allow dovecot_t dovecot_etc_t:file read_file_perms;
++allow dovecot_t dovecot_etc_t:dir list_dir_perms;
 +read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
  files_search_etc(dovecot_t)
  
  can_exec(dovecot_t, dovecot_exec_t)
-@@ -94,10 +94,11 @@
+@@ -94,10 +95,11 @@
  manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
  manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
  
@@ -16653,7 +16780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  
  kernel_read_kernel_sysctls(dovecot_t)
  kernel_read_system_state(dovecot_t)
-@@ -242,6 +243,7 @@
+@@ -242,6 +244,7 @@
  ')
  
  optional_policy(`
@@ -16661,7 +16788,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  	postfix_search_spool(dovecot_auth_t)
  ')
  
-@@ -253,19 +255,25 @@
+@@ -253,19 +256,26 @@
  
  allow dovecot_deliver_t dovecot_t:process signull;
  
@@ -16670,6 +16797,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
  
 +allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
++allow dovecot_deliver_t dovecot_var_log_t:dir search_dir_perms;
 +
 +can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
 +
@@ -16689,7 +16817,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  
  miscfiles_read_localization(dovecot_deliver_t)
  
-@@ -302,4 +310,5 @@
+@@ -302,4 +312,5 @@
  
  optional_policy(`
  	mta_manage_spool(dovecot_deliver_t)
@@ -18248,7 +18376,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.8.8/policy/modules/services/ldap.te
 --- nsaserefpolicy/policy/modules/services/ldap.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ldap.te	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ldap.te	2010-08-12 15:47:23.000000000 -0400
+@@ -10,7 +10,7 @@
+ init_daemon_domain(slapd_t, slapd_exec_t)
+ 
+ type slapd_cert_t;
+-files_type(slapd_cert_t)
++miscfiles_cert_type(slapd_cert_t)
+ 
+ type slapd_db_t;
+ files_type(slapd_db_t)
 @@ -27,9 +27,15 @@
  type slapd_replog_t;
  files_type(slapd_replog_t)
@@ -19306,8 +19443,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.8.8/policy/modules/services/mta.fc
 --- nsaserefpolicy/policy/modules/services/mta.fc	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/mta.fc	2010-07-30 14:06:53.000000000 -0400
-@@ -13,6 +13,8 @@
++++ serefpolicy-3.8.8/policy/modules/services/mta.fc	2010-08-17 07:18:28.000000000 -0400
+@@ -1,4 +1,7 @@
+-HOME_DIR/\.forward	--	gen_context(system_u:object_r:mail_forward_t,s0)
++HOME_DIR/\.forward	--	gen_context(system_u:object_r:mail_home_t,s0)
++HOME_DIR/dead.letter	--	gen_context(system_u:object_r:mail_home_t,s0)
++/root/\.forward	--	gen_context(system_u:object_r:mail_home_t,s0)
++/root/dead.letter	--	gen_context(system_u:object_r:mail_home_t,s0)
+ 
+ /bin/mail(x)?		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
+ 
+@@ -13,6 +16,8 @@
  
  /usr/bin/esmtp			-- gen_context(system_u:object_r:sendmail_exec_t,s0)
  
@@ -19318,7 +19464,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.8.8/policy/modules/services/mta.if
 --- nsaserefpolicy/policy/modules/services/mta.if	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/mta.if	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/mta.if	2010-08-17 07:17:30.000000000 -0400
 @@ -220,6 +220,25 @@
  	application_executable_file($1)
  ')
@@ -19406,7 +19552,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
  ')
  
-@@ -899,3 +920,23 @@
+@@ -899,3 +920,43 @@
  
  	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
  ')
@@ -19430,15 +19576,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 +interface(`mta_filetrans_aliases',`
 +	filetrans_pattern($1, $2, etc_aliases_t, file)
 +')
++
++######################################
++## <summary>
++##  ALlow domain to read mail content in the homedir 
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`mta_read_home',`
++    gen_require(`
++        type mail_home_t;
++    ')
++
++    userdom_search_user_home_dirs($1)
++    userdom_search_admin_dir($1)
++    read_files_pattern($1, mail_home_t, mail_home_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.8.8/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/mta.te	2010-07-30 14:06:53.000000000 -0400
-@@ -21,7 +21,7 @@
++++ serefpolicy-3.8.8/policy/modules/services/mta.te	2010-08-17 07:17:58.000000000 -0400
+@@ -20,8 +20,8 @@
+ type etc_mail_t;
  files_config_file(etc_mail_t)
  
- type mail_forward_t;
+-type mail_forward_t;
 -files_type(mail_forward_t)
-+userdom_user_home_content(mail_forward_t)
++type mail_home_t alias mail_forward_t;
++userdom_user_home_content(mail_home_t)
  
  type mqueue_spool_t;
  files_mountpoint(mqueue_spool_t)
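Review bot: The new `mta_read_home` interface in this hunk is indented with four spaces while the rest of mta.if uses tabs (`\tfiletrans_pattern` just above it), and its summary has a typo plus trailing whitespace: `ALlow domain to read mail content in the homedir `. Suggest `##	Allow domain to read mail files in user and root home directories (~/.forward, dead.letter).`, since the body also calls `userdom_search_admin_dir` and the mta.fc hunk labels `/root/` entries with the same type. In mta.te, `type mail_home_t alias mail_forward_t;` merges `.forward` (delivery configuration an MTA must read) with `dead.letter` (a user's undeliverable outgoing mail) under one type, so every domain granted `.forward` access through the alias or through `mta_read_home` now also reads saved user mail; that may be an acceptable simplification, but record it next to the type: `# mail_home_t: ~/.forward and ~/dead.letter; mail_forward_t kept as an alias for older policy`.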
@@ -19564,15 +19732,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  	smartmon_read_tmp_files(system_mail_t)
  ')
  
-@@ -220,6 +215,7 @@
+@@ -220,7 +215,8 @@
  create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  
+-read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t)
 +userdom_search_admin_dir(mailserver_delivery)
- read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t)
++read_files_pattern(mailserver_delivery, mail_home_t, mail_home_t)
  
  read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
-@@ -292,3 +288,42 @@
+ 
+@@ -249,6 +245,10 @@
+ 	mailman_read_data_symlinks(mailserver_delivery)
+ ')
+ 
++optional_policy(`
++	uucp_domtrans_uux(mailserver_delivery)
++')
++
+ ########################################
+ #
+ # User send mail local policy
+@@ -292,3 +292,42 @@
  	postfix_read_config(user_mail_t)
  	postfix_list_spool(user_mail_t)
  ')
@@ -20580,7 +20761,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
  kernel_list_proc(openct_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.8.8/policy/modules/services/openvpn.te
 --- nsaserefpolicy/policy/modules/services/openvpn.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/openvpn.te	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/openvpn.te	2010-08-12 16:38:44.000000000 -0400
 @@ -24,6 +24,9 @@
  type openvpn_etc_rw_t;
  files_config_file(openvpn_etc_rw_t)
@@ -20605,7 +20786,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
  manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
  files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir })
  
-@@ -113,6 +120,7 @@
+@@ -68,6 +75,7 @@
+ kernel_read_net_sysctls(openvpn_t)
+ kernel_read_network_state(openvpn_t)
+ kernel_read_system_state(openvpn_t)
++kernel_request_load_module(openvpn_t)
+ 
+ corecmd_exec_bin(openvpn_t)
+ corecmd_exec_shell(openvpn_t)
+@@ -113,6 +121,7 @@
  sysnet_etc_filetrans_config(openvpn_t)
  
  userdom_use_user_terminals(openvpn_t)
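Review bot: `kernel_request_load_module(openvpn_t)` lets a network-facing daemon trigger kernel module autoloading for whatever alias its syscalls resolve to, which is broader than the single module openvpn presumably needs, and the rule carries no comment saying what it is for. I would document the trigger inline, e.g. `# opening /dev/net/tun autoloads the tun module -- TODO confirm this is the only request_module path`, so a later reader can tell whether the access is still required. If the module is normally loaded at boot, a dontaudit would be the smaller grant.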
@@ -21296,7 +21485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.8.8/policy/modules/services/policykit.te
 --- nsaserefpolicy/policy/modules/services/policykit.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/policykit.te	2010-08-11 08:57:21.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/policykit.te	2010-08-11 09:09:19.000000000 -0400
 @@ -24,6 +24,9 @@
  type policykit_reload_t alias polkit_reload_t;
  files_type(policykit_reload_t)
@@ -21324,7 +21513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
  
  policykit_domtrans_auth(policykit_t)
  
-@@ -56,10 +60,16 @@
+@@ -56,56 +60,107 @@
  manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
  files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
  
@@ -21340,8 +21529,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
 +fs_list_inotifyfs(policykit_t)
  
  auth_use_nsswitch(policykit_t)
++auth_read_var_auth(policykit_t)
  
-@@ -67,45 +77,89 @@
+ logging_send_syslog_msg(policykit_t)
  
  miscfiles_read_localization(policykit_t)
  
@@ -21437,7 +21627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
  	dbus_session_bus_client(policykit_auth_t)
  
  	optional_policy(`
-@@ -118,6 +172,14 @@
+@@ -118,6 +173,14 @@
  	hal_read_state(policykit_auth_t)
  ')
  
@@ -21452,7 +21642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
  ########################################
  #
  # polkit_grant local policy
-@@ -125,7 +187,8 @@
+@@ -125,7 +188,8 @@
  
  allow policykit_grant_t self:capability setuid;
  allow policykit_grant_t self:process getattr;
@@ -21462,7 +21652,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
  allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
  allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
  
-@@ -155,9 +218,12 @@
+@@ -155,9 +219,12 @@
  userdom_read_all_users_state(policykit_grant_t)
  
  optional_policy(`
@@ -21476,7 +21666,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
  		consolekit_dbus_chat(policykit_grant_t)
  	')
  ')
-@@ -169,7 +235,8 @@
+@@ -169,7 +236,8 @@
  
  allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
  allow policykit_resolve_t self:process getattr;
@@ -24271,7 +24461,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.8.8/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/samba.te	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/samba.te	2010-08-12 16:45:59.000000000 -0400
 @@ -152,9 +152,6 @@
  type winbind_log_t;
  logging_log_file(winbind_log_t)
@@ -24361,7 +24551,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  samba_read_config(smbcontrol_t)
  samba_rw_var_files(smbcontrol_t)
  samba_search_var(smbcontrol_t)
-@@ -692,6 +687,7 @@
+@@ -677,7 +672,7 @@
+ allow swat_t nmbd_t:process { signal signull };
+ allow nmbd_t swat_t:process signal;
+ 
+-allow swat_t smbd_var_run_t:file { lock unlink };
++allow swat_t nmbd_var_run_t:file read_file_perms;
+ 
+ allow swat_t smbd_port_t:tcp_socket name_bind;
+ 
+@@ -692,12 +687,14 @@
  manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
  
  manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -24369,7 +24568,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  
  allow swat_t smbd_exec_t:file mmap_file_perms ;
  
-@@ -710,6 +706,7 @@
+ allow swat_t smbd_t:process signull;
+ 
+ allow swat_t smbd_var_run_t:file read_file_perms;
++allow swat_t smbd_var_run_t:file { lock unlink };
+ 
+ manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
+ manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
+@@ -710,6 +707,7 @@
  domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
  allow swat_t winbind_t:process { signal signull };
  
@@ -24377,7 +24583,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  allow swat_t winbind_var_run_t:dir { write add_name remove_name };
  allow swat_t winbind_var_run_t:sock_file { create unlink };
  
-@@ -754,6 +751,8 @@
+@@ -754,6 +752,8 @@
  
  miscfiles_read_localization(swat_t)
  
@@ -24386,7 +24592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -806,14 +805,14 @@
+@@ -806,14 +806,14 @@
  allow winbind_t winbind_log_t:file manage_file_perms;
  logging_log_filetrans(winbind_t, winbind_log_t, file)
  
@@ -24406,7 +24612,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  
  kernel_read_kernel_sysctls(winbind_t)
  kernel_read_system_state(winbind_t)
-@@ -833,6 +832,7 @@
+@@ -833,6 +833,7 @@
  corenet_tcp_bind_generic_node(winbind_t)
  corenet_udp_bind_generic_node(winbind_t)
  corenet_tcp_connect_smbd_port(winbind_t)
@@ -24414,7 +24620,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
  
-@@ -922,6 +922,18 @@
+@@ -922,6 +923,18 @@
  #
  
  optional_policy(`
@@ -24433,7 +24639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  	type samba_unconfined_script_t;
  	type samba_unconfined_script_exec_t;
  	domain_type(samba_unconfined_script_t)
-@@ -932,9 +944,12 @@
+@@ -932,9 +945,12 @@
  	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
  	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
  
@@ -26037,6 +26243,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucsp
 +    daemontools_sigchld_run(ucspitcp_t)
 +')
 +
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.te serefpolicy-3.8.8/policy/modules/services/ulogd.te
+--- nsaserefpolicy/policy/modules/services/ulogd.te	2010-07-27 16:06:06.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ulogd.te	2010-08-17 06:53:12.000000000 -0400
+@@ -31,6 +31,7 @@
+ 
+ allow ulogd_t self:capability net_admin;
+ allow ulogd_t self:netlink_nflog_socket create_socket_perms;
++allow ulogd_t self:netlink_route_socket r_netlink_socket_perms;
+ 
+ # config files
+ read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
+@@ -43,6 +44,15 @@
+ manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
+ logging_log_filetrans(ulogd_t, ulogd_var_log_t, file)
+ 
+-files_search_etc(ulogd_t)
++files_read_etc_files(ulogd_t)
++files_read_usr_files(ulogd_t)
+ 
+ miscfiles_read_localization(ulogd_t)
++
++optional_policy(`
++        mysql_stream_connect(ulogd_t)
++')
++
++optional_policy(`
++        postgresql_stream_connect(ulogd_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.8.8/policy/modules/services/usbmuxd.fc
 --- nsaserefpolicy/policy/modules/services/usbmuxd.fc	2010-07-27 16:06:06.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/services/usbmuxd.fc	2010-07-30 14:06:53.000000000 -0400
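Review bot: The two new optional_policy blocks are indented with eight spaces while the rest of this patch (e.g. the uucp block added to mta.te) uses a single tab; `\tmysql_stream_connect(ulogd_t)` and `\tpostgresql_stream_connect(ulogd_t)` would match the file's style. A one-line comment such as `# ulogd database output plugins reach the server over its local socket` would also explain why a netfilter logger needs to connect to database daemons. Replacing `files_search_etc` with `files_read_etc_files` widens ulogd from searching /etc to reading every etc_t file; if this is for a specific file it is worth naming it in a comment.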
@@ -26179,12 +26413,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.8.8/policy/modules/services/virt.fc
 --- nsaserefpolicy/policy/modules/services/virt.fc	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/virt.fc	2010-07-30 14:06:53.000000000 -0400
-@@ -13,17 +13,18 @@
++++ serefpolicy-3.8.8/policy/modules/services/virt.fc	2010-08-13 13:57:22.000000000 -0400
+@@ -13,17 +13,19 @@
  /etc/xen/.*/.*			gen_context(system_u:object_r:virt_etc_rw_t,s0)
  
  /usr/sbin/libvirtd	--	gen_context(system_u:object_r:virtd_exec_t,s0)
 +/usr/bin/virsh		--	gen_context(system_u:object_r:virsh_exec_t,s0)
++/usr/sbin/condor_vm-gahp	--	gen_context(system_u:object_r:virtd_exec_t,s0)
  
 -/var/cache/libvirt(/.*)?	gen_context(system_u:object_r:svirt_cache_t,s0)
 +/var/cache/libvirt(/.*)?	gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
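Review bot: Labeling `/usr/sbin/condor_vm-gahp` as virtd_exec_t makes the Condor helper run with libvirtd's full virtd_t privileges, and every domain that may transition through virtd_exec_t now also reaches virtd_t by executing this binary. Nothing in the hunk records why the helper needs that much; if it only drives libvirt through the API, a dedicated domain would be the least-privilege choice. At minimum add a comment above the entry, e.g. `# condor_vm-gahp runs as virtd_t -- TODO confirm a narrower domain is not possible`.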
@@ -28865,7 +29100,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  ifdef(`distro_suse', `
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.8.8/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/authlogin.if	2010-08-10 11:41:52.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/authlogin.if	2010-08-13 13:17:18.000000000 -0400
 @@ -91,9 +91,12 @@
  interface(`auth_login_pgm_domain',`
  	gen_require(`
@@ -28887,7 +29122,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  
  	files_list_var_lib($1)
  	manage_files_pattern($1, var_auth_t, var_auth_t)
-@@ -141,6 +145,7 @@
+@@ -126,6 +130,8 @@
+ 	files_read_etc_files($1)
+ 
+ 	fs_list_auto_mountpoints($1)
++	fs_manage_cgroup_dirs($1)
++	fs_manage_cgroup_files($1)
+ 
+ 	selinux_get_fs_mount($1)
+ 	selinux_validate_context($1)
+@@ -141,6 +147,7 @@
  	mls_process_set_level($1)
  	mls_fd_share_all_levels($1)
  
@@ -28895,7 +29139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  	auth_use_pam($1)
  
  	init_rw_utmp($1)
-@@ -151,8 +156,38 @@
+@@ -151,8 +158,38 @@
  	seutil_read_config($1)
  	seutil_read_default_contexts($1)
  
@@ -28936,7 +29180,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  	')
  ')
  
-@@ -365,13 +400,15 @@
+@@ -365,13 +402,15 @@
  	')
  
  	optional_policy(`
@@ -28953,7 +29197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  ')
  
  ########################################
-@@ -418,6 +455,7 @@
+@@ -418,6 +457,7 @@
  
  	auth_domtrans_chk_passwd($1)
  	role $2 types chkpwd_t;
@@ -28961,7 +29205,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  ')
  
  ########################################
-@@ -1500,6 +1538,8 @@
+@@ -874,6 +914,26 @@
+ 
+ ########################################
+ ## <summary>
++##	Read var auth files. Used by various other applications
++##	and pam applets etc.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`auth_read_var_auth',`
++	gen_require(`
++		type var_auth_t;
++	')
++
++	files_search_var($1)
++	read_files_pattern($1, var_auth_t, var_auth_t)
++')
++
++########################################
++## <summary>
+ ##	Manage var auth files. Used by various other applications
+ ##	and pam applets etc.
+ ## </summary>
+@@ -1500,6 +1560,8 @@
  #
  interface(`auth_use_nsswitch',`
  
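Review bot: `auth_read_var_auth` grants only `files_search_var($1)` before the read pattern, but var_auth_t content appears to live below /var/lib — `auth_login_pgm_domain` pairs its `manage_files_pattern($1, var_auth_t, var_auth_t)` with `files_list_var_lib($1)` earlier in this patch — so a caller with no other var_lib_t access would still be denied search on /var/lib. I would add `files_search_var_lib($1)` next to `files_search_var($1)`, assuming that interface exists in this refpolicy as its list counterpart does. The new `auth_read_var_auth(policykit_t)` call in policykit.te is the first consumer and the place to confirm this.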
@@ -28970,7 +29241,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  	files_list_var_lib($1)
  
  	# read /etc/nsswitch.conf
-@@ -1531,7 +1571,15 @@
+@@ -1531,7 +1593,15 @@
  	')
  
  	optional_policy(`
@@ -29795,7 +30066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.8.8/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/init.te	2010-08-10 05:23:35.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/init.te	2010-08-17 06:09:36.000000000 -0400
 @@ -16,6 +16,27 @@
  ## </desc>
  gen_tunable(init_upstart, false)
@@ -29907,7 +30178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -185,15 +216,66 @@
+@@ -185,15 +216,72 @@
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -29928,9 +30199,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 +	dev_write_kmsg(init_t)
 +	dev_rw_autofs(init_t)
 +	dev_manage_generic_dirs(init_t)
++	dev_manage_generic_files(init_t)
 +	dev_read_generic_chr_files(init_t)
 +	dev_relabelfrom_generic_chr_files(init_t)
-+	dev_relabelto_autofs_dev(init_t)
++	dev_relabel_autofs_dev(init_t)
++
 +	files_mounton_all_mountpoints(init_t)
 +	files_manage_all_pids_dirs(init_t)
 +
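Review bot: `dev_manage_generic_files(init_t)` adds create/write/delete on every device_t-labelled regular file inside a rule block whose opening conditional is outside this hunk, so a reader cannot tell from here whether the grant is limited to one init implementation or applies to init_t unconditionally. A comment on the line stating what init writes under /dev, e.g. `# init creates files under /dev before udev is up -- TODO name the files`, would make the scope reviewable. The `dev_relabelto_autofs_dev` to `dev_relabel_autofs_dev` change presumably adds relabelfrom by refpolicy naming convention and deserves the same one-line justification.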
@@ -29947,6 +30220,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 +	init_read_script_state(init_t)
 +
 +	seutil_read_file_contexts(init_t)
++
++	optional_policy(`
++		udev_read_db(init_t)
++	')
 +')
 +
  optional_policy(`
@@ -29974,7 +30251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	nscd_socket_use(init_t)
  ')
  
-@@ -211,7 +293,7 @@
+@@ -211,7 +299,7 @@
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -29983,7 +30260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -240,6 +322,7 @@
+@@ -240,6 +328,7 @@
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -29991,7 +30268,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  can_exec(initrc_t, initrc_tmp_t)
  manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
-@@ -257,11 +340,22 @@
+@@ -257,11 +346,22 @@
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -30014,7 +30291,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  corecmd_exec_all_executables(initrc_t)
  
-@@ -297,11 +391,13 @@
+@@ -297,11 +397,13 @@
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -30028,7 +30305,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -320,8 +416,10 @@
+@@ -320,8 +422,10 @@
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -30040,7 +30317,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -337,6 +435,8 @@
+@@ -337,6 +441,8 @@
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -30049,7 +30326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  fs_delete_cgroup_dirs(initrc_t)
  fs_list_cgroup_dirs(initrc_t)
-@@ -350,6 +450,8 @@
+@@ -350,6 +456,8 @@
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -30058,7 +30335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -362,6 +464,7 @@
+@@ -362,6 +470,7 @@
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -30066,7 +30343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -393,13 +496,14 @@
+@@ -393,13 +502,14 @@
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -30082,7 +30359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  userdom_read_user_home_content_files(initrc_t)
  # Allow access to the sysadm TTYs. Note that this will give access to the
  # TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -472,7 +576,7 @@
+@@ -472,7 +582,7 @@
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -30091,7 +30368,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -518,6 +622,19 @@
+@@ -518,6 +628,19 @@
  	optional_policy(`
  		bind_manage_config_dirs(initrc_t)
  		bind_write_config(initrc_t)
@@ -30111,7 +30388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	')
  
  	optional_policy(`
-@@ -525,10 +642,17 @@
+@@ -525,10 +648,17 @@
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -30129,7 +30406,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	')
  
  	optional_policy(`
-@@ -543,6 +667,35 @@
+@@ -543,6 +673,35 @@
  	')
  ')
  
@@ -30165,7 +30442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -555,6 +708,8 @@
+@@ -555,6 +714,8 @@
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -30174,7 +30451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -571,6 +726,7 @@
+@@ -571,6 +732,7 @@
  
  optional_policy(`
  	cgroup_stream_connect(initrc_t)
@@ -30182,7 +30459,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -583,6 +739,11 @@
+@@ -583,6 +745,11 @@
  ')
  
  optional_policy(`
@@ -30194,7 +30471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -599,6 +760,7 @@
+@@ -599,6 +766,7 @@
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -30202,7 +30479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  	optional_policy(`
  		consolekit_dbus_chat(initrc_t)
-@@ -700,7 +862,12 @@
+@@ -700,7 +868,12 @@
  ')
  
  optional_policy(`
@@ -30215,7 +30492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -723,6 +890,10 @@
+@@ -723,6 +896,10 @@
  ')
  
  optional_policy(`
@@ -30226,7 +30503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -744,6 +915,10 @@
+@@ -744,6 +921,10 @@
  ')
  
  optional_policy(`
@@ -30237,7 +30514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -765,8 +940,6 @@
+@@ -765,8 +946,6 @@
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -30246,7 +30523,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -779,10 +952,12 @@
+@@ -775,14 +954,21 @@
+ ')
+ 
+ optional_policy(`
++    # shorewall-init script run /var/lib/shorewall/firewall
++    shorewall_domtrans_lib(initrc_t)
++')
++
++optional_policy(`
+ 	squid_read_config(initrc_t)
  	squid_manage_logs(initrc_t)
  ')
  
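Review bot: The new shorewall block is indented with four spaces (`+    shorewall_domtrans_lib(initrc_t)`) while the neighbouring squid block and the rest of init.te use a single tab; `\tshorewall_domtrans_lib(initrc_t)` would match. The comment also reads better as `# the shorewall-init script runs /var/lib/shorewall/firewall`. Since this is a domain transition from initrc_t, it is worth confirming in that comment that shorewall's lib type is meant to be executed by init scripts and not only by the shorewall domain.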
@@ -30259,7 +30545,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -804,11 +979,19 @@
+@@ -804,11 +990,19 @@
  ')
  
  optional_policy(`
@@ -30280,7 +30566,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -818,6 +1001,25 @@
+@@ -818,6 +1012,25 @@
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -30306,7 +30592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -843,3 +1045,55 @@
+@@ -843,3 +1056,55 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -31737,8 +32023,76 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
  /var/lib/msttcorefonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.8.8/policy/modules/system/miscfiles.if
 --- nsaserefpolicy/policy/modules/system/miscfiles.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/miscfiles.if	2010-07-30 14:06:53.000000000 -0400
-@@ -305,9 +305,6 @@
++++ serefpolicy-3.8.8/policy/modules/system/miscfiles.if	2010-08-11 09:33:51.000000000 -0400
+@@ -2,6 +2,50 @@
+ 
+ ########################################
+ ## <summary>
++##	Make the specified type usable as a cert file.
++## </summary>
++## <desc>
++##	<p>
++##	Make the specified type usable for cert files.
++##	This will also make the type usable for files, making
++##	calls to files_type() redundant.  Failure to use this interface
++##	for a temporary file may result in problems with
++##	cert management tools.
++##	</p>
++##	<p>
++##	Related interfaces:
++##	</p>
++##	<ul>
++##		<li>files_type()</li>
++##	</ul>
++##	<p>
++##	Example:
++##	</p>
++##	<p>
++##	type mycertfile_t;
++##	cert_type(mycertfile_t)
++##	allow mydomain_t mycertfile_t:file read_file_perms;
++##	files_search_etc(mydomain_t)
++##	</p>
++## </desc>
++## <param name="type">
++##	<summary>
++##	Type to be used for files.
++##	</summary>
++## </param>
++## <infoflow type="none"/>
++#
++interface(`miscfiles_cert_type',`
++	gen_require(`
++		attribute cert_type;
++	')
++
++	typeattribute $1 cert_type;
++	files_type($1)
++')
++
++########################################
++## <summary>
+ ##	Read system SSL certificates.
+ ## </summary>
+ ## <param name="domain">
+@@ -13,12 +57,12 @@
+ #
+ interface(`miscfiles_read_certs',`
+ 	gen_require(`
+-		type cert_t;
++		attribute cert_type;
+ 	')
+ 
+-	allow $1 cert_t:dir list_dir_perms;
+-	read_files_pattern($1, cert_t, cert_t)
+-	read_lnk_files_pattern($1, cert_t, cert_t)
++	allow $1 cert_type:dir list_dir_perms;
++	read_files_pattern($1, cert_type, cert_type)
++	read_lnk_files_pattern($1, cert_type, cert_type)
+ ')
+ 
+ ########################################
+@@ -305,9 +349,6 @@
  	allow $1 locale_t:dir list_dir_perms;
  	read_files_pattern($1, locale_t, locale_t)
  	read_lnk_files_pattern($1, locale_t, locale_t)
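Review bot: The `miscfiles_cert_type` documentation has two defects: the example calls `cert_type(mycertfile_t)` instead of `miscfiles_cert_type(mycertfile_t)`, and the sentence "Failure to use this interface for a temporary file may result in problems with cert management tools" is a leftover from a tmp-file template and should read along the lines of "Failure to use this interface for a certificate type means miscfiles_read_certs() callers will not be able to read it". More importantly, switching `miscfiles_read_certs` from cert_t to the cert_type attribute means every existing caller silently gains read on every future type given the attribute, although its summary still promises only "system SSL certificates". The `<desc>` block should warn that types holding private key material must not receive the attribute.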
@@ -31748,6 +32102,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
  ')
  
  ########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.8.8/policy/modules/system/miscfiles.te
+--- nsaserefpolicy/policy/modules/system/miscfiles.te	2010-07-27 16:06:06.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/miscfiles.te	2010-08-11 09:33:09.000000000 -0400
+@@ -4,12 +4,13 @@
+ #
+ # Declarations
+ #
++attribute cert_type;
+ 
+ #
+ # cert_t is the type of files in the system certs directories.
+ #
+ type cert_t;
+-files_type(cert_t)
++miscfiles_cert_type(cert_t)
+ 
+ #
+ # fonts_t is the type of various font
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.8.8/policy/modules/system/modutils.if
 --- nsaserefpolicy/policy/modules/system/modutils.if	2010-07-27 16:06:06.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/system/modutils.if	2010-07-30 14:06:53.000000000 -0400
@@ -32905,7 +33277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.8.8/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.te	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.te	2010-08-13 15:47:08.000000000 -0400
 @@ -22,6 +22,9 @@
  type selinux_config_t;
  files_type(selinux_config_t)
@@ -37436,7 +37808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.8.8/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/userdomain.te	2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/userdomain.te	2010-08-12 15:46:21.000000000 -0400
 @@ -43,6 +43,13 @@
  
  ## <desc>
@@ -37490,7 +37862,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
  files_tmp_file(user_tmp_t)
  userdom_user_home_content(user_tmp_t)
-@@ -94,3 +113,24 @@
+@@ -94,3 +113,25 @@
  type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
  dev_node(user_tty_device_t)
  ubac_constrained(user_tty_device_t)
@@ -37504,6 +37876,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +ubac_constrained(home_bin_t)
 +
 +type home_cert_t;
++miscfiles_cert_type(home_cert_t)
 +userdom_user_home_content(home_cert_t)
 +ubac_constrained(home_cert_t)
 +
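Review bot: Adding `miscfiles_cert_type(home_cert_t)` makes per-user certificate directories readable by every domain that calls `miscfiles_read_certs`, which this patch also switches from cert_t to the cert_type attribute; those callers asked for system SSL certificates, not user home content. If home_cert_t labels stores such as ~/.pki or ~/.cert (file contexts not visible here) that can hold private keys beside certificates, this widens information flow from user homes to many system daemons. Consider exposing home_cert_t only through an explicit userdom interface, or record the decision with a comment like `# home_cert_t is exported via cert_type: any miscfiles_read_certs() caller may read it`.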
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f45af40..3ec2e0a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.8.8
-Release: 12%{?dist}
+Release: 15%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,15 @@ exit 0
 %endif
 
 %changelog
+* Tue Aug 17 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-15
+- label dead.letter as mail_home_t
+
+* Fri Aug 13 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-14
+- Allow login programs to search /cgroups
+
+* Thu Aug 12 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-13
+- Fix cert handling
+
 * Tue Aug 10 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-12
 - Fix devicekit_power bug
 - Allow policykit_auth_t more access.

