[selinux-policy/f14/master] - Add matahari policy - Allow shutdown setsched and sys_nice - Add port definition for dogtag, matah

Miroslav Grepl mgrepl at fedoraproject.org
Fri Mar 18 14:50:22 UTC 2011


commit 98092fb96094fc52e6d7ac09e5cfb06a30aa11bd
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Fri Mar 18 15:50:13 2011 +0000

    - Add matahari policy
    - Allow shutdown setsched and sys_nice
    - Add port definition for dogtag, matahari, movaz ports
    - Add label for /etc/securetty
    - Fixes for piranha-pulse policy
    - Fixes for mock policy
    - Add support for KDE ksysguardprocesslist_helper
    - Add support for a new cluster service - foghorn
    - Add support for xfce4-notifyd
    - Add support for kcmdatetimehelper
    - Fixes for spice-vdagent policy
    - Fixes for ssh-keygen policy

 modules-mls.conf      |    8 +
 modules-targeted.conf |    7 +
 policy-F14.patch      | 1504 +++++++++++++++++++++++++++++++++++++++----------
 selinux-policy.spec   |   16 +-
 4 files changed, 1244 insertions(+), 291 deletions(-)
---
diff --git a/modules-mls.conf b/modules-mls.conf
index e5bd84d..ae5846b 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -2089,3 +2089,11 @@ shutdown = module
 # policy for namespace.init script 
 #
 namespace = module
+
+# Layer: services
+# Module: matahari
+#
+# 
+# 
+matahari = module
+ 
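Review bot: The new matahari entry leaves both description lines under `# Module: matahari` empty, while the neighbouring entries (namespace, keyboardd) say what the module confines; add a one-line description naming the daemon(s) the policy covers and what they do, e.g. `# Policy for the matahari agents`, adjusted to what matahari.te actually labels. The final added line is a lone space, which leaves a whitespace-only line at end of file and will trip whitespace checks; drop it.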
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 9c29617..b57aa71 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -2306,3 +2306,10 @@ namespace = module
 # /etc/sysconfig/keyboard and writes out an xorg.conf.d snippet
 #
 keyboardd = module
+
+# Layer: services
+# Module: matahari
+#
+# 
+#
+matahari = module
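Review bot: As in modules-mls.conf, the description lines between `# Module: matahari` and `matahari = module` are blank; every other entry in this file explains what the module is for, so add a one-line description of the daemon(s) the matahari policy confines.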
diff --git a/policy-F14.patch b/policy-F14.patch
index b4ed255..b5b0f88 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -1738,7 +1738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.9.7/policy/modules/admin/rpm.te
 --- nsaserefpolicy/policy/modules/admin/rpm.te	2010-10-12 20:42:51.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/admin/rpm.te	2011-02-25 17:40:39.019547541 +0000
++++ serefpolicy-3.9.7/policy/modules/admin/rpm.te	2011-03-04 14:46:49.003413001 +0000
 @@ -1,10 +1,11 @@
  policy_module(rpm, 1.11.2)
  
@@ -1787,7 +1787,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
  
  fs_getattr_all_dirs(rpm_t)
  fs_list_inotifyfs(rpm_t)
-@@ -207,6 +214,7 @@
+@@ -178,6 +185,7 @@
+ 
+ init_domtrans_script(rpm_t)
+ init_use_script_ptys(rpm_t)
++init_signull_script(rpm_t)
+ 
+ libs_exec_ld_so(rpm_t)
+ libs_exec_lib_files(rpm_t)
+@@ -207,6 +215,7 @@
  	optional_policy(`
  		networkmanager_dbus_chat(rpm_t)
  	')
@@ -1795,7 +1803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
  ')
  
  optional_policy(`
-@@ -214,7 +222,7 @@
+@@ -214,7 +223,7 @@
  ')
  
  optional_policy(`
@@ -1804,7 +1812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
  	# yum-updatesd requires this
  	unconfined_dbus_chat(rpm_t)
  	unconfined_dbus_chat(rpm_script_t)
-@@ -261,6 +269,7 @@
+@@ -261,6 +270,7 @@
  kernel_read_kernel_sysctls(rpm_script_t)
  kernel_read_system_state(rpm_script_t)
  kernel_read_network_state(rpm_script_t)
@@ -1812,7 +1820,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
  kernel_read_software_raid_state(rpm_script_t)
  
  dev_list_sysfs(rpm_script_t)
-@@ -308,6 +317,8 @@
+@@ -308,6 +318,8 @@
  auth_relabel_shadow(rpm_script_t)
  
  corecmd_exec_all_executables(rpm_script_t)
@@ -1821,7 +1829,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
  
  domain_read_all_domains_state(rpm_script_t)
  domain_getattr_all_domains(rpm_script_t)
-@@ -338,12 +349,15 @@
+@@ -338,12 +350,15 @@
  seutil_domtrans_loadpolicy(rpm_script_t)
  seutil_domtrans_setfiles(rpm_script_t)
  seutil_domtrans_semanage(rpm_script_t)
@@ -1837,7 +1845,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
  	')
  ')
  
-@@ -377,8 +391,9 @@
+@@ -377,8 +392,9 @@
  ')
  
  optional_policy(`
@@ -2083,7 +2091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.9.7/policy/modules/admin/shutdown.te
 --- nsaserefpolicy/policy/modules/admin/shutdown.te	2010-10-12 20:42:51.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/admin/shutdown.te	2011-03-01 12:29:00.418574587 +0000
++++ serefpolicy-3.9.7/policy/modules/admin/shutdown.te	2011-03-16 13:24:12.335107000 +0000
 @@ -7,6 +7,7 @@
  
  type shutdown_t;
@@ -2092,6 +2100,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
  application_domain(shutdown_t, shutdown_exec_t)
  role system_r types shutdown_t;
  
+@@ -21,8 +22,8 @@
+ # shutdown local policy
+ #
+ 
+-allow shutdown_t self:capability { dac_override kill setuid sys_tty_config };
+-allow shutdown_t self:process { fork signal signull };
++allow shutdown_t self:capability { dac_override kill setuid sys_nice sys_tty_config };
++allow shutdown_t self:process { fork setsched signal signull };
+ 
+ allow shutdown_t self:fifo_file manage_fifo_file_perms;
+ allow shutdown_t self:unix_stream_socket create_stream_socket_perms;
 @@ -33,18 +34,21 @@
  manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t)
  files_pid_filetrans(shutdown_t, shutdown_var_run_t, file)
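Review bot: The new `sys_nice` capability and `setsched` process permission for shutdown_t carry no comment saying which operation needs them, and nothing in the hunk shows whether the denial actually broke shutdown or was only audit noise. If shutdown completes without them, the tighter choice is `dontaudit shutdown_t self:capability sys_nice;` and `dontaudit shutdown_t self:process setsched;` rather than an allow; if they are functionally required, a comment above the allow line such as `# shutdown re-prioritises itself while bringing the system down` (confirm against the actual denial) would let the next reader avoid re-deriving it. The "shutdown local policy" section continues past the end of this hunk.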
@@ -3008,7 +3027,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.9.7/policy/modules/apps/gnome.fc
 --- nsaserefpolicy/policy/modules/apps/gnome.fc	2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/apps/gnome.fc	2011-02-25 17:40:39.096545644 +0000
++++ serefpolicy-3.9.7/policy/modules/apps/gnome.fc	2011-03-18 13:32:25.005630001 +0000
 @@ -1,9 +1,31 @@
 -HOME_DIR/\.config/gtk-.*	gen_context(system_u:object_r:gnome_home_t,s0)
 +HOME_DIR/\.cache(/.*)?	gen_context(system_u:object_r:cache_home_t,s0)
@@ -3042,7 +3061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc
 +/usr/libexec/gconf-defaults-mechanism	    	--      gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0)
 +
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
-+
++/usr/libexec/kde(3|4)/ksysguardprocesslist_helper   --      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.9.7/policy/modules/apps/gnome.if
 --- nsaserefpolicy/policy/modules/apps/gnome.if	2010-10-12 20:42:51.000000000 +0000
 +++ serefpolicy-3.9.7/policy/modules/apps/gnome.if	2011-02-25 17:40:39.098545596 +0000
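Review bot: Labeling KDE's `ksysguardprocesslist_helper` as `gnomesystemmm_exec_t` reuses the entry-point type of gnome-system-monitor-mechanism, so (assuming the usual domain transition in gnome.te, which is outside this hunk) the KDE helper will run with every rule ever written for that GNOME helper and any future widening of that domain applies to both binaries. Since nothing in gnome.fc says the sharing is deliberate, add a comment above the new line, e.g. `# KDE's process-list helper deliberately shares the gnome-system-monitor-mechanism domain`, or give it its own type if its needs differ. The new line also uses runs of spaces where the neighbouring entries use tabs.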
@@ -6745,8 +6764,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.9.7/policy/modules/apps/sandbox.te
 --- nsaserefpolicy/policy/modules/apps/sandbox.te	1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/apps/sandbox.te	2011-03-04 13:43:02.570413001 +0000
-@@ -0,0 +1,472 @@
++++ serefpolicy-3.9.7/policy/modules/apps/sandbox.te	2011-03-18 13:30:06.493630001 +0000
+@@ -0,0 +1,478 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@@ -6883,6 +6902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +manage_sock_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
 +manage_fifo_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
 +manage_lnk_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
++dontaudit sandbox_domain sandbox_file_t:dir mounton;
 +
 +gen_require(`
 +	type usr_t, lib_t, locale_t;
@@ -6964,6 +6984,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +fs_getattr_tmpfs(sandbox_x_domain)
 +fs_getattr_xattr_fs(sandbox_x_domain)
 +fs_list_inotifyfs(sandbox_x_domain)
++fs_dontaudit_getattr_xattr_fs(sandbox_x_domain)
 +
 +auth_dontaudit_read_login_records(sandbox_x_domain)
 +auth_dontaudit_write_login_records(sandbox_x_domain)
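Review bot: `fs_dontaudit_getattr_xattr_fs(sandbox_x_domain)` is added three lines below `fs_getattr_xattr_fs(sandbox_x_domain)`; if the two interfaces act on the same filesystem getattr permission, as their names suggest, the dontaudit is dead policy because an allowed access is never audited. Keep only one of them: drop the new dontaudit line if the access is needed, or replace the allow with the dontaudit if the intent is to stop granting it. The sandbox_x_domain block continues outside this hunk.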
@@ -6984,7 +7005,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +selinux_compute_user_contexts(sandbox_x_domain)
 +seutil_read_default_contexts(sandbox_x_domain)
 +
-+
 +term_getattr_pty_fs(sandbox_x_domain)
 +term_use_ptmx(sandbox_x_domain)
 +term_search_ptys(sandbox_x_domain)
@@ -6997,6 +7017,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +
 +miscfiles_read_fonts(sandbox_x_domain)
 +
++mta_dontaudit_read_spool_symlinks(sandbox_x_domain)
++
 +storage_dontaudit_rw_fuse(sandbox_x_domain)
 +
 +optional_policy(`
@@ -7091,6 +7113,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +#
 +typeattribute sandbox_web_client_t sandbox_web_type;
 +
++# cjp: for old sandbox
++typeattribute sandbox_web_t sandbox_web_type;
++
 +allow sandbox_web_type self:capability { setuid setgid };
 +allow sandbox_web_type self:netlink_audit_socket nlmsg_relay;
 +dontaudit sandbox_web_type self:process setrlimit;
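Review bot: `typeattribute sandbox_web_t sandbox_web_type;` puts the old sandbox_web_t domain under every rule written for sandbox_web_type, including the `setuid setgid` capability and `netlink_audit_socket nlmsg_relay` allows visible just below it, and the comment `# cjp: for old sandbox` does not say what "old" refers to or when the alias can be retired. Replace it with a comment that states the compatibility contract, e.g. `# Compatibility: sandbox_web_t is the pre-sandbox_web_client_t domain; drop once nothing transitions to it`, so the extra reach is visibly intentional and reviewable later. The sandbox_web_type rules continue past the end of this hunk.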
@@ -7313,8 +7338,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.9.7/policy/modules/apps/seunshare.te
 --- nsaserefpolicy/policy/modules/apps/seunshare.te	2010-10-12 20:42:51.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/apps/seunshare.te	2011-03-04 14:09:25.591413001 +0000
-@@ -5,40 +5,48 @@
++++ serefpolicy-3.9.7/policy/modules/apps/seunshare.te	2011-03-18 13:26:26.561630001 +0000
+@@ -5,40 +5,59 @@
  # Declarations
  #
  
@@ -7380,6 +7405,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
  	')
  ')
 +
++tunable_policy(`use_nfs_home_dirs',`
++	fs_mounton_nfs(seunshare_domain)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++	fs_mounton_cifs(seunshare_domain)
++')
++
++tunable_policy(`use_fusefs_home_dirs',`
++	fs_mounton_fusefs(seunshare_domain)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.9.7/policy/modules/apps/slocate.te
 --- nsaserefpolicy/policy/modules/apps/slocate.te	2010-10-12 20:42:50.000000000 +0000
 +++ serefpolicy-3.9.7/policy/modules/apps/slocate.te	2011-02-25 17:40:39.305540501 +0000
@@ -8296,7 +8332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se
  		dbus_session_bus_client($1_wm_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.9.7/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/kernel/corecommands.fc	2011-02-25 17:40:39.335539762 +0000
++++ serefpolicy-3.9.7/policy/modules/kernel/corecommands.fc	2011-03-18 15:10:04.615630000 +0000
 @@ -9,8 +9,11 @@
  /bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /bin/fish			--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -8382,7 +8418,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/apt/methods.+	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/ConsoleKit/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -205,7 +223,8 @@
+@@ -190,6 +208,8 @@
+ /usr/lib(64)?/sftp-server	--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/vte/gnome-pty-helper --	gen_context(system_u:object_r:bin_t,s0)
+ 
++/usr/lib(64)?/xfce4/notifyd/xfce4-notifyd   --  gen_context(system_u:object_r:bin_t,s0)
++
+ /usr/lib(64)?/debug/bin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/debug/sbin(/.*)? --	gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/debug/usr/bin(/.*)? --	gen_context(system_u:object_r:bin_t,s0)
+@@ -205,7 +225,8 @@
  /usr/lib(64)?/xen/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  
  /usr/libexec(/.*)?			gen_context(system_u:object_r:bin_t,s0)
@@ -8392,7 +8437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  
  /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
  
-@@ -218,8 +237,11 @@
+@@ -218,8 +239,11 @@
  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  
@@ -8404,7 +8449,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  /usr/share/debconf/.+		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/denyhosts/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/denyhosts/plugins(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -228,6 +250,8 @@
+@@ -228,6 +252,8 @@
  /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/e16/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -8413,7 +8458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -314,6 +338,7 @@
+@@ -314,6 +340,7 @@
  /usr/share/texmf/web2c/mktexdir	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/texmf/web2c/mktexnam	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/texmf/web2c/mktexupd	--	gen_context(system_u:object_r:bin_t,s0)
@@ -8421,7 +8466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  ')
  
  ifdef(`distro_suse', `
-@@ -340,3 +365,28 @@
+@@ -340,3 +367,28 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -8515,7 +8560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
 +/lib/udev/devices/net/.* -c	gen_context(system_u:object_r:tun_tap_device_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.9.7/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/kernel/corenetwork.te.in	2011-02-25 17:40:39.339539664 +0000
++++ serefpolicy-3.9.7/policy/modules/kernel/corenetwork.te.in	2011-03-18 15:05:56.787630000 +0000
 @@ -24,6 +24,7 @@
  #
  type tun_tap_device_t;
@@ -8558,9 +8603,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
  network_port(comsat, udp,512,s0)
  network_port(cvs, tcp,2401,s0, udp,2401,s0)
  network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
-@@ -97,7 +104,9 @@
+@@ -96,8 +103,11 @@
+ network_port(dict, tcp,2628,s0)
  network_port(distccd, tcp,3632,s0)
  network_port(dns, udp,53,s0, tcp,53,s0)
++network_port(dogtag, tcp,7390,s0)
  network_port(epmap, tcp,135,s0, udp,135,s0)
 +network_port(festival, tcp,1314,s0)
  network_port(fingerd, tcp,79,s0)
@@ -8568,7 +8615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
  network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
  network_port(ftp_data, tcp,20,s0)
  network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-@@ -111,7 +120,7 @@
+@@ -111,7 +121,7 @@
  network_port(howl, tcp,5335,s0, udp,5353,s0)
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
  network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
@@ -8577,7 +8624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
  network_port(i18n_input, tcp,9010,s0)
  network_port(imaze, tcp,5323,s0, udp,5323,s0)
  network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
-@@ -125,43 +134,56 @@
+@@ -125,43 +135,58 @@
  network_port(isns, tcp,3205,s0, udp,3205,s0)
  network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
  network_port(jabber_interserver, tcp,5269,s0)
@@ -8596,10 +8643,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
  network_port(lmtp, tcp,24,s0, udp,24,s0)
  type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
  network_port(mail, tcp,2000,s0, tcp,3905,s0)
++network_port(matahari, tcp,49000,s0, udp,49000,s0)
  network_port(memcache, tcp,11211,s0, udp,11211,s0)
  network_port(mmcc, tcp,5050,s0, udp,5050,s0)
  network_port(monopd, tcp,1234,s0)
 +network_port(mpd, tcp,6600,s0)
++network_port(movaz_ssc, tcp,5252,s0)
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
 -network_port(mssql, tcp,1433,s0, tcp,1434,s0, udp,1433,s0, udp,1434,s0)
 +network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
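Review bot: `network_port(movaz_ssc, tcp,5252,s0)` is inserted after `mpd`, which breaks the alphabetical order the surrounding list keeps (`movaz_ssc` sorts before `mpd`); move it up one line. Neither new definition says what listens on 49000 or 5252, whereas this file annotates non-obvious ports inline (see `#8443 is mod_nss default port` on the http line), so add a trailing comment naming the daemon that binds each port. Port 49000 also sits inside the range many systems use for ephemeral connections; worth confirming the label does not collide with the reserved/ephemeral handling further down the file, which is outside this hunk.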
@@ -8638,7 +8687,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
  network_port(pulseaudio, tcp,4713,s0)
-@@ -176,24 +198,28 @@
+@@ -176,24 +201,28 @@
  network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
  network_port(rlogind, tcp,513,s0)
  network_port(rndc, tcp,953,s0)
@@ -8671,7 +8720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
  network_port(syslogd, udp,514,s0)
  network_port(telnetd, tcp,23,s0)
  network_port(tftp, udp,69,s0)
-@@ -203,16 +229,17 @@
+@@ -203,16 +232,17 @@
  network_port(ups, tcp,3493,s0)
  type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
  network_port(uucpd, tcp,540,s0)
@@ -8692,7 +8741,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
  network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
-@@ -274,5 +301,5 @@
+@@ -274,5 +304,5 @@
  allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
  
  # Bind to any network address.
@@ -9385,7 +9434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
 +dontaudit can_change_object_identity can_change_object_identity:key link;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.9.7/policy/modules/kernel/files.fc
 --- nsaserefpolicy/policy/modules/kernel/files.fc	2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/kernel/files.fc	2011-02-25 17:40:39.350539392 +0000
++++ serefpolicy-3.9.7/policy/modules/kernel/files.fc	2011-03-16 13:09:36.739107001 +0000
 @@ -18,6 +18,7 @@
  /fsckoptions 		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /halt			--	gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -9394,8 +9443,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ')
  
  ifdef(`distro_suse',`
-@@ -64,6 +65,13 @@
+@@ -62,8 +63,16 @@
+ /etc/nohotplug		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/nologin.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/reader\.conf	-- 	gen_context(system_u:object_r:etc_runtime_t,s0)
++/etc/securetty      --  gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/smartd\.conf.*	--	gen_context(system_u:object_r:etc_runtime_t,s0)
  
 +/etc/sysctl\.conf(\.old)?               --      gen_context(system_u:object_r:system_conf_t,s0)
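Review bot: Labeling `/etc/securetty` as `etc_runtime_t` moves a file that controls where root may log in (it is read by pam_securetty) into the type used for boot-time rewritten files such as `/etc/nologin` and `/etc/mtab` shown in the surrounding context, so every domain allowed to manage etc_runtime_t gains write access to it. Nothing in the hunk says which domain needs to write securetty; if it is only read, it should stay `etc_t`, and if some domain must rewrite it, add a comment above the line naming that domain, e.g. `# rewritten at boot by <domain>; see <bug>`, or give it a dedicated type so the write permission can be granted narrowly. The new line also uses spaces where the rest of the file uses tabs.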
@@ -9408,7 +9460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  /etc/cups/client\.conf	--	gen_context(system_u:object_r:etc_t,s0)
  
  /etc/ipsec\.d/examples(/.*)?	gen_context(system_u:object_r:etc_t,s0)
-@@ -74,7 +82,8 @@
+@@ -74,7 +83,8 @@
  
  /etc/sysconfig/hwconf	--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -9418,7 +9470,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  
  ifdef(`distro_gentoo', `
  /etc/profile\.env	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -95,7 +104,7 @@
+@@ -95,7 +105,7 @@
  # HOME_ROOT
  # expanded by genhomedircon
  #
@@ -9427,7 +9479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  HOME_ROOT/\.journal		<<none>>
  HOME_ROOT/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
  HOME_ROOT/lost\+found/.*		<<none>>
-@@ -159,6 +168,12 @@
+@@ -159,6 +169,12 @@
  /proc			-d	<<none>>
  /proc/.*			<<none>>
  
@@ -9440,7 +9492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  #
  # /selinux
  #
-@@ -172,12 +187,6 @@
+@@ -172,12 +188,6 @@
  /srv/.*				gen_context(system_u:object_r:var_t,s0)
  
  #
@@ -9453,7 +9505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  # /tmp
  #
  /tmp			-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
-@@ -217,7 +226,6 @@
+@@ -217,7 +227,6 @@
  
  ifndef(`distro_redhat',`
  /usr/local/src(/.*)?		gen_context(system_u:object_r:src_t,s0)
@@ -9461,7 +9513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
  /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
  ')
-@@ -233,6 +241,8 @@
+@@ -233,6 +242,8 @@
  
  /var/ftp/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
  
@@ -9470,7 +9522,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  /var/lib(/.*)?			gen_context(system_u:object_r:var_lib_t,s0)
  
  /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
-@@ -249,7 +259,7 @@
+@@ -249,7 +260,7 @@
  /var/spool(/.*)?			gen_context(system_u:object_r:var_spool_t,s0)
  /var/spool/postfix/etc(/.*)?	gen_context(system_u:object_r:etc_t,s0)
  
@@ -9479,7 +9531,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  /var/tmp/.*			<<none>>
  /var/tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
  /var/tmp/lost\+found/.*		<<none>>
-@@ -258,3 +268,7 @@
+@@ -258,3 +269,7 @@
  ifdef(`distro_debian',`
  /var/run/motd		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  ')
@@ -9489,7 +9541,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 +/usr/lib/debug(/.*)?				<<none>>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.9.7/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/kernel/files.if	2011-03-04 14:15:47.796413001 +0000
++++ serefpolicy-3.9.7/policy/modules/kernel/files.if	2011-03-18 15:21:15.468630000 +0000
 @@ -1053,10 +1053,8 @@
  	relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
  	relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -9589,7 +9641,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ##	List the contents of the root directory.
  ## </summary>
  ## <param name="domain">
-@@ -1836,6 +1906,25 @@
+@@ -1713,6 +1783,24 @@
+ 	allow $1 boot_t:dir list_dir_perms;
+ ')
+ 
++######################################
++## <summary>
++##  Dontaudit List the /boot directory.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`files_dontaudit_list_boot',`
++    gen_require(`
++        type boot_t;
++    ')
++
++    dontaudit $1 boot_t:dir list_dir_perms;
++')
++
+ ########################################
+ ## <summary>
+ ##	Create directories in /boot
+@@ -1836,6 +1924,25 @@
  	relabelfrom_files_pattern($1, boot_t, boot_t)
  ')
  
@@ -9615,7 +9692,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ########################################
  ## <summary>
  ##	Read and write symbolic links
-@@ -2435,6 +2524,24 @@
+@@ -2435,6 +2542,24 @@
  
  ########################################
  ## <summary>
@@ -9640,7 +9717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ##	Execute generic files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2605,6 +2712,24 @@
+@@ -2605,6 +2730,24 @@
  
  ########################################
  ## <summary>
@@ -9665,7 +9742,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ##	Do not audit attempts to read files
  ##	in /etc that are dynamically
  ##	created on boot, such as mtab.
-@@ -3086,6 +3211,7 @@
+@@ -3086,6 +3229,7 @@
  	')
  
  	allow $1 home_root_t:dir getattr;
@@ -9673,7 +9750,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ')
  
  ########################################
-@@ -3106,6 +3232,7 @@
+@@ -3106,6 +3250,7 @@
  	')
  
  	dontaudit $1 home_root_t:dir getattr;
@@ -9681,7 +9758,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ')
  
  ########################################
-@@ -3347,6 +3474,24 @@
+@@ -3347,6 +3492,24 @@
  	allow $1 mnt_t:dir list_dir_perms;
  ')
  
@@ -9706,7 +9783,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ########################################
  ## <summary>
  ##	Mount a filesystem on /mnt.
-@@ -3420,6 +3565,24 @@
+@@ -3420,6 +3583,24 @@
  	read_files_pattern($1, mnt_t, mnt_t)
  ')
  
@@ -9731,7 +9808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ########################################
  ## <summary>
  ##	Create, read, write, and delete symbolic links in /mnt.
-@@ -3711,6 +3874,100 @@
+@@ -3711,6 +3892,100 @@
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
@@ -9832,7 +9909,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ########################################
  ## <summary>
  ##	Allow the specified type to associate
-@@ -3896,6 +4153,32 @@
+@@ -3896,6 +4171,32 @@
  
  ########################################
  ## <summary>
@@ -9865,7 +9942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ##	Manage temporary files and directories in /tmp.
  ## </summary>
  ## <param name="domain">
-@@ -3948,6 +4231,42 @@
+@@ -3948,6 +4249,42 @@
  	rw_sock_files_pattern($1, tmp_t, tmp_t)
  ')
  
@@ -9908,7 +9985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ########################################
  ## <summary>
  ##	Set the attributes of all tmp directories.
-@@ -4109,6 +4428,13 @@
+@@ -4109,6 +4446,13 @@
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -9922,7 +9999,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ')
  
  ########################################
-@@ -4716,9 +5042,27 @@
+@@ -4716,9 +5060,27 @@
  	read_files_pattern($1, var_t, var_t)
  ')
  
@@ -9951,7 +10028,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4726,54 +5070,54 @@
+@@ -4726,54 +5088,54 @@
  ##	</summary>
  ## </param>
  #
@@ -10018,7 +10095,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4781,12 +5125,12 @@
+@@ -4781,12 +5143,12 @@
  ##	</summary>
  ## </param>
  #
@@ -10033,32 +10110,70 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ')
  
  ########################################
-@@ -5053,6 +5397,24 @@
+@@ -5053,7 +5415,7 @@
  
  ########################################
  ## <summary>
+-##	Search the locks directory (/var/lock).
 +##	List generic lock directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5061,28 +5423,46 @@
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_search_locks',`
 +interface(`files_list_locks',`
-+	gen_require(`
+ 	gen_require(`
+ 		type var_t, var_lock_t;
+ 	')
+ 
+-	search_dirs_pattern($1, var_t, var_lock_t)
++	list_dirs_pattern($1, var_t, var_lock_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to search the
+-##	locks directory (/var/lock).
++##	Search the locks directory (/var/lock).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_search_locks',`
++interface(`files_search_locks',`
+ 	gen_require(`
+-		type var_lock_t;
 +		type var_t, var_lock_t;
 +	')
 +
-+	list_dirs_pattern($1, var_t, var_lock_t)
++	search_dirs_pattern($1, var_t, var_lock_t)
 +')
 +
 +########################################
 +## <summary>
- ##	Search the locks directory (/var/lock).
- ## </summary>
- ## <param name="domain">
-@@ -5138,12 +5500,12 @@
++##	Do not audit attempts to search the
++##	locks directory (/var/lock).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_search_locks',`
++	gen_require(`
++		type var_lock_t;
+ 	')
+ 
+ 	dontaudit $1 var_lock_t:dir search_dir_perms;
+@@ -5138,12 +5518,12 @@
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -10075,11 +10190,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ')
  
  ########################################
-@@ -5189,7 +5551,28 @@
+@@ -5189,6 +5569,27 @@
  
  ########################################
  ## <summary>
--##	Read all lock files.
 +##	Relabel all lock files.
 +## </summary>
 +## <param name="domain">
@@ -10101,11 +10215,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 +
 +########################################
 +## <summary>
-+##	Read all lock files.
+ ##	Read all lock files.
  ## </summary>
  ## <param name="domain">
- ##	<summary>
-@@ -5317,6 +5700,43 @@
+@@ -5317,6 +5718,43 @@
  	search_dirs_pattern($1, var_t, var_run_t)
  ')
  
@@ -10149,7 +10262,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -5524,6 +5944,62 @@
+@@ -5524,6 +5962,62 @@
  
  ########################################
  ## <summary>
@@ -10212,7 +10325,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ##	Read all process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -5541,6 +6017,44 @@
+@@ -5541,6 +6035,44 @@
  
  	list_dirs_pattern($1, var_t, pidfile)
  	read_files_pattern($1, pidfile, pidfile)
@@ -10257,7 +10370,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ')
  
  ########################################
-@@ -5826,3 +6340,247 @@
+@@ -5826,3 +6358,247 @@
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -10561,7 +10674,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 +/dev/hugepages(/.*)?		<<none>>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.9.7/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/kernel/filesystem.if	2011-02-25 17:40:39.361539122 +0000
++++ serefpolicy-3.9.7/policy/modules/kernel/filesystem.if	2011-03-18 15:28:29.957630000 +0000
 @@ -646,11 +646,31 @@
  	')
  
@@ -10710,7 +10823,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  #######################################
  ## <summary>
  ##	Create, read, write, and delete dirs
-@@ -1890,6 +1954,26 @@
+@@ -1754,6 +1818,24 @@
+ 	allow $1 fusefs_t:filesystem mount;
+ ')
+ 
++#######################################
++## <summary>
++##  Mounton a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`fs_mounton_fusefs',`
++    gen_require(`
++        type fusefs_t;
++    ')
++
++    allow $1 fusefs_t:dir mounton;
++')
++
+ ########################################
+ ## <summary>
+ ##	Unmount a FUSE filesystem.
+@@ -1890,6 +1972,26 @@
  	manage_files_pattern($1, fusefs_t, fusefs_t)
  ')
  
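Review bot: The new `fs_mounton_fusefs` interface is indented with four spaces while the rest of filesystem.if uses tabs, and its summary `Mounton a FUSEFS filesystem.` reads as a typo. The same space-indented style recurs in the `kernel_dontaudit_setattr_proc_dirs`, `term_use_virtio_console` and `ftp_domtrans`/`ftp_initrc_domtrans` hunks below. Suggest tab indentation and a summary such as `##	Allow the domain to mount filesystems on directories of a FUSE filesystem (dir mounton).`, which also makes clear the rule is on `fusefs_t:dir`, not on the filesystem object.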
@@ -10737,7 +10875,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  ########################################
  ## <summary>
  ##	Do not audit attempts to create,
-@@ -1931,7 +2015,26 @@
+@@ -1931,7 +2033,26 @@
  
  ########################################
  ## <summary>
@@ -10765,7 +10903,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1946,6 +2049,41 @@
+@@ -1946,6 +2067,41 @@
  
  	rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
  ')
@@ -10807,7 +10945,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  
  ########################################
  ## <summary>
-@@ -1999,6 +2137,7 @@
+@@ -1999,6 +2155,7 @@
  	')
  
  	allow $1 inotifyfs_t:dir list_dir_perms;
@@ -10815,7 +10953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  ')
  
  ########################################
-@@ -2395,6 +2534,25 @@
+@@ -2395,6 +2552,25 @@
  
  ########################################
  ## <summary>
@@ -10841,7 +10979,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  ##	Append files
  ##	on a NFS filesystem.
  ## </summary>
-@@ -2435,6 +2593,24 @@
+@@ -2435,6 +2611,24 @@
  
  ########################################
  ## <summary>
@@ -10866,7 +11004,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  ##	Do not audit attempts to read or
  ##	write files on a NFS filesystem.
  ## </summary>
-@@ -2449,7 +2625,7 @@
+@@ -2449,7 +2643,7 @@
  		type nfs_t;
  	')
  
@@ -10875,7 +11013,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  ')
  
  ########################################
-@@ -2637,6 +2813,24 @@
+@@ -2637,6 +2831,24 @@
  
  ########################################
  ## <summary>
@@ -10900,7 +11038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  ##	Read removable storage symbolic links.
  ## </summary>
  ## <param name="domain">
-@@ -2653,6 +2847,25 @@
+@@ -2653,6 +2865,25 @@
  	read_lnk_files_pattern($1, removable_t, removable_t)
  ')
  
@@ -10926,7 +11064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  ########################################
  ## <summary>
  ##	Read and write block nodes on removable filesystems.
-@@ -2845,7 +3058,7 @@
+@@ -2845,7 +3076,7 @@
  #########################################
  ## <summary>
  ##	Create, read, write, and delete symbolic links
@@ -10935,7 +11073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3970,6 +4183,42 @@
+@@ -3970,6 +4201,42 @@
  
  ########################################
  ## <summary>
@@ -10978,7 +11116,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  ##	Relabel character nodes on tmpfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4252,6 +4501,8 @@
+@@ -4252,6 +4519,8 @@
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -10987,7 +11125,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  ')
  
  ########################################
-@@ -4662,3 +4913,24 @@
+@@ -4662,3 +4931,24 @@
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -11099,7 +11237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.9.7/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/kernel/kernel.if	2011-02-25 17:40:39.363539072 +0000
++++ serefpolicy-3.9.7/policy/modules/kernel/kernel.if	2011-03-18 15:18:42.215630000 +0000
 @@ -698,6 +698,46 @@
  
  ########################################
@@ -11147,7 +11285,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
  ##	Mount a kernel VM filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -1977,7 +2017,7 @@
+@@ -732,6 +772,25 @@
+ 	allow $1 proc_t:filesystem unmount;
+ ')
+ 
++#######################################
++## <summary>
++##  Do not audit attempts to setattr
++##  directories in /proc.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain to not audit.
++##  </summary>
++## </param>
++#
++interface(`kernel_dontaudit_setattr_proc_dirs',`
++    gen_require(`
++        type proc_t;
++    ')
++
++    dontaudit $1 proc_t:dir setattr;
++')
++
+ ########################################
+ ## <summary>
+ ##	Get the attributes of the proc filesystem.
+@@ -1977,7 +2036,7 @@
  	')
  
  	dontaudit $1 sysctl_type:dir list_dir_perms;
@@ -11156,7 +11320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
  ')
  
  ########################################
-@@ -2378,6 +2418,24 @@
+@@ -2378,6 +2437,24 @@
  	allow $1 unlabeled_t:blk_file getattr;
  ')
  
@@ -11181,7 +11345,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
  ########################################
  ## <summary>
  ##	Do not audit attempts by caller to get attributes for
-@@ -2701,6 +2759,33 @@
+@@ -2701,6 +2778,33 @@
  
  ########################################
  ## <summary>
@@ -11215,7 +11379,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
  ##	Do not audit attempts to receive Raw IP packets from an unlabeled
  ##	connection.
  ## </summary>
-@@ -2828,16 +2913,24 @@
+@@ -2828,16 +2932,24 @@
  	gen_require(`
  		type unlabeled_t;
  		class db_database { setattr relabelfrom };
@@ -11240,7 +11404,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
  	allow $1 unlabeled_t:db_column { setattr relabelfrom };
  	allow $1 unlabeled_t:db_tuple { update relabelfrom };
  	allow $1 unlabeled_t:db_blob { setattr relabelfrom };
-@@ -2845,6 +2938,24 @@
+@@ -2845,6 +2957,24 @@
  
  ########################################
  ## <summary>
@@ -11265,7 +11429,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
  ##	Unconfined access to kernel module resources.
  ## </summary>
  ## <param name="domain">
-@@ -2860,3 +2971,23 @@
+@@ -2860,3 +2990,23 @@
  
  	typeattribute $1 kern_unconfined;
  ')
@@ -11570,8 +11734,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.9.7/policy/modules/kernel/terminal.fc
 --- nsaserefpolicy/policy/modules/kernel/terminal.fc	2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/kernel/terminal.fc	2011-02-25 17:40:39.411537891 +0000
-@@ -40,3 +40,5 @@
++++ serefpolicy-3.9.7/policy/modules/kernel/terminal.fc	2011-03-09 15:21:04.154980000 +0000
+@@ -6,6 +6,7 @@
+ /dev/console		-c	gen_context(system_u:object_r:console_device_t,s0)
+ /dev/cu.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/dcbri[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
++/dev/hpilo/[^/]*      -c  gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/hvc.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/hvsi.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/i2c[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+@@ -18,6 +19,7 @@
+ /dev/slamr[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/tty		-c	gen_context(system_u:object_r:devtty_t,s0)
+ /dev/ttySG.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
++/dev/vport[0-9]p[0-9]+  -c  gen_context(system_u:object_r:virtio_device_t,s0)
+ /dev/xvc[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+ 
+ /dev/pty/.*		-c	gen_context(system_u:object_r:bsdpty_device_t,s0)
+@@ -40,3 +42,5 @@
  # used by init scripts to initally populate udev /dev
  /lib/udev/devices/console -c	gen_context(system_u:object_r:console_device_t,s0)
  ')
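Review bot: The added `/dev/hpilo/[^/]*` entry labels what appear to be the HP iLO management-channel devices as `tty_device_t`, so every domain granted generic tty access also reaches the management controller; a dedicated type, as this hunk does for `/dev/vport*` with `virtio_device_t`, would let that access be scoped to the agent that needs it. Separately, `/dev/vport[0-9]p[0-9]+` matches only a single-digit controller index; `/dev/vport[0-9]+p[0-9]+` would also cover a tenth or later virtio-serial device. Both new lines also separate columns with spaces where the rest of the file uses tabs.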
@@ -11579,7 +11759,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin
 +/lib/udev/devices/pts	-d	gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.9.7/policy/modules/kernel/terminal.if
 --- nsaserefpolicy/policy/modules/kernel/terminal.if	2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/kernel/terminal.if	2011-02-25 17:40:39.412537866 +0000
++++ serefpolicy-3.9.7/policy/modules/kernel/terminal.if	2011-03-09 15:12:33.420980002 +0000
 @@ -292,9 +292,11 @@
  interface(`term_dontaudit_use_console',`
  	gen_require(`
@@ -11674,9 +11854,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin
  ')
  
  ########################################
+@@ -1468,3 +1474,22 @@
+ 	refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
+ 	term_dontaudit_use_all_ttys($1)
+ ')
++
++####################################
++## <summary>
++##      Read from and write to the virtio console.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`term_use_virtio_console',`
++        gen_require(`
++                type virtio_device_t;
++        ')
++
++        dev_list_all_dev_nodes($1)
++        allow $1 virtio_device_t:chr_file rw_chr_file_perms;
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-3.9.7/policy/modules/kernel/terminal.te
 --- nsaserefpolicy/policy/modules/kernel/terminal.te	2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/kernel/terminal.te	2011-02-25 17:40:39.439537201 +0000
++++ serefpolicy-3.9.7/policy/modules/kernel/terminal.te	2011-03-09 15:10:05.378980002 +0000
 @@ -29,6 +29,7 @@
  fs_associate_tmpfs(devpts_t)
  fs_type(devpts_t)
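Review bot: The summary of `term_use_virtio_console` says `Read from and write to the virtio console.`, but the type it grants access to is labelled on `/dev/vport*`, which are virtio-serial ports rather than the virtio console (`/dev/hvc*` is labelled separately in terminal.fc); `##	Read from and write to virtio-serial ports (/dev/vport*).` would describe the rule accurately. The header rule above the summary is also shorter than the file's standard 40-character separator.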
@@ -11685,6 +11888,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin
  
  #
  # devtty_t is the type of /dev/tty.
+@@ -56,3 +57,9 @@
+ #
+ type usbtty_device_t, serial_device;
+ dev_node(usbtty_device_t)
++
++#
++# virtio_device_t is the type of /dev/vport[0-9]p[0-9]
++#
++type virtio_device_t, serial_device;
++dev_node(virtio_device_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditadm.te serefpolicy-3.9.7/policy/modules/roles/auditadm.te
 --- nsaserefpolicy/policy/modules/roles/auditadm.te	2010-10-12 20:42:51.000000000 +0000
 +++ serefpolicy-3.9.7/policy/modules/roles/auditadm.te	2011-02-25 17:40:39.439537201 +0000
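Review bot: `type virtio_device_t, serial_device;` places the new type under the `serial_device` attribute, so any interface keyed on that attribute will reach the virtio-serial guest/host channels as well as real serial ports; if only callers of `term_use_virtio_console` should have that access, declaring the type without the attribute while keeping `dev_node(virtio_device_t)` keeps the surface narrow. The comment `/dev/vport[0-9]p[0-9]` also drops the trailing `+` used by the terminal.fc pattern; align it with the fc entry.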
@@ -15203,7 +15416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.9.7/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/apache.te	2011-02-25 17:40:39.624532649 +0000
++++ serefpolicy-3.9.7/policy/modules/services/apache.te	2011-03-18 15:15:13.372630000 +0000
 @@ -18,130 +18,195 @@
  # Declarations
  #
@@ -15654,7 +15867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
  	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -466,8 +602,12 @@
+@@ -466,15 +602,28 @@
  	corenet_tcp_bind_ftp_port(httpd_t)
  ')
  
@@ -15669,11 +15882,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -475,6 +615,12 @@
++	fs_list_auto_mountpoints(httpd_t)
+ 	fs_read_nfs_files(httpd_t)
  	fs_read_nfs_symlinks(httpd_t)
  ')
  
 +tunable_policy(`httpd_use_nfs',`
++	fs_list_auto_mountpoints(httpd_t)
++	fs_list_auto_mountpoints(httpd_t)
 +	fs_manage_nfs_dirs(httpd_t)
 +	fs_manage_nfs_files(httpd_t)
 +	fs_manage_nfs_symlinks(httpd_t)
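Review bot: `fs_list_auto_mountpoints(httpd_t)` is added twice in the `httpd_use_nfs` block (the two consecutive `+` lines immediately above `fs_manage_nfs_dirs(httpd_t)`); the duplicate is harmless to the compiled policy but should be dropped. The same call added to the `use_nfs_home_dirs` block earlier in this hunk appears once and is fine.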
@@ -15682,7 +15898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_t)
  	fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +630,16 @@
+@@ -484,7 +633,16 @@
  	# allow httpd to connect to mail servers
  	corenet_tcp_connect_smtp_port(httpd_t)
  	corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -15699,7 +15915,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  tunable_policy(`httpd_ssi_exec',`
-@@ -500,8 +655,10 @@
+@@ -500,8 +658,10 @@
  # are dontaudited here.
  tunable_policy(`httpd_tty_comm',`
  	userdom_use_user_terminals(httpd_t)
@@ -15710,7 +15926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  optional_policy(`
-@@ -513,7 +670,13 @@
+@@ -513,7 +673,13 @@
  ')
  
  optional_policy(`
@@ -15725,7 +15941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  optional_policy(`
-@@ -528,7 +691,19 @@
+@@ -528,7 +694,19 @@
  	daemontools_service_domain(httpd_t, httpd_exec_t)
  ')
  
@@ -15746,7 +15962,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +712,13 @@
+@@ -537,8 +715,13 @@
  ')
  
  optional_policy(`
@@ -15761,7 +15977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	')
  ')
  
-@@ -556,7 +736,13 @@
+@@ -556,7 +739,13 @@
  ')
  
  optional_policy(`
@@ -15775,7 +15991,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
  
-@@ -567,6 +753,7 @@
+@@ -567,6 +756,7 @@
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -15783,7 +15999,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  optional_policy(`
-@@ -577,6 +764,16 @@
+@@ -577,6 +767,16 @@
  ')
  
  optional_policy(`
@@ -15800,7 +16016,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
  	postgresql_unpriv_client(httpd_t)
-@@ -591,6 +788,11 @@
+@@ -591,6 +791,11 @@
  ')
  
  optional_policy(`
@@ -15812,7 +16028,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -603,6 +805,11 @@
+@@ -603,6 +808,11 @@
  	yam_read_content(httpd_t)
  ')
  
@@ -15824,7 +16040,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ########################################
  #
  # Apache helper local policy
-@@ -618,6 +825,10 @@
+@@ -618,6 +828,10 @@
  
  userdom_use_user_terminals(httpd_helper_t)
  
@@ -15835,7 +16051,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ########################################
  #
  # Apache PHP script local policy
-@@ -654,28 +865,29 @@
+@@ -654,28 +868,29 @@
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -15878,7 +16094,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  ########################################
-@@ -699,17 +911,22 @@
+@@ -699,17 +914,22 @@
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -15904,7 +16120,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -740,10 +957,22 @@
+@@ -740,13 +960,26 @@
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -15928,7 +16144,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -769,6 +998,25 @@
++	fs_list_auto_mountpoints(httpd_suexec_t)
+ 	fs_read_nfs_files(httpd_suexec_t)
+ 	fs_read_nfs_symlinks(httpd_suexec_t)
+ 	fs_exec_nfs_files(httpd_suexec_t)
+@@ -769,6 +1002,25 @@
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -15954,7 +16174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ########################################
  #
  # Apache system script local policy
-@@ -791,10 +1039,15 @@
+@@ -791,10 +1043,15 @@
  
  files_search_var_lib(httpd_sys_script_t)
  files_search_spool(httpd_sys_script_t)
@@ -15970,7 +16190,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -803,6 +1056,35 @@
+@@ -803,6 +1060,37 @@
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -15992,11 +16212,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +fs_nfs_entry_type(httpd_sys_script_t)
 +
 +tunable_policy(`httpd_use_nfs',`
++	fs_list_auto_mountpoints(httpd_sys_script_t)
 +	fs_manage_nfs_dirs(httpd_sys_script_t)
 +	fs_manage_nfs_files(httpd_sys_script_t)
 +	fs_manage_nfs_symlinks(httpd_sys_script_t)
 +	fs_exec_nfs_files(httpd_sys_script_t)
 +
++	fs_list_auto_mountpoints(httpd_suexec_t)
 +	fs_manage_nfs_dirs(httpd_suexec_t)
 +	fs_manage_nfs_files(httpd_suexec_t)
 +	fs_manage_nfs_symlinks(httpd_suexec_t)
@@ -16006,7 +16228,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
  	allow httpd_sys_script_t self:udp_socket create_socket_perms;
-@@ -822,7 +1104,7 @@
+@@ -822,14 +1110,29 @@
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -16015,7 +16237,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -830,6 +1112,20 @@
++	fs_list_auto_mountpoints(httpd_sys_script_t)
+ 	fs_read_nfs_files(httpd_sys_script_t)
  	fs_read_nfs_symlinks(httpd_sys_script_t)
  ')
  
@@ -16036,7 +16259,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1138,20 @@
+@@ -842,10 +1145,20 @@
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -16057,7 +16280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  ########################################
-@@ -891,11 +1197,21 @@
+@@ -891,11 +1204,21 @@
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -18039,7 +18262,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.9.7/policy/modules/services/clamav.te
 --- nsaserefpolicy/policy/modules/services/clamav.te	2010-10-12 20:42:48.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/clamav.te	2011-02-25 17:40:39.711530507 +0000
++++ serefpolicy-3.9.7/policy/modules/services/clamav.te	2011-03-15 15:00:02.248107001 +0000
 @@ -1,9 +1,9 @@
  policy_module(clamav, 1.8.1)
  
@@ -18082,7 +18305,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
  
  kernel_dontaudit_list_proc(clamd_t)
  kernel_read_sysctl(clamd_t)
-@@ -147,8 +151,10 @@
+@@ -110,6 +114,7 @@
+ corenet_tcp_bind_clamd_port(clamd_t)
+ corenet_tcp_bind_generic_port(clamd_t)
+ corenet_tcp_connect_generic_port(clamd_t)
++corenet_tcp_connect_clamd_port(clamd_t)
+ corenet_sendrecv_clamd_server_packets(clamd_t)
+ 
+ dev_read_rand(clamd_t)
+@@ -147,8 +152,10 @@
  
  tunable_policy(`clamd_use_jit',`
  	allow clamd_t self:process execmem;
@@ -18094,7 +18325,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
  ')
  
  ########################################
-@@ -178,10 +184,16 @@
+@@ -178,10 +185,16 @@
  
  # log files (own logfiles only)
  manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
@@ -18113,7 +18344,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
  corenet_all_recvfrom_unlabeled(freshclam_t)
  corenet_all_recvfrom_netlabel(freshclam_t)
  corenet_tcp_sendrecv_generic_if(freshclam_t)
-@@ -189,6 +201,7 @@
+@@ -189,6 +202,7 @@
  corenet_tcp_sendrecv_all_ports(freshclam_t)
  corenet_tcp_sendrecv_clamd_port(freshclam_t)
  corenet_tcp_connect_http_port(freshclam_t)
@@ -18121,7 +18352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
  corenet_sendrecv_http_client_packets(freshclam_t)
  
  dev_read_rand(freshclam_t)
-@@ -207,16 +220,18 @@
+@@ -207,16 +221,18 @@
  
  clamav_stream_connect(freshclam_t)
  
@@ -18144,7 +18375,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
  ########################################
  #
  # clamscam local policy
-@@ -248,9 +263,11 @@
+@@ -248,9 +264,11 @@
  corenet_tcp_sendrecv_generic_node(clamscan_t)
  corenet_tcp_sendrecv_all_ports(clamscan_t)
  corenet_tcp_sendrecv_clamd_port(clamscan_t)
@@ -18156,7 +18387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
  
  files_read_etc_files(clamscan_t)
  files_read_etc_runtime_files(clamscan_t)
-@@ -265,6 +282,9 @@
+@@ -265,6 +283,9 @@
  clamav_stream_connect(clamscan_t)
  
  mta_send_mail(clamscan_t)
@@ -21327,8 +21558,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv.te serefpolicy-3.9.7/policy/modules/services/dirsrv.te
 --- nsaserefpolicy/policy/modules/services/dirsrv.te	1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/dirsrv.te	2011-02-25 17:40:39.872526544 +0000
-@@ -0,0 +1,185 @@
++++ serefpolicy-3.9.7/policy/modules/services/dirsrv.te	2011-03-16 13:34:02.671107000 +0000
+@@ -0,0 +1,187 @@
 +policy_module(dirsrv,1.0.0)
 +
 +########################################
@@ -21412,6 +21643,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs
 +
 +manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
 +manage_dirs_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
++manage_lnk_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
 +
 +manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
 +manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
@@ -21428,6 +21660,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs
 +corenet_tcp_sendrecv_all_ports(dirsrv_t)
 +corenet_tcp_bind_all_nodes(dirsrv_t)
 +corenet_tcp_bind_ldap_port(dirsrv_t)
++corenet_tcp_bind_dogtag_port(dirsrv_t)
 +corenet_tcp_bind_all_rpc_ports(dirsrv_t)
 +corenet_udp_bind_all_rpc_ports(dirsrv_t)
 +corenet_tcp_connect_all_ports(dirsrv_t)
@@ -21600,8 +21833,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.9.7/policy/modules/services/dnsmasq.te
 --- nsaserefpolicy/policy/modules/services/dnsmasq.te	2010-10-12 20:42:48.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/dnsmasq.te	2011-03-01 12:38:15.115920211 +0000
-@@ -96,7 +96,16 @@
++++ serefpolicy-3.9.7/policy/modules/services/dnsmasq.te	2011-03-18 14:17:25.483630000 +0000
+@@ -96,7 +96,20 @@
  ')
  
  optional_policy(`
@@ -21614,6 +21847,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
 +')
 +
 +optional_policy(`
++	networkmanager_read_pid_files(dnsmasq_t)
++')
++
++optional_policy(`
 +	ppp_read_pid_files(dnsmasq_t)
  ')
  
@@ -22425,6 +22662,53 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
  /var/log/xferlog.*	--	gen_context(system_u:object_r:xferlog_t,s0)
  /var/log/xferreport.*	--	gen_context(system_u:object_r:xferlog_t,s0)
 +/usr/libexec/webmin/vsftpd/webalizer/xfer_log 	--	gen_context(system_u:object_r:xferlog_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.9.7/policy/modules/services/ftp.if
+--- nsaserefpolicy/policy/modules/services/ftp.if	2010-10-12 20:42:48.000000000 +0000
++++ serefpolicy-3.9.7/policy/modules/services/ftp.if	2011-03-16 14:35:07.621107002 +0000
+@@ -1,5 +1,43 @@
+ ## <summary>File transfer protocol service</summary>
+ 
++#####################################
++## <summary>
++##      Execute a domain transition to run ftpd.
++## </summary>
++## <param name="domain">
++## <summary>
++##      Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`ftp_domtrans',`
++        gen_require(`
++                type ftpd_t, ftpd_exec_t;
++        ')
++
++        corecmd_search_bin($1)
++        domtrans_pattern($1,ftpd_exec_t, ftpd_t)
++
++')
++
++######################################
++## <summary>
++##  Execute ftpd server in the ftpd domain.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  The type of the process performing this action.
++##  </summary>
++## </param>
++#
++interface(`ftp_initrc_domtrans',`
++    gen_require(`
++        type ftp_initrc_exec_t;
++    ')
++
++    init_labeled_script_domtrans($1, ftp_initrc_exec_t)
++')
++
+ #######################################
+ ## <summary>
+ ##	Allow domain dyntransition to sftpd_anon domain.
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.9.7/policy/modules/services/ftp.te
 --- nsaserefpolicy/policy/modules/services/ftp.te	2010-10-12 20:42:49.000000000 +0000
 +++ serefpolicy-3.9.7/policy/modules/services/ftp.te	2011-02-25 17:40:39.956524475 +0000
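Review bot: `ftp_initrc_domtrans` requires `type ftp_initrc_exec_t;`, but refpolicy's ftp module declares its init-script type as `ftpd_initrc_exec_t`; unless the patch declares `ftp_initrc_exec_t` somewhere not visible here, the module will fail to link on the missing type, so confirm the name against ftp.te. Its summary `Execute ftpd server in the ftpd domain.` also misdescribes the rule, since `init_labeled_script_domtrans` transitions into the init-script (initrc) domain, not into `ftpd_t`; `##	Execute the ftpd init script in the initrc domain.` matches what is granted. In `ftp_domtrans`, drop the stray blank line before `')` and write `domtrans_pattern($1, ftpd_exec_t, ftpd_t)` with the conventional spacing.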
@@ -23344,12 +23628,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
 +gen_user(git_shell_u, user, git_shell_r, s0, s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.9.7/policy/modules/services/gnomeclock.fc
 --- nsaserefpolicy/policy/modules/services/gnomeclock.fc	2010-10-12 20:42:48.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/gnomeclock.fc	2011-02-25 17:40:39.960524378 +0000
-@@ -1,2 +1,4 @@
++++ serefpolicy-3.9.7/policy/modules/services/gnomeclock.fc	2011-03-18 13:31:53.557630001 +0000
+@@ -1,2 +1,5 @@
  /usr/libexec/gnome-clock-applet-mechanism	--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
  
 +/usr/libexec/gsd-datetime-mechanism		--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
 +
++/usr/libexec/kde(3|4)/kcmdatetimehelper     --  gen_context(system_u:object_r:gnomeclock_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.9.7/policy/modules/services/gnomeclock.if
 --- nsaserefpolicy/policy/modules/services/gnomeclock.if	2010-10-12 20:42:48.000000000 +0000
 +++ serefpolicy-3.9.7/policy/modules/services/gnomeclock.if	2011-02-25 17:40:39.960524378 +0000
@@ -25204,6 +25489,369 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
 -')
 \ No newline at end of file
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/matahari.fc serefpolicy-3.9.7/policy/modules/services/matahari.fc
+--- nsaserefpolicy/policy/modules/services/matahari.fc	1970-01-01 00:00:00.000000000 +0000
++++ serefpolicy-3.9.7/policy/modules/services/matahari.fc	2011-03-18 13:21:49.470630001 +0000
+@@ -0,0 +1,15 @@
++/etc/rc\.d/init\.d/matahari-host		gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/matahari-net		gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/matahari-service	gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
++
++/usr/sbin/matahari-hostd	--	gen_context(system_u:object_r:matahari_hostd_exec_t,s0)
++
++/usr/sbin/matahari-netd		--	gen_context(system_u:object_r:matahari_netd_exec_t,s0)
++
++/usr/sbin/matahari-serviced	--	gen_context(system_u:object_r:matahari_serviced_exec_t,s0)
++
++/var/lib/matahari(/.*)?			gen_context(system_u:object_r:matahari_var_lib_t,s0)
++
++/var/run/matahari(/.*)?			gen_context(system_u:object_r:matahari_var_run_t,s0)
++/var/run/matahari.pid			gen_context(system_u:object_r:matahari_var_run_t,s0)
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/matahari.if serefpolicy-3.9.7/policy/modules/services/matahari.if
+--- nsaserefpolicy/policy/modules/services/matahari.if	1970-01-01 00:00:00.000000000 +0000
++++ serefpolicy-3.9.7/policy/modules/services/matahari.if	2011-03-18 13:21:49.488630001 +0000
+@@ -0,0 +1,220 @@
++## <summary>policy for matahari</summary>
++
++########################################
++## <summary>
++##	Search matahari lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`matahari_search_lib',`
++	gen_require(`
++		type matahari_var_lib_t;
++	')
++
++	allow $1 matahari_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read matahari lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`matahari_read_lib_files',`
++	gen_require(`
++		type matahari_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++        read_files_pattern($1, matahari_var_lib_t, matahari_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete
++##	matahari lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`matahari_manage_lib_files',`
++	gen_require(`
++		type matahari_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++        manage_files_pattern($1, matahari_var_lib_t, matahari_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage matahari lib dirs files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`matahari_manage_lib_dirs',`
++	gen_require(`
++		type matahari_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++        manage_dirs_pattern($1, matahari_var_lib_t, matahari_var_lib_t)
++')
++
++
++########################################
++## <summary>
++##	Read matahari PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`matahari_read_pid_files',`
++	gen_require(`
++		type matahari_var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 matahari_var_run_t:file read_file_perms;
++')
++
++########################################
++## <summary>
++##	Read matahari PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`matahari_manage_pid_files',`
++	gen_require(`
++		type matahari_var_run_t;
++	')
++
++	files_search_pids($1)
++	manage_files_pattern($1, matahari_var_run_t, matahari_var_run_t)
++')
++
++########################################
++## <summary>
++##	Execute a domain transition to run matahari_hostd.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`matahari_hostd_domtrans',`
++	gen_require(`
++		type matahari_hostd_t, matahari_hostd_exec_t;
++	')
++
++	domtrans_pattern($1, matahari_hostd_exec_t, matahari_hostd_t)
++')
++
++########################################
++## <summary>
++##	Execute a domain transition to run matahari_netd.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`matahari_netd_domtrans',`
++	gen_require(`
++		type matahari_netd_t, matahari_netd_exec_t;
++	')
++
++	domtrans_pattern($1, matahari_netd_exec_t, matahari_netd_t)
++')
++
++########################################
++## <summary>
++##	Execute a domain transition to run matahari_serviced.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`matahari_serviced_domtrans',`
++	gen_require(`
++		type matahari_serviced_t, matahari_serviced_exec_t;
++	')
++
++	domtrans_pattern($1, matahari_serviced_exec_t, matahari_serviced_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an matahari environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`matahari_admin',`
++	gen_require(`
++		type matahari_inirc_exec_t;
++		type matahari_hostd_t;
++		type matahari_netd_t;
++		type matahari_serviced_t;
++                type matahari_var_lib_t;
++                type matahari_var_run_t;
++	')
++
++	init_labeled_script_domtrans($1, matahari_initrc_exec_t)
++	domain_system_change_exemption($1)
++	role_transition $2 matahari_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	allow $1 matahari_netd_t:process { ptrace signal_perms };
++	ps_process_pattern($1, matahari_netd_t)
++
++	allow $1 matahari_hostd_t:process { ptrace signal_perms };
++	ps_process_pattern($1, matahari_hostd_t)
++
++	allow $1 matahari_serviced_t:process { ptrace signal_perms };
++	ps_process_pattern($1, matahari_serviced_t)
++
++	files_search_var_lib($1)
++	admin_pattern($1, matahari_var_lib_t)
++
++	files_search_pids($1)
++	admin_pattern($1, matahari_var_run_t)
++
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/matahari.te serefpolicy-3.9.7/policy/modules/services/matahari.te
+--- nsaserefpolicy/policy/modules/services/matahari.te	1970-01-01 00:00:00.000000000 +0000
++++ serefpolicy-3.9.7/policy/modules/services/matahari.te	2011-03-18 13:21:49.509630001 +0000
+@@ -0,0 +1,116 @@
++policy_module(matahari,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type matahari_hostd_t;
++type matahari_hostd_exec_t;
++init_daemon_domain(matahari_hostd_t, matahari_hostd_exec_t)
++
++type matahari_netd_t;
++type matahari_netd_exec_t;
++init_daemon_domain(matahari_netd_t, matahari_netd_exec_t)
++
++type matahari_serviced_t;
++type matahari_serviced_exec_t;
++init_daemon_domain(matahari_serviced_t, matahari_serviced_exec_t)
++
++type matahari_initrc_exec_t;
++init_script_file(matahari_initrc_exec_t)
++
++permissive matahari_serviced_t;
++permissive matahari_hostd_t;
++permissive matahari_netd_t;
++
++type matahari_var_lib_t;
++files_type(matahari_var_lib_t)
++
++type matahari_var_run_t;
++files_pid_file(matahari_var_run_t)
++
++########################################
++#
++# matahari_hostd local policy
++#
++allow matahari_hostd_t self:capability sys_ptrace;
++allow matahari_hostd_t self:process { signal };
++
++allow matahari_hostd_t self:fifo_file rw_fifo_file_perms;
++allow matahari_hostd_t self:unix_stream_socket create_stream_socket_perms;
++
++kernel_read_network_state(matahari_hostd_t)
++kernel_read_system_state(matahari_hostd_t)
++
++corenet_tcp_connect_matahari_port(matahari_hostd_t)
++
++dev_read_sysfs(matahari_hostd_t)
++dev_read_urand(matahari_hostd_t)
++dev_rw_mtrr(matahari_hostd_t)
++
++domain_use_interactive_fds(matahari_hostd_t)
++domain_read_all_domains_state(matahari_hostd_t)
++
++files_read_etc_files(matahari_hostd_t)
++
++logging_send_syslog_msg(matahari_hostd_t)
++
++miscfiles_read_localization(matahari_hostd_t)
++
++sysnet_dns_name_resolve(matahari_hostd_t)
++
++optional_policy(`
++	dbus_system_bus_client(matahari_hostd_t)
++')
++
++########################################
++#
++# matahari_netd local policy
++#
++allow matahari_netd_t self:process { signal };
++
++allow matahari_netd_t self:fifo_file rw_fifo_file_perms;
++allow matahari_netd_t self:unix_stream_socket create_stream_socket_perms;
++
++kernel_read_system_state(matahari_netd_t)
++
++corenet_tcp_connect_matahari_port(matahari_netd_t)
++
++dev_read_urand(matahari_netd_t)
++
++domain_use_interactive_fds(matahari_netd_t)
++
++files_read_etc_files(matahari_netd_t)
++
++logging_send_syslog_msg(matahari_netd_t)
++
++miscfiles_read_localization(matahari_netd_t)
++
++sysnet_dns_name_resolve(matahari_netd_t)
++
++########################################
++#
++# matahari_serviced local policy
++#
++allow matahari_serviced_t self:process { signal };
++
++allow matahari_serviced_t self:fifo_file rw_fifo_file_perms;
++allow matahari_serviced_t self:unix_stream_socket create_stream_socket_perms;
++
++kernel_read_system_state(matahari_serviced_t)
++
++corenet_tcp_connect_matahari_port(matahari_serviced_t)
++
++dev_read_urand(matahari_serviced_t)
++
++domain_use_interactive_fds(matahari_serviced_t)
++
++files_read_etc_files(matahari_serviced_t)
++
++logging_send_syslog_msg(matahari_serviced_t)
++
++miscfiles_read_localization(matahari_serviced_t)
++
++sysnet_dns_name_resolve(matahari_serviced_t)
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.if serefpolicy-3.9.7/policy/modules/services/memcached.if
 --- nsaserefpolicy/policy/modules/services/memcached.if	2010-10-12 20:42:49.000000000 +0000
 +++ serefpolicy-3.9.7/policy/modules/services/memcached.if	2011-02-25 17:40:40.127520266 +0000
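Review bot: `matahari_admin` requires a type that is never declared: its gen_require block lists `matahari_inirc_exec_t` while the body uses `matahari_initrc_exec_t` (the type declared in matahari.te), so any policy that calls this interface would be expected to fail with an undeclared-type error; the fix is the spelling change `type matahari_initrc_exec_t;` in the gen_require block. The summary of `matahari_manage_pid_files` is a copy of the read interface's ("Read matahari PID files") and should say `Create, read, write, and delete matahari PID files.`; the gen_require and pattern lines that use spaces instead of tabs are also worth aligning with the rest of the file. All three matahari domains are declared `permissive`, as is `foghorn_t` in the rhcs.te hunk later in this patch, so their rules are only logged rather than enforced; a comment such as `# TODO: drop permissive once the domain has been exercised in enforcing mode` next to each declaration would record that this is a bring-up state rather than the intended end state.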
@@ -25348,7 +25996,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milt
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.te serefpolicy-3.9.7/policy/modules/services/milter.te
 --- nsaserefpolicy/policy/modules/services/milter.te	2010-10-12 20:42:48.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/milter.te	2011-02-25 17:40:40.129520217 +0000
++++ serefpolicy-3.9.7/policy/modules/services/milter.te	2011-03-15 14:58:42.887107001 +0000
 @@ -9,6 +9,13 @@
  attribute milter_domains;
  attribute milter_data_type;
@@ -25393,7 +26041,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milt
  #
  
  # It removes any existing socket (not owned by root) whilst running as root,
-@@ -52,8 +75,8 @@
+@@ -38,6 +61,12 @@
+ 
+ kernel_read_kernel_sysctls(greylist_milter_t)
+ 
++corecmd_exec_bin(greylist_milter_t)
++corecmd_exec_shell(greylist_milter_t)
++
++corenet_tcp_bind_movaz_ssc_port(greylist_milter_t)
++corenet_tcp_connect_movaz_ssc_port(greylist_milter_t)
++
+ # Allow the milter to read a GeoIP database in /usr/share
+ files_read_usr_files(greylist_milter_t)
+ # The milter runs from /var/lib/milter-greylist and maintains files there
+@@ -52,8 +81,8 @@
  ########################################
  #
  # milter-regex local policy
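Review bot: The `corecmd_exec_bin`/`corecmd_exec_shell` lines and the `movaz_ssc` bind/connect pair for `greylist_milter_t` arrive without an explanation, unlike the adjacent rules, which each carry a why-comment (GeoIP database, /var/lib/milter-greylist). Executing a shell and arbitrary binaries is a notable widening for a mail filter, and the port interface name says nothing about which milter feature it serves (presumably a peer-sync listener, but that is inferred). A comment in the file's existing style, e.g. `# milter-greylist runs helper scripts and syncs its database with peers over TCP`, would let a reviewer judge the rules. The two port interfaces depend on the corenet definition this commit adds elsewhere, so this hunk only builds together with that change.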
@@ -25404,7 +26065,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milt
  #
  
  # It removes any existing socket (not owned by root) whilst running as root
-@@ -72,8 +95,8 @@
+@@ -72,8 +101,8 @@
  ########################################
  #
  # spamass-milter local policy
@@ -25417,18 +26078,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milt
  # The milter runs from /var/lib/spamass-milter
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock.fc serefpolicy-3.9.7/policy/modules/services/mock.fc
 --- nsaserefpolicy/policy/modules/services/mock.fc	1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/mock.fc	2011-02-25 17:40:40.129520217 +0000
++++ serefpolicy-3.9.7/policy/modules/services/mock.fc	2011-03-18 15:00:30.801630000 +0000
 @@ -0,0 +1,6 @@
 +
 +/usr/sbin/mock		--	gen_context(system_u:object_r:mock_exec_t,s0)
 +
-+/var/lib/mock(/.*)?		gen_context(system_u:object_r:mock_var_lib_t,s0)
-+
++/var/lib/mock		-d	gen_context(system_u:object_r:mock_var_lib_t,s0)
++/var/lib/mock(/.*)?		<<none>>
 +/var/cache/mock(/.*)?		gen_context(system_u:object_r:mock_cache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock.if serefpolicy-3.9.7/policy/modules/services/mock.if
 --- nsaserefpolicy/policy/modules/services/mock.if	1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/mock.if	2011-02-25 17:40:40.147519774 +0000
-@@ -0,0 +1,236 @@
++++ serefpolicy-3.9.7/policy/modules/services/mock.if	2011-03-18 15:01:05.563630000 +0000
+@@ -0,0 +1,272 @@
 +## <summary>policy for mock</summary>
 +
 +########################################
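Review bot: The new `<<none>>` entry for `/var/lib/mock(/.*)?` changes relabel behaviour in a way the file does not explain: only the top-level directory now receives `mock_var_lib_t`, and everything beneath it is skipped by restorecon/setfiles and keeps whatever label it was created with. That is presumably deliberate, since the buildroots under it carry their own labels, but a reader of the .fc alone cannot tell a deliberate exclusion from an oversight. A one-line comment above the entry, e.g. `# buildroots under /var/lib/mock keep their own labels; do not relabel them`, would make the intent explicit. It would also be worth pointing at the relabel permissions mock.te gains in a later hunk of this patch, since the two only make sense together.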
@@ -25489,6 +26150,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock
 +
 +########################################
 +## <summary>
++##	Getattr on mock lib file,dir,sock_file ...
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mock_getattr_lib',`
++	gen_require(`
++		type mock_var_lib_t;
++	')
++
++	allow $1 mock_var_lib_t:dir_file_class_set getattr;
++')
++
++########################################
++## <summary>
 +##	Create, read, write, and delete
 +##	mock lib files.
 +## </summary>
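Review bot: The summary of `mock_getattr_lib` reads "Getattr on mock lib file,dir,sock_file ..." which is neither a sentence nor a complete description of what `dir_file_class_set` covers. A summary in the style of the neighbouring interfaces, e.g. `Get the attributes of mock lib content of any file class.`, would be clearer. The interface also grants no search on /var/lib, unlike the matahari lib interfaces in this same patch; if callers are expected to reach the directory on their own that is fine, otherwise `files_search_var_lib($1)` belongs here as well.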
@@ -25564,6 +26243,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock
 +	manage_chr_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
 +')
 +
++#######################################
++## <summary>
++##  Dontaudit read and write an leaked file descriptors
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`mock_dontaudit_leaks',`
++    gen_require(`
++        type mock_tmp_t;
++    ')
++
++	dontaudit $1 mock_tmp_t:file rw_inherited_file_perms;
++')
++
 +########################################
 +## <summary>
 +##	Execute mock in the mock domain, and
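Review bot: `mock_dontaudit_leaks` mixes four-space indentation for its gen_require block with a tab for the dontaudit line, and its summary has a grammatical slip ("an leaked file descriptors"). Using tabs throughout, as the visible parts of mock.if do, and a summary such as `Do not audit attempts to read or write leaked mock temporary file descriptors.` would bring it in line with the neighbouring interfaces. The dontaudit itself is scoped to `rw_inherited_file_perms` on `mock_tmp_t` only, which is the right narrow scope for a leak suppression.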
@@ -25667,10 +26364,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock.te serefpolicy-3.9.7/policy/modules/services/mock.te
 --- nsaserefpolicy/policy/modules/services/mock.te	1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/mock.te	2011-02-25 17:40:40.148519749 +0000
-@@ -0,0 +1,101 @@
++++ serefpolicy-3.9.7/policy/modules/services/mock.te	2011-03-18 14:59:55.327630000 +0000
+@@ -0,0 +1,126 @@
 +policy_module(mock,1.0.0)
 +
++## <desc>
++##  <p>
++##  Allow mock to read files in home directories.
++##  </p>
++## </desc>
++gen_tunable(mock_enable_homedirs, false)
++
 +########################################
 +#
 +# Declarations
@@ -25700,9 +26404,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock
 +#
 +
 +allow mock_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner };
++allow mock_t self:process { siginh noatsecure signull transition rlimitinh setsched setpgid sigkill };
 +# Needed because mock can run java and mono withing build environment
 +allow mock_t self:process { execmem execstack };
-+allow mock_t self:process { siginh noatsecure signull transition rlimitinh setsched setpgid sigkill };
 +dontaudit mock_t self:process { siginh noatsecure rlimitinh };
 +allow mock_t self:fifo_file manage_fifo_file_perms;
 +allow mock_t self:unix_stream_socket create_stream_socket_perms;
@@ -25710,6 +26414,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock
 +
 +manage_dirs_pattern(mock_t, mock_cache_t, mock_cache_t)
 +manage_files_pattern(mock_t, mock_cache_t, mock_cache_t)
++manage_lnk_files_pattern(mock_t, mock_cache_t, mock_cache_t)
 +files_var_filetrans(mock_t, mock_cache_t, { dir file } )
 +
 +manage_dirs_pattern(mock_t, mock_tmp_t, mock_tmp_t)
@@ -25720,16 +26425,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock
 +manage_dirs_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
 +manage_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
 +manage_lnk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
++manage_blk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
 +manage_chr_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
 +files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file })
 +can_exec(mock_t, mock_var_lib_t)
 +allow mock_t mock_var_lib_t:dir mounton;
++allow mock_t mock_var_lib_t:dir relabel_dir_perms;
++allow mock_t mock_var_lib_t:file relabel_file_perms;
++
 +
 +kernel_list_proc(mock_t)
 +kernel_read_irq_sysctls(mock_t)
 +kernel_read_system_state(mock_t)
 +kernel_read_kernel_sysctls(mock_t)
 +kernel_request_load_module(mock_t)
++kernel_dontaudit_setattr_proc_dirs(mock_t)
 +
 +corecmd_exec_bin(mock_t)
 +corecmd_exec_shell(mock_t)
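Review bot: `manage_blk_files_pattern` on `mock_var_lib_t` and the two relabel rules are added without a why-comment, and the doubled blank line after the relabel rules should be a single one. Creating device nodes is something mock can already do through its `mknod` capability, so the new pattern is presumably about populating /dev inside a buildroot, and the relabel permissions are presumably what lets it restore labels there; a comment such as `# mock creates device nodes and relabels files inside its buildroots` would record that. Both grants are bounded to mock's own lib type (relabel only from and to `mock_var_lib_t`), which keeps the widening narrow.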
@@ -25737,20 +26447,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock
 +corenet_tcp_connect_http_port(mock_t)
 +
 +dev_read_urand(mock_t)
++dev_read_sysfs(mock_t)
 +
 +domain_read_all_domains_state(mock_t)
 +domain_use_interactive_fds(mock_t)
 +
 +files_read_etc_files(mock_t)
 +files_read_usr_files(mock_t)
++files_dontaudit_list_boot(mock_t)
 +
 +fs_getattr_all_fs(mock_t)
++fs_manage_cgroup_dirs(mock_t)
 +
 +selinux_get_enforce_mode(mock_t)
 +
 +auth_use_nsswitch(mock_t)
 +
 +init_exec(mock_t)
++init_dontaudit_stream_connect(mock_t)
 +
 +libs_domtrans_ldconfig(mock_t)
 +
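Review bot: `fs_manage_cgroup_dirs(mock_t)` is the broadest of the four rules added here and the only one whose purpose is not obvious from context; a why-comment such as `# mock places buildroot processes in their own cgroup` (if that is indeed the reason) would help, since managing cgroup directories is otherwise a surprising need for a build tool. The other additions (`files_dontaudit_list_boot`, `init_dontaudit_stream_connect`, `dev_read_sysfs`) are self-explanatory and fine as written.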
@@ -25759,7 +26473,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock
 +
 +miscfiles_read_localization(mock_t)
 +
-+mount_domtrans(mock_t)
++userdom_use_user_ptys(mock_t)
++
++tunable_policy(`mock_enable_homedirs',`
++	userdom_read_user_home_content_files(mock_t)
++')
++
++optional_policy(`
++	mount_domtrans(mock_t)
++')
 +
 +optional_policy(`
 +	rpm_exec(mock_t)
@@ -28594,7 +29316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.te serefpolicy-3.9.7/policy/modules/services/pads.te
 --- nsaserefpolicy/policy/modules/services/pads.te	2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/pads.te	2011-02-25 17:40:40.264516894 +0000
++++ serefpolicy-3.9.7/policy/modules/services/pads.te	2011-03-16 13:25:28.889107001 +0000
 @@ -1,4 +1,4 @@
 -policy_module(pads, 1.0.0) 
 +policy_module(pads, 1.0.0)
@@ -28624,6 +29346,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads
  
  allow pads_t pads_config_t:file manage_file_perms;
  files_etc_filetrans(pads_t, pads_config_t, file)
+@@ -48,6 +47,7 @@
+ 
+ dev_read_rand(pads_t)
+ dev_read_urand(pads_t)
++dev_read_sysfs(pads_t)
+ 
+ files_read_etc_files(pads_t)
+ files_search_spool(pads_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/passenger.fc serefpolicy-3.9.7/policy/modules/services/passenger.fc
 --- nsaserefpolicy/policy/modules/services/passenger.fc	1970-01-01 00:00:00.000000000 +0000
 +++ serefpolicy-3.9.7/policy/modules/services/passenger.fc	2011-02-25 17:40:40.264516894 +0000
@@ -28812,7 +29542,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcsc
  interface(`pcscd_domtrans',`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.9.7/policy/modules/services/pcscd.te
 --- nsaserefpolicy/policy/modules/services/pcscd.te	2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/pcscd.te	2011-02-25 17:40:40.285516377 +0000
++++ serefpolicy-3.9.7/policy/modules/services/pcscd.te	2011-03-16 13:35:35.704107001 +0000
 @@ -7,7 +7,6 @@
  
  type pcscd_t;
@@ -28821,6 +29551,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcsc
  init_daemon_domain(pcscd_t, pcscd_exec_t)
  
  # pid files
+@@ -25,6 +24,7 @@
+ allow pcscd_t self:unix_stream_socket create_stream_socket_perms;
+ allow pcscd_t self:unix_dgram_socket create_socket_perms;
+ allow pcscd_t self:tcp_socket create_stream_socket_perms;
++allow pcscd_t self:netlink_kobject_uevent_socket create_socket_perms;
+ 
+ manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+ manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+@@ -77,3 +77,7 @@
+ optional_policy(`
+ 	rpm_use_script_fds(pcscd_t)
+ ')
++
++optional_policy(`
++       udev_read_db(pcscd_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.9.7/policy/modules/services/pegasus.te
 --- nsaserefpolicy/policy/modules/services/pegasus.te	2010-10-12 20:42:49.000000000 +0000
 +++ serefpolicy-3.9.7/policy/modules/services/pegasus.te	2011-02-25 17:40:40.300516008 +0000
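Review bot: The new `udev_read_db(pcscd_t)` line is indented with seven spaces while the `rpm_use_script_fds` block directly above it uses a tab, so it should be tab-indented like the rest of pcscd.te. The uevent socket rule and the udev database read belong together (pcscd presumably watches for reader hot-plug events), and a one-line comment above the socket rule such as `# watch for smart card reader hot-plug via udev` would tie the two additions together for the next reader.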
@@ -29171,8 +29917,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.te serefpolicy-3.9.7/policy/modules/services/piranha.te
 --- nsaserefpolicy/policy/modules/services/piranha.te	1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/piranha.te	2011-02-25 17:40:40.318515565 +0000
-@@ -0,0 +1,214 @@
++++ serefpolicy-3.9.7/policy/modules/services/piranha.te	2011-03-16 12:55:38.610107002 +0000
+@@ -0,0 +1,294 @@
 +policy_module(piranha, 1.0.0)
 +
 +########################################
@@ -29265,6 +30011,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
 +manage_files_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t)
 +fs_tmpfs_filetrans(piranha_web_t, piranha_web_tmpfs_t, { dir file })
 +
++#cjp: adds luci.ini file
++##bug: 684198
++create_files_pattern(piranha_web_t, piranha_web_conf_t, piranha_web_conf_t)
++
 +piranha_pulse_initrc_domtrans(piranha_web_t)
 +
 +kernel_read_kernel_sysctls(piranha_web_t)
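Review bot: The two comment lines above the new `create_files_pattern` use the `##` prefix (`##bug: 684198`), which in reference policy marks XML documentation for the doc generator rather than an ordinary comment; inside a .te body a plain `#` is the convention. Something like `# cjp: piranha-web creates luci.ini in its conf dir (bug 684198)` carries the same information in the expected form. Whether create alone is sufficient is not visible here; if the web domain has to write that file after creating it, the write permission would need to come from a rule outside this hunk.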
@@ -29312,6 +30062,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
 +# needed by nanny
 +corenet_tcp_connect_ftp_port(piranha_lvs_t)
 +corenet_tcp_connect_http_port(piranha_lvs_t)
++corenet_tcp_connect_smtp_port(piranha_lvs_t)
 +
 +sysnet_dns_name_resolve(piranha_lvs_t)
 +
@@ -29330,6 +30081,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
 +# piranha-pulse local policy
 +#
 +
++allow piranha_pulse_t self:capability net_admin;
++
 +allow piranha_pulse_t self:packet_socket create_socket_perms;
 +
 +# pulse starts fos and lvs daemon
@@ -29339,18 +30092,91 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
 +domtrans_pattern(piranha_pulse_t, piranha_lvs_exec_t, piranha_lvs_t)
 +allow piranha_pulse_t piranha_lvs_t:process signal;
 +
++kernel_read_kernel_sysctls(piranha_pulse_t)
++kernel_read_rpc_sysctls(piranha_pulse_t)
++kernel_read_system_state(piranha_pulse_t)
++kernel_rw_rpc_sysctls(piranha_pulse_t)
++kernel_search_debugfs(piranha_pulse_t)
++kernel_search_network_state(piranha_pulse_t)
++
++corecmd_exec_bin(piranha_pulse_t)
++corecmd_exec_shell(piranha_pulse_t)
++consoletype_exec(piranha_pulse_t)
++
 +corenet_udp_bind_apertus_ldp_port(piranha_pulse_t)
 +
++domain_read_all_domains_state(piranha_pulse_t)
++domain_getattr_all_domains(piranha_pulse_t)
++#domain_dontaudit_ptrace_all_domains(piranha_pulse_t)
++
++fs_getattr_all_fs(piranha_pulse_t)
++
++auth_use_nsswitch(piranha_pulse_t)
++
++logging_send_syslog_msg(piranha_pulse_t)
++
++miscfiles_read_localization(piranha_pulse_t)
++
 +sysnet_dns_name_resolve(piranha_pulse_t)
 +
++sysnet_dns_name_resolve(piranha_pulse_t)
++
++optional_policy(`
++    apache_domtrans(piranha_pulse_t)
++    apache_signal(piranha_pulse_t)
++')
++
++optional_policy(`
++    ftp_domtrans(piranha_pulse_t)
++    ftp_initrc_domtrans(piranha_pulse_t)
++')
++
 +optional_policy(`
-+	netutils_domtrans_ping(piranha_pulse_t)
++    hostname_exec(piranha_pulse_t)
 +')
 +
 +optional_policy(`
-+	sysnet_domtrans_ifconfig(piranha_pulse_t)
++    ldap_initrc_domtrans(piranha_pulse_t)
++    ldap_domtrans(piranha_pulse_t)
 +')
 +
++optional_policy(`
++    mysql_domtrans_mysql_safe(piranha_pulse_t)
++    mysql_stream_connect(piranha_pulse_t)
++')
++
++optional_policy(`
++    netutils_domtrans(piranha_pulse_t)
++    netutils_domtrans_ping(piranha_pulse_t)
++')
++
++optional_policy(`
++    postgresql_domtrans(piranha_pulse_t)
++    postgresql_signal(piranha_pulse_t)
++')
++
++optional_policy(`
++    samba_initrc_domtrans(piranha_pulse_t)
++    samba_domtrans_smbd(piranha_pulse_t)
++    samba_domtrans_nmbd(piranha_pulse_t)
++    samba_manage_var_files(piranha_pulse_t)
++    samba_rw_config(piranha_pulse_t)
++    samba_signal_smbd(piranha_pulse_t)
++    samba_signal_nmbd(piranha_pulse_t)
++')
++
++optional_policy(`
++    sysnet_domtrans_ifconfig(piranha_pulse_t)
++')
++
++optional_policy(`
++    udev_read_db(piranha_pulse_t)
++')
++
++#optional_policy(`
++#       unconfined_domain(piranha_pulse_t)
++#')
++
 +####################################
 +#
 +# piranha domains common policy
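Review bot: `sysnet_dns_name_resolve(piranha_pulse_t)` now appears twice in a row in the piranha-pulse section; one of them can be dropped. The commented-out `unconfined_domain(piranha_pulse_t)` block at the end of the section should be removed rather than left in place: a disabled one-line switch to unconfined is easy to flip and carries no hint of why it was considered, and the same goes for the commented `domain_dontaudit_ptrace_all_domains` line. The new optional_policy blocks are indented with four spaces while the lines they replace used tabs (`netutils_domtrans_ping`, `sysnet_domtrans_ifconfig`), so the file now mixes both styles. Given how much this section grows (domain transitions into apache, ftp, ldap, mysql, postgresql and samba plus samba file and config management), a short header comment stating that pulse starts and stops these services as cluster resources (if that is the reason) would let a reviewer judge whether each grant is needed.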
@@ -29552,8 +30378,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.te serefpolicy-3.9.7/policy/modules/services/plymouthd.te
 --- nsaserefpolicy/policy/modules/services/plymouthd.te	2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/plymouthd.te	2011-02-25 17:40:40.320515515 +0000
-@@ -60,10 +60,14 @@
++++ serefpolicy-3.9.7/policy/modules/services/plymouthd.te	2011-03-04 15:23:12.090413001 +0000
+@@ -8,6 +8,7 @@
+ type plymouth_t;
+ type plymouth_exec_t;
+ application_domain(plymouth_t, plymouth_exec_t)
++role system_r types plymouth_t;
+ 
+ type plymouthd_t;
+ type plymouthd_exec_t;
+@@ -60,10 +61,14 @@
  files_read_etc_files(plymouthd_t)
  files_read_usr_files(plymouthd_t)
  
@@ -29568,7 +30402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym
  ########################################
  #
  # Plymouth private policy
-@@ -74,6 +78,7 @@
+@@ -74,6 +79,7 @@
  allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
  
  kernel_read_system_state(plymouth_t)
@@ -29576,7 +30410,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym
  
  domain_use_interactive_fds(plymouth_t)
  
-@@ -87,7 +92,7 @@
+@@ -87,7 +93,7 @@
  
  plymouthd_stream_connect(plymouth_t)
  
@@ -33180,16 +34014,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-3.9.7/policy/modules/services/remotelogin.te
 --- nsaserefpolicy/policy/modules/services/remotelogin.te	2010-10-12 20:42:48.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/remotelogin.te	2011-02-25 17:40:40.429512833 +0000
-@@ -49,6 +49,7 @@
++++ serefpolicy-3.9.7/policy/modules/services/remotelogin.te	2011-03-18 14:14:10.428630000 +0000
+@@ -49,6 +49,8 @@
  fs_search_auto_mountpoints(remote_login_t)
  
  term_relabel_all_ptys(remote_login_t)
++term_setattr_all_ptys(remote_login_t)
 +term_use_all_ptys(remote_login_t)
  
  auth_rw_login_records(remote_login_t)
  auth_rw_faillog(remote_login_t)
-@@ -114,7 +115,6 @@
+@@ -87,6 +89,7 @@
+ # since very weak authentication is used.
+ userdom_signal_unpriv_users(remote_login_t)
+ userdom_spec_domtrans_unpriv_users(remote_login_t)
++userdom_rw_user_tmp_files(remote_login_t)
+ 
+ # Search for mail spool file.
+ mta_getattr_spool(remote_login_t)
+@@ -114,7 +117,6 @@
  ')
  
  optional_policy(`
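Review bot: `userdom_rw_user_tmp_files(remote_login_t)` lands directly under the comment that justifies the neighbouring rules by the weakness of rlogin-style authentication, which does not explain why the login daemon itself needs read and write access to users' temporary files. A why-comment naming the actual trigger (the specific file written under the user's tmp directory, if that is it) would keep the rationale next to the rule; as it stands a reader can only guess. `term_setattr_all_ptys` next to the existing relabel and use grants is consistent with what a login program does to its pty and needs no further note.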
@@ -33396,12 +34239,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.9.7/policy/modules/services/rhcs.fc
 --- nsaserefpolicy/policy/modules/services/rhcs.fc	2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/rhcs.fc	2011-02-25 17:40:40.447512390 +0000
-@@ -1,14 +1,17 @@
++++ serefpolicy-3.9.7/policy/modules/services/rhcs.fc	2011-03-18 14:42:06.491630000 +0000
+@@ -1,14 +1,18 @@
  /usr/sbin/dlm_controld			--	gen_context(system_u:object_r:dlm_controld_exec_t,s0)
  /usr/sbin/fenced			--	gen_context(system_u:object_r:fenced_exec_t,s0)
  /usr/sbin/fence_node			--	gen_context(system_u:object_r:fenced_exec_t,s0)
 +/usr/sbin/fence_tool                    --      gen_context(system_u:object_r:fenced_exec_t,s0) 
++/usr/sbin/foghorn               --      gen_context(system_u:object_r:foghorn_exec_t,s0)
  /usr/sbin/gfs_controld			--	gen_context(system_u:object_r:gfs_controld_exec_t,s0)
  /usr/sbin/groupd			--	gen_context(system_u:object_r:groupd_exec_t,s0)
  /usr/sbin/qdiskd			--	gen_context(system_u:object_r:qdiskd_exec_t,s0)
@@ -33584,7 +34428,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.9.7/policy/modules/services/rhcs.te
 --- nsaserefpolicy/policy/modules/services/rhcs.te	2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/rhcs.te	2011-02-25 17:40:40.448512365 +0000
++++ serefpolicy-3.9.7/policy/modules/services/rhcs.te	2011-03-18 14:41:41.637630000 +0000
 @@ -6,13 +6,15 @@
  #
  
@@ -33604,7 +34448,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
  
  rhcs_domain_template(dlm_controld)
  
-@@ -33,6 +35,10 @@
+@@ -24,6 +26,9 @@
+ type fenced_tmp_t;
+ files_tmp_file(fenced_tmp_t)
+ 
++rhcs_domain_template(foghorn)
++permissive foghorn_t;
++
+ rhcs_domain_template(gfs_controld)
+ 
+ rhcs_domain_template(groupd)
+@@ -33,6 +38,10 @@
  type qdiskd_var_lib_t;
  files_type(qdiskd_var_lib_t)
  
@@ -33615,7 +34469,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
  #####################################
  #
  # dlm_controld local policy
-@@ -55,20 +61,17 @@
+@@ -55,20 +64,17 @@
  
  init_rw_script_tmp_files(dlm_controld_t)
  
@@ -33638,7 +34492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
  
  can_exec(fenced_t, fenced_exec_t)
  
-@@ -82,7 +85,10 @@
+@@ -82,7 +88,10 @@
  
  stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
  
@@ -33649,7 +34503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
  
  corenet_tcp_connect_http_port(fenced_t)
  
-@@ -104,9 +110,13 @@
+@@ -104,9 +113,13 @@
  	corenet_tcp_connect_all_ports(fenced_t)
  ')
  
@@ -33664,7 +34518,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
  ')
  
  optional_policy(`
-@@ -120,7 +130,6 @@
+@@ -116,11 +129,23 @@
+ 
+ ######################################
+ #
++# foghorn local policy
++#
++
++allow foghorn_t self:process { signal };
++
++files_read_etc_files(foghorn_t)
++
++optional_policy(`
++        dbus_connect_system_bus(foghorn_t)
++')
++
++######################################
++#
+ # gfs_controld local policy
  #
  
  allow gfs_controld_t self:capability { net_admin sys_resource };
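Review bot: The `dbus_connect_system_bus(foghorn_t)` line is indented with eight spaces inside its optional_policy block while the rest of rhcs.te uses tabs (compare the `lvm_exec` block earlier in the file). The interface chosen appears to grant only the connection to the system bus; if foghorn also exchanges messages over it, as a bus client normally does, the matahari hunk in this same patch uses `dbus_system_bus_client` for that, and whichever is right, the two new daemons should probably agree. Because `foghorn_t` is declared permissive in the earlier rhcs.te hunk, a denial here would be logged rather than enforced and is easy to miss during testing.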
@@ -33672,7 +34543,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
  allow gfs_controld_t self:shm create_shm_perms;
  allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
  
-@@ -139,10 +148,6 @@
+@@ -139,10 +164,6 @@
  init_rw_script_tmp_files(gfs_controld_t)
  
  optional_policy(`
@@ -33683,7 +34554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
  	lvm_exec(gfs_controld_t)
  	dev_rw_lvm_control(gfs_controld_t)
  ')
-@@ -154,9 +159,10 @@
+@@ -154,9 +175,10 @@
  
  allow groupd_t self:capability { sys_nice sys_resource };
  allow groupd_t self:process setsched;
@@ -33695,7 +34566,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
  dev_list_sysfs(groupd_t)
  
  files_read_etc_files(groupd_t)
-@@ -168,8 +174,7 @@
+@@ -168,8 +190,7 @@
  # qdiskd local policy
  #
  
@@ -33705,7 +34576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
  allow qdiskd_t self:tcp_socket create_stream_socket_perms;
  allow qdiskd_t self:udp_socket create_socket_perms;
  
-@@ -199,6 +204,8 @@
+@@ -199,6 +220,8 @@
  files_dontaudit_getattr_all_pipes(qdiskd_t)
  files_read_etc_files(qdiskd_t)
  
@@ -33714,7 +34585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
  storage_raw_read_removable_device(qdiskd_t)
  storage_raw_write_removable_device(qdiskd_t)
  storage_raw_read_fixed_disk(qdiskd_t)
-@@ -207,10 +214,6 @@
+@@ -207,10 +230,6 @@
  auth_use_nsswitch(qdiskd_t)
  
  optional_policy(`
@@ -33725,7 +34596,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
  	netutils_domtrans_ping(qdiskd_t)
  ')
  
-@@ -223,18 +226,28 @@
+@@ -223,18 +242,28 @@
  # rhcs domains common policy
  #
  
@@ -36572,7 +37443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.9.7/policy/modules/services/ssh.if
 --- nsaserefpolicy/policy/modules/services/ssh.if	2010-10-12 20:42:48.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/ssh.if	2011-02-25 17:40:40.571509337 +0000
++++ serefpolicy-3.9.7/policy/modules/services/ssh.if	2011-03-18 14:48:21.552630000 +0000
 @@ -32,10 +32,10 @@
  ## </param>
  #
@@ -36690,7 +37561,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  	files_read_etc_files($1_t)
  	files_read_etc_runtime_files($1_t)
-@@ -243,9 +246,8 @@
+@@ -243,13 +246,17 @@
  
  	miscfiles_read_localization($1_t)
  
@@ -36701,7 +37572,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  	# Allow checking users mail at login
  	mta_getattr_spool($1_t)
-@@ -268,6 +270,14 @@
+ 
++	tunable_policy(`use_fusefs_home_dirs',`
++        fs_manage_fusefs_dirs($1_t)
++        fs_manage_fusefs_files($1_t)
++    ')
++
+ 	tunable_policy(`use_nfs_home_dirs',`
+ 		fs_read_nfs_files($1_t)
+ 		fs_read_nfs_symlinks($1_t)
+@@ -268,6 +275,14 @@
  		files_read_var_lib_symlinks($1_t)
  		nx_spec_domtrans_server($1_t)
  	')
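Review bot: `fs_manage_fusefs_dirs($1_t)` and `fs_manage_fusefs_files($1_t)` give the ssh client domain full create/write/delete rights on FUSE-mounted home content, while the `use_nfs_home_dirs` block directly below grants only `fs_read_nfs_files`/`fs_read_nfs_symlinks`; the asymmetry suggests either the NFS case is too narrow or the FUSE case is broader than the client needs, and the intended scope (reading keys, updating known_hosts) should decide which. The same manage pair is added for ssh_t in the ssh.te hunk ending at L2816, where the same question applies. The new lines are indented with spaces inside a tab-indented template, which should be normalised to tabs. The enclosing template starts outside this hunk.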
@@ -36716,7 +37596,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  ')
  
  ########################################
-@@ -290,11 +300,11 @@
+@@ -290,11 +305,11 @@
  ##	User domain for the role
  ##	</summary>
  ## </param>
@@ -36729,7 +37609,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  		type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
  		type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;
  		type ssh_agent_tmp_t;
-@@ -327,7 +337,7 @@
+@@ -327,7 +342,7 @@
  
  	# allow ps to show ssh
  	ps_process_pattern($3, ssh_t)
@@ -36738,7 +37618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  	# for rsync
  	allow ssh_t $3:unix_stream_socket rw_socket_perms;
-@@ -338,6 +348,7 @@
+@@ -338,6 +353,7 @@
  	manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t)
  	manage_sock_files_pattern($3, ssh_home_t, ssh_home_t)
  	userdom_search_user_home_dirs($1_t)
@@ -36746,7 +37626,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  	##############################
  	#
-@@ -359,7 +370,7 @@
+@@ -359,7 +375,7 @@
  	stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
  
  	# Allow the user shell to signal the ssh program.
@@ -36755,7 +37635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  	# allow ps to show ssh
  	ps_process_pattern($3, $1_ssh_agent_t)
-@@ -381,7 +392,6 @@
+@@ -381,7 +397,6 @@
  
  	files_read_etc_files($1_ssh_agent_t)
  	files_read_etc_runtime_files($1_ssh_agent_t)
@@ -36763,7 +37643,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  	libs_read_lib_files($1_ssh_agent_t)
  
-@@ -398,9 +408,6 @@
+@@ -398,9 +413,6 @@
  	# for the transition back to normal privs upon exec
  	userdom_search_user_home_content($1_ssh_agent_t)
  	userdom_user_home_domtrans($1_ssh_agent_t, $3)
@@ -36773,7 +37653,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  	tunable_policy(`use_nfs_home_dirs',`
  		fs_manage_nfs_files($1_ssh_agent_t)
-@@ -477,8 +484,9 @@
+@@ -477,8 +489,9 @@
  		type sshd_t;
  	')
  
@@ -36784,7 +37664,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  ########################################
  ## <summary>
  ##	Read and write a ssh server unnamed pipe.
-@@ -494,7 +502,7 @@
+@@ -494,7 +507,7 @@
  		type sshd_t;
  	')
  
@@ -36793,7 +37673,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  ')
  
  ########################################
-@@ -586,6 +594,24 @@
+@@ -586,6 +599,24 @@
  
  ########################################
  ## <summary>
@@ -36818,7 +37698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  ##	Execute the ssh client in the caller domain.
  ## </summary>
  ## <param name="domain">
-@@ -618,7 +644,7 @@
+@@ -618,7 +649,7 @@
  		type sshd_key_t;
  	')
  
@@ -36827,7 +37707,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  	files_search_pids($1)
  ')
  
-@@ -695,7 +721,7 @@
+@@ -680,6 +711,32 @@
+ 	domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
+ ')
+ 
++######################################
++## <summary>
++##  Execute ssh-keygen in the iptables domain, and
++##  allow the specified role the ssh-keygen domain.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed to transition.
++##  </summary>
++## </param>
++## <param name="role">
++##  <summary>
++##  Role allowed access.
++##  </summary>
++## </param>
++## <rolecap/>
++#
++interface(`ssh_run_keygen',`
++    gen_require(`
++        type ssh_keygen_t;
++    ')
++
++    role $2 types ssh_keygen_t;
++    ssh_domtrans_keygen($1)
++')
++
+ ########################################
+ ## <summary>
+ ##	Read ssh server keys
+@@ -695,7 +752,7 @@
  		type sshd_key_t;
  	')
  
@@ -36836,7 +37749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  ')
  
  ######################################
-@@ -735,3 +761,21 @@
+@@ -735,3 +792,21 @@
  	files_search_tmp($1)
  	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
  ')
@@ -36860,7 +37773,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.9.7/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/ssh.te	2011-02-25 17:40:40.572509313 +0000
++++ serefpolicy-3.9.7/policy/modules/services/ssh.te	2011-03-18 14:47:55.862630000 +0000
 @@ -6,26 +6,32 @@
  #
  
@@ -36989,7 +37902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  dev_read_urand(ssh_t)
  
-@@ -169,14 +175,13 @@
+@@ -169,14 +175,18 @@
  userdom_search_user_home_dirs(ssh_t)
  # Write to the user domain tty.
  userdom_use_user_terminals(ssh_t)
@@ -37005,67 +37918,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
 -	allow ssh_keysign_t ssh_t:process sigchld;
 -	allow ssh_keysign_t ssh_t:fifo_file rw_file_perms;
 +	domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
++')
++
++tunable_policy(`use_fusefs_home_dirs',`
++    fs_manage_fusefs_dirs(ssh_t)
++    fs_manage_fusefs_files(ssh_t)
  ')
  
  tunable_policy(`use_nfs_home_dirs',`
-@@ -200,6 +205,56 @@
- 	xserver_domtrans_xauth(ssh_t)
- ')
- 
-+########################################
-+#
-+# ssh_keygen local policy
-+#
-+
-+# ssh_keygen_t is the type of the ssh-keygen program when run at install time
-+# and by sysadm_t
-+
-+dontaudit ssh_keygen_t self:capability sys_tty_config;
-+allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
-+allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
-+
-+allow ssh_keygen_t sshd_key_t:file manage_file_perms;
-+files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
-+
-+manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
-+manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
-+
-+kernel_read_kernel_sysctls(ssh_keygen_t)
-+
-+fs_search_auto_mountpoints(ssh_keygen_t)
-+
-+dev_read_sysfs(ssh_keygen_t)
-+dev_read_urand(ssh_keygen_t)
-+
-+term_dontaudit_use_console(ssh_keygen_t)
-+
-+domain_use_interactive_fds(ssh_keygen_t)
-+
-+files_read_etc_files(ssh_keygen_t)
-+
-+init_use_fds(ssh_keygen_t)
-+init_use_script_ptys(ssh_keygen_t)
-+
-+logging_send_syslog_msg(ssh_keygen_t)
-+
-+userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
-+
-+optional_policy(`
-+	nscd_socket_use(ssh_keygen_t)
-+')
-+
-+optional_policy(`
-+	seutil_sigchld_newrole(ssh_keygen_t)
-+')
-+
-+optional_policy(`
-+	udev_read_db(ssh_keygen_t)
-+')
-+
- ##############################
- #
- # ssh_keysign_t local policy
-@@ -209,7 +264,7 @@
+@@ -209,7 +219,7 @@
  	allow ssh_keysign_t self:capability { setgid setuid };
  	allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
  
@@ -37074,7 +37935,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  	dev_read_urand(ssh_keysign_t)
  
-@@ -232,33 +287,44 @@
+@@ -232,33 +242,44 @@
  # so a tunnel can point to another ssh tunnel
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
@@ -37128,7 +37989,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  ')
  
  optional_policy(`
-@@ -266,11 +332,24 @@
+@@ -266,11 +287,24 @@
  ')
  
  optional_policy(`
@@ -37154,7 +38015,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  ')
  
  optional_policy(`
-@@ -284,6 +363,11 @@
+@@ -284,6 +318,11 @@
  ')
  
  optional_policy(`
@@ -37166,7 +38027,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -292,26 +376,26 @@
+@@ -292,26 +331,26 @@
  ')
  
  ifdef(`TODO',`
@@ -37212,25 +38073,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  ') dnl endif TODO
  
  ########################################
-@@ -324,7 +408,6 @@
+@@ -322,14 +361,18 @@
+ # ssh_keygen_t is the type of the ssh-keygen program when run at install time
+ # and by sysadm_t
  
++allow ssh_keygen_t self:capability dac_override;
  dontaudit ssh_keygen_t self:capability sys_tty_config;
  allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
 -
  allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
  
  allow ssh_keygen_t sshd_key_t:file manage_file_perms;
-@@ -353,10 +436,6 @@
+ files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
+ 
++manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
++manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
++userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
++
+ kernel_read_kernel_sysctls(ssh_keygen_t)
+ 
+ fs_search_auto_mountpoints(ssh_keygen_t)
+@@ -353,7 +396,7 @@
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
  
  optional_policy(`
 -	nscd_socket_use(ssh_keygen_t)
--')
--
--optional_policy(`
- 	seutil_sigchld_newrole(ssh_keygen_t)
++    nscd_socket_use(ssh_keygen_t)
  ')
  
+ optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.9.7/policy/modules/services/sssd.if
 --- nsaserefpolicy/policy/modules/services/sssd.if	2010-10-12 20:42:48.000000000 +0000
 +++ serefpolicy-3.9.7/policy/modules/services/sssd.if	2011-02-25 17:40:40.572509313 +0000
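Review bot: `allow ssh_keygen_t self:capability dac_override;` is added without any comment explaining which operation needed it; dac_override bypasses discretionary permission checks on every file the domain can otherwise reach, not just the admin-home key directory that the new `userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)` rule handles. A why-comment naming the denied operation, and a check whether the narrower `dac_read_search` is sufficient, would keep this reviewable, e.g. `# dac_override: ssh-keygen creates keys under root-owned ~/.ssh — TODO confirm the exact denial`. The replacement of the `nscd_socket_use(ssh_keygen_t)` line changes only its indentation from a tab to four spaces, which is pure churn and diverges from the tab style of the surrounding `seutil_sigchld_newrole` block.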
@@ -38294,12 +39165,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varn
  manage_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vdagent.fc serefpolicy-3.9.7/policy/modules/services/vdagent.fc
 --- nsaserefpolicy/policy/modules/services/vdagent.fc	1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/vdagent.fc	2011-02-25 17:40:40.682506606 +0000
-@@ -0,0 +1,4 @@
++++ serefpolicy-3.9.7/policy/modules/services/vdagent.fc	2011-03-09 15:09:07.785980002 +0000
+@@ -0,0 +1,10 @@
 +
 +/sbin/vdagent		--	gen_context(system_u:object_r:vdagent_exec_t,s0)
 +
++/usr/sbin/spice-vdagentd        --  gen_context(system_u:object_r:vdagent_exec_t,s0)
++
 +/var/run/spice-vdagentd(/.*)?	gen_context(system_u:object_r:vdagent_var_run_t,s0)
++/var/run/spice-vdagentd.\pid    --  gen_context(system_u:object_r:vdagent_var_run_t,s0)
++
++/var/log/spice-vdagentd(/.*)?           gen_context(system_u:object_r:vdagent_log_t,s0)
++/var/log/spice-vdagentd\.log    --  gen_context(system_u:object_r:vdagent_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vdagent.if serefpolicy-3.9.7/policy/modules/services/vdagent.if
 --- nsaserefpolicy/policy/modules/services/vdagent.if	1970-01-01 00:00:00.000000000 +0000
 +++ serefpolicy-3.9.7/policy/modules/services/vdagent.if	2011-02-25 17:40:40.696506261 +0000
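Review bot: The new file-context line `/var/run/spice-vdagentd.\pid` has the escape on the wrong character: `\p` is not a meaningful sequence (either an error or a literal `p`, depending on the regex engine), and the unescaped `.` matches any character, so the pattern does not reliably label the pid file the way the parallel `/var/log/spice-vdagentd\.log` entry does. It should be `/var/run/spice-vdagentd\.pid    --  gen_context(system_u:object_r:vdagent_var_run_t,s0)`. With the current pattern the pid file would presumably fall back to the generic /var/run label, and the `vdagent_var_run_t` rules in vdagent.te would not apply to it.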
@@ -38345,8 +39222,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vdag
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vdagent.te serefpolicy-3.9.7/policy/modules/services/vdagent.te
 --- nsaserefpolicy/policy/modules/services/vdagent.te	1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/vdagent.te	2011-02-25 17:40:40.697506236 +0000
-@@ -0,0 +1,38 @@
++++ serefpolicy-3.9.7/policy/modules/services/vdagent.te	2011-03-09 15:08:09.881980002 +0000
+@@ -0,0 +1,57 @@
 +policy_module(vdagent,1.0.0)
 +
 +########################################
@@ -38361,6 +39238,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vdag
 +type vdagent_var_run_t;
 +files_pid_file(vdagent_var_run_t)
 +
++type vdagent_log_t;
++logging_log_file(vdagent_log_t)
++
 +permissive vdagent_t;
 +
 +########################################
@@ -38378,13 +39258,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vdag
 +manage_lnk_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
 +files_pid_filetrans(vdagent_t, vdagent_var_run_t, { file dir sock_file })
 +
++manage_dirs_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
++manage_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
++logging_log_filetrans(vdagent_t, vdagent_log_t, { file })
++
 +domain_use_interactive_fds(vdagent_t)
 +
++dev_rw_input_dev(vdagent_t)
++
++term_use_virtio_console(vdagent_t)
++
 +files_read_etc_files(vdagent_t)
 +
 +miscfiles_read_localization(vdagent_t)
 +
 +userdom_use_user_ptys(vdagent_t)
++
++optional_policy(`
++    consolekit_dbus_chat(vdagent_t)
++')
++
++optional_policy(`
++    dbus_system_bus_client(vdagent_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.9.7/policy/modules/services/vhostmd.if
 --- nsaserefpolicy/policy/modules/services/vhostmd.if	2010-10-12 20:42:49.000000000 +0000
 +++ serefpolicy-3.9.7/policy/modules/services/vhostmd.if	2011-02-25 17:40:40.705506039 +0000
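Review bot: `dev_rw_input_dev(vdagent_t)` is a broad grant (read/write on the input device nodes) that arrives with no comment on why the agent needs it; a line such as `# presumably for injecting events via the uinput device — confirm` would tell the next reader what to verify before widening or narrowing it. Note that `permissive vdagent_t;` from the earlier hunk is still in place, so none of the new log, input-device or console rules are actually enforced yet and denials will only be logged. The `optional_policy` bodies added here use four-space indentation where the module otherwise uses tabs.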
@@ -40678,7 +41574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.9.7/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/xserver.te	2011-02-25 17:40:40.727505497 +0000
++++ serefpolicy-3.9.7/policy/modules/services/xserver.te	2011-03-18 15:11:06.321630000 +0000
 @@ -26,27 +26,50 @@
  #
  
@@ -41317,7 +42213,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  optional_policy(`
-@@ -516,12 +742,53 @@
+@@ -516,12 +742,59 @@
  ')
  
  optional_policy(`
@@ -41328,10 +42224,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +	# Use dbus to start other processes as xdm_t
 +	dbus_role_template(xdm, system_r, xdm_t)
 +
++	# fixes for xfce4-notifyd
++    allow xdm_dbusd_t self:unix_stream_socket connectto;
++    allow xdm_dbusd_t xserver_t:unix_stream_socket connectto;
++
 +	dontaudit xdm_dbusd_t xdm_var_lib_t:dir search_dir_perms;
 +	xserver_xdm_append_log(xdm_dbusd_t)
 +	xserver_read_xdm_pid(xdm_dbusd_t)
 +
++	miscfiles_read_fonts(xdm_dbusd_t)
++
 +	corecmd_bin_entry_type(xdm_t)
 +
 +	dbus_system_bus_client(xdm_t)
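Review bot: The two `allow xdm_dbusd_t ... connectto;` lines added under the "fixes for xfce4-notifyd" comment are indented with four spaces inside a block whose surrounding lines (`dbus_role_template`, `dontaudit xdm_dbusd_t ...`) use tabs, so the hunk introduces mixed indentation into xserver.te. The comment could also say what the notifier was denied, e.g. `# xfce4-notifyd (running as xdm_dbusd_t) connects to the X server socket`, so the second rule's reach beyond `self` is explained.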
@@ -41371,7 +42273,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	hostname_exec(xdm_t)
  ')
  
-@@ -539,28 +806,63 @@
+@@ -539,28 +812,63 @@
  ')
  
  optional_policy(`
@@ -41444,10 +42346,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  optional_policy(`
-@@ -572,6 +874,10 @@
+@@ -572,6 +880,14 @@
  ')
  
  optional_policy(`
++	vdagent_stream_connect(xdm_t)
++')
++
++optional_policy(`
 +	wm_exec(xdm_t)
 +')
 +
@@ -41455,7 +42361,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -596,7 +902,7 @@
+@@ -596,7 +912,7 @@
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -41464,7 +42370,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
-@@ -610,6 +916,14 @@
+@@ -610,6 +926,14 @@
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -41479,7 +42385,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -629,12 +943,19 @@
+@@ -629,12 +953,19 @@
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -41501,7 +42407,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -642,6 +963,7 @@
+@@ -642,6 +973,7 @@
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -41509,7 +42415,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  # Run helper programs in xserver_t.
  corecmd_exec_bin(xserver_t)
-@@ -668,7 +990,6 @@
+@@ -668,7 +1000,6 @@
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -41517,7 +42423,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  dev_create_generic_dirs(xserver_t)
  dev_setattr_generic_dirs(xserver_t)
  # raw memory access is needed if not using the frame buffer
-@@ -678,11 +999,17 @@
+@@ -678,11 +1009,17 @@
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -41535,7 +42441,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -693,8 +1020,13 @@
+@@ -693,8 +1030,13 @@
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -41549,7 +42455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -716,11 +1048,14 @@
+@@ -716,11 +1058,14 @@
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -41564,7 +42470,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -773,12 +1108,28 @@
+@@ -773,12 +1118,28 @@
  ')
  
  optional_policy(`
@@ -41594,7 +42500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -787,6 +1138,10 @@
+@@ -787,6 +1148,10 @@
  ')
  
  optional_policy(`
@@ -41605,7 +42511,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -802,10 +1157,10 @@
+@@ -802,10 +1167,10 @@
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -41619,7 +42525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -813,7 +1168,7 @@
+@@ -813,7 +1178,7 @@
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -41628,7 +42534,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -826,6 +1181,9 @@
+@@ -826,6 +1191,9 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -41638,7 +42544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
-@@ -833,6 +1191,11 @@
+@@ -833,6 +1201,11 @@
  	fs_manage_nfs_symlinks(xserver_t)
  ')
  
@@ -41650,7 +42556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  tunable_policy(`use_samba_home_dirs',`
  	fs_manage_cifs_dirs(xserver_t)
  	fs_manage_cifs_files(xserver_t)
-@@ -841,11 +1204,14 @@
+@@ -841,11 +1214,14 @@
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -41667,7 +42573,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  optional_policy(`
-@@ -853,6 +1219,10 @@
+@@ -853,6 +1229,10 @@
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -41678,7 +42584,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ########################################
  #
  # Rules common to all X window domains
-@@ -896,7 +1266,7 @@
+@@ -896,7 +1276,7 @@
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -41687,7 +42593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -950,11 +1320,31 @@
+@@ -950,11 +1330,31 @@
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -41719,7 +42625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -976,18 +1366,32 @@
+@@ -976,18 +1376,32 @@
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -42981,7 +43887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
  # /var
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.9.7/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/system/init.if	2011-02-25 17:40:40.824503110 +0000
++++ serefpolicy-3.9.7/policy/modules/system/init.if	2011-03-18 15:25:35.837630000 +0000
 @@ -105,7 +105,11 @@
  
  	role system_r types $1;
@@ -43289,7 +44195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
  ')
  
  ########################################
-@@ -1748,3 +1879,74 @@
+@@ -1748,3 +1879,92 @@
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -43364,6 +44270,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 +
 +	allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
 +')
++
++######################################
++## <summary>
++##  Dontaudit Connect to init with a unix socket.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`init_dontaudit_stream_connect',`
++    gen_require(`
++        type init_t;
++    ')
++
++    dontaudit $1 init_t:unix_stream_socket connectto;
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.9.7/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2010-10-12 20:42:50.000000000 +0000
 +++ serefpolicy-3.9.7/policy/modules/system/init.te	2011-02-25 17:40:40.826503061 +0000
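Review bot: The summary of the new `init_dontaudit_stream_connect` interface, "Dontaudit Connect to init with a unix socket.", mixes the rule keyword into the prose; the convention used by other dontaudit interfaces is `##	Do not audit attempts to connect to init with a unix socket.`. The interface body and its `gen_require` block are indented with spaces while the adjacent `init_stream_connect` interface in the same hunk uses tabs.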
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a233d9b..1e67446 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.7
-Release: 33%{?dist}
+Release: 34%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -472,6 +472,20 @@ exit 0
 %endif
 
 %changelog
+* Fri Mar 18 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.7-34
+- Add matahari policy
+- Allow shutdown setsched and sys_nice
+- Add port definition for dogtag, matahari, movaz ports
+- Add label for /etc/securetty
+- Fixes for pirahna-pulse policy
+- Fixes for mock policy
+- Add support for KDE ksysguardprocesslist_helper
+- Add support for a new cluster service - foghorn
+- Add support for xfce4-notifyd
+- Add support for kcmdatetimehelper
+- Fixes for spice-vdagent policy
+- Fixes for ssh-keygen policy
+
 * Fri Mar 4 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.7-33
 - Backport sandbox and seunshare policy from F15
 - Allow svirt to manage sock_file in ~/.libvirt directory

