[selinux-policy] MCS fixes quota fixes
Daniel J Walsh
dwalsh at fedoraproject.org
Fri Nov 4 20:40:42 UTC 2011
commit 653590a3f20d6ab6c4244840c5a18c1f4ef85ff3
Author: Dan Walsh <dwalsh at redhat.com>
Date: Fri Nov 4 16:40:38 2011 -0400
MCS fixes
quota fixes
ptrace.patch | 853 +++++++++++++++----------------
selinux-policy.spec | 2 -
userdomain.patch | 1407 ---------------------------------------------------
3 files changed, 413 insertions(+), 1849 deletions(-)
---
diff --git a/ptrace.patch b/ptrace.patch
index 9896ac2..01d3d72 100644
--- a/ptrace.patch
+++ b/ptrace.patch
@@ -1,6 +1,6 @@
diff -up serefpolicy-3.10.0/policy/global_tunables.ptrace serefpolicy-3.10.0/policy/global_tunables
---- serefpolicy-3.10.0/policy/global_tunables.ptrace 2011-11-04 16:06:58.329887718 -0400
-+++ serefpolicy-3.10.0/policy/global_tunables 2011-11-04 16:06:59.048889557 -0400
+--- serefpolicy-3.10.0/policy/global_tunables.ptrace 2011-11-04 16:32:07.055065168 -0400
++++ serefpolicy-3.10.0/policy/global_tunables 2011-11-04 16:32:07.756066508 -0400
@@ -6,6 +6,13 @@
## <desc>
@@ -16,8 +16,8 @@ diff -up serefpolicy-3.10.0/policy/global_tunables.ptrace serefpolicy-3.10.0/pol
## </p>
## </desc>
diff -up serefpolicy-3.10.0/policy/modules/admin/kdump.if.ptrace serefpolicy-3.10.0/policy/modules/admin/kdump.if
---- serefpolicy-3.10.0/policy/modules/admin/kdump.if.ptrace 2011-11-04 16:06:58.348887767 -0400
-+++ serefpolicy-3.10.0/policy/modules/admin/kdump.if 2011-11-04 16:06:59.049889560 -0400
+--- serefpolicy-3.10.0/policy/modules/admin/kdump.if.ptrace 2011-11-04 16:32:07.074065202 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/kdump.if 2011-11-04 16:32:07.756066508 -0400
@@ -140,8 +140,11 @@ interface(`kdump_admin',`
type kdump_initrc_exec_t;
')
@@ -33,7 +33,7 @@ diff -up serefpolicy-3.10.0/policy/modules/admin/kdump.if.ptrace serefpolicy-3.1
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/admin/kismet.if.ptrace serefpolicy-3.10.0/policy/modules/admin/kismet.if
--- serefpolicy-3.10.0/policy/modules/admin/kismet.if.ptrace 2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/admin/kismet.if 2011-11-04 16:06:59.050889562 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/kismet.if 2011-11-04 16:32:07.757066511 -0400
@@ -239,7 +239,10 @@ interface(`kismet_admin',`
')
@@ -47,8 +47,8 @@ diff -up serefpolicy-3.10.0/policy/modules/admin/kismet.if.ptrace serefpolicy-3.
kismet_manage_pid_files($1)
kismet_manage_lib($1)
diff -up serefpolicy-3.10.0/policy/modules/admin/kudzu.te.ptrace serefpolicy-3.10.0/policy/modules/admin/kudzu.te
---- serefpolicy-3.10.0/policy/modules/admin/kudzu.te.ptrace 2011-11-04 16:06:58.350887773 -0400
-+++ serefpolicy-3.10.0/policy/modules/admin/kudzu.te 2011-11-04 16:06:59.051889564 -0400
+--- serefpolicy-3.10.0/policy/modules/admin/kudzu.te.ptrace 2011-11-04 16:32:07.077065210 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/kudzu.te 2011-11-04 16:32:07.758066513 -0400
@@ -20,7 +20,7 @@ files_pid_file(kudzu_var_run_t)
# Local policy
#
@@ -59,8 +59,8 @@ diff -up serefpolicy-3.10.0/policy/modules/admin/kudzu.te.ptrace serefpolicy-3.1
allow kudzu_t self:process { signal_perms execmem };
allow kudzu_t self:fifo_file rw_fifo_file_perms;
diff -up serefpolicy-3.10.0/policy/modules/admin/logrotate.te.ptrace serefpolicy-3.10.0/policy/modules/admin/logrotate.te
---- serefpolicy-3.10.0/policy/modules/admin/logrotate.te.ptrace 2011-11-04 16:06:58.352887779 -0400
-+++ serefpolicy-3.10.0/policy/modules/admin/logrotate.te 2011-11-04 16:06:59.053889568 -0400
+--- serefpolicy-3.10.0/policy/modules/admin/logrotate.te.ptrace 2011-11-04 16:32:07.077065210 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/logrotate.te 2011-11-04 16:32:07.759066514 -0400
@@ -30,8 +30,6 @@ files_type(logrotate_var_lib_t)
# Change ownership on log files.
@@ -71,8 +71,8 @@ diff -up serefpolicy-3.10.0/policy/modules/admin/logrotate.te.ptrace serefpolicy
allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
diff -up serefpolicy-3.10.0/policy/modules/admin/ncftool.te.ptrace serefpolicy-3.10.0/policy/modules/admin/ncftool.te
---- serefpolicy-3.10.0/policy/modules/admin/ncftool.te.ptrace 2011-11-04 16:06:58.357887790 -0400
-+++ serefpolicy-3.10.0/policy/modules/admin/ncftool.te 2011-11-04 16:06:59.054889571 -0400
+--- serefpolicy-3.10.0/policy/modules/admin/ncftool.te.ptrace 2011-11-04 16:32:07.082065219 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/ncftool.te 2011-11-04 16:32:07.759066514 -0400
@@ -17,8 +17,7 @@ role system_r types ncftool_t;
# ncftool local policy
#
@@ -84,8 +84,8 @@ diff -up serefpolicy-3.10.0/policy/modules/admin/ncftool.te.ptrace serefpolicy-3
allow ncftool_t self:fifo_file manage_fifo_file_perms;
diff -up serefpolicy-3.10.0/policy/modules/admin/rpm.te.ptrace serefpolicy-3.10.0/policy/modules/admin/rpm.te
---- serefpolicy-3.10.0/policy/modules/admin/rpm.te.ptrace 2011-11-04 16:06:58.979889380 -0400
-+++ serefpolicy-3.10.0/policy/modules/admin/rpm.te 2011-11-04 16:06:59.056889577 -0400
+--- serefpolicy-3.10.0/policy/modules/admin/rpm.te.ptrace 2011-11-04 16:32:07.716066432 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/rpm.te 2011-11-04 16:32:07.760066516 -0400
@@ -250,7 +250,8 @@ optional_policy(`
# rpm-script Local policy
#
@@ -97,8 +97,8 @@ diff -up serefpolicy-3.10.0/policy/modules/admin/rpm.te.ptrace serefpolicy-3.10.
allow rpm_script_t self:fd use;
allow rpm_script_t self:fifo_file rw_fifo_file_perms;
diff -up serefpolicy-3.10.0/policy/modules/admin/sectoolm.te.ptrace serefpolicy-3.10.0/policy/modules/admin/sectoolm.te
---- serefpolicy-3.10.0/policy/modules/admin/sectoolm.te.ptrace 2011-11-04 16:06:58.374887833 -0400
-+++ serefpolicy-3.10.0/policy/modules/admin/sectoolm.te 2011-11-04 16:06:59.057889580 -0400
+--- serefpolicy-3.10.0/policy/modules/admin/sectoolm.te.ptrace 2011-11-04 16:32:07.102065257 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/sectoolm.te 2011-11-04 16:32:07.761066518 -0400
@@ -23,7 +23,7 @@ files_tmp_file(sectool_tmp_t)
# sectool local policy
#
@@ -109,8 +109,8 @@ diff -up serefpolicy-3.10.0/policy/modules/admin/sectoolm.te.ptrace serefpolicy-
dontaudit sectoolm_t self:process { execstack execmem };
allow sectoolm_t self:fifo_file rw_fifo_file_perms;
diff -up serefpolicy-3.10.0/policy/modules/admin/shorewall.if.ptrace serefpolicy-3.10.0/policy/modules/admin/shorewall.if
---- serefpolicy-3.10.0/policy/modules/admin/shorewall.if.ptrace 2011-11-04 16:06:58.374887833 -0400
-+++ serefpolicy-3.10.0/policy/modules/admin/shorewall.if 2011-11-04 16:06:59.058889583 -0400
+--- serefpolicy-3.10.0/policy/modules/admin/shorewall.if.ptrace 2011-11-04 16:32:07.103065259 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/shorewall.if 2011-11-04 16:32:07.762066520 -0400
@@ -139,8 +139,11 @@ interface(`shorewall_admin',`
type shorewall_tmp_t, shorewall_etc_t;
')
@@ -125,8 +125,8 @@ diff -up serefpolicy-3.10.0/policy/modules/admin/shorewall.if.ptrace serefpolicy
init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/admin/shorewall.te.ptrace serefpolicy-3.10.0/policy/modules/admin/shorewall.te
---- serefpolicy-3.10.0/policy/modules/admin/shorewall.te.ptrace 2011-11-04 16:06:58.375887836 -0400
-+++ serefpolicy-3.10.0/policy/modules/admin/shorewall.te 2011-11-04 16:06:59.059889585 -0400
+--- serefpolicy-3.10.0/policy/modules/admin/shorewall.te.ptrace 2011-11-04 16:32:07.104065261 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/shorewall.te 2011-11-04 16:32:07.762066520 -0400
@@ -37,7 +37,7 @@ logging_log_file(shorewall_log_t)
# shorewall local policy
#
@@ -137,8 +137,8 @@ diff -up serefpolicy-3.10.0/policy/modules/admin/shorewall.te.ptrace serefpolicy
allow shorewall_t self:fifo_file rw_fifo_file_perms;
diff -up serefpolicy-3.10.0/policy/modules/admin/sosreport.te.ptrace serefpolicy-3.10.0/policy/modules/admin/sosreport.te
---- serefpolicy-3.10.0/policy/modules/admin/sosreport.te.ptrace 2011-11-04 16:06:58.379887848 -0400
-+++ serefpolicy-3.10.0/policy/modules/admin/sosreport.te 2011-11-04 16:06:59.060889587 -0400
+--- serefpolicy-3.10.0/policy/modules/admin/sosreport.te.ptrace 2011-11-04 16:32:07.108065268 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/sosreport.te 2011-11-04 16:32:07.763066522 -0400
@@ -21,7 +21,7 @@ files_tmpfs_file(sosreport_tmpfs_t)
# sosreport local policy
#
@@ -149,8 +149,8 @@ diff -up serefpolicy-3.10.0/policy/modules/admin/sosreport.te.ptrace serefpolicy
allow sosreport_t self:fifo_file rw_fifo_file_perms;
allow sosreport_t self:tcp_socket create_stream_socket_perms;
diff -up serefpolicy-3.10.0/policy/modules/admin/usermanage.te.ptrace serefpolicy-3.10.0/policy/modules/admin/usermanage.te
---- serefpolicy-3.10.0/policy/modules/admin/usermanage.te.ptrace 2011-11-04 16:06:59.008889453 -0400
-+++ serefpolicy-3.10.0/policy/modules/admin/usermanage.te 2011-11-04 16:06:59.061889589 -0400
+--- serefpolicy-3.10.0/policy/modules/admin/usermanage.te.ptrace 2011-11-04 16:32:07.689066381 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/usermanage.te 2011-11-04 16:32:07.764066524 -0400
@@ -439,7 +439,8 @@ optional_policy(`
# Useradd local policy
#
@@ -162,8 +162,8 @@ diff -up serefpolicy-3.10.0/policy/modules/admin/usermanage.te.ptrace serefpolic
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
diff -up serefpolicy-3.10.0/policy/modules/apps/chrome.te.ptrace serefpolicy-3.10.0/policy/modules/apps/chrome.te
---- serefpolicy-3.10.0/policy/modules/apps/chrome.te.ptrace 2011-11-04 16:06:58.394887885 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/chrome.te 2011-11-04 16:06:59.062889591 -0400
+--- serefpolicy-3.10.0/policy/modules/apps/chrome.te.ptrace 2011-11-04 16:32:07.123065298 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/chrome.te 2011-11-04 16:32:07.765066525 -0400
@@ -26,7 +26,7 @@ role system_r types chrome_sandbox_nacl_
#
# chrome_sandbox local policy
@@ -174,20 +174,9 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/chrome.te.ptrace serefpolicy-3.1
allow chrome_sandbox_t self:process setsched;
allow chrome_sandbox_t self:fifo_file manage_file_perms;
diff -up serefpolicy-3.10.0/policy/modules/apps/execmem.if.ptrace serefpolicy-3.10.0/policy/modules/apps/execmem.if
---- serefpolicy-3.10.0/policy/modules/apps/execmem.if.ptrace 2011-11-04 16:06:59.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/execmem.if 2011-11-04 16:09:43.642308361 -0400
-@@ -60,7 +60,7 @@ template(`execmem_role_template',`
- userdom_common_user($1_execmem_t)
-
- allow $1_execmem_t self:process { execmem execstack };
-- allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms };
-+ allow $3 $1_execmem_t:process { getattr noatsecure signal_perms };
- domtrans_pattern($3, execmem_exec_t, $1_execmem_t)
-
- files_execmod_tmp($1_execmem_t)
diff -up serefpolicy-3.10.0/policy/modules/apps/gnome.if.ptrace serefpolicy-3.10.0/policy/modules/apps/gnome.if
---- serefpolicy-3.10.0/policy/modules/apps/gnome.if.ptrace 2011-11-04 16:06:58.401887902 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/gnome.if 2011-11-04 16:06:59.064889597 -0400
+--- serefpolicy-3.10.0/policy/modules/apps/gnome.if.ptrace 2011-11-04 16:32:07.131065312 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/gnome.if 2011-11-04 16:32:07.769066534 -0400
@@ -91,8 +91,7 @@ interface(`gnome_role_gkeyringd',`
auth_use_nsswitch($1_gkeyringd_t)
@@ -199,8 +188,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/gnome.if.ptrace serefpolicy-3.10
stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
diff -up serefpolicy-3.10.0/policy/modules/apps/irc.if.ptrace serefpolicy-3.10.0/policy/modules/apps/irc.if
---- serefpolicy-3.10.0/policy/modules/apps/irc.if.ptrace 2011-11-04 16:06:58.406887917 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/irc.if 2011-11-04 16:06:59.065889600 -0400
+--- serefpolicy-3.10.0/policy/modules/apps/irc.if.ptrace 2011-11-04 16:32:07.136065322 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/irc.if 2011-11-04 16:32:07.770066536 -0400
@@ -33,7 +33,7 @@ interface(`irc_role',`
domtrans_pattern($2, irssi_exec_t, irssi_t)
@@ -211,25 +200,9 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/irc.if.ptrace serefpolicy-3.10.0
manage_dirs_pattern($2, irssi_home_t, irssi_home_t)
diff -up serefpolicy-3.10.0/policy/modules/apps/java.if.ptrace serefpolicy-3.10.0/policy/modules/apps/java.if
---- serefpolicy-3.10.0/policy/modules/apps/java.if.ptrace 2011-11-04 16:06:59.009889456 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/java.if 2011-11-04 16:06:59.066889603 -0400
-@@ -76,11 +76,11 @@ template(`java_role_template',`
- userdom_manage_tmpfs_role($2)
- userdom_manage_tmpfs($1_java_t)
-
-- allow $1_java_t self:process { ptrace signal getsched execmem execstack };
-+ allow $1_java_t self:process { signal getsched execmem execstack };
-
- dontaudit $1_java_t $3:tcp_socket { read write };
-
-- allow $3 $1_java_t:process { getattr ptrace noatsecure signal_perms };
-+ allow $3 $1_java_t:process { getattr noatsecure signal_perms };
-
- domtrans_pattern($3, java_exec_t, $1_java_t)
-
diff -up serefpolicy-3.10.0/policy/modules/apps/kde.te.ptrace serefpolicy-3.10.0/policy/modules/apps/kde.te
---- serefpolicy-3.10.0/policy/modules/apps/kde.te.ptrace 2011-11-04 16:06:58.411887928 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/kde.te 2011-11-04 16:06:59.066889603 -0400
+--- serefpolicy-3.10.0/policy/modules/apps/kde.te.ptrace 2011-11-04 16:32:07.140065330 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/kde.te 2011-11-04 16:32:07.772066539 -0400
@@ -13,9 +13,6 @@ dbus_system_domain(kdebacklighthelper_t,
#
# backlighthelper local policy
@@ -241,8 +214,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/kde.te.ptrace serefpolicy-3.10.0
kernel_read_system_state(kdebacklighthelper_t)
diff -up serefpolicy-3.10.0/policy/modules/apps/livecd.te.ptrace serefpolicy-3.10.0/policy/modules/apps/livecd.te
---- serefpolicy-3.10.0/policy/modules/apps/livecd.te.ptrace 2011-11-04 16:06:58.413887934 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/livecd.te 2011-11-04 16:06:59.067889606 -0400
+--- serefpolicy-3.10.0/policy/modules/apps/livecd.te.ptrace 2011-11-04 16:32:07.142065333 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/livecd.te 2011-11-04 16:32:07.773066541 -0400
@@ -20,7 +20,10 @@ files_tmp_file(livecd_tmp_t)
dontaudit livecd_t self:capability2 mac_admin;
@@ -256,8 +229,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/livecd.te.ptrace serefpolicy-3.1
manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
diff -up serefpolicy-3.10.0/policy/modules/apps/mono.if.ptrace serefpolicy-3.10.0/policy/modules/apps/mono.if
---- serefpolicy-3.10.0/policy/modules/apps/mono.if.ptrace 2011-11-04 16:06:59.010889459 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/mono.if 2011-11-04 16:06:59.068889608 -0400
+--- serefpolicy-3.10.0/policy/modules/apps/mono.if.ptrace 2011-11-04 16:32:07.145065339 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/mono.if 2011-11-04 16:32:07.773066541 -0400
@@ -40,8 +40,8 @@ template(`mono_role_template',`
domain_interactive_fd($1_mono_t)
application_type($1_mono_t)
@@ -271,7 +244,7 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/mono.if.ptrace serefpolicy-3.10.
diff -up serefpolicy-3.10.0/policy/modules/apps/mono.te.ptrace serefpolicy-3.10.0/policy/modules/apps/mono.te
--- serefpolicy-3.10.0/policy/modules/apps/mono.te.ptrace 2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/mono.te 2011-11-04 16:06:59.069889610 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/mono.te 2011-11-04 16:32:07.774066543 -0400
@@ -15,7 +15,7 @@ init_system_domain(mono_t, mono_exec_t)
# Local policy
#
@@ -282,8 +255,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/mono.te.ptrace serefpolicy-3.10.
init_dbus_chat_script(mono_t)
diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.if.ptrace serefpolicy-3.10.0/policy/modules/apps/mozilla.if
---- serefpolicy-3.10.0/policy/modules/apps/mozilla.if.ptrace 2011-11-04 16:06:59.011889462 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/mozilla.if 2011-11-04 16:06:59.070889612 -0400
+--- serefpolicy-3.10.0/policy/modules/apps/mozilla.if.ptrace 2011-11-04 16:32:07.146065342 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/mozilla.if 2011-11-04 16:32:07.775066545 -0400
@@ -221,7 +221,7 @@ interface(`mozilla_domtrans_plugin',`
allow mozilla_plugin_t $1:sem create_sem_perms;
@@ -294,8 +267,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.if.ptrace serefpolicy-3.
########################################
diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.te.ptrace serefpolicy-3.10.0/policy/modules/apps/mozilla.te
---- serefpolicy-3.10.0/policy/modules/apps/mozilla.te.ptrace 2011-11-04 16:06:58.982889387 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/mozilla.te 2011-11-04 16:06:59.071889614 -0400
+--- serefpolicy-3.10.0/policy/modules/apps/mozilla.te.ptrace 2011-11-04 16:32:07.720066438 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/mozilla.te 2011-11-04 16:32:07.776066546 -0400
@@ -301,7 +301,7 @@ optional_policy(`
# mozilla_plugin local policy
#
@@ -306,8 +279,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.te.ptrace serefpolicy-3.
allow mozilla_plugin_t self:process { setsched signal_perms execmem };
allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.ptrace serefpolicy-3.10.0/policy/modules/apps/nsplugin.if
---- serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.ptrace 2011-11-04 16:06:59.012889465 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.if 2011-11-04 16:06:59.072889617 -0400
+--- serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.ptrace 2011-11-04 16:32:07.152065353 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.if 2011-11-04 16:32:07.777066547 -0400
@@ -93,7 +93,7 @@ ifdef(`hide_broken_symptoms', `
dontaudit nsplugin_t $2:shm destroy;
allow $2 nsplugin_t:sem rw_sem_perms;
@@ -318,8 +291,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.ptrace serefpolicy-3
# Connect to pulseaudit server
diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.ptrace serefpolicy-3.10.0/policy/modules/apps/nsplugin.te
---- serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.ptrace 2011-11-04 16:06:59.013889468 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.te 2011-11-04 16:06:59.072889617 -0400
+--- serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.ptrace 2011-11-04 16:32:07.153065355 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.te 2011-11-04 16:32:07.778066549 -0400
@@ -54,7 +54,7 @@ application_executable_file(nsplugin_con
#
dontaudit nsplugin_t self:capability { sys_nice sys_tty_config };
@@ -330,8 +303,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.ptrace serefpolicy-3
allow nsplugin_t self:sem create_sem_perms;
allow nsplugin_t self:shm create_shm_perms;
diff -up serefpolicy-3.10.0/policy/modules/apps/openoffice.if.ptrace serefpolicy-3.10.0/policy/modules/apps/openoffice.if
---- serefpolicy-3.10.0/policy/modules/apps/openoffice.if.ptrace 2011-11-04 16:06:58.424887963 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/openoffice.if 2011-11-04 16:06:59.073889620 -0400
+--- serefpolicy-3.10.0/policy/modules/apps/openoffice.if.ptrace 2011-11-04 16:32:07.154065356 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/openoffice.if 2011-11-04 16:32:07.779066552 -0400
@@ -69,7 +69,7 @@ interface(`openoffice_role_template',`
allow $1_openoffice_t self:process { getsched sigkill execheap execmem execstack };
@@ -342,8 +315,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/openoffice.if.ptrace serefpolicy
domtrans_pattern($3, openoffice_exec_t, $1_openoffice_t)
diff -up serefpolicy-3.10.0/policy/modules/apps/podsleuth.te.ptrace serefpolicy-3.10.0/policy/modules/apps/podsleuth.te
---- serefpolicy-3.10.0/policy/modules/apps/podsleuth.te.ptrace 2011-11-04 16:06:58.983889390 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/podsleuth.te 2011-11-04 16:06:59.074889623 -0400
+--- serefpolicy-3.10.0/policy/modules/apps/podsleuth.te.ptrace 2011-11-04 16:32:07.721066440 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/podsleuth.te 2011-11-04 16:32:07.780066555 -0400
@@ -27,7 +27,8 @@ ubac_constrained(podsleuth_tmpfs_t)
# podsleuth local policy
#
@@ -356,7 +329,7 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/podsleuth.te.ptrace serefpolicy-
allow podsleuth_t self:sem create_sem_perms;
diff -up serefpolicy-3.10.0/policy/modules/apps/uml.if.ptrace serefpolicy-3.10.0/policy/modules/apps/uml.if
--- serefpolicy-3.10.0/policy/modules/apps/uml.if.ptrace 2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/uml.if 2011-11-04 16:06:59.075889626 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/uml.if 2011-11-04 16:32:07.780066555 -0400
@@ -31,9 +31,9 @@ interface(`uml_role',`
allow $2 uml_t:unix_dgram_socket sendto;
allow uml_t $2:unix_dgram_socket sendto;
@@ -370,8 +343,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/uml.if.ptrace serefpolicy-3.10.0
allow $2 uml_ro_t:dir list_dir_perms;
read_files_pattern($2, uml_ro_t, uml_ro_t)
diff -up serefpolicy-3.10.0/policy/modules/apps/uml.te.ptrace serefpolicy-3.10.0/policy/modules/apps/uml.te
---- serefpolicy-3.10.0/policy/modules/apps/uml.te.ptrace 2011-11-04 16:06:58.441888006 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/uml.te 2011-11-04 16:06:59.076889629 -0400
+--- serefpolicy-3.10.0/policy/modules/apps/uml.te.ptrace 2011-11-04 16:32:07.170065388 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/uml.te 2011-11-04 16:32:07.781066557 -0400
@@ -53,7 +53,7 @@ files_pid_file(uml_switch_var_run_t)
#
@@ -382,8 +355,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/uml.te.ptrace serefpolicy-3.10.0
allow uml_t self:unix_dgram_socket create_socket_perms;
# Use the network.
diff -up serefpolicy-3.10.0/policy/modules/apps/wine.if.ptrace serefpolicy-3.10.0/policy/modules/apps/wine.if
---- serefpolicy-3.10.0/policy/modules/apps/wine.if.ptrace 2011-11-04 16:06:59.017889476 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/wine.if 2011-11-04 16:06:59.077889631 -0400
+--- serefpolicy-3.10.0/policy/modules/apps/wine.if.ptrace 2011-11-04 16:32:07.178065401 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/wine.if 2011-11-04 16:32:07.782066558 -0400
@@ -100,7 +100,7 @@ template(`wine_role_template',`
role $2 types $1_wine_t;
@@ -394,8 +367,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/wine.if.ptrace serefpolicy-3.10.
corecmd_bin_domtrans($1_wine_t, $1_t)
diff -up serefpolicy-3.10.0/policy/modules/kernel/domain.te.ptrace serefpolicy-3.10.0/policy/modules/kernel/domain.te
---- serefpolicy-3.10.0/policy/modules/kernel/domain.te.ptrace 2011-11-04 16:06:58.467888071 -0400
-+++ serefpolicy-3.10.0/policy/modules/kernel/domain.te 2011-11-04 16:06:59.078889633 -0400
+--- serefpolicy-3.10.0/policy/modules/kernel/domain.te.ptrace 2011-11-04 16:32:07.196065437 -0400
++++ serefpolicy-3.10.0/policy/modules/kernel/domain.te 2011-11-04 16:32:07.783066560 -0400
@@ -181,7 +181,10 @@ allow unconfined_domain_type domain:fifo
allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
@@ -414,8 +387,8 @@ diff -up serefpolicy-3.10.0/policy/modules/kernel/domain.te.ptrace serefpolicy-3
dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
+dontaudit domain self:capability sys_ptrace;
diff -up serefpolicy-3.10.0/policy/modules/kernel/kernel.te.ptrace serefpolicy-3.10.0/policy/modules/kernel/kernel.te
---- serefpolicy-3.10.0/policy/modules/kernel/kernel.te.ptrace 2011-11-04 16:06:58.479888103 -0400
-+++ serefpolicy-3.10.0/policy/modules/kernel/kernel.te 2011-11-04 16:06:59.079889635 -0400
+--- serefpolicy-3.10.0/policy/modules/kernel/kernel.te.ptrace 2011-11-04 16:32:07.208065460 -0400
++++ serefpolicy-3.10.0/policy/modules/kernel/kernel.te 2011-11-04 16:32:07.784066562 -0400
@@ -191,7 +191,11 @@ sid tcp_socket gen_context(system_u:obj
# kernel local policy
#
@@ -439,8 +412,8 @@ diff -up serefpolicy-3.10.0/policy/modules/kernel/kernel.te.ptrace serefpolicy-3
gen_require(`
bool secure_mode_insmod;
diff -up serefpolicy-3.10.0/policy/modules/roles/dbadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/dbadm.te
---- serefpolicy-3.10.0/policy/modules/roles/dbadm.te.ptrace 2011-11-04 16:06:58.491888133 -0400
-+++ serefpolicy-3.10.0/policy/modules/roles/dbadm.te 2011-11-04 16:06:59.079889635 -0400
+--- serefpolicy-3.10.0/policy/modules/roles/dbadm.te.ptrace 2011-11-04 16:32:07.220065483 -0400
++++ serefpolicy-3.10.0/policy/modules/roles/dbadm.te 2011-11-04 16:32:07.784066562 -0400
@@ -28,7 +28,7 @@ userdom_base_user_template(dbadm)
# database admin local policy
#
@@ -452,7 +425,7 @@ diff -up serefpolicy-3.10.0/policy/modules/roles/dbadm.te.ptrace serefpolicy-3.1
files_delete_generic_locks(dbadm_t)
diff -up serefpolicy-3.10.0/policy/modules/roles/logadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/logadm.te
--- serefpolicy-3.10.0/policy/modules/roles/logadm.te.ptrace 2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/roles/logadm.te 2011-11-04 16:06:59.080889637 -0400
++++ serefpolicy-3.10.0/policy/modules/roles/logadm.te 2011-11-04 16:32:07.785066564 -0400
@@ -14,6 +14,5 @@ userdom_base_user_template(logadm)
# logadmin local policy
#
@@ -462,8 +435,8 @@ diff -up serefpolicy-3.10.0/policy/modules/roles/logadm.te.ptrace serefpolicy-3.
+allow logadm_t self:capability { dac_override dac_read_search kill sys_nice };
logging_admin(logadm_t, logadm_r)
diff -up serefpolicy-3.10.0/policy/modules/roles/sysadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/sysadm.te
---- serefpolicy-3.10.0/policy/modules/roles/sysadm.te.ptrace 2011-11-04 16:06:59.018889479 -0400
-+++ serefpolicy-3.10.0/policy/modules/roles/sysadm.te 2011-11-04 16:06:59.081889640 -0400
+--- serefpolicy-3.10.0/policy/modules/roles/sysadm.te.ptrace 2011-11-04 16:32:07.723066445 -0400
++++ serefpolicy-3.10.0/policy/modules/roles/sysadm.te 2011-11-04 16:32:07.786066566 -0400
@@ -5,13 +5,6 @@ policy_module(sysadm, 2.2.1)
# Declarations
#
@@ -478,7 +451,7 @@ diff -up serefpolicy-3.10.0/policy/modules/roles/sysadm.te.ptrace serefpolicy-3.
role sysadm_r;
userdom_admin_user_template(sysadm)
-@@ -91,7 +84,7 @@ ifndef(`enable_mls',`
+@@ -90,7 +83,7 @@ ifndef(`enable_mls',`
logging_stream_connect_syslog(sysadm_t)
')
@@ -488,8 +461,8 @@ diff -up serefpolicy-3.10.0/policy/modules/roles/sysadm.te.ptrace serefpolicy-3.
')
diff -up serefpolicy-3.10.0/policy/modules/roles/webadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/webadm.te
---- serefpolicy-3.10.0/policy/modules/roles/webadm.te.ptrace 2011-11-04 16:06:58.498888152 -0400
-+++ serefpolicy-3.10.0/policy/modules/roles/webadm.te 2011-11-04 16:06:59.082889643 -0400
+--- serefpolicy-3.10.0/policy/modules/roles/webadm.te.ptrace 2011-11-04 16:32:07.226065494 -0400
++++ serefpolicy-3.10.0/policy/modules/roles/webadm.te 2011-11-04 16:32:07.787066568 -0400
@@ -28,7 +28,7 @@ userdom_base_user_template(webadm)
# webadmin local policy
#
@@ -500,8 +473,8 @@ diff -up serefpolicy-3.10.0/policy/modules/roles/webadm.te.ptrace serefpolicy-3.
files_dontaudit_search_all_dirs(webadm_t)
files_manage_generic_locks(webadm_t)
diff -up serefpolicy-3.10.0/policy/modules/services/abrt.if.ptrace serefpolicy-3.10.0/policy/modules/services/abrt.if
---- serefpolicy-3.10.0/policy/modules/services/abrt.if.ptrace 2011-11-04 16:06:58.500888156 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/abrt.if 2011-11-04 16:06:59.083889646 -0400
+--- serefpolicy-3.10.0/policy/modules/services/abrt.if.ptrace 2011-11-04 16:32:07.229065500 -0400
++++ serefpolicy-3.10.0/policy/modules/services/abrt.if 2011-11-04 16:32:07.788066569 -0400
@@ -336,9 +336,13 @@ interface(`abrt_admin',`
type abrt_initrc_exec_t;
')
@@ -518,8 +491,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/abrt.if.ptrace serefpolicy-3
domain_system_change_exemption($1)
role_transition $2 abrt_initrc_exec_t system_r;
diff -up serefpolicy-3.10.0/policy/modules/services/accountsd.if.ptrace serefpolicy-3.10.0/policy/modules/services/accountsd.if
---- serefpolicy-3.10.0/policy/modules/services/accountsd.if.ptrace 2011-11-04 16:06:58.502888160 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/accountsd.if 2011-11-04 16:06:59.083889646 -0400
+--- serefpolicy-3.10.0/policy/modules/services/accountsd.if.ptrace 2011-11-04 16:32:07.231065504 -0400
++++ serefpolicy-3.10.0/policy/modules/services/accountsd.if 2011-11-04 16:32:07.788066569 -0400
@@ -138,8 +138,12 @@ interface(`accountsd_admin',`
type accountsd_t;
')
@@ -535,8 +508,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/accountsd.if.ptrace serefpol
accountsd_manage_lib_files($1)
')
diff -up serefpolicy-3.10.0/policy/modules/services/accountsd.te.ptrace serefpolicy-3.10.0/policy/modules/services/accountsd.te
---- serefpolicy-3.10.0/policy/modules/services/accountsd.te.ptrace 2011-11-04 16:06:58.503888163 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/accountsd.te 2011-11-04 16:06:59.084889649 -0400
+--- serefpolicy-3.10.0/policy/modules/services/accountsd.te.ptrace 2011-11-04 16:32:07.232065506 -0400
++++ serefpolicy-3.10.0/policy/modules/services/accountsd.te 2011-11-04 16:32:07.789066570 -0400
@@ -19,7 +19,7 @@ files_type(accountsd_var_lib_t)
# accountsd local policy
#
@@ -547,8 +520,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/accountsd.te.ptrace serefpol
allow accountsd_t self:fifo_file rw_fifo_file_perms;
diff -up serefpolicy-3.10.0/policy/modules/services/afs.if.ptrace serefpolicy-3.10.0/policy/modules/services/afs.if
---- serefpolicy-3.10.0/policy/modules/services/afs.if.ptrace 2011-11-04 16:06:58.504888166 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/afs.if 2011-11-04 16:06:59.086889654 -0400
+--- serefpolicy-3.10.0/policy/modules/services/afs.if.ptrace 2011-11-04 16:32:07.232065506 -0400
++++ serefpolicy-3.10.0/policy/modules/services/afs.if 2011-11-04 16:32:07.791066575 -0400
@@ -97,9 +97,13 @@ interface(`afs_admin',`
type afs_t, afs_initrc_exec_t;
')
@@ -566,7 +539,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/afs.if.ptrace serefpolicy-3.
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/aiccu.if.ptrace serefpolicy-3.10.0/policy/modules/services/aiccu.if
--- serefpolicy-3.10.0/policy/modules/services/aiccu.if.ptrace 2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/aiccu.if 2011-11-04 16:06:59.087889656 -0400
++++ serefpolicy-3.10.0/policy/modules/services/aiccu.if 2011-11-04 16:32:07.792066578 -0400
@@ -79,9 +79,13 @@ interface(`aiccu_admin',`
type aiccu_var_run_t;
')
@@ -583,8 +556,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/aiccu.if.ptrace serefpolicy-
domain_system_change_exemption($1)
role_transition $2 aiccu_initrc_exec_t system_r;
diff -up serefpolicy-3.10.0/policy/modules/services/aide.if.ptrace serefpolicy-3.10.0/policy/modules/services/aide.if
---- serefpolicy-3.10.0/policy/modules/services/aide.if.ptrace 2011-11-04 16:06:58.507888175 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/aide.if 2011-11-04 16:06:59.088889658 -0400
+--- serefpolicy-3.10.0/policy/modules/services/aide.if.ptrace 2011-11-04 16:32:07.235065510 -0400
++++ serefpolicy-3.10.0/policy/modules/services/aide.if 2011-11-04 16:32:07.793066580 -0400
@@ -61,9 +61,13 @@ interface(`aide_admin',`
type aide_t, aide_db_t, aide_log_t;
')
@@ -601,8 +574,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/aide.if.ptrace serefpolicy-3
admin_pattern($1, aide_db_t)
diff -up serefpolicy-3.10.0/policy/modules/services/aisexec.if.ptrace serefpolicy-3.10.0/policy/modules/services/aisexec.if
---- serefpolicy-3.10.0/policy/modules/services/aisexec.if.ptrace 2011-11-04 16:06:58.509888179 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/aisexec.if 2011-11-04 16:06:59.089889660 -0400
+--- serefpolicy-3.10.0/policy/modules/services/aisexec.if.ptrace 2011-11-04 16:32:07.237065515 -0400
++++ serefpolicy-3.10.0/policy/modules/services/aisexec.if 2011-11-04 16:32:07.794066581 -0400
@@ -82,9 +82,13 @@ interface(`aisexecd_admin',`
type aisexec_initrc_exec_t;
')
@@ -619,8 +592,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/aisexec.if.ptrace serefpolic
domain_system_change_exemption($1)
role_transition $2 aisexec_initrc_exec_t system_r;
diff -up serefpolicy-3.10.0/policy/modules/services/ajaxterm.if.ptrace serefpolicy-3.10.0/policy/modules/services/ajaxterm.if
---- serefpolicy-3.10.0/policy/modules/services/ajaxterm.if.ptrace 2011-11-04 16:06:58.510888181 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ajaxterm.if 2011-11-04 16:06:59.089889660 -0400
+--- serefpolicy-3.10.0/policy/modules/services/ajaxterm.if.ptrace 2011-11-04 16:32:07.239065520 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ajaxterm.if 2011-11-04 16:32:07.795066583 -0400
@@ -76,9 +76,13 @@ interface(`ajaxterm_admin',`
type ajaxterm_t, ajaxterm_initrc_exec_t;
')
@@ -638,7 +611,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ajaxterm.if.ptrace serefpoli
role_transition $2 ajaxterm_initrc_exec_t system_r;
diff -up serefpolicy-3.10.0/policy/modules/services/amavis.if.ptrace serefpolicy-3.10.0/policy/modules/services/amavis.if
--- serefpolicy-3.10.0/policy/modules/services/amavis.if.ptrace 2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/amavis.if 2011-11-04 16:06:59.090889663 -0400
++++ serefpolicy-3.10.0/policy/modules/services/amavis.if 2011-11-04 16:32:07.796066585 -0400
@@ -231,9 +231,13 @@ interface(`amavis_admin',`
type amavis_initrc_exec_t;
')
@@ -655,8 +628,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/amavis.if.ptrace serefpolicy
domain_system_change_exemption($1)
role_transition $2 amavis_initrc_exec_t system_r;
diff -up serefpolicy-3.10.0/policy/modules/services/apache.if.ptrace serefpolicy-3.10.0/policy/modules/services/apache.if
---- serefpolicy-3.10.0/policy/modules/services/apache.if.ptrace 2011-11-04 16:06:59.039889534 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/apache.if 2011-11-04 16:06:59.092889669 -0400
+--- serefpolicy-3.10.0/policy/modules/services/apache.if.ptrace 2011-11-04 16:32:07.746066489 -0400
++++ serefpolicy-3.10.0/policy/modules/services/apache.if 2011-11-04 16:32:07.798066589 -0400
@@ -1297,9 +1297,13 @@ interface(`apache_admin',`
type httpd_unit_file_t;
')
@@ -674,7 +647,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/apache.if.ptrace serefpolicy
role_transition $2 httpd_initrc_exec_t system_r;
diff -up serefpolicy-3.10.0/policy/modules/services/apcupsd.if.ptrace serefpolicy-3.10.0/policy/modules/services/apcupsd.if
--- serefpolicy-3.10.0/policy/modules/services/apcupsd.if.ptrace 2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/apcupsd.if 2011-11-04 16:06:59.093889672 -0400
++++ serefpolicy-3.10.0/policy/modules/services/apcupsd.if 2011-11-04 16:32:07.799066590 -0400
@@ -146,9 +146,13 @@ interface(`apcupsd_admin',`
type apcupsd_initrc_exec_t;
')
@@ -691,8 +664,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/apcupsd.if.ptrace serefpolic
domain_system_change_exemption($1)
role_transition $2 apcupsd_initrc_exec_t system_r;
diff -up serefpolicy-3.10.0/policy/modules/services/apm.te.ptrace serefpolicy-3.10.0/policy/modules/services/apm.te
---- serefpolicy-3.10.0/policy/modules/services/apm.te.ptrace 2011-11-04 16:06:58.520888206 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/apm.te 2011-11-04 16:06:59.094889675 -0400
+--- serefpolicy-3.10.0/policy/modules/services/apm.te.ptrace 2011-11-04 16:32:07.249065538 -0400
++++ serefpolicy-3.10.0/policy/modules/services/apm.te 2011-11-04 16:32:07.800066591 -0400
@@ -60,7 +60,7 @@ logging_send_syslog_msg(apm_t)
# mknod: controlling an orderly resume of PCMCIA requires creating device
# nodes 254,{0,1,2} for some reason.
@@ -703,8 +676,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/apm.te.ptrace serefpolicy-3.
allow apmd_t self:fifo_file rw_fifo_file_perms;
allow apmd_t self:netlink_socket create_socket_perms;
diff -up serefpolicy-3.10.0/policy/modules/services/arpwatch.if.ptrace serefpolicy-3.10.0/policy/modules/services/arpwatch.if
---- serefpolicy-3.10.0/policy/modules/services/arpwatch.if.ptrace 2011-11-04 16:06:58.521888209 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/arpwatch.if 2011-11-04 16:06:59.095889677 -0400
+--- serefpolicy-3.10.0/policy/modules/services/arpwatch.if.ptrace 2011-11-04 16:32:07.249065538 -0400
++++ serefpolicy-3.10.0/policy/modules/services/arpwatch.if 2011-11-04 16:32:07.800066591 -0400
@@ -137,9 +137,13 @@ interface(`arpwatch_admin',`
type arpwatch_initrc_exec_t;
')
@@ -721,8 +694,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/arpwatch.if.ptrace serefpoli
domain_system_change_exemption($1)
role_transition $2 arpwatch_initrc_exec_t system_r;
diff -up serefpolicy-3.10.0/policy/modules/services/asterisk.if.ptrace serefpolicy-3.10.0/policy/modules/services/asterisk.if
---- serefpolicy-3.10.0/policy/modules/services/asterisk.if.ptrace 2011-11-04 16:06:58.522888212 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/asterisk.if 2011-11-04 16:06:59.096889679 -0400
+--- serefpolicy-3.10.0/policy/modules/services/asterisk.if.ptrace 2011-11-04 16:32:07.251065543 -0400
++++ serefpolicy-3.10.0/policy/modules/services/asterisk.if 2011-11-04 16:32:07.801066593 -0400
@@ -64,9 +64,13 @@ interface(`asterisk_admin',`
type asterisk_initrc_exec_t;
')
@@ -739,8 +712,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/asterisk.if.ptrace serefpoli
domain_system_change_exemption($1)
role_transition $2 asterisk_initrc_exec_t system_r;
diff -up serefpolicy-3.10.0/policy/modules/services/automount.if.ptrace serefpolicy-3.10.0/policy/modules/services/automount.if
---- serefpolicy-3.10.0/policy/modules/services/automount.if.ptrace 2011-11-04 16:06:58.523888215 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/automount.if 2011-11-04 16:06:59.096889679 -0400
+--- serefpolicy-3.10.0/policy/modules/services/automount.if.ptrace 2011-11-04 16:32:07.253065546 -0400
++++ serefpolicy-3.10.0/policy/modules/services/automount.if 2011-11-04 16:32:07.802066596 -0400
@@ -150,9 +150,13 @@ interface(`automount_admin',`
type automount_var_run_t, automount_initrc_exec_t;
')
@@ -757,8 +730,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/automount.if.ptrace serefpol
domain_system_change_exemption($1)
role_transition $2 automount_initrc_exec_t system_r;
diff -up serefpolicy-3.10.0/policy/modules/services/avahi.if.ptrace serefpolicy-3.10.0/policy/modules/services/avahi.if
---- serefpolicy-3.10.0/policy/modules/services/avahi.if.ptrace 2011-11-04 16:06:58.525888221 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/avahi.if 2011-11-04 16:06:59.097889681 -0400
+--- serefpolicy-3.10.0/policy/modules/services/avahi.if.ptrace 2011-11-04 16:32:07.254065548 -0400
++++ serefpolicy-3.10.0/policy/modules/services/avahi.if 2011-11-04 16:32:07.803066599 -0400
@@ -154,9 +154,13 @@ interface(`avahi_admin',`
type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
')
@@ -775,8 +748,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/avahi.if.ptrace serefpolicy-
domain_system_change_exemption($1)
role_transition $2 avahi_initrc_exec_t system_r;
diff -up serefpolicy-3.10.0/policy/modules/services/bind.if.ptrace serefpolicy-3.10.0/policy/modules/services/bind.if
---- serefpolicy-3.10.0/policy/modules/services/bind.if.ptrace 2011-11-04 16:06:58.527888225 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/bind.if 2011-11-04 16:06:59.098889683 -0400
+--- serefpolicy-3.10.0/policy/modules/services/bind.if.ptrace 2011-11-04 16:32:07.256065552 -0400
++++ serefpolicy-3.10.0/policy/modules/services/bind.if 2011-11-04 16:32:07.804066601 -0400
@@ -408,12 +408,20 @@ interface(`bind_admin',`
type dnssec_t, ndc_t, named_keytab_t;
')
@@ -802,7 +775,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/bind.if.ptrace serefpolicy-3
init_labeled_script_domtrans($1, named_initrc_exec_t)
diff -up serefpolicy-3.10.0/policy/modules/services/bitlbee.if.ptrace serefpolicy-3.10.0/policy/modules/services/bitlbee.if
--- serefpolicy-3.10.0/policy/modules/services/bitlbee.if.ptrace 2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/bitlbee.if 2011-11-04 16:06:59.100889689 -0400
++++ serefpolicy-3.10.0/policy/modules/services/bitlbee.if 2011-11-04 16:32:07.806066604 -0400
@@ -43,9 +43,13 @@ interface(`bitlbee_admin',`
type bitlbee_initrc_exec_t;
')
@@ -819,8 +792,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/bitlbee.if.ptrace serefpolic
domain_system_change_exemption($1)
role_transition $2 bitlbee_initrc_exec_t system_r;
diff -up serefpolicy-3.10.0/policy/modules/services/bluetooth.if.ptrace serefpolicy-3.10.0/policy/modules/services/bluetooth.if
---- serefpolicy-3.10.0/policy/modules/services/bluetooth.if.ptrace 2011-11-04 16:06:58.530888232 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/bluetooth.if 2011-11-04 16:06:59.101889692 -0400
+--- serefpolicy-3.10.0/policy/modules/services/bluetooth.if.ptrace 2011-11-04 16:32:07.259065556 -0400
++++ serefpolicy-3.10.0/policy/modules/services/bluetooth.if 2011-11-04 16:32:07.807066606 -0400
@@ -28,7 +28,11 @@ interface(`bluetooth_role',`
# allow ps to show cdrecord and allow the user to kill it
@@ -850,8 +823,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/bluetooth.if.ptrace serefpol
domain_system_change_exemption($1)
role_transition $2 bluetooth_initrc_exec_t system_r;
diff -up serefpolicy-3.10.0/policy/modules/services/boinc.if.ptrace serefpolicy-3.10.0/policy/modules/services/boinc.if
---- serefpolicy-3.10.0/policy/modules/services/boinc.if.ptrace 2011-11-04 16:06:58.533888241 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/boinc.if 2011-11-04 16:06:59.102889695 -0400
+--- serefpolicy-3.10.0/policy/modules/services/boinc.if.ptrace 2011-11-04 16:32:07.262065564 -0400
++++ serefpolicy-3.10.0/policy/modules/services/boinc.if 2011-11-04 16:32:07.808066608 -0400
@@ -137,9 +137,13 @@ interface(`boinc_admin',`
type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t;
')
@@ -868,8 +841,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/boinc.if.ptrace serefpolicy-
domain_system_change_exemption($1)
role_transition $2 boinc_initrc_exec_t system_r;
diff -up serefpolicy-3.10.0/policy/modules/services/boinc.te.ptrace serefpolicy-3.10.0/policy/modules/services/boinc.te
---- serefpolicy-3.10.0/policy/modules/services/boinc.te.ptrace 2011-11-04 16:06:58.988889403 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/boinc.te 2011-11-04 16:06:59.102889695 -0400
+--- serefpolicy-3.10.0/policy/modules/services/boinc.te.ptrace 2011-11-04 16:32:07.726066451 -0400
++++ serefpolicy-3.10.0/policy/modules/services/boinc.te 2011-11-04 16:32:07.809066610 -0400
@@ -121,9 +121,13 @@ mta_send_mail(boinc_t)
domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
allow boinc_t boinc_project_t:process sigkill;
@@ -886,8 +859,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/boinc.te.ptrace serefpolicy-
allow boinc_project_t self:sem create_sem_perms;
diff -up serefpolicy-3.10.0/policy/modules/services/bugzilla.if.ptrace serefpolicy-3.10.0/policy/modules/services/bugzilla.if
---- serefpolicy-3.10.0/policy/modules/services/bugzilla.if.ptrace 2011-11-04 16:06:58.536888248 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/bugzilla.if 2011-11-04 16:06:59.103889698 -0400
+--- serefpolicy-3.10.0/policy/modules/services/bugzilla.if.ptrace 2011-11-04 16:32:07.264065567 -0400
++++ serefpolicy-3.10.0/policy/modules/services/bugzilla.if 2011-11-04 16:32:07.809066610 -0400
@@ -62,9 +62,13 @@ interface(`bugzilla_admin',`
type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t;
')
@@ -904,8 +877,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/bugzilla.if.ptrace serefpoli
admin_pattern($1, httpd_bugzilla_tmp_t)
diff -up serefpolicy-3.10.0/policy/modules/services/callweaver.if.ptrace serefpolicy-3.10.0/policy/modules/services/callweaver.if
---- serefpolicy-3.10.0/policy/modules/services/callweaver.if.ptrace 2011-11-04 16:06:58.539888255 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/callweaver.if 2011-11-04 16:06:59.104889700 -0400
+--- serefpolicy-3.10.0/policy/modules/services/callweaver.if.ptrace 2011-11-04 16:32:07.268065575 -0400
++++ serefpolicy-3.10.0/policy/modules/services/callweaver.if 2011-11-04 16:32:07.810066612 -0400
@@ -336,9 +336,13 @@ interface(`callweaver_admin',`
type callweaver_spool_t;
')
@@ -923,7 +896,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/callweaver.if.ptrace serefpo
role_transition $2 callweaver_initrc_exec_t system_r;
diff -up serefpolicy-3.10.0/policy/modules/services/canna.if.ptrace serefpolicy-3.10.0/policy/modules/services/canna.if
--- serefpolicy-3.10.0/policy/modules/services/canna.if.ptrace 2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/canna.if 2011-11-04 16:06:59.105889702 -0400
++++ serefpolicy-3.10.0/policy/modules/services/canna.if 2011-11-04 16:32:07.811066613 -0400
@@ -42,9 +42,13 @@ interface(`canna_admin',`
type canna_var_run_t, canna_initrc_exec_t;
')
@@ -940,8 +913,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/canna.if.ptrace serefpolicy-
domain_system_change_exemption($1)
role_transition $2 canna_initrc_exec_t system_r;
diff -up serefpolicy-3.10.0/policy/modules/services/certmaster.if.ptrace serefpolicy-3.10.0/policy/modules/services/certmaster.if
---- serefpolicy-3.10.0/policy/modules/services/certmaster.if.ptrace 2011-11-04 16:06:58.544888269 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/certmaster.if 2011-11-04 16:06:59.106889704 -0400
+--- serefpolicy-3.10.0/policy/modules/services/certmaster.if.ptrace 2011-11-04 16:32:07.273065585 -0400
++++ serefpolicy-3.10.0/policy/modules/services/certmaster.if 2011-11-04 16:32:07.812066614 -0400
@@ -119,9 +119,13 @@ interface(`certmaster_admin',`
type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
')
@@ -958,8 +931,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/certmaster.if.ptrace serefpo
domain_system_change_exemption($1)
role_transition $2 certmaster_initrc_exec_t system_r;
diff -up serefpolicy-3.10.0/policy/modules/services/certmonger.if.ptrace serefpolicy-3.10.0/policy/modules/services/certmonger.if
---- serefpolicy-3.10.0/policy/modules/services/certmonger.if.ptrace 2011-11-04 16:06:58.546888273 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/certmonger.if 2011-11-04 16:06:59.107889706 -0400
+--- serefpolicy-3.10.0/policy/modules/services/certmonger.if.ptrace 2011-11-04 16:32:07.275065588 -0400
++++ serefpolicy-3.10.0/policy/modules/services/certmonger.if 2011-11-04 16:32:07.814066619 -0400
@@ -158,7 +158,11 @@ interface(`certmonger_admin',`
')
@@ -974,8 +947,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/certmonger.if.ptrace serefpo
# Allow certmonger_t to restart the apache service
certmonger_initrc_domtrans($1)
diff -up serefpolicy-3.10.0/policy/modules/services/cgroup.if.ptrace serefpolicy-3.10.0/policy/modules/services/cgroup.if
---- serefpolicy-3.10.0/policy/modules/services/cgroup.if.ptrace 2011-11-04 16:06:58.549888281 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/cgroup.if 2011-11-04 16:06:59.108889709 -0400
+--- serefpolicy-3.10.0/policy/modules/services/cgroup.if.ptrace 2011-11-04 16:32:07.278065594 -0400
++++ serefpolicy-3.10.0/policy/modules/services/cgroup.if 2011-11-04 16:32:07.815066622 -0400
@@ -171,15 +171,27 @@ interface(`cgroup_admin',`
type cgrules_etc_t, cgclear_t;
')
@@ -1008,8 +981,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cgroup.if.ptrace serefpolicy
admin_pattern($1, cgrules_etc_t)
files_list_etc($1)
diff -up serefpolicy-3.10.0/policy/modules/services/cgroup.te.ptrace serefpolicy-3.10.0/policy/modules/services/cgroup.te
---- serefpolicy-3.10.0/policy/modules/services/cgroup.te.ptrace 2011-11-04 16:06:58.550888284 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/cgroup.te 2011-11-04 16:06:59.109889712 -0400
+--- serefpolicy-3.10.0/policy/modules/services/cgroup.te.ptrace 2011-11-04 16:32:07.278065594 -0400
++++ serefpolicy-3.10.0/policy/modules/services/cgroup.te 2011-11-04 16:32:07.815066622 -0400
@@ -76,7 +76,8 @@ fs_unmount_cgroup(cgconfig_t)
# cgred personal policy.
#
@@ -1021,8 +994,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cgroup.te.ptrace serefpolicy
allow cgred_t self:unix_dgram_socket { write create connect };
diff -up serefpolicy-3.10.0/policy/modules/services/chronyd.if.ptrace serefpolicy-3.10.0/policy/modules/services/chronyd.if
---- serefpolicy-3.10.0/policy/modules/services/chronyd.if.ptrace 2011-11-04 16:06:58.551888287 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/chronyd.if 2011-11-04 16:06:59.109889712 -0400
+--- serefpolicy-3.10.0/policy/modules/services/chronyd.if.ptrace 2011-11-04 16:32:07.280065598 -0400
++++ serefpolicy-3.10.0/policy/modules/services/chronyd.if 2011-11-04 16:32:07.816066624 -0400
@@ -217,9 +217,13 @@ interface(`chronyd_admin',`
type chronyd_keys_t;
')
@@ -1039,8 +1012,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/chronyd.if.ptrace serefpolic
domain_system_change_exemption($1)
role_transition $2 chronyd_initrc_exec_t system_r;
diff -up serefpolicy-3.10.0/policy/modules/services/clamav.if.ptrace serefpolicy-3.10.0/policy/modules/services/clamav.if
---- serefpolicy-3.10.0/policy/modules/services/clamav.if.ptrace 2011-11-04 16:06:58.553888292 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/clamav.if 2011-11-04 16:06:59.110889715 -0400
+--- serefpolicy-3.10.0/policy/modules/services/clamav.if.ptrace 2011-11-04 16:32:07.282065600 -0400
++++ serefpolicy-3.10.0/policy/modules/services/clamav.if 2011-11-04 16:32:07.817066625 -0400
@@ -176,13 +176,19 @@ interface(`clamav_admin',`
type freshclam_t, freshclam_var_log_t;
')
@@ -1065,8 +1038,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/clamav.if.ptrace serefpolicy
init_labeled_script_domtrans($1, clamd_initrc_exec_t)
diff -up serefpolicy-3.10.0/policy/modules/services/cmirrord.if.ptrace serefpolicy-3.10.0/policy/modules/services/cmirrord.if
---- serefpolicy-3.10.0/policy/modules/services/cmirrord.if.ptrace 2011-11-04 16:06:58.560888310 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/cmirrord.if 2011-11-04 16:06:59.111889718 -0400
+--- serefpolicy-3.10.0/policy/modules/services/cmirrord.if.ptrace 2011-11-04 16:32:07.289065615 -0400
++++ serefpolicy-3.10.0/policy/modules/services/cmirrord.if 2011-11-04 16:32:07.818066627 -0400
@@ -101,9 +101,13 @@ interface(`cmirrord_admin',`
type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;
')
@@ -1083,8 +1056,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cmirrord.if.ptrace serefpoli
domain_system_change_exemption($1)
role_transition $2 cmirrord_initrc_exec_t system_r;
diff -up serefpolicy-3.10.0/policy/modules/services/cobbler.if.ptrace serefpolicy-3.10.0/policy/modules/services/cobbler.if
---- serefpolicy-3.10.0/policy/modules/services/cobbler.if.ptrace 2011-11-04 16:06:58.561888313 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/cobbler.if 2011-11-04 16:06:59.112889721 -0400
+--- serefpolicy-3.10.0/policy/modules/services/cobbler.if.ptrace 2011-11-04 16:32:07.290065617 -0400
++++ serefpolicy-3.10.0/policy/modules/services/cobbler.if 2011-11-04 16:32:07.819066629 -0400
@@ -189,9 +189,13 @@ interface(`cobblerd_admin',`
type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t;
')
@@ -1101,8 +1074,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cobbler.if.ptrace serefpolic
admin_pattern($1, cobbler_etc_t)
diff -up serefpolicy-3.10.0/policy/modules/services/cobbler.te.ptrace serefpolicy-3.10.0/policy/modules/services/cobbler.te
---- serefpolicy-3.10.0/policy/modules/services/cobbler.te.ptrace 2011-11-04 16:06:58.562888315 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/cobbler.te 2011-11-04 16:06:59.113889723 -0400
+--- serefpolicy-3.10.0/policy/modules/services/cobbler.te.ptrace 2011-11-04 16:32:07.291065619 -0400
++++ serefpolicy-3.10.0/policy/modules/services/cobbler.te 2011-11-04 16:32:07.820066631 -0400
@@ -60,7 +60,7 @@ files_tmp_file(cobbler_tmp_t)
#
@@ -1113,8 +1086,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cobbler.te.ptrace serefpolic
allow cobblerd_t self:process { getsched setsched signal };
allow cobblerd_t self:fifo_file rw_fifo_file_perms;
diff -up serefpolicy-3.10.0/policy/modules/services/collectd.if.ptrace serefpolicy-3.10.0/policy/modules/services/collectd.if
---- serefpolicy-3.10.0/policy/modules/services/collectd.if.ptrace 2011-11-04 16:06:58.563888317 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/collectd.if 2011-11-04 16:06:59.113889723 -0400
+--- serefpolicy-3.10.0/policy/modules/services/collectd.if.ptrace 2011-11-04 16:32:07.292065620 -0400
++++ serefpolicy-3.10.0/policy/modules/services/collectd.if 2011-11-04 16:32:07.821066633 -0400
@@ -142,9 +142,13 @@ interface(`collectd_admin',`
type collectd_var_lib_t;
')
@@ -1131,8 +1104,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/collectd.if.ptrace serefpoli
domain_system_change_exemption($1)
role_transition $2 collectd_initrc_exec_t system_r;
diff -up serefpolicy-3.10.0/policy/modules/services/consolekit.te.ptrace serefpolicy-3.10.0/policy/modules/services/consolekit.te
---- serefpolicy-3.10.0/policy/modules/services/consolekit.te.ptrace 2011-11-04 16:06:58.566888324 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/consolekit.te 2011-11-04 16:06:59.114889725 -0400
+--- serefpolicy-3.10.0/policy/modules/services/consolekit.te.ptrace 2011-11-04 16:32:07.295065626 -0400
++++ serefpolicy-3.10.0/policy/modules/services/consolekit.te 2011-11-04 16:32:07.822066635 -0400
@@ -23,7 +23,8 @@ files_tmpfs_file(consolekit_tmpfs_t)
# consolekit local policy
#
@@ -1154,8 +1127,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/consolekit.te.ptrace serefpo
unconfined_stream_connect(consolekit_t)
')
diff -up serefpolicy-3.10.0/policy/modules/services/corosync.if.ptrace serefpolicy-3.10.0/policy/modules/services/corosync.if
---- serefpolicy-3.10.0/policy/modules/services/corosync.if.ptrace 2011-11-04 16:06:58.567888327 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/corosync.if 2011-11-04 16:06:59.115889727 -0400
+--- serefpolicy-3.10.0/policy/modules/services/corosync.if.ptrace 2011-11-04 16:32:07.297065631 -0400
++++ serefpolicy-3.10.0/policy/modules/services/corosync.if 2011-11-04 16:32:07.823066636 -0400
@@ -101,9 +101,13 @@ interface(`corosyncd_admin',`
type corosync_initrc_exec_t;
')
@@ -1172,8 +1145,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/corosync.if.ptrace serefpoli
domain_system_change_exemption($1)
role_transition $2 corosync_initrc_exec_t system_r;
diff -up serefpolicy-3.10.0/policy/modules/services/corosync.te.ptrace serefpolicy-3.10.0/policy/modules/services/corosync.te
---- serefpolicy-3.10.0/policy/modules/services/corosync.te.ptrace 2011-11-04 16:06:58.568888330 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/corosync.te 2011-11-04 16:06:59.116889729 -0400
+--- serefpolicy-3.10.0/policy/modules/services/corosync.te.ptrace 2011-11-04 16:32:07.297065631 -0400
++++ serefpolicy-3.10.0/policy/modules/services/corosync.te 2011-11-04 16:32:07.823066636 -0400
@@ -33,7 +33,7 @@ files_pid_file(corosync_var_run_t)
# corosync local policy
#
@@ -1184,8 +1157,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/corosync.te.ptrace serefpoli
allow corosync_t self:fifo_file rw_fifo_file_perms;
diff -up serefpolicy-3.10.0/policy/modules/services/cron.if.ptrace serefpolicy-3.10.0/policy/modules/services/cron.if
---- serefpolicy-3.10.0/policy/modules/services/cron.if.ptrace 2011-11-04 16:06:58.573888342 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/cron.if 2011-11-04 16:06:59.117889732 -0400
+--- serefpolicy-3.10.0/policy/modules/services/cron.if.ptrace 2011-11-04 16:32:07.303065642 -0400
++++ serefpolicy-3.10.0/policy/modules/services/cron.if 2011-11-04 16:32:07.825066639 -0400
@@ -140,7 +140,11 @@ interface(`cron_role',`
# crontab shows up in user ps
@@ -1224,8 +1197,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cron.if.ptrace serefpolicy-3
# Run helper programs as the user domain
#corecmd_bin_domtrans(admin_crontab_t, $2)
diff -up serefpolicy-3.10.0/policy/modules/services/cron.te.ptrace serefpolicy-3.10.0/policy/modules/services/cron.te
---- serefpolicy-3.10.0/policy/modules/services/cron.te.ptrace 2011-11-04 16:06:58.989889405 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/cron.te 2011-11-04 16:06:59.118889735 -0400
+--- serefpolicy-3.10.0/policy/modules/services/cron.te.ptrace 2011-11-04 16:32:07.727066453 -0400
++++ serefpolicy-3.10.0/policy/modules/services/cron.te 2011-11-04 16:32:07.826066642 -0400
@@ -350,7 +350,6 @@ optional_policy(`
#
@@ -1235,8 +1208,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cron.te.ptrace serefpolicy-3
allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
diff -up serefpolicy-3.10.0/policy/modules/services/ctdbd.if.ptrace serefpolicy-3.10.0/policy/modules/services/ctdbd.if
---- serefpolicy-3.10.0/policy/modules/services/ctdbd.if.ptrace 2011-11-04 16:06:58.576888350 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ctdbd.if 2011-11-04 16:06:59.119889738 -0400
+--- serefpolicy-3.10.0/policy/modules/services/ctdbd.if.ptrace 2011-11-04 16:32:07.306065646 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ctdbd.if 2011-11-04 16:32:07.827066644 -0400
@@ -236,8 +236,11 @@ interface(`ctdbd_admin',`
type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t;
')
@@ -1251,8 +1224,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ctdbd.if.ptrace serefpolicy-
ctdbd_initrc_domtrans($1)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/ctdbd.te.ptrace serefpolicy-3.10.0/policy/modules/services/ctdbd.te
---- serefpolicy-3.10.0/policy/modules/services/ctdbd.te.ptrace 2011-11-04 16:06:58.576888350 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ctdbd.te 2011-11-04 16:06:59.120889741 -0400
+--- serefpolicy-3.10.0/policy/modules/services/ctdbd.te.ptrace 2011-11-04 16:32:07.307065649 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ctdbd.te 2011-11-04 16:32:07.828066646 -0400
@@ -33,7 +33,7 @@ files_pid_file(ctdbd_var_run_t)
# ctdbd local policy
#
@@ -1263,8 +1236,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ctdbd.te.ptrace serefpolicy-
allow ctdbd_t self:fifo_file rw_fifo_file_perms;
diff -up serefpolicy-3.10.0/policy/modules/services/cups.if.ptrace serefpolicy-3.10.0/policy/modules/services/cups.if
---- serefpolicy-3.10.0/policy/modules/services/cups.if.ptrace 2011-11-04 16:06:58.578888356 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/cups.if 2011-11-04 16:06:59.121889744 -0400
+--- serefpolicy-3.10.0/policy/modules/services/cups.if.ptrace 2011-11-04 16:32:07.308065651 -0400
++++ serefpolicy-3.10.0/policy/modules/services/cups.if 2011-11-04 16:32:07.828066646 -0400
@@ -327,9 +327,13 @@ interface(`cups_admin',`
type ptal_var_run_t;
')
@@ -1281,8 +1254,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cups.if.ptrace serefpolicy-3
domain_system_change_exemption($1)
role_transition $2 cupsd_initrc_exec_t system_r;
diff -up serefpolicy-3.10.0/policy/modules/services/cvs.if.ptrace serefpolicy-3.10.0/policy/modules/services/cvs.if
---- serefpolicy-3.10.0/policy/modules/services/cvs.if.ptrace 2011-11-04 16:06:58.580888361 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/cvs.if 2011-11-04 16:06:59.122889746 -0400
+--- serefpolicy-3.10.0/policy/modules/services/cvs.if.ptrace 2011-11-04 16:32:07.310065655 -0400
++++ serefpolicy-3.10.0/policy/modules/services/cvs.if 2011-11-04 16:32:07.830066650 -0400
@@ -80,9 +80,13 @@ interface(`cvs_admin',`
type cvs_data_t, cvs_var_run_t;
')
@@ -1300,7 +1273,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cvs.if.ptrace serefpolicy-3.
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/cyrus.if.ptrace serefpolicy-3.10.0/policy/modules/services/cyrus.if
--- serefpolicy-3.10.0/policy/modules/services/cyrus.if.ptrace 2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/cyrus.if 2011-11-04 16:06:59.122889746 -0400
++++ serefpolicy-3.10.0/policy/modules/services/cyrus.if 2011-11-04 16:32:07.830066650 -0400
@@ -62,9 +62,13 @@ interface(`cyrus_admin',`
type cyrus_var_run_t, cyrus_initrc_exec_t;
')
@@ -1317,8 +1290,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cyrus.if.ptrace serefpolicy-
domain_system_change_exemption($1)
role_transition $2 cyrus_initrc_exec_t system_r;
diff -up serefpolicy-3.10.0/policy/modules/services/dbus.if.ptrace serefpolicy-3.10.0/policy/modules/services/dbus.if
---- serefpolicy-3.10.0/policy/modules/services/dbus.if.ptrace 2011-11-04 16:06:58.585888373 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/dbus.if 2011-11-04 16:06:59.124889750 -0400
+--- serefpolicy-3.10.0/policy/modules/services/dbus.if.ptrace 2011-11-04 16:32:07.316065665 -0400
++++ serefpolicy-3.10.0/policy/modules/services/dbus.if 2011-11-04 16:32:07.831066652 -0400
@@ -71,7 +71,11 @@ template(`dbus_role_template',`
domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
@@ -1333,8 +1306,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/dbus.if.ptrace serefpolicy-3
# cjp: this seems very broken
corecmd_bin_domtrans($1_dbusd_t, $1_t)
diff -up serefpolicy-3.10.0/policy/modules/services/ddclient.if.ptrace serefpolicy-3.10.0/policy/modules/services/ddclient.if
---- serefpolicy-3.10.0/policy/modules/services/ddclient.if.ptrace 2011-11-04 16:06:58.589888384 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ddclient.if 2011-11-04 16:06:59.124889750 -0400
+--- serefpolicy-3.10.0/policy/modules/services/ddclient.if.ptrace 2011-11-04 16:32:07.319065673 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ddclient.if 2011-11-04 16:32:07.832066654 -0400
@@ -68,9 +68,13 @@ interface(`ddclient_admin',`
type ddclient_var_run_t;
')
@@ -1351,8 +1324,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ddclient.if.ptrace serefpoli
domain_system_change_exemption($1)
role_transition $2 ddclient_initrc_exec_t system_r;
diff -up serefpolicy-3.10.0/policy/modules/services/denyhosts.if.ptrace serefpolicy-3.10.0/policy/modules/services/denyhosts.if
---- serefpolicy-3.10.0/policy/modules/services/denyhosts.if.ptrace 2011-11-04 16:06:58.591888388 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/denyhosts.if 2011-11-04 16:06:59.125889752 -0400
+--- serefpolicy-3.10.0/policy/modules/services/denyhosts.if.ptrace 2011-11-04 16:32:07.320065675 -0400
++++ serefpolicy-3.10.0/policy/modules/services/denyhosts.if 2011-11-04 16:32:07.833066656 -0400
@@ -67,9 +67,13 @@ interface(`denyhosts_admin',`
type denyhosts_var_log_t, denyhosts_initrc_exec_t;
')
@@ -1369,8 +1342,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/denyhosts.if.ptrace serefpol
domain_system_change_exemption($1)
role_transition $2 denyhosts_initrc_exec_t system_r;
diff -up serefpolicy-3.10.0/policy/modules/services/devicekit.if.ptrace serefpolicy-3.10.0/policy/modules/services/devicekit.if
---- serefpolicy-3.10.0/policy/modules/services/devicekit.if.ptrace 2011-11-04 16:06:58.593888393 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/devicekit.if 2011-11-04 16:06:59.126889755 -0400
+--- serefpolicy-3.10.0/policy/modules/services/devicekit.if.ptrace 2011-11-04 16:32:07.323065680 -0400
++++ serefpolicy-3.10.0/policy/modules/services/devicekit.if 2011-11-04 16:32:07.834066657 -0400
@@ -308,13 +308,18 @@ interface(`devicekit_admin',`
type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
')
@@ -1394,8 +1367,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/devicekit.if.ptrace serefpol
admin_pattern($1, devicekit_tmp_t)
diff -up serefpolicy-3.10.0/policy/modules/services/devicekit.te.ptrace serefpolicy-3.10.0/policy/modules/services/devicekit.te
---- serefpolicy-3.10.0/policy/modules/services/devicekit.te.ptrace 2011-11-04 16:06:58.594888396 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/devicekit.te 2011-11-04 16:06:59.127889758 -0400
+--- serefpolicy-3.10.0/policy/modules/services/devicekit.te.ptrace 2011-11-04 16:32:07.324065682 -0400
++++ serefpolicy-3.10.0/policy/modules/services/devicekit.te 2011-11-04 16:32:07.835066658 -0400
@@ -65,7 +65,8 @@ optional_policy(`
# DeviceKit disk local policy
#
@@ -1416,8 +1389,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/devicekit.te.ptrace serefpol
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
diff -up serefpolicy-3.10.0/policy/modules/services/dhcp.if.ptrace serefpolicy-3.10.0/policy/modules/services/dhcp.if
---- serefpolicy-3.10.0/policy/modules/services/dhcp.if.ptrace 2011-11-04 16:06:58.595888399 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/dhcp.if 2011-11-04 16:06:59.128889761 -0400
+--- serefpolicy-3.10.0/policy/modules/services/dhcp.if.ptrace 2011-11-04 16:32:07.325065684 -0400
++++ serefpolicy-3.10.0/policy/modules/services/dhcp.if 2011-11-04 16:32:07.836066660 -0400
@@ -105,8 +105,11 @@ interface(`dhcpd_admin',`
type dhcpd_var_run_t, dhcpd_initrc_exec_t;
')
@@ -1433,7 +1406,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/dhcp.if.ptrace serefpolicy-3
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/dictd.if.ptrace serefpolicy-3.10.0/policy/modules/services/dictd.if
--- serefpolicy-3.10.0/policy/modules/services/dictd.if.ptrace 2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/dictd.if 2011-11-04 16:06:59.129889764 -0400
++++ serefpolicy-3.10.0/policy/modules/services/dictd.if 2011-11-04 16:32:07.837066663 -0400
@@ -38,8 +38,11 @@ interface(`dictd_admin',`
type dictd_var_run_t, dictd_initrc_exec_t;
')
@@ -1448,8 +1421,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/dictd.if.ptrace serefpolicy-
init_labeled_script_domtrans($1, dictd_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/dnsmasq.if.ptrace serefpolicy-3.10.0/policy/modules/services/dnsmasq.if
---- serefpolicy-3.10.0/policy/modules/services/dnsmasq.if.ptrace 2011-11-04 16:06:58.603888419 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/dnsmasq.if 2011-11-04 16:06:59.130889767 -0400
+--- serefpolicy-3.10.0/policy/modules/services/dnsmasq.if.ptrace 2011-11-04 16:32:07.333065699 -0400
++++ serefpolicy-3.10.0/policy/modules/services/dnsmasq.if 2011-11-04 16:32:07.838066666 -0400
@@ -298,8 +298,11 @@ interface(`dnsmasq_admin',`
type dnsmasq_initrc_exec_t;
')
@@ -1464,8 +1437,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/dnsmasq.if.ptrace serefpolic
init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/dovecot.if.ptrace serefpolicy-3.10.0/policy/modules/services/dovecot.if
---- serefpolicy-3.10.0/policy/modules/services/dovecot.if.ptrace 2011-11-04 16:06:58.606888428 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/dovecot.if 2011-11-04 16:06:59.131889769 -0400
+--- serefpolicy-3.10.0/policy/modules/services/dovecot.if.ptrace 2011-11-04 16:32:07.335065703 -0400
++++ serefpolicy-3.10.0/policy/modules/services/dovecot.if 2011-11-04 16:32:07.839066668 -0400
@@ -119,8 +119,11 @@ interface(`dovecot_admin',`
type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t;
')
@@ -1480,8 +1453,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/dovecot.if.ptrace serefpolic
init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/drbd.if.ptrace serefpolicy-3.10.0/policy/modules/services/drbd.if
---- serefpolicy-3.10.0/policy/modules/services/drbd.if.ptrace 2011-11-04 16:06:58.608888432 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/drbd.if 2011-11-04 16:06:59.132889771 -0400
+--- serefpolicy-3.10.0/policy/modules/services/drbd.if.ptrace 2011-11-04 16:32:07.338065708 -0400
++++ serefpolicy-3.10.0/policy/modules/services/drbd.if 2011-11-04 16:32:07.840066669 -0400
@@ -120,8 +120,11 @@ interface(`drbd_admin',`
type drbd_var_lib_t;
')
@@ -1496,8 +1469,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/drbd.if.ptrace serefpolicy-3
files_search_var_lib($1)
admin_pattern($1, drbd_var_lib_t)
diff -up serefpolicy-3.10.0/policy/modules/services/dspam.if.ptrace serefpolicy-3.10.0/policy/modules/services/dspam.if
---- serefpolicy-3.10.0/policy/modules/services/dspam.if.ptrace 2011-11-04 16:06:58.610888436 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/dspam.if 2011-11-04 16:06:59.133889773 -0400
+--- serefpolicy-3.10.0/policy/modules/services/dspam.if.ptrace 2011-11-04 16:32:07.340065711 -0400
++++ serefpolicy-3.10.0/policy/modules/services/dspam.if 2011-11-04 16:32:07.841066671 -0400
@@ -244,8 +244,11 @@ interface(`dspam_admin',`
type dspam_var_run_t;
')
@@ -1512,8 +1485,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/dspam.if.ptrace serefpolicy-
dspam_initrc_domtrans($1)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/exim.if.ptrace serefpolicy-3.10.0/policy/modules/services/exim.if
---- serefpolicy-3.10.0/policy/modules/services/exim.if.ptrace 2011-11-04 16:06:58.611888439 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/exim.if 2011-11-04 16:06:59.134889775 -0400
+--- serefpolicy-3.10.0/policy/modules/services/exim.if.ptrace 2011-11-04 16:32:07.342065717 -0400
++++ serefpolicy-3.10.0/policy/modules/services/exim.if 2011-11-04 16:32:07.842066673 -0400
@@ -260,8 +260,11 @@ interface(`exim_admin',`
type exim_tmp_t, exim_spool_t, exim_var_run_t;
')
@@ -1528,8 +1501,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/exim.if.ptrace serefpolicy-3
exim_initrc_domtrans($1)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/fail2ban.if.ptrace serefpolicy-3.10.0/policy/modules/services/fail2ban.if
---- serefpolicy-3.10.0/policy/modules/services/fail2ban.if.ptrace 2011-11-04 16:06:58.614888448 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/fail2ban.if 2011-11-04 16:06:59.134889775 -0400
+--- serefpolicy-3.10.0/policy/modules/services/fail2ban.if.ptrace 2011-11-04 16:32:07.344065720 -0400
++++ serefpolicy-3.10.0/policy/modules/services/fail2ban.if 2011-11-04 16:32:07.843066675 -0400
@@ -199,8 +199,11 @@ interface(`fail2ban_admin',`
type fail2ban_client_t;
')
@@ -1544,8 +1517,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/fail2ban.if.ptrace serefpoli
init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/fcoemon.if.ptrace serefpolicy-3.10.0/policy/modules/services/fcoemon.if
---- serefpolicy-3.10.0/policy/modules/services/fcoemon.if.ptrace 2011-11-04 16:06:58.616888453 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/fcoemon.if 2011-11-04 16:06:59.135889778 -0400
+--- serefpolicy-3.10.0/policy/modules/services/fcoemon.if.ptrace 2011-11-04 16:32:07.346065724 -0400
++++ serefpolicy-3.10.0/policy/modules/services/fcoemon.if 2011-11-04 16:32:07.843066675 -0400
@@ -81,8 +81,11 @@ interface(`fcoemon_admin',`
type fcoemon_var_run_t;
')
@@ -1560,8 +1533,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/fcoemon.if.ptrace serefpolic
files_search_pids($1)
admin_pattern($1, fcoemon_var_run_t)
diff -up serefpolicy-3.10.0/policy/modules/services/fetchmail.if.ptrace serefpolicy-3.10.0/policy/modules/services/fetchmail.if
---- serefpolicy-3.10.0/policy/modules/services/fetchmail.if.ptrace 2011-11-04 16:06:58.618888457 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/fetchmail.if 2011-11-04 16:06:59.136889781 -0400
+--- serefpolicy-3.10.0/policy/modules/services/fetchmail.if.ptrace 2011-11-04 16:32:07.349065730 -0400
++++ serefpolicy-3.10.0/policy/modules/services/fetchmail.if 2011-11-04 16:32:07.844066677 -0400
@@ -18,8 +18,11 @@ interface(`fetchmail_admin',`
type fetchmail_var_run_t;
')
@@ -1576,8 +1549,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/fetchmail.if.ptrace serefpol
files_list_etc($1)
admin_pattern($1, fetchmail_etc_t)
diff -up serefpolicy-3.10.0/policy/modules/services/firewalld.if.ptrace serefpolicy-3.10.0/policy/modules/services/firewalld.if
---- serefpolicy-3.10.0/policy/modules/services/firewalld.if.ptrace 2011-11-04 16:06:58.620888462 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/firewalld.if 2011-11-04 16:06:59.137889784 -0400
+--- serefpolicy-3.10.0/policy/modules/services/firewalld.if.ptrace 2011-11-04 16:32:07.352065734 -0400
++++ serefpolicy-3.10.0/policy/modules/services/firewalld.if 2011-11-04 16:32:07.845066679 -0400
@@ -62,8 +62,11 @@ interface(`firewalld_admin',`
type firewalld_initrc_exec_t;
')
@@ -1592,8 +1565,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/firewalld.if.ptrace serefpol
firewalld_initrc_domtrans($1)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/fprintd.te.ptrace serefpolicy-3.10.0/policy/modules/services/fprintd.te
---- serefpolicy-3.10.0/policy/modules/services/fprintd.te.ptrace 2011-11-04 16:06:58.622888468 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/fprintd.te 2011-11-04 16:06:59.138889787 -0400
+--- serefpolicy-3.10.0/policy/modules/services/fprintd.te.ptrace 2011-11-04 16:32:07.354065739 -0400
++++ serefpolicy-3.10.0/policy/modules/services/fprintd.te 2011-11-04 16:32:07.846066680 -0400
@@ -17,7 +17,8 @@ files_type(fprintd_var_lib_t)
# Local policy
#
@@ -1605,8 +1578,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/fprintd.te.ptrace serefpolic
allow fprintd_t self:process { getsched setsched signal };
diff -up serefpolicy-3.10.0/policy/modules/services/ftp.if.ptrace serefpolicy-3.10.0/policy/modules/services/ftp.if
---- serefpolicy-3.10.0/policy/modules/services/ftp.if.ptrace 2011-11-04 16:06:58.624888474 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ftp.if 2011-11-04 16:06:59.139889790 -0400
+--- serefpolicy-3.10.0/policy/modules/services/ftp.if.ptrace 2011-11-04 16:32:07.355065741 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ftp.if 2011-11-04 16:32:07.847066681 -0400
@@ -237,8 +237,11 @@ interface(`ftp_admin',`
type ftpd_initrc_exec_t;
')
@@ -1621,8 +1594,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ftp.if.ptrace serefpolicy-3.
init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/git.if.ptrace serefpolicy-3.10.0/policy/modules/services/git.if
---- serefpolicy-3.10.0/policy/modules/services/git.if.ptrace 2011-11-04 16:06:58.627888480 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/git.if 2011-11-04 16:06:59.140889792 -0400
+--- serefpolicy-3.10.0/policy/modules/services/git.if.ptrace 2011-11-04 16:32:07.359065749 -0400
++++ serefpolicy-3.10.0/policy/modules/services/git.if 2011-11-04 16:32:07.848066683 -0400
@@ -42,8 +42,11 @@ interface(`git_session_role',`
domtrans_pattern($2, gitd_exec_t, git_session_t)
@@ -1637,8 +1610,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/git.if.ptrace serefpolicy-3.
########################################
diff -up serefpolicy-3.10.0/policy/modules/services/glance.if.ptrace serefpolicy-3.10.0/policy/modules/services/glance.if
---- serefpolicy-3.10.0/policy/modules/services/glance.if.ptrace 2011-11-04 16:06:58.630888488 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/glance.if 2011-11-04 16:06:59.141889794 -0400
+--- serefpolicy-3.10.0/policy/modules/services/glance.if.ptrace 2011-11-04 16:32:07.361065752 -0400
++++ serefpolicy-3.10.0/policy/modules/services/glance.if 2011-11-04 16:32:07.849066686 -0400
@@ -245,10 +245,14 @@ interface(`glance_admin',`
type glance_api_initrc_exec_t;
')
@@ -1657,8 +1630,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/glance.if.ptrace serefpolicy
init_labeled_script_domtrans($1, glance_registry_initrc_exec_t)
diff -up serefpolicy-3.10.0/policy/modules/services/gnomeclock.te.ptrace serefpolicy-3.10.0/policy/modules/services/gnomeclock.te
---- serefpolicy-3.10.0/policy/modules/services/gnomeclock.te.ptrace 2011-11-04 16:06:58.632888494 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/gnomeclock.te 2011-11-04 16:06:59.141889794 -0400
+--- serefpolicy-3.10.0/policy/modules/services/gnomeclock.te.ptrace 2011-11-04 16:32:07.364065758 -0400
++++ serefpolicy-3.10.0/policy/modules/services/gnomeclock.te 2011-11-04 16:32:07.850066688 -0400
@@ -14,7 +14,7 @@ dbus_system_domain(gnomeclock_t, gnomecl
# gnomeclock local policy
#
@@ -1669,8 +1642,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/gnomeclock.te.ptrace serefpo
allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
diff -up serefpolicy-3.10.0/policy/modules/services/gpsd.te.ptrace serefpolicy-3.10.0/policy/modules/services/gpsd.te
---- serefpolicy-3.10.0/policy/modules/services/gpsd.te.ptrace 2011-11-04 16:06:58.634888499 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/gpsd.te 2011-11-04 16:06:59.142889796 -0400
+--- serefpolicy-3.10.0/policy/modules/services/gpsd.te.ptrace 2011-11-04 16:32:07.366065763 -0400
++++ serefpolicy-3.10.0/policy/modules/services/gpsd.te 2011-11-04 16:32:07.851066690 -0400
@@ -25,7 +25,7 @@ files_pid_file(gpsd_var_run_t)
#
@@ -1681,8 +1654,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/gpsd.te.ptrace serefpolicy-3
allow gpsd_t self:shm create_shm_perms;
allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
diff -up serefpolicy-3.10.0/policy/modules/services/hadoop.if.ptrace serefpolicy-3.10.0/policy/modules/services/hadoop.if
---- serefpolicy-3.10.0/policy/modules/services/hadoop.if.ptrace 2011-11-04 16:06:58.990889407 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/hadoop.if 2011-11-04 16:06:59.143889798 -0400
+--- serefpolicy-3.10.0/policy/modules/services/hadoop.if.ptrace 2011-11-04 16:32:07.728066455 -0400
++++ serefpolicy-3.10.0/policy/modules/services/hadoop.if 2011-11-04 16:32:07.852066692 -0400
@@ -222,14 +222,21 @@ interface(`hadoop_role',`
hadoop_domtrans($2)
role $1 types hadoop_t;
@@ -1708,8 +1681,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/hadoop.if.ptrace serefpolicy
########################################
diff -up serefpolicy-3.10.0/policy/modules/services/hal.if.ptrace serefpolicy-3.10.0/policy/modules/services/hal.if
---- serefpolicy-3.10.0/policy/modules/services/hal.if.ptrace 2011-11-04 16:06:58.638888508 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/hal.if 2011-11-04 16:06:59.144889801 -0400
+--- serefpolicy-3.10.0/policy/modules/services/hal.if.ptrace 2011-11-04 16:32:07.370065770 -0400
++++ serefpolicy-3.10.0/policy/modules/services/hal.if 2011-11-04 16:32:07.853066694 -0400
@@ -70,7 +70,9 @@ interface(`hal_ptrace',`
type hald_t;
')
@@ -1722,8 +1695,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/hal.if.ptrace serefpolicy-3.
########################################
diff -up serefpolicy-3.10.0/policy/modules/services/hal.te.ptrace serefpolicy-3.10.0/policy/modules/services/hal.te
---- serefpolicy-3.10.0/policy/modules/services/hal.te.ptrace 2011-11-04 16:06:58.639888511 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/hal.te 2011-11-04 16:06:59.145889804 -0400
+--- serefpolicy-3.10.0/policy/modules/services/hal.te.ptrace 2011-11-04 16:32:07.371065772 -0400
++++ serefpolicy-3.10.0/policy/modules/services/hal.te 2011-11-04 16:32:07.854066696 -0400
@@ -64,7 +64,7 @@ typealias hald_var_run_t alias pmtools_v
# execute openvt which needs setuid
@@ -1734,8 +1707,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/hal.te.ptrace serefpolicy-3.
allow hald_t self:fifo_file rw_fifo_file_perms;
allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
diff -up serefpolicy-3.10.0/policy/modules/services/hddtemp.if.ptrace serefpolicy-3.10.0/policy/modules/services/hddtemp.if
---- serefpolicy-3.10.0/policy/modules/services/hddtemp.if.ptrace 2011-11-04 16:06:58.640888514 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/hddtemp.if 2011-11-04 16:06:59.146889807 -0400
+--- serefpolicy-3.10.0/policy/modules/services/hddtemp.if.ptrace 2011-11-04 16:32:07.371065772 -0400
++++ serefpolicy-3.10.0/policy/modules/services/hddtemp.if 2011-11-04 16:32:07.855066698 -0400
@@ -60,8 +60,11 @@ interface(`hddtemp_admin',`
type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t;
')
@@ -1750,8 +1723,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/hddtemp.if.ptrace serefpolic
init_labeled_script_domtrans($1, hddtemp_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/icecast.if.ptrace serefpolicy-3.10.0/policy/modules/services/icecast.if
---- serefpolicy-3.10.0/policy/modules/services/icecast.if.ptrace 2011-11-04 16:06:58.641888517 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/icecast.if 2011-11-04 16:06:59.147889810 -0400
+--- serefpolicy-3.10.0/policy/modules/services/icecast.if.ptrace 2011-11-04 16:32:07.373065775 -0400
++++ serefpolicy-3.10.0/policy/modules/services/icecast.if 2011-11-04 16:32:07.856066700 -0400
@@ -173,8 +173,11 @@ interface(`icecast_admin',`
type icecast_t, icecast_initrc_exec_t;
')
@@ -1766,8 +1739,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/icecast.if.ptrace serefpolic
# Allow icecast_t to restart the apache service
icecast_initrc_domtrans($1)
diff -up serefpolicy-3.10.0/policy/modules/services/ifplugd.if.ptrace serefpolicy-3.10.0/policy/modules/services/ifplugd.if
---- serefpolicy-3.10.0/policy/modules/services/ifplugd.if.ptrace 2011-11-04 16:06:58.643888522 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ifplugd.if 2011-11-04 16:06:59.148889813 -0400
+--- serefpolicy-3.10.0/policy/modules/services/ifplugd.if.ptrace 2011-11-04 16:32:07.374065776 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ifplugd.if 2011-11-04 16:32:07.856066700 -0400
@@ -117,7 +117,7 @@ interface(`ifplugd_admin',`
type ifplugd_initrc_exec_t;
')
@@ -1778,8 +1751,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ifplugd.if.ptrace serefpolic
init_labeled_script_domtrans($1, ifplugd_initrc_exec_t)
diff -up serefpolicy-3.10.0/policy/modules/services/ifplugd.te.ptrace serefpolicy-3.10.0/policy/modules/services/ifplugd.te
---- serefpolicy-3.10.0/policy/modules/services/ifplugd.te.ptrace 2011-11-04 16:06:58.644888524 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ifplugd.te 2011-11-04 16:06:59.148889813 -0400
+--- serefpolicy-3.10.0/policy/modules/services/ifplugd.te.ptrace 2011-11-04 16:32:07.375065778 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ifplugd.te 2011-11-04 16:32:07.857066701 -0400
@@ -26,7 +26,7 @@ files_pid_file(ifplugd_var_run_t)
#
@@ -1790,8 +1763,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ifplugd.te.ptrace serefpolic
allow ifplugd_t self:fifo_file rw_fifo_file_perms;
allow ifplugd_t self:tcp_socket create_stream_socket_perms;
diff -up serefpolicy-3.10.0/policy/modules/services/inn.if.ptrace serefpolicy-3.10.0/policy/modules/services/inn.if
---- serefpolicy-3.10.0/policy/modules/services/inn.if.ptrace 2011-11-04 16:06:58.647888531 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/inn.if 2011-11-04 16:06:59.149889815 -0400
+--- serefpolicy-3.10.0/policy/modules/services/inn.if.ptrace 2011-11-04 16:32:07.378065785 -0400
++++ serefpolicy-3.10.0/policy/modules/services/inn.if 2011-11-04 16:32:07.859066704 -0400
@@ -202,8 +202,11 @@ interface(`inn_admin',`
type innd_initrc_exec_t;
')
@@ -1806,8 +1779,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/inn.if.ptrace serefpolicy-3.
init_labeled_script_domtrans($1, innd_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/jabber.if.ptrace serefpolicy-3.10.0/policy/modules/services/jabber.if
---- serefpolicy-3.10.0/policy/modules/services/jabber.if.ptrace 2011-11-04 16:06:58.650888540 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/jabber.if 2011-11-04 16:06:59.150889817 -0400
+--- serefpolicy-3.10.0/policy/modules/services/jabber.if.ptrace 2011-11-04 16:32:07.381065791 -0400
++++ serefpolicy-3.10.0/policy/modules/services/jabber.if 2011-11-04 16:32:07.860066707 -0400
@@ -143,10 +143,14 @@ interface(`jabber_admin',`
type jabberd_initrc_exec_t, jabberd_router_t;
')
@@ -1826,8 +1799,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/jabber.if.ptrace serefpolicy
init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
diff -up serefpolicy-3.10.0/policy/modules/services/kerberos.if.ptrace serefpolicy-3.10.0/policy/modules/services/kerberos.if
---- serefpolicy-3.10.0/policy/modules/services/kerberos.if.ptrace 2011-11-04 16:06:58.653888547 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/kerberos.if 2011-11-04 16:06:59.151889819 -0400
+--- serefpolicy-3.10.0/policy/modules/services/kerberos.if.ptrace 2011-11-04 16:32:07.383065795 -0400
++++ serefpolicy-3.10.0/policy/modules/services/kerberos.if 2011-11-04 16:32:07.861066710 -0400
@@ -340,13 +340,18 @@ interface(`kerberos_admin',`
type krb5kdc_var_run_t, krb5_host_rcache_t;
')
@@ -1851,8 +1824,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/kerberos.if.ptrace serefpoli
init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
diff -up serefpolicy-3.10.0/policy/modules/services/kerneloops.if.ptrace serefpolicy-3.10.0/policy/modules/services/kerneloops.if
---- serefpolicy-3.10.0/policy/modules/services/kerneloops.if.ptrace 2011-11-04 16:06:58.654888549 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/kerneloops.if 2011-11-04 16:06:59.152889821 -0400
+--- serefpolicy-3.10.0/policy/modules/services/kerneloops.if.ptrace 2011-11-04 16:32:07.385065797 -0400
++++ serefpolicy-3.10.0/policy/modules/services/kerneloops.if 2011-11-04 16:32:07.862066712 -0400
@@ -101,8 +101,11 @@ interface(`kerneloops_admin',`
type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t;
')
@@ -1867,8 +1840,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/kerneloops.if.ptrace serefpo
init_labeled_script_domtrans($1, kerneloops_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/ksmtuned.if.ptrace serefpolicy-3.10.0/policy/modules/services/ksmtuned.if
---- serefpolicy-3.10.0/policy/modules/services/ksmtuned.if.ptrace 2011-11-04 16:06:58.657888557 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ksmtuned.if 2011-11-04 16:06:59.153889824 -0400
+--- serefpolicy-3.10.0/policy/modules/services/ksmtuned.if.ptrace 2011-11-04 16:32:07.388065805 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ksmtuned.if 2011-11-04 16:32:07.863066713 -0400
@@ -58,8 +58,11 @@ interface(`ksmtuned_admin',`
type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t;
')
@@ -1883,8 +1856,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ksmtuned.if.ptrace serefpoli
files_list_pids($1)
admin_pattern($1, ksmtuned_var_run_t)
diff -up serefpolicy-3.10.0/policy/modules/services/ksmtuned.te.ptrace serefpolicy-3.10.0/policy/modules/services/ksmtuned.te
---- serefpolicy-3.10.0/policy/modules/services/ksmtuned.te.ptrace 2011-11-04 16:06:58.658888560 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ksmtuned.te 2011-11-04 16:06:59.153889824 -0400
+--- serefpolicy-3.10.0/policy/modules/services/ksmtuned.te.ptrace 2011-11-04 16:32:07.389065807 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ksmtuned.te 2011-11-04 16:32:07.863066713 -0400
@@ -23,7 +23,7 @@ files_pid_file(ksmtuned_var_run_t)
# ksmtuned local policy
#
@@ -1895,8 +1868,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ksmtuned.te.ptrace serefpoli
manage_dirs_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t)
diff -up serefpolicy-3.10.0/policy/modules/services/l2tpd.if.ptrace serefpolicy-3.10.0/policy/modules/services/l2tpd.if
---- serefpolicy-3.10.0/policy/modules/services/l2tpd.if.ptrace 2011-11-04 16:06:58.659888563 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/l2tpd.if 2011-11-04 16:06:59.154889827 -0400
+--- serefpolicy-3.10.0/policy/modules/services/l2tpd.if.ptrace 2011-11-04 16:32:07.391065810 -0400
++++ serefpolicy-3.10.0/policy/modules/services/l2tpd.if 2011-11-04 16:32:07.864066715 -0400
@@ -101,8 +101,11 @@ interface(`l2tpd_admin',`
type l2tpd_var_run_t;
')
@@ -1911,8 +1884,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/l2tpd.if.ptrace serefpolicy-
l2tpd_initrc_domtrans($1)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/ldap.if.ptrace serefpolicy-3.10.0/policy/modules/services/ldap.if
---- serefpolicy-3.10.0/policy/modules/services/ldap.if.ptrace 2011-11-04 16:06:58.662888570 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ldap.if 2011-11-04 16:06:59.155889830 -0400
+--- serefpolicy-3.10.0/policy/modules/services/ldap.if.ptrace 2011-11-04 16:32:07.393065814 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ldap.if 2011-11-04 16:32:07.865066717 -0400
@@ -174,8 +174,11 @@ interface(`ldap_admin',`
type slapd_initrc_exec_t;
')
@@ -1928,7 +1901,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ldap.if.ptrace serefpolicy-3
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/lircd.if.ptrace serefpolicy-3.10.0/policy/modules/services/lircd.if
--- serefpolicy-3.10.0/policy/modules/services/lircd.if.ptrace 2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/lircd.if 2011-11-04 16:06:59.156889833 -0400
++++ serefpolicy-3.10.0/policy/modules/services/lircd.if 2011-11-04 16:32:07.866066719 -0400
@@ -80,8 +80,11 @@ interface(`lircd_admin',`
type lircd_initrc_exec_t, lircd_etc_t;
')
@@ -1943,8 +1916,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/lircd.if.ptrace serefpolicy-
init_labeled_script_domtrans($1, lircd_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/lldpad.if.ptrace serefpolicy-3.10.0/policy/modules/services/lldpad.if
---- serefpolicy-3.10.0/policy/modules/services/lldpad.if.ptrace 2011-11-04 16:06:58.666888580 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/lldpad.if 2011-11-04 16:06:59.157889836 -0400
+--- serefpolicy-3.10.0/policy/modules/services/lldpad.if.ptrace 2011-11-04 16:32:07.398065822 -0400
++++ serefpolicy-3.10.0/policy/modules/services/lldpad.if 2011-11-04 16:32:07.867066721 -0400
@@ -180,8 +180,11 @@ interface(`lldpad_admin',`
type lldpad_var_run_t;
')
@@ -1959,8 +1932,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/lldpad.if.ptrace serefpolicy
lldpad_initrc_domtrans($1)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/lpd.if.ptrace serefpolicy-3.10.0/policy/modules/services/lpd.if
---- serefpolicy-3.10.0/policy/modules/services/lpd.if.ptrace 2011-11-04 16:06:58.668888586 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/lpd.if 2011-11-04 16:06:59.158889838 -0400
+--- serefpolicy-3.10.0/policy/modules/services/lpd.if.ptrace 2011-11-04 16:32:07.399065825 -0400
++++ serefpolicy-3.10.0/policy/modules/services/lpd.if 2011-11-04 16:32:07.868066723 -0400
@@ -28,7 +28,10 @@ interface(`lpd_role',`
dontaudit lpr_t $2:unix_stream_socket { read write };
@@ -1974,8 +1947,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/lpd.if.ptrace serefpolicy-3.
optional_policy(`
cups_read_config($2)
diff -up serefpolicy-3.10.0/policy/modules/services/mailscanner.if.ptrace serefpolicy-3.10.0/policy/modules/services/mailscanner.if
---- serefpolicy-3.10.0/policy/modules/services/mailscanner.if.ptrace 2011-11-04 16:06:58.672888595 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/mailscanner.if 2011-11-04 16:06:59.159889840 -0400
+--- serefpolicy-3.10.0/policy/modules/services/mailscanner.if.ptrace 2011-11-04 16:32:07.404065835 -0400
++++ serefpolicy-3.10.0/policy/modules/services/mailscanner.if 2011-11-04 16:32:07.869066724 -0400
@@ -47,8 +47,11 @@ interface(`mailscanner_admin',`
role_transition $2 mscan_initrc_exec_t system_r;
allow $2 system_r;
@@ -1990,8 +1963,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/mailscanner.if.ptrace serefp
admin_pattern($1, mscan_etc_t)
files_list_etc($1)
diff -up serefpolicy-3.10.0/policy/modules/services/matahari.te.ptrace serefpolicy-3.10.0/policy/modules/services/matahari.te
---- serefpolicy-3.10.0/policy/modules/services/matahari.te.ptrace 2011-11-04 16:06:58.675888603 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/matahari.te 2011-11-04 16:06:59.159889840 -0400
+--- serefpolicy-3.10.0/policy/modules/services/matahari.te.ptrace 2011-11-04 16:32:07.406065839 -0400
++++ serefpolicy-3.10.0/policy/modules/services/matahari.te 2011-11-04 16:32:07.870066725 -0400
@@ -25,9 +25,6 @@ files_pid_file(matahari_var_run_t)
#
# matahari_hostd local policy
@@ -2003,8 +1976,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/matahari.te.ptrace serefpoli
dev_read_sysfs(matahari_hostd_t)
diff -up serefpolicy-3.10.0/policy/modules/services/memcached.if.ptrace serefpolicy-3.10.0/policy/modules/services/memcached.if
---- serefpolicy-3.10.0/policy/modules/services/memcached.if.ptrace 2011-11-04 16:06:58.676888606 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/memcached.if 2011-11-04 16:06:59.160889842 -0400
+--- serefpolicy-3.10.0/policy/modules/services/memcached.if.ptrace 2011-11-04 16:32:07.407065841 -0400
++++ serefpolicy-3.10.0/policy/modules/services/memcached.if 2011-11-04 16:32:07.871066727 -0400
@@ -59,8 +59,11 @@ interface(`memcached_admin',`
type memcached_t, memcached_initrc_exec_t, memcached_var_run_t;
')
@@ -2019,8 +1992,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/memcached.if.ptrace serefpol
init_labeled_script_domtrans($1, memcached_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/mock.if.ptrace serefpolicy-3.10.0/policy/modules/services/mock.if
---- serefpolicy-3.10.0/policy/modules/services/mock.if.ptrace 2011-11-04 16:06:58.680888616 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/mock.if 2011-11-04 16:06:59.161889844 -0400
+--- serefpolicy-3.10.0/policy/modules/services/mock.if.ptrace 2011-11-04 16:32:07.412065851 -0400
++++ serefpolicy-3.10.0/policy/modules/services/mock.if 2011-11-04 16:32:07.872066730 -0400
@@ -245,7 +245,10 @@ interface(`mock_role',`
mock_run($2, $1)
@@ -2051,8 +2024,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/mock.if.ptrace serefpolicy-3
files_list_var_lib($1)
diff -up serefpolicy-3.10.0/policy/modules/services/mock.te.ptrace serefpolicy-3.10.0/policy/modules/services/mock.te
---- serefpolicy-3.10.0/policy/modules/services/mock.te.ptrace 2011-11-04 16:06:58.681888618 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/mock.te 2011-11-04 16:06:59.162889847 -0400
+--- serefpolicy-3.10.0/policy/modules/services/mock.te.ptrace 2011-11-04 16:32:07.412065851 -0400
++++ serefpolicy-3.10.0/policy/modules/services/mock.te 2011-11-04 16:32:07.873066732 -0400
@@ -41,7 +41,7 @@ files_config_file(mock_etc_t)
# mock local policy
#
@@ -2072,8 +2045,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/mock.te.ptrace serefpolicy-3
allow mock_build_t self:process { fork setsched setpgid signal_perms };
allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
diff -up serefpolicy-3.10.0/policy/modules/services/mojomojo.if.ptrace serefpolicy-3.10.0/policy/modules/services/mojomojo.if
---- serefpolicy-3.10.0/policy/modules/services/mojomojo.if.ptrace 2011-11-04 16:06:58.683888623 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/mojomojo.if 2011-11-04 16:06:59.163889850 -0400
+--- serefpolicy-3.10.0/policy/modules/services/mojomojo.if.ptrace 2011-11-04 16:32:07.414065855 -0400
++++ serefpolicy-3.10.0/policy/modules/services/mojomojo.if 2011-11-04 16:32:07.873066732 -0400
@@ -24,8 +24,11 @@ interface(`mojomojo_admin',`
type httpd_mojomojo_script_exec_t;
')
@@ -2089,7 +2062,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/mojomojo.if.ptrace serefpoli
admin_pattern($1, httpd_mojomojo_tmp_t)
diff -up serefpolicy-3.10.0/policy/modules/services/mpd.if.ptrace serefpolicy-3.10.0/policy/modules/services/mpd.if
--- serefpolicy-3.10.0/policy/modules/services/mpd.if.ptrace 2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/mpd.if 2011-11-04 16:06:59.164889853 -0400
++++ serefpolicy-3.10.0/policy/modules/services/mpd.if 2011-11-04 16:32:07.874066734 -0400
@@ -244,8 +244,11 @@ interface(`mpd_admin',`
type mpd_tmpfs_t;
')
@@ -2104,8 +2077,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/mpd.if.ptrace serefpolicy-3.
mpd_initrc_domtrans($1)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/munin.if.ptrace serefpolicy-3.10.0/policy/modules/services/munin.if
---- serefpolicy-3.10.0/policy/modules/services/munin.if.ptrace 2011-11-04 16:06:58.689888639 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/munin.if 2011-11-04 16:06:59.165889856 -0400
+--- serefpolicy-3.10.0/policy/modules/services/munin.if.ptrace 2011-11-04 16:32:07.421065866 -0400
++++ serefpolicy-3.10.0/policy/modules/services/munin.if 2011-11-04 16:32:07.875066736 -0400
@@ -183,8 +183,11 @@ interface(`munin_admin',`
type httpd_munin_content_t, munin_initrc_exec_t;
')
@@ -2120,8 +2093,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/munin.if.ptrace serefpolicy-
init_labeled_script_domtrans($1, munin_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/mysql.if.ptrace serefpolicy-3.10.0/policy/modules/services/mysql.if
---- serefpolicy-3.10.0/policy/modules/services/mysql.if.ptrace 2011-11-04 16:06:58.691888643 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/mysql.if 2011-11-04 16:06:59.166889859 -0400
+--- serefpolicy-3.10.0/policy/modules/services/mysql.if.ptrace 2011-11-04 16:32:07.423065872 -0400
++++ serefpolicy-3.10.0/policy/modules/services/mysql.if 2011-11-04 16:32:07.876066738 -0400
@@ -389,8 +389,11 @@ interface(`mysql_admin',`
type mysqld_etc_t;
')
@@ -2136,8 +2109,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/mysql.if.ptrace serefpolicy-
init_labeled_script_domtrans($1, mysqld_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/mysql.te.ptrace serefpolicy-3.10.0/policy/modules/services/mysql.te
---- serefpolicy-3.10.0/policy/modules/services/mysql.te.ptrace 2011-11-04 16:06:58.692888646 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/mysql.te 2011-11-04 16:06:59.167889861 -0400
+--- serefpolicy-3.10.0/policy/modules/services/mysql.te.ptrace 2011-11-04 16:32:07.423065872 -0400
++++ serefpolicy-3.10.0/policy/modules/services/mysql.te 2011-11-04 16:32:07.877066740 -0400
@@ -158,7 +158,6 @@ optional_policy(`
#
@@ -2147,8 +2120,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/mysql.te.ptrace serefpolicy-
allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
diff -up serefpolicy-3.10.0/policy/modules/services/nagios.if.ptrace serefpolicy-3.10.0/policy/modules/services/nagios.if
---- serefpolicy-3.10.0/policy/modules/services/nagios.if.ptrace 2011-11-04 16:06:58.694888652 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/nagios.if 2011-11-04 16:06:59.167889861 -0400
+--- serefpolicy-3.10.0/policy/modules/services/nagios.if.ptrace 2011-11-04 16:32:07.425065875 -0400
++++ serefpolicy-3.10.0/policy/modules/services/nagios.if 2011-11-04 16:32:07.878066742 -0400
@@ -225,8 +225,11 @@ interface(`nagios_admin',`
type nagios_etc_t, nrpe_etc_t, nagios_spool_t;
')
@@ -2163,8 +2136,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/nagios.if.ptrace serefpolicy
init_labeled_script_domtrans($1, nagios_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/networkmanager.te.ptrace serefpolicy-3.10.0/policy/modules/services/networkmanager.te
---- serefpolicy-3.10.0/policy/modules/services/networkmanager.te.ptrace 2011-11-04 16:06:58.698888662 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/networkmanager.te 2011-11-04 16:06:59.168889863 -0400
+--- serefpolicy-3.10.0/policy/modules/services/networkmanager.te.ptrace 2011-11-04 16:32:07.430065884 -0400
++++ serefpolicy-3.10.0/policy/modules/services/networkmanager.te 2011-11-04 16:32:07.879066744 -0400
@@ -44,13 +44,17 @@ init_system_domain(wpa_cli_t, wpa_cli_ex
# networkmanager will ptrace itself if gdb is installed
@@ -2187,8 +2160,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/networkmanager.te.ptrace ser
allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
diff -up serefpolicy-3.10.0/policy/modules/services/nis.if.ptrace serefpolicy-3.10.0/policy/modules/services/nis.if
---- serefpolicy-3.10.0/policy/modules/services/nis.if.ptrace 2011-11-04 16:06:58.699888664 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/nis.if 2011-11-04 16:06:59.169889865 -0400
+--- serefpolicy-3.10.0/policy/modules/services/nis.if.ptrace 2011-11-04 16:32:07.431065885 -0400
++++ serefpolicy-3.10.0/policy/modules/services/nis.if 2011-11-04 16:32:07.880066745 -0400
@@ -390,16 +390,22 @@ interface(`nis_admin',`
type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t;
')
@@ -2217,8 +2190,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/nis.if.ptrace serefpolicy-3.
nis_initrc_domtrans($1)
diff -up serefpolicy-3.10.0/policy/modules/services/nscd.if.ptrace serefpolicy-3.10.0/policy/modules/services/nscd.if
---- serefpolicy-3.10.0/policy/modules/services/nscd.if.ptrace 2011-11-04 16:06:58.703888675 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/nscd.if 2011-11-04 16:06:59.170889867 -0400
+--- serefpolicy-3.10.0/policy/modules/services/nscd.if.ptrace 2011-11-04 16:32:07.435065895 -0400
++++ serefpolicy-3.10.0/policy/modules/services/nscd.if 2011-11-04 16:32:07.882066748 -0400
@@ -321,8 +321,11 @@ interface(`nscd_admin',`
type nscd_initrc_exec_t;
')
@@ -2233,8 +2206,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/nscd.if.ptrace serefpolicy-3
init_labeled_script_domtrans($1, nscd_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/nscd.te.ptrace serefpolicy-3.10.0/policy/modules/services/nscd.te
---- serefpolicy-3.10.0/policy/modules/services/nscd.te.ptrace 2011-11-04 16:06:58.704888678 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/nscd.te 2011-11-04 16:06:59.171889870 -0400
+--- serefpolicy-3.10.0/policy/modules/services/nscd.te.ptrace 2011-11-04 16:32:07.436065896 -0400
++++ serefpolicy-3.10.0/policy/modules/services/nscd.te 2011-11-04 16:32:07.882066748 -0400
@@ -40,7 +40,7 @@ logging_log_file(nscd_log_t)
# Local policy
#
@@ -2245,8 +2218,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/nscd.te.ptrace serefpolicy-3
allow nscd_t self:process { getattr getcap setcap setsched signal_perms };
allow nscd_t self:fifo_file read_fifo_file_perms;
diff -up serefpolicy-3.10.0/policy/modules/services/nslcd.if.ptrace serefpolicy-3.10.0/policy/modules/services/nslcd.if
---- serefpolicy-3.10.0/policy/modules/services/nslcd.if.ptrace 2011-11-04 16:06:58.704888678 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/nslcd.if 2011-11-04 16:06:59.172889873 -0400
+--- serefpolicy-3.10.0/policy/modules/services/nslcd.if.ptrace 2011-11-04 16:32:07.437065898 -0400
++++ serefpolicy-3.10.0/policy/modules/services/nslcd.if 2011-11-04 16:32:07.883066751 -0400
@@ -98,7 +98,10 @@ interface(`nslcd_admin',`
')
@@ -2260,8 +2233,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/nslcd.if.ptrace serefpolicy-
# Allow nslcd_t to restart the apache service
nslcd_initrc_domtrans($1)
diff -up serefpolicy-3.10.0/policy/modules/services/ntp.if.ptrace serefpolicy-3.10.0/policy/modules/services/ntp.if
---- serefpolicy-3.10.0/policy/modules/services/ntp.if.ptrace 2011-11-04 16:06:58.707888685 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ntp.if 2011-11-04 16:06:59.173889876 -0400
+--- serefpolicy-3.10.0/policy/modules/services/ntp.if.ptrace 2011-11-04 16:32:07.440065904 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ntp.if 2011-11-04 16:32:07.884066754 -0400
@@ -204,8 +204,11 @@ interface(`ntp_admin',`
type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t;
')
@@ -2276,8 +2249,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ntp.if.ptrace serefpolicy-3.
init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/oident.if.ptrace serefpolicy-3.10.0/policy/modules/services/oident.if
---- serefpolicy-3.10.0/policy/modules/services/oident.if.ptrace 2011-11-04 16:06:58.714888704 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/oident.if 2011-11-04 16:06:59.174889879 -0400
+--- serefpolicy-3.10.0/policy/modules/services/oident.if.ptrace 2011-11-04 16:32:07.447065918 -0400
++++ serefpolicy-3.10.0/policy/modules/services/oident.if 2011-11-04 16:32:07.885066756 -0400
@@ -89,8 +89,11 @@ interface(`oident_admin',`
type oidentd_t, oidentd_initrc_exec_t, oidentd_config_t;
')
@@ -2293,7 +2266,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/oident.if.ptrace serefpolicy
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/openvpn.if.ptrace serefpolicy-3.10.0/policy/modules/services/openvpn.if
--- serefpolicy-3.10.0/policy/modules/services/openvpn.if.ptrace 2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/openvpn.if 2011-11-04 16:06:59.174889879 -0400
++++ serefpolicy-3.10.0/policy/modules/services/openvpn.if 2011-11-04 16:32:07.886066757 -0400
@@ -144,8 +144,11 @@ interface(`openvpn_admin',`
type openvpn_var_run_t, openvpn_initrc_exec_t;
')
@@ -2308,8 +2281,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/openvpn.if.ptrace serefpolic
init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/pads.if.ptrace serefpolicy-3.10.0/policy/modules/services/pads.if
---- serefpolicy-3.10.0/policy/modules/services/pads.if.ptrace 2011-11-04 16:06:58.718888712 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/pads.if 2011-11-04 16:06:59.175889882 -0400
+--- serefpolicy-3.10.0/policy/modules/services/pads.if.ptrace 2011-11-04 16:32:07.451065925 -0400
++++ serefpolicy-3.10.0/policy/modules/services/pads.if 2011-11-04 16:32:07.887066759 -0400
@@ -31,8 +31,11 @@ interface(`pads_admin',`
type pads_var_run_t;
')
@@ -2324,8 +2297,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/pads.if.ptrace serefpolicy-3
init_labeled_script_domtrans($1, pads_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/pingd.if.ptrace serefpolicy-3.10.0/policy/modules/services/pingd.if
---- serefpolicy-3.10.0/policy/modules/services/pingd.if.ptrace 2011-11-04 16:06:58.722888724 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/pingd.if 2011-11-04 16:06:59.176889884 -0400
+--- serefpolicy-3.10.0/policy/modules/services/pingd.if.ptrace 2011-11-04 16:32:07.455065931 -0400
++++ serefpolicy-3.10.0/policy/modules/services/pingd.if 2011-11-04 16:32:07.888066761 -0400
@@ -80,8 +80,11 @@ interface(`pingd_admin',`
type pingd_initrc_exec_t;
')
@@ -2340,8 +2313,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/pingd.if.ptrace serefpolicy-
init_labeled_script_domtrans($1, pingd_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/piranha.te.ptrace serefpolicy-3.10.0/policy/modules/services/piranha.te
---- serefpolicy-3.10.0/policy/modules/services/piranha.te.ptrace 2011-11-04 16:06:58.725888731 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/piranha.te 2011-11-04 16:06:59.177889886 -0400
+--- serefpolicy-3.10.0/policy/modules/services/piranha.te.ptrace 2011-11-04 16:32:07.458065938 -0400
++++ serefpolicy-3.10.0/policy/modules/services/piranha.te 2011-11-04 16:32:07.889066763 -0400
@@ -65,7 +65,11 @@ init_domtrans_script(piranha_fos_t)
#
@@ -2356,8 +2329,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/piranha.te.ptrace serefpolic
allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms;
allow piranha_web_t self:sem create_sem_perms;
diff -up serefpolicy-3.10.0/policy/modules/services/plymouthd.if.ptrace serefpolicy-3.10.0/policy/modules/services/plymouthd.if
---- serefpolicy-3.10.0/policy/modules/services/plymouthd.if.ptrace 2011-11-04 16:06:58.727888735 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/plymouthd.if 2011-11-04 16:06:59.178889888 -0400
+--- serefpolicy-3.10.0/policy/modules/services/plymouthd.if.ptrace 2011-11-04 16:32:07.460065942 -0400
++++ serefpolicy-3.10.0/policy/modules/services/plymouthd.if 2011-11-04 16:32:07.890066765 -0400
@@ -291,8 +291,11 @@ interface(`plymouthd_admin',`
type plymouthd_var_run_t;
')
@@ -2372,8 +2345,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/plymouthd.if.ptrace serefpol
files_list_var_lib($1)
admin_pattern($1, plymouthd_spool_t)
diff -up serefpolicy-3.10.0/policy/modules/services/policykit.te.ptrace serefpolicy-3.10.0/policy/modules/services/policykit.te
---- serefpolicy-3.10.0/policy/modules/services/policykit.te.ptrace 2011-11-04 16:06:58.730888744 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/policykit.te 2011-11-04 16:06:59.179889890 -0400
+--- serefpolicy-3.10.0/policy/modules/services/policykit.te.ptrace 2011-11-04 16:32:07.463065948 -0400
++++ serefpolicy-3.10.0/policy/modules/services/policykit.te 2011-11-04 16:32:07.890066765 -0400
@@ -38,7 +38,7 @@ files_pid_file(policykit_var_run_t)
# policykit local policy
#
@@ -2393,8 +2366,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/policykit.te.ptrace serefpol
allow policykit_resolve_t self:fifo_file rw_fifo_file_perms;
diff -up serefpolicy-3.10.0/policy/modules/services/polipo.if.ptrace serefpolicy-3.10.0/policy/modules/services/polipo.if
---- serefpolicy-3.10.0/policy/modules/services/polipo.if.ptrace 2011-11-04 16:06:58.731888747 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/polipo.if 2011-11-04 16:06:59.180889893 -0400
+--- serefpolicy-3.10.0/policy/modules/services/polipo.if.ptrace 2011-11-04 16:32:07.464065950 -0400
++++ serefpolicy-3.10.0/policy/modules/services/polipo.if 2011-11-04 16:32:07.891066767 -0400
@@ -32,8 +32,11 @@ template(`polipo_role',`
# Policy
#
@@ -2423,7 +2396,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/polipo.if.ptrace serefpolicy
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/portreserve.if.ptrace serefpolicy-3.10.0/policy/modules/services/portreserve.if
--- serefpolicy-3.10.0/policy/modules/services/portreserve.if.ptrace 2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/portreserve.if 2011-11-04 16:06:59.181889896 -0400
++++ serefpolicy-3.10.0/policy/modules/services/portreserve.if 2011-11-04 16:32:07.892066768 -0400
@@ -104,8 +104,11 @@ interface(`portreserve_admin',`
type portreserve_initrc_exec_t;
')
@@ -2438,8 +2411,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/portreserve.if.ptrace serefp
portreserve_initrc_domtrans($1)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/postfix.if.ptrace serefpolicy-3.10.0/policy/modules/services/postfix.if
---- serefpolicy-3.10.0/policy/modules/services/postfix.if.ptrace 2011-11-04 16:06:58.736888758 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/postfix.if 2011-11-04 16:06:59.182889899 -0400
+--- serefpolicy-3.10.0/policy/modules/services/postfix.if.ptrace 2011-11-04 16:32:07.469065960 -0400
++++ serefpolicy-3.10.0/policy/modules/services/postfix.if 2011-11-04 16:32:07.894066771 -0400
@@ -729,25 +729,36 @@ interface(`postfix_admin',`
type postfix_smtpd_t, postfix_var_run_t;
')
@@ -2485,8 +2458,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/postfix.if.ptrace serefpolic
postfix_run_map($1, $2)
diff -up serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if.ptrace serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if
---- serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if.ptrace 2011-11-04 16:06:58.739888767 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if 2011-11-04 16:06:59.183889902 -0400
+--- serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if.ptrace 2011-11-04 16:32:07.471065963 -0400
++++ serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if 2011-11-04 16:32:07.894066771 -0400
@@ -23,8 +23,11 @@ interface(`postfixpolicyd_admin',`
type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t;
')
@@ -2501,8 +2474,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if.ptrace ser
init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/postgresql.if.ptrace serefpolicy-3.10.0/policy/modules/services/postgresql.if
---- serefpolicy-3.10.0/policy/modules/services/postgresql.if.ptrace 2011-11-04 16:06:58.741888773 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/postgresql.if 2011-11-04 16:06:59.184889905 -0400
+--- serefpolicy-3.10.0/policy/modules/services/postgresql.if.ptrace 2011-11-04 16:32:07.474065969 -0400
++++ serefpolicy-3.10.0/policy/modules/services/postgresql.if 2011-11-04 16:32:07.895066774 -0400
@@ -541,8 +541,11 @@ interface(`postgresql_admin',`
typeattribute $1 sepgsql_admin_type;
@@ -2517,8 +2490,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/postgresql.if.ptrace serefpo
init_labeled_script_domtrans($1, postgresql_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/postgrey.if.ptrace serefpolicy-3.10.0/policy/modules/services/postgrey.if
---- serefpolicy-3.10.0/policy/modules/services/postgrey.if.ptrace 2011-11-04 16:06:58.743888777 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/postgrey.if 2011-11-04 16:06:59.184889905 -0400
+--- serefpolicy-3.10.0/policy/modules/services/postgrey.if.ptrace 2011-11-04 16:32:07.476065973 -0400
++++ serefpolicy-3.10.0/policy/modules/services/postgrey.if 2011-11-04 16:32:07.896066776 -0400
@@ -62,8 +62,11 @@ interface(`postgrey_admin',`
type postgrey_var_lib_t, postgrey_var_run_t;
')
@@ -2533,8 +2506,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/postgrey.if.ptrace serefpoli
init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/ppp.if.ptrace serefpolicy-3.10.0/policy/modules/services/ppp.if
---- serefpolicy-3.10.0/policy/modules/services/ppp.if.ptrace 2011-11-04 16:06:58.745888781 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ppp.if 2011-11-04 16:06:59.185889907 -0400
+--- serefpolicy-3.10.0/policy/modules/services/ppp.if.ptrace 2011-11-04 16:32:07.478065975 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ppp.if 2011-11-04 16:32:07.897066778 -0400
@@ -386,10 +386,14 @@ interface(`ppp_admin',`
type pppd_initrc_exec_t, pppd_etc_rw_t;
')
@@ -2553,8 +2526,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ppp.if.ptrace serefpolicy-3.
ppp_initrc_domtrans($1)
diff -up serefpolicy-3.10.0/policy/modules/services/prelude.if.ptrace serefpolicy-3.10.0/policy/modules/services/prelude.if
---- serefpolicy-3.10.0/policy/modules/services/prelude.if.ptrace 2011-11-04 16:06:58.747888787 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/prelude.if 2011-11-04 16:06:59.186889909 -0400
+--- serefpolicy-3.10.0/policy/modules/services/prelude.if.ptrace 2011-11-04 16:32:07.480065980 -0400
++++ serefpolicy-3.10.0/policy/modules/services/prelude.if 2011-11-04 16:32:07.898066780 -0400
@@ -118,13 +118,18 @@ interface(`prelude_admin',`
type prelude_lml_t;
')
@@ -2579,7 +2552,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/prelude.if.ptrace serefpolic
init_labeled_script_domtrans($1, prelude_initrc_exec_t)
diff -up serefpolicy-3.10.0/policy/modules/services/privoxy.if.ptrace serefpolicy-3.10.0/policy/modules/services/privoxy.if
--- serefpolicy-3.10.0/policy/modules/services/privoxy.if.ptrace 2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/privoxy.if 2011-11-04 16:06:59.187889911 -0400
++++ serefpolicy-3.10.0/policy/modules/services/privoxy.if 2011-11-04 16:32:07.899066782 -0400
@@ -23,8 +23,11 @@ interface(`privoxy_admin',`
type privoxy_etc_rw_t, privoxy_var_run_t;
')
@@ -2594,8 +2567,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/privoxy.if.ptrace serefpolic
init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/psad.if.ptrace serefpolicy-3.10.0/policy/modules/services/psad.if
---- serefpolicy-3.10.0/policy/modules/services/psad.if.ptrace 2011-11-04 16:06:58.751888798 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/psad.if 2011-11-04 16:06:59.188889913 -0400
+--- serefpolicy-3.10.0/policy/modules/services/psad.if.ptrace 2011-11-04 16:32:07.484065988 -0400
++++ serefpolicy-3.10.0/policy/modules/services/psad.if 2011-11-04 16:32:07.900066784 -0400
@@ -295,8 +295,11 @@ interface(`psad_admin',`
type psad_tmp_t;
')
@@ -2610,8 +2583,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/psad.if.ptrace serefpolicy-3
init_labeled_script_domtrans($1, psad_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/puppet.te.ptrace serefpolicy-3.10.0/policy/modules/services/puppet.te
---- serefpolicy-3.10.0/policy/modules/services/puppet.te.ptrace 2011-11-04 16:06:58.754888804 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/puppet.te 2011-11-04 16:06:59.189889916 -0400
+--- serefpolicy-3.10.0/policy/modules/services/puppet.te.ptrace 2011-11-04 16:32:07.488065995 -0400
++++ serefpolicy-3.10.0/policy/modules/services/puppet.te 2011-11-04 16:32:07.901066786 -0400
@@ -62,7 +62,7 @@ files_tmp_file(puppetmaster_tmp_t)
# Puppet personal policy
#
@@ -2622,8 +2595,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/puppet.te.ptrace serefpolicy
allow puppet_t self:fifo_file rw_fifo_file_perms;
allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
diff -up serefpolicy-3.10.0/policy/modules/services/pyzor.if.ptrace serefpolicy-3.10.0/policy/modules/services/pyzor.if
---- serefpolicy-3.10.0/policy/modules/services/pyzor.if.ptrace 2011-11-04 16:06:58.757888813 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/pyzor.if 2011-11-04 16:06:59.190889919 -0400
+--- serefpolicy-3.10.0/policy/modules/services/pyzor.if.ptrace 2011-11-04 16:32:07.490065998 -0400
++++ serefpolicy-3.10.0/policy/modules/services/pyzor.if 2011-11-04 16:32:07.902066788 -0400
@@ -29,7 +29,10 @@ interface(`pyzor_role',`
# allow ps to show pyzor and allow the user to kill it
@@ -2650,8 +2623,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/pyzor.if.ptrace serefpolicy-
init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/qpid.if.ptrace serefpolicy-3.10.0/policy/modules/services/qpid.if
---- serefpolicy-3.10.0/policy/modules/services/qpid.if.ptrace 2011-11-04 16:06:58.761888823 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/qpid.if 2011-11-04 16:06:59.190889919 -0400
+--- serefpolicy-3.10.0/policy/modules/services/qpid.if.ptrace 2011-11-04 16:32:07.495066009 -0400
++++ serefpolicy-3.10.0/policy/modules/services/qpid.if 2011-11-04 16:32:07.903066789 -0400
@@ -177,8 +177,11 @@ interface(`qpidd_admin',`
type qpidd_t, qpidd_initrc_exec_t;
')
@@ -2667,7 +2640,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/qpid.if.ptrace serefpolicy-3
qpidd_initrc_domtrans($1)
diff -up serefpolicy-3.10.0/policy/modules/services/radius.if.ptrace serefpolicy-3.10.0/policy/modules/services/radius.if
--- serefpolicy-3.10.0/policy/modules/services/radius.if.ptrace 2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/radius.if 2011-11-04 16:06:59.191889922 -0400
++++ serefpolicy-3.10.0/policy/modules/services/radius.if 2011-11-04 16:32:07.904066790 -0400
@@ -38,8 +38,11 @@ interface(`radius_admin',`
type radiusd_initrc_exec_t;
')
@@ -2682,8 +2655,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/radius.if.ptrace serefpolicy
init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/radvd.if.ptrace serefpolicy-3.10.0/policy/modules/services/radvd.if
---- serefpolicy-3.10.0/policy/modules/services/radvd.if.ptrace 2011-11-04 16:06:58.765888833 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/radvd.if 2011-11-04 16:06:59.192889925 -0400
+--- serefpolicy-3.10.0/policy/modules/services/radvd.if.ptrace 2011-11-04 16:32:07.499066017 -0400
++++ serefpolicy-3.10.0/policy/modules/services/radvd.if 2011-11-04 16:32:07.905066792 -0400
@@ -23,8 +23,11 @@ interface(`radvd_admin',`
type radvd_var_run_t;
')
@@ -2698,8 +2671,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/radvd.if.ptrace serefpolicy-
init_labeled_script_domtrans($1, radvd_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/razor.if.ptrace serefpolicy-3.10.0/policy/modules/services/razor.if
---- serefpolicy-3.10.0/policy/modules/services/razor.if.ptrace 2011-11-04 16:06:58.767888839 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/razor.if 2011-11-04 16:06:59.193889928 -0400
+--- serefpolicy-3.10.0/policy/modules/services/razor.if.ptrace 2011-11-04 16:32:07.500066018 -0400
++++ serefpolicy-3.10.0/policy/modules/services/razor.if 2011-11-04 16:32:07.906066795 -0400
@@ -132,7 +132,10 @@ interface(`razor_role',`
# allow ps to show razor and allow the user to kill it
@@ -2713,8 +2686,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/razor.if.ptrace serefpolicy-
manage_dirs_pattern($2, razor_home_t, razor_home_t)
manage_files_pattern($2, razor_home_t, razor_home_t)
diff -up serefpolicy-3.10.0/policy/modules/services/rgmanager.if.ptrace serefpolicy-3.10.0/policy/modules/services/rgmanager.if
---- serefpolicy-3.10.0/policy/modules/services/rgmanager.if.ptrace 2011-11-04 16:06:58.770888846 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/rgmanager.if 2011-11-04 16:06:59.194889930 -0400
+--- serefpolicy-3.10.0/policy/modules/services/rgmanager.if.ptrace 2011-11-04 16:32:07.504066026 -0400
++++ serefpolicy-3.10.0/policy/modules/services/rgmanager.if 2011-11-04 16:32:07.907066798 -0400
@@ -117,8 +117,11 @@ interface(`rgmanager_admin',`
type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t;
')
@@ -2729,8 +2702,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/rgmanager.if.ptrace serefpol
init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/rgmanager.te.ptrace serefpolicy-3.10.0/policy/modules/services/rgmanager.te
---- serefpolicy-3.10.0/policy/modules/services/rgmanager.te.ptrace 2011-11-04 16:06:58.771888848 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/rgmanager.te 2011-11-04 16:06:59.195889932 -0400
+--- serefpolicy-3.10.0/policy/modules/services/rgmanager.te.ptrace 2011-11-04 16:32:07.505066028 -0400
++++ serefpolicy-3.10.0/policy/modules/services/rgmanager.te 2011-11-04 16:32:07.907066798 -0400
@@ -37,7 +37,6 @@ files_pid_file(rgmanager_var_run_t)
#
@@ -2740,8 +2713,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/rgmanager.te.ptrace serefpol
dontaudit rgmanager_t self:process ptrace;
diff -up serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if.ptrace serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if
---- serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if.ptrace 2011-11-04 16:06:58.778888867 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if 2011-11-04 16:06:59.196889934 -0400
+--- serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if.ptrace 2011-11-04 16:32:07.513066042 -0400
++++ serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if 2011-11-04 16:32:07.908066800 -0400
@@ -284,8 +284,11 @@ interface(`rhsmcertd_admin',`
type rhsmcertd_var_run_t;
')
@@ -2756,8 +2729,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if.ptrace serefpol
rhsmcertd_initrc_domtrans($1)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/ricci.if.ptrace serefpolicy-3.10.0/policy/modules/services/ricci.if
---- serefpolicy-3.10.0/policy/modules/services/ricci.if.ptrace 2011-11-04 16:06:58.781888873 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ricci.if 2011-11-04 16:06:59.197889936 -0400
+--- serefpolicy-3.10.0/policy/modules/services/ricci.if.ptrace 2011-11-04 16:32:07.515066048 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ricci.if 2011-11-04 16:32:07.909066801 -0400
@@ -245,8 +245,11 @@ interface(`ricci_admin',`
type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t;
')
@@ -2773,7 +2746,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ricci.if.ptrace serefpolicy-
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/roundup.if.ptrace serefpolicy-3.10.0/policy/modules/services/roundup.if
--- serefpolicy-3.10.0/policy/modules/services/roundup.if.ptrace 2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/roundup.if 2011-11-04 16:06:59.198889939 -0400
++++ serefpolicy-3.10.0/policy/modules/services/roundup.if 2011-11-04 16:32:07.910066803 -0400
@@ -23,8 +23,11 @@ interface(`roundup_admin',`
type roundup_initrc_exec_t;
')
@@ -2788,8 +2761,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/roundup.if.ptrace serefpolic
init_labeled_script_domtrans($1, roundup_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/rpcbind.if.ptrace serefpolicy-3.10.0/policy/modules/services/rpcbind.if
---- serefpolicy-3.10.0/policy/modules/services/rpcbind.if.ptrace 2011-11-04 16:06:58.788888892 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/rpcbind.if 2011-11-04 16:06:59.198889939 -0400
+--- serefpolicy-3.10.0/policy/modules/services/rpcbind.if.ptrace 2011-11-04 16:32:07.522066061 -0400
++++ serefpolicy-3.10.0/policy/modules/services/rpcbind.if 2011-11-04 16:32:07.911066805 -0400
@@ -155,8 +155,11 @@ interface(`rpcbind_admin',`
type rpcbind_initrc_exec_t;
')
@@ -2804,8 +2777,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/rpcbind.if.ptrace serefpolic
init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/rtkit.te.ptrace serefpolicy-3.10.0/policy/modules/services/rtkit.te
---- serefpolicy-3.10.0/policy/modules/services/rtkit.te.ptrace 2011-11-04 16:06:58.792888902 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/rtkit.te 2011-11-04 16:06:59.199889942 -0400
+--- serefpolicy-3.10.0/policy/modules/services/rtkit.te.ptrace 2011-11-04 16:32:07.527066070 -0400
++++ serefpolicy-3.10.0/policy/modules/services/rtkit.te 2011-11-04 16:32:07.912066807 -0400
@@ -15,7 +15,7 @@ init_system_domain(rtkit_daemon_t, rtkit
# rtkit_daemon local policy
#
@@ -2816,8 +2789,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/rtkit.te.ptrace serefpolicy-
kernel_read_system_state(rtkit_daemon_t)
diff -up serefpolicy-3.10.0/policy/modules/services/rwho.if.ptrace serefpolicy-3.10.0/policy/modules/services/rwho.if
---- serefpolicy-3.10.0/policy/modules/services/rwho.if.ptrace 2011-11-04 16:06:58.793888905 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/rwho.if 2011-11-04 16:06:59.200889945 -0400
+--- serefpolicy-3.10.0/policy/modules/services/rwho.if.ptrace 2011-11-04 16:32:07.528066072 -0400
++++ serefpolicy-3.10.0/policy/modules/services/rwho.if 2011-11-04 16:32:07.913066809 -0400
@@ -138,8 +138,11 @@ interface(`rwho_admin',`
type rwho_initrc_exec_t;
')
@@ -2832,8 +2805,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/rwho.if.ptrace serefpolicy-3
init_labeled_script_domtrans($1, rwho_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/samba.if.ptrace serefpolicy-3.10.0/policy/modules/services/samba.if
---- serefpolicy-3.10.0/policy/modules/services/samba.if.ptrace 2011-11-04 16:06:58.795888911 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/samba.if 2011-11-04 16:06:59.201889948 -0400
+--- serefpolicy-3.10.0/policy/modules/services/samba.if.ptrace 2011-11-04 16:32:07.530066076 -0400
++++ serefpolicy-3.10.0/policy/modules/services/samba.if 2011-11-04 16:32:07.914066811 -0400
@@ -784,13 +784,18 @@ interface(`samba_admin',`
type winbind_var_run_t, winbind_tmp_t, samba_unconfined_script_t;
')
@@ -2858,7 +2831,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/samba.if.ptrace serefpolicy-
samba_run_smbcontrol($1, $2, $3)
diff -up serefpolicy-3.10.0/policy/modules/services/samhain.if.ptrace serefpolicy-3.10.0/policy/modules/services/samhain.if
--- serefpolicy-3.10.0/policy/modules/services/samhain.if.ptrace 2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/samhain.if 2011-11-04 16:06:59.202889951 -0400
++++ serefpolicy-3.10.0/policy/modules/services/samhain.if 2011-11-04 16:32:07.915066812 -0400
@@ -271,10 +271,14 @@ interface(`samhain_admin',`
type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t;
')
@@ -2877,8 +2850,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/samhain.if.ptrace serefpolic
files_list_var_lib($1)
diff -up serefpolicy-3.10.0/policy/modules/services/sanlock.if.ptrace serefpolicy-3.10.0/policy/modules/services/sanlock.if
---- serefpolicy-3.10.0/policy/modules/services/sanlock.if.ptrace 2011-11-04 16:06:58.799888919 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/sanlock.if 2011-11-04 16:06:59.203889953 -0400
+--- serefpolicy-3.10.0/policy/modules/services/sanlock.if.ptrace 2011-11-04 16:32:07.533066082 -0400
++++ serefpolicy-3.10.0/policy/modules/services/sanlock.if 2011-11-04 16:32:07.916066813 -0400
@@ -99,8 +99,11 @@ interface(`sanlock_admin',`
type sanlock_initrc_exec_t;
')
@@ -2893,8 +2866,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/sanlock.if.ptrace serefpolic
sanlock_initrc_domtrans($1)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/sasl.if.ptrace serefpolicy-3.10.0/policy/modules/services/sasl.if
---- serefpolicy-3.10.0/policy/modules/services/sasl.if.ptrace 2011-11-04 16:06:58.800888922 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/sasl.if 2011-11-04 16:06:59.204889955 -0400
+--- serefpolicy-3.10.0/policy/modules/services/sasl.if.ptrace 2011-11-04 16:32:07.535066084 -0400
++++ serefpolicy-3.10.0/policy/modules/services/sasl.if 2011-11-04 16:32:07.916066813 -0400
@@ -42,8 +42,11 @@ interface(`sasl_admin',`
type saslauthd_initrc_exec_t;
')
@@ -2909,8 +2882,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/sasl.if.ptrace serefpolicy-3
init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/sblim.if.ptrace serefpolicy-3.10.0/policy/modules/services/sblim.if
---- serefpolicy-3.10.0/policy/modules/services/sblim.if.ptrace 2011-11-04 16:06:58.803888931 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/sblim.if 2011-11-04 16:06:59.205889957 -0400
+--- serefpolicy-3.10.0/policy/modules/services/sblim.if.ptrace 2011-11-04 16:32:07.536066086 -0400
++++ serefpolicy-3.10.0/policy/modules/services/sblim.if 2011-11-04 16:32:07.917066815 -0400
@@ -65,11 +65,15 @@ interface(`sblim_admin',`
type sblim_var_run_t;
')
@@ -2931,8 +2904,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/sblim.if.ptrace serefpolicy-
files_search_pids($1)
admin_pattern($1, sblim_var_run_t)
diff -up serefpolicy-3.10.0/policy/modules/services/sblim.te.ptrace serefpolicy-3.10.0/policy/modules/services/sblim.te
---- serefpolicy-3.10.0/policy/modules/services/sblim.te.ptrace 2011-11-04 16:06:58.803888931 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/sblim.te 2011-11-04 16:06:59.205889957 -0400
+--- serefpolicy-3.10.0/policy/modules/services/sblim.te.ptrace 2011-11-04 16:32:07.537066089 -0400
++++ serefpolicy-3.10.0/policy/modules/services/sblim.te 2011-11-04 16:32:07.918066818 -0400
@@ -24,7 +24,7 @@ files_pid_file(sblim_var_run_t)
#
@@ -2943,8 +2916,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/sblim.te.ptrace serefpolicy-
allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
diff -up serefpolicy-3.10.0/policy/modules/services/sendmail.if.ptrace serefpolicy-3.10.0/policy/modules/services/sendmail.if
---- serefpolicy-3.10.0/policy/modules/services/sendmail.if.ptrace 2011-11-04 16:06:58.805888936 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/sendmail.if 2011-11-04 16:06:59.206889959 -0400
+--- serefpolicy-3.10.0/policy/modules/services/sendmail.if.ptrace 2011-11-04 16:32:07.538066092 -0400
++++ serefpolicy-3.10.0/policy/modules/services/sendmail.if 2011-11-04 16:32:07.919066820 -0400
@@ -334,10 +334,14 @@ interface(`sendmail_admin',`
type mail_spool_t;
')
@@ -2963,8 +2936,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/sendmail.if.ptrace serefpoli
sendmail_initrc_domtrans($1)
diff -up serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if.ptrace serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if
---- serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if.ptrace 2011-11-04 16:06:58.807888940 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if 2011-11-04 16:06:59.207889962 -0400
+--- serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if.ptrace 2011-11-04 16:32:07.540066095 -0400
++++ serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if 2011-11-04 16:32:07.920066822 -0400
@@ -140,8 +140,11 @@ interface(`setroubleshoot_admin',`
type setroubleshoot_var_lib_t;
')
@@ -2979,8 +2952,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if.ptrace ser
logging_list_logs($1)
admin_pattern($1, setroubleshoot_var_log_t)
diff -up serefpolicy-3.10.0/policy/modules/services/smartmon.if.ptrace serefpolicy-3.10.0/policy/modules/services/smartmon.if
---- serefpolicy-3.10.0/policy/modules/services/smartmon.if.ptrace 2011-11-04 16:06:58.809888945 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/smartmon.if 2011-11-04 16:06:59.208889965 -0400
+--- serefpolicy-3.10.0/policy/modules/services/smartmon.if.ptrace 2011-11-04 16:32:07.543066101 -0400
++++ serefpolicy-3.10.0/policy/modules/services/smartmon.if 2011-11-04 16:32:07.921066824 -0400
@@ -42,8 +42,11 @@ interface(`smartmon_admin',`
type fsdaemon_initrc_exec_t;
')
@@ -2996,7 +2969,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/smartmon.if.ptrace serefpoli
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/smokeping.if.ptrace serefpolicy-3.10.0/policy/modules/services/smokeping.if
--- serefpolicy-3.10.0/policy/modules/services/smokeping.if.ptrace 2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/smokeping.if 2011-11-04 16:06:59.209889968 -0400
++++ serefpolicy-3.10.0/policy/modules/services/smokeping.if 2011-11-04 16:32:07.921066824 -0400
@@ -153,8 +153,11 @@ interface(`smokeping_admin',`
type smokeping_t, smokeping_initrc_exec_t;
')
@@ -3011,8 +2984,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/smokeping.if.ptrace serefpol
smokeping_initrc_domtrans($1)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/snmp.if.ptrace serefpolicy-3.10.0/policy/modules/services/snmp.if
---- serefpolicy-3.10.0/policy/modules/services/snmp.if.ptrace 2011-11-04 16:06:58.812888954 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/snmp.if 2011-11-04 16:06:59.209889968 -0400
+--- serefpolicy-3.10.0/policy/modules/services/snmp.if.ptrace 2011-11-04 16:32:07.546066106 -0400
++++ serefpolicy-3.10.0/policy/modules/services/snmp.if 2011-11-04 16:32:07.922066826 -0400
@@ -168,8 +168,11 @@ interface(`snmp_admin',`
type snmpd_var_lib_t, snmpd_var_run_t;
')
@@ -3027,8 +3000,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/snmp.if.ptrace serefpolicy-3
init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/snmp.te.ptrace serefpolicy-3.10.0/policy/modules/services/snmp.te
---- serefpolicy-3.10.0/policy/modules/services/snmp.te.ptrace 2011-11-04 16:06:58.813888957 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/snmp.te 2011-11-04 16:06:59.210889971 -0400
+--- serefpolicy-3.10.0/policy/modules/services/snmp.te.ptrace 2011-11-04 16:32:07.547066107 -0400
++++ serefpolicy-3.10.0/policy/modules/services/snmp.te 2011-11-04 16:32:07.923066828 -0400
@@ -26,7 +26,8 @@ files_type(snmpd_var_lib_t)
# Local policy
#
@@ -3040,8 +3013,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/snmp.te.ptrace serefpolicy-3
allow snmpd_t self:process { signal_perms getsched setsched };
allow snmpd_t self:fifo_file rw_fifo_file_perms;
diff -up serefpolicy-3.10.0/policy/modules/services/snort.if.ptrace serefpolicy-3.10.0/policy/modules/services/snort.if
---- serefpolicy-3.10.0/policy/modules/services/snort.if.ptrace 2011-11-04 16:06:58.813888957 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/snort.if 2011-11-04 16:06:59.211889974 -0400
+--- serefpolicy-3.10.0/policy/modules/services/snort.if.ptrace 2011-11-04 16:32:07.547066107 -0400
++++ serefpolicy-3.10.0/policy/modules/services/snort.if 2011-11-04 16:32:07.924066830 -0400
@@ -41,8 +41,11 @@ interface(`snort_admin',`
type snort_etc_t, snort_initrc_exec_t;
')
@@ -3056,8 +3029,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/snort.if.ptrace serefpolicy-
init_labeled_script_domtrans($1, snort_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/soundserver.if.ptrace serefpolicy-3.10.0/policy/modules/services/soundserver.if
---- serefpolicy-3.10.0/policy/modules/services/soundserver.if.ptrace 2011-11-04 16:06:58.815888961 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/soundserver.if 2011-11-04 16:06:59.212889976 -0400
+--- serefpolicy-3.10.0/policy/modules/services/soundserver.if.ptrace 2011-11-04 16:32:07.549066112 -0400
++++ serefpolicy-3.10.0/policy/modules/services/soundserver.if 2011-11-04 16:32:07.925066832 -0400
@@ -37,8 +37,11 @@ interface(`soundserver_admin',`
type soundd_tmp_t, soundd_var_run_t;
')
@@ -3072,8 +3045,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/soundserver.if.ptrace serefp
init_labeled_script_domtrans($1, soundd_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/spamassassin.if.ptrace serefpolicy-3.10.0/policy/modules/services/spamassassin.if
---- serefpolicy-3.10.0/policy/modules/services/spamassassin.if.ptrace 2011-11-04 16:06:58.816888963 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/spamassassin.if 2011-11-04 16:06:59.213889978 -0400
+--- serefpolicy-3.10.0/policy/modules/services/spamassassin.if.ptrace 2011-11-04 16:32:07.551066116 -0400
++++ serefpolicy-3.10.0/policy/modules/services/spamassassin.if 2011-11-04 16:32:07.927066834 -0400
@@ -27,12 +27,12 @@ interface(`spamassassin_role',`
domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
@@ -3103,8 +3076,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/spamassassin.if.ptrace seref
init_labeled_script_domtrans($1, spamd_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/squid.if.ptrace serefpolicy-3.10.0/policy/modules/services/squid.if
---- serefpolicy-3.10.0/policy/modules/services/squid.if.ptrace 2011-11-04 16:06:58.819888971 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/squid.if 2011-11-04 16:06:59.214889980 -0400
+--- serefpolicy-3.10.0/policy/modules/services/squid.if.ptrace 2011-11-04 16:32:07.553066120 -0400
++++ serefpolicy-3.10.0/policy/modules/services/squid.if 2011-11-04 16:32:07.928066836 -0400
@@ -209,8 +209,11 @@ interface(`squid_admin',`
type squid_log_t, squid_var_run_t, squid_initrc_exec_t;
')
@@ -3119,8 +3092,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/squid.if.ptrace serefpolicy-
init_labeled_script_domtrans($1, squid_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/ssh.if.ptrace serefpolicy-3.10.0/policy/modules/services/ssh.if
---- serefpolicy-3.10.0/policy/modules/services/ssh.if.ptrace 2011-11-04 16:06:59.021889488 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ssh.if 2011-11-04 16:06:59.215889982 -0400
+--- serefpolicy-3.10.0/policy/modules/services/ssh.if.ptrace 2011-11-04 16:32:07.556066126 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ssh.if 2011-11-04 16:32:07.929066839 -0400
@@ -367,7 +367,7 @@ template(`ssh_role_template',`
# allow ps to show ssh
@@ -3140,8 +3113,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ssh.if.ptrace serefpolicy-3.
# allow ps to show ssh
ps_process_pattern($3, $1_ssh_agent_t)
diff -up serefpolicy-3.10.0/policy/modules/services/sssd.if.ptrace serefpolicy-3.10.0/policy/modules/services/sssd.if
---- serefpolicy-3.10.0/policy/modules/services/sssd.if.ptrace 2011-11-04 16:06:58.824888984 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/sssd.if 2011-11-04 16:06:59.216889985 -0400
+--- serefpolicy-3.10.0/policy/modules/services/sssd.if.ptrace 2011-11-04 16:32:07.558066128 -0400
++++ serefpolicy-3.10.0/policy/modules/services/sssd.if 2011-11-04 16:32:07.930066842 -0400
@@ -234,8 +234,11 @@ interface(`sssd_admin',`
type sssd_t, sssd_public_t, sssd_initrc_exec_t;
')
@@ -3156,8 +3129,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/sssd.if.ptrace serefpolicy-3
# Allow sssd_t to restart the apache service
sssd_initrc_domtrans($1)
diff -up serefpolicy-3.10.0/policy/modules/services/tcsd.if.ptrace serefpolicy-3.10.0/policy/modules/services/tcsd.if
---- serefpolicy-3.10.0/policy/modules/services/tcsd.if.ptrace 2011-11-04 16:06:58.829888997 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/tcsd.if 2011-11-04 16:06:59.216889985 -0400
+--- serefpolicy-3.10.0/policy/modules/services/tcsd.if.ptrace 2011-11-04 16:32:07.563066139 -0400
++++ serefpolicy-3.10.0/policy/modules/services/tcsd.if 2011-11-04 16:32:07.931066844 -0400
@@ -137,8 +137,11 @@ interface(`tcsd_admin',`
type tcsd_var_lib_t;
')
@@ -3172,8 +3145,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/tcsd.if.ptrace serefpolicy-3
tcsd_initrc_domtrans($1)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/tftp.if.ptrace serefpolicy-3.10.0/policy/modules/services/tftp.if
---- serefpolicy-3.10.0/policy/modules/services/tftp.if.ptrace 2011-11-04 16:06:58.832889005 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/tftp.if 2011-11-04 16:06:59.217889988 -0400
+--- serefpolicy-3.10.0/policy/modules/services/tftp.if.ptrace 2011-11-04 16:32:07.566066145 -0400
++++ serefpolicy-3.10.0/policy/modules/services/tftp.if 2011-11-04 16:32:07.931066844 -0400
@@ -109,8 +109,11 @@ interface(`tftp_admin',`
type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
')
@@ -3188,8 +3161,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/tftp.if.ptrace serefpolicy-3
files_list_var_lib($1)
admin_pattern($1, tftpdir_rw_t)
diff -up serefpolicy-3.10.0/policy/modules/services/tor.if.ptrace serefpolicy-3.10.0/policy/modules/services/tor.if
---- serefpolicy-3.10.0/policy/modules/services/tor.if.ptrace 2011-11-04 16:06:58.835889011 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/tor.if 2011-11-04 16:06:59.218889991 -0400
+--- serefpolicy-3.10.0/policy/modules/services/tor.if.ptrace 2011-11-04 16:32:07.569066150 -0400
++++ serefpolicy-3.10.0/policy/modules/services/tor.if 2011-11-04 16:32:07.932066845 -0400
@@ -42,8 +42,11 @@ interface(`tor_admin',`
type tor_initrc_exec_t;
')
@@ -3204,8 +3177,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/tor.if.ptrace serefpolicy-3.
init_labeled_script_domtrans($1, tor_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/tuned.if.ptrace serefpolicy-3.10.0/policy/modules/services/tuned.if
---- serefpolicy-3.10.0/policy/modules/services/tuned.if.ptrace 2011-11-04 16:06:58.836889014 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/tuned.if 2011-11-04 16:06:59.219889994 -0400
+--- serefpolicy-3.10.0/policy/modules/services/tuned.if.ptrace 2011-11-04 16:32:07.570066151 -0400
++++ serefpolicy-3.10.0/policy/modules/services/tuned.if 2011-11-04 16:32:07.933066847 -0400
@@ -115,8 +115,11 @@ interface(`tuned_admin',`
type tuned_t, tuned_var_run_t, tuned_initrc_exec_t;
')
@@ -3221,7 +3194,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/tuned.if.ptrace serefpolicy-
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/ulogd.if.ptrace serefpolicy-3.10.0/policy/modules/services/ulogd.if
--- serefpolicy-3.10.0/policy/modules/services/ulogd.if.ptrace 2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ulogd.if 2011-11-04 16:06:59.220889997 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ulogd.if 2011-11-04 16:32:07.934066849 -0400
@@ -123,8 +123,11 @@ interface(`ulogd_admin',`
type ulogd_var_log_t, ulogd_initrc_exec_t;
')
@@ -3237,7 +3210,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ulogd.if.ptrace serefpolicy-
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/uucp.if.ptrace serefpolicy-3.10.0/policy/modules/services/uucp.if
--- serefpolicy-3.10.0/policy/modules/services/uucp.if.ptrace 2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/uucp.if 2011-11-04 16:06:59.221889999 -0400
++++ serefpolicy-3.10.0/policy/modules/services/uucp.if 2011-11-04 16:32:07.935066851 -0400
@@ -99,8 +99,11 @@ interface(`uucp_admin',`
type uucpd_var_run_t;
')
@@ -3252,8 +3225,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/uucp.if.ptrace serefpolicy-3
logging_list_logs($1)
admin_pattern($1, uucpd_log_t)
diff -up serefpolicy-3.10.0/policy/modules/services/uuidd.if.ptrace serefpolicy-3.10.0/policy/modules/services/uuidd.if
---- serefpolicy-3.10.0/policy/modules/services/uuidd.if.ptrace 2011-11-04 16:06:58.843889032 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/uuidd.if 2011-11-04 16:06:59.221889999 -0400
+--- serefpolicy-3.10.0/policy/modules/services/uuidd.if.ptrace 2011-11-04 16:32:07.577066166 -0400
++++ serefpolicy-3.10.0/policy/modules/services/uuidd.if 2011-11-04 16:32:07.936066853 -0400
@@ -177,8 +177,11 @@ interface(`uuidd_admin',`
type uuidd_var_run_t;
')
@@ -3269,7 +3242,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/uuidd.if.ptrace serefpolicy-
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/varnishd.if.ptrace serefpolicy-3.10.0/policy/modules/services/varnishd.if
--- serefpolicy-3.10.0/policy/modules/services/varnishd.if.ptrace 2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/varnishd.if 2011-11-04 16:06:59.222890001 -0400
++++ serefpolicy-3.10.0/policy/modules/services/varnishd.if 2011-11-04 16:32:07.936066853 -0400
@@ -155,8 +155,11 @@ interface(`varnishd_admin_varnishlog',`
type varnishlog_var_run_t;
')
@@ -3297,8 +3270,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/varnishd.if.ptrace serefpoli
init_labeled_script_domtrans($1, varnishd_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/vdagent.if.ptrace serefpolicy-3.10.0/policy/modules/services/vdagent.if
---- serefpolicy-3.10.0/policy/modules/services/vdagent.if.ptrace 2011-11-04 16:06:58.846889040 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/vdagent.if 2011-11-04 16:06:59.223890003 -0400
+--- serefpolicy-3.10.0/policy/modules/services/vdagent.if.ptrace 2011-11-04 16:32:07.580066172 -0400
++++ serefpolicy-3.10.0/policy/modules/services/vdagent.if 2011-11-04 16:32:07.937066855 -0400
@@ -118,8 +118,11 @@ interface(`vdagent_admin',`
type vdagent_var_run_t;
')
@@ -3313,8 +3286,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/vdagent.if.ptrace serefpolic
files_search_pids($1)
admin_pattern($1, vdagent_var_run_t)
diff -up serefpolicy-3.10.0/policy/modules/services/vhostmd.if.ptrace serefpolicy-3.10.0/policy/modules/services/vhostmd.if
---- serefpolicy-3.10.0/policy/modules/services/vhostmd.if.ptrace 2011-11-04 16:06:58.847889043 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/vhostmd.if 2011-11-04 16:06:59.224890005 -0400
+--- serefpolicy-3.10.0/policy/modules/services/vhostmd.if.ptrace 2011-11-04 16:32:07.581066174 -0400
++++ serefpolicy-3.10.0/policy/modules/services/vhostmd.if 2011-11-04 16:32:07.938066856 -0400
@@ -210,8 +210,11 @@ interface(`vhostmd_admin',`
type vhostmd_t, vhostmd_initrc_exec_t;
')
@@ -3329,8 +3302,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/vhostmd.if.ptrace serefpolic
vhostmd_initrc_domtrans($1)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/virt.if.ptrace serefpolicy-3.10.0/policy/modules/services/virt.if
---- serefpolicy-3.10.0/policy/modules/services/virt.if.ptrace 2011-11-04 16:06:58.849889049 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/virt.if 2011-11-04 16:06:59.225890008 -0400
+--- serefpolicy-3.10.0/policy/modules/services/virt.if.ptrace 2011-11-04 16:32:07.584066180 -0400
++++ serefpolicy-3.10.0/policy/modules/services/virt.if 2011-11-04 16:32:07.939066857 -0400
@@ -620,10 +620,14 @@ interface(`virt_admin',`
type virt_lxc_t;
')
@@ -3358,8 +3331,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/virt.if.ptrace serefpolicy-3
########################################
diff -up serefpolicy-3.10.0/policy/modules/services/virt.te.ptrace serefpolicy-3.10.0/policy/modules/services/virt.te
---- serefpolicy-3.10.0/policy/modules/services/virt.te.ptrace 2011-11-04 16:06:58.960889332 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/virt.te 2011-11-04 16:06:59.226890011 -0400
+--- serefpolicy-3.10.0/policy/modules/services/virt.te.ptrace 2011-11-04 16:32:07.695066392 -0400
++++ serefpolicy-3.10.0/policy/modules/services/virt.te 2011-11-04 16:32:07.941066862 -0400
@@ -250,7 +250,7 @@ optional_policy(`
# virtd local policy
#
@@ -3378,8 +3351,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/virt.te.ptrace serefpolicy-3
allow virtd_t svirt_lxc_domain:process { signal_perms };
allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill };
diff -up serefpolicy-3.10.0/policy/modules/services/vnstatd.if.ptrace serefpolicy-3.10.0/policy/modules/services/vnstatd.if
---- serefpolicy-3.10.0/policy/modules/services/vnstatd.if.ptrace 2011-11-04 16:06:58.852889055 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/vnstatd.if 2011-11-04 16:06:59.227890014 -0400
+--- serefpolicy-3.10.0/policy/modules/services/vnstatd.if.ptrace 2011-11-04 16:32:07.587066186 -0400
++++ serefpolicy-3.10.0/policy/modules/services/vnstatd.if 2011-11-04 16:32:07.942066864 -0400
@@ -136,8 +136,11 @@ interface(`vnstatd_admin',`
type vnstatd_t, vnstatd_var_lib_t;
')
@@ -3394,8 +3367,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/vnstatd.if.ptrace serefpolic
files_list_var_lib($1)
admin_pattern($1, vnstatd_var_lib_t)
diff -up serefpolicy-3.10.0/policy/modules/services/wdmd.if.ptrace serefpolicy-3.10.0/policy/modules/services/wdmd.if
---- serefpolicy-3.10.0/policy/modules/services/wdmd.if.ptrace 2011-11-04 16:06:58.855889063 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/wdmd.if 2011-11-04 16:06:59.228890017 -0400
+--- serefpolicy-3.10.0/policy/modules/services/wdmd.if.ptrace 2011-11-04 16:32:07.589066189 -0400
++++ serefpolicy-3.10.0/policy/modules/services/wdmd.if 2011-11-04 16:32:07.943066866 -0400
@@ -62,8 +62,11 @@ interface(`wdmd_admin',`
type wdmd_initrc_exec_t;
')
@@ -3410,8 +3383,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/wdmd.if.ptrace serefpolicy-3
wdmd_initrc_domtrans($1)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/xserver.te.ptrace serefpolicy-3.10.0/policy/modules/services/xserver.te
---- serefpolicy-3.10.0/policy/modules/services/xserver.te.ptrace 2011-11-04 16:06:59.024889495 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/xserver.te 2011-11-04 16:06:59.230890022 -0400
+--- serefpolicy-3.10.0/policy/modules/services/xserver.te.ptrace 2011-11-04 16:32:07.731066459 -0400
++++ serefpolicy-3.10.0/policy/modules/services/xserver.te 2011-11-04 16:32:07.944066868 -0400
@@ -417,8 +417,13 @@ optional_policy(`
# XDM Local policy
#
@@ -3439,8 +3412,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/xserver.te.ptrace serefpolic
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
diff -up serefpolicy-3.10.0/policy/modules/services/zabbix.if.ptrace serefpolicy-3.10.0/policy/modules/services/zabbix.if
---- serefpolicy-3.10.0/policy/modules/services/zabbix.if.ptrace 2011-11-04 16:06:58.863889083 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/zabbix.if 2011-11-04 16:06:59.230890022 -0400
+--- serefpolicy-3.10.0/policy/modules/services/zabbix.if.ptrace 2011-11-04 16:32:07.597066205 -0400
++++ serefpolicy-3.10.0/policy/modules/services/zabbix.if 2011-11-04 16:32:07.945066870 -0400
@@ -142,8 +142,11 @@ interface(`zabbix_admin',`
type zabbix_initrc_exec_t;
')
@@ -3455,8 +3428,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/zabbix.if.ptrace serefpolicy
init_labeled_script_domtrans($1, zabbix_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/services/zebra.if.ptrace serefpolicy-3.10.0/policy/modules/services/zebra.if
---- serefpolicy-3.10.0/policy/modules/services/zebra.if.ptrace 2011-11-04 16:06:58.866889092 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/zebra.if 2011-11-04 16:06:59.231890024 -0400
+--- serefpolicy-3.10.0/policy/modules/services/zebra.if.ptrace 2011-11-04 16:32:07.601066212 -0400
++++ serefpolicy-3.10.0/policy/modules/services/zebra.if 2011-11-04 16:32:07.946066872 -0400
@@ -64,8 +64,11 @@ interface(`zebra_admin',`
type zebra_conf_t, zebra_var_run_t, zebra_initrc_exec_t;
')
@@ -3471,8 +3444,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/zebra.if.ptrace serefpolicy-
init_labeled_script_domtrans($1, zebra_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/system/hotplug.te.ptrace serefpolicy-3.10.0/policy/modules/system/hotplug.te
---- serefpolicy-3.10.0/policy/modules/system/hotplug.te.ptrace 2011-11-04 16:06:58.880889126 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/hotplug.te 2011-11-04 16:06:59.232890026 -0400
+--- serefpolicy-3.10.0/policy/modules/system/hotplug.te.ptrace 2011-11-04 16:32:07.615066238 -0400
++++ serefpolicy-3.10.0/policy/modules/system/hotplug.te 2011-11-04 16:32:07.946066872 -0400
@@ -23,7 +23,7 @@ files_pid_file(hotplug_var_run_t)
#
@@ -3483,8 +3456,8 @@ diff -up serefpolicy-3.10.0/policy/modules/system/hotplug.te.ptrace serefpolicy-
dontaudit hotplug_t self:capability { dac_override dac_read_search };
allow hotplug_t self:process { setpgid getsession getattr signal_perms };
diff -up serefpolicy-3.10.0/policy/modules/system/init.if.ptrace serefpolicy-3.10.0/policy/modules/system/init.if
---- serefpolicy-3.10.0/policy/modules/system/init.if.ptrace 2011-11-04 16:06:58.882889132 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/init.if 2011-11-04 16:06:59.233890028 -0400
+--- serefpolicy-3.10.0/policy/modules/system/init.if.ptrace 2011-11-04 16:32:07.618066244 -0400
++++ serefpolicy-3.10.0/policy/modules/system/init.if 2011-11-04 16:32:07.948066876 -0400
@@ -1123,7 +1123,9 @@ interface(`init_ptrace',`
type init_t;
')
@@ -3497,8 +3470,8 @@ diff -up serefpolicy-3.10.0/policy/modules/system/init.if.ptrace serefpolicy-3.1
########################################
diff -up serefpolicy-3.10.0/policy/modules/system/init.te.ptrace serefpolicy-3.10.0/policy/modules/system/init.te
---- serefpolicy-3.10.0/policy/modules/system/init.te.ptrace 2011-11-04 16:06:58.994889419 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/init.te 2011-11-04 16:06:59.235890034 -0400
+--- serefpolicy-3.10.0/policy/modules/system/init.te.ptrace 2011-11-04 16:32:07.732066461 -0400
++++ serefpolicy-3.10.0/policy/modules/system/init.te 2011-11-04 16:32:07.950066880 -0400
@@ -121,7 +121,7 @@ ifdef(`enable_mls',`
#
@@ -3519,8 +3492,8 @@ diff -up serefpolicy-3.10.0/policy/modules/system/init.te.ptrace serefpolicy-3.1
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
diff -up serefpolicy-3.10.0/policy/modules/system/ipsec.te.ptrace serefpolicy-3.10.0/policy/modules/system/ipsec.te
---- serefpolicy-3.10.0/policy/modules/system/ipsec.te.ptrace 2011-11-04 16:06:58.887889145 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/ipsec.te 2011-11-04 16:06:59.236890037 -0400
+--- serefpolicy-3.10.0/policy/modules/system/ipsec.te.ptrace 2011-11-04 16:32:07.622066252 -0400
++++ serefpolicy-3.10.0/policy/modules/system/ipsec.te 2011-11-04 16:32:07.951066882 -0400
@@ -73,7 +73,7 @@ role system_r types setkey_t;
#
@@ -3552,8 +3525,8 @@ diff -up serefpolicy-3.10.0/policy/modules/system/ipsec.te.ptrace serefpolicy-3.
domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t)
diff -up serefpolicy-3.10.0/policy/modules/system/iscsi.te.ptrace serefpolicy-3.10.0/policy/modules/system/iscsi.te
---- serefpolicy-3.10.0/policy/modules/system/iscsi.te.ptrace 2011-11-04 16:06:58.890889152 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/iscsi.te 2011-11-04 16:06:59.237890040 -0400
+--- serefpolicy-3.10.0/policy/modules/system/iscsi.te.ptrace 2011-11-04 16:32:07.625066258 -0400
++++ serefpolicy-3.10.0/policy/modules/system/iscsi.te 2011-11-04 16:32:07.952066884 -0400
@@ -31,7 +31,6 @@ files_pid_file(iscsi_var_run_t)
#
@@ -3563,8 +3536,8 @@ diff -up serefpolicy-3.10.0/policy/modules/system/iscsi.te.ptrace serefpolicy-3.
allow iscsid_t self:fifo_file rw_fifo_file_perms;
allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
diff -up serefpolicy-3.10.0/policy/modules/system/locallogin.te.ptrace serefpolicy-3.10.0/policy/modules/system/locallogin.te
---- serefpolicy-3.10.0/policy/modules/system/locallogin.te.ptrace 2011-11-04 16:06:58.895889166 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/locallogin.te 2011-11-04 16:06:59.237890040 -0400
+--- serefpolicy-3.10.0/policy/modules/system/locallogin.te.ptrace 2011-11-04 16:32:07.630066268 -0400
++++ serefpolicy-3.10.0/policy/modules/system/locallogin.te 2011-11-04 16:32:07.953066886 -0400
@@ -35,7 +35,7 @@ role system_r types sulogin_t;
# Local login local policy
#
@@ -3575,8 +3548,8 @@ diff -up serefpolicy-3.10.0/policy/modules/system/locallogin.te.ptrace serefpoli
allow local_login_t self:fd use;
allow local_login_t self:fifo_file rw_fifo_file_perms;
diff -up serefpolicy-3.10.0/policy/modules/system/logging.if.ptrace serefpolicy-3.10.0/policy/modules/system/logging.if
---- serefpolicy-3.10.0/policy/modules/system/logging.if.ptrace 2011-11-04 16:06:58.897889170 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/logging.if 2011-11-04 16:06:59.238890043 -0400
+--- serefpolicy-3.10.0/policy/modules/system/logging.if.ptrace 2011-11-04 16:32:07.632066271 -0400
++++ serefpolicy-3.10.0/policy/modules/system/logging.if 2011-11-04 16:32:07.954066888 -0400
@@ -1095,9 +1095,13 @@ interface(`logging_admin_audit',`
type auditd_initrc_exec_t;
')
@@ -3610,8 +3583,8 @@ diff -up serefpolicy-3.10.0/policy/modules/system/logging.if.ptrace serefpolicy-
manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
diff -up serefpolicy-3.10.0/policy/modules/system/mount.te.ptrace serefpolicy-3.10.0/policy/modules/system/mount.te
---- serefpolicy-3.10.0/policy/modules/system/mount.te.ptrace 2011-11-04 16:06:58.907889195 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/mount.te 2011-11-04 16:06:59.239890045 -0400
+--- serefpolicy-3.10.0/policy/modules/system/mount.te.ptrace 2011-11-04 16:32:07.643066293 -0400
++++ serefpolicy-3.10.0/policy/modules/system/mount.te 2011-11-04 16:32:07.954066888 -0400
@@ -48,7 +48,11 @@ role system_r types showmount_t;
# setuid/setgid needed to mount cifs
@@ -3626,8 +3599,8 @@ diff -up serefpolicy-3.10.0/policy/modules/system/mount.te.ptrace serefpolicy-3.
allow mount_t self:unix_stream_socket create_stream_socket_perms;
allow mount_t self:unix_dgram_socket create_socket_perms;
diff -up serefpolicy-3.10.0/policy/modules/system/sysnetwork.te.ptrace serefpolicy-3.10.0/policy/modules/system/sysnetwork.te
---- serefpolicy-3.10.0/policy/modules/system/sysnetwork.te.ptrace 2011-11-04 16:06:58.918889224 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/sysnetwork.te 2011-11-04 16:06:59.240890047 -0400
+--- serefpolicy-3.10.0/policy/modules/system/sysnetwork.te.ptrace 2011-11-04 16:32:07.654066313 -0400
++++ serefpolicy-3.10.0/policy/modules/system/sysnetwork.te 2011-11-04 16:32:07.955066890 -0400
@@ -51,10 +51,13 @@ files_config_file(net_conf_t)
# DHCP client local policy
#
@@ -3645,8 +3618,8 @@ diff -up serefpolicy-3.10.0/policy/modules/system/sysnetwork.te.ptrace serefpoli
allow dhcpc_t self:fifo_file rw_fifo_file_perms;
allow dhcpc_t self:tcp_socket create_stream_socket_perms;
diff -up serefpolicy-3.10.0/policy/modules/system/udev.te.ptrace serefpolicy-3.10.0/policy/modules/system/udev.te
---- serefpolicy-3.10.0/policy/modules/system/udev.te.ptrace 2011-11-04 16:06:58.922889235 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/udev.te 2011-11-04 16:06:59.241890049 -0400
+--- serefpolicy-3.10.0/policy/modules/system/udev.te.ptrace 2011-11-04 16:32:07.659066323 -0400
++++ serefpolicy-3.10.0/policy/modules/system/udev.te 2011-11-04 16:32:07.956066892 -0400
@@ -34,7 +34,7 @@ ifdef(`enable_mcs',`
# Local policy
#
@@ -3670,8 +3643,8 @@ diff -up serefpolicy-3.10.0/policy/modules/system/udev.te.ptrace serefpolicy-3.1
allow udev_t self:fd use;
allow udev_t self:fifo_file rw_fifo_file_perms;
diff -up serefpolicy-3.10.0/policy/modules/system/unconfined.if.ptrace serefpolicy-3.10.0/policy/modules/system/unconfined.if
---- serefpolicy-3.10.0/policy/modules/system/unconfined.if.ptrace 2011-11-04 16:06:58.944889290 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/unconfined.if 2011-11-04 16:06:59.242890051 -0400
+--- serefpolicy-3.10.0/policy/modules/system/unconfined.if.ptrace 2011-11-04 16:32:07.680066363 -0400
++++ serefpolicy-3.10.0/policy/modules/system/unconfined.if 2011-11-04 16:32:07.957066893 -0400
@@ -18,7 +18,12 @@ interface(`unconfined_domain_noaudit',`
')
@@ -3687,11 +3660,11 @@ diff -up serefpolicy-3.10.0/policy/modules/system/unconfined.if.ptrace serefpoli
allow $1 self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if.ptrace serefpolicy-3.10.0/policy/modules/system/userdomain.if
---- serefpolicy-3.10.0/policy/modules/system/userdomain.if.ptrace 2011-11-04 16:06:59.027889502 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/userdomain.if 2011-11-04 16:06:59.244890057 -0400
-@@ -40,7 +40,10 @@ template(`userdom_base_user_template',`
- role $1_r types $1_t;
- allow system_r $1_r;
+--- serefpolicy-3.10.0/policy/modules/system/userdomain.if.ptrace 2011-11-04 16:32:07.735066469 -0400
++++ serefpolicy-3.10.0/policy/modules/system/userdomain.if 2011-11-04 16:32:07.960066899 -0400
+@@ -47,7 +47,10 @@ template(`userdom_base_user_template',`
+ term_user_tty($1_t, user_tty_device_t)
+ term_dontaudit_getattr_generic_ptys($1_t)
- allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
+ allow $1_usertype $1_usertype:process { signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
@@ -3699,9 +3672,9 @@ diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if.ptrace serefpoli
+ allow $1_usertype $1_usertype:process ptrace;
+ ')
allow $1_usertype $1_usertype:fd use;
- allow $1_usertype $1_usertype:key { create view read write search link setattr };
+ allow $1_usertype $1_t:key { create view read write search link setattr };
-@@ -594,7 +597,7 @@ template(`userdom_login_user_template',
+@@ -903,7 +906,7 @@ template(`userdom_login_user_template',
allow $1_t self:capability { setgid chown fowner };
dontaudit $1_t self:capability { sys_nice fsetid };
@@ -3710,7 +3683,7 @@ diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if.ptrace serefpoli
dontaudit $1_t self:process setrlimit;
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
-@@ -1052,7 +1055,10 @@ template(`userdom_admin_user_template',`
+@@ -1364,7 +1367,10 @@ template(`userdom_admin_user_template',`
# $1_t local policy
#
@@ -3722,7 +3695,7 @@ diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if.ptrace serefpoli
allow $1_t self:capability2 syslog;
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
-@@ -3693,7 +3699,9 @@ interface(`userdom_ptrace_all_users',`
+@@ -4001,7 +4007,9 @@ interface(`userdom_ptrace_all_users',`
attribute userdomain;
')
@@ -3734,8 +3707,8 @@ diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if.ptrace serefpoli
########################################
diff -up serefpolicy-3.10.0/policy/modules/system/xen.te.ptrace serefpolicy-3.10.0/policy/modules/system/xen.te
---- serefpolicy-3.10.0/policy/modules/system/xen.te.ptrace 2011-11-04 16:06:58.932889260 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/xen.te 2011-11-04 16:06:59.245890060 -0400
+--- serefpolicy-3.10.0/policy/modules/system/xen.te.ptrace 2011-11-04 16:32:07.669066342 -0400
++++ serefpolicy-3.10.0/policy/modules/system/xen.te 2011-11-04 16:32:07.961066900 -0400
@@ -206,7 +206,6 @@ tunable_policy(`xend_run_qemu',`
#
diff --git a/selinux-policy.spec b/selinux-policy.spec
index fd06d08..01633d5 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -26,7 +26,6 @@ patch1: unconfined_permissive.patch
patch2: passwd.patch
patch3: thumb.patch
patch4: execmem.patch
-patch5: userdomain.patch
patch6: apache.patch
patch7: ptrace.patch
patch8: qemu.patch
@@ -249,7 +248,6 @@ Based off of reference policy: Checked out revision 2.20091117
%patch2 -p1 -b .passwd
%patch3 -p1
%patch4 -p1 -b .execmem
-%patch5 -p1 -b .userdomain
%patch6 -p1 -b .apache
%patch7 -p1 -b .ptrace
%patch8 -p1 -b .qemu
diff --git a/userdomain.patch b/userdomain.patch
index ede7164..e69de29 100644
--- a/userdomain.patch
+++ b/userdomain.patch
@@ -1,1407 +0,0 @@
-diff -up serefpolicy-3.10.0/policy/modules/admin/usermanage.if.userdomain serefpolicy-3.10.0/policy/modules/admin/usermanage.if
---- serefpolicy-3.10.0/policy/modules/admin/usermanage.if.userdomain 2011-11-04 16:05:53.310721291 -0400
-+++ serefpolicy-3.10.0/policy/modules/admin/usermanage.if 2011-11-04 16:05:53.930722881 -0400
-@@ -308,7 +308,7 @@ interface(`usermanage_run_useradd',`
- role $2 types useradd_t;
-
- # Add/remove user home directories
-- userdom_manage_home_role($2, useradd_t)
-+ userdom_manage_home_role($2)
-
- seutil_run_semanage(useradd_t, $2)
-
-diff -up serefpolicy-3.10.0/policy/modules/admin/usermanage.te.userdomain serefpolicy-3.10.0/policy/modules/admin/usermanage.te
---- serefpolicy-3.10.0/policy/modules/admin/usermanage.te.userdomain 2011-11-04 16:05:53.876722742 -0400
-+++ serefpolicy-3.10.0/policy/modules/admin/usermanage.te 2011-11-04 16:05:53.931722884 -0400
-@@ -517,7 +517,7 @@ seutil_domtrans_setfiles(useradd_t)
- userdom_use_unpriv_users_fds(useradd_t)
- # Add/remove user home directories
- userdom_home_filetrans_user_home_dir(useradd_t)
--userdom_manage_home_role(system_r, useradd_t)
-+userdom_manage_home(useradd_t)
-
- mta_manage_spool(useradd_t)
-
-diff -up serefpolicy-3.10.0/policy/modules/apps/execmem.if.userdomain serefpolicy-3.10.0/policy/modules/apps/execmem.if
---- serefpolicy-3.10.0/policy/modules/apps/execmem.if.userdomain 2011-11-04 16:05:53.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/execmem.if 2011-11-04 16:06:10.897766368 -0400
-@@ -58,8 +58,6 @@ template(`execmem_role_template',`
-
- userdom_unpriv_usertype($1, $1_execmem_t)
- userdom_common_user($1_execmem_t)
-- userdom_manage_tmp_role($2, $1_execmem_t)
-- userdom_manage_tmpfs_role($2, $1_execmem_t)
-
- allow $1_execmem_t self:process { execmem execstack };
- allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms };
-diff -up serefpolicy-3.10.0/policy/modules/apps/java.if.userdomain serefpolicy-3.10.0/policy/modules/apps/java.if
---- serefpolicy-3.10.0/policy/modules/apps/java.if.userdomain 2011-11-04 16:05:53.331721346 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/java.if 2011-11-04 16:05:53.933722889 -0400
-@@ -73,7 +73,8 @@ template(`java_role_template',`
- domain_interactive_fd($1_java_t)
-
- userdom_unpriv_usertype($1, $1_java_t)
-- userdom_manage_tmpfs_role($2, $1_java_t)
-+ userdom_manage_tmpfs_role($2)
-+ userdom_manage_tmpfs($1_java_t)
-
- allow $1_java_t self:process { ptrace signal getsched execmem execstack };
-
-diff -up serefpolicy-3.10.0/policy/modules/apps/mono.if.userdomain serefpolicy-3.10.0/policy/modules/apps/mono.if
---- serefpolicy-3.10.0/policy/modules/apps/mono.if.userdomain 2011-11-04 16:05:53.338721365 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/mono.if 2011-11-04 16:05:53.934722892 -0400
-@@ -49,7 +49,8 @@ template(`mono_role_template',`
- corecmd_bin_domtrans($1_mono_t, $1_t)
-
- userdom_unpriv_usertype($1, $1_mono_t)
-- userdom_manage_tmpfs_role($2, $1_mono_t)
-+ userdom_manage_tmpfs_role($2)
-+ userdom_manage_tmpfs($1_mono_t)
-
- optional_policy(`
- xserver_role($1_r, $1_mono_t)
-diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.if.userdomain serefpolicy-3.10.0/policy/modules/apps/mozilla.if
---- serefpolicy-3.10.0/policy/modules/apps/mozilla.if.userdomain 2011-11-04 16:05:53.340721370 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/mozilla.if 2011-11-04 16:05:53.935722894 -0400
-@@ -51,7 +51,7 @@ interface(`mozilla_role',`
- mozilla_run_plugin(mozilla_t, $1)
- mozilla_dbus_chat($2)
-
-- userdom_manage_tmp_role($1, mozilla_t)
-+ userdom_manage_tmp_role($1)
-
- optional_policy(`
- nsplugin_role($1, mozilla_t)
-diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.userdomain serefpolicy-3.10.0/policy/modules/apps/nsplugin.if
---- serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.userdomain 2011-11-04 16:05:53.345721381 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.if 2011-11-04 16:05:53.936722896 -0400
-@@ -103,7 +103,7 @@ ifdef(`hide_broken_symptoms', `
- userdom_use_inherited_user_terminals(nsplugin_t)
- userdom_use_inherited_user_terminals(nsplugin_config_t)
- userdom_dontaudit_setattr_user_home_content_files(nsplugin_t)
-- userdom_manage_tmpfs_role($1, nsplugin_t)
-+ userdom_manage_tmpfs_role($1)
-
- optional_policy(`
- pulseaudio_role($1, nsplugin_t)
-diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.userdomain serefpolicy-3.10.0/policy/modules/apps/nsplugin.te
---- serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.userdomain 2011-11-04 16:05:53.346721384 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.te 2011-11-04 16:05:53.937722899 -0400
-@@ -281,6 +281,7 @@ userdom_search_user_home_content(nsplugi
- userdom_read_user_home_content_symlinks(nsplugin_config_t)
- userdom_read_user_home_content_files(nsplugin_config_t)
- userdom_dontaudit_search_admin_dir(nsplugin_config_t)
-+userdom_manage_tmpfs(nsplugin_t)
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_getattr_nfs(nsplugin_t)
-diff -up serefpolicy-3.10.0/policy/modules/apps/pulseaudio.if.userdomain serefpolicy-3.10.0/policy/modules/apps/pulseaudio.if
---- serefpolicy-3.10.0/policy/modules/apps/pulseaudio.if.userdomain 2011-11-04 16:05:53.350721394 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/pulseaudio.if 2011-11-04 16:05:53.937722899 -0400
-@@ -35,9 +35,9 @@ interface(`pulseaudio_role',`
- allow pulseaudio_t $2:unix_stream_socket connectto;
- allow $2 pulseaudio_t:unix_stream_socket connectto;
-
-- userdom_manage_home_role($1, pulseaudio_t)
-- userdom_manage_tmp_role($1, pulseaudio_t)
-- userdom_manage_tmpfs_role($1, pulseaudio_t)
-+ userdom_manage_home_role($1)
-+ userdom_manage_tmp_role($1)
-+ userdom_manage_tmpfs_role($1)
-
- allow $2 pulseaudio_t:dbus send_msg;
- allow pulseaudio_t $2:dbus { acquire_svc send_msg };
-diff -up serefpolicy-3.10.0/policy/modules/apps/pulseaudio.te.userdomain serefpolicy-3.10.0/policy/modules/apps/pulseaudio.te
---- serefpolicy-3.10.0/policy/modules/apps/pulseaudio.te.userdomain 2011-11-04 16:05:53.350721394 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/pulseaudio.te 2011-11-04 16:05:53.938722902 -0400
-@@ -95,6 +95,10 @@ logging_send_syslog_msg(pulseaudio_t)
-
- miscfiles_read_localization(pulseaudio_t)
-
-+userdom_manage_home(pulseaudio_t)
-+userdom_manage_tmp(pulseaudio_t)
-+userdom_manage_tmpfs(pulseaudio_t)
-+
- optional_policy(`
- alsa_read_rw_config(pulseaudio_t)
- ')
-diff -up serefpolicy-3.10.0/policy/modules/apps/userhelper.if.userdomain serefpolicy-3.10.0/policy/modules/apps/userhelper.if
---- serefpolicy-3.10.0/policy/modules/apps/userhelper.if.userdomain 2011-11-04 16:05:53.368721439 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/userhelper.if 2011-11-04 16:05:53.939722905 -0400
-@@ -294,7 +294,7 @@ template(`userhelper_console_role_templa
-
- auth_use_pam($1_consolehelper_t)
-
-- userdom_manage_tmpfs_role($2, $1_consolehelper_t)
-+ userdom_manage_tmpfs_role($2)
-
- optional_policy(`
- dbus_connect_session_bus($1_consolehelper_t)
-diff -up serefpolicy-3.10.0/policy/modules/apps/userhelper.te.userdomain serefpolicy-3.10.0/policy/modules/apps/userhelper.te
---- serefpolicy-3.10.0/policy/modules/apps/userhelper.te.userdomain 2011-11-04 16:05:53.369721443 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/userhelper.te 2011-11-04 16:05:53.940722908 -0400
-@@ -65,6 +65,7 @@ userhelper_exec(consolehelper_domain)
- userdom_use_user_ptys(consolehelper_domain)
- userdom_use_user_ttys(consolehelper_domain)
- userdom_read_user_home_content_files(consolehelper_domain)
-+userdom_manage_tmpfs(consolehelper_domain)
-
- optional_policy(`
- gnome_read_gconf_home_files(consolehelper_domain)
-diff -up serefpolicy-3.10.0/policy/modules/apps/wine.if.userdomain serefpolicy-3.10.0/policy/modules/apps/wine.if
---- serefpolicy-3.10.0/policy/modules/apps/wine.if.userdomain 2011-11-04 16:05:53.374721456 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/wine.if 2011-11-04 16:05:53.940722908 -0400
-@@ -105,7 +105,8 @@ template(`wine_role_template',`
- corecmd_bin_domtrans($1_wine_t, $1_t)
-
- userdom_unpriv_usertype($1, $1_wine_t)
-- userdom_manage_tmpfs_role($2, $1_wine_t)
-+ userdom_manage_tmpfs_role($2)
-+ userdom_manage_tmpfs($1_wine_t)
-
- domain_mmap_low($1_wine_t)
-
-diff -up serefpolicy-3.10.0/policy/modules/apps/wm.if.userdomain serefpolicy-3.10.0/policy/modules/apps/wm.if
---- serefpolicy-3.10.0/policy/modules/apps/wm.if.userdomain 2011-11-04 16:05:53.376721460 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/wm.if 2011-11-04 16:05:53.941722910 -0400
-@@ -77,9 +77,13 @@ template(`wm_role_template',`
- miscfiles_read_fonts($1_wm_t)
- miscfiles_read_localization($1_wm_t)
-
-- userdom_manage_home_role($2, $1_wm_t)
-- userdom_manage_tmpfs_role($2, $1_wm_t)
-- userdom_manage_tmp_role($2, $1_wm_t)
-+ userdom_manage_home_role($2)
-+ userdom_manage_home($1_wm_t)
-+ userdom_manage_tmpfs_role($2)
-+ userdom_manage_tmpfs($1_wm_t)
-+ userdom_manage_tmp_role($2)
-+ userdom_manage_tmp($1_wm_t)
-+
- userdom_exec_user_tmp_files($1_wm_t)
-
- optional_policy(`
-diff -up serefpolicy-3.10.0/policy/modules/roles/sysadm.te.userdomain serefpolicy-3.10.0/policy/modules/roles/sysadm.te
---- serefpolicy-3.10.0/policy/modules/roles/sysadm.te.userdomain 2011-11-04 16:05:53.907722823 -0400
-+++ serefpolicy-3.10.0/policy/modules/roles/sysadm.te 2011-11-04 16:05:53.942722912 -0400
-@@ -61,7 +61,8 @@ sysnet_filetrans_named_content(sysadm_t)
- # Add/remove user home directories
- userdom_manage_user_home_dirs(sysadm_t)
- userdom_home_filetrans_user_home_dir(sysadm_t)
--userdom_manage_tmp_role(sysadm_r, sysadm_t)
-+userdom_manage_tmp_role(sysadm_r)
-+userdom_manage_tmp(sysadm_t)
-
- optional_policy(`
- alsa_filetrans_named_content(sysadm_t)
-diff -up serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.userdomain serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te
---- serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.userdomain 2011-11-04 16:05:53.908722825 -0400
-+++ serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te 2011-11-04 16:05:53.943722914 -0400
-@@ -45,9 +45,12 @@ gen_tunable(unconfined_login, true)
- # calls is not correct, however we dont currently
- # have another method to add access to these types
- userdom_base_user_template(unconfined)
--userdom_manage_home_role(unconfined_r, unconfined_t)
--userdom_manage_tmp_role(unconfined_r, unconfined_t)
--userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
-+userdom_manage_home_role(unconfined_r)
-+userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file sock_file fifo_file })
-+userdom_manage_tmp_role(unconfined_r)
-+userdom_manage_tmp(unconfined_t)
-+userdom_manage_tmpfs_role(unconfined_r)
-+userdom_manage_tmpfs(unconfined_t)
- userdom_unpriv_usertype(unconfined, unconfined_t)
-
- type unconfined_exec_t;
-@@ -309,9 +312,13 @@ optional_policy(`
- lpd_run_checkpc(unconfined_t, unconfined_r)
- ')
-
--#optional_policy(`
--# mock_role(unconfined_r, unconfined_t)
--#')
-+optional_policy(`
-+ mock_role(unconfined_r, unconfined_t)
-+')
-+
-+optional_policy(`
-+ thumb_role(unconfined_r, unconfined_usertype)
-+')
-
- optional_policy(`
- modutils_run_update_mods(unconfined_t, unconfined_r)
-diff -up serefpolicy-3.10.0/policy/modules/services/rshd.te.userdomain serefpolicy-3.10.0/policy/modules/services/rshd.te
---- serefpolicy-3.10.0/policy/modules/services/rshd.te.userdomain 2011-11-04 16:05:53.712722323 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/rshd.te 2011-11-04 16:05:53.944722916 -0400
-@@ -66,7 +66,7 @@ seutil_read_config(rshd_t)
- seutil_read_default_contexts(rshd_t)
-
- userdom_search_user_home_content(rshd_t)
--userdom_manage_tmp_role(system_r, rshd_t)
-+userdom_manage_tmp(rshd_t)
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(rshd_t)
-diff -up serefpolicy-3.10.0/policy/modules/services/ssh.if.userdomain serefpolicy-3.10.0/policy/modules/services/ssh.if
---- serefpolicy-3.10.0/policy/modules/services/ssh.if.userdomain 2011-11-04 16:05:53.743722402 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ssh.if 2011-11-04 16:05:53.945722918 -0400
-@@ -380,7 +380,7 @@ template(`ssh_role_template',`
- manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t)
- manage_sock_files_pattern($3, ssh_home_t, ssh_home_t)
- userdom_search_user_home_dirs($1_t)
-- userdom_manage_tmp_role($2, ssh_t)
-+ userdom_manage_tmp(ssh_t)
-
- ##############################
- #
-diff -up serefpolicy-3.10.0/policy/modules/services/ssh.te.userdomain serefpolicy-3.10.0/policy/modules/services/ssh.te
---- serefpolicy-3.10.0/policy/modules/services/ssh.te.userdomain 2011-11-04 16:05:53.744722405 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ssh.te 2011-11-04 16:05:53.946722921 -0400
-@@ -200,6 +200,7 @@ userdom_read_user_tmp_files(ssh_t)
- userdom_write_user_tmp_files(ssh_t)
- userdom_read_user_home_content_symlinks(ssh_t)
- userdom_read_home_certs(ssh_t)
-+userdom_manage_tmp(ssh_t)
-
- tunable_policy(`allow_ssh_keysign',`
- domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
-@@ -280,7 +281,7 @@ corenet_sendrecv_xserver_server_packets(
-
- userdom_read_user_home_content_files(sshd_t)
- userdom_read_user_home_content_symlinks(sshd_t)
--userdom_manage_tmp_role(system_r, sshd_t)
-+userdom_manage_tmp(sshd_t)
- userdom_spec_domtrans_unpriv_users(sshd_t)
- userdom_signal_unpriv_users(sshd_t)
- userdom_dyntransition_unpriv_users(sshd_t)
-diff -up serefpolicy-3.10.0/policy/modules/services/sssd.te.userdomain serefpolicy-3.10.0/policy/modules/services/sssd.te
---- serefpolicy-3.10.0/policy/modules/services/sssd.te.userdomain 2011-11-04 16:05:53.746722410 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/sssd.te 2011-11-04 16:05:53.947722925 -0400
-@@ -97,7 +97,7 @@ miscfiles_read_generic_certs(sssd_t)
- sysnet_dns_name_resolve(sssd_t)
- sysnet_use_ldap(sssd_t)
-
--userdom_manage_tmp_role(system_r, sssd_t)
-+userdom_manage_tmp(sssd_t)
-
- optional_policy(`
- dbus_system_bus_client(sssd_t)
-diff -up serefpolicy-3.10.0/policy/modules/services/xserver.te.userdomain serefpolicy-3.10.0/policy/modules/services/xserver.te
---- serefpolicy-3.10.0/policy/modules/services/xserver.te.userdomain 2011-11-04 16:05:53.915722843 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/xserver.te 2011-11-04 16:05:53.948722929 -0400
-@@ -672,7 +672,7 @@ userdom_stream_connect(xdm_t)
- userdom_manage_user_tmp_dirs(xdm_t)
- userdom_manage_user_tmp_files(xdm_t)
- userdom_manage_user_tmp_sockets(xdm_t)
--userdom_manage_tmpfs_role(system_r, xdm_t)
-+userdom_manage_tmpfs(xdm_t)
-
- application_signal(xdm_t)
-
-diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if.userdomain serefpolicy-3.10.0/policy/modules/system/userdomain.if
---- serefpolicy-3.10.0/policy/modules/system/userdomain.if.userdomain 2011-11-04 16:05:53.920722856 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/userdomain.if 2011-11-04 16:05:53.951722936 -0400
-@@ -35,21 +35,14 @@ template(`userdom_base_user_template',`
- type $1_t, userdomain, $1_usertype;
- domain_type($1_t)
- role $1_r;
-- corecmd_shell_entry_type($1_t)
-- corecmd_bin_entry_type($1_t)
- domain_user_exemption_target($1_t)
- ubac_constrained($1_t)
- role $1_r types $1_t;
- allow system_r $1_r;
-
-- term_user_pty($1_t, user_devpts_t)
--
-- term_user_tty($1_t, user_tty_device_t)
-- term_dontaudit_getattr_generic_ptys($1_t)
--
- allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
- allow $1_usertype $1_usertype:fd use;
-- allow $1_usertype $1_t:key { create view read write search link setattr };
-+ allow $1_usertype $1_usertype:key { create view read write search link setattr };
-
- allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms;
- allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto };
-@@ -61,114 +54,7 @@ template(`userdom_base_user_template',`
- allow $1_usertype $1_usertype:context contains;
- dontaudit $1_usertype $1_usertype:socket create;
-
-- allow $1_usertype user_devpts_t:chr_file { setattr rw_chr_file_perms };
-- term_create_pty($1_usertype, user_devpts_t)
-- # avoid annoying messages on terminal hangup on role change
-- dontaudit $1_usertype user_devpts_t:chr_file ioctl;
--
-- allow $1_usertype user_tty_device_t:chr_file { setattr rw_chr_file_perms };
-- # avoid annoying messages on terminal hangup on role change
-- dontaudit $1_usertype user_tty_device_t:chr_file ioctl;
--
-- application_exec_all($1_usertype)
--
-- kernel_read_kernel_sysctls($1_usertype)
-- kernel_read_all_sysctls($1_usertype)
-- kernel_dontaudit_list_unlabeled($1_usertype)
-- kernel_dontaudit_getattr_unlabeled_files($1_usertype)
-- kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype)
-- kernel_dontaudit_getattr_unlabeled_pipes($1_usertype)
-- kernel_dontaudit_getattr_unlabeled_sockets($1_usertype)
-- kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype)
-- kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype)
-- kernel_dontaudit_list_proc($1_usertype)
--
-- dev_dontaudit_getattr_all_blk_files($1_usertype)
-- dev_dontaudit_getattr_all_chr_files($1_usertype)
-- dev_getattr_mtrr_dev($1_t)
--
-- # When the user domain runs ps, there will be a number of access
-- # denials when ps tries to search /proc. Do not audit these denials.
-- domain_dontaudit_read_all_domains_state($1_usertype)
-- domain_dontaudit_getattr_all_domains($1_usertype)
-- domain_dontaudit_getsession_all_domains($1_usertype)
-- dev_dontaudit_all_access_check($1_usertype)
--
-- files_read_etc_files($1_usertype)
-- files_list_mnt($1_usertype)
-- files_list_var($1_usertype)
-- files_read_mnt_files($1_usertype)
-- files_dontaudit_access_check_mnt($1_usertype)
-- files_read_etc_runtime_files($1_usertype)
-- files_read_usr_files($1_usertype)
-- files_read_usr_src_files($1_usertype)
-- # Read directories and files with the readable_t type.
-- # This type is a general type for "world"-readable files.
-- files_list_world_readable($1_usertype)
-- files_read_world_readable_files($1_usertype)
-- files_read_world_readable_symlinks($1_usertype)
-- files_read_world_readable_pipes($1_usertype)
-- files_read_world_readable_sockets($1_usertype)
-- # old broswer_domain():
-- files_dontaudit_getattr_all_dirs($1_usertype)
-- files_dontaudit_list_non_security($1_usertype)
-- files_dontaudit_getattr_all_files($1_usertype)
-- files_dontaudit_getattr_non_security_symlinks($1_usertype)
-- files_dontaudit_getattr_non_security_pipes($1_usertype)
-- files_dontaudit_getattr_non_security_sockets($1_usertype)
-- files_dontaudit_setattr_etc_runtime_files($1_usertype)
--
-- files_exec_usr_files($1_t)
--
-- fs_list_cgroup_dirs($1_usertype)
-- fs_dontaudit_rw_cgroup_files($1_usertype)
--
-- storage_rw_fuse($1_usertype)
--
- auth_use_nsswitch($1_t)
--
-- init_stream_connect($1_usertype)
-- # The library functions always try to open read-write first,
-- # then fall back to read-only if it fails.
-- init_dontaudit_rw_utmp($1_usertype)
--
-- libs_exec_ld_so($1_usertype)
--
-- logging_send_audit_msgs($1_t)
--
-- miscfiles_read_localization($1_t)
-- miscfiles_read_generic_certs($1_t)
--
-- miscfiles_read_all_certs($1_usertype)
-- miscfiles_read_localization($1_usertype)
-- miscfiles_read_man_pages($1_usertype)
-- miscfiles_read_public_files($1_usertype)
--
-- systemd_dbus_chat_logind($1_usertype)
--
-- tunable_policy(`allow_execmem',`
-- # Allow loading DSOs that require executable stack.
-- allow $1_t self:process execmem;
-- ')
--
-- tunable_policy(`allow_execmem && allow_execstack',`
-- # Allow making the stack executable via mprotect.
-- allow $1_t self:process execstack;
-- ')
--
-- optional_policy(`
-- abrt_stream_connect($1_usertype)
-- ')
--
-- optional_policy(`
-- fs_list_cgroup_dirs($1_usertype)
-- ')
--
-- optional_policy(`
-- ssh_rw_stream_sockets($1_usertype)
-- ssh_delete_tmp($1_t)
-- ssh_signal($1_t)
-- ')
- ')
-
- #######################################
-@@ -242,6 +128,22 @@ interface(`userdom_ro_home_role',`
- ## The user role
- ## </summary>
- ## </param>
-+## <rolebase/>
-+#
-+interface(`userdom_manage_home_role',`
-+ gen_require(`
-+ type user_home_dir_t;
-+ attribute user_home_type;
-+ ')
-+
-+ role $1 types { user_home_type user_home_dir_t };
-+')
-+
-+#######################################
-+## <summary>
-+## Allow a home directory for which the
-+## role has full access.
-+## </summary>
- ## <param name="userdomain">
- ## <summary>
- ## The user domain
-@@ -249,61 +151,58 @@ interface(`userdom_ro_home_role',`
- ## </param>
- ## <rolebase/>
- #
--interface(`userdom_manage_home_role',`
-+interface(`userdom_manage_home',`
- gen_require(`
- type user_home_t, user_home_dir_t;
- attribute user_home_type;
- ')
-
-- role $1 types { user_home_type user_home_dir_t };
--
- ##############################
- #
- # Domain access to home dir
- #
--
-- type_member $2 user_home_dir_t:dir user_home_dir_t;
-+ type_member $1 user_home_dir_t:dir user_home_dir_t;
-
- # full control of the home directory
-- allow $2 user_home_t:dir mounton;
-- allow $2 user_home_t:file entrypoint;
-+ allow $1 user_home_t:dir mounton;
-+ allow $1 user_home_t:file entrypoint;
-
-- allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom };
-- allow $2 user_home_dir_t:lnk_file read_lnk_file_perms;
-- manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
-- manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
-- manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
-- manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
-- manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
-- relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
-- relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
-- relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
-- relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
-- relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
-- filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
-- files_list_home($2)
-+ allow $1 user_home_type:dir_file_class_set { relabelto relabelfrom };
-+ allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
-+ manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+ manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+ manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+ manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+ manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+ relabel_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+ relabel_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+ relabel_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+ relabel_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+ relabel_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+ filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
-+ files_list_home($1)
-
- # cjp: this should probably be removed:
-- allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
-+ allow $1 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
-
- tunable_policy(`use_nfs_home_dirs',`
-- fs_mount_nfs($2)
-- fs_mounton_nfs($2)
-- fs_manage_nfs_dirs($2)
-- fs_manage_nfs_files($2)
-- fs_manage_nfs_symlinks($2)
-- fs_manage_nfs_named_sockets($2)
-- fs_manage_nfs_named_pipes($2)
-+ fs_mount_nfs($1)
-+ fs_mounton_nfs($1)
-+ fs_manage_nfs_dirs($1)
-+ fs_manage_nfs_files($1)
-+ fs_manage_nfs_symlinks($1)
-+ fs_manage_nfs_named_sockets($1)
-+ fs_manage_nfs_named_pipes($1)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
-- fs_mount_cifs($2)
-- fs_mounton_cifs($2)
-- fs_manage_cifs_dirs($2)
-- fs_manage_cifs_files($2)
-- fs_manage_cifs_symlinks($2)
-- fs_manage_cifs_named_sockets($2)
-- fs_manage_cifs_named_pipes($2)
-+ fs_mount_cifs($1)
-+ fs_mounton_cifs($1)
-+ fs_manage_cifs_dirs($1)
-+ fs_manage_cifs_files($1)
-+ fs_manage_cifs_symlinks($1)
-+ fs_manage_cifs_named_sockets($1)
-+ fs_manage_cifs_named_pipes($1)
- ')
- ')
-
-@@ -316,6 +215,21 @@ interface(`userdom_manage_home_role',`
- ## Role allowed access.
- ## </summary>
- ## </param>
-+## <rolebase/>
-+#
-+interface(`userdom_manage_tmp_role',`
-+ gen_require(`
-+ attribute user_tmp_type;
-+ type user_tmp_t;
-+ ')
-+
-+ role $1 types user_tmp_t;
-+')
-+
-+#######################################
-+## <summary>
-+## Manage user temporary files
-+## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
-@@ -323,27 +237,25 @@ interface(`userdom_manage_home_role',`
- ## </param>
- ## <rolebase/>
- #
--interface(`userdom_manage_tmp_role',`
-+interface(`userdom_manage_tmp',`
- gen_require(`
- attribute user_tmp_type;
- type user_tmp_t;
- ')
-
-- role $1 types user_tmp_t;
--
-- files_poly_member_tmp($2, user_tmp_t)
-+ files_poly_member_tmp($1, user_tmp_t)
-
-- manage_dirs_pattern($2, user_tmp_type, user_tmp_type)
-- manage_files_pattern($2, user_tmp_type, user_tmp_type)
-- manage_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
-- manage_sock_files_pattern($2, user_tmp_type, user_tmp_type)
-- manage_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
-- files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
-- relabel_dirs_pattern($2, user_tmp_type, user_tmp_type)
-- relabel_files_pattern($2, user_tmp_type, user_tmp_type)
-- relabel_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
-- relabel_sock_files_pattern($2, user_tmp_type, user_tmp_type)
-- relabel_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
-+ manage_dirs_pattern($1, user_tmp_type, user_tmp_type)
-+ manage_files_pattern($1, user_tmp_type, user_tmp_type)
-+ manage_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
-+ manage_sock_files_pattern($1, user_tmp_type, user_tmp_type)
-+ manage_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
-+ files_tmp_filetrans($1, user_tmp_t, { dir file lnk_file sock_file fifo_file })
-+ relabel_dirs_pattern($1, user_tmp_type, user_tmp_type)
-+ relabel_files_pattern($1, user_tmp_type, user_tmp_type)
-+ relabel_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
-+ relabel_sock_files_pattern($1, user_tmp_type, user_tmp_type)
-+ relabel_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
- ')
-
- #######################################
-@@ -424,6 +336,21 @@ interface(`userdom_exec_user_tmp_files',
- ## Role allowed access.
- ## </summary>
- ## </param>
-+## <rolecap/>
-+#
-+interface(`userdom_manage_tmpfs_role',`
-+ gen_require(`
-+ attribute user_tmpfs_type;
-+ type user_tmpfs_t;
-+ ')
-+
-+ role $1 types user_tmpfs_t;
-+')
-+
-+#######################################
-+## <summary>
-+## Allow access for the user tmpfs type
-+## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
-@@ -431,25 +358,23 @@ interface(`userdom_exec_user_tmp_files',
- ## </param>
- ## <rolecap/>
- #
--interface(`userdom_manage_tmpfs_role',`
-+interface(`userdom_manage_tmpfs',`
- gen_require(`
- attribute user_tmpfs_type;
- type user_tmpfs_t;
- ')
-
-- role $1 types user_tmpfs_t;
--
-- manage_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type)
-- manage_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
-- manage_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
-- manage_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
-- manage_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
-- fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-- relabel_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type)
-- relabel_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
-- relabel_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
-- relabel_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
-- relabel_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
-+ manage_dirs_pattern($1, user_tmpfs_type, user_tmpfs_type)
-+ manage_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
-+ manage_lnk_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
-+ manage_sock_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
-+ manage_fifo_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
-+ fs_tmpfs_filetrans($1, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-+ relabel_dirs_pattern($1, user_tmpfs_type, user_tmpfs_type)
-+ relabel_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
-+ relabel_lnk_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
-+ relabel_sock_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
-+ relabel_fifo_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
- ')
-
- #######################################
-@@ -578,260 +503,31 @@ template(`userdom_change_password_templa
- template(`userdom_common_user_template',`
- gen_require(`
- attribute unpriv_userdomain;
-+ attribute common_userdomain;
- ')
-
-- userdom_basic_networking($1_usertype)
--
-- ##############################
-- #
-- # User domain Local policy
-- #
--
-- # evolution and gnome-session try to create a netlink socket
-- dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-- dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
-- allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
-- allow $1_t self:socket create_socket_perms;
--
-- allow $1_usertype unpriv_userdomain:fd use;
--
-- kernel_read_system_state($1_usertype)
-- kernel_read_network_state($1_usertype)
-- kernel_read_software_raid_state($1_usertype)
-- kernel_read_net_sysctls($1_usertype)
-- # Very permissive allowing every domain to see every type:
-- kernel_get_sysvipc_info($1_usertype)
-- # Find CDROM devices:
-- kernel_read_device_sysctls($1_usertype)
-- kernel_request_load_module($1_usertype)
--
-- corenet_udp_bind_generic_node($1_usertype)
-- corenet_udp_bind_generic_port($1_usertype)
--
-- dev_read_rand($1_usertype)
-- dev_write_sound($1_usertype)
-- dev_read_sound($1_usertype)
-- dev_read_sound_mixer($1_usertype)
-- dev_write_sound_mixer($1_usertype)
--
-- files_exec_etc_files($1_usertype)
-- files_search_locks($1_usertype)
-- # Check to see if cdrom is mounted
-- files_search_mnt($1_usertype)
-- # cjp: perhaps should cut back on file reads:
-- files_read_var_files($1_usertype)
-- files_read_var_symlinks($1_usertype)
-- files_read_generic_spool($1_usertype)
-- files_read_var_lib_files($1_usertype)
-- # Stat lost+found.
-- files_getattr_lost_found_dirs($1_usertype)
-- files_read_config_files($1_usertype)
-- fs_read_noxattr_fs_files($1_usertype)
-- fs_read_noxattr_fs_symlinks($1_usertype)
-- fs_rw_cgroup_files($1_usertype)
--
-- application_getattr_socket($1_usertype)
--
-- logging_send_syslog_msg($1_usertype)
-- logging_send_audit_msgs($1_usertype)
-- selinux_get_enforce_mode($1_usertype)
--
-- # cjp: some of this probably can be removed
-- selinux_get_fs_mount($1_usertype)
-- selinux_validate_context($1_usertype)
-- selinux_compute_access_vector($1_usertype)
-- selinux_compute_create_context($1_usertype)
-- selinux_compute_relabel_context($1_usertype)
-- selinux_compute_user_contexts($1_usertype)
--
-- # for eject
-- storage_getattr_fixed_disk_dev($1_usertype)
-+ typeattribute $1_t common_userdomain;
-
-- auth_read_login_records($1_usertype)
-- auth_run_pam($1_t,$1_r)
-- auth_run_utempter($1_t,$1_r)
--
-- init_read_utmp($1_usertype)
--
-- seutil_read_file_contexts($1_usertype)
-- seutil_read_default_contexts($1_usertype)
-- seutil_run_newrole($1_t,$1_r)
-- seutil_exec_checkpolicy($1_t)
-- seutil_exec_setfiles($1_usertype)
-- # for when the network connection is killed
-- # this is needed when a login role can change
-- # to this one.
-- seutil_dontaudit_signal_newrole($1_t)
--
-- tunable_policy(`user_direct_mouse',`
-- dev_read_mouse($1_usertype)
-- ')
--
-- tunable_policy(`user_ttyfile_stat',`
-- term_getattr_all_ttys($1_t)
-- ')
--
-- optional_policy(`
-- # Allow graphical boot to check battery lifespan
-- apm_stream_connect($1_usertype)
-- ')
--
-- optional_policy(`
-- canna_stream_connect($1_usertype)
-- ')
--
-- optional_policy(`
-- chrome_role($1_r, $1_usertype)
-- ')
--
-- optional_policy(`
-- colord_read_lib_files($1_usertype)
-- ')
--
-- optional_policy(`
-- dbus_system_bus_client($1_usertype)
--
-- allow $1_usertype $1_usertype:dbus send_msg;
--
-- optional_policy(`
-- avahi_dbus_chat($1_usertype)
-- ')
--
-- optional_policy(`
-- policykit_dbus_chat($1_usertype)
-- ')
--
-- optional_policy(`
-- bluetooth_dbus_chat($1_usertype)
-- ')
--
-- optional_policy(`
-- consolekit_dbus_chat($1_usertype)
-- consolekit_read_log($1_usertype)
-- ')
--
-- optional_policy(`
-- devicekit_dbus_chat($1_usertype)
-- devicekit_dbus_chat_power($1_usertype)
-- devicekit_dbus_chat_disk($1_usertype)
-- ')
--
-- optional_policy(`
-- evolution_dbus_chat($1_usertype)
-- evolution_alarm_dbus_chat($1_usertype)
-- ')
--
-- optional_policy(`
-- gnome_dbus_chat_gconfdefault($1_usertype)
-- ')
--
-- optional_policy(`
-- hal_dbus_chat($1_usertype)
-- ')
--
-- optional_policy(`
-- kde_dbus_chat_backlighthelper($1_usertype)
-- ')
--
-- optional_policy(`
-- modemmanager_dbus_chat($1_usertype)
-- ')
--
-- optional_policy(`
-- networkmanager_dbus_chat($1_usertype)
-- networkmanager_read_lib_files($1_usertype)
-- ')
--
-- optional_policy(`
-- vpn_dbus_chat($1_usertype)
-- ')
-- ')
--
-- optional_policy(`
-- git_session_role($1_r, $1_usertype)
-- ')
--
-- optional_policy(`
-- inetd_use_fds($1_usertype)
-- inetd_rw_tcp_sockets($1_usertype)
-- ')
--
-- optional_policy(`
-- inn_read_config($1_usertype)
-- inn_read_news_lib($1_usertype)
-- inn_read_news_spool($1_usertype)
-- ')
--
-- optional_policy(`
-- lircd_stream_connect($1_usertype)
-- ')
--
-- optional_policy(`
-- locate_read_lib_files($1_usertype)
-- ')
--
-- # for running depmod as part of the kernel packaging process
-- optional_policy(`
-- modutils_read_module_config($1_usertype)
-- ')
--
-- optional_policy(`
-- mta_rw_spool($1_usertype)
-- mta_manage_queue($1_usertype)
-- mta_filetrans_home_content($1_usertype)
-- ')
--
-- optional_policy(`
-- nsplugin_role($1_r, $1_usertype)
-- ')
--
-- optional_policy(`
-- tunable_policy(`allow_user_mysql_connect',`
-- mysql_stream_connect($1_t)
-- ')
-- ')
--
-- optional_policy(`
-- oident_manage_user_content($1_t)
-- oident_relabel_user_content($1_t)
-- ')
--
-- optional_policy(`
-- # to allow monitoring of pcmcia status
-- pcmcia_read_pid($1_usertype)
-- ')
--
-- optional_policy(`
-- pcscd_read_pub_files($1_usertype)
-- pcscd_stream_connect($1_usertype)
-- ')
--
-- optional_policy(`
-- tunable_policy(`allow_user_postgresql_connect',`
-- postgresql_stream_connect($1_usertype)
-- postgresql_tcp_connect($1_usertype)
-- ')
-- ')
-+ userdom_basic_networking($1_usertype)
-
-- optional_policy(`
-- resmgr_stream_connect($1_usertype)
-- ')
-+ auth_run_pam(common_userdomain,$1_r)
-+ auth_run_utempter(common_userdomain,$1_r)
-+ seutil_run_newrole(common_userdomain,$1_r)
-
- optional_policy(`
-- rpc_dontaudit_getattr_exports($1_usertype)
-- rpc_manage_nfs_rw_content($1_usertype)
-+ chrome_role($1_r, common_userdomain)
- ')
-
- optional_policy(`
-- rpcbind_stream_connect($1_usertype)
-+ git_session_role($1_r, common_userdomain)
- ')
-
- optional_policy(`
-- samba_stream_connect_winbind($1_usertype)
-+ nsplugin_role($1_r, common_userdomain)
- ')
-
- optional_policy(`
-- sandbox_transition($1_usertype, $1_r)
-+ sandbox_transition(common_userdomain, $1_r)
- ')
-
- optional_policy(`
-@@ -839,11 +535,7 @@ template(`userdom_common_user_template',
- ')
-
- optional_policy(`
-- slrnpull_search_spool($1_usertype)
-- ')
--
-- optional_policy(`
-- thumb_role($1_r, $1_usertype)
-+ thumb_role($1_r, common_userdomain)
- ')
- ')
-
-@@ -872,10 +564,9 @@ template(`userdom_login_user_template',
-
- userdom_base_user_template($1)
-
-- userdom_manage_home_role($1_r, $1_usertype)
--
-- userdom_manage_tmp_role($1_r, $1_usertype)
-- userdom_manage_tmpfs_role($1_r, $1_usertype)
-+ userdom_manage_home_role($1_r)
-+ userdom_manage_tmp_role($1_r)
-+ userdom_manage_tmpfs_role($1_r)
-
- ifelse(`$1',`unconfined',`',`
- gen_tunable(allow_$1_exec_content, true)
-@@ -1010,9 +701,6 @@ template(`userdom_restricted_user_templa
- typeattribute $1_t unpriv_userdomain;
- domain_interactive_fd($1_t)
-
-- allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms;
-- dontaudit $1_usertype self:netlink_audit_socket create_socket_perms;
--
- ##############################
- #
- # Local policy
-@@ -3965,6 +3653,10 @@ template(`userdom_unpriv_usertype',`
-
- auth_use_nsswitch($2)
- ubac_constrained($2)
-+
-+ userdom_manage_home_role($1_r)
-+ userdom_manage_tmp_role($1_r)
-+ userdom_manage_tmpfs_role($1_r)
- ')
-
- ########################################
-diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.te.userdomain serefpolicy-3.10.0/policy/modules/system/userdomain.te
---- serefpolicy-3.10.0/policy/modules/system/userdomain.te.userdomain 2011-11-04 16:05:53.852722681 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/userdomain.te 2011-11-04 16:05:53.953722940 -0400
-@@ -69,6 +69,8 @@ attribute userdomain;
-
- # unprivileged user domains
- attribute unpriv_userdomain;
-+# common user domains
-+attribute common_userdomain;
-
- attribute untrusted_content_type;
- attribute untrusted_content_tmp_type;
-@@ -141,22 +143,147 @@ miscfiles_cert_type(home_cert_t)
- userdom_user_home_content(home_cert_t)
- ubac_constrained(home_cert_t)
-
--tunable_policy(`allow_console_login',`
-- term_use_console(userdomain)
--')
--
--allow userdomain userdomain:process signull;
-+allow unpriv_userdomain self:netlink_kobject_uevent_socket create_socket_perms;
-+dontaudit unpriv_userdomain self:netlink_audit_socket create_socket_perms;
-
- # Nautilus causes this avc
- dontaudit unpriv_userdomain self:dir setattr;
- allow unpriv_userdomain self:key manage_key_perms;
-
-+userdom_manage_home(unpriv_userdomain)
-+userdom_manage_tmp(unpriv_userdomain)
-+userdom_manage_tmpfs(unpriv_userdomain)
-+
- optional_policy(`
- alsa_read_rw_config(unpriv_userdomain)
- alsa_manage_home_files(unpriv_userdomain)
- alsa_relabel_home_files(unpriv_userdomain)
- ')
-
-+
-+##############################
-+#
-+# User domain Local policy
-+#
-+allow userdomain userdomain:process signull;
-+
-+allow userdomain user_devpts_t:chr_file { setattr rw_chr_file_perms };
-+term_create_pty(userdomain, user_devpts_t)
-+# avoid annoying messages on terminal hangup on role change
-+dontaudit userdomain user_devpts_t:chr_file ioctl;
-+
-+allow userdomain user_tty_device_t:chr_file { setattr rw_chr_file_perms };
-+# avoid annoying messages on terminal hangup on role change
-+dontaudit userdomain user_tty_device_t:chr_file ioctl;
-+
-+corecmd_shell_entry_type(userdomain)
-+corecmd_bin_entry_type(userdomain)
-+
-+term_user_pty(userdomain, user_devpts_t)
-+
-+term_user_tty(userdomain, user_tty_device_t)
-+term_dontaudit_getattr_generic_ptys(userdomain)
-+
-+application_exec_all(userdomain)
-+
-+kernel_read_kernel_sysctls(userdomain)
-+kernel_read_all_sysctls(userdomain)
-+kernel_dontaudit_list_unlabeled(userdomain)
-+kernel_dontaudit_getattr_unlabeled_files(userdomain)
-+kernel_dontaudit_getattr_unlabeled_symlinks(userdomain)
-+kernel_dontaudit_getattr_unlabeled_pipes(userdomain)
-+kernel_dontaudit_getattr_unlabeled_sockets(userdomain)
-+kernel_dontaudit_getattr_unlabeled_blk_files(userdomain)
-+kernel_dontaudit_getattr_unlabeled_chr_files(userdomain)
-+kernel_dontaudit_list_proc(userdomain)
-+
-+dev_dontaudit_getattr_all_blk_files(userdomain)
-+dev_dontaudit_getattr_all_chr_files(userdomain)
-+dev_getattr_mtrr_dev(userdomain)
-+
-+# When the user domain runs ps, there will be a number of access
-+# denials when ps tries to search /proc. Do not audit these denials.
-+domain_dontaudit_read_all_domains_state(userdomain)
-+domain_dontaudit_getattr_all_domains(userdomain)
-+domain_dontaudit_getsession_all_domains(userdomain)
-+dev_dontaudit_all_access_check(userdomain)
-+
-+files_read_etc_files(userdomain)
-+files_list_mnt(userdomain)
-+files_list_var(userdomain)
-+files_read_mnt_files(userdomain)
-+files_dontaudit_access_check_mnt(userdomain)
-+files_read_etc_runtime_files(userdomain)
-+files_read_usr_files(userdomain)
-+files_read_usr_src_files(userdomain)
-+# Read directories and files with the readable_t type.
-+# This type is a general type for "world"-readable files.
-+files_list_world_readable(userdomain)
-+files_read_world_readable_files(userdomain)
-+files_read_world_readable_symlinks(userdomain)
-+files_read_world_readable_pipes(userdomain)
-+files_read_world_readable_sockets(userdomain)
-+# old broswer_domain():
-+files_dontaudit_getattr_all_dirs(userdomain)
-+files_dontaudit_list_non_security(userdomain)
-+files_dontaudit_getattr_all_files(userdomain)
-+files_dontaudit_getattr_non_security_symlinks(userdomain)
-+files_dontaudit_getattr_non_security_pipes(userdomain)
-+files_dontaudit_getattr_non_security_sockets(userdomain)
-+files_dontaudit_setattr_etc_runtime_files(userdomain)
-+
-+files_exec_usr_files(userdomain)
-+
-+fs_list_cgroup_dirs(userdomain)
-+fs_dontaudit_rw_cgroup_files(userdomain)
-+
-+storage_rw_fuse(userdomain)
-+
-+init_stream_connect(userdomain)
-+# The library functions always try to open read-write first,
-+# then fall back to read-only if it fails.
-+init_dontaudit_rw_utmp(userdomain)
-+libs_exec_ld_so(userdomain)
-+logging_send_audit_msgs(userdomain)
-+
-+miscfiles_read_localization(userdomain)
-+miscfiles_read_generic_certs(userdomain)
-+
-+miscfiles_read_all_certs(userdomain)
-+miscfiles_read_localization(userdomain)
-+miscfiles_read_man_pages(userdomain)
-+miscfiles_read_public_files(userdomain)
-+
-+systemd_dbus_chat_logind(userdomain)
-+
-+tunable_policy(`allow_console_login',`
-+ term_use_console(userdomain)
-+')
-+
-+tunable_policy(`allow_execmem',`
-+ # Allow loading DSOs that require executable stack.
-+ allow userdomain self:process execmem;
-+')
-+
-+tunable_policy(`allow_execmem && allow_execstack',`
-+ # Allow making the stack executable via mprotect.
-+ allow userdomain self:process execstack;
-+')
-+
-+optional_policy(`
-+ abrt_stream_connect(userdomain)
-+')
-+
-+optional_policy(`
-+ fs_list_cgroup_dirs(userdomain)
-+')
-+
-+optional_policy(`
-+ ssh_rw_stream_sockets(userdomain)
-+ ssh_delete_tmp(userdomain)
-+ ssh_signal(userdomain)
-+')
-+
- optional_policy(`
- gnome_filetrans_home_content(userdomain)
- ')
-@@ -172,3 +299,240 @@ optional_policy(`
- optional_policy(`
- xserver_filetrans_home_content(userdomain)
- ')
-+
-+##############################
-+#
-+# Common User domain Local policy
-+#
-+
-+# evolution and gnome-session try to create a netlink socket
-+dontaudit common_userdomain self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-+dontaudit common_userdomain self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
-+allow common_userdomain self:netlink_kobject_uevent_socket create_socket_perms;
-+allow common_userdomain self:socket create_socket_perms;
-+
-+allow common_userdomain unpriv_userdomain:fd use;
-+
-+kernel_read_system_state(common_userdomain)
-+kernel_read_network_state(common_userdomain)
-+kernel_read_software_raid_state(common_userdomain)
-+kernel_read_net_sysctls(common_userdomain)
-+# Very permissive allowing every domain to see every type:
-+kernel_get_sysvipc_info(common_userdomain)
-+# Find CDROM devices:
-+kernel_read_device_sysctls(common_userdomain)
-+kernel_request_load_module(common_userdomain)
-+
-+corenet_udp_bind_generic_node(common_userdomain)
-+corenet_udp_bind_generic_port(common_userdomain)
-+
-+dev_read_rand(common_userdomain)
-+dev_write_sound(common_userdomain)
-+dev_read_sound(common_userdomain)
-+dev_read_sound_mixer(common_userdomain)
-+dev_write_sound_mixer(common_userdomain)
-+
-+files_exec_etc_files(common_userdomain)
-+files_search_locks(common_userdomain)
-+# Check to see if cdrom is mounted
-+files_search_mnt(common_userdomain)
-+# cjp: perhaps should cut back on file reads:
-+files_read_var_files(common_userdomain)
-+files_read_var_symlinks(common_userdomain)
-+files_read_generic_spool(common_userdomain)
-+files_read_var_lib_files(common_userdomain)
-+# Stat lost+found.
-+files_getattr_lost_found_dirs(common_userdomain)
-+files_read_config_files(common_userdomain)
-+fs_read_noxattr_fs_files(common_userdomain)
-+fs_read_noxattr_fs_symlinks(common_userdomain)
-+fs_rw_cgroup_files(common_userdomain)
-+
-+application_getattr_socket(common_userdomain)
-+
-+logging_send_syslog_msg(common_userdomain)
-+logging_send_audit_msgs(common_userdomain)
-+selinux_get_enforce_mode(common_userdomain)
-+
-+# cjp: some of this probably can be removed
-+selinux_get_fs_mount(common_userdomain)
-+selinux_validate_context(common_userdomain)
-+selinux_compute_access_vector(common_userdomain)
-+selinux_compute_create_context(common_userdomain)
-+selinux_compute_relabel_context(common_userdomain)
-+selinux_compute_user_contexts(common_userdomain)
-+
-+# for eject
-+storage_getattr_fixed_disk_dev(common_userdomain)
-+
-+auth_read_login_records(common_userdomain)
-+
-+init_read_utmp(common_userdomain)
-+
-+seutil_read_file_contexts(common_userdomain)
-+seutil_read_default_contexts(common_userdomain)
-+seutil_exec_checkpolicy(common_userdomain)
-+seutil_exec_setfiles(common_userdomain)
-+# for when the network connection is killed
-+# this is needed when a login role can change
-+# to this one.
-+seutil_dontaudit_signal_newrole(common_userdomain)
-+
-+tunable_policy(`user_direct_mouse',`
-+ dev_read_mouse(common_userdomain)
-+')
-+
-+tunable_policy(`user_ttyfile_stat',`
-+ term_getattr_all_ttys(common_userdomain)
-+')
-+
-+optional_policy(`
-+ # Allow graphical boot to check battery lifespan
-+ apm_stream_connect(common_userdomain)
-+')
-+
-+optional_policy(`
-+ canna_stream_connect(common_userdomain)
-+')
-+
-+optional_policy(`
-+ colord_read_lib_files(common_userdomain)
-+')
-+
-+optional_policy(`
-+ dbus_system_bus_client(common_userdomain)
-+
-+ allow common_userdomain common_userdomain:dbus send_msg;
-+
-+ optional_policy(`
-+ avahi_dbus_chat(common_userdomain)
-+ ')
-+
-+ optional_policy(`
-+ policykit_dbus_chat(common_userdomain)
-+ ')
-+
-+ optional_policy(`
-+ bluetooth_dbus_chat(common_userdomain)
-+ ')
-+
-+ optional_policy(`
-+ consolekit_dbus_chat(common_userdomain)
-+ consolekit_read_log(common_userdomain)
-+ ')
-+
-+ optional_policy(`
-+ devicekit_dbus_chat(common_userdomain)
-+ devicekit_dbus_chat_power(common_userdomain)
-+ devicekit_dbus_chat_disk(common_userdomain)
-+ ')
-+
-+ optional_policy(`
-+ evolution_dbus_chat(common_userdomain)
-+ evolution_alarm_dbus_chat(common_userdomain)
-+ ')
-+
-+ optional_policy(`
-+ gnome_dbus_chat_gconfdefault(common_userdomain)
-+ ')
-+
-+ optional_policy(`
-+ hal_dbus_chat(common_userdomain)
-+ ')
-+
-+ optional_policy(`
-+ kde_dbus_chat_backlighthelper(common_userdomain)
-+ ')
-+
-+ optional_policy(`
-+ modemmanager_dbus_chat(common_userdomain)
-+ ')
-+
-+ optional_policy(`
-+ networkmanager_dbus_chat(common_userdomain)
-+ networkmanager_read_lib_files(common_userdomain)
-+ ')
-+
-+ optional_policy(`
-+ vpn_dbus_chat(common_userdomain)
-+ ')
-+')
-+
-+optional_policy(`
-+ inetd_use_fds(common_userdomain)
-+ inetd_rw_tcp_sockets(common_userdomain)
-+')
-+
-+optional_policy(`
-+ inn_read_config(common_userdomain)
-+ inn_read_news_lib(common_userdomain)
-+ inn_read_news_spool(common_userdomain)
-+')
-+
-+optional_policy(`
-+ lircd_stream_connect(common_userdomain)
-+')
-+
-+optional_policy(`
-+ locate_read_lib_files(common_userdomain)
-+')
-+
-+# for running depmod as part of the kernel packaging process
-+optional_policy(`
-+ modutils_read_module_config(common_userdomain)
-+')
-+
-+optional_policy(`
-+ mta_rw_spool(common_userdomain)
-+ mta_manage_queue(common_userdomain)
-+ mta_filetrans_home_content(common_userdomain)
-+')
-+
-+optional_policy(`
-+ tunable_policy(`allow_user_mysql_connect',`
-+ mysql_stream_connect(common_userdomain)
-+ ')
-+')
-+
-+optional_policy(`
-+ oident_manage_user_content(common_userdomain)
-+ oident_relabel_user_content(common_userdomain)
-+')
-+
-+optional_policy(`
-+ # to allow monitoring of pcmcia status
-+ pcmcia_read_pid(common_userdomain)
-+')
-+
-+optional_policy(`
-+ pcscd_read_pub_files(common_userdomain)
-+ pcscd_stream_connect(common_userdomain)
-+')
-+
-+optional_policy(`
-+ tunable_policy(`allow_user_postgresql_connect',`
-+ postgresql_stream_connect(common_userdomain)
-+ postgresql_tcp_connect(common_userdomain)
-+ ')
-+')
-+
-+optional_policy(`
-+ resmgr_stream_connect(common_userdomain)
-+')
-+
-+optional_policy(`
-+ rpc_dontaudit_getattr_exports(common_userdomain)
-+ rpc_manage_nfs_rw_content(common_userdomain)
-+')
-+
-+optional_policy(`
-+ rpcbind_stream_connect(common_userdomain)
-+')
-+
-+optional_policy(`
-+ samba_stream_connect_winbind(common_userdomain)
-+')
-+
-+optional_policy(`
-+ slrnpull_search_spool(common_userdomain)
-+')
More information about the scm-commits
mailing list