rpms/selinux-policy/devel modules-targeted.conf, 1.127, 1.128 policy-20090105.patch, 1.116, 1.117 selinux-policy.spec, 1.854, 1.855

Daniel J Walsh dwalsh at fedoraproject.org
Mon May 18 18:41:03 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv29272

Modified Files:
	modules-targeted.conf policy-20090105.patch 
	selinux-policy.spec 
Log Message:
* Mon May 18 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-38
- Add varnishd policy



Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.127
retrieving revision 1.128
diff -u -p -r1.127 -r1.128
--- modules-targeted.conf	2 May 2009 11:52:11 -0000	1.127
+++ modules-targeted.conf	18 May 2009 18:41:01 -0000	1.128
@@ -1450,6 +1450,13 @@ usernetctl = module
 xen = module
 
 # Layer: services
+# Module: varnishd
+#
+# Varnishd http accelerator daemon
+# 
+varnishd = module
+
+# Layer: services
 # Module: virt
 #
 # Virtualization libraries
@@ -1633,6 +1640,13 @@ portreserve = module
 rpcbind = module
 
 # Layer: apps
+# Module: rssh
+#
+#  Restricted (scp/sftp) only shell
+# 
+rssh = module
+
+# Layer: apps
 # Module: vmware
 #
 # VMWare Workstation virtual machines
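Review bot: The rssh module is switched on here, but the changelog entry carried by this commit records only "Add varnishd policy", so a new restricted-shell policy ships unannounced; add a line such as `- Enable rssh policy module` to the 3.6.12-38 entry. No rssh .te/.fc/.if files are visible in the accompanying policy patch, so I cannot confirm from here that the module this line enables actually exists in this build; if it does not, the targeted build will reference a module that cannot be compiled.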

policy-20090105.patch:

Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.116
retrieving revision 1.117
diff -u -p -r1.116 -r1.117
--- policy-20090105.patch	14 May 2009 18:53:39 -0000	1.116
+++ policy-20090105.patch	18 May 2009 18:41:01 -0000	1.117
@@ -603,7 +603,7 @@ diff -b -B --ignore-all-space --exclude-
 +userdom_read_user_tmpfs_files(kismet_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.12/policy/modules/admin/logrotate.te
 --- nsaserefpolicy/policy/modules/admin/logrotate.te	2009-04-07 15:53:36.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/admin/logrotate.te	2009-05-12 15:30:13.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/admin/logrotate.te	2009-05-18 08:21:37.000000000 -0400
 @@ -116,8 +116,9 @@
  seutil_dontaudit_read_config(logrotate_t)
  
@@ -626,6 +626,14 @@ diff -b -B --ignore-all-space --exclude-
  	consoletype_exec(logrotate_t)
  ')
  
+@@ -189,3 +194,7 @@
+ optional_policy(`
+ 	squid_domtrans(logrotate_t)
+ ')
++
++optional_policy(`
++	varnishlog_manage_log(logrotate_t)
++')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.12/policy/modules/admin/logwatch.te
 --- nsaserefpolicy/policy/modules/admin/logwatch.te	2009-03-20 12:39:40.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/admin/logwatch.te	2009-05-12 15:30:13.000000000 -0400
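Review bot: `varnishlog_manage_log(logrotate_t)` lets logrotate rotate files under /var/log/varnish, but unlike the `squid_domtrans(logrotate_t)` block directly above it grants nothing for the post-rotate step; if the packaged logrotate config reopens the log by restarting varnishlog/varnishncsa through the init script (the usual approach for a daemon that keeps its log file open), logrotate will also need the matching initrc domtrans. I cannot see the logrotate config from here, so confirm that before widening anything. A one-line comment on the new block, `# rotate /var/log/varnish (varnishlog_log_t)`, would make the intent clear.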
@@ -5068,7 +5076,7 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.6.12/policy/modules/kernel/corenetwork.if.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in	2009-02-03 22:50:50.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/corenetwork.if.in	2009-05-12 16:34:51.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/corenetwork.if.in	2009-05-18 09:34:14.000000000 -0400
 @@ -1612,6 +1612,24 @@
  
  ########################################
@@ -5121,7 +5129,7 @@ diff -b -B --ignore-all-space --exclude-
  ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2009-03-23 13:47:10.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in	2009-05-12 15:30:13.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in	2009-05-18 08:21:37.000000000 -0400
 @@ -65,10 +65,12 @@
  type server_packet_t, packet_type, server_packet_type;
  
@@ -5225,7 +5233,7 @@ diff -b -B --ignore-all-space --exclude-
  network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
  type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
  type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
-@@ -173,14 +197,17 @@
+@@ -173,14 +197,18 @@
  network_port(syslogd, udp,514,s0)
  network_port(telnetd, tcp,23,s0)
  network_port(tftp, udp,69,s0)
@@ -5235,6 +5243,7 @@ diff -b -B --ignore-all-space --exclude-
  network_port(transproxy, tcp,8081,s0)
  type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
  network_port(uucpd, tcp,540,s0)
++network_port(varnishd, tcp,6081,s0, tcp,6082,s0)
 +network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(vnc, tcp,5900,s0)
  network_port(wccp, udp,2048,s0)
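Review bot: Both 6081 and 6082 are folded into a single `varnishd_port_t`, so any domain granted connect or name_bind on that type gets both ports. Going by Varnish's shipped defaults rather than anything visible here, 6081 is the HTTP accelerator port and 6082 is the management CLI, which can load VCL and restart the child process; it is worth keeping the CLI out of the type that web-facing domains are allowed to reach, for example with a separate `network_port(varnishd_admin, tcp,6082,s0)` if the varnishd policy can be taught to use it. If the two are kept together, at least record it next to the line: `# 6081 = HTTP accelerator, 6082 = management CLI (privileged)`.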
@@ -5245,7 +5254,7 @@ diff -b -B --ignore-all-space --exclude-
  network_port(xdmcp, udp,177,s0, tcp,177,s0)
  network_port(xen, tcp,8002,s0)
  network_port(xfs, tcp,7100,s0)
-@@ -209,6 +236,8 @@
+@@ -209,6 +237,8 @@
  type node_t, node_type;
  sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh)
  
@@ -5277,7 +5286,7 @@ diff -b -B --ignore-all-space --exclude-
  /dev/cpu.*		-c	gen_context(system_u:object_r:cpu_device_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.12/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2009-03-05 12:28:56.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/devices.if	2009-05-12 15:30:13.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/devices.if	2009-05-18 09:09:23.000000000 -0400
 @@ -2268,6 +2268,25 @@
  
  ########################################
@@ -9152,7 +9161,7 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.12/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/apache.te	2009-05-12 15:30:13.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/apache.te	2009-05-18 09:16:47.000000000 -0400
 @@ -19,6 +19,8 @@
  # Declarations
  #
@@ -11721,7 +11730,7 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.12/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/cups.te	2009-05-12 15:30:13.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/cups.te	2009-05-18 14:39:34.000000000 -0400
 @@ -20,9 +20,18 @@
  type cupsd_etc_t;
  files_config_file(cupsd_etc_t)
@@ -11925,8 +11934,11 @@ diff -b -B --ignore-all-space --exclude-
  
  logging_send_audit_msgs(cupsd_t)
  logging_send_syslog_msg(cupsd_t)
-@@ -217,17 +264,21 @@
+@@ -215,19 +262,24 @@
+ miscfiles_read_localization(cupsd_t)
+ # invoking ghostscript needs to read fonts
  miscfiles_read_fonts(cupsd_t)
++miscfiles_setattr_fonts(cupsd_t)
  
  seutil_read_config(cupsd_t)
 +sysnet_exec_ifconfig(cupsd_t)
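Review bot: `miscfiles_setattr_fonts(cupsd_t)` has no comment saying what needs it; the existing `# invoking ghostscript needs to read fonts` justifies read access only, and setattr lets the print daemon change ownership, mode and timestamps of shared font files, which is more than a reader needs. I would guess this closes an AVC denial from ghostscript or fontconfig refreshing a font cache, but nothing in the hunk shows that. Record the trigger next to the line, e.g. `# fontconfig touches font file attributes when rebuilding its cache — TODO confirm`, or switch to the dontaudit variant if the denial is harmless.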
@@ -11950,7 +11962,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -244,8 +295,16 @@
+@@ -244,8 +296,16 @@
  	userdom_dbus_send_all_users(cupsd_t)
  
  	optional_policy(`
@@ -11967,7 +11979,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -261,6 +320,10 @@
+@@ -261,6 +321,10 @@
  ')
  
  optional_policy(`
@@ -11978,7 +11990,7 @@ diff -b -B --ignore-all-space --exclude-
  	# cups execs smbtool which reads samba_etc_t files
  	samba_read_config(cupsd_t)
  	samba_rw_var_files(cupsd_t)
-@@ -279,7 +342,7 @@
+@@ -279,7 +343,7 @@
  # Cups configuration daemon local policy
  #
  
@@ -11987,7 +11999,7 @@ diff -b -B --ignore-all-space --exclude-
  dontaudit cupsd_config_t self:capability sys_tty_config;
  allow cupsd_config_t self:process signal_perms;
  allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
-@@ -302,8 +365,10 @@
+@@ -302,8 +366,10 @@
  
  allow cupsd_config_t cupsd_log_t:file rw_file_perms;
  
@@ -12000,7 +12012,7 @@ diff -b -B --ignore-all-space --exclude-
  
  allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
  
-@@ -311,7 +376,7 @@
+@@ -311,7 +377,7 @@
  files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
  
  kernel_read_system_state(cupsd_config_t)
@@ -12009,7 +12021,7 @@ diff -b -B --ignore-all-space --exclude-
  
  corenet_all_recvfrom_unlabeled(cupsd_config_t)
  corenet_all_recvfrom_netlabel(cupsd_config_t)
-@@ -324,6 +389,7 @@
+@@ -324,6 +390,7 @@
  dev_read_sysfs(cupsd_config_t)
  dev_read_urand(cupsd_config_t)
  dev_read_rand(cupsd_config_t)
@@ -12017,7 +12029,7 @@ diff -b -B --ignore-all-space --exclude-
  
  fs_getattr_all_fs(cupsd_config_t)
  fs_search_auto_mountpoints(cupsd_config_t)
-@@ -341,13 +407,14 @@
+@@ -341,13 +408,14 @@
  files_read_var_symlinks(cupsd_config_t)
  
  # Alternatives asks for this
@@ -12033,7 +12045,7 @@ diff -b -B --ignore-all-space --exclude-
  
  seutil_dontaudit_search_config(cupsd_config_t)
  
-@@ -359,14 +426,16 @@
+@@ -359,14 +427,16 @@
  lpd_read_config(cupsd_config_t)
  
  ifdef(`distro_redhat',`
@@ -12052,7 +12064,7 @@ diff -b -B --ignore-all-space --exclude-
  	cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
  ')
  
-@@ -382,6 +451,7 @@
+@@ -382,6 +452,7 @@
  optional_policy(`
  	hal_domtrans(cupsd_config_t)
  	hal_read_tmp_files(cupsd_config_t)
@@ -12060,7 +12072,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -491,7 +561,10 @@
+@@ -491,7 +562,10 @@
  allow hplip_t self:udp_socket create_socket_perms;
  allow hplip_t self:rawip_socket create_socket_perms;
  
@@ -12072,7 +12084,7 @@ diff -b -B --ignore-all-space --exclude-
  
  cups_stream_connect(hplip_t)
  
-@@ -500,6 +573,13 @@
+@@ -500,6 +574,13 @@
  read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
  files_search_etc(hplip_t)
  
@@ -12086,7 +12098,7 @@ diff -b -B --ignore-all-space --exclude-
  manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
  files_pid_filetrans(hplip_t, hplip_var_run_t, file)
  
-@@ -529,7 +609,8 @@
+@@ -529,7 +610,8 @@
  dev_read_urand(hplip_t)
  dev_read_rand(hplip_t)
  dev_rw_generic_usb_dev(hplip_t)
@@ -12096,7 +12108,7 @@ diff -b -B --ignore-all-space --exclude-
  
  fs_getattr_all_fs(hplip_t)
  fs_search_auto_mountpoints(hplip_t)
-@@ -553,7 +634,9 @@
+@@ -553,7 +635,9 @@
  userdom_dontaudit_search_user_home_dirs(hplip_t)
  userdom_dontaudit_search_user_home_content(hplip_t)
  
@@ -12107,7 +12119,7 @@ diff -b -B --ignore-all-space --exclude-
  
  optional_policy(`
  	dbus_system_bus_client(hplip_t)
-@@ -635,3 +718,49 @@
+@@ -635,3 +719,49 @@
  optional_policy(`
  	udev_read_db(ptal_t)
  ')
@@ -13663,7 +13675,7 @@ diff -b -B --ignore-all-space --exclude-
  /var/run/fail2ban.*		gen_context(system_u:object_r:fail2ban_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.6.12/policy/modules/services/fail2ban.if
 --- nsaserefpolicy/policy/modules/services/fail2ban.if	2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/fail2ban.if	2009-05-12 15:30:13.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/fail2ban.if	2009-05-18 08:59:04.000000000 -0400
 @@ -20,6 +20,25 @@
  
  ########################################
@@ -13690,6 +13702,15 @@ diff -b -B --ignore-all-space --exclude-
  ##	Allow the specified domain to read fail2ban's log files.
  ## </summary>
  ## <param name="domain">
+@@ -105,7 +124,7 @@
+ 	allow $1 fail2ban_t:process { ptrace signal_perms };
+ 	ps_process_pattern($1, fail2ban_t)
+ 
+-	init_labeled_script_domtrans($1, rbcbind_initrc_exec_t)
++	init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+ 	role_transition $2 fail2ban_initrc_exec_t system_r;
+ 	allow $2 system_r;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.6.12/policy/modules/services/fail2ban.te
 --- nsaserefpolicy/policy/modules/services/fail2ban.te	2009-01-19 11:06:49.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/services/fail2ban.te	2009-05-12 15:30:13.000000000 -0400
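Review bot: The `rbcbind_initrc_exec_t` → `fail2ban_initrc_exec_t` correction is right, but `fail2ban_admin`'s `gen_require` block sits above this hunk, so check that it declares `fail2ban_initrc_exec_t`; with the old copy-paste name the interface could only have built if nothing ever called it, which suggests it has never actually been compiled into a policy. A quick `fail2ban_admin(...)` call in a test module would confirm the whole interface now expands cleanly.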
@@ -14417,7 +14438,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.12/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/hal.te	2009-05-12 15:30:13.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/hal.te	2009-05-18 13:42:49.000000000 -0400
 @@ -49,6 +49,15 @@
  type hald_var_lib_t;
  files_type(hald_var_lib_t)
@@ -14434,8 +14455,11 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  #
  # Local policy
-@@ -143,11 +152,16 @@
+@@ -141,13 +150,19 @@
+ # hal is now execing pm-suspend
+ files_create_boot_flag(hald_t)
  files_getattr_all_dirs(hald_t)
++files_getattr_all_files(hald_t)
  files_read_kernel_img(hald_t)
  files_rw_lock_dirs(hald_t)
 +files_read_generic_pids(hald_t)
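Review bot: `files_getattr_all_files(hald_t)` gives hald stat() on every file type in the policy, including ones it has no reason to see (shadow, private keys, other daemons' data), and nothing in the hunk says why; `files_getattr_all_mountpoints` a few lines below already covers the mount-point case. If this came from hal probing device nodes or mounted media, a narrower `dev_getattr_*` or mountpoint interface is usually enough, and if the denial is only noise the dontaudit form (if files.if provides one) is the safer choice. At minimum record the trigger inline: `# hal stats <which path?> while building its device db — TODO confirm`. The local-policy block this lands in starts and ends outside the hunk.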
@@ -14451,7 +14475,7 @@ diff -b -B --ignore-all-space --exclude-
  files_getattr_all_mountpoints(hald_t)
  
  mls_file_read_all_levels(hald_t)
-@@ -195,6 +209,7 @@
+@@ -195,6 +210,7 @@
  seutil_read_file_contexts(hald_t)
  
  sysnet_read_config(hald_t)
@@ -14459,7 +14483,7 @@ diff -b -B --ignore-all-space --exclude-
  
  userdom_dontaudit_use_unpriv_user_fds(hald_t)
  userdom_dontaudit_search_user_home_dirs(hald_t)
-@@ -277,6 +292,17 @@
+@@ -277,6 +293,17 @@
  ')
  
  optional_policy(`
@@ -14477,7 +14501,7 @@ diff -b -B --ignore-all-space --exclude-
  	rpc_search_nfs_state_data(hald_t)
  ')
  
-@@ -298,7 +324,11 @@
+@@ -298,7 +325,11 @@
  ')
  
  optional_policy(`
@@ -14490,7 +14514,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -306,7 +336,7 @@
+@@ -306,7 +337,7 @@
  # Hal acl local policy
  #
  
@@ -14499,7 +14523,7 @@ diff -b -B --ignore-all-space --exclude-
  allow hald_acl_t self:process { getattr signal };
  allow hald_acl_t self:fifo_file rw_fifo_file_perms;
  
-@@ -321,6 +351,7 @@
+@@ -321,6 +352,7 @@
  manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
  manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
  files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
@@ -14507,7 +14531,7 @@ diff -b -B --ignore-all-space --exclude-
  
  corecmd_exec_bin(hald_acl_t)
  
-@@ -339,6 +370,8 @@
+@@ -339,6 +371,8 @@
  
  storage_getattr_removable_dev(hald_acl_t)
  storage_setattr_removable_dev(hald_acl_t)
@@ -14516,7 +14540,7 @@ diff -b -B --ignore-all-space --exclude-
  
  auth_use_nsswitch(hald_acl_t)
  
-@@ -346,12 +379,18 @@
+@@ -346,12 +380,18 @@
  
  miscfiles_read_localization(hald_acl_t)
  
@@ -14536,7 +14560,7 @@ diff -b -B --ignore-all-space --exclude-
  
  domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
  allow hald_t hald_mac_t:process signal;
-@@ -374,6 +413,8 @@
+@@ -374,6 +414,8 @@
  
  auth_use_nsswitch(hald_mac_t)
  
@@ -14545,7 +14569,7 @@ diff -b -B --ignore-all-space --exclude-
  miscfiles_read_localization(hald_mac_t)
  
  ########################################
-@@ -415,6 +456,55 @@
+@@ -415,6 +457,55 @@
  
  dev_rw_input_dev(hald_keymap_t)
  
@@ -14920,8 +14944,15 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.6.12/policy/modules/services/kerberos.fc
 --- nsaserefpolicy/policy/modules/services/kerberos.fc	2009-03-23 13:47:11.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/kerberos.fc	2009-05-14 13:29:16.000000000 -0400
-@@ -6,13 +6,14 @@
++++ serefpolicy-3.6.12/policy/modules/services/kerberos.fc	2009-05-18 13:00:35.000000000 -0400
+@@ -1,3 +1,6 @@
++HOME_DIR/\.k5login		--	gen_context(system_u:object_r:krb5_home_t,s0)
++/root/\.k5login			--	gen_context(system_u:object_r:krb5_home_t,s0)
++
+ /etc/krb5\.conf			--	gen_context(system_u:object_r:krb5_conf_t,s0)
+ /etc/krb5\.keytab			gen_context(system_u:object_r:krb5_keytab_t,s0)
+ 
+@@ -6,13 +9,14 @@
  /etc/krb5kdc/principal.*		gen_context(system_u:object_r:krb5kdc_principal_t,s0)
  
  /etc/rc\.d/init\.d/kadmind	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
@@ -14937,7 +14968,7 @@ diff -b -B --ignore-all-space --exclude-
  
  /usr/local/var/krb5kdc(/.*)?		gen_context(system_u:object_r:krb5kdc_conf_t,s0)
  /usr/local/var/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
-@@ -21,7 +22,7 @@
+@@ -21,7 +25,7 @@
  /var/kerberos/krb5kdc/from_master.*	gen_context(system_u:object_r:krb5kdc_lock_t,s0)
  /var/kerberos/krb5kdc/kadm5\.keytab --	gen_context(system_u:object_r:krb5_keytab_t,s0)
  /var/kerberos/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
@@ -14946,9 +14977,20 @@ diff -b -B --ignore-all-space --exclude-
  
  /var/log/krb5kdc\.log			gen_context(system_u:object_r:krb5kdc_log_t,s0)
  /var/log/kadmin(d)?\.log		gen_context(system_u:object_r:kadmind_log_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.6.12/policy/modules/services/kerberos.if
+--- nsaserefpolicy/policy/modules/services/kerberos.if	2009-01-19 11:07:34.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/services/kerberos.if	2009-05-18 13:00:14.000000000 -0400
+@@ -128,6 +128,7 @@
+ 
+ 	files_search_etc($1)
+ 	allow $1 krb5_conf_t:file read_file_perms;
++	allow $1 krb5_home_t:file read_file_perms;
+ ')
+ 
+ ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.12/policy/modules/services/kerberos.te
 --- nsaserefpolicy/policy/modules/services/kerberos.te	2009-03-23 13:47:11.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/kerberos.te	2009-05-14 13:28:31.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/kerberos.te	2009-05-18 12:59:46.000000000 -0400
 @@ -33,6 +33,7 @@
  type kpropd_t;
  type kpropd_exec_t;
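Review bot: `allow $1 krb5_home_t:file read_file_perms` in `kerberos_use` is not reachable on its own: the new `.k5login` contexts live under `HOME_DIR`, and the interface (whose beginning is above this hunk) only adds `files_search_etc($1)`, so a caller without search on user home directories still cannot open the file. The `rlogin_read_config` template elsewhere in this commit pairs the same kind of rule with `userdom_search_user_home_dirs($1)`; do the same here, placing `userdom_search_user_home_dirs($1)` before the allow line. Since `.k5login` lists the principals permitted to log in as that user, every caller of `kerberos_use` now reads authorization data; that is appropriate for login programs but deserves a comment: `# .k5login: per-user list of principals allowed to log in`.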
@@ -14957,7 +14999,17 @@ diff -b -B --ignore-all-space --exclude-
  
  type krb5_conf_t;
  files_type(krb5_conf_t)
-@@ -281,6 +282,7 @@
+@@ -69,6 +70,9 @@
+ type krb5kdc_var_run_t;
+ files_pid_file(krb5kdc_var_run_t)
+ 
++type krb5_home_t;
++userdom_user_home_content(krb5_home_t)
++
+ ########################################
+ #
+ # kadmind local policy
+@@ -281,6 +285,7 @@
  
  allow kpropd_t krb5_keytab_t:file read_file_perms;
  
@@ -17602,8 +17654,8 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.if serefpolicy-3.6.12/policy/modules/services/pads.if
 --- nsaserefpolicy/policy/modules/services/pads.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/pads.if	2009-05-12 15:30:13.000000000 -0400
-@@ -0,0 +1,10 @@
++++ serefpolicy-3.6.12/policy/modules/services/pads.if	2009-05-18 08:59:32.000000000 -0400
+@@ -0,0 +1,44 @@
 +## <summary>SELinux policy for PADS daemon.</summary>
 +## <desc>
 +##	<p>
@@ -17614,6 +17666,40 @@ diff -b -B --ignore-all-space --exclude-
 +##	</p>
 +## </desc>
 +
++########################################
++## <summary>
++##	All of the rules required to administrate 
++##	an pads environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed to manage the pads domain.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`pads_admin', `
++	gen_require(`
++		type pads_t, pads_config_t;
++		type pads_var_run_t, pads_initrc_exec_t;
++	')
++
++	allow $1 pads_t:process { ptrace signal_perms };
++	ps_process_pattern($1, pads_t)
++
++	init_labeled_script_domtrans($1, pads_initrc_exec_t)
++	domain_system_change_exemption($1)
++	role_transition $2 pads_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	admin_pattern($1, pads_var_run_t)
++	admin_pattern($1, pads_config_t)
++')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.te serefpolicy-3.6.12/policy/modules/services/pads.te
 --- nsaserefpolicy/policy/modules/services/pads.te	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/services/pads.te	2009-05-12 15:30:13.000000000 -0400
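Review bot: The summary of `pads_admin` reads `an pads environment`; it should be `a pads environment`. The body follows the established admin pattern (ptrace/signal, init script domtrans, `admin_pattern` on the run and config types) but covers no log type; if pads.te declares a log type, add `admin_pattern($1, pads_log_t)` so administrators can rotate and inspect it too — I cannot see pads.te from here, so confirm the type name first.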
@@ -20863,6 +20949,90 @@ diff -b -B --ignore-all-space --exclude-
  optional_policy(`
  	ccs_stream_connect(ricci_modstorage_t)
  	ccs_read_config(ricci_modstorage_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.fc serefpolicy-3.6.12/policy/modules/services/rlogin.fc
+--- nsaserefpolicy/policy/modules/services/rlogin.fc	2008-08-07 11:15:11.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/rlogin.fc	2009-05-18 12:57:27.000000000 -0400
+@@ -4,3 +4,5 @@
+ /usr/lib(64)?/telnetlogin	--	gen_context(system_u:object_r:rlogind_exec_t,s0)
+ 
+ /usr/sbin/in\.rlogind		--	gen_context(system_u:object_r:rlogind_exec_t,s0)
++
++HOME_DIR/\.rlogin		--	gen_context(system_u:object_r:rlogind_home_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.if serefpolicy-3.6.12/policy/modules/services/rlogin.if
+--- nsaserefpolicy/policy/modules/services/rlogin.if	2008-08-07 11:15:11.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/rlogin.if	2009-05-18 12:51:14.000000000 -0400
+@@ -18,3 +18,49 @@
+ 	corecmd_search_bin($1)
+ 	domtrans_pattern($1, rlogind_exec_t, rlogind_t)
+ ')
++
++########################################
++## <summary>
++##	Execute rlogind in the rlogin domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`rlogin_domtrans',`
++	gen_require(`
++		type rlogind_t, rlogind_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, rlogind_exec_t, rlogind_t)
++')
++
++########################################
++## <summary>
++##	read rlogin homedir content (.config)
++## </summary>
++## <param name="userdomain_prefix">
++##	<summary>
++##	The prefix of the user domain (e.g., user
++##	is the prefix for user_t).
++##	</summary>
++## </param>
++## <param name="user_domain">
++##	<summary>
++##	The type of the user domain.
++##	</summary>
++## </param>
++#
++template(`rlogin_read_config',`
++	gen_require(`
++		type rlogind_home_t;
++	')
++
++	userdom_search_user_home_dirs($1)
++	list_dirs_pattern($1, rlogind_home_t, rlogind_home_t)
++	read_files_pattern($1, rlogind_home_t, rlogind_home_t)
++	read_lnk_files_pattern($1, rlogind_home_t, rlogind_home_t)
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.6.12/policy/modules/services/rlogin.te
+--- nsaserefpolicy/policy/modules/services/rlogin.te	2009-03-23 13:47:11.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/rlogin.te	2009-05-18 12:59:52.000000000 -0400
+@@ -20,6 +20,9 @@
+ type rlogind_var_run_t;
+ files_pid_file(rlogind_var_run_t)
+ 
++type rlogind_home_t;
++userdom_user_home_content(rlogind_home_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -79,6 +82,8 @@
+ 
+ logging_send_syslog_msg(rlogind_t)
+ 
++rlogin_read_config(rlogind_t)
++
+ miscfiles_read_localization(rlogind_t)
+ 
+ seutil_read_config(rlogind_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.6.12/policy/modules/services/rpcbind.te
 --- nsaserefpolicy/policy/modules/services/rpcbind.te	2009-01-19 11:06:49.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/services/rpcbind.te	2009-05-12 15:30:13.000000000 -0400
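Review bot: The new `rlogin_domtrans` interface in rlogin.if looks like a second copy of the one whose tail (`corecmd_search_bin($1)` / `domtrans_pattern($1, rlogind_exec_t, rlogind_t)`) forms the context at the top of the hunk; the original file was only 20 lines long, so that earlier interface is almost certainly `rlogin_domtrans` too, and a duplicate definition will either be rejected by the build or silently shadow the first, so drop the added copy. `rlogin_read_config` is declared as a `template` documenting `userdomain_prefix` and `user_domain` parameters, but its body only uses `$1` as a plain domain; declare it as `interface(`rlogin_read_config',` with a single `domain` parameter and a summary like `## Read rlogin trust files in user home directories (rlogind_home_t)`. Because those files decide which remote users are trusted for login, a note on the `rlogind_home_t` declaration that users may manage it (via `userdom_user_home_content`) by design would help the next reader.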
@@ -20978,7 +21148,7 @@ diff -b -B --ignore-all-space --exclude-
  	userdom_read_user_tmp_files(gssd_t) 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.6.12/policy/modules/services/rshd.te
 --- nsaserefpolicy/policy/modules/services/rshd.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/rshd.te	2009-05-12 15:30:13.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/rshd.te	2009-05-18 12:52:41.000000000 -0400
 @@ -51,7 +51,7 @@
  
  files_list_home(rshd_t)
@@ -20988,6 +21158,17 @@ diff -b -B --ignore-all-space --exclude-
  
  auth_login_pgm_domain(rshd_t)
  auth_write_login_records(rshd_t)
+@@ -84,6 +84,10 @@
+ ')
+ 
+ optional_policy(`
++	rlogin_read_config(rlogind_t)
++')
++
++optional_policy(`
+ 	tcpd_wrapped_domain(rshd_t, rshd_exec_t)
+ ')
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.12/policy/modules/services/rsync.te
 --- nsaserefpolicy/policy/modules/services/rsync.te	2009-03-23 13:47:11.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/services/rsync.te	2009-05-12 15:30:13.000000000 -0400
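Review bot: `rlogin_read_config(rlogind_t)` is placed in rshd.te, where the local domain is `rshd_t`; as written it grants nothing to rshd, and `rlogind_t` is neither declared nor required in rshd.te, so the module should fail to build once the rlogin module is present (or do nothing if the build tolerates it). Change it to `rlogin_read_config(rshd_t)`. A why-comment would help as well, since rsh consults the same `rlogind_home_t` trust files as rlogin: `# rshd checks the user's rlogin trust files for host-based access`.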
@@ -22799,6 +22980,17 @@ diff -b -B --ignore-all-space --exclude-
  
  dev_list_sysfs(snmpd_t)
  dev_read_sysfs(snmpd_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.if serefpolicy-3.6.12/policy/modules/services/snort.if
+--- nsaserefpolicy/policy/modules/services/snort.if	2008-10-10 15:53:03.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/snort.if	2009-05-18 08:57:28.000000000 -0400
+@@ -38,6 +38,7 @@
+ interface(`snort_admin',`
+ 	gen_require(`
+ 		type snort_t, snort_var_run_t, snort_log_t;
++		type snort_etc_t;
+ 		type snort_initrc_exec_t;
+ 	')
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.6.12/policy/modules/services/snort.te
 --- nsaserefpolicy/policy/modules/services/snort.te	2009-01-19 11:06:49.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/services/snort.te	2009-05-12 15:30:13.000000000 -0400
@@ -23318,7 +23510,7 @@ diff -b -B --ignore-all-space --exclude-
 -') dnl end TODO
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.6.12/policy/modules/services/ssh.fc
 --- nsaserefpolicy/policy/modules/services/ssh.fc	2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/ssh.fc	2009-05-12 15:30:13.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/ssh.fc	2009-05-16 08:22:41.000000000 -0400
 @@ -14,3 +14,5 @@
  /usr/sbin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
  
@@ -23327,7 +23519,7 @@ diff -b -B --ignore-all-space --exclude-
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:home_ssh_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.12/policy/modules/services/ssh.if
 --- nsaserefpolicy/policy/modules/services/ssh.if	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/ssh.if	2009-05-14 14:05:37.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/ssh.if	2009-05-18 12:55:03.000000000 -0400
 @@ -36,6 +36,7 @@
  	gen_require(`
  		attribute ssh_server;
@@ -23466,7 +23658,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	fs_dontaudit_getattr_all_fs($1_t)
  
-@@ -245,6 +243,8 @@
+@@ -245,18 +243,23 @@
  
  	files_read_etc_files($1_t)
  	files_read_etc_runtime_files($1_t)
@@ -23475,8 +23667,10 @@ diff -b -B --ignore-all-space --exclude-
  
  	logging_search_logs($1_t)
  
-@@ -254,9 +254,14 @@
+ 	miscfiles_read_localization($1_t)
  
+-	sysnet_read_config($1_t)
+-
  	userdom_dontaudit_relabelfrom_user_ptys($1_t)
  	userdom_search_user_home_dirs($1_t)
 +	userdom_read_user_home_content_files($1_t)
@@ -23490,20 +23684,25 @@ diff -b -B --ignore-all-space --exclude-
  	')
  
  	tunable_policy(`use_samba_home_dirs',`
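Review bot: Removing `sysnet_read_config($1_t)` from the ssh server template is only safe if something else in the template still grants reads on `net_conf_t` (resolv.conf, hosts); the usual replacement is `auth_use_nsswitch($1_t)`, which is not visible in this hunk, and the template body starts and ends outside it. Without it sshd cannot resolve names for `from=` restrictions, `UseDNS` or host-based checks, which fails closed but breaks logins. Keep the removal if the nsswitch call is present, otherwise restore the line.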
-@@ -265,11 +270,7 @@
+@@ -265,15 +268,11 @@
  
  	optional_policy(`
  		kerberos_use($1_t)
++		kerberos_manage_host_rcache($1_t)
+ 	')
+ 
+ 	optional_policy(`
+-		# Allow checking users mail at login
+-		mta_getattr_spool($1_t)
 -	')
 -
 -	optional_policy(`
--		# Allow checking users mail at login
--		mta_getattr_spool($1_t)
-+		kerberos_manage_host_rcache($1_t)
+-		nscd_socket_use($1_t)
++		rlogin_read_config($1_t)
  	')
  
  	optional_policy(`
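Review bot: `rlogin_read_config($1_t)` gives every ssh server domain read access to `rlogind_home_t` trust files with no comment saying why; sshd only consults rhosts-style files when host-based authentication is enabled, which is off by default, so this looks like it closes a denial from one deployment. Add the reason inline, `# HostbasedAuthentication consults rhosts-style trust files in $HOME`, and consider gating it on a boolean rather than granting it unconditionally. The same hunk also drops `nscd_socket_use($1_t)`, which is fine only if `auth_use_nsswitch($1_t)` is present elsewhere in the template.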
-@@ -345,6 +346,7 @@
+@@ -345,6 +344,7 @@
  	allow ssh_t $3:unix_stream_socket connectto;
  
  	# user can manage the keys and config
@@ -23511,7 +23710,7 @@ diff -b -B --ignore-all-space --exclude-
  	manage_files_pattern($3, home_ssh_t, home_ssh_t)
  	manage_lnk_files_pattern($3, home_ssh_t, home_ssh_t)
  	manage_sock_files_pattern($3, home_ssh_t, home_ssh_t)
-@@ -454,6 +456,24 @@
+@@ -454,6 +454,24 @@
  
  ########################################
  ## <summary>
@@ -23536,7 +23735,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Read a ssh server unnamed pipe.
  ## </summary>
  ## <param name="domain">
-@@ -469,6 +489,23 @@
+@@ -469,6 +487,23 @@
  
  	allow $1 sshd_t:fifo_file { getattr read };
  ')
@@ -23560,7 +23759,7 @@ diff -b -B --ignore-all-space --exclude-
  
  ########################################
  ## <summary>
-@@ -611,3 +648,42 @@
+@@ -611,3 +646,42 @@
  
  	dontaudit $1 sshd_key_t:file { getattr read };
  ')
@@ -23605,7 +23804,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.12/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/ssh.te	2009-05-12 15:30:13.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/ssh.te	2009-05-18 12:53:20.000000000 -0400
 @@ -41,6 +41,9 @@
  files_tmp_file(sshd_tmp_t)
  files_poly_parent(sshd_tmp_t)
@@ -23764,7 +23963,7 @@ diff -b -B --ignore-all-space --exclude-
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -408,6 +424,8 @@
+@@ -408,15 +424,13 @@
  init_use_fds(ssh_keygen_t)
  init_use_script_ptys(ssh_keygen_t)
  
@@ -23773,6 +23972,15 @@ diff -b -B --ignore-all-space --exclude-
  logging_send_syslog_msg(ssh_keygen_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
+ 
+ optional_policy(`
+-	nscd_socket_use(ssh_keygen_t)
+-')
+-
+-optional_policy(`
+ 	seutil_sigchld_newrole(ssh_keygen_t)
+ ')
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.12/policy/modules/services/sssd.fc
 --- nsaserefpolicy/policy/modules/services/sssd.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/services/sssd.fc	2009-05-12 15:30:13.000000000 -0400
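Review bot: Dropping `nscd_socket_use(ssh_keygen_t)` is only safe if `ssh_keygen_t` either never performs name-service lookups or still reaches nscd through `auth_use_nsswitch(ssh_keygen_t)`, and neither is visible in this hunk. If a lookup does happen without it, ssh-keygen falls back to reading the passwd files directly, which may surface as a new denial at boot. Confirm the nsswitch call exists above this hunk before merging, or keep the line.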
@@ -24384,6 +24592,377 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.fc serefpolicy-3.6.12/policy/modules/services/varnishd.fc
+--- nsaserefpolicy/policy/modules/services/varnishd.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/services/varnishd.fc	2009-05-18 08:21:37.000000000 -0400
+@@ -0,0 +1,20 @@
++
++/etc/rc\.d/init\.d/varnish		--		gen_context(system_u:object_r:varnishd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/varnishlog		--		gen_context(system_u:object_r:varnishlog_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/varnishncsa		--		gen_context(system_u:object_r:varnishlog_initrc_exec_t,s0)
++
++/etc/varnish(/.*)?					gen_context(system_u:object_r:varnishd_etc_t,s0)
++
++/usr/bin/varnishlog			--		gen_context(system_u:object_r:varnishlog_exec_t,s0)
++/usr/bin/varnisncsa			--		gen_context(system_u:object_r:varnishlog_exec_t,s0)
++
++/usr/sbin/varnishd			--		gen_context(system_u:object_r:varnishd_exec_t,s0)
++
++/var/lib/varnish(/.*)?					gen_context(system_u:object_r:varnishd_var_lib_t,s0)
++
++/var/log/varnish(/.*)?					gen_context(system_u:object_r:varnishlog_log_t,s0)
++
++/var/run/varnish\.pid			--		gen_context(system_u:object_r:varnishd_var_run_t,s0)
++/var/run/varnishlog\.pid		--		gen_context(system_u:object_r:varnishlog_var_run_t,s0)
++/var/run/varnishncsa\.pid		--		gen_context(system_u:object_r:varnishlog_var_run_t,s0)
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.if serefpolicy-3.6.12/policy/modules/services/varnishd.if
+--- nsaserefpolicy/policy/modules/services/varnishd.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/services/varnishd.if	2009-05-18 08:21:37.000000000 -0400
+@@ -0,0 +1,202 @@
++## <summary>Varnishd http accelerator daemon</summary>
++
++#######################################
++## <summary>
++##      Execute varnishd in the varnishd domain.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      The type of the process performing this action.
++##      </summary>
++## </param>
++#
++interface(`varnishd_domtrans',`
++        gen_require(`
++                type varnishd_t, varnishd_exec_t;
++        ')
++
++        corecmd_search_bin($1)
++        domtrans_pattern($1, varnishd_exec_t, varnishd_t)
++')
++
++#######################################
++## <summary>
++##      Execute varnishd 
++## </summary>
++## <param name="domain">
++##      <summary>
++##      The type of the process performing this action.
++##      </summary>
++## </param>
++#
++interface(`varnishd_exec',`
++        gen_require(`
++                type varnishd_exec_t;
++        ')
++
++        can_exec($1, varnishd_exec_t)
++')
++
++######################################
++## <summary>
++##      Read varnishd configuration file.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`varnishd_read_config',`
++        gen_require(`
++                type varnishd_etc_t;
++        ')
++
++        files_search_etc($1)
++        read_files_pattern($1, varnishd_etc_t, varnishd_etc_t)
++')
++
++#######################################
++## <summary>
++##      Read varnish logs.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`varnish_read_log',`
++        gen_require(`
++                type varnishlog_log_t;
++        ')
++
++        logging_search_logs($1)
++        read_files_pattern($1, varnishlog_log_t, varnishlog_log_t)
++')
++
++######################################
++## <summary>
++##      Append varnish logs.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`varnishlog_append_log',`
++        gen_require(`
++                type varnishlog_log_t;
++        ')
++
++        logging_search_logs($1)
++        append_files_pattern($1, varnishlog_log_t, varnishlog_log_t)
++')
++
++#####################################
++## <summary>
++##      Manage varnish logs.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`varnishlog_manage_log',`
++        gen_require(`
++                type varnishlog_log_t;
++        ')
++
++        logging_search_logs($1)
++        manage_files_pattern($1, varnishlog_log_t, varnishlog_log_t)
++')
++
++#######################################
++## <summary>
++##      All of the rules required to administrate 
++##      an varnishd environment
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++## <param name="role">
++##      <summary>
++##      The role to be allowed to manage the varnishd domain.
++##      </summary>
++## </param>
++## <rolecap/>
++#
++interface(`varnishd_admin',`
++        gen_require(`
++                type varnishd_t, varnishd_var_lib_t, varnishd_etc_t;
++                type varnishd_var_run_t, varnishd_tmp_t; 
++                type varnishd_initrc_exec_t;
++	')
++
++	allow $1 varnishd_t:process { ptrace signal_perms };
++	ps_process_pattern($1, varnishd_t)
++
++	init_labeled_script_domtrans($1, varnishd_initrc_exec_t)
++	domain_system_change_exemption($1)
++	role_transition $2 varnishd_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	files_search_var_lib($1)
++	admin_pattern($1, varnishd_var_lib_t)
++
++	files_search_etc($1)
++	admin_pattern($1, varnishd_etc_t)
++
++	files_search_pids($1)
++	admin_pattern($1, varnishd_var_run_t)
++
++	files_search_tmp($1)
++	admin_pattern($1, varnishd_tmp_t)
++
++')
++
++######################################
++## <summary>
++##      All of the rules required to administrate 
++##      an varnishlog environment
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++## <param name="role">
++##      <summary>
++##      The role to be allowed to manage the varnishlog domain.
++##      </summary>
++## </param>
++## <rolecap/>
++#
++interface(`varnishlog_admin',`
++        gen_require(`
++                type varnishlog_t;
++                type varnishlog_var_run_t, varnishlog_log_t;
++                type varnishlog_initrc_exec_t;
++	')
++
++	allow $1 varnishlog_t:process { ptrace signal_perms };
++	ps_process_pattern($1, varnishlog_t)
++
++	init_labeled_script_domtrans($1, varnishlog_initrc_exec_t)
++	domain_system_change_exemption($1)
++	role_transition $2 varnishlog_initrc_exec_t system_r;
++	allow $2 system_r;
++	
++	files_search_pids($1)
++ 	admin_pattern($1, varnishlog_var_run_t)
++
++	logging_list_logs($1)
++	admin_pattern($1, varnishlog_log_t)
++
++')
++
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.te serefpolicy-3.6.12/policy/modules/services/varnishd.te
+--- nsaserefpolicy/policy/modules/services/varnishd.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/services/varnishd.te	2009-05-18 08:21:37.000000000 -0400
+@@ -0,0 +1,137 @@
++policy_module(varnishd,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++## <desc>
++## <p>
++## Allow varnishd to connect to all ports,
++## not just HTTP.
++## </p>
++## </desc>
++gen_tunable(varnishd_connect_any, false)
++
++
++type varnishd_t;
++type varnishd_exec_t;
++init_daemon_domain(varnishd_t, varnishd_exec_t)
++
++type varnishd_initrc_exec_t;
++init_script_file(varnishd_initrc_exec_t)
++
++# etc files
++type varnishd_etc_t;
++files_type(varnishd_etc_t)
++
++# tmp files
++type varnishd_tmp_t;
++files_tmp_file(varnishd_tmp_t)
++
++# var/lib files
++type varnishd_var_lib_t;
++files_type(varnishd_var_lib_t)
++
++# pid files
++type varnishd_var_run_t;
++files_pid_file(varnishd_var_run_t)
++
++
++type varnishlog_t;
++type varnishlog_exec_t;
++init_daemon_domain(varnishlog_t, varnishlog_exec_t)
++
++type varnishlog_initrc_exec_t;
++init_script_file(varnishlog_initrc_exec_t)
++
++# pid files
++type varnishlog_var_run_t;
++files_pid_file(varnishlog_var_run_t)
++
++# log files
++type varnishlog_log_t;
++files_type(varnishlog_log_t)
++
++########################################
++#
++# varnishd local policy
++#
++
++allow varnishd_t self:capability { dac_override ipc_lock setuid setgid };
++allow varnishd_t self:process signal;
++allow varnishd_t self:fifo_file rw_fifo_file_perms;
++allow varnishd_t self:tcp_socket create_stream_socket_perms;
++allow varnishd_t self:udp_socket create_socket_perms;
++
++# etc file
++read_files_pattern(varnishd_t, varnishd_etc_t, varnishd_etc_t)
++list_dirs_pattern(varnishd_t, varnishd_etc_t, varnishd_etc_t)
++
++# var/lib files for varnishd
++exec_files_pattern(varnishd_t,varnishd_var_lib_t,varnishd_var_lib_t)
++manage_dirs_pattern(varnishd_t,varnishd_var_lib_t,varnishd_var_lib_t)
++manage_files_pattern(varnishd_t,varnishd_var_lib_t,varnishd_var_lib_t)
++files_var_lib_filetrans(varnishd_t,varnishd_var_lib_t, { dir file })
++
++# tmp files for varnishd
++manage_dirs_pattern(varnishd_t,varnishd_tmp_t,varnishd_tmp_t)
++manage_files_pattern(varnishd_t,varnishd_tmp_t,varnishd_tmp_t)
++files_tmp_filetrans(varnishd_t, varnishd_tmp_t, { file dir })
++
++# pid files
++manage_files_pattern(varnishd_t, varnishd_var_run_t, varnishd_var_run_t)
++files_pid_filetrans(varnishd_t,varnishd_var_run_t,{ file })
++
++kernel_read_system_state(varnishd_t)
++
++corenet_tcp_bind_all_nodes(varnishd_t)
++corenet_tcp_bind_http_port(varnishd_t)
++corenet_tcp_bind_http_cache_port(varnishd_t)
++corenet_tcp_bind_varnishd_port(varnishd_t)
++corenet_tcp_connect_http_cache_port(varnishd_t)
++corenet_tcp_connect_http_port(varnishd_t)
++
++sysnet_read_config(varnishd_t)
++
++auth_use_nsswitch(varnishd_t)
++
++corecmd_exec_bin(varnishd_t)
++corecmd_exec_shell(varnishd_t)
++
++dev_read_urand(varnishd_t)
++
++fs_getattr_all_fs(varnishd_t)
++
++libs_use_ld_so(varnishd_t)
++libs_use_shared_libs(varnishd_t)
++
++logging_send_syslog_msg(varnishd_t)
++
++miscfiles_read_localization(varnishd_t)
++
++tunable_policy(`varnishd_connect_any',`
++        corenet_tcp_connect_all_ports(varnishd_t)
++        corenet_tcp_bind_all_ports(varnishd_t)
++')
++
++permissive varnishd_t;
++
++#######################################
++#
++# varnishlog local policy
++#
++
++# pid files
++manage_files_pattern(varnishlog_t, varnishlog_var_run_t, varnishlog_var_run_t)
++files_pid_filetrans(varnishlog_t,varnishlog_var_run_t,{ file })
++ 
++# log files
++manage_dirs_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
++manage_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
++logging_log_filetrans(varnishlog_t, varnishlog_log_t, { file dir })
++
++files_search_var_lib(varnishlog_t)
++read_files_pattern(varnishlog_t, varnishd_var_lib_t, varnishd_var_lib_t)
++
++permissive varnishlog_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.12/policy/modules/services/virt.fc
 --- nsaserefpolicy/policy/modules/services/virt.fc	2009-01-05 15:39:43.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/services/virt.fc	2009-05-12 15:30:13.000000000 -0400
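Review bot: `/usr/bin/varnisncsa` in varnishd.fc is misspelled (the init-script entry two lines earlier reads `varnishncsa`), so the real binary is never labeled varnishlog_exec_t and never transitions into varnishlog_t; the line should read `/usr/bin/varnishncsa			--		gen_context(system_u:object_r:varnishlog_exec_t,s0)`. The `varnishd_connect_any` tunable is documented as only allowing connects to all ports, yet its tunable_policy block also grants `corenet_tcp_bind_all_ports(varnishd_t)`; either drop the bind rule or extend the `<desc>` to say it permits binding as well. The interface `varnish_read_log` breaks the `varnishlog_` prefix used by its sibling log interfaces and by the module's types; `varnishlog_read_log` would match. Both domains are declared `permissive`, so none of this is enforced yet; when those lines are removed, note that varnishlog_t, unlike varnishd_t, has no self, library-loading or syslog rules of its own, which will presumably surface as denials then.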
@@ -28105,7 +28684,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.12/policy/modules/system/logging.if
 --- nsaserefpolicy/policy/modules/system/logging.if	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/logging.if	2009-05-12 15:30:13.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/logging.if	2009-05-18 09:09:12.000000000 -0400
 @@ -623,7 +623,7 @@
  	')
  
@@ -28458,6 +29037,35 @@ diff -b -B --ignore-all-space --exclude-
 +	xen_append_log(lvm_t)
 +	xen_dontaudit_rw_unix_stream_sockets(lvm_t)
 +')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.12/policy/modules/system/miscfiles.if
+--- nsaserefpolicy/policy/modules/system/miscfiles.if	2009-03-20 12:39:40.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/miscfiles.if	2009-05-18 14:39:11.000000000 -0400
+@@ -87,6 +87,25 @@
+ 
+ ########################################
+ ## <summary>
++##	Allow domaint ot setattr on fonts dir
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`miscfiles_setattr_fonts',`
++	gen_require(`
++		type fonts_t;
++	')
++
++	allow $1 fonts_t:dir setattr;
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts to write fonts.
+ ## </summary>
+ ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.12/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te	2009-01-05 15:39:43.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/system/modutils.te	2009-05-12 15:30:13.000000000 -0400
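Review bot: The summary of the new `miscfiles_setattr_fonts` interface is garbled: `##	Allow domaint ot setattr on fonts dir` should read `##	Allow the specified domain to setattr on fonts directories.`. No caller of the interface is visible in this chunk, so I cannot confirm which domain the `fonts_t:dir setattr` grant is meant for; a caller elsewhere in the patch presumably exists.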


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.854
retrieving revision 1.855
diff -u -p -r1.854 -r1.855
--- selinux-policy.spec	14 May 2009 18:53:40 -0000	1.854
+++ selinux-policy.spec	18 May 2009 18:41:02 -0000	1.855
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 37%{?dist}
+Release: 38%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -473,6 +473,9 @@ exit 0
 %endif
 
 %changelog
+* Mon May 18 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-38
+- Add varnishd policy
+
 * Thu May 14 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-37
 - Fixes for kpropd
 



