[selinux-policy/f13/master] - Fixes for cgroup policy - Fixes for ncftool policy - Add ncftool_read_user_content boolean - Fix l
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Aug 10 17:27:50 UTC 2010
commit e9bf41c5af5065f594ba531bc97acb28bf270eeb
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Aug 10 19:27:43 2010 +0200
- Fixes for cgroup policy
- Fixes for ncftool policy
- Add ncftool_read_user_content boolean
- Fix label for boinc init script
- Fix label for fence_tool
- Allow vhostmd to write virt content
- Allow ricci domtrans to shutdown
policy-F13.patch | 1222 +++++++++++++++++++++++++++------------------------
selinux-policy.spec | 11 +-
2 files changed, 669 insertions(+), 564 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index ccd98ff..8d86409 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -791,8 +791,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.te serefpolicy-3.7.19/policy/modules/admin/ncftool.te
--- nsaserefpolicy/policy/modules/admin/ncftool.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/admin/ncftool.te 2010-08-06 12:08:25.383084696 +0200
-@@ -0,0 +1,85 @@
++++ serefpolicy-3.7.19/policy/modules/admin/ncftool.te 2010-08-10 17:56:29.555085094 +0200
+@@ -0,0 +1,99 @@
+
+policy_module(ncftool,1.0.0)
+
@@ -801,6 +801,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool
+# Declarations
+#
+
++## <desc>
++## <p>
++## Allow ncftool to read user content.
++## </p>
++## </desc>
++gen_tunable(ncftool_read_user_content, false)
++
+type ncftool_t;
+type ncftool_exec_t;
+application_domain(ncftool_t, ncftool_exec_t)
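Review bot: The tunable's `<desc>` text says only "Allow ncftool to read user content", but the rules it switches on (the later `tunable_policy(`ncftool_read_user_content'` hunk for ncftool.te in this same commit) also grant `allow ncftool_t self:capability dac_override;`, which is not a read-only permission — it lets the domain bypass DAC ownership checks on any file it opens. Administrators decide whether to enable a boolean from this description, so it should state the full effect, e.g. `## Allow ncftool to read user content (home directories and tmp). This also grants the dac_override capability so files owned by other users can be read.`. The Declarations section of ncftool.te continues outside the hunk.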
@@ -840,6 +847,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool
+
+dev_read_sysfs(ncftool_t)
+
++files_manage_system_conf_files(ncftool_t)
++files_relabelto_system_conf_files(ncftool_t)
+files_read_etc_files(ncftool_t)
+files_read_etc_runtime_files(ncftool_t)
+files_read_usr_files(ncftool_t)
@@ -864,11 +873,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool
+sysnet_read_dhcpc_pid(ncftool_t)
+sysnet_signal_dhcpc(ncftool_t)
+
-+userdom_read_user_tmp_files(ncftool_t)
++tunable_policy(`ncftool_read_user_content',`
++ allow ncftool_t self: capability dac_override;
++ userdom_read_user_home_content_files(ncftool_t)
++ userdom_read_user_tmp_files(ncftool_t)
++')
+
-+#optional_policy(`
-+# brctl_domtrans(ncftool_t)
-+#')
++userdom_read_user_tmp_files(ncftool_t)
+
+optional_policy(`
+ dbus_system_bus_client(ncftool_t)
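Review bot: `userdom_read_user_tmp_files(ncftool_t)` is called both inside the new `tunable_policy(`ncftool_read_user_content'` block and unconditionally right after it, so user tmp access is granted whether or not the boolean is set and the copy inside the tunable is dead; keep whichever matches the intent and drop the other. The `dac_override` capability granted inside the block is process-wide rather than scoped to the user-content reads, so while the boolean is on it also strengthens the unconditional `files_manage_system_conf_files(ncftool_t)` added in the earlier hunk; a why-comment such as `# dac_override lets ncftool read home content owned by other users; note it is not limited to those files` would make that trade-off visible to the next reader. The rest of ncftool.te's rules continue outside the hunk.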
@@ -878,6 +889,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool
+ iptables_initrc_domtrans(ncftool_t)
+')
+
++optional_policy(`
++ netutils_domtrans(ncftool_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.fc serefpolicy-3.7.19/policy/modules/admin/netutils.fc
--- nsaserefpolicy/policy/modules/admin/netutils.fc 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/admin/netutils.fc 2010-05-28 09:41:59.953610894 +0200
@@ -1061,7 +1075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.19/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/admin/prelink.te 2010-07-19 15:48:21.071151654 +0200
++++ serefpolicy-3.7.19/policy/modules/admin/prelink.te 2010-08-10 16:41:00.472085275 +0200
@@ -21,8 +21,21 @@
type prelink_tmp_t;
files_tmp_file(prelink_tmp_t)
@@ -1134,10 +1148,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
optional_policy(`
amanda_manage_lib(prelink_t)
-@@ -99,5 +119,59 @@
+@@ -99,5 +119,63 @@
')
optional_policy(`
++ nsplugin_manage_rw_files(prelink_t)
++')
++
++optional_policy(`
+ rpm_manage_tmp_files(prelink_t)
+')
+
@@ -1207,7 +1225,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.t
dev_getattr_all_blk_files(quota_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.7.19/policy/modules/admin/readahead.te
--- nsaserefpolicy/policy/modules/admin/readahead.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/admin/readahead.te 2010-05-28 09:41:59.957610702 +0200
++++ serefpolicy-3.7.19/policy/modules/admin/readahead.te 2010-08-10 16:20:02.216085125 +0200
@@ -52,6 +52,7 @@
files_list_non_security(readahead_t)
@@ -1220,7 +1238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahe
fs_search_auto_mountpoints(readahead_t)
fs_getattr_all_pipes(readahead_t)
fs_getattr_all_files(readahead_t)
-+fs_read_cgroupfs_files(readahead_t)
++fs_read_cgroup_files(readahead_t)
+fs_read_tmpfs_files(readahead_t)
fs_read_tmpfs_symlinks(readahead_t)
fs_list_inotifyfs(readahead_t)
@@ -2296,8 +2314,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.7.19/policy/modules/admin/shutdown.te
--- nsaserefpolicy/policy/modules/admin/shutdown.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te 2010-05-28 09:41:59.963611216 +0200
-@@ -0,0 +1,63 @@
++++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te 2010-08-09 14:15:21.106085482 +0200
+@@ -0,0 +1,68 @@
+policy_module(shutdown,1.0.0)
+
+########################################
@@ -2359,6 +2377,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
+')
+
+optional_policy(`
++ oddjob_dontaudit_rw_fifo_file(shutdown_t)
++ oddjob_sigchld(shutdown_t)
++')
++
++optional_policy(`
+ xserver_dontaudit_write_log(shutdown_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.7.19/policy/modules/admin/sudo.if
@@ -6118,7 +6141,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.7.19/policy/modules/apps/podsleuth.te
--- nsaserefpolicy/policy/modules/apps/podsleuth.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/apps/podsleuth.te 2010-07-19 16:31:06.162151600 +0200
++++ serefpolicy-3.7.19/policy/modules/apps/podsleuth.te 2010-08-09 15:09:14.103084679 +0200
+@@ -28,7 +28,7 @@
+ # podsleuth local policy
+ #
+ allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
+-allow podsleuth_t self:process { ptrace signal getsched execheap execmem execstack };
++allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack };
+ allow podsleuth_t self:fifo_file rw_file_perms;
+ allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
+ allow podsleuth_t self:sem create_sem_perms;
@@ -50,6 +50,7 @@
fs_tmpfs_filetrans(podsleuth_t, podsleuth_tmpfs_t, { dir file lnk_file })
@@ -7326,8 +7358,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.19/policy/modules/apps/seunshare.te
--- nsaserefpolicy/policy/modules/apps/seunshare.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/apps/seunshare.te 2010-05-28 09:42:00.006611051 +0200
-@@ -6,40 +6,39 @@
++++ serefpolicy-3.7.19/policy/modules/apps/seunshare.te 2010-08-10 16:20:13.598085356 +0200
+@@ -6,40 +6,45 @@
# Declarations
#
@@ -7341,8 +7373,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
#
# seunshare local policy
#
-+allow seunshare_domain self:capability { setuid dac_override setpcap sys_admin };
-+allow seunshare_domain self:process { fork setexec signal getcap setcap };
++allow seunshare_domain self:capability { setuid dac_override setpcap sys_admin sys_nice };
++allow seunshare_domain self:process { fork setexec signal getcap setcap setsched };
-allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
-allow seunshare_t self:process { setexec signal getcap setcap };
@@ -7351,28 +7383,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
-allow seunshare_t self:fifo_file rw_file_perms;
-allow seunshare_t self:unix_stream_socket create_stream_socket_perms;
-+corecmd_exec_shell(seunshare_domain)
-+corecmd_exec_bin(seunshare_domain)
++kernel_read_system_state(seunshare_domain)
-corecmd_exec_shell(seunshare_t)
-corecmd_exec_bin(seunshare_t)
-+files_search_all(seunshare_domain)
-+files_read_etc_files(seunshare_domain)
-+files_mounton_all_poly_members(seunshare_domain)
++corecmd_exec_shell(seunshare_domain)
++corecmd_exec_bin(seunshare_domain)
-files_read_etc_files(seunshare_t)
-files_mounton_all_poly_members(seunshare_t)
-+auth_use_nsswitch(seunshare_domain)
++files_search_all(seunshare_domain)
++files_read_etc_files(seunshare_domain)
++files_mounton_all_poly_members(seunshare_domain)
-auth_use_nsswitch(seunshare_t)
-+logging_send_syslog_msg(seunshare_domain)
++fs_manage_cgroup_dirs(seunshare_domain)
++fs_manage_cgroup_files(seunshare_domain)
-logging_send_syslog_msg(seunshare_t)
-+miscfiles_read_localization(seunshare_domain)
++auth_use_nsswitch(seunshare_domain)
-miscfiles_read_localization(seunshare_t)
--
++logging_send_syslog_msg(seunshare_domain)
+
-userdom_use_user_terminals(seunshare_t)
++miscfiles_read_localization(seunshare_domain)
++
+userdom_use_user_terminals(seunshare_domain)
ifdef(`hide_broken_symptoms', `
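Review bot: `fs_manage_cgroup_dirs(seunshare_domain)` and `fs_manage_cgroup_files(seunshare_domain)` give the sandbox launcher create, write and delete access over every `cgroup_t` directory and file — the `fs_manage_cgroup_files` added by this commit is a plain `manage_files_pattern` on `cgroup_t`, and the new `/cgroup(/.*)?` file context labels the whole tree — not just a per-sandbox subtree. Because cgroup control files govern resource limits and task placement for other processes too, it is worth confirming that seunshare needs more than creating and removing its own group; if it does, a why-comment above the two calls, e.g. `# seunshare sets up a cgroup for the sandboxed process — presumably only its own subtree, verify`, would record the intent. The seunshare_domain rule block continues outside the hunk.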
@@ -7385,6 +7421,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
+ mozilla_dontaudit_manage_user_home_files(seunshare_domain)
')
')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.7.19/policy/modules/apps/slocate.te
--- nsaserefpolicy/policy/modules/apps/slocate.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/apps/slocate.te 2010-05-28 09:42:00.007614268 +0200
@@ -9423,7 +9460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.19/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2010-08-04 14:39:59.845084944 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2010-08-09 14:32:12.282084745 +0200
@@ -1053,10 +1053,8 @@
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -9791,7 +9828,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
########################################
## <summary>
## Mount a filesystem on /mnt.
-@@ -3520,6 +3765,64 @@
+@@ -3229,6 +3474,24 @@
+ read_files_pattern($1, mnt_t, mnt_t)
+ ')
+
++#######################################
++## <summary>
++## Read symbolic links in /mnt.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_read_mnt_symlinks',`
++ gen_require(`
++ type mnt_t;
++ ')
++
++ read_lnk_files_pattern($1, mnt_t, mnt_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Create, read, write, and delete symbolic links in /mnt.
+@@ -3520,6 +3783,82 @@
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -9834,6 +9896,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
+ manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
+')
+
++#######################################
++## <summary>
++## Relabel manageable system configuration files in /etc.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_relabelto_system_conf_files',`
++ gen_require(`
++ type usr_t;
++ ')
++
++ relabelto_files_pattern($1, system_conf_t, system_conf_t)
++')
++
+###################################
+## <summary>
+## Create files in /etc with the type used for
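Review bot: The new `files_relabelto_system_conf_files` interface declares `type usr_t;` in its `gen_require` while its body uses `system_conf_t`, so the require does not cover the type the rule actually needs and `usr_t` is required for nothing; this looks like a copy-paste from one of the `files_*_usr_*` interfaces. Change the require to `type system_conf_t;`. The separator line above the interface is also one `#` shorter than the file's other separator lines (the same short form appears above `files_read_mnt_symlinks` earlier in this diff).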
@@ -9856,12 +9936,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
########################################
## <summary>
## Allow the specified type to associate
-@@ -3705,6 +4008,32 @@
+@@ -3705,25 +4044,51 @@
########################################
## <summary>
+-## Manage temporary files and directories in /tmp.
+## Allow shared library text relocations in tmp files.
-+## </summary>
+ ## </summary>
+## <desc>
+## <p>
+## Allow shared library text relocations in tmp files.
@@ -9870,26 +9951,50 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
+## This is added to support java policy.
+## </p>
+## </desc>
+ ## <param name="domain">
+ ## <summary>
+-## The type of the process performing this action.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_tmp_files',`
++interface(`files_execmod_tmp',`
+ gen_require(`
+- type tmp_t;
++ attribute tmpfile;
+ ')
+
+- manage_files_pattern($1, tmp_t, tmp_t)
++ allow $1 tmpfile:file execmod;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read symbolic links in the tmp directory (/tmp).
++## Manage temporary files and directories in /tmp.
++## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## The type of the process performing this action.
+## </summary>
+## </param>
+#
-+interface(`files_execmod_tmp',`
++interface(`files_manage_generic_tmp_files',`
+ gen_require(`
-+ attribute tmpfile;
++ type tmp_t;
+ ')
+
-+ allow $1 tmpfile:file execmod;
++ manage_files_pattern($1, tmp_t, tmp_t)
+')
+
+########################################
+## <summary>
- ## Manage temporary files and directories in /tmp.
++## Read symbolic links in the tmp directory (/tmp).
## </summary>
## <param name="domain">
-@@ -3918,6 +4247,13 @@
+ ## <summary>
+@@ -3918,6 +4283,13 @@
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -9903,7 +10008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -4013,6 +4349,24 @@
+@@ -4013,6 +4385,24 @@
########################################
## <summary>
@@ -9928,7 +10033,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Delete generic files in /usr in the caller domain.
## </summary>
## <param name="domain">
-@@ -4026,7 +4380,7 @@
+@@ -4026,7 +4416,7 @@
type usr_t;
')
@@ -9937,7 +10042,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -4107,6 +4461,24 @@
+@@ -4107,6 +4497,24 @@
########################################
## <summary>
@@ -9962,7 +10067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## dontaudit write of /usr files
## </summary>
## <param name="domain">
-@@ -5032,6 +5404,43 @@
+@@ -5032,6 +5440,43 @@
search_dirs_pattern($1, var_t, var_run_t)
')
@@ -10006,7 +10111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
########################################
## <summary>
## Do not audit attempts to search
-@@ -5091,6 +5500,24 @@
+@@ -5091,6 +5536,24 @@
########################################
## <summary>
@@ -10031,7 +10136,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Create an object in the process ID directory, with a private type.
## </summary>
## <desc>
-@@ -5238,6 +5665,7 @@
+@@ -5238,6 +5701,7 @@
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
@@ -10039,7 +10144,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -5306,6 +5734,24 @@
+@@ -5306,6 +5770,24 @@
########################################
## <summary>
@@ -10064,7 +10169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Search the contents of generic spool
## directories (/var/spool).
## </summary>
-@@ -5494,12 +5940,15 @@
+@@ -5494,12 +5976,15 @@
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
@@ -10081,7 +10186,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
')
-@@ -5520,3 +5969,229 @@
+@@ -5520,3 +6005,229 @@
typeattribute $1 files_unconfined_type;
')
@@ -10359,133 +10464,79 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
########################################
#
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.7.19/policy/modules/kernel/filesystem.fc
+--- nsaserefpolicy/policy/modules/kernel/filesystem.fc 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.fc 2010-08-10 16:17:05.636084991 +0200
+@@ -1 +1,3 @@
+ /dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
++
++/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.19/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2010-06-03 16:42:26.247159863 +0200
-@@ -559,7 +559,7 @@
-
- ########################################
- ## <summary>
--## Mount a cgroup filesystem.
-+## Delete directories on cgroupfs.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -567,18 +567,17 @@
- ## </summary>
- ## </param>
- #
--interface(`fs_mount_cgroup', `
-+interface(`fs_delete_cgroupfs_dirs', `
- gen_require(`
-- type cgroup_t;
-+ type cgroupfs_t;
- ')
-
-- allow $1 cgroup_t:filesystem mount;
-+ delete_dirs_pattern($1, cgroupfs_t, cgroupfs_t)
- ')
-
- ########################################
- ## <summary>
--## Remount a cgroup filesystem This allows
--## some mount options to be changed.
-+## Mount a cgroup filesystem.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -586,17 +585,18 @@
- ## </summary>
- ## </param>
- #
--interface(`fs_remount_cgroup', `
-+interface(`fs_mount_cgroupfs', `
- gen_require(`
-- type cgroup_t;
-+ type cgroupfs_t;
- ')
-
-- allow $1 cgroup_t:filesystem remount;
-+ allow $1 cgroupfs_t:filesystem mount;
- ')
++++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2010-08-10 16:52:17.722085152 +0200
+@@ -559,6 +559,24 @@
########################################
## <summary>
--## Unmount a cgroup file system.
-+## Remount a cgroup filesystem This allows
-+## some mount options to be changed.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -604,70 +604,67 @@
- ## </summary>
- ## </param>
- #
--interface(`fs_unmount_cgroup', `
-+interface(`fs_remount_cgroupfs', `
- gen_require(`
-- type cgroup_t;
-+ type cgroupfs_t;
- ')
-
-- allow $1 cgroup_t:filesystem unmount;
-+ allow $1 cgroupfs_t:filesystem remount;
- ')
-
- ########################################
- ## <summary>
--## Get the attributes of a cgroup filesystem.
-+## Unmount a cgroup file system.
++## Delete directories on cgroup.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_delete_cgroup_dirs', `
++ gen_require(`
++ type cgroup_t;
++ ')
++
++ delete_dirs_pattern($1, cgroup_t, cgroup_t)
++')
++
++########################################
++## <summary>
+ ## Mount a cgroup filesystem.
## </summary>
## <param name="domain">
- ## <summary>
+@@ -621,53 +639,32 @@
## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
--interface(`fs_getattr_cgroup',`
-+interface(`fs_unmount_cgroupfs', `
+ interface(`fs_getattr_cgroup',`
gen_require(`
- type cifs_t;
-+ type cgroupfs_t;
++ type cgroup_t;
')
- allow $1 cifs_t:filesystem getattr;
-+ allow $1 cgroupfs_t:filesystem unmount;
++ allow $1 cgroup_t:filesystem getattr;
')
########################################
## <summary>
-## list dirs on cgroup
-## file systems.
-+## Get the attributes of a cgroup filesystem.
- ## </summary>
- ## <param name="domain">
+-## </summary>
+-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-+## <summary>
-+## Domain allowed access.
-+## </summary>
- ## </param>
- #
+-## </param>
+-#
-interface(`fs_list_cgroup_dirs', `
- gen_require(`
- type cgroup_t;
-
- ')
-+interface(`fs_getattr_cgroupfs',`
-+ gen_require(`
-+ type cgroupfs_t;
-+ ')
-
+-
- list_dirs_pattern($1, cgroup_t, cgroup_t)
-+ allow $1 cgroupfs_t:filesystem getattr;
- ')
-
- ########################################
- ## <summary>
+-')
+-
+-########################################
+-## <summary>
-## Do not audit attempts to read
-## dirs on a CIFS or SMB filesystem.
+## list dirs on cgroup
@@ -10499,103 +10550,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## </param>
#
-interface(`fs_dontaudit_list_cifs_dirs',`
-+interface(`fs_list_cgroupfs_dirs', `
++interface(`fs_list_cgroup_dirs', `
gen_require(`
- type cifs_t;
-+ type cgroupfs_t;
++ type cgroup_t;
')
- dontaudit $1 cifs_t:dir list_dir_perms;
-+ list_dirs_pattern($1, cgroupfs_t, cgroupfs_t)
- ')
-
- ########################################
-@@ -680,13 +677,13 @@
- ## </summary>
- ## </param>
- #
--interface(`fs_manage_cgroup_dirs',`
-+interface(`fs_manage_cgroupfs_dirs',`
- gen_require(`
-- type cgroup_t;
-+ type cgroupfs_t;
-
- ')
-
-- manage_dirs_pattern($1, cgroup_t, cgroup_t)
-+ manage_dirs_pattern($1, cgroupfs_t, cgroupfs_t)
- ')
-
- ########################################
-@@ -700,13 +697,13 @@
- ## </summary>
- ## </param>
- #
--interface(`fs_setattr_cgroup_files',`
-+interface(`fs_setattr_cgroupfs_files',`
- gen_require(`
-- type cgroup_t;
-+ type cgroupfs_t;
-
- ')
-
-- setattr_files_pattern($1, cgroup_t, cgroup_t)
-+ setattr_files_pattern($1, cgroupfs_t, cgroupfs_t)
- ')
-
- ########################################
-@@ -720,13 +717,13 @@
- ## </summary>
- ## </param>
- #
--interface(`fs_read_cgroup_files',`
-+interface(`fs_read_cgroupfs_files',`
- gen_require(`
-- type cgroup_t;
-+ type cgroupfs_t;
-
- ')
-
-- read_files_pattern($1, cgroup_t, cgroup_t)
-+ read_files_pattern($1, cgroupfs_t, cgroupfs_t)
++ list_dirs_pattern($1, cgroup_t, cgroup_t)
')
########################################
-@@ -740,13 +737,12 @@
- ## </summary>
- ## </param>
- #
--interface(`fs_write_cgroup_files', `
-+interface(`fs_write_cgroupfs_files', `
+@@ -743,7 +740,6 @@
+ interface(`fs_write_cgroup_files', `
gen_require(`
-- type cgroup_t;
+ type cgroup_t;
-
-+ type cgroupfs_t;
')
-- write_files_pattern($1, cgroup_t, cgroup_t)
-+ write_files_pattern($1, cgroupfs_t, cgroupfs_t)
- ')
+ write_files_pattern($1, cgroup_t, cgroup_t)
+@@ -771,6 +767,82 @@
########################################
-@@ -760,13 +756,52 @@
- ## </summary>
- ## </param>
- #
--interface(`fs_rw_cgroup_files',`
-+interface(`fs_rw_cgroupfs_files',`
- gen_require(`
-- type cgroup_t;
-+ type cgroupfs_t;
-
- ')
-
-- rw_files_pattern($1, cgroup_t, cgroup_t)
-+ rw_files_pattern($1, cgroupfs_t, cgroupfs_t)
-+')
-+
-+########################################
-+## <summary>
+ ## <summary>
+## Do not audit attempts to getattr,
+## open, read and write files on cgroup
+## file systems.
@@ -10606,12 +10583,49 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+## </summary>
+## </param>
+#
-+interface(`fs_dontaudit_rw_cgroupfs_files',`
++interface(`fs_dontaudit_rw_cgroup_files',`
+ gen_require(`
-+ type cgroupfs_t;
++ type cgroup_t;
+ ')
+
-+ dontaudit $1 cgroupfs_t:file rw_file_perms;
++ dontaudit $1 cgroup_t:file rw_file_perms;
++')
++
++#######################################
++## <summary>
++## Manage cgroup files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_manage_cgroup_files',`
++ gen_require(`
++ type cgroup_t;
++
++ ')
++
++ manage_files_pattern($1, cgroup_t, cgroup_t)
++')
++
++#######################################
++## <summary>
++## Mount on cgroup directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_mounton_cgroup', `
++ gen_require(`
++ type cgroup_t;
++ ')
++
++ allow $1 cgroup_t:dir mounton;
+')
+
+########################################
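Review bot: `fs_manage_cgroup_files` has a stray blank line inside its `gen_require(` … `')` block, which this same commit removes from `fs_write_cgroup_files` a few lines above (the `@@ -743,7 +740,6 @@` inner hunk); make the new interface consistent by deleting the blank line after `type cgroup_t;`. The separators above `fs_manage_cgroup_files` and `fs_mounton_cgroup` are also one character shorter than the file's other `########################################` lines. The summary of `fs_mounton_cgroup` would be clearer about what is mounted over, e.g. `## Mount a filesystem on top of cgroup directories.`, to distinguish it from the existing `fs_mount_cgroup`.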
@@ -10631,10 +10645,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+ ')
+
+ dontaudit $1 cifs_t:dir list_dir_perms;
- ')
-
- ########################################
-@@ -1141,7 +1176,7 @@
++')
++
++########################################
++## <summary>
+ ## Mount a CIFS or SMB network filesystem.
+ ## </summary>
+ ## <param name="domain">
+@@ -1141,7 +1213,7 @@
type cifs_t;
')
@@ -10643,7 +10661,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
')
########################################
-@@ -1404,6 +1439,25 @@
+@@ -1404,6 +1476,25 @@
domain_auto_transition_pattern($1, cifs_t, $2)
')
@@ -10669,7 +10687,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
#######################################
## <summary>
## Create, read, write, and delete dirs
-@@ -1831,6 +1885,25 @@
+@@ -1831,6 +1922,25 @@
########################################
## <summary>
@@ -10695,7 +10713,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Read and write hugetlbfs files.
## </summary>
## <param name="domain">
-@@ -1899,6 +1972,7 @@
+@@ -1899,6 +2009,7 @@
')
allow $1 inotifyfs_t:dir list_dir_perms;
@@ -10703,7 +10721,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
')
########################################
-@@ -2295,6 +2369,25 @@
+@@ -2295,6 +2406,25 @@
########################################
## <summary>
@@ -10729,7 +10747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Append files
## on a NFS filesystem.
## </summary>
-@@ -2349,7 +2442,7 @@
+@@ -2349,7 +2479,7 @@
type nfs_t;
')
@@ -10738,7 +10756,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
')
########################################
-@@ -2537,6 +2630,24 @@
+@@ -2537,6 +2667,24 @@
########################################
## <summary>
@@ -10763,7 +10781,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Read removable storage symbolic links.
## </summary>
## <param name="domain">
-@@ -2745,7 +2856,7 @@
+@@ -2745,7 +2893,7 @@
#########################################
## <summary>
## Create, read, write, and delete symbolic links
@@ -10772,7 +10790,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## </summary>
## <param name="domain">
## <summary>
-@@ -3870,6 +3981,24 @@
+@@ -3870,6 +4018,24 @@
########################################
## <summary>
@@ -10797,7 +10815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
-@@ -4432,6 +4561,44 @@
+@@ -4432,6 +4598,44 @@
########################################
## <summary>
@@ -10842,7 +10860,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Do not audit attempts to get the attributes
## of all files with a filesystem type.
## </summary>
-@@ -4549,3 +4716,24 @@
+@@ -4549,3 +4753,24 @@
relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
')
@@ -10869,7 +10887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.19/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.te 2010-05-28 09:42:00.036611249 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.te 2010-08-10 16:16:53.228335467 +0200
@@ -53,6 +53,7 @@
fs_type(anon_inodefs_t)
files_mountpoint(anon_inodefs_t)
@@ -10878,23 +10896,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
type bdev_t;
fs_type(bdev_t)
-@@ -68,6 +69,15 @@
+@@ -68,6 +69,12 @@
files_mountpoint(capifs_t)
genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
-+#
-+# cgroup fs
-+#
-+
-+type cgroupfs_t;
-+fs_type(cgroupfs_t)
-+files_type(cgroupfs_t)
-+genfscon cgroup / gen_context(system_u:object_r:cgroupfs_t,s0)
++type cgroup_t alias cgroupfs_t;
++fs_type(cgroup_t)
++files_type(cgroup_t)
++files_mountpoint(cgroup_t)
++genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
+
type configfs_t;
fs_type(configfs_t)
genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
-@@ -243,6 +253,7 @@
+@@ -243,6 +250,7 @@
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
@@ -12626,8 +12641,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2010-06-16 22:06:20.880860249 +0200
-@@ -0,0 +1,443 @@
++++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2010-08-10 16:44:03.298084894 +0200
+@@ -0,0 +1,444 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -13032,6 +13047,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+ unconfined_domain_noaudit(unconfined_execmem_t)
+ allow unconfined_execmem_t unconfined_t:process transition;
+ rpm_transition_script(unconfined_execmem_t)
++ role system_r types unconfined_execmem_t;
+
+ optional_policy(`
+ init_dbus_chat_script(unconfined_execmem_t)
@@ -13129,7 +13145,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.19/policy/modules/roles/xguest.te
--- nsaserefpolicy/policy/modules/roles/xguest.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/roles/xguest.te 2010-07-21 16:02:06.136385109 +0200
++++ serefpolicy-3.7.19/policy/modules/roles/xguest.te 2010-08-09 15:04:33.114085099 +0200
@@ -15,7 +15,7 @@
## <desc>
@@ -13188,7 +13204,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
')
')
-@@ -81,19 +89,74 @@
+@@ -81,19 +89,75 @@
')
optional_policy(`
@@ -13254,6 +13270,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
+ corenet_tcp_connect_speech_port(xguest_usertype)
+ corenet_tcp_sendrecv_transproxy_port(xguest_usertype)
+ corenet_tcp_connect_transproxy_port(xguest_usertype)
++ corenet_tcp_connect_jabber_client_port(xguest_usertype)
')
')
@@ -14824,7 +14841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.19/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-07-13 09:39:10.362502734 +0200
++++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-08-10 17:36:26.308085089 +0200
@@ -19,11 +19,13 @@
# Declarations
#
@@ -15231,7 +15248,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,10 +883,21 @@
+@@ -724,6 +867,8 @@
+ miscfiles_read_localization(httpd_suexec_t)
+ miscfiles_read_public_files(httpd_suexec_t)
+
++userdom_dontaudit_use_user_terminals(httpd_suexec_t)
++
+ tunable_policy(`httpd_can_network_connect',`
+ allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_suexec_t self:udp_socket create_socket_perms;
+@@ -740,10 +885,21 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -15254,7 +15280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -769,6 +923,12 @@
+@@ -769,6 +925,12 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -15267,7 +15293,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache system script local policy
-@@ -792,9 +952,13 @@
+@@ -792,9 +954,13 @@
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)
@@ -15281,7 +15307,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,6 +967,22 @@
+@@ -803,6 +969,22 @@
mta_send_mail(httpd_sys_script_t)
')
@@ -15304,7 +15330,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_sys_script_t self:udp_socket create_socket_perms;
-@@ -830,6 +1010,16 @@
+@@ -830,6 +1012,16 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@@ -15321,7 +15347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,6 +1032,7 @@
+@@ -842,6 +1034,7 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -15329,7 +15355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -891,11 +1082,33 @@
+@@ -891,11 +1084,33 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -15705,10 +15731,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.fc serefpolicy-3.7.19/policy/modules/services/boinc.fc
--- nsaserefpolicy/policy/modules/services/boinc.fc 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/boinc.fc 2010-07-28 14:59:48.452071586 +0200
++++ serefpolicy-3.7.19/policy/modules/services/boinc.fc 2010-08-09 14:45:31.106085169 +0200
@@ -0,0 +1,8 @@
+
-+/etc/rc\.d/init\.d/boinc_client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
+
+/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
+
@@ -16695,34 +16721,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.fc serefpolicy-3.7.19/policy/modules/services/cgroup.fc
--- nsaserefpolicy/policy/modules/services/cgroup.fc 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/cgroup.fc 2010-05-28 09:42:00.075610786 +0200
-@@ -0,0 +1,12 @@
-+/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0)
-+
-+/etc/cgconfig.conf -- gen_context(system_u:object_r:cgconfig_etc_t,s0)
-+/etc/cgrules.conf -- gen_context(system_u:object_r:cgrules_etc_t,s0)
++++ serefpolicy-3.7.19/policy/modules/services/cgroup.fc 2010-08-10 16:13:34.251005312 +0200
+@@ -0,0 +1,10 @@
++/etc/cgconfig.conf -- gen_context(system_u:object_r:cgconfig_etc_t,s0)
++/etc/cgrules.conf -- gen_context(system_u:object_r:cgrules_etc_t,s0)
+
+/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t,s0)
+
-+/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfigparser_exec_t,s0)
++/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0)
+/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
+
-+/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0)
++/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.if serefpolicy-3.7.19/policy/modules/services/cgroup.if
--- nsaserefpolicy/policy/modules/services/cgroup.if 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/cgroup.if 2010-06-30 14:34:47.947618029 +0200
-@@ -0,0 +1,244 @@
++++ serefpolicy-3.7.19/policy/modules/services/cgroup.if 2010-08-10 16:13:34.251334760 +0200
+@@ -0,0 +1,147 @@
+## <summary>libcg is a library that abstracts the control group file system in Linux.</summary>
-+## <desc>
-+## <p>
-+## libcg aims to provide programmers easily usable APIs to use the control group file system.
-+## </p>
-+## </desc>
+
+########################################
+## <summary>
-+## Execute a domain transition to run cgconfig.
++## Execute a domain transition to run
++## CG config parser.
+## </summary>
+## <param name="domain">
+## <summary>
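Review bot: Dropping the `/cgroup(/.*)?` entry, and with it the cgroup_t mountpoint type, leaves the `/cgroup` directory with whatever label it inherits from its parent before the cgroup filesystem is mounted on it; `fs_mounton_cgroup(cgconfig_t)` later in this patch presumably covers the mounted filesystem type rather than the on-disk directory, so cgconfig_t may still need mounton on that directory's type. Worth confirming on a test boot with an AVC check before the entry is gone for good. A short comment in cgroup.fc recording that the mountpoint is now labelled by the kernel's cgroup filesystem support would tell the next reader why the entry was removed rather than forgotten.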
@@ -16730,19 +16750,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+## </summary>
+## </param>
+#
-+interface(`cgroup_domtrans_cgconfigparser',`
++interface(`cgroup_domtrans_cgconfig',`
+ gen_require(`
-+ type cgconfigparser_t, cgconfigparser_exec_t;
++ type cgconfig_t, cgconfig_exec_t;
+ ')
+
-+ domtrans_pattern($1, cgconfigparser_exec_t, cgconfigparser_t)
++ domtrans_pattern($1, cgconfig_exec_t, cgconfig_t)
+ corecmd_search_bin($1)
+')
+
+########################################
+## <summary>
-+## Execute cgconfigparser server in the
-+## cgconfigparser domain.
++## Execute a domain transition to run
++## CG config parser.
+## </summary>
+## <param name="domain">
+## <summary>
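Review bot: The summary at the end of this hunk (`## Execute a domain transition to run` / `## CG config parser.`) is a copy of the first interface's summary, but it documents the interface that follows, `cgroup_initrc_domtrans_cgconfig`, which runs the cgconfig init script rather than the parser; suggest `## Execute cgconfig init script in the initrc domain.`. Separately, `cgroup_domtrans_cgconfigparser` is renamed to `cgroup_domtrans_cgconfig` with no compatibility wrapper, unlike the types, which keep `cgconfigparser_t` aliases in cgroup.te; the same applies to the initrc rename in the next hunk and to the five `cgroup_*_cgroup_dirs` interfaces deleted in the hunk at `@@ -16794,104 +16816,13 @@`. Any caller elsewhere in the tree would fail at build time, so either check for callers or keep the old names as thin wrappers that call the new interface (refpolicy uses `refpolicywarn` for such deprecations).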
@@ -16750,7 +16770,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+## </summary>
+## </param>
+#
-+interface(`cgroup_initrc_domtrans_cgconfigparser',`
++interface(`cgroup_initrc_domtrans_cgconfig',`
+ gen_require(`
+ type cgconfig_initrc_exec_t;
+ ')
@@ -16761,7 +16781,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+
+########################################
+## <summary>
-+## Execute a domain transition to run cgred.
++## Execute a domain transition to run
++## CG rules engine daemon.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -16780,8 +16801,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+
+########################################
+## <summary>
-+## Execute cgred server in the
-+## cgred domain.
++## Execute a domain transition to run
++## CG rules engine daemon.
++## domain.
+## </summary>
+## <param name="domain">
+## <summary>
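Review bot: The new summary for the cgred initrc interface has a stray trailing line, `## domain.`, left over from the old wording "Execute cgred server in the cgred domain"; it now reads as a dangling fragment. Drop that line, or reword the block as `## Execute cgred init script in the initrc domain.` so it also differs from the plain domtrans summary above it.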
@@ -16794,104 +16816,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+ type cgred_initrc_exec_t;
+ ')
+
-+ files_search_etc($1)
+ init_labeled_script_domtrans($1, cgred_initrc_exec_t)
+')
+
+########################################
+## <summary>
-+## Delete cgroup directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`cgroup_delete_cgroup_dirs', `
-+ gen_require(`
-+ type cgroup_t;
-+ ')
-+
-+ delete_dirs_pattern($1, cgroup_t, cgroup_t)
-+ cgroup_search_cgroup_dirs($1)
-+')
-+
-+########################################
-+## <summary>
-+## List cgroup directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`cgroup_list_cgroup_dirs', `
-+ gen_require(`
-+ type cgroup_t;
-+ ')
-+
-+ allow $1 cgroup_t:dir list_dir_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Manage cgroup directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`cgroup_manage_cgroup_dirs', `
-+ gen_require(`
-+ type cgroup_t;
-+ ')
-+
-+ allow $1 cgroup_t:dir manage_dir_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Read and write cgroup directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`cgroup_rw_cgroup_dirs', `
-+ gen_require(`
-+ type cgroup_t;
-+ ')
-+
-+ allow $1 cgroup_t:dir rw_dir_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Search cgroup directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`cgroup_search_cgroup_dirs', `
-+ gen_require(`
-+ type cgroup_t;
-+ ')
-+
-+ allow $1 cgroup_t:dir search_dir_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Read and write cgred sock file in /var/run.
++## Connect to CG rules engine daemon
++## over unix stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -16910,8 +16841,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+
+########################################
+## <summary>
-+## All of the rules required to administrate
-+## an cgroup environment
++## All of the rules required to administrate
++## an cgroup environment.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -16927,29 +16858,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+#
+interface(`cgroup_admin',`
+ gen_require(`
-+ type cgred_t, cgconfigparser_t, cgred_var_run_t;
++ type cgred_t, cgconfig_t, cgred_var_run_t;
+ type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t;
-+ type cgroup_t, cgroupfs_t;
+ type cgrules_etc_t;
+ ')
+
-+ allow $1 cgconfigparser_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, cgconfigparser_t, cgconfigparser_t)
++ allow $1 cgconfig_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, cgconfig_t, cgconfig_t)
+
+ allow $1 cgred_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, cgred_t, cgred_t)
+
-+ admin_pattern($1, cgroup_t)
-+ admin_pattern($1, cgroupfs_t)
-+
-+ files_search_etc($1)
+ admin_pattern($1, cgconfig_etc_t)
+ admin_pattern($1, cgrules_etc_t)
++ files_search_etc($1)
+
-+ files_list_var($1)
+ admin_pattern($1, cgred_var_run_t)
++ files_search_pids($1)
+
-+ cgroup_initrc_domtrans_cgconfigparser($1)
++ cgroup_initrc_domtrans_cgconfig($1)
+ domain_system_change_exemption($1)
+ role_transition $2 cgconfig_initrc_exec_t system_r;
+ allow $2 system_r;
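Review bot: cgroup_admin's gen_require lists `cgred_initrc_exec_t`, but the visible body only transitions and role-transitions through `cgconfig_initrc_exec_t`; the interface continues past the hunk, so if the cgred init script is not handled in the remaining lines an admin role could not start or stop cgred through its init script and the require is dead. `files_search_pids($1)` replacing `files_list_var($1)` next to `admin_pattern($1, cgred_var_run_t)` is the tighter choice, though the interface summary should then say it covers both daemons.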
@@ -16959,22 +16886,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.7.19/policy/modules/services/cgroup.te
--- nsaserefpolicy/policy/modules/services/cgroup.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/cgroup.te 2010-05-28 09:42:00.076610720 +0200
-@@ -0,0 +1,102 @@
-+
++++ serefpolicy-3.7.19/policy/modules/services/cgroup.te 2010-08-10 16:14:55.451084972 +0200
+@@ -0,0 +1,79 @@
+policy_module(cgroup, 1.0.0)
+
+########################################
+#
-+# cgroup global declarations.
-+#
-+
-+type cgroup_t;
-+files_mountpoint(cgroup_t)
-+
-+########################################
-+#
-+# cgred personal declarations.
++# Declarations
+#
+
+type cgred_t;
@@ -16990,14 +16908,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+type cgrules_etc_t;
+files_config_file(cgrules_etc_t)
+
-+########################################
-+#
-+# cgconfig personal declarations.
-+#
-+
-+type cgconfigparser_t;
-+type cgconfigparser_exec_t;
-+init_daemon_domain(cgconfigparser_t, cgconfigparser_exec_t)
++type cgconfig_t alias cgconfigparser_t;
++type cgconfig_exec_t alias cgconfigparser_exec_t;
++init_daemon_domain(cgconfig_t, cgconfig_exec_t)
+
+type cgconfig_initrc_exec_t;
+init_script_file(cgconfig_initrc_exec_t)
@@ -17007,10 +16920,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+
+########################################
+#
++# cgconfig personal policy.
++#
++
++allow cgconfig_t self:capability { dac_override fowner chown sys_admin };
++
++allow cgconfig_t cgconfig_etc_t:file read_file_perms;
++
++kernel_list_unlabeled(cgconfig_t)
++kernel_read_system_state(cgconfig_t)
++
++files_read_etc_files(cgconfig_t)
++
++fs_manage_cgroup_dirs(cgconfig_t)
++fs_manage_cgroup_files(cgconfig_t)
++fs_mount_cgroup(cgconfig_t)
++fs_mounton_cgroup(cgconfig_t)
++fs_unmount_cgroup(cgconfig_t)
++
++########################################
++#
+# cgred personal policy.
+#
+
-+allow cgred_t self:capability { net_admin sys_ptrace dac_override };
++allow cgred_t self:capability { net_admin sys_admin sys_ptrace dac_override };
+allow cgred_t self:netlink_socket { write bind create read };
+allow cgred_t self:unix_dgram_socket { write create connect };
+
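Review bot: cgconfig_t's capability set grows from `{ chown sys_admin }` to `{ dac_override fowner chown sys_admin }`, and cgred_t gains `sys_admin`, with no comment on which operation needs each; these are among the broadest capabilities a confined daemon can hold, and the refpolicy convention is to annotate them so a later audit can tell a required grant from one added to silence a denial. Suggest `# sys_admin: mount the cgroup filesystem` on the cgconfig line, where `fs_mount_cgroup` below it makes the need clear, and `# sys_admin: <operation from the AVC> -- confirm` on the cgred line, with the actual denials as the source. The header `# cgconfig personal policy.` could also name the binary (`cgconfigparser`) now that the type no longer carries that name.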
@@ -17022,47 +16955,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+kernel_read_system_state(cgred_t)
+
+domain_read_all_domains_state(cgred_t)
++domain_setpriority_all_domains(cgred_t)
+
-+files_search_all(cgred_t)
+files_getattr_all_files(cgred_t)
-+files_getattr_all_dirs(cgred_t)
+files_getattr_all_sockets(cgred_t)
-+files_getattr_all_pipes(cgred_t)
+files_read_all_symlinks(cgred_t)
-+
-+# /etc/group
+files_read_etc_files(cgred_t)
+
-+fs_write_cgroupfs_files(cgred_t)
++fs_write_cgroup_files(cgred_t)
+
+logging_send_syslog_msg(cgred_t)
+
+miscfiles_read_localization(cgred_t)
-+
-+########################################
-+#
-+# cgconfig personal policy.
-+#
-+
-+allow cgconfigparser_t self:capability { chown sys_admin };
-+
-+allow cgconfigparser_t cgconfig_etc_t:file read_file_perms;
-+
-+manage_dirs_pattern(cgconfigparser_t, cgroup_t, cgroup_t)
-+manage_files_pattern(cgconfigparser_t, cgroup_t, cgroup_t)
-+allow cgconfigparser_t cgroup_t:dir mounton;
-+
-+kernel_list_unlabeled(cgconfigparser_t)
-+kernel_read_system_state(cgconfigparser_t)
-+
-+# /etc/nsswitch.conf
-+files_read_etc_files(cgconfigparser_t)
-+
-+fs_manage_cgroupfs_dirs(cgconfigparser_t)
-+fs_mount_cgroupfs(cgconfigparser_t)
-+fs_rw_cgroupfs_files(cgconfigparser_t)
-+fs_unmount_cgroupfs(cgconfigparser_t)
-+fs_setattr_cgroupfs_files(cgconfigparser_t)
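Review bot: `files_search_all(cgred_t)` is removed while `files_getattr_all_files(cgred_t)` and `files_read_all_symlinks(cgred_t)` stay; getattr on a file is only reachable once the domain can search the directories on its path, so unless the lookups cgred performs are covered by a rule outside the hunk (the file continues past it), the remaining getattr rules will produce search denials instead of working. The `# /etc/group` comment above `files_read_etc_files(cgred_t)` was also dropped, which loses the one line saying why the daemon reads /etc at all; keep it. `domain_setpriority_all_domains(cgred_t)` is a broad grant that likewise merits a one-line comment naming the feature that needs it.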
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.7.19/policy/modules/services/chronyd.if
--- nsaserefpolicy/policy/modules/services/chronyd.if 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/chronyd.if 2010-06-28 18:44:16.191151821 +0200
@@ -17222,7 +17126,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.19/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/clamav.te 2010-06-28 16:21:55.618400228 +0200
++++ serefpolicy-3.7.19/policy/modules/services/clamav.te 2010-08-10 19:19:30.062085271 +0200
@@ -1,6 +1,13 @@
policy_module(clamav, 1.7.1)
@@ -17245,7 +17149,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
allow clamd_t self:fifo_file rw_fifo_file_perms;
allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow clamd_t self:unix_dgram_socket create_socket_perms;
-@@ -177,8 +185,11 @@
+@@ -75,6 +83,7 @@
+ # var/lib files for clamd
+ manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
+ manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
++manage_sock_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
+
+ # log files
+ manage_dirs_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
+@@ -170,6 +179,8 @@
+ allow freshclam_t clamd_var_log_t:dir search_dir_perms;
+ logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
+
++kernel_read_kernel_sysctls(freshclam_t)
++
+ corenet_all_recvfrom_unlabeled(freshclam_t)
+ corenet_all_recvfrom_netlabel(freshclam_t)
+ corenet_tcp_sendrecv_generic_if(freshclam_t)
+@@ -177,8 +188,11 @@
corenet_tcp_sendrecv_all_ports(freshclam_t)
corenet_tcp_sendrecv_clamd_port(freshclam_t)
corenet_tcp_connect_http_port(freshclam_t)
@@ -17257,7 +17178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
dev_read_rand(freshclam_t)
dev_read_urand(freshclam_t)
-@@ -189,10 +200,14 @@
+@@ -189,10 +203,14 @@
auth_use_nsswitch(freshclam_t)
@@ -17272,7 +17193,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
optional_policy(`
cron_system_entry(freshclam_t, freshclam_exec_t)
')
-@@ -246,6 +261,14 @@
+@@ -246,6 +264,14 @@
mta_send_mail(clamscan_t)
@@ -19709,7 +19630,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
allow $1 devicekit_t:process { ptrace signal_perms getattr };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.19/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/devicekit.te 2010-05-28 09:42:00.100610800 +0200
++++ serefpolicy-3.7.19/policy/modules/services/devicekit.te 2010-08-10 17:16:41.979085228 +0200
@@ -42,6 +42,8 @@
files_read_etc_files(devicekit_t)
@@ -19864,7 +19785,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
-allow devicekit_power_t self:capability { dac_override sys_tty_config sys_nice sys_ptrace };
+allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
-+allow devicekit_disk_t self:process { getsched signal_perms };
++allow devicekit_power_t self:process { getsched signal_perms };
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
+allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -25425,8 +25346,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.7.19/policy/modules/services/oddjob.if
--- nsaserefpolicy/policy/modules/services/oddjob.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/oddjob.if 2010-05-28 09:42:00.145610598 +0200
-@@ -44,6 +44,7 @@
++++ serefpolicy-3.7.19/policy/modules/services/oddjob.if 2010-08-09 14:17:22.876085247 +0200
+@@ -22,6 +22,25 @@
+ domtrans_pattern($1, oddjob_exec_t, oddjob_t)
+ ')
+
++######################################
++## <summary>
++## Do not audit attempts to read and write
++## oddjob fifo file.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`oddjob_dontaudit_rw_fifo_file',`
++ gen_require(`
++ type shutdown_t;
++ ')
++
++ dontaudit $1 oddjob_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
+ ########################################
+ ## <summary>
+ ## Make the specified program domain accessable
+@@ -44,6 +63,7 @@
')
domtrans_pattern(oddjob_t, $2, $1)
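Review bot: `oddjob_dontaudit_rw_fifo_file` requires `type shutdown_t;` but its only rule is on `oddjob_t`; interfaces are expanded in the calling module, so a caller would fail to build with an undeclared `oddjob_t` and would acquire a spurious dependency on the shutdown module. Change the require to `type oddjob_t;`. The separator line above the summary is also two characters shorter than the surrounding `########################################` blocks.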
@@ -25434,6 +25381,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj
')
########################################
+@@ -67,6 +87,24 @@
+ allow oddjob_t $1:dbus send_msg;
+ ')
+
++#####################################
++## <summary>
++## Send a SIGCHLD signal to oddjob.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`oddjob_sigchld',`
++ gen_require(`
++ type oddjob_t;
++ ')
++
++ allow $1 oddjob_t:process sigchld;
++')
++
+ ########################################
+ ## <summary>
+ ## Execute a domain transition to run oddjob_mkhomedir.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.7.19/policy/modules/services/oddjob.te
--- nsaserefpolicy/policy/modules/services/oddjob.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/oddjob.te 2010-05-28 09:42:00.145610598 +0200
@@ -25786,8 +25758,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.te serefpolicy-3.7.19/policy/modules/services/piranha.te
--- nsaserefpolicy/policy/modules/services/piranha.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/piranha.te 2010-08-05 10:47:23.099085304 +0200
-@@ -0,0 +1,225 @@
++++ serefpolicy-3.7.19/policy/modules/services/piranha.te 2010-08-09 14:39:37.318084747 +0200
+@@ -0,0 +1,226 @@
+
+policy_module(piranha,1.0.0)
+
@@ -25862,7 +25834,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
+allow piranha_web_t self:capability dac_override;
+
+allow piranha_web_t self:capability { setuid sys_nice kill setgid };
-+allow piranha_web_t self:process { getsched setsched signal ptrace };
++allow piranha_web_t self:process { getsched setsched signal signull ptrace };
+allow piranha_web_t self:rawip_socket create_socket_perms;
+
+allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms;
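Review bot: piranha_web_t now carries two separate `self:capability` rules, `dac_override` on one line and `{ setuid sys_nice kill setgid }` on the next; merging them into one `allow piranha_web_t self:capability { dac_override setuid setgid sys_nice kill };` reads better and keeps the full set visible in one place during review. The added `signull` is harmless, but `ptrace` on self in the same process set is worth a comment saying which piranha component needs it.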
@@ -25894,8 +25866,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
+
+kernel_read_kernel_sysctls(piranha_web_t)
+
-+corenet_tcp_bind_piranha_port(piranha_web_t)
++corenet_tcp_bind_http_cache_port(piranha_web_t)
+corenet_tcp_bind_luci_port(piranha_web_t)
++corenet_tcp_bind_piranha_port(piranha_web_t)
+corenet_tcp_connect_ricci_port(piranha_web_t)
+
+dev_read_urand(piranha_web_t)
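Review bot: `corenet_tcp_bind_http_cache_port(piranha_web_t)` lets the piranha web UI bind the proxy-cache port range on top of the piranha and luci ports it already binds, and nothing records why. A one-line comment naming the port the UI is configured on, or the bug that reported the denial as done elsewhere in this patch with `# 618236`, would let a later reviewer decide whether the grant is still needed.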
@@ -26889,7 +26862,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.19/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/postfix.if 2010-06-25 15:34:21.259137720 +0200
++++ serefpolicy-3.7.19/policy/modules/services/postfix.if 2010-08-10 16:47:59.294085327 +0200
@@ -46,6 +46,7 @@
allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
@@ -27125,7 +27098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
')
########################################
-@@ -500,3 +603,156 @@
+@@ -500,3 +603,158 @@
typeattribute $1 postfix_user_domtrans;
')
@@ -27204,6 +27177,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+
+ postfix_domtrans_postdrop($1)
+ role $2 types postfix_postdrop_t;
++
++ allow postfix_postdrop_t $1:unix_stream_socket { getattr read write ioctl };
+')
+
+########################################
@@ -28890,11 +28865,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.7.19/policy/modules/services/rhcs.fc
--- nsaserefpolicy/policy/modules/services/rhcs.fc 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/rhcs.fc 2010-06-15 18:40:09.966019131 +0200
-@@ -0,0 +1,23 @@
++++ serefpolicy-3.7.19/policy/modules/services/rhcs.fc 2010-08-10 16:35:38.723085246 +0200
+@@ -0,0 +1,24 @@
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
++/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
+/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
+/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
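Review bot: `/usr/sbin/fence_tool` is labelled `fenced_exec_t`, the same entrypoint type as the fenced daemon, so any caller that has a fenced domain transition will run this administrative client as fenced_t with the daemon's full privileges rather than in the caller's own domain. If fence_tool only talks to the running daemon, a separate label or plain bin_t plus a stream-connect rule would be tighter; if it genuinely needs the daemon's access, a comment next to the entry saying so would stop the next reviewer from reverting it.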
@@ -29619,7 +29595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
/usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-3.7.19/policy/modules/services/ricci.if
--- nsaserefpolicy/policy/modules/services/ricci.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/ricci.if 2010-08-04 15:00:06.454085086 +0200
++++ serefpolicy-3.7.19/policy/modules/services/ricci.if 2010-08-09 14:36:06.787334935 +0200
@@ -18,6 +18,24 @@
domtrans_pattern($1, ricci_exec_t, ricci_t)
')
@@ -29671,7 +29647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
########################################
## <summary>
## Execute a domain transition to run ricci_modlog.
-@@ -165,3 +202,67 @@
+@@ -165,3 +202,87 @@
domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t)
')
@@ -29696,6 +29672,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
+ read_files_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
+')
+
++#####################################
++## <summary>
++## Allow the specified domain to manage ricci's lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ricci_manage_lib_files',`
++ gen_require(`
++ type ricci_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
++ manage_files_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
++')
++
+########################################
+## <summary>
+## All of the rules required to administrate
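Review bot: `ricci_manage_lib_files` also grants `manage_dirs_pattern`, so its summary `Allow the specified domain to manage ricci's lib files.` undersells it; suggest `## Allow the specified domain to manage ricci's lib files and directories.`. The separator above the summary (`#####################################`) is shorter than the `########################################` used for the admin interface at the end of this hunk.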
@@ -29741,7 +29737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.7.19/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/ricci.te 2010-08-04 14:57:19.868085260 +0200
++++ serefpolicy-3.7.19/policy/modules/services/ricci.te 2010-08-09 14:14:31.795085246 +0200
@@ -11,6 +11,9 @@
domain_type(ricci_t)
init_daemon_domain(ricci_t, ricci_exec_t)
@@ -29762,7 +29758,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
type ricci_modlog_t;
type ricci_modlog_exec_t;
domain_type(ricci_modlog_t)
-@@ -194,12 +200,21 @@
+@@ -117,6 +123,7 @@
+ files_pid_filetrans(ricci_t, ricci_var_run_t, { file sock_file })
+
+ kernel_read_kernel_sysctls(ricci_t)
++kernel_read_system_state(ricci_t)
+
+ corecmd_exec_bin(ricci_t)
+
+@@ -182,6 +189,10 @@
+ ')
+
+ optional_policy(`
++ shutdown_domtrans(ricci_t)
++')
++
++optional_policy(`
+ unconfined_use_fds(ricci_t)
+ ')
+
+@@ -194,12 +205,21 @@
# ricci_modcluster local policy
#
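Review bot: `shutdown_domtrans(ricci_t)` lets a remotely driven cluster agent enter the shutdown domain, and the hunk gives no rationale; elsewhere in this patch a grant of this kind carries its bug number (`# 618236` in vhostmd.te), and this one should too, e.g. `# ricci reboots nodes on cluster reconfiguration -- bz <placeholder>`. Placing that comment inside the optional_policy block, above the call, keeps it with the rule if the block is later moved.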
@@ -29785,7 +29800,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
corecmd_exec_shell(ricci_modcluster_t)
corecmd_exec_bin(ricci_modcluster_t)
-@@ -227,6 +242,11 @@
+@@ -227,6 +247,11 @@
ricci_stream_connect_modclusterd(ricci_modcluster_t)
optional_policy(`
@@ -29797,7 +29812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
ccs_stream_connect(ricci_modcluster_t)
ccs_domtrans(ricci_modcluster_t)
ccs_manage_config(ricci_modcluster_t)
-@@ -245,6 +265,10 @@
+@@ -245,6 +270,10 @@
')
optional_policy(`
@@ -29808,7 +29823,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
# XXX This has got to go.
unconfined_domain(ricci_modcluster_t)
')
-@@ -259,11 +283,11 @@
+@@ -259,11 +288,11 @@
allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms;
allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms;
allow ricci_modclusterd_t self:tcp_socket create_stream_socket_perms;
@@ -29821,7 +29836,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
# log files
allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
-@@ -294,6 +318,8 @@
+@@ -294,6 +323,8 @@
fs_getattr_xattr_fs(ricci_modclusterd_t)
@@ -29830,7 +29845,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
init_stream_connect_script(ricci_modclusterd_t)
locallogin_dontaudit_use_fds(ricci_modclusterd_t)
-@@ -303,7 +329,11 @@
+@@ -303,7 +334,11 @@
miscfiles_read_localization(ricci_modclusterd_t)
sysnet_domtrans_ifconfig(ricci_modclusterd_t)
@@ -29843,7 +29858,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
optional_policy(`
ccs_domtrans(ricci_modclusterd_t)
-@@ -312,6 +342,10 @@
+@@ -312,6 +347,10 @@
')
optional_policy(`
@@ -29854,7 +29869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
unconfined_use_fds(ricci_modclusterd_t)
')
-@@ -440,6 +474,12 @@
+@@ -440,6 +479,12 @@
files_read_usr_files(ricci_modstorage_t)
files_read_kernel_modules(ricci_modstorage_t)
@@ -29867,7 +29882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
storage_raw_read_fixed_disk(ricci_modstorage_t)
term_dontaudit_use_console(ricci_modstorage_t)
-@@ -457,6 +497,11 @@
+@@ -457,6 +502,11 @@
mount_domtrans(ricci_modstorage_t)
optional_policy(`
@@ -30212,8 +30227,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtki
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.7.19/policy/modules/services/samba.fc
--- nsaserefpolicy/policy/modules/services/samba.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/samba.fc 2010-05-28 09:42:00.178610776 +0200
-@@ -51,3 +51,7 @@
++++ serefpolicy-3.7.19/policy/modules/services/samba.fc 2010-08-10 16:58:12.349085082 +0200
+@@ -36,13 +36,16 @@
+
+ /var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)
+
+-/var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
++/var/run/nmbd\.pid -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
++/var/run/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0)
++
++/var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+ /var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+ /var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+ /var/run/samba/locking\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+ /var/run/samba/messages\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
+ /var/run/samba/namelist\.debug -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
+-/var/run/samba/nmbd\.pid -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
++/var/run/samba/nmbd\.pid -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
+ /var/run/samba/sessionid\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+ /var/run/samba/share_info\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+ /var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0)
+@@ -51,3 +54,7 @@
/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
@@ -32629,7 +32663,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos
allow $2 system_r;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.7.19/policy/modules/services/vhostmd.te
--- nsaserefpolicy/policy/modules/services/vhostmd.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/vhostmd.te 2010-07-21 16:30:52.823400881 +0200
++++ serefpolicy-3.7.19/policy/modules/services/vhostmd.te 2010-08-10 16:37:30.997085210 +0200
@@ -45,6 +45,8 @@
corenet_tcp_connect_soundd_port(vhostmd_t)
@@ -32639,6 +32673,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos
files_read_etc_files(vhostmd_t)
files_read_usr_files(vhostmd_t)
+@@ -67,6 +69,8 @@
+
+ optional_policy(`
+ virt_stream_connect(vhostmd_t)
++ # 618236
++ virt_write_content(vhostmd_t)
+ ')
+
+ optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.19/policy/modules/services/virt.fc
--- nsaserefpolicy/policy/modules/services/virt.fc 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/virt.fc 2010-05-28 09:42:00.200610708 +0200
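Review bot: The only rationale on the new `virt_write_content(vhostmd_t)` call is the bare bug number `# 618236`, which tells a later reader nothing about why a monitoring daemon needs write access to `virt_content_t` files. A one-line reason next to the reference, e.g. `# 618236 - vhostmd writes the metrics disk it publishes to guests` (worded to match what the bug report actually shows), would make the grant reviewable without looking up the ticket. The `optional_policy` block this is added to starts and ends inside the hunk, but the vhostmd_t rules it belongs to continue outside it.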
@@ -32664,7 +32707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.19/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/virt.if 2010-07-21 09:14:25.275134957 +0200
++++ serefpolicy-3.7.19/policy/modules/services/virt.if 2010-08-10 16:36:52.708085543 +0200
@@ -21,6 +21,7 @@
type $1_t, virt_domain;
domain_type($1_t)
@@ -32728,7 +32771,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
########################################
-@@ -306,6 +297,24 @@
+@@ -229,6 +220,24 @@
+ ')
+ ')
+
++#######################################
++## <summary>
++## Allow domain to write virt image files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`virt_write_content',`
++ gen_require(`
++ type virt_content_t;
++ ')
++
++ allow $1 virt_content_t:file write_file_perms;
++')
++
+ ########################################
+ ## <summary>
+ ## Read virt PID files.
+@@ -306,6 +315,24 @@
read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
')
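Review bot: The `<param name="domain">` summary of the new `virt_write_content` interface reads `Domain to not audit.`, which is the wording for a dontaudit interface; this one emits an `allow` rule, so it should read `## Domain allowed access.`. The `<summary>` says "write virt image files" while the rule targets `virt_content_t`, so either the summary should name the type it actually grants (`## Allow domain to write virt content files.`) or the type is not the intended one — worth confirming against the bug the vhostmd change cites. The separator line above the interface also looks one `#` shorter than the one at the following interface.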
@@ -32753,7 +32821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
########################################
## <summary>
## Create, read, write, and delete
-@@ -433,15 +442,15 @@
+@@ -433,15 +460,15 @@
## </summary>
## </param>
#
@@ -32774,7 +32842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
########################################
-@@ -516,3 +525,49 @@
+@@ -516,3 +543,49 @@
virt_manage_log($1)
')
@@ -32826,7 +32894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.19/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-08-04 15:20:48.325085430 +0200
++++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-08-10 16:18:48.565085270 +0200
@@ -1,5 +1,5 @@
-policy_module(virt, 1.3.2)
@@ -32972,7 +33040,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
-@@ -248,25 +272,41 @@
+@@ -248,18 +272,25 @@
dev_rw_kvm(virtd_t)
dev_getattr_all_chr_files(virtd_t)
dev_rw_mtrr(virtd_t)
@@ -32999,13 +33067,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
- fs_rw_anon_inodefs_files(virtd_t)
- fs_list_inotifyfs(virtd_t)
--fs_manage_cgroup_dirs(virtd_t)
--fs_rw_cgroup_files(virtd_t)
-+fs_manage_cgroupfs_dirs(virtd_t)
-+fs_rw_cgroupfs_files(virtd_t)
-+
+@@ -268,6 +299,15 @@
+ fs_manage_cgroup_dirs(virtd_t)
+ fs_rw_cgroup_files(virtd_t)
+
+mls_fd_share_all_levels(virtd_t)
+mls_file_read_to_clearance(virtd_t)
+mls_file_write_to_clearance(virtd_t)
@@ -33014,9 +33079,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+mls_socket_write_to_clearance(virtd_t)
+mls_socket_read_to_clearance(virtd_t)
+mls_rangetrans_source(virtd_t)
-
++
mcs_process_set_categories(virtd_t)
+ storage_manage_fixed_disk(virtd_t)
@@ -291,15 +331,22 @@
logging_send_syslog_msg(virtd_t)
@@ -33076,7 +33142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -434,6 +496,7 @@
+@@ -434,10 +496,12 @@
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -33084,7 +33150,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
domain_use_interactive_fds(virt_domain)
-@@ -445,6 +508,11 @@
+ files_read_etc_files(virt_domain)
++files_read_mnt_symlinks(virt_domain)
+ files_read_usr_files(virt_domain)
+ files_read_var_files(virt_domain)
+ files_search_all(virt_domain)
+@@ -445,6 +509,11 @@
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -33096,7 +33167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
term_use_all_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
-@@ -462,8 +530,13 @@
+@@ -462,8 +531,13 @@
')
optional_policy(`
@@ -33879,7 +33950,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.19/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-08-06 12:35:56.607334166 +0200
++++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-08-10 16:24:14.554085406 +0200
@@ -1,5 +1,5 @@
-policy_module(xserver, 3.3.2)
@@ -34204,7 +34275,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
-@@ -326,32 +436,53 @@
+@@ -326,32 +436,55 @@
allow xdm_t xdm_lock_t:file manage_file_perms;
files_lock_filetrans(xdm_t, xdm_lock_t, file)
@@ -34234,6 +34305,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+fs_list_inotifyfs(xdm_t)
+fs_read_noxattr_fs_files(xdm_t)
+fs_dontaudit_list_fusefs(xdm_t)
++fs_manage_cgroup_dirs(xdm_t)
++fs_rw_cgroup_files(xdm_t)
+
+manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t)
+
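Review bot: `fs_manage_cgroup_dirs(xdm_t)` and `fs_rw_cgroup_files(xdm_t)` are added with no rationale, unlike the other grants in this commit that at least cite a bug number; a comment in the same style, `# <bug id> - xdm needs to create its session cgroup` filled in with the real reference, would let a reader judge the scope later. Write access to cgroup control files lets the display manager move processes between cgroups and change controller settings, so if the actual need is only to join an existing cgroup, the `manage_dirs` part could presumably be narrowed to `fs_list_cgroup_dirs(xdm_t)` as is done for user domains elsewhere in this commit. The xdm_t rule block these lines sit in starts and ends outside the hunk.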
@@ -34263,7 +34336,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xdm_t xserver_t:unix_stream_socket connectto;
allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
-@@ -359,10 +490,13 @@
+@@ -359,10 +492,13 @@
# transition to the xdm xserver
domtrans_pattern(xdm_t, xserver_exec_t, xserver_t)
@@ -34277,7 +34350,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -371,15 +505,21 @@
+@@ -371,15 +507,21 @@
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -34300,7 +34373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
corecmd_exec_shell(xdm_t)
corecmd_exec_bin(xdm_t)
-@@ -394,11 +534,14 @@
+@@ -394,11 +536,14 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -34315,7 +34388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_read_rand(xdm_t)
dev_read_sysfs(xdm_t)
dev_getattr_framebuffer_dev(xdm_t)
-@@ -406,6 +549,7 @@
+@@ -406,6 +551,7 @@
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
@@ -34323,7 +34396,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
-@@ -414,18 +558,22 @@
+@@ -414,18 +560,22 @@
dev_getattr_misc_dev(xdm_t)
dev_setattr_misc_dev(xdm_t)
dev_dontaudit_rw_misc(xdm_t)
@@ -34349,7 +34422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -436,9 +584,17 @@
+@@ -436,9 +586,17 @@
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -34367,7 +34440,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -447,14 +603,21 @@
+@@ -447,14 +605,21 @@
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -34389,7 +34462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
-@@ -465,10 +628,12 @@
+@@ -465,10 +630,12 @@
logging_read_generic_logs(xdm_t)
@@ -34404,7 +34477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -477,6 +642,12 @@
+@@ -477,6 +644,12 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -34417,7 +34490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_rw_session(xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t)
-@@ -508,11 +679,17 @@
+@@ -508,11 +681,17 @@
')
optional_policy(`
@@ -34435,7 +34508,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -520,12 +697,51 @@
+@@ -520,12 +699,51 @@
')
optional_policy(`
@@ -34487,7 +34560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
hostname_exec(xdm_t)
')
-@@ -543,20 +759,63 @@
+@@ -543,20 +761,63 @@
')
optional_policy(`
@@ -34553,7 +34626,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -565,7 +824,6 @@
+@@ -565,7 +826,6 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
@@ -34561,7 +34634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
-@@ -576,6 +834,10 @@
+@@ -576,6 +836,10 @@
')
optional_policy(`
@@ -34572,7 +34645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xfs_stream_connect(xdm_t)
')
-@@ -600,10 +862,9 @@
+@@ -600,10 +864,9 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -34584,7 +34657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
allow xserver_t self:sock_file read_sock_file_perms;
-@@ -615,6 +876,18 @@
+@@ -615,6 +878,18 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -34603,7 +34676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -634,12 +907,19 @@
+@@ -634,12 +909,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -34625,7 +34698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -647,6 +927,7 @@
+@@ -647,6 +929,7 @@
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -34633,7 +34706,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Run helper programs in xserver_t.
corecmd_exec_bin(xserver_t)
-@@ -673,7 +954,6 @@
+@@ -673,7 +956,6 @@
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -34641,7 +34714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -683,9 +963,12 @@
+@@ -683,9 +965,12 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -34655,7 +34728,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
-@@ -700,8 +983,13 @@
+@@ -700,8 +985,13 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -34669,7 +34742,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -723,11 +1011,14 @@
+@@ -723,11 +1013,14 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -34684,7 +34757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -779,12 +1070,28 @@
+@@ -779,12 +1072,28 @@
')
optional_policy(`
@@ -34714,7 +34787,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
unconfined_domtrans(xserver_t)
')
-@@ -811,7 +1118,7 @@
+@@ -811,7 +1120,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@@ -34723,7 +34796,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -832,9 +1139,14 @@
+@@ -832,9 +1141,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -34738,7 +34811,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
-@@ -849,11 +1161,14 @@
+@@ -849,11 +1163,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -34755,7 +34828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -999,3 +1314,33 @@
+@@ -999,3 +1316,33 @@
allow xserver_unconfined_type xextension_type:x_extension *;
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -35525,7 +35598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.19/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/init.te 2010-07-13 08:43:16.462502775 +0200
++++ serefpolicy-3.7.19/policy/modules/system/init.te 2010-08-10 16:39:52.087085427 +0200
@@ -1,5 +1,5 @@
-policy_module(init, 1.14.2)
@@ -35771,15 +35844,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
fs_rw_tmpfs_chr_files(initrc_t)
+ # /sbin/cgclear
-+ fs_delete_cgroupfs_dirs(initrc_t)
-+ fs_list_cgroupfs_dirs(initrc_t)
++ fs_delete_cgroup_dirs(initrc_t)
++ fs_list_cgroup_dirs(initrc_t)
+ # w for /bin/cgcexec and rw for /sbin/cgclear
-+ fs_rw_cgroupfs_files(initrc_t)
++ fs_rw_cgroup_files(initrc_t)
+
storage_manage_fixed_disk(initrc_t)
storage_dev_filetrans_fixed_disk(initrc_t)
storage_getattr_removable_dev(initrc_t)
-@@ -517,6 +580,24 @@
+@@ -517,6 +580,23 @@
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@@ -35787,7 +35860,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
+ ')
+
+ optional_policy(`
-+ cgroup_delete_cgroup_dirs(initrc_t)
+ cgroup_stream_connect(initrc_t)
+ ')
+
@@ -35804,7 +35876,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -528,6 +609,8 @@
+@@ -528,6 +608,8 @@
optional_policy(`
sysnet_rw_dhcp_config(initrc_t)
sysnet_manage_config(initrc_t)
@@ -35813,7 +35885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -542,6 +625,35 @@
+@@ -542,6 +624,35 @@
')
')
@@ -35849,7 +35921,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -554,6 +666,8 @@
+@@ -554,6 +665,8 @@
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -35858,7 +35930,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -578,6 +692,11 @@
+@@ -578,6 +691,11 @@
')
optional_policy(`
@@ -35870,7 +35942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -594,6 +713,7 @@
+@@ -594,6 +712,7 @@
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -35878,7 +35950,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
consolekit_dbus_chat(initrc_t)
-@@ -695,7 +815,12 @@
+@@ -695,7 +814,12 @@
')
optional_policy(`
@@ -35891,7 +35963,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -718,6 +843,10 @@
+@@ -718,6 +842,10 @@
')
optional_policy(`
@@ -35902,7 +35974,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -760,8 +889,6 @@
+@@ -739,6 +867,10 @@
+ ')
+
+ optional_policy(`
++ ricci_manage_lib_files(initrc_t)
++')
++
++optional_policy(`
+ fs_write_ramfs_sockets(initrc_t)
+ fs_search_ramfs(initrc_t)
+
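Review bot: `ricci_manage_lib_files(initrc_t)` is added in its own `optional_policy` block without a comment, and none of the changelog entries ("Allow ricci domtrans ot shutdown") describes it, so the reason initrc_t needs create/delete rather than read access to ricci's lib files is not recorded anywhere. A short comment above the call, e.g. `# <bug id> - ricci init script rewrites files under its lib dir`, adjusted to what the report shows, would close that gap. The surrounding initrc_t optional_policy blocks continue outside the hunk.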
+@@ -760,8 +892,6 @@
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -35911,7 +35994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -774,10 +901,12 @@
+@@ -774,10 +904,12 @@
squid_manage_logs(initrc_t)
')
@@ -35924,7 +36007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -790,6 +919,7 @@
+@@ -790,6 +922,7 @@
optional_policy(`
udev_rw_db(initrc_t)
@@ -35932,7 +36015,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
udev_manage_pid_files(initrc_t)
')
-@@ -798,11 +928,19 @@
+@@ -798,11 +931,19 @@
')
optional_policy(`
@@ -35953,7 +36036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -812,6 +950,25 @@
+@@ -812,6 +953,25 @@
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -35979,7 +36062,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -837,3 +994,35 @@
+@@ -837,3 +997,35 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -36123,7 +36206,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.19/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/ipsec.te 2010-08-06 12:09:07.432084464 +0200
++++ serefpolicy-3.7.19/policy/modules/system/ipsec.te 2010-08-10 17:44:19.793085351 +0200
@@ -73,7 +73,7 @@
#
@@ -36133,7 +36216,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
allow ipsec_t self:process { getcap setcap getsched signal setsched };
allow ipsec_t self:tcp_socket create_stream_socket_perms;
allow ipsec_t self:udp_socket create_socket_perms;
-@@ -150,6 +150,7 @@
+@@ -108,7 +108,8 @@
+ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
+ allow ipsec_mgmt_t ipsec_t:fd use;
+ allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
+-dontaudit ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
++# 587669
++allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
+ allow ipsec_mgmt_t ipsec_t:process sigchld;
+
+ kernel_read_kernel_sysctls(ipsec_t)
+@@ -150,6 +151,7 @@
files_list_tmp(ipsec_t)
files_read_etc_files(ipsec_t)
files_read_usr_files(ipsec_t)
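Review bot: Turning `dontaudit ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }` into an `allow` is a real permission grant, not a noise suppression, and the only explanation is the bare `# 587669`. Given the `corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)` and `allow ipsec_mgmt_t ipsec_t:fd use;` lines just above, the socket is presumably inherited across the transition from the daemon; the comment should say so, e.g. `# 587669 - scripts spawned by pluto inherit and use its unix socket`, so a later reviewer can tell this was intentional rather than a silenced denial being promoted by mistake. The ipsec_mgmt_t rule block continues outside the hunk.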
@@ -36141,7 +36234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
fs_getattr_all_fs(ipsec_t)
fs_search_auto_mountpoints(ipsec_t)
-@@ -167,6 +168,8 @@
+@@ -167,6 +169,8 @@
miscfiles_read_localization(ipsec_t)
sysnet_domtrans_ifconfig(ipsec_t)
@@ -36150,7 +36243,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
userdom_dontaudit_search_user_home_dirs(ipsec_t)
-@@ -186,7 +189,9 @@
+@@ -186,7 +190,9 @@
allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
dontaudit ipsec_mgmt_t self:capability sys_tty_config;
@@ -36161,7 +36254,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
-@@ -225,7 +230,6 @@
+@@ -225,7 +231,6 @@
manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
@@ -36169,7 +36262,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
# whack needs to connect to pluto
stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
-@@ -258,7 +262,13 @@
+@@ -258,7 +263,13 @@
domain_use_interactive_fds(ipsec_mgmt_t)
# denials when ps tries to search /proc. Do not audit these denials.
@@ -36184,7 +36277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
# suppress audit messages about unnecessary socket access
# cjp: this seems excessive
domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
-@@ -270,19 +280,25 @@
+@@ -270,19 +281,25 @@
files_read_usr_files(ipsec_mgmt_t)
files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
files_dontaudit_getattr_default_files(ipsec_mgmt_t)
@@ -36211,7 +36304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
logging_send_syslog_msg(ipsec_mgmt_t)
miscfiles_read_localization(ipsec_mgmt_t)
-@@ -291,15 +307,38 @@
+@@ -291,15 +308,38 @@
seutil_dontaudit_search_config(ipsec_mgmt_t)
@@ -36250,7 +36343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
nscd_socket_use(ipsec_mgmt_t)
')
-@@ -386,6 +425,8 @@
+@@ -386,6 +426,8 @@
sysnet_exec_ifconfig(racoon_t)
@@ -36259,7 +36352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
-@@ -412,6 +453,7 @@
+@@ -412,6 +454,7 @@
files_read_etc_files(setkey_t)
init_dontaudit_use_fds(setkey_t)
@@ -36267,7 +36360,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
# allow setkey to set the context for ipsec SAs and policy.
ipsec_setcontext_default_spd(setkey_t)
-@@ -423,3 +465,4 @@
+@@ -423,3 +466,4 @@
seutil_read_config(setkey_t)
userdom_use_user_terminals(setkey_t)
@@ -37223,7 +37316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
## Read the configuration options used when
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.19/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/modutils.te 2010-07-21 09:19:47.151135117 +0200
++++ serefpolicy-3.7.19/policy/modules/system/modutils.te 2010-08-10 16:41:48.680085643 +0200
@@ -19,6 +19,7 @@
type insmod_exec_t;
application_domain(insmod_t, insmod_exec_t)
@@ -37280,8 +37373,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
domain_signal_all_domains(insmod_t)
domain_use_interactive_fds(insmod_t)
-@@ -161,11 +167,14 @@
+@@ -159,13 +165,17 @@
+ # for locking: (cjp: ????)
+ files_write_kernel_modules(insmod_t)
++fs_search_rpc(insmod_t)
fs_getattr_xattr_fs(insmod_t)
fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
+fs_mount_rpc_pipefs(insmod_t)
@@ -37295,7 +37391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
logging_send_syslog_msg(insmod_t)
logging_search_logs(insmod_t)
-@@ -174,8 +183,7 @@
+@@ -174,8 +184,7 @@
seutil_read_file_contexts(insmod_t)
@@ -37305,7 +37401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
userdom_dontaudit_search_user_home_dirs(insmod_t)
if( ! secure_mode_insmod ) {
-@@ -236,6 +244,10 @@
+@@ -236,6 +245,10 @@
')
optional_policy(`
@@ -40213,7 +40309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+HOME_DIR/\.gvfs(/.*)? <<none>>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.19/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-07-13 08:35:48.785502965 +0200
++++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-08-10 16:46:30.604085285 +0200
@@ -30,8 +30,9 @@
')
@@ -40343,8 +40439,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+
+ files_exec_usr_files($1_t)
+
-+ fs_list_cgroupfs_dirs($1_usertype)
-+ fs_dontaudit_rw_cgroupfs_files($1_usertype)
++ fs_list_cgroup_dirs($1_usertype)
++ fs_dontaudit_rw_cgroup_files($1_usertype)
- libs_exec_ld_so($1_t)
+ storage_rw_fuse($1_usertype)
@@ -40369,7 +40465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
+
+ optional_policy(`
-+ cgroup_list_cgroup_dirs($1_usertype)
++ fs_list_cgroup_dirs($1_usertype)
+ ')
+
+ optional_policy(`
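Review bot: The `fs_list_cgroup_dirs($1_usertype)` that replaces `cgroup_list_cgroup_dirs` here appears to duplicate the unconditional `fs_list_cgroup_dirs($1_usertype)` added by the hunk at userdomain.if line 40439 a few lines earlier, if both are in the same template (the template header is outside both hunks, so this is inferred). Since the `fs` module is part of the base policy, the `optional_policy` wrapper also no longer serves a purpose; the block could be dropped and the single call kept. The enclosing template starts and ends outside the hunk.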
@@ -40682,7 +40778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ files_read_config_files($1_usertype)
+ fs_read_noxattr_fs_files($1_usertype)
+ fs_read_noxattr_fs_symlinks($1_usertype)
-+ fs_rw_cgroupfs_files($1_usertype)
++ fs_rw_cgroup_files($1_usertype)
+
+ logging_send_syslog_msg($1_usertype)
+ logging_send_audit_msgs($1_usertype)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e9017a3..bf0b38f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 44%{?dist}
+Release: 45%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,15 @@ exit 0
%endif
%changelog
+* Tue Aug 10 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-45
+- Fixes for cgroup policy
+- Fixes for ncftool policy
+- Add ncftool_read_user_content boolean
+- Fix label for boinc init script
+- Fix label for fence_tool
+- Allow vhostmd to write virt content
+- Allow ricci domtrans ot shutdown
+
* Thu Aug 5 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-44
- Add support for luci
- Add label for /var/spool/up2date