rpms/selinux-policy/devel policy-F13.patch, 1.50, 1.51 selinux-policy.spec, 1.967, 1.968
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Feb 11 21:54:06 UTC 2010
Author: dwalsh
Update of /cvs/pkgs/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv22801
Modified Files:
policy-F13.patch selinux-policy.spec
Log Message:
* Thu Feb 11 2010 Dan Walsh <dwalsh at redhat.com> 3.7.8-11
- Allow sandbox to work with MLS
policy-F13.patch:
Makefile | 2
policy/global_tunables | 24
policy/modules/admin/alsa.te | 2
policy/modules/admin/anaconda.te | 3
policy/modules/admin/brctl.te | 2
policy/modules/admin/certwatch.te | 2
policy/modules/admin/consoletype.te | 2
policy/modules/admin/dmesg.te | 10
policy/modules/admin/firstboot.te | 6
policy/modules/admin/kismet.te | 5
policy/modules/admin/logrotate.te | 35
policy/modules/admin/logwatch.te | 8
policy/modules/admin/mcelog.fc | 2
policy/modules/admin/mcelog.if | 21
policy/modules/admin/mcelog.te | 32
policy/modules/admin/mrtg.te | 1
policy/modules/admin/netutils.te | 4
policy/modules/admin/portage.te | 2
policy/modules/admin/prelink.fc | 1
policy/modules/admin/prelink.if | 23
policy/modules/admin/prelink.te | 78 +
policy/modules/admin/quota.te | 1
policy/modules/admin/readahead.te | 3
policy/modules/admin/rpm.fc | 21
policy/modules/admin/rpm.if | 344 +++++
policy/modules/admin/rpm.te | 102 +
policy/modules/admin/shorewall.fc | 5
policy/modules/admin/shorewall.if | 40
policy/modules/admin/shorewall.te | 9
policy/modules/admin/smoltclient.fc | 4
policy/modules/admin/smoltclient.if | 1
policy/modules/admin/smoltclient.te | 66 +
policy/modules/admin/sudo.if | 13
policy/modules/admin/tmpreaper.te | 12
policy/modules/admin/usermanage.if | 11
policy/modules/admin/usermanage.te | 37
policy/modules/admin/vbetool.te | 14
policy/modules/admin/vpn.te | 4
policy/modules/apps/cdrecord.te | 2
policy/modules/apps/chrome.fc | 2
policy/modules/apps/chrome.if | 86 +
policy/modules/apps/chrome.te | 82 +
policy/modules/apps/cpufreqselector.te | 2
policy/modules/apps/execmem.fc | 43
policy/modules/apps/execmem.if | 108 +
policy/modules/apps/execmem.te | 11
policy/modules/apps/firewallgui.fc | 3
policy/modules/apps/firewallgui.if | 23
policy/modules/apps/firewallgui.te | 66 +
policy/modules/apps/gitosis.if | 44
policy/modules/apps/gnome.fc | 24
policy/modules/apps/gnome.if | 221 +++
policy/modules/apps/gnome.te | 116 +-
policy/modules/apps/gpg.fc | 1
policy/modules/apps/gpg.te | 12
policy/modules/apps/java.fc | 23
policy/modules/apps/java.if | 113 +
policy/modules/apps/java.te | 18
policy/modules/apps/kdumpgui.fc | 2
policy/modules/apps/kdumpgui.if | 2
policy/modules/apps/kdumpgui.te | 68 +
policy/modules/apps/livecd.fc | 2
policy/modules/apps/livecd.if | 52
policy/modules/apps/livecd.te | 27
policy/modules/apps/loadkeys.te | 6
policy/modules/apps/mono.fc | 2
policy/modules/apps/mono.if | 101 +
policy/modules/apps/mono.te | 9
policy/modules/apps/mozilla.fc | 2
policy/modules/apps/mozilla.if | 27
policy/modules/apps/mozilla.te | 22
policy/modules/apps/nsplugin.fc | 10
policy/modules/apps/nsplugin.if | 358 ++++++
policy/modules/apps/nsplugin.te | 296 +++++
policy/modules/apps/openoffice.fc | 3
policy/modules/apps/openoffice.if | 92 +
policy/modules/apps/openoffice.te | 11
policy/modules/apps/podsleuth.te | 3
policy/modules/apps/ptchown.if | 24
policy/modules/apps/pulseaudio.fc | 6
policy/modules/apps/pulseaudio.if | 72 +
policy/modules/apps/pulseaudio.te | 27
policy/modules/apps/qemu.fc | 4
policy/modules/apps/qemu.if | 189 +++
policy/modules/apps/qemu.te | 83 +
policy/modules/apps/sambagui.fc | 1
policy/modules/apps/sambagui.if | 2
policy/modules/apps/sambagui.te | 66 +
policy/modules/apps/sandbox.fc | 1
policy/modules/apps/sandbox.if | 230 +++
policy/modules/apps/sandbox.te | 364 ++++++
policy/modules/apps/screen.if | 1
policy/modules/apps/sectoolm.fc | 6
policy/modules/apps/sectoolm.if | 3
policy/modules/apps/sectoolm.te | 118 ++
policy/modules/apps/seunshare.if | 78 -
policy/modules/apps/seunshare.te | 35
policy/modules/apps/slocate.te | 1
policy/modules/apps/vmware.if | 19
policy/modules/apps/vmware.te | 9
policy/modules/apps/wine.fc | 24
policy/modules/apps/wine.if | 118 ++
policy/modules/apps/wine.te | 50
policy/modules/kernel/corecommands.fc | 36
policy/modules/kernel/corecommands.if | 21
policy/modules/kernel/corenetwork.if.in | 18
policy/modules/kernel/corenetwork.te.in | 46
policy/modules/kernel/devices.fc | 9
policy/modules/kernel/devices.if | 198 +++
policy/modules/kernel/devices.te | 18
policy/modules/kernel/domain.if | 174 ++-
policy/modules/kernel/domain.te | 103 +
policy/modules/kernel/files.fc | 9
policy/modules/kernel/files.if | 503 ++++++++
policy/modules/kernel/files.te | 12
policy/modules/kernel/filesystem.if | 337 +++++
policy/modules/kernel/filesystem.te | 8
policy/modules/kernel/kernel.if | 58 -
policy/modules/kernel/kernel.te | 27
policy/modules/kernel/selinux.if | 25
policy/modules/kernel/storage.fc | 1
policy/modules/kernel/storage.if | 1
policy/modules/kernel/terminal.if | 27
policy/modules/roles/guest.te | 8
policy/modules/roles/staff.te | 124 --
policy/modules/roles/sysadm.te | 123 --
policy/modules/roles/unconfineduser.fc | 10
policy/modules/roles/unconfineduser.if | 667 +++++++++++
policy/modules/roles/unconfineduser.te | 445 +++++++
policy/modules/roles/unprivuser.te | 127 --
policy/modules/roles/xguest.te | 72 +
policy/modules/services/abrt.fc | 8
policy/modules/services/abrt.if | 144 ++
policy/modules/services/abrt.te | 128 ++
policy/modules/services/afs.fc | 2
policy/modules/services/afs.te | 6
policy/modules/services/aiccu.fc | 5
policy/modules/services/aiccu.if | 119 ++
policy/modules/services/aiccu.te | 41
policy/modules/services/aisexec.fc | 12
policy/modules/services/aisexec.if | 106 +
policy/modules/services/aisexec.te | 112 +
policy/modules/services/amavis.te | 2
policy/modules/services/apache.fc | 62 +
policy/modules/services/apache.if | 512 ++++++--
policy/modules/services/apache.te | 490 +++++++-
policy/modules/services/apm.te | 4
policy/modules/services/arpwatch.te | 4
policy/modules/services/asterisk.if | 53
policy/modules/services/asterisk.te | 42
policy/modules/services/automount.te | 2
policy/modules/services/avahi.fc | 2
policy/modules/services/avahi.te | 13
policy/modules/services/bind.if | 61 +
policy/modules/services/bind.te | 4
policy/modules/services/bluetooth.te | 1
policy/modules/services/ccs.fc | 8
policy/modules/services/ccs.te | 33
policy/modules/services/certmaster.fc | 1
policy/modules/services/certmonger.fc | 6
policy/modules/services/certmonger.if | 217 +++
policy/modules/services/certmonger.te | 74 +
policy/modules/services/cgroup.fc | 7
policy/modules/services/cgroup.if | 35
policy/modules/services/cgroup.te | 87 +
policy/modules/services/chronyd.fc | 13
policy/modules/services/chronyd.if | 106 +
policy/modules/services/chronyd.te | 76 +
policy/modules/services/clamav.te | 5
policy/modules/services/clogd.fc | 4
policy/modules/services/clogd.if | 98 +
policy/modules/services/clogd.te | 62 +
policy/modules/services/cobbler.fc | 9
policy/modules/services/cobbler.if | 186 +++
policy/modules/services/cobbler.te | 127 ++
policy/modules/services/consolekit.fc | 3
policy/modules/services/consolekit.if | 39
policy/modules/services/consolekit.te | 23
policy/modules/services/corosync.fc | 13
policy/modules/services/corosync.if | 108 +
policy/modules/services/corosync.te | 110 +
policy/modules/services/cron.fc | 6
policy/modules/services/cron.if | 76 +
policy/modules/services/cron.te | 91 +
policy/modules/services/cups.fc | 14
policy/modules/services/cups.te | 64 -
policy/modules/services/cvs.te | 1
policy/modules/services/cyrus.te | 2
policy/modules/services/dbus.if | 55
policy/modules/services/dbus.te | 31
policy/modules/services/denyhosts.fc | 7
policy/modules/services/denyhosts.if | 90 +
policy/modules/services/denyhosts.te | 72 +
policy/modules/services/devicekit.fc | 4
policy/modules/services/devicekit.if | 20
policy/modules/services/devicekit.te | 83 +
policy/modules/services/dhcp.if | 19
policy/modules/services/djbdns.if | 38
policy/modules/services/djbdns.te | 8
policy/modules/services/dnsmasq.fc | 1
policy/modules/services/dnsmasq.if | 38
policy/modules/services/dnsmasq.te | 19
policy/modules/services/dovecot.fc | 1
policy/modules/services/dovecot.te | 34
policy/modules/services/exim.te | 4
policy/modules/services/fail2ban.if | 58 +
policy/modules/services/fetchmail.te | 1
policy/modules/services/fprintd.te | 2
policy/modules/services/ftp.if | 38
policy/modules/services/ftp.te | 176 ++-
policy/modules/services/git.fc | 19
policy/modules/services/git.if | 536 +++++++++
policy/modules/services/git.te | 179 +++
policy/modules/services/gpsd.te | 2
policy/modules/services/hal.fc | 1
policy/modules/services/hal.if | 18
policy/modules/services/hal.te | 53
policy/modules/services/howl.te | 2
policy/modules/services/icecast.fc | 7
policy/modules/services/icecast.if | 199 +++
policy/modules/services/icecast.te | 59 +
policy/modules/services/kerberos.if | 6
policy/modules/services/kerberos.te | 3
policy/modules/services/ksmtuned.fc | 5
policy/modules/services/ksmtuned.if | 76 +
policy/modules/services/ksmtuned.te | 44
policy/modules/services/ktalk.te | 1
policy/modules/services/ldap.fc | 8
policy/modules/services/ldap.if | 38
policy/modules/services/ldap.te | 7
policy/modules/services/lircd.te | 21
policy/modules/services/mailman.fc | 10
policy/modules/services/memcached.te | 10
policy/modules/services/modemmanager.te | 5
policy/modules/services/mta.fc | 2
policy/modules/services/mta.if | 44
policy/modules/services/mta.te | 16
policy/modules/services/munin.fc | 3
policy/modules/services/munin.te | 7
policy/modules/services/mysql.if | 38
policy/modules/services/mysql.te | 24
policy/modules/services/nagios.fc | 81 +
policy/modules/services/nagios.if | 128 ++
policy/modules/services/nagios.te | 247 +++-
policy/modules/services/networkmanager.fc | 16
policy/modules/services/networkmanager.if | 65 +
policy/modules/services/networkmanager.te | 121 +-
policy/modules/services/nis.fc | 10
policy/modules/services/nis.if | 87 +
policy/modules/services/nis.te | 19
policy/modules/services/nscd.if | 20
policy/modules/services/nscd.te | 23
policy/modules/services/ntop.fc | 1
policy/modules/services/ntop.te | 34
policy/modules/services/ntp.te | 2
policy/modules/services/nut.fc | 16
policy/modules/services/nut.if | 58 +
policy/modules/services/nut.te | 188 +++
policy/modules/services/nx.fc | 10
policy/modules/services/nx.if | 67 +
policy/modules/services/nx.te | 13
policy/modules/services/oddjob.if | 1
policy/modules/services/oddjob.te | 5
policy/modules/services/openvpn.te | 7
policy/modules/services/pcscd.if | 38
policy/modules/services/pegasus.te | 28
policy/modules/services/plymouth.fc | 5
policy/modules/services/plymouth.if | 322 +++++
policy/modules/services/plymouth.te | 104 +
policy/modules/services/policykit.fc | 5
policy/modules/services/policykit.if | 71 +
policy/modules/services/policykit.te | 73 +
policy/modules/services/portreserve.te | 3
policy/modules/services/postfix.fc | 2
policy/modules/services/postfix.if | 150 ++
policy/modules/services/postfix.te | 144 ++
policy/modules/services/postgresql.fc | 16
policy/modules/services/postgresql.if | 60 +
policy/modules/services/postgresql.te | 9
policy/modules/services/ppp.fc | 2
policy/modules/services/ppp.if | 4
policy/modules/services/ppp.te | 10
policy/modules/services/prelude.te | 3
policy/modules/services/procmail.te | 12
policy/modules/services/puppet.te | 2
policy/modules/services/pyzor.fc | 4
policy/modules/services/pyzor.if | 47
policy/modules/services/pyzor.te | 37
policy/modules/services/radvd.te | 12
policy/modules/services/razor.fc | 1
policy/modules/services/razor.if | 42
policy/modules/services/razor.te | 32
policy/modules/services/rdisc.if | 19
policy/modules/services/rgmanager.fc | 8
policy/modules/services/rgmanager.if | 59 +
policy/modules/services/rgmanager.te | 204 +++
policy/modules/services/rhcs.fc | 22
policy/modules/services/rhcs.if | 367 ++++++
policy/modules/services/rhcs.te | 419 +++++++
policy/modules/services/ricci.te | 31
policy/modules/services/rpc.fc | 4
policy/modules/services/rpc.if | 45
policy/modules/services/rpc.te | 30
policy/modules/services/rsync.fc | 1
policy/modules/services/rsync.if | 38
policy/modules/services/rsync.te | 28
policy/modules/services/rtkit.if | 20
policy/modules/services/rtkit.te | 4
policy/modules/services/samba.fc | 4
policy/modules/services/samba.if | 138 ++
policy/modules/services/samba.te | 116 +-
policy/modules/services/sasl.te | 15
policy/modules/services/sendmail.if | 19
policy/modules/services/sendmail.te | 17
policy/modules/services/setroubleshoot.fc | 2
policy/modules/services/setroubleshoot.if | 124 ++
policy/modules/services/setroubleshoot.te | 89 +
policy/modules/services/snmp.if | 18
policy/modules/services/snmp.te | 2
policy/modules/services/snort.te | 10
policy/modules/services/spamassassin.fc | 15
policy/modules/services/spamassassin.if | 107 +
policy/modules/services/spamassassin.te | 141 ++
policy/modules/services/squid.te | 9
policy/modules/services/ssh.fc | 2
policy/modules/services/ssh.if | 61 -
policy/modules/services/ssh.te | 62 -
policy/modules/services/sssd.fc | 2
policy/modules/services/sssd.if | 47
policy/modules/services/sssd.te | 15
policy/modules/services/sysstat.te | 5
policy/modules/services/telnet.te | 1
policy/modules/services/tftp.if | 38
policy/modules/services/tftp.te | 3
policy/modules/services/tgtd.if | 17
policy/modules/services/tgtd.te | 2
policy/modules/services/tor.te | 13
policy/modules/services/tuned.fc | 3
policy/modules/services/tuned.te | 10
policy/modules/services/ucspitcp.te | 5
policy/modules/services/usbmuxd.fc | 4
policy/modules/services/usbmuxd.if | 39
policy/modules/services/usbmuxd.te | 47
policy/modules/services/uucp.te | 5
policy/modules/services/vhostmd.fc | 6
policy/modules/services/vhostmd.if | 228 +++
policy/modules/services/vhostmd.te | 84 +
policy/modules/services/virt.fc | 17
policy/modules/services/virt.if | 210 +++
policy/modules/services/virt.te | 300 ++++-
policy/modules/services/w3c.te | 7
policy/modules/services/xserver.fc | 54
policy/modules/services/xserver.if | 365 ++++++
policy/modules/services/xserver.te | 377 +++++-
policy/modules/services/zebra.if | 20
policy/modules/system/application.te | 11
policy/modules/system/authlogin.fc | 9
policy/modules/system/authlogin.if | 210 +++
policy/modules/system/authlogin.te | 11
policy/modules/system/daemontools.if | 62 +
policy/modules/system/daemontools.te | 26
policy/modules/system/fstools.fc | 3
policy/modules/system/fstools.te | 5
policy/modules/system/getty.te | 7
policy/modules/system/hostname.te | 3
policy/modules/system/hotplug.te | 4
policy/modules/system/init.fc | 7
policy/modules/system/init.if | 197 +++
policy/modules/system/init.te | 323 ++++-
policy/modules/system/ipsec.fc | 4
policy/modules/system/ipsec.if | 65 -
policy/modules/system/ipsec.te | 43
policy/modules/system/iptables.fc | 9
policy/modules/system/iptables.if | 7
policy/modules/system/iptables.te | 20
policy/modules/system/iscsi.fc | 9
policy/modules/system/iscsi.te | 26
policy/modules/system/libraries.fc | 221 +++
policy/modules/system/libraries.if | 5
policy/modules/system/libraries.te | 18
policy/modules/system/locallogin.te | 36
policy/modules/system/logging.fc | 13
policy/modules/system/logging.if | 38
policy/modules/system/logging.te | 47
policy/modules/system/lvm.te | 10
policy/modules/system/miscfiles.fc | 3
policy/modules/system/miscfiles.if | 69 +
policy/modules/system/miscfiles.te | 3
policy/modules/system/modutils.te | 21
policy/modules/system/mount.fc | 7
policy/modules/system/mount.if | 59 +
policy/modules/system/mount.te | 105 +
policy/modules/system/raid.te | 2
policy/modules/system/selinuxutil.fc | 17
policy/modules/system/selinuxutil.if | 330 +++++
policy/modules/system/selinuxutil.te | 230 +--
policy/modules/system/sysnetwork.fc | 14
policy/modules/system/sysnetwork.if | 116 +-
policy/modules/system/sysnetwork.te | 80 +
policy/modules/system/udev.if | 1
policy/modules/system/udev.te | 17
policy/modules/system/unconfined.fc | 15
policy/modules/system/unconfined.if | 445 -------
policy/modules/system/unconfined.te | 224 ---
policy/modules/system/userdomain.fc | 9
policy/modules/system/userdomain.if | 1730 +++++++++++++++++++++++-------
policy/modules/system/userdomain.te | 51
policy/modules/system/xen.if | 19
policy/modules/system/xen.te | 20
policy/support/misc_patterns.spt | 4
policy/support/obj_perm_sets.spt | 33
policy/users | 17
412 files changed, 22519 insertions(+), 2868 deletions(-)
Index: policy-F13.patch
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/devel/policy-F13.patch,v
retrieving revision 1.50
retrieving revision 1.51
diff -u -p -r1.50 -r1.51
--- policy-F13.patch 10 Feb 2010 22:26:52 -0000 1.50
+++ policy-F13.patch 11 Feb 2010 21:54:05 -0000 1.51
@@ -631,6 +631,17 @@ diff --exclude-from=exclude -N -u -r nsa
+optional_policy(`
+ rpm_read_db(prelink_cron_system_t)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.te serefpolicy-3.7.8/policy/modules/admin/quota.te
+--- nsaserefpolicy/policy/modules/admin/quota.te 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.8/policy/modules/admin/quota.te 2010-02-11 15:13:50.000000000 -0500
+@@ -39,6 +39,7 @@
+ kernel_list_proc(quota_t)
+ kernel_read_proc_symlinks(quota_t)
+ kernel_read_kernel_sysctls(quota_t)
++kernel_setsched(quota_t)
+
+ dev_read_sysfs(quota_t)
+ dev_getattr_all_blk_files(quota_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.7.8/policy/modules/admin/readahead.te
--- nsaserefpolicy/policy/modules/admin/readahead.te 2009-11-17 10:54:26.000000000 -0500
+++ serefpolicy-3.7.8/policy/modules/admin/readahead.te 2010-02-08 15:48:06.000000000 -0500
@@ -3545,7 +3556,7 @@ diff --exclude-from=exclude -N -u -r nsa
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.7.8/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/mozilla.te 2010-02-09 10:11:18.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/mozilla.te 2010-02-11 08:44:05.000000000 -0500
@@ -91,6 +91,7 @@
corenet_raw_sendrecv_generic_node(mozilla_t)
corenet_tcp_sendrecv_http_port(mozilla_t)
@@ -3982,7 +3993,7 @@ diff --exclude-from=exclude -N -u -r nsa
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.8/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/nsplugin.te 2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/nsplugin.te 2010-02-11 08:51:41.000000000 -0500
@@ -0,0 +1,296 @@
+
+policy_module(nsplugin, 1.0.0)
@@ -5059,8 +5070,8 @@ diff --exclude-from=exclude -N -u -r nsa
+# No types are sandbox_exec_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.8/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/sandbox.if 2010-02-05 16:08:07.000000000 -0500
-@@ -0,0 +1,225 @@
++++ serefpolicy-3.7.8/policy/modules/apps/sandbox.if 2010-02-11 15:07:54.000000000 -0500
+@@ -0,0 +1,230 @@
+
+## <summary>policy for sandbox</summary>
+
@@ -5186,6 +5197,11 @@ diff --exclude-from=exclude -N -u -r nsa
+ manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t)
+ manage_sock_files_pattern($1_t, $1_file_t, $1_file_t)
+
++ type $1_devpts_t;
++ term_pty($1_devpts_t)
++ term_create_pty($1_t, $1_devpts_t)
++ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
++
+ # window manager
+ miscfiles_setattr_fonts_cache_dirs($1_t)
+ allow $1_t self:capability setuid;
@@ -5288,8 +5304,8 @@ diff --exclude-from=exclude -N -u -r nsa
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.8/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/sandbox.te 2010-02-02 10:31:03.000000000 -0500
-@@ -0,0 +1,349 @@
++++ serefpolicy-3.7.8/policy/modules/apps/sandbox.te 2010-02-11 12:13:25.000000000 -0500
+@@ -0,0 +1,364 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -5392,9 +5408,15 @@ diff --exclude-from=exclude -N -u -r nsa
+
+## internal communication is often done using fifo and unix sockets.
+allow sandbox_domain self:fifo_file manage_file_perms;
++allow sandbox_domain self:sem create_sem_perms;
++allow sandbox_domain self:shm create_shm_perms;
++allow sandbox_domain self:msgq create_msgq_perms;
+allow sandbox_domain self:unix_stream_socket create_stream_socket_perms;
+allow sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
+
++dev_rw_all_inherited_chr_files(sandbox_domain)
++dev_rw_all_inherited_blk_files(sandbox_domain)
++
+gen_require(`
+ type usr_t, lib_t, locale_t;
+ attribute exec_type;
@@ -5414,8 +5436,13 @@ diff --exclude-from=exclude -N -u -r nsa
+#
+# sandbox_x_domain local policy
+#
-+## internal communication is often done using fifo and unix sockets.
+allow sandbox_x_domain self:fifo_file manage_file_perms;
++allow sandbox_x_domain self:sem create_sem_perms;
++allow sandbox_x_domain self:shm create_shm_perms;
++allow sandbox_x_domain self:msgq create_msgq_perms;
++allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;
++allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };
++
+allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;
+
+allow sandbox_x_domain self:process { signal_perms getsched setpgid execstack execmem };
@@ -5554,10 +5581,15 @@ diff --exclude-from=exclude -N -u -r nsa
+corenet_tcp_sendrecv_ipp_port(sandbox_web_client_t)
+corenet_tcp_connect_http_port(sandbox_web_client_t)
+corenet_tcp_connect_http_cache_port(sandbox_web_client_t)
++corenet_tcp_connect_flash_port(sandbox_web_client_t)
+corenet_tcp_connect_ftp_port(sandbox_web_client_t)
+corenet_tcp_connect_ipp_port(sandbox_web_client_t)
++corenet_tcp_connect_streaming_port(sandbox_web_client_t)
++corenet_tcp_connect_pulseaudio_port(sandbox_web_client_t)
++corenet_tcp_connect_speech_port(sandbox_web_client_t)
+corenet_tcp_connect_generic_port(sandbox_web_client_t)
+corenet_tcp_connect_soundd_port(sandbox_web_client_t)
++corenet_tcp_connect_speech_port(sandbox_web_client_t)
+corenet_sendrecv_http_client_packets(sandbox_web_client_t)
+corenet_sendrecv_http_cache_client_packets(sandbox_web_client_t)
+corenet_sendrecv_ftp_client_packets(sandbox_web_client_t)
@@ -5566,7 +5598,6 @@ diff --exclude-from=exclude -N -u -r nsa
+# Should not need other ports
+corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_client_t)
+corenet_dontaudit_tcp_bind_generic_port(sandbox_web_client_t)
-+corenet_tcp_connect_speech_port(sandbox_web_client_t)
+
+auth_use_nsswitch(sandbox_web_client_t)
+
@@ -5791,30 +5822,167 @@ diff --exclude-from=exclude -N -u -r nsa
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.8/policy/modules/apps/seunshare.if
--- nsaserefpolicy/policy/modules/apps/seunshare.if 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/seunshare.if 2010-02-02 10:31:03.000000000 -0500
-@@ -44,6 +44,8 @@
-
- allow $1 seunshare_t:process signal_perms;
++++ serefpolicy-3.7.8/policy/modules/apps/seunshare.if 2010-02-11 16:52:18.000000000 -0500
+@@ -2,59 +2,14 @@
-+ sandbox_transition(seunshare_t, $2)
-+
- ifdef(`hide_broken_symptoms', `
- dontaudit seunshare_t $1:tcp_socket rw_socket_perms;
- dontaudit seunshare_t $1:udp_socket rw_socket_perms;
+ ########################################
+ ## <summary>
+-## Execute a domain transition to run seunshare.
++## The role template for the seunshare module.
+ ## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed to transition.
+-## </summary>
+-## </param>
+-#
+-interface(`seunshare_domtrans',`
+- gen_require(`
+- type seunshare_t, seunshare_exec_t;
+- ')
+-
+- domtrans_pattern($1, seunshare_exec_t, seunshare_t)
+-')
+-
+-########################################
+-## <summary>
+-## Execute seunshare in the seunshare domain, and
+-## allow the specified role the seunshare domain.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-## <param name="role">
++## <param name="role_prefix">
+ ## <summary>
+-## Role allowed access.
++## The prefix of the user role (e.g., user
++## is the prefix for user_r).
+ ## </summary>
+ ## </param>
+-#
+-interface(`seunshare_run',`
+- gen_require(`
+- type seunshare_t;
+- ')
+-
+- seunshare_domtrans($1)
+- role $2 types seunshare_t;
+-
+- allow $1 seunshare_t:process signal_perms;
+-
+- ifdef(`hide_broken_symptoms', `
+- dontaudit seunshare_t $1:tcp_socket rw_socket_perms;
+- dontaudit seunshare_t $1:udp_socket rw_socket_perms;
+- dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms;
+- ')
+-')
+-
+-########################################
+-## <summary>
+-## Role access for seunshare
+-## </summary>
+ ## <param name="role">
+ ## <summary>
+ ## Role allowed access.
+@@ -66,15 +21,28 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`seunshare_role',`
++interface(`seunshare_role_template',`
+ gen_require(`
+- type seunshare_t;
++ attribute seunshare_domain;
++ type seunshare_exec_t;
+ ')
+
+- role $2 types seunshare_t;
++ type $1_seunshare_t, seunshare_domain;
++ application_domain($1_seunshare_t, seunshare_exec_t)
++ role $2 types $1_seunshare_t;
+
+- seunshare_domtrans($1)
++ domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t)
++ sandbox_transition($1_seunshare_t, $2)
+
+- ps_process_pattern($2, seunshare_t)
+- allow $2 seunshare_t:process signal;
++ ps_process_pattern($3, $1_seunshare_t)
++ allow $3 $1_seunshare_t:process signal_perms;
++
++ allow $1_seunshare_t $3:process transition;
++ dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh };
++
++ ifdef(`hide_broken_symptoms', `
++ dontaudit $1_seunshare_t $3:tcp_socket rw_socket_perms;
++ dontaudit $1_seunshare_t $3:udp_socket rw_socket_perms;
++ dontaudit $1_seunshare_t $3:unix_stream_socket rw_socket_perms;
++ ')
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.8/policy/modules/apps/seunshare.te
--- nsaserefpolicy/policy/modules/apps/seunshare.te 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/seunshare.te 2010-02-02 10:31:03.000000000 -0500
-@@ -15,9 +15,8 @@
++++ serefpolicy-3.7.8/policy/modules/apps/seunshare.te 2010-02-11 16:49:25.000000000 -0500
+@@ -6,40 +6,39 @@
+ # Declarations
+ #
+
+-type seunshare_t;
++attribute seunshare_domain;
+ type seunshare_exec_t;
+-application_domain(seunshare_t, seunshare_exec_t)
+-role system_r types seunshare_t;
+
+ ########################################
#
# seunshare local policy
#
--
- allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
++allow seunshare_domain self:capability { setuid dac_override setpcap sys_admin };
++allow seunshare_domain self:process { fork setexec signal getcap setcap };
+
+-allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
-allow seunshare_t self:process { setexec signal getcap setcap };
-+allow seunshare_t self:process { fork setexec signal getcap setcap };
++allow seunshare_domain self:fifo_file rw_file_perms;
++allow seunshare_domain self:unix_stream_socket create_stream_socket_perms;
+
+-allow seunshare_t self:fifo_file rw_file_perms;
+-allow seunshare_t self:unix_stream_socket create_stream_socket_perms;
++corecmd_exec_shell(seunshare_domain)
++corecmd_exec_bin(seunshare_domain)
+
+-corecmd_exec_shell(seunshare_t)
+-corecmd_exec_bin(seunshare_t)
++files_search_all(seunshare_domain)
++files_read_etc_files(seunshare_domain)
++files_mounton_all_poly_members(seunshare_domain)
+
+-files_read_etc_files(seunshare_t)
+-files_mounton_all_poly_members(seunshare_t)
++auth_use_nsswitch(seunshare_domain)
+
+-auth_use_nsswitch(seunshare_t)
++logging_send_syslog_msg(seunshare_domain)
+
+-logging_send_syslog_msg(seunshare_t)
++miscfiles_read_localization(seunshare_domain)
+
+-miscfiles_read_localization(seunshare_t)
+-
+-userdom_use_user_terminals(seunshare_t)
++userdom_use_user_terminals(seunshare_domain)
+
+ ifdef(`hide_broken_symptoms', `
+- fs_dontaudit_rw_anon_inodefs_files(seunshare_t)
++ fs_dontaudit_rw_anon_inodefs_files(seunshare_domain)
++ fs_dontaudit_list_inotifyfs(seunshare_domain)
- allow seunshare_t self:fifo_file rw_file_perms;
- allow seunshare_t self:unix_stream_socket create_stream_socket_perms;
+ optional_policy(`
+- mozilla_dontaudit_manage_user_home_files(seunshare_t)
++ mozilla_dontaudit_manage_user_home_files(seunshare_domain)
+ ')
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.7.8/policy/modules/apps/slocate.te
--- nsaserefpolicy/policy/modules/apps/slocate.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.8/policy/modules/apps/slocate.te 2010-02-02 10:31:03.000000000 -0500
@@ -6485,7 +6653,7 @@ diff --exclude-from=exclude -N -u -r nsa
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.8/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/kernel/devices.if 2010-02-09 16:10:20.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/kernel/devices.if 2010-02-11 11:47:56.000000000 -0500
@@ -801,6 +801,24 @@
########################################
@@ -6536,7 +6704,50 @@ diff --exclude-from=exclude -N -u -r nsa
## Create all block device files.
## </summary>
## <param name="domain">
-@@ -1380,6 +1416,42 @@
+@@ -855,6 +891,42 @@
+
+ ########################################
+ ## <summary>
++## rw all inherited character device files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_rw_all_inherited_chr_files',`
++ gen_require(`
++ attribute device_node;
++ ')
++
++ allow $1 device_node:chr_file rw_inherited_chr_file_perms;
++')
++
++########################################
++## <summary>
++## rw all inherited blk device files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_rw_all_inherited_blk_files',`
++ gen_require(`
++ attribute device_node;
++ ')
++
++ allow $1 device_node:blk_file rw_inherited_blk_file_perms;
++')
++
++########################################
++## <summary>
+ ## Delete all block device files.
+ ## </summary>
+ ## <param name="domain">
+@@ -1380,6 +1452,42 @@
rw_chr_files_pattern($1, device_t, crypt_device_t)
')
@@ -6579,7 +6790,7 @@ diff --exclude-from=exclude -N -u -r nsa
########################################
## <summary>
## getattr the dri devices.
-@@ -1710,6 +1782,24 @@
+@@ -1710,6 +1818,24 @@
########################################
## <summary>
@@ -6604,7 +6815,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Get the attributes of the ksm devices.
## </summary>
## <param name="domain">
-@@ -1999,6 +2089,24 @@
+@@ -1999,6 +2125,24 @@
########################################
## <summary>
@@ -6629,7 +6840,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Read raw memory devices (e.g. /dev/mem).
## </summary>
## <param name="domain">
-@@ -2450,6 +2558,24 @@
+@@ -2450,6 +2594,24 @@
########################################
## <summary>
@@ -6654,7 +6865,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Get the attributes of the network control device
## </summary>
## <param name="domain">
-@@ -3515,6 +3641,24 @@
+@@ -3515,6 +3677,24 @@
########################################
## <summary>
@@ -6679,7 +6890,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Mount a usbfs filesystem.
## </summary>
## <param name="domain">
-@@ -3703,6 +3847,24 @@
+@@ -3703,6 +3883,24 @@
getattr_chr_files_pattern($1, device_t, v4l_device_t)
')
@@ -7177,7 +7388,7 @@ diff --exclude-from=exclude -N -u -r nsa
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.8/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/kernel/files.if 2010-02-09 14:24:24.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/kernel/files.if 2010-02-11 11:49:05.000000000 -0500
@@ -932,10 +932,8 @@
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -7875,7 +8086,7 @@ diff --exclude-from=exclude -N -u -r nsa
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.8/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/kernel/filesystem.if 2010-02-08 15:48:31.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/kernel/filesystem.if 2010-02-11 14:13:24.000000000 -0500
@@ -906,7 +906,7 @@
type cifs_t;
')
@@ -7911,7 +8122,69 @@ diff --exclude-from=exclude -N -u -r nsa
## Create, read, write, and delete directories
## on a FUSEFS filesystem.
## </summary>
-@@ -2047,7 +2066,7 @@
+@@ -1613,6 +1632,36 @@
+
+ ########################################
+ ## <summary>
++## Create an object in a hugetlbfs filesystem, with a private
++## type using a type transition.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="private type">
++## <summary>
++## The type of the object to be created.
++## </summary>
++## </param>
++## <param name="object">
++## <summary>
++## The object class of the object being created.
++## </summary>
++## </param>
++#
++interface(`fs_hugetlbfs_filetrans',`
++ gen_require(`
++ type hugetlbfs_t;
++ ')
++
++ allow $2 hugetlbfs_t:filesystem associate;
++ filetrans_pattern($1, hugetlbfs_t, $2, $3)
++')
++
++########################################
++## <summary>
+ ## Search inotifyfs filesystem.
+ ## </summary>
+ ## <param name="domain">
+@@ -1649,6 +1698,24 @@
+
+ ########################################
+ ## <summary>
++## Dontaudit List inotifyfs filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_dontaudit_list_inotifyfs',`
++ gen_require(`
++ type inotifyfs_t;
++ ')
++
++ dontaudit $1 inotifyfs_t:dir list_dir_perms;
++')
++
++########################################
++## <summary>
+ ## Mount an iso9660 filesystem, which
+ ## is usually used on CDs.
+ ## </summary>
+@@ -2047,7 +2114,7 @@
type nfs_t;
')
@@ -7920,7 +8193,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -2069,6 +2088,25 @@
+@@ -2069,6 +2136,25 @@
read_lnk_files_pattern($1, nfs_t, nfs_t)
')
@@ -7946,7 +8219,7 @@ diff --exclude-from=exclude -N -u -r nsa
#########################################
## <summary>
## Read named sockets on a NFS filesystem.
-@@ -3458,6 +3496,24 @@
+@@ -3458,6 +3544,24 @@
########################################
## <summary>
@@ -7971,7 +8244,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Read and write generic tmpfs files.
## </summary>
## <param name="domain">
-@@ -3684,6 +3740,24 @@
+@@ -3684,6 +3788,24 @@
########################################
## <summary>
@@ -7996,7 +8269,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Mount a XENFS filesystem.
## </summary>
## <param name="domain">
-@@ -4181,3 +4255,214 @@
+@@ -4181,3 +4303,214 @@
relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
')
@@ -8273,7 +8546,7 @@ diff --exclude-from=exclude -N -u -r nsa
# nfs_t is the default type for NFS file systems
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.8/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/kernel/kernel.if 2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/kernel/kernel.if 2010-02-11 08:05:42.000000000 -0500
@@ -1849,7 +1849,7 @@
')
@@ -8814,7 +9087,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.8/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/roles/sysadm.te 2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/roles/sysadm.te 2010-02-11 12:30:41.000000000 -0500
@@ -15,7 +15,7 @@
role sysadm_r;
@@ -8883,18 +9156,16 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -135,10 +129,6 @@
+@@ -135,7 +129,7 @@
')
optional_policy(`
- dbus_role_template(sysadm, sysadm_r, sysadm_t)
--')
--
--optional_policy(`
- dcc_run_cdcc(sysadm_t, sysadm_r)
- dcc_run_client(sysadm_t, sysadm_r)
- dcc_run_dbclean(sysadm_t, sysadm_r)
-@@ -166,10 +156,6 @@
++ daemonstools_run_start(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+@@ -166,10 +160,6 @@
')
optional_policy(`
@@ -8905,7 +9176,7 @@ diff --exclude-from=exclude -N -u -r nsa
firstboot_run(sysadm_t, sysadm_r)
')
-@@ -178,22 +164,6 @@
+@@ -178,22 +168,6 @@
')
optional_policy(`
@@ -8928,7 +9199,7 @@ diff --exclude-from=exclude -N -u -r nsa
hostname_run(sysadm_t, sysadm_r)
')
-@@ -205,6 +175,9 @@
+@@ -205,6 +179,9 @@
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@@ -8938,7 +9209,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -212,11 +185,7 @@
+@@ -212,11 +189,7 @@
')
optional_policy(`
@@ -8951,7 +9222,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -228,10 +197,6 @@
+@@ -228,10 +201,6 @@
')
optional_policy(`
@@ -8962,7 +9233,7 @@ diff --exclude-from=exclude -N -u -r nsa
logrotate_run(sysadm_t, sysadm_r)
')
-@@ -255,14 +220,6 @@
+@@ -255,14 +224,6 @@
')
optional_policy(`
@@ -8977,7 +9248,7 @@ diff --exclude-from=exclude -N -u -r nsa
mta_role(sysadm_r, sysadm_t)
')
-@@ -290,11 +247,6 @@
+@@ -290,11 +251,6 @@
')
optional_policy(`
@@ -8989,7 +9260,7 @@ diff --exclude-from=exclude -N -u -r nsa
pcmcia_run_cardctl(sysadm_t, sysadm_r)
')
-@@ -308,7 +260,7 @@
+@@ -308,7 +264,7 @@
')
optional_policy(`
@@ -8998,7 +9269,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -320,10 +272,6 @@
+@@ -320,10 +276,6 @@
')
optional_policy(`
@@ -9009,7 +9280,7 @@ diff --exclude-from=exclude -N -u -r nsa
rpc_domtrans_nfsd(sysadm_t)
')
-@@ -332,10 +280,6 @@
+@@ -332,10 +284,6 @@
')
optional_policy(`
@@ -9020,7 +9291,7 @@ diff --exclude-from=exclude -N -u -r nsa
rsync_exec(sysadm_t)
')
-@@ -345,10 +289,6 @@
+@@ -345,10 +293,6 @@
')
optional_policy(`
@@ -9031,7 +9302,7 @@ diff --exclude-from=exclude -N -u -r nsa
secadm_role_change(sysadm_r)
')
-@@ -358,35 +298,15 @@
+@@ -358,35 +302,15 @@
')
optional_policy(`
@@ -9067,7 +9338,7 @@ diff --exclude-from=exclude -N -u -r nsa
tripwire_run_siggen(sysadm_t, sysadm_r)
tripwire_run_tripwire(sysadm_t, sysadm_r)
tripwire_run_twadmin(sysadm_t, sysadm_r)
-@@ -394,18 +314,10 @@
+@@ -394,18 +318,10 @@
')
optional_policy(`
@@ -9086,7 +9357,7 @@ diff --exclude-from=exclude -N -u -r nsa
unconfined_domtrans(sysadm_t)
')
-@@ -418,17 +330,13 @@
+@@ -418,17 +334,13 @@
')
optional_policy(`
@@ -9105,7 +9376,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -440,13 +348,16 @@
+@@ -440,13 +352,16 @@
')
optional_policy(`
@@ -13131,7 +13402,7 @@ diff --exclude-from=exclude -N -u -r nsa
xserver_domtrans(apmd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.7.8/policy/modules/services/arpwatch.te
--- nsaserefpolicy/policy/modules/services/arpwatch.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/arpwatch.te 2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/arpwatch.te 2010-02-11 14:04:49.000000000 -0500
@@ -34,6 +34,7 @@
allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms };
allow arpwatch_t self:udp_socket create_socket_perms;
@@ -13148,11 +13419,12 @@ diff --exclude-from=exclude -N -u -r nsa
kernel_read_kernel_sysctls(arpwatch_t)
kernel_list_proc(arpwatch_t)
kernel_read_proc_symlinks(arpwatch_t)
-@@ -62,6 +64,7 @@
+@@ -62,6 +64,8 @@
corenet_udp_sendrecv_all_ports(arpwatch_t)
dev_read_sysfs(arpwatch_t)
+dev_read_usbmon_dev(arpwatch_t)
++dev_rw_generic_usb_dev(arpwatch_t)
fs_getattr_all_fs(arpwatch_t)
fs_search_auto_mountpoints(arpwatch_t)
@@ -15394,7 +15666,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.8/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/cron.te 2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/cron.te 2010-02-11 12:30:41.000000000 -0500
@@ -38,8 +38,10 @@
type cron_var_lib_t;
files_type(cron_var_lib_t)
@@ -15488,7 +15760,7 @@ diff --exclude-from=exclude -N -u -r nsa
ifdef(`distro_debian',`
# pam_limits is used
-@@ -241,8 +261,12 @@
+@@ -241,8 +261,17 @@
')
')
@@ -15500,10 +15772,15 @@ diff --exclude-from=exclude -N -u -r nsa
+
+optional_policy(`
+ apache_search_sys_content(crond_t)
++')
++
++optional_policy(`
++ djbdns_search_key_tinydns(crond_t)
++ djbdns_link_key_tinydns(crond_t)
')
optional_policy(`
-@@ -251,6 +275,20 @@
+@@ -251,6 +280,20 @@
')
optional_policy(`
@@ -15524,7 +15801,7 @@ diff --exclude-from=exclude -N -u -r nsa
amanda_search_var_lib(crond_t)
')
-@@ -260,6 +298,8 @@
+@@ -260,6 +303,8 @@
optional_policy(`
hal_dbus_chat(crond_t)
@@ -15533,7 +15810,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -302,10 +342,17 @@
+@@ -302,10 +347,17 @@
# This is to handle /var/lib/misc directory. Used currently
# by prelink var/lib files for cron
@@ -15552,7 +15829,7 @@ diff --exclude-from=exclude -N -u -r nsa
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
-@@ -325,6 +372,7 @@
+@@ -325,6 +377,7 @@
allow system_cronjob_t crond_t:fd use;
allow system_cronjob_t crond_t:fifo_file rw_file_perms;
allow system_cronjob_t crond_t:process sigchld;
@@ -15560,7 +15837,7 @@ diff --exclude-from=exclude -N -u -r nsa
# Write /var/lock/makewhatis.lock.
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-@@ -336,9 +384,13 @@
+@@ -336,9 +389,13 @@
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
@@ -15575,7 +15852,7 @@ diff --exclude-from=exclude -N -u -r nsa
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
-@@ -361,6 +413,7 @@
+@@ -361,6 +418,7 @@
dev_getattr_all_blk_files(system_cronjob_t)
dev_getattr_all_chr_files(system_cronjob_t)
dev_read_urand(system_cronjob_t)
@@ -15583,7 +15860,7 @@ diff --exclude-from=exclude -N -u -r nsa
fs_getattr_all_fs(system_cronjob_t)
fs_getattr_all_files(system_cronjob_t)
-@@ -387,6 +440,7 @@
+@@ -387,6 +445,7 @@
# Access other spool directories like
# /var/spool/anacron and /var/spool/slrnpull.
files_manage_generic_spool(system_cronjob_t)
@@ -15591,7 +15868,7 @@ diff --exclude-from=exclude -N -u -r nsa
init_use_script_fds(system_cronjob_t)
init_read_utmp(system_cronjob_t)
-@@ -411,6 +465,8 @@
+@@ -411,6 +470,8 @@
ifdef(`distro_redhat', `
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
@@ -15600,7 +15877,7 @@ diff --exclude-from=exclude -N -u -r nsa
# via redirection of standard out.
optional_policy(`
rpm_manage_log(system_cronjob_t)
-@@ -435,6 +491,7 @@
+@@ -435,6 +496,7 @@
apache_read_config(system_cronjob_t)
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
@@ -15608,7 +15885,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -442,6 +499,14 @@
+@@ -442,6 +504,14 @@
')
optional_policy(`
@@ -15623,7 +15900,7 @@ diff --exclude-from=exclude -N -u -r nsa
ftp_read_log(system_cronjob_t)
')
-@@ -456,11 +521,16 @@
+@@ -456,11 +526,16 @@
')
optional_policy(`
@@ -15640,7 +15917,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -476,7 +546,7 @@
+@@ -476,7 +551,7 @@
prelink_manage_lib(system_cronjob_t)
prelink_manage_log(system_cronjob_t)
prelink_read_cache(system_cronjob_t)
@@ -15649,7 +15926,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -491,6 +561,7 @@
+@@ -491,6 +566,7 @@
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
@@ -15657,7 +15934,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -498,6 +569,9 @@
+@@ -498,6 +574,9 @@
')
optional_policy(`
@@ -15718,7 +15995,7 @@ diff --exclude-from=exclude -N -u -r nsa
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.8/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/cups.te 2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/cups.te 2010-02-11 13:29:01.000000000 -0500
@@ -23,6 +23,9 @@
type cupsd_initrc_exec_t;
init_script_file(cupsd_initrc_exec_t)
@@ -15913,6 +16190,15 @@ diff --exclude-from=exclude -N -u -r nsa
cups_stream_connect(cupsd_lpd_t)
+@@ -532,7 +572,7 @@
+ # cups_pdf local policy
+ #
+
+-allow cups_pdf_t self:capability { chown fsetid setuid setgid dac_override };
++allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
+ allow cups_pdf_t self:fifo_file rw_file_perms;
+ allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
+
@@ -542,6 +582,8 @@
manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir })
@@ -16654,7 +16940,7 @@ diff --exclude-from=exclude -N -u -r nsa
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.7.8/policy/modules/services/djbdns.if
--- nsaserefpolicy/policy/modules/services/djbdns.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/djbdns.if 2010-02-10 13:04:18.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/djbdns.if 2010-02-11 12:30:41.000000000 -0500
@@ -26,6 +26,8 @@
daemontools_read_svc(djbdns_$1_t)
@@ -16664,6 +16950,61 @@ diff --exclude-from=exclude -N -u -r nsa
allow djbdns_$1_t self:tcp_socket create_stream_socket_perms;
allow djbdns_$1_t self:udp_socket create_socket_perms;
+@@ -50,3 +52,39 @@
+
+ files_search_var(djbdns_$1_t)
+ ')
++
++#####################################
++## <summary>
++## Allow search the djbdns-tinydns key ring.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`djbdns_search_key_tinydns',`
++ gen_require(`
++ type djbdns_tinydns_t;
++ ')
++
++ allow $1 djbdns_tinydns_t:key search;
++')
++
++#####################################
++## <summary>
++## Allow link to the djbdns-tinydns key ring.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`djbdns_link_key_tinydns',`
++ gen_require(`
++ type djbdns_tinydn_t;
++ ')
++
++ allow $1 djbdns_tinydn_t:key link;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.te serefpolicy-3.7.8/policy/modules/services/djbdns.te
+--- nsaserefpolicy/policy/modules/services/djbdns.te 2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.7.8/policy/modules/services/djbdns.te 2010-02-11 12:30:41.000000000 -0500
+@@ -42,3 +42,11 @@
+ files_search_var(djbdns_axfrdns_t)
+
+ ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
++
++#####################################
++#
++# Local policy for djbdns_tinydns_t
++#
++
++init_dontaudit_use_script_fds(djbdns_tinydns_t)
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.7.8/policy/modules/services/dnsmasq.fc
--- nsaserefpolicy/policy/modules/services/dnsmasq.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.8/policy/modules/services/dnsmasq.fc 2010-02-02 10:31:03.000000000 -0500
@@ -24645,7 +24986,16 @@ diff --exclude-from=exclude -N -u -r nsa
## Read NFS exported content.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.7.8/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/rpc.te 2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/rpc.te 2010-02-11 15:23:21.000000000 -0500
+@@ -8,7 +8,7 @@
+
+ ## <desc>
+ ## <p>
+-## Allow gssd to read temp directory. For access to kerberos tgt.
++## Allow gssd to read tep directory. For access to kerberos tgt.
+ ## </p>
+ ## </desc>
+ gen_tunable(allow_gssd_read_tmp, true)
@@ -37,8 +37,14 @@
# rpc_exec_t is the type of rpc daemon programs.
rpc_domain_template(rpcd)
@@ -24671,7 +25021,7 @@ diff --exclude-from=exclude -N -u -r nsa
allow rpcd_t self:fifo_file rw_fifo_file_perms;
allow rpcd_t rpcd_var_run_t:dir setattr;
-@@ -67,6 +74,7 @@
+@@ -67,12 +74,14 @@
kernel_read_network_state(rpcd_t)
# for rpc.rquotad
kernel_read_sysctl(rpcd_t)
@@ -24679,7 +25029,14 @@ diff --exclude-from=exclude -N -u -r nsa
kernel_rw_fs_sysctls(rpcd_t)
kernel_dontaudit_getattr_core_if(rpcd_t)
kernel_signal(rpcd_t)
-@@ -91,14 +99,21 @@
+
+ corecmd_exec_bin(rpcd_t)
+
++files_read_default_files(rpcd_t)
+ files_manage_mounttab(rpcd_t)
+ files_getattr_all_dirs(rpcd_t)
+
+@@ -91,14 +100,21 @@
seutil_dontaudit_search_config(rpcd_t)
@@ -24701,7 +25058,7 @@ diff --exclude-from=exclude -N -u -r nsa
########################################
#
# NFSD local policy
-@@ -127,6 +142,7 @@
+@@ -127,6 +143,7 @@
files_getattr_tmp_dirs(nfsd_t)
# cjp: this should really have its own type
files_manage_mounttab(nfsd_t)
@@ -24709,7 +25066,7 @@ diff --exclude-from=exclude -N -u -r nsa
fs_mount_nfsd_fs(nfsd_t)
fs_search_nfsd_fs(nfsd_t)
-@@ -135,6 +151,7 @@
+@@ -135,6 +152,7 @@
fs_rw_nfsd_fs(nfsd_t)
storage_dontaudit_read_fixed_disk(nfsd_t)
@@ -24717,7 +25074,7 @@ diff --exclude-from=exclude -N -u -r nsa
# Read access to public_content_t and public_content_rw_t
miscfiles_read_public_files(nfsd_t)
-@@ -151,6 +168,7 @@
+@@ -151,6 +169,7 @@
fs_read_noxattr_fs_files(nfsd_t)
auth_manage_all_files_except_shadow(nfsd_t)
')
@@ -24725,7 +25082,7 @@ diff --exclude-from=exclude -N -u -r nsa
tunable_policy(`nfs_export_all_ro',`
dev_getattr_all_blk_files(nfsd_t)
-@@ -182,6 +200,7 @@
+@@ -182,6 +201,7 @@
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_search_network_sysctl(gssd_t)
@@ -24733,7 +25090,7 @@ diff --exclude-from=exclude -N -u -r nsa
corecmd_exec_bin(gssd_t)
-@@ -189,8 +208,10 @@
+@@ -189,8 +209,10 @@
fs_rw_rpc_sockets(gssd_t)
fs_read_rpc_files(gssd_t)
@@ -24744,7 +25101,7 @@ diff --exclude-from=exclude -N -u -r nsa
auth_use_nsswitch(gssd_t)
auth_manage_cache(gssd_t)
-@@ -199,10 +220,14 @@
+@@ -199,10 +221,14 @@
mount_signal(gssd_t)
@@ -27173,6 +27530,18 @@ diff --exclude-from=exclude -N -u -r nsa
dev_read_sysfs(tuned_t)
# to allow cpu tuning
dev_rw_netcontrol(tuned_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.te serefpolicy-3.7.8/policy/modules/services/ucspitcp.te
+--- nsaserefpolicy/policy/modules/services/ucspitcp.te 2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.7.8/policy/modules/services/ucspitcp.te 2010-02-11 12:30:41.000000000 -0500
+@@ -92,3 +92,8 @@
+ daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t)
+ daemontools_read_svc(ucspitcp_t)
+ ')
++
++optional_policy(`
++ daemontools_sigchld_run(ucspitcp_t)
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.7.8/policy/modules/services/usbmuxd.fc
--- nsaserefpolicy/policy/modules/services/usbmuxd.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.8/policy/modules/services/usbmuxd.fc 2010-02-03 14:20:04.000000000 -0500
@@ -27226,8 +27595,8 @@ diff --exclude-from=exclude -N -u -r nsa
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.te serefpolicy-3.7.8/policy/modules/services/usbmuxd.te
--- nsaserefpolicy/policy/modules/services/usbmuxd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/usbmuxd.te 2010-02-02 10:31:03.000000000 -0500
-@@ -0,0 +1,43 @@
++++ serefpolicy-3.7.8/policy/modules/services/usbmuxd.te 2010-02-11 13:37:45.000000000 -0500
+@@ -0,0 +1,47 @@
+policy_module(usbmuxd,1.0.0)
+
+########################################
@@ -27264,6 +27633,10 @@ diff --exclude-from=exclude -N -u -r nsa
+manage_sock_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
+files_pid_filetrans(usbmuxd_t, usbmuxd_var_run_t, { file dir sock_file })
+
++kernel_read_system_state(usbmuxd_t)
++
++dev_rw_generic_usb_dev(usbmuxd_t)
++
+files_read_etc_files(usbmuxd_t)
+
+miscfiles_read_localization(usbmuxd_t)
@@ -27660,7 +28033,7 @@ diff --exclude-from=exclude -N -u -r nsa
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.8/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/virt.if 2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/virt.if 2010-02-11 14:19:09.000000000 -0500
@@ -136,7 +136,7 @@
')
@@ -27916,7 +28289,7 @@ diff --exclude-from=exclude -N -u -r nsa
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.8/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/virt.te 2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/virt.te 2010-02-11 14:17:16.000000000 -0500
@@ -8,6 +8,13 @@
## <desc>
@@ -28179,7 +28552,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -196,8 +312,159 @@
+@@ -196,8 +312,162 @@
xen_stream_connect(virtd_t)
xen_stream_connect_xenstore(virtd_t)
@@ -28208,6 +28581,7 @@ diff --exclude-from=exclude -N -u -r nsa
+allow svirt_t svirt_image_t:dir search_dir_perms;
+manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t)
+manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t)
++fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
+
+list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
+read_files_pattern(svirt_t, virt_content_t, virt_content_t)
@@ -28215,6 +28589,7 @@ diff --exclude-from=exclude -N -u -r nsa
+dontaudit svirt_t virt_content_t:dir write;
+
+userdom_search_user_home_content(svirt_t)
++userdom_read_user_home_content_symlinks(svirt_t)
+userdom_read_all_users_state(svirt_t)
+
+allow svirt_t self:udp_socket create_socket_perms;
@@ -28240,6 +28615,7 @@ diff --exclude-from=exclude -N -u -r nsa
+
+tunable_policy(`virt_use_fusefs',`
+ fs_read_fusefs_files(svirt_t)
++ fs_read_fusefs_symlinks(svirt_t)
+')
+
+tunable_policy(`virt_use_nfs',`
@@ -30188,10 +30564,113 @@ diff --exclude-from=exclude -N -u -r nsa
########################################
#
# PAM local policy
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.if serefpolicy-3.7.8/policy/modules/system/daemontools.if
+--- nsaserefpolicy/policy/modules/system/daemontools.if 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.8/policy/modules/system/daemontools.if 2010-02-11 12:30:41.000000000 -0500
+@@ -71,6 +71,32 @@
+ domtrans_pattern($1, svc_start_exec_t, svc_start_t)
+ ')
+
++######################################
++## <summary>
++## Execute svc_start in the svc_start domain, and
++## allow the specified role the svc_start domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed the svc_start domain.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`daemonstools_run_start',`
++ gen_require(`
++ type svc_start_t;
++ ')
++
++ daemontools_domtrans_start($1)
++ role $2 types svc_start_t;
++')
++
+ ########################################
+ ## <summary>
+ ## Execute in the svc_run_t domain.
+@@ -127,6 +153,24 @@
+ allow $1 svc_svc_t:file read_file_perms;
+ ')
+
++######################################
++## <summary>
++## Search svc_svc_t directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`daemontools_search_svc_dir',`
++ gen_require(`
++ type svc_svc_t;
++ ')
++
++ allow $1 svc_svc_t:dir search_dir_perms;
++')
++
+ ########################################
+ ## <summary>
+ ## Allow a domain to create svc_svc_t files.
+@@ -148,3 +192,21 @@
+ allow $1 svc_svc_t:file manage_file_perms;
+ allow $1 svc_svc_t:lnk_file { read create };
+ ')
++
++######################################
++## <summary>
++## Send a SIGCHLD signal to svc_run domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`daemontools_sigchld_run',`
++ gen_require(`
++ type svc_run_t;
++ ')
++
++ allow $1 svc_run_t:process sigchld;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.te serefpolicy-3.7.8/policy/modules/system/daemontools.te
--- nsaserefpolicy/policy/modules/system/daemontools.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/daemontools.te 2010-02-10 13:04:18.000000000 -0500
-@@ -65,6 +65,8 @@
++++ serefpolicy-3.7.8/policy/modules/system/daemontools.te 2010-02-11 12:30:41.000000000 -0500
+@@ -39,7 +39,10 @@
+ # multilog creates /service/*/log/status
+ manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t)
+
++term_write_console(svc_multilog_t)
++
+ init_use_fds(svc_multilog_t)
++init_dontaudit_use_script_fds(svc_multilog_t)
+
+ # writes to /var/log/*/*
+ logging_manage_generic_logs(svc_multilog_t)
+@@ -53,7 +56,7 @@
+ # ie. softlimit, setuidgid, envuidgid, envdir, fghack ..
+ #
+
+-allow svc_run_t self:capability { setgid setuid chown fsetid };
++allow svc_run_t self:capability { setgid setuid chown fsetid sys_resource };
+ allow svc_run_t self:process setrlimit;
+ allow svc_run_t self:fifo_file rw_fifo_file_perms;
+ allow svc_run_t self:unix_stream_socket create_stream_socket_perms;
+@@ -65,9 +68,13 @@
kernel_read_system_state(svc_run_t)
@@ -30200,7 +30679,17 @@ diff --exclude-from=exclude -N -u -r nsa
corecmd_exec_bin(svc_run_t)
corecmd_exec_shell(svc_run_t)
-@@ -93,10 +95,14 @@
++term_write_console(svc_run_t)
++
+ files_read_etc_files(svc_run_t)
+ files_read_etc_runtime_files(svc_run_t)
+ files_search_pids(svc_run_t)
+@@ -89,21 +96,36 @@
+ # ie svc, svscan, supervise ...
+ #
+
+-allow svc_start_t svc_run_t:process signal;
++allow svc_start_t svc_run_t:process { signal setrlimit };
allow svc_start_t self:fifo_file rw_fifo_file_perms;
allow svc_start_t self:capability kill;
@@ -30209,13 +30698,21 @@ diff --exclude-from=exclude -N -u -r nsa
can_exec(svc_start_t, svc_start_exec_t)
++mmap_files_pattern(svc_start_t, svc_svc_t, svc_svc_t)
++
+kernel_read_kernel_sysctls(svc_start_t)
+kernel_read_system_state(svc_start_t)
+
corecmd_exec_bin(svc_start_t)
corecmd_exec_shell(svc_start_t)
-@@ -105,5 +111,9 @@
++corenet_tcp_bind_generic_node(svc_start_t)
++corenet_tcp_bind_generic_port(svc_start_t)
++
++term_write_console(svc_start_t)
++
+ files_read_etc_files(svc_start_t)
+ files_read_etc_runtime_files(svc_start_t)
files_search_var(svc_start_t)
files_search_pids(svc_start_t)
@@ -32451,7 +32948,7 @@ diff --exclude-from=exclude -N -u -r nsa
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.8/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/logging.te 2010-02-09 08:53:48.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/logging.te 2010-02-11 12:30:41.000000000 -0500
@@ -101,6 +101,7 @@
kernel_read_kernel_sysctls(auditctl_t)
@@ -32575,6 +33072,17 @@ diff --exclude-from=exclude -N -u -r nsa
postgresql_stream_connect(syslogd_t)
')
+@@ -473,6 +502,10 @@
+ ')
+
+ optional_policy(`
++ daemontools_search_svc_dir(syslogd_t)
++')
++
++optional_policy(`
+ udev_read_db(syslogd_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.8/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2009-11-25 11:47:19.000000000 -0500
+++ serefpolicy-3.7.8/policy/modules/system/lvm.te 2010-02-02 10:31:03.000000000 -0500
@@ -35304,7 +35812,7 @@ diff --exclude-from=exclude -N -u -r nsa
+HOME_DIR/\.gvfs(/.*)? <<none>>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/userdomain.if 2010-02-10 17:23:48.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/userdomain.if 2010-02-11 15:04:39.000000000 -0500
@@ -30,8 +30,9 @@
')
@@ -36034,7 +36542,7 @@ diff --exclude-from=exclude -N -u -r nsa
optional_policy(`
- slrnpull_search_spool($1_t)
-+ seunshare_run($1_t, $1_r)
++ seunshare_role_template($1, $1_r, $1_t)
')
optional_policy(`
@@ -37936,7 +38444,7 @@ diff --exclude-from=exclude -N -u -r nsa
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.8/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/support/obj_perm_sets.spt 2010-02-08 12:51:47.000000000 -0500
++++ serefpolicy-3.7.8/policy/support/obj_perm_sets.spt 2010-02-11 12:08:23.000000000 -0500
@@ -28,7 +28,7 @@
#
# All socket classes.
@@ -37982,7 +38490,27 @@ diff --exclude-from=exclude -N -u -r nsa
define(`create_fifo_file_perms',`{ getattr create open }')
define(`rename_fifo_file_perms',`{ getattr rename }')
define(`delete_fifo_file_perms',`{ getattr unlink }')
-@@ -305,7 +308,8 @@
+@@ -271,7 +274,8 @@
+ define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
+ define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
+ define(`write_blk_file_perms',`{ getattr open write append lock ioctl }')
+-define(`rw_blk_file_perms',`{ getattr open read write append ioctl lock }')
++define(`rw_inherited_blk_file_perms',`{ getattr read write append ioctl lock }')
++define(`rw_blk_file_perms',`{ open rw_inherited_blk_file_perms }')
+ define(`create_blk_file_perms',`{ getattr create }')
+ define(`rename_blk_file_perms',`{ getattr rename }')
+ define(`delete_blk_file_perms',`{ getattr unlink }')
+@@ -288,7 +292,8 @@
+ define(`read_chr_file_perms',`{ getattr open read lock ioctl }')
+ define(`append_chr_file_perms',`{ getattr open append lock ioctl }')
+ define(`write_chr_file_perms',`{ getattr open write append lock ioctl }')
+-define(`rw_chr_file_perms',`{ getattr open read write append ioctl lock }')
++define(`rw_inherited_chr_file_perms',`{ getattr read write append ioctl lock }')
++define(`rw_chr_file_perms',`{ open rw_inherited_chr_file_perms }')
+ define(`create_chr_file_perms',`{ getattr create }')
+ define(`rename_chr_file_perms',`{ getattr rename }')
+ define(`delete_chr_file_perms',`{ getattr unlink }')
+@@ -305,7 +310,8 @@
#
# Use (read and write) terminals
#
@@ -37992,7 +38520,7 @@ diff --exclude-from=exclude -N -u -r nsa
#
# Sockets
-@@ -317,3 +321,14 @@
+@@ -317,3 +323,14 @@
# Keys
#
define(`manage_key_perms', `{ create link read search setattr view write } ')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.967
retrieving revision 1.968
diff -u -p -r1.967 -r1.968
--- selinux-policy.spec 10 Feb 2010 22:13:09 -0000 1.967
+++ selinux-policy.spec 11 Feb 2010 21:54:06 -0000 1.968
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.8
-Release: 10%{?dist}
+Release: 11%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,9 @@ exit 0
%endif
%changelog
+* Thu Feb 11 2010 Dan Walsh <dwalsh at redhat.com> 3.7.8-11
+- Allow sandbox to work with MLS
+
* Tue Feb 9 2010 Dan Walsh <dwalsh at redhat.com> 3.7.8-9
- Make Chrome work with staff user
More information about the scm-commits
mailing list