[selinux-policy/f14/master] * Wed Jul 28 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-9 - Apply Miroslav munin patch

Daniel J Walsh dwalsh at fedoraproject.org
Fri Jul 30 15:43:51 UTC 2010


commit 392f11cfb672c9880460775dd49deb4209a8f610
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Fri Jul 30 11:43:46 2010 -0400

    * Wed Jul 28 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-9
    - Apply Miroslav munin patch

 modules-minimum.conf  | 2232 +------------------------------------------------
 modules-mls.conf      |   14 -
 modules-targeted.conf |   15 -
 policy-F14.patch      |  598 ++++++++++----
 selinux-policy.spec   |    9 +-
 5 files changed, 457 insertions(+), 2411 deletions(-)
---
diff --git a/modules-minimum.conf b/modules-minimum.conf
deleted file mode 100644
index d1bb917..0000000
--- a/modules-minimum.conf
+++ /dev/null
@@ -1,2231 +0,0 @@
-#
-# This file contains a listing of available modules.
-# To prevent a module from  being used in policy
-# creation, set the module name to "off".
-#
-# For monolithic policies, modules set to "base" and "module"
-# will be built into the policy.
-#
-# For modular policies, modules set to "base" will be
-# included in the base module.  "module" will be compiled
-# as individual loadable modules.
-#
-
-# Layer: admin
-# Module: accountsd
-#
-#  An application to view and modify user accounts information
-# 
-accountsd = module
-
-# Layer: admin
-# Module: acct
-#
-# Berkeley process accounting
-# 
-acct = base
-
-# Layer: admin
-# Module: alsa
-#
-# Ainit ALSA configuration tool
-# 
-alsa = base
-
-# Layer: apps
-# Module: ada
-#
-# ada executable
-# 
-ada = module
-
-# Layer: services
-# Module: cachefilesd
-#
-# CacheFiles userspace management daemon
-# 
-cachefilesd = module
-
-# Layer: apps
-# Module: cpufreqselector 
-#
-# cpufreqselector executable
-# 
-cpufreqselector = module
-
-# Layer: apps
-# Module: chrome
-#
-# chrome sandbox
-# 
-chrome = module
-
-# Layer: modules
-# Module: awstats
-#
-# awstats executable
-# 
-awstats = module
-
-# Layer: services
-# Module: abrt
-#
-# Automatic bug detection and reporting tool
-# 
-abrt = module
-
-# Layer: services
-# Module: aiccu
-#
-# SixXS Automatic IPv6 Connectivity Client Utility
-# 
-aiccu = module
-
-# Layer: admin
-# Module: amanda
-#
-# Automated backup program.
-# 
-amanda = module
-
-# Layer: services
-# Module: afs
-#
-# Andrew Filesystem server
-# 
-afs = module
-
-# Layer: services
-# Module: amavis
-#
-# Anti-virus
-# 
-amavis = module
-
-# Layer: admin
-# Module: anaconda
-#
-# Policy for the Anaconda installer.
-# 
-anaconda = base
-
-# Layer: services
-# Module: apache
-#
-# Apache web server
-# 
-apache = module
-
-# Layer: services
-# Module: apm
-#
-# Advanced power management daemon
-# 
-apm = base
-
-# Layer: system
-# Module: application
-# Required in base
-#
-# Defines attributs and interfaces for all user applications
-# 
-application = base
-
-# Layer: services
-# Module: arpwatch
-#
-# Ethernet activity monitor.
-# 
-arpwatch = module
-
-# Layer: services
-# Module: audioentropy
-#
-# Generate entropy from audio input
-# 
-audioentropy = module
-
-# Layer: system
-# Module: authlogin
-#
-# Common policy for authentication and user login.
-# 
-authlogin = base
-
-# Layer: services
-# Module: asterisk
-#
-# Asterisk IP telephony server
-# 
-asterisk = module
-
-# Layer: services
-# Module: automount
-#
-# Filesystem automounter service.
-# 
-automount = module
-
-# Layer: services
-# Module: avahi
-#
-# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture
-# 
-avahi = module
-
-# Layer: services
-# Module: boinc
-#
-# Berkeley Open Infrastructure for Network Computing
-#
-boinc = module
-
-# Layer: services
-# Module: bind
-#
-# Berkeley internet name domain DNS server.
-# 
-bind = module
-
-# Layer: services
-# Module: bugzilla
-#
-# Bugzilla server
-# 
-bugzilla = module
-
-# Layer: services
-# Module: dnsmasq
-#
-# A lightweight DHCP and caching DNS server.
-# 
-dnsmasq = module
-
-# Layer: services
-# Module: bluetooth
-#
-# Bluetooth tools and system services.
-# 
-bluetooth = module
-
-# Layer: kernel
-# Module: ubac
-#
-# 
-# 
-ubac = base
-
-#
-# Layer: kernel
-# Module: bootloader
-#
-# Policy for the kernel modules, kernel image, and bootloader.
-# 
-bootloader = base
-
-
-# Layer: services
-# Module: canna
-#
-# Canna - kana-kanji conversion server
-# 
-canna = module
-
-# Layer: services
-# Module: ccs
-#
-# policy for ccs
-# 
-ccs = module
-
-# Layer: apps
-# Module: calamaris
-#
-#
-# Squid log analysis
-# 
-calamaris = module
-
-# Layer: apps
-# Module: cdrecord
-#
-# Policy for cdrecord
-# 
-cdrecord = module
-
-# Layer: admin
-# Module: certwatch
-#
-# Digital Certificate Tracking
-# 
-certwatch = module
-
-# Layer: admin
-# Module: certmaster
-#
-# Digital Certificate master
-# 
-certmaster = module
-
-# Layer: services
-# Module: certmonger
-#
-# Certificate status monitor and PKI enrollment client
-# 
-certmonger = module
-
-# Layer: services
-# Module: cipe
-#
-# Encrypted tunnel daemon
-# 
-cipe = module
-
-# Layer: services
-# Module: chronyd
-#
-# Daemon for maintaining clock time
-# 
-chronyd = module
-
-# Layer: services
-# Module: cobbler
-#
-# cobbler
-# 
-cobbler = module
-
-# Layer: services
-# Module: comsat
-#
-# Comsat, a biff server.
-# 
-comsat = module
-
-# Layer: services
-# Module: corosync
-#
-# Corosync Cluster Engine Executive
-# 
-corosync = module
-
-# Layer: services
-# Module: clamav
-#
-# ClamAV Virus Scanner
-# 
-clamav = module
-
-# Layer: system
-# Module: clock
-#
-# Policy for reading and setting the hardware clock.
-# 
-clock = base
-
-# Layer: services
-# Module: consolekit
-#
-# ConsoleKit is a system daemon for tracking what users are logged
-# 
-consolekit = module
-
-# Layer: admin
-# Module: consoletype
-#
-# Determine of the console connected to the controlling terminal.
-# 
-consoletype = base
-
-# Layer: kernel
-# Module: corecommands
-# Required in base
-#
-# Core policy for shells, and generic programs
-# in /bin, /sbin, /usr/bin, and /usr/sbin.
-# 
-corecommands = base
-
-# Layer: kernel
-# Module: corenetwork
-# Required in base
-#
-# Policy controlling access to network objects
-# 
-corenetwork = base
-
-# Layer: services
-# Module: cpucontrol
-#
-# Services for loading CPU microcode and CPU frequency scaling.
-# 
-cpucontrol = base
-
-# Layer: services
-# Module: cron
-#
-# Periodic execution of scheduled commands.
-# 
-cron = base
-
-# Layer: services
-# Module: cups
-#
-# Common UNIX printing system
-# 
-cups = module
-
-# Layer: services
-# Module: cvs
-#
-# Concurrent versions system
-# 
-cvs = module
-
-# Layer: services
-# Module: cyphesis
-#
-# cyphesis game server
-# 
-cyphesis = module
-
-# Layer: services
-# Module: cyrus
-#
-# Cyrus is an IMAP service intended to be run on sealed servers
-# 
-cyrus = module
-
-# Layer: system
-# Module: daemontools
-#
-# Collection of tools for managing UNIX services
-# 
-daemontools = module
-
-# Layer: services
-# Module: dbskk
-#
-# Dictionary server for the SKK Japanese input method system.
-# 
-dbskk = module
-
-# Layer: services
-# Module: dbus
-#
-# Desktop messaging bus
-# 
-dbus = base
-
-# Layer: services
-# Module: dcc
-#
-# A distributed, collaborative, spam detection and filtering network.
-# 
-dcc = module
-
-# Layer: admin
-# Module: ddcprobe
-#
-# ddcprobe retrieves monitor and graphics card information
-# 
-ddcprobe = off
-
-# Layer: services
-# Module: devicekit
-#
-# devicekit-daemon
-# 
-devicekit = module
-
-# Layer: kernel
-# Module: devices
-# Required in base
-#
-# Device nodes and interfaces for many basic system devices.
-# 
-devices = base
-
-# Layer: services
-# Module: dhcp
-#
-# Dynamic host configuration protocol (DHCP) server
-# 
-dhcp = module
-
-# Layer: services
-# Module: dictd
-#
-# Dictionary daemon
-# 
-dictd = module
-
-# Layer: services
-# Module: distcc
-#
-# Distributed compiler daemon
-# 
-distcc = off
-
-# Layer: admin
-# Module: dmesg
-#
-# Policy for dmesg.
-# 
-dmesg = base
-
-# Layer: admin
-# Module: dmidecode
-#
-# Decode DMI data for x86/ia64 bioses.
-# 
-dmidecode = base
-
-# Layer: system
-# Module: domain
-# Required in base
-#
-# Core policy for domains.
-# 
-domain = base
-
-# Layer: services
-# Module: dovecot
-#
-# Dovecot POP and IMAP mail server
-# 
-dovecot = module
-
-# Layer: apps
-# Module: gitosis
-#
-# Policy for gitosis
-# 
-gitosis = module
- 
-# Layer: apps
-# Module: gpg
-#
-# Policy for GNU Privacy Guard and related programs.
-# 
-gpg = module
-
-# Layer: services
-# Module: gpsd
-#
-# gpsd monitor daemon
-#
-# 
-gpsd = module
-
-# Layer: services
-# Module: git
-#
-# Policy for the stupid content tracker
-# 
-git = module
-
-# Layer: services
-# Module: gpm
-#
-# General Purpose Mouse driver
-# 
-gpm = module
-
-# Layer: services
-# Module: fail2ban
-#
-# daiemon that bans IP that makes too many password failures
-# 
-fail2ban = module
-
-# Layer: services
-# Module: fetchmail
-#
-# Remote-mail retrieval and forwarding utility
-# 
-fetchmail = module
-
-# Layer: kernel
-# Module: files
-# Required in base
-#
-# Basic filesystem types and interfaces.
-# 
-files = base
-
-# Layer: kernel
-# Module: filesystem
-# Required in base
-#
-# Policy for filesystems.
-# 
-filesystem = base
-
-# Layer: services
-# Module: finger
-#
-# Finger user information service.
-# 
-finger = module
-
-# Layer: admin
-# Module: firstboot
-#
-# Final system configuration run during the first boot
-# after installation of Red Hat/Fedora systems.
-# 
-firstboot = base
-
-# Layer: apps
-# Module: firewallgui
-#
-# policy for system-config-firewall
-# 
-firewallgui = module
-
-# Layer: services
-# Module: fprintd
-#
-# finger print server
-# 
-fprintd = module
-
-# Layer: system
-# Module: fstools
-#
-# Tools for filesystem management, such as mkfs and fsck.
-# 
-fstools = base
-
-# Layer: services
-# Module: ftp
-#
-# File transfer protocol service
-# 
-ftp = module
-
-# Layer: apps
-# Module: games
-#
-# The Open Group Pegasus CIM/WBEM Server.
-# 
-games = module
-
-# Layer: system
-# Module: getty
-#
-# Policy for getty.
-# 
-getty = base
-
-# Layer: apps
-# Module: gnome
-#
-# gnome session and gconf
-# 
-gnome = module
-
-# Layer: services
-# Module: gnomeclock
-#
-# gnomeclock used by dbus/polkit to set time
-# 
-gnomeclock = module
-
-# Layer: services
-# Module: hal
-#
-# Hardware abstraction layer
-# 
-hal = module
-
-# Layer: services
-# Module: hddtemp
-#
-# hddtemp hard disk temperature tool running as a daemon
-# 
-hddtemp = module
-
-# Layer: services
-# Module: policykit
-#
-# Hardware abstraction layer
-# 
-policykit = module
-
-# Layer: services
-# Module: puppet
-#
-#  A network tool for managing many disparate systems
-# 
-puppet = module
-
-# Layer: apps
-# Module: ptchown
-#
-# helper function for grantpt(3), changes ownship and permissions of pseudotty
-# 
-ptchown = module
-
-# Layer: services
-# Module: psad
-#
-# Analyze iptables log for hostile traffic
-# 
-psad = module
-
-# Layer: system
-# Module: hostname
-#
-# Policy for changing the system host name.
-# 
-hostname = base
-
-
-# Layer: system
-# Module: hotplug
-#
-# Policy for hotplug system, for supporting the
-# connection and disconnection of devices at runtime.
-# 
-hotplug = base
-
-# Layer: services
-# Module: howl
-#
-# Port of Apple Rendezvous multicast DNS
-# 
-howl = module
-
-# Layer: services
-# Module: inetd
-#
-# Internet services daemon.
-# 
-inetd = base
-
-# Layer: system
-# Module: init
-#
-# System initialization programs (init and init scripts).
-# 
-init = base
-
-# Layer: services
-# Module: inn
-#
-# Internet News NNTP server
-# 
-inn = module
-
-# Layer: system
-# Module: iptables
-#
-# Policy for iptables.
-# 
-iptables = base
-
-# Layer: system
-# Module: ipsec
-#
-# TCP/IP encryption
-# 
-ipsec = module
-
-# Layer: apps
-# Module: irc
-#
-# IRC client policy
-# 
-irc = module
-
-# Layer: services
-# Module: irqbalance
-#
-# IRQ balancing daemon
-# 
-irqbalance = base
-
-# Layer: system
-# Module: iscsi
-#
-# Open-iSCSI daemon
-# 
-iscsi = module
-
-# Layer: services
-# Module: icecast 
-#
-#  ShoutCast compatible streaming media server
-# 
-icecast = module
-
-# Layer: services
-# Module: i18n_input
-#
-# IIIMF htt server
-# 
-i18n_input = off
-
-
-# Layer: services
-# Module: jabber
-#
-# Jabber instant messaging server
-# 
-jabber = module
-
-# Layer: apps
-# Module: java
-#
-# java executable
-# 
-java = module
-
-# Layer: apps
-# Module: execmem
-#
-# execmem executable
-# 
-execmem = module
-
-# Layer: system
-# Module: kdump
-#
-# kdump is kernel crash dumping mechanism
-# 
-kdump = module
-
-# Layer: apps
-# Module: kdumpgui
-#
-# system-config-kdump policy
-# 
-kdumpgui = module
-
-# Layer: services
-# Module: ksmtuned
-#
-#  Kernel Samepage Merging (KSM) Tuning Daemon
-# 
-ksmtuned = module
-
-# Layer: services
-# Module: kerberos
-#
-# MIT Kerberos admin and KDC
-# 
-kerberos = module
-
-# Layer: kernel
-# Module: kernel
-# Required in base
-#
-# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
-# 
-kernel = base
-
-# Layer: services
-# Module: ktalk
-#
-# KDE Talk daemon
-# 
-ktalk = module
-
-# Layer: admin
-# Module: kudzu
-#
-# Hardware detection and configuration tools
-# 
-kudzu = base
-
-# Layer: services
-# Module: ldap
-#
-# OpenLDAP directory server
-# 
-ldap = module
-
-# Layer: services
-# Module: likewise
-#
-# Likewise Active Directory support for UNIX
-# 
-likewise = module
-
-# Layer: system
-# Module: libraries
-#
-# Policy for system libraries.
-# 
-libraries = base
-
-# Layer: apps
-# Module: loadkeys
-#
-# Load keyboard mappings.
-# 
-loadkeys = base
-
-# Layer: system
-# Module: locallogin
-#
-# Policy for local logins.
-# 
-locallogin = base
-
-# Layer: apps
-# Module: lockdev
-#
-# device locking policy for lockdev
-# 
-lockdev = module
-
-# Layer: system
-# Module: logging
-#
-# Policy for the kernel message logger and system logging daemon.
-# 
-logging = base
-
-# Layer: admin
-# Module: logrotate
-#
-# Rotate and archive system logs
-# 
-logrotate = base
-
-# Layer: services
-# Module: logwatch
-#
-# logwatch executable
-# 
-logwatch = base
-
-# Layer: services
-# Module: lpd
-#
-# Line printer daemon
-# 
-lpd = module
-
-# Layer: services
-# Module: lircd
-#
-# LIRC daemon - decodes infrared signals and provides them on a Unix domain socket.  
-# 
-lircd = module
-
-# Layer: system
-# Module: lvm
-#
-# Policy for logical volume management programs.
-# 
-lvm = base
-
-# Layer: admin
-# Module: mcelog
-#
-# Policy for mcelog.
-# 
-mcelog = base
-
-# Layer: services
-# Module: mailman
-#
-# Mailman is for managing electronic mail discussion and e-newsletter lists
-# 
-mailman = module
-
-# Layer: kernel
-# Module: mcs
-# Required in base
-#
-# MultiCategory security policy
-# 
-mcs = base
-
-# Layer: system
-# Module: miscfiles
-#
-# Miscelaneous files.
-# 
-miscfiles = base
-
-# Layer: kernel
-# Module: mls
-# Required in base
-#
-# Multilevel security policy
-# 
-mls = base
-
-# Layer: services
-# Module: mock
-#
-# Policy for mock rpm builder
-# 
-mock = module
-
-# Layer: services
-# Module: mojomojo
-#
-# Wiki server
-# 
-mojomojo = module
-
-# Layer: system
-# Module: modutils
-#
-# Policy for kernel module utilities
-# 
-modutils = base
-
-# Layer: apps
-# Module: mono
-#
-# mono executable
-# 
-mono = module
-
-# Layer: system
-# Module: mount
-#
-# Policy for mount.
-# 
-mount = base
-
-# Layer: apps
-# Module: mozilla
-#
-# Policy for Mozilla and related web browsers
-# 
-mozilla = module
-
-# Layer: services
-# Module: ntop
-#
-# Policy for ntop
-# 
-ntop = module
-
-# Layer: services
-# Module: nslcd
-#
-# Policy for nslcd
-# 
-nslcd = module
-
-# Layer: apps
-# Module: nsplugin
-#
-# Policy for nspluginwrapper 
-# 
-nsplugin = module
-
-# Layer: services
-# Module: modemmanager
-#
-# Manager for dynamically switching between modems.
-# 
-modemmanager = module
-
-# Layer: services
-# Module: mpd
-#
-# mpd - daemon for playing music
-# 
-mpd = module
- 
-# Layer: apps
-# Module: mplayer
-#
-# Policy for Mozilla and related web browsers
-# 
-mplayer = module
-
-# Layer: apps
-# Module: gpg
-#
-# Policy for Mozilla and related web browsers
-# 
-gpg = module
-
-# Layer: admin
-# Module: mrtg
-#
-# Network traffic graphing
-# 
-mrtg = module
-
-# Layer: services
-# Module: mta
-#
-# Policy common to all email tranfer agents.
-# 
-mta = base
-
-# Layer: services
-# Module: mysql
-#
-# Policy for MySQL
-# 
-mysql = module
-
-# Layer: services
-# Module: nagios
-#
-# policy for nagios Host/service/network monitoring program
-# 
-nagios = module
-
-# Layer: admin
-# Module: ncftool
-#
-# Tool to modify the network configuration of a system
-# 
-ncftool = module
-
-# Layer: admin
-# Module: ncftool
-#
-# Tool to modify the network configuration of a system
-# 
-ncftool = module
-
-# Layer: admin
-# Module: netutils
-#
-# Network analysis utilities
-# 
-netutils = base
-
-# Layer: services
-# Module: networkmanager
-#
-# Manager for dynamically switching between networks.
-# 
-networkmanager = base
-
-# Layer: services
-# Module: nis
-#
-# Policy for NIS (YP) servers and clients
-# 
-nis = module
-
-
-# Layer: services
-# Module: nscd
-#
-# Name service cache daemon
-# 
-nscd = base
-
-
-# Layer: services
-# Module: ntp
-#
-# Network time protocol daemon
-# 
-ntp = module
-
-# Layer: services
-# Module: nut
-# 
-# nut - Network UPS Tools
-#
-nut = module
-
-# Layer: services
-# Module: nx
-#
-# NX Remote Desktop
-# 
-nx = module
-
-
-# Layer: services
-# Module: oddjob
-#
-# policy for oddjob
-# 
-oddjob = module
-
-# Layer: services
-# Module: openct
-#
-# Service for handling smart card readers.
-# 
-openct = off
-
-# Layer: services
-# Module: openvpn
-#
-# Policy for OPENVPN full-featured SSL VPN solution
-# 
-openvpn = module
-
-
-# Layer: service
-# Module: pcscd
-#
-# PC/SC Smart Card Daemon
-#
-pcscd = module
-
-# Layer: service
-# Module: openct
-# 
-# Middleware framework for smart card terminals
-#
-openct = module
-
-# Layer: system
-# Module: pcmcia
-#
-# PCMCIA card management services
-# 
-pcmcia = base
-
-# Layer: services
-# Module: pegasus
-#
-# The Open Group Pegasus CIM/WBEM Server.
-# 
-pegasus = module
-
-# Layer: services
-# Module: piranha
-#
-# piranha - various tools to administer and configure the Linux Virtual Server
-#
-piranha = module
-
-# Layer: services
-# Module: postgresql
-#
-# PostgreSQL relational database
-# 
-postgresql = module
-
-# Layer: services
-# Module: portmap
-#
-# RPC port mapping service.
-# 
-portmap = module
-
-# Layer: services
-# Module: postfix
-#
-# Postfix email server
-# 
-postfix = module
-
-# Layer: services
-# Module: postgrey
-#
-# email scanner
-# 
-postgrey = module
-
-# Layer: services
-# Module: ppp
-#
-# Point to Point Protocol daemon creates links in ppp networks
-# 
-ppp = module
-
-# Layer: admin
-# Module: prelink
-#
-# Manage temporary directory sizes and file ages
-# 
-prelink = base
-
-# Layer: services
-# Module: procmail
-#
-# Procmail mail delivery agent
-# 
-procmail = module
-
-# Layer: services
-# Module: privoxy
-#
-# Privacy enhancing web proxy.
-# 
-privoxy = module
-
-# Layer: services
-# Module: publicfile
-#
-# publicfile supplies files to the public through HTTP and FTP
-# 
-publicfile = module
-
-# Layer: apps
-# Module: pulseaudio
-#
-# The PulseAudio Sound System
-# 
-pulseaudio = module
-
-# Layer: services
-# Module: pyzor
-#
-# Spam Blocker
-# 
-pyzor = module
-
-
-# Layer: services
-# Module: qmail
-#
-# Policy for qmail
-# 
-qmail = module
-
-# Layer: services
-# Module: qpidd
-#
-# Policy for qpidd
-# 
-qpidd = module
-
-# Layer: admin
-# Module: quota
-#
-# File system quota management
-# 
-quota = base
-
-# Layer: system
-# Module: raid
-#
-# RAID array management tools
-# 
-raid = base
-
-# Layer: services
-# Module: radius
-#
-# RADIUS authentication and accounting server.
-# 
-radius = module
-
-# Layer: services
-# Module: radvd
-#
-# IPv6 router advertisement daemon
-# 
-radvd = module
-
-# Layer: services
-# Module: razor
-#
-# A distributed, collaborative, spam detection and filtering network.
-# 
-razor = module
-
-# Layer: admin
-# Module: readahead
-#
-# Readahead, read files into page cache for improved performance
-# 
-readahead = base
-
-# Layer: services
-# Module: rgmanager
-#
-# Red Hat Resource Group Manager
-#
-rgmanager = module
-
-# Layer: services
-# Module: rhcs
-#
-# RHCS - Red Hat Cluster Suite
-#
-rhcs = module
- 
-# Layer: services
-# Module: aisexec
-#
-# RHCS - Red Hat Cluster Suite
-#
-aisexec = module
- 
-# Layer: services
-# Module: rgmanager
-#
-# rgmanager
-# 
-rgmanager = module
-
-# Layer: services
-# Module: clogd
-#
-# clogd - clustered mirror log server
-# 
-clogd = module
- 
-# Layer: services
-# Module: cmirrord
-#
-# cmirrord - daemon providing device-mapper-base mirrors in a shared-storege cluster
-# 
-cmirrord = module
- 
-# Layer: services
-# Module: rhgb
-#
-# X windows login display manager
-# 
-rhgb = module
-
-# Layer: services
-# Module: rdisc
-#
-# Network router discovery daemon
-# 
-rdisc = module
-
-# Layer: services
-# Module: remotelogin
-#
-# Policy for rshd, rlogind, and telnetd.
-# 
-remotelogin = module
-
-# Layer: services
-# Module: ricci
-#
-# policy for ricci
-# 
-ricci = module
-
-# Layer: services
-# Module: rlogin
-#
-# Remote login daemon
-# 
-rlogin = module
-
-# Layer: services
-# Module: roundup
-#
-# Roundup Issue Tracking System policy
-# 
-roundup = module
-
-# Layer: services
-# Module: rpc
-#
-# Remote Procedure Call Daemon for managment of network based process communication
-# 
-rpc = base
-
-# Layer: admin
-# Module: rpm
-#
-# Policy for the RPM package manager.
-# 
-rpm = base
-
-
-# Layer: services
-# Module: rshd
-#
-# Remote shell service.
-# 
-rshd = module
-
-# Layer: services
-# Module: rsync
-#
-# Fast incremental file transfer for synchronization
-# 
-rsync = module
-
-# Layer: services
-# Module: rtkit
-#
-# Real Time Kit Daemon
-# 
-rtkit = module
-
-# Layer: services
-# Module: rwho
-#
-# who is logged in on local machines
-# 
-rwho = module
-
-# Layer: services
-# Module: samba
-#
-# SMB and CIFS client/server programs for UNIX and
-# name  Service  Switch  daemon for resolving names
-# from Windows NT servers.
-# 
-samba = module
-
-# Layer: apps
-# Module: sandbox
-#
-# Experimental policy for running apps within a sandbox
-# 
-sandbox = module
-
-# Layer: apps
-# Module: sambagui
-#
-# policy for system-config-samba
-# 
-sambagui = module
-
-# Layer: services
-# Module: sasl
-#
-# SASL authentication server
-# 
-sasl = module
-
-# Layer: apps
-# Module: screen
-#
-# GNU terminal multiplexer
-# 
-screen = module
-
-# Layer: kernel
-# Module: selinux
-# Required in base
-#
-# Policy for kernel security interface, in particular, selinuxfs.
-# 
-selinux = base
-
-# Layer: system
-# Module: selinuxutil
-#
-# Policy for SELinux policy and userland applications.
-# 
-selinuxutil = base
-
-# Layer: services
-# Module: sendmail
-#
-# Policy for sendmail.
-# 
-sendmail = base
-
-# Layer: apps
-# Module: seunshare
-#
-# seunshare executable
-# 
-seunshare = module
-
-# Layer: admin
-# Module: shorewall
-#
-# Policy for shorewall
-# 
-shorewall = base
-
-# Layer: admin
-# Module: shutdown
-#
-# Policy for shutdown
-# 
-shutdown = module
-
-# Layer: admin
-# Module: sectoolm
-#
-# Policy for sectool-mechanism
-# 
-sectoolm = module
-
-# Layer: system
-# Module: setrans
-# Required in base
-#
-# Policy for setrans
-# 
-setrans = base
-
-# Layer: services
-# Module: setroubleshoot
-#
-# Policy for the SELinux troubleshooting utility
-# 
-setroubleshoot = base
-
-# Layer: services
-# Module: slrnpull
-#
-# Service for downloading news feeds the slrn newsreader.
-# 
-slrnpull = off
-
-# Layer: apps
-# Module: slocate
-#
-# Update database for mlocate
-# 
-slocate = module
-
-# Layer: services
-# Module: smartmon
-#
-# Smart disk monitoring daemon policy
-# 
-smartmon = module
-
-# Layer: services 
-# Module: smokeping
-#
-# Latency Logging and Graphing System
-# 
-smokeping = module
-
-# Layer: admin
-# Module: smoltclient
-#
-#The Fedora hardware profiler client
-# 
-smoltclient = module
-
-# Layer: services
-# Module: snmp
-#
-# Simple network management protocol services
-# 
-snmp = module
-
-# Layer: services
-# Module: spamassassin
-#
-# Filter used for removing unsolicited email.
-# 
-spamassassin = module
-
-# Layer: services
-# Module: squid
-#
-# Squid caching http proxy server
-# 
-squid = module
-
-# Layer: services
-# Module: ssh
-#
-# Secure shell client and server policy.
-# 
-ssh = base
-
-# Layer: services
-# Module: sssd
-#
-# System Security Services Daemon
-# 
-sssd = module
-
-# Layer: kernel
-# Module: storage
-#
-# Policy controlling access to storage devices
-# 
-storage = base
-
-# Layer: services
-# Module: stunnel
-#
-# SSL Tunneling Proxy
-# 
-stunnel = module
-
-# Layer: admin
-# Module: su
-#
-# Run shells with substitute user and group
-# 
-su = base
-
-# Layer: admin
-# Module: sudo
-#
-# Execute a command with a substitute user
-# 
-sudo = base
-
-# Layer: system
-# Module: sysnetwork
-#
-# Policy for network configuration: ifconfig and dhcp client.
-# 
-sysnetwork = base
-
-
-# Layer: services
-# Module: sysstat
-#
-# Policy for sysstat. Reports on various system states
-# 
-sysstat = module
-
-# Layer: services
-# Module: tcpd
-#
-# Policy for TCP daemon.
-# 
-tcpd = module
-
-# Layer: services
-# Module: tgtd
-#
-# Linux Target Framework Daemon.
-# 
-tgtd = module
-
-# Layer: system
-# Module: udev
-#
-# Policy for udev.
-# 
-udev = base
-
-# Layer: services
-# Module: usbmuxd
-#
-# Daemon for communicating with Apple's iPod Touch and iPhone
-# 
-usbmuxd = module
-
-# Layer: system
-# Module: userdomain
-#
-# Policy for user domains
-# 
-userdomain = base
-
-# Layer: system
-# Module: unconfined
-#
-# The unconfined domain.
-# 
-unconfined = module
-
-# Layer: services
-# Module: ulogd
-#
-# netfilter/iptables ULOG daemon
-# 
-ulogd = module
-
-# Layer: services
-# Module: vhostmd
-#
-# vhostmd - A metrics gathering daemon
-# 
-vhostmd = module
-
-# Layer: apps
-# Module: wine
-#
-# wine executable
-# 
-wine = module
-
-# Layer: apps
-# Module: wireshark
-#
-# wireshark executable
-# 
-wireshark = module
-
-# Layer: apps
-# Module: telepathy
-#
-# telepathy - Policy for Telepathy framework
-# 
-telepathy = module
-
-# Layer: admin
-# Module: tzdata
-#
-# Policy for tzdata-update
-# 
-tzdata = base
-
-# Layer: apps
-# Module: userhelper
-#
-# A helper interface to pam.
-# 
-userhelper = module
-
-# Layer: services
-# Module: tor
-#
-# TOR, the onion router
-# 
-tor = module
-
-# Layer: apps
-# Module: tvtime
-#
-# tvtime - a high quality television application
-# 
-tvtime = module
-
-# Layer: apps
-# Module: uml
-#
-# Policy for UML
-# 
-uml = module
-
-# Layer: admin
-# Module: usbmodules
-#
-# List kernel modules of USB devices
-# 
-usbmodules = module
-
-# Layer: apps
-# Module: usernetctl
-#
-# User network interface configuration helper
-# 
-usernetctl = module
-
-# Layer: system
-# Module: xen
-#
-# virtualization software
-# 
-xen = module
-
-# Layer: services
-# Module: varnishd
-#
-# Varnishd http accelerator daemon
-# 
-varnishd = module
-
-# Layer: services
-# Module: virt
-#
-# Virtualization libraries
-# 
-virt = module
-
-# Layer: apps
-# Module: qemu
-#
-# Virtualization emulator 
-# 
-qemu = module
-
-# Layer: system
-# Module: brctl
-#
-# Utilities for configuring the linux ethernet bridge
-# 
-brctl = base
-
-# Layer: services
-# Module: telnet
-#
-# Telnet daemon
-# 
-telnet = module
-
-# Layer: services
-# Module: timidity
-#
-# MIDI to WAV converter and player configured as a service
-# 
-timidity = off
-
-# Layer: services
-# Module: tftp
-#
-# Trivial file transfer protocol daemon
-# 
-tftp = module
-
-# Layer: services
-# Module: tuned
-#
-# Dynamic adaptive system tuning daemon
-#
-tuned = module
-
-# Layer: services
-# Module: uucp
-#
-# Unix to Unix Copy
-# 
-uucp = module
-
-# Layer: services
-# Module: vbetool 
-#
-# run real-mode video BIOS code to alter hardware state
-# 
-vbetool = base
-
-# Layer: apps
-# Module: webalizer
-#
-# Web server log analysis
-# 
-webalizer = module
-
-# Layer: services
-# Module: xfs
-#
-# X Windows Font Server
-# 
-xfs = module
-
-# Layer: services
-# Module: xserver
-#
-# X windows login display manager
-# 
-xserver = base
-
-# Layer: services
-# Module: zarafa
-#
-# Zarafa Collaboration Platform
-# 
-zarafa = module
-
-# Layer: services
-# Module: zebra
-#
-# Zebra border gateway protocol network routing service
-# 
-zebra = module
-
-# Layer: admin
-# Module: usermanage
-#
-# Policy for managing user accounts.
-# 
-usermanage = base
-
-# Layer: admin
-# Module: updfstab
-#
-# Red Hat utility to change /etc/fstab.
-# 
-updfstab = base
-
-# Layer: admin
-# Module: vpn
-#
-# Virtual Private Networking client
-# 
-vpn = module
-
-# Layer: admin
-# Module: vbetool
-#
-# run real-mode video BIOS code to alter hardware state
-# 
-vbetool = base
-
-# Layer: kernel
-# Module: terminal
-# Required in base
-#
-# Policy for terminals.
-# 
-terminal = base
-
-# Layer: admin
-# Module: tmpreaper
-#
-# Manage temporary directory sizes and file ages
-# 
-tmpreaper = module
-
-# Layer: admin
-# Module: amtu
-#
-# Abstract Machine Test Utility (AMTU)
-# 
-amtu = module
-
-# Layer: services
-# Module: zabbix
-#
-# Open-source monitoring solution for your IT infrastructure
-#
-zabbix = module
-
-# Layer: services
-# Module: apcupsd
-#
-# daemon for most APC’s UPS for Linux
-#
-apcupsd = module
-
-# Layer: services
-# Module: aide
-#
-# Policy for aide
-# 
-aide = module
-
-# Layer: services
-# Module: w3c
-#
-# w3c
-# 
-w3c = module
-
-# Layer: services
-# Module: plymouthd
-#
-#  Plymouth
-# 
-plymouthd = module
-
-# Layer: services
-# Module: portreserve
-#
-#  reserve ports to prevent portmap mapping them
-# 
-portreserve = module
-
-# Layer: services
-# Module: rpcbind
-#
-#  universal addresses to RPC program number mapper
-# 
-rpcbind = module
-
-# Layer: apps
-# Module: rssh
-#
-#  Restricted (scp/sftp) only shell
-# 
-rssh = module
-
-# Layer: apps
-# Module: vmware
-#
-# VMWare Workstation virtual machines
-# 
-vmware = module
-
-# Layer: role
-# Module: logadm
-#
-# Minimally prived root role for managing logging system
-# 
-logadm = module
-
-# Layer: role
-# Module: webadm
-#
-# Minimally prived root role for managing apache
-# 
-webadm = module
-
-#
-# Layer: services
-# Module: exim
-#
-# exim mail server 
-# 
-exim = module
-
-
-# Layer: services
-# Module: kismet
-#
-# Wireless sniffing and monitoring
-# 
-kismet = module
-
-# Layer: services
-# Module: munin
-#
-# Munin
-# 
-munin = module
-
-# Layer: services
-# Module: bitlbee
-#
-# An IRC to other chat networks  gateway
-# 
-bitlbee = module
-
-# Layer: system
-# Module: sosreport
-#
-# sosreport debuggin information generator
-# 
-sosreport = module
-
-# Layer: services
-# Module: soundserver
-#
-# sound server for network audio server programs, nasd, yiff, etc</summary>
-# 
-soundserver = module
-
-# Layer: role
-# Module: unconfineduser
-#
-# The unconfined user domain.
-# 
-unconfineduser = module
-
-# Layer:role
-# Module: staff
-#
-# admin account 
-# 
-staff = module
-
-# Layer:role
-# Module: sysadm
-#
-# System Administrator
-# 
-sysadm = base
-
-# Layer: role
-# Module: unprivuser
-#
-# Minimally privs guest account on tty logins
-# 
-unprivuser = module
-
-# Layer: services
-# Module: prelude
-#
-prelude = module
-
-# Layer: services
-# Module: pads
-#
-pads = module
-
-# Layer: services
-# Module: kerneloops
-#
-# program  to  collect  and  submit  kernel oopses to kerneloops.org
-# 
-kerneloops = module
-
-# Layer: apps
-# Module: openoffice
-#
-# openoffice executable
-# 
-openoffice = module
-
-# Layer: apps
-# Module: podsleuth
-#
-# Podsleuth probes, identifies, and exposes properties and metadata bound to iPods.
-# 
-podsleuth = module
-
-# Layer: role
-# Module: guest
-#
-# Minimally privs guest account on tty logins
-# 
-guest = module
-
-# Layer: role
-# Module: xguest
-#
-# Minimally privs guest account on X Windows logins
-# 
-xguest = module
-
-# Layer: services
-# Module: cgroup
-#
-# Tools and libraries to control and monitor control groups
-# 
-cgroup = module
-
-# Layer: services
-# Module: courier
-#
-# IMAP and POP3 email servers
-# 
-courier = module
-
-# Layer: services
-# Module: denyhosts
-#
-# script to help thwart ssh server attacks
-# 
-denyhosts = module
-
-# Layer: apps
-# Module: livecd
-#
-# livecd creator
-# 
-livecd = module
-
-# Layer: services
-# Module: snort
-#
-# Snort network intrusion detection system
-# 
-snort = module
-
-# Layer: services
-# Module: memcached
-#
-#  high-performance memory object caching system
-# 
-memcached = module
-
-# Layer: system
-# Module: netlabel
-#
-# Basic netlabel types and interfaces.
-# 
-netlabel = module
-
-# Layer: services
-# Module: zosremote
-#
-# policy for z/OS Remote-services Audit dispatcher plugin</summary>
-# 
-zosremote = module
-
-# Layer: services
-# Module: pingd
-#
-# 
-pingd = module
-
-# Layer: services
-# Module: milter
-#
-# 
-# 
-milter = module
diff --git a/modules-minimum.conf b/modules-minimum.conf
new file mode 120000
index 0000000..f601659
--- /dev/null
+++ b/modules-minimum.conf
@@ -0,0 +1 @@
+modules-targeted.conf
\ No newline at end of file
diff --git a/modules-mls.conf b/modules-mls.conf
index b99b28a..d2bbca4 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -1191,13 +1191,6 @@ publicfile = module
 pulseaudio = module
 
 # Layer: services
-# Module: pyzor
-#
-# Spam Blocker
-# 
-pyzor = module
-
-# Layer: services
 # Module: qmail
 #
 # Policy for qmail
@@ -1239,13 +1232,6 @@ radius = module
 # 
 radvd = module
 
-# Layer: services
-# Module: razor
-#
-# A distributed, collaborative, spam detection and filtering network.
-# 
-razor = module
-
 # Layer: admin
 # Module: readahead
 #
diff --git a/modules-targeted.conf b/modules-targeted.conf
index d1bb917..d3b08ab 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -1274,14 +1274,6 @@ publicfile = module
 pulseaudio = module
 
 # Layer: services
-# Module: pyzor
-#
-# Spam Blocker
-# 
-pyzor = module
-
-
-# Layer: services
 # Module: qmail
 #
 # Policy for qmail
@@ -1323,13 +1315,6 @@ radius = module
 # 
 radvd = module
 
-# Layer: services
-# Module: razor
-#
-# A distributed, collaborative, spam detection and filtering network.
-# 
-razor = module
-
 # Layer: admin
 # Module: readahead
 #
diff --git a/policy-F14.patch b/policy-F14.patch
index 5eefd78..c3b935c 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -1426,7 +1426,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
 +/var/run/epylog\.pid		gen_context(system_u:object_r:logwatch_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.8.8/policy/modules/admin/logwatch.te
 --- nsaserefpolicy/policy/modules/admin/logwatch.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/logwatch.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/logwatch.te	2010-07-29 12:03:44.000000000 -0400
 @@ -19,6 +19,9 @@
  type logwatch_tmp_t;
  files_tmp_file(logwatch_tmp_t)
@@ -1447,7 +1447,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
  kernel_read_fs_sysctls(logwatch_t)
  kernel_read_kernel_sysctls(logwatch_t)
  kernel_read_system_state(logwatch_t)
-@@ -92,8 +98,14 @@
+@@ -92,8 +98,15 @@
  sysnet_exec_ifconfig(logwatch_t)
  
  userdom_dontaudit_search_user_home_dirs(logwatch_t)
@@ -1460,6 +1460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
 +role system_r types logwatch_mail_t;
 +logging_read_all_logs(logwatch_mail_t)
 +manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t)
++allow logwatch_mail_t self:capability { dac_read_search dac_override };
  
  ifdef(`distro_redhat',`
  	files_search_all(logwatch_t)
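Review bot: The added `allow logwatch_mail_t self:capability { dac_read_search dac_override };` grants more than the neighbouring rules suggest is needed: `logging_read_all_logs(logwatch_mail_t)` is read-only, and `dac_read_search` alone already bypasses DAC for reading and directory search, whereas `dac_override` additionally bypasses DAC write and ownership checks. If the observed denial was only on reading root-owned logs, `allow logwatch_mail_t self:capability dac_read_search;` is the narrower rule; if a write case was seen, a one-line comment naming it would let the wider grant be kept deliberately rather than by default. The logwatch_mail_t block this rule belongs to starts outside the hunk.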
@@ -1728,7 +1729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.8.8/policy/modules/admin/prelink.te
 --- nsaserefpolicy/policy/modules/admin/prelink.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/prelink.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/prelink.te	2010-07-29 11:54:38.000000000 -0400
 @@ -59,6 +59,7 @@
  manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
  relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
@@ -1745,7 +1746,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
  
  files_list_all(prelink_t)
  files_getattr_all_files(prelink_t)
-@@ -99,6 +101,8 @@
+@@ -86,6 +88,8 @@
+ 
+ fs_getattr_xattr_fs(prelink_t)
+ 
++storage_getattr_fixed_disk_dev(prelink_t)
++
+ selinux_get_enforce_mode(prelink_t)
+ 
+ libs_exec_ld_so(prelink_t)
+@@ -99,6 +103,8 @@
  miscfiles_read_localization(prelink_t)
  
  userdom_use_user_terminals(prelink_t)
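Review bot: `storage_getattr_fixed_disk_dev(prelink_t)` in the `@@ -86,6 +88,8 @@` hunk is added without any comment saying which prelink operation needs to stat fixed-disk device nodes, and the surrounding rules give no hint. A one-line why-comment recording the denial or call path that motivated it (for example `# prelink getattr()s fixed disk devices — TODO(review): note the code path`) would keep the grant from being carried forward unexamined. The prelink_t block continues outside the hunk.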
@@ -1754,7 +1764,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
  
  optional_policy(`
  	amanda_manage_lib(prelink_t)
-@@ -129,6 +133,7 @@
+@@ -129,6 +135,7 @@
  
  	read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
  	allow prelink_cron_system_t prelink_cache_t:file unlink;
@@ -2398,8 +2408,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
  auth_use_nsswitch(shutdown_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.8.8/policy/modules/admin/sudo.if
 --- nsaserefpolicy/policy/modules/admin/sudo.if	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/sudo.if	2010-07-27 16:12:03.000000000 -0400
-@@ -134,12 +134,16 @@
++++ serefpolicy-3.8.8/policy/modules/admin/sudo.if	2010-07-28 13:17:33.000000000 -0400
+@@ -76,6 +76,8 @@
+ 	# By default, revert to the calling domain when a shell is executed.
+ 	corecmd_shell_domtrans($1_sudo_t, $3)
+ 	corecmd_bin_domtrans($1_sudo_t, $3)
++	userdom_domtrans_user_home($1_sudo_t, $3)
++	userdom_domtrans_user_tmp($1_sudo_t, $3)
+ 	allow $3 $1_sudo_t:fd use;
+ 	allow $3 $1_sudo_t:fifo_file rw_file_perms;
+ 	allow $3 $1_sudo_t:process signal_perms;
+@@ -134,12 +136,16 @@
  	userdom_manage_user_tmp_symlinks($1_sudo_t)
  	userdom_use_user_terminals($1_sudo_t)
  	# for some PAM modules and for cwd
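Review bot: The two new calls `userdom_domtrans_user_home($1_sudo_t, $3)` and `userdom_domtrans_user_tmp($1_sudo_t, $3)` sit under the comment `# By default, revert to the calling domain when a shell is executed.`, which now understates what the block does: it also transitions back to $3 for executables found in the user's home and tmp directories. Suggest widening the comment, e.g. `# By default, revert to the calling domain when a shell, a bin program, or an executable in the user's home or tmp dirs is executed.`. The template this block belongs to starts outside the hunk.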
@@ -2679,14 +2698,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.8.8/policy/modules/admin/vbetool.te
 --- nsaserefpolicy/policy/modules/admin/vbetool.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/vbetool.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/vbetool.te	2010-07-28 13:41:18.000000000 -0400
 @@ -24,7 +24,10 @@
  dev_rw_xserver_misc(vbetool_t)
  dev_rw_mtrr(vbetool_t)
  
+-domain_mmap_low(vbetool_t)
 +domain_mmap_low_type(vbetool_t)
 +tunable_policy(`mmap_low_allowed',`
- domain_mmap_low(vbetool_t)
++	allow vbetool_t self:memprotect mmap_zero;
 +')
  
  mls_file_read_all_levels(vbetool_t)
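Review bot: The new line inside `tunable_policy(`mmap_low_allowed',` is a raw `allow vbetool_t self:memprotect mmap_zero;` in place of the previous `domain_mmap_low(vbetool_t)` call, the same substitution is made in the wine.if and wine.te hunks, and the domain.if hunk stops adding the patch's own `domain_mmap_low` interface. The reason is not stated at any of the three sites — presumably the interface form cannot be used inside a conditional block — so a short comment at each, e.g. `# raw allow: the domain_mmap_low interface form is not usable inside tunable_policy`, adjusted to the actual reason, would stop a later cleanup from re-introducing the call. The mmap_min_addr / null-dereference rationale that lived in the dropped interface's summary is also no longer near any of these rules.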
@@ -7367,7 +7387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc
  /opt/google/picasa(/.*)?/bin/progman --	gen_context(system_u:object_r:wine_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.8.8/policy/modules/apps/wine.if
 --- nsaserefpolicy/policy/modules/apps/wine.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/wine.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/wine.if	2010-07-29 11:56:07.000000000 -0400
 @@ -35,6 +35,8 @@
  	role $1 types wine_t;
  
@@ -7387,7 +7407,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if
 -	domain_mmap_low($1_wine_t)
 +	domain_mmap_low_type($1_wine_t)
 +	tunable_policy(`mmap_low_allowed',`
-+		domain_mmap_low($1_wine_t)
++		allow $1_wine_t self:memprotect mmap_zero;
 +	')
 +
 +	tunable_policy(`wine_mmap_zero_ignore',`
@@ -7407,7 +7427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if
  ## <param name="role">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.8.8/policy/modules/apps/wine.te
 --- nsaserefpolicy/policy/modules/apps/wine.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/wine.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/wine.te	2010-07-28 13:41:23.000000000 -0400
 @@ -1,5 +1,13 @@
  policy_module(wine, 1.7.1)
  
@@ -7429,7 +7449,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te
 -domain_mmap_low(wine_t)
 +domain_mmap_low_type(wine_t)
 +tunable_policy(`mmap_low_allowed',`
-+	domain_mmap_low(wine_t)
++	allow wine_t self:memprotect mmap_zero;
 +')
 +tunable_policy(`wine_mmap_zero_ignore',`
 +	dontaudit wine_t self:memprotect mmap_zero;
@@ -7486,7 +7506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se
  		dbus_session_bus_client($1_wm_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.8.8/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/corecommands.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/corecommands.fc	2010-07-28 10:08:06.000000000 -0400
 @@ -9,8 +9,10 @@
  /bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /bin/fish			--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -7535,7 +7555,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/apt/methods.+	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/ConsoleKit/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -228,6 +239,8 @@
+@@ -220,6 +231,7 @@
+ 
+ /usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/apr-0/build/libtool --	gen_context(system_u:object_r:bin_t,s0)
++/usr/share/dayplanner/dayplanner --	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/debconf/.+		--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/denyhosts/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/denyhosts/plugins(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+@@ -228,6 +240,8 @@
  /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/e16/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -7544,7 +7572,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -314,6 +327,7 @@
+@@ -314,6 +328,7 @@
  /usr/share/texmf/web2c/mktexdir	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/texmf/web2c/mktexnam	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/texmf/web2c/mktexupd	--	gen_context(system_u:object_r:bin_t,s0)
@@ -7552,7 +7580,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  ')
  
  ifdef(`distro_suse', `
-@@ -340,3 +354,24 @@
+@@ -340,3 +355,24 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -7579,7 +7607,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 +/usr/lib(64)?/gimp/.*/plug-ins(/.*)?  gen_context(system_u:object_r:bin_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.8.8/policy/modules/kernel/corecommands.if
 --- nsaserefpolicy/policy/modules/kernel/corecommands.if	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/corecommands.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/corecommands.if	2010-07-28 13:13:22.000000000 -0400
 @@ -931,6 +931,7 @@
  
  	read_lnk_files_pattern($1, bin_t, bin_t)
@@ -7972,7 +8000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  allow devices_unconfined_type mtrr_device_t:file *;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.8.8/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/domain.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/domain.if	2010-07-28 13:40:51.000000000 -0400
 @@ -611,7 +611,7 @@
  
  ########################################
@@ -7991,7 +8019,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1372,18 +1372,34 @@
+@@ -1372,13 +1372,11 @@
  ##	</summary>
  ## </param>
  #
@@ -8006,30 +8034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
  	typeattribute $1 mmap_low_domain_type;
  ')
  
- ########################################
- ## <summary>
-+##	Ability to mmap a low area of the address space,
-+##      as configured by /proc/sys/kernel/mmap_min_addr.
-+##      Preventing such mappings helps protect against
-+##      exploiting null deref bugs in the kernel.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed to mmap low memory.
-+##	</summary>
-+## </param>
-+#
-+interface(`domain_mmap_low',`
-+
-+	allow $1 self:memprotect mmap_zero;
-+')
-+
-+########################################
-+## <summary>
- ##	Allow specified type to receive labeled
- ##	networking packets from all domains, over
- ##	all protocols (TCP, UDP, etc)
-@@ -1445,3 +1461,22 @@
+@@ -1445,3 +1443,22 @@
  	typeattribute $1 set_curr_context;
  	typeattribute $1 process_uncond_exempt;
  ')
@@ -8324,7 +8329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 +/nsr/logs(/.*)?						gen_context(system_u:object_r:var_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.8.8/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/files.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/files.if	2010-07-28 14:47:24.000000000 -0400
 @@ -1053,10 +1053,8 @@
  	relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
  	relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -8876,7 +8881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 +/cgroup(/.*)? 	 	gen_context(system_u:object_r:cgroup_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.8.8/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.if	2010-07-28 13:58:45.000000000 -0400
 @@ -1233,7 +1233,7 @@
  		type cifs_t;
  	')
@@ -11856,7 +11861,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav
  # amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.8.8/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/apache.fc	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/apache.fc	2010-07-29 09:41:47.000000000 -0400
 @@ -24,7 +24,6 @@
  
  /usr/lib/apache-ssl/.+		--	gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -11877,7 +11882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  /var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/lib/dav(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
-+/var/lib/dokuwiki(/.*)?			gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
++/var/lib/dokuwiki(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
  /var/lib/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
  /var/lib/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/lib/httpd(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -13517,7 +13522,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugz
 +/var/lib/bugzilla(/.*)?			gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.if serefpolicy-3.8.8/policy/modules/services/bugzilla.if
 --- nsaserefpolicy/policy/modules/services/bugzilla.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/bugzilla.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/bugzilla.if	2010-07-29 13:50:08.000000000 -0400
 @@ -0,0 +1,81 @@
 +## <summary>Bugzilla server</summary>
 +
@@ -13587,7 +13592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugz
 +	allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
 +	ps_process_pattern($1, httpd_bugzilla_script_t)
 +
-+	files_list_tmps($1)
++	files_list_tmp($1)
 +	admin_pattern($1, httpd_bugzilla_tmp_t)
 +
 +	files_search_var_lib(httpd_bugzilla_script_t)
@@ -14673,7 +14678,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.8.8/policy/modules/services/cobbler.te
 --- nsaserefpolicy/policy/modules/services/cobbler.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cobbler.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cobbler.te	2010-07-29 07:50:54.000000000 -0400
 @@ -1,3 +1,4 @@
 +
  policy_module(cobbler, 1.1.0)
@@ -14715,7 +14720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
  
  type cobblerd_t;
  type cobblerd_exec_t;
-@@ -23,28 +46,45 @@
+@@ -23,28 +46,46 @@
  type cobbler_etc_t;
  files_config_file(cobbler_etc_t)
  
@@ -14747,7 +14752,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
  allow cobblerd_t self:fifo_file rw_fifo_file_perms;
 +allow cobblerd_t self:netlink_route_socket create_netlink_socket_perms;
  allow cobblerd_t self:tcp_socket create_stream_socket_perms;
-+allow cobblerd_t self:udp_socket create_stream_socket_perms;
++allow cobblerd_t self:udp_socket create_socket_perms;
++allow cobblerd_t self:unix_dgram_socket create_socket_perms;
  
  list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
  read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
@@ -14768,7 +14774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
  
  append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
  create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
-@@ -52,39 +92,93 @@
+@@ -52,39 +93,93 @@
  setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
  logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
  
@@ -14866,7 +14872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
  optional_policy(`
  	bind_read_config(cobblerd_t)
  	bind_write_config(cobblerd_t)
-@@ -95,6 +189,10 @@
+@@ -95,6 +190,10 @@
  ')
  
  optional_policy(`
@@ -14877,7 +14883,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
  	dhcpd_domtrans(cobblerd_t)
  	dhcpd_initrc_domtrans(cobblerd_t)
  ')
-@@ -110,12 +208,20 @@
+@@ -110,12 +209,20 @@
  ')
  
  optional_policy(`
@@ -14901,7 +14907,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
  ')
  
  ########################################
-@@ -123,6 +229,18 @@
+@@ -123,6 +230,18 @@
  # Cobbler web local policy.
  #
  
@@ -18933,7 +18939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.8.8/policy/modules/services/mta.if
 --- nsaserefpolicy/policy/modules/services/mta.if	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/mta.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/mta.if	2010-07-29 15:05:32.000000000 -0400
 @@ -220,6 +220,25 @@
  	application_executable_file($1)
  ')
@@ -19021,9 +19027,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
  ')
  
+@@ -899,3 +920,23 @@
+ 
+ 	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
+ ')
++
++########################################
++## <summary>
++##	Type transition files created in calling dir 
++##	to the mail address aliases type.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="domain">
++##	<summary>
++##	Directory to transition on.
++##	</summary>
++## </param>
++#
++interface(`mta_filetrans_aliases',`
++	filetrans_pattern($1, $2, etc_aliases_t, file)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.8.8/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/mta.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/mta.te	2010-07-29 14:36:57.000000000 -0400
 @@ -21,7 +21,7 @@
  files_config_file(etc_mail_t)
  
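Review bot: The XML doc of the new `mta_filetrans_aliases` interface declares `<param name="domain">` twice; the second parameter is the directory type passed as `$2` to `filetrans_pattern`, so it should read `## <param name="dir">` with the summary `##	Directory type to transition on.` (the interface doc generator keys on the name attribute). The first summary, `Type transition files created in calling dir`, would also read better as `Transition files created in the given directory type to the mail aliases type.`.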
@@ -19033,20 +19063,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  
  type mqueue_spool_t;
  files_mountpoint(mqueue_spool_t)
-@@ -62,9 +62,9 @@
+@@ -50,22 +50,9 @@
+ 
+ # newalias required this, not sure if it is needed in 'if' file
+ allow system_mail_t self:capability { dac_override fowner };
+-allow system_mail_t self:fifo_file rw_fifo_file_perms;
+-
+-read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
  
- can_exec(system_mail_t, mta_exec_type)
+ read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
  
+-allow system_mail_t mail_forward_t:file read_file_perms;
+-
+-allow system_mail_t mta_exec_type:file entrypoint;
+-
+-can_exec(system_mail_t, mta_exec_type)
+-
 -kernel_read_system_state(system_mail_t)
 -kernel_read_network_state(system_mail_t)
 -kernel_request_load_module(system_mail_t)
-+kernel_read_system_state(user_mail_domain)
-+kernel_read_network_state(user_mail_domain)
-+kernel_request_load_module(user_mail_domain)
- 
+-
  dev_read_sysfs(system_mail_t)
  dev_read_rand(system_mail_t)
-@@ -82,6 +82,9 @@
+ dev_read_urand(system_mail_t)
+@@ -82,6 +69,9 @@
  
  userdom_use_user_terminals(system_mail_t)
  userdom_dontaudit_search_user_home_dirs(system_mail_t)
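Review bot: `allow system_mail_t mail_forward_t:file read_file_perms;` is removed here and nothing in view re-establishes it for the new user_mail_domain attribute; the corresponding line in the later common user_mail_domain block reads `allow system_mail_t user_mail_domain:file read_file_perms;`, which looks like a mistyped version of this rule, since user_mail_domain is an attribute of process domains rather than of .forward files. If the intent was to move the rule along with the others, that line should presumably be `allow user_mail_domain mail_forward_t:file read_file_perms;`. As written, system_mail_t appears to lose read access to mail_forward_t files after this change — worth confirming against the rest of the patch.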
@@ -19056,7 +19096,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  
  optional_policy(`
  	apache_read_squirrelmail_data(system_mail_t)
-@@ -92,6 +95,12 @@
+@@ -92,6 +82,12 @@
  	apache_dontaudit_rw_stream_sockets(system_mail_t)
  	apache_dontaudit_rw_tcp_sockets(system_mail_t)
  	apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
@@ -19069,7 +19109,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  ')
  
  optional_policy(`
-@@ -103,6 +112,11 @@
+@@ -103,6 +99,11 @@
  ')
  
  optional_policy(`
@@ -19081,7 +19121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  	clamav_stream_connect(system_mail_t)
  	clamav_append_log(system_mail_t)
  ')
-@@ -111,6 +125,8 @@
+@@ -111,6 +112,8 @@
  	cron_read_system_job_tmp_files(system_mail_t)
  	cron_dontaudit_write_pipes(system_mail_t)
  	cron_rw_system_job_stream_sockets(system_mail_t)
@@ -19090,15 +19130,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  ')
  
  optional_policy(`
-@@ -130,6 +146,7 @@
+@@ -124,12 +127,8 @@
+ ')
  
  optional_policy(`
+-	exim_domtrans(system_mail_t)
+-	exim_manage_log(system_mail_t)
+-')
+-
+-optional_policy(`
  	fail2ban_append_log(system_mail_t)
 +	fail2ban_dontaudit_leaks(system_mail_t)
  ')
  
  optional_policy(`
-@@ -146,6 +163,10 @@
+@@ -146,6 +145,10 @@
  ')
  
  optional_policy(`
@@ -19109,7 +19155,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  	nagios_read_tmp_files(system_mail_t)
  ')
  
-@@ -189,6 +210,10 @@
+@@ -158,18 +161,6 @@
+ 	files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
+ 
+ 	domain_use_interactive_fds(system_mail_t)
+-
+-	# postfix needs this for newaliases
+-	files_getattr_tmp_dirs(system_mail_t)
+-
+-	postfix_exec_master(system_mail_t)
+-	postfix_read_config(system_mail_t)
+-	postfix_search_spool(system_mail_t)
+-
+-	ifdef(`distro_redhat',`
+-		# compatability for old default main.cf
+-		postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
+-	')
+ ')
+ 
+ optional_policy(`
+@@ -189,6 +180,10 @@
  ')
  
  optional_policy(`
@@ -19120,7 +19185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  	smartmon_read_tmp_files(system_mail_t)
  ')
  
-@@ -220,6 +245,7 @@
+@@ -220,6 +215,7 @@
  create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  
@@ -19128,18 +19193,97 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t)
  
  read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
+@@ -292,3 +288,42 @@
+ 	postfix_read_config(user_mail_t)
+ 	postfix_list_spool(user_mail_t)
+ ')
++
++########################################
++#
++# Comman user_mail_domain policy
++#
++
++allow user_mail_domain self:fifo_file rw_fifo_file_perms;
++allow user_mail_domain mta_exec_type:file entrypoint;
++
++can_exec(user_mail_domain, mta_exec_type)
++
++allow system_mail_t user_mail_domain:file read_file_perms;
++
++read_files_pattern(user_mail_domain, etc_mail_t, etc_mail_t)
++
++kernel_read_system_state(user_mail_domain)
++kernel_read_network_state(user_mail_domain)
++kernel_request_load_module(user_mail_domain)
++
++
++
++optional_policy(`
++	# postfix needs this for newaliases
++	files_getattr_tmp_dirs(user_mail_domain)
++
++	postfix_exec_master(user_mail_domain)
++	postfix_read_config(user_mail_domain)
++	postfix_search_spool(user_mail_domain)
++
++	ifdef(`distro_redhat',`
++		# compatability for old default main.cf
++		postfix_config_filetrans(user_mail_domain, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
++	')
++')
++
++optional_policy(`
++	exim_domtrans(user_mail_domain)
++	exim_manage_log(user_mail_domain)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.8.8/policy/modules/services/munin.fc
+--- nsaserefpolicy/policy/modules/services/munin.fc	2010-07-27 16:06:05.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/munin.fc	2010-07-28 09:53:05.000000000 -0400
+@@ -63,6 +63,7 @@
+ /usr/share/munin/plugins/yum	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+ 
+ /var/lib/munin(/.*)?			gen_context(system_u:object_r:munin_var_lib_t,s0)
++/var/lib/munin/plugin-state(/.*)?	gen_context(system_u:object_r:munin_plugin_state_t,s0)
+ /var/log/munin.*			gen_context(system_u:object_r:munin_log_t,s0)
+ /var/run/munin(/.*)?			gen_context(system_u:object_r:munin_var_run_t,s0)
+ /var/www/html/munin(/.*)?		gen_context(system_u:object_r:httpd_munin_content_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.8.8/policy/modules/services/munin.if
 --- nsaserefpolicy/policy/modules/services/munin.if	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/munin.if	2010-07-27 16:12:03.000000000 -0400
-@@ -36,6 +36,7 @@
++++ serefpolicy-3.8.8/policy/modules/services/munin.if	2010-07-28 09:53:06.000000000 -0400
+@@ -13,10 +13,11 @@
+ #
+ template(`munin_plugin_template',`
+ 	gen_require(`
+-		type munin_t, munin_exec_t, munin_etc_t;
++		type munin_t;
++		attribute munin_plugin_domain;
+ 	')
+ 
+-	type $1_munin_plugin_t;
++	type $1_munin_plugin_t, munin_plugin_domain;
+ 	type $1_munin_plugin_exec_t;
+ 	typealias $1_munin_plugin_t alias munin_$1_plugin_t;
+ 	typealias $1_munin_plugin_exec_t alias munin_$1_plugin_exec_t;
+@@ -36,17 +37,8 @@
  	# automatic transition rules from munin domain
  	# to specific munin plugin domain
  	domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t)
 +	allow munin_t $1_munin_plugin_t:process signal;    
  
- 	allow $1_munin_plugin_t munin_exec_t:file read_file_perms;
- 	allow $1_munin_plugin_t munin_t:tcp_socket rw_socket_perms;
-@@ -92,6 +93,24 @@
+-	allow $1_munin_plugin_t munin_exec_t:file read_file_perms;
+-	allow $1_munin_plugin_t munin_t:tcp_socket rw_socket_perms;
+-
+-	read_lnk_files_pattern($1_munin_plugin_t, munin_etc_t, munin_etc_t)
+-
+-	kernel_read_system_state($1_munin_plugin_t)
+-
+-	corecmd_exec_bin($1_munin_plugin_t)
+-
+-	miscfiles_read_localization($1_munin_plugin_t)
+ ')
+ 
+ ########################################
+@@ -92,6 +84,24 @@
  	files_search_etc($1)
  ')
  
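Review bot: The header comment of the new common block reads `# Comman user_mail_domain policy` and should be `# Common user_mail_domain policy`. In the munin.if part of the same hunk, `munin_plugin_template` drops the per-plugin base rules (read of munin_exec_t, rw on munin_t's tcp_socket, munin_etc_t symlink reads, kernel_read_system_state, corecmd_exec_bin, miscfiles_read_localization) and instead tags the plugin type with the `munin_plugin_domain` attribute; the rules granted to that attribute are not in view, so they should be checked to cover everything removed here. A comment above `type $1_munin_plugin_t, munin_plugin_domain;` such as `# base plugin rules are granted to the munin_plugin_domain attribute (presumably in munin.te)` would make the indirection visible to the next reader.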
@@ -19166,8 +19310,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
  ##	Append to the munin log.
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.8.8/policy/modules/services/munin.te
 --- nsaserefpolicy/policy/modules/services/munin.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/munin.te	2010-07-27 16:12:03.000000000 -0400
-@@ -40,7 +40,7 @@
++++ serefpolicy-3.8.8/policy/modules/services/munin.te	2010-07-29 14:16:21.000000000 -0400
+@@ -5,6 +5,8 @@
+ # Declarations
+ #
+ 
++attribute munin_plugin_domain;
++
+ type munin_t alias lrrd_t;
+ type munin_exec_t alias lrrd_exec_t;
+ init_daemon_domain(munin_t, munin_exec_t)
+@@ -24,6 +26,9 @@
+ type munin_var_lib_t alias lrrd_var_lib_t;
+ files_type(munin_var_lib_t)
+ 
++type munin_plugin_state_t;
++files_type(munin_plugin_state_t)
++
+ type munin_var_run_t alias lrrd_var_run_t;
+ files_pid_file(munin_var_run_t)
+ 
+@@ -40,7 +45,7 @@
  # Local policy
  #
  
@@ -19176,7 +19339,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
  dontaudit munin_t self:capability sys_tty_config;
  allow munin_t self:process { getsched setsched signal_perms };
  allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -71,9 +71,10 @@
+@@ -71,9 +76,12 @@
  manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
  files_search_var_lib(munin_t)
  
@@ -19185,10 +19348,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
  manage_sock_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
 -files_pid_filetrans(munin_t, munin_var_run_t, file)
 +files_pid_filetrans(munin_t, munin_var_run_t, { file dir })
++
++read_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t)
  
  kernel_read_system_state(munin_t)
  kernel_read_network_state(munin_t)
-@@ -145,6 +146,7 @@
+@@ -145,6 +153,7 @@
  optional_policy(`
  	mta_read_config(munin_t)
  	mta_send_mail(munin_t)
@@ -19196,7 +19361,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
  	mta_read_queue(munin_t)
  ')
  
-@@ -159,6 +161,7 @@
+@@ -159,6 +168,7 @@
  
  optional_policy(`
  	postfix_list_spool(munin_t)
@@ -19204,7 +19369,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
  ')
  
  optional_policy(`
-@@ -182,6 +185,7 @@
+@@ -182,6 +192,7 @@
  # local policy for disk plugins
  #
  
@@ -19212,14 +19377,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
  allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
  
  rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
-@@ -192,13 +196,15 @@
+@@ -190,15 +201,13 @@
  
- files_read_etc_files(disk_munin_plugin_t)
- files_read_etc_runtime_files(disk_munin_plugin_t)
-+files_read_usr_files(disk_munin_plugin_t)
+ corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
  
- fs_getattr_all_fs(disk_munin_plugin_t)
+-files_read_etc_files(disk_munin_plugin_t)
+ files_read_etc_runtime_files(disk_munin_plugin_t)
  
+-fs_getattr_all_fs(disk_munin_plugin_t)
+-
 +dev_getattr_lvm_control(disk_munin_plugin_t)
  dev_read_sysfs(disk_munin_plugin_t)
  dev_read_urand(disk_munin_plugin_t)
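Review bot: Dropping `files_read_etc_files`, `files_read_usr_files` and `fs_getattr_all_fs` from disk_munin_plugin_t is only correct if that domain is actually a member of the new `munin_plugin_domain` attribute, and no `typeattribute` statement for any plugin domain appears in this chunk; the same dependency applies to the removals for mail_munin_plugin_t, services_munin_plugin_t and system_munin_plugin_t in the three hunks that follow. If the membership comes from a template elsewhere in the patch, a one-line comment at the attribute declaration naming it would save the next reader the search; if it does not, these domains lose /etc reads, /usr reads and shell execution rather than having them consolidated. The disk plugin policy block continues outside the hunk.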
@@ -19229,7 +19395,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
  
  sysnet_read_config(disk_munin_plugin_t)
  
-@@ -229,11 +235,13 @@
+@@ -221,19 +230,17 @@
+ 
+ dev_read_urand(mail_munin_plugin_t)
+ 
+-files_read_etc_files(mail_munin_plugin_t)
+-
+-fs_getattr_all_fs(mail_munin_plugin_t)
+-
+ logging_read_generic_logs(mail_munin_plugin_t)
  
  mta_read_config(mail_munin_plugin_t)
  mta_send_mail(mail_munin_plugin_t)
@@ -19243,16 +19417,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
  ')
  
  optional_policy(`
-@@ -249,6 +257,8 @@
- allow services_munin_plugin_t self:udp_socket create_socket_perms;
- allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+@@ -255,10 +262,6 @@
+ dev_read_urand(services_munin_plugin_t)
+ dev_read_rand(services_munin_plugin_t)
  
-+corecmd_exec_shell(services_munin_plugin_t)
-+
- corenet_tcp_connect_all_ports(services_munin_plugin_t)
- corenet_tcp_connect_http_port(services_munin_plugin_t)
+-fs_getattr_all_fs(services_munin_plugin_t)
+-
+-files_read_etc_files(services_munin_plugin_t)
+-
+ sysnet_read_config(services_munin_plugin_t)
  
-@@ -286,6 +296,10 @@
+ optional_policy(`
+@@ -286,6 +289,10 @@
  	snmp_read_snmp_var_lib_files(services_munin_plugin_t)
  ')
  
@@ -19263,21 +19439,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
  ##################################
  #
  # local policy for system plugins
-@@ -300,6 +314,8 @@
- 
- corecmd_exec_shell(system_munin_plugin_t)
- 
-+files_read_etc_files(system_munin_plugin_t)
-+
- fs_getattr_all_fs(system_munin_plugin_t)
+@@ -298,10 +305,6 @@
+ kernel_read_network_state(system_munin_plugin_t)
+ kernel_read_all_sysctls(system_munin_plugin_t)
  
+-corecmd_exec_shell(system_munin_plugin_t)
+-
+-fs_getattr_all_fs(system_munin_plugin_t)
+-
  dev_read_sysfs(system_munin_plugin_t)
-@@ -313,3 +329,5 @@
+ dev_read_urand(system_munin_plugin_t)
+ 
+@@ -313,3 +316,29 @@
  sysnet_exec_ifconfig(system_munin_plugin_t)
  
  term_getattr_unallocated_ttys(system_munin_plugin_t)
 +term_getattr_all_ptys(system_munin_plugin_t)
 +
++################################
++#
++# local policy for munin plugin domains
++#
++
++allow munin_plugin_domain munin_exec_t:file read_file_perms;
++allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
++
++# creates plugin state files
++manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t)
++
++read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t)
++
++kernel_read_system_state(munin_plugin_domain)
++
++corecmd_exec_bin(munin_plugin_domain)
++corecmd_exec_shell(munin_plugin_domain)
++
++files_read_etc_files(munin_plugin_domain)
++files_read_usr_files(munin_plugin_domain)
++
++fs_getattr_all_fs(munin_plugin_domain)
++
++miscfiles_read_localization(munin_plugin_domain)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.8.8/policy/modules/services/mysql.te
 --- nsaserefpolicy/policy/modules/services/mysql.te	2010-07-27 16:06:05.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/services/mysql.te	2010-07-27 16:12:03.000000000 -0400
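Review bot: The two raw `allow` rules that open the new `munin_plugin_domain` block carry no explanation, in particular `allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;`, which lets every plugin domain read and write the node daemon's TCP sockets; if this is for the client connection plugins inherit from munin_t, say so, e.g. `# plugins answer on the client connection inherited from munin-node`. `allow munin_plugin_domain munin_exec_t:file read_file_perms;` would likewise benefit from a why-comment. The state files are managed as munin_plugin_state_t, but no file-context entry or filetrans for that type is visible in this chunk, so the state directory's label presumably comes from munin.fc outside this view; worth confirming, since otherwise plugin-created state would inherit munin_var_lib_t and the `read_files_pattern(munin_t, munin_plugin_state_t, ...)` added earlier in this patch would not match it.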
@@ -20451,7 +20653,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
 +sysnet_read_config(piranha_domain)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.te serefpolicy-3.8.8/policy/modules/services/plymouthd.te
 --- nsaserefpolicy/policy/modules/services/plymouthd.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/plymouthd.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/plymouthd.te	2010-07-28 16:14:03.000000000 -0400
 @@ -60,10 +60,14 @@
  files_read_etc_files(plymouthd_t)
  files_read_usr_files(plymouthd_t)
@@ -21140,7 +21342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.8.8/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/postfix.te	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/postfix.te	2010-07-29 15:04:30.000000000 -0400
 @@ -5,6 +5,15 @@
  # Declarations
  #
@@ -21224,7 +21426,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  files_type(postfix_spool_flush_t)
  
  type postfix_public_t;
-@@ -150,6 +172,9 @@
+@@ -99,7 +121,9 @@
+ allow postfix_master_t self:udp_socket create_socket_perms;
+ allow postfix_master_t self:process setrlimit;
+ 
++allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
+ allow postfix_master_t postfix_etc_t:file rw_file_perms;
++mta_filetrans_aliases(postfix_master_t, postfix_etc_t)
+ 
+ can_exec(postfix_master_t, postfix_exec_t)
+ 
+@@ -150,6 +174,9 @@
  corenet_udp_sendrecv_generic_node(postfix_master_t)
  corenet_tcp_sendrecv_all_ports(postfix_master_t)
  corenet_udp_sendrecv_all_ports(postfix_master_t)
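Review bot: `allow postfix_master_t postfix_etc_t:dir rw_dir_perms;` gives the master daemon create/unlink rights in its own configuration directory, and the hunk does not say why; if the purpose is regenerating the aliases database that the following `mta_filetrans_aliases(postfix_master_t, postfix_etc_t)` labels, a comment such as `# master rebuilds the aliases db under its config dir` should accompany it. Together with the existing `rw_file_perms` on the same type this lets the daemon rewrite or replace any file in that directory, so if a narrower set (add_name without remove_name, for example) satisfies the filetrans, prefer it. The postfix_master_t policy block continues outside the hunk.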
@@ -21234,7 +21446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  corenet_tcp_bind_generic_node(postfix_master_t)
  corenet_tcp_bind_amavisd_send_port(postfix_master_t)
  corenet_tcp_bind_smtp_port(postfix_master_t)
-@@ -167,6 +192,8 @@
+@@ -167,6 +194,8 @@
  domain_use_interactive_fds(postfix_master_t)
  
  files_read_usr_files(postfix_master_t)
@@ -21243,7 +21455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  
  term_dontaudit_search_ptys(postfix_master_t)
  
-@@ -304,9 +331,17 @@
+@@ -304,9 +333,17 @@
  ')
  
  optional_policy(`
@@ -21261,7 +21473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  ########################################
  #
  # Postfix map local policy
-@@ -420,6 +455,7 @@
+@@ -420,6 +457,7 @@
  
  optional_policy(`
  	spamassassin_domtrans_client(postfix_pipe_t)
@@ -21269,7 +21481,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  ')
  
  optional_policy(`
-@@ -588,6 +624,11 @@
+@@ -588,6 +626,11 @@
  
  # for OpenSSL certificates
  files_read_usr_files(postfix_smtpd_t)
@@ -21281,7 +21493,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  mta_read_aliases(postfix_smtpd_t)
  
  optional_policy(`
-@@ -630,3 +671,8 @@
+@@ -630,3 +673,8 @@
  # For reading spamassasin
  mta_read_config(postfix_virtual_t)
  mta_manage_spool(postfix_virtual_t)
@@ -21627,7 +21839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
  /usr/bin/pyzord		--	gen_context(system_u:object_r:pyzord_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.8.8/policy/modules/services/pyzor.if
 --- nsaserefpolicy/policy/modules/services/pyzor.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/pyzor.if	2010-07-27 16:12:03.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/pyzor.if	2010-07-29 14:38:29.000000000 -0400
 @@ -88,3 +88,50 @@
  	corecmd_search_bin($1)
  	can_exec($1, pyzor_exec_t)
@@ -25517,7 +25729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.8.8/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/virt.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/virt.te	2010-07-28 14:48:42.000000000 -0400
 @@ -4,6 +4,7 @@
  #
  # Declarations
@@ -25542,7 +25754,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  type virt_etc_t;
  files_config_file(virt_etc_t)
  
-@@ -71,8 +72,12 @@
+@@ -65,20 +66,25 @@
+ # virt Image files
+ type virt_image_t; # customizable
+ virt_image(virt_image_t)
++files_mountpoint(virt_image_t)
+ 
+ # virt Image files
+ type virt_content_t; # customizable
  virt_image(virt_content_t)
  userdom_user_home_content(virt_content_t)
  
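Review bot: `files_mountpoint(virt_image_t)` is added without a comment explaining what is expected to be mounted on image files, and the same applies to the `files_type` to `files_mountpoint` change for virt_var_lib_t in the next hunk. If this is to let pool storage be mounted under the libvirt image and lib directories, a one-line comment such as `# may be a mountpoint for storage pools` at each site would record the intent. As far as I recall `files_mountpoint` implies `files_type`, so the second hunk loses nothing, but that is worth confirming against files.if. The virt declarations block continues outside the hunk.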
@@ -25555,7 +25774,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  
  type virt_var_run_t;
  files_pid_file(virt_var_run_t)
-@@ -89,6 +94,11 @@
+ 
+ type virt_var_lib_t;
+-files_type(virt_var_lib_t)
++files_mountpoint(virt_var_lib_t)
+ 
+ type virtd_t;
+ type virtd_exec_t;
+@@ -89,6 +95,11 @@
  type virtd_initrc_exec_t;
  init_script_file(virtd_initrc_exec_t)
  
@@ -25567,7 +25793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
  ')
-@@ -104,15 +114,12 @@
+@@ -104,15 +115,12 @@
  
  allow svirt_t self:udp_socket create_socket_perms;
  
@@ -25584,7 +25810,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
  
  list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-@@ -147,11 +154,15 @@
+@@ -147,11 +155,15 @@
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(svirt_t)
  	fs_manage_nfs_files(svirt_t)
@@ -25600,7 +25826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  ')
  
  tunable_policy(`virt_use_sysfs',`
-@@ -160,6 +171,7 @@
+@@ -160,6 +172,7 @@
  
  tunable_policy(`virt_use_usb',`
  	dev_rw_usbfs(svirt_t)
@@ -25608,7 +25834,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  	fs_manage_dos_dirs(svirt_t)
  	fs_manage_dos_files(svirt_t)
  ')
-@@ -168,28 +180,39 @@
+@@ -168,28 +181,39 @@
  	xen_rw_image_files(svirt_t)
  ')
  
@@ -25651,7 +25877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  
-@@ -200,9 +223,15 @@
+@@ -200,9 +224,15 @@
  
  manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
  manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -25667,7 +25893,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
  manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
  logging_log_filetrans(virtd_t, virt_log_t, { file dir })
-@@ -220,6 +249,7 @@
+@@ -220,6 +250,7 @@
  kernel_read_system_state(virtd_t)
  kernel_read_network_state(virtd_t)
  kernel_rw_net_sysctls(virtd_t)
@@ -25675,7 +25901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
  
-@@ -243,18 +273,25 @@
+@@ -243,18 +274,25 @@
  dev_rw_kvm(virtd_t)
  dev_getattr_all_chr_files(virtd_t)
  dev_rw_mtrr(virtd_t)
@@ -25702,7 +25928,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  
  fs_list_auto_mountpoints(virtd_t)
  fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +299,17 @@
+@@ -262,6 +300,17 @@
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
  fs_rw_cgroup_files(virtd_t)
@@ -25720,7 +25946,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  
  mcs_process_set_categories(virtd_t)
  
-@@ -286,15 +334,22 @@
+@@ -286,15 +335,22 @@
  
  logging_send_syslog_msg(virtd_t)
  
@@ -25743,7 +25969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -365,6 +420,7 @@
+@@ -365,6 +421,7 @@
  	qemu_signal(virtd_t)
  	qemu_kill(virtd_t)
  	qemu_setsched(virtd_t)
@@ -25751,7 +25977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  ')
  
  optional_policy(`
-@@ -402,6 +458,19 @@
+@@ -402,6 +459,19 @@
  allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
  allow virt_domain self:tcp_socket create_stream_socket_perms;
  
@@ -25771,7 +25997,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  append_files_pattern(virt_domain, virt_log_t, virt_log_t)
  
  append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -422,6 +491,7 @@
+@@ -422,6 +492,7 @@
  corenet_tcp_bind_virt_migration_port(virt_domain)
  corenet_tcp_connect_virt_migration_port(virt_domain)
  
@@ -25779,7 +26005,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -429,6 +499,7 @@
+@@ -429,6 +500,7 @@
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -25787,7 +26013,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  
  domain_use_interactive_fds(virt_domain)
  
-@@ -440,6 +511,11 @@
+@@ -440,6 +512,11 @@
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -25799,7 +26025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  
  term_use_all_terms(virt_domain)
  term_getattr_pty_fs(virt_domain)
-@@ -457,8 +533,121 @@
+@@ -457,8 +534,121 @@
  ')
  
  optional_policy(`
@@ -31130,7 +31356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.8.8/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/mount.te	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/mount.te	2010-07-28 13:59:08.000000000 -0400
 @@ -17,8 +17,15 @@
  init_system_domain(mount_t, mount_exec_t)
  role system_r types mount_t;
@@ -31232,7 +31458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  files_mount_all_file_type_fs(mount_t)
  files_unmount_all_file_type_fs(mount_t)
  # for when /etc/mtab loses its type
-@@ -79,15 +122,19 @@
+@@ -79,15 +122,20 @@
  files_read_usr_files(mount_t)
  files_list_mnt(mount_t)
  
@@ -31247,6 +31473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 -fs_list_auto_mountpoints(mount_t)
 +fs_rw_anon_inodefs_files(mount_t)
  fs_rw_tmpfs_chr_files(mount_t)
++fs_rw_nfsd_fs(mount_t)
 +fs_manage_tmpfs_dirs(mount_t)
  fs_read_tmpfs_symlinks(mount_t)
 +fs_read_fusefs_files(mount_t)
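Review bot: `fs_rw_nfsd_fs(mount_t)` is inserted into the filesystem rules with no comment, unlike the `# for when /etc/mtab loses its type` style used earlier in the same file. A brief why-comment, e.g. `# nfsd filesystem is written when exporting` if that is the reason, would let a later reviewer judge whether read-write rather than read-only is still required. The mount_t policy block continues on both sides of the hunk.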
@@ -31255,7 +31482,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  
  mls_file_read_all_levels(mount_t)
  mls_file_write_all_levels(mount_t)
-@@ -98,6 +145,7 @@
+@@ -98,6 +146,7 @@
  storage_raw_write_fixed_disk(mount_t)
  storage_raw_read_removable_device(mount_t)
  storage_raw_write_removable_device(mount_t)
@@ -31263,7 +31490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  
  term_use_all_terms(mount_t)
  
-@@ -106,6 +154,8 @@
+@@ -106,6 +155,8 @@
  init_use_fds(mount_t)
  init_use_script_ptys(mount_t)
  init_dontaudit_getattr_initctl(mount_t)
@@ -31272,7 +31499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  
  logging_send_syslog_msg(mount_t)
  
-@@ -116,6 +166,12 @@
+@@ -116,6 +167,12 @@
  seutil_read_config(mount_t)
  
  userdom_use_all_users_fds(mount_t)
@@ -31285,7 +31512,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -131,10 +187,17 @@
+@@ -131,10 +188,17 @@
  	')
  ')
  
@@ -31303,7 +31530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  ')
  
  optional_policy(`
-@@ -164,6 +227,8 @@
+@@ -164,6 +228,8 @@
  	fs_search_rpc(mount_t)
  
  	rpc_stub(mount_t)
@@ -31312,7 +31539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  ')
  
  optional_policy(`
-@@ -171,6 +236,25 @@
+@@ -171,6 +237,25 @@
  ')
  
  optional_policy(`
@@ -31338,7 +31565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  	ifdef(`hide_broken_symptoms',`
  		# for a bug in the X server
  		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -178,6 +262,11 @@
+@@ -178,6 +263,11 @@
  	')
  ')
  
@@ -31350,7 +31577,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  # for kernel package installation
  optional_policy(`
  	rpm_rw_pipes(mount_t)
-@@ -185,6 +274,19 @@
+@@ -185,6 +275,19 @@
  
  optional_policy(`
  	samba_domtrans_smbmount(mount_t)
@@ -31370,7 +31597,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  ')
  
  ########################################
-@@ -193,6 +295,42 @@
+@@ -193,6 +296,42 @@
  #
  
  optional_policy(`
@@ -33249,7 +33476,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 -')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.8.8/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/unconfined.if	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/unconfined.if	2010-07-29 11:57:02.000000000 -0400
 @@ -12,14 +12,13 @@
  #
  interface(`unconfined_domain_noaudit',`
@@ -33296,7 +33523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +	ubac_process_exempt($1)
 +
 +	tunable_policy(`mmap_low_allowed',`
-+		domain_mmap_low($1)
++		allow $1 self:memprotect mmap_zero;
 +	')
 +
  	tunable_policy(`allow_execheap',`
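Review bot: Replacing `domain_mmap_low($1)` with the raw `allow $1 self:memprotect mmap_zero;` drops the interface the domain module provides for this permission, so unconfined.if now encodes a rule about another module's object class directly. If that interface also places the caller in an attribute (reference policy of this vintage ties mmap_zero to one through a neverallow, as far as I recall), the raw rule either fails to build or loses that tracking; if it was replaced because the interface is unavailable in this tree, a comment saying so, e.g. `# domain_mmap_low() not available here; raw rule instead`, would explain the choice. The interface body continues outside the hunk.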
@@ -33997,7 +34224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.8.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/userdomain.if	2010-07-27 16:12:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/userdomain.if	2010-07-28 13:18:05.000000000 -0400
 @@ -30,8 +30,9 @@
  	')
  
@@ -35565,7 +35792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	kernel_search_proc($1)
  ')
  
-@@ -3128,3 +3466,779 @@
+@@ -3128,3 +3466,854 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -36345,6 +36572,81 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +
 +	dontaudit $1 user_tmp_t:dir search_dir_perms;
 +')
++
++########################################
++## <summary>
++##	Execute a file in a user home directory
++##	in the specified domain.
++## </summary>
++## <desc>
++##	<p>
++##	Execute a file in a user home directory
++##	in the specified domain.
++##	</p>
++##	<p>
++##	No interprocess communication (signals, pipes,
++##	etc.) is provided by this interface since
++##	the domains are not owned by this module.
++##	</p>
++## </desc>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="target_domain">
++##	<summary>
++##	The type of the new process.
++##	</summary>
++## </param>
++#
++interface(`userdom_domtrans_user_home',`
++	gen_require(`
++		type user_home_t;
++	')
++
++	read_lnk_files_pattern($1, user_home_t, user_home_t)
++	domain_transition_pattern($1, user_home_t, $2)
++	type_transition $1 user_home_t:process $2;
++')
++
++########################################
++## <summary>
++##	Execute a file in a user tmp directory
++##	in the specified domain.
++## </summary>
++## <desc>
++##	<p>
++##	Execute a file in a user tmp directory
++##	in the specified domain.
++##	</p>
++##	<p>
++##	No interprocess communication (signals, pipes,
++##	etc.) is provided by this interface since
++##	the domains are not owned by this module.
++##	</p>
++## </desc>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="target_domain">
++##	<summary>
++##	The type of the new process.
++##	</summary>
++## </param>
++#
++interface(`userdom_domtrans_user_tmp',`
++	gen_require(`
++		type user_tmp_t;
++	')
++
++	files_search_tmp($1)
++	read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
++	domain_transition_pattern($1, user_tmp_t, $2)
++	type_transition $1 user_tmp_t:process $2;
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.8.8/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2010-07-27 16:06:06.000000000 -0400
 +++ serefpolicy-3.8.8/policy/modules/system/userdomain.te	2010-07-27 16:12:04.000000000 -0400
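Review bot: Both new interfaces make user-writable content (user_home_t, user_tmp_t) a process entrypoint for the target domain, so whoever can write those files decides what runs as $2; the summaries should state this so callers reserve them for domains meant to run user-supplied programs, e.g. add to each `<desc>`: `Files in this location are user-controlled; use only for domains intended to run user-provided programs.` userdom_domtrans_user_tmp also calls `files_search_tmp($1)` while userdom_domtrans_user_home has no corresponding search of the home directory tree, so a caller lacking that access could not reach the file; if that is deliberate because callers already search home directories, a comment noting it would help, otherwise add the matching search call.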
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 92f9e0a..94f3ef8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.8.8
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -331,7 +331,7 @@ if [ $1 -eq 1 ]; then
    %loadpolicy targeted $packages
    restorecon -R /root /var/log /var/run /var/lib 2> /dev/null
 else
-   semodule -n -s targeted -r moilscanner mailscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal 2>/dev/null
+   semodule -n -s targeted -r pyzor -r razor -r moilscanner mailscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal 2>/dev/null
    %loadpolicy targeted $packages
    %relabel targeted
 fi
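Review bot: The module removal list is now spelled two ways on one line, `-r pyzor -r razor -r moilscanner mailscanner …`, which works because semodule applies the last command to the remaining positional arguments (as far as I recall) but reads as if pyzor and razor were treated differently, and the same list is duplicated in the mls `%post` scriptlet below. A single shell variable or rpm macro holding the retired module names, used by both scriptlets, would keep the two in sync the next time a module is retired. The surrounding `if`/`else` of the targeted `%post` begins outside the hunk.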
@@ -450,7 +450,7 @@ SELinux Reference policy mls base module.
 %saveFileContext mls
 
 %post mls 
-semodule -n -s mls -r mailscanner polkit ModemManager telepathysofiasip ethereal 2>/dev/null
+semodule -n -s mls -r pyzor -r razor -r mailscanner polkit ModemManager telepathysofiasip ethereal 2>/dev/null
 packages=`cat /usr/share/selinux/mls/modules.lst`
 %loadpolicy mls $packages
 
@@ -469,6 +469,9 @@ exit 0
 %endif
 
 %changelog
+* Wed Jul 28 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-9
+- Apply Miroslav munin patch
+
 * Tue Jul 27 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-8
 - Merge in fixes from dgrift repository
 

