rpms/selinux-policy/F-12 modules-minimum.conf, 1.49, 1.50 modules-mls.conf, 1.66, 1.67 modules-targeted.conf, 1.158, 1.159 policy-20100106.patch, 1.41, 1.42 selinux-policy.spec, 1.1026, 1.1027

Miroslav Grepl mgrepl at fedoraproject.org
Mon Mar 1 16:42:03 UTC 2010


Author: mgrepl

Update of /cvs/pkgs/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv5807

Modified Files:
	modules-minimum.conf modules-mls.conf modules-targeted.conf 
	policy-20100106.patch selinux-policy.spec 
Log Message:
- Add cachefilesd policy
- Update cobbler policy from F13
- Allow hald to connect to usbmuxd over a unix domain socket
- Allow staff_t to read semanage module store




Index: modules-minimum.conf
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/modules-minimum.conf,v
retrieving revision 1.49
retrieving revision 1.50
diff -u -p -r1.49 -r1.50
--- modules-minimum.conf	3 Feb 2010 22:22:08 -0000	1.49
+++ modules-minimum.conf	1 Mar 2010 16:42:01 -0000	1.50
@@ -32,6 +32,13 @@ alsa = base
 # 
 ada = module
 
+# Layer: services
+# Module: cachefilesd
+#
+# CacheFiles userspace management daemon
+# 
+cachefilesd = module
+ 
 # Layer: apps
 # Module: cpufreqselector 
 #


Index: modules-mls.conf
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/modules-mls.conf,v
retrieving revision 1.66
retrieving revision 1.67
diff -u -p -r1.66 -r1.67
--- modules-mls.conf	26 Feb 2010 14:17:58 -0000	1.66
+++ modules-mls.conf	1 Mar 2010 16:42:02 -0000	1.67
@@ -32,6 +32,13 @@ alsa = base
 # 
 ada = module
 
+# Layer: services
+# Module: cachefilesd
+#
+# CacheFiles userspace management daemon
+# 
+cachefilesd = module
+ 
 # Layer: apps
 # Module: cpufreqselector 
 #


Index: modules-targeted.conf
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/modules-targeted.conf,v
retrieving revision 1.158
retrieving revision 1.159
diff -u -p -r1.158 -r1.159
--- modules-targeted.conf	3 Feb 2010 22:22:08 -0000	1.158
+++ modules-targeted.conf	1 Mar 2010 16:42:02 -0000	1.159
@@ -32,6 +32,13 @@ alsa = base
 # 
 ada = module
 
+# Layer: services
+# Module: cachefilesd
+#
+# CacheFiles userspace management daemon
+# 
+cachefilesd = module
+ 
 # Layer: apps
 # Module: cpufreqselector 
 #

policy-20100106.patch:
 modules/admin/consoletype.if       |    4 
 modules/admin/dmesg.fc             |    1 
 modules/admin/logrotate.te         |    4 
 modules/admin/logwatch.te          |    5 
 modules/admin/mcelog.fc            |    2 
 modules/admin/mcelog.if            |   20 +
 modules/admin/mcelog.te            |   31 ++
 modules/admin/netutils.fc          |    1 
 modules/admin/netutils.te          |    6 
 modules/admin/prelink.te           |    1 
 modules/admin/quota.te             |    1 
 modules/admin/readahead.te         |    2 
 modules/admin/rpm.if               |   60 +++-
 modules/admin/rpm.te               |    2 
 modules/admin/smoltclient.te       |    2 
 modules/admin/usermanage.te        |    6 
 modules/admin/vbetool.te           |   13 +
 modules/apps/cdrecord.te           |    2 
 modules/apps/chrome.te             |    3 
 modules/apps/execmem.if            |    5 
 modules/apps/firewallgui.te        |    6 
 modules/apps/gnome.fc              |    9 
 modules/apps/gnome.if              |   81 +++++-
 modules/apps/gnome.te              |    8 
 modules/apps/gpg.fc                |    2 
 modules/apps/gpg.te                |    5 
 modules/apps/kdumpgui.te           |    4 
 modules/apps/mozilla.fc            |    1 
 modules/apps/nsplugin.fc           |    1 
 modules/apps/nsplugin.if           |   36 ++
 modules/apps/podsleuth.te          |    1 
 modules/apps/pulseaudio.fc         |    2 
 modules/apps/pulseaudio.if         |    6 
 modules/apps/pulseaudio.te         |   16 +
 modules/apps/qemu.te               |    1 
 modules/apps/sambagui.te           |    4 
 modules/apps/sandbox.if            |   54 +++-
 modules/apps/sandbox.te            |   49 ++-
 modules/apps/slocate.te            |    1 
 modules/apps/vmware.if             |   18 +
 modules/apps/vmware.te             |    9 
 modules/apps/wine.if               |    4 
 modules/apps/wine.te               |   14 +
 modules/kernel/corecommands.fc     |    5 
 modules/kernel/corenetwork.if.in   |   18 +
 modules/kernel/corenetwork.te.in   |    6 
 modules/kernel/devices.fc          |    6 
 modules/kernel/devices.if          |  200 +++++++++++++++
 modules/kernel/devices.te          |   25 +
 modules/kernel/domain.if           |   22 +
 modules/kernel/domain.te           |    4 
 modules/kernel/files.fc            |    2 
 modules/kernel/files.if            |  334 ++++++++++++++++++++------
 modules/kernel/files.te            |    6 
 modules/kernel/filesystem.if       |  156 +++++++++++-
 modules/kernel/filesystem.te       |   12 
 modules/kernel/kernel.if           |   18 +
 modules/kernel/terminal.if         |  247 +++++++++++++++++++
 modules/roles/auditadm.te          |    2 
 modules/roles/secadm.te            |    2 
 modules/roles/staff.te             |   18 -
 modules/roles/sysadm.te            |    5 
 modules/roles/unconfineduser.fc    |    5 
 modules/roles/unconfineduser.te    |    4 
 modules/roles/xguest.te            |    6 
 modules/services/abrt.if           |    5 
 modules/services/abrt.te           |   15 +
 modules/services/afs.te            |    6 
 modules/services/aisexec.fc        |    2 
 modules/services/aisexec.te        |    8 
 modules/services/amavis.te         |    1 
 modules/services/apache.fc         |    9 
 modules/services/apache.if         |   48 +++
 modules/services/apache.te         |   35 ++
 modules/services/apcupsd.te        |    2 
 modules/services/arpwatch.te       |    2 
 modules/services/asterisk.te       |    1 
 modules/services/avahi.fc          |    2 
 modules/services/bind.if           |   19 +
 modules/services/cachefilesd.fc    |   28 ++
 modules/services/cachefilesd.if    |   41 +++
 modules/services/cachefilesd.te    |  146 +++++++++++
 modules/services/ccs.te            |    6 
 modules/services/chronyd.fc        |    2 
 modules/services/chronyd.te        |   15 -
 modules/services/clogd.if          |   24 -
 modules/services/clogd.te          |    7 
 modules/services/cobbler.fc        |    5 
 modules/services/cobbler.if        |  156 +++++++++++-
 modules/services/cobbler.te        |  132 ++++++++++
 modules/services/consolekit.te     |   10 
 modules/services/corosync.fc       |    2 
 modules/services/corosync.te       |    9 
 modules/services/cron.te           |    9 
 modules/services/cups.te           |    7 
 modules/services/dbus.if           |    3 
 modules/services/dcc.te            |    2 
 modules/services/devicekit.fc      |    4 
 modules/services/devicekit.te      |   12 
 modules/services/dhcp.if           |   19 +
 modules/services/dhcp.te           |    4 
 modules/services/djbdns.if         |   38 +++
 modules/services/djbdns.te         |    8 
 modules/services/dnsmasq.fc        |    2 
 modules/services/dnsmasq.if        |   38 +++
 modules/services/dnsmasq.te        |    8 
 modules/services/dovecot.te        |    6 
 modules/services/exim.if           |   18 +
 modules/services/fail2ban.if       |   18 +
 modules/services/ftp.fc            |    2 
 modules/services/ftp.if            |   37 ++
 modules/services/ftp.te            |  116 +++++++++
 modules/services/git.fc            |   17 -
 modules/services/git.if            |  466 ++++++++++++++++++++++++++++---------
 modules/services/git.te            |  145 ++++++-----
 modules/services/gpm.fc            |    2 
 modules/services/hal.te            |    9 
 modules/services/inn.te            |    1 
 modules/services/kerberos.if       |    2 
 modules/services/ldap.fc           |    3 
 modules/services/ldap.te           |    7 
 modules/services/lircd.te          |    7 
 modules/services/mailman.te        |    1 
 modules/services/memcached.te      |   14 -
 modules/services/modemmanager.te   |    2 
 modules/services/mta.if            |   38 +++
 modules/services/mta.te            |    1 
 modules/services/munin.te          |    1 
 modules/services/mysql.te          |    5 
 modules/services/nagios.fc         |   46 +++
 modules/services/nagios.if         |   28 ++
 modules/services/nagios.te         |   87 ++++++
 modules/services/networkmanager.fc |    1 
 modules/services/networkmanager.te |    1 
 modules/services/nis.fc            |    5 
 modules/services/nis.te            |    8 
 modules/services/nx.if             |   18 +
 modules/services/openvpn.te        |    4 
 modules/services/plymouth.te       |   33 +-
 modules/services/policykit.te      |    8 
 modules/services/postfix.if        |   37 ++
 modules/services/postfix.te        |    5 
 modules/services/ppp.fc            |    2 
 modules/services/ppp.te            |    8 
 modules/services/prelude.te        |    2 
 modules/services/qmail.if          |   18 +
 modules/services/rgmanager.if      |   40 +++
 modules/services/rgmanager.te      |   58 +++-
 modules/services/rhcs.fc           |    9 
 modules/services/rhcs.if           |   58 ++++
 modules/services/rhcs.te           |  278 ++++------------------
 modules/services/ricci.te          |    6 
 modules/services/rpc.if            |    1 
 modules/services/rpc.te            |    8 
 modules/services/rsync.if          |   38 +++
 modules/services/samba.te          |   16 +
 modules/services/sendmail.te       |    4 
 modules/services/setroubleshoot.te |    4 
 modules/services/snmp.te           |    4 
 modules/services/snort.te          |    1 
 modules/services/spamassassin.if   |   18 +
 modules/services/spamassassin.te   |    6 
 modules/services/ssh.if            |    4 
 modules/services/ssh.te            |   81 ------
 modules/services/sssd.fc           |    2 
 modules/services/sssd.if           |   85 +++---
 modules/services/sssd.te           |   16 -
 modules/services/tftp.if           |   20 +
 modules/services/tftp.te           |    1 
 modules/services/tgtd.te           |    1 
 modules/services/tuned.fc          |    3 
 modules/services/tuned.te          |   15 +
 modules/services/ucspitcp.te       |    5 
 modules/services/usbmuxd.fc        |    6 
 modules/services/usbmuxd.if        |   64 +++++
 modules/services/usbmuxd.te        |   48 +++
 modules/services/virt.if           |    7 
 modules/services/virt.te           |   15 -
 modules/services/xserver.fc        |    7 
 modules/services/xserver.if        |    2 
 modules/services/xserver.te        |   25 +
 modules/system/application.te      |   12 
 modules/system/daemontools.if      |   62 ++++
 modules/system/daemontools.te      |   26 +-
 modules/system/fstools.fc          |    2 
 modules/system/hostname.te         |    3 
 modules/system/hotplug.te          |    4 
 modules/system/init.if             |   33 ++
 modules/system/init.te             |   27 ++
 modules/system/ipsec.te            |   11 
 modules/system/iptables.if         |   10 
 modules/system/iptables.te         |    6 
 modules/system/iscsi.fc            |    3 
 modules/system/iscsi.te            |   10 
 modules/system/libraries.fc        |   19 +
 modules/system/locallogin.te       |   19 -
 modules/system/logging.fc          |    7 
 modules/system/logging.if          |   18 +
 modules/system/logging.te          |   10 
 modules/system/lvm.fc              |    1 
 modules/system/lvm.te              |    3 
 modules/system/miscfiles.fc        |    5 
 modules/system/miscfiles.if        |   37 ++
 modules/system/modutils.te         |    2 
 modules/system/mount.if            |    4 
 modules/system/mount.te            |   16 +
 modules/system/selinuxutil.if      |   21 +
 modules/system/selinuxutil.te      |    1 
 modules/system/sysnetwork.fc       |    1 
 modules/system/sysnetwork.if       |    4 
 modules/system/sysnetwork.te       |    3 
 modules/system/udev.te             |    5 
 modules/system/unconfined.if       |    2 
 modules/system/userdomain.fc       |    1 
 modules/system/userdomain.if       |   36 ++
 modules/system/xen.if              |    2 
 modules/system/xen.te              |   22 +
 support/obj_perm_sets.spt          |    8 
 users                              |    2 
 219 files changed, 4285 insertions(+), 856 deletions(-)

Index: policy-20100106.patch
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/policy-20100106.patch,v
retrieving revision 1.41
retrieving revision 1.42
diff -u -p -r1.41 -r1.42
--- policy-20100106.patch	26 Feb 2010 16:54:53 -0000	1.41
+++ policy-20100106.patch	1 Mar 2010 16:42:02 -0000	1.42
@@ -125,7 +125,7 @@ diff -b -B --ignore-all-space --exclude-
  /usr/sbin/tcpdump	--	gen_context(system_u:object_r:netutils_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.6.32/policy/modules/admin/netutils.te
 --- nsaserefpolicy/policy/modules/admin/netutils.te	2010-01-18 18:24:22.552539984 +0100
-+++ serefpolicy-3.6.32/policy/modules/admin/netutils.te	2010-02-16 16:59:33.332598118 +0100
++++ serefpolicy-3.6.32/policy/modules/admin/netutils.te	2010-03-01 13:34:16.025492348 +0100
 @@ -132,6 +132,8 @@
  
  kernel_read_system_state(ping_t)
@@ -135,6 +135,17 @@ diff -b -B --ignore-all-space --exclude-
  auth_use_nsswitch(ping_t)
  
  logging_send_syslog_msg(ping_t)
+@@ -158,6 +160,10 @@
+ ')
+ 
+ optional_policy(`
++	nagios_rw_inerited_tmp_files(ping_t)
++')
++
++optional_policy(`
+ 	pcmcia_use_cardmgr_fds(ping_t)
+ ')
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.32/policy/modules/admin/prelink.te
 --- nsaserefpolicy/policy/modules/admin/prelink.te	2010-01-18 18:24:22.564530406 +0100
 +++ serefpolicy-3.6.32/policy/modules/admin/prelink.te	2010-02-01 20:30:49.318160848 +0100
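Review bot: The interface name on the new line `nagios_rw_inerited_tmp_files(ping_t)` looks misspelled ("inerited" for "inherited"); a call to an interface that is not defined is typically left unexpanded by m4 and breaks the module build, so the spelling must match the definition in nagios.if, which this commit also changes but which is not visible here. If nagios.if carries the same typo the build passes but the misspelling becomes part of a public interface name, so correcting both sides to `nagios_rw_inherited_tmp_files` now is cheaper than later. The enclosing optional_policy block is complete within the hunk.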
@@ -743,8 +754,12 @@ diff -b -B --ignore-all-space --exclude-
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te
 --- nsaserefpolicy/policy/modules/apps/pulseaudio.te	2010-02-21 20:47:43.404568303 +0100
-+++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te	2010-02-21 20:34:21.100559574 +0100
-@@ -11,6 +11,12 @@
++++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te	2010-03-01 16:03:40.936502769 +0100
+@@ -8,14 +8,22 @@
+ 
+ type pulseaudio_t;
+ type pulseaudio_exec_t;
++init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
  application_domain(pulseaudio_t, pulseaudio_exec_t)
  role system_r types pulseaudio_t;
  
@@ -757,7 +772,13 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  #
  # pulseaudio local policy
-@@ -24,6 +30,11 @@
+ #
+ 
++allow pulseaudio_t self:capability { setuid sys_nice setgid };
+ allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull };
+ allow pulseaudio_t self:fifo_file rw_file_perms;
+ allow pulseaudio_t self:unix_stream_socket { create_stream_socket_perms connectto };
+@@ -24,6 +32,11 @@
  allow pulseaudio_t self:udp_socket create_socket_perms;
  allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
  
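Review bot: `allow pulseaudio_t self:capability { setuid sys_nice setgid };` grants identity-changing capabilities with no comment on why they are needed, and because the preceding hunk adds `init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)` directly above the existing `application_domain(pulseaudio_t, pulseaudio_exec_t)`, the same pulseaudio_t is now entered both from init and from user sessions, so the grant is not limited to the daemon case. Presumably the system-mode daemon started by init drops root privileges after startup, which is what setuid/setgid are for; a comment such as `# system-mode daemon (started by init) drops root privileges after startup` at the capability line, and one at the domain declaration stating that one domain intentionally serves both the daemon and per-user instances, would record that decision. If the capabilities are only wanted on the daemon path, a separate system domain would keep them off each user's pulseaudio.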
@@ -769,7 +790,7 @@ diff -b -B --ignore-all-space --exclude-
  can_exec(pulseaudio_t, pulseaudio_exec_t)
  
  kernel_getattr_proc(pulseaudio_t)
-@@ -72,6 +83,8 @@
+@@ -72,6 +85,8 @@
  ')
  
  optional_policy(`
@@ -778,7 +799,7 @@ diff -b -B --ignore-all-space --exclude-
  	dbus_system_bus_client(pulseaudio_t)
  	dbus_session_bus_client(pulseaudio_t)
  	dbus_connect_session_bus(pulseaudio_t)
-@@ -111,4 +124,5 @@
+@@ -111,4 +126,5 @@
  	xserver_manage_xdm_tmp_files(pulseaudio_t)
  	xserver_read_xdm_lib_files(pulseaudio_t)
  	xserver_common_app(pulseaudio_t)
@@ -1198,8 +1219,16 @@ diff -b -B --ignore-all-space --exclude-
  	domain_mmap_low(wine_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2010-01-18 18:24:22.665531100 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc	2010-02-10 11:51:39.387858338 +0100
-@@ -218,8 +218,9 @@
++++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc	2010-03-01 09:10:51.189491683 +0100
+@@ -166,6 +166,7 @@
+ /usr/lib/ccache/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/pgsql/test/regress/.*\.sh --	gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/qt.*/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/fence(/.*)?            gen_context(system_u:object_r:bin_t,s0) 
+ /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/apt/methods.+	--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/ConsoleKit/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+@@ -218,8 +219,9 @@
  /usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/apr-0/build/libtool --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/debconf/.+		--	gen_context(system_u:object_r:bin_t,s0)
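Review bot: The new entry `/usr/lib/fence(/.*)?            gen_context(system_u:object_r:bin_t,s0) ` is aligned with spaces where the neighbouring entries use tabs, carries a trailing space after the context, and is inserted between the qt and firefox entries instead of in sorted order next to `/usr/lib/ccache`. The adjacent multilib entries are written `/usr/lib(64)?/…`; if the fence agents can also be installed under /usr/lib64, the pattern should be `/usr/lib(64)?/fence(/.*)?	gen_context(system_u:object_r:bin_t,s0)`, otherwise those files would keep the default library label and not be executable as bin_t. The install path is not visible here, so this needs confirming against the package.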
@@ -1210,7 +1239,7 @@ diff -b -B --ignore-all-space --exclude-
  /usr/share/cluster/svclib_nfslock  --   gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/SAPInstance  --      gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/SAPDatabase  --      gen_context(system_u:object_r:bin_t,s0)
-@@ -237,6 +238,7 @@
+@@ -237,6 +239,7 @@
  /usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/sectool/.*\.py       --      gen_context(system_u:object_r:bin_t,s0)
  /usr/share/smolt/client(/.*)?	gen_context(system_u:object_r:bin_t,s0)
@@ -1248,8 +1277,16 @@ diff -b -B --ignore-all-space --exclude-
  ##	Getattr the point-to-point device.
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2010-01-18 18:24:22.668540002 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in	2010-02-16 17:21:28.658848158 +0100
-@@ -92,11 +92,12 @@
++++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in	2010-03-01 09:53:43.085750129 +0100
+@@ -85,6 +85,7 @@
+ network_port(clamd, tcp,3310,s0)
+ network_port(clockspeed, udp,4041,s0)
+ network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
++network_port(cobbler, tcp,25151,s0)
+ network_port(comsat, udp,512,s0)
+ network_port(cvs, tcp,2401,s0, udp,2401,s0)
+ network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0)
+@@ -92,11 +93,12 @@
  network_port(dbskkd, tcp,1178,s0)
  network_port(dcc, udp,6276,s0, udp,6277,s0)
  network_port(dccm, tcp,5679,s0, udp,5679,s0)
@@ -1609,7 +1646,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Do not audit attempts to get the attributes
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.32/policy/modules/kernel/devices.te
 --- nsaserefpolicy/policy/modules/kernel/devices.te	2010-01-18 18:24:22.675530137 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/devices.te	2010-02-26 09:33:50.290799322 +0100
++++ serefpolicy-3.6.32/policy/modules/kernel/devices.te	2010-03-01 13:31:38.484740499 +0100
 @@ -1,5 +1,5 @@
  
 -policy_module(devices, 1.8.2)
@@ -1659,6 +1696,13 @@ diff -b -B --ignore-all-space --exclude-
  type v4l_device_t;
  dev_node(v4l_device_t)
  
+@@ -278,5 +295,5 @@
+ #
+ 
+ allow devices_unconfined_type self:capability sys_rawio;
+-allow devices_unconfined_type device_node:{ blk_file chr_file } *;
++allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
+ allow devices_unconfined_type mtrr_device_t:file *;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.32/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2010-01-18 18:24:22.683530317 +0100
 +++ serefpolicy-3.6.32/policy/modules/kernel/domain.if	2010-02-26 09:33:54.830549053 +0100
@@ -1700,7 +1744,16 @@ diff -b -B --ignore-all-space --exclude-
  ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.32/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2010-01-18 18:24:22.685530781 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/domain.te	2010-02-26 16:50:12.859856633 +0100
++++ serefpolicy-3.6.32/policy/modules/kernel/domain.te	2010-03-01 15:15:36.898740594 +0100
+@@ -106,7 +106,7 @@
+ kernel_dontaudit_link_key(domain)
+ 
+ # create child processes in the domain
+-allow domain self:process { fork sigchld };
++allow domain self:process { fork getsched sigchld };
+ 
+ # Use trusted objects in /dev
+ dev_rw_null(domain)
 @@ -216,8 +216,10 @@
  optional_policy(`
  	rpm_use_fds(domain)
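Review bot: Adding getsched to the base rule `allow domain self:process { fork getsched sigchld };` grants it to every domain in the policy rather than to the one that produced the denial, and the comment above it (`# create child processes in the domain`) now describes only part of the rule. Self getsched is a benign query, so the policy-wide grant is defensible, but the comment should say so: `# create child processes in the domain; query own scheduling policy`.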
@@ -2997,8 +3050,17 @@ diff -b -B --ignore-all-space --exclude-
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.32/policy/modules/roles/staff.te
 --- nsaserefpolicy/policy/modules/roles/staff.te	2010-01-18 18:24:22.718544267 +0100
-+++ serefpolicy-3.6.32/policy/modules/roles/staff.te	2010-02-11 17:58:37.444708661 +0100
-@@ -76,20 +76,20 @@
++++ serefpolicy-3.6.32/policy/modules/roles/staff.te	2010-03-01 16:05:50.238492151 +0100
+@@ -26,6 +26,8 @@
+ auth_domtrans_pam_console(staff_t)
+ 
+ seutil_run_newrole(staff_t, staff_r)
++seutil_read_module_store(staff_t)
++
+ netutils_run_ping(staff_t, staff_r)
+ 
+ optional_policy(`
+@@ -76,20 +78,20 @@
  	webadm_role_change(staff_r)
  ')
  
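Review bot: `seutil_read_module_store(staff_t)` is added without a comment saying what the staff role needs it for; going by the interface name it opens the semanage module store, i.e. the installed policy modules, to every staff_t user, which is read-only but policy-wide disclosure. A short why-comment such as `# let staff inspect the installed policy modules (semanage/semodule listing)` would make the intent reviewable and tie the rule to the log message.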
@@ -3253,7 +3315,7 @@ diff -b -B --ignore-all-space --exclude-
  logging_send_syslog_msg(amavis_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.32/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2010-01-18 18:24:22.733530530 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/apache.fc	2010-02-23 16:43:34.009526021 +0100
++++ serefpolicy-3.6.32/policy/modules/services/apache.fc	2010-03-01 16:56:36.009747781 +0100
 @@ -8,10 +8,12 @@
  /etc/httpd/conf/keytab		--	gen_context(system_u:object_r:httpd_keytab_t,s0)
  /etc/httpd/logs				gen_context(system_u:object_r:httpd_log_t,s0)
@@ -3275,7 +3337,13 @@ diff -b -B --ignore-all-space --exclude-
  /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /usr/share/wordpress-mu/wp-config\.php   -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
  /usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
-@@ -71,6 +74,9 @@
+@@ -66,11 +69,14 @@
+ /var/cache/ssl.*\.sem		--	gen_context(system_u:object_r:httpd_cache_t,s0)
+ 
+ /var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/var/lib/cobbler/webui_sessions(/.*)?	gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
++#/var/lib/cobbler/webui_sessions(/.*)?	gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
+ /var/lib/dav(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
  /var/lib/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
  /var/lib/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/lib/httpd(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
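Review bot: The cobbler entry is commented out (`#/var/lib/cobbler/webui_sessions(/.*)?	gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)`) instead of removed, which leaves dead text in the file context list with no explanation. If the path is now labelled from cobbler.fc (also touched by this commit), delete the line; if it is kept as a reminder, say why in the comment. Files already labelled httpd_sys_content_rw_t keep that label until a relabel, so the change only takes effect after restorecon.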
@@ -3295,7 +3363,7 @@ diff -b -B --ignore-all-space --exclude-
  /var/www/html/configuration\.php 	gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2010-01-18 18:24:22.736530563 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/apache.if	2010-02-01 15:06:59.560081274 +0100
++++ serefpolicy-3.6.32/policy/modules/services/apache.if	2010-03-01 15:49:14.043490674 +0100
 @@ -16,6 +16,7 @@
  		attribute httpd_exec_scripts;
  		attribute httpd_script_exec_type;
@@ -3321,7 +3389,35 @@ diff -b -B --ignore-all-space --exclude-
  	')
  
  	tunable_policy(`httpd_enable_cgi',`
-@@ -1167,6 +1171,29 @@
+@@ -833,6 +837,27 @@
+ 	domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
+ ')
+ 
++#######################################
++## <summary>
++##  Allow the specified domain to list
++##  apache system content files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`apache_list_sys_content',`
++    gen_require(`
++        type httpd_sys_content_t;
++    ')
++
++    list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
++    read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
++    files_search_var($1)
++')
++
+ ########################################
+ ## <summary>
+ ##	Allow the specified domain to manage
+@@ -1167,6 +1192,29 @@
  	allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
  ')
  
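Review bot: The body of the new `apache_list_sys_content` interface is indented with four spaces while the rest of the file uses tabs (compare the `domtrans_pattern` line at the top of the hunk), and its header rule is one `#` shorter than the surrounding ones. The summary says "list apache system content files" but the interface also grants `read_lnk_files_pattern`, so it could read `##	List apache system content directories and read their symlinks.` Re-indenting the gen_require block and the three calls with tabs would match the file.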
@@ -3353,8 +3449,22 @@ diff -b -B --ignore-all-space --exclude-
  ##	Do not audit attempts to read and write Apache
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.32/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2010-01-18 18:24:22.739530246 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/apache.te	2010-02-23 19:15:56.528525860 +0100
-@@ -309,7 +309,7 @@
++++ serefpolicy-3.6.32/policy/modules/services/apache.te	2010-03-01 09:52:48.889491880 +0100
+@@ -67,6 +67,13 @@
+ 
+ ## <desc>
+ ## <p>
++## Allow HTTPD scripts and modules to connect to cobbler over the network.
++## </p>
++## </desc>
++gen_tunable(httpd_can_network_connect_cobbler, false)
++
++## <desc>
++## <p>
+ ## Allow HTTPD scripts and modules to connect to databases over the network.
+ ## </p>
+ ## </desc>
+@@ -309,7 +316,7 @@
  manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
  manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
  manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
@@ -3363,7 +3473,7 @@ diff -b -B --ignore-all-space --exclude-
  
  # Allow the httpd_t to read the web servers config files
  allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -363,10 +363,10 @@
+@@ -363,10 +370,10 @@
  manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
  files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
  
@@ -3376,7 +3486,7 @@ diff -b -B --ignore-all-space --exclude-
  
  manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
-@@ -400,6 +400,7 @@
+@@ -400,6 +407,7 @@
  dev_rw_crypto(httpd_t)
  
  fs_getattr_all_fs(httpd_t)
@@ -3384,7 +3494,7 @@ diff -b -B --ignore-all-space --exclude-
  fs_search_auto_mountpoints(httpd_t)
  fs_read_iso9660_files(httpd_t)
  
-@@ -483,8 +484,14 @@
+@@ -483,8 +491,14 @@
  	corenet_tcp_connect_pop_port(httpd_t)
  	corenet_sendrecv_pop_client_packets(httpd_t)
  	mta_send_mail(httpd_t)
@@ -3400,7 +3510,17 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  tunable_policy(`httpd_can_network_relay',`
-@@ -612,6 +619,11 @@
+@@ -588,6 +602,9 @@
+ 
+ optional_policy(`
+ 	cobbler_search_lib(httpd_t)
++	tunable_policy(`httpd_can_network_connect_cobbler',`
++        corenet_tcp_connect_cobbler_port(httpd_t)
++    ')
+ ')
+ 
+ optional_policy(`
+@@ -612,6 +629,11 @@
  		avahi_dbus_chat(httpd_t)
  	')
  ')
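Review bot: The new nested block mixes indentation: `tunable_policy(` is indented with a tab, `corenet_tcp_connect_cobbler_port(httpd_t)` with eight spaces and the closing `')` with four, so the closing quote does not line up with its opener. Indent the tunable_policy line with one tab, the corenet call with two and the closing `')` with one, as the surrounding optional_policy block does. Placing the tunable inside the cobbler optional_policy block means the connect rule only exists when the cobbler module is loaded, which is presumably intended and pairs well with the new boolean defaulting to false.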
@@ -3412,7 +3532,7 @@ diff -b -B --ignore-all-space --exclude-
  optional_policy(`
  	kerberos_keytab_template(httpd, httpd_t)
  ')
-@@ -895,6 +907,9 @@
+@@ -895,6 +917,9 @@
  
  sysnet_read_config(httpd_sys_script_t)
  
@@ -3422,7 +3542,7 @@ diff -b -B --ignore-all-space --exclude-
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -906,6 +921,7 @@
+@@ -906,6 +931,7 @@
  	fs_manage_nfs_files(httpd_sys_script_t)
  	fs_manage_nfs_symlinks(httpd_sys_script_t)
  	fs_exec_nfs_files(httpd_sys_script_t)
@@ -3430,7 +3550,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	fs_manage_nfs_dirs(httpd_suexec_t)
  	fs_manage_nfs_files(httpd_suexec_t)
-@@ -945,6 +960,7 @@
+@@ -945,6 +970,7 @@
  	fs_manage_cifs_files(httpd_suexec_t)
  	fs_manage_cifs_symlinks(httpd_suexec_t)
  	fs_exec_cifs_files(httpd_suexec_t)
@@ -3462,6 +3582,17 @@ diff -b -B --ignore-all-space --exclude-
  
  fs_getattr_all_fs(arpwatch_t)
  fs_search_auto_mountpoints(arpwatch_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.6.32/policy/modules/services/asterisk.te
+--- nsaserefpolicy/policy/modules/services/asterisk.te	2010-01-18 18:24:22.742540405 +0100
++++ serefpolicy-3.6.32/policy/modules/services/asterisk.te	2010-03-01 16:56:10.526493733 +0100
+@@ -128,6 +128,7 @@
+ files_read_usr_files(asterisk_t)
+ 
+ fs_getattr_all_fs(asterisk_t)
++fs_list_inotifyfs(asterisk_t)
+ fs_search_auto_mountpoints(asterisk_t)
+ 
+ auth_use_nsswitch(asterisk_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.6.32/policy/modules/services/avahi.fc
 --- nsaserefpolicy/policy/modules/services/avahi.fc	2009-09-16 16:01:19.000000000 +0200
 +++ serefpolicy-3.6.32/policy/modules/services/avahi.fc	2010-01-19 21:19:40.967763409 +0100
@@ -3471,6 +3602,262 @@ diff -b -B --ignore-all-space --exclude-
  
 -/usr/lib/avahi-autoipd(/.*)		gen_context(system_u:object_r:avahi_var_lib_t,s0)
 +/var/lib/avahi-autoipd(/.*)?  	gen_context(system_u:object_r:avahi_var_lib_t,s0)    
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.32/policy/modules/services/bind.if
+--- nsaserefpolicy/policy/modules/services/bind.if	2010-01-18 18:24:22.745530450 +0100
++++ serefpolicy-3.6.32/policy/modules/services/bind.if	2010-03-01 15:52:05.256741085 +0100
+@@ -290,6 +290,25 @@
+ 	read_files_pattern($1, named_zone_t, named_zone_t)
+ ')
+ 
++#######################################
++## <summary>
++##  Manage BIND zone files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`bind_manage_zone',`
++    gen_require(`
++        type named_zone_t;
++    ')
++
++    files_search_var($1)
++    manage_files_pattern($1, named_zone_t, named_zone_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	Send and receive datagrams to and from named.  (Deprecated)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.fc serefpolicy-3.6.32/policy/modules/services/cachefilesd.fc
+--- nsaserefpolicy/policy/modules/services/cachefilesd.fc	1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/cachefilesd.fc	2010-03-01 09:30:08.471741607 +0100
+@@ -0,0 +1,28 @@
++###############################################################################
++#
++# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
++# Written by David Howells (dhowells at redhat.com)
++#            Karl MacMillan (kmacmill at redhat.com)
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License
++# as published by the Free Software Foundation; either version
++# 2 of the License, or (at your option) any later version.
++#
++###############################################################################
++
++#
++# Define the contexts to be assigned to various files and directories of
++# importance to the CacheFiles kernel module and userspace management daemon.
++#
++
++# cachefilesd executable will have:
++# label: system_u:object_r:cachefilesd_exec_t
++# MLS sensitivity: s0
++# MCS categories: <none>
++
++/sbin/cachefilesd	--	gen_context(system_u:object_r:cachefilesd_exec_t,s0)
++/dev/cachefiles		-c	gen_context(system_u:object_r:cachefiles_dev_t,s0)
++/var/fscache(/.*)?		gen_context(system_u:object_r:cachefiles_var_t,s0)
++
++/var/run/cachefilesd\.pid --	gen_context(system_u:object_r:cachefiles_var_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.if serefpolicy-3.6.32/policy/modules/services/cachefilesd.if
+--- nsaserefpolicy/policy/modules/services/cachefilesd.if	1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/cachefilesd.if	2010-03-01 09:30:08.471741607 +0100
+@@ -0,0 +1,41 @@
++###############################################################################
++#
++# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
++# Written by David Howells (dhowells at redhat.com)
++#            Karl MacMillan (kmacmill at redhat.com)
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License
++# as published by the Free Software Foundation; either version
++# 2 of the License, or (at your option) any later version.
++#
++###############################################################################
++
++#
++# Define the policy interface for the CacheFiles userspace management daemon.
++#
++
++## <summary>policy for cachefilesd</summary>
++
++########################################
++## <summary>
++##	Execute a domain transition to run cachefilesd.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`cachefilesd_domtrans',`
++	gen_require(`
++		type cachefilesd_t, cachefilesd_exec_t;
++	')
++
++	domain_auto_trans($1,cachefilesd_exec_t,cachefilesd_t)
++
++	allow $1 cachefilesd_t:fd use;
++	allow cachefilesd_t $1:fd use;
++	allow cachefilesd_t $1:fifo_file rw_file_perms;
++	allow cachefilesd_t $1:process sigchld;
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.te serefpolicy-3.6.32/policy/modules/services/cachefilesd.te
+--- nsaserefpolicy/policy/modules/services/cachefilesd.te	1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/cachefilesd.te	2010-03-01 09:30:08.471741607 +0100
+@@ -0,0 +1,146 @@
++###############################################################################
++#
++# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved.
++# Written by David Howells (dhowells at redhat.com)
++#            Karl MacMillan (kmacmill at redhat.com)
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License
++# as published by the Free Software Foundation; either version
++# 2 of the License, or (at your option) any later version.
++#
++###############################################################################
++
++#
++# This security policy governs access by the CacheFiles kernel module and
++# userspace management daemon to the files and directories in the on-disk
++# cache, on behalf of the processes accessing the cache through a network
++# filesystem such as NFS
++#
++policy_module(cachefilesd,1.0.17)
++
++###############################################################################
++#
++# Declarations
++#
++require { type kernel_t; }
++
++#
++# Files in the cache are created by the cachefiles module with security ID
++# cachefiles_var_t
++#
++type cachefiles_var_t;
++files_type(cachefiles_var_t)
++
++#
++# The /dev/cachefiles character device has security ID cachefiles_dev_t
++#
++type cachefiles_dev_t;
++dev_node(cachefiles_dev_t)
++
++#
++# The cachefilesd daemon normally runs with security ID cachefilesd_t
++#
++type cachefilesd_t;
++type cachefilesd_exec_t;
++domain_type(cachefilesd_t)
++init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
++
++#
++# The cachefilesd daemon pid file context
++#
++type cachefilesd_var_run_t;
++files_pid_file(cachefilesd_var_run_t)
++
++#
++# The CacheFiles kernel module causes processes accessing the cache files to do
++# so acting as security ID cachefiles_kernel_t
++#
++type cachefiles_kernel_t;
++domain_type(cachefiles_kernel_t)
++domain_obj_id_change_exemption(cachefiles_kernel_t)
++role system_r types cachefiles_kernel_t;
++
++###############################################################################
++#
++# Permit RPM to deal with files in the cache
++#
++rpm_use_script_fds(cachefilesd_t)
++
++###############################################################################
++#
++# cachefilesd local policy
++#
++# These define what cachefilesd is permitted to do.  This doesn't include very
++# much: startup stuff, logging, pid file, scanning the cache superstructure and
++# deleting files from the cache.  It is not permitted to read/write files in
++# the cache.
++#
++# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
++# rules.
++#
++allow cachefilesd_t self : capability { setuid setgid sys_admin dac_override };
++
++# Basic access
++files_read_etc_files(cachefilesd_t)
++libs_use_ld_so(cachefilesd_t)
++libs_use_shared_libs(cachefilesd_t)
++miscfiles_read_localization(cachefilesd_t)
++logging_send_syslog_msg(cachefilesd_t)
++init_dontaudit_use_script_ptys(cachefilesd_t)
++term_dontaudit_use_generic_ptys(cachefilesd_t)
++term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
++
++# Allow manipulation of pid file
++allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
++manage_files_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t)
++manage_dirs_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t)
++files_pid_file(cachefilesd_var_run_t)
++files_pid_filetrans(cachefilesd_t,cachefilesd_var_run_t,file)
++
++# Allow access to cachefiles device file
++allow cachefilesd_t cachefiles_dev_t : chr_file rw_file_perms;
++
++# Allow access to cache superstructure
++allow cachefilesd_t cachefiles_var_t : dir rw_dir_perms;
++allow cachefilesd_t cachefiles_var_t : file { getattr rename unlink };
++
++# Permit statfs on the backing filesystem
++fs_getattr_xattr_fs(cachefilesd_t)
++
++###############################################################################
++#
++# When cachefilesd invokes the kernel module to begin caching, it has to tell
++# the kernel module the security context in which it should act, and this
++# policy has to approve that.
++#
++# There are two parts to this:
++#
++#   (1) the security context used by the module to access files in the cache,
++#       as set by the 'secctx' command in /etc/cachefilesd.conf, and
++#
++allow cachefilesd_t cachefiles_kernel_t : kernel_service { use_as_override };
++
++#
++#   (2) the label that will be assigned to new files and directories created in
++#       the cache by the module, which will be the same as the label on the
++#       directory pointed to by the 'dir' command.
++#
++allow cachefilesd_t cachefiles_var_t : kernel_service { create_files_as };
++
++###############################################################################
++#
++# cachefiles kernel module local policy
++#
++# This governs what the kernel module is allowed to do the contents of the
++# cache.
++#
++allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
++allow cachefiles_kernel_t initrc_t:process sigchld;
++
++manage_dirs_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t)
++manage_files_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t)
++
++fs_getattr_xattr_fs(cachefiles_kernel_t)
++
++dev_search_sysfs(cachefiles_kernel_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.6.32/policy/modules/services/ccs.te
 --- nsaserefpolicy/policy/modules/services/ccs.te	2010-01-18 18:24:22.749530749 +0100
 +++ serefpolicy-3.6.32/policy/modules/services/ccs.te	2010-02-17 15:18:32.630863465 +0100
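Review bot: The new cachefilesd.fc labels the pid file as cache content while the new cachefilesd.te creates it as a separate pid type: `/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefiles_var_t,s0)` in the .fc versus `type cachefilesd_var_run_t;` plus `files_pid_filetrans(cachefilesd_t,cachefilesd_var_run_t,file)` in the .te, so after a restorecon the daemon holds only `{ getattr rename unlink }` on its own pid file and cachefiles_kernel_t, which has manage rights on cachefiles_var_t, could rewrite it; the fc line should be `/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0)`. The capability line `allow cachefilesd_t self : capability { setuid setgid sys_admin dac_override };` grants two of the broadest capabilities with no comment on why the daemon needs them; a one-line why-comment per capability (presumably the cull/ioctl path through /dev/cachefiles needs sys_admin — to be confirmed against the AVC) would let later reviewers trim them. Smaller clean-ups in the same file: `require { type kernel_t; }` is never used in the visible policy, `files_pid_file(cachefilesd_var_run_t)` is declared twice, and `cachefilesd_domtrans` hand-rolls the fd/fifo/sigchld rules around the legacy `domain_auto_trans` where `domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)`, as cobblerd_domtrans does elsewhere in this patch, covers everything except the extra `allow $1 cachefilesd_t:fd use;`.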
@@ -3539,73 +3926,419 @@ diff -b -B --ignore-all-space --exclude-
  
 -permissive chronyd_t;
 +optional_policy(`
-+    gpsd_rw_shm(chronyd_t)
++    gpsd_rw_shm(chronyd_t)
++')
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.6.32/policy/modules/services/clogd.if
+--- nsaserefpolicy/policy/modules/services/clogd.if	2010-01-18 18:24:22.757540078 +0100
++++ serefpolicy-3.6.32/policy/modules/services/clogd.if	2010-02-17 11:59:55.124863336 +0100
+@@ -42,26 +42,6 @@
+ 
+ #####################################
+ ## <summary>
+-##      Manage clogd tmpfs files.
+-## </summary>
+-## <param name="domain">
+-##      <summary>
+-##      The type of the process performing this action.
+-##      </summary>
+-## </param>
+-#
+-interface(`clogd_manage_tmpfs_files',`
+-        gen_require(`
+-                type clogd_tmpfs_t;
+-        ')
+-
+-        fs_search_tmpfs($1)
+-        manage_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t)
+-        manage_lnk_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t)
+-')
+-
+-#####################################
+-## <summary>
+ ##      Allow read and write access to clogd semaphores.
+ ## </summary>
+ ## <param name="domain">
+@@ -94,5 +74,9 @@
+         ')
+ 
+         allow $1 clogd_t:shm { rw_shm_perms destroy };
++		allow $1 clogd_tmpfs_t:dir list_dir_perms;
++		rw_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t)
++		read_lnk_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t)
++    	fs_search_tmpfs($1)
+ ')
+ 
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.te serefpolicy-3.6.32/policy/modules/services/clogd.te
+--- nsaserefpolicy/policy/modules/services/clogd.te	2010-01-18 18:24:22.758539996 +0100
++++ serefpolicy-3.6.32/policy/modules/services/clogd.te	2010-02-17 15:17:36.815613535 +0100
+@@ -41,8 +41,6 @@
+ manage_sock_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)
+ files_pid_filetrans(clogd_t,clogd_var_run_t, { file })
+ 
+-aisexec_stream_connect(clogd_t)
+-
+ dev_manage_generic_blk_files(clogd_t)
+ 
+ storage_raw_read_fixed_disk(clogd_t)
+@@ -56,6 +54,11 @@
+ miscfiles_read_localization(clogd_t)
+ 
+ optional_policy(`
++	aisexec_stream_connect(clogd_t)
++	corosync_stream_connect(clogd_t)
++')
++
++optional_policy(`
+         dev_read_lvm_control(clogd_t)
+ ')
+ 
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.fc serefpolicy-3.6.32/policy/modules/services/cobbler.fc
+--- nsaserefpolicy/policy/modules/services/cobbler.fc	2010-01-18 18:24:22.758539996 +0100
++++ serefpolicy-3.6.32/policy/modules/services/cobbler.fc	2010-03-01 09:49:55.450759811 +0100
+@@ -1,2 +1,7 @@
++/etc/cobbler(/.*)?		gen_context(system_u:object_r:cobbler_etc_t, s0)
++/etc/rc\.d/init\.d/cobblerd --	gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
++
++/usr/bin/cobblerd	--	gen_context(system_u:object_r:cobblerd_exec_t, s0)
+ 
+ /var/lib/cobbler(/.*)?			gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/log/cobbler(/.*)?		gen_context(system_u:object_r:cobbler_var_log_t, s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.6.32/policy/modules/services/cobbler.if
+--- nsaserefpolicy/policy/modules/services/cobbler.if	2010-01-18 18:24:22.759530345 +0100
++++ serefpolicy-3.6.32/policy/modules/services/cobbler.if	2010-03-01 09:49:55.450759811 +0100
+@@ -1,10 +1,111 @@
++## <summary>Cobbler installation server.</summary>
++## <desc>
++##	<p>
++##		Cobbler is a Linux installation server that allows for
++##		rapid setup of network installation environments. It
++##		glues together and automates many associated Linux
++##		tasks so you do not have to hop between lots of various
++##		commands and applications when rolling out new systems,
++##		and, in some cases, changing existing ones.
++##	</p>
++## </desc>
++
++########################################
++## <summary>
++##	Execute a domain transition to run cobblerd.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`cobblerd_domtrans',`
++	gen_require(`
++		type cobblerd_t, cobblerd_exec_t;
++	')
++
++	domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
++')
++
++########################################
++## <summary>
++##	Execute cobblerd server in the cobblerd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`cobblerd_initrc_domtrans',`
++	gen_require(`
++		type cobblerd_initrc_exec_t;
++	')
++
++	init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
++')
++
++########################################
++## <summary>
++##	Read Cobbler content in /etc
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`cobbler_read_config',`
++	gen_require(`
++		type cobbler_etc_t;
++	')
++
++	read_files_pattern($1, cobbler_etc_t, cobbler_etc_t);
++	files_search_etc($1)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to read and write
++##  Cobbler log files (leaked fd).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`cobbler_dontaudit_rw_log',`
++	gen_require(`
++		type cobbler_var_log_t;
++	')
++
++	dontaudit $1 cobbler_var_log_t:file rw_file_perms;
++')
++
++########################################
+ ## <summary>
+-##	Cobbler var_lib_t
++##	Search cobbler dirs in /var/lib
+ ## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`cobbler_search_lib',`
++	gen_require(`
++		type cobbler_var_lib_t;
++	')
++
++	search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
++	files_search_var_lib($1)
++')
+ 
+ ########################################
+ ## <summary>
+-##	Read cobbler lib files.
++##	Read cobbler files in /var/lib
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -18,7 +119,6 @@
+ 	')
+ 
+ 	read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+-	allow $1 cobbler_var_lib_t:dir list_dir_perms;
+ 	files_search_var_lib($1)
+ ')
+ 
+@@ -22,10 +122,9 @@
+ 	files_search_var_lib($1)
+ ')
+ 
+-
+ ########################################
+ ## <summary>
+-##	Read cobbler lib files.
++##	Manage cobbler files in /var/lib
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -33,12 +132,55 @@
+ ##	</summary>
+ ## </param>
+ #
+-interface(`cobbler_search_lib',`
++interface(`cobbler_manage_lib_files',`
+ 	gen_require(`
+ 		type cobbler_var_lib_t;
+ 	')
+ 
+-	allow $1 cobbler_var_lib_t:dir search_dir_perms;
++	manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ 	files_search_var_lib($1)
+ ')
+ 
++########################################
++## <summary>
++##	All of the rules required to administrate 
++##	an cobblerd environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`cobblerd_admin',`
++	gen_require(`
++		type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
++		type cobbler_etc_t;
++		type httpd_cobbler_content_rw_t;
++	')
++
++	allow $1 cobblerd_t:process { ptrace signal_perms getattr };
++	read_files_pattern($1, cobblerd_t, cobblerd_t)
++
++	files_search_etc($1)
++	admin_pattern($1, cobbler_etc_t)
++
++	files_list_var_lib($1)
++	admin_pattern($1, cobbler_var_lib_t)
++
++	files_search_var_log($1)
++	admin_pattern($1, cobbler_var_log_t)
++
++	admin_pattern($1, httpd_cobbler_content_rw_t)
++
++	cobblerd_initrc_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 cobblerd_initrc_exec_t system_r;
++	allow $2 system_r;
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.6.32/policy/modules/services/cobbler.te
+--- nsaserefpolicy/policy/modules/services/cobbler.te	2010-01-18 18:24:22.760530473 +0100
++++ serefpolicy-3.6.32/policy/modules/services/cobbler.te	2010-03-01 15:49:21.826741385 +0100
+@@ -1,5 +1,135 @@
+ 
+-policy_module(cobbler, 1.10.0)
++policy_module(cobbler, 1.0.0) 
++
++########################################
++#
++# Cobbler personal declarations.
++#
++
++## <desc>
++## <p>
++## Allow Cobbler to modify public files
++## used for public file transfer services.
++## </p>
++## </desc>
++gen_tunable(cobbler_anon_write, false)
++
++type cobblerd_t;
++type cobblerd_exec_t;
++init_daemon_domain(cobblerd_t, cobblerd_exec_t)
++
++permissive cobblerd_t;
++
++type cobblerd_initrc_exec_t;
++init_script_file(cobblerd_initrc_exec_t)
++
++type cobbler_etc_t;
++files_config_file(cobbler_etc_t)
++
++type cobbler_var_log_t;
++logging_log_file(cobbler_var_log_t)
+ 
+ type cobbler_var_lib_t;
+ files_type(cobbler_var_lib_t)
++
++########################################
++#
++# Cobbler personal policy.
++#
++
++allow cobblerd_t self:capability { chown dac_override fowner sys_nice };
++allow cobblerd_t self:process { getsched setsched signal };
++allow cobblerd_t self:fifo_file rw_fifo_file_perms;
++allow cobblerd_t self:tcp_socket create_stream_socket_perms;
++
++list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
++read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
++
++manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
++manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
++files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file })
++
++append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
++create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
++read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
++setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
++logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
++
++kernel_read_system_state(cobblerd_t)
++
++corecmd_exec_bin(cobblerd_t)
++corecmd_exec_shell(cobblerd_t)
++
++corenet_all_recvfrom_netlabel(cobblerd_t)
++corenet_all_recvfrom_unlabeled(cobblerd_t)
++corenet_sendrecv_cobbler_server_packets(cobblerd_t)
++corenet_tcp_bind_cobbler_port(cobblerd_t)
++corenet_tcp_bind_generic_node(cobblerd_t)
++corenet_tcp_sendrecv_generic_if(cobblerd_t)
++corenet_tcp_sendrecv_generic_node(cobblerd_t)
++corenet_tcp_sendrecv_generic_port(cobblerd_t)
++
++dev_read_urand(cobblerd_t)
++
++# read /etc/nsswitch.conf
++files_read_etc_files(cobblerd_t)
++files_read_usr_files(cobblerd_t)
++files_list_boot(cobblerd_t)
++files_list_tmp(cobblerd_t)
++
++miscfiles_read_localization(cobblerd_t)
++miscfiles_read_public_files(cobblerd_t)
++
++sysnet_read_config(cobblerd_t)
++sysnet_rw_dhcp_config(cobblerd_t)
++sysnet_write_config(cobblerd_t)
++
++tunable_policy(`cobbler_anon_write',`
++	miscfiles_manage_public_files(cobblerd_t)
++')
++
++optional_policy(`
++	apache_list_sys_content(cobblerd_t)
++')
++
++optional_policy(`
++	bind_read_config(cobblerd_t)
++	bind_write_config(cobblerd_t)
++	bind_domtrans_ndc(cobblerd_t)
++	bind_domtrans(cobblerd_t)
++	bind_initrc_domtrans(cobblerd_t)
++	bind_manage_zone(cobblerd_t)
++')
++
++optional_policy(`
++	dhcpd_domtrans(cobblerd_t)
++	dhcpd_initrc_domtrans(cobblerd_t)
++')
++
++optional_policy(`
++	dnsmasq_domtrans(cobblerd_t)
++	dnsmasq_initrc_domtrans(cobblerd_t)
++	dnsmasq_write_config(cobblerd_t)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.6.32/policy/modules/services/clogd.if
---- nsaserefpolicy/policy/modules/services/clogd.if	2010-01-18 18:24:22.757540078 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/clogd.if	2010-02-17 11:59:55.124863336 +0100
-@@ -42,26 +42,6 @@
- 
- #####################################
- ## <summary>
--##      Manage clogd tmpfs files.
--## </summary>
--## <param name="domain">
--##      <summary>
--##      The type of the process performing this action.
--##      </summary>
--## </param>
--#
--interface(`clogd_manage_tmpfs_files',`
--        gen_require(`
--                type clogd_tmpfs_t;
--        ')
--
--        fs_search_tmpfs($1)
--        manage_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t)
--        manage_lnk_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t)
--')
--
--#####################################
--## <summary>
- ##      Allow read and write access to clogd semaphores.
- ## </summary>
- ## <param name="domain">
-@@ -94,5 +74,9 @@
-         ')
- 
-         allow $1 clogd_t:shm { rw_shm_perms destroy };
-+		allow $1 clogd_tmpfs_t:dir list_dir_perms;
-+		rw_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t)
-+		read_lnk_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t)
-+    	fs_search_tmpfs($1)
- ')
- 
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.te serefpolicy-3.6.32/policy/modules/services/clogd.te
---- nsaserefpolicy/policy/modules/services/clogd.te	2010-01-18 18:24:22.758539996 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/clogd.te	2010-02-17 15:17:36.815613535 +0100
-@@ -41,8 +41,6 @@
- manage_sock_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)
- files_pid_filetrans(clogd_t,clogd_var_run_t, { file })
- 
--aisexec_stream_connect(clogd_t)
--
- dev_manage_generic_blk_files(clogd_t)
- 
- storage_raw_read_fixed_disk(clogd_t)
-@@ -56,6 +54,11 @@
- miscfiles_read_localization(clogd_t)
- 
- optional_policy(`
-+	aisexec_stream_connect(clogd_t)
-+	corosync_stream_connect(clogd_t)
++optional_policy(`
++	rpm_exec(cobblerd_t)
 +')
 +
 +optional_policy(`
-         dev_read_lvm_control(clogd_t)
- ')
- 
++	rsync_read_config(cobblerd_t)
++	rsync_write_config(cobblerd_t)
++')
++
++optional_policy(`
++	tftp_manage_rw_content(cobblerd_t)
++')
++
++########################################
++#
++# Cobbler web local policy.
++#
++
++apache_content_template(cobbler)
++manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t,  httpd_cobbler_content_rw_t)
++manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t,  httpd_cobbler_content_rw_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.32/policy/modules/services/consolekit.te
 --- nsaserefpolicy/policy/modules/services/consolekit.te	2010-02-21 20:46:52.740325173 +0100
 +++ serefpolicy-3.6.32/policy/modules/services/consolekit.te	2010-02-21 20:34:33.717586944 +0100
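Review bot: `permissive cobblerd_t;` leaves the new daemon unconfined while the rest of cobbler.te hands it write access to the configuration of bind, dhcpd, dnsmasq and rsync plus `sysnet_write_config(cobblerd_t)` and `rpm_exec(cobblerd_t)`, and it is network-facing via `corenet_tcp_bind_cobbler_port(cobblerd_t)`; that is acceptable for a first-cut policy but should carry a comment saying so and be tracked for removal, since a compromise of cobblerd today is a compromise of every network service it configures. In `cobblerd_admin`, `role_transition $2 cobblerd_initrc_exec_t system_r;` uses a type that is not listed in the interface's `gen_require` block (it only builds because the nested `cobblerd_initrc_domtrans($1)` requires it on the caller's behalf); add `type cobblerd_initrc_exec_t;` to the require block so the interface is self-describing. The module version also moves from `policy_module(cobbler, 1.10.0)` to `policy_module(cobbler, 1.0.0)`, which reads as a downgrade; if this is a deliberate re-sync with the F13 module it deserves a comment, otherwise keep the higher version so any tooling that compares module versions does not treat the update as a regression.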
@@ -3762,13 +4495,14 @@ diff -b -B --ignore-all-space --exclude-
  files_read_usr_files(hplip_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.32/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2010-01-18 18:24:22.774530577 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/dbus.if	2010-02-09 15:13:10.361616292 +0100
-@@ -375,6 +375,8 @@
++++ serefpolicy-3.6.32/policy/modules/services/dbus.if	2010-03-01 16:43:21.835743624 +0100
+@@ -375,6 +375,9 @@
  	dbus_system_bus_client($1)
  	dbus_connect_system_bus($1)
  
 +	ps_process_pattern(system_dbusd_t, $1)
 +
++	userdom_read_all_users_state($1)
  	userdom_dontaudit_search_admin_dir($1)
  
  	optional_policy(`
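Review bot: `userdom_read_all_users_state($1)` is added inside a shared dbus interface whose header is outside the hunk (from the neighbouring `dbus_system_bus_client($1)` / `dbus_connect_system_bus($1)` calls this appears to be the template that every system bus service domain calls), so every such domain gains read access to the /proc state of all user processes, not only the one service that produced the denial. That is wider than the `ps_process_pattern(system_dbusd_t, $1)` line already here, which goes the other way and only lets the bus daemon inspect the service. Unless every bus service genuinely needs it, drop the line from the template and add `userdom_read_all_users_state(<that domain>)` to the specific .te that triggered it, with a comment naming the access that needed it.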
@@ -3863,6 +4597,49 @@ diff -b -B --ignore-all-space --exclude-
  dev_rw_netcontrol(devicekit_power_t)
  dev_rw_sysfs(devicekit_power_t)
  
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.6.32/policy/modules/services/dhcp.if
+--- nsaserefpolicy/policy/modules/services/dhcp.if	2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/services/dhcp.if	2010-03-01 15:53:56.974502467 +0100
+@@ -2,6 +2,25 @@
+ 
+ ########################################
+ ## <summary>
++##  Transition to dhcpd.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`dhcpd_domtrans',`
++    gen_require(`
++        type dhcpd_t, dhcpd_exec_t;
++    ')
++
++    corecmd_search_bin($1)
++    domtrans_pattern($1, dhcpd_exec_t, dhcpd_t)
++')
++
++########################################
++## <summary>
+ ##	Set the attributes of the DCHP
+ ##	server state files.
+ ## </summary>
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.6.32/policy/modules/services/dhcp.te
+--- nsaserefpolicy/policy/modules/services/dhcp.te	2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/services/dhcp.te	2010-03-01 09:56:40.715740296 +0100
+@@ -112,6 +112,10 @@
+ ')
+ 
+ optional_policy(`
++	cobbler_dontaudit_rw_log(dhcpd_t)
++')
++
++optional_policy(`
+ 	dbus_system_bus_client(dhcpd_t)
+ 	dbus_connect_system_bus(dhcpd_t)
+ ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.6.32/policy/modules/services/djbdns.if
 --- nsaserefpolicy/policy/modules/services/djbdns.if	2009-09-16 16:01:19.000000000 +0200
 +++ serefpolicy-3.6.32/policy/modules/services/djbdns.if	2010-02-11 12:35:57.243619172 +0100
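Review bot: The new `dhcpd_domtrans` interface in dhcp.if is indented with four spaces while the existing interfaces around it use tabs, and its summary `Transition to dhcpd.` is thinner than the file's convention; use tabs and a summary such as `Execute dhcpd in the dhcpd domain.` so the generated interface documentation matches the rest of the module. In dhcp.te, `cobbler_dontaudit_rw_log(dhcpd_t)` silences a descriptor that cobblerd leaks into dhcpd (the interface's own doc calls it a leaked fd); that is fine as a quieting measure, but a one-line comment such as `# leaked cobbler log fd; real fix is close-on-exec in cobblerd` would keep the dontaudit from being mistaken for an intended grant.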
@@ -3941,6 +4718,54 @@ diff -b -B --ignore-all-space --exclude-
 +
  /var/run/dnsmasq\.pid		--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
  /var/run/libvirt/network(/.*)?		gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.6.32/policy/modules/services/dnsmasq.if
+--- nsaserefpolicy/policy/modules/services/dnsmasq.if	2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/services/dnsmasq.if	2010-03-01 15:57:23.556490055 +0100
+@@ -96,6 +96,44 @@
+ 	allow $1 dnsmasq_t:process sigkill;
+ ')
+ 
++#######################################
++## <summary>
++##  Read dnsmasq config files.
++## </summary>
++## <param name="domain">
++## <summary>
++##  Domain allowed.
++## </summary>
++## </param>
++#
++interface(`dnsmasq_read_config',`
++    gen_require(`
++        type dnsmasq_etc_t;
++    ')
++
++    read_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t)
++    files_search_etc($1)
++')
++
++#######################################
++## <summary>
++##  Write to dnsmasq config files.
++## </summary>
++## <param name="domain">
++## <summary>
++##  Domain allowed.
++## </summary>
++## </param>
++#
++interface(`dnsmasq_write_config',`
++    gen_require(`
++        type dnsmasq_etc_t;
++    ')
++
++    write_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t)
++    files_search_etc($1)
++')
++
+ ########################################
+ ## <summary>
+ ##	Delete dnsmasq pid files
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.32/policy/modules/services/dnsmasq.te
 --- nsaserefpolicy/policy/modules/services/dnsmasq.te	2010-01-18 18:24:22.780530921 +0100
 +++ serefpolicy-3.6.32/policy/modules/services/dnsmasq.te	2010-02-12 17:24:31.727729095 +0100
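Review bot: Both new interfaces in dnsmasq.if are indented with four spaces where the file uses tabs (compare the `allow $1 dnsmasq_t:process sigkill;` line just above them), and their `#######` header rule appears one character short of the 40-column rule the existing interfaces use; match the surrounding style. On substance, `dnsmasq_write_config` grants `write_files_pattern` only, so a caller that replaces a `dnsmasq_etc_t` file by creating a new one and renaming it over the old will still be denied; that is the right minimal grant for in-place edits, but the summary should say `Write to existing dnsmasq config files (no create/unlink).` so callers such as cobblerd know what they are getting.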
@@ -5163,6 +5988,50 @@ diff -b -B --ignore-all-space --exclude-
  /usr/sbin/gpm		--	gen_context(system_u:object_r:gpm_exec_t,s0)
 +
 +/var/run/gpm\.pid  -- gen_context(system_u:object_r:gpm_var_run_t,s0) 
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.32/policy/modules/services/hal.te
+--- nsaserefpolicy/policy/modules/services/hal.te	2010-01-18 18:24:22.795530524 +0100
++++ serefpolicy-3.6.32/policy/modules/services/hal.te	2010-03-01 15:09:45.271494370 +0100
+@@ -121,6 +121,7 @@
+ corenet_udp_sendrecv_all_ports(hald_t)
+ 
+ dev_rw_usbfs(hald_t)
++dev_read_rand(hald_t)
+ dev_read_urand(hald_t)
+ dev_read_input(hald_t)
+ dev_read_mouse(hald_t)
+@@ -272,6 +273,10 @@
+ ')
+ 
+ optional_policy(`
++	gnome_read_config(hald_t)
++')  
++
++optional_policy(`
+ 	gpm_dontaudit_getattr_gpmctl(hald_t)
+ ')
+ 
+@@ -331,6 +336,10 @@
+ ')
+ 
+ optional_policy(`
++	usbmuxd_stream_connect(hald_t)
++')  
++
++optional_policy(`
+ 	vbetool_domtrans(hald_t)
+ ')
+ 
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.6.32/policy/modules/services/inn.te
+--- nsaserefpolicy/policy/modules/services/inn.te	2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/services/inn.te	2010-03-01 15:13:35.203742322 +0100
+@@ -104,6 +104,7 @@
+ 
+ sysnet_read_config(innd_t)
+ 
++userdom_stream_connect(innd_t)
+ userdom_dontaudit_use_unpriv_user_fds(innd_t)
+ userdom_dontaudit_search_user_home_dirs(innd_t)
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.6.32/policy/modules/services/kerberos.if
 --- nsaserefpolicy/policy/modules/services/kerberos.if	2010-01-18 18:24:22.799531033 +0100
 +++ serefpolicy-3.6.32/policy/modules/services/kerberos.if	2010-01-22 17:08:10.300604739 +0100
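Review bot: `dev_read_rand(hald_t)` is added next to the existing `dev_read_urand(hald_t)`; reading /dev/random drains the blocking entropy pool, so unless hald has a real need for the blocking device the denial that prompted this would be better handled with a dontaudit rule on the random device — worth confirming against the AVC. The `userdom_stream_connect(innd_t)` addition in inn.te is not mentioned in the commit message and, by refpolicy convention, lets innd connect to unix stream sockets in user temporary directories of any user domain; a one-line comment naming the client path that needs it (`# innd connects to <client> socket`) would justify the breadth. The remaining hald additions (`gnome_read_config` and `usbmuxd_stream_connect`) match the log message.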
@@ -5484,30 +6353,61 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.32/policy/modules/services/nagios.if
 --- nsaserefpolicy/policy/modules/services/nagios.if	2010-01-18 18:24:22.821530899 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/nagios.if	2010-02-21 19:01:11.642309589 +0100
-@@ -134,6 +134,7 @@
++++ serefpolicy-3.6.32/policy/modules/services/nagios.if	2010-03-01 16:06:40.837490351 +0100
+@@ -119,6 +119,26 @@
+ 	read_files_pattern($1, nagios_log_t, nagios_log_t)
+ ')
+ 
++#######################################
++## <summary>
++## Allow the specified domain to read
++## nagios temporary files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`nagios_rw_inerited_tmp_files',`
++	gen_require(`
++		type nagios_tmp_t;
++	')
++
++	allow $1 nagios_tmp_t:file rw_inherited_file_perms;
++	files_search_tmp($1)
++') 
++
+ ########################################
+ ## <summary>
+ ##      Create a set of derived types for various
+@@ -134,6 +154,7 @@
  
      	gen_require(`
          	type nagios_t, nrpe_t;
-+		type nagios_log_t;
++		type nagios_log_t, nagios_tmp_t;
      	')
  
  	type nagios_$1_plugin_t;
-@@ -150,8 +151,11 @@
+@@ -150,8 +171,15 @@
          # needed by command.cfg
          domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
      
 +	allow nagios_t nagios_$1_plugin_t:process signal_perms;
 +
++	allow nagios_$1_plugin_t nagios_tmp_t:file rw_inherited_file_perms;
++
          # cjp: leaked file descriptor
          dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write };
 +	dontaudit nagios_$1_plugin_t nagios_log_t:file { read write };
++
++	files_search_tmp(nagios_$1_plugin_t)
  
          miscfiles_read_localization(nagios_$1_plugin_t)
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te
 --- nsaserefpolicy/policy/modules/services/nagios.te	2010-01-18 18:24:22.823530245 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/nagios.te	2010-02-21 19:02:48.521559835 +0100
++++ serefpolicy-3.6.32/policy/modules/services/nagios.te	2010-03-01 13:28:37.750491019 +0100
 @@ -45,10 +45,18 @@
  type nrpe_var_run_t;
  files_pid_file(nrpe_var_run_t)
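Review bot: The new interface is named `nagios_rw_inerited_tmp_files` — "inerited" is a typo in what becomes a public interface name, and once other modules call it a rename breaks them, so fix it before it ships: `interface(`nagios_rw_inherited_tmp_files',`. Its summary says "Allow the specified domain to read nagios temporary files" but the rule grants `rw_inherited_file_perms`, so the summary should read "Read and write inherited nagios temporary files." The `allow nagios_$1_plugin_t nagios_tmp_t:file rw_inherited_file_perms;` line added to the plugin template duplicates the new interface's body together with `files_search_tmp`; calling the interface there keeps the two in step. The closing `') ` of the new interface has trailing whitespace.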
@@ -5636,7 +6536,16 @@ diff -b -B --ignore-all-space --exclude-
  
  ######################################
  #
-@@ -315,6 +390,10 @@
+@@ -290,6 +365,8 @@
+ allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
+ allow nagios_services_plugin_t self:udp_socket create_socket_perms;
+ 
++kernel_read_system_state(nagios_services_plugin_t)
++
+ corecmd_exec_bin(nagios_services_plugin_t)
+ 
+ corenet_tcp_connect_all_ports(nagios_services_plugin_t)
+@@ -315,6 +392,10 @@
  	mysql_stream_connect(nagios_services_plugin_t)
  ')
  
@@ -6095,7 +7004,7 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.6.32/policy/modules/services/rgmanager.te
 --- nsaserefpolicy/policy/modules/services/rgmanager.te	2010-01-18 18:24:22.871540122 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/rgmanager.te	2010-02-23 18:54:23.577526518 +0100
++++ serefpolicy-3.6.32/policy/modules/services/rgmanager.te	2010-03-01 09:17:31.825491287 +0100
 @@ -22,6 +22,9 @@
  type rgmanager_tmp_t;
  files_tmp_file(rgmanager_tmp_t)
@@ -6106,16 +7015,18 @@ diff -b -B --ignore-all-space --exclude-
  # log files
  type rgmanager_var_log_t;
  logging_log_file(rgmanager_var_log_t)
-@@ -36,7 +39,7 @@
+@@ -36,8 +39,9 @@
  # rgmanager local policy
  #
  
 -allow rgmanager_t self:capability { sys_nice ipc_lock };
-+allow rgmanager_t self:capability { dac_override sys_nice sys_resource ipc_lock };
++allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
  dontaudit rgmanager_t self:capability { sys_ptrace };
++
  allow rgmanager_t self:process { setsched signal };
  dontaudit rgmanager_t self:process { ptrace };
-@@ -51,6 +54,10 @@
+ 
+@@ -51,6 +55,10 @@
  manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
  files_tmp_filetrans(rgmanager_t, rgmanager_tmp_t, { file dir })
  
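Review bot: The rewritten capability line now grants rgmanager_t `sys_admin` and `net_raw` on top of the earlier set, with no comment saying which operation needs them. `sys_admin` is the broadest capability (mounts, many privileged ioctls) and largely undoes the benefit of confining the domain, so the concrete need should be recorded beside the rule, e.g. `# sys_admin/net_raw: <operation>, see <BUG-ID-PLACEHOLDER>`, and it is worth checking whether the observed denial is covered by a narrower capability already in the set. The rgmanager_t policy block continues outside this hunk.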
@@ -6126,7 +7037,7 @@ diff -b -B --ignore-all-space --exclude-
  # log files
  manage_files_pattern(rgmanager_t, rgmanager_var_log_t,rgmanager_var_log_t)
  logging_log_filetrans(rgmanager_t,rgmanager_var_log_t,{ file })
-@@ -60,35 +67,44 @@
+@@ -60,35 +68,44 @@
  manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
  files_pid_filetrans(rgmanager_t,rgmanager_var_run_t, { file sock_file })
  
@@ -6179,7 +7090,7 @@ diff -b -B --ignore-all-space --exclude-
  
  fs_getattr_xattr_fs(rgmanager_t)
  
-@@ -104,11 +120,18 @@
+@@ -104,11 +121,18 @@
  
  miscfiles_read_localization(rgmanager_t)
  
@@ -6198,7 +7109,7 @@ diff -b -B --ignore-all-space --exclude-
  
  optional_policy(`
          apache_domtrans(rgmanager_t)
-@@ -158,11 +181,16 @@
+@@ -158,11 +182,16 @@
  ')
  
  optional_policy(`
@@ -6215,7 +7126,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -183,5 +211,16 @@
+@@ -183,5 +212,16 @@
  	udev_read_db(rgmanager_t)
  ')
  
@@ -6329,7 +7240,7 @@ diff -b -B --ignore-all-space --exclude-
  ##      Execute a domain transition to run groupd.
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.6.32/policy/modules/services/rhcs.te
 --- nsaserefpolicy/policy/modules/services/rhcs.te	2010-01-18 18:24:22.874530726 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/rhcs.te	2010-02-23 15:15:57.274776910 +0100
++++ serefpolicy-3.6.32/policy/modules/services/rhcs.te	2010-03-01 09:19:23.343490629 +0100
 @@ -1,5 +1,5 @@
  
 -policy_module(rhcs,1.0.0)
@@ -6502,7 +7413,7 @@ diff -b -B --ignore-all-space --exclude-
  allow fenced_t self:tcp_socket create_stream_socket_perms;
  allow fenced_t self:udp_socket create_socket_perms;
  
-@@ -166,25 +74,15 @@
+@@ -166,25 +74,17 @@
  # tmp files
  manage_dirs_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
  manage_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
@@ -6531,10 +7442,12 @@ diff -b -B --ignore-all-space --exclude-
 -ccs_stream_connect(fenced_t)
 +
 +kernel_read_system_state(fenced_t)
++
++corenet_tcp_connect_http_port(fenced_t) 
  
  corecmd_exec_bin(fenced_t)
  
-@@ -195,19 +93,13 @@
+@@ -195,19 +95,13 @@
  storage_raw_write_fixed_disk(fenced_t)
  storage_raw_read_removable_device(fenced_t)
  
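Review bot: `corenet_tcp_connect_http_port(fenced_t)` is added unconditionally, although the following hunk still gates `corenet_tcp_connect_all_ports(fenced_t)` behind the `fenced_can_network_connect` tunable. If HTTP is needed only by particular fence agents (presumably ones that talk to management controllers over HTTP), say so in a comment, `# fence agents that reach management controllers over HTTP`, and consider whether the grant belongs under the same tunable; an always-on outbound HTTP permission on a cluster daemon should at least be explained. The new line also carries trailing whitespace, and the fenced_t block continues outside this hunk.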
@@ -6555,7 +7468,7 @@ diff -b -B --ignore-all-space --exclude-
  tunable_policy(`fenced_can_network_connect',`
          corenet_tcp_connect_all_ports(fenced_t)
  ')
-@@ -217,10 +109,6 @@
+@@ -217,10 +111,6 @@
  ')
  
  optional_policy(`
@@ -6566,7 +7479,7 @@ diff -b -B --ignore-all-space --exclude-
          lvm_domtrans(fenced_t)
          lvm_read_config(fenced_t)
  ')
-@@ -230,53 +118,26 @@
+@@ -230,53 +120,26 @@
  # gfs_controld local policy
  #
  
@@ -6626,7 +7539,7 @@ diff -b -B --ignore-all-space --exclude-
  optional_policy(`
          lvm_exec(gfs_controld_t)
          dev_rw_lvm_control(gfs_controld_t)
-@@ -290,78 +151,29 @@
+@@ -290,78 +153,29 @@
  allow groupd_t self:capability { sys_nice sys_resource };
  allow groupd_t self:process setsched;
  
@@ -6707,7 +7620,7 @@ diff -b -B --ignore-all-space --exclude-
  corecmd_getattr_sbin_files(qdiskd_t)
  corecmd_exec_shell(qdiskd_t)
  
-@@ -391,13 +203,6 @@
+@@ -391,13 +205,6 @@
  
  files_read_etc_files(qdiskd_t)
  
@@ -6721,7 +7634,7 @@ diff -b -B --ignore-all-space --exclude-
  optional_policy(`
          netutils_domtrans_ping(qdiskd_t)
  ')
-@@ -406,5 +211,28 @@
+@@ -406,5 +213,28 @@
         udev_read_db(qdiskd_t)
  ')
  
@@ -6829,6 +7742,51 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  #
  # NFSD local policy
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.if serefpolicy-3.6.32/policy/modules/services/rsync.if
+--- nsaserefpolicy/policy/modules/services/rsync.if	2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/services/rsync.if	2010-03-01 16:02:14.881494801 +0100
+@@ -103,3 +103,41 @@
+ 
+ 	can_exec($1, rsync_exec_t)
+ ')
++
++#######################################
++## <summary>
++##  Read rsync config files.
++## </summary>
++## <param name="domain">
++## <summary>
++##  Domain allowed.
++## </summary>
++## </param>
++#
++interface(`rsync_read_config',`
++    gen_require(`
++        type rsync_etc_t;
++    ')
++
++    read_files_pattern($1, rsync_etc_t, rsync_etc_t)
++    files_search_etc($1)
++')
++
++#######################################
++## <summary>
++##  Write to rsync config files.
++## </summary>
++## <param name="domain">
++## <summary>
++##  Domain allowed.
++## </summary>
++## </param>
++#
++interface(`rsync_write_config',`
++    gen_require(`
++        type rsync_etc_t;
++    ')
++
++    write_files_pattern($1, rsync_etc_t, rsync_etc_t)
++    files_search_etc($1)
++')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2010-01-18 18:24:22.886540773 +0100
 +++ serefpolicy-3.6.32/policy/modules/services/samba.te	2010-02-23 10:50:43.134867505 +0100
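Review bot: The two new interfaces `rsync_read_config` and `rsync_write_config` are indented with four spaces, while the surrounding file (see the `can_exec($1, rsync_exec_t)` context line) uses tabs; the same mismatch appears in the new tftp.if, selinuxutil.if and xen.te hunks of this patch. Their `<param>` summaries read "Domain allowed." where the other interfaces added by this patch use "Domain allowed access."; one phrasing keeps the generated interface docs consistent. `rsync_write_config` grants write without read; if the intended caller edits the file in place (read-modify-write), a `rw_files_pattern` variant would be the usual shape — confirm against that caller.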
@@ -7460,6 +8418,36 @@ diff -b -B --ignore-all-space --exclude-
  
  optional_policy(`
  	dbus_system_bus_client(sssd_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.if serefpolicy-3.6.32/policy/modules/services/tftp.if
+--- nsaserefpolicy/policy/modules/services/tftp.if	2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/services/tftp.if	2010-03-01 15:59:20.787741600 +0100
+@@ -18,6 +18,26 @@
+ 	read_files_pattern($1, tftpdir_t, tftpdir_t)
+ ')
+ 
++#######################################
++## <summary>
++##  Manage tftp /var/lib files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`tftp_manage_rw_content',`
++    gen_require(`
++        type tftpdir_rw_t;
++    ')
++
++    files_search_var_lib($1)
++    manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
++    manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	All of the rules required to administrate 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.6.32/policy/modules/services/tftp.te
 --- nsaserefpolicy/policy/modules/services/tftp.te	2009-09-16 16:01:19.000000000 +0200
 +++ serefpolicy-3.6.32/policy/modules/services/tftp.te	2010-01-19 12:02:02.773609654 +0100
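Review bot: The summary of `tftp_manage_rw_content` says "Manage tftp /var/lib files", but the interface grants full create/read/write/delete on `tftpdir_rw_t` dirs and files; naming the type and its role is more useful to callers, e.g. `##  Create, read, write, and delete content in the writable tftp directory (tftpdir_rw_t).` The `files_search_var_lib($1)` call suggests the type is rooted under /var/lib, but the matching .fc entry is not in this hunk, so confirm before wording the summary around it. Indentation is four spaces against the file's tabs (raised on the rsync.if hunk).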
@@ -7716,7 +8704,7 @@ diff -b -B --ignore-all-space --exclude-
  	read_lnk_files_pattern($1_t, $1_image_t, $1_image_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2010-01-18 18:24:22.915540061 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/virt.te	2010-02-11 20:30:04.756691338 +0100
++++ serefpolicy-3.6.32/policy/modules/services/virt.te	2010-03-01 17:22:48.963740399 +0100
 @@ -1,5 +1,5 @@
  
 -policy_module(virt, 1.2.1)
@@ -7764,6 +8752,18 @@ diff -b -B --ignore-all-space --exclude-
  
  domain_use_interactive_fds(virt_domain)
  
+@@ -446,6 +450,11 @@
+ fs_rw_anon_inodefs_files(virt_domain)
+ fs_rw_tmpfs_files(virt_domain)
+ 
++# we need these for now.
++miscfiles_read_public_files(virt_domain)
++storage_raw_read_removable_device(virt_domain)
++
++
+ term_use_all_terms(virt_domain)
+ term_getattr_pty_fs(virt_domain)
+ term_use_generic_ptys(virt_domain)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc
 --- nsaserefpolicy/policy/modules/services/xserver.fc	2010-01-18 18:24:22.917530119 +0100
 +++ serefpolicy-3.6.32/policy/modules/services/xserver.fc	2010-02-03 14:24:48.062145095 +0100
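Review bot: The comment `# we need these for now.` above `miscfiles_read_public_files(virt_domain)` and `storage_raw_read_removable_device(virt_domain)` gives neither the reason nor a removal condition, and raw read of removable block devices for every virt_domain is a broad grant. Replace it with something that can be acted on later, e.g. `# TODO: temporary, <reason / BUG-ID-PLACEHOLDER>; drop once <condition>`. There is also a doubled blank line after the new rules; one is enough.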
@@ -8522,7 +9522,7 @@ diff -b -B --ignore-all-space --exclude-
  domain_read_all_domains_state(iscsid_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2010-01-18 18:24:22.945540594 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc	2010-02-25 10:34:31.079617322 +0100
++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc	2010-03-01 15:02:25.227490412 +0100
 @@ -245,8 +245,12 @@
  # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
  /usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -8547,7 +9547,7 @@ diff -b -B --ignore-all-space --exclude-
  /usr/lib(64)?/libSDL-.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/xulrunner-[^/]*/libxul\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -432,9 +434,21 @@
+@@ -432,9 +434,22 @@
  
  /usr/lib(64)?/octagaplayer/libapplication\.so		     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
@@ -8563,6 +9563,7 @@ diff -b -B --ignore-all-space --exclude-
  
  /usr/lib/firefox/plugins/libractrl\.so	     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libGLcore\.so.*	     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libGTL.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/lib(64)?/libkmplayercommon\.so.*      --   gen_context(system_u:object_r:textrel_shlib_t,s0)  
 +/usr/lib(64)?/transcode/filter_yuvdenoise\.so	--   gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -8771,8 +9772,8 @@ diff -b -B --ignore-all-space --exclude-
  optional_policy(`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.6.32/policy/modules/system/miscfiles.fc
 --- nsaserefpolicy/policy/modules/system/miscfiles.fc	2010-01-18 18:24:22.954530704 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/miscfiles.fc	2010-02-21 19:50:59.003309596 +0100
-@@ -71,6 +71,8 @@
++++ serefpolicy-3.6.32/policy/modules/system/miscfiles.fc	2010-03-01 09:54:58.045489944 +0100
+@@ -71,10 +71,15 @@
  
  /var/lib/texmf(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
  
@@ -8781,6 +9782,13 @@ diff -b -B --ignore-all-space --exclude-
  /var/cache/fontconfig(/.*)?	gen_context(system_u:object_r:fonts_cache_t,s0)
  /var/cache/fonts(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
  /var/cache/man(/.*)?		gen_context(system_u:object_r:man_t,s0)
+ 
++/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
++
++/var/www/cobbler/images(/.*)?   gen_context(system_u:object_r:public_content_rw_t, s0)
+ /var/spool/texmf(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
+ 
+ ifdef(`distro_debian',`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.32/policy/modules/system/miscfiles.if
 --- nsaserefpolicy/policy/modules/system/miscfiles.if	2010-01-18 18:24:22.955540050 +0100
 +++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if	2010-01-22 16:24:01.851857861 +0100
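Review bot: The two new cobbler entries label `/var/lib/cobbler/webui_sessions` and `/var/www/cobbler/images` as `public_content_rw_t` inside miscfiles.fc rather than in cobbler's own .fc file, so the cobbler module does not visibly own them. The session directory presumably holds web UI session state, which is more sensitive than the "public content" the shared type's name implies; confirm that a cobbler-specific type would not be more appropriate, or add a comment recording why the shared type was chosen. The contexts also use `, s0)` with a space where the surrounding entries use `,s0)`.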
@@ -8827,7 +9835,7 @@ diff -b -B --ignore-all-space --exclude-
 +')   
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.32/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te	2010-01-18 18:24:22.959530712 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/modutils.te	2010-02-09 09:59:53.815865530 +0100
++++ serefpolicy-3.6.32/policy/modules/system/modutils.te	2010-03-01 09:21:42.982491122 +0100
 @@ -131,6 +131,7 @@
  kernel_read_debugfs(insmod_t)
  # Rules for /proc/sys/kernel/tainted
@@ -8836,6 +9844,14 @@ diff -b -B --ignore-all-space --exclude-
  kernel_rw_kernel_sysctl(insmod_t)
  kernel_read_hotplug_sysctls(insmod_t)
  kernel_setsched(insmod_t)
+@@ -165,6 +166,7 @@
+ 
+ fs_getattr_xattr_fs(insmod_t)
+ fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
++fs_search_rpc(insmod_t)
+ fs_mount_rpc_pipefs(insmod_t)
+ 
+ init_rw_initctl(insmod_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.32/policy/modules/system/mount.if
 --- nsaserefpolicy/policy/modules/system/mount.if	2010-01-18 18:24:22.960539988 +0100
 +++ serefpolicy-3.6.32/policy/modules/system/mount.if	2010-02-17 16:23:56.866863904 +0100
@@ -8897,6 +9913,37 @@ diff -b -B --ignore-all-space --exclude-
  
  	rpc_domtrans_rpcd(unconfined_mount_t)
  	devicekit_dbus_chat_disk(unconfined_mount_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.32/policy/modules/system/selinuxutil.if
+--- nsaserefpolicy/policy/modules/system/selinuxutil.if	2010-01-18 18:24:22.965530078 +0100
++++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.if	2010-03-01 16:18:46.909490203 +0100
+@@ -1142,6 +1142,27 @@
+ 	role $2 types setsebool_t;
+ ')
+ 
++#######################################
++## <summary>
++##  Full management of the semanage
++##  module store.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`seutil_read_module_store',`
++    gen_require(`
++        type selinux_config_t, semanage_store_t;
++    ')
++
++    files_search_etc($1)
++    list_dirs_pattern($1, selinux_config_t, semanage_store_t)
++    read_files_pattern($1, semanage_store_t, semanage_store_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	Full management of the semanage
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.32/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2010-01-18 18:24:22.967540599 +0100
 +++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.te	2010-01-18 18:27:02.789530951 +0100
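Review bot: The summary of the new `seutil_read_module_store` interface says "Full management of the semanage module store", copied from the neighbouring interface visible in the trailing context, but the body only searches, lists and reads (`list_dirs_pattern`, `read_files_pattern`). Change it to `##  Read the semanage module store.` so the generated docs do not overstate the grant — someone auditing which domains can modify the policy store would otherwise count this one. The interface is also indented with spaces against the file's tabs (raised on the rsync.if hunk).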
@@ -8908,6 +9955,17 @@ diff -b -B --ignore-all-space --exclude-
  
  miscfiles_read_localization(load_policy_t)
  
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.6.32/policy/modules/system/sysnetwork.fc
+--- nsaserefpolicy/policy/modules/system/sysnetwork.fc	2010-01-18 18:24:22.968540028 +0100
++++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.fc	2010-03-01 16:01:07.867490672 +0100
+@@ -11,6 +11,7 @@
+ /etc/dhclient-script	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
+ /etc/dhcpc.*			gen_context(system_u:object_r:dhcp_etc_t,s0)
+ /etc/dhcpd\.conf	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
++/etc/dhcp/dhcpd\.conf   --  gen_context(system_u:object_r:dhcp_etc_t,s0)
+ /etc/hosts		--	gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/yp\.conf.*		--	gen_context(system_u:object_r:net_conf_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.32/policy/modules/system/sysnetwork.if
 --- nsaserefpolicy/policy/modules/system/sysnetwork.if	2010-01-18 18:24:22.969542320 +0100
 +++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.if	2010-02-16 16:50:00.011598570 +0100
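Review bot: The new `/etc/dhcp/dhcpd\.conf` entry uses runs of spaces where the neighbouring entries are tab-aligned; match the column layout so the file stays consistent. If the dhcp package has moved other files under /etc/dhcp (dhclient.conf, for example), those would need entries too — not visible here, so confirm against the package's file list.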
@@ -9054,7 +10112,7 @@ diff -b -B --ignore-all-space --exclude-
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.32/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2010-01-18 18:24:22.987540070 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/xen.te	2010-02-22 12:49:42.249615189 +0100
++++ serefpolicy-3.6.32/policy/modules/system/xen.te	2010-03-01 16:28:30.815490952 +0100
 @@ -13,6 +13,8 @@
  ## </desc>
  gen_tunable(xen_use_nfs, false)
@@ -9099,7 +10157,29 @@ diff -b -B --ignore-all-space --exclude-
  fs_search_xenfs(xenstored_t)
  
  storage_raw_read_fixed_disk(xenstored_t)
-@@ -431,11 +440,15 @@
+@@ -413,12 +422,21 @@
+ xen_stream_connect_xenstore(xm_t)
+ 
+ optional_policy(`
++    dbus_system_bus_client(xm_t)
++    optional_policy(`
++        hal_dbus_chat(xm_t)
++    ')
++') 
++
++optional_policy(`
+ 	vhostmd_rw_tmpfs_files(xm_t)
+     	vhostmd_stream_connect(xm_t)
+ 	vhostmd_dontaudit_rw_stream_connect(xm_t)
+ ')
+ 
+ optional_policy(`
++	virt_domtrans(xm_t)
++	virt_manage_config(xm_t)
+ 	virt_manage_images(xm_t)
+ 	virt_stream_connect(xm_t)
+ ')
+@@ -431,11 +449,15 @@
  kernel_read_xen_state(xm_ssh_t)
  kernel_write_xen_state(xm_ssh_t)
  
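Review bot: The new `dbus_system_bus_client(xm_t)` / `hal_dbus_chat(xm_t)` block is indented with spaces and its closing `') ` has trailing whitespace, while the file otherwise uses tabs (raised on the rsync.if hunk). `virt_domtrans(xm_t)` and `virt_manage_config(xm_t)` widen xm_t noticeably — a domain transition into the virt domain and write access to its configuration — with no comment on what xm does that needs them; a one-line why-comment such as `# xm runs virt tools and edits virt config, see <BUG-ID-PLACEHOLDER>` would help. The xm_t block continues outside this hunk.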


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.1026
retrieving revision 1.1027
diff -u -p -r1.1026 -r1.1027
--- selinux-policy.spec	26 Feb 2010 16:54:53 -0000	1.1026
+++ selinux-policy.spec	1 Mar 2010 16:42:02 -0000	1.1027
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.32
-Release: 95%{?dist}
+Release: 96%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,12 @@ exit 0
 %endif
 
 %changelog
+* Mon Mar 1 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-96
+- Add cachefilesfd policy
+- Update cobbler policy from F13
+- Allow hald connect to usbmuxd over a unix domain
+- Allow staff_t to read semanage module store
+
 * Fri Feb 26 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-95
 - Add fixes from Dan Walsh
 


