[selinux-policy/f13/master] - Add cluster_var_lib_t type and label for /var/lib/cluster
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Sep 16 15:27:27 UTC 2010
commit 01c9e8a4f30b9e57334abb9d841108c36603e4ff
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Thu Sep 16 17:27:15 2010 +0200
- Add cluster_var_lib_t type and label for /var/lib/cluster
policy-F13.patch | 1629 +++++++++++++++++++++++++++++++++++++++++----------
selinux-policy.spec | 5 +-
2 files changed, 1337 insertions(+), 297 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index ee93bb4..ec44540 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -544,7 +544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.7.19/policy/modules/admin/logrotate.te
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/admin/logrotate.te 2010-05-28 09:41:59.951610956 +0200
++++ serefpolicy-3.7.19/policy/modules/admin/logrotate.te 2010-09-16 15:32:06.757637046 +0200
@@ -32,7 +32,7 @@
# Change ownership on log files.
allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
@@ -581,6 +581,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
cron_system_entry(logrotate_t, logrotate_exec_t)
cron_search_spool(logrotate_t)
+@@ -125,7 +128,7 @@
+ mta_send_mail(logrotate_t)
+
+ ifdef(`distro_debian', `
+- allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
++ allow logrotate_t logrotate_tmp_t:file relabel_file_perms;
+ # for savelog
+ can_exec(logrotate_t, logrotate_exec_t)
+
@@ -137,6 +140,10 @@
')
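Review bot: `relabel_file_perms` expands to `{ getattr relabelfrom relabelto }` in refpolicy's obj_perm_sets.spt, so swapping it in for `{ relabelfrom relabelto }` on the `logrotate_t logrotate_tmp_t:file` rule adds getattr rather than being a pure rewrite; presumably harmless for a domain that already manages its tmp files, but it is a permission change, not a cleanup. The same substitution is made for `prelink_object` in the prelink.te hunk and, via `relabel_chr_file_perms`, for `console_device_t`, `tty_device_t` and `ttynode` in the three terminal.if hunks, and none of it is mentioned in the commit message, which names only cluster_var_lib_t. The enclosing `ifdef(`distro_debian',` block closes outside this hunk.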
@@ -1131,7 +1140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.19/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/admin/prelink.te 2010-08-13 08:05:22.243084958 +0200
++++ serefpolicy-3.7.19/policy/modules/admin/prelink.te 2010-09-16 15:32:42.205637133 +0200
@@ -21,8 +21,21 @@
type prelink_tmp_t;
files_tmp_file(prelink_tmp_t)
@@ -1163,7 +1172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
allow prelink_t prelink_log_t:dir setattr;
create_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
-@@ -45,10 +57,14 @@
+@@ -45,15 +57,19 @@
allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod };
files_tmp_filetrans(prelink_t, prelink_tmp_t, file)
@@ -1179,6 +1188,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
files_search_var_lib(prelink_t)
# prelink misc objects that are not system
+ # libraries or entrypoints
+-allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom };
++allow prelink_t prelink_object:file { manage_file_perms execute relabel_file_perms };
+
+ kernel_read_system_state(prelink_t)
+ kernel_read_kernel_sysctls(prelink_t)
@@ -64,6 +80,7 @@
corecmd_read_bin_symlinks(prelink_t)
@@ -3036,8 +3051,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.i
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.19/policy/modules/apps/chrome.te
--- nsaserefpolicy/policy/modules/apps/chrome.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/apps/chrome.te 2010-09-13 14:43:33.016085201 +0200
-@@ -0,0 +1,88 @@
++++ serefpolicy-3.7.19/policy/modules/apps/chrome.te 2010-09-16 16:57:25.804637037 +0200
+@@ -0,0 +1,89 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -3117,14 +3132,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.t
+')
+
+tunable_policy(`use_nfs_home_dirs',`
-+ fs_dontaudit_append_nfs_files(chrome_sandbox_t)
-+ fs_dontaudit_read_nfs_files(chrome_sandbox_t)
-+ fs_dontaudit_read_nfs_symlinks(chrome_sandbox_t)
++ fs_search_nfs(chrome_sandbox_t)
++ fs_read_inherited_nfs_files(chrome_sandbox_t)
++ fs_read_nfs_symlinks(chrome_sandbox_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
++ fs_search_cifs(chrome_sandbox_t)
++ fs_read_inherited_cifs_files(chrome_sandbox_t)
+ fs_dontaudit_append_cifs_files(chrome_sandbox_t)
-+ fs_dontaudit_read_cifs_files(chrome_sandbox_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.7.19/policy/modules/apps/cpufreqselector.te
--- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 2010-04-13 20:44:37.000000000 +0200
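Review bot: The two home-directory tunable blocks for chrome_sandbox_t no longer mirror each other: `use_nfs_home_dirs` now grants `fs_search_nfs`, `fs_read_inherited_nfs_files` and `fs_read_nfs_symlinks` and drops all three dontaudit rules, while `use_samba_home_dirs` gains `fs_search_cifs` and `fs_read_inherited_cifs_files` but keeps `fs_dontaudit_append_cifs_files` and has no symlink counterpart. Either `fs_read_cifs_symlinks(chrome_sandbox_t)` is missing on the CIFS side or `fs_read_nfs_symlinks` is unneeded on the NFS side; if the asymmetry is deliberate it deserves a one-line comment in each block saying why. Note that the switch from dontaudit to allow is a real widening: `fs_search_nfs` and `fs_read_nfs_symlinks` cover the whole nfs_t type, not only home directories, and only the inherited-file interface is presumably limited to already-open descriptors.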
@@ -6346,7 +6362,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleut
dbus_system_bus_client(podsleuth_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.19/policy/modules/apps/pulseaudio.if
--- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.if 2010-05-28 09:41:59.998610877 +0200
++++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.if 2010-09-16 14:32:51.711386965 +0200
+@@ -17,7 +17,7 @@
+ #
+ interface(`pulseaudio_role',`
+ gen_require(`
+- type pulseaudio_t, pulseaudio_exec_t, print_spool_t;
++ type pulseaudio_t, pulseaudio_exec_t;
+ class dbus { acquire_svc send_msg };
+ ')
+
@@ -104,6 +104,24 @@
can_exec($1, pulseaudio_exec_t)
')
@@ -10859,7 +10884,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.19/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2010-09-09 13:45:53.856085155 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2010-09-16 17:07:16.826386994 +0200
@@ -559,6 +559,24 @@
########################################
@@ -10898,11 +10923,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
')
- allow $1 cifs_t:filesystem getattr;
-+ allow $1 cgroup_t:filesystem getattr;
- ')
-
- ########################################
- ## <summary>
+-')
+-
+-########################################
+-## <summary>
-## list dirs on cgroup
-## file systems.
-## </summary>
@@ -10919,10 +10943,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
- ')
-
- list_dirs_pattern($1, cgroup_t, cgroup_t)
--')
--
--########################################
--## <summary>
++ allow $1 cgroup_t:filesystem getattr;
+ ')
+
+ ########################################
+ ## <summary>
-## Do not audit attempts to read
-## dirs on a CIFS or SMB filesystem.
+## list dirs on cgroup
@@ -11038,7 +11063,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Mount a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
-@@ -1141,7 +1213,7 @@
+@@ -1095,7 +1167,6 @@
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+ interface(`fs_append_cifs_files',`
+ gen_require(`
+@@ -1115,7 +1186,6 @@
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+ interface(`fs_dontaudit_append_cifs_files',`
+ gen_require(`
+@@ -1125,6 +1195,24 @@
+ dontaudit $1 cifs_t:file append_file_perms;
+ ')
+
++#######################################
++## <summary>
++## Read inherited files on a CIFS or SMB filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`fs_read_inherited_cifs_files',`
++ gen_require(`
++ type cifs_t;
++ ')
++
++ allow $1 cifs_t:file read_inherited_file_perms;
++')
++
+ ########################################
+ ## <summary>
+ ## Do not audit attempts to read or
+@@ -1141,7 +1229,7 @@
type cifs_t;
')
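Review bot: The parameter summary of the new `fs_read_inherited_cifs_files` interface says `Domain to not audit.`, but its body is an allow rule (`allow $1 cifs_t:file read_inherited_file_perms;`), so the generated interface documentation states the wrong contract; it should read `Domain allowed access.` like the neighbouring `fs_append_cifs_files`. The same copied text appears on the new `fs_read_inherited_nfs_files` interface in the later filesystem.if hunk. The `read_inherited_file_perms` permission set is not defined in any hunk shown here; if it comes from this patch's obj_perm_sets.spt changes rather than from upstream 3.7.19, confirm that definition is present, since an unknown permission set fails at policy build time.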
@@ -11047,7 +11113,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
')
########################################
-@@ -1404,6 +1476,25 @@
+@@ -1404,6 +1492,25 @@
domain_auto_transition_pattern($1, cifs_t, $2)
')
@@ -11073,7 +11139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
#######################################
## <summary>
## Create, read, write, and delete dirs
-@@ -1831,6 +1922,25 @@
+@@ -1831,6 +1938,25 @@
########################################
## <summary>
@@ -11099,7 +11165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Read and write hugetlbfs files.
## </summary>
## <param name="domain">
-@@ -1847,6 +1957,24 @@
+@@ -1847,6 +1973,24 @@
rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
')
@@ -11124,7 +11190,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
########################################
## <summary>
## Allow the type to associate to hugetlbfs filesystems.
-@@ -1899,6 +2027,7 @@
+@@ -1899,6 +2043,7 @@
')
allow $1 inotifyfs_t:dir list_dir_perms;
@@ -11132,7 +11198,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
')
########################################
-@@ -2295,6 +2424,25 @@
+@@ -2295,6 +2440,25 @@
########################################
## <summary>
@@ -11158,7 +11224,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Append files
## on a NFS filesystem.
## </summary>
-@@ -2349,7 +2497,7 @@
+@@ -2333,6 +2497,24 @@
+ dontaudit $1 nfs_t:file append_file_perms;
+ ')
+
++#######################################
++## <summary>
++## Read inherited files on a NFS filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`fs_read_inherited_nfs_files',`
++ gen_require(`
++ type nfs_t;
++ ')
++
++ allow $1 nfs_t:file read_inherited_file_perms;
++')
++
+ ########################################
+ ## <summary>
+ ## Do not audit attempts to read or
+@@ -2349,7 +2531,7 @@
type nfs_t;
')
@@ -11167,7 +11258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
')
########################################
-@@ -2537,6 +2685,24 @@
+@@ -2537,6 +2719,24 @@
########################################
## <summary>
@@ -11192,7 +11283,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Read removable storage symbolic links.
## </summary>
## <param name="domain">
-@@ -2745,7 +2911,7 @@
+@@ -2745,7 +2945,7 @@
#########################################
## <summary>
## Create, read, write, and delete symbolic links
@@ -11201,7 +11292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## </summary>
## <param name="domain">
## <summary>
-@@ -3812,6 +3978,24 @@
+@@ -3812,6 +4012,24 @@
rw_files_pattern($1, tmpfs_t, tmpfs_t)
')
@@ -11226,7 +11317,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
########################################
## <summary>
## Read tmpfs link files.
-@@ -3870,6 +4054,24 @@
+@@ -3870,6 +4088,24 @@
########################################
## <summary>
@@ -11251,7 +11342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
-@@ -4432,6 +4634,44 @@
+@@ -4432,6 +4668,44 @@
########################################
## <summary>
@@ -11296,7 +11387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Do not audit attempts to get the attributes
## of all files with a filesystem type.
## </summary>
-@@ -4549,3 +4789,24 @@
+@@ -4549,3 +4823,24 @@
relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
')
@@ -11717,7 +11808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.19/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/terminal.if 2010-08-04 15:34:29.688085386 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/terminal.if 2010-09-16 15:33:56.220637065 +0200
@@ -292,9 +292,11 @@
interface(`term_dontaudit_use_console',`
gen_require(`
@@ -11731,6 +11822,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin
')
########################################
+@@ -334,7 +336,7 @@
+ ')
+
+ dev_list_all_dev_nodes($1)
+- allow $1 console_device_t:chr_file { relabelfrom relabelto };
++ allow $1 console_device_t:chr_file relabel_chr_file_perms;
+ ')
+
+ ########################################
@@ -672,6 +674,25 @@
########################################
@@ -11766,6 +11866,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin
')
########################################
+@@ -1097,7 +1118,7 @@
+ ')
+
+ dev_list_all_dev_nodes($1)
+- allow $1 tty_device_t:chr_file { relabelfrom relabelto };
++ allow $1 tty_device_t:chr_file relabel_chr_file_perms;
+ ')
+
+ ########################################
@@ -1196,7 +1217,7 @@
type tty_device_t;
')
@@ -11788,6 +11897,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin
')
########################################
+@@ -1275,7 +1298,7 @@
+ ')
+
+ dev_list_all_dev_nodes($1)
+- allow $1 ttynode:chr_file { relabelfrom relabelto };
++ allow $1 ttynode:chr_file relabel_chr_file_perms;
+ ')
+
+ ########################################
@@ -1333,7 +1356,7 @@
attribute ttynode;
')
@@ -13799,7 +13917,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
+/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.7.19/policy/modules/services/abrt.if
--- nsaserefpolicy/policy/modules/services/abrt.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/abrt.if 2010-06-21 21:22:47.103156860 +0200
++++ serefpolicy-3.7.19/policy/modules/services/abrt.if 2010-09-16 14:47:19.835637495 +0200
@@ -21,7 +21,7 @@
######################################
@@ -13809,7 +13927,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
## </summary>
## <param name="domain">
## <summary>
-@@ -38,6 +38,148 @@
+@@ -38,6 +38,149 @@
can_exec($1, abrt_exec_t)
')
@@ -13863,7 +13981,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
+ gen_require(`
+ type abrt_t;
+ ')
-+
++
++ kernel_search_proc($1)
+ ps_process_pattern($1, abrt_t)
+')
+
@@ -13958,7 +14077,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
####################################
## <summary>
## Read abrt configuration file.
-@@ -76,9 +218,85 @@
+@@ -76,9 +219,85 @@
read_files_pattern($1, abrt_var_log_t, abrt_var_log_t)
')
@@ -14045,7 +14164,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
## an abrt environment
## </summary>
## <param name="domain">
-@@ -95,7 +313,7 @@
+@@ -95,7 +314,7 @@
#
interface(`abrt_admin',`
gen_require(`
@@ -14054,7 +14173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
type abrt_var_cache_t, abrt_var_log_t;
type abrt_var_run_t, abrt_tmp_t;
type abrt_initrc_exec_t;
-@@ -113,7 +331,7 @@
+@@ -113,7 +332,7 @@
admin_pattern($1, abrt_etc_t)
logging_search_logs($1)
@@ -14335,6 +14454,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
+ allow abrt_t domain:file write;
+ allow abrt_t domain:process setrlimit;
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.if serefpolicy-3.7.19/policy/modules/services/afs.if
+--- nsaserefpolicy/policy/modules/services/afs.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/afs.if 2010-09-16 15:14:41.650636974 +0200
+@@ -97,8 +97,8 @@
+ type afs_t, afs_initrc_exec_t;
+ ')
+
+- allow $1 afs_t:process { ptrace signal_perms getattr };
+- read_files_pattern($1, afs_t, afs_t)
++ allow $1 afs_t:process { ptrace signal_perms };
++ ps_process_pattern($1, afs_t)
+
+ # Allow afs_admin to restart the afs service
+ afs_initrc_domtrans($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.7.19/policy/modules/services/afs.te
--- nsaserefpolicy/policy/modules/services/afs.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/afs.te 2010-05-28 09:42:00.053610763 +0200
@@ -14487,7 +14620,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.te serefpolicy-3.7.19/policy/modules/services/aiccu.te
--- nsaserefpolicy/policy/modules/services/aiccu.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/aiccu.te 2010-07-13 09:29:24.178502599 +0200
++++ serefpolicy-3.7.19/policy/modules/services/aiccu.te 2010-09-16 09:55:09.026658234 +0200
@@ -0,0 +1,72 @@
+
+policy_module(aiccu, 1.0.0)
@@ -14515,7 +14648,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
+# aiccu local policy
+#
+
-+allow aiccu_t self:capability { kill net_admin };
++allow aiccu_t self:capability { kill net_admin net_raw };
+dontaudit aiccu_t self:capability sys_tty_config;
+allow aiccu_t self:process signal;
+allow aiccu_t self:fifo_file rw_file_perms;
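Review bot: `net_raw` is added to aiccu_t's self:capability set, but the hunk shows no matching socket-class rule such as `allow aiccu_t self:rawip_socket create_socket_perms;` (or the packet_socket equivalent), and a raw socket needs both the capability and the class permission; if the motivating denial was for a raw socket the class rule belongs in the same change, and if it already exists elsewhere in aiccu.te a comment naming why the daemon needs raw sockets would help later audits. The commit message does not mention aiccu, so this capability widening is easy to miss in review.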
@@ -15991,6 +16124,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.
dev_read_realtime_clock(apmd_t)
dev_read_urand(apmd_t)
dev_rw_apm_bios(apmd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.if serefpolicy-3.7.19/policy/modules/services/arpwatch.if
+--- nsaserefpolicy/policy/modules/services/arpwatch.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/arpwatch.if 2010-09-16 15:05:24.621637181 +0200
+@@ -137,7 +137,7 @@
+ type arpwatch_initrc_exec_t;
+ ')
+
+- allow $1 arpwatch_t:process { ptrace signal_perms getattr };
++ allow $1 arpwatch_t:process { ptrace signal_perms };
+ ps_process_pattern($1, arpwatch_t)
+
+ arpwatch_initrc_domtrans($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.7.19/policy/modules/services/arpwatch.te
--- nsaserefpolicy/policy/modules/services/arpwatch.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/arpwatch.te 2010-07-23 14:06:57.786138760 +0200
@@ -16025,7 +16170,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpw
fs_search_auto_mountpoints(arpwatch_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.7.19/policy/modules/services/asterisk.if
--- nsaserefpolicy/policy/modules/services/asterisk.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/asterisk.if 2010-05-28 09:42:00.063611364 +0200
++++ serefpolicy-3.7.19/policy/modules/services/asterisk.if 2010-09-16 15:05:49.748637209 +0200
@@ -1,5 +1,24 @@
## <summary>Asterisk IP telephony server</summary>
@@ -16051,6 +16196,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste
#####################################
## <summary>
## Connect to asterisk over a unix domain
+@@ -45,7 +64,7 @@
+ type asterisk_initrc_exec_t;
+ ')
+
+- allow $1 asterisk_t:process { ptrace signal_perms getattr };
++ allow $1 asterisk_t:process { ptrace signal_perms };
+ ps_process_pattern($1, asterisk_t)
+
+ init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.7.19/policy/modules/services/asterisk.te
--- nsaserefpolicy/policy/modules/services/asterisk.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/asterisk.te 2010-05-28 09:42:00.064610809 +0200
@@ -16163,6 +16317,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste
+ udev_read_db(asterisk_t)
')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.7.19/policy/modules/services/automount.if
+--- nsaserefpolicy/policy/modules/services/automount.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/automount.if 2010-09-16 15:06:07.893637088 +0200
+@@ -68,7 +68,8 @@
+ type automount_t;
+ ')
+
+- read_files_pattern($1, automount_t, automount_t)
++ kernel_search_proc($1)
++ ps_process_pattern($1, automount_t)
+ ')
+
+ ########################################
+@@ -149,7 +150,7 @@
+ type automount_var_run_t, automount_initrc_exec_t;
+ ')
+
+- allow $1 automount_t:process { ptrace signal_perms getattr };
++ allow $1 automount_t:process { ptrace signal_perms };
+ ps_process_pattern($1, automount_t)
+
+ init_labeled_script_domtrans($1, automount_initrc_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.7.19/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2010-04-13 20:44:36.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/automount.te 2010-05-28 09:42:00.065610953 +0200
@@ -16348,7 +16524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.if serefpolicy-3.7.19/policy/modules/services/boinc.if
--- nsaserefpolicy/policy/modules/services/boinc.if 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/boinc.if 2010-06-25 14:56:43.461388526 +0200
++++ serefpolicy-3.7.19/policy/modules/services/boinc.if 2010-09-16 15:15:07.962637079 +0200
@@ -0,0 +1,151 @@
+
+## <summary>policy for boinc</summary>
@@ -16490,8 +16666,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+ type boinc_var_lib_t;
+ ')
+
-+ allow $1 boinc_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, boinc_t, boinc_t)
++ allow $1 boinc_t:process { ptrace signal_perms };
++ ps_process_pattern($1, boinc_t)
+
+ boinc_initrc_domtrans($1)
+ domain_system_change_exemption($1)
@@ -18224,7 +18400,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
+/var/cache/cobbler(/.*)? gen_context(system_u:object_r:cobbler_cache_t, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.7.19/policy/modules/services/cobbler.if
--- nsaserefpolicy/policy/modules/services/cobbler.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/cobbler.if 2010-06-25 15:03:23.048137726 +0200
++++ serefpolicy-3.7.19/policy/modules/services/cobbler.if 2010-09-16 15:15:34.657636962 +0200
@@ -68,7 +68,7 @@
########################################
## <summary>
@@ -18243,14 +18419,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
## an cobblerd environment
## </summary>
## <param name="domain">
-@@ -162,6 +162,7 @@
+@@ -162,10 +162,11 @@
gen_require(`
type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
type cobbler_etc_t, cobblerd_initrc_exec_t;
+ type httpd_cobbler_content_rw_t;
')
- allow $1 cobblerd_t:process { ptrace signal_perms getattr };
+- allow $1 cobblerd_t:process { ptrace signal_perms getattr };
+- read_files_pattern($1, cobblerd_t, cobblerd_t)
++ allow $1 cobblerd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, cobblerd_t)
+
+ files_search_etc($1)
+ admin_pattern($1, cobbler_etc_t)
@@ -173,9 +174,11 @@
files_list_var_lib($1)
admin_pattern($1, cobbler_var_lib_t)
@@ -18574,8 +18756,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.if serefpolicy-3.7.19/policy/modules/services/corosync.if
--- nsaserefpolicy/policy/modules/services/corosync.if 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/corosync.if 2010-05-28 09:42:00.087610617 +0200
-@@ -0,0 +1,108 @@
++++ serefpolicy-3.7.19/policy/modules/services/corosync.if 2010-09-16 17:00:39.809386936 +0200
+@@ -0,0 +1,127 @@
+## <summary>SELinux policy for Corosync Cluster Engine</summary>
+
+########################################
@@ -18596,6 +18778,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+ domtrans_pattern($1, corosync_exec_t, corosync_t)
+')
+
++#######################################
++## <summary>
++## Execute corosync in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`corosync_exec',`
++ gen_require(`
++ type corosync_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, corosync_exec_t)
++')
++
+#####################################
+## <summary>
+## Connect to corosync over a unix domain
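Review bot: The `<param>` summary of the new `corosync_exec` interface says `Domain allowed to transition.`, but the body is `corecmd_search_bin($1)` plus `can_exec($1, corosync_exec_t)` and performs no domain transition — that is the contract of `corosync_domtrans` above it; change the summary to `Domain allowed access.` so the generated docs do not suggest a transition. Otherwise the interface follows the file's existing layout.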
@@ -18686,8 +18887,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.19/policy/modules/services/corosync.te
--- nsaserefpolicy/policy/modules/services/corosync.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/corosync.te 2010-09-13 16:14:36.850085069 +0200
-@@ -0,0 +1,143 @@
++++ serefpolicy-3.7.19/policy/modules/services/corosync.te 2010-09-16 17:00:39.810387061 +0200
+@@ -0,0 +1,144 @@
+
+policy_module(corosync,1.0.0)
+
@@ -18819,6 +19020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+ rhcs_rw_cluster_shm(corosync_t)
+ rhcs_rw_cluster_semaphores(corosync_t)
+ rhcs_stream_connect_cluster(corosync_t)
++ rhcs_read_cluster_lib_files(corosync_t)
+')
+
+optional_policy(`
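Review bot: `rhcs_read_cluster_lib_files(corosync_t)` is the only visible consumer of the cluster_var_lib_t type the commit message announces, and neither that interface, the type declaration nor the /var/lib/cluster file-context entry appears in the hunks shown here; if they live in rhcs.fc/rhcs.if/rhcs.te hunks elsewhere in the patch this is fine, otherwise the corosync module fails to build on the undefined interface, so confirm the interface name matches its definition. The block enclosing the call opens outside this hunk; since rhcs is a separate module, the call must stay inside an `optional_policy(` block for the policy to build when rhcs is absent.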
@@ -18853,19 +19055,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
+/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.7.19/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/cron.if 2010-07-27 16:15:15.408074038 +0200
-@@ -12,6 +12,10 @@
++++ serefpolicy-3.7.19/policy/modules/services/cron.if 2010-09-16 14:41:50.412386895 +0200
+@@ -12,6 +12,12 @@
## </param>
#
template(`cron_common_crontab_template',`
+ gen_require(`
-+ type crond_t, crond_var_run_t;
++ type crond_t, crond_var_run_t, crontab_exec_t;
++ type cron_spool_t, user_cron_spool_t;
++
+ ')
+
##############################
#
# Declarations
-@@ -34,8 +38,12 @@
+@@ -34,8 +40,12 @@
allow $1_t self:process { setsched signal_perms };
allow $1_t self:fifo_file rw_fifo_file_perms;
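Review bot: The expanded gen_require block of cron_common_crontab_template carries an empty line (the bare `++` line) between `type cron_spool_t, user_cron_spool_t;` and the closing `')`, which no other gen_require in the file has; drop it so the block reads `type crond_t, crond_var_run_t, crontab_exec_t;` / `type cron_spool_t, user_cron_spool_t;` / `')`. The template body that references crontab_exec_t continues outside this hunk.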
@@ -18880,7 +19084,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
# create files in /var/spool/cron
manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
-@@ -62,6 +70,7 @@
+@@ -62,6 +72,7 @@
logging_send_syslog_msg($1_t)
logging_send_audit_msgs($1_t)
@@ -18888,7 +19092,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
init_dontaudit_write_utmp($1_t)
init_read_utmp($1_t)
-@@ -76,6 +85,7 @@
+@@ -76,6 +87,7 @@
userdom_use_user_terminals($1_t)
# Read user crontabs
userdom_read_user_home_content_files($1_t)
@@ -18896,7 +19100,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
tunable_policy(`fcron_crond',`
# fcron wants an instant update of a crontab change for the administrator
-@@ -106,6 +116,7 @@
+@@ -106,6 +118,7 @@
interface(`cron_role',`
gen_require(`
type cronjob_t, crontab_t, crontab_exec_t;
@@ -18904,7 +19108,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
role $1 types { cronjob_t crontab_t };
-@@ -120,6 +131,15 @@
+@@ -120,6 +133,15 @@
ps_process_pattern($2, crontab_t)
allow $2 crontab_t:process signal;
@@ -18920,7 +19124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
# Run helper programs as the user domain
#corecmd_bin_domtrans(crontab_t, $2)
#corecmd_shell_domtrans(crontab_t, $2)
-@@ -154,27 +174,14 @@
+@@ -154,27 +176,14 @@
#
interface(`cron_unconfined_role',`
gen_require(`
@@ -18950,7 +19154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
optional_policy(`
gen_require(`
class dbus send_msg;
-@@ -259,9 +266,8 @@
+@@ -259,9 +268,8 @@
gen_require(`
type crond_t, system_cronjob_t;
')
@@ -18961,7 +19165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
role system_r types $1;
')
-@@ -408,7 +414,43 @@
+@@ -408,7 +416,43 @@
type crond_t;
')
@@ -19006,7 +19210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
########################################
-@@ -554,7 +596,7 @@
+@@ -554,7 +598,7 @@
type system_cronjob_t;
')
@@ -19015,7 +19219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
########################################
-@@ -587,11 +629,14 @@
+@@ -587,11 +631,14 @@
#
interface(`cron_read_system_job_tmp_files',`
gen_require(`
@@ -19031,12 +19235,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
########################################
-@@ -627,7 +672,48 @@
+@@ -627,7 +674,47 @@
interface(`cron_dontaudit_write_system_job_tmp_files',`
gen_require(`
type system_cronjob_tmp_t;
+ type cron_var_run_t;
-+ type system_cronjob_var_run_t;
')
dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
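Review bot: `type system_cronjob_var_run_t;` is removed from the gen_require of cron_dontaudit_write_system_job_tmp_files while the interface body — which this patch grows to 47 lines per the inner `@@ -627,7 +674,47 @@` header — lies entirely outside this hunk; if any rule there still names system_cronjob_var_run_t, the module fails to compile with an undeclared type, so check the body before merging. If the type was simply unused in the require list, the removal is the right fix; cron_var_run_t stays required, so rules on that type are presumably still present.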
@@ -20257,7 +20460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
+/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.7.19/policy/modules/services/devicekit.if
--- nsaserefpolicy/policy/modules/services/devicekit.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/devicekit.if 2010-05-28 09:42:00.099610866 +0200
++++ serefpolicy-3.7.19/policy/modules/services/devicekit.if 2010-09-16 14:43:03.179637274 +0200
@@ -139,6 +139,26 @@
########################################
@@ -20285,7 +20488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
## All of the rules required to administrate
## an devicekit environment
## </summary>
-@@ -162,7 +182,7 @@
+@@ -162,16 +182,16 @@
interface(`devicekit_admin',`
gen_require(`
type devicekit_t, devicekit_disk_t, devicekit_power_t;
@@ -20293,7 +20496,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
+ type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
')
- allow $1 devicekit_t:process { ptrace signal_perms getattr };
+- allow $1 devicekit_t:process { ptrace signal_perms getattr };
++ allow $1 devicekit_t:process { ptrace signal_perms };
+ ps_process_pattern($1, devicekit_t)
+
+- allow $1 devicekit_disk_t:process { ptrace signal_perms getattr };
++ allow $1 devicekit_disk_t:process { ptrace signal_perms };
+ ps_process_pattern($1, devicekit_disk_t)
+
+- allow $1 devicekit_power_t:process { ptrace signal_perms getattr };
++ allow $1 devicekit_power_t:process { ptrace signal_perms };
+ ps_process_pattern($1, devicekit_power_t)
+
+ admin_pattern($1, devicekit_tmp_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.19/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/devicekit.te 2010-08-10 17:16:41.979085228 +0200
@@ -20530,6 +20745,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
+optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.7.19/policy/modules/services/dhcp.if
+--- nsaserefpolicy/policy/modules/services/dhcp.if 2010-04-13 20:44:36.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/dhcp.if 2010-09-16 17:18:21.454637263 +0200
+@@ -77,7 +77,7 @@
+ #
+ interface(`dhcpd_admin',`
+ gen_require(`
+- type dhcpd_t; type dhcpd_tmp_t; type dhcpd_state_t;
++ type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t;
+ type dhcpd_var_run_t, dhcpd_initrc_exec_t;
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.7.19/policy/modules/services/dhcp.te
--- nsaserefpolicy/policy/modules/services/dhcp.te 2010-04-13 20:44:36.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/dhcp.te 2010-06-16 21:55:51.478859909 +0200
@@ -20972,7 +21199,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
/var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.7.19/policy/modules/services/exim.if
--- nsaserefpolicy/policy/modules/services/exim.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/exim.if 2010-05-28 09:42:00.106610959 +0200
++++ serefpolicy-3.7.19/policy/modules/services/exim.if 2010-09-16 15:15:56.330386661 +0200
@@ -20,6 +20,24 @@
########################################
@@ -21025,8 +21252,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
+ type exim_tmp_t, exim_spool_t, exim_var_run_t;
+ ')
+
-+ allow $1 exim_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, exim_t, exim_t)
++ allow $1 exim_t:process { ptrace signal_perms };
++ ps_process_pattern($1, exim_t)
+
+ exim_initrc_domtrans($1)
+ domain_system_change_exemption($1)
@@ -21117,6 +21344,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
+optional_policy(`
iptables_domtrans(fail2ban_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.if serefpolicy-3.7.19/policy/modules/services/fetchmail.if
+--- nsaserefpolicy/policy/modules/services/fetchmail.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/fetchmail.if 2010-09-16 14:46:13.627387014 +0200
+@@ -18,6 +18,7 @@
+ type fetchmail_var_run_t;
+ ')
+
++ allow $1 fetchmail_t:process { ptrace signal_perms };
+ ps_process_pattern($1, fetchmail_t)
+
+ files_list_etc($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.7.19/policy/modules/services/fprintd.te
--- nsaserefpolicy/policy/modules/services/fprintd.te 2010-04-13 20:44:36.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/fprintd.te 2010-09-13 13:10:28.599085102 +0200
@@ -22254,8 +22492,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.7.19/policy/modules/services/hal.if
--- nsaserefpolicy/policy/modules/services/hal.if 2010-04-13 20:44:36.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/hal.if 2010-05-28 09:42:00.115610849 +0200
-@@ -367,7 +367,7 @@
++++ serefpolicy-3.7.19/policy/modules/services/hal.if 2010-09-16 15:08:39.708386708 +0200
+@@ -51,6 +51,7 @@
+ type hald_t;
+ ')
+
++ kernel_search_proc($1)
+ ps_process_pattern($1, hald_t)
+ ')
+
+@@ -367,7 +368,7 @@
## </param>
#
interface(`hal_read_pid_files',`
@@ -22264,7 +22510,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
type hald_var_run_t;
')
-@@ -377,6 +377,26 @@
+@@ -377,6 +378,26 @@
########################################
## <summary>
@@ -22273,7 +22519,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain to not audit.
+## </summary>
+## </param>
+#
@@ -22449,6 +22695,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
########################################
#
# Local hald dccm policy
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.if serefpolicy-3.7.19/policy/modules/services/icecast.if
+--- nsaserefpolicy/policy/modules/services/icecast.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/icecast.if 2010-09-16 14:50:20.457637118 +0200
+@@ -173,6 +173,7 @@
+ type icecast_t, icecast_initrc_exec_t;
+ ')
+
++ allow $1 icecast_t:process { ptrace signal_perms };
+ ps_process_pattern($1, icecast_t)
+
+ # Allow icecast_t to restart the apache service
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.te serefpolicy-3.7.19/policy/modules/services/icecast.te
--- nsaserefpolicy/policy/modules/services/icecast.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/icecast.te 2010-09-09 12:23:45.726084993 +0200
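Review bot: The comment on the new side directly below the added ptrace rule, `# Allow icecast_t to restart the apache service`, does not describe the interface it sits in: icecast_admin's `$1` is the administrator domain, and the rule that follows (outside the hunk) presumably grants it the icecast init-script transition, nothing to do with apache. Suggest `# Allow the admin domain to run the icecast init script`. The same copy-pasted wording, `# Allow qpidd_t to restart the apache service`, appears in the qpidd_admin hunk further down, directly above `qpidd_initrc_domtrans($1)`.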
@@ -22525,7 +22782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabb
/var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabber.if serefpolicy-3.7.19/policy/modules/services/jabber.if
--- nsaserefpolicy/policy/modules/services/jabber.if 2010-04-13 20:44:36.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/jabber.if 2010-09-01 11:58:19.536083725 +0200
++++ serefpolicy-3.7.19/policy/modules/services/jabber.if 2010-09-16 15:09:16.987637037 +0200
@@ -1,17 +1,96 @@
## <summary>Jabber instant messaging server</summary>
@@ -22597,7 +22854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabb
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain to not audit.
+## </summary>
+## </param>
+#
@@ -22966,7 +23223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap
+#/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.7.19/policy/modules/services/ldap.if
--- nsaserefpolicy/policy/modules/services/ldap.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/ldap.if 2010-05-28 09:42:00.121610589 +0200
++++ serefpolicy-3.7.19/policy/modules/services/ldap.if 2010-09-16 15:00:27.926637062 +0200
@@ -1,5 +1,43 @@
## <summary>OpenLDAP directory server</summary>
@@ -23037,10 +23294,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap
## Read the OpenLDAP configuration files.
## </summary>
## <param name="domain">
-@@ -71,6 +128,30 @@
+@@ -69,8 +126,30 @@
+ ')
+
files_search_pids($1)
- allow $1 slapd_var_run_t:sock_file write;
- allow $1 slapd_t:unix_stream_socket connectto;
+- allow $1 slapd_var_run_t:sock_file write;
+- allow $1 slapd_t:unix_stream_socket connectto;
++ stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)
+
+ optional_policy(`
+ ldap_stream_connect_dirsrv($1)
@@ -23063,8 +23323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap
+ ')
+
+ files_search_pids($1)
-+ allow $1 dirsrv_var_run_t:sock_file write;
-+ allow $1 dirsrv_t:unix_stream_socket connectto;
++ stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t)
')
########################################
@@ -23167,9 +23426,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc
+
+sysnet_dns_name_resolve(lircd_t)
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-3.7.19/policy/modules/services/lpd.if
+--- nsaserefpolicy/policy/modules/services/lpd.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/lpd.if 2010-09-16 15:34:23.589636742 +0200
+@@ -153,7 +153,7 @@
+ ')
+
+ files_search_spool($1)
+- allow $1 print_spool_t:file { relabelto relabelfrom };
++ allow $1 print_spool_t:file relabel_file_perms;
+ ')
+
+ ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.if serefpolicy-3.7.19/policy/modules/services/memcached.if
--- nsaserefpolicy/policy/modules/services/memcached.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/memcached.if 2010-06-25 15:07:20.909137514 +0200
++++ serefpolicy-3.7.19/policy/modules/services/memcached.if 2010-09-16 14:51:54.584636864 +0200
@@ -59,6 +59,7 @@
gen_require(`
type memcached_t;
@@ -23178,6 +23449,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memc
')
allow $1 memcached_t:process { ptrace signal_perms };
+@@ -69,5 +70,6 @@
+ role_transition $2 memcached_initrc_exec_t system_r;
+ allow $2 system_r;
+
++ files_search_pids($1)
+ admin_pattern($1, memcached_var_run_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.fc serefpolicy-3.7.19/policy/modules/services/milter.fc
--- nsaserefpolicy/policy/modules/services/milter.fc 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/milter.fc 2010-09-09 10:52:57.640084901 +0200
@@ -23363,7 +23641,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
+/var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.if serefpolicy-3.7.19/policy/modules/services/mpd.if
--- nsaserefpolicy/policy/modules/services/mpd.if 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/mpd.if 2010-06-28 14:07:11.654150869 +0200
++++ serefpolicy-3.7.19/policy/modules/services/mpd.if 2010-09-16 14:59:09.494386932 +0200
@@ -0,0 +1,295 @@
+
+## <summary>policy for daemon for playing music</summary>
@@ -23420,8 +23698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
+ type mpd_data_t;
+ ')
+
-+ files_search_var_lib($1)
-+ mpd_search_lib($1)
++ mpd_search_lib($1)
+ read_files_pattern($1, mpd_data_t, mpd_data_t)
+')
+
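Review bot: Removing `files_search_var_lib($1)` in front of `mpd_search_lib($1)` only preserves the caller's ability to reach mpd_data_t if mpd_search_lib itself grants search on /var/lib; its definition is outside this hunk, so that is not verifiable here. If mpd_search_lib only allows search on mpd_var_lib_t, a caller that does not already hold files_search_var_lib will be denied at /var/lib before it ever reaches the mpd directory. Either confirm that mpd_search_lib calls files_search_var_lib, or keep the explicit `files_search_var_lib($1)` line here.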
@@ -23440,8 +23717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
+ type mpd_tmpfs_t;
+ ')
+
-+ files_search_var_lib($1)
-+ mpd_search_lib($1)
++ fs_search_tmpfs($1)
+ read_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
+')
+
@@ -23460,10 +23736,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
+ type mpd_tmpfs_t;
+ ')
+
-+ files_search_var_lib($1)
-+ mpd_search_lib($1)
-+ manage_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
-+ manage_lnk_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
++ fs_search_tmpfs($1)
++ manage_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
++ manage_lnk_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
+')
+
+######################################
@@ -23637,7 +23912,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
+ type mpd_data_t;
+ type mpd_etc_t;
+ type mpd_log_t;
-+ type mpd_var_lib_t;
++ type mpd_tmpfs_t;
++ type mpd_var_lib_t;
+ ')
+
+ allow $1 mpd_t:process { ptrace signal_perms };
@@ -23659,6 +23935,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
+
+ admin_pattern($1, mpd_log_t)
+
++ fs_search_tmpfs($1)
++ admin_pattern($1, mpd_tmpfs_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.te serefpolicy-3.7.19/policy/modules/services/mpd.te
--- nsaserefpolicy/policy/modules/services/mpd.te 1970-01-01 01:00:00.000000000 +0100
@@ -24286,8 +24564,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
+/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.7.19/policy/modules/services/munin.if
--- nsaserefpolicy/policy/modules/services/munin.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/munin.if 2010-08-02 09:03:40.662642033 +0200
-@@ -43,6 +43,24 @@
++++ serefpolicy-3.7.19/policy/modules/services/munin.if 2010-09-16 15:01:01.167395899 +0200
+@@ -16,8 +16,7 @@
+ type munin_var_run_t, munin_t;
+ ')
+
+- allow $1 munin_t:unix_stream_socket connectto;
+- allow $1 munin_var_run_t:sock_file { getattr write };
++ stream_connect_pattern($1, munin_var_run_t, munin_var_run_t, munin_t)
+ files_search_pids($1)
+ ')
+
+@@ -43,6 +42,24 @@
files_search_etc($1)
')
@@ -24312,7 +24600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
#######################################
## <summary>
## Append to the munin log.
-@@ -102,6 +120,58 @@
+@@ -102,6 +119,58 @@
dontaudit $1 munin_var_lib_t:dir search_dir_perms;
')
@@ -24603,6 +24891,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
+term_getattr_unallocated_ttys(munin_system_plugin_t)
+term_getattr_all_ptys(munin_system_plugin_t)
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.7.19/policy/modules/services/mysql.if
+--- nsaserefpolicy/policy/modules/services/mysql.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/mysql.if 2010-09-16 15:01:43.198637084 +0200
+@@ -73,6 +73,7 @@
+ type mysqld_t, mysqld_var_run_t, mysqld_db_t;
+ ')
+
++ files_search_pids($1)
+ stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
+ stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.19/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/mysql.te 2010-06-21 15:32:41.673073820 +0200
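Review bot: The added `files_search_pids($1)` covers the path to mysqld_var_run_t, but the second pattern on the context line, `stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)`, uses mysqld_db_t as the socket directory, and nothing in the hunk grants search on the path leading to it (presumably under /var/lib). Unless that is granted earlier in the interface, which lies outside the hunk, a `files_search_var_lib($1)` next to the new line is needed for the db-directory socket location to be reachable.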
@@ -26176,6 +26475,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd
+optional_policy(`
+ unconfined_dontaudit_rw_packet_sockets(nscd_t)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.if serefpolicy-3.7.19/policy/modules/services/nslcd.if
+--- nsaserefpolicy/policy/modules/services/nslcd.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/nslcd.if 2010-09-16 15:03:19.430636930 +0200
+@@ -106,9 +106,9 @@
+ role_transition $2 nslcd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- manage_files_pattern($1, nslcd_conf_t, nslcd_conf_t)
++ files_search_etc($1)
++ admin_pattern($1, nslcd_conf_t)
+
+- manage_dirs_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
+- manage_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
+- manage_lnk_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
++ files_search_pids($1)
++ admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.te serefpolicy-3.7.19/policy/modules/services/nslcd.te
--- nsaserefpolicy/policy/modules/services/nslcd.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/nslcd.te 2010-05-28 09:42:00.139610787 +0200
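Review bot: `admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)` passes a third argument while the sibling call a few lines above, `admin_pattern($1, nslcd_conf_t)`, and every other admin_pattern call in this patch pass two; if the macro does not reference `$3`, m4 silently ignores the extra argument, so it is harmless but misleading. Change it to `admin_pattern($1, nslcd_var_run_t)` so both calls read the same and nobody later assumes the third argument carries meaning.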
@@ -26441,6 +26757,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop
seutil_sigchld_newrole(ntop_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.7.19/policy/modules/services/ntp.if
+--- nsaserefpolicy/policy/modules/services/ntp.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/ntp.if 2010-09-16 15:06:24.157386834 +0200
+@@ -144,7 +144,7 @@
+ type ntpd_initrc_exec_t;
+ ')
+
+- allow $1 ntpd_t:process { ptrace signal_perms getattr };
++ allow $1 ntpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ntpd_t)
+
+ init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.7.19/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/ntp.te 2010-05-28 09:42:00.141610585 +0200
@@ -26631,7 +26959,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.7.19/policy/modules/services/oddjob.if
--- nsaserefpolicy/policy/modules/services/oddjob.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/oddjob.if 2010-08-09 14:17:22.876085247 +0200
++++ serefpolicy-3.7.19/policy/modules/services/oddjob.if 2010-09-16 15:10:11.324637049 +0200
@@ -22,6 +22,25 @@
domtrans_pattern($1, oddjob_exec_t, oddjob_t)
')
@@ -26643,7 +26971,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain to not audit.
+## </summary>
+## </param>
+#
@@ -26782,6 +27110,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
+optional_policy(`
+ unconfined_attach_tun_iface(openvpn_t)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.if serefpolicy-3.7.19/policy/modules/services/pads.if
+--- nsaserefpolicy/policy/modules/services/pads.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/pads.if 2010-09-16 15:10:56.276637029 +0200
+@@ -39,6 +39,9 @@
+ role_transition $2 pads_initrc_exec_t system_r;
+ allow $2 system_r;
+
++ files_search_pids($1)
+ admin_pattern($1, pads_var_run_t)
++
++ files_search_etc($1)
+ admin_pattern($1, pads_config_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.7.19/policy/modules/services/pcscd.te
--- nsaserefpolicy/policy/modules/services/pcscd.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/pcscd.te 2010-08-17 15:11:28.402085340 +0200
@@ -27326,8 +27667,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym
+/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.if serefpolicy-3.7.19/policy/modules/services/plymouthd.if
--- nsaserefpolicy/policy/modules/services/plymouthd.if 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/plymouthd.if 2010-05-28 09:42:00.150610614 +0200
-@@ -0,0 +1,322 @@
++++ serefpolicy-3.7.19/policy/modules/services/plymouthd.if 2010-09-16 15:18:22.185386928 +0200
+@@ -0,0 +1,326 @@
+## <summary>policy for plymouthd</summary>
+
+########################################
@@ -27619,17 +27960,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym
+#
+interface(`plymouthd_admin', `
+ gen_require(`
-+ type plymouthd_t;
++ type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t;
++ type plymouthd_var_run_t;
+ ')
+
-+ allow $1 plymouthd_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, plymouthd_t, plymouthd_t)
-+
-+ plymouthd_manage_var_run($1)
++ allow $1 plymouthd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, plymouthd_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, plymouthd_spool_t)
++
++ admin_pattern($1, plymouthd_var_lib_t)
+
-+ plymouthd_manage_var_lib($1)
++ files_search_pids($1)
++ admin_pattern($1, plymouthd_var_run_t)
+
-+ plymouthd_manage_spool($1)
+')
+
+########################################
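Review bot: In plymouthd_admin the `files_search_var_lib($1)` at the top of the rewritten block sits in front of `admin_pattern($1, plymouthd_spool_t)`, while the `admin_pattern($1, plymouthd_var_lib_t)` that follows gets no search helper at all; going by the type names, the spool type presumably lives under /var/spool and the var_lib type under /var/lib. The postgresql_admin and prelude_admin hunks further down pair each admin_pattern with the matching search call, so this block looks like the odd one out. Suggest `files_search_spool($1)` before the spool admin_pattern and moving `files_search_var_lib($1)` directly above the plymouthd_var_lib_t line.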
@@ -28077,7 +28422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port
/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.if serefpolicy-3.7.19/policy/modules/services/portreserve.if
--- nsaserefpolicy/policy/modules/services/portreserve.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/portreserve.if 2010-05-28 09:42:00.154610557 +0200
++++ serefpolicy-3.7.19/policy/modules/services/portreserve.if 2010-09-16 15:19:05.465636901 +0200
@@ -18,6 +18,24 @@
domtrans_pattern($1, portreserve_exec_t, portreserve_t)
')
@@ -28130,8 +28475,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port
+ type portreserve_initrc_exec_t, portreserve_var_run_t;
+ ')
+
-+ allow $1 portreserve_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, portreserve_t, portreserve_t)
++ allow $1 portreserve_t:process { ptrace signal_perms };
++ ps_process_pattern($1, portreserve_t)
+
+ portreserve_initrc_domtrans($1)
+ domain_system_change_exemption($1)
@@ -28187,7 +28532,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.19/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/postfix.if 2010-08-25 16:01:16.678085053 +0200
++++ serefpolicy-3.7.19/policy/modules/services/postfix.if 2010-09-16 15:22:04.119636970 +0200
@@ -46,6 +46,7 @@
allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
@@ -28360,20 +28705,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
files_search_spool($1)
')
-@@ -437,11 +522,30 @@
+@@ -437,15 +522,34 @@
#
interface(`postfix_list_spool',`
gen_require(`
- type postfix_spool_t;
+ attribute postfix_spool_type;
-+ ')
-+
+ ')
+
+- allow $1 postfix_spool_t:dir list_dir_perms;
+ allow $1 postfix_spool_type:dir list_dir_perms;
-+ files_search_spool($1)
-+')
-+
-+########################################
-+## <summary>
+ files_search_spool($1)
+ ')
+
+ ########################################
+ ## <summary>
+## Getattr postfix mail spool files.
+## </summary>
+## <param name="domain">
@@ -28385,14 +28731,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+interface(`postfix_getattr_spool_files',`
+ gen_require(`
+ attribute postfix_spool_type;
- ')
-
-- allow $1 postfix_spool_t:dir list_dir_perms;
- files_search_spool($1)
++ ')
++
++ files_search_spool($1)
+ getattr_files_pattern($1, postfix_spool_type, postfix_spool_type)
- ')
-
- ########################################
++')
++
++########################################
++## <summary>
+ ## Read postfix mail spool files.
+ ## </summary>
+ ## <param name="domain">
@@ -456,16 +560,16 @@
#
interface(`postfix_read_spool_files',`
@@ -28540,26 +28889,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+ type postfix_map_tmp_t, postfix_prng_t, postfix_public_t;
+ ')
+
-+ allow $1 postfix_bounce_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, postfix_bounce_t, postfix_bounce_t)
++ allow $1 postfix_bounce_t:process { ptrace signal_perms };
++ ps_process_pattern($1, postfix_bounce_t)
+
-+ allow $1 postfix_cleanup_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, postfix_cleanup_t, postfix_cleanup_t)
++ allow $1 postfix_cleanup_t:process { ptrace signal_perms };
++ ps_process_pattern($1, postfix_cleanup_t)
+
-+ allow $1 postfix_local_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, postfix_local_t, postfix_local_t)
++ allow $1 postfix_local_t:process { ptrace signal_perms };
++ ps_process_pattern($1, postfix_local_t)
+
-+ allow $1 postfix_master_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, postfix_master_t, postfix_master_t)
++ allow $1 postfix_master_t:process { ptrace signal_perms };
++ ps_process_pattern($1, postfix_master_t)
+
-+ allow $1 postfix_pickup_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, postfix_pickup_t, postfix_pickup_t)
++ allow $1 postfix_pickup_t:process { ptrace signal_perms };
++ ps_process_pattern($1, postfix_pickup_t)
+
-+ allow $1 postfix_qmgr_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, postfix_qmgr_t, postfix_qmgr_t)
++ allow $1 postfix_qmgr_t:process { ptrace signal_perms };
++ ps_process_pattern($1, postfix_qmgr_t)
+
-+ allow $1 postfix_smtpd_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, postfix_smtpd_t, postfix_smtpd_t)
++ allow $1 postfix_smtpd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, postfix_smtpd_t)
+
+ postfix_run_map($1,$2)
+ postfix_run_postdrop($1,$2)
@@ -29013,6 +29362,42 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+userdom_manage_user_home_content(postfix_virtual_t)
+userdom_home_filetrans_user_home_dir(postfix_virtual_t)
+userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.7.19/policy/modules/services/postgresql.if
+--- nsaserefpolicy/policy/modules/services/postgresql.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/postgresql.if 2010-09-16 15:28:46.998386775 +0200
+@@ -312,10 +312,8 @@
+ ')
+
+ files_search_pids($1)
+- allow $1 postgresql_t:unix_stream_socket connectto;
+- allow $1 postgresql_var_run_t:sock_file write;
+- # Some versions of postgresql put the sock file in /tmp
+- allow $1 postgresql_tmp_t:sock_file write;
++ files_search_tmp($1)
++ stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t}, { postgresql_var_run_t postgresql_tmp_t}, postgresql_t)
+ ')
+
+ ########################################
+@@ -439,14 +437,19 @@
+ role_transition $2 postgresql_initrc_exec_t system_r;
+ allow $2 system_r;
+
++ files_search_pids($1)
+ admin_pattern($1, postgresql_var_run_t)
+
++ files_search_var_lib($1)
+ admin_pattern($1, postgresql_db_t)
+
++ files_search_etc($1)
+ admin_pattern($1, postgresql_etc_t)
+
++ logging_search_logs($1)
+ admin_pattern($1, postgresql_log_t)
+
++ files_search_tmp($1)
+ admin_pattern($1, postgresql_tmp_t)
+
+ postgresql_tcp_connect($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.7.19/policy/modules/services/postgresql.te
--- nsaserefpolicy/policy/modules/services/postgresql.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/postgresql.te 2010-09-15 15:43:14.862386997 +0200
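Review bot: The rewrite of the socket-connect rules drops the one explanatory line the old code had, `# Some versions of postgresql put the sock file in /tmp`, which is exactly what a reader needs to understand why postgresql_tmp_t appears in the stream_connect_pattern sets and why `files_search_tmp($1)` is granted; please keep that comment above the new `files_search_tmp($1)` line. Minor style: the set literals `{ postgresql_var_run_t postgresql_tmp_t}` lack the space before the closing brace used everywhere else in the policy, e.g. `{ ptrace signal_perms }`.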
@@ -29025,6 +29410,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
files_search_etc(postgresql_t)
files_read_etc_runtime_files(postgresql_t)
files_read_usr_files(postgresql_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.7.19/policy/modules/services/ppp.if
+--- nsaserefpolicy/policy/modules/services/ppp.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/ppp.if 2010-09-16 15:24:30.000387099 +0200
+@@ -360,7 +360,7 @@
+ type pppd_initrc_exec_t;
+ ')
+
+- allow $1 pppd_t:process { ptrace signal_perms getattr };
++ allow $1 pppd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, pppd_t)
+
+ ppp_initrc_domtrans($1)
+@@ -386,7 +386,7 @@
+ files_list_pids($1)
+ admin_pattern($1, pppd_var_run_t)
+
+- allow $1 pptp_t:process { ptrace signal_perms getattr };
++ allow $1 pptp_t:process { ptrace signal_perms };
+ ps_process_pattern($1, pptp_t)
+
+ admin_pattern($1, pptp_log_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.7.19/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/ppp.te 2010-05-28 09:42:00.159610853 +0200
@@ -29046,6 +29452,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
')
optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.7.19/policy/modules/services/prelude.if
+--- nsaserefpolicy/policy/modules/services/prelude.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/prelude.if 2010-09-16 15:12:53.251386792 +0200
+@@ -136,9 +136,15 @@
+ allow $2 system_r;
+
+ admin_pattern($1, prelude_spool_t)
++
++ files_search_var_lib($1)
+ admin_pattern($1, prelude_var_lib_t)
++
++ files_search_pids($1)
+ admin_pattern($1, prelude_var_run_t)
+ admin_pattern($1, prelude_audisp_var_run_t)
++
++ files_search_tmp($1)
+ admin_pattern($1, prelude_lml_tmp_t)
+ admin_pattern($1, prelude_lml_var_run_t)
+ ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.if serefpolicy-3.7.19/policy/modules/services/privoxy.if
+--- nsaserefpolicy/policy/modules/services/privoxy.if 2010-04-13 20:44:36.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/privoxy.if 2010-09-16 15:24:54.424637062 +0200
+@@ -24,7 +24,7 @@
+ type privoxy_initrc_exec_t;
+ ')
+
+- allow $1 privoxy_t:process { ptrace signal_perms getattr };
++ allow $1 privoxy_t:process { ptrace signal_perms };
+ ps_process_pattern($1, privoxy_t)
+
+ init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.fc serefpolicy-3.7.19/policy/modules/services/procmail.fc
--- nsaserefpolicy/policy/modules/services/procmail.fc 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/procmail.fc 2010-05-28 09:42:00.159610853 +0200
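Review bot: prelude_admin now precedes each admin_pattern group with the matching search helper except the first one: `admin_pattern($1, prelude_spool_t)` still has no `files_search_spool($1)` in front of it, unlike the var_lib, pids and tmp groups added below it. Unless the spool search is granted earlier in the interface, outside the hunk, add `files_search_spool($1)` above that line so the admin domain can actually reach /var/spool before the admin_pattern permissions apply. Grouping prelude_lml_var_run_t under `files_search_tmp($1)` is fine, since `files_search_pids($1)` is already granted a few lines earlier.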
@@ -29219,13 +29656,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/puppet.te serefpolicy-3.7.19/policy/modules/services/puppet.te
--- nsaserefpolicy/policy/modules/services/puppet.te 2010-04-13 20:44:36.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/puppet.te 2010-08-30 19:46:34.715085037 +0200
++++ serefpolicy-3.7.19/policy/modules/services/puppet.te 2010-09-16 15:40:46.667386897 +0200
@@ -192,7 +192,14 @@
manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
-+allow puppetmaster_t puppet_log_t:file { relabelfrom relabelto };
-+allow puppetmaster_t puppet_var_lib_t:dir { relabelfrom relabelto };
++allow puppetmaster_t puppet_log_t:file relabel_file_perms;
++allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms;
+
+selinux_validate_context(puppetmaster_t)
+seutil_read_file_contexts(puppetmaster_t)
@@ -29417,8 +29854,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid
+/var/run/qpidd\.pid gen_context(system_u:object_r:qpidd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.if serefpolicy-3.7.19/policy/modules/services/qpidd.if
--- nsaserefpolicy/policy/modules/services/qpidd.if 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/qpidd.if 2010-05-28 09:42:00.164610730 +0200
-@@ -0,0 +1,236 @@
++++ serefpolicy-3.7.19/policy/modules/services/qpidd.if 2010-09-16 15:23:19.343636970 +0200
+@@ -0,0 +1,231 @@
+
+## <summary>policy for qpidd</summary>
+
@@ -29597,16 +30034,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid
+#
+interface(`qpidd_admin',`
+ gen_require(`
-+ type qpidd_t;
++ type qpidd_t, qpidd_initrc_exec_t;
+ ')
+
-+ allow $1 qpidd_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, qpidd_t, qpidd_t)
-+
-+
-+ gen_require(`
-+ type qpidd_initrc_exec_t;
-+ ')
++ allow $1 qpidd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, qpidd_t)
+
+ # Allow qpidd_t to restart the apache service
+ qpidd_initrc_domtrans($1)
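Review bot: The context comment kept on the line above the `qpidd_initrc_domtrans($1)` call, `# Allow qpidd_t to restart the apache service`, is a copy-paste leftover: the rule it describes lets the admin domain `$1` run the qpidd init script, and neither `qpidd_t` nor apache is involved. Since this hunk already reworks `qpidd_admin`, it is a good place to correct it to `# Allow $1 to restart the qpidd service`. The rest of the interface is outside the hunk.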
@@ -29718,6 +30150,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid
+miscfiles_read_localization(qpidd_t)
+
+sysnet_dns_name_resolve(qpidd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.if serefpolicy-3.7.19/policy/modules/services/radius.if
+--- nsaserefpolicy/policy/modules/services/radius.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/radius.if 2010-09-16 15:25:26.911637199 +0200
+@@ -38,7 +38,7 @@
+ type radiusd_initrc_exec_t;
+ ')
+
+- allow $1 radiusd_t:process { ptrace signal_perms getattr };
++ allow $1 radiusd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, radiusd_t)
+
+ init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.7.19/policy/modules/services/radius.te
--- nsaserefpolicy/policy/modules/services/radius.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/radius.te 2010-08-30 19:31:22.527085108 +0200
@@ -29748,8 +30192,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.7.19/policy/modules/services/razor.if
--- nsaserefpolicy/policy/modules/services/razor.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/razor.if 2010-05-28 09:42:00.166610736 +0200
-@@ -157,3 +157,45 @@
++++ serefpolicy-3.7.19/policy/modules/services/razor.if 2010-09-16 15:26:20.599637115 +0200
+@@ -157,3 +157,44 @@
domtrans_pattern($1, razor_exec_t, razor_t)
')
@@ -29770,7 +30214,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
+ type razor_home_t;
+ ')
+
-+ files_search_home($1)
+ userdom_search_user_home_dirs($1)
+ manage_files_pattern($1, razor_home_t, razor_home_t)
+ read_lnk_files_pattern($1, razor_home_t, razor_home_t)
@@ -29849,6 +30292,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
+')
+
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/resmgr.if serefpolicy-3.7.19/policy/modules/services/resmgr.if
+--- nsaserefpolicy/policy/modules/services/resmgr.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/resmgr.if 2010-09-16 15:29:11.862636875 +0200
+@@ -16,7 +16,6 @@
+ type resmgrd_var_run_t, resmgrd_t;
+ ')
+
+- allow $1 resmgrd_t:unix_stream_socket connectto;
+- allow $1 resmgrd_var_run_t:sock_file { getattr write };
+ files_search_pids($1)
++ stream_connect_pattern($1, resmgrd_var_run_t, resmgrd_var_run_t, resmgrd_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.7.19/policy/modules/services/rgmanager.fc
--- nsaserefpolicy/policy/modules/services/rgmanager.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.7.19/policy/modules/services/rgmanager.fc 2010-05-28 09:42:00.167610740 +0200
@@ -29865,7 +30320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
+/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.7.19/policy/modules/services/rgmanager.if
--- nsaserefpolicy/policy/modules/services/rgmanager.if 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/rgmanager.if 2010-05-28 09:42:00.168610743 +0200
++++ serefpolicy-3.7.19/policy/modules/services/rgmanager.if 2010-09-16 15:26:59.814637060 +0200
@@ -0,0 +1,141 @@
+## <summary>SELinux policy for rgmanager</summary>
+
@@ -29990,7 +30445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
+ ')
+
+ allow $1 rgmanager_t:process { ptrace signal_perms };
-+ read_files_pattern($1, rgmanager_t, rgmanager_t)
++ ps_process_pattern($1, rgmanager_t)
+
+ init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
+ domain_system_change_exemption($1)
@@ -30237,8 +30692,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.7.19/policy/modules/services/rhcs.fc
--- nsaserefpolicy/policy/modules/services/rhcs.fc 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/rhcs.fc 2010-08-10 16:35:38.723085246 +0200
-@@ -0,0 +1,24 @@
++++ serefpolicy-3.7.19/policy/modules/services/rhcs.fc 2010-09-16 17:00:39.815401517 +0200
+@@ -0,0 +1,26 @@
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
@@ -30249,8 +30704,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+
+/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0)
+
++/var/lib/cluster(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
+/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
+
++/var/log/cluster/.*\.*log <<none>>
+/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
+/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
+/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
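Review bot: The new `<<none>>` entry `/var/log/cluster/.*\.*log` does not do what the regex suggests: `\.*` matches zero or more literal dots, so the expression is equivalent to `/var/log/cluster/.*log` and also matches, for example, a file or directory simply named `...syslog` under that path, with no object-class restriction. If the intent was "any `.log` file not claimed by the per-daemon entries below", `/var/log/cluster/.*\.log -- <<none>>` states it exactly. The per-daemon `dlm_controld\.log.*` style entries still take precedence for their own names because setfiles prefers the more specific literal prefix, so this only affects what the catch-all leaves unlabeled; please confirm that leaving such files unlabeled rather than giving them a cluster log type is the intended outcome.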
@@ -30265,8 +30722,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.7.19/policy/modules/services/rhcs.if
--- nsaserefpolicy/policy/modules/services/rhcs.if 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/rhcs.if 2010-09-01 11:22:33.060333720 +0200
-@@ -0,0 +1,439 @@
++++ serefpolicy-3.7.19/policy/modules/services/rhcs.if 2010-09-16 17:00:39.817386962 +0200
+@@ -0,0 +1,458 @@
+## <summary>RHCS - Red Hat Cluster Suite</summary>
+
+#######################################
@@ -30706,10 +31163,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+
+ allow $1 qdiskd_tmpfs_t:file read_file_perms;
+')
++
++#######################################
++## <summary>
++## Allow domain to read cluster lib files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`rhcs_read_cluster_lib_files',`
++ gen_require(`
++ type cluster_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.19/policy/modules/services/rhcs.te
--- nsaserefpolicy/policy/modules/services/rhcs.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/rhcs.te 2010-08-06 12:18:34.559334235 +0200
-@@ -0,0 +1,245 @@
++++ serefpolicy-3.7.19/policy/modules/services/rhcs.te 2010-09-16 17:00:39.818386668 +0200
+@@ -0,0 +1,257 @@
+
+policy_module(rhcs,1.1.0)
+
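Review bot: `rhcs_read_cluster_lib_files` grants `read_files_pattern`, which gives `$1` search on `cluster_var_lib_t` directories and read on files, but not directory listing or symlink reading; a caller that enumerates `/var/lib/cluster` would still be denied `read` on the `dir`. If that is expected for the intended callers, adding `list_dirs_pattern($1, cluster_var_lib_t, cluster_var_lib_t)` next to the existing `read_files_pattern` line covers it; if not, the narrower grant is fine and the interface summary could say "read (not list) cluster lib files" so the limit is deliberate. I cannot see a caller of this interface in the visible hunks, so this is inferred from the pattern macro's usual expansion.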
@@ -30750,6 +31226,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+type qdiskd_var_lib_t;
+files_type(qdiskd_var_lib_t)
+
++# type for generic cluster lib files
++type cluster_var_lib_t;
++files_type(cluster_var_lib_t)
++
+#####################################
+#
+# dlm_controld local policy
@@ -30829,6 +31309,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+ ccs_stream_connect(cluster_domain)
+')
+
++# needed by fence_scsi
++optional_policy(`
++ corosync_exec(fenced_t)
++')
++
+optional_policy(`
+ lvm_domtrans(fenced_t)
+ lvm_read_config(fenced_t)
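Review bot: The comment `# needed by fence_scsi` says why the rule exists but not what it grants: by the interface's name, `corosync_exec(fenced_t)` executes the corosync binaries inside `fenced_t` with no domain transition, so whatever fence_scsi runs there carries fenced_t's full access set. That is a reasonable choice for a helper, but a reader may expect a transition into the corosync domain, so stating it avoids a later "why not corosync_domtrans" question: `# fence_scsi runs corosync utilities; they execute in fenced_t (no transition)`. If a confined run was actually intended, the domtrans interface from corosync.if would be the alternative; I cannot tell from the hunk which fits.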
@@ -30945,6 +31430,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
+allow cluster_domain self:unix_dgram_socket create_socket_perms;
+
++manage_files_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t)
++manage_dirs_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t)
++
+libs_use_ld_so(cluster_domain)
+libs_use_shared_libs(cluster_domain)
+
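Review bot: The two new `manage_*_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t)` rules give every domain carrying the `cluster_domain` attribute create, write and unlink on all of `/var/lib/cluster`; if only some of the rhcs daemons actually keep state there, scoping the rules to those domains keeps the rest from being able to alter each other's state. Separately, nothing here transitions newly created directories in `/var/lib` to the new type, so a daemon that creates `/var/lib/cluster` itself (rather than the package shipping it) would get `var_lib_t` until a relabel; `files_var_lib_filetrans(cluster_domain, cluster_var_lib_t, dir)` closes that gap if that case exists. Which daemons write there is not visible in the hunk, so both points are conditional on that.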
@@ -30967,7 +31455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
/usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-3.7.19/policy/modules/services/ricci.if
--- nsaserefpolicy/policy/modules/services/ricci.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/ricci.if 2010-08-09 14:36:06.787334935 +0200
++++ serefpolicy-3.7.19/policy/modules/services/ricci.if 2010-09-16 15:29:32.734636961 +0200
@@ -18,6 +18,24 @@
domtrans_pattern($1, ricci_exec_t, ricci_t)
')
@@ -30993,8 +31481,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
########################################
## <summary>
## Execute a domain transition to run ricci_modcluster.
-@@ -94,6 +112,25 @@
- allow $1 ricci_modclusterd_t:unix_stream_socket connectto;
+@@ -90,10 +108,28 @@
+ ')
+
+ files_search_pids($1)
+- allow $1 ricci_modcluster_var_run_t:sock_file write;
+- allow $1 ricci_modclusterd_t:unix_stream_socket connectto;
++ stream_connect_pattern($1, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t, ricci_modclusterd_t)
')
+#######################################
@@ -31019,7 +31512,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
########################################
## <summary>
## Execute a domain transition to run ricci_modlog.
-@@ -165,3 +202,87 @@
+@@ -165,3 +201,87 @@
domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t)
')
@@ -31309,8 +31802,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcb
/var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.7.19/policy/modules/services/rpcbind.if
--- nsaserefpolicy/policy/modules/services/rpcbind.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/rpcbind.if 2010-06-25 15:10:52.796137763 +0200
-@@ -141,7 +141,7 @@
++++ serefpolicy-3.7.19/policy/modules/services/rpcbind.if 2010-09-16 15:30:57.838386767 +0200
+@@ -34,8 +34,7 @@
+ ')
+
+ files_search_pids($1)
+- allow $1 rpcbind_var_run_t:sock_file write;
+- allow $1 rpcbind_t:unix_stream_socket connectto;
++ stream_connect_pattern($1, rpcbind_var_run_t, rpcbind_var_run_t, rpcbind_t)
+ ')
+
+ ########################################
+@@ -141,8 +140,14 @@
allow $1 rpcbind_t:process { ptrace signal_perms };
ps_process_pattern($1, rpcbind_t)
@@ -31319,6 +31822,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcb
domain_system_change_exemption($1)
role_transition $2 rpcbind_initrc_exec_t system_r;
allow $2 system_r;
++
++ files_search_var_lib($1)
++ admin_pattern($1, rpcbind_var_lib_t)
++
++ files_search_pids($1)
++ admin_pattern($1, rpcbind_var_run_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.7.19/policy/modules/services/rpcbind.te
--- nsaserefpolicy/policy/modules/services/rpcbind.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/rpcbind.te 2010-08-30 20:25:53.722333587 +0200
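Review bot: The added `admin_pattern($1, rpcbind_var_lib_t)` and `admin_pattern($1, rpcbind_var_run_t)` lines reference two types that must be declared in `rpcbind_admin`'s `gen_require` block, which sits above line 141 of rpcbind.if and is outside this hunk; if that block still lists only `rpcbind_t` and the initrc type, the module will fail to build. Please check that the require block now reads along the lines of `type rpcbind_t, rpcbind_initrc_exec_t, rpcbind_var_lib_t, rpcbind_var_run_t;`. The enclosing interface starts and ends outside the hunk.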
@@ -31341,7 +31851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcb
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.7.19/policy/modules/services/rpc.if
--- nsaserefpolicy/policy/modules/services/rpc.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/rpc.if 2010-05-28 09:42:00.175610487 +0200
++++ serefpolicy-3.7.19/policy/modules/services/rpc.if 2010-09-16 15:41:11.666398045 +0200
@@ -246,6 +246,26 @@
allow rpcd_t $1:process signal;
')
@@ -31373,7 +31883,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
files_search_var_lib($1)
manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
-+ allow $1 var_lib_nfs_t:file { relabelfrom relabelto };
++ allow $1 var_lib_nfs_t:file relabel_file_perms;
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.7.19/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2010-04-13 20:44:37.000000000 +0200
@@ -31669,7 +32179,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.7.19/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/samba.if 2010-06-28 18:46:37.808401969 +0200
++++ serefpolicy-3.7.19/policy/modules/services/samba.if 2010-09-16 16:51:08.806636988 +0200
@@ -62,6 +62,25 @@
########################################
@@ -31804,7 +32314,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
########################################
## <summary>
## Connect to winbind.
-@@ -610,6 +709,36 @@
+@@ -610,6 +709,37 @@
########################################
## <summary>
@@ -31820,6 +32330,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+template(`samba_helper_template',`
+ gen_require(`
+ type smbd_t;
++ role system_r;
+ ')
+ #This type is for samba helper scripts
+ type samba_$1_script_t;
@@ -31841,7 +32352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
## All of the rules required to administrate
## an samba environment
## </summary>
-@@ -640,6 +769,7 @@
+@@ -640,6 +770,7 @@
type winbind_var_run_t, winbind_tmp_t;
type winbind_log_t;
@@ -31849,17 +32360,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
type samba_initrc_exec_t;
')
-@@ -649,6 +779,9 @@
+@@ -649,6 +780,9 @@
allow $1 nmbd_t:process { ptrace signal_perms };
ps_process_pattern($1, nmbd_t)
-+ allow $1 samba_unconfined_script_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, samba_unconfined_script_t, samba_unconfined_script_t)
++ allow $1 samba_unconfined_script_t:process { ptrace signal_perms };
++ ps_process_pattern($1, samba_unconfined_script_t)
+
samba_run_smbcontrol($1, $2, $3)
samba_run_winbind_helper($1, $2, $3)
samba_run_smbmount($1, $2, $3)
-@@ -689,4 +822,5 @@
+@@ -689,4 +823,5 @@
admin_pattern($1, winbind_tmp_t)
admin_pattern($1, winbind_var_run_t)
@@ -32225,6 +32736,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl
#
# /usr
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.if serefpolicy-3.7.19/policy/modules/services/sasl.if
+--- nsaserefpolicy/policy/modules/services/sasl.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/sasl.if 2010-09-16 16:45:19.599637162 +0200
+@@ -42,7 +42,7 @@
+ type saslauthd_initrc_exec_t;
+ ')
+
+- allow $1 saslauthd_t:process { ptrace signal_perms getattr };
++ allow $1 saslauthd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, saslauthd_t)
+
+ init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.7.19/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/sasl.te 2010-05-28 09:42:00.182610859 +0200
@@ -32250,11 +32773,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.19/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if 2010-04-13 20:44:36.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/sendmail.if 2010-07-14 12:54:00.393409832 +0200
-@@ -57,6 +57,24 @@
- allow sendmail_t $1:process sigchld;
- ')
++++ serefpolicy-3.7.19/policy/modules/services/sendmail.if 2010-09-16 16:48:16.015637212 +0200
+@@ -51,10 +51,24 @@
+ ')
+ mta_sendmail_domtrans($1, sendmail_t)
++')
++
+#######################################
+## <summary>
+## Execute sendmail in the sendmail domain.
@@ -32269,14 +32794,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
+ gen_require(`
+ type sendmail_initrc_exec_t;
+ ')
-+
+
+- allow sendmail_t $1:fd use;
+- allow sendmail_t $1:fifo_file rw_file_perms;
+- allow sendmail_t $1:process sigchld;
+ init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
-+')
-+
+ ')
+
########################################
- ## <summary>
- ## Execute the sendmail program in the sendmail domain.
-@@ -277,3 +295,70 @@
+@@ -152,7 +166,7 @@
+ type sendmail_t;
+ ')
+
+- allow $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
++ allow $1 sendmail_t:unix_stream_socket rw_socket_perms;
+ ')
+
+ ########################################
+@@ -171,7 +185,7 @@
+ type sendmail_t;
+ ')
+
+- dontaudit $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
++ dontaudit $1 sendmail_t:unix_stream_socket rw_socket_perms;
+ ')
+
+ ########################################
+@@ -277,3 +291,70 @@
sendmail_domtrans_unconfined($1)
role $2 types unconfined_sendmail_t;
')
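Review bot: Replacing `{ getattr read write ioctl }` with `rw_socket_perms` on `sendmail_t:unix_stream_socket` (the two inner hunks starting at `-152,7` and `-171,7`) is a widening, not a tidy-up: in refpolicy's permission sets `rw_socket_perms` also carries `setattr append bind connect getopt setopt shutdown`, so a caller that previously could only use an inherited sendmail socket can now also `shutdown` it or change its options. If the original narrow set was deliberate for this use-an-inherited-descriptor interface, keeping the explicit list (`allow $1 sendmail_t:unix_stream_socket { getattr read write ioctl };`) preserves the old boundary; the `dontaudit` counterpart is harmless either way. The same substitution is made for `squid_t:unix_stream_socket` in the squid.if hunk further down, where the dropped set was even narrower (`{ getattr read write }`).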
@@ -32324,11 +32868,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
+ type mail_spool_t;
+ ')
+
-+ allow $1 sendmail_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, sendmail_t, sendmail_t)
++ allow $1 sendmail_t:process { ptrace signal_perms };
++ ps_process_pattern($1, sendmail_t)
+
-+ allow $1 unconfined_sendmail_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, unconfined_sendmail_t, unconfined_sendmail_t)
++ allow $1 unconfined_sendmail_t:process { ptrace signal_perms };
++ ps_process_pattern($1, unconfined_sendmail_t)
+
+ init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
+ domain_system_change_exemption($1)
@@ -32449,7 +32993,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
+/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.7.19/policy/modules/services/setroubleshoot.if
--- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/setroubleshoot.if 2010-06-25 15:13:41.144137172 +0200
++++ serefpolicy-3.7.19/policy/modules/services/setroubleshoot.if 2010-09-16 16:20:10.904636972 +0200
@@ -16,8 +16,8 @@
')
@@ -32498,7 +33042,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain to not audit.
+## </summary>
+## </param>
+#
@@ -32737,6 +33281,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
+ policykit_dbus_chat(setroubleshoot_fixit_t)
+ userdom_read_all_users_state(setroubleshoot_fixit_t)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.if serefpolicy-3.7.19/policy/modules/services/smartmon.if
+--- nsaserefpolicy/policy/modules/services/smartmon.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/smartmon.if 2010-09-16 16:45:57.103387039 +0200
+@@ -15,6 +15,7 @@
+ type fsdaemon_tmp_t;
+ ')
+
++ files_search_tmp($1)
+ allow $1 fsdaemon_tmp_t:file read_file_perms;
+ ')
+
+@@ -41,7 +42,7 @@
+ type fsdaemon_initrc_exec_t;
+ ')
+
+- allow $1 fsdaemon_t:process { ptrace signal_perms getattr };
++ allow $1 fsdaemon_t:process { ptrace signal_perms };
+ ps_process_pattern($1, fsdaemon_t)
+
+ init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.7.19/policy/modules/services/smartmon.te
--- nsaserefpolicy/policy/modules/services/smartmon.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/smartmon.te 2010-05-28 09:42:00.186610872 +0200
@@ -32768,6 +33332,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smok
logging_send_syslog_msg(smokeping_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.7.19/policy/modules/services/snmp.if
+--- nsaserefpolicy/policy/modules/services/snmp.if 2010-04-13 20:44:36.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/snmp.if 2010-09-16 16:46:09.199637062 +0200
+@@ -62,6 +62,7 @@
+ type snmpd_var_lib_t;
+ ')
+
++ files_search_var_lib($1)
+ allow $1 snmpd_var_lib_t:dir list_dir_perms;
+ read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
+ read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
+@@ -83,7 +84,7 @@
+ ')
+ dontaudit $1 snmpd_var_lib_t:dir list_dir_perms;
+ dontaudit $1 snmpd_var_lib_t:file read_file_perms;
+- dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read };
++ dontaudit $1 snmpd_var_lib_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -128,7 +129,7 @@
+ type snmpd_initrc_exec_t;
+ ')
+
+- allow $1 snmpd_t:process { ptrace signal_perms getattr };
++ allow $1 snmpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, snmpd_t)
+
+ init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.7.19/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te 2010-04-13 20:44:36.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/snmp.te 2010-05-28 09:42:00.187610526 +0200
@@ -32788,6 +33381,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp
auth_use_nsswitch(snmpd_t)
auth_read_all_dirs_except_shadow(snmpd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.if serefpolicy-3.7.19/policy/modules/services/snort.if
+--- nsaserefpolicy/policy/modules/services/snort.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/snort.if 2010-09-16 16:42:05.561636781 +0200
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run snort.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
++## <summary>
+ ## Domain allowed to transition.
+-## </summary>
++## </summary>
+ ## </param>
+ #
+ interface(`snort_domtrans',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.7.19/policy/modules/services/snort.te
--- nsaserefpolicy/policy/modules/services/snort.te 2010-04-13 20:44:36.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/snort.te 2010-05-28 09:42:00.188610878 +0200
@@ -32844,8 +33452,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
+/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.7.19/policy/modules/services/spamassassin.if
--- nsaserefpolicy/policy/modules/services/spamassassin.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/spamassassin.if 2010-05-28 09:42:00.189610812 +0200
-@@ -111,6 +111,45 @@
++++ serefpolicy-3.7.19/policy/modules/services/spamassassin.if 2010-09-16 16:51:58.958637037 +0200
+@@ -14,6 +14,7 @@
+ ## User domain for the role
+ ## </summary>
+ ## </param>
++## <rolecap/>
+ #
+ interface(`spamassassin_role',`
+ gen_require(`
+@@ -25,9 +26,13 @@
+ role $1 types { spamc_t spamassassin_t };
+
+ domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
++
++ allow $2 spamassassin_t:process { ptrace signal_perms };
+ ps_process_pattern($2, spamassassin_t)
+
+ domtrans_pattern($2, spamc_exec_t, spamc_t)
++
++ allow $2 spamc_t:process { ptrace signal_perms };
+ ps_process_pattern($2, spamc_t)
+
+ manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
+@@ -111,6 +116,46 @@
')
domtrans_pattern($1, spamc_exec_t, spamc_t)
@@ -32885,13 +33515,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
+ type spamc_home_t;
+ ')
+
++ userdom_search_user_home_dirs($1)
+ manage_dirs_pattern($1, spamc_home_t, spamc_home_t)
+ manage_files_pattern($1, spamc_home_t, spamc_home_t)
+ manage_lnk_files_pattern($1, spamc_home_t, spamc_home_t)
')
########################################
-@@ -166,7 +205,9 @@
+@@ -166,7 +211,9 @@
')
files_search_var_lib($1)
@@ -32901,10 +33532,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
')
########################################
-@@ -225,3 +266,69 @@
+@@ -204,6 +251,7 @@
+ type spamd_tmp_t;
+ ')
- dontaudit $1 spamd_tmp_t:sock_file getattr;
++ files_search_tmp($1)
+ allow $1 spamd_tmp_t:file read_file_perms;
')
+
+@@ -223,5 +271,72 @@
+ type spamd_tmp_t;
+ ')
+
+- dontaudit $1 spamd_tmp_t:sock_file getattr;
++ dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms;
++')
+
+########################################
+## <summary>
@@ -32918,9 +33560,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
+#
+interface(`spamd_stream_connect',`
+ gen_require(`
-+ type spamd_t, spamd_var_run_t, spamd_spool_t;
++ type spamd_t, spamd_var_run_t;
+ ')
+
++ files_search_pids($1)
+ stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
+')
+
@@ -32970,7 +33613,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
+
+ files_list_pids($1)
+ admin_pattern($1, spamd_var_run_t)
-+')
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.7.19/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/spamassassin.te 2010-07-21 09:36:37.293135266 +0200
@@ -33290,6 +33933,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
+optional_policy(`
udev_read_db(spamd_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.7.19/policy/modules/services/squid.if
+--- nsaserefpolicy/policy/modules/services/squid.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/squid.if 2010-09-16 16:33:25.875637032 +0200
+@@ -71,7 +71,7 @@
+ type squid_t;
+ ')
+
+- allow $1 squid_t:unix_stream_socket { getattr read write };
++ allow $1 squid_t:unix_stream_socket rw_socket_perms;
+ ')
+
+ ########################################
+@@ -83,7 +83,6 @@
+ ## Domain to not audit.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+ interface(`squid_dontaudit_search_cache',`
+ gen_require(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.7.19/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/squid.te 2010-05-28 09:42:00.191611098 +0200
@@ -33367,7 +34030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
+/root/\.shosts gen_context(system_u:object_r:home_ssh_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.19/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/ssh.if 2010-07-14 14:41:02.740409622 +0200
++++ serefpolicy-3.7.19/policy/modules/services/ssh.if 2010-09-16 16:52:19.653637145 +0200
@@ -36,6 +36,7 @@
gen_require(`
attribute ssh_server;
@@ -33423,7 +34086,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
dev_read_urand($1_ssh_t)
-@@ -181,9 +180,9 @@
+@@ -181,16 +180,16 @@
type $1_var_run_t;
files_pid_file($1_var_run_t)
@@ -33435,6 +34098,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
# ssh agent connections:
+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_t self:shm create_shm_perms;
+
+- allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
++ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom };
+ term_create_pty($1_t, $1_devpts_t)
+
+ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
@@ -206,6 +205,7 @@
kernel_read_kernel_sysctls($1_t)
@@ -33456,7 +34127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
fs_dontaudit_getattr_all_fs($1_t)
-@@ -234,17 +239,19 @@
+@@ -234,17 +239,18 @@
corecmd_getattr_bin_files($1_t)
domain_interactive_fd($1_t)
@@ -33472,12 +34143,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
- userdom_create_all_users_keys($1_t)
userdom_dontaudit_relabelfrom_user_ptys($1_t)
- userdom_search_user_home_dirs($1_t)
+- userdom_search_user_home_dirs($1_t)
+ userdom_read_user_home_content_files($1_t)
# Allow checking users mail at login
mta_getattr_spool($1_t)
-@@ -265,9 +272,16 @@
+@@ -265,9 +271,16 @@
optional_policy(`
files_read_var_lib_symlinks($1_t)
@@ -33495,6 +34166,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
')
########################################
+@@ -290,6 +303,7 @@
+ ## User domain for the role
+ ## </summary>
+ ## </param>
++## <rolecap/>
+ #
+ template(`ssh_role_template',`
+ gen_require(`
+@@ -327,7 +341,7 @@
+
+ # allow ps to show ssh
+ ps_process_pattern($3, ssh_t)
+- allow $3 ssh_t:process signal;
++ allow $3 ssh_t:process { ptrace signal_perms };
+
+ # for rsync
+ allow ssh_t $3:unix_stream_socket rw_socket_perms;
+@@ -359,7 +373,7 @@
+ stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
+
+ # Allow the user shell to signal the ssh program.
+- allow $3 $1_ssh_agent_t:process signal;
++ allow $3 $1_ssh_agent_t:process { ptrace signal_perms };
+
+ # allow ps to show ssh
+ ps_process_pattern($3, $1_ssh_agent_t)
@@ -388,6 +402,7 @@
logging_send_syslog_msg($1_ssh_agent_t)
@@ -33503,15 +34200,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
seutil_dontaudit_read_config($1_ssh_agent_t)
-@@ -395,6 +410,7 @@
+@@ -395,10 +410,8 @@
userdom_use_user_terminals($1_ssh_agent_t)
# for the transition back to normal privs upon exec
+ userdom_search_user_home_content($1_ssh_agent_t)
userdom_user_home_domtrans($1_ssh_agent_t, $3)
- allow $3 $1_ssh_agent_t:fd use;
- allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
-@@ -582,6 +598,25 @@
+- allow $3 $1_ssh_agent_t:fd use;
+- allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
+- allow $3 $1_ssh_agent_t:process sigchld;
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files($1_ssh_agent_t)
+@@ -475,7 +488,7 @@
+ type sshd_t;
+ ')
+
+- allow $1 sshd_t:fifo_file { getattr read };
++ allow $1 sshd_t:fifo_file read_fifo_file_perms;
+ ')
+ ########################################
+ ## <summary>
+@@ -492,7 +505,7 @@
+ type sshd_t;
+ ')
+
+- allow $1 sshd_t:fifo_file { write read getattr ioctl };
++ allow $1 sshd_t:fifo_file rw_inherited_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -582,6 +595,25 @@
domtrans_pattern($1, sshd_exec_t, sshd_t)
')
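Review bot: The first `++` line in this hunk turns `allow $1 sshd_t:fifo_file { getattr read }` into `read_fifo_file_perms`, which adds `open` (and lock/ioctl), while the second interface in the same hunk deliberately moves to `rw_inherited_fifo_file_perms`, i.e. no `open`. A pipe handed down from sshd is inherited, never opened by path, so the read-only interface should stay on the inherited form as well — keep `{ getattr read }` or use the inherited-read macro if this policy's macro set has one, rather than widening to a path-open permission on sshd's pipes. Both interface headers are outside the hunk, so their names are not visible here.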
@@ -33537,10 +34256,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
########################################
## <summary>
## Execute the ssh client in the caller domain.
-@@ -696,6 +731,50 @@
- dontaudit $1 sshd_key_t:file { getattr read };
+@@ -616,7 +648,7 @@
+ type sshd_key_t;
+ ')
+
+- allow $1 sshd_key_t:file setattr;
++ allow $1 sshd_key_t:file setattr_file_perms;
+ files_search_pids($1)
')
+@@ -693,7 +725,51 @@
+ type sshd_key_t;
+ ')
+
+- dontaudit $1 sshd_key_t:file { getattr read };
++ dontaudit $1 sshd_key_t:file read_file_perms;
++')
++
+######################################
+## <summary>
+## Manage ssh home directory content
@@ -33583,12 +34315,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
+ create_files_pattern($1, home_ssh_t, home_ssh_t)
+ userdom_user_home_dir_filetrans($1, home_ssh_t, { dir file })
+ userdom_search_user_home_dirs($1)
-+')
-+
+ ')
+
#######################################
- ## <summary>
- ## Delete from the ssh temp files.
-@@ -714,3 +793,67 @@
+@@ -714,3 +790,67 @@
files_search_tmp($1)
delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
')
@@ -33805,6 +34535,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
ifdef(`TODO',`
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.7.19/policy/modules/services/sssd.if
+--- nsaserefpolicy/policy/modules/services/sssd.if 2010-04-13 20:44:36.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/sssd.if 2010-09-16 16:48:33.455636869 +0200
+@@ -89,6 +89,7 @@
+ type sssd_var_run_t;
+ ')
+
++ files_search_pids($1)
+ manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
+ manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
+ ')
+@@ -128,7 +129,6 @@
+ ')
+
+ dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
+- files_search_var_lib($1)
+ ')
+
+ ########################################
+@@ -225,11 +225,6 @@
+ ## The role to be allowed to manage the sssd domain.
+ ## </summary>
+ ## </param>
+-## <param name="terminal">
+-## <summary>
+-## The type of the user terminal.
+-## </summary>
+-## </param>
+ ## <rolecap/>
+ #
+ interface(`sssd_admin',`
+@@ -238,8 +233,8 @@
+ type sssd_initrc_exec_t;
+ ')
+
+- allow $1 sssd_t:process { ptrace signal_perms getattr };
+- read_files_pattern($1, sssd_t, sssd_t)
++ allow $1 sssd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, sssd_t)
+
+ # Allow sssd_t to restart the apache service
+ sssd_initrc_domtrans($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.19/policy/modules/services/sssd.te
--- nsaserefpolicy/policy/modules/services/sssd.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/sssd.te 2010-08-18 13:10:17.920085544 +0200
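Review bot: Removing `files_search_var_lib($1)` from the dontaudit interface at `@@ -128,7 +129,6 @@` is the right direction, since a dontaudit interface should not hand out an allow, but it is a silent permission removal for any caller that was relying on this interface for its `/var/lib` directory search; those callers (none are visible here) now need `files_search_var_lib` or `files_search_var_lib` via another interface, or they will start seeing `var_lib_t:dir search` denials. The interface header is outside the hunk, so its name cannot be checked from here. The `sssd_admin` rewrite to `allow $1 sssd_t:process { ptrace signal_perms }` plus `ps_process_pattern($1, sssd_t)` is behaviour-preserving because `ps_process_pattern` already carries `process getattr`.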
@@ -33861,7 +34633,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/syss
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.if serefpolicy-3.7.19/policy/modules/services/tftp.if
--- nsaserefpolicy/policy/modules/services/tftp.if 2010-04-13 20:44:36.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/tftp.if 2010-07-19 15:51:20.642151520 +0200
++++ serefpolicy-3.7.19/policy/modules/services/tftp.if 2010-09-16 16:46:36.105386681 +0200
@@ -16,6 +16,26 @@
')
@@ -33889,6 +34661,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp
')
########################################
+@@ -55,9 +75,10 @@
+ type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
+ ')
+
+- allow $1 tftpd_t:process { ptrace signal_perms getattr };
++ allow $1 tftpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, tftpd_t)
+
++ files_list_var_lib($1)
+ admin_pattern($1, tftpdir_rw_t)
+
+ admin_pattern($1, tftpdir_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.if serefpolicy-3.7.19/policy/modules/services/tgtd.if
--- nsaserefpolicy/policy/modules/services/tgtd.if 2010-04-13 20:44:36.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/tgtd.if 2010-09-15 15:55:31.098636967 +0200
@@ -33945,6 +34729,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd
+optional_policy(`
+ iscsi_manage_semaphores(tgtd_t)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.if serefpolicy-3.7.19/policy/modules/services/tor.if
+--- nsaserefpolicy/policy/modules/services/tor.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/tor.if 2010-09-16 16:46:52.559636983 +0200
+@@ -42,7 +42,7 @@
+ type tor_initrc_exec_t;
+ ')
+
+- allow $1 tor_t:process { ptrace signal_perms getattr };
++ allow $1 tor_t:process { ptrace signal_perms };
+ ps_process_pattern($1, tor_t)
+
+ init_labeled_script_domtrans($1, tor_initrc_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.7.19/policy/modules/services/tor.te
--- nsaserefpolicy/policy/modules/services/tor.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/tor.te 2010-09-13 12:47:18.717085060 +0200
@@ -34019,6 +34815,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tune
# to allow network interface tuning
optional_policy(`
sysnet_domtrans_ifconfig(tuned_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.if serefpolicy-3.7.19/policy/modules/services/ucspitcp.if
+--- nsaserefpolicy/policy/modules/services/ucspitcp.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/ucspitcp.if 2010-09-16 15:55:14.630636773 +0200
+@@ -31,8 +31,5 @@
+
+ role system_r types $1;
+
+- domain_auto_trans(ucspitcp_t, $2, $1)
+- allow $1 ucspitcp_t:fd use;
+- allow $1 ucspitcp_t:process sigchld;
+- allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;
++ domtrans_pattern(ucspitcp_t, $2, $1)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.te serefpolicy-3.7.19/policy/modules/services/ucspitcp.te
--- nsaserefpolicy/policy/modules/services/ucspitcp.te 2010-04-13 20:44:36.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/ucspitcp.te 2010-05-28 09:42:00.197610559 +0200
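Review bot: Collapsing the four rules into `domtrans_pattern(ucspitcp_t, $2, $1)` drops `allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;` with no replacement: `domtrans_pattern` covers the transition, `fd use`, inherited fifo rw and `sigchld`, but grants nothing on `tcp_socket`, and a tcpserver child's stdin/stdout are the accepted connection socket, which carries the `ucspitcp_t` label. Unless that rule is granted elsewhere (the ucspitcp.te hunk is not visible in this chunk), every domain wired up through this interface will be denied reading and writing its own connection after the transition. Keep the socket rule next to the pattern: `domtrans_pattern(ucspitcp_t, $2, $1)` followed by `allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;`. The interface header is outside the hunk.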
@@ -34074,7 +34883,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm
+/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.if serefpolicy-3.7.19/policy/modules/services/uucp.if
--- nsaserefpolicy/policy/modules/services/uucp.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/uucp.if 2010-09-01 12:03:39.662084414 +0200
++++ serefpolicy-3.7.19/policy/modules/services/uucp.if 2010-09-16 16:47:05.182637460 +0200
@@ -1,5 +1,24 @@
## <summary>Unix to Unix Copy</summary>
@@ -34100,6 +34909,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp
########################################
## <summary>
## Allow the specified domain to append
+@@ -80,7 +99,7 @@
+ type uucpd_var_run_t;
+ ')
+
+- allow $1 uucpd_t:process { ptrace signal_perms getattr };
++ allow $1 uucpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, uucpd_t)
+
+ logging_list_logs($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.7.19/policy/modules/services/uucp.te
--- nsaserefpolicy/policy/modules/services/uucp.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/uucp.te 2010-08-04 15:04:00.352085562 +0200
@@ -34175,8 +34993,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos
+/var/run/vhostmd\.pid -- gen_context(system_u:object_r:vhostmd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.7.19/policy/modules/services/vhostmd.if
--- nsaserefpolicy/policy/modules/services/vhostmd.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/vhostmd.if 2010-07-21 09:59:21.999134987 +0200
-@@ -212,7 +212,7 @@
++++ serefpolicy-3.7.19/policy/modules/services/vhostmd.if 2010-09-16 16:16:14.800637139 +0200
+@@ -51,8 +51,8 @@
+ type vhostmd_tmpfs_t;
+ ')
+
++ fs_search_tmpfs($1)
+ allow $1 vhostmd_tmpfs_t:file read_file_perms;
+- files_search_tmp($1)
+ ')
+
+ ########################################
+@@ -89,8 +89,8 @@
+ type vhostmd_tmpfs_t;
+ ')
+
++ fs_search_tmpfs($1)
+ rw_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
+- files_search_tmp($1)
+ ')
+
+ ########################################
+@@ -108,8 +108,8 @@
+ type vhostmd_tmpfs_t;
+ ')
+
++ fs_search_tmpfs($1)
+ manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
+- files_search_tmp($1)
+ ')
+
+ ########################################
+@@ -146,7 +146,8 @@
+ type vhostmd_var_run_t;
+ ')
+
+- manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t)
++ files_search_pids($1)
++ manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t)
+ ')
+
+ ########################################
+@@ -212,7 +213,7 @@
allow $1 vhostmd_t:process { ptrace signal_perms getattr };
ps_process_pattern($1, vhostmd_t)
@@ -34234,7 +35092,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.19/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/virt.if 2010-08-30 20:21:58.039085207 +0200
++++ serefpolicy-3.7.19/policy/modules/services/virt.if 2010-09-16 16:52:58.485636847 +0200
@@ -21,6 +21,7 @@
type $1_t, virt_domain;
domain_type($1_t)
@@ -34247,12 +35105,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
type $1_image_t, virt_image_type;
files_type($1_image_t)
dev_node($1_image_t)
--
-- type $1_var_run_t;
-- files_pid_file($1_var_run_t)
+ dev_associate_sysfs($1_image_t)
- allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
+- type $1_var_run_t;
+- files_pid_file($1_var_run_t)
+-
+- allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
++ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
term_create_pty($1_t, $1_devpts_t)
manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
@@ -34333,7 +35192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain to not audit.
+## </summary>
+## </param>
+#
@@ -34394,7 +35253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
########################################
-@@ -516,3 +561,49 @@
+@@ -516,3 +561,50 @@
virt_manage_log($1)
')
@@ -34411,9 +35270,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+## </param>
+## <param name="role">
+## <summary>
-+## The role to be allowed the sandbox domain.
++## The role to be allowed the svirt domain.
+## </summary>
+## </param>
++## <rolecap/>
+#
+interface(`virt_transition_svirt',`
+ gen_require(`
@@ -34446,7 +35306,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.19/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-09-15 15:47:01.852387031 +0200
++++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-09-16 17:06:29.681386750 +0200
@@ -1,5 +1,5 @@
-policy_module(virt, 1.3.2)
@@ -34607,22 +35467,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -205,9 +237,15 @@
+@@ -205,8 +237,14 @@
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
+-allow virtd_t virt_image_type:file { relabelfrom relabelto };
+-allow virtd_t virt_image_type:blk_file { relabelfrom relabelto };
+manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
- allow virtd_t virt_image_type:file { relabelfrom relabelto };
- allow virtd_t virt_image_type:blk_file { relabelfrom relabelto };
-
++allow virtd_t virt_image_type:file relabel_file_perms;
++allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
++
+manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
+manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
+files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })
+can_exec(virtd_t, virt_tmp_t)
-+
+
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
- logging_log_filetrans(virtd_t, virt_log_t, { file dir })
@@ -225,6 +263,7 @@
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
@@ -34679,12 +35540,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
mcs_process_set_categories(virtd_t)
-@@ -291,15 +351,24 @@
+@@ -290,16 +350,26 @@
+ modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
-
-+selinux_validate_context(virtd_t)
++logging_send_audit_msgs(virtd_t)
+
++selinux_validate_context(virtd_t)
+
+seutil_read_config(virtd_t)
seutil_read_default_contexts(virtd_t)
+seutil_read_file_contexts(virtd_t)
@@ -34704,7 +35567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -370,6 +439,8 @@
+@@ -370,6 +440,8 @@
qemu_signal(virtd_t)
qemu_kill(virtd_t)
qemu_setsched(virtd_t)
@@ -34713,7 +35576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
optional_policy(`
-@@ -407,6 +478,19 @@
+@@ -407,6 +479,19 @@
allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
allow virt_domain self:tcp_socket create_stream_socket_perms;
@@ -34733,7 +35596,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
append_files_pattern(virt_domain, virt_log_t, virt_log_t)
append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -427,6 +511,7 @@
+@@ -427,6 +512,7 @@
corenet_tcp_bind_virt_migration_port(virt_domain)
corenet_tcp_connect_virt_migration_port(virt_domain)
@@ -34741,7 +35604,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -434,10 +519,12 @@
+@@ -434,10 +520,12 @@
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -34754,7 +35617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -445,6 +532,11 @@
+@@ -445,6 +533,11 @@
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -34766,7 +35629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
term_use_all_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
-@@ -462,8 +554,13 @@
+@@ -462,8 +555,13 @@
')
optional_policy(`
@@ -34808,6 +35671,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.
sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
+
+apache_dontaudit_rw_tmp_files(httpd_w3c_validator_script_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.if serefpolicy-3.7.19/policy/modules/services/xfs.if
+--- nsaserefpolicy/policy/modules/services/xfs.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/xfs.if 2010-09-16 15:50:24.207636935 +0200
+@@ -1,4 +1,4 @@
+-## <summary>X Windows Font Server </summary>
++## <summary>X Windows Font Server</summary>
+
+ ########################################
+ ## <summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.19/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/xserver.fc 2010-05-28 09:42:00.203610788 +0200
@@ -34934,7 +35806,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.19/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/xserver.if 2010-06-03 10:20:29.487175768 +0200
++++ serefpolicy-3.7.19/policy/modules/services/xserver.if 2010-09-16 16:53:59.645636878 +0200
@@ -19,9 +19,10 @@
interface(`xserver_restricted_role',`
gen_require(`
@@ -34964,42 +35836,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_search_tmp($2)
# Communicate via System V shared memory.
-@@ -56,6 +58,10 @@
-
- domtrans_pattern($2, iceauth_exec_t, iceauth_t)
+@@ -70,17 +72,21 @@
-+ifdef(`hide_broken_symptoms', `
-+ dontaudit iceauth_t $2:socket_class_set { read write };
-+')
-+
- allow $2 iceauth_home_t:file read_file_perms;
-
- domtrans_pattern($2, xauth_exec_t, xauth_t)
-@@ -71,9 +77,13 @@
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
- allow $2 xdm_t:fifo_file { getattr read write ioctl };
+- allow $2 xdm_t:fifo_file { getattr read write ioctl };
- allow $2 xdm_tmp_t:dir search;
+- allow $2 xdm_tmp_t:sock_file { read write };
++ allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
+ allow $2 xdm_tmp_t:dir search_dir_perms;
- allow $2 xdm_tmp_t:sock_file { read write };
++ allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
dontaudit $2 xdm_t:tcp_socket { read write };
-+ dontaudit $2 xdm_tmp_t:dir setattr;
++ dontaudit $2 xdm_tmp_t:dir setattr_dir_perms;
+
+ allow $2 xdm_t:dbus send_msg;
+ allow xdm_t $2:dbus send_msg;
# Client read xserver shm
allow $2 xserver_t:fd use;
-@@ -89,14 +99,19 @@
+ allow $2 xserver_tmpfs_t:file read_file_perms;
+
+ # Read /tmp/.X0-lock
+- allow $2 xserver_tmp_t:file { getattr read };
++ allow $2 xserver_tmp_t:file read_inherited_file_perms;
+
+ dev_rw_xserver_misc($2)
+ dev_rw_power_management($2)
+@@ -89,14 +95,14 @@
dev_write_misc($2)
# open office is looking for the following
dev_getattr_agp_dev($2)
- dev_dontaudit_rw_dri($2)
-+ tunable_policy(`user_direct_dri',`
-+ dev_rw_dri($2)
-+ ',`
-+ dev_dontaudit_rw_dri($2)
-+ ')
+
# GNOME checks for usb and other devices:
dev_rw_usbfs($2)
@@ -35012,15 +35879,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_xsession_entry_type($2)
xserver_dontaudit_write_log($2)
xserver_stream_connect_xdm($2)
-@@ -148,6 +163,7 @@
+@@ -107,13 +113,24 @@
+ # Needed for escd, remove if we get escd policy
+ xserver_manage_xdm_tmp_files($2)
+
++ ifdef(`hide_broken_symptoms',`
++ dontaudit iceauth_t $2:socket_class_set { read write };
++ ')
++
+ # Client write xserver shm
+ tunable_policy(`allow_write_xshm',`
+ allow $2 xserver_t:shm rw_shm_perms;
+ allow $2 xserver_tmpfs_t:file rw_file_perms;
+ ')
++
++ tunable_policy(`user_direct_dri',`
++ dev_rw_dri($2)
++ ',`
++ dev_dontaudit_rw_dri($2)
++ ')
+ ')
+
++
+ ########################################
+ ## <summary>
+ ## Rules required for using the X Windows server
+@@ -143,11 +160,12 @@
+ allow $2 xserver_tmpfs_t:file rw_file_perms;
+
+ allow $2 iceauth_home_t:file manage_file_perms;
+- allow $2 iceauth_home_t:file { relabelfrom relabelto };
++ allow $2 iceauth_home_t:file relabel_file_perms;
+
allow $2 xauth_home_t:file manage_file_perms;
- allow $2 xauth_home_t:file { relabelfrom relabelto };
+- allow $2 xauth_home_t:file { relabelfrom relabelto };
++ allow $2 xauth_home_t:file relabel_file_perms;
+ mls_xwin_read_to_clearance($2)
manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
manage_files_pattern($2, user_fonts_t, user_fonts_t)
relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
-@@ -197,7 +213,7 @@
+@@ -197,7 +215,7 @@
allow $1 xserver_t:process signal;
# Read /tmp/.X0-lock
@@ -35029,7 +35928,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Client read xserver shm
allow $1 xserver_t:fd use;
-@@ -291,12 +307,12 @@
+@@ -227,7 +245,7 @@
+ type xserver_t, xserver_tmpfs_t;
+ ')
+
+- xserver_ro_session($1,$2)
++ xserver_ro_session($1, $2)
+ allow $1 xserver_t:shm rw_shm_perms;
+ allow $1 xserver_tmpfs_t:file rw_file_perms;
+ ')
+@@ -291,12 +309,12 @@
allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
@@ -35045,7 +35953,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow $1 xdm_tmp_t:dir search;
allow $1 xdm_tmp_t:sock_file { read write };
dontaudit $1 xdm_t:tcp_socket { read write };
-@@ -355,6 +371,12 @@
+@@ -310,7 +328,7 @@
+ # for .xsession-errors
+ userdom_dontaudit_write_user_home_content_files($1)
+
+- xserver_ro_session($1,$2)
++ xserver_ro_session($1, $2)
+ xserver_use_user_fonts($1)
+
+ xserver_read_xdm_tmp_files($1)
+@@ -355,6 +373,12 @@
class x_property all_x_property_perms;
class x_event all_x_event_perms;
class x_synthetic_event all_x_synthetic_event_perms;
@@ -35058,7 +35975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
##############################
-@@ -386,6 +408,15 @@
+@@ -386,6 +410,15 @@
allow $2 xevent_t:{ x_event x_synthetic_event } receive;
# dont audit send failures
dontaudit $2 input_xevent_type:x_event send;
@@ -35074,7 +35991,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
#######################################
-@@ -476,6 +507,7 @@
+@@ -458,9 +491,9 @@
+
+ # for when /tmp/.X11-unix is created by the system
+ allow $2 xdm_t:fd use;
+- allow $2 xdm_t:fifo_file { getattr read write ioctl };
++ allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
+ allow $2 xdm_tmp_t:dir search_dir_perms;
+- allow $2 xdm_tmp_t:sock_file { read write };
++ allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
+ dontaudit $2 xdm_t:tcp_socket { read write };
+
+ # Allow connections to X server.
+@@ -472,10 +505,11 @@
+ # for .xsession-errors
+ userdom_dontaudit_write_user_home_content_files($2)
+
+- xserver_ro_session($2,$3)
++ xserver_ro_session($2, $3)
xserver_use_user_fonts($2)
xserver_read_xdm_tmp_files($2)
@@ -35082,7 +36016,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# X object manager
xserver_object_types_template($1)
-@@ -545,6 +577,27 @@
+@@ -545,6 +579,27 @@
')
domtrans_pattern($1, xauth_exec_t, xauth_t)
@@ -35110,7 +36044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -598,6 +651,7 @@
+@@ -598,6 +653,7 @@
allow $1 xauth_home_t:file read_file_perms;
userdom_search_user_home_dirs($1)
@@ -35118,7 +36052,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -724,11 +778,12 @@
+@@ -615,7 +671,7 @@
+ type xconsole_device_t;
+ ')
+
+- allow $1 xconsole_device_t:fifo_file setattr;
++ allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -724,11 +780,13 @@
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
@@ -35128,12 +36071,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
-
+
files_search_tmp($1)
++ files_search_pids($1)
stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
+ stream_connect_pattern($1, xdm_var_run_t, xdm_var_run_t, xdm_t)
')
########################################
-@@ -805,7 +860,7 @@
+@@ -765,7 +823,7 @@
+ type xdm_tmp_t;
+ ')
+
+- allow $1 xdm_tmp_t:dir setattr;
++ allow $1 xdm_tmp_t:dir setattr_dir_perms;
+ ')
+
+ ########################################
+@@ -805,7 +863,7 @@
')
files_search_pids($1)
@@ -35142,7 +36095,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -916,7 +971,7 @@
+@@ -897,7 +955,7 @@
+ ')
+
+ logging_search_logs($1)
+- allow $1 xserver_log_t:file getattr;
++ allow $1 xserver_log_t:file getattr_file_perms;
+ ')
+
+ ########################################
+@@ -916,7 +974,7 @@
type xserver_log_t;
')
@@ -35151,7 +36113,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -964,6 +1019,44 @@
+@@ -964,6 +1022,44 @@
########################################
## <summary>
@@ -35196,7 +36158,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Read xdm temporary files.
## </summary>
## <param name="domain">
-@@ -1224,9 +1317,20 @@
+@@ -1052,7 +1148,7 @@
+ type xdm_tmp_t;
+ ')
+
+- dontaudit $1 xdm_tmp_t:sock_file getattr;
++ dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
+ ')
+
+ ########################################
+@@ -1210,7 +1306,7 @@
+ ## <summary>
+ ## Interface to provide X object permissions on a given X server to
+ ## an X client domain. Gives the domain permission to read the
+-## virtual core keyboard and virtual core pointer devices.
++## virtual core keyboard and virtual core pointer devices.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1224,9 +1320,20 @@
class x_device all_x_device_perms;
class x_pointer all_x_pointer_perms;
class x_keyboard all_x_keyboard_perms;
@@ -35217,7 +36197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -1250,3 +1354,329 @@
+@@ -1250,3 +1357,330 @@
typeattribute $1 x_domain;
typeattribute $1 xserver_unconfined_type;
')
@@ -35424,7 +36404,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+## Domain allowed access.
+## </summary>
+## </param>
-+## <rolecap/>
+#
+interface(`xserver_rw_inherited_user_fonts',`
+ gen_require(`
@@ -35490,6 +36469,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+## The role to be allowed the xserver domain.
+## </summary>
+## </param>
++## <rolecap/>
+#
+interface(`xserver_run',`
+ gen_require(`
@@ -35515,6 +36495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+## The role to be allowed the xserver domain.
+## </summary>
+## </param>
++## <rolecap/>
+#
+interface(`xserver_run_xauth',`
+ gen_require(`
@@ -36461,6 +37442,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+tunable_policy(`use_samba_home_dirs',`
+ fs_append_cifs_files(xdmhomewriter)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.if serefpolicy-3.7.19/policy/modules/services/zebra.if
+--- nsaserefpolicy/policy/modules/services/zebra.if 2010-04-13 20:44:36.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/zebra.if 2010-09-16 15:45:27.161386642 +0200
+@@ -38,8 +38,7 @@
+ ')
+
+ files_search_pids($1)
+- allow $1 zebra_var_run_t:sock_file write;
+- allow $1 zebra_t:unix_stream_socket connectto;
++ stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t)
+ ')
+
+ ########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.if serefpolicy-3.7.19/policy/modules/services/zosremote.if
+--- nsaserefpolicy/policy/modules/services/zosremote.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/zosremote.if 2010-09-16 15:54:12.998637035 +0200
+@@ -5,9 +5,9 @@
+ ## Execute a domain transition to run audispd-zos-remote.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
++## <summary>
+ ## Domain allowed to transition.
+-## </summary>
++## </summary>
+ ## </param>
+ #
+ interface(`zosremote_domtrans',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.7.19/policy/modules/system/application.if
--- nsaserefpolicy/policy/modules/system/application.if 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/system/application.if 2010-08-04 15:09:32.261085029 +0200
@@ -36525,7 +37534,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
ifdef(`distro_suse', `
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.19/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/authlogin.if 2010-05-28 09:42:00.210610461 +0200
++++ serefpolicy-3.7.19/policy/modules/system/authlogin.if 2010-09-16 15:42:52.233637126 +0200
@@ -41,7 +41,6 @@
## </param>
#
@@ -36625,6 +37634,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
########################################
+@@ -694,7 +734,7 @@
+ ')
+
+ files_search_etc($1)
+- allow $1 shadow_t:file { relabelfrom relabelto };
++ allow $1 shadow_t:file relabel_file_perms;
+ typeattribute $1 can_relabelto_shadow_passwords;
+ ')
+
@@ -1500,6 +1540,8 @@
#
interface(`auth_use_nsswitch',`
@@ -38682,7 +39700,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.7.19/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/logging.if 2010-06-28 18:21:14.861150814 +0200
++++ serefpolicy-3.7.19/policy/modules/system/logging.if 2010-09-16 15:43:30.178636919 +0200
@@ -545,6 +545,25 @@
########################################
@@ -38775,8 +39793,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
logging_manage_all_logs($1)
-+ allow $1 logfile:dir { relabelfrom relabelto };
-+ allow $1 logfile:file { relabelfrom relabelto };
++ allow $1 logfile:dir relabel_dir_perms;
++ allow $1 logfile:file relabel_file_perms;
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1)
@@ -41333,8 +42351,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.f
+/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.7.19/policy/modules/system/udev.if
--- nsaserefpolicy/policy/modules/system/udev.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/udev.if 2010-05-28 09:42:00.521610641 +0200
-@@ -196,6 +196,25 @@
++++ serefpolicy-3.7.19/policy/modules/system/udev.if 2010-09-16 15:27:33.814637102 +0200
+@@ -88,8 +88,7 @@
+ ')
+
+ kernel_search_proc($1)
+- allow $1 udev_t:file read_file_perms;
+- allow $1 udev_t:lnk_file read_lnk_file_perms;
++ ps_process_pattern($1, udev_t)
+ ')
+
+ ########################################
+@@ -196,6 +195,25 @@
########################################
## <summary>
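Review bot: The replacement `+ ps_process_pattern($1, udev_t)` is broader than the two rules it removes: in refpolicy that pattern also allows `udev_t:dir list_dir_perms` and `udev_t:process getattr`, not just reading udev_t files and symlinks. That is probably the intent for a "read udev process state" style interface, but the interface's summary should say so, and the change is absent from the commit message. The interface definition begins before the hunk, so its documentation block is not visible here to confirm.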
@@ -42185,7 +43213,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.19/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-08-10 16:46:30.604085285 +0200
++++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-09-16 15:44:29.987386896 +0200
@@ -30,8 +30,9 @@
')
@@ -43445,7 +44473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ type user_home_t;
+ ')
+
-+ allow $1 user_home_t:file { relabelto relabelfrom };
++ allow $1 user_home_t:file relabel_file_perms;
+')
+
########################################
@@ -44585,7 +45613,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+dontaudit unpriv_userdomain self:dir setattr;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.7.19/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/xen.if 2010-05-28 09:42:00.530610879 +0200
++++ serefpolicy-3.7.19/policy/modules/system/xen.if 2010-09-16 14:34:16.094636765 +0200
@@ -213,8 +213,9 @@
interface(`xen_domtrans_xm',`
gen_require(`
@@ -44597,6 +45625,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if
domtrans_pattern($1, xm_exec_t, xm_t)
')
+@@ -230,7 +231,7 @@
+ #
+ interface(`xen_stream_connect_xm',`
+ gen_require(`
+- type xm_t;
++ type xm_t, xenstored_var_run_t;
+ ')
+
+ files_search_pids($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.19/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/system/xen.te 2010-07-23 14:36:40.882388397 +0200
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6f9c7b1..d50c9b2 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 58%{?dist}
+Release: 59%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,9 @@ exit 0
%endif
%changelog
+* Wed Sep 16 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-59
+- Add cluster_var_lib_t type and label for /var/lib/cluster
+
* Wed Sep 15 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-58
- Add labeling for /root/.debug
- Remove permissive from cmirrord domain
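Review bot: The new %changelog header `+* Wed Sep 16 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-59` carries the wrong weekday: the commit is dated Thu Sep 16 2010 and the previous entry is already Wed Sep 15, so it should read `* Thu Sep 16 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-59`. rpmbuild reports such mismatches as a bogus date in %changelog. The entry also lists only the cluster_var_lib_t labeling, while the accompanying patch update rewrites relabel rules and interfaces across several modules; a second bullet summarising those would help anyone auditing policy changes by release.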