From 403433320a67db28bfd6dbb4217c9182600b01a2 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Sep 23 2008 20:09:57 +0000 Subject: - Update to latest policy for NetworkManager --- diff --git a/policy-20071130.patch b/policy-20071130.patch index 5fe051e..29a9df8 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -15267,7 +15267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.3.1/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/dbus.if 2008-09-08 11:45:12.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/dbus.if 2008-09-23 15:34:07.000000000 -0400 @@ -53,6 +53,7 @@ gen_require(` type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t; @@ -15479,7 +15479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ## Read dbus configuration. ## ## -@@ -366,3 +431,73 @@ +@@ -366,3 +431,74 @@ allow $1 system_dbusd_t:dbus *; ') @@ -15552,10 +15552,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus + ') + + allow $1 system_dbusd_t:tcp_socket { read write }; ++ allow $1 system_dbusd_t:fd use; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.3.1/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/dbus.te 2008-09-08 11:45:12.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/dbus.te 2008-09-23 15:32:58.000000000 -0400 @@ -9,9 +9,10 @@ # # Delcarations 
@@ -15628,20 +15629,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus domain_use_interactive_fds(system_dbusd_t) -@@ -91,6 +107,8 @@ +@@ -91,6 +107,9 @@ init_use_fds(system_dbusd_t) init_use_script_ptys(system_dbusd_t) +init_dbus_chat_script(system_dbusd_t) +init_bin_domtrans_spec(system_dbusd_t) ++init_domtrans_script(system_dbusd_t) libs_use_ld_so(system_dbusd_t) libs_use_shared_libs(system_dbusd_t) -@@ -121,9 +139,37 @@ +@@ -121,9 +140,37 @@ ') optional_policy(` -+ networkmanager_init_script_domtrans_spec(system_dbusd_t) ++ consolekit_dbus_chat(system_dbusd_t) ++') ++ ++optional_policy(` ++ networkmanager_script_domtrans(system_dbusd_t) +') + +optional_policy(` @@ -15658,10 +15664,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ') + +optional_policy(` -+ consolekit_dbus_chat(system_dbusd_t) -+') -+ -+optional_policy(` + gen_require(` + type unconfined_dbusd_t; + attribute domain; 
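Review bot: The added `init_domtrans_script(system_dbusd_t)` lets the system bus daemon transition into the init script domain through any init script, which is much wider than the NetworkManager dispatcher case named in the commit subject. The init.te context further down this patch shows `unconfined_domain(initrc_t)` inside an optional block, so where that block is active the transition ends in an unconfined domain. The same hunk already adds `networkmanager_script_domtrans(system_dbusd_t)`, which appears to cover the dispatcher scripts on its own. Either drop the generic line, or add a one-line comment above it naming the init script that dbus has to start, so the grant can be narrowed later.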
@@ -20330,24 +20332,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.3.1/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.fc 2008-09-08 11:45:12.000000000 -0400 -@@ -1,7 +1,13 @@ ++++ serefpolicy-3.3.1/policy/modules/services/networkmanager.fc 2008-09-23 15:27:49.000000000 -0400 +@@ -1,7 +1,16 @@ ++/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_script_exec_t,s0) ++ ++/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) ++ /usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) /usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) ++ ++/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant(/.*)? 
gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) -+ -+/var/log/wpa_supplicant\.log.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) -+/etc/NetworkManager/dispatcher.d(/.*) gen_context(system_u:object_r:NetworkManager_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.3.1/policy/modules/services/networkmanager.if --- nsaserefpolicy/policy/modules/services/networkmanager.if 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.if 2008-09-08 11:45:12.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/networkmanager.if 2008-09-23 15:27:57.000000000 -0400 +@@ -74,7 +74,7 @@ + ') + + corecmd_search_bin($1) +- domtrans_pattern($1,NetworkManager_exec_t,NetworkManager_t) ++ domtrans_pattern($1, NetworkManager_exec_t, NetworkManager_t) + ') + + ######################################## @@ -97,3 +97,58 @@ allow $1 NetworkManager_t:dbus send_msg; allow NetworkManager_t $1:dbus send_msg; @@ -20381,7 +20395,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw +## +## +# -+interface(`networkmanager_init_script_domtrans_spec',` ++interface(`networkmanager_script_domtrans',` + gen_require(` + type NetworkManager_script_exec_t; + ') 
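Review bot: The log entry changes from `/var/log/wpa_supplicant\.log.*` to `/var/log/wpa_supplicant.*`, so any regular file in /var/log whose name merely starts with `wpa_supplicant` now gets `NetworkManager_log_t`. If the aim is only to catch rotated logs, the earlier escaped form already did that; otherwise a short `#` comment stating which extra file names are expected would make the widening reviewable. In the same hunk, `/etc/NetworkManager/dispatcher\.d(/.*)` has no trailing `?`, unlike `/var/run/NetworkManager(/.*)?`, so the directory itself is not labelled. If that is deliberate (the directory keeps its default label and only the scripts become entry points), say so in a comment; if not, use `/etc/NetworkManager/dispatcher\.d(/.*)?`.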
@@ -20405,44 +20419,66 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw + ') + + files_search_pids($1) -+ read_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) ++ allow $1 NetworkManager_var_run_t:file read_file_perms; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.3.1/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te 2008-09-08 11:45:12.000000000 -0400 -@@ -13,6 +13,13 @@ - type NetworkManager_var_run_t; - files_pid_file(NetworkManager_var_run_t) ++++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te 2008-09-23 16:07:05.000000000 -0400 +@@ -1,5 +1,5 @@ +-policy_module(networkmanager,1.9.0) ++policy_module(networkmanager, 1.10.2) + + ######################################## + # +@@ -8,7 +8,16 @@ + + type NetworkManager_t; + type NetworkManager_exec_t; +-init_daemon_domain(NetworkManager_t,NetworkManager_exec_t) ++init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) ++ +type NetworkManager_log_t; +logging_log_file(NetworkManager_log_t) + +type NetworkManager_script_exec_t; +init_script_file(NetworkManager_script_exec_t) -+init_script_domtrans_spec(NetworkManager_t, NetworkManager_script_exec_t) + - ######################################## - # - # Local policy -@@ -20,9 +27,9 @@ ++type NetworkManager_tmp_t; ++files_tmp_file(NetworkManager_tmp_t) + + type NetworkManager_var_run_t; + files_pid_file(NetworkManager_var_run_t) +@@ -20,9 +29,9 @@ # networkmanager will ptrace itself if gdb is installed # and it receives a unexpected signal (rh bug #204161) -allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock }; -+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice dac_override 
net_admin net_raw net_bind_service ipc_lock }; ++allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bin_dservice ipc_lock }; dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace }; -allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms }; +allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms }; allow NetworkManager_t self:fifo_file rw_fifo_file_perms; allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms }; allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; -@@ -38,10 +45,14 @@ - manage_sock_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t) - files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file }) +@@ -33,15 +42,22 @@ + + can_exec(NetworkManager_t, NetworkManager_exec_t) -+manage_files_pattern(NetworkManager_t,NetworkManager_log_t,NetworkManager_log_t) -+logging_log_filetrans(NetworkManager_t,NetworkManager_log_t, file) +-manage_dirs_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t) +-manage_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t) +-manage_sock_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t) ++manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) ++logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) ++ ++manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) ++files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, sock_file) + ++manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) ++manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) ++manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) + 
files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file }) + kernel_read_system_state(NetworkManager_t) kernel_read_network_state(NetworkManager_t) kernel_read_kernel_sysctls(NetworkManager_t) @@ -20451,7 +20487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw corenet_all_recvfrom_unlabeled(NetworkManager_t) corenet_all_recvfrom_netlabel(NetworkManager_t) -@@ -64,9 +75,11 @@ +@@ -64,9 +80,11 @@ dev_read_sysfs(NetworkManager_t) dev_read_rand(NetworkManager_t) dev_read_urand(NetworkManager_t) @@ -20463,14 +20499,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw mls_file_read_all_levels(NetworkManager_t) -@@ -82,10 +95,16 @@ - files_read_etc_files(NetworkManager_t) +@@ -83,9 +101,14 @@ files_read_etc_runtime_files(NetworkManager_t) files_read_usr_files(NetworkManager_t) -+files_list_tmp(NetworkManager_t) -+ -+storage_getattr_fixed_disk_dev(NetworkManager_t) ++storage_getattr_fixed_disk_dev(NetworkManager_t) ++ init_read_utmp(NetworkManager_t) +init_dontaudit_write_utmp(NetworkManager_t) init_domtrans_script(NetworkManager_t) 
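Review bot: The new `self:capability` line spells one permission `net_bin_dservice`, where the line it replaces had `net_bind_service`. This looks like a typo that will either fail the policy build or drop the bind capability. The same line also adds `sys_admin`, a very broad capability for a network daemon, and the comment above it only explains the ptrace rule. Suggested line: `allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };`, with a comment recording the denial that justifies `sys_admin`, or with `sys_admin` removed if there is none.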
@@ -20480,23 +20514,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw libs_use_ld_so(NetworkManager_t) libs_use_shared_libs(NetworkManager_t) -@@ -113,6 +132,9 @@ +@@ -109,10 +132,14 @@ + sysnet_etc_filetrans_config(NetworkManager_t) + + userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t) +-userdom_dontaudit_search_sysadm_home_dirs(NetworkManager_t) userdom_dontaudit_use_unpriv_users_ttys(NetworkManager_t) # Read gnome-keyring userdom_read_unpriv_users_home_content_files(NetworkManager_t) +userdom_unpriv_users_stream_connect(NetworkManager_t) + ++userdom_dontaudit_search_sysadm_home_dirs(NetworkManager_t) ++ +cron_read_system_job_lib_files(NetworkManager_t) optional_policy(` bind_domtrans(NetworkManager_t) -@@ -129,21 +151,21 @@ +@@ -129,21 +156,26 @@ ') optional_policy(` - dbus_system_bus_client_template(NetworkManager,NetworkManager_t) - dbus_connect_system_bus(NetworkManager_t) -+ dbus_system_domain(NetworkManager_t,NetworkManager_exec_t) ++ dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) ') optional_policy(` @@ -20511,14 +20551,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw optional_policy(` - nscd_socket_use(NetworkManager_t) ++ nscd_domtrans(NetworkManager_t) nscd_signal(NetworkManager_t) + nscd_script_domtrans(NetworkManager_t) -+ nscd_domtrans(NetworkManager_t) ++') ++ ++optional_policy(` ++ # Dispatcher starting and stoping ntp ++ ntp_script_domtrans(NetworkManager_t) + ') + + optional_policy(` +@@ -152,22 +184,25 @@ ') optional_policy(` -@@ -155,19 +177,21 @@ - ppp_domtrans(NetworkManager_t) +- ppp_domtrans(NetworkManager_t) ++ ppp_script_domtrans(NetworkManager_t) ppp_read_pid_files(NetworkManager_t) ppp_signal(NetworkManager_t) + ppp_signull(NetworkManager_t) 
@@ -20527,8 +20576,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw optional_policy(` - seutil_sigchld_newrole(NetworkManager_t) -+ # Dispatcher starting and stoping ntp -+ ntp_script_domtrans(NetworkManager_t) ++ rpm_exec(NetworkManager_t) ++ rpm_read_db(NetworkManager_t) ++ rpm_dontaudit_manage_db(NetworkManager_t) ') optional_policy(` @@ -23461,17 +23511,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.3.1/policy/modules/services/ppp.fc --- nsaserefpolicy/policy/modules/services/ppp.fc 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/ppp.fc 2008-09-08 11:45:12.000000000 -0400 -@@ -33,3 +33,5 @@ - - /var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0) - /var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0) -+ ++++ serefpolicy-3.3.1/policy/modules/services/ppp.fc 2008-09-23 15:54:31.000000000 -0400 +@@ -1,6 +1,8 @@ + # + # /etc + # +/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_script_exec_t,s0) ++ + /etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0) + /etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) + /etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.3.1/policy/modules/services/ppp.if --- nsaserefpolicy/policy/modules/services/ppp.if 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/ppp.if 2008-09-08 11:45:12.000000000 -0400 -@@ -95,6 +95,24 @@ ++++ serefpolicy-3.3.1/policy/modules/services/ppp.if 2008-09-23 15:53:51.000000000 -0400 +@@ -76,6 +76,24 @@ ######################################## ## 
@@ -23493,16 +23546,62 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. + +######################################## +## - ## Conditionally execute ppp daemon on behalf of a user or staff type. + ## Execute domain in the ppp domain. ## ## -@@ -297,38 +315,42 @@ +@@ -102,6 +120,16 @@ + ## Domain allowed access. + ## + ## ++## ++## ++## The role to allow the ppp domain. ++## ++## ++## ++## ++## The type of the terminal allow the ppp domain to use. ++## ++## + ## + # + interface(`ppp_run_cond',` +@@ -272,6 +300,24 @@ + + ######################################## + ## ++## Execute ppp server in the ntpd domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`ppp_script_domtrans',` ++ gen_require(` ++ type pppd_script_exec_t; ++ ') ++ ++ init_script_domtrans_spec($1, pppd_script_exec_t) ++') ++ ++######################################## ++## + ## All of the rules required to administrate + ## an ppp environment + ## +@@ -295,40 +341,51 @@ + interface(`ppp_admin',` + gen_require(` type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t; - type pppd_etc_t, pppd_script_t, pppd_secret_t; - type pppd_etc_rw_t, pppd_var_lib_t, pppd_var_run_t; -- +- type pppd_etc_t, pppd_script_t, pppd_secret_t; +- type pppd_etc_rw_t, pppd_var_lib_t, pppd_var_run_t; ++ type pppd_etc_t, pppd_secret_t; ++ type pppd_etc_rw_t, pppd_var_run_t; + type pptp_t, pptp_log_t, pptp_var_run_t; -+ type pppd_script_exec_t; ++ type pppd_script_exec_t; ') allow $1 pppd_t:process { ptrace signal_perms getattr }; 
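Review bot: The summary added for `ppp_script_domtrans` reads `Execute ppp server in the ntpd domain.`, which looks copied from the ntp interface. The body calls `init_script_domtrans_spec($1, pppd_script_exec_t)`, so the transition goes through the ppp init script; `## Execute the ppp init script with a domain transition.` would match the code. In the same hunk, `pppd_script_t` and `pppd_var_lib_t` appear to be dropped from the `gen_require` of `ppp_admin`. The rest of that interface lies outside this hunk, so check that no remaining rule (for instance after `files_list_var_lib($1)`) still names either type.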
@@ -23511,6 +23610,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. + allow $1 pptp_t:process { ptrace signal_perms getattr }; + ps_process_pattern($1, pptp_t) + ++ # Allow admin domain to restart the pppd_t service ++ ppp_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 pppd_script_exec_t system_r; ++ allow $2 system_r; ++ files_list_tmp($1) - manage_files_pattern($1, pppd_tmp_t, pppd_tmp_t) + manage_all_pattern($1,pppd_tmp_t) @@ -23518,22 +23623,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. logging_list_logs($1) - manage_files_pattern($1, pppd_log_t, pppd_log_t) + manage_all_pattern($1,pppd_log_t) ++ ++ manage_all_pattern($1,pptp_log_t) - manage_files_pattern($1, pppd_lock_t, pppd_lock_t) -+ manage_all_pattern($1,pptp_log_t) -+ + manage_all_pattern($1,pppd_lock_t) files_list_etc($1) - manage_files_pattern($1, pppd_etc_t, pppd_etc_t) + manage_all_pattern($1,pppd_etc_t) -+ -+ manage_all_pattern($1,pppd_etc_rw_t) - manage_files_pattern($1, pppd_etc_rw_t, pppd_etc_rw_t) -+ manage_all_pattern($1,pppd_secret_t) ++ manage_all_pattern($1,pppd_etc_rw_t) - manage_files_pattern($1, pppd_secret_t, pppd_secret_t) ++ manage_all_pattern($1,pppd_secret_t) ++ + manage_all_pattern($1,pppd_script_exec_t) files_list_var_lib($1) @@ -28744,7 +28849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.3.1/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/squid.te 2008-09-08 11:45:13.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/squid.te 2008-09-23 15:23:50.000000000 -0400 @@ -31,12 +31,15 @@ type squid_var_run_t; files_pid_file(squid_var_run_t) 
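Review bot: The added `role_transition $2 pppd_script_exec_t system_r;` and `allow $2 system_r;` make `ppp_admin` depend on a second argument, but nothing visible in this hunk documents it. The interface header and its parameter comments are outside the hunk; confirm that a role parameter is described there and that every caller passes it, because an empty `$2` would expand to an invalid `role_transition` statement. A comment next to `domain_system_change_exemption($1)` saying it is only needed for restarting the service would also make the scope of that exemption clear.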
@@ -28795,7 +28900,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi libs_use_ld_so(squid_t) libs_use_shared_libs(squid_t) -@@ -148,11 +156,7 @@ +@@ -145,14 +153,11 @@ + + tunable_policy(`squid_connect_any',` + corenet_tcp_connect_all_ports(squid_t) ++ corenet_tcp_bind_all_ports(squid_t) ') optional_policy(` @@ -28808,7 +28917,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi ') optional_policy(` -@@ -167,7 +171,12 @@ +@@ -167,7 +172,12 @@ udev_read_db(squid_t) ') @@ -32875,7 +32984,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.3.1/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/system/init.te 2008-09-08 11:45:13.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/init.te 2008-09-23 15:44:00.000000000 -0400 @@ -10,6 +10,20 @@ # Declarations # @@ -33054,7 +33163,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t selinux_get_enforce_mode(initrc_t) -@@ -496,6 +535,31 @@ +@@ -352,6 +391,7 @@ + libs_use_shared_libs(initrc_t) + libs_exec_lib_files(initrc_t) + ++logging_send_audit_msgs(initrc_t) + logging_send_syslog_msg(initrc_t) + logging_manage_generic_logs(initrc_t) + logging_read_all_logs(initrc_t) +@@ -496,6 +536,31 @@ ') ') @@ -33086,7 +33203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -554,16 +618,12 @@ +@@ -554,16 +619,12 @@ dbus_read_config(initrc_t) optional_policy(` 
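Review bot: `corenet_tcp_bind_all_ports(squid_t)` is added inside the `squid_connect_any` tunable block, so a boolean whose name refers only to outbound connections now also lets squid bind every TCP port. An administrator who enables it to proxy to arbitrary destination ports would not expect the listening side to widen as well. Either move the bind rule under a separate tunable, or update the boolean's description where it is declared (outside this hunk) to state that it covers binding too.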
@@ -33107,7 +33224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -639,12 +699,6 @@ +@@ -639,12 +700,6 @@ mta_read_config(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t) ') @@ -33120,7 +33237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` ifdef(`distro_redhat',` -@@ -705,6 +759,9 @@ +@@ -705,6 +760,9 @@ # why is this needed: rpm_manage_db(initrc_t) @@ -33130,7 +33247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -717,9 +774,11 @@ +@@ -717,9 +775,11 @@ squid_manage_logs(initrc_t) ') @@ -33145,7 +33262,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -738,6 +797,11 @@ +@@ -738,6 +798,11 @@ uml_setattr_util_sockets(initrc_t) ') @@ -33157,7 +33274,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` unconfined_domain(initrc_t) -@@ -752,6 +816,10 @@ +@@ -752,6 +817,10 @@ ') optional_policy(` @@ -33168,7 +33285,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t vmware_read_system_config(initrc_t) vmware_append_system_config(initrc_t) ') -@@ -774,3 +842,4 @@ +@@ -774,3 +843,4 @@ optional_policy(` zebra_read_config(initrc_t) ')