From 8fb7d3d78bd347e4bc6953063bb4c045d86a0e21 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh <dwalsh@fedoraproject.org>
Date: Oct 20 2008 19:54:21 +0000
Subject: - Allow wine to mmap_zero

- Fix mapping for google/picasa/wine

---

diff --git a/policy-20070703.patch b/policy-20070703.patch
index 13968a3..1b5c337 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -1185,6 +1185,201 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anacond
  	kudzu_domtrans(anaconda_t)
  ')
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/avahi.if serefpolicy-3.0.8/policy/modules/admin/avahi.if
+--- nsaserefpolicy/policy/modules/admin/avahi.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/admin/avahi.if	2008-10-16 14:54:07.000000000 -0400
+@@ -0,0 +1,191 @@
++## <summary>mDNS/DNS-SD daemon implementing Apple ZeroConf architecture</summary>
++
++########################################
++## <summary>
++##	Execute avahi server in the avahi domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++#
++interface(`avahi_domtrans',`
++	gen_require(`
++		type avahi_exec_t;
++		type avahi_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, avahi_exec_t, avahi_t)
++')
++
++########################################
++## <summary>
++##	Execute avahi server in the avahi domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++#
++interface(`avahi_initrc_domtrans',`
++	gen_require(`
++		type avahi_initrc_exec_t;
++	')
++
++	init_labeled_script_domtrans($1, avahi_initrc_exec_t)
++')
++
++########################################
++## <summary>
++##	Send avahi a sigkill
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++#
++interface(`avahi_sigkill',`
++	gen_require(`
++		type avahi_t;
++	')
++
++	allow $1 avahi_t:process sigkill;
++')
++
++########################################
++## <summary>
++##	Send avahi a signal
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++#
++interface(`avahi_signal',`
++	gen_require(`
++		type avahi_t;
++	')
++
++	allow $1 avahi_t:process signal;
++')
++
++########################################
++## <summary>
++##	Send avahi a signull
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++#
++interface(`avahi_signull',`
++	gen_require(`
++		type avahi_t;
++	')
++
++	allow $1 avahi_t:process signull;
++')
++
++########################################
++## <summary>
++##	Send and receive messages from
++##	avahi over dbus.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`avahi_dbus_chat',`
++	gen_require(`
++		type avahi_t;
++		class dbus send_msg;
++	')
++
++	allow $1 avahi_t:dbus send_msg;
++	allow avahi_t $1:dbus send_msg;
++')
++
++########################################
++## <summary>
++##	Connect to avahi using a unix domain stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`avahi_stream_connect',`
++	gen_require(`
++		type avahi_t, avahi_var_run_t;
++	')
++
++	files_search_pids($1)
++	stream_connect_pattern($1, avahi_var_run_t, avahi_var_run_t, avahi_t)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to search the avahi pid directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`avahi_dontaudit_search_pid',`
++	gen_require(`
++		type avahi_var_run_t;
++	')
++
++	dontaudit $1 avahi_var_run_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate 
++##	an avahi environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed to manage the avahi domain.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`avahi_admin',`
++	gen_require(`
++		type avahi_t, avahi_var_run_t;
++		type avahi_initrc_exec_t;
++	')
++
++	allow $1 avahi_t:process { ptrace signal_perms };
++	ps_process_pattern($1, avahi_t)
++	        
++	init_labeled_script_domtrans($1, avahi_initrc_exec_t)
++	domain_system_change_exemption($1)
++	role_transition $2 avahi_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	files_list_pids($1)
++	admin_pattern($1, avahi_var_run_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-3.0.8/policy/modules/admin/bootloader.te
 --- nsaserefpolicy/policy/modules/admin/bootloader.te	2008-06-12 23:37:55.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/admin/bootloader.te	2008-10-14 12:05:29.000000000 -0400
@@ -4390,14 +4585,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.0.8/policy/modules/apps/wine.fc
 --- nsaserefpolicy/policy/modules/apps/wine.fc	2008-06-12 23:37:56.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/wine.fc	2008-10-14 12:05:29.000000000 -0400
-@@ -1,4 +1,5 @@
++++ serefpolicy-3.0.8/policy/modules/apps/wine.fc	2008-10-15 13:39:12.000000000 -0400
+@@ -1,4 +1,7 @@
  /usr/bin/wine			--	gen_context(system_u:object_r:wine_exec_t,s0)
  
 -/opt/cxoffice/bin/wine		--	gen_context(system_u:object_r:wine_exec_t,s0)
 -/opt/picasa/wine/bin/wine	--	gen_context(system_u:object_r:wine_exec_t,s0)
 +/opt/cxoffice/bin/wine.*	--	gen_context(system_u:object_r:wine_exec_t,s0)
 +/opt/picasa/wine/bin/wine.*	--	gen_context(system_u:object_r:wine_exec_t,s0)
++/opt/google/picasa(/.*)?/bin/wine.*	--	gen_context(system_u:object_r:wine_exec_t,s0)
++
 +HOME_DIR/cxoffice/bin/wine.*	--	gen_context(system_u:object_r:wine_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.0.8/policy/modules/apps/wine.if
 --- nsaserefpolicy/policy/modules/apps/wine.if	2008-06-12 23:37:56.000000000 -0400
@@ -4489,7 +4686,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if 
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.0.8/policy/modules/apps/wine.te
 --- nsaserefpolicy/policy/modules/apps/wine.te	2008-06-12 23:37:56.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/wine.te	2008-10-14 12:05:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/wine.te	2008-10-15 14:49:17.000000000 -0400
+@@ -1,5 +1,5 @@
+ 
+-policy_module(wine,1.3.1)
++policy_module(wine,1.5.0)
+ 
+ ########################################
+ #
 @@ -9,6 +9,7 @@
  type wine_t;
  type wine_exec_t;
@@ -8119,14 +8323,240 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto
  	seutil_sigchld_newrole(automount_t)
  ')
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.0.8/policy/modules/services/avahi.fc
+--- nsaserefpolicy/policy/modules/services/avahi.fc	2008-06-12 23:37:57.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/avahi.fc	2008-10-15 13:45:05.000000000 -0400
+@@ -1,5 +1,9 @@
++/etc/rc\.d/init\.d/avahi.*	--	gen_context(system_u:object_r:avahi_initrc_exec_t,s0)
+ 
+ /usr/sbin/avahi-daemon		--	gen_context(system_u:object_r:avahi_exec_t,s0)
+ /usr/sbin/avahi-dnsconfd 	--	gen_context(system_u:object_r:avahi_exec_t,s0)
++/usr/sbin/avahi-autoipd 	--	gen_context(system_u:object_r:avahi_exec_t,s0)
+ 
+ /var/run/avahi-daemon(/.*)? 		gen_context(system_u:object_r:avahi_var_run_t,s0)
++
++/usr/lib/avahi-autoipd(/.*)		gen_context(system_u:object_r:avahi_var_lib_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.0.8/policy/modules/services/avahi.if
+--- nsaserefpolicy/policy/modules/services/avahi.if	2008-06-12 23:37:57.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/avahi.if	2008-10-16 14:52:08.000000000 -0400
+@@ -2,6 +2,103 @@
+ 
+ ########################################
+ ## <summary>
++##	Execute avahi server in the avahi domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++#
++interface(`avahi_domtrans',`
++	gen_require(`
++		type avahi_exec_t;
++		type avahi_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, avahi_exec_t, avahi_t)
++')
++
++########################################
++## <summary>
++##	Execute avahi server in the avahi domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++#
++interface(`avahi_initrc_domtrans',`
++	gen_require(`
++		type avahi_initrc_exec_t;
++	')
++
++	init_labeled_script_domtrans($1, avahi_initrc_exec_t)
++')
++
++########################################
++## <summary>
++##	Send avahi a sigkill
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++#
++interface(`avahi_sigkill',`
++	gen_require(`
++		type avahi_t;
++	')
++
++	allow $1 avahi_t:process sigkill;
++')
++
++########################################
++## <summary>
++##	Send avahi a signal
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++#
++interface(`avahi_signal',`
++	gen_require(`
++		type avahi_t;
++	')
++
++	allow $1 avahi_t:process signal;
++')
++
++########################################
++## <summary>
++##	Send avahi a signull
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++#
++interface(`avahi_signull',`
++	gen_require(`
++		type avahi_t;
++	')
++
++	allow $1 avahi_t:process signull;
++')
++
++########################################
++## <summary>
+ ##	Send and receive messages from
+ ##	avahi over dbus.
+ ## </summary>
+@@ -37,7 +134,7 @@
+ 	')
+ 
+ 	files_search_pids($1)
+-	stream_connect_pattern($1,avahi_var_run_t,avahi_var_run_t,avahi_t)
++	stream_connect_pattern($1, avahi_var_run_t, avahi_var_run_t, avahi_t)
+ ')
+ 
+ ########################################
+@@ -57,3 +154,38 @@
+ 
+ 	dontaudit $1 avahi_var_run_t:dir search_dir_perms;
+ ')
++
++########################################
++## <summary>
++##	All of the rules required to administrate 
++##	an avahi environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed to manage the avahi domain.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`avahi_admin',`
++	gen_require(`
++		type avahi_t, avahi_var_run_t;
++		type avahi_initrc_exec_t;
++	')
++
++	allow $1 avahi_t:process { ptrace signal_perms };
++	ps_process_pattern($1, avahi_t)
++	        
++	init_labeled_script_domtrans($1, avahi_initrc_exec_t)
++	domain_system_change_exemption($1)
++	role_transition $2 avahi_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	files_list_pids($1)
++	admin_pattern($1, avahi_var_run_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.0.8/policy/modules/services/avahi.te
 --- nsaserefpolicy/policy/modules/services/avahi.te	2008-06-12 23:37:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/avahi.te	2008-10-14 12:05:29.000000000 -0400
-@@ -85,6 +85,7 @@
++++ serefpolicy-3.0.8/policy/modules/services/avahi.te	2008-10-15 14:18:33.000000000 -0400
+@@ -1,5 +1,5 @@
+ 
+-policy_module(avahi,1.6.1)
++policy_module(avahi, 1.9.0)
+ 
+ ########################################
+ #
+@@ -8,7 +8,13 @@
+ 
+ type avahi_t;
+ type avahi_exec_t;
+-init_daemon_domain(avahi_t,avahi_exec_t)
++init_daemon_domain(avahi_t, avahi_exec_t)
++
++type avahi_initrc_exec_t;
++init_script_file(avahi_initrc_exec_t)
++
++type avahi_var_lib_t;
++files_pid_file(avahi_var_lib_t)
+ 
+ type avahi_var_run_t;
+ files_pid_file(avahi_var_run_t)
+@@ -20,15 +26,20 @@
+ 
+ allow avahi_t self:capability { dac_override setgid chown fowner kill setuid sys_chroot };
+ dontaudit avahi_t self:capability sys_tty_config;
+-allow avahi_t self:process { setrlimit signal_perms setcap };
++allow avahi_t self:process { setrlimit signal_perms getcap setcap };
+ allow avahi_t self:fifo_file { read write };
+ allow avahi_t self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow avahi_t self:unix_dgram_socket create_socket_perms;
+ allow avahi_t self:tcp_socket create_stream_socket_perms;
+ allow avahi_t self:udp_socket create_socket_perms;
+ 
+-manage_files_pattern(avahi_t,avahi_var_run_t,avahi_var_run_t)
+-manage_sock_files_pattern(avahi_t,avahi_var_run_t,avahi_var_run_t)
++files_search_var_lib(avahi_t)
++manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
++manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
++files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file })
++
++manage_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
++manage_sock_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
+ allow avahi_t avahi_var_run_t:dir setattr;
+ files_pid_filetrans(avahi_t,avahi_var_run_t,file)
+ 
+@@ -76,15 +87,18 @@
+ logging_send_syslog_msg(avahi_t)
+ 
+ miscfiles_read_localization(avahi_t)
++miscfiles_read_certs(avahi_t)
+ 
+ userdom_dontaudit_use_unpriv_user_fds(avahi_t)
++
+ userdom_dontaudit_search_sysadm_home_dirs(avahi_t)
+ 
+ optional_policy(`
+ 	dbus_system_bus_client_template(avahi,avahi_t)
  	dbus_connect_system_bus(avahi_t)
- 	dbus_send_system_bus(avahi_t)
+-	dbus_send_system_bus(avahi_t)
++
  	init_dbus_chat_script(avahi_t)
-+	dbus_system_domain(avahi_t,avahi_exec_t)
++	dbus_system_domain(avahi_t, avahi_exec_t)
  ')
  
  optional_policy(`
@@ -8141,6 +8571,208 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
 +/var/named/chroot/var/named/dynamic(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
  ')
 +/var/named/chroot/var/log/named.*	--	gen_context(system_u:object_r:named_log_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.0.8/policy/modules/services/bind.if
+--- nsaserefpolicy/policy/modules/services/bind.if	2008-06-12 23:37:57.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/bind.if	2008-10-16 16:02:58.000000000 -0400
+@@ -15,7 +15,7 @@
+ 		type ndc_t, ndc_exec_t;
+ 	')
+ 
+-	domtrans_pattern($1,ndc_exec_t,ndc_t)
++	domtrans_pattern($1, ndc_exec_t, ndc_t)
+ ')
+ 
+ ########################################
+@@ -38,6 +38,42 @@
+ 
+ ########################################
+ ## <summary>
++##	Send signulls to BIND.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`bind_signull',`
++	gen_require(`
++		type named_t;
++	')
++
++	allow $1 named_t:process signull;
++')
++
++########################################
++## <summary>
++##	Send sigkills to BIND.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`bind_sigkill',`
++	gen_require(`
++		type named_t;
++	')
++
++	allow $1 named_t:process sigkill;
++')
++
++########################################
++## <summary>
+ ##	Execute ndc in the ndc domain, and
+ ##	allow the specified role the ndc domain.
+ ## </summary>
+@@ -83,7 +119,7 @@
+ 		type named_t, named_exec_t;
+ 	')
+ 
+-	domtrans_pattern($1,named_exec_t,named_t)
++	domtrans_pattern($1, named_exec_t, named_t)
+ ')
+ 
+ ########################################
+@@ -101,7 +137,7 @@
+ 		type named_conf_t, named_zone_t, dnssec_t;
+ 	')
+ 
+-	read_files_pattern($1,{ named_conf_t named_zone_t },dnssec_t)
++	read_files_pattern($1, { named_conf_t named_zone_t }, dnssec_t)
+ ')
+ 
+ ########################################
+@@ -119,7 +155,7 @@
+ 		type named_conf_t;
+ 	')
+ 
+-	read_files_pattern($1,named_conf_t,named_conf_t)
++	read_files_pattern($1, named_conf_t, named_conf_t)
+ ')
+ 
+ ########################################
+@@ -137,7 +173,7 @@
+ 		type named_conf_t;
+ 	')
+ 
+-	write_files_pattern($1,named_conf_t,named_conf_t)
++	write_files_pattern($1, named_conf_t, named_conf_t)
+ 	allow $1 named_conf_t:file setattr;
+ ')
+ 
+@@ -157,7 +193,7 @@
+ 		type named_conf_t;
+ 	')
+ 
+-	manage_dirs_pattern($1,named_conf_t,named_conf_t)
++	manage_dirs_pattern($1, named_conf_t, named_conf_t)
+ ')
+ 
+ ########################################
+@@ -199,8 +235,8 @@
+ 
+ 	files_search_var($1)
+ 	allow $1 named_zone_t:dir search_dir_perms;
+-	manage_files_pattern($1,named_cache_t,named_cache_t)
+-	manage_lnk_files_pattern($1,named_cache_t,named_cache_t)
++	manage_files_pattern($1, named_cache_t, named_cache_t)
++	manage_lnk_files_pattern($1, named_cache_t, named_cache_t)
+ ')
+ 
+ ########################################
+@@ -238,7 +274,7 @@
+ 	')
+ 
+ 	files_search_var($1)
+-	read_files_pattern($1,named_zone_t,named_zone_t)
++	read_files_pattern($1, named_zone_t, named_zone_t)
+ ')
+ 
+ ########################################
+@@ -254,3 +290,81 @@
+ interface(`bind_udp_chat_named',`
+ 	refpolicywarn(`$0($*) has been deprecated.')
+ ')
++
++########################################
++## <summary>
++##	Execute bind server in the bind domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++#
++interface(`bind_script_domtrans',`
++	gen_require(`
++		type bind_initrc_exec_t;
++	')
++
++	init_labeled_script_domtrans($1, bind_initrc_exec_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate 
++##	an bind environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed to manage the bind domain.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`bind_admin',`
++	gen_require(`
++		type named_t, named_tmp_t, named_log_t;
++		type named_conf_t, named_var_lib_t, named_var_run_t;
++		type named_cache_t, named_zone_t;
++		type dnssec_t, ndc_t;
++		type named_initrc_exec_t;
++	')
++
++	allow $1 named_t:process { ptrace signal_perms };
++	ps_process_pattern($1, named_t)
++	        
++	allow $1 ndc_t:process { ptrace signal_perms };
++	ps_process_pattern($1, ndc_t)
++	        
++	bind_run_ndc($1, $2, $3)
++
++	bind_script_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 named_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	files_list_tmp($1)
++	admin_pattern($1, named_tmp_t)
++
++	logging_list_logs($1)
++	admin_pattern($1, named_log_t)
++
++	files_list_etc($1)
++	admin_pattern($1, named_conf_t)
++
++	admin_pattern($1, named_cache_t)
++	admin_pattern($1, named_zone_t)
++	admin_pattern($1, dnssec_t)
++
++	files_list_var_lib($1)
++	admin_pattern($1, named_var_lib_t)
++
++	files_list_pids($1)
++	admin_pattern($1, named_var_run_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.0.8/policy/modules/services/bind.te
 --- nsaserefpolicy/policy/modules/services/bind.te	2008-06-12 23:37:57.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/bind.te	2008-10-14 12:05:29.000000000 -0400
@@ -10205,9 +10837,139 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
  /var/lib/misc/dnsmasq\.leases	--	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
 +/var/lib/dnsmasq(/.*)?		gen_context(system_u:object_r:dnsmasq_lease_t,s0)
  /var/run/dnsmasq\.pid		--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.0.8/policy/modules/services/dnsmasq.if
+--- nsaserefpolicy/policy/modules/services/dnsmasq.if	2008-06-12 23:37:57.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/dnsmasq.if	2008-10-15 14:20:09.000000000 -0400
+@@ -1 +1,117 @@
+ ## <summary>dnsmasq DNS forwarder and DHCP server</summary>
++
++########################################
++## <summary>
++##	Execute dnsmasq server in the dnsmasq domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++#
++interface(`dnsmasq_domtrans',`
++	gen_require(`
++		type dnsmasq_exec_t;
++		type dnsmasq_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t)
++')
++
++########################################
++## <summary>
++##	Execute dnsmasq server in the dnsmasq domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++#
++interface(`dnsmasq_initrc_domtrans',`
++	gen_require(`
++		type dnsmasq_initrc_exec_t;
++	')
++
++	init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
++')
++
++########################################
++## <summary>
++##	Send dnsmasq a signal
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++#
++interface(`dnsmasq_signal',`
++	gen_require(`
++		type dnsmasq_t;
++	')
++
++	allow $1 dnsmasq_t:process signal;
++')
++
++########################################
++## <summary>
++##	Send dnsmasq a sigkill
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++#
++interface(`dnsmasq_sigkill',`
++	gen_require(`
++		type dnsmasq_t;
++	')
++
++	allow $1 dnsmasq_t:process sigkill;
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate 
++##	an dnsmasq environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed to manage the dnsmasq domain.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`dnsmasq_admin',`
++	gen_require(`
++		type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
++		type dnsmasq_initrc_exec_t;
++	')
++
++	allow $1 dnsmasq_t:process { ptrace signal_perms };
++	ps_process_pattern($1, dnsmasq_t)
++	        
++	init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
++	domain_system_change_exemption($1)
++	role_transition $2 dnsmasq_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	files_list_var_lib($1)
++	admin_pattern($1, dnsmasq_lease_t)
++
++	files_list_pids($1)
++	admin_pattern($1, dnsmasq_var_run_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.0.8/policy/modules/services/dnsmasq.te
 --- nsaserefpolicy/policy/modules/services/dnsmasq.te	2008-06-12 23:37:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/dnsmasq.te	2008-10-14 12:05:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/dnsmasq.te	2008-10-15 14:22:15.000000000 -0400
+@@ -8,7 +8,7 @@
+ 
+ type dnsmasq_t;
+ type dnsmasq_exec_t;
+-init_daemon_domain(dnsmasq_t,dnsmasq_exec_t)
++init_daemon_domain(dnsmasq_t, dnsmasq_exec_t)
+ 
+ type dnsmasq_lease_t;
+ files_type(dnsmasq_lease_t)
 @@ -16,6 +16,9 @@
  type dnsmasq_var_run_t;
  files_pid_file(dnsmasq_var_run_t)
@@ -10218,6 +10980,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
  ########################################
  #
  # Local policy
+@@ -23,7 +26,7 @@
+ 
+ allow dnsmasq_t self:capability { net_admin setgid setuid net_bind_service net_raw };
+ dontaudit dnsmasq_t self:capability sys_tty_config;
+-allow dnsmasq_t self:process { setcap signal_perms };
++allow dnsmasq_t self:process { getcap setcap signal_perms };
+ allow dnsmasq_t self:fifo_file { read write };
+ allow dnsmasq_t self:netlink_route_socket { bind create nlmsg_read read write };
+ allow dnsmasq_t self:tcp_socket create_stream_socket_perms;
 @@ -32,7 +35,7 @@
  allow dnsmasq_t self:rawip_socket create_socket_perms;
  
@@ -10227,16 +10998,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
  files_var_lib_filetrans(dnsmasq_t,dnsmasq_lease_t,file)
  
  manage_files_pattern(dnsmasq_t,dnsmasq_var_run_t,dnsmasq_var_run_t)
-@@ -55,7 +58,7 @@
+@@ -55,8 +58,7 @@
  corenet_tcp_bind_all_nodes(dnsmasq_t)
  corenet_udp_bind_all_nodes(dnsmasq_t)
  corenet_tcp_bind_dns_port(dnsmasq_t)
 -corenet_udp_bind_dns_port(dnsmasq_t)
+-corenet_udp_bind_dhcpd_port(dnsmasq_t)
 +corenet_udp_bind_all_ports(dnsmasq_t)
- corenet_udp_bind_dhcpd_port(dnsmasq_t)
  corenet_sendrecv_dns_server_packets(dnsmasq_t)
  corenet_sendrecv_dhcpd_server_packets(dnsmasq_t)
-@@ -94,3 +97,7 @@
+ 
+@@ -94,3 +96,7 @@
  optional_policy(`
  	udev_read_db(dnsmasq_t)
  ')
@@ -13165,7 +13937,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.0.8/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2008-06-12 23:37:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te	2008-10-14 12:05:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te	2008-10-16 14:53:36.000000000 -0400
 @@ -1,5 +1,5 @@
  
 -policy_module(networkmanager,1.7.1)
@@ -13173,7 +13945,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
  
  ########################################
  #
-@@ -8,7 +8,16 @@
+@@ -8,11 +8,24 @@
  
  type NetworkManager_t;
  type NetworkManager_exec_t;
@@ -13191,7 +13963,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
  
  type NetworkManager_var_run_t;
  files_pid_file(NetworkManager_var_run_t)
-@@ -20,9 +29,9 @@
+ 
++type wpa_cli_t;
++type wpa_cli_exec_t;
++init_system_domain(wpa_cli_t, wpa_cli_exec_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -20,9 +33,9 @@
  
  # networkmanager will ptrace itself if gdb is installed
  # and it receives a unexpected signal (rh bug #204161) 
@@ -13203,8 +13983,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
  allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
  allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
  allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
-@@ -33,15 +42,22 @@
+@@ -31,17 +44,27 @@
+ allow NetworkManager_t self:udp_socket create_socket_perms;
+ allow NetworkManager_t self:packet_socket create_socket_perms;
  
++allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
++
  can_exec(NetworkManager_t, NetworkManager_exec_t)
  
 -manage_dirs_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t)
@@ -13226,10 +14010,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
  kernel_read_kernel_sysctls(NetworkManager_t)
  kernel_load_module(NetworkManager_t)
 +kernel_read_debugfs(NetworkManager_t)
++kernel_search_network_sysctl(NetworkManager_t)
  
  corenet_all_recvfrom_unlabeled(NetworkManager_t)
  corenet_all_recvfrom_netlabel(NetworkManager_t)
-@@ -64,9 +80,11 @@
+@@ -64,9 +87,11 @@
  dev_read_sysfs(NetworkManager_t)
  dev_read_rand(NetworkManager_t)
  dev_read_urand(NetworkManager_t)
@@ -13241,7 +14026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
  
  mls_file_read_all_levels(NetworkManager_t)
  
-@@ -83,9 +101,14 @@
+@@ -83,9 +108,14 @@
  files_read_etc_runtime_files(NetworkManager_t)
  files_read_usr_files(NetworkManager_t)
  
@@ -13256,11 +14041,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
  libs_use_ld_so(NetworkManager_t)
  libs_use_shared_libs(NetworkManager_t)
  
-@@ -107,12 +130,17 @@
- # in /etc created by NetworkManager will be labelled net_conf_t.
- sysnet_manage_config(NetworkManager_t)
- sysnet_etc_filetrans_config(NetworkManager_t)
+@@ -98,26 +128,40 @@
+ 
+ seutil_read_config(NetworkManager_t)
+ 
+-sysnet_domtrans_ifconfig(NetworkManager_t)
++sysnet_etc_filetrans_config(NetworkManager_t)
++sysnet_delete_dhcpc_pid(NetworkManager_t)
+ sysnet_domtrans_dhcpc(NetworkManager_t)
+-sysnet_signal_dhcpc(NetworkManager_t)
++sysnet_domtrans_ifconfig(NetworkManager_t)
++sysnet_kill_dhcpc(NetworkManager_t)
++sysnet_manage_config(NetworkManager_t)
 +sysnet_read_dhcp_config(NetworkManager_t)
+ sysnet_read_dhcpc_pid(NetworkManager_t)
+-sysnet_delete_dhcpc_pid(NetworkManager_t)
+ sysnet_search_dhcp_state(NetworkManager_t)
+-# in /etc created by NetworkManager will be labelled net_conf_t.
+-sysnet_manage_config(NetworkManager_t)
+-sysnet_etc_filetrans_config(NetworkManager_t)
++sysnet_signal_dhcpc(NetworkManager_t)
  
  userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
 -userdom_dontaudit_search_sysadm_home_dirs(NetworkManager_t)
@@ -13272,10 +14072,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
 +userdom_dontaudit_search_sysadm_home_dirs(NetworkManager_t)
 +
 +cron_read_system_job_lib_files(NetworkManager_t)
++
++optional_policy(`
++	avahi_domtrans(NetworkManager_t)
++	avahi_sigkill(NetworkManager_t)
++	avahi_signal(NetworkManager_t)
++	avahi_signull(NetworkManager_t)
++')
  
  optional_policy(`
  	bind_domtrans(NetworkManager_t)
-@@ -129,28 +157,26 @@
+ 	bind_manage_cache(NetworkManager_t)
+ 	bind_signal(NetworkManager_t)
++	bind_signull(NetworkManager_t)
++	bind_sigkill(NetworkManager_t)
+ ')
+ 
+ optional_policy(`
+@@ -129,15 +173,18 @@
  ')
  
  optional_policy(`
@@ -13289,22 +14103,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
 -	dbus_connect_system_bus(NetworkManager_t)
 -	dbus_send_system_bus(NetworkManager_t)
 +	dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
++')
++
++optional_policy(`
++	dnsmasq_script_domtrans(NetworkManager_t)
++	dnsmasq_signal(NetworkManager_t)
++	dnsmasq_sigkill(NetworkManager_t)
++	dnsmasq_signull(NetworkManager_t)
++')
++
++optional_policy(`
++	hal_write_log(NetworkManager_t)
  ')
  
  optional_policy(`
--	howl_signal(NetworkManager_t)
-+	hal_write_log(NetworkManager_t)
+@@ -145,39 +192,86 @@
  ')
  
  optional_policy(`
 -	nis_use_ypbind(NetworkManager_t)
-+	howl_signal(NetworkManager_t)
++	iptables_domtrans(NetworkManager_t)
  ')
  
  optional_policy(`
 -	nscd_socket_use(NetworkManager_t)
 +	nscd_domtrans(NetworkManager_t)
  	nscd_signal(NetworkManager_t)
++	nscd_signull(NetworkManager_t)
++	nscd_sigkill(NetworkManager_t)
 +	nscd_script_domtrans(NetworkManager_t)
 +')
 +
@@ -13314,18 +14140,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
  ')
  
  optional_policy(`
-@@ -159,22 +185,30 @@
- ')
- 
- optional_policy(`
--	ppp_domtrans(NetworkManager_t)
-+	polkit_domtrans_auth(NetworkManager_t)
-+	polkit_read_lib(NetworkManager_t)
+ 	openvpn_domtrans(NetworkManager_t)
+ 	openvpn_signal(NetworkManager_t)
++	openvpn_signull(NetworkManager_t)
++	openvpn_sigkill(NetworkManager_t)
 +')
 +
 +optional_policy(`
++	polkit_domtrans_auth(NetworkManager_t)
++	polkit_read_lib(NetworkManager_t)
+ ')
+ 
+ optional_policy(`
 +	ppp_script_domtrans(NetworkManager_t)
+ 	ppp_domtrans(NetworkManager_t)
  	ppp_read_pid_files(NetworkManager_t)
++	ppp_sigkill(NetworkManager_t)
  	ppp_signal(NetworkManager_t)
 +	ppp_signull(NetworkManager_t)
 +	ppp_read_config(NetworkManager_t)
@@ -13350,6 +14180,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
  ')
  
  optional_policy(`
+ 	vpn_domtrans(NetworkManager_t)
++	vpn_sigkill(NetworkManager_t)
+ 	vpn_signal(NetworkManager_t)
++	vpn_signull(NetworkManager_t)
+ ')
++
++########################################
++#
++# wpa_cli local policy
++#
++allow wpa_cli_t self:capability dac_override;
++allow wpa_cli_t self:unix_dgram_socket create_socket_perms;
++
++allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto;
++
++manage_sock_files_pattern(wpa_cli_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
++files_tmp_filetrans(wpa_cli_t, NetworkManager_tmp_t, sock_file)
++
++list_dirs_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
++rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
++
++init_dontaudit_use_fds(wpa_cli_t)
++init_use_script_ptys(wpa_cli_t)
++
++libs_use_ld_so(wpa_cli_t)
++libs_use_shared_libs(wpa_cli_t)
++
++miscfiles_read_localization(wpa_cli_t)
++
++term_dontaudit_use_console(wpa_cli_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.0.8/policy/modules/services/nis.fc
 --- nsaserefpolicy/policy/modules/services/nis.fc	2008-06-12 23:37:57.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/nis.fc	2008-10-14 12:05:29.000000000 -0400
@@ -15372,8 +16232,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.0.8/policy/modules/services/ppp.fc
 --- nsaserefpolicy/policy/modules/services/ppp.fc	2008-06-12 23:37:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/ppp.fc	2008-10-14 12:05:29.000000000 -0400
-@@ -25,7 +25,7 @@
++++ serefpolicy-3.0.8/policy/modules/services/ppp.fc	2008-10-15 13:00:08.000000000 -0400
+@@ -1,6 +1,8 @@
+ #
+ # /etc
+ #
++/etc/rc\.d/init\.d/ppp	--	gen_context(system_u:object_r:pppd_script_exec_t,s0)
++
+ /etc/ppp			-d	gen_context(system_u:object_r:pppd_etc_t,s0)
+ /etc/ppp(/.*)?			--	gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+ /etc/ppp/peers(/.*)?			gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+@@ -25,7 +27,7 @@
  #
  # /var
  #
@@ -15384,8 +16253,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
  # Fix pptp sockets
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.0.8/policy/modules/services/ppp.if
 --- nsaserefpolicy/policy/modules/services/ppp.if	2008-06-12 23:37:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/ppp.if	2008-10-14 12:05:29.000000000 -0400
-@@ -76,6 +76,24 @@
++++ serefpolicy-3.0.8/policy/modules/services/ppp.if	2008-10-15 13:00:12.000000000 -0400
+@@ -39,6 +39,25 @@
+ 
+ ########################################
+ ## <summary>
++##	Send ppp a sigkill
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++#
++interface(`ppp_sigkill',`
++	gen_require(`
++		type pppd_t;
++	')
++
++	allow $1 pppd_t:process sigkill;
++')
++
++########################################
++## <summary>
+ ##	Send a SIGCHLD signal to PPP.
+ ## </summary>
+ ## <param name="domain">
+@@ -76,6 +95,24 @@
  
  ########################################
  ## <summary>
@@ -15410,7 +16305,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
  ##	 Execute domain in the ppp domain.
  ## </summary>
  ## <param name="domain">
-@@ -102,6 +120,16 @@
+@@ -102,6 +139,16 @@
  ##	 Domain allowed access.
  ##	</summary>
  ## </param>
@@ -15427,24 +16322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
  ## <rolecap/>
  #
  interface(`ppp_run_cond',`
-@@ -126,6 +154,16 @@
- ##	 Domain allowed access.
- ##	</summary>
- ## </param>
-+## <param name="role">
-+##	<summary>
-+##	The role to allow the ppp domain.
-+##	</summary>
-+## </param>
-+## <param name="terminal">
-+##	<summary>
-+##	The type of the terminal allow the ppp domain to use.
-+##	</summary>
-+## </param>
- ## <rolecap/>
- #
- interface(`ppp_run',`
-@@ -159,6 +197,25 @@
+@@ -159,6 +206,25 @@
  
  ########################################
  ## <summary>
@@ -15470,13 +16348,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
  ##	Read PPP-writable configuration files.
  ## </summary>
  ## <param name="domain">
-@@ -248,5 +305,23 @@
- 		type pppd_var_run_t;
- 	')
+@@ -250,3 +316,95 @@
  
--	files_pid_filetrans($1,pppd_var_run_t,file)
-+	files_pid_filetrans($1, pppd_var_run_t, file)
-+')
+ 	files_pid_filetrans($1,pppd_var_run_t,file)
+ ')
 +
 +########################################
 +## <summary>
@@ -15494,10 +16369,84 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
 +	')
 +
 +	init_script_domtrans_spec($1, pppd_script_exec_t)
- ')
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate 
++##	an ppp environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed to manage the ppp domain.
++##	</summary>
++## </param>
++## <param name="terminal">
++##	<summary>
++##	The type of the user terminal.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`ppp_admin',`
++	gen_require(`
++		type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t;
++		type pppd_etc_t, pppd_secret_t;
++		type pppd_etc_rw_t, pppd_var_run_t;
++
++		type pptp_t, pptp_log_t, pptp_var_run_t;
++ 		type pppd_script_exec_t;
++	')
++
++	allow $1 pppd_t:process { ptrace signal_perms getattr };
++	ps_process_pattern($1, pppd_t)
++	        
++	allow $1 pptp_t:process { ptrace signal_perms getattr };
++	ps_process_pattern($1, pptp_t)
++
++	# Allow admin domain to restart the pppd_t service
++	ppp_script_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 pppd_script_exec_t system_r;
++	allow $2 system_r;
++
++	files_list_tmp($1)
++        manage_all_pattern($1,pppd_tmp_t)
++
++	logging_list_logs($1)
++        manage_all_pattern($1,pppd_log_t)
++
++        manage_all_pattern($1,pptp_log_t)
++
++        manage_all_pattern($1,pppd_lock_t)
++
++	files_list_etc($1)
++	manage_all_pattern($1,pppd_etc_t)
++
++	manage_all_pattern($1,pppd_etc_rw_t)
++
++	manage_all_pattern($1,pppd_secret_t)
++
++	manage_all_pattern($1,pppd_script_exec_t)
++
++	files_list_var_lib($1)
++        manage_all_pattern($1,pppd_var_lib_t)
++
++	files_list_pids($1)
++        manage_all_pattern($1,pppd_var_run_t)
++
++        manage_all_pattern($1,pptp_var_run_t)
++')
++
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.0.8/policy/modules/services/ppp.te
 --- nsaserefpolicy/policy/modules/services/ppp.te	2008-06-12 23:37:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/ppp.te	2008-10-14 12:05:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/ppp.te	2008-10-15 13:00:04.000000000 -0400
 @@ -1,5 +1,5 @@
  
 -policy_module(ppp,1.5.0)
@@ -15562,18 +16511,57 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
  ')
  
  optional_policy(`
-@@ -221,8 +220,9 @@
+@@ -221,13 +220,16 @@
  # PPTP Local policy
  #
  
--dontaudit pptp_t self:capability sys_tty_config;
- allow pptp_t self:capability net_raw;
-+dontaudit pptp_t self:capability sys_tty_config;
++allow pptp_t self:capability { net_raw net_admin };
+ dontaudit pptp_t self:capability sys_tty_config;
+-allow pptp_t self:capability net_raw;
+-allow pptp_t self:fifo_file { read write };
 +allow pptp_t self:process signal; 
- allow pptp_t self:fifo_file { read write };
++allow pptp_t self:fifo_file rw_fifo_file_perms;
  allow pptp_t self:unix_dgram_socket create_socket_perms;
  allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
-@@ -292,6 +292,14 @@
+ allow pptp_t self:rawip_socket create_socket_perms;
+ allow pptp_t self:tcp_socket create_socket_perms;
++allow pptp_t self:udp_socket create_socket_perms;
++allow pptp_t self:netlink_route_socket rw_netlink_socket_perms;
+ 
+ allow pptp_t pppd_etc_t:dir { getattr read search };
+ allow pptp_t pppd_etc_t:file { read getattr };
+@@ -251,9 +253,13 @@
+ kernel_list_proc(pptp_t)
+ kernel_read_kernel_sysctls(pptp_t)
+ kernel_read_proc_symlinks(pptp_t)
++kernel_read_system_state(pptp_t)
+ 
+ dev_read_sysfs(pptp_t)
+ 
++corecmd_exec_shell(pptp_t)
++corecmd_read_bin_symlinks(pptp_t)
++
+ corenet_all_recvfrom_unlabeled(pptp_t)
+ corenet_all_recvfrom_netlabel(pptp_t)
+ corenet_tcp_sendrecv_all_if(pptp_t)
+@@ -269,6 +275,8 @@
+ fs_getattr_all_fs(pptp_t)
+ fs_search_auto_mountpoints(pptp_t)
+ 
++files_read_etc_files(pptp_t)
++
+ term_ioctl_generic_ptys(pptp_t)
+ term_search_ptys(pptp_t)
+ term_use_ptmx(pptp_t)
+@@ -283,6 +291,7 @@
+ miscfiles_read_localization(pptp_t)
+ 
+ sysnet_read_config(pptp_t)
++sysnet_exec_ifconfig(pppd_t)
+ 
+ userdom_dontaudit_use_unpriv_user_fds(pptp_t)
+ userdom_dontaudit_search_sysadm_home_dirs(pptp_t)
+@@ -292,6 +301,14 @@
  ')
  
  optional_policy(`
@@ -17827,7 +18815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.0.8/policy/modules/services/sendmail.te
 --- nsaserefpolicy/policy/modules/services/sendmail.te	2008-06-12 23:37:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/sendmail.te	2008-10-14 12:05:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/sendmail.te	2008-10-14 21:45:19.000000000 -0400
 @@ -20,19 +20,22 @@
  mta_mailserver_delivery(sendmail_t)
  mta_mailserver_sender(sendmail_t)
@@ -17854,17 +18842,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
  
  allow sendmail_t sendmail_log_t:dir setattr;
  manage_files_pattern(sendmail_t,sendmail_log_t,sendmail_log_t)
-@@ -48,6 +51,9 @@
+@@ -48,6 +51,7 @@
  kernel_read_kernel_sysctls(sendmail_t)
  # for piping mail to a command
  kernel_read_system_state(sendmail_t)
 +kernel_read_network_state(sendmail_t)
-+
-+auth_use_nsswitch(sendmail_t)
  
  corenet_all_recvfrom_unlabeled(sendmail_t)
  corenet_all_recvfrom_netlabel(sendmail_t)
-@@ -66,14 +72,18 @@
+@@ -66,14 +70,18 @@
  fs_getattr_all_fs(sendmail_t)
  fs_search_auto_mountpoints(sendmail_t)
  
@@ -17883,15 +18869,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
  files_search_spool(sendmail_t)
  # for piping mail to a command
  files_read_etc_runtime_files(sendmail_t)
-@@ -83,6 +93,7 @@
+@@ -83,6 +91,9 @@
  # sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
  init_read_utmp(sendmail_t)
  init_dontaudit_write_utmp(sendmail_t)
 +init_rw_script_tmp_files(sendmail_t)
++
++auth_use_nsswitch(sendmail_t)
  
  libs_use_ld_so(sendmail_t)
  libs_use_shared_libs(sendmail_t)
-@@ -90,34 +101,39 @@
+@@ -90,44 +101,55 @@
  libs_read_lib_files(sendmail_t)
  
  logging_send_syslog_msg(sendmail_t)
@@ -17937,7 +18925,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
  ')
  
  optional_policy(`
-@@ -128,6 +144,11 @@
+-	postfix_exec_master(sendmail_t)
++	postfix_domtrans_postdrop(sendmail_t)
++	postfix_domtrans_master(sendmail_t)
+ 	postfix_read_config(sendmail_t)
+ 	postfix_search_spool(sendmail_t)
+ ')
  
  optional_policy(`
  	procmail_domtrans(sendmail_t)
@@ -17949,7 +18942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
  ')
  
  optional_policy(`
-@@ -135,24 +156,25 @@
+@@ -135,24 +157,25 @@
  ')
  
  optional_policy(`