From bb814d73d777a65c037552ec296ac51f41dd53ea Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Jun 01 2010 15:56:42 +0000
Subject: - Add cmirrord policy - Fixes for accountsd policy - Fixes for boinc policy - Allow cups-pdf to set attributes on fonts cache directory - Allow radiusd to setrlimit - Allow nscd sys_ptrace capability
---
diff --git a/modules-minimum.conf b/modules-minimum.conf
index 967a530..80e65eb 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -1345,6 +1345,13 @@ rgmanager = module
 clogd = module
 
 # Layer: services
+# Module: cmirrord
+#
+# cmirrord - daemon providing device-mapper-base mirrors in a shared-storege cluster
+#
+cmirrord = module
+
+# Layer: services
 # Module: rhgb
 #
 # X windows login display manager
diff --git a/modules-mls.conf b/modules-mls.conf
index 86a4270..6caf71e 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -2042,6 +2042,13 @@ rgmanager = module
 clogd = module
 
 # Layer: services
+# Module: cmirrord
+#
+# cmirrord - daemon providing device-mapper-base mirrors in a shared-storege cluster
+#
+cmirrord = module
+
+# Layer: services
 # Module: ricci
 #
 # policy for ricci
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 967a530..910c8b2 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -1345,6 +1345,13 @@ rgmanager = module
 clogd = module
 
 # Layer: services
+# Module: cmirrord
+#
+# cmirrord - daemon providing device-mapper-base mirrors in a shared-storege cluster
+#
+cmirrord = module
+
+# Layer: services
 # Module: rhgb
 #
 # X windows login display manager
diff --git a/policy-F13.patch b/policy-F13.patch
index 1950820..4ab7696 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
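Review bot: The description comment added with `cmirrord = module` in modules-minimum.conf is misspelled, and the same line is repeated in the modules-mls.conf and modules-targeted.conf hunks. I would change it in all three to `# cmirrord - daemon providing device-mapper-based mirrors in a shared-storage cluster`. These comments are the only in-tree description an administrator sees when deciding whether the module should stay enabled, so they are worth getting right.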
@@ -1,6 +1,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.19/Makefile ---- nsaserefpolicy/Makefile 2010-04-13 14:44:36.000000000 -0400 -+++ serefpolicy-3.7.19/Makefile 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/Makefile 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/Makefile 2010-05-28 09:41:59.942610848 +0200 @@ -244,7 +244,7 @@ appdir := $(contextpath) user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts) @@ -11,8 +11,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.19/ all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.7.19/policy/global_tunables ---- nsaserefpolicy/policy/global_tunables 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/global_tunables 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/global_tunables 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/global_tunables 2010-05-28 09:41:59.942610848 +0200 @@ -61,15 +61,6 @@ ## @@ -49,8 +49,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref +gen_tunable(mmap_low_allowed, false) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.7.19/policy/mls ---- nsaserefpolicy/policy/mls 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/mls 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/mls 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/mls 2010-05-28 09:41:59.943612109 +0200 @@ -208,12 +208,14 @@ (( l1 eq l2 ) or (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or 
@@ -67,16 +67,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.7.1 # these access vectors have no MLS restrictions diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/accountsd.fc serefpolicy-3.7.19/policy/modules/admin/accountsd.fc ---- nsaserefpolicy/policy/modules/admin/accountsd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/admin/accountsd.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/accountsd.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/admin/accountsd.fc 2010-05-28 09:41:59.944611136 +0200 @@ -0,0 +1,4 @@ + +/usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0) + +/var/lib/AccountsService(/.*)? gen_context(system_u:object_r:accountsd_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/accountsd.if serefpolicy-3.7.19/policy/modules/admin/accountsd.if ---- nsaserefpolicy/policy/modules/admin/accountsd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/admin/accountsd.if 2010-05-27 10:17:33.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/accountsd.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/admin/accountsd.if 2010-05-28 09:41:59.944611136 +0200 @@ -0,0 +1,164 @@ +## policy for accountsd + 
@@ -243,9 +243,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/account + accountsd_manage_var_lib($1) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/accountsd.te serefpolicy-3.7.19/policy/modules/admin/accountsd.te ---- nsaserefpolicy/policy/modules/admin/accountsd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/admin/accountsd.te 2010-05-27 12:01:08.000000000 -0400 -@@ -0,0 +1,57 @@ +--- nsaserefpolicy/policy/modules/admin/accountsd.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/admin/accountsd.te 2010-06-01 13:50:27.639177903 +0200 +@@ -0,0 +1,64 @@ +policy_module(accountsd,1.0.0) + +######################################## @@ -266,7 +266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/account +# +# accountsd local policy +# -+allow accountsd_t self:capability { dac_override sys_ptrace }; ++allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace }; + +allow accountsd_t self:fifo_file rw_fifo_file_perms; + @@ -274,11 +274,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/account +manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t) +files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, { file dir } ) + ++kernel_read_kernel_sysctls(accountsd_t) ++ +corecmd_exec_bin(accountsd_t) + ++files_read_mnt_files(accountsd_t) +files_read_usr_files(accountsd_t) + +fs_list_inotifyfs(accountsd_t) ++fs_read_noxattr_fs_files(accountsd_t) + +auth_use_nsswitch(accountsd_t) +auth_read_shadow(accountsd_t) @@ -291,6 +295,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/account +usermanage_domtrans_useradd(accountsd_t) +usermanage_domtrans_passwd(accountsd_t) + ++userdom_read_user_tmp_files(accountsd_t) ++userdom_read_user_home_content_files(accountsd_t) ++ +optional_policy(` + consolekit_read_log(accountsd_t) +') 
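Review bot: The revised `allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace };` in accountsd.te, together with the new `userdom_read_user_home_content_files(accountsd_t)` and `userdom_read_user_tmp_files(accountsd_t)` further down, widens a domain that already has `auth_read_shadow(accountsd_t)`, and no comment records which denial each rule answers. I would put a one-line comment above each new rule naming the accounts-daemon operation that needs it, for example `# switches to the target user to read per-user files (confirm against the AVC)`, so a later audit can tell required access from leftover access. If the home-directory read is only for one or two known files, a narrower interface than read on all user home content is worth checking. accountsd.te continues outside these hunks, so rules not visible here may already constrain this.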
@@ -304,8 +311,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/account + xserver_dbus_chat_xdm(accountsd_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-3.7.19/policy/modules/admin/acct.te ---- nsaserefpolicy/policy/modules/admin/acct.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/admin/acct.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/acct.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/acct.te 2010-05-28 09:41:59.946611004 +0200 @@ -43,6 +43,7 @@ fs_getattr_xattr_fs(acct_t) @@ -315,8 +322,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te corecmd_exec_bin(acct_t) corecmd_exec_shell(acct_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.7.19/policy/modules/admin/alsa.te ---- nsaserefpolicy/policy/modules/admin/alsa.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/admin/alsa.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/alsa.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/alsa.te 2010-05-28 09:41:59.946611004 +0200 @@ -52,6 +52,8 @@ files_read_usr_files(alsa_t) @@ -327,8 +334,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te auth_use_nsswitch(alsa_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.7.19/policy/modules/admin/anaconda.te ---- nsaserefpolicy/policy/modules/admin/anaconda.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/admin/anaconda.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/anaconda.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/anaconda.te 2010-05-28 09:41:59.947613243 +0200 
@@ -29,8 +29,10 @@ logging_send_syslog_msg(anaconda_t) @@ -350,8 +357,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anacond optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.7.19/policy/modules/admin/certwatch.te ---- nsaserefpolicy/policy/modules/admin/certwatch.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/admin/certwatch.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/certwatch.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/certwatch.te 2010-05-28 09:41:59.948610734 +0200 @@ -36,7 +36,7 @@ miscfiles_read_localization(certwatch_t) @@ -362,8 +369,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwat optional_policy(` apache_exec_modules(certwatch_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.if serefpolicy-3.7.19/policy/modules/admin/consoletype.if ---- nsaserefpolicy/policy/modules/admin/consoletype.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/admin/consoletype.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/consoletype.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/consoletype.if 2010-05-28 09:41:59.948610734 +0200 @@ -19,6 +19,9 @@ corecmd_search_bin($1) 
@@ -375,8 +382,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.7.19/policy/modules/admin/consoletype.te ---- nsaserefpolicy/policy/modules/admin/consoletype.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/admin/consoletype.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/consoletype.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/consoletype.te 2010-06-01 14:04:47.354160745 +0200 @@ -10,7 +10,6 @@ type consoletype_exec_t; application_executable_file(consoletype_exec_t) @@ -385,9 +392,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console role system_r types consoletype_t; ######################################## +@@ -85,6 +84,7 @@ + hal_dontaudit_use_fds(consoletype_t) + hal_dontaudit_rw_pipes(consoletype_t) + hal_dontaudit_rw_dgram_sockets(consoletype_t) ++ hal_dontaudit_write_log(consoletype_t) + ') + + optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.7.19/policy/modules/admin/dmesg.te ---- nsaserefpolicy/policy/modules/admin/dmesg.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/admin/dmesg.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/dmesg.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/dmesg.te 2010-05-28 09:41:59.949610668 +0200 @@ -51,6 +51,11 @@ userdom_use_user_terminals(dmesg_t) 
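Review bot: The added `hal_dontaudit_write_log(consoletype_t)` in consoletype.te hides the denied write from the audit log, and nothing in the hunk says where that write comes from. A comment above it such as `# hald log descriptor inherited on exec, not a needed permission (confirm)` would tell the next reader this is noise suppression and help whoever later has to investigate with dontaudit rules disabled. The definition of `hal_dontaudit_write_log` is not in the visible part of the patch, so it is worth confirming that hal.if provides it. The enclosing optional_policy block starts outside the hunk.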
@@ -401,8 +416,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.t ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.7.19/policy/modules/admin/firstboot.te ---- nsaserefpolicy/policy/modules/admin/firstboot.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/admin/firstboot.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/firstboot.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/firstboot.te 2010-05-28 09:41:59.950610882 +0200 @@ -77,6 +77,7 @@ miscfiles_read_localization(firstboot_t) @@ -425,8 +440,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstbo xserver_unconfined(firstboot_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.7.19/policy/modules/admin/kismet.te ---- nsaserefpolicy/policy/modules/admin/kismet.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/admin/kismet.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/kismet.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/kismet.te 2010-05-28 09:41:59.951610956 +0200 @@ -45,6 +45,7 @@ manage_dirs_pattern(kismet_t, kismet_home_t, kismet_home_t) manage_files_pattern(kismet_t, kismet_home_t, kismet_home_t) 
@@ -436,8 +451,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.7.19/policy/modules/admin/logrotate.te ---- nsaserefpolicy/policy/modules/admin/logrotate.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/admin/logrotate.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/logrotate.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/logrotate.te 2010-05-28 09:41:59.951610956 +0200 @@ -32,7 +32,7 @@ # Change ownership on log files. allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice }; @@ -548,8 +563,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota varnishd_manage_log(logrotate_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.te serefpolicy-3.7.19/policy/modules/admin/mcelog.te ---- nsaserefpolicy/policy/modules/admin/mcelog.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/admin/mcelog.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/mcelog.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/mcelog.te 2010-05-28 09:41:59.952610471 +0200 @@ -25,6 +25,8 @@ files_read_etc_files(mcelog_t) 
@@ -560,8 +575,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog. miscfiles_read_localization(mcelog_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.7.19/policy/modules/admin/mrtg.te ---- nsaserefpolicy/policy/modules/admin/mrtg.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/admin/mrtg.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/mrtg.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/mrtg.te 2010-05-28 09:41:59.952610471 +0200 @@ -116,6 +116,7 @@ userdom_use_user_terminals(mrtg_t) userdom_dontaudit_read_user_home_content_files(mrtg_t) @@ -571,8 +586,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te netutils_domtrans_ping(mrtg_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.fc serefpolicy-3.7.19/policy/modules/admin/netutils.fc ---- nsaserefpolicy/policy/modules/admin/netutils.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/admin/netutils.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/netutils.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/netutils.fc 2010-05-28 09:41:59.953610894 +0200 @@ -9,6 +9,8 @@ /usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0) /usr/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) 
@@ -583,8 +598,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil /usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0) +/usr/sbin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.7.19/policy/modules/admin/netutils.te ---- nsaserefpolicy/policy/modules/admin/netutils.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/admin/netutils.te 2010-05-26 15:35:33.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/netutils.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/netutils.te 2010-05-28 09:41:59.954610969 +0200 @@ -44,6 +44,7 @@ allow netutils_t self:packet_socket create_socket_perms; allow netutils_t self:udp_socket create_socket_perms; @@ -641,8 +656,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil + term_use_all_ptys(traceroute_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.7.19/policy/modules/admin/prelink.fc ---- nsaserefpolicy/policy/modules/admin/prelink.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/admin/prelink.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/prelink.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/prelink.fc 2010-05-28 09:41:59.955610693 +0200 @@ -1,3 +1,4 @@ +/etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0) 
@@ -656,8 +671,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink +/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0) +/var/lib/prelink(/.*)? gen_context(system_u:object_r:prelink_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.7.19/policy/modules/admin/prelink.if ---- nsaserefpolicy/policy/modules/admin/prelink.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/admin/prelink.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/prelink.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/prelink.if 2010-05-28 09:41:59.955610693 +0200 @@ -17,6 +17,30 @@ corecmd_search_bin($1) @@ -704,8 +719,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink + relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.19/policy/modules/admin/prelink.te ---- nsaserefpolicy/policy/modules/admin/prelink.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/admin/prelink.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/prelink.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/prelink.te 2010-05-28 09:41:59.956610558 +0200 @@ -21,8 +21,21 @@ type prelink_tmp_t; files_tmp_file(prelink_tmp_t) 
@@ -831,8 +846,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.te serefpolicy-3.7.19/policy/modules/admin/quota.te ---- nsaserefpolicy/policy/modules/admin/quota.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/admin/quota.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/quota.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/quota.te 2010-05-28 09:41:59.956610558 +0200 @@ -39,6 +39,7 @@ kernel_list_proc(quota_t) kernel_read_proc_symlinks(quota_t) @@ -842,8 +857,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.t dev_read_sysfs(quota_t) dev_getattr_all_blk_files(quota_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.7.19/policy/modules/admin/readahead.te ---- nsaserefpolicy/policy/modules/admin/readahead.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/admin/readahead.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/readahead.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/readahead.te 2010-05-28 09:41:59.957610702 +0200 @@ -52,6 +52,7 @@ files_list_non_security(readahead_t) 
@@ -865,8 +880,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahe fs_dontaudit_read_ramfs_pipes(readahead_t) fs_dontaudit_read_ramfs_files(readahead_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.7.19/policy/modules/admin/rpm.fc ---- nsaserefpolicy/policy/modules/admin/rpm.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/admin/rpm.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/rpm.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/rpm.fc 2010-05-28 09:41:59.957610702 +0200 @@ -1,18 +1,19 @@ /bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -918,8 +933,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc ifdef(`distro_suse', ` /usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.7.19/policy/modules/admin/rpm.if ---- nsaserefpolicy/policy/modules/admin/rpm.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/admin/rpm.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/rpm.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/rpm.if 2010-05-28 09:41:59.958611405 +0200 @@ -13,11 +13,36 @@ interface(`rpm_domtrans',` gen_require(` 
@@ -1374,8 +1389,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.7.19/policy/modules/admin/rpm.te ---- nsaserefpolicy/policy/modules/admin/rpm.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/admin/rpm.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/rpm.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/rpm.te 2010-05-28 09:41:59.960611623 +0200 @@ -1,6 +1,8 @@ policy_module(rpm, 1.10.0) @@ -1675,8 +1690,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te optional_policy(` java_domtrans_unconfined(rpm_script_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.7.19/policy/modules/admin/shorewall.te ---- nsaserefpolicy/policy/modules/admin/shorewall.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/admin/shorewall.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/shorewall.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/shorewall.te 2010-05-28 09:41:59.961611278 +0200 @@ -87,7 +87,11 @@ sysnet_domtrans_ifconfig(shorewall_t) @@ -1691,8 +1706,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa optional_policy(` iptables_domtrans(shorewall_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.fc serefpolicy-3.7.19/policy/modules/admin/shutdown.fc ---- nsaserefpolicy/policy/modules/admin/shutdown.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/admin/shutdown.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/shutdown.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/admin/shutdown.fc 2010-05-28 09:41:59.962611422 +0200 
@@ -0,0 +1,5 @@ +/etc/nologin -- gen_context(system_u:object_r:shutdown_etc_t,s0) + @@ -1700,8 +1715,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow + +/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.if serefpolicy-3.7.19/policy/modules/admin/shutdown.if ---- nsaserefpolicy/policy/modules/admin/shutdown.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/admin/shutdown.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/shutdown.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/admin/shutdown.if 2010-05-28 09:41:59.963611216 +0200 @@ -0,0 +1,136 @@ + +## policy for shutdown @@ -1840,8 +1855,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow + allow $1 shutdown_exec_t:file getattr; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.7.19/policy/modules/admin/shutdown.te ---- nsaserefpolicy/policy/modules/admin/shutdown.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/shutdown.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te 2010-05-28 09:41:59.963611216 +0200 @@ -0,0 +1,63 @@ +policy_module(shutdown,1.0.0) + 
@@ -1907,8 +1922,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow + xserver_dontaudit_write_log(shutdown_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.7.19/policy/modules/admin/sudo.if ---- nsaserefpolicy/policy/modules/admin/sudo.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/admin/sudo.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/sudo.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/sudo.if 2010-05-28 09:41:59.964611081 +0200 @@ -73,12 +73,16 @@ # Enter this derived domain from the user domain domtrans_pattern($3, sudo_exec_t, $1_sudo_t) @@ -1941,8 +1956,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files($1_sudo_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.7.19/policy/modules/admin/su.if ---- nsaserefpolicy/policy/modules/admin/su.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/admin/su.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/su.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/su.if 2010-05-28 09:41:59.965611225 +0200 @@ -58,6 +58,10 @@ allow $2 $1_su_t:fifo_file rw_file_perms; allow $2 $1_su_t:process sigchld; 
@@ -1983,8 +1998,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s ifdef(`distro_redhat',` # RHEL5 and possibly newer releases incl. Fedora diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.7.19/policy/modules/admin/tmpreaper.te ---- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/admin/tmpreaper.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/tmpreaper.te 2010-05-28 09:41:59.965611225 +0200 @@ -26,8 +26,11 @@ files_read_etc_files(tmpreaper_t) files_read_var_lib_files(tmpreaper_t) @@ -2039,8 +2054,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap unconfined_domain(tmpreaper_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.7.19/policy/modules/admin/usermanage.if ---- nsaserefpolicy/policy/modules/admin/usermanage.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/admin/usermanage.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/usermanage.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/usermanage.if 2010-05-28 09:41:59.966611090 +0200 @@ -18,6 +18,10 @@ files_search_usr($1) corecmd_search_bin($1) 
@@ -2097,8 +2112,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman nscd_run(useradd_t, $2) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.19/policy/modules/admin/usermanage.te ---- nsaserefpolicy/policy/modules/admin/usermanage.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/admin/usermanage.te 2010-05-26 16:59:39.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/usermanage.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/usermanage.te 2010-05-28 09:41:59.967610815 +0200 @@ -209,6 +209,7 @@ files_manage_etc_files(groupadd_t) files_relabel_etc_files(groupadd_t) @@ -2187,8 +2202,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.7.19/policy/modules/admin/vbetool.te ---- nsaserefpolicy/policy/modules/admin/vbetool.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/admin/vbetool.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/vbetool.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/vbetool.te 2010-05-28 09:41:59.967610815 +0200 @@ -25,7 +25,13 @@ dev_rw_xserver_misc(vbetool_t) dev_rw_mtrr(vbetool_t) 
@@ -2204,8 +2219,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool term_use_unallocated_ttys(vbetool_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if serefpolicy-3.7.19/policy/modules/admin/vpn.if ---- nsaserefpolicy/policy/modules/admin/vpn.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/admin/vpn.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/vpn.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/vpn.if 2010-05-28 09:41:59.968610889 +0200 @@ -110,7 +110,7 @@ ## ## @@ -2238,8 +2253,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if + allow $1 vpnc_t:tun_socket relabelfrom; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.7.19/policy/modules/admin/vpn.te ---- nsaserefpolicy/policy/modules/admin/vpn.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/admin/vpn.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/vpn.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/vpn.te 2010-05-28 09:41:59.969610893 +0200 @@ -31,7 +31,7 @@ allow vpnc_t self:rawip_socket create_socket_perms; allow vpnc_t self:unix_dgram_socket create_socket_perms; 
@@ -2274,15 +2289,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te + networkmanager_attach_tun_iface(vpnc_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.fc serefpolicy-3.7.19/policy/modules/apps/chrome.fc ---- nsaserefpolicy/policy/modules/apps/chrome.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/chrome.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/chrome.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/apps/chrome.fc 2010-05-28 09:41:59.969610893 +0200 @@ -0,0 +1,3 @@ + /opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) + +/usr/lib(64)?/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.7.19/policy/modules/apps/chrome.if ---- nsaserefpolicy/policy/modules/apps/chrome.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/chrome.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/chrome.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/apps/chrome.if 2010-05-28 09:41:59.970610618 +0200 @@ -0,0 +1,90 @@ + +## policy for chrome @@ -2375,8 +2390,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.i +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.19/policy/modules/apps/chrome.te ---- nsaserefpolicy/policy/modules/apps/chrome.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/chrome.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/chrome.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/apps/chrome.te 2010-05-28 09:41:59.970610618 +0200 
@@ -0,0 +1,86 @@ +policy_module(chrome,1.0.0) + @@ -2465,8 +2480,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.t + fs_dontaudit_read_cifs_files(chrome_sandbox_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.7.19/policy/modules/apps/cpufreqselector.te ---- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/cpufreqselector.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/cpufreqselector.te 2010-05-28 09:41:59.971610832 +0200 @@ -25,8 +25,10 @@ dev_rw_sysfs(cpufreqselector_t) @@ -2480,8 +2495,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqs optional_policy(` dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.7.19/policy/modules/apps/execmem.fc ---- nsaserefpolicy/policy/modules/apps/execmem.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/execmem.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/execmem.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/apps/execmem.fc 2010-05-28 09:41:59.971610832 +0200 @@ -0,0 +1,47 @@ + +/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0) 
@@ -2531,8 +2546,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem. +/opt/google/chrome/google-chrome -- gen_context(system_u:object_r:execmem_exec_t,s0) +/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.7.19/policy/modules/apps/execmem.if ---- nsaserefpolicy/policy/modules/apps/execmem.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/execmem.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/execmem.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/apps/execmem.if 2010-05-28 09:41:59.972612093 +0200 @@ -0,0 +1,110 @@ +## execmem domain + @@ -2645,8 +2660,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem. + domtrans_pattern($1, execmem_exec_t, $2) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.te serefpolicy-3.7.19/policy/modules/apps/execmem.te ---- nsaserefpolicy/policy/modules/apps/execmem.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/execmem.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/execmem.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/apps/execmem.te 2010-05-28 09:41:59.973610840 +0200 @@ -0,0 +1,11 @@ + +policy_module(execmem, 1.0.0) 
@@ -2660,15 +2675,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem. +application_executable_file(execmem_exec_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.fc serefpolicy-3.7.19/policy/modules/apps/firewallgui.fc ---- nsaserefpolicy/policy/modules/apps/firewallgui.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/firewallgui.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/firewallgui.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/apps/firewallgui.fc 2010-05-28 09:41:59.974610705 +0200 @@ -0,0 +1,3 @@ + +/usr/share/system-config-firewall/system-config-firewall-mechanism.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.if serefpolicy-3.7.19/policy/modules/apps/firewallgui.if ---- nsaserefpolicy/policy/modules/apps/firewallgui.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/firewallgui.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/firewallgui.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/apps/firewallgui.if 2010-05-28 09:41:59.974610705 +0200 @@ -0,0 +1,23 @@ + +## policy for firewallgui 
@@ -2694,8 +2709,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall + allow firewallgui_t $1:dbus send_msg; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.7.19/policy/modules/apps/firewallgui.te ---- nsaserefpolicy/policy/modules/apps/firewallgui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/firewallgui.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/firewallgui.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/apps/firewallgui.te 2010-05-28 09:41:59.975610499 +0200 @@ -0,0 +1,66 @@ + +policy_module(firewallgui,1.0.0) @@ -2764,8 +2779,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.7.19/policy/modules/apps/gitosis.if ---- nsaserefpolicy/policy/modules/apps/gitosis.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/gitosis.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/gitosis.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/gitosis.if 2010-05-28 09:41:59.975610499 +0200 @@ -62,7 +62,7 @@ files_search_var_lib($1) read_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) 
@@ -2776,8 +2791,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis. ###################################### diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.7.19/policy/modules/apps/gnome.fc ---- nsaserefpolicy/policy/modules/apps/gnome.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/gnome.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/gnome.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/gnome.fc 2010-05-28 09:41:59.976610853 +0200 @@ -1,8 +1,28 @@ -HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0) @@ -2810,8 +2825,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.7.19/policy/modules/apps/gnome.if ---- nsaserefpolicy/policy/modules/apps/gnome.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/gnome.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/gnome.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/gnome.if 2010-05-28 09:41:59.977610927 +0200 @@ -74,6 +74,24 @@ ######################################## 
@@ -3267,8 +3282,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if + allow gconfdefaultsm_t $1:dbus send_msg; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.7.19/policy/modules/apps/gnome.te ---- nsaserefpolicy/policy/modules/apps/gnome.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/gnome.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/gnome.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/gnome.te 2010-06-01 13:55:21.432171932 +0200 @@ -7,18 +7,33 @@ # @@ -3327,7 +3342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te ############################## # # Local Policy -@@ -73,3 +97,89 @@ +@@ -73,3 +97,91 @@ xserver_use_xdm_fds(gconfd_t) xserver_rw_xdm_pipes(gconfd_t) ') @@ -3400,6 +3415,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te +files_read_etc_files(gnomesystemmm_t) +files_read_usr_files(gnomesystemmm_t) + ++miscfiles_read_localization(gnomesystemmm_t) ++ +userdom_read_all_users_state(gnomesystemmm_t) +userdom_dontaudit_search_admin_dir(gnomesystemmm_t) + @@ -3418,8 +3435,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te + policykit_read_reload(gnomesystemmm_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.7.19/policy/modules/apps/gpg.fc ---- nsaserefpolicy/policy/modules/apps/gpg.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/gpg.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/gpg.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/gpg.fc 2010-05-28 09:41:59.978610931 +0200 
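Review bot: The added `miscfiles_read_localization(gnomesystemmm_t)` in the gnome.te section (hunk `@@ -3400,6 +3415,8 @@`) is a new permission for gnomesystemmm_t that the commit description does not list, so the changelog should carry an entry such as `- Allow gnomesystemmm to read localization files`, ideally naming the denial or bug report that motivated it. The rule itself is narrow, but policy additions are easier to audit when each one is traceable to a reason. It is also easy to overlook here, because the surrounding hunks change only the timestamp fields of the inner `---`/`+++` headers (`-0400` to `+0200`), which looks like the result of regenerating the patch on another machine; keeping those headers stable would leave only the functional change to review. The gnomesystemmm_t rule block starts and ends outside this hunk.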
@@ -1,4 +1,5 @@ HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) +/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) @@ -3427,8 +3444,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc s /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.7.19/policy/modules/apps/gpg.if ---- nsaserefpolicy/policy/modules/apps/gpg.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/gpg.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/gpg.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/gpg.if 2010-05-28 09:41:59.978610931 +0200 @@ -21,6 +21,7 @@ type gpg_agent_t, gpg_agent_exec_t; type gpg_agent_tmp_t; @@ -3572,8 +3589,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.7.19/policy/modules/apps/gpg.te ---- nsaserefpolicy/policy/modules/apps/gpg.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/gpg.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/gpg.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/gpg.te 2010-05-28 09:41:59.979610866 +0200 @@ -5,6 +5,7 @@ # # Declarations 
@@ -3870,8 +3887,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.fc serefpolicy-3.7.19/policy/modules/apps/irc.fc ---- nsaserefpolicy/policy/modules/apps/irc.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/irc.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/irc.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/irc.fc 2010-05-28 09:41:59.980610940 +0200 @@ -2,10 +2,17 @@ # /home # @@ -3891,8 +3908,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.fc s +/usr/bin/irssi -- gen_context(system_u:object_r:irssi_exec_t,s0) /usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.if serefpolicy-3.7.19/policy/modules/apps/irc.if ---- nsaserefpolicy/policy/modules/apps/irc.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/irc.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/irc.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/irc.if 2010-05-28 09:41:59.981611014 +0200 @@ -18,14 +18,51 @@ interface(`irc_role',` gen_require(` @@ -3946,8 +3963,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.if s ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.te serefpolicy-3.7.19/policy/modules/apps/irc.te ---- nsaserefpolicy/policy/modules/apps/irc.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/irc.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/irc.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/irc.te 2010-05-28 09:41:59.981611014 +0200 @@ -25,6 +25,30 @@ ######################################## 
@@ -4064,8 +4081,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.te s +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.7.19/policy/modules/apps/java.fc ---- nsaserefpolicy/policy/modules/apps/java.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/java.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/java.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/java.fc 2010-05-28 09:41:59.982610809 +0200 @@ -9,6 +9,7 @@ # # /usr @@ -4086,8 +4103,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc +/usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.7.19/policy/modules/apps/java.if ---- nsaserefpolicy/policy/modules/apps/java.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/java.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/java.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/java.if 2010-05-28 09:41:59.982610809 +0200 @@ -72,6 +72,7 @@ domain_interactive_fd($1_java_t) @@ -4114,8 +4131,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.7.19/policy/modules/apps/java.te ---- nsaserefpolicy/policy/modules/apps/java.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/java.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/java.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/java.te 2010-05-28 09:41:59.983610743 +0200 @@ -147,6 +147,15 @@ init_dbus_chat_script(unconfined_java_t) 
@@ -4133,20 +4150,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te + ') ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.7.19/policy/modules/apps/kdumpgui.fc ---- nsaserefpolicy/policy/modules/apps/kdumpgui.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/kdumpgui.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/kdumpgui.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/apps/kdumpgui.fc 2010-05-28 09:41:59.984611027 +0200 @@ -0,0 +1,2 @@ + +/usr/share/system-config-kdump/system-config-kdump-backend.py -- gen_context(system_u:object_r:kdumpgui_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.7.19/policy/modules/apps/kdumpgui.if ---- nsaserefpolicy/policy/modules/apps/kdumpgui.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/kdumpgui.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/kdumpgui.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/apps/kdumpgui.if 2010-05-28 09:41:59.984611027 +0200 @@ -0,0 +1,2 @@ +## system-config-kdump policy + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.7.19/policy/modules/apps/kdumpgui.te ---- nsaserefpolicy/policy/modules/apps/kdumpgui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/kdumpgui.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/kdumpgui.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/apps/kdumpgui.te 2010-05-28 09:41:59.985610961 +0200 @@ -0,0 +1,68 @@ +policy_module(kdumpgui,1.0.0) + 
@@ -4217,14 +4234,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui + policykit_dbus_chat(kdumpgui_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.7.19/policy/modules/apps/livecd.fc ---- nsaserefpolicy/policy/modules/apps/livecd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/livecd.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/livecd.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/apps/livecd.fc 2010-05-28 09:41:59.986610896 +0200 @@ -0,0 +1,2 @@ + +/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.7.19/policy/modules/apps/livecd.if ---- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/livecd.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/livecd.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/apps/livecd.if 2010-05-28 09:41:59.986610896 +0200 @@ -0,0 +1,127 @@ + +## policy for livecd @@ -4354,8 +4371,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.i +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.7.19/policy/modules/apps/livecd.te ---- nsaserefpolicy/policy/modules/apps/livecd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/livecd.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/livecd.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/apps/livecd.te 2010-05-28 09:41:59.987610690 +0200 @@ -0,0 +1,34 @@ +policy_module(livecd, 1.0.0) + 
@@ -4392,8 +4409,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.t +seutil_domtrans_setfiles_mac(livecd_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.if serefpolicy-3.7.19/policy/modules/apps/loadkeys.if ---- nsaserefpolicy/policy/modules/apps/loadkeys.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/loadkeys.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/loadkeys.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/loadkeys.if 2010-05-28 09:41:59.987610690 +0200 @@ -17,6 +17,9 @@ corecmd_search_bin($1) @@ -4405,8 +4422,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.7.19/policy/modules/apps/loadkeys.te ---- nsaserefpolicy/policy/modules/apps/loadkeys.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/loadkeys.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/loadkeys.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/loadkeys.te 2010-05-28 09:41:59.988610625 +0200 @@ -40,8 +40,12 @@ miscfiles_read_localization(loadkeys_t) @@ -4422,8 +4439,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys + dev_dontaudit_rw_lvm_control(loadkeys_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.7.19/policy/modules/apps/mono.if ---- nsaserefpolicy/policy/modules/apps/mono.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/mono.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/mono.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/mono.if 2010-05-28 09:41:59.988610625 +0200 
@@ -40,16 +40,19 @@ domain_interactive_fd($1_mono_t) application_type($1_mono_t) @@ -4446,8 +4463,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if optional_policy(` xserver_role($1_r, $1_mono_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.7.19/policy/modules/apps/mozilla.fc ---- nsaserefpolicy/policy/modules/apps/mozilla.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/mozilla.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/mozilla.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/mozilla.fc 2010-05-28 09:41:59.989610908 +0200 @@ -1,6 +1,7 @@ HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) @@ -4465,8 +4482,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. /usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.7.19/policy/modules/apps/mozilla.if ---- nsaserefpolicy/policy/modules/apps/mozilla.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/mozilla.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/mozilla.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/mozilla.if 2010-05-28 09:41:59.989610908 +0200 @@ -48,6 +48,12 @@ mozilla_dbus_chat($2) 
@@ -4548,8 +4565,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. + domtrans_pattern($1, mozilla_exec_t, $2) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.7.19/policy/modules/apps/mozilla.te ---- nsaserefpolicy/policy/modules/apps/mozilla.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/mozilla.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/mozilla.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/mozilla.te 2010-05-28 09:41:59.990610633 +0200 @@ -91,6 +91,7 @@ corenet_raw_sendrecv_generic_node(mozilla_t) corenet_tcp_sendrecv_http_port(mozilla_t) @@ -4609,8 +4626,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. thunderbird_domtrans(mozilla_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.7.19/policy/modules/apps/mplayer.if ---- nsaserefpolicy/policy/modules/apps/mplayer.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/mplayer.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/mplayer.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/mplayer.if 2010-05-28 09:41:59.991610847 +0200 @@ -102,3 +102,39 @@ read_files_pattern($1, mplayer_home_t, mplayer_home_t) userdom_search_user_home_dirs($1) 
@@ -4652,8 +4669,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer. + domtrans_pattern($1, mplayer_exec_t, $2) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.te serefpolicy-3.7.19/policy/modules/apps/mplayer.te ---- nsaserefpolicy/policy/modules/apps/mplayer.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/mplayer.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/mplayer.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/mplayer.te 2010-05-28 09:41:59.992610642 +0200 @@ -152,11 +152,15 @@ allow mplayer_t self:process { signal_perms getsched }; @@ -4730,8 +4747,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer. +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.7.19/policy/modules/apps/nsplugin.fc ---- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/nsplugin.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/apps/nsplugin.fc 2010-05-28 09:41:59.992610642 +0200 @@ -0,0 +1,10 @@ +HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) 
@@ -4744,8 +4761,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0) +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.7.19/policy/modules/apps/nsplugin.if ---- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/nsplugin.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/apps/nsplugin.if 2010-05-28 09:41:59.993610716 +0200 @@ -0,0 +1,391 @@ + +## policy for nsplugin @@ -5139,8 +5156,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + domtrans_pattern($1, nsplugin_exec_t, $2) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.19/policy/modules/apps/nsplugin.te ---- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/nsplugin.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/apps/nsplugin.te 2010-05-28 09:41:59.994610930 +0200 @@ -0,0 +1,297 @@ + +policy_module(nsplugin, 1.0.0) 
@@ -5440,16 +5457,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.7.19/policy/modules/apps/openoffice.fc ---- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/openoffice.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/openoffice.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/apps/openoffice.fc 2010-05-28 09:41:59.995610655 +0200 @@ -0,0 +1,4 @@ +/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) +/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) +/opt/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.7.19/policy/modules/apps/openoffice.if ---- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/openoffice.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/openoffice.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/apps/openoffice.if 2010-05-28 09:41:59.995610655 +0200 @@ -0,0 +1,129 @@ +## Openoffice + 
@@ -5581,8 +5598,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi + domtrans_pattern($1, openoffice_exec_t, $2) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.7.19/policy/modules/apps/openoffice.te ---- nsaserefpolicy/policy/modules/apps/openoffice.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/openoffice.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/openoffice.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/apps/openoffice.te 2010-05-28 09:41:59.996611008 +0200 @@ -0,0 +1,17 @@ + +policy_module(openoffice, 1.0.0) @@ -5602,8 +5619,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi +# + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.7.19/policy/modules/apps/podsleuth.te ---- nsaserefpolicy/policy/modules/apps/podsleuth.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/podsleuth.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/podsleuth.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/podsleuth.te 2010-05-28 09:41:59.997610803 +0200 @@ -50,6 +50,7 @@ fs_tmpfs_filetrans(podsleuth_t, podsleuth_tmpfs_t, { dir file lnk_file }) 
@@ -5628,8 +5645,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleut optional_policy(` dbus_system_bus_client(podsleuth_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.7.19/policy/modules/apps/pulseaudio.fc ---- nsaserefpolicy/policy/modules/apps/pulseaudio.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/pulseaudio.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.fc 2010-05-28 09:41:59.997610803 +0200 @@ -3,5 +3,6 @@ /usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) @@ -5638,8 +5655,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud /var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) /var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.19/policy/modules/apps/pulseaudio.if ---- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.if 2010-05-28 09:41:59.998610877 +0200 @@ -104,6 +104,24 @@ can_exec($1, pulseaudio_exec_t) ') 
@@ -5717,8 +5734,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud + allow $1 pulseaudio_t:process signull; ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.19/policy/modules/apps/pulseaudio.te ---- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.te 2010-05-28 09:41:59.998610877 +0200 @@ -41,6 +41,7 @@ manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) @@ -5744,8 +5761,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud + sandbox_manage_tmpfs_files(pulseaudio_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.7.19/policy/modules/apps/qemu.fc ---- nsaserefpolicy/policy/modules/apps/qemu.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/qemu.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/qemu.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/qemu.fc 2010-05-28 09:41:59.999610811 +0200 @@ -1,2 +1,4 @@ -/usr/bin/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) 
@@ -5753,8 +5770,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc +/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) /usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.7.19/policy/modules/apps/qemu.if ---- nsaserefpolicy/policy/modules/apps/qemu.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/qemu.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/qemu.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/qemu.if 2010-05-28 09:42:00.000610955 +0200 @@ -127,12 +127,14 @@ template(`qemu_role',` gen_require(` @@ -5864,8 +5881,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.7.19/policy/modules/apps/qemu.te ---- nsaserefpolicy/policy/modules/apps/qemu.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/qemu.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/qemu.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/qemu.te 2010-05-28 09:42:00.001611798 +0200 @@ -50,6 +50,8 @@ # # qemu local policy 
@@ -5899,19 +5916,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te + allow unconfined_qemu_t qemu_exec_t:file execmod; ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.7.19/policy/modules/apps/sambagui.fc ---- nsaserefpolicy/policy/modules/apps/sambagui.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/sambagui.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/sambagui.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/apps/sambagui.fc 2010-05-28 09:42:00.002611802 +0200 @@ -0,0 +1 @@ +/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.7.19/policy/modules/apps/sambagui.if ---- nsaserefpolicy/policy/modules/apps/sambagui.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/sambagui.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/sambagui.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/apps/sambagui.if 2010-05-28 09:42:00.002611802 +0200 @@ -0,0 +1,2 @@ +## system-config-samba policy + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.7.19/policy/modules/apps/sambagui.te ---- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/sambagui.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/sambagui.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/apps/sambagui.te 2010-05-28 09:42:00.003610619 +0200 @@ -0,0 +1,66 @@ +policy_module(sambagui,1.0.0) + 
@@ -5980,13 +5997,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui + policykit_dbus_chat(sambagui_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.7.19/policy/modules/apps/sandbox.fc ---- nsaserefpolicy/policy/modules/apps/sandbox.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/sandbox.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.fc 2010-05-28 09:42:00.003610619 +0200 @@ -0,0 +1 @@ +# No types are sandbox_exec_t diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.19/policy/modules/apps/sandbox.if ---- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/sandbox.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if 2010-05-28 09:42:00.004610972 +0200 @@ -0,0 +1,314 @@ + +## policy for sandbox @@ -6303,8 +6320,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + allow $1 sandbox_file_type:dir list_dir_perms; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te ---- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/sandbox.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-05-28 09:42:00.005610977 +0200 @@ -0,0 +1,385 @@ +policy_module(sandbox,1.0.0) +dbus_stub() 
@@ -6692,8 +6709,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.19/policy/modules/apps/seunshare.if ---- nsaserefpolicy/policy/modules/apps/seunshare.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/seunshare.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/seunshare.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/seunshare.if 2010-05-28 09:42:00.006611051 +0200 @@ -2,30 +2,12 @@ ######################################## @@ -6798,8 +6815,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar + ') ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.19/policy/modules/apps/seunshare.te ---- nsaserefpolicy/policy/modules/apps/seunshare.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/seunshare.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/seunshare.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/seunshare.te 2010-05-28 09:42:00.006611051 +0200 @@ -6,40 +6,39 @@ # Declarations # @@ -6859,8 +6876,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar ') ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.7.19/policy/modules/apps/slocate.te ---- nsaserefpolicy/policy/modules/apps/slocate.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/slocate.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/slocate.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/slocate.te 2010-05-28 09:42:00.007614268 +0200 @@ -30,6 +30,7 @@ manage_files_pattern(locate_t, locate_var_lib_t, locate_var_lib_t) 
@@ -6882,14 +6899,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate. # getpwnam auth_use_nsswitch(locate_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepathysofiasip.fc serefpolicy-3.7.19/policy/modules/apps/telepathysofiasip.fc ---- nsaserefpolicy/policy/modules/apps/telepathysofiasip.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/telepathysofiasip.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/telepathysofiasip.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/apps/telepathysofiasip.fc 2010-05-28 09:42:00.009611133 +0200 @@ -0,0 +1,2 @@ + +/usr/libexec/telepathy-sofiasip -- gen_context(system_u:object_r:telepathysofiasip_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepathysofiasip.if serefpolicy-3.7.19/policy/modules/apps/telepathysofiasip.if ---- nsaserefpolicy/policy/modules/apps/telepathysofiasip.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/telepathysofiasip.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/telepathysofiasip.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/apps/telepathysofiasip.if 2010-05-28 09:42:00.009611133 +0200 @@ -0,0 +1,69 @@ + +## policy for telepathy-sofiasip 
@@ -6961,8 +6978,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath + telepathysofiasip_dbus_chat($2) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepathysofiasip.te serefpolicy-3.7.19/policy/modules/apps/telepathysofiasip.te ---- nsaserefpolicy/policy/modules/apps/telepathysofiasip.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/telepathysofiasip.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/telepathysofiasip.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/apps/telepathysofiasip.te 2010-05-28 09:42:00.011611282 +0200 @@ -0,0 +1,45 @@ + +policy_module(telepathysofiasip,1.0.0) @@ -7010,16 +7027,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath + +sysnet_read_config(telepathysofiasip_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.fc serefpolicy-3.7.19/policy/modules/apps/userhelper.fc ---- nsaserefpolicy/policy/modules/apps/userhelper.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/userhelper.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/userhelper.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/userhelper.fc 2010-05-28 09:42:00.011611282 +0200 
@@ -7,3 +7,4 @@ # /usr # /usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0) +/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.if serefpolicy-3.7.19/policy/modules/apps/userhelper.if ---- nsaserefpolicy/policy/modules/apps/userhelper.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/userhelper.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/userhelper.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/userhelper.if 2010-05-28 09:42:00.012610867 +0200 @@ -25,6 +25,7 @@ gen_require(` attribute userhelper_type; @@ -7088,8 +7105,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp + ') +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.te serefpolicy-3.7.19/policy/modules/apps/userhelper.te ---- nsaserefpolicy/policy/modules/apps/userhelper.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/userhelper.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/userhelper.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/userhelper.te 2010-05-28 09:42:00.013611081 +0200 @@ -7,9 +7,51 @@ # 
@@ -7143,8 +7160,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp + xserver_stream_connect(consolehelper_domain) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.7.19/policy/modules/apps/vmware.if ---- nsaserefpolicy/policy/modules/apps/vmware.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/vmware.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/vmware.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/vmware.if 2010-05-28 09:42:00.013611081 +0200 @@ -84,3 +84,22 @@ logging_search_logs($1) append_files_pattern($1, vmware_log_t, vmware_log_t) @@ -7169,8 +7186,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.i +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.7.19/policy/modules/apps/vmware.te ---- nsaserefpolicy/policy/modules/apps/vmware.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/vmware.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/vmware.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/vmware.te 2010-06-01 17:53:10.951411029 +0200 @@ -29,6 +29,10 @@ type vmware_host_exec_t; init_daemon_domain(vmware_host_t, vmware_host_exec_t) 
@@ -7213,8 +7230,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t domain_use_interactive_fds(vmware_host_t) domain_dontaudit_read_all_domains_state(vmware_host_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.7.19/policy/modules/apps/wine.fc ---- nsaserefpolicy/policy/modules/apps/wine.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/wine.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/wine.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/wine.fc 2010-05-28 09:42:00.014611294 +0200 @@ -2,6 +2,7 @@ /opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) @@ -7224,8 +7241,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc /opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0) /opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.7.19/policy/modules/apps/wine.if ---- nsaserefpolicy/policy/modules/apps/wine.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/wine.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/wine.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/wine.if 2010-05-28 09:42:00.015611019 +0200 @@ -35,6 +35,8 @@ role $1 types wine_t; 
@@ -7252,8 +7269,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if optional_policy(` xserver_role($1_r, $1_wine_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.7.19/policy/modules/apps/wine.te ---- nsaserefpolicy/policy/modules/apps/wine.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/wine.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/wine.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/wine.te 2010-05-28 09:42:00.016654044 +0200 @@ -1,6 +1,14 @@ policy_module(wine, 1.6.1) @@ -7298,8 +7315,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.7.19/policy/modules/apps/wm.if ---- nsaserefpolicy/policy/modules/apps/wm.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/wm.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/wm.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/wm.if 2010-05-28 09:42:00.017610539 +0200 @@ -30,6 +30,7 @@ template(`wm_role_template',` gen_require(` @@ -7350,8 +7367,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc ---- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-05-28 09:42:00.017610539 +0200 
@@ -49,7 +49,8 @@ /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0) /etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0) @@ -7435,8 +7452,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco + +/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.19/policy/modules/kernel/corecommands.if ---- nsaserefpolicy/policy/modules/kernel/corecommands.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.if 2010-05-28 09:42:00.018610892 +0200 @@ -931,6 +931,7 @@ read_lnk_files_pattern($1, bin_t, bin_t) @@ -7454,8 +7471,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco manage_lnk_files_pattern($1, bin_t, bin_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in ---- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2010-05-26 16:57:26.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2010-05-28 09:42:00.019610687 +0200 @@ -25,6 +25,7 @@ # type tun_tap_device_t; 
@@ -7608,8 +7625,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(zope, tcp,8021,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.19/policy/modules/kernel/devices.fc ---- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/devices.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/devices.fc 2010-05-28 09:42:00.020633179 +0200 @@ -108,6 +108,7 @@ /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) /dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0) @@ -7636,8 +7653,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +# +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.19/policy/modules/kernel/devices.if ---- nsaserefpolicy/policy/modules/kernel/devices.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/devices.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/devices.if 2010-05-28 09:42:00.022611259 +0200 @@ -934,6 +934,42 @@ ######################################## 
@@ -7765,8 +7782,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.19/policy/modules/kernel/devices.te ---- nsaserefpolicy/policy/modules/kernel/devices.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/devices.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/devices.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/devices.te 2010-05-28 09:42:00.024610918 +0200 @@ -101,6 +101,7 @@ # type kvm_device_t; @@ -7806,8 +7823,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device allow devices_unconfined_type mtrr_device_t:file *; + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.19/policy/modules/kernel/domain.if ---- nsaserefpolicy/policy/modules/kernel/domain.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/domain.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/domain.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/domain.if 2010-05-28 09:42:00.025610713 +0200 @@ -611,7 +611,7 @@ ######################################## 
@@ -7913,8 +7930,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain + dontaudit $1 domain:socket_class_set { read write }; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.19/policy/modules/kernel/domain.te ---- nsaserefpolicy/policy/modules/kernel/domain.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/domain.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/domain.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/domain.te 2010-05-28 09:42:00.026611136 +0200 @@ -5,6 +5,21 @@ # # Declarations @@ -8088,8 +8105,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain + userdom_relabelto_user_home_files(polydomain) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.7.19/policy/modules/kernel/files.fc ---- nsaserefpolicy/policy/modules/kernel/files.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/files.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/files.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/files.fc 2010-05-28 09:42:00.027654091 +0200 @@ -18,6 +18,7 @@ /fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0) /halt -- gen_context(system_u:object_r:etc_runtime_t,s0) 
@@ -8192,8 +8209,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.19/policy/modules/kernel/files.if ---- nsaserefpolicy/policy/modules/kernel/files.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2010-05-27 15:35:13.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/files.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2010-05-28 09:42:00.031611018 +0200 @@ -1053,10 +1053,8 @@ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -9039,8 +9056,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. + allow $1 file_type:kernel_service create_files_as; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.7.19/policy/modules/kernel/files.te ---- nsaserefpolicy/policy/modules/kernel/files.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/files.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/files.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/files.te 2010-05-28 09:42:00.032610673 +0200 @@ -1,4 +1,4 @@ - + 
@@ -9087,8 +9104,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.19/policy/modules/kernel/filesystem.if ---- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2010-05-28 09:42:00.035610756 +0200 @@ -559,7 +559,7 @@ ######################################## @@ -9595,8 +9612,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.19/policy/modules/kernel/filesystem.te ---- nsaserefpolicy/policy/modules/kernel/filesystem.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.te 2010-05-28 09:42:00.036611249 +0200 @@ -53,6 +53,7 @@ fs_type(anon_inodefs_t) files_mountpoint(anon_inodefs_t) 
@@ -9630,8 +9647,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.19/policy/modules/kernel/kernel.if ---- nsaserefpolicy/policy/modules/kernel/kernel.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/kernel.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/kernel.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/kernel.if 2010-05-28 09:42:00.038610838 +0200 @@ -534,6 +534,37 @@ ######################################## @@ -9779,8 +9796,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.19/policy/modules/kernel/kernel.te ---- nsaserefpolicy/policy/modules/kernel/kernel.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/kernel.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/kernel.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/kernel.te 2010-05-28 09:42:00.039611192 +0200 @@ -46,15 +46,6 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) @@ -9871,8 +9888,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel # # Unlabeled process local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.7.19/policy/modules/kernel/selinux.if ---- nsaserefpolicy/policy/modules/kernel/selinux.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/selinux.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/selinux.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/selinux.if 2010-05-28 09:42:00.040610567 +0200 
@@ -40,7 +40,7 @@ # because of this statement, any module which @@ -9931,8 +9948,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu + mls_trusted_object($1) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.7.19/policy/modules/kernel/storage.fc ---- nsaserefpolicy/policy/modules/kernel/storage.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/storage.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/storage.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/storage.fc 2010-05-28 09:42:00.041610572 +0200 @@ -20,6 +20,7 @@ /dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/hitcd -b gen_context(system_u:object_r:removable_device_t,s0) @@ -9942,8 +9959,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag /dev/jsfd -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/jsflash -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.7.19/policy/modules/kernel/storage.if ---- nsaserefpolicy/policy/modules/kernel/storage.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/storage.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/storage.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/storage.if 2010-05-28 09:42:00.041610572 +0200 @@ -101,6 +101,8 @@ dev_list_all_dev_nodes($1) allow $1 fixed_disk_device_t:blk_file read_blk_file_perms; 
@@ -9981,8 +9998,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag ## devices device nodes. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.19/policy/modules/kernel/terminal.if ---- nsaserefpolicy/policy/modules/kernel/terminal.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/terminal.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/terminal.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/terminal.if 2010-05-28 09:42:00.042610995 +0200 @@ -292,9 +292,11 @@ interface(`term_dontaudit_use_console',` gen_require(` @@ -10050,8 +10067,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditadm.te serefpolicy-3.7.19/policy/modules/roles/auditadm.te ---- nsaserefpolicy/policy/modules/roles/auditadm.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/roles/auditadm.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/roles/auditadm.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/roles/auditadm.te 2010-05-28 09:42:00.043610790 +0200 @@ -29,10 +29,13 @@ logging_manage_audit_config(auditadm_t) logging_run_auditctl(auditadm_t, auditadm_r) 
@@ -10067,8 +10084,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditad consoletype_exec(auditadm_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.7.19/policy/modules/roles/guest.te ---- nsaserefpolicy/policy/modules/roles/guest.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/roles/guest.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/roles/guest.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/roles/guest.te 2010-05-28 09:42:00.044610794 +0200 @@ -16,11 +16,7 @@ # @@ -10084,8 +10101,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.t -#gen_user(guest_u,, guest_r, s0, s0) +gen_user(guest_u, user, guest_r, s0, s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm.te serefpolicy-3.7.19/policy/modules/roles/secadm.te ---- nsaserefpolicy/policy/modules/roles/secadm.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/roles/secadm.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/roles/secadm.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/roles/secadm.te 2010-05-28 09:42:00.044610794 +0200 @@ -10,6 +10,8 @@ userdom_unpriv_user_template(secadm) 
@@ -10096,8 +10113,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm. ######################################## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.19/policy/modules/roles/staff.te ---- nsaserefpolicy/policy/modules/roles/staff.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/roles/staff.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/roles/staff.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/roles/staff.te 2010-05-28 09:42:00.045610728 +0200 @@ -9,25 +9,56 @@ role staff_r; @@ -10293,8 +10310,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t + userhelper_console_role_template(staff, staff_r, staff_usertype) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.19/policy/modules/roles/sysadm.te ---- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te 2010-05-28 09:42:00.046610802 +0200 @@ -28,17 +28,29 @@ corecmd_exec_shell(sysadm_t) 
@@ -10639,8 +10656,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. +modutils_read_module_deps(sysadm_t) +miscfiles_read_hwdata(sysadm_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.7.19/policy/modules/roles/unconfineduser.fc ---- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.fc 2010-05-28 09:42:00.047610527 +0200 @@ -0,0 +1,10 @@ +# Add programs here which should not be confined by SELinux +# e.g.: @@ -10653,8 +10670,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi +/usr/sbin/xrdp -- gen_context(system_u:object_r:unconfined_exec_t,s0) +/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.7.19/policy/modules/roles/unconfineduser.if ---- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.if 2010-05-28 09:42:00.048612487 +0200 @@ -0,0 +1,667 @@ +## Unconfiend user role + 
@@ -11324,8 +11341,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + allow $1 unconfined_r; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te ---- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2010-05-27 16:00:30.000000000 -0400 +--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2010-05-28 09:42:00.049610676 +0200 @@ -0,0 +1,439 @@ +policy_module(unconfineduser, 1.0.0) + @@ -11767,8 +11784,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.7.19/policy/modules/roles/unprivuser.te ---- nsaserefpolicy/policy/modules/roles/unprivuser.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/roles/unprivuser.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/roles/unprivuser.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/roles/unprivuser.te 2010-05-28 09:42:00.049610676 +0200 @@ -13,10 +13,13 @@ userdom_unpriv_user_template(user) 
@@ -11823,8 +11840,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu xserver_role(user_r, user_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.19/policy/modules/roles/xguest.te ---- nsaserefpolicy/policy/modules/roles/xguest.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/roles/xguest.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/roles/xguest.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/roles/xguest.te 2010-05-28 09:42:00.050610680 +0200 @@ -15,7 +15,7 @@ ## @@ -11960,8 +11977,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. + +gen_user(xguest_u, user, xguest_r, s0, s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.7.19/policy/modules/services/abrt.fc ---- nsaserefpolicy/policy/modules/services/abrt.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/abrt.fc 2010-05-26 15:38:09.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/abrt.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/abrt.fc 2010-05-28 09:42:00.051610544 +0200 @@ -1,11 +1,20 @@ -/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) +/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) 
@@ -11988,8 +12005,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt + +/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.7.19/policy/modules/services/abrt.if ---- nsaserefpolicy/policy/modules/services/abrt.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/abrt.if 2010-05-26 15:38:10.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/abrt.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/abrt.if 2010-05-28 09:42:00.051610544 +0200 @@ -21,7 +21,7 @@ ###################################### @@ -12236,8 +12253,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt files_search_var($1) admin_pattern($1, abrt_var_cache_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.19/policy/modules/services/abrt.te ---- nsaserefpolicy/policy/modules/services/abrt.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/abrt.te 2010-05-27 09:59:57.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/abrt.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/abrt.te 2010-06-01 17:24:25.046412435 +0200 @@ -1,5 +1,5 @@ -policy_module(abrt, 1.0.1) @@ -12347,13 +12364,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt sysnet_read_config(abrt_t) -@@ -103,22 +141,116 @@ +@@ -103,22 +141,117 @@ miscfiles_read_certs(abrt_t) miscfiles_read_localization(abrt_t) -# to run bugzilla plugin -# read ~/.abrt/Bugzilla.conf -userdom_read_user_home_content_files(abrt_t) ++userdom_dontaudit_read_admin_home_files(abrt_t) +userdom_dontaudit_read_user_home_content_files(abrt_t) + +optional_policy(` 
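Review bot: The added `userdom_dontaudit_read_admin_home_files(abrt_t)` in the abrt.te hunk (`@@ -12347,13 +12364,14 @@`) has no comment, although the allow rule this block replaced was explained by `# read ~/.abrt/Bugzilla.conf`. A dontaudit rule keeps the access denied but also suppresses the AVC record, so someone investigating why abrt cannot read a file under the admin home directory, or looking for unexpected reads there, finds nothing in the audit log. I would put a one-line rationale above the two dontaudit lines, e.g. `# abrt probes per-user config in home dirs; denied on purpose and silenced to cut log noise`, if that is indeed the reason. The abrt_t rule block continues outside this hunk.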
@@ -12472,8 +12490,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt + allow abrt_t domain:process setrlimit; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.7.19/policy/modules/services/afs.te ---- nsaserefpolicy/policy/modules/services/afs.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/afs.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/afs.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/afs.te 2010-05-28 09:42:00.053610763 +0200 @@ -88,9 +88,14 @@ fs_getattr_xattr_fs(afs_t) @@ -12490,8 +12508,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs. corenet_all_recvfrom_netlabel(afs_t) corenet_tcp_sendrecv_generic_if(afs_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.fc serefpolicy-3.7.19/policy/modules/services/aiccu.fc ---- nsaserefpolicy/policy/modules/services/aiccu.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/aiccu.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/aiccu.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/aiccu.fc 2010-05-28 09:42:00.054610627 +0200 @@ -0,0 +1,5 @@ + +/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0) 
@@ -12499,8 +12517,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc +/etc/rc\.d/init\.d/aiccu -- gen_context(system_u:object_r:aiccu_initrc_exec_t,s0) +/var/run/aiccu.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.if serefpolicy-3.7.19/policy/modules/services/aiccu.if ---- nsaserefpolicy/policy/modules/services/aiccu.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/aiccu.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/aiccu.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/aiccu.if 2010-05-28 09:42:00.054610627 +0200 @@ -0,0 +1,119 @@ + +## policy for aiccu @@ -12622,8 +12640,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc + +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.te serefpolicy-3.7.19/policy/modules/services/aiccu.te ---- nsaserefpolicy/policy/modules/services/aiccu.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/aiccu.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/aiccu.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/aiccu.te 2010-05-28 09:42:00.055610771 +0200 @@ -0,0 +1,44 @@ +policy_module(aiccu,1.0.0) + 
@@ -12670,8 +12688,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc +files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir }) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.fc serefpolicy-3.7.19/policy/modules/services/aisexec.fc ---- nsaserefpolicy/policy/modules/services/aisexec.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/aisexec.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/aisexec.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/aisexec.fc 2010-05-28 09:42:00.055610771 +0200 @@ -0,0 +1,10 @@ + +/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:aisexec_initrc_exec_t,s0) @@ -12684,8 +12702,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise + +/var/run/aisexec\.pid -- gen_context(system_u:object_r:aisexec_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.if serefpolicy-3.7.19/policy/modules/services/aisexec.if ---- nsaserefpolicy/policy/modules/services/aisexec.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/aisexec.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/aisexec.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/aisexec.if 2010-05-28 09:42:00.056610845 +0200 @@ -0,0 +1,106 @@ +## SELinux policy for Aisexec Cluster Engine + 
@@ -12794,8 +12812,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise + admin_pattern($1, aisexec_tmpfs_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.7.19/policy/modules/services/aisexec.te ---- nsaserefpolicy/policy/modules/services/aisexec.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/aisexec.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/aisexec.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/aisexec.te 2010-05-28 09:42:00.056610845 +0200 @@ -0,0 +1,118 @@ + +policy_module(aisexec,1.0.0) @@ -12916,13 +12934,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise +userdom_rw_semaphores(aisexec_t) +userdom_rw_unpriv_user_shared_mem(aisexec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.19/policy/modules/services/apache.fc ---- nsaserefpolicy/policy/modules/services/apache.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/apache.fc 2010-05-26 17:03:21.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/apache.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/apache.fc 2010-05-28 12:43:02.369860821 +0200 
@@ -3,6 +3,7 @@ /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) /etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) /etc/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+/etc/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_rw_t,s0) ++/etc/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) /etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0) @@ -12969,8 +12987,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.19/policy/modules/services/apache.if ---- nsaserefpolicy/policy/modules/services/apache.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/apache.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/apache.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/apache.if 2010-05-28 09:42:00.059610718 +0200 @@ -13,17 +13,13 @@ # template(`apache_content_template',` 
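Review bot: With the type name corrected, `/etc/dokuwiki(/.*)?` puts the whole directory tree under `httpd_sys_rw_content_t`, as the `/etc/drupal` entry above it does, whereas `/etc/httpd` and `/etc/apache` in the same hunk are `httpd_config_t`. Presumably that makes every file there writable by the web server's script domains, so a compromised script could rewrite the application's own configuration. I cannot tell from the hunk which files really need write access. If it is only some of them, a narrower pattern for those and a read-only content type for the rest would be tighter. Otherwise a comment such as `# dokuwiki rewrites its config from the web UI, hence rw` would record that the label is deliberate.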
@@ -13362,8 +13380,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + dontaudit $1 httpd_t:unix_stream_socket { read write }; ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.19/policy/modules/services/apache.te ---- nsaserefpolicy/policy/modules/services/apache.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/apache.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-05-28 09:42:00.060610653 +0200 @@ -19,11 +19,13 @@ # Declarations # @@ -13893,8 +13911,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.7.19/policy/modules/services/apcupsd.te ---- nsaserefpolicy/policy/modules/services/apcupsd.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/apcupsd.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/apcupsd.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/apcupsd.te 2010-05-28 09:42:00.061610936 +0200 @@ -95,6 +95,10 @@ ') 
@@ -13907,8 +13925,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu mta_system_content(apcupsd_tmp_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.7.19/policy/modules/services/arpwatch.te ---- nsaserefpolicy/policy/modules/services/arpwatch.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/arpwatch.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/arpwatch.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/arpwatch.te 2010-05-28 09:42:00.062610591 +0200 @@ -34,6 +34,7 @@ allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms }; allow arpwatch_t self:udp_socket create_socket_perms; @@ -13935,8 +13953,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpw fs_getattr_all_fs(arpwatch_t) fs_search_auto_mountpoints(arpwatch_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.7.19/policy/modules/services/asterisk.if ---- nsaserefpolicy/policy/modules/services/asterisk.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/asterisk.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/asterisk.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/asterisk.if 2010-05-28 09:42:00.063611364 +0200 @@ -1,5 +1,24 @@ ## Asterisk IP telephony server 
@@ -13963,8 +13981,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste ## ## Connect to asterisk over a unix domain diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.7.19/policy/modules/services/asterisk.te ---- nsaserefpolicy/policy/modules/services/asterisk.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/asterisk.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/asterisk.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/asterisk.te 2010-05-28 09:42:00.064610809 +0200 @@ -40,12 +40,13 @@ # @@ -14075,8 +14093,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.7.19/policy/modules/services/automount.te ---- nsaserefpolicy/policy/modules/services/automount.te 2010-04-13 14:44:36.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/automount.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/automount.te 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/automount.te 2010-05-28 09:42:00.065610953 +0200 @@ -146,6 +146,7 @@ # Run mount in the mount_t domain. 
@@ -14086,8 +14104,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto userdom_dontaudit_use_unpriv_user_fds(automount_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.7.19/policy/modules/services/avahi.if ---- nsaserefpolicy/policy/modules/services/avahi.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/avahi.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/avahi.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/avahi.if 2010-05-28 09:42:00.065610953 +0200 @@ -90,6 +90,7 @@ class dbus send_msg; ') @@ -14097,8 +14115,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah allow avahi_t $1:dbus send_msg; ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.7.19/policy/modules/services/bluetooth.if ---- nsaserefpolicy/policy/modules/services/bluetooth.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/bluetooth.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/bluetooth.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/bluetooth.if 2010-05-28 09:42:00.066610888 +0200 @@ -117,6 +117,27 @@ ######################################## 
@@ -14128,8 +14146,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue ## ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.fc serefpolicy-3.7.19/policy/modules/services/boinc.fc ---- nsaserefpolicy/policy/modules/services/boinc.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/boinc.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/boinc.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/boinc.fc 2010-05-28 09:42:00.067610962 +0200 @@ -0,0 +1,6 @@ + +/etc/rc\.d/init\.d/boinc_client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0) @@ -14138,8 +14156,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin + +/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.if serefpolicy-3.7.19/policy/modules/services/boinc.if ---- nsaserefpolicy/policy/modules/services/boinc.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/boinc.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/boinc.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/boinc.if 2010-05-28 09:42:00.067610962 +0200 @@ -0,0 +1,151 @@ + +## policy for boinc 
@@ -14293,9 +14311,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin + admin_pattern($1, boinc_var_lib_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.7.19/policy/modules/services/boinc.te ---- nsaserefpolicy/policy/modules/services/boinc.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-05-27 10:11:30.000000000 -0400 -@@ -0,0 +1,95 @@ +--- nsaserefpolicy/policy/modules/services/boinc.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-06-01 16:58:59.673160682 +0200 +@@ -0,0 +1,97 @@ + +policy_module(boinc,1.0.0) + @@ -14328,7 +14346,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +# + +allow boinc_t self:capability { kill }; -+allow boinc_t self:process { execmem fork setsched signal sigkill }; ++allow boinc_t self:process { execmem fork setsched signal signull sigkill }; + +allow boinc_t self:fifo_file rw_fifo_file_perms; +allow boinc_t self:unix_stream_socket create_stream_socket_perms; @@ -14348,6 +14366,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) +files_var_lib_filetrans(boinc_t, boinc_var_lib_t, { file dir } ) + ++kernel_read_network_state(boinc_t) +kernel_read_system_state(boinc_t) +kernel_read_kernel_sysctls(boinc_t) +kernel_search_vm_sysctl(boinc_t) @@ -14373,6 +14392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +dev_read_rand(boinc_t) +dev_read_urand(boinc_t) +dev_read_sysfs(boinc_t) ++dev_rw_xserver_misc(boinc_t) + +domain_read_all_domains_state(boinc_t) + 
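Review bot: `dev_rw_xserver_misc(boinc_t)` in the last boinc.te hunk (`@@ -14373,6 +14392,7 @@`) has no comment saying what needs it, and by its name it grants read/write on the X server misc devices to a domain that already holds `execmem` and, judging by the service, runs downloaded work units. If this is for GPU compute (an assumption, nothing in the hunk says so), placing the rule behind a boolean would let hosts without that need keep the devices closed to boinc_t. To a lesser degree the same applies to `kernel_read_network_state(boinc_t)` in `@@ -14348,6 +14366,7 @@`, also added without a rationale. A short comment per line, e.g. `# GPU work units open the graphics device nodes`, would be enough for a later audit of the domain. The boinc_t rule block starts and ends outside these hunks.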
@@ -14392,16 +14412,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin + +mta_send_mail(boinc_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.fc serefpolicy-3.7.19/policy/modules/services/bugzilla.fc ---- nsaserefpolicy/policy/modules/services/bugzilla.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/bugzilla.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/bugzilla.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/bugzilla.fc 2010-05-28 09:42:00.069610831 +0200 @@ -0,0 +1,4 @@ + +/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0) +/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0) +/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.if serefpolicy-3.7.19/policy/modules/services/bugzilla.if ---- nsaserefpolicy/policy/modules/services/bugzilla.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/bugzilla.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/bugzilla.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/bugzilla.if 2010-05-28 09:42:00.069610831 +0200 @@ -0,0 +1,39 @@ +## Bugzilla server + 
@@ -14443,8 +14463,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugz + dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write }; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.te serefpolicy-3.7.19/policy/modules/services/bugzilla.te ---- nsaserefpolicy/policy/modules/services/bugzilla.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/bugzilla.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/bugzilla.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/bugzilla.te 2010-05-28 09:42:00.070610905 +0200 @@ -0,0 +1,57 @@ + +policy_module(bugzilla, 1.0) @@ -14504,8 +14524,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugz +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.fc serefpolicy-3.7.19/policy/modules/services/cachefilesd.fc ---- nsaserefpolicy/policy/modules/services/cachefilesd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/cachefilesd.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/cachefilesd.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/cachefilesd.fc 2010-05-28 09:42:00.070610905 +0200 @@ -0,0 +1,29 @@ +############################################################################### +# 
@@ -14537,8 +14557,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach + +/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefiles_var_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.if serefpolicy-3.7.19/policy/modules/services/cachefilesd.if ---- nsaserefpolicy/policy/modules/services/cachefilesd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/cachefilesd.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/cachefilesd.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/cachefilesd.if 2010-05-28 09:42:00.071610839 +0200 @@ -0,0 +1,41 @@ +############################################################################### +# @@ -14582,8 +14602,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach + allow cachefilesd_t $1:process sigchld; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.te serefpolicy-3.7.19/policy/modules/services/cachefilesd.te ---- nsaserefpolicy/policy/modules/services/cachefilesd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/cachefilesd.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/cachefilesd.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/cachefilesd.te 2010-05-28 09:42:00.071610839 +0200 @@ -0,0 +1,147 @@ +############################################################################### +# 
@@ -14733,8 +14753,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach + +dev_search_sysfs(cachefiles_kernel_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.7.19/policy/modules/services/ccs.te ---- nsaserefpolicy/policy/modules/services/ccs.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/ccs.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/ccs.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ccs.te 2010-05-28 09:42:00.072610704 +0200 @@ -114,5 +114,15 @@ ') @@ -14752,8 +14772,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs. unconfined_use_fds(ccs_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.fc serefpolicy-3.7.19/policy/modules/services/certmonger.fc ---- nsaserefpolicy/policy/modules/services/certmonger.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/certmonger.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/certmonger.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/certmonger.fc 2010-05-28 09:42:00.073610778 +0200 @@ -0,0 +1,6 @@ +/etc/rc\.d/init\.d/certmonger -- gen_context(system_u:object_r:certmonger_initrc_exec_t,s0) + 
@@ -14762,8 +14782,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert +/var/run/certmonger.pid -- gen_context(system_u:object_r:certmonger_var_run_t,s0) +/var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.if serefpolicy-3.7.19/policy/modules/services/certmonger.if ---- nsaserefpolicy/policy/modules/services/certmonger.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/certmonger.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/certmonger.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/certmonger.if 2010-05-28 09:42:00.073610778 +0200 @@ -0,0 +1,217 @@ + +## Certificate status monitor and PKI enrollment client @@ -14983,8 +15003,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert + admin_pattern($1, cermonger_var_run_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.19/policy/modules/services/certmonger.te ---- nsaserefpolicy/policy/modules/services/certmonger.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/certmonger.te 2010-05-27 15:59:55.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/certmonger.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/certmonger.te 2010-05-28 09:42:00.074610853 +0200 @@ -0,0 +1,75 @@ +policy_module(certmonger,1.0.0) + 
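Review bot: The context line `admin_pattern($1, cermonger_var_run_t)` in the certmonger.if section (`@@ -14983,8 +15003,8 @@`) spells the type `cermonger_var_run_t`, while certmonger.fc earlier on this line labels the pid file `certmonger_var_run_t`. This commit only changes the timestamps here, so the misspelling is carried into the regenerated patch. Presumably the admin interface then either fails to compile when it is called or never covers the pid file. The line should read `admin_pattern($1, certmonger_var_run_t)`. The `gen_require` block of the same interface lies outside this hunk and should be checked for the same spelling.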
@@ -15062,8 +15082,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.fc serefpolicy-3.7.19/policy/modules/services/cgroup.fc ---- nsaserefpolicy/policy/modules/services/cgroup.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/cgroup.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/cgroup.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/cgroup.fc 2010-05-28 09:42:00.075610786 +0200 @@ -0,0 +1,12 @@ +/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0) + @@ -15078,8 +15098,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro + +/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.if serefpolicy-3.7.19/policy/modules/services/cgroup.if ---- nsaserefpolicy/policy/modules/services/cgroup.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/cgroup.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/cgroup.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/cgroup.if 2010-05-28 09:42:00.075610786 +0200 @@ -0,0 +1,243 @@ +## libcg is a library that abstracts the control group file system in Linux. +## 
@@ -15325,8 +15345,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro + role_transition $2 cgred_initrc_exec_t system_r; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.7.19/policy/modules/services/cgroup.te ---- nsaserefpolicy/policy/modules/services/cgroup.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/cgroup.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/cgroup.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/cgroup.te 2010-05-28 09:42:00.076610720 +0200 @@ -0,0 +1,102 @@ + +policy_module(cgroup, 1.0.0) @@ -15431,8 +15451,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro +fs_unmount_cgroupfs(cgconfigparser_t) +fs_setattr_cgroupfs_files(cgconfigparser_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.7.19/policy/modules/services/chronyd.if ---- nsaserefpolicy/policy/modules/services/chronyd.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/chronyd.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/chronyd.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/chronyd.if 2010-05-28 09:42:00.077610724 +0200 @@ -19,6 +19,24 @@ domtrans_pattern($1, chronyd_exec_t, chronyd_t) ') 
@@ -15529,8 +15549,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.7.19/policy/modules/services/chronyd.te ---- nsaserefpolicy/policy/modules/services/chronyd.te 2010-04-13 14:44:36.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/chronyd.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/chronyd.te 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/chronyd.te 2010-05-28 09:42:00.077610724 +0200 @@ -16,6 +16,9 @@ type chronyd_keys_t; files_type(chronyd_keys_t) @@ -15571,8 +15591,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro corenet_udp_bind_chronyd_port(chronyd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.19/policy/modules/services/clamav.te ---- nsaserefpolicy/policy/modules/services/clamav.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/clamav.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/clamav.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/clamav.te 2010-05-28 09:42:00.078610798 +0200 @@ -1,6 +1,13 @@ policy_module(clamav, 1.7.1) 
@@ -15632,16 +15652,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam amavis_read_spool_files(clamscan_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.fc serefpolicy-3.7.19/policy/modules/services/clogd.fc ---- nsaserefpolicy/policy/modules/services/clogd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/clogd.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/clogd.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/clogd.fc 2010-05-28 09:42:00.079610731 +0200 @@ -0,0 +1,4 @@ + +/usr/sbin/clogd -- gen_context(system_u:object_r:clogd_exec_t,s0) + +/var/run/clogd\.pid -- gen_context(system_u:object_r:clogd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.7.19/policy/modules/services/clogd.if ---- nsaserefpolicy/policy/modules/services/clogd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/clogd.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/clogd.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/clogd.if 2010-05-28 09:42:00.079610731 +0200 @@ -0,0 +1,82 @@ +## clogd - clustered mirror log server + @@ -15726,8 +15746,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clog +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.te serefpolicy-3.7.19/policy/modules/services/clogd.te ---- nsaserefpolicy/policy/modules/services/clogd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/clogd.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/clogd.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/clogd.te 2010-05-28 09:42:00.080611084 +0200 
@@ -0,0 +1,65 @@ + +policy_module(clogd,1.0.0) 
@@ -15794,9 +15814,205 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clog +') + + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmirrord.fc serefpolicy-3.7.19/policy/modules/services/cmirrord.fc +--- nsaserefpolicy/policy/modules/services/cmirrord.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/cmirrord.fc 2010-05-28 12:23:32.682860590 +0200 +@@ -0,0 +1,6 @@ ++ ++/etc/rc\.d/init\.d/cmirrord -- gen_context(system_u:object_r:cmirrord_initrc_exec_t,s0) ++ ++/usr/sbin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0) ++ ++/var/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_var_run_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmirrord.if serefpolicy-3.7.19/policy/modules/services/cmirrord.if +--- nsaserefpolicy/policy/modules/services/cmirrord.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/cmirrord.if 2010-05-28 12:30:40.719860805 +0200 +@@ -0,0 +1,118 @@ ++ ++## policy for cmirrord ++ ++######################################## ++## ++## Execute a domain transition to run cmirrord. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`cmirrord_domtrans',` ++ gen_require(` ++ type cmirrord_t, cmirrord_exec_t; ++ ') ++ ++ domtrans_pattern($1, cmirrord_exec_t, cmirrord_t) ++') ++ ++######################################## ++## ++## Execute cmirrord server in the cmirrord domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`cmirrord_initrc_domtrans',` ++ gen_require(` ++ type cmirrord_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, cmirrord_initrc_exec_t) ++') ++ ++######################################## ++## ++## Read cmirrord PID files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`cmirrord_read_pid_files',` ++ gen_require(` ++ type cmirrord_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 cmirrord_var_run_t:file read_file_perms; ++') ++ ++####################################### ++## ++## Read and write to cmirrord shared memory. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`cmirrord_rw_shm',` ++ gen_require(` ++ type cmirrord_t; ++ type cmirrord_tmpfs_t; ++ ') ++ ++ allow $1 cmirrord_t:shm { rw_shm_perms destroy }; ++ allow $1 cmirrord_tmpfs_t:dir list_dir_perms; ++ rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) ++ delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) ++ read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) ++ fs_search_tmpfs($1) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an cmirrord environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`cmirrord_admin',` ++ gen_require(` ++ type cmirrord_t; ++ type cmirrord_initrc_exec_t; ++ type cmirrord_var_run_t; ++ ') ++ ++ allow $1 cmirrord_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, cmirrord_t) ++ ++ cmirrord_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 cmirrord_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ files_search_pids($1) ++ admin_pattern($1, cmirrord_var_run_t) ++ ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmirrord.te serefpolicy-3.7.19/policy/modules/services/cmirrord.te +--- nsaserefpolicy/policy/modules/services/cmirrord.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/cmirrord.te 2010-05-28 12:25:06.226860459 +0200 +@@ -0,0 +1,60 @@ ++ ++policy_module(cmirrord,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type cmirrord_t; ++type cmirrord_exec_t; ++init_daemon_domain(cmirrord_t, cmirrord_exec_t) ++ ++permissive cmirrord_t; ++ ++type cmirrord_initrc_exec_t; ++init_script_file(cmirrord_initrc_exec_t) ++ ++type cmirrord_tmpfs_t; ++files_tmpfs_file(cmirrord_tmpfs_t) ++ ++type cmirrord_var_run_t; ++files_pid_file(cmirrord_var_run_t) ++ ++######################################## ++# ++# cmirrord local policy ++# ++ ++allow cmirrord_t self:capability { net_admin kill }; ++allow cmirrord_t self:process { fork signal }; ++ ++allow cmirrord_t self:fifo_file rw_fifo_file_perms; ++ ++allow cmirrord_t self:sem create_sem_perms; ++allow cmirrord_t self:shm create_shm_perms; ++allow cmirrord_t self:netlink_socket create_socket_perms; ++allow cmirrord_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t) ++manage_files_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t) ++fs_tmpfs_filetrans(cmirrord_t, cmirrord_tmpfs_t, { dir file }) ++ ++manage_dirs_pattern(cmirrord_t, 
cmirrord_var_run_t, cmirrord_var_run_t) ++manage_files_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t) ++files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, { file }) ++ ++domain_use_interactive_fds(cmirrord_t) ++ ++files_read_etc_files(cmirrord_t) ++ ++libs_use_ld_so(cmirrord_t) ++libs_use_shared_libs(cmirrord_t) ++ ++logging_send_syslog_msg(cmirrord_t) ++ ++miscfiles_read_localization(cmirrord_t) ++ ++optional_policy(` ++ corosync_stream_connect(cmirrord_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.7.19/policy/modules/services/cobbler.if ---- nsaserefpolicy/policy/modules/services/cobbler.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/cobbler.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/cobbler.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/cobbler.if 2010-05-28 09:42:00.081612483 +0200 @@ -173,9 +173,11 @@ files_list_var_lib($1) admin_pattern($1, cobbler_var_lib_t) @@ -15811,8 +16027,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb domain_system_change_exemption($1) role_transition $2 cobblerd_initrc_exec_t system_r; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.7.19/policy/modules/services/cobbler.te ---- nsaserefpolicy/policy/modules/services/cobbler.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/cobbler.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/cobbler.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/cobbler.te 2010-05-28 09:42:00.083611512 +0200 @@ -40,6 +40,7 @@ allow cobblerd_t self:fifo_file rw_fifo_file_perms; allow cobblerd_t self:tcp_socket create_stream_socket_perms; 
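Review bot: `permissive cmirrord_t;` in the new cmirrord.te carries no comment saying why it is there or when it is meant to be removed. While that declaration is in place, the allow rules that follow it do not confine the daemon: accesses outside them are logged, not blocked. If this is the usual bring-up step for a new domain, say so next to the declaration, for example `# permissive until cmirrord AVC denials have been reviewed; remove to enforce`. In the same hunk, `cmirrord_admin` in cmirrord.if applies `admin_pattern` to `cmirrord_var_run_t` but not to `cmirrord_tmpfs_t`, which the module also declares; worth confirming that omission is intended.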
@@ -15853,8 +16069,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb +manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) +manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.7.19/policy/modules/services/consolekit.fc ---- nsaserefpolicy/policy/modules/services/consolekit.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/consolekit.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/consolekit.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/consolekit.fc 2010-05-28 09:42:00.084613262 +0200 @@ -1,5 +1,7 @@ /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) @@ -15865,8 +16081,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons +/var/run/console-kit-daemon\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) +/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.7.19/policy/modules/services/consolekit.if ---- nsaserefpolicy/policy/modules/services/consolekit.if 2010-04-13 14:44:36.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/consolekit.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/consolekit.if 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/consolekit.if 2010-05-28 09:42:00.085610890 +0200 @@ -55,5 +55,44 @@ ') 
@@ -15913,8 +16129,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.7.19/policy/modules/services/consolekit.te ---- nsaserefpolicy/policy/modules/services/consolekit.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/consolekit.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/consolekit.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/consolekit.te 2010-05-28 09:42:00.086610824 +0200 @@ -16,12 +16,15 @@ type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) @@ -16009,8 +16225,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons unconfined_stream_connect(consolekit_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.7.19/policy/modules/services/corosync.fc ---- nsaserefpolicy/policy/modules/services/corosync.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/corosync.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/corosync.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/corosync.fc 2010-05-28 09:42:00.087610617 +0200 @@ -0,0 +1,15 @@ + +/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0) 
@@ -16028,8 +16244,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro +/var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.if serefpolicy-3.7.19/policy/modules/services/corosync.if ---- nsaserefpolicy/policy/modules/services/corosync.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/corosync.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/corosync.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/corosync.if 2010-05-28 09:42:00.087610617 +0200 @@ -0,0 +1,108 @@ +## SELinux policy for Corosync Cluster Engine + @@ -16140,9 +16356,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.19/policy/modules/services/corosync.te ---- nsaserefpolicy/policy/modules/services/corosync.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/corosync.te 2010-05-26 15:34:37.000000000 -0400 -@@ -0,0 +1,122 @@ +--- nsaserefpolicy/policy/modules/services/corosync.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/corosync.te 2010-05-28 12:24:51.498860537 +0200 +@@ -0,0 +1,126 @@ + +policy_module(corosync,1.0.0) + @@ -16250,6 +16466,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro +') + +optional_policy(` ++ cmirrord_rw_shm(corosync_t) ++') ++ ++optional_policy(` + # to communication with RHCS + dlm_controld_manage_tmpfs_files(corosync_t) + dlm_controld_rw_semaphores(corosync_t) 
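Review bot: `cmirrord_rw_shm(corosync_t)` grants corosync_t more than the interface's name and summary state. As defined in cmirrord.if in this same patch, the interface allows `destroy` on `cmirrord_t:shm` and applies `delete_files_pattern` to `cmirrord_tmpfs_t`, while its summary reads "Read and write to cmirrord shared memory." If corosync does need to remove cmirrord's segments, make the summary say so, e.g. `## Read, write and destroy cmirrord shared memory and delete its tmpfs files.`; if it does not, drop `destroy` and the `delete_files_pattern` line from the interface so the grant matches the name. The rest of corosync.te lies outside this hunk.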
@@ -16266,8 +16486,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.7.19/policy/modules/services/cron.fc ---- nsaserefpolicy/policy/modules/services/cron.fc 2010-04-13 14:44:36.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/cron.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/cron.fc 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/cron.fc 2010-05-28 09:42:00.088610900 +0200 @@ -14,7 +14,7 @@ /var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) @@ -16286,8 +16506,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron + +/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.7.19/policy/modules/services/cron.if ---- nsaserefpolicy/policy/modules/services/cron.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/cron.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/cron.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/cron.if 2010-05-28 09:42:00.089610903 +0200 @@ -12,6 +12,10 @@ ## # 
@@ -16465,8 +16685,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.19/policy/modules/services/cron.te ---- nsaserefpolicy/policy/modules/services/cron.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/cron.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/cron.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/cron.te 2010-05-28 09:42:00.091610700 +0200 @@ -38,8 +38,10 @@ type cron_var_lib_t; files_type(cron_var_lib_t) @@ -16772,8 +16992,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron tunable_policy(`fcron_crond', ` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.19/policy/modules/services/cups.fc ---- nsaserefpolicy/policy/modules/services/cups.fc 2010-04-13 14:44:36.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/cups.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/cups.fc 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/cups.fc 2010-05-28 09:42:00.091610700 +0200 @@ -13,10 +13,14 @@ /etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0) 
@@ -16822,8 +17042,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups + +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.19/policy/modules/services/cups.te ---- nsaserefpolicy/policy/modules/services/cups.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/cups.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/cups.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/cups.te 2010-06-01 16:38:46.796222623 +0200 @@ -16,6 +16,7 @@ type cupsd_t; type cupsd_exec_t; @@ -17052,8 +17272,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups kernel_read_system_state(cups_pdf_t) files_read_etc_files(cups_pdf_t) -@@ -556,13 +600,18 @@ +@@ -554,15 +598,21 @@ + + miscfiles_read_localization(cups_pdf_t) miscfiles_read_fonts(cups_pdf_t) ++miscfiles_setattr_fonts_cache_dirs(cups_pdf_t) userdom_home_filetrans_user_home_dir(cups_pdf_t) +userdom_user_home_dir_filetrans_pattern(cups_pdf_t, { file dir }) @@ -17071,7 +17294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups fs_manage_nfs_dirs(cups_pdf_t) fs_manage_nfs_files(cups_pdf_t) ') -@@ -601,6 +650,9 @@ +@@ -601,6 +651,9 @@ read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) files_search_etc(hplip_t) @@ -17081,7 +17304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file ) -@@ -627,6 +679,7 @@ +@@ -627,6 +680,7 @@ corenet_tcp_connect_ipp_port(hplip_t) corenet_sendrecv_hplip_client_packets(hplip_t) corenet_receive_hplip_server_packets(hplip_t) 
@@ -17090,8 +17313,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups dev_read_sysfs(hplip_t) dev_rw_printer(hplip_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.7.19/policy/modules/services/cvs.te ---- nsaserefpolicy/policy/modules/services/cvs.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/cvs.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/cvs.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/cvs.te 2010-05-28 09:42:00.093610497 +0200 @@ -93,6 +93,7 @@ auth_can_read_shadow_passwords(cvs_t) tunable_policy(`allow_cvs_read_shadow',` @@ -17107,8 +17330,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs. + files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.7.19/policy/modules/services/cyrus.te ---- nsaserefpolicy/policy/modules/services/cyrus.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/cyrus.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/cyrus.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/cyrus.te 2010-05-28 09:42:00.094610780 +0200 @@ -75,6 +75,7 @@ corenet_tcp_bind_mail_port(cyrus_t) corenet_tcp_bind_lmtp_port(cyrus_t) 
@@ -17126,8 +17349,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru snmp_dontaudit_write_snmp_var_lib_files(cyrus_t) snmp_stream_connect(cyrus_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.7.19/policy/modules/services/dbus.if ---- nsaserefpolicy/policy/modules/services/dbus.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/dbus.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/dbus.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/dbus.if 2010-05-28 09:42:00.095610713 +0200 @@ -42,8 +42,10 @@ gen_require(` class dbus { send_msg acquire_svc }; @@ -17321,8 +17544,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.7.19/policy/modules/services/dbus.te ---- nsaserefpolicy/policy/modules/services/dbus.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/dbus.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/dbus.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/dbus.te 2010-05-28 09:42:00.096610787 +0200 @@ -86,6 +86,7 @@ dev_read_sysfs(system_dbusd_t) 
@@ -17371,8 +17594,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus + xserver_append_xdm_home_files(session_bus_type) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.fc serefpolicy-3.7.19/policy/modules/services/denyhosts.fc ---- nsaserefpolicy/policy/modules/services/denyhosts.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/denyhosts.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/denyhosts.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/denyhosts.fc 2010-05-28 09:42:00.096610787 +0200 @@ -0,0 +1,7 @@ +/etc/rc\.d/init\.d/denyhosts -- gen_context(system_u:object_r:denyhosts_initrc_exec_t, s0) + @@ -17382,8 +17605,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny +/var/lock/subsys/denyhosts -- gen_context(system_u:object_r:denyhosts_var_lock_t, s0) +/var/log/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_log_t, s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.7.19/policy/modules/services/denyhosts.if ---- nsaserefpolicy/policy/modules/services/denyhosts.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/denyhosts.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/denyhosts.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/denyhosts.if 2010-05-28 09:42:00.097610580 +0200 @@ -0,0 +1,87 @@ +## Deny Hosts. +## 
@@ -17473,8 +17696,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny + admin_pattern($1, denyhosts_var_lock_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.7.19/policy/modules/services/denyhosts.te ---- nsaserefpolicy/policy/modules/services/denyhosts.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/denyhosts.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/denyhosts.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/denyhosts.te 2010-05-28 09:42:00.097610580 +0200 @@ -0,0 +1,76 @@ + +policy_module(denyhosts, 1.0.0) @@ -17553,8 +17776,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny + cron_system_entry(denyhosts_t, denyhosts_exec_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.7.19/policy/modules/services/devicekit.fc ---- nsaserefpolicy/policy/modules/services/devicekit.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/devicekit.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/devicekit.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/devicekit.fc 2010-05-28 09:42:00.098611422 +0200 @@ -1,8 +1,14 @@ /usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0) /usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) 
@@ -17572,8 +17795,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi +/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.7.19/policy/modules/services/devicekit.if ---- nsaserefpolicy/policy/modules/services/devicekit.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/devicekit.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/devicekit.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/devicekit.if 2010-05-28 09:42:00.099610866 +0200 @@ -139,6 +139,26 @@ ######################################## @@ -17611,8 +17834,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi allow $1 devicekit_t:process { ptrace signal_perms getattr }; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.19/policy/modules/services/devicekit.te ---- nsaserefpolicy/policy/modules/services/devicekit.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/devicekit.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/devicekit.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/devicekit.te 2010-05-28 09:42:00.100610800 +0200 @@ -42,6 +42,8 @@ files_read_etc_files(devicekit_t) 
@@ -17847,8 +18070,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi vbetool_domtrans(devicekit_power_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.7.19/policy/modules/services/dhcp.te ---- nsaserefpolicy/policy/modules/services/dhcp.te 2010-04-13 14:44:36.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/dhcp.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/dhcp.te 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/dhcp.te 2010-05-28 09:42:00.100610800 +0200 @@ -112,6 +112,10 @@ ') @@ -17861,8 +18084,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp dbus_connect_system_bus(dhcpd_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.7.19/policy/modules/services/djbdns.if ---- nsaserefpolicy/policy/modules/services/djbdns.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/djbdns.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/djbdns.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/djbdns.if 2010-05-28 09:42:00.101610733 +0200 @@ -26,6 +26,8 @@ daemontools_read_svc(djbdns_$1_t) 
@@ -17913,8 +18136,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbd + allow $1 djbdns_tinydn_t:key link; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.te serefpolicy-3.7.19/policy/modules/services/djbdns.te ---- nsaserefpolicy/policy/modules/services/djbdns.te 2010-04-13 14:44:36.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/djbdns.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/djbdns.te 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/djbdns.te 2010-05-28 09:42:00.101610733 +0200 @@ -42,3 +42,11 @@ files_search_var(djbdns_axfrdns_t) @@ -17928,8 +18151,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbd +init_dontaudit_use_script_fds(djbdns_tinydns_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.7.19/policy/modules/services/dnsmasq.fc ---- nsaserefpolicy/policy/modules/services/dnsmasq.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/dnsmasq.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/dnsmasq.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/dnsmasq.fc 2010-05-28 09:42:00.102610946 +0200 @@ -6,5 +6,7 @@ /var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0) /var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0) 
@@ -17939,8 +18162,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm /var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) /var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.7.19/policy/modules/services/dnsmasq.if ---- nsaserefpolicy/policy/modules/services/dnsmasq.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/dnsmasq.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/dnsmasq.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/dnsmasq.if 2010-05-28 09:42:00.102610946 +0200 @@ -111,7 +111,7 @@ type dnsmasq_etc_t; ') @@ -17960,8 +18183,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.7.19/policy/modules/services/dnsmasq.te ---- nsaserefpolicy/policy/modules/services/dnsmasq.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/dnsmasq.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/dnsmasq.te 2010-05-28 09:42:00.103610809 +0200 @@ -19,6 +19,9 @@ type dnsmasq_lease_t; files_type(dnsmasq_lease_t) 
@@ -18018,8 +18241,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.7.19/policy/modules/services/dovecot.fc ---- nsaserefpolicy/policy/modules/services/dovecot.fc 2010-04-13 14:44:36.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/dovecot.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/dovecot.fc 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/dovecot.fc 2010-05-28 09:42:00.104610534 +0200 @@ -3,6 +3,7 @@ # /etc # @@ -18048,8 +18271,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove /var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.19/policy/modules/services/dovecot.te ---- nsaserefpolicy/policy/modules/services/dovecot.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-05-28 09:42:00.105610536 +0200 @@ -9,6 +9,9 @@ type dovecot_exec_t; init_daemon_domain(dovecot_t, dovecot_exec_t) 
@@ -18202,8 +18425,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove fs_manage_cifs_symlinks(dovecot_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.fc serefpolicy-3.7.19/policy/modules/services/exim.fc ---- nsaserefpolicy/policy/modules/services/exim.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/exim.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/exim.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/exim.fc 2010-05-28 09:42:00.105610536 +0200 @@ -1,3 +1,6 @@ + +/etc/rc\.d/init\.d/exim -- gen_context(system_u:object_r:exim_initrc_exec_t,s0) @@ -18212,8 +18435,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim /var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0) /var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.7.19/policy/modules/services/exim.if ---- nsaserefpolicy/policy/modules/services/exim.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/exim.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/exim.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/exim.if 2010-05-28 09:42:00.106610959 +0200 @@ -20,6 +20,24 @@ ######################################## 
@@ -18287,8 +18510,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim + admin_pattern($1, exim_var_run_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.7.19/policy/modules/services/exim.te ---- nsaserefpolicy/policy/modules/services/exim.te 2010-04-13 14:44:36.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/exim.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/exim.te 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/exim.te 2010-05-28 09:42:00.107610683 +0200 @@ -36,6 +36,9 @@ application_executable_file(exim_exec_t) mta_agent_executable(exim_exec_t) @@ -18300,8 +18523,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim logging_log_file(exim_log_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.7.19/policy/modules/services/fail2ban.if ---- nsaserefpolicy/policy/modules/services/fail2ban.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/fail2ban.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/fail2ban.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/fail2ban.if 2010-05-28 09:42:00.108611036 +0200 @@ -138,6 +138,26 @@ ######################################## 
@@ -18330,8 +18553,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail ## an fail2ban environment ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.7.19/policy/modules/services/fprintd.te ---- nsaserefpolicy/policy/modules/services/fprintd.te 2010-04-13 14:44:36.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/fprintd.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/fprintd.te 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/fprintd.te 2010-05-28 09:42:00.108611036 +0200 @@ -55,4 +55,6 @@ policykit_read_lib(fprintd_t) policykit_dbus_chat(fprintd_t) @@ -18340,8 +18563,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fpri ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-3.7.19/policy/modules/services/ftp.fc ---- nsaserefpolicy/policy/modules/services/ftp.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/ftp.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/ftp.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ftp.fc 2010-05-28 09:42:00.109610829 +0200 @@ -22,7 +22,7 @@ # # /var 
@@ -18352,8 +18575,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. /var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.7.19/policy/modules/services/ftp.if ---- nsaserefpolicy/policy/modules/services/ftp.if 2010-04-13 14:44:36.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/ftp.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/ftp.if 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ftp.if 2010-05-28 09:42:00.110611252 +0200 @@ -115,6 +115,44 @@ role $2 types ftpdctl_t; ') @@ -18400,8 +18623,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. ## ## All of the rules required to administrate diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.7.19/policy/modules/services/ftp.te ---- nsaserefpolicy/policy/modules/services/ftp.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/ftp.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/ftp.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ftp.te 2010-05-28 09:42:00.111610835 +0200 @@ -41,11 +41,51 @@ ## 
@@ -18651,8 +18874,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. + fs_read_nfs_symlinks(ftpd_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.7.19/policy/modules/services/git.fc ---- nsaserefpolicy/policy/modules/services/git.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/git.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/git.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/git.fc 2010-05-28 09:42:00.112610839 +0200 @@ -1,3 +1,12 @@ +HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_session_content_t, s0) +HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:git_session_content_t, s0) @@ -18667,8 +18890,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. +/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) +/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.7.19/policy/modules/services/git.if ---- nsaserefpolicy/policy/modules/services/git.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/git.if 2010-05-26 16:43:06.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/git.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/git.if 2010-05-28 09:42:00.113610772 +0200 @@ -1 +1,525 @@ -## GIT revision control system +## Fast Version Control System. 
@@ -19197,8 +19420,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.7.19/policy/modules/services/git.te ---- nsaserefpolicy/policy/modules/services/git.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/git.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/git.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/git.te 2010-05-28 09:42:00.113610772 +0200 @@ -1,9 +1,193 @@ -policy_module(git, 1.0) @@ -19397,8 +19620,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. +gen_user(git_shell_u, user, git_shell_r, s0, s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.7.19/policy/modules/services/gnomeclock.if ---- nsaserefpolicy/policy/modules/services/gnomeclock.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/gnomeclock.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/gnomeclock.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/gnomeclock.if 2010-05-28 09:42:00.114610776 +0200 @@ -63,3 +63,24 @@ allow $1 gnomeclock_t:dbus send_msg; allow gnomeclock_t $1:dbus send_msg; 
@@ -19425,8 +19648,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom + dontaudit gnomeclock_t $1:dbus send_msg; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.7.19/policy/modules/services/gpsd.te ---- nsaserefpolicy/policy/modules/services/gpsd.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/gpsd.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/gpsd.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/gpsd.te 2010-05-28 09:42:00.114610776 +0200 @@ -57,9 +57,14 @@ miscfiles_read_localization(gpsd_t) @@ -19443,8 +19666,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.7.19/policy/modules/services/hal.if ---- nsaserefpolicy/policy/modules/services/hal.if 2010-04-13 14:44:36.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/hal.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/hal.if 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/hal.if 2010-05-28 09:42:00.115610849 +0200 @@ -367,7 +367,7 @@ ## # @@ -19482,8 +19705,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. ## ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.7.19/policy/modules/services/hal.te ---- nsaserefpolicy/policy/modules/services/hal.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/hal.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/hal.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/hal.te 2010-05-28 09:42:00.116610713 +0200 @@ -55,6 +55,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) 
@@ -19628,8 +19851,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. # # Local hald dccm policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.7.19/policy/modules/services/inn.te ---- nsaserefpolicy/policy/modules/services/inn.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/inn.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/inn.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/inn.te 2010-05-28 09:42:00.117610715 +0200 @@ -106,6 +106,7 @@ userdom_dontaudit_use_unpriv_user_fds(innd_t) @@ -19639,8 +19862,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn. mta_send_mail(innd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.19/policy/modules/services/kerberos.if ---- nsaserefpolicy/policy/modules/services/kerberos.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/kerberos.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/kerberos.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/kerberos.if 2010-05-28 09:42:00.117610715 +0200 @@ -74,7 +74,7 @@ ') 
@@ -19662,8 +19885,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb allow $1 self:tcp_socket create_socket_perms; allow $1 self:udp_socket create_socket_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.7.19/policy/modules/services/kerberos.te ---- nsaserefpolicy/policy/modules/services/kerberos.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/kerberos.te 2010-05-26 16:59:13.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/kerberos.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/kerberos.te 2010-05-28 09:42:00.118610789 +0200 @@ -112,6 +112,7 @@ kernel_read_kernel_sysctls(kadmind_t) @@ -19692,8 +19915,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb allow kpropd_t krb5_keytab_t:file read_file_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.7.19/policy/modules/services/ksmtuned.fc ---- nsaserefpolicy/policy/modules/services/ksmtuned.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/ksmtuned.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/ksmtuned.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ksmtuned.fc 2010-05-28 09:42:00.119610652 +0200 @@ -3,3 +3,5 @@ /usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0) 
@@ -19701,8 +19924,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt + +/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.7.19/policy/modules/services/ksmtuned.te ---- nsaserefpolicy/policy/modules/services/ksmtuned.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/ksmtuned.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/ksmtuned.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ksmtuned.te 2010-05-28 09:42:00.120610656 +0200 @@ -10,6 +10,9 @@ type ksmtuned_exec_t; init_daemon_domain(ksmtuned_t, ksmtuned_exec_t) @@ -19739,8 +19962,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt miscfiles_read_localization(ksmtuned_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.7.19/policy/modules/services/ldap.fc ---- nsaserefpolicy/policy/modules/services/ldap.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/ldap.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/ldap.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ldap.fc 2010-05-28 09:42:00.120610656 +0200 @@ -1,6 +1,8 @@ /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) 
@@ -19757,8 +19980,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) +#/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.7.19/policy/modules/services/ldap.if ---- nsaserefpolicy/policy/modules/services/ldap.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/ldap.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/ldap.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ldap.if 2010-05-28 09:42:00.121610589 +0200 @@ -1,5 +1,43 @@ ## OpenLDAP directory server @@ -19861,8 +20084,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.7.19/policy/modules/services/ldap.te ---- nsaserefpolicy/policy/modules/services/ldap.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/ldap.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/ldap.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ldap.te 2010-05-28 09:42:00.121610589 +0200 @@ -28,9 +28,15 @@ type slapd_replog_t; files_type(slapd_replog_t) 
@@ -19898,8 +20121,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap manage_sock_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) files_pid_filetrans(slapd_t, slapd_var_run_t, { file sock_file }) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.7.19/policy/modules/services/lircd.te ---- nsaserefpolicy/policy/modules/services/lircd.te 2010-04-13 14:44:36.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/lircd.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/lircd.te 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/lircd.te 2010-05-28 09:42:00.122610872 +0200 @@ -24,8 +24,11 @@ # lircd local policy # @@ -19950,8 +20173,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc +sysnet_dns_name_resolve(lircd_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.7.19/policy/modules/services/milter.if ---- nsaserefpolicy/policy/modules/services/milter.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/milter.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/milter.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/milter.if 2010-05-28 09:42:00.123612272 +0200 @@ -37,6 +37,8 @@ files_read_etc_files($1_milter_t) 
@@ -19987,8 +20210,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milt ## ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.te serefpolicy-3.7.19/policy/modules/services/milter.te ---- nsaserefpolicy/policy/modules/services/milter.te 2010-04-13 14:44:36.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/milter.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/milter.te 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/milter.te 2010-05-28 09:42:00.123612272 +0200 @@ -81,13 +81,11 @@ allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms; files_search_var_lib(spamass_milter_t) @@ -20007,8 +20230,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milt mta_send_mail(spamass_milter_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.7.19/policy/modules/services/modemmanager.te ---- nsaserefpolicy/policy/modules/services/modemmanager.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/modemmanager.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/modemmanager.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/modemmanager.te 2010-05-28 09:42:00.124610948 +0200 @@ -16,8 +16,8 @@ # # ModemManager local policy 
@@ -20039,8 +20262,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mode udev_read_db(modemmanager_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.7.19/policy/modules/services/mta.fc ---- nsaserefpolicy/policy/modules/services/mta.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/mta.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/mta.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/mta.fc 2010-05-28 09:42:00.125610532 +0200 @@ -13,6 +13,8 @@ /usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) @@ -20051,8 +20274,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. /usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.7.19/policy/modules/services/mta.if ---- nsaserefpolicy/policy/modules/services/mta.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/mta.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/mta.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/mta.if 2010-05-28 09:42:00.125610532 +0200 @@ -220,6 +220,25 @@ application_executable_file($1) ') 
@@ -20169,8 +20392,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.19/policy/modules/services/mta.te ---- nsaserefpolicy/policy/modules/services/mta.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/mta.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/mta.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/mta.te 2010-05-28 09:42:00.126610675 +0200 @@ -63,6 +63,9 @@ can_exec(system_mail_t, mta_exec_type) @@ -20264,8 +20487,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.7.19/policy/modules/services/munin.fc ---- nsaserefpolicy/policy/modules/services/munin.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/munin.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/munin.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/munin.fc 2010-05-28 09:42:00.127610888 +0200 @@ -6,6 +6,64 @@ /usr/share/munin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) /usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0) 
@@ -20332,8 +20555,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni +/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) +/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.7.19/policy/modules/services/munin.if ---- nsaserefpolicy/policy/modules/services/munin.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/munin.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/munin.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/munin.if 2010-05-28 09:42:00.128610403 +0200 @@ -43,6 +43,24 @@ files_search_etc($1) ') @@ -20415,8 +20638,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni ## ## All of the rules required to administrate diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.19/policy/modules/services/munin.te ---- nsaserefpolicy/policy/modules/services/munin.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/munin.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/munin.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/munin.te 2010-05-28 09:42:00.129610615 +0200 @@ -28,12 +28,26 @@ type munin_var_run_t alias lrrd_var_run_t; files_pid_file(munin_var_run_t) 
@@ -20632,8 +20855,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni +term_getattr_all_ptys(munin_system_plugin_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.19/policy/modules/services/mysql.te ---- nsaserefpolicy/policy/modules/services/mysql.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/mysql.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/mysql.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/mysql.te 2010-05-28 09:42:00.130610619 +0200 @@ -65,6 +65,7 @@ manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) @@ -20659,8 +20882,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq files_read_usr_files(mysqld_safe_t) files_dontaudit_getattr_all_dirs(mysqld_safe_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.7.19/policy/modules/services/nagios.fc ---- nsaserefpolicy/policy/modules/services/nagios.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/nagios.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/nagios.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/nagios.fc 2010-05-28 09:42:00.131610831 +0200 @@ -1,16 +1,89 @@ /etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) /etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) 
@@ -20757,8 +20980,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi +# unconfined plugins +/usr/lib(64)?/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.7.19/policy/modules/services/nagios.if ---- nsaserefpolicy/policy/modules/services/nagios.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/nagios.if 2010-05-26 15:34:59.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/nagios.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/nagios.if 2010-05-28 09:42:00.132610905 +0200 @@ -64,8 +64,8 @@ ######################################## @@ -20941,8 +21164,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi + admin_pattern($1, nrpe_etc_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.19/policy/modules/services/nagios.te ---- nsaserefpolicy/policy/modules/services/nagios.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/nagios.te 2010-05-26 15:34:48.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/nagios.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/nagios.te 2010-05-28 09:42:00.133610558 +0200 @@ -6,17 +6,23 @@ # Declarations # 
@@ -21352,8 +21575,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi + init_read_utmp(nagios_system_plugin_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.7.19/policy/modules/services/networkmanager.fc ---- nsaserefpolicy/policy/modules/services/networkmanager.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/networkmanager.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/networkmanager.fc 2010-05-28 09:42:00.133610558 +0200 @@ -1,12 +1,32 @@ +/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t, s0) +/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) @@ -21388,8 +21611,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw +/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.7.19/policy/modules/services/networkmanager.if ---- nsaserefpolicy/policy/modules/services/networkmanager.if 2010-04-13 14:44:36.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/networkmanager.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/networkmanager.if 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/networkmanager.if 2010-05-28 09:42:00.134610841 +0200 @@ -100,6 +100,27 @@ ######################################## 
@@ -21535,8 +21758,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw + append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.19/policy/modules/services/networkmanager.te ---- nsaserefpolicy/policy/modules/services/networkmanager.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/networkmanager.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/networkmanager.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/networkmanager.te 2010-05-28 09:42:00.135610774 +0200 @@ -19,6 +19,9 @@ type NetworkManager_tmp_t; files_tmp_file(NetworkManager_tmp_t) @@ -21791,8 +22014,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.7.19/policy/modules/services/nis.fc ---- nsaserefpolicy/policy/modules/services/nis.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/nis.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/nis.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/nis.fc 2010-05-28 09:42:00.136610568 +0200 @@ -1,4 +1,7 @@ - +/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0) 
@@ -21812,8 +22035,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. +/var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0) +/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.7.19/policy/modules/services/nis.if ---- nsaserefpolicy/policy/modules/services/nis.if 2010-04-13 14:44:36.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/nis.if 2010-05-27 09:44:04.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/nis.if 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/nis.if 2010-05-28 09:42:00.136610568 +0200 @@ -28,7 +28,7 @@ type var_yp_t; ') @@ -21949,8 +22172,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. admin_pattern($1, ypbind_tmp_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.7.19/policy/modules/services/nis.te ---- nsaserefpolicy/policy/modules/services/nis.te 2010-04-13 14:44:36.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/nis.te 2010-05-27 09:44:20.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/nis.te 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/nis.te 2010-05-28 09:42:00.137610990 +0200 @@ -1,11 +1,14 @@ -policy_module(nis, 1.9.0) 
@@ -22036,8 +22259,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. corenet_udp_bind_all_rpc_ports(ypxfr_t) corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.7.19/policy/modules/services/nscd.if ---- nsaserefpolicy/policy/modules/services/nscd.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/nscd.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/nscd.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/nscd.if 2010-05-28 09:42:00.138610784 +0200 @@ -121,6 +121,24 @@ ######################################## @@ -22073,8 +22296,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.7.19/policy/modules/services/nscd.te ---- nsaserefpolicy/policy/modules/services/nscd.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/nscd.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/nscd.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/nscd.te 2010-06-01 17:15:11.443159955 +0200 @@ -1,10 +1,17 @@ -policy_module(nscd, 1.10.0) @@ -22094,6 +22317,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd ######################################## # # Declarations +@@ -31,7 +38,7 @@ + # Local policy + # + +-allow nscd_t self:capability { kill setgid setuid }; ++allow nscd_t self:capability { kill setgid setuid sys_ptrace }; + dontaudit nscd_t self:capability sys_tty_config; + allow nscd_t self:process { getattr getcap setcap setsched signal_perms }; + allow nscd_t self:fifo_file read_fifo_file_perms; 
@@ -91,6 +98,7 @@ selinux_compute_relabel_context(nscd_t) selinux_compute_user_contexts(nscd_t) @@ -22131,8 +22363,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd + unconfined_dontaudit_rw_packet_sockets(nscd_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.te serefpolicy-3.7.19/policy/modules/services/nslcd.te ---- nsaserefpolicy/policy/modules/services/nslcd.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/nslcd.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/nslcd.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/nslcd.te 2010-05-28 09:42:00.139610787 +0200 @@ -35,6 +35,8 @@ manage_sock_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t) files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir }) @@ -22143,8 +22375,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslc auth_use_nsswitch(nslcd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.te serefpolicy-3.7.19/policy/modules/services/ntop.te ---- nsaserefpolicy/policy/modules/services/ntop.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/ntop.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/ntop.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ntop.te 2010-05-28 09:42:00.140610931 +0200 @@ -11,12 +11,12 @@ init_daemon_domain(ntop_t, ntop_exec_t) application_domain(ntop_t, ntop_exec_t) 
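Review bot: The `sys_ptrace` added in `allow nscd_t self:capability { kill setgid setuid sys_ptrace };` (inner hunk `@@ -31,7 +38,7 @@` of nscd.te) has no comment naming the nscd operation that needs it, and the commit message gives no rationale either. CAP_SYS_PTRACE is a broad capability for a name-service cache daemon, and denials for it are often a side effect of a process reading `/proc/<pid>` entries rather than a real need to trace. If nscd works without it, the rule directly below shows the pattern to follow: `dontaudit nscd_t self:capability sys_ptrace;`. If it is required, add a one-line comment above the allow rule recording the code path and the AVC denial that motivated it. The local policy block continues outside this hunk, so whether a matching `process ptrace` rule exists cannot be checked from here.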
@@ -22235,8 +22467,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.7.19/policy/modules/services/ntp.te ---- nsaserefpolicy/policy/modules/services/ntp.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/ntp.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/ntp.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ntp.te 2010-05-28 09:42:00.141610585 +0200 @@ -97,9 +97,12 @@ dev_read_sysfs(ntpd_t) # for SSP @@ -22251,8 +22483,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. term_use_ptmx(ntpd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.7.19/policy/modules/services/nut.te ---- nsaserefpolicy/policy/modules/services/nut.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/nut.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/nut.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/nut.te 2010-05-28 09:42:00.142610728 +0200 @@ -104,6 +104,10 @@ mta_send_mail(nut_upsmon_t) @@ -22265,8 +22497,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut. # # Local policy for upsdrvctl diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.7.19/policy/modules/services/nx.fc ---- nsaserefpolicy/policy/modules/services/nx.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/nx.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/nx.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/nx.fc 2010-05-28 09:42:00.142610728 +0200 
@@ -1,7 +1,15 @@ /opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) @@ -22286,8 +22518,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.f + /usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.7.19/policy/modules/services/nx.if ---- nsaserefpolicy/policy/modules/services/nx.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/nx.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/nx.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/nx.if 2010-05-28 09:42:00.143610940 +0200 @@ -17,3 +17,70 @@ spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t) @@ -22360,8 +22592,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.i + filetrans_pattern($1, nx_server_var_lib_t, $2, $3) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.7.19/policy/modules/services/nx.te ---- nsaserefpolicy/policy/modules/services/nx.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/nx.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/nx.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/nx.te 2010-05-28 09:42:00.144610804 +0200 @@ -25,6 +25,12 @@ type nx_server_var_run_t; files_pid_file(nx_server_var_run_t) 
@@ -22397,8 +22629,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.t kernel_read_kernel_sysctls(nx_server_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.7.19/policy/modules/services/oddjob.fc ---- nsaserefpolicy/policy/modules/services/oddjob.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/oddjob.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/oddjob.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/oddjob.fc 2010-05-28 09:42:00.144610804 +0200 @@ -1,4 +1,5 @@ /usr/lib(64)?/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) +/usr/libexec/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) @@ -22406,8 +22638,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj /usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.7.19/policy/modules/services/oddjob.if ---- nsaserefpolicy/policy/modules/services/oddjob.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/oddjob.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/oddjob.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/oddjob.if 2010-05-28 09:42:00.145610598 +0200 @@ -44,6 +44,7 @@ ') 
@@ -22417,8 +22649,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.7.19/policy/modules/services/oddjob.te ---- nsaserefpolicy/policy/modules/services/oddjob.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/oddjob.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/oddjob.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/oddjob.te 2010-05-28 09:42:00.145610598 +0200 @@ -100,8 +100,7 @@ # Add/remove user home directories @@ -22431,8 +22663,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj +userdom_manage_user_home_content(oddjob_mkhomedir_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oident.te serefpolicy-3.7.19/policy/modules/services/oident.te ---- nsaserefpolicy/policy/modules/services/oident.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/oident.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/oident.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/oident.te 2010-05-28 09:42:00.146610252 +0200 @@ -49,6 +49,7 @@ kernel_read_network_state(oidentd_t) kernel_read_network_state_symlinks(oidentd_t) 
@@ -22442,8 +22674,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oide logging_send_syslog_msg(oidentd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.7.19/policy/modules/services/openvpn.te ---- nsaserefpolicy/policy/modules/services/openvpn.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/openvpn.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/openvpn.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/openvpn.te 2010-05-28 09:42:00.147610884 +0200 @@ -25,6 +25,9 @@ type openvpn_etc_rw_t; files_config_file(openvpn_etc_rw_t) @@ -22473,8 +22705,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open tunable_policy(`openvpn_enable_homedirs',` userdom_read_user_home_content_files(openvpn_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.7.19/policy/modules/services/pegasus.te ---- nsaserefpolicy/policy/modules/services/pegasus.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/pegasus.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/pegasus.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/pegasus.te 2010-05-28 09:42:00.147610884 +0200 @@ -30,7 +30,7 @@ # Local policy # 
@@ -22547,8 +22779,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega + xen_stream_connect_xenstore(pegasus_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.fc serefpolicy-3.7.19/policy/modules/services/piranha.fc ---- nsaserefpolicy/policy/modules/services/piranha.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/piranha.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/piranha.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/piranha.fc 2010-05-28 09:42:00.148610747 +0200 @@ -0,0 +1,21 @@ + +/etc/rc\.d/init\.d/pulse -- gen_context(system_u:object_r:piranha_pulse_initrc_exec_t,s0) @@ -22572,8 +22804,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.if serefpolicy-3.7.19/policy/modules/services/piranha.if ---- nsaserefpolicy/policy/modules/services/piranha.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/piranha.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/piranha.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/piranha.if 2010-05-28 09:42:00.149610331 +0200 @@ -0,0 +1,175 @@ + +## policy for piranha 
@@ -22751,8 +22983,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira + manage_lnk_files_pattern($1, piranha_log_t, piranha_log_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.te serefpolicy-3.7.19/policy/modules/services/piranha.te ---- nsaserefpolicy/policy/modules/services/piranha.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/piranha.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/piranha.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/piranha.te 2010-05-28 09:42:00.149610331 +0200 @@ -0,0 +1,187 @@ + +policy_module(piranha,1.0.0) @@ -22942,8 +23174,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira + +sysnet_read_config(piranha_domain) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.fc serefpolicy-3.7.19/policy/modules/services/plymouthd.fc ---- nsaserefpolicy/policy/modules/services/plymouthd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/plymouthd.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/plymouthd.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/plymouthd.fc 2010-05-28 09:42:00.150610614 +0200 @@ -0,0 +1,9 @@ +/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t, s0) + 
@@ -22955,8 +23187,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym + +/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t, s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.if serefpolicy-3.7.19/policy/modules/services/plymouthd.if ---- nsaserefpolicy/policy/modules/services/plymouthd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/plymouthd.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/plymouthd.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/plymouthd.if 2010-05-28 09:42:00.150610614 +0200 @@ -0,0 +1,322 @@ +## policy for plymouthd + @@ -23281,8 +23513,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym + allow $1 plymouthd_t:unix_stream_socket connectto; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.te serefpolicy-3.7.19/policy/modules/services/plymouthd.te ---- nsaserefpolicy/policy/modules/services/plymouthd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/plymouthd.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/plymouthd.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/plymouthd.te 2010-05-28 09:42:00.151610478 +0200 @@ -0,0 +1,109 @@ +policy_module(plymouthd, 1.0.0) + 
@@ -23394,8 +23626,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym +') +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.7.19/policy/modules/services/policykit.fc ---- nsaserefpolicy/policy/modules/services/policykit.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/policykit.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/policykit.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/policykit.fc 2010-05-28 09:42:00.152610621 +0200 @@ -6,10 +6,13 @@ /usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) /usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) @@ -23412,8 +23644,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli /var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.7.19/policy/modules/services/policykit.if ---- nsaserefpolicy/policy/modules/services/policykit.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/policykit.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/policykit.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/policykit.if 2010-05-28 09:42:00.152610621 +0200 @@ -17,12 +17,37 @@ class dbus send_msg; ') 
@@ -23511,8 +23743,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli + allow $1 policykit_auth_t:process signal; ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.19/policy/modules/services/policykit.te ---- nsaserefpolicy/policy/modules/services/policykit.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/policykit.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/policykit.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/policykit.te 2010-05-28 09:42:00.153610624 +0200 @@ -25,6 +25,9 @@ type policykit_reload_t alias polkit_reload_t; files_type(policykit_reload_t) @@ -23696,8 +23928,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.fc serefpolicy-3.7.19/policy/modules/services/portreserve.fc ---- nsaserefpolicy/policy/modules/services/portreserve.fc 2010-04-13 14:44:36.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/portreserve.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/portreserve.fc 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/portreserve.fc 2010-05-28 09:42:00.154610557 +0200 @@ -1,3 +1,6 @@ + +/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0) 
@@ -23706,8 +23938,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port /sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.if serefpolicy-3.7.19/policy/modules/services/portreserve.if ---- nsaserefpolicy/policy/modules/services/portreserve.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/portreserve.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/portreserve.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/portreserve.if 2010-05-28 09:42:00.154610557 +0200 @@ -18,6 +18,24 @@ domtrans_pattern($1, portreserve_exec_t, portreserve_t) ') @@ -23775,8 +24007,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port + admin_pattern($1, portreserve_var_run_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.7.19/policy/modules/services/portreserve.te ---- nsaserefpolicy/policy/modules/services/portreserve.te 2010-04-13 14:44:36.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/portreserve.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/portreserve.te 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/portreserve.te 2010-05-28 09:42:00.155610840 +0200 @@ -10,6 +10,9 @@ type portreserve_exec_t; init_daemon_domain(portreserve_t, portreserve_exec_t) 
@@ -23788,8 +24020,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port files_type(portreserve_etc_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.7.19/policy/modules/services/postfix.fc ---- nsaserefpolicy/policy/modules/services/postfix.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/postfix.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/postfix.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/postfix.fc 2010-05-28 09:42:00.155610840 +0200 @@ -1,4 +1,5 @@ # postfix +/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0) @@ -23810,8 +24042,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.19/policy/modules/services/postfix.if ---- nsaserefpolicy/policy/modules/services/postfix.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/postfix.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/postfix.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/postfix.if 2010-05-28 09:42:00.157610567 +0200 @@ -46,6 +46,7 @@ allow postfix_$1_t postfix_etc_t:dir list_dir_perms; 
@@ -24205,8 +24437,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + admin_pattern($1, postfix_public_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.19/policy/modules/services/postfix.te ---- nsaserefpolicy/policy/modules/services/postfix.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/postfix.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/postfix.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/postfix.te 2010-05-28 09:42:00.158610990 +0200 @@ -6,6 +6,15 @@ # Declarations # @@ -24623,8 +24855,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +userdom_home_filetrans_user_home_dir(postfix_virtual_t) +userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir }) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.7.19/policy/modules/services/ppp.te ---- nsaserefpolicy/policy/modules/services/ppp.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/ppp.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/ppp.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ppp.te 2010-05-28 09:42:00.159610853 +0200 @@ -71,7 +71,7 @@ # PPPD Local policy # 
@@ -24644,8 +24876,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.fc serefpolicy-3.7.19/policy/modules/services/procmail.fc ---- nsaserefpolicy/policy/modules/services/procmail.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/procmail.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/procmail.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/procmail.fc 2010-05-28 09:42:00.159610853 +0200 @@ -1,3 +1,5 @@ +HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0) +/root/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0) @@ -24653,8 +24885,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc /usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.7.19/policy/modules/services/procmail.te ---- nsaserefpolicy/policy/modules/services/procmail.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/procmail.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/procmail.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/procmail.te 2010-05-28 09:42:00.161610790 +0200 @@ -11,6 +11,9 @@ application_domain(procmail_t, procmail_exec_t) role system_r types procmail_t; 
@@ -24735,8 +24967,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/puppet.te serefpolicy-3.7.19/policy/modules/services/puppet.te ---- nsaserefpolicy/policy/modules/services/puppet.te 2010-04-13 14:44:36.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/puppet.te 2010-05-27 10:25:16.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/puppet.te 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/puppet.te 2010-05-28 09:42:00.161610790 +0200 @@ -222,6 +222,8 @@ sysnet_dns_name_resolve(puppetmaster_t) sysnet_run_ifconfig(puppetmaster_t, system_r) @@ -24747,8 +24979,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp hostname_exec(puppetmaster_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.7.19/policy/modules/services/pyzor.fc ---- nsaserefpolicy/policy/modules/services/pyzor.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/pyzor.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/pyzor.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/pyzor.fc 2010-05-28 09:42:00.162610723 +0200 @@ -1,6 +1,10 @@ /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) +/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0) 
@@ -24761,8 +24993,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.7.19/policy/modules/services/pyzor.if ---- nsaserefpolicy/policy/modules/services/pyzor.if 2010-04-13 14:44:36.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/pyzor.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/pyzor.if 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/pyzor.if 2010-05-28 09:42:00.162610723 +0200 @@ -88,3 +88,50 @@ corecmd_search_bin($1) can_exec($1, pyzor_exec_t) @@ -24815,8 +25047,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.7.19/policy/modules/services/pyzor.te ---- nsaserefpolicy/policy/modules/services/pyzor.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/pyzor.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/pyzor.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/pyzor.te 2010-05-28 09:42:00.163610797 +0200 @@ -6,6 +6,38 @@ # Declarations # 
@@ -24882,8 +25114,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.fc serefpolicy-3.7.19/policy/modules/services/qpidd.fc ---- nsaserefpolicy/policy/modules/services/qpidd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/qpidd.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/qpidd.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/qpidd.fc 2010-05-28 09:42:00.163610797 +0200 @@ -0,0 +1,9 @@ + +/usr/sbin/qpidd -- gen_context(system_u:object_r:qpidd_exec_t,s0) @@ -24895,8 +25127,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid +/var/run/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_run_t,s0) +/var/run/qpidd\.pid gen_context(system_u:object_r:qpidd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.if serefpolicy-3.7.19/policy/modules/services/qpidd.if ---- nsaserefpolicy/policy/modules/services/qpidd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/qpidd.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/qpidd.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/qpidd.if 2010-05-28 09:42:00.164610730 +0200 @@ -0,0 +1,236 @@ + +## policy for qpidd 
@@ -25135,8 +25367,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid + allow $1 qpidd_t:shm rw_shm_perms; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.te serefpolicy-3.7.19/policy/modules/services/qpidd.te ---- nsaserefpolicy/policy/modules/services/qpidd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/qpidd.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/qpidd.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/qpidd.te 2010-05-28 09:42:00.165610873 +0200 @@ -0,0 +1,61 @@ +policy_module(qpidd,1.0.0) + 
@@ -25199,17 +25431,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid +miscfiles_read_localization(qpidd_t) + +sysnet_dns_name_resolve(qpidd_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.7.19/policy/modules/services/radius.te +--- nsaserefpolicy/policy/modules/services/radius.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/radius.te 2010-06-01 17:29:47.678168541 +0200 +@@ -37,7 +37,7 @@ + # gzip also needs chown access to preserve GID for radwtmp files + allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config }; + dontaudit radiusd_t self:capability sys_tty_config; +-allow radiusd_t self:process { getsched setsched sigkill signal }; ++allow radiusd_t self:process { getsched setsched setrlimit sigkill signal }; + allow radiusd_t self:fifo_file rw_fifo_file_perms; + allow radiusd_t self:unix_stream_socket create_stream_socket_perms; + allow radiusd_t self:tcp_socket create_stream_socket_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.7.19/policy/modules/services/razor.fc ---- nsaserefpolicy/policy/modules/services/razor.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/razor.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/razor.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/razor.fc 2010-05-28 09:42:00.165610873 +0200 
@@ -1,3 +1,4 @@ +/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) /etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.7.19/policy/modules/services/razor.if ---- nsaserefpolicy/policy/modules/services/razor.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/razor.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/razor.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/razor.if 2010-05-28 09:42:00.166610736 +0200 @@ -157,3 +157,45 @@ domtrans_pattern($1, razor_exec_t, razor_t) @@ -25257,8 +25501,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.7.19/policy/modules/services/razor.te ---- nsaserefpolicy/policy/modules/services/razor.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/razor.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/razor.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/razor.te 2010-05-28 09:42:00.166610736 +0200 @@ -6,6 +6,32 @@ # Declarations # 
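Review bot: The `setrlimit` permission added to the `allow radiusd_t self:process` rule in radius.te has no why-comment, while the capability rule two lines above it has one and already includes `sys_resource`. With both granted, the domain can presumably raise its hard limits rather than only adjust soft ones. I would add a line above the rule such as `# radiusd changes its own rlimits; added for <AVC denial / bug reference>` so a later audit can tell whether the permission is still needed. It is also worth confirming from the denial that `sys_resource` is still required alongside it. The rest of radius.te lies outside this hunk.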
@@ -25311,8 +25555,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.7.19/policy/modules/services/rgmanager.fc ---- nsaserefpolicy/policy/modules/services/rgmanager.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/rgmanager.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/rgmanager.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/rgmanager.fc 2010-05-28 09:42:00.167610740 +0200 @@ -0,0 +1,10 @@ + +/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0) @@ -25325,8 +25569,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma + +/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.7.19/policy/modules/services/rgmanager.if ---- nsaserefpolicy/policy/modules/services/rgmanager.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/rgmanager.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/rgmanager.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/rgmanager.if 2010-05-28 09:42:00.168610743 +0200 @@ -0,0 +1,141 @@ +## SELinux policy for rgmanager + 
@@ -25470,8 +25714,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma + admin_pattern($1, rgmanager_var_run_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.19/policy/modules/services/rgmanager.te ---- nsaserefpolicy/policy/modules/services/rgmanager.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/rgmanager.te 2010-05-27 15:27:41.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/rgmanager.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/rgmanager.te 2010-05-28 09:42:00.169610746 +0200 @@ -0,0 +1,223 @@ + +policy_module(rgmanager, 1.0.0) @@ -25697,8 +25941,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma + xen_domtrans_xm(rgmanager_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.7.19/policy/modules/services/rhcs.fc ---- nsaserefpolicy/policy/modules/services/rhcs.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/rhcs.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/rhcs.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/rhcs.fc 2010-05-28 09:42:00.169610746 +0200 @@ -0,0 +1,23 @@ +/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) +/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0) 
@@ -25724,8 +25968,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.7.19/policy/modules/services/rhcs.if ---- nsaserefpolicy/policy/modules/services/rhcs.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/rhcs.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/rhcs.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/rhcs.if 2010-05-28 09:42:00.170610889 +0200 @@ -0,0 +1,424 @@ +## SELinux policy for RHCS - Red Hat Cluster Suite + @@ -26152,9 +26396,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs + + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.19/policy/modules/services/rhcs.te ---- nsaserefpolicy/policy/modules/services/rhcs.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/rhcs.te 2010-05-26 15:34:37.000000000 -0400 -@@ -0,0 +1,240 @@ +--- nsaserefpolicy/policy/modules/services/rhcs.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/rhcs.te 2010-05-28 12:24:14.508611285 +0200 +@@ -0,0 +1,242 @@ + +policy_module(rhcs,1.1.0) + @@ -26249,6 +26493,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +dev_read_sysfs(fenced_t) +dev_read_urand(fenced_t) + ++files_read_usr_files(fenced_t) ++ +storage_raw_read_fixed_disk(fenced_t) +storage_raw_write_fixed_disk(fenced_t) +storage_raw_read_removable_device(fenced_t) 
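Review bot: `files_read_usr_files(fenced_t)` is added to rhcs.te without a comment, and the commit message does not list a fenced change, so nothing records what fenced needs to read under /usr. The lines right after it give the same domain raw read and write access to fixed disks, so each further grant deserves a stated reason. I would add `# fenced reads <files under /usr>; added for <AVC denial / bug reference>` above the call. The fenced_t rules begin and continue outside this hunk.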
@@ -26396,8 +26642,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs + corosync_stream_connect(cluster_domain) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.fc serefpolicy-3.7.19/policy/modules/services/ricci.fc ---- nsaserefpolicy/policy/modules/services/ricci.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/ricci.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/ricci.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ricci.fc 2010-05-28 09:42:00.171610753 +0200 @@ -1,3 +1,6 @@ + +/etc/rc\.d/init\.d/ricci -- gen_context(system_u:object_r:ricci_initrc_exec_t,s0) @@ -26406,8 +26652,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc /usr/libexec/ricci-modlog -- gen_context(system_u:object_r:ricci_modlog_exec_t,s0) /usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-3.7.19/policy/modules/services/ricci.if ---- nsaserefpolicy/policy/modules/services/ricci.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/ricci.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/ricci.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ricci.if 2010-05-28 09:42:00.172610686 +0200 @@ -18,6 +18,24 @@ domtrans_pattern($1, ricci_exec_t, ricci_t) ') 
@@ -26482,8 +26728,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc + admin_pattern($1, ricci_var_run_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.7.19/policy/modules/services/ricci.te ---- nsaserefpolicy/policy/modules/services/ricci.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/ricci.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/ricci.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ricci.te 2010-05-28 09:42:00.173610620 +0200 @@ -11,6 +11,9 @@ domain_type(ricci_t) init_daemon_domain(ricci_t, ricci_exec_t) @@ -26604,8 +26850,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc ccs_read_config(ricci_modstorage_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.fc serefpolicy-3.7.19/policy/modules/services/rlogin.fc ---- nsaserefpolicy/policy/modules/services/rlogin.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/rlogin.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/rlogin.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/rlogin.fc 2010-05-28 09:42:00.174610693 +0200 @@ -1,4 +1,7 @@ HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0) +HOME_DIR/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0) 
@@ -26615,8 +26861,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog /usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.7.19/policy/modules/services/rlogin.te ---- nsaserefpolicy/policy/modules/services/rlogin.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/rlogin.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/rlogin.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/rlogin.te 2010-05-28 09:42:00.174610693 +0200 @@ -89,6 +89,7 @@ userdom_setattr_user_ptys(rlogind_t) # cjp: this is egregious @@ -26626,8 +26872,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog remotelogin_domtrans(rlogind_t) remotelogin_signal(rlogind_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.7.19/policy/modules/services/rpc.if ---- nsaserefpolicy/policy/modules/services/rpc.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/rpc.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/rpc.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/rpc.if 2010-05-28 09:42:00.175610487 +0200 @@ -246,6 +246,26 @@ allow rpcd_t $1:process signal; ') 
@@ -26662,8 +26908,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. + allow $1 var_lib_nfs_t:file { relabelfrom relabelto }; ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.7.19/policy/modules/services/rpc.te ---- nsaserefpolicy/policy/modules/services/rpc.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/rpc.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/rpc.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/rpc.te 2010-05-28 09:42:00.175610487 +0200 @@ -80,6 +80,7 @@ corecmd_exec_bin(rpcd_t) @@ -26717,8 +26963,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.if serefpolicy-3.7.19/policy/modules/services/rsync.if ---- nsaserefpolicy/policy/modules/services/rsync.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/rsync.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/rsync.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/rsync.if 2010-05-28 09:42:00.176610979 +0200 @@ -119,7 +119,7 @@ type rsync_etc_t; ') @@ -26737,8 +26983,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn files_search_etc($1) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.7.19/policy/modules/services/rsync.te ---- nsaserefpolicy/policy/modules/services/rsync.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/rsync.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/rsync.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/rsync.te 2010-05-28 09:42:00.177610912 +0200 
@@ -8,6 +8,13 @@ ## @@ -26799,8 +27045,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn + auth_can_read_shadow_passwords(rsync_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.7.19/policy/modules/services/rtkit.if ---- nsaserefpolicy/policy/modules/services/rtkit.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/rtkit.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/rtkit.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/rtkit.if 2010-05-28 09:42:00.177610912 +0200 @@ -41,6 +41,27 @@ ######################################## @@ -26830,8 +27076,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtki ## ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.7.19/policy/modules/services/samba.fc ---- nsaserefpolicy/policy/modules/services/samba.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/samba.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/samba.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/samba.fc 2010-05-28 09:42:00.178610776 +0200 @@ -51,3 +51,7 @@ /var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) 
@@ -26841,8 +27087,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.7.19/policy/modules/services/samba.if ---- nsaserefpolicy/policy/modules/services/samba.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/samba.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/samba.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/samba.if 2010-05-28 09:42:00.179610779 +0200 @@ -62,6 +62,25 @@ ######################################## @@ -27057,8 +27303,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb + admin_pattern($1, samba_unconfined_script_exec_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.19/policy/modules/services/samba.te ---- nsaserefpolicy/policy/modules/services/samba.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/samba.te 2010-05-27 15:52:50.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/samba.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/samba.te 2010-05-28 09:42:00.181610786 +0200 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) 
@@ -27391,8 +27637,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb + can_exec(smbd_t, samba_unconfined_script_exec_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.7.19/policy/modules/services/sasl.te ---- nsaserefpolicy/policy/modules/services/sasl.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/sasl.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/sasl.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/sasl.te 2010-05-28 09:42:00.182610859 +0200 @@ -50,6 +50,9 @@ kernel_read_kernel_sysctls(saslauthd_t) kernel_read_system_state(saslauthd_t) @@ -27404,8 +27650,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl corenet_all_recvfrom_netlabel(saslauthd_t) corenet_tcp_sendrecv_generic_if(saslauthd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.fc serefpolicy-3.7.19/policy/modules/services/sendmail.fc ---- nsaserefpolicy/policy/modules/services/sendmail.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/sendmail.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/sendmail.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/sendmail.fc 2010-05-28 09:42:00.182610859 +0200 @@ -1,4 +1,6 @@ +/etc/rc\.d/init\.d/sendmail -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0) 
@@ -27414,8 +27660,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send /var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.19/policy/modules/services/sendmail.if ---- nsaserefpolicy/policy/modules/services/sendmail.if 2010-04-13 14:44:36.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/sendmail.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/sendmail.if 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/sendmail.if 2010-05-28 09:42:00.183610792 +0200 @@ -57,6 +57,24 @@ allow sendmail_t $1:process sigchld; ') @@ -27512,8 +27758,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send + admin_pattern($1, mail_spool_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.19/policy/modules/services/sendmail.te ---- nsaserefpolicy/policy/modules/services/sendmail.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/sendmail.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/sendmail.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/sendmail.te 2010-05-28 09:42:00.184610725 +0200 @@ -20,6 +20,9 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) 
@@ -27603,8 +27849,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.7.19/policy/modules/services/setroubleshoot.fc ---- nsaserefpolicy/policy/modules/services/setroubleshoot.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/setroubleshoot.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/setroubleshoot.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/setroubleshoot.fc 2010-05-28 09:42:00.184610725 +0200 @@ -5,3 +5,5 @@ /var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0) @@ -27612,8 +27858,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr + +/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.7.19/policy/modules/services/setroubleshoot.if ---- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/setroubleshoot.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/setroubleshoot.if 2010-05-28 09:42:00.185610799 +0200 @@ -16,8 +16,8 @@ ') 
@@ -27752,8 +27998,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr + admin_pattern($1, setroubleshoot_var_run_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.7.19/policy/modules/services/setroubleshoot.te ---- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2010-04-13 14:44:36.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/setroubleshoot.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/setroubleshoot.te 2010-05-28 09:42:00.186610872 +0200 @@ -22,13 +22,19 @@ type setroubleshoot_var_run_t; files_pid_file(setroubleshoot_var_run_t) @@ -27902,8 +28148,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr + userdom_read_all_users_state(setroubleshoot_fixit_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.7.19/policy/modules/services/smartmon.te ---- nsaserefpolicy/policy/modules/services/smartmon.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/smartmon.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/smartmon.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/smartmon.te 2010-05-28 09:42:00.186610872 +0200 @@ -83,6 +83,8 @@ storage_raw_read_fixed_disk(fsdaemon_t) storage_raw_write_fixed_disk(fsdaemon_t) 
@@ -27914,8 +28160,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smar term_dontaudit_search_ptys(fsdaemon_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.te serefpolicy-3.7.19/policy/modules/services/smokeping.te ---- nsaserefpolicy/policy/modules/services/smokeping.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/smokeping.te 2010-05-26 16:07:38.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/smokeping.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/smokeping.te 2010-05-28 09:42:00.187610526 +0200 @@ -24,6 +24,7 @@ # smokeping local policy # @@ -27933,8 +28179,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smok logging_send_syslog_msg(smokeping_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.7.19/policy/modules/services/snmp.te ---- nsaserefpolicy/policy/modules/services/snmp.te 2010-04-13 14:44:36.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/snmp.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/snmp.te 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/snmp.te 2010-05-28 09:42:00.187610526 +0200 @@ -25,7 +25,7 @@ # # Local policy 
@@ -27953,8 +28199,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp auth_use_nsswitch(snmpd_t) auth_read_all_dirs_except_shadow(snmpd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.7.19/policy/modules/services/snort.te ---- nsaserefpolicy/policy/modules/services/snort.te 2010-04-13 14:44:36.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/snort.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/snort.te 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/snort.te 2010-05-28 09:42:00.188610878 +0200 @@ -62,6 +62,7 @@ kernel_read_proc_symlinks(snort_t) kernel_request_load_module(snort_t) @@ -27974,8 +28220,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snor domain_use_interactive_fds(snort_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.7.19/policy/modules/services/spamassassin.fc ---- nsaserefpolicy/policy/modules/services/spamassassin.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/spamassassin.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/spamassassin.fc 2010-05-28 09:42:00.189610812 +0200 @@ -1,15 +1,26 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) 
@@ -28006,8 +28252,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) +/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.7.19/policy/modules/services/spamassassin.if ---- nsaserefpolicy/policy/modules/services/spamassassin.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/spamassassin.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/spamassassin.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/spamassassin.if 2010-05-28 09:42:00.189610812 +0200 @@ -111,6 +111,45 @@ ') @@ -28135,8 +28381,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam + admin_pattern($1, spamd_var_run_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.7.19/policy/modules/services/spamassassin.te ---- nsaserefpolicy/policy/modules/services/spamassassin.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/spamassassin.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/spamassassin.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/spamassassin.te 2010-05-28 09:42:00.190610815 +0200 @@ -20,6 +20,35 @@ ## gen_tunable(spamd_enable_home_dirs, true) 
@@ -28443,8 +28689,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam udev_read_db(spamd_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.7.19/policy/modules/services/squid.te ---- nsaserefpolicy/policy/modules/services/squid.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/squid.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/squid.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/squid.te 2010-05-28 09:42:00.191611098 +0200 @@ -14,6 +14,13 @@ ## gen_tunable(squid_connect_any, false) @@ -28500,8 +28746,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi -allow squid_t tmpfs_t:file { read write }; -') dnl end TODO diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.7.19/policy/modules/services/ssh.fc ---- nsaserefpolicy/policy/modules/services/ssh.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/ssh.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/ssh.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ssh.fc 2010-05-28 09:42:00.192610961 +0200 @@ -1,4 +1,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) 
@@ -28518,8 +28764,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. +/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0) +/root/\.shosts gen_context(system_u:object_r:home_ssh_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.19/policy/modules/services/ssh.if ---- nsaserefpolicy/policy/modules/services/ssh.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/ssh.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/ssh.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ssh.if 2010-05-28 09:42:00.193610685 +0200 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -28792,8 +29038,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. + admin_pattern($1, sshd_var_run_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.19/policy/modules/services/ssh.te ---- nsaserefpolicy/policy/modules/services/ssh.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/ssh.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2010-05-28 09:42:00.194610898 +0200 @@ -34,6 +34,9 @@ ssh_server_template(sshd) init_daemon_domain(sshd_t, sshd_exec_t) 
@@ -28937,8 +29183,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.19/policy/modules/services/sssd.te ---- nsaserefpolicy/policy/modules/services/sssd.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/sssd.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/sssd.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/sssd.te 2010-05-28 09:42:00.195610901 +0200 @@ -32,6 +32,7 @@ allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid }; allow sssd_t self:process { setfscreate setsched sigkill signal getsched }; @@ -28957,8 +29203,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd dbus_system_bus_client(sssd_t) dbus_connect_system_bus(sssd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.te serefpolicy-3.7.19/policy/modules/services/tgtd.te ---- nsaserefpolicy/policy/modules/services/tgtd.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/tgtd.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/tgtd.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/tgtd.te 2010-05-28 09:42:00.195610901 +0200 @@ -38,7 +38,7 @@ allow tgtd_t self:unix_dgram_socket create_socket_perms; 
@@ -28982,8 +29228,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd + +iscsi_manage_semaphores(tgtd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.7.19/policy/modules/services/tor.te ---- nsaserefpolicy/policy/modules/services/tor.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/tor.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/tor.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/tor.te 2010-05-28 09:42:00.196611254 +0200 @@ -45,6 +45,7 @@ allow tor_t self:capability { setgid setuid sys_tty_config }; allow tor_t self:fifo_file rw_fifo_file_perms; @@ -29002,8 +29248,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor. tunable_policy(`tor_bind_all_unreserved_ports', ` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.7.19/policy/modules/services/tuned.te ---- nsaserefpolicy/policy/modules/services/tuned.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/tuned.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/tuned.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/tuned.te 2010-05-28 09:42:00.196611254 +0200 @@ -25,6 +25,7 @@ # 
@@ -29024,8 +29270,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tune optional_policy(` sysnet_domtrans_ifconfig(tuned_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.te serefpolicy-3.7.19/policy/modules/services/ucspitcp.te ---- nsaserefpolicy/policy/modules/services/ucspitcp.te 2010-04-13 14:44:36.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/ucspitcp.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/ucspitcp.te 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ucspitcp.te 2010-05-28 09:42:00.197610559 +0200 @@ -92,3 +92,8 @@ daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t) daemontools_read_svc(ucspitcp_t) @@ -29036,16 +29282,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucsp +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.7.19/policy/modules/services/usbmuxd.fc ---- nsaserefpolicy/policy/modules/services/usbmuxd.fc 2010-04-13 14:44:36.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/usbmuxd.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/usbmuxd.fc 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/usbmuxd.fc 2010-05-28 09:42:00.198610771 +0200 
@@ -1,3 +1,3 @@ /usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0) -/var/run/usbmuxd -s gen_context(system_u:object_r:usbmuxd_var_run_t,s0) +/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.if serefpolicy-3.7.19/policy/modules/services/varnishd.if ---- nsaserefpolicy/policy/modules/services/varnishd.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/varnishd.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/varnishd.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/varnishd.if 2010-05-28 09:42:00.198610771 +0200 @@ -56,6 +56,25 @@ read_files_pattern($1, varnishd_etc_t, varnishd_etc_t) ') @@ -29073,8 +29319,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varn ## ## Read varnish logs. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.7.19/policy/modules/services/vhostmd.te ---- nsaserefpolicy/policy/modules/services/vhostmd.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/vhostmd.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/vhostmd.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/vhostmd.te 2010-05-28 09:42:00.199610914 +0200 @@ -45,6 +45,8 @@ corenet_tcp_connect_soundd_port(vhostmd_t) 
@@ -29085,8 +29331,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos files_read_usr_files(vhostmd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.19/policy/modules/services/virt.fc ---- nsaserefpolicy/policy/modules/services/virt.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/virt.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/virt.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/virt.fc 2010-05-28 09:42:00.200610708 +0200 @@ -14,16 +14,16 @@ /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) @@ -29108,8 +29354,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt /var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.19/policy/modules/services/virt.if ---- nsaserefpolicy/policy/modules/services/virt.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/virt.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/virt.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/virt.if 2010-05-28 09:42:00.200610708 +0200 @@ -21,6 +21,7 @@ type $1_t, virt_domain; domain_type($1_t) 
@@ -29227,8 +29473,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt + ') +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.19/policy/modules/services/virt.te ---- nsaserefpolicy/policy/modules/services/virt.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-05-27 11:56:23.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/virt.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-05-28 09:42:00.201610851 +0200 @@ -1,5 +1,5 @@ -policy_module(virt, 1.3.2) @@ -29462,8 +29708,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.7.19/policy/modules/services/w3c.te ---- nsaserefpolicy/policy/modules/services/w3c.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/w3c.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/w3c.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/w3c.te 2010-05-28 09:42:00.202610575 +0200 @@ -8,11 +8,18 @@ apache_content_template(w3c_validator) 
@@ -29484,8 +29730,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c. corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t) corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.19/policy/modules/services/xserver.fc ---- nsaserefpolicy/policy/modules/services/xserver.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/xserver.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/xserver.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/xserver.fc 2010-05-28 09:42:00.203610788 +0200 @@ -2,13 +2,23 @@ # HOME_DIR # @@ -29608,8 +29854,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.19/policy/modules/services/xserver.if ---- nsaserefpolicy/policy/modules/services/xserver.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/xserver.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/xserver.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/xserver.if 2010-05-28 09:42:00.205610724 +0200 @@ -19,9 +19,10 @@ interface(`xserver_restricted_role',` gen_require(` 
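Review bot: The context line `+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)` at the end of the xserver.fc section looks like a misspelling of `/var/lib/pgsql`. If that is the intended path, the expression never matches, and an .Xauthority file in that home directory keeps whatever default label applies instead of `xauth_home_t`. This commit only refreshes the header timestamps next to it, so the entry goes through unchanged. If confirmed, the line should read `+/var/lib/pgsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)`. The rest of the xserver.fc section lies outside this hunk, so I could not check for a correctly spelled duplicate.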
@@ -30208,8 +30454,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.19/policy/modules/services/xserver.te ---- nsaserefpolicy/policy/modules/services/xserver.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-05-27 10:21:52.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/xserver.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-05-28 09:42:00.207610801 +0200 @@ -1,5 +1,5 @@ -policy_module(xserver, 3.3.2) @@ -31097,8 +31343,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + fs_append_cifs_files(xdmhomewriter) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.7.19/policy/modules/system/application.te ---- nsaserefpolicy/policy/modules/system/application.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/application.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/application.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/application.te 2010-05-28 09:42:00.208611712 +0200 @@ -7,6 +7,22 @@ # Executables to be run by user attribute application_exec_type; 
@@ -31123,8 +31369,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic ssh_sigchld(application_domain_type) ssh_rw_stream_sockets(application_domain_type) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.7.19/policy/modules/system/authlogin.fc ---- nsaserefpolicy/policy/modules/system/authlogin.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/authlogin.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/authlogin.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/authlogin.fc 2010-05-28 09:42:00.209610947 +0200 @@ -10,6 +10,7 @@ /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) @@ -31134,8 +31380,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ifdef(`distro_suse', ` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.19/policy/modules/system/authlogin.if ---- nsaserefpolicy/policy/modules/system/authlogin.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/authlogin.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/authlogin.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/authlogin.if 2010-05-28 09:42:00.210610461 +0200 @@ -41,7 +41,6 @@ ## # 
@@ -31262,8 +31508,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.if serefpolicy-3.7.19/policy/modules/system/daemontools.if ---- nsaserefpolicy/policy/modules/system/daemontools.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/daemontools.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/daemontools.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/daemontools.if 2010-05-28 09:42:00.211610814 +0200 @@ -71,6 +71,32 @@ domtrans_pattern($1, svc_start_exec_t, svc_start_t) ') @@ -31345,8 +31591,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemon + allow $1 svc_run_t:process sigchld; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.te serefpolicy-3.7.19/policy/modules/system/daemontools.te ---- nsaserefpolicy/policy/modules/system/daemontools.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/daemontools.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/daemontools.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/daemontools.te 2010-05-28 09:42:00.211610814 +0200 @@ -39,7 +39,10 @@ # multilog creates /service/*/log/status manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t) 
@@ -31420,8 +31666,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemon daemontools_domtrans_run(svc_start_t) daemontools_manage_svc(svc_start_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.7.19/policy/modules/system/fstools.fc ---- nsaserefpolicy/policy/modules/system/fstools.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/fstools.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/fstools.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/fstools.fc 2010-05-28 09:42:00.212610747 +0200 @@ -1,4 +1,3 @@ -/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) @@ -31436,8 +31682,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.7.19/policy/modules/system/fstools.te ---- nsaserefpolicy/policy/modules/system/fstools.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/fstools.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/fstools.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/fstools.te 2010-05-28 09:42:00.213610890 +0200 @@ -118,6 +118,8 @@ fs_search_tmpfs(fsadm_t) fs_getattr_tmpfs_dirs(fsadm_t) 
@@ -31472,8 +31718,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.7.19/policy/modules/system/getty.te ---- nsaserefpolicy/policy/modules/system/getty.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/getty.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/getty.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/getty.te 2010-05-28 09:42:00.213610890 +0200 @@ -84,7 +84,7 @@ term_setattr_all_ttys(getty_t) term_setattr_unallocated_ttys(getty_t) @@ -31484,8 +31730,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty. auth_rw_login_records(getty_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.7.19/policy/modules/system/hostname.te ---- nsaserefpolicy/policy/modules/system/hostname.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/hostname.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/hostname.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/hostname.te 2010-05-28 09:42:00.214610824 +0200 @@ -27,15 +27,18 @@ dev_read_sysfs(hostname_t) @@ -31517,8 +31763,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna xen_dontaudit_use_fds(hostname_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.7.19/policy/modules/system/init.fc ---- nsaserefpolicy/policy/modules/system/init.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/init.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/init.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/init.fc 2010-05-28 09:42:00.214610824 +0200 
@@ -44,6 +44,9 @@ /usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0) @@ -31530,8 +31776,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f # # /var diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.19/policy/modules/system/init.if ---- nsaserefpolicy/policy/modules/system/init.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/init.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/init.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/init.if 2010-05-28 09:42:00.216612297 +0200 @@ -193,8 +193,10 @@ gen_require(` attribute direct_run_init, direct_init, direct_init_entry; @@ -31781,8 +32027,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.19/policy/modules/system/init.te ---- nsaserefpolicy/policy/modules/system/init.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/init.te 2010-05-27 09:42:57.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/init.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/init.te 2010-05-28 09:42:00.218610487 +0200 @@ -1,5 +1,5 @@ -policy_module(init, 1.14.2) 
@@ -32271,8 +32517,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t + fail2ban_read_lib_files(daemon) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.19/policy/modules/system/ipsec.te ---- nsaserefpolicy/policy/modules/system/ipsec.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/ipsec.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/ipsec.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/ipsec.te 2010-05-28 09:42:00.219610910 +0200 @@ -73,7 +73,7 @@ # @@ -32359,8 +32605,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. userdom_use_user_terminals(setkey_t) +userdom_read_user_tmp_files(setkey_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.7.19/policy/modules/system/iptables.fc ---- nsaserefpolicy/policy/modules/system/iptables.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/iptables.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/iptables.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/iptables.fc 2010-05-28 09:42:00.220610773 +0200 @@ -1,13 +1,18 @@ /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) 
@@ -32383,8 +32629,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl +/usr/bin/ncftool -- gen_context(system_u:object_r:iptables_exec_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.7.19/policy/modules/system/iptables.if ---- nsaserefpolicy/policy/modules/system/iptables.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/iptables.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/iptables.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/iptables.if 2010-05-28 09:42:00.220610773 +0200 @@ -17,6 +17,10 @@ corecmd_search_bin($1) @@ -32397,8 +32643,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.19/policy/modules/system/iptables.te ---- nsaserefpolicy/policy/modules/system/iptables.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/iptables.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/iptables.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/iptables.te 2010-05-28 09:42:00.221610567 +0200 @@ -14,9 +14,6 @@ type iptables_initrc_exec_t; init_script_file(iptables_initrc_exec_t) 
@@ -32475,8 +32721,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-3.7.19/policy/modules/system/iscsi.if ---- nsaserefpolicy/policy/modules/system/iscsi.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/iscsi.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/iscsi.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/iscsi.if 2010-05-28 09:42:00.221610567 +0200 @@ -56,3 +56,21 @@ allow $1 iscsi_var_lib_t:dir list_dir_perms; files_search_var_lib($1) @@ -32500,8 +32746,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. + allow $1 iscsid_t:sem create_sem_perms; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.19/policy/modules/system/libraries.fc ---- nsaserefpolicy/policy/modules/system/libraries.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/libraries.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/libraries.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/libraries.fc 2010-05-28 09:42:00.223612180 +0200 @@ -131,13 +131,13 @@ /usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -32694,8 +32940,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.7.19/policy/modules/system/libraries.te ---- nsaserefpolicy/policy/modules/system/libraries.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/libraries.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/libraries.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/libraries.te 2010-05-28 09:42:00.223612180 +0200 @@ -62,7 +62,7 @@ manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t) @@ -32733,8 +32979,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar ifdef(`distro_gentoo',` # leaked fds from portage diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.7.19/policy/modules/system/locallogin.te ---- nsaserefpolicy/policy/modules/system/locallogin.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/locallogin.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/locallogin.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/locallogin.te 2010-05-28 09:42:00.245611274 +0200 @@ -33,9 +33,8 @@ # Local login local policy # 
@@ -32837,8 +33083,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall - nscd_socket_use(sulogin_t) -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.7.19/policy/modules/system/logging.fc ---- nsaserefpolicy/policy/modules/system/logging.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/logging.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/logging.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/logging.fc 2010-05-28 09:42:00.501610645 +0200 @@ -17,6 +17,10 @@ /sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) /sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) @@ -32878,8 +33124,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin + +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.7.19/policy/modules/system/logging.if ---- nsaserefpolicy/policy/modules/system/logging.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/logging.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/logging.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/logging.if 2010-05-28 09:42:00.503610861 +0200 @@ -545,6 +545,25 @@ ######################################## 
@@ -32952,8 +33198,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.19/policy/modules/system/logging.te ---- nsaserefpolicy/policy/modules/system/logging.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/logging.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/logging.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/logging.te 2010-05-28 09:42:00.503610861 +0200 @@ -61,6 +61,7 @@ type syslogd_t; type syslogd_exec_t; @@ -33028,8 +33274,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.7.19/policy/modules/system/lvm.fc ---- nsaserefpolicy/policy/modules/system/lvm.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/lvm.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/lvm.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/lvm.fc 2010-05-28 09:42:00.504610725 +0200 @@ -28,10 +28,12 @@ # /lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) 
@@ -33044,8 +33290,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc /sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.7.19/policy/modules/system/lvm.if ---- nsaserefpolicy/policy/modules/system/lvm.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/lvm.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/lvm.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/lvm.if 2010-05-28 09:42:00.505610658 +0200 @@ -34,7 +34,7 @@ type lvm_exec_t; ') @@ -33056,8 +33302,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.19/policy/modules/system/lvm.te ---- nsaserefpolicy/policy/modules/system/lvm.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/lvm.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/lvm.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/lvm.te 2010-05-28 09:42:00.505610658 +0200 @@ -142,6 +142,11 @@ ') @@ -33137,8 +33383,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.7.19/policy/modules/system/miscfiles.fc ---- nsaserefpolicy/policy/modules/system/miscfiles.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/miscfiles.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/miscfiles.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/miscfiles.fc 2010-05-28 09:42:00.506610871 +0200 
@@ -76,6 +76,8 @@ /var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0) @@ -33149,8 +33395,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.7.19/policy/modules/system/miscfiles.if ---- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/miscfiles.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/miscfiles.if 2010-05-28 09:42:00.507610874 +0200 @@ -305,9 +305,6 @@ allow $1 locale_t:dir list_dir_perms; read_files_pattern($1, locale_t, locale_t) @@ -33162,8 +33408,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.19/policy/modules/system/modutils.te ---- nsaserefpolicy/policy/modules/system/modutils.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/modutils.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/modutils.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/modutils.te 2010-05-28 09:42:00.507610874 +0200 @@ -19,6 +19,7 @@ type insmod_exec_t; application_domain(insmod_t, insmod_exec_t) 
@@ -33246,8 +33492,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti if( ! secure_mode_insmod ) { diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.7.19/policy/modules/system/mount.fc ---- nsaserefpolicy/policy/modules/system/mount.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/mount.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/mount.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/mount.fc 2010-05-28 09:42:00.508610668 +0200 @@ -1,4 +1,10 @@ /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) @@ -33261,8 +33507,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. +/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.7.19/policy/modules/system/mount.if ---- nsaserefpolicy/policy/modules/system/mount.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/mount.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/mount.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/mount.if 2010-05-28 09:42:00.509611579 +0200 @@ -16,6 +16,14 @@ ') 
@@ -33461,8 +33707,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. + role $2 types showmount_t; ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.19/policy/modules/system/mount.te ---- nsaserefpolicy/policy/modules/system/mount.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/mount.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/mount.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/mount.te 2010-05-28 09:42:00.510610814 +0200 @@ -18,8 +18,15 @@ init_system_domain(mount_t, mount_exec_t) role system_r types mount_t; @@ -33747,8 +33993,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. + +userdom_use_user_terminals(showmount_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.7.19/policy/modules/system/raid.te ---- nsaserefpolicy/policy/modules/system/raid.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/raid.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/raid.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/raid.te 2010-05-28 09:42:00.511610748 +0200 @@ -58,6 +58,7 @@ files_read_etc_files(mdadm_t) 
@@ -33758,8 +34004,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t fs_search_auto_mountpoints(mdadm_t) fs_dontaudit_list_tmpfs(mdadm_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.7.19/policy/modules/system/selinuxutil.fc ---- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/selinuxutil.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/selinuxutil.fc 2010-05-28 09:42:00.511610748 +0200 @@ -6,13 +6,13 @@ /etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0) /etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0) @@ -33800,8 +34046,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.7.19/policy/modules/system/selinuxutil.if ---- nsaserefpolicy/policy/modules/system/selinuxutil.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/selinuxutil.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/selinuxutil.if 2010-05-28 09:42:00.513610614 +0200 @@ -361,6 +361,27 @@ ######################################## 
@@ -34179,8 +34425,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +') +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.19/policy/modules/system/selinuxutil.te ---- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/selinuxutil.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/selinuxutil.te 2010-05-28 09:42:00.514610688 +0200 @@ -23,6 +23,9 @@ type selinux_config_t; files_type(selinux_config_t) @@ -34589,8 +34835,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu + unconfined_domain(setfiles_mac_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.te serefpolicy-3.7.19/policy/modules/system/setrans.te ---- nsaserefpolicy/policy/modules/system/setrans.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/setrans.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/setrans.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/setrans.te 2010-05-28 09:42:00.515611599 +0200 @@ -13,6 +13,7 @@ type setrans_t; type setrans_exec_t; 
@@ -34600,14 +34846,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setran type setrans_initrc_exec_t; init_script_file(setrans_initrc_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.fc serefpolicy-3.7.19/policy/modules/system/sosreport.fc ---- nsaserefpolicy/policy/modules/system/sosreport.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/system/sosreport.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/sosreport.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/system/sosreport.fc 2010-05-28 09:42:00.516610554 +0200 @@ -0,0 +1,2 @@ + +/usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.if serefpolicy-3.7.19/policy/modules/system/sosreport.if ---- nsaserefpolicy/policy/modules/system/sosreport.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/system/sosreport.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/sosreport.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/system/sosreport.if 2010-05-28 09:42:00.516610554 +0200 @@ -0,0 +1,131 @@ + +## policy for sosreport 
@@ -34741,8 +34987,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosrep + allow $1 sosreport_tmp_t:file append; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.te serefpolicy-3.7.19/policy/modules/system/sosreport.te ---- nsaserefpolicy/policy/modules/system/sosreport.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/system/sosreport.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/sosreport.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/policy/modules/system/sosreport.te 2010-05-28 09:42:00.517610628 +0200 @@ -0,0 +1,155 @@ + +policy_module(sosreport,1.0.0) @@ -34900,8 +35146,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosrep + unconfined_domain(sosreport_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.7.19/policy/modules/system/sysnetwork.fc ---- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.fc 2010-05-28 09:42:00.517610628 +0200 @@ -64,3 +64,5 @@ ifdef(`distro_gentoo',` /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) 
@@ -34909,8 +35155,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet + +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.19/policy/modules/system/sysnetwork.if ---- nsaserefpolicy/policy/modules/system/sysnetwork.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.if 2010-05-27 10:37:13.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.if 2010-05-28 09:42:00.518610770 +0200 @@ -60,25 +60,24 @@ netutils_run(dhcpc_t, $2) netutils_run_ping(dhcpc_t, $2) @@ -35088,8 +35334,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet + role_transition $1 dhcpc_exec_t system_r; ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.19/policy/modules/system/sysnetwork.te ---- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.te 2010-05-27 09:43:25.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.te 2010-05-28 09:42:00.519610844 +0200 @@ -1,5 +1,5 @@ -policy_module(sysnetwork, 1.10.3) 
@@ -35203,16 +35449,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.7.19/policy/modules/system/udev.fc ---- nsaserefpolicy/policy/modules/system/udev.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/udev.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/udev.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/udev.fc 2010-05-28 09:42:00.520610847 +0200 @@ -22,3 +22,4 @@ /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0) /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) +/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.7.19/policy/modules/system/udev.if ---- nsaserefpolicy/policy/modules/system/udev.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/udev.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/udev.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/udev.if 2010-05-28 09:42:00.521610641 +0200 @@ -196,6 +196,25 @@ ######################################## 
@@ -35240,8 +35486,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i ## udev pid files. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.19/policy/modules/system/udev.te ---- nsaserefpolicy/policy/modules/system/udev.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/udev.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/udev.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/udev.te 2010-05-28 09:42:00.521610641 +0200 @@ -50,6 +50,7 @@ allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -35284,8 +35530,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.7.19/policy/modules/system/unconfined.fc ---- nsaserefpolicy/policy/modules/system/unconfined.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/unconfined.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/unconfined.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/unconfined.fc 2010-05-28 09:42:00.522610784 +0200 @@ -1,15 +1 @@ # Add programs here which should not be confined by SELinux -# e.g.: 
@@ -35303,8 +35549,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf -/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.7.19/policy/modules/system/unconfined.if ---- nsaserefpolicy/policy/modules/system/unconfined.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/unconfined.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/unconfined.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/unconfined.if 2010-05-28 09:42:00.523610857 +0200 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -35800,8 +36046,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf - allow $1 unconfined_t:dbus acquire_svc; -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.7.19/policy/modules/system/unconfined.te ---- nsaserefpolicy/policy/modules/system/unconfined.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/unconfined.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/unconfined.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/unconfined.te 2010-05-28 09:42:00.524610720 +0200 @@ -5,227 +5,5 @@ # # Declarations 
@@ -36032,8 +36278,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf - ') -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.19/policy/modules/system/userdomain.fc ---- nsaserefpolicy/policy/modules/system/userdomain.fc 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/userdomain.fc 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/userdomain.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/userdomain.fc 2010-05-28 09:42:00.524610720 +0200 @@ -1,4 +1,13 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) @@ -36050,8 +36296,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.gvfs(/.*)? <> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.19/policy/modules/system/userdomain.if ---- nsaserefpolicy/policy/modules/system/userdomain.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-06-01 17:31:14.105409578 +0200 @@ -30,8 +30,9 @@ ') @@ -37631,7 +37877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_search_proc($1) ') -@@ -3111,3 +3460,682 @@ +@@ -3111,3 +3460,702 @@ allow $1 userdomain:dbus send_msg; ') 
@@ -37890,6 +38136,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + read_files_pattern($1, admin_home_t, admin_home_t) +') + ++####################################### ++## ++## Read admin home files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`userdom_dontaudit_read_admin_home_files',` ++ gen_require(` ++ type admin_home_t; ++ ') ++ ++ dontaudit $1 admin_home_t:dir search_dir_perms; ++ dontaudit $1 admin_home_t:file read_file_perms; ++') ++ +######################################## +## +## Execute admin home files. @@ -38315,8 +38581,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + allow $1 user_tmp_t:file delete_file_perms; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.19/policy/modules/system/userdomain.te ---- nsaserefpolicy/policy/modules/system/userdomain.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/userdomain.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/userdomain.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/userdomain.te 2010-05-28 09:42:00.529612133 +0200 @@ -29,13 +29,6 @@ ## @@ -38400,8 +38666,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +# Nautilus causes this avc +dontaudit unpriv_userdomain self:dir setattr; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.7.19/policy/modules/system/xen.if ---- nsaserefpolicy/policy/modules/system/xen.if 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/xen.if 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/xen.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/xen.if 2010-05-28 09:42:00.530610879 +0200 
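Review bot: The doc header added for `userdom_dontaudit_read_admin_home_files` (hunk `@@ -37890,6 +38136,26 @@` of policy-F13.patch) still carries the wording of the allow interface above it, `Read admin home files.` and `Domain allowed access.`, although the body grants nothing and only emits two `dontaudit` rules. I would change the summary to `Do not audit attempts to read admin home files.` and the parameter description to `Domain to not audit.`, which matches how the body reads. The distinction matters to callers: a domain passed to this interface stops producing AVC denial records for `admin_home_t` directory searches and file reads, so anyone choosing it on the strength of the current summary would expect access rather than silenced audit events. A one-line comment naming the denial that motivated the interface would also help later reviewers judge whether the suppression is still needed.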
@@ -213,8 +213,9 @@ interface(`xen_domtrans_xm',` gen_require(` @@ -38414,8 +38680,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.19/policy/modules/system/xen.te ---- nsaserefpolicy/policy/modules/system/xen.te 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/xen.te 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/xen.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/xen.te 2010-05-28 09:42:00.531610673 +0200 @@ -5,6 +5,7 @@ # # Declarations @@ -38478,8 +38744,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te fs_list_auto_mountpoints(xend_t) files_search_mnt(xend_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns.spt serefpolicy-3.7.19/policy/support/misc_patterns.spt ---- nsaserefpolicy/policy/support/misc_patterns.spt 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/support/misc_patterns.spt 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/support/misc_patterns.spt 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/support/misc_patterns.spt 2010-05-28 09:42:00.532611375 +0200 @@ -15,7 +15,7 @@ domain_transition_pattern($1,$2,$3) 
@@ -38504,8 +38770,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.19/policy/support/obj_perm_sets.spt ---- nsaserefpolicy/policy/support/obj_perm_sets.spt 2010-04-13 14:44:37.000000000 -0400 -+++ serefpolicy-3.7.19/policy/support/obj_perm_sets.spt 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/support/obj_perm_sets.spt 2010-05-28 09:42:00.533610400 +0200 @@ -28,7 +28,7 @@ # # All socket classes. @@ -38616,8 +38882,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets +define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ') +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.7.19/policy/users ---- nsaserefpolicy/policy/users 2010-04-13 14:44:36.000000000 -0400 -+++ serefpolicy-3.7.19/policy/users 2010-05-26 15:34:37.000000000 -0400 +--- nsaserefpolicy/policy/users 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/users 2010-05-28 09:42:00.534610823 +0200 @@ -6,7 +6,7 @@ # # gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories]) diff --git a/selinux-policy.spec b/selinux-policy.spec index 31d6edf..a207d6d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 22%{?dist} +Release: 23%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -469,6 +469,14 @@ exit 0 %endif %changelog +* Tue Jun 1 2010 Miroslav Grepl 3.7.19-23 +- Add cmirrord policy +- Fixes for accountsd policy +- Fixes for boinc policy +- Allow cups-pdf to set attributes on fonts cache directory +- Allow radiusd to setrlimit +- Allow nscd sys_ptrace capability + * Tue May 25 2010 Dan Walsh 3.7.19-22 - Allow procmail to execute scripts in the users home dir that are labeled home_bin_t - Fix /var/run/abrtd.lock label