++##
+ ## Allow rsync to modify public files
+ ## used for public file transfer services.
+ ##
+@@ -17,6 +24,7 @@
type rsync_t;
type rsync_exec_t;
init_daemon_domain(rsync_t,rsync_exec_t)
@@ -8537,6 +8660,46 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
role system_r types rsync_t;
type rsync_data_t;
+@@ -57,11 +65,14 @@
+ manage_files_pattern(rsync_t,rsync_var_run_t,rsync_var_run_t)
+ files_pid_filetrans(rsync_t,rsync_var_run_t,file)
+
++auth_use_nsswitch(rsync_t)
++
+ kernel_read_kernel_sysctls(rsync_t)
+ kernel_read_system_state(rsync_t)
+ kernel_read_network_state(rsync_t)
+
+-corenet_non_ipsec_sendrecv(rsync_t)
++corenet_all_recvfrom_unlabeled(rsync_t)
++corenet_all_recvfrom_netlabel(rsync_t)
+ corenet_tcp_sendrecv_all_if(rsync_t)
+ corenet_udp_sendrecv_all_if(rsync_t)
+ corenet_tcp_sendrecv_all_nodes(rsync_t)
+@@ -88,8 +99,6 @@
+ miscfiles_read_localization(rsync_t)
+ miscfiles_read_public_files(rsync_t)
+
+-sysnet_read_config(rsync_t)
+-
+ tunable_policy(`allow_rsync_anon_write',`
+ miscfiles_manage_public_files(rsync_t)
+ ')
+@@ -106,10 +115,8 @@
+ inetd_service_domain(rsync_t,rsync_exec_t)
+ ')
+
+-optional_policy(`
+- nis_use_ypbind(rsync_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(rsync_t)
++tunable_policy(`rsync_export_all_ro',`
++ allow rsync_t self:capability dac_override;
++ fs_read_noxattr_fs_files(rsync_t)
++ auth_read_all_files_except_shadow(rsync_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho.if serefpolicy-2.6.4/policy/modules/services/rwho.if
--- nsaserefpolicy/policy/modules/services/rwho.if 2007-05-07 14:50:57.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/rwho.if 2007-08-07 09:42:35.000000000 -0400
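Review bot: The new `rsync_export_all_ro` tunable grants `allow rsync_t self:capability dac_override;` alongside `auth_read_all_files_except_shadow(rsync_t)`, which is broader than a read-only export needs, since `dac_override` also bypasses DAC on write and execute checks while `dac_read_search` bypasses only read and search. Unless rsync is shown to need the write side under this boolean, the narrower line is `allow rsync_t self:capability dac_read_search;`. The `gen_tunable` declaration and description for `rsync_export_all_ro` are not in this hunk; the declarations hunk at `@@ -17,6 +24,7 @@` only shows the `allow_rsync_anon_write` text, so confirm the boolean is declared, default off, elsewhere in the patch. The `tunable_policy` block itself closes at the last `')` before the rwho.if header.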
@@ -8893,7 +9056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.6.4/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/samba.te 2007-10-01 16:01:17.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/samba.te 2007-10-09 10:45:19.000000000 -0400
@@ -16,6 +16,14 @@
##
@@ -9216,11 +9379,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+allow swat_t nmbd_port_t:udp_socket name_bind;
+allow swat_t nmbd_t:process { signal signull };
+allow swat_t nmbd_var_run_t:file { lock read unlink };
-
--rw_files_pattern(swat_t,samba_etc_t,samba_etc_t)
++
+init_read_utmp(swat_t)
+init_dontaudit_write_utmp(swat_t)
-+
+
+-rw_files_pattern(swat_t,samba_etc_t,samba_etc_t)
+manage_dirs_pattern(swat_t,samba_log_t,samba_log_t)
+create_files_pattern(swat_t,samba_log_t,samba_log_t)
+
@@ -9360,26 +9523,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
seutil_sigchld_newrole(winbind_t)
')
-@@ -736,6 +810,7 @@
+@@ -736,8 +810,11 @@
read_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t)
read_lnk_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t)
+files_list_var_lib(winbind_helper_t)
allow winbind_helper_t samba_var_t:dir search;
++auth_use_nsswitch(winbind_helper_t)
++
stream_connect_pattern(winbind_helper_t,winbind_var_run_t,winbind_var_run_t,winbind_t)
-@@ -763,4 +838,66 @@
+
+ term_list_ptys(winbind_helper_t)
+@@ -757,10 +834,68 @@
+ ')
+
optional_policy(`
- squid_read_log(winbind_helper_t)
- squid_append_log(winbind_helper_t)
+- nscd_socket_use(winbind_helper_t)
++ squid_read_log(winbind_helper_t)
++ squid_append_log(winbind_helper_t)
+ squid_rw_stream_sockets(winbind_helper_t)
-+')
-+
+ ')
+
+########################################
+#
+# samba_unconfined_script_t local policy
+#
-+optional_policy(`
+ optional_policy(`
+- squid_read_log(winbind_helper_t)
+- squid_append_log(winbind_helper_t)
+ type samba_unconfined_script_t;
+ domain_type(samba_unconfined_script_t)
+ role system_r types samba_unconfined_script_t;
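Review bot: The new `samba_unconfined_script_t local policy` header is inserted above a kept `optional_policy(`` line, and `type samba_unconfined_script_t;`, `domain_type(...)` and `role system_r types ...` then land inside that block where the removed `squid_read_log`/`squid_append_log` calls were. Declarations inside an `optional_policy` block are conditional on whatever module the block was guarding, and a type declaration normally sits in the module's declarations section rather than in the winbind_helper_t local policy, so this looks like a rebase artefact; the inner hunk continues past this outer hunk, so where the block closes cannot be seen here. I would move the three declaration lines and the section header above the `optional_policy(`` they now sit in, leaving that block to hold only the remaining squid call.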
@@ -10080,8 +10252,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.
dev_read_sysfs(xfs_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-2.6.4/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/xserver.fc 2007-10-02 11:51:15.000000000 -0400
-@@ -92,7 +92,7 @@
++++ serefpolicy-2.6.4/policy/modules/services/xserver.fc 2007-10-08 13:26:18.000000000 -0400
+@@ -92,10 +92,11 @@
/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
@@ -10090,6 +10262,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
++/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+
+ /var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+ /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.6.4/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-05-07 14:51:01.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/xserver.if 2007-08-07 09:42:35.000000000 -0400
@@ -10284,7 +10460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.6.4/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/authlogin.if 2007-10-01 16:38:06.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/authlogin.if 2007-10-09 10:29:42.000000000 -0400
@@ -27,11 +27,9 @@
domain_type($1_chkpwd_t)
domain_entry_file($1_chkpwd_t,chkpwd_exec_t)
@@ -10395,15 +10571,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
init_rw_utmp($1)
logging_send_syslog_msg($1)
-@@ -221,6 +229,7 @@
+@@ -221,6 +229,16 @@
seutil_read_config($1)
seutil_read_default_contexts($1)
++ userdom_set_rlimitnh($1)
++
++ optional_policy(`
++ nis_authenticate($1)
++ ')
++
++ optional_policy(`
++ unconfined_set_rlimitnh($1)
++ ')
+
tunable_policy(`allow_polyinstantiation',`
files_polyinstantiate_all($1)
')
-@@ -320,10 +329,6 @@
+@@ -320,10 +338,6 @@
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
')
@@ -10414,7 +10599,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
corecmd_search_bin($1)
domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
-@@ -332,6 +337,8 @@
+@@ -332,6 +346,8 @@
dev_read_rand($1)
dev_read_urand($1)
@@ -10423,7 +10608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
miscfiles_read_certs($1)
sysnet_dns_name_resolve($1)
-@@ -357,6 +364,37 @@
+@@ -357,6 +373,37 @@
########################################
##
@@ -10461,7 +10646,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
## Get the attributes of the shadow passwords file.
##
##
-@@ -1357,6 +1395,8 @@
+@@ -1357,6 +1404,8 @@
optional_policy(`
samba_stream_connect_winbind($1)
@@ -10470,7 +10655,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
')
-@@ -1391,3 +1431,114 @@
+@@ -1391,3 +1440,114 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -10819,14 +11004,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-2.6.4/policy/modules/system/fstools.if
--- nsaserefpolicy/policy/modules/system/fstools.if 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/fstools.if 2007-08-07 09:42:35.000000000 -0400
-@@ -124,3 +124,22 @@
++++ serefpolicy-2.6.4/policy/modules/system/fstools.if 2007-10-08 17:26:44.000000000 -0400
+@@ -124,3 +124,40 @@
allow $1 swapfile_t:file getattr;
')
+
+########################################
+##
++## Read swapfile
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`fstools_read_swap_files',`
++ gen_require(`
++ type swapfile_t;
++ ')
++
++ allow $1 swapfile_t:file r_file_perms;
++')
++
++########################################
++##
+## Read fstools unnamed pipes.
+##
+##
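Review bot: The new `fstools_read_swap_files` interface grants `r_file_perms` on `swapfile_t`, and its summary `## Read swapfile` does not say what that implies: swap holds pages evicted from arbitrary processes, so read access on it is a path to other domains' memory contents, including credentials. The summary should state this so callers do not reach for it when the interface directly above, which allows only `swapfile_t:file getattr`, would do; I would change it to `## Read swap files. Swap contents are paged-out process memory, so grant this only to domains that must read the swap area itself.` The one call site added in this patch is `fstools_read_swap_files(mount_t)` in the mount.te hunk at `@@ -12180,7 +12383,9 @@`, and nothing there says why mount needs read rather than getattr on swap files, so confirm that against the denial that motivated it.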
@@ -12134,7 +12337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
-/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.6.4/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/mount.te 2007-09-13 12:47:13.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/mount.te 2007-10-08 17:27:32.000000000 -0400
@@ -9,6 +9,13 @@
ifdef(`targeted_policy',`
##
@@ -12162,7 +12365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
type mount_loopback_t; # customizable
files_type(mount_loopback_t)
-@@ -38,14 +49,15 @@
+@@ -38,21 +49,26 @@
#
# setuid/setgid needed to mount cifs
@@ -12180,7 +12383,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
can_exec(mount_t, mount_exec_t)
files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
-@@ -53,6 +65,8 @@
+
++fstools_read_swap_files(mount_t)
++
kernel_read_system_state(mount_t)
kernel_read_kernel_sysctls(mount_t)
kernel_dontaudit_getattr_core_if(mount_t)
@@ -12189,7 +12394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
dev_getattr_all_blk_files(mount_t)
dev_list_all_dev_nodes(mount_t)
-@@ -65,6 +79,7 @@
+@@ -65,6 +81,7 @@
storage_raw_write_fixed_disk(mount_t)
storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)
@@ -12197,7 +12402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
fs_getattr_xattr_fs(mount_t)
fs_getattr_cifs(mount_t)
-@@ -103,6 +118,8 @@
+@@ -103,6 +120,8 @@
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@@ -12206,7 +12411,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
libs_use_ld_so(mount_t)
libs_use_shared_libs(mount_t)
-@@ -130,10 +147,15 @@
+@@ -130,10 +149,15 @@
')
ifdef(`targeted_policy',`
@@ -12223,7 +12428,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
')
-@@ -162,13 +184,8 @@
+@@ -162,13 +186,8 @@
fs_search_rpc(mount_t)
@@ -12237,7 +12442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
optional_policy(`
-@@ -192,9 +209,6 @@
+@@ -192,9 +211,6 @@
samba_domtrans_smbmount(mount_t)
')
@@ -12247,7 +12452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
########################################
#
-@@ -204,4 +218,30 @@
+@@ -204,4 +220,30 @@
ifdef(`targeted_policy',`
files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
unconfined_domain(unconfined_mount_t)
@@ -12255,7 +12460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+ hal_dbus_chat(unconfined_mount_t)
+ ')
+
-+')
+ ')
+
+########################################
+#
@@ -12276,7 +12481,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+ hal_write_log(mount_t)
+ hal_use_fds(mount_t)
+ hal_rw_pipes(mount_t)
- ')
++')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/netlabel.te serefpolicy-2.6.4/policy/modules/system/netlabel.te
--- nsaserefpolicy/policy/modules/system/netlabel.te 2007-05-07 14:51:02.000000000 -0400