+##
@@ -15932,7 +16086,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+ gen_require(`
+ type cgred_t, cgconfigparser_t, cgred_var_run_t;
+ type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t;
-+ type cgred_etc_t, cgroup_t, cgroupfs_t;
++ type cgroup_t, cgroupfs_t;
+ ')
+
+ allow $1 cgconfigparser_t:process { ptrace signal_perms getattr };
@@ -15946,7 +16100,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+
+ files_search_etc($1)
+ admin_pattern($1, cgconfig_etc_t)
-+ admin_pattern($1, cgred_etc_t)
+
+ files_list_var($1)
+ admin_pattern($1, cgred_var_run_t)
@@ -16067,7 +16220,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+fs_setattr_cgroupfs_files(cgconfigparser_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.7.19/policy/modules/services/chronyd.if
--- nsaserefpolicy/policy/modules/services/chronyd.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/chronyd.if 2010-05-28 09:42:00.077610724 +0200
++++ serefpolicy-3.7.19/policy/modules/services/chronyd.if 2010-06-28 18:44:16.191151821 +0200
@@ -19,6 +19,24 @@
domtrans_pattern($1, chronyd_exec_t, chronyd_t)
')
@@ -16158,9 +16311,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
####################################
##
## All of the rules required to administrate
-@@ -103,3 +179,4 @@
+@@ -75,9 +151,10 @@
+ #
+ interface(`chronyd_admin',`
+ gen_require(`
+- type chronyd_t, chronyd_var_log_t;
+- type chronyd_var_run_t, chronyd_var_lib_t;
+- type chronyd_initrc_exec_t, chronyd_keys_t;
++ type chronyd_t, chronyd_initrc_exec_t;
++ type chronyd_keys_t, chronyd_var_log_t;
++ type chronyd_var_lib_t, chronyd_var_run_t;
++ type chronyd_tmpfs_t;
+ ')
+
+ allow $1 chronyd_t:process { ptrace signal_perms };
+@@ -101,5 +178,6 @@
+ admin_pattern($1, chronyd_var_run_t)
+
files_search_tmp($1)
- admin_pattern($1, chronyd_tmp_t)
+- admin_pattern($1, chronyd_tmp_t)
++ admin_pattern($1, chronyd_tmpfs_t)
')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.7.19/policy/modules/services/chronyd.te
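Review bot: `admin_pattern($1, chronyd_tmpfs_t)` is still preceded by `files_search_tmp($1)`, which grants search on /tmp, not on tmpfs, so the admin domain gets rights on the relabelled content without being able to path to it. The matching search rule for a tmpfs-backed type is `fs_search_tmpfs($1)` (or `fs_list_tmpfs($1)`); if `chronyd_tmp_t` no longer exists in chronyd.te the `files_search_tmp($1)` line is dead and can go, but that .te change is outside this hunk so I cannot confirm it. Suggested lines: `fs_list_tmpfs($1)` followed by `admin_pattern($1, chronyd_tmpfs_t)`.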
@@ -16207,7 +16377,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.19/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/clamav.te 2010-06-08 15:32:46.193610434 +0200
++++ serefpolicy-3.7.19/policy/modules/services/clamav.te 2010-06-28 16:21:55.618400228 +0200
@@ -1,6 +1,13 @@
policy_module(clamav, 1.7.1)
@@ -16230,15 +16400,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
allow clamd_t self:fifo_file rw_fifo_file_perms;
allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow clamd_t self:unix_dgram_socket create_socket_perms;
-@@ -177,6 +185,7 @@
+@@ -177,8 +185,11 @@
corenet_tcp_sendrecv_all_ports(freshclam_t)
corenet_tcp_sendrecv_clamd_port(freshclam_t)
corenet_tcp_connect_http_port(freshclam_t)
+corenet_tcp_connect_clamd_port(freshclam_t)
corenet_sendrecv_http_client_packets(freshclam_t)
++corecmd_exec_shell(freshclam_t)
++
dev_read_rand(freshclam_t)
-@@ -189,10 +198,14 @@
+ dev_read_urand(freshclam_t)
+
+@@ -189,10 +200,14 @@
auth_use_nsswitch(freshclam_t)
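Review bot: `corecmd_exec_shell(freshclam_t)` lets the signature-update daemon run a shell in its own domain, which widens what a hijacked or malicious update can do, and the hunk gives no reason for it. Presumably this is for the freshclam.conf command hooks (OnUpdateExecute/OnErrorExecute or the NotifyClamd path) — confirm from the denial that prompted it rather than from this guess. At minimum document it above the line, e.g. `# freshclam.conf OnUpdateExecute/OnErrorExecute hooks run through /bin/sh`, and consider putting it under a tunable so installs without such hooks do not carry the permission. The freshclam_t rules continue outside this hunk.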
@@ -16253,7 +16427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
optional_policy(`
cron_system_entry(freshclam_t, freshclam_exec_t)
')
-@@ -246,6 +259,14 @@
+@@ -246,6 +261,14 @@
mta_send_mail(clamscan_t)
@@ -16641,7 +16815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
+/var/cache/cobbler(/.*)? gen_context(system_u:object_r:cobbler_cache_t, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.7.19/policy/modules/services/cobbler.if
--- nsaserefpolicy/policy/modules/services/cobbler.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/cobbler.if 2010-06-16 21:29:07.544874309 +0200
++++ serefpolicy-3.7.19/policy/modules/services/cobbler.if 2010-06-25 15:03:23.048137726 +0200
@@ -68,7 +68,7 @@
########################################
##
@@ -16660,7 +16834,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
## an cobblerd environment
##
##
-@@ -173,9 +173,11 @@
+@@ -162,6 +162,7 @@
+ gen_require(`
+ type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
+ type cobbler_etc_t, cobblerd_initrc_exec_t;
++ type httpd_cobbler_content_rw_t;
+ ')
+
+ allow $1 cobblerd_t:process { ptrace signal_perms getattr };
+@@ -173,9 +174,11 @@
files_list_var_lib($1)
admin_pattern($1, cobbler_var_lib_t)
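Review bot: The `gen_require` of `cobbler_admin` now names `httpd_cobbler_content_rw_t`, a type owned by the apache module, so a policy build or load without apache will fail on the cobbler module; the rule that uses the type is outside this hunk, so I cannot see whether it is guarded. Refpolicy convention is not to require another module's types directly in an interface: either call an interface exported by apache.if (adding one there if none covers this content type) or wrap both the require and the admin rule in an `optional_policy(\`…')` block with its own `gen_require`. The cobbler_admin body continues outside the hunk.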
@@ -17752,6 +17934,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.7.19/policy/modules/services/cups.if
+--- nsaserefpolicy/policy/modules/services/cups.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/cups.if 2010-06-28 18:43:30.174401225 +0200
+@@ -314,7 +314,7 @@
+ interface(`cups_admin',`
+ gen_require(`
+ type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
+- type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
++ type cupsd_etc_t, cupsd_log_t;
+ type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
+ type cupsd_var_run_t, ptal_etc_t;
+ type ptal_var_run_t, hplip_var_run_t;
+@@ -341,9 +341,6 @@
+
+ admin_pattern($1, cupsd_lpd_var_run_t)
+
+- admin_pattern($1, cupsd_spool_t)
+- files_list_spool($1)
+-
+ admin_pattern($1, cupsd_tmp_t)
+ files_list_tmp($1)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.19/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/cups.te 2010-06-01 16:38:46.796222623 +0200
@@ -18982,6 +19186,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.7.19/policy/modules/services/dovecot.if
+--- nsaserefpolicy/policy/modules/services/dovecot.if 2010-04-13 20:44:36.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/dovecot.if 2010-06-25 15:36:57.767137390 +0200
+@@ -93,7 +93,7 @@
+ #
+ interface(`dovecot_admin',`
+ gen_require(`
+- type dovecot_t, dovecot_etc_t, dovecot_log_t;
++ type dovecot_t, dovecot_etc_t;
+ type dovecot_spool_t, dovecot_var_lib_t;
+ type dovecot_var_run_t;
+
+@@ -112,9 +112,6 @@
+ files_list_etc($1)
+ admin_pattern($1, dovecot_etc_t)
+
+- logging_list_logs($1)
+- admin_pattern($1, dovecot_log_t)
+-
+ files_list_spool($1)
+ admin_pattern($1, dovecot_spool_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.19/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-06-08 14:51:46.576610409 +0200
@@ -20673,6 +20899,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt
/var/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0)
+
+/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.if serefpolicy-3.7.19/policy/modules/services/ksmtuned.if
+--- nsaserefpolicy/policy/modules/services/ksmtuned.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/ksmtuned.if 2010-06-28 14:28:28.265152638 +0200
+@@ -59,8 +59,8 @@
+ type ksmtuned_initrc_exec_t;
+ ')
+
+- allow $1 ksmtuned_t:process { ptrace signal_perms };
+- ps_process_pattern(ksmtumed_t)
++ allow $1 ksmtuned_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, ksmtuned_t, ksmtuned_t)
+
+ files_list_pids($1)
+ admin_pattern($1, ksmtuned_var_run_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.7.19/policy/modules/services/ksmtuned.te
--- nsaserefpolicy/policy/modules/services/ksmtuned.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/ksmtuned.te 2010-06-21 21:11:46.923156716 +0200
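Review bot: `read_files_pattern($1, ksmtuned_t, ksmtuned_t)` only grants file read under /proc/<pid>; the refpolicy idiom for an admin interface is `ps_process_pattern($1, ksmtuned_t)`, which also covers listing the process directory and following its symlinks, and which is what the misspelt `ps_process_pattern(ksmtumed_t)` being replaced here was trying to be. The other admin interfaces touched by this patch (rpcbind, samba, setroubleshoot) use `ps_process_pattern($1, …)`, so the replacement is also inconsistent with them. Suggested line: `ps_process_pattern($1, ksmtuned_t)`. The ksmtuned_admin body starts and ends outside the hunk.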
@@ -20925,6 +21165,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc
+
+sysnet_dns_name_resolve(lircd_t)
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.if serefpolicy-3.7.19/policy/modules/services/memcached.if
+--- nsaserefpolicy/policy/modules/services/memcached.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/memcached.if 2010-06-25 15:07:20.909137514 +0200
+@@ -59,6 +59,7 @@
+ gen_require(`
+ type memcached_t;
+ type memcached_initrc_exec_t;
++ type memcached_var_run_t;
+ ')
+
+ allow $1 memcached_t:process { ptrace signal_perms };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.7.19/policy/modules/services/milter.if
--- nsaserefpolicy/policy/modules/services/milter.if 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/milter.if 2010-05-28 09:42:00.123612272 +0200
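Review bot: `type memcached_var_run_t;` is added to the `gen_require` of `memcached_admin`, but nothing in the hunk grants the admin domain access to it; the rules that would use it are outside the hunk, so confirm they were added rather than leaving an unused require. If the intent is to let `$1` manage the pid file, the matching lines are `files_list_pids($1)` and `admin_pattern($1, memcached_var_run_t)` after the ptrace rule. The memcached_admin body continues outside the hunk.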
@@ -21016,11 +21267,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mode
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.fc serefpolicy-3.7.19/policy/modules/services/mpd.fc
--- nsaserefpolicy/policy/modules/services/mpd.fc 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/mpd.fc 2010-06-14 18:34:39.866517713 +0200
-@@ -0,0 +1,10 @@
++++ serefpolicy-3.7.19/policy/modules/services/mpd.fc 2010-06-28 14:07:11.647362394 +0200
+@@ -0,0 +1,11 @@
++
+
++/etc/mpd\.conf -- gen_context(system_u:object_r:mpd_etc_t,s0)
+
-+/etc/mpd\.conf -- gen_context(system_u:object_r:mpd_etc_t,s0)
+/etc/rc\.d/init\.d/mpd -- gen_context(system_u:object_r:mpd_initrc_exec_t,s0)
+
+/usr/bin/mpd -- gen_context(system_u:object_r:mpd_exec_t,s0)
@@ -21030,7 +21282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
+/var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.if serefpolicy-3.7.19/policy/modules/services/mpd.if
--- nsaserefpolicy/policy/modules/services/mpd.if 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/mpd.if 2010-06-15 17:58:09.853018142 +0200
++++ serefpolicy-3.7.19/policy/modules/services/mpd.if 2010-06-28 14:07:11.654150869 +0200
@@ -0,0 +1,295 @@
+
+## policy for daemon for playing music
@@ -21304,7 +21556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
+ type mpd_data_t;
+ type mpd_etc_t;
+ type mpd_log_t;
-+ type mpd_var_lib_t;
++ type mpd_var_lib_t;
+ ')
+
+ allow $1 mpd_t:process { ptrace signal_perms };
@@ -21316,7 +21568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
+ allow $2 system_r;
+
+ admin_pattern($1, mpd_etc_t)
-+ files_search_etc($1)
++ files_search_etc($1)
+
+ files_search_var_lib($1)
+ admin_pattern($1, mpd_var_lib_t)
@@ -21329,7 +21581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.te serefpolicy-3.7.19/policy/modules/services/mpd.te
--- nsaserefpolicy/policy/modules/services/mpd.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/mpd.te 2010-06-14 18:36:19.117468437 +0200
++++ serefpolicy-3.7.19/policy/modules/services/mpd.te 2010-06-28 14:07:11.656151016 +0200
@@ -0,0 +1,111 @@
+
+policy_module(mpd,1.0.0)
@@ -21414,7 +21666,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
+
+dev_read_sysfs(mpd_t)
+
-+files_read_etc_files(mpd_t)
+files_read_usr_files(mpd_t)
+
+fs_getattr_tmpfs(mpd_t)
@@ -21427,6 +21678,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
+
+miscfiles_read_localization(mpd_t)
+
++userdom_read_home_audio_files(mpd_t)
+userdom_read_user_tmpfs_files(mpd_t)
+
+optional_policy(`
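Review bot: `userdom_read_home_audio_files(mpd_t)` gives a system daemon unconditional read access to user home content, and the new mpd.te shown here declares no boolean to switch it off. Daemons that reach into home directories are commonly gated by a tunable in refpolicy, so consider `tunable_policy(\`mpd_enable_homedirs', \` userdom_read_home_audio_files(mpd_t) ')` with the boolean declared next to the type declarations, or at least a comment explaining why the access is unconditional. This assumes audio_home_t is the only home content mpd needs; confirm against the default music_directory in mpd.conf. The mpd_t rules continue outside the hunk.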
@@ -21574,8 +21826,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.19/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/mta.te 2010-06-21 21:28:36.494406812 +0200
-@@ -63,6 +63,9 @@
++++ serefpolicy-3.7.19/policy/modules/services/mta.te 2010-06-28 17:07:58.819151852 +0200
+@@ -23,6 +23,7 @@
+
+ type mail_forward_t;
+ files_type(mail_forward_t)
++userdom_user_home_content(mail_forward_t)
+
+ type mqueue_spool_t;
+ files_mountpoint(mqueue_spool_t)
+@@ -63,6 +64,9 @@
can_exec(system_mail_t, mta_exec_type)
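Review bot: `userdom_user_home_content(mail_forward_t)` puts the .forward type into the user-home-content attribute, so every interface that grants blanket manage of user home content now also covers a file whose contents the MTA interprets (a .forward may direct delivery to a program). That is likely intended, since the user owns the file, but it is a deliberate widening and deserves a comment, e.g. `# ~/.forward: let user domains manage it as ordinary home content`. Also check that mta.fc labels `HOME_DIR/\.forward` as mail_forward_t, otherwise the type is never applied; that file is outside this hunk.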
@@ -21585,7 +21845,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
kernel_read_system_state(system_mail_t)
kernel_read_network_state(system_mail_t)
kernel_request_load_module(system_mail_t)
-@@ -75,10 +78,15 @@
+@@ -75,10 +79,15 @@
selinux_getattr_fs(system_mail_t)
@@ -21601,7 +21861,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
-@@ -89,6 +97,7 @@
+@@ -89,6 +98,7 @@
apache_dontaudit_rw_stream_sockets(system_mail_t)
apache_dontaudit_rw_tcp_sockets(system_mail_t)
apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
@@ -21609,7 +21869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
optional_policy(`
-@@ -100,6 +109,11 @@
+@@ -100,6 +110,11 @@
')
optional_policy(`
@@ -21621,7 +21881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
clamav_stream_connect(system_mail_t)
clamav_append_log(system_mail_t)
')
-@@ -107,6 +121,9 @@
+@@ -107,6 +122,9 @@
optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
cron_dontaudit_write_pipes(system_mail_t)
@@ -21631,7 +21891,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
optional_policy(`
-@@ -126,6 +143,7 @@
+@@ -126,6 +144,7 @@
optional_policy(`
fail2ban_append_log(system_mail_t)
@@ -21639,7 +21899,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
optional_policy(`
-@@ -142,6 +160,10 @@
+@@ -142,6 +161,10 @@
')
optional_policy(`
@@ -21650,7 +21910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
nagios_read_tmp_files(system_mail_t)
')
-@@ -185,6 +207,10 @@
+@@ -185,6 +208,10 @@
')
optional_policy(`
@@ -21661,7 +21921,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
smartmon_read_tmp_files(system_mail_t)
')
-@@ -216,6 +242,7 @@
+@@ -216,6 +243,7 @@
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -22795,7 +23055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.7.19/policy/modules/services/networkmanager.if
--- nsaserefpolicy/policy/modules/services/networkmanager.if 2010-04-13 20:44:36.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/networkmanager.if 2010-05-28 09:42:00.134610841 +0200
++++ serefpolicy-3.7.19/policy/modules/services/networkmanager.if 2010-06-28 18:01:28.875149888 +0200
@@ -100,6 +100,27 @@
########################################
@@ -22849,7 +23109,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
## Read NetworkManager PID files.
##
##
-@@ -134,3 +173,90 @@
+@@ -134,3 +173,89 @@
files_search_pids($1)
allow $1 NetworkManager_var_run_t:file read_file_perms;
')
@@ -22900,7 +23160,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
+ role $2 types NetworkManager_t;
+')
+
-+
+#######################################
+##
+## Allow caller to relabel tun_socket
@@ -22942,7 +23201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.19/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/networkmanager.te 2010-06-16 23:01:53.144859835 +0200
++++ serefpolicy-3.7.19/policy/modules/services/networkmanager.te 2010-06-28 17:38:00.689150486 +0200
@@ -19,6 +19,9 @@
type NetworkManager_tmp_t;
files_tmp_file(NetworkManager_tmp_t)
@@ -23124,12 +23383,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
')
optional_policy(`
-@@ -155,23 +212,55 @@
+@@ -155,23 +212,58 @@
')
optional_policy(`
- nis_use_ypbind(NetworkManager_t)
+ ipsec_domtrans_mgmt(NetworkManager_t)
++ ipsec_mgmt_kill(NetworkManager_t)
++ ipsec_mgmt_signal(NetworkManager_t)
++ ipsec_mgmt_signull(NetworkManager_t)
+')
+
+optional_policy(`
@@ -23183,7 +23445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
')
optional_policy(`
-@@ -179,12 +268,16 @@
+@@ -179,12 +271,16 @@
')
optional_policy(`
@@ -23561,6 +23823,167 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslc
files_read_etc_files(nslcd_t)
auth_use_nsswitch(nslcd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.if serefpolicy-3.7.19/policy/modules/services/ntop.if
+--- nsaserefpolicy/policy/modules/services/ntop.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/ntop.if 2010-06-28 14:35:14.462401509 +0200
+@@ -1 +1,157 @@
+ ## Network Top
++
++########################################
++##
++## Execute a domain transition to run ntop.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ntop_domtrans',`
++ gen_require(`
++ type ntop_t, ntop_exec_t;
++ ')
++
++ domtrans_pattern($1, ntop_exec_t, ntop_t)
++')
++
++########################################
++##
++## Execute ntop server in the ntop domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`ntop_initrc_domtrans',`
++ gen_require(`
++ type ntop_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, ntop_initrc_exec_t)
++')
++
++########################################
++##
++## Read ntop content in /etc
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ntop_read_config',`
++ gen_require(`
++ type ntop_etc_t;
++ ')
++
++ read_files_pattern($1, ntop_etc_t, ntop_etc_t);
++ files_search_etc($1)
++')
++
++########################################
++##
++## Search ntop dirs in /var/lib
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ntop_search_lib',`
++ gen_require(`
++ type ntop_var_lib_t;
++ ')
++
++ search_dirs_pattern($1, ntop_var_lib_t, ntop_var_lib_t)
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read ntop files in /var/lib
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ntop_read_lib_files',`
++ gen_require(`
++ type ntop_var_lib_t;
++ ')
++
++ read_files_pattern($1, ntop_var_lib_t, ntop_var_lib_t)
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Manage ntop files in /var/lib
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ntop_manage_lib_files',`
++ gen_require(`
++ type ntop_var_lib_t;
++ ')
++
++ manage_files_pattern($1, ntop_var_lib_t, ntop_var_lib_t)
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an ntop environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`ntop_admin',`
++ gen_require(`
++ type ntop_t, ntop_var_lib_t, ntop_var_run_t;
++ type ntop_etc_t, ntop_initrc_exec_t;
++ type ntop_tmp_t;
++ ')
++
++ allow $1 ntop_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, ntop_t, ntop_t)
++
++ files_search_etc($1)
++ admin_pattern($1, ntop_etc_t)
++
++ files_list_var_lib($1)
++ admin_pattern($1, ntop_var_lib_t)
++
++ files_search_pids($1)
++ admin_pattern($1, ntop_var_run_t)
++
++ admin_pattern($1, ntop_tmp_t)
++
++ ntop_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 ntop_initrc_exec_t system_r;
++ allow $2 system_r;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.te serefpolicy-3.7.19/policy/modules/services/ntop.te
--- nsaserefpolicy/policy/modules/services/ntop.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/ntop.te 2010-05-28 09:42:00.140610931 +0200
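Review bot: In `ntop_admin`, `admin_pattern($1, ntop_tmp_t)` is not paired with a search rule on /tmp, unlike the other admin interfaces in this patch (chronyd, postfix, cups), so the admin domain is granted rights on files it cannot path to; add `files_search_tmp($1)` before it. `read_files_pattern($1, ntop_t, ntop_t)` should be the idiomatic `ps_process_pattern($1, ntop_t)`, which also lists /proc/<pid> and follows its links. In `ntop_read_config`, `read_files_pattern($1, ntop_etc_t, ntop_etc_t);` carries a stray trailing `;` that no other interface here has; drop it, since I believe an empty statement is rejected by checkpolicy if it survives m4 expansion. The summary on `ntop_initrc_domtrans` says it runs the ntop server, but the body runs the init script; reword to `Execute ntop server init script in the init script domain.`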
@@ -23862,7 +24285,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oide
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.7.19/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/openvpn.te 2010-05-28 09:42:00.147610884 +0200
++++ serefpolicy-3.7.19/policy/modules/services/openvpn.te 2010-06-28 16:12:48.219149997 +0200
@@ -25,6 +25,9 @@
type openvpn_etc_rw_t;
files_config_file(openvpn_etc_rw_t)
@@ -23883,7 +24306,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
allow openvpn_t openvpn_var_log_t:file manage_file_perms;
logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
-@@ -114,6 +120,7 @@
+@@ -103,6 +109,9 @@
+
+ auth_use_pam(openvpn_t)
+
++init_read_utmp(openvpn_t)
++init_dontaudit_write_utmp(openvpn_t)
++
+ logging_send_syslog_msg(openvpn_t)
+
+ miscfiles_read_localization(openvpn_t)
+@@ -114,6 +123,7 @@
sysnet_etc_filetrans_config(openvpn_t)
userdom_use_user_terminals(openvpn_t)
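Review bot: `init_read_utmp(openvpn_t)` lets the VPN daemon read the logged-in-user database and `init_dontaudit_write_utmp(openvpn_t)` silences write attempts, but the hunk records no reason; presumably PAM session modules pulled in through `auth_use_pam(openvpn_t)` touch utmp — confirm from the denial that prompted this. Add a comment above the pair so the next maintainer does not drop it as noise, e.g. `# PAM session modules read utmp; their write attempts are expected and silenced`. The openvpn_t rules continue outside the hunk.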
@@ -25230,7 +25663,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.19/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/postfix.if 2010-05-28 09:42:00.157610567 +0200
++++ serefpolicy-3.7.19/policy/modules/services/postfix.if 2010-06-25 15:34:21.259137720 +0200
@@ -46,6 +46,7 @@
allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
@@ -25574,7 +26007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+ type postfix_initrc_exec_t, postfix_data_t, postfix_etc_t;
+ type postfix_var_run_t;
+
-+ type postfix_map_tmp, postfix_prng_t, postfix_public_t;
++ type postfix_map_tmp_t, postfix_prng_t, postfix_public_t;
+ ')
+
+ allow $1 postfix_bounce_t:process { ptrace signal_perms getattr };
@@ -25617,7 +26050,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+ admin_pattern($1, postfix_var_run_t)
+
+ files_search_tmp($1)
-+ admin_pattern($1, postfix_map_tmp)
++ admin_pattern($1, postfix_map_tmp_t)
+
+ admin_pattern($1, postfix_prng_t)
+
@@ -26157,7 +26590,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.if serefpolicy-3.7.19/policy/modules/services/psad.if
--- nsaserefpolicy/policy/modules/services/psad.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/psad.if 2010-06-16 22:24:51.305109719 +0200
++++ serefpolicy-3.7.19/policy/modules/services/psad.if 2010-06-25 15:09:49.810137902 +0200
@@ -174,6 +174,26 @@
append_files_pattern($1, psad_var_log_t, psad_var_log_t)
')
@@ -26185,6 +26618,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad
########################################
##
## Read and write psad fifo files.
+@@ -232,9 +252,9 @@
+ #
+ interface(`psad_admin',`
+ gen_require(`
+- type psad_t, psad_var_run_t, psad_var_log_t;
+- type psad_initrc_exec_t, psad_var_lib_t;
+- type psad_tmp_t;
++ type psad_t, psad_initrc_exec_t, psad_etc_t;
++ type psad_var_lib_t, psad_var_log_t;
++ type psad_var_run_t, psad_tmp_t;
+ ')
+
+ allow $1 psad_t:process { ptrace signal_perms };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.te serefpolicy-3.7.19/policy/modules/services/psad.te
--- nsaserefpolicy/policy/modules/services/psad.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/psad.te 2010-06-03 10:24:19.786161096 +0200
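Review bot: `psad_etc_t` is added to the `gen_require` of `psad_admin`, but nothing in the hunk uses it; the admin rules are outside the hunk, so confirm `files_search_etc($1)` and `admin_pattern($1, psad_etc_t)` were added alongside. While here, `allow $1 psad_t:process { ptrace signal_perms };` lacks the `getattr` that the other admin interfaces in this patch (cgroup, cobbler, ntop) grant; it predates this change, but adding it keeps the admin interfaces consistent. The psad_admin body continues outside the hunk.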
@@ -26598,7 +27044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.te serefpolicy-3.7.19/policy/modules/services/qpidd.te
--- nsaserefpolicy/policy/modules/services/qpidd.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/qpidd.te 2010-05-28 09:42:00.165610873 +0200
++++ serefpolicy-3.7.19/policy/modules/services/qpidd.te 2010-06-28 16:21:33.763401566 +0200
@@ -0,0 +1,61 @@
+policy_module(qpidd,1.0.0)
+
@@ -26627,7 +27073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid
+# qpidd local policy
+#
+
-+allow qpidd_t self:process signull;
++allow qpidd_t self:process { getsched setsched signull };
+allow qpidd_t self:fifo_file rw_fifo_file_perms;
+allow qpidd_t self:sem create_sem_perms;
+allow qpidd_t self:shm create_shm_perms;
@@ -28093,6 +28539,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog
remotelogin_domtrans(rlogind_t)
remotelogin_signal(rlogind_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.7.19/policy/modules/services/rpcbind.if
+--- nsaserefpolicy/policy/modules/services/rpcbind.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/rpcbind.if 2010-06-25 15:10:52.796137763 +0200
+@@ -141,7 +141,7 @@
+ allow $1 rpcbind_t:process { ptrace signal_perms };
+ ps_process_pattern($1, rpcbind_t)
+
+- init_labeled_script_domtrans($1, rbcbind_initrc_exec_t)
++ init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 rpcbind_initrc_exec_t system_r;
+ allow $2 system_r;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.7.19/policy/modules/services/rpcbind.te
--- nsaserefpolicy/policy/modules/services/rpcbind.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/rpcbind.te 2010-06-09 23:09:15.321208553 +0200
@@ -28395,7 +28853,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.7.19/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/samba.if 2010-05-28 09:42:00.179610779 +0200
++++ serefpolicy-3.7.19/policy/modules/services/samba.if 2010-06-28 18:46:37.808401969 +0200
@@ -62,6 +62,25 @@
########################################
@@ -28567,15 +29025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
## All of the rules required to administrate
## an samba environment
##
-@@ -630,6 +759,7 @@
- type nmbd_t, nmbd_var_run_t;
- type smbd_t, smbd_tmp_t;
- type smbd_var_run_t;
-+ type smbd_initrc_exec_t, smbd_spool_t;
-
- type samba_log_t, samba_var_t;
- type samba_etc_t, samba_share_t;
-@@ -640,6 +770,7 @@
+@@ -640,6 +769,7 @@
type winbind_var_run_t, winbind_tmp_t;
type winbind_log_t;
@@ -28583,7 +29033,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
type samba_initrc_exec_t;
')
-@@ -649,6 +780,9 @@
+@@ -649,6 +779,9 @@
allow $1 nmbd_t:process { ptrace signal_perms };
ps_process_pattern($1, nmbd_t)
@@ -28593,17 +29043,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
samba_run_smbcontrol($1, $2, $3)
samba_run_winbind_helper($1, $2, $3)
samba_run_smbmount($1, $2, $3)
-@@ -674,6 +808,9 @@
- admin_pattern($1, samba_var_t)
- files_list_var($1)
-
-+ admin_pattern($1, smbd_spool_t)
-+ files_list_spool($1)
-+
- admin_pattern($1, smbd_var_run_t)
- files_list_pids($1)
-
-@@ -689,4 +826,5 @@
+@@ -689,4 +822,5 @@
admin_pattern($1, winbind_tmp_t)
admin_pattern($1, winbind_var_run_t)
@@ -29166,7 +29606,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
+/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.7.19/policy/modules/services/setroubleshoot.if
--- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/setroubleshoot.if 2010-05-28 09:42:00.185610799 +0200
++++ serefpolicy-3.7.19/policy/modules/services/setroubleshoot.if 2010-06-25 15:13:41.144137172 +0200
@@ -16,8 +16,8 @@
')
@@ -29288,7 +29728,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
+#
+interface(`setroubleshoot_admin',`
+ gen_require(`
-+ type setroubleshootd_t, setroubleshoot_log_t;
++ type setroubleshootd_t, setroubleshoot_var_log_t;
+ type setroubleshoot_var_lib_t, setroubleshoot_var_run_t;
+ ')
+
@@ -29296,7 +29736,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
+ ps_process_pattern($1, setroubleshootd_t)
+
+ logging_list_logs($1)
-+ admin_pattern($1, setroubleshoot_log_t)
++ admin_pattern($1, setroubleshoot_var_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, setroubleshoot_var_lib_t)
@@ -30072,7 +30512,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
+/root/\.shosts gen_context(system_u:object_r:home_ssh_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.19/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/ssh.if 2010-05-28 09:42:00.193610685 +0200
++++ serefpolicy-3.7.19/policy/modules/services/ssh.if 2010-06-28 14:23:36.870401349 +0200
@@ -36,6 +36,7 @@
gen_require(`
attribute ssh_server;
@@ -30233,7 +30673,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
+#
+interface(`ssh_initrc_domtrans',`
+ gen_require(`
-+ type sshdd_initrc_exec_t;
++ type sshd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, sshd_initrc_exec_t)
@@ -30331,7 +30771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
+
+ userdom_search_user_home_dirs($1)
+ userdom_search_admin_dir($1)
-+ admin_pattern($1,ssh_home_t)
++ admin_pattern($1, ssh_home_t)
+
+ files_search_etc($1)
+ admin_pattern($1,sshd_key_t)
@@ -30702,7 +31142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.19/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/virt.if 2010-05-28 09:42:00.200610708 +0200
++++ serefpolicy-3.7.19/policy/modules/services/virt.if 2010-06-28 16:27:05.439151006 +0200
@@ -21,6 +21,7 @@
type $1_t, virt_domain;
domain_type($1_t)
@@ -30711,7 +31151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
role system_r types $1_t;
type $1_devpts_t;
-@@ -35,9 +36,7 @@
+@@ -35,16 +36,16 @@
type $1_image_t, virt_image_type;
files_type($1_image_t)
dev_node($1_image_t)
@@ -30722,15 +31162,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
term_create_pty($1_t, $1_devpts_t)
-@@ -45,6 +44,7 @@
+
manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
manage_files_pattern($1_t, $1_image_t, $1_image_t)
++ manage_fifo_files_pattern($1_t, $1_image_t, $1_image_t)
read_lnk_files_pattern($1_t, $1_image_t, $1_image_t)
+ rw_chr_files_pattern($1_t, $1_image_t, $1_image_t)
rw_blk_files_pattern($1_t, $1_image_t, $1_image_t)
manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
-@@ -57,18 +57,6 @@
+@@ -57,18 +58,6 @@
manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
@@ -30749,7 +31190,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
optional_policy(`
xserver_rw_shm($1_t)
')
-@@ -171,6 +159,7 @@
+@@ -171,6 +160,7 @@
files_search_etc($1)
read_files_pattern($1, virt_etc_t, virt_etc_t)
read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
@@ -30757,7 +31198,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
########################################
-@@ -192,6 +181,7 @@
+@@ -192,6 +182,7 @@
files_search_etc($1)
manage_files_pattern($1, virt_etc_t, virt_etc_t)
manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
@@ -30765,7 +31206,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
########################################
-@@ -433,15 +423,15 @@
+@@ -306,6 +297,24 @@
+ read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+ ')
+
++#######################################
++##
++## Dontaudit inherited read virt lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`virt_dontaudit_read_lib_files',`
++ gen_require(`
++ type virt_var_lib_t;
++ ')
++
++ dontaudit $1 virt_var_lib_t:file read_inherited_file_perms;
++')
++
+ ########################################
+ ##
+ ## Create, read, write, and delete
+@@ -433,15 +442,15 @@
##
##
#
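Review bot: The separator line above the new `virt_dontaudit_read_lib_files` interface is one `#` shorter than the 40-character separators used by the neighbouring blocks (compare it with the line above "Create, read, write, and delete" in the same hunk), so the new block stands out in the file; the same short separator is used for the new `ipsec_mgmt_kill`, `logging_dontaudit_read_all_logs` and `userdom_read_home_audio_files` blocks later in this patch. Padding it to `########################################` keeps the file uniform. The rule itself only covers `virt_var_lib_t:file read_inherited_file_perms`, which matches the "inherited read" wording of the summary.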
@@ -30786,7 +31252,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
########################################
-@@ -516,3 +506,32 @@
+@@ -516,3 +525,32 @@
virt_manage_log($1)
')
@@ -33954,7 +34420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
/usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.7.19/policy/modules/system/ipsec.if
--- nsaserefpolicy/policy/modules/system/ipsec.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/ipsec.if 2010-06-16 22:59:08.426110312 +0200
++++ serefpolicy-3.7.19/policy/modules/system/ipsec.if 2010-06-28 18:03:11.725433402 +0200
@@ -18,6 +18,24 @@
domtrans_pattern($1, ipsec_exec_t, ipsec_t)
')
@@ -33980,9 +34446,67 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
########################################
##
## Connect to IPSEC using a unix domain stream socket.
+@@ -273,3 +291,57 @@
+ ipsec_domtrans_setkey($1)
+ role $2 types setkey_t;
+ ')
++
++#######################################
++##
++## Send the kill signal to ipsec-mgmt
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipsec_mgmt_kill',`
++ gen_require(`
++ type NetworkManager_t;
++ ')
++
++ allow $1 ipsec_mgmt_t:process sigkill;
++')
++
++########################################
++##
++## Send a generic signal to ipsec-mgmt
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipsec_mgmt_signal',`
++ gen_require(`
++ type ipsec_mgmt_t;
++ ')
++
++ allow $1 ipsec_mgmt_t:process signal;
++')
++
++########################################
++##
++## Send a generic signull to ipsec-mgmt.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipsec_mgmt_signull',`
++ gen_require(`
++ type ipsec-mgmt_t;
++ ')
++
++ allow $1 ipsec_mgmt_t:process signull;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.19/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/ipsec.te 2010-05-28 09:42:00.219610910 +0200
++++ serefpolicy-3.7.19/policy/modules/system/ipsec.te 2010-06-28 17:43:10.957161748 +0200
@@ -73,7 +73,7 @@
#
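Review bot: The `gen_require` of the new `ipsec_mgmt_kill` interface declares `type NetworkManager_t;` although the only rule in the body uses `ipsec_mgmt_t`, and `ipsec_mgmt_signull` requires `type ipsec-mgmt_t;`, which is not a valid type name (hyphen) and matches nothing in the policy; both should read `type ipsec_mgmt_t;` exactly as `ipsec_mgmt_signal` does. As written the kill interface pulls an unrelated NetworkManager type into every caller's requirements while leaving `ipsec_mgmt_t` unrequired, and the signull interface can be expected to fail at build time for any module that calls it. The three interfaces otherwise follow the same shape, so a copy-paste fix is all that is needed.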
@@ -34001,16 +34525,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
userdom_dontaudit_search_user_home_dirs(ipsec_t)
-@@ -186,7 +188,7 @@
+@@ -186,7 +188,9 @@
allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
dontaudit ipsec_mgmt_t self:capability sys_tty_config;
-allow ipsec_mgmt_t self:process { getsched ptrace setrlimit signal };
++# don't audit using of lsof
++dontaudit ipsec_mgmt_t self:capability sys_ptrace;
+allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal };
allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
-@@ -225,7 +227,6 @@
+@@ -225,7 +229,6 @@
manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
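Review bot: The comment on the new dontaudit line, `# don't audit using of lsof`, is ungrammatical and does not say which access is being silenced; suggest `# lsof probes other processes; do not audit its sys_ptrace capability checks`. Placing the comment directly above `dontaudit ipsec_mgmt_t self:capability sys_ptrace;` is right, but note that the `allow ipsec_mgmt_t self:process { ... ptrace ... }` line that follows is a separate, pre-existing grant and the comment should not read as covering it. The `setsched` addition on that line is unexplained; a short note naming the script that needs it would help the next reader.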
@@ -34018,25 +34544,49 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
# whack needs to connect to pluto
stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
-@@ -258,7 +259,7 @@
+@@ -258,7 +261,13 @@
domain_use_interactive_fds(ipsec_mgmt_t)
# denials when ps tries to search /proc. Do not audit these denials.
-domain_dontaudit_list_all_domains_state(ipsec_mgmt_t)
+domain_dontaudit_read_all_domains_state(ipsec_mgmt_t)
++
++domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
++domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t)
++
++dev_dontaudit_getattr_all_blk_files(ipsec_mgmt_t)
++dev_dontaudit_getattr_all_chr_files(ipsec_mgmt_t)
# suppress audit messages about unnecessary socket access
# cjp: this seems excessive
domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
-@@ -276,7 +277,7 @@
+@@ -270,19 +279,25 @@
+ files_read_usr_files(ipsec_mgmt_t)
+ files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
+ files_dontaudit_getattr_default_files(ipsec_mgmt_t)
++files_dontaudit_getattr_all_files(ipsec_mgmt_t)
++files_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
+ files_list_tmp(ipsec_mgmt_t)
+
+ fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
-term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
+term_use_all_terms(ipsec_mgmt_t)
++
++auth_read_login_records(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t)
init_exec_script_files(ipsec_mgmt_t)
-@@ -291,7 +292,9 @@
+ init_use_fds(ipsec_mgmt_t)
+ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
++init_read_utmp(ipsec_mgmt_t)
+
++logging_read_all_logs(ipsec_mgmt_t)
+ logging_send_syslog_msg(ipsec_mgmt_t)
+
+ miscfiles_read_localization(ipsec_mgmt_t)
+@@ -291,15 +306,34 @@
seutil_dontaudit_search_config(ipsec_mgmt_t)
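Review bot: `logging_read_all_logs(ipsec_mgmt_t)` grants read access to every file carrying the `logfile` attribute, which is considerably broader than the surrounding additions, all of which are dontaudit rules (`domain_dontaudit_getattr_all_sockets`, `dev_dontaudit_getattr_all_blk_files`, `files_dontaudit_getattr_all_files`). This same patch introduces `logging_dontaudit_read_all_logs` in logging.if; unless the openswan management scripts actually need the contents of arbitrary logs, `logging_dontaudit_read_all_logs(ipsec_mgmt_t)` would silence the denial without widening the domain. The same question applies to `term_use_all_terms(ipsec_mgmt_t)` replacing the former `term_dontaudit_getattr_unallocated_ttys` line. The `ipsec_mgmt_t` rule block continues outside this hunk.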
@@ -34046,7 +34596,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
userdom_use_user_terminals(ipsec_mgmt_t)
-@@ -386,6 +389,8 @@
+ optional_policy(`
++ dbus_system_bus_client(ipsec_mgmt_t)
++ dbus_connect_system_bus(ipsec_mgmt_t)
++')
++
++optional_policy(`
+ consoletype_exec(ipsec_mgmt_t)
+ ')
+
+ optional_policy(`
++ hostname_exec(ipsec_mgmt_t)
++')
++
++optional_policy(`
++ iptables_domtrans(ipsec_mgmt_t)
++')
++
++optional_policy(`
++ networkmanager_dbus_chat(ipsec_mgmt_t)
++')
++
++optional_policy(`
+ nscd_socket_use(ipsec_mgmt_t)
+ ')
+
+@@ -386,6 +420,8 @@
sysnet_exec_ifconfig(racoon_t)
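Review bot: The new `dbus_system_bus_client`/`dbus_connect_system_bus` block is inserted ahead of `consoletype_exec`, which breaks the alphabetical ordering the rest of these `optional_policy` blocks follow (consoletype, hostname, iptables, networkmanager, nscd); moving it between the consoletype and hostname blocks restores it. `iptables_domtrans(ipsec_mgmt_t)` adds a domain transition into the firewall tool and `networkmanager_dbus_chat(ipsec_mgmt_t)` opens a D-Bus channel, yet neither carries a comment on why; a one-liner such as `# NM-openswan: the ipsec scripts are driven by NetworkManager over D-Bus and invoke iptables (confirm against the scripts)` tied to the changelog's "Fixes for NM-openswan" entry would make the intent reviewable later. The `ipsec_mgmt_t` section continues outside this hunk.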
@@ -34055,7 +34630,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
-@@ -412,6 +417,7 @@
+@@ -412,6 +448,7 @@
files_read_etc_files(setkey_t)
init_dontaudit_use_fds(setkey_t)
@@ -34063,7 +34638,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
# allow setkey to set the context for ipsec SAs and policy.
ipsec_setcontext_default_spd(setkey_t)
-@@ -423,3 +429,4 @@
+@@ -423,3 +460,4 @@
seutil_read_config(setkey_t)
userdom_use_user_terminals(setkey_t)
@@ -34617,7 +35192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.7.19/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/logging.if 2010-05-28 09:42:00.503610861 +0200
++++ serefpolicy-3.7.19/policy/modules/system/logging.if 2010-06-28 18:21:14.861150814 +0200
@@ -545,6 +545,25 @@
########################################
@@ -34671,7 +35246,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
')
########################################
-@@ -798,7 +835,7 @@
+@@ -739,6 +776,25 @@
+ read_files_pattern($1, logfile, logfile)
+ ')
+
++#######################################
++##
++## dontaudit Read all log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`logging_dontaudit_read_all_logs',`
++ gen_require(`
++ attribute logfile;
++ ')
++
++ dontaudit $1 logfile:file read_file_perms;
++')
++
+ ########################################
+ ##
+ ## Execute all log files in the caller domain.
+@@ -798,7 +854,7 @@
files_search_var($1)
manage_files_pattern($1, logfile, logfile)
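Review bot: `logging_dontaudit_read_all_logs` only silences `logfile:file read_file_perms`, whereas its allow counterpart visible at the top of this hunk goes through `read_files_pattern($1, logfile, logfile)`, which also covers directory search on the `logfile` attribute; if the intent is to mirror that interface, a caller that walks into a log directory will still log a `dir search` denial, so add `dontaudit $1 logfile:dir search_dir_perms;`. The summary `dontaudit Read all log files.` would read better as `Do not audit attempts to read all log files.`, matching the phrasing used by the dontaudit interfaces elsewhere in this patch (e.g. "Do not audit attempts to read user home files.").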
@@ -34680,7 +35281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
')
########################################
-@@ -996,6 +1033,8 @@
+@@ -996,6 +1052,8 @@
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
logging_manage_all_logs($1)
@@ -34893,8 +35494,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.7.19/policy/modules/system/miscfiles.fc
--- nsaserefpolicy/policy/modules/system/miscfiles.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/miscfiles.fc 2010-06-16 23:04:05.990110101 +0200
-@@ -76,12 +76,16 @@
++++ serefpolicy-3.7.19/policy/modules/system/miscfiles.fc 2010-06-28 14:07:11.666276142 +0200
+@@ -76,12 +76,18 @@
/var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)
/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
@@ -34903,6 +35504,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
/var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
++/var/spool/abrt-upload(/.*)? gen_context(system_u:object_r:public_content_rw_t,s0)
++
/var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
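Review bot: `/var/spool/abrt-upload(/.*)?` is labeled `public_content_rw_t`, the generic shared type that the other entries in this file use for web and cobbler public content, so anything abrt drops here becomes readable by every domain that may read public content. If the upload spool holds crash reports, which can carry sensitive process data, a type owned by the abrt module would keep it off that shared path; if `public_content_rw_t` is deliberate because a network service writes the uploads, a comment on the entry or in the changelog saying so would record that decision.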
@@ -37876,8 +38479,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.19/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/userdomain.fc 2010-05-28 09:42:00.524610720 +0200
-@@ -1,4 +1,13 @@
++++ serefpolicy-3.7.19/policy/modules/system/userdomain.fc 2010-06-28 14:07:11.693150801 +0200
+@@ -1,4 +1,14 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
@@ -37889,12 +38492,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
+HOME_DIR/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0)
+HOME_DIR/local/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0)
++HOME_DIR/Music(/.*)? gen_context(system_u:object_r:audio_home_t,s0)
+HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+HOME_DIR/\.gvfs(/.*)? <>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.19/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-06-14 18:44:14.626468321 +0200
++++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-06-28 16:31:05.602400171 +0200
@@ -30,8 +30,9 @@
')
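Review bot: The new `HOME_DIR/Music(/.*)?` entry matches only the literal English directory name; if xdg-user-dirs names the folder per locale on a localized install, the `audio_home_t` label, and with it the new `userdom_read_home_audio_files` interface, will not apply there and the files remain `user_home_t`. A short comment on the entry, `# only the default English xdg name is covered`, or a changelog note would make that limitation explicit rather than discovered by users.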
@@ -38637,11 +39241,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
userdom_change_password_template($1)
-@@ -735,70 +841,73 @@
+@@ -735,70 +841,74 @@
allow $1_t self:context contains;
- kernel_dontaudit_read_system_state($1_t)
++ kernel_dontaudit_list_all_proc($1_usertype)
+ kernel_dontaudit_read_system_state($1_usertype)
- dev_read_sysfs($1_t)
@@ -38744,10 +39349,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
')
-@@ -830,12 +939,35 @@
+@@ -830,12 +940,38 @@
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
++ allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms;
++ dontaudit $1_usertype self:netlink_audit_socket create_socket_perms;
++
+ allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
+ dontaudit $1_t self:netlink_audit_socket create_socket_perms;
+
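Review bot: The two new `$1_usertype` rules for `netlink_kobject_uevent_socket` and `netlink_audit_socket` sit directly above an identical pair for `$1_t`; if `$1_t` carries the `$1_usertype` attribute, as the conversion of other rules in this template from `$1_t` to `$1_usertype` suggests, the `$1_t` pair is now redundant and can be dropped. Keeping both leaves it unclear which is the canonical rule when one is later changed. The template body continues outside this hunk.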
@@ -38780,7 +39388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
loadkeys_run($1_t,$1_r)
')
')
-@@ -871,45 +1003,83 @@
+@@ -871,45 +1007,83 @@
#
auth_role($1_r, $1_t)
@@ -38879,7 +39487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
')
-@@ -944,7 +1114,7 @@
+@@ -944,7 +1118,7 @@
#
# Inherit rules for ordinary users.
@@ -38888,7 +39496,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
userdom_common_user_template($1)
##############################
-@@ -953,54 +1123,73 @@
+@@ -953,54 +1127,73 @@
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -38904,7 +39512,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
-
- ifndef(`enable_mls',`
- fs_exec_noxattr($1_t)
--
++ storage_rw_fuse($1_t)
+
- tunable_policy(`user_rw_noexattrfile',`
- fs_manage_noxattr_fs_files($1_t)
- fs_manage_noxattr_fs_dirs($1_t)
@@ -38915,8 +39524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
- storage_raw_read_removable_device($1_t)
- ')
- ')
-+ storage_rw_fuse($1_t)
-
+-
- tunable_policy(`user_dmesg',`
- kernel_read_ring_buffer($1_t)
- ',`
@@ -38957,16 +39565,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+
+ optional_policy(`
+ gpm_stream_connect($1_usertype)
- ')
-
-- # Run pppd in pppd_t by default for user
- optional_policy(`
-- ppp_run_cond($1_t,$1_r)
++ ')
++
++ optional_policy(`
+ execmem_role_template($1, $1_r, $1_t)
- ')
-
- optional_policy(`
-- setroubleshoot_stream_connect($1_t)
++ ')
++
++ optional_policy(`
+ java_role_template($1, $1_r, $1_t)
+ ')
+
@@ -38980,19 +39585,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+
+ optional_policy(`
+ wine_role_template($1, $1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+- # Run pppd in pppd_t by default for user
+ optional_policy(`
+- ppp_run_cond($1_t,$1_r)
+ postfix_run_postdrop($1_t, $1_r)
-+ ')
-+
+ ')
+
+ # Run pppd in pppd_t by default for user
-+ optional_policy(`
+ optional_policy(`
+- setroubleshoot_stream_connect($1_t)
+ ppp_run_cond($1_t, $1_r)
')
')
-@@ -1036,7 +1225,7 @@
+@@ -1036,7 +1229,7 @@
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -39001,7 +39609,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
##############################
-@@ -1071,6 +1260,9 @@
+@@ -1071,6 +1264,9 @@
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -39011,7 +39619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1085,6 +1277,7 @@
+@@ -1085,6 +1281,7 @@
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -39019,7 +39627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1116,10 +1309,13 @@
+@@ -1116,10 +1313,13 @@
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -39033,7 +39641,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
fs_set_all_quotas($1_t)
fs_exec_noxattr($1_t)
-@@ -1139,6 +1335,7 @@
+@@ -1139,6 +1339,7 @@
logging_send_syslog_msg($1_t)
modutils_domtrans_insmod($1_t)
@@ -39041,7 +39649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1207,6 +1404,8 @@
+@@ -1207,6 +1408,8 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -39050,7 +39658,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1234,6 +1433,7 @@
+@@ -1234,6 +1437,7 @@
seutil_run_checkpolicy($1,$2)
seutil_run_loadpolicy($1,$2)
seutil_run_semanage($1,$2)
@@ -39058,7 +39666,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
seutil_run_setfiles($1, $2)
optional_policy(`
-@@ -1272,11 +1472,15 @@
+@@ -1272,11 +1476,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -39074,7 +39682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1387,6 +1591,7 @@
+@@ -1387,6 +1595,7 @@
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -39082,7 +39690,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
files_search_home($1)
')
-@@ -1433,6 +1638,14 @@
+@@ -1433,6 +1642,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -39097,7 +39705,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1448,9 +1661,11 @@
+@@ -1448,9 +1665,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -39109,7 +39717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1507,6 +1722,42 @@
+@@ -1507,6 +1726,42 @@
allow $1 user_home_dir_t:dir relabelto;
')
@@ -39152,7 +39760,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
########################################
##
## Create directories in the home dir root with
-@@ -1581,6 +1832,8 @@
+@@ -1581,6 +1836,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -39161,7 +39769,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1595,10 +1848,12 @@
+@@ -1595,10 +1852,12 @@
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -39176,7 +39784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1641,6 +1896,24 @@
+@@ -1641,6 +1900,24 @@
########################################
##
@@ -39201,7 +39809,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Do not audit attempts to set the
## attributes of user home files.
##
-@@ -1692,10 +1965,30 @@
+@@ -1692,10 +1969,30 @@
type user_home_dir_t, user_home_t;
')
@@ -39232,7 +39840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
########################################
##
## Do not audit attempts to read user home files.
-@@ -1708,11 +2001,14 @@
+@@ -1708,11 +2005,14 @@
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -39250,7 +39858,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1802,8 +2098,7 @@
+@@ -1802,8 +2102,7 @@
type user_home_dir_t, user_home_t;
')
@@ -39260,7 +39868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1815,25 +2110,18 @@
+@@ -1815,25 +2114,18 @@
## Domain allowed access.
##
##
@@ -39290,7 +39898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
########################################
##
## Do not audit attempts to execute user home files.
-@@ -1866,6 +2154,7 @@
+@@ -1866,6 +2158,7 @@
interface(`userdom_manage_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -39298,7 +39906,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2102,6 +2391,25 @@
+@@ -2102,6 +2395,25 @@
########################################
##
@@ -39324,7 +39932,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Do not audit attempts to list user
## temporary directories.
##
-@@ -2218,6 +2526,25 @@
+@@ -2218,6 +2530,25 @@
########################################
##
@@ -39350,7 +39958,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Do not audit attempts to manage users
## temporary files.
##
-@@ -2427,13 +2754,14 @@
+@@ -2427,13 +2758,14 @@
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -39366,7 +39974,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
##
-@@ -2454,6 +2782,24 @@
+@@ -2454,6 +2786,24 @@
########################################
##
@@ -39391,7 +39999,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Get the attributes of a user domain tty.
##
##
-@@ -2747,6 +3093,25 @@
+@@ -2747,6 +3097,25 @@
########################################
##
@@ -39417,7 +40025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Execute bin_t in the unprivileged user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
-@@ -2787,7 +3152,7 @@
+@@ -2787,7 +3156,7 @@
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -39426,7 +40034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2803,11 +3168,13 @@
+@@ -2803,11 +3172,13 @@
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -39442,7 +40050,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2944,7 +3311,7 @@
+@@ -2944,7 +3315,7 @@
type user_tmp_t;
')
@@ -39451,7 +40059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2981,6 +3348,7 @@
+@@ -2981,6 +3352,7 @@
')
read_files_pattern($1, userdomain, userdomain)
@@ -39459,7 +40067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_search_proc($1)
')
-@@ -3111,3 +3479,702 @@
+@@ -3111,3 +3483,724 @@
allow $1 userdomain:dbus send_msg;
')
@@ -40034,6 +40642,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ read_lnk_files_pattern($1, home_cert_t, home_cert_t)
+')
+
++#######################################
++##
++## Read audio files in the users homedir.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`userdom_read_home_audio_files',`
++ gen_require(`
++ type audio_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ allow $1 audio_home_t:dir list_dir_perms;
++ read_files_pattern($1, audio_home_t, audio_home_t)
++ read_lnk_files_pattern($1, audio_home_t, audio_home_t)
++')
++
+########################################
+##
+## dontaudit Search getatrr /root files
@@ -40164,7 +40794,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.19/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/userdomain.te 2010-05-28 09:42:00.529612133 +0200
++++ serefpolicy-3.7.19/policy/modules/system/userdomain.te 2010-06-28 14:07:11.753148781 +0200
@@ -29,13 +29,6 @@
##
@@ -40210,11 +40840,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
userdom_user_home_content(user_home_t)
fs_associate_tmpfs(user_home_t)
files_associate_tmp(user_home_t)
-@@ -97,3 +100,36 @@
+@@ -97,3 +100,40 @@
type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
dev_node(user_tty_device_t)
ubac_constrained(user_tty_device_t)
+
++type audio_home_t;
++userdom_user_home_content(audio_home_t)
++ubac_constrained(audio_home_t)
++
+type home_bin_t;
+userdom_user_home_content(home_bin_t)
+ubac_constrained(home_bin_t)
@@ -40263,7 +40897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.19/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/xen.te 2010-05-28 09:42:00.531610673 +0200
++++ serefpolicy-3.7.19/policy/modules/system/xen.te 2010-06-28 16:10:21.601401352 +0200
@@ -5,6 +5,7 @@
#
# Declarations
@@ -40297,7 +40931,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
kernel_read_kernel_sysctls(xm_t)
kernel_read_sysctl(xm_t)
kernel_read_xen_state(xm_t)
-@@ -438,6 +441,12 @@
+@@ -438,10 +441,17 @@
')
optional_policy(`
@@ -40310,7 +40944,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
virt_domtrans(xm_t)
virt_manage_images(xm_t)
virt_manage_config(xm_t)
-@@ -454,11 +463,14 @@
+ virt_stream_connect(xm_t)
++ virt_dontaudit_read_lib_files(xm_t)
+ ')
+
+ ########################################
+@@ -454,11 +464,14 @@
kernel_read_xen_state(xm_ssh_t)
kernel_write_xen_state(xm_ssh_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d4d9a49..a3d8785 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 31%{?dist}
+Release: 32%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,16 @@ exit 0
%endif
%changelog
+* Mon Jun 28 2010 Miroslav Grepl 3.7.19-32
+- Allow sectool to connect to users over unix stream socket
+- Add label for /var/spool/abrt-upload
+- Add audio_home_t type for homedir/Music files
+- Allow aiccu to read network config files
+- Allow qpidd to setsched
+- Allow virt domains to manage svirt_image_t fifo files
+- Fixes for NM-openswan
+- Fixes for admin interfaces
+
* Mon Jun 21 2010 Miroslav Grepl 3.7.19-31
- Remove daemons dontaudit to search all dirs
- Add support for epylog