diff --git a/modules-mls.conf b/modules-mls.conf
index b994d4d..1ff7437 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -2089,3 +2089,10 @@ shutdown = module
# policy for namespace.init script
#
namespace = module
+
+# Layer: services
+# Module: matahari
+#
+# Matahari system maangement tools
+#
+matahari = module
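Review bot: The description line `# Matahari system maangement tools` misspells "management", and the same typo is repeated in the modules-targeted.conf hunk below; both should read `# Matahari system management tools`. The neighbouring entries say what the policy covers (`# policy for namespace.init script`), so the matahari description would be more useful if it named what the module confines; that detail has to come from the module's own .te file, which is not on this page.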
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 54d4a43..21189c8 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -2244,3 +2244,10 @@ namespace = module
# vdagent
#
vdagent = module
+
+# Layer: services
+# Module: matahari
+#
+# Matahari system maangement tools
+#
+matahari = module
diff --git a/policy-F13.patch b/policy-F13.patch
index 969029f..7efbf39 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -2970,7 +2970,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.7.19/policy/modules/admin/shutdown.te
--- nsaserefpolicy/policy/modules/admin/shutdown.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te 2011-02-25 17:15:02.692365619 +0000
++++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te 2011-03-16 13:24:10.175107001 +0000
@@ -0,0 +1,75 @@
+policy_module(shutdown,1.0.0)
+
@@ -2995,8 +2995,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
+# shutdown local policy
+#
+
-+allow shutdown_t self:capability { dac_override kill setuid sys_tty_config };
-+allow shutdown_t self:process { fork signal signull };
++allow shutdown_t self:capability { dac_override kill setuid sys_nice sys_tty_config };
++allow shutdown_t self:process { fork setsched signal signull };
+
+allow shutdown_t self:fifo_file manage_fifo_file_perms;
+allow shutdown_t self:unix_stream_socket create_stream_socket_perms;
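Review bot: The two rewritten `++allow` lines give `shutdown_t` the `sys_nice` capability and `setsched` on its own process with no comment saying which step of the shutdown path needs them; `sys_nice` is the capability check for raising priority or switching to real-time scheduling, so it is worth recording. If the need was observed as a denial during a normal shutdown, a line such as `# sys_nice/setsched: <operation> raises its priority — TODO confirm` above the rule keeps the grant reviewable; if it was only a probe, a `dontaudit` for those two permissions would be the narrower fix. The `shutdown_t` policy block continues outside this hunk.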
@@ -7988,8 +7988,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2011-03-04 14:39:39.566413002 +0000
-@@ -0,0 +1,475 @@
++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2011-03-16 09:27:13.618107000 +0000
+@@ -0,0 +1,477 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -8126,6 +8126,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+manage_sock_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
+manage_fifo_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
+manage_lnk_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
++dontaudit sandbox_domain sandbox_file_t:dir mounton;
+
+gen_require(`
+ type usr_t, lib_t, locale_t;
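Review bot: The new `dontaudit sandbox_domain sandbox_file_t:dir mounton;` silences every attempt by a sandboxed program to mount over its own sandbox_file_t directories without saying what generates the noise. The seunshare hunk later in this diff gives `seunshare_domain` explicit `mounton` rules, which suggests the real mounting happens there; if the sandboxed program only probes, a comment such as `# <source> probes mounton on sandbox dirs — TODO confirm` next to the dontaudit makes that checkable. The sandbox_domain block continues outside the hunk.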
@@ -8207,6 +8208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+fs_getattr_tmpfs(sandbox_x_domain)
+fs_getattr_xattr_fs(sandbox_x_domain)
+fs_list_inotifyfs(sandbox_x_domain)
++fs_dontaudit_getattr_xattr_fs(sandbox_x_domain)
+
+auth_dontaudit_read_login_records(sandbox_x_domain)
+auth_dontaudit_write_login_records(sandbox_x_domain)
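Review bot: `fs_dontaudit_getattr_xattr_fs(sandbox_x_domain)` is added three lines below `fs_getattr_xattr_fs(sandbox_x_domain)`; if both interfaces cover the same `filesystem getattr` permission on the xattr filesystem types (their definitions are not on this page), the dontaudit is a no-op because the allow already applies. Either drop the new line or, if the two interfaces differ in which filesystem types they cover, say so in a comment beside it. The sandbox_x_domain block continues outside the hunk.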
@@ -8568,8 +8570,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.19/policy/modules/apps/seunshare.te
--- nsaserefpolicy/policy/modules/apps/seunshare.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/apps/seunshare.te 2011-03-04 14:39:51.781413002 +0000
-@@ -1,45 +1,52 @@
++++ serefpolicy-3.7.19/policy/modules/apps/seunshare.te 2011-03-16 18:18:06.860851000 +0000
+@@ -1,45 +1,64 @@
-
-policy_module(seunshare, 1.0.1)
+policy_module(seunshare, 1.1.0)
@@ -8629,6 +8631,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
-userdom_use_user_terminals(seunshare_t)
+userdom_use_user_terminals(seunshare_domain)
+userdom_list_user_home_content(seunshare_domain)
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_mounton_nfs(seunshare_domain)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_mounton_cifs(seunshare_domain)
++')
++
++tunable_policy(`use_fusefs_home_dirs',`
++ fs_mounton_fusefs(seunshare_domain)
++')
ifdef(`hide_broken_symptoms', `
- fs_dontaudit_rw_anon_inodefs_files(seunshare_t)
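Review bot: `fs_mounton_nfs`, `fs_mounton_cifs` and `fs_mounton_fusefs` are gated by the `use_*_home_dirs` tunables, but judging by their names they grant `dir mounton` on every nfs_t/cifs_t/fusefs_t directory, not only under home directories; the fusefs one is defined later in this diff as `allow $1 fusefs_t:dir mounton;` with no path restriction. That is presumably acceptable for a tool whose job is to mount over user directories, but a comment above the three blocks, e.g. `# seunshare mounts over the user's home on network filesystems`, would record the intended scope. The seunshare_domain block continues outside the hunk.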
@@ -9780,7 +9794,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2011-02-04 10:57:54.385796000 +0000
++++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2011-03-16 14:25:07.223107001 +0000
@@ -25,6 +25,7 @@
#
type tun_tap_device_t;
@@ -9830,9 +9844,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(comsat, udp,512,s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
-@@ -98,7 +104,9 @@
+@@ -97,8 +103,11 @@
+ network_port(dict, tcp,2628,s0)
network_port(distccd, tcp,3632,s0)
network_port(dns, udp,53,s0, tcp,53,s0)
++network_port(dogtag, tcp,7390,s0)
network_port(epmap, tcp,135,s0, udp,135,s0)
+network_port(festival, tcp,1314,s0)
network_port(fingerd, tcp,79,s0)
@@ -9840,7 +9856,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
network_port(ftp_data, tcp,20,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-@@ -109,7 +117,7 @@
+@@ -109,7 +118,7 @@
network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
@@ -9849,7 +9865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
-@@ -124,40 +132,56 @@
+@@ -124,40 +133,58 @@
network_port(isns, tcp,3205,s0, udp,3205,s0)
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0)
@@ -9868,6 +9884,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
+network_port(luci, tcp,8084,s0)
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
network_port(mail, tcp,2000,s0, tcp,3905,s0)
++network_port(matahari, tcp,49000,s0, udp,49000,s0)
network_port(memcache, tcp,11211,s0, udp,11211,s0)
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
network_port(monopd, tcp,1234,s0)
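Review bot: `network_port(matahari, tcp,49000,s0, udp,49000,s0)` labels a port inside Linux's default local (ephemeral) port range, 32768–61000 or 32768–60999 depending on the kernel, so an unrelated outgoing connection that happens to get source port 49000 is checked against matahari_port_t as well. That is a known trade-off for high-numbered service ports (the existing `virt_migration` range at 49152-49216 has the same property), but it deserves a trailing comment in the `# 8118 is for privoxy` style used elsewhere in this file, and confirmation that 49000 is the port the service really listens on. The port list continues outside the hunk.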
@@ -9878,6 +9895,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
-network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63163,s0)
+network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
network_port(mysqlmanagerd, tcp,2273,s0)
++network_port(movaz_ssc, tcp,5252,s0)
network_port(nessus, tcp,1241,s0)
+network_port(netport, tcp,3129,s0, udp,3129,s0)
network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
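Review bot: `network_port(movaz_ssc, tcp,5252,s0)` is inserted after `mysqlmanagerd`, which breaks the alphabetical ordering the rest of this list keeps (`mo` sorts before `my`); it belongs between `monopd` and the `mysqld` lines. The name also gives no hint which service owns port 5252, unlike the `# 8118 is for privoxy` style used elsewhere in the file, so a trailing comment would help the next reader. The list continues outside the hunk.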
@@ -9908,7 +9926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
-@@ -177,18 +201,22 @@
+@@ -177,18 +204,22 @@
network_port(rsync, tcp,873,s0, udp,873,s0)
network_port(rwho, udp,513,s0)
network_port(sap, tcp,9875,s0, udp,9875,s0)
@@ -9932,7 +9950,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(syslogd, udp,514,s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
-@@ -201,23 +229,23 @@
+@@ -201,23 +232,23 @@
network_port(varnishd, tcp,6081,s0, tcp,6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@@ -9962,7 +9980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
########################################
#
-@@ -266,5 +294,5 @@
+@@ -266,5 +297,5 @@
allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
# Bind to any network address.
@@ -10041,7 +10059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.19/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/kernel/devices.if 2011-02-08 16:10:25.428796002 +0000
++++ serefpolicy-3.7.19/policy/modules/kernel/devices.if 2011-03-16 13:14:36.657107001 +0000
@@ -407,7 +407,7 @@
########################################
@@ -10430,6 +10448,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Get the attributes of video4linux devices.
##
##
+@@ -4068,6 +4312,24 @@
+ allow $1 vmware_device_t:chr_file execute;
+ ')
+
++#######################################
++##
++## Read to watchdog devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_read_watchdog',`
++ gen_require(`
++ type device_t, watchdog_device_t;
++ ')
++
++ read_chr_files_pattern($1, device_t, watchdog_device_t)
++')
++
+ ########################################
+ ##
+ ## Write to watchdog devices.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.19/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2010-04-13 18:44:37.000000000 +0000
+++ serefpolicy-3.7.19/policy/modules/kernel/devices.te 2011-02-08 15:56:57.441796002 +0000
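Review bot: The summary of the new `dev_read_watchdog` interface reads `## Read to watchdog devices.`, evidently copied from the neighbouring `## Write to watchdog devices.`; it should read `## Read watchdog devices.` (or `## Read from watchdog devices.`). The body, `read_chr_files_pattern($1, device_t, watchdog_device_t)`, matches a read-only summary, so only the wording needs fixing.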
@@ -10745,7 +10788,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.7.19/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/kernel/files.fc 2010-10-25 09:09:58.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/kernel/files.fc 2011-03-16 13:09:38.572107001 +0000
@@ -18,6 +18,7 @@
/fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
/halt -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -10768,8 +10811,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -62,6 +65,12 @@
+@@ -60,8 +63,15 @@
+ /etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/reader\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
++/etc/securetty -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/smartd\.conf.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/sysctl\.conf(\.old)? -- gen_context(system_u:object_r:system_conf_t,s0)
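Review bot: The new `/etc/securetty -- etc_runtime_t` entry places a file that gates which terminals accept root logins into the type used for files rewritten at boot (`/etc/nologin.*`, `/etc/mtab` in the same hunk), a type that is typically writable by more domains than a static configuration type. If a specific daemon has to rewrite securetty at runtime, a comment naming it above the entry would record the rationale; otherwise the file is safer left under the default type of its directory. The file-context list continues outside the hunk.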
@@ -10781,7 +10827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
/etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)
/etc/ipsec\.d/examples(/.*)? gen_context(system_u:object_r:etc_t,s0)
-@@ -71,8 +80,9 @@
+@@ -71,8 +81,9 @@
/etc/ptal/ptal-printd-like -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -10793,7 +10839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
ifdef(`distro_gentoo', `
/etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -93,7 +103,7 @@
+@@ -93,7 +104,7 @@
# HOME_ROOT
# expanded by genhomedircon
#
@@ -10802,7 +10848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
HOME_ROOT/\.journal <>
HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
HOME_ROOT/lost\+found/.* <>
-@@ -157,6 +167,12 @@
+@@ -157,6 +168,12 @@
/proc -d <>
/proc/.* <>
@@ -10815,7 +10861,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
#
# /selinux
#
-@@ -170,12 +186,6 @@
+@@ -170,12 +187,6 @@
/srv/.* gen_context(system_u:object_r:var_t,s0)
#
@@ -10828,7 +10874,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
# /tmp
#
/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
-@@ -205,15 +215,19 @@
+@@ -205,15 +216,19 @@
/usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/usr/local/lost\+found/.* <>
@@ -10848,7 +10894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
/usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
/usr/tmp/.* <>
-@@ -229,6 +243,8 @@
+@@ -229,6 +244,8 @@
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
@@ -10857,7 +10903,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
/var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
/var/lib/nfs/rpc_pipefs(/.*)? <>
-@@ -254,3 +270,5 @@
+@@ -254,3 +271,5 @@
ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
@@ -12000,7 +12046,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.19/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2011-02-04 09:52:43.632796001 +0000
++++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2011-03-16 18:17:00.451851001 +0000
@@ -559,6 +559,24 @@
########################################
@@ -12039,10 +12085,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
')
- allow $1 cifs_t:filesystem getattr;
--')
--
--########################################
--##
++ allow $1 cgroup_t:filesystem getattr;
+ ')
+
+ ########################################
+ ##
-## list dirs on cgroup
-## file systems.
-##
@@ -12059,11 +12106,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
- ')
-
- list_dirs_pattern($1, cgroup_t, cgroup_t)
-+ allow $1 cgroup_t:filesystem getattr;
- ')
-
- ########################################
- ##
+-')
+-
+-########################################
+-##
-## Do not audit attempts to read
-## dirs on a CIFS or SMB filesystem.
+## list dirs on cgroup
@@ -12255,7 +12301,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
#######################################
##
## Create, read, write, and delete dirs
-@@ -1790,6 +1897,25 @@
+@@ -1672,6 +1779,24 @@
+ allow $1 fusefs_t:filesystem unmount;
+ ')
+
++ #######################################
++ ##
++ ## Mounton a FUSEFS filesystem.
++ ##
++ ##
++ ##
++ ## Domain allowed access.
++ ##
++ ##
++ #
++interface(`fs_mounton_fusefs',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ allow $1 fusefs_t:dir mounton;
++')
++
+ ########################################
+ ##
+ ## Search directories
+@@ -1790,6 +1915,25 @@
manage_files_pattern($1, fusefs_t, fusefs_t)
')
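Review bot: The doc-comment block of the new `fs_mounton_fusefs` interface is indented by one space (`++ #####…`, `++ ##`) while `interface(` and the surrounding interfaces' comment blocks sit at column 0, and its header rule has 39 `#` against the 40 used by the `########################################` block that follows. Aligning the block with its neighbours keeps the .if file consistent and the generated interface documentation clean. The rule itself, `allow $1 fusefs_t:dir mounton;`, is fine.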
@@ -12281,7 +12352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
########################################
##
## Do not audit attempts to create,
-@@ -1831,6 +1957,25 @@
+@@ -1831,6 +1975,25 @@
########################################
##
@@ -12307,7 +12378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Read and write hugetlbfs files.
##
##
-@@ -1847,6 +1992,42 @@
+@@ -1847,6 +2010,42 @@
rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
')
@@ -12350,7 +12421,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
########################################
##
## Allow the type to associate to hugetlbfs filesystems.
-@@ -1899,6 +2080,7 @@
+@@ -1899,6 +2098,7 @@
')
allow $1 inotifyfs_t:dir list_dir_perms;
@@ -12358,7 +12429,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
')
########################################
-@@ -2295,6 +2477,25 @@
+@@ -2295,6 +2495,25 @@
########################################
##
@@ -12384,7 +12455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Append files
## on a NFS filesystem.
##
-@@ -2333,6 +2534,24 @@
+@@ -2333,6 +2552,24 @@
dontaudit $1 nfs_t:file append_file_perms;
')
@@ -12409,7 +12480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
########################################
##
## Do not audit attempts to read or
-@@ -2349,7 +2568,7 @@
+@@ -2349,7 +2586,7 @@
type nfs_t;
')
@@ -12418,7 +12489,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
')
########################################
-@@ -2537,6 +2756,24 @@
+@@ -2537,6 +2774,24 @@
########################################
##
@@ -12443,7 +12514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Read removable storage symbolic links.
##
##
-@@ -2745,7 +2982,7 @@
+@@ -2745,7 +3000,7 @@
#########################################
##
## Create, read, write, and delete symbolic links
@@ -12452,7 +12523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
##
##
##
-@@ -3812,6 +4049,24 @@
+@@ -3812,6 +4067,24 @@
rw_files_pattern($1, tmpfs_t, tmpfs_t)
')
@@ -12477,7 +12548,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
########################################
##
## Read tmpfs link files.
-@@ -3870,6 +4125,24 @@
+@@ -3870,6 +4143,24 @@
########################################
##
@@ -12502,7 +12573,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Relabel character nodes on tmpfs filesystems.
##
##
-@@ -4432,6 +4705,44 @@
+@@ -4432,6 +4723,44 @@
########################################
##
@@ -12547,7 +12618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Do not audit attempts to get the attributes
## of all files with a filesystem type.
##
-@@ -4549,3 +4860,24 @@
+@@ -4549,3 +4878,24 @@
relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
')
@@ -17030,7 +17101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.19/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/apache.te 2011-02-04 10:58:08.393796000 +0000
++++ serefpolicy-3.7.19/policy/modules/services/apache.te 2011-03-16 13:04:07.336107002 +0000
@@ -19,11 +19,13 @@
# Declarations
#
@@ -17319,7 +17390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -470,11 +576,25 @@
+@@ -470,11 +576,27 @@
userdom_read_user_home_content_files(httpd_t)
')
@@ -17332,11 +17403,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+')
+
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
++ fs_list_auto_mountpoints(httpd_t)
fs_read_nfs_files(httpd_t)
fs_read_nfs_symlinks(httpd_t)
')
+tunable_policy(`httpd_use_nfs',`
++ fs_list_auto_mountpoints(httpd_t)
+ fs_manage_nfs_dirs(httpd_t)
+ fs_manage_nfs_files(httpd_t)
+ fs_manage_nfs_symlinks(httpd_t)
@@ -17345,7 +17418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
-@@ -484,9 +604,23 @@
+@@ -484,9 +606,23 @@
# allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -17369,7 +17442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
-@@ -500,8 +634,13 @@
+@@ -500,8 +636,13 @@
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
userdom_use_user_terminals(httpd_t)
@@ -17383,7 +17456,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -514,6 +653,12 @@
+@@ -514,6 +655,12 @@
optional_policy(`
cobbler_search_lib(httpd_t)
@@ -17396,7 +17469,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -528,7 +673,18 @@
+@@ -528,7 +675,18 @@
daemontools_service_domain(httpd_t, httpd_exec_t)
')
@@ -17416,7 +17489,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +693,12 @@
+@@ -537,8 +695,12 @@
')
optional_policy(`
@@ -17430,7 +17503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
-@@ -556,7 +716,13 @@
+@@ -556,7 +718,13 @@
')
optional_policy(`
@@ -17444,7 +17517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -567,6 +733,7 @@
+@@ -567,6 +735,7 @@
optional_policy(`
nagios_read_config(httpd_t)
@@ -17452,7 +17525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -577,12 +744,29 @@
+@@ -577,12 +746,29 @@
')
optional_policy(`
@@ -17482,7 +17555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
-@@ -591,6 +775,11 @@
+@@ -591,6 +777,11 @@
')
optional_policy(`
@@ -17494,7 +17567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -618,6 +807,10 @@
+@@ -618,6 +809,10 @@
userdom_use_user_terminals(httpd_helper_t)
@@ -17505,7 +17578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache PHP script local policy
-@@ -667,6 +860,17 @@
+@@ -667,6 +862,17 @@
corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
corenet_tcp_connect_mssql_port(httpd_suexec_t)
corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
@@ -17523,7 +17596,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -699,17 +903,18 @@
+@@ -699,17 +905,18 @@
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -17545,7 +17618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,10 +945,21 @@
+@@ -740,13 +947,25 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -17568,7 +17641,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -769,6 +985,12 @@
++ fs_list_auto_mountpoints(httpd_suexec_t)
+ fs_read_nfs_files(httpd_suexec_t)
+ fs_read_nfs_symlinks(httpd_suexec_t)
+ fs_exec_nfs_files(httpd_suexec_t)
+@@ -769,6 +988,12 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -17581,7 +17658,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache system script local policy
-@@ -791,10 +1013,15 @@
+@@ -791,10 +1016,15 @@
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)
@@ -17597,7 +17674,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,6 +1030,28 @@
+@@ -803,6 +1033,30 @@
mta_send_mail(httpd_sys_script_t)
')
@@ -17612,11 +17689,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+fs_nfs_entry_type(httpd_sys_script_t)
+
+tunable_policy(`httpd_use_nfs',`
++ fs_list_auto_mountpoints(httpd_sys_script_t)
+ fs_manage_nfs_dirs(httpd_sys_script_t)
+ fs_manage_nfs_files(httpd_sys_script_t)
+ fs_manage_nfs_symlinks(httpd_sys_script_t)
+ fs_exec_nfs_files(httpd_sys_script_t)
+
++ fs_list_auto_mountpoints(httpd_suexec_t)
+ fs_manage_nfs_dirs(httpd_suexec_t)
+ fs_manage_nfs_files(httpd_suexec_t)
+ fs_manage_nfs_symlinks(httpd_suexec_t)
@@ -17626,7 +17705,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_sys_script_t self:udp_socket create_socket_perms;
-@@ -830,6 +1079,16 @@
+@@ -826,10 +1080,21 @@
+ ')
+
+ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
++ fs_list_auto_mountpoints(httpd_sys_script_t)
+ fs_read_nfs_files(httpd_sys_script_t)
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@@ -17643,7 +17727,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,6 +1101,7 @@
+@@ -842,6 +1107,7 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -17651,7 +17735,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -891,11 +1151,33 @@
+@@ -891,11 +1157,33 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -19126,8 +19210,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.19/policy/modules/services/certmonger.te
--- nsaserefpolicy/policy/modules/services/certmonger.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/certmonger.te 2011-03-04 14:00:18.904413000 +0000
-@@ -0,0 +1,95 @@
++++ serefpolicy-3.7.19/policy/modules/services/certmonger.te 2011-03-15 20:36:12.127107001 +0000
+@@ -0,0 +1,96 @@
+policy_module(certmonger,1.0.0)
+
+########################################
@@ -19176,6 +19260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
+corenet_tcp_sendrecv_generic_node(certmonger_t)
+corenet_tcp_sendrecv_all_ports(certmonger_t)
+corenet_tcp_connect_certmaster_port(certmonger_t)
++corenet_tcp_connect_http_port(certmonger_t)
+
+dev_read_urand(certmonger_t)
+
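Review bot: `corenet_tcp_connect_http_port(certmonger_t)` is added without a comment saying which CA front end certmonger reaches over the http port; because the domain already has `corenet_tcp_sendrecv_all_ports`, this line is what actually opens outbound HTTP, so it is the place to record the reason, e.g. `# enrollment against an HTTP-based CA front end — TODO name the CA`. The certmonger_t block continues outside the hunk.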
@@ -19703,7 +19788,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.19/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/clamav.te 2010-12-09 11:46:16.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/services/clamav.te 2011-03-16 13:22:27.646107001 +0000
@@ -1,6 +1,13 @@
policy_module(clamav, 1.7.1)
@@ -19736,7 +19821,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
# log files
manage_dirs_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
-@@ -167,9 +178,15 @@
+@@ -104,6 +115,7 @@
+ corenet_tcp_bind_clamd_port(clamd_t)
+ corenet_tcp_bind_generic_port(clamd_t)
+ corenet_tcp_connect_generic_port(clamd_t)
++corenet_tcp_connect_clamd_port(clamd_t)
+ corenet_sendrecv_clamd_server_packets(clamd_t)
+
+ dev_read_rand(clamd_t)
+@@ -167,9 +179,15 @@
# log files (own logfiles only)
manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
allow freshclam_t freshclam_var_log_t:dir setattr;
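Review bot: `corenet_tcp_connect_clamd_port(clamd_t)` lets the daemon connect to its own service port, which is unusual for a server domain and has no comment explaining the use (a multi-instance or self-check setup, perhaps). A short comment above the line would stop the next reader from taking it for a copy-paste from the `freshclam_t` and `clamscan_t` sections, which also reference the clamd port elsewhere in this diff. The clamd_t block continues outside the hunk.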
@@ -19753,7 +19846,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
corenet_all_recvfrom_unlabeled(freshclam_t)
corenet_all_recvfrom_netlabel(freshclam_t)
corenet_tcp_sendrecv_generic_if(freshclam_t)
-@@ -177,8 +194,11 @@
+@@ -177,8 +195,11 @@
corenet_tcp_sendrecv_all_ports(freshclam_t)
corenet_tcp_sendrecv_clamd_port(freshclam_t)
corenet_tcp_connect_http_port(freshclam_t)
@@ -19765,7 +19858,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
dev_read_rand(freshclam_t)
dev_read_urand(freshclam_t)
-@@ -189,14 +209,24 @@
+@@ -189,14 +210,24 @@
auth_use_nsswitch(freshclam_t)
@@ -19790,7 +19883,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
########################################
#
# clamscam local policy
-@@ -228,9 +258,11 @@
+@@ -228,9 +259,11 @@
corenet_tcp_sendrecv_generic_node(clamscan_t)
corenet_tcp_sendrecv_all_ports(clamscan_t)
corenet_tcp_sendrecv_clamd_port(clamscan_t)
@@ -19802,7 +19895,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
files_read_etc_files(clamscan_t)
files_read_etc_runtime_files(clamscan_t)
-@@ -245,6 +277,17 @@
+@@ -245,6 +278,17 @@
clamav_stream_connect(clamscan_t)
mta_send_mail(clamscan_t)
@@ -23366,8 +23459,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv.te serefpolicy-3.7.19/policy/modules/services/dirsrv.te
--- nsaserefpolicy/policy/modules/services/dirsrv.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/dirsrv.te 2011-02-03 10:11:55.317796001 +0000
-@@ -0,0 +1,185 @@
++++ serefpolicy-3.7.19/policy/modules/services/dirsrv.te 2011-03-16 13:34:01.046107000 +0000
+@@ -0,0 +1,187 @@
+policy_module(dirsrv,1.0.0)
+
+########################################
@@ -23451,6 +23544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs
+
+manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
++manage_lnk_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
+
+manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
@@ -23467,6 +23561,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs
+corenet_tcp_sendrecv_all_ports(dirsrv_t)
+corenet_tcp_bind_all_nodes(dirsrv_t)
+corenet_tcp_bind_ldap_port(dirsrv_t)
++corenet_tcp_bind_dogtag_port(dirsrv_t)
+corenet_tcp_bind_all_rpc_ports(dirsrv_t)
+corenet_udp_bind_all_rpc_ports(dirsrv_t)
+corenet_tcp_connect_all_ports(dirsrv_t)
@@ -24280,8 +24375,52 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
/var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.7.19/policy/modules/services/ftp.if
--- nsaserefpolicy/policy/modules/services/ftp.if 2010-04-13 18:44:36.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/ftp.if 2010-05-28 07:42:00.000000000 +0000
-@@ -115,6 +115,44 @@
++++ serefpolicy-3.7.19/policy/modules/services/ftp.if 2011-03-16 14:35:12.605107001 +0000
+@@ -1,5 +1,43 @@
+ ## File transfer protocol service
+
++#####################################
++##
++## Execute a domain transition to run ftpd.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ftp_domtrans',`
++ gen_require(`
++ type ftpd_t, ftpd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1,ftpd_exec_t, ftpd_t)
++
++')
++
++######################################
++##
++## Execute ftpd server in the ftpd domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`ftp_initrc_domtrans',`
++ gen_require(`
++ type ftp_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, ftp_initrc_exec_t)
++')
++
+ ########################################
+ ##
+ ## Use ftp by connecting over TCP. (Deprecated)
+@@ -115,6 +153,44 @@
role $2 types ftpdctl_t;
')
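Review bot: In the new `ftp_domtrans` interface the call `domtrans_pattern($1,ftpd_exec_t, ftpd_t)` drops the space after the first argument and the body ends with a stray blank line before `')`, while the sibling `ftp_initrc_domtrans` added in the same hunk is spaced consistently. Write it as `domtrans_pattern($1, ftpd_exec_t, ftpd_t)` and remove the empty line so the two interfaces read alike. The `##` header lines of both interfaces show up here as empty lines where the documentation tags would normally sit; that is probably an artifact of this view, but it is worth confirming the summary/param markup is present so the interface documentation still generates.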
@@ -25992,7 +26131,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.19/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/kerberos.if 2011-01-27 14:25:40.043455001 +0000
++++ serefpolicy-3.7.19/policy/modules/services/kerberos.if 2011-03-16 13:57:42.672107002 +0000
@@ -74,7 +74,7 @@
')
@@ -26013,6 +26152,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
tunable_policy(`allow_kerberos',`
allow $1 self:tcp_socket create_socket_perms;
allow $1 self:udp_socket create_socket_perms;
+@@ -103,7 +107,7 @@
+ corenet_sendrecv_kerberos_client_packets($1)
+ corenet_sendrecv_ocsp_client_packets($1)
+
+- allow $1 krb5_host_rcache_t:file getattr;
++ allow $1 krb5_host_rcache_t:file getattr_file_perms;
+ ')
+
+ optional_policy(`
@@ -212,6 +216,25 @@
allow $1 krb5_keytab_t:file rw_file_perms;
')
@@ -26039,18 +26187,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
########################################
##
## Create a derived type for kerberos keytab
+@@ -374,3 +397,22 @@
+
+ admin_pattern($1, krb5kdc_var_run_t)
+ ')
++
++#######################################
++##
++## Type transition files created in /tmp
++## to the krb5_host_rcache type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mta_tmp_filetrans_host_rcache',`
++ gen_require(`
++ type krb5_host_rcache_t;
++ ')
++
++ files_tmp_filetrans($1, krb5_host_rcache_t, file)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.7.19/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/kerberos.te 2011-01-20 11:02:37.000000000 +0000
-@@ -36,6 +36,7 @@
++++ serefpolicy-3.7.19/policy/modules/services/kerberos.te 2011-03-16 13:51:14.123107002 +0000
+@@ -36,12 +36,12 @@
domain_obj_id_change_exemption(kpropd_t)
type krb5_conf_t;
+-files_type(krb5_conf_t)
+files_config_file(krb5_conf_t)
- files_type(krb5_conf_t)
type krb5_home_t;
-@@ -50,10 +51,10 @@
+ userdom_user_home_content(krb5_home_t)
+
+-type krb5_host_rcache_t;
++type krb5_host_rcache_t alias saslauthd_tmp_t;
+ files_tmp_file(krb5_host_rcache_t)
+
+ # types for general configuration files in /etc
+@@ -50,10 +50,10 @@
# types for KDC configs and principal file(s)
type krb5kdc_conf_t;
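Review bot: The interface added to kerberos.if is named `mta_tmp_filetrans_host_rcache`, but every other interface in this file carries the module's `kerberos_` prefix, so a reader looking for the file-transition interface of `krb5_host_rcache_t` would not expect to find it under an `mta_` name, and the prefix suggests it was meant for mta.if. Rename it to `kerberos_tmp_filetrans_host_rcache` (or move it to mta.if) before other modules start depending on the current name. In kerberos.te, `type krb5_host_rcache_t alias saslauthd_tmp_t;` folds a type that by its name belongs to the sasl module into kerberos; if sasl.te still declares `saslauthd_tmp_t` the build will fail on a duplicate declaration, and any file contexts still labelling with `saslauthd_tmp_t` should be re-checked — the sasl side is not visible from this hunk.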
@@ -26063,7 +26241,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
# types for KDC principal file(s)
type krb5kdc_principal_t;
-@@ -94,9 +95,9 @@
+@@ -94,9 +94,9 @@
dontaudit kadmind_t krb5_conf_t:file write;
read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)
@@ -26075,7 +26253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
allow kadmind_t krb5kdc_principal_t:file manage_file_perms;
filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file)
-@@ -112,6 +113,7 @@
+@@ -112,6 +112,7 @@
kernel_read_kernel_sysctls(kadmind_t)
kernel_list_proc(kadmind_t)
@@ -26083,7 +26261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
kernel_read_proc_symlinks(kadmind_t)
kernel_read_system_state(kadmind_t)
-@@ -126,10 +128,13 @@
+@@ -126,10 +127,13 @@
corenet_tcp_bind_generic_node(kadmind_t)
corenet_udp_bind_generic_node(kadmind_t)
corenet_tcp_bind_kerberos_admin_port(kadmind_t)
@@ -26097,7 +26275,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
dev_read_sysfs(kadmind_t)
dev_read_rand(kadmind_t)
-@@ -149,6 +154,7 @@
+@@ -149,6 +153,7 @@
logging_send_syslog_msg(kadmind_t)
@@ -26105,7 +26283,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
miscfiles_read_localization(kadmind_t)
seutil_read_file_contexts(kadmind_t)
-@@ -160,6 +166,14 @@
+@@ -160,6 +165,14 @@
userdom_dontaudit_search_user_home_dirs(kadmind_t)
optional_policy(`
@@ -26120,7 +26298,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
nis_use_ypbind(kadmind_t)
')
-@@ -193,13 +207,12 @@
+@@ -193,13 +206,12 @@
read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
dontaudit krb5kdc_t krb5kdc_conf_t:file write;
@@ -26136,7 +26314,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
-@@ -249,6 +262,7 @@
+@@ -249,6 +261,7 @@
logging_send_syslog_msg(krb5kdc_t)
@@ -26144,7 +26322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
miscfiles_read_localization(krb5kdc_t)
seutil_read_file_contexts(krb5kdc_t)
-@@ -260,6 +274,14 @@
+@@ -260,6 +273,14 @@
userdom_dontaudit_search_user_home_dirs(krb5kdc_t)
optional_policy(`
@@ -26159,7 +26337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
nis_use_ypbind(krb5kdc_t)
')
-@@ -283,7 +305,7 @@
+@@ -283,7 +304,7 @@
allow kpropd_t self:unix_stream_socket create_stream_socket_perms;
allow kpropd_t self:tcp_socket create_stream_socket_perms;
@@ -26498,6 +26676,370 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
-')
\ No newline at end of file
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/matahari.fc serefpolicy-3.7.19/policy/modules/services/matahari.fc
+--- nsaserefpolicy/policy/modules/services/matahari.fc 1970-01-01 00:00:00.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/services/matahari.fc 2011-03-16 14:17:03.980107001 +0000
+@@ -0,0 +1,15 @@
++/etc/rc\.d/init\.d/matahari-host gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/matahari-net gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/matahari-service gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
++
++/usr/sbin/matahari-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0)
++
++/usr/sbin/matahari-netd -- gen_context(system_u:object_r:matahari_netd_exec_t,s0)
++
++/usr/sbin/matahari-serviced -- gen_context(system_u:object_r:matahari_serviced_exec_t,s0)
++
++/var/lib/matahari(/.*)? gen_context(system_u:object_r:matahari_var_lib_t,s0)
++
++/var/run/matahari(/.*)? gen_context(system_u:object_r:matahari_var_run_t,s0)
++/var/run/matahari.pid gen_context(system_u:object_r:matahari_var_run_t,s0)
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/matahari.if serefpolicy-3.7.19/policy/modules/services/matahari.if
+--- nsaserefpolicy/policy/modules/services/matahari.if 1970-01-01 00:00:00.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/services/matahari.if 2011-03-16 14:17:03.980107001 +0000
+@@ -0,0 +1,220 @@
++## policy for matahari
++
++########################################
++##
++## Search matahari lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`matahari_search_lib',`
++ gen_require(`
++ type matahari_var_lib_t;
++ ')
++
++ allow $1 matahari_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read matahari lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`matahari_read_lib_files',`
++ gen_require(`
++ type matahari_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, matahari_var_lib_t, matahari_var_lib_t)
++')
++
++########################################
++##
++## Create, read, write, and delete
++## matahari lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`matahari_manage_lib_files',`
++ gen_require(`
++ type matahari_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, matahari_var_lib_t, matahari_var_lib_t)
++')
++
++########################################
++##
++## Manage matahari lib dirs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`matahari_manage_lib_dirs',`
++ gen_require(`
++ type matahari_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, matahari_var_lib_t, matahari_var_lib_t)
++')
++
++
++########################################
++##
++## Read matahari PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`matahari_read_pid_files',`
++ gen_require(`
++ type matahari_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 matahari_var_run_t:file read_file_perms;
++')
++
++########################################
++##
++## Read matahari PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`matahari_manage_pid_files',`
++ gen_require(`
++ type matahari_var_run_t;
++ ')
++
++ files_search_pids($1)
++ manage_files_pattern($1, matahari_var_run_t, matahari_var_run_t)
++')
++
++########################################
++##
++## Execute a domain transition to run matahari_hostd.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`matahari_hostd_domtrans',`
++ gen_require(`
++ type matahari_hostd_t, matahari_hostd_exec_t;
++ ')
++
++ domtrans_pattern($1, matahari_hostd_exec_t, matahari_hostd_t)
++')
++
++########################################
++##
++## Execute a domain transition to run matahari_netd.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`matahari_netd_domtrans',`
++ gen_require(`
++ type matahari_netd_t, matahari_netd_exec_t;
++ ')
++
++ domtrans_pattern($1, matahari_netd_exec_t, matahari_netd_t)
++')
++
++########################################
++##
++## Execute a domain transition to run matahari_serviced.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`matahari_serviced_domtrans',`
++ gen_require(`
++ type matahari_serviced_t, matahari_serviced_exec_t;
++ ')
++
++ domtrans_pattern($1, matahari_serviced_exec_t, matahari_serviced_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an matahari environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`matahari_admin',`
++ gen_require(`
++ type matahari_inirc_exec_t;
++ type matahari_hostd_t;
++ type matahari_netd_t;
++ type matahari_serviced_t;
++ type matahari_var_lib_t;
++ type matahari_var_run_t;
++ ')
++
++ init_labeled_script_domtrans($1, matahari_initrc_exec_t)
++ domain_system_change_exemption($1)
++ role_transition $2 matahari_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ allow $1 matahari_netd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, matahari_netd_t)
++
++ allow $1 matahari_hostd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, matahari_hostd_t)
++
++ allow $1 matahari_serviced_t:process { ptrace signal_perms };
++ ps_process_pattern($1, matahari_serviced_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, matahari_var_lib_t)
++
++ files_search_pids($1)
++ admin_pattern($1, matahari_var_run_t)
++
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/matahari.te serefpolicy-3.7.19/policy/modules/services/matahari.te
+--- nsaserefpolicy/policy/modules/services/matahari.te 1970-01-01 00:00:00.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/services/matahari.te 2011-03-16 14:17:03.980107001 +0000
+@@ -0,0 +1,117 @@
++policy_module(matahari,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type matahari_hostd_t;
++type matahari_hostd_exec_t;
++init_daemon_domain(matahari_hostd_t, matahari_hostd_exec_t)
++
++type matahari_netd_t;
++type matahari_netd_exec_t;
++init_daemon_domain(matahari_netd_t, matahari_netd_exec_t)
++
++type matahari_serviced_t;
++type matahari_serviced_exec_t;
++init_daemon_domain(matahari_serviced_t, matahari_serviced_exec_t)
++
++type matahari_initrc_exec_t;
++init_script_file(matahari_initrc_exec_t)
++
++permissive matahari_serviced_t;
++permissive matahari_hostd_t;
++permissive matahari_netd_t;
++
++type matahari_var_lib_t;
++files_type(matahari_var_lib_t)
++
++type matahari_var_run_t;
++files_pid_file(matahari_var_run_t)
++
++########################################
++#
++# matahari_hostd local policy
++#
++allow matahari_hostd_t self:capability sys_ptrace;
++allow matahari_hostd_t self:process { signal };
++
++allow matahari_hostd_t self:fifo_file rw_fifo_file_perms;
++allow matahari_hostd_t self:unix_stream_socket create_stream_socket_perms;
++
++kernel_read_network_state(matahari_hostd_t)
++kernel_read_system_state(matahari_hostd_t)
++
++corenet_tcp_connect_matahari_port(matahari_hostd_t)
++
++dev_read_sysfs(matahari_hostd_t)
++dev_read_urand(matahari_hostd_t)
++dev_read_mtrr(matahari_hostd_t)
++dev_write_mtrr(matahari_hostd_t)
++
++domain_use_interactive_fds(matahari_hostd_t)
++domain_read_all_domains_state(matahari_hostd_t)
++
++files_read_etc_files(matahari_hostd_t)
++
++logging_send_syslog_msg(matahari_hostd_t)
++
++miscfiles_read_localization(matahari_hostd_t)
++
++sysnet_dns_name_resolve(matahari_hostd_t)
++
++optional_policy(`
++ dbus_system_bus_client(matahari_hostd_t)
++')
++
++########################################
++#
++# matahari_netd local policy
++#
++allow matahari_netd_t self:process { signal };
++
++allow matahari_netd_t self:fifo_file rw_fifo_file_perms;
++allow matahari_netd_t self:unix_stream_socket create_stream_socket_perms;
++
++kernel_read_system_state(matahari_netd_t)
++
++corenet_tcp_connect_matahari_port(matahari_netd_t)
++
++dev_read_urand(matahari_netd_t)
++
++domain_use_interactive_fds(matahari_netd_t)
++
++files_read_etc_files(matahari_netd_t)
++
++logging_send_syslog_msg(matahari_netd_t)
++
++miscfiles_read_localization(matahari_netd_t)
++
++sysnet_dns_name_resolve(matahari_netd_t)
++
++########################################
++#
++# matahari_serviced local policy
++#
++allow matahari_serviced_t self:process { signal };
++
++allow matahari_serviced_t self:fifo_file rw_fifo_file_perms;
++allow matahari_serviced_t self:unix_stream_socket create_stream_socket_perms;
++
++kernel_read_system_state(matahari_serviced_t)
++
++corenet_tcp_connect_matahari_port(matahari_serviced_t)
++
++dev_read_urand(matahari_serviced_t)
++
++domain_use_interactive_fds(matahari_serviced_t)
++
++files_read_etc_files(matahari_serviced_t)
++
++logging_send_syslog_msg(matahari_serviced_t)
++
++miscfiles_read_localization(matahari_serviced_t)
++
++sysnet_dns_name_resolve(matahari_serviced_t)
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.if serefpolicy-3.7.19/policy/modules/services/memcached.if
--- nsaserefpolicy/policy/modules/services/memcached.if 2010-04-13 18:44:37.000000000 +0000
+++ serefpolicy-3.7.19/policy/modules/services/memcached.if 2010-09-16 12:51:54.000000000 +0000
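Review bot: `matahari_admin` requires `type matahari_inirc_exec_t;` in its `gen_require`, but the body uses `matahari_initrc_exec_t` in `init_labeled_script_domtrans($1, matahari_initrc_exec_t)` and `role_transition $2 matahari_initrc_exec_t system_r;`; no such type is declared anywhere in the new module, so any policy calling this interface will fail to build. Change the line to `type matahari_initrc_exec_t;`. Separately, matahari.te declares `matahari_var_lib_t` and `matahari_var_run_t` and matahari.fc labels /var/lib/matahari and /var/run/matahari with them, yet no rule in the .te grants any of the three daemon domains manage permissions or a `files_pid_filetrans`/`files_var_lib_filetrans` on those types; this is masked only because all three domains are declared `permissive`, and the daemons will be unable to write their pid or state files once those lines are removed. The summary of `matahari_manage_pid_files` is a copy of `matahari_read_pid_files` ("Read matahari PID files.") and should read "Create, read, write, and delete matahari PID files."; `allow matahari_hostd_t self:capability sys_ptrace;` would also benefit from a comment naming what hostd does that needs CAP_SYS_PTRACE, since it is the only capability granted in the module.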
@@ -26597,7 +27139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milt
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.te serefpolicy-3.7.19/policy/modules/services/milter.te
--- nsaserefpolicy/policy/modules/services/milter.te 2010-04-13 18:44:36.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/milter.te 2010-09-09 08:52:57.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/services/milter.te 2011-03-16 13:20:25.652107002 +0000
@@ -10,6 +10,13 @@
attribute milter_domains;
attribute milter_data_type;
@@ -26636,7 +27178,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milt
########################################
#
# milter-greylist local policy
-@@ -81,13 +105,11 @@
+@@ -39,6 +63,12 @@
+
+ kernel_read_kernel_sysctls(greylist_milter_t)
+
++corecmd_exec_bin(greylist_milter_t)
++corecmd_exec_shell(greylist_milter_t)
++
++corenet_tcp_bind_movaz_ssc_port(greylist_milter_t)
++corenet_tcp_connect_movaz_ssc_port(greylist_milter_t)
++
+ # Allow the milter to read a GeoIP database in /usr/share
+ files_read_usr_files(greylist_milter_t)
+ # The milter runs from /var/lib/milter-greylist and maintains files there
+@@ -81,13 +111,11 @@
allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
files_search_var_lib(spamass_milter_t)
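Review bot: `corecmd_exec_bin(greylist_milter_t)` and `corecmd_exec_shell(greylist_milter_t)` arrive without a why-comment, although the neighbouring rules in this file each carry one (`# Allow the milter to read a GeoIP database in /usr/share`). Letting a network-facing milter execute arbitrary binaries and a shell is a meaningful widening of the domain, so record what milter-greylist actually runs, e.g. `# milter-greylist runs helper commands through the shell (TODO: name them)`. The same applies to the two `movaz_ssc` port rules, whose purpose for a greylisting milter is not obvious from the file.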
@@ -30278,6 +30833,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads
+ files_search_etc($1)
admin_pattern($1, pads_config_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.te serefpolicy-3.7.19/policy/modules/services/pads.te
+--- nsaserefpolicy/policy/modules/services/pads.te 2010-04-13 18:44:37.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/services/pads.te 2011-03-16 13:25:26.960107001 +0000
+@@ -49,6 +49,7 @@
+
+ dev_read_rand(pads_t)
+ dev_read_urand(pads_t)
++dev_read_sysfs(pads_t)
+
+ files_read_etc_files(pads_t)
+ files_search_spool(pads_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/passenger.fc serefpolicy-3.7.19/policy/modules/services/passenger.fc
--- nsaserefpolicy/policy/modules/services/passenger.fc 1970-01-01 00:00:00.000000000 +0000
+++ serefpolicy-3.7.19/policy/modules/services/passenger.fc 2010-12-21 07:32:58.000000000 +0000
@@ -30451,8 +31017,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pass
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.7.19/policy/modules/services/pcscd.te
--- nsaserefpolicy/policy/modules/services/pcscd.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/pcscd.te 2010-08-17 13:11:28.000000000 +0000
-@@ -42,6 +42,7 @@
++++ serefpolicy-3.7.19/policy/modules/services/pcscd.te 2011-03-16 13:35:33.824107001 +0000
+@@ -26,6 +26,7 @@
+ allow pcscd_t self:unix_stream_socket create_stream_socket_perms;
+ allow pcscd_t self:unix_dgram_socket create_socket_perms;
+ allow pcscd_t self:tcp_socket create_stream_socket_perms;
++allow pcscd_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+ manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+ manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+@@ -42,6 +43,7 @@
corenet_tcp_sendrecv_all_ports(pcscd_t)
corenet_tcp_connect_http_port(pcscd_t)
@@ -30460,6 +31034,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcsc
dev_rw_generic_usb_dev(pcscd_t)
dev_rw_smartcard(pcscd_t)
dev_rw_usbfs(pcscd_t)
+@@ -78,3 +80,7 @@
+ optional_policy(`
+ rpm_use_script_fds(pcscd_t)
+ ')
++
++optional_policy(`
++ udev_read_db(pcscd_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.7.19/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2010-04-13 18:44:37.000000000 +0000
+++ serefpolicy-3.7.19/policy/modules/services/pegasus.te 2010-05-28 07:42:00.000000000 +0000
@@ -30746,8 +31328,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.te serefpolicy-3.7.19/policy/modules/services/piranha.te
--- nsaserefpolicy/policy/modules/services/piranha.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/piranha.te 2010-09-09 11:14:39.000000000 +0000
-@@ -0,0 +1,230 @@
++++ serefpolicy-3.7.19/policy/modules/services/piranha.te 2011-03-16 13:12:36.310107001 +0000
+@@ -0,0 +1,308 @@
+
+policy_module(piranha,1.0.0)
+
@@ -30850,6 +31432,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
+manage_files_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t)
+fs_tmpfs_filetrans(piranha_web_t, piranha_web_tmpfs_t, { dir file })
+
++#cjp: adds luci.ini file
++#bug: 684198
++create_files_pattern(piranha_web_t, piranha_web_conf_t, piranha_web_conf_t)
++
+piranha_pulse_initrc_domtrans(piranha_web_t)
+
+kernel_read_kernel_sysctls(piranha_web_t)
@@ -30900,6 +31486,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
+# needed by nanny
+corenet_tcp_connect_ftp_port(piranha_lvs_t)
+corenet_tcp_connect_http_port(piranha_lvs_t)
++corenet_tcp_connect_smtp_port(piranha_lvs_t)
+
+sysnet_dns_name_resolve(piranha_lvs_t)
+
@@ -30918,6 +31505,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
+# piranha-pulse local policy
+#
+
++allow piranha_pulse_t self:capability net_admin;
++
+allow piranha_pulse_t self:packet_socket create_socket_perms;
+
+# pulse starts fos and lvs daemon
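Review bot: `allow piranha_pulse_t self:capability net_admin;` is added with no explanation, while the rule block right after it is introduced by `# pulse starts fos and lvs daemon`. CAP_NET_ADMIN is one of the broader capabilities, so state what pulse needs it for next to the rule, e.g. `# CAP_NET_ADMIN: TODO — record the operation that required it`, so a later reviewer can tell whether it is still needed.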
@@ -30927,18 +31516,89 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
+domtrans_pattern(piranha_pulse_t, piranha_lvs_exec_t, piranha_lvs_t)
+allow piranha_pulse_t piranha_lvs_t:process signal;
+
++kernel_read_kernel_sysctls(piranha_pulse_t)
++kernel_read_rpc_sysctls(piranha_pulse_t)
++kernel_read_system_state(piranha_pulse_t)
++kernel_rw_rpc_sysctls(piranha_pulse_t)
++kernel_search_debugfs(piranha_pulse_t)
++kernel_search_network_state(piranha_pulse_t)
++
++corecmd_exec_bin(piranha_pulse_t)
++corecmd_exec_shell(piranha_pulse_t)
++consoletype_exec(piranha_pulse_t)
++
+corenet_udp_bind_apertus_ldp_port(piranha_pulse_t)
+
++domain_read_all_domains_state(piranha_pulse_t)
++domain_getattr_all_domains(piranha_pulse_t)
++#domain_dontaudit_ptrace_all_domains(piranha_pulse_t)
++
++fs_getattr_all_fs(piranha_pulse_t)
++
+sysnet_dns_name_resolve(piranha_pulse_t)
+
++auth_use_nsswitch(piranha_pulse_t)
++
++logging_send_syslog_msg(piranha_pulse_t)
++
++miscfiles_read_localization(piranha_pulse_t)
++
++optional_policy(`
++ apache_domtrans(piranha_pulse_t)
++ apache_signal(piranha_pulse_t)
++')
++
++optional_policy(`
++ ftp_domtrans(piranha_pulse_t)
++ ftp_initrc_domtrans(piranha_pulse_t)
++')
++
++optional_policy(`
++ hostname_exec(piranha_pulse_t)
++')
++
++optional_policy(`
++ ldap_initrc_domtrans(piranha_pulse_t)
++ ldap_domtrans(piranha_pulse_t)
++')
++
++optional_policy(`
++ mysql_domtrans_mysql_safe(piranha_pulse_t)
++ mysql_stream_connect(piranha_pulse_t)
++')
++
++optional_policy(`
++ netutils_domtrans(piranha_pulse_t)
++ netutils_domtrans_ping(piranha_pulse_t)
++')
++
++optional_policy(`
++ postgresql_domtrans(piranha_pulse_t)
++ postgresql_signal(piranha_pulse_t)
++')
++
+optional_policy(`
-+ netutils_domtrans_ping(piranha_pulse_t)
++ samba_initrc_domtrans(piranha_pulse_t)
++ samba_domtrans_smbd(piranha_pulse_t)
++ samba_domtrans_nmbd(piranha_pulse_t)
++ samba_manage_var_files(piranha_pulse_t)
++ samba_rw_config(piranha_pulse_t)
++ samba_signal_smbd(piranha_pulse_t)
++ samba_signal_nmbd(piranha_pulse_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_ifconfig(piranha_pulse_t)
+')
+
++optional_policy(`
++ udev_read_db(piranha_pulse_t)
++')
++
++#optional_policy(`
++# unconfined_domain(piranha_pulse_t)
++#')
++
+####################################
+#
+# piranha domains common policy
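Review bot: The hunk leaves two commented-out blocks in the policy: `#domain_dontaudit_ptrace_all_domains(piranha_pulse_t)` and, at the end, the `#optional_policy(` … `# unconfined_domain(piranha_pulse_t)` … `#')` block. A commented-out `unconfined_domain` invites someone to uncomment it as a quick fix, which would remove all confinement from pulse; delete both blocks (revision history keeps them) or replace them with a comment stating the decision. The rest of the hunk turns piranha_pulse_t into a service manager that can transition to apache, ftp, ldap, mysql, postgresql and samba and rewrite samba's configuration (`samba_rw_config`, `samba_manage_var_files`); that is presumably what pulse does for failover, but a one-line comment above the `optional_policy` blocks saying so would help the next reader judge whether the write access to samba's configuration is really required.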
@@ -34255,7 +34915,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi
init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.7.19/policy/modules/services/radius.te
--- nsaserefpolicy/policy/modules/services/radius.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/radius.te 2011-01-03 09:47:38.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/services/radius.te 2011-03-16 14:38:53.600107001 +0000
@@ -37,7 +37,7 @@
# gzip also needs chown access to preserve GID for radwtmp files
allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
@@ -34265,7 +34925,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi
allow radiusd_t self:fifo_file rw_fifo_file_perms;
allow radiusd_t self:unix_stream_socket create_stream_socket_perms;
allow radiusd_t self:tcp_socket create_stream_socket_perms;
-@@ -79,6 +79,7 @@
+@@ -60,8 +60,9 @@
+ manage_files_pattern(radiusd_t, radiusd_var_lib_t, radiusd_var_lib_t)
+
+ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
++manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
+ manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
+-files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file })
++files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir })
+
+ kernel_read_kernel_sysctls(radiusd_t)
+ kernel_read_system_state(radiusd_t)
+@@ -79,6 +80,7 @@
corenet_udp_bind_radius_port(radiusd_t)
corenet_tcp_connect_mysqld_port(radiusd_t)
corenet_tcp_connect_snmp_port(radiusd_t)
@@ -34273,14 +34944,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi
corenet_sendrecv_radius_server_packets(radiusd_t)
corenet_sendrecv_radacct_server_packets(radiusd_t)
corenet_sendrecv_mysqld_client_packets(radiusd_t)
-@@ -131,6 +132,7 @@
+@@ -130,6 +132,7 @@
+ ')
optional_policy(`
- samba_read_var_files(radiusd_t)
+ samba_domtrans_winbind_helper(radiusd_t)
+ samba_read_var_files(radiusd_t)
')
- optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.7.19/policy/modules/services/razor.fc
--- nsaserefpolicy/policy/modules/services/razor.fc 2010-04-13 18:44:37.000000000 +0000
+++ serefpolicy-3.7.19/policy/modules/services/razor.fc 2010-05-28 07:42:00.000000000 +0000
@@ -34393,7 +35064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-3.7.19/policy/modules/services/remotelogin.te
--- nsaserefpolicy/policy/modules/services/remotelogin.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/remotelogin.te 2010-11-08 14:03:03.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/services/remotelogin.te 2011-03-16 13:26:33.488107001 +0000
@@ -50,6 +50,7 @@
fs_search_auto_mountpoints(remote_login_t)
@@ -34402,6 +35073,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remo
auth_rw_login_records(remote_login_t)
auth_rw_faillog(remote_login_t)
+@@ -88,6 +89,7 @@
+ # since very weak authentication is used.
+ userdom_signal_unpriv_users(remote_login_t)
+ userdom_spec_domtrans_unpriv_users(remote_login_t)
++userdom_rw_user_tmp_files(remote_login_t)
+
+ # Search for mail spool file.
+ mta_getattr_spool(remote_login_t)
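Review bot: `userdom_rw_user_tmp_files(remote_login_t)` is inserted directly under the comment ending `# since very weak authentication is used.`, which explains the two rules above it, so a reader may take that rationale to cover this rule as well. Give it its own comment stating what the remote login program reads or writes in user tmp, e.g. `# TODO: note which user tmp files the login program needs`, or place it after the block with a blank line separating it.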
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/resmgr.if serefpolicy-3.7.19/policy/modules/services/resmgr.if
--- nsaserefpolicy/policy/modules/services/resmgr.if 2010-04-13 18:44:37.000000000 +0000
+++ serefpolicy-3.7.19/policy/modules/services/resmgr.if 2010-09-16 13:29:11.000000000 +0000
@@ -36522,7 +37201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.19/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/samba.te 2011-02-25 12:35:52.540685721 +0000
++++ serefpolicy-3.7.19/policy/modules/services/samba.te 2011-03-16 14:07:00.624107001 +0000
@@ -66,6 +66,13 @@
##
gen_tunable(samba_share_nfs, false)
@@ -36537,6 +37216,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
type nmbd_t;
type nmbd_exec_t;
init_daemon_domain(nmbd_t, nmbd_exec_t)
+@@ -146,8 +153,8 @@
+ type winbind_log_t;
+ logging_log_file(winbind_log_t)
+
+-type winbind_tmp_t;
+-files_tmp_file(winbind_tmp_t)
++#type winbind_tmp_t;
++#files_tmp_file(winbind_tmp_t)
+
+ type winbind_var_run_t;
+ files_pid_file(winbind_var_run_t)
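Review bot: Commenting out `type winbind_tmp_t;` and `files_tmp_file(winbind_tmp_t)` removes the type from the policy rather than retiring it; any remaining reference to `winbind_tmp_t` elsewhere (samba.if interfaces, file contexts, other modules' `gen_require`) will now fail to build, and files on disk still labelled winbind_tmp_t may end up unlabeled on the next policy load — neither can be checked from this hunk. If the type has been merged into another one, follow the pattern this same commit uses in kerberos.te (`type krb5_host_rcache_t alias saslauthd_tmp_t;`) and add an alias on the replacement type, then delete the two lines instead of leaving them commented out.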
@@ -156,7 +163,7 @@
#
# Samba net local policy
@@ -36565,7 +37255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
optional_policy(`
pcscd_read_pub_files(samba_net_t)
-@@ -216,13 +225,14 @@
+@@ -216,13 +225,15 @@
optional_policy(`
kerberos_use(samba_net_t)
@@ -36577,11 +37267,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
# smbd Local policy
#
-allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search };
-+allow smbd_t self:capability { chown fowner setgid setuid sys_admin sys_nice sys_resource kill lease dac_override dac_read_search };
++
++allow smbd_t self:capability { chown fowner kill setgid setuid sys_nice sys_admin sys_resource lease dac_override dac_read_search };
dontaudit smbd_t self:capability sys_tty_config;
allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow smbd_t self:process setrlimit;
-@@ -255,7 +265,7 @@
+@@ -255,7 +266,7 @@
manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
@@ -36590,7 +37281,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
-@@ -275,6 +285,8 @@
+@@ -271,10 +282,14 @@
+ manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
+ manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
+ manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
+-files_pid_filetrans(smbd_t, smbd_var_run_t, file)
++files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file })
++
++allow smbd_t swat_t:process signal;
allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms;
@@ -36599,7 +37297,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
kernel_read_network_state(smbd_t)
-@@ -306,16 +318,23 @@
+@@ -306,16 +321,23 @@
dev_read_urand(smbd_t)
dev_getattr_mtrr_dev(smbd_t)
dev_dontaudit_getattr_usbfs_dirs(smbd_t)
@@ -36623,7 +37321,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
domain_use_interactive_fds(smbd_t)
domain_dontaudit_list_all_domains_state(smbd_t)
-@@ -325,6 +344,9 @@
+@@ -325,6 +347,9 @@
files_read_etc_runtime_files(smbd_t)
files_read_usr_files(smbd_t)
files_search_spool(smbd_t)
@@ -36633,7 +37331,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
# Allow samba to list mnt_t for potential mounted dirs
files_list_mnt(smbd_t)
-@@ -337,10 +359,13 @@
+@@ -337,10 +362,13 @@
miscfiles_read_public_files(smbd_t)
userdom_use_unpriv_users_fds(smbd_t)
@@ -36648,7 +37346,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
ifdef(`hide_broken_symptoms', `
files_dontaudit_getattr_default_dirs(smbd_t)
files_dontaudit_getattr_boot_dirs(smbd_t)
-@@ -352,19 +377,19 @@
+@@ -352,19 +380,19 @@
')
tunable_policy(`samba_domain_controller',`
@@ -36674,7 +37372,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
')
# Support Samba sharing of NFS mount points
-@@ -376,6 +401,15 @@
+@@ -376,6 +404,15 @@
fs_manage_nfs_named_sockets(smbd_t)
')
@@ -36690,7 +37388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
optional_policy(`
cups_read_rw_config(smbd_t)
cups_stream_connect(smbd_t)
-@@ -391,6 +425,11 @@
+@@ -391,6 +428,11 @@
')
optional_policy(`
@@ -36702,7 +37400,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
rpc_search_nfs_state_data(smbd_t)
')
-@@ -405,13 +444,15 @@
+@@ -405,13 +447,15 @@
tunable_policy(`samba_create_home_dirs',`
allow smbd_t self:capability chown;
userdom_create_user_home_dirs(smbd_t)
@@ -36719,7 +37417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
auth_read_all_files_except_shadow(nmbd_t)
')
-@@ -420,8 +461,8 @@
+@@ -420,8 +464,8 @@
auth_manage_all_files_except_shadow(smbd_t)
fs_read_noxattr_fs_files(nmbd_t)
auth_manage_all_files_except_shadow(nmbd_t)
@@ -36729,7 +37427,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
########################################
#
-@@ -518,13 +559,13 @@
+@@ -442,8 +486,9 @@
+ allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
++manage_dirs_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
+ manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
+-files_pid_filetrans(nmbd_t, nmbd_var_run_t, file)
++files_pid_filetrans(nmbd_t, nmbd_var_run_t, { dir file })
+
+ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+ read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -518,13 +563,13 @@
allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
allow smbcontrol_t nmbd_t:process { signal signull };
@@ -36747,7 +37456,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
samba_read_config(smbcontrol_t)
samba_rw_var_files(smbcontrol_t)
samba_search_var(smbcontrol_t)
-@@ -532,10 +573,14 @@
+@@ -532,10 +577,14 @@
domain_use_interactive_fds(smbcontrol_t)
@@ -36762,7 +37471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
########################################
#
# smbmount Local policy
-@@ -618,7 +663,7 @@
+@@ -618,7 +667,7 @@
# SWAT Local policy
#
@@ -36771,41 +37480,56 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
allow swat_t self:process { setrlimit signal_perms };
allow swat_t self:fifo_file rw_fifo_file_perms;
allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-@@ -626,23 +671,25 @@
+@@ -626,38 +675,49 @@
allow swat_t self:udp_socket create_socket_perms;
allow swat_t self:unix_stream_socket connectto;
+-allow swat_t nmbd_t:process { signal signull };
+samba_domtrans_smbd(swat_t)
+allow swat_t smbd_t:process { signal signull };
+allow smbd_t swat_t:process signal;
-+
-+samba_domtrans_nmbd(swat_t)
- allow swat_t nmbd_t:process { signal signull };
-+allow nmbd_t swat_t:process signal;
-allow swat_t nmbd_exec_t:file mmap_file_perms;
-can_exec(swat_t, nmbd_exec_t)
-+allow swat_t smbd_var_run_t:file { lock unlink };
++samba_domtrans_nmbd(swat_t)
++allow swat_t nmbd_t:process { signal signull };
++allow nmbd_t swat_t:process signal;
-allow swat_t nmbd_var_run_t:file { lock read unlink };
-+allow swat_t smbd_port_t:tcp_socket name_bind;
++allow swat_t nmbd_var_run_t:file read_file_perms;
-samba_domtrans_smbd(swat_t)
-allow swat_t smbd_t:process { signal signull };
-+allow swat_t nmbd_port_t:udp_socket name_bind;
++allow swat_t smbd_port_t:tcp_socket name_bind;
-allow swat_t smbd_var_run_t:file { lock unlink };
-+allow swat_t nmbd_var_run_t:file read_file_perms;
++allow swat_t nmbd_port_t:udp_socket name_bind;
rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t)
-append_files_pattern(swat_t, samba_log_t, samba_log_t)
--
++manage_dirs_pattern(swat_t, samba_log_t, samba_log_t)
++manage_files_pattern(swat_t, samba_log_t, samba_log_t)
++
++manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
++
++manage_files_pattern(swat_t, samba_var_t, samba_var_t)
++files_list_var_lib(swat_t)
+
allow swat_t smbd_exec_t:file mmap_file_perms ;
allow swat_t smbd_t:process signull;
-@@ -657,11 +704,14 @@
+
+ allow swat_t smbd_var_run_t:file read_file_perms;
++allow swat_t smbd_var_run_t:file { lock unlink };
+
+ manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
+ manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
+ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+
++read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t)
+ manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
files_pid_filetrans(swat_t, swat_var_run_t, file)
allow swat_t winbind_exec_t:file mmap_file_perms;
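Review bot: The block placed in this hunk replaces upstream's `append_files_pattern(swat_t, samba_log_t, samba_log_t)` (removed just above it) with `manage_dirs_pattern`/`manage_files_pattern` on samba_log_t, which lets the SWAT web interface truncate and unlink Samba's logs rather than only append to them. These lines appear to be relocated from the later `@@ -713,12 +765,23 @@` hunk rather than newly written, but the new side is where they now sit; if SWAT only needs to write its own entries, append-only access keeps the log trail intact should the web front end be compromised. `manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)` in the same block should at least carry a comment saying why SWAT must create or delete secrets files, e.g. `# swat rewrites the secrets database when domain settings change`, if that is the reason. The swat_t policy continues outside this hunk.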
@@ -36815,13 +37539,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
allow swat_t winbind_var_run_t:dir { write add_name remove_name };
allow swat_t winbind_var_run_t:sock_file { create unlink };
+@@ -694,12 +754,17 @@
+ auth_domtrans_chk_passwd(swat_t)
+ auth_use_nsswitch(swat_t)
-+read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t)
++init_read_utmp(swat_t)
++init_dontaudit_write_utmp(swat_t)
+
- kernel_read_kernel_sysctls(swat_t)
- kernel_read_system_state(swat_t)
- kernel_read_network_state(swat_t)
-@@ -700,6 +750,8 @@
+ logging_send_syslog_msg(swat_t)
+ logging_send_audit_msgs(swat_t)
+ logging_search_logs(swat_t)
miscfiles_read_localization(swat_t)
@@ -36830,23 +37557,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -713,12 +765,23 @@
- kerberos_use(swat_t)
- ')
-
-+init_read_utmp(swat_t)
-+init_dontaudit_write_utmp(swat_t)
-+
-+manage_dirs_pattern(swat_t, samba_log_t, samba_log_t)
-+manage_files_pattern(swat_t, samba_log_t, samba_log_t)
-+
-+manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
-+
-+manage_files_pattern(swat_t, samba_var_t, samba_var_t)
-+files_list_var_lib(swat_t)
-+
- ########################################
- #
+@@ -718,7 +783,7 @@
# Winbind local policy
#
@@ -36855,7 +37566,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
dontaudit winbind_t self:capability sys_tty_config;
allow winbind_t self:process { signal_perms getsched setsched };
allow winbind_t self:fifo_file rw_fifo_file_perms;
-@@ -763,6 +826,7 @@
+@@ -752,17 +817,22 @@
+ allow winbind_t winbind_log_t:file manage_file_perms;
+ logging_log_filetrans(winbind_t, winbind_log_t, file)
+
+-manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
+-manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
+-manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
+-files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
++#manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
++#manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
++#manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
++#files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
++userdom_manage_user_tmp_dirs(winbind_t)
++userdom_manage_user_tmp_files(winbind_t)
++userdom_tmp_filetrans_user_tmp(winbind_t, { file dir })
+
++manage_dirs_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
+ manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
+ manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
+-files_pid_filetrans(winbind_t, winbind_var_run_t, file)
++files_pid_filetrans(winbind_t, winbind_var_run_t, { dir file })
kernel_read_kernel_sysctls(winbind_t)
kernel_read_system_state(winbind_t)
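Review bot: Replacing winbind_t's private `winbind_tmp_t` rules with `userdom_manage_user_tmp_dirs`/`userdom_manage_user_tmp_files` and `userdom_tmp_filetrans_user_tmp` removes the isolation between winbind's temporary files and those of every user domain, and the userdomain.te hunk at `@@ -51035,7 +51864,7 @@` makes `winbind_tmp_t` an alias of `user_tmp_t`, so any user domain that manages user_tmp_t can now read, replace or unlink whatever winbind drops in /tmp. If that is intended (presumably winbind creates files in user-owned tmp locations on behalf of a session), a one-line comment stating it would stop the next maintainer from treating it as a regression, e.g. `# winbind writes into user-owned tmp; winbind_tmp_t is now an alias of user_tmp_t`. The four `#manage_*`/`#files_tmp_filetrans` lines should be deleted rather than left as comments, since they reference a type that no longer stands on its own and no longer describe current behaviour. The winbind_t policy continues outside this hunk.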
@@ -36863,7 +37594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
corecmd_exec_bin(winbind_t)
-@@ -779,6 +843,9 @@
+@@ -779,6 +849,9 @@
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
@@ -36873,7 +37604,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
-@@ -788,7 +855,7 @@
+@@ -788,7 +861,7 @@
auth_domtrans_chk_passwd(winbind_t)
auth_use_nsswitch(winbind_t)
@@ -36882,7 +37613,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
domain_use_interactive_fds(winbind_t)
-@@ -866,6 +933,18 @@
+@@ -866,6 +939,18 @@
#
optional_policy(`
@@ -36901,7 +37632,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
-@@ -876,9 +955,12 @@
+@@ -876,9 +961,12 @@
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@@ -36926,8 +37657,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl
# /usr
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.if serefpolicy-3.7.19/policy/modules/services/sasl.if
--- nsaserefpolicy/policy/modules/services/sasl.if 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/sasl.if 2010-09-16 14:45:19.000000000 +0000
-@@ -42,7 +42,7 @@
++++ serefpolicy-3.7.19/policy/modules/services/sasl.if 2011-03-16 13:51:30.211107002 +0000
+@@ -38,11 +38,11 @@
+ #
+ interface(`sasl_admin',`
+ gen_require(`
+- type saslauthd_t, saslauthd_tmp_t, saslauthd_var_run_t;
++ type saslauthd_t, saslauthd_var_run_t;
type saslauthd_initrc_exec_t;
')
@@ -36936,9 +37672,43 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl
ps_process_pattern($1, saslauthd_t)
init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
+@@ -50,9 +50,6 @@
+ role_transition $2 saslauthd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+- files_list_tmp($1)
+- admin_pattern($1, saslauthd_tmp_t)
+-
+ files_list_pids($1)
+ admin_pattern($1, saslauthd_var_run_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.7.19/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/sasl.te 2010-05-28 07:42:00.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/services/sasl.te 2011-03-16 13:52:02.396107002 +0000
+@@ -20,8 +20,8 @@
+ type saslauthd_initrc_exec_t;
+ init_script_file(saslauthd_initrc_exec_t)
+
+-type saslauthd_tmp_t;
+-files_tmp_file(saslauthd_tmp_t)
++#type saslauthd_tmp_t;
++#files_tmp_file(saslauthd_tmp_t)
+
+ type saslauthd_var_run_t;
+ files_pid_file(saslauthd_var_run_t)
+@@ -39,9 +39,9 @@
+ allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
+ allow saslauthd_t self:tcp_socket create_socket_perms;
+
+-allow saslauthd_t saslauthd_tmp_t:dir setattr;
+-manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t)
+-files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file)
++#allow saslauthd_t saslauthd_tmp_t:dir setattr;
++#manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t)
++#files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file)
+
+ manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
+ manage_sock_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
@@ -50,6 +50,9 @@
kernel_read_kernel_sysctls(saslauthd_t)
kernel_read_system_state(saslauthd_t)
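Review bot: The `saslauthd_tmp_t` declaration and its three tmp rules are commented out with `#` rather than removed, and no replacement access for files saslauthd might create under /tmp is visible in this hunk or in the sasl.if hunk above it, so with `files_tmp_filetrans` gone any such file would inherit the parent directory's label (presumably tmp_t) with no allow rule shown for it. If saslauthd no longer writes to /tmp, delete the six commented lines outright; if it still does, the replacement rule belongs in this same change. Leaving `#type saslauthd_tmp_t;` in place also suggests the type still exists, which the `gen_require` edit in the sasl.if hunk contradicts.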
@@ -36949,6 +37719,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl
corenet_all_recvfrom_unlabeled(saslauthd_t)
corenet_all_recvfrom_netlabel(saslauthd_t)
corenet_tcp_sendrecv_generic_if(saslauthd_t)
+@@ -95,6 +98,7 @@
+
+ optional_policy(`
+ kerberos_keytab_template(saslauthd, saslauthd_t)
++ kerberos_manage_host_rcache(saslauthd_t)
+ ')
+
+ optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.fc serefpolicy-3.7.19/policy/modules/services/sendmail.fc
--- nsaserefpolicy/policy/modules/services/sendmail.fc 2010-04-13 18:44:37.000000000 +0000
+++ serefpolicy-3.7.19/policy/modules/services/sendmail.fc 2010-05-28 07:42:00.000000000 +0000
@@ -38734,7 +39512,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.19/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2011-03-08 14:38:01.609413002 +0000
++++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2011-03-16 12:45:02.432107002 +0000
@@ -34,13 +34,12 @@
ssh_server_template(sshd)
init_daemon_domain(sshd_t, sshd_exec_t)
@@ -38977,7 +39755,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
ifdef(`TODO',`
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
-@@ -376,6 +360,10 @@
+@@ -368,6 +352,7 @@
+ # ssh_keygen_t is the type of the ssh-keygen program when run at install time
+ # and by sysadm_t
+
++allow ssh_keygen_t self:capability dac_override;
+ dontaudit ssh_keygen_t self:capability sys_tty_config;
+ allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
+
+@@ -376,6 +361,10 @@
allow ssh_keygen_t sshd_key_t:file manage_file_perms;
files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
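Review bot: `allow ssh_keygen_t self:capability dac_override;` lets ssh-keygen bypass every DAC permission check on files it touches, while the rest of this section only shows it managing sshd_key_t files under /etc. If the denial this fixes is a read or directory search on a root-owned 0700 path, `dac_read_search` is the narrower capability; if it is a write, the rule should carry a comment naming the file or directory, e.g. `# ssh-keygen writes host keys into a directory it does not own`. The ssh_keygen_t policy continues outside this hunk.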
@@ -38988,7 +39774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
kernel_read_kernel_sysctls(ssh_keygen_t)
fs_search_auto_mountpoints(ssh_keygen_t)
-@@ -384,6 +372,7 @@
+@@ -384,6 +373,7 @@
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
@@ -38996,7 +39782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
domain_use_interactive_fds(ssh_keygen_t)
-@@ -397,6 +386,11 @@
+@@ -397,6 +387,11 @@
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -39645,8 +40431,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vdag
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vdagent.te serefpolicy-3.7.19/policy/modules/services/vdagent.te
--- nsaserefpolicy/policy/modules/services/vdagent.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/vdagent.te 2011-03-09 15:08:02.121980002 +0000
-@@ -0,0 +1,57 @@
++++ serefpolicy-3.7.19/policy/modules/services/vdagent.te 2011-03-14 13:29:28.840107001 +0000
+@@ -0,0 +1,58 @@
+policy_module(vdagent,1.0.0)
+
+########################################
@@ -39656,6 +40442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vdag
+
+type vdagent_t;
+type vdagent_exec_t;
++init_daemon_domain(vdagent_t, vdagent_exec_t)
+udev_system_domain(vdagent_t, vdagent_exec_t)
+
+type vdagent_var_run_t;
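Review bot: `init_daemon_domain(vdagent_t, vdagent_exec_t)` and `udev_system_domain(vdagent_t, vdagent_exec_t)` now both declare a transition into vdagent_t for the same executable, which SELinux accepts but is unusual enough to deserve a comment saying why two entry paths exist, presumably because the agent can be started by its init script or by a udev rule. A line such as `# started both by the init script and by udev` above the pair would do. The vdagent_t declarations continue outside this hunk.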
@@ -42439,7 +43226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic
ssh_rw_stream_sockets(application_domain_type)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.7.19/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/system/authlogin.fc 2010-11-10 14:15:13.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/system/authlogin.fc 2011-03-10 01:21:39.821980001 +0000
@@ -10,6 +10,7 @@
/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
@@ -42452,13 +43239,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
/var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0)
/var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0)
-+/var/run/faillock(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
++/var/run/faillock(/.*)? gen_context(system_u:object_r:faillog_t,s0)
/var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
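Review bot: Relabelling `/var/run/faillock(/.*)?` from pam_var_run_t to faillog_t merges the pam_faillock runtime directory with a type that, judging by the new `auth_manage_faillog` interface calling both `files_search_pids` and `logging_search_logs`, is apparently also used under /var/log; every domain already allowed to write faillog_t therefore gains write access to the faillock state, and vice versa. If that is intended, a comment above the entry noting that faillog_t is shared between the two locations would help a later reader; otherwise a dedicated type for /var/run/faillock keeps them separate. Existing installs will also need a relabel of /var/run/faillock for the new context to take effect.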
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.19/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/system/authlogin.if 2011-01-14 13:33:19.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/system/authlogin.if 2011-03-16 12:49:39.669107002 +0000
@@ -41,7 +41,6 @@
##
#
@@ -42467,7 +43254,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
# for SSP/ProPolice
dev_read_urand($1)
# for encrypted homedir
-@@ -91,9 +90,12 @@
+@@ -66,6 +65,11 @@
+ optional_policy(`
+ consolekit_dbus_chat($1)
+ ')
++
++ optional_policy(`
++ fprintd_dbus_chat($1)
++ ')
++
+ ')
+
+ optional_policy(`
+@@ -91,9 +95,12 @@
interface(`auth_login_pgm_domain',`
gen_require(`
type var_auth_t, auth_cache_t;
@@ -42480,7 +43279,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
domain_subj_id_change_exemption($1)
domain_role_change_exemption($1)
domain_obj_id_change_exemption($1)
-@@ -107,6 +109,7 @@
+@@ -107,6 +114,7 @@
allow $1 self:capability ipc_lock;
allow $1 self:process setkeycreate;
allow $1 self:key manage_key_perms;
@@ -42488,15 +43287,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
files_list_var_lib($1)
manage_files_pattern($1, var_auth_t, var_auth_t)
-@@ -141,6 +144,7 @@
+@@ -141,6 +149,8 @@
mls_process_set_level($1)
mls_fd_share_all_levels($1)
++ auth_manage_faillog($1)
+ auth_manage_pam_pid($1)
auth_use_pam($1)
init_rw_utmp($1)
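Review bot: `auth_manage_faillog($1)` inside `auth_login_pgm_domain` grants every login-program domain create, unlink and setattr on faillog_t directories and files, not merely the ability to record a failure. pam_faillock presumably needs to create and remove per-user tally files under /var/run/faillock, so manage may be the right width, but that reasoning belongs in a comment next to the call, e.g. `# pam_faillock creates and clears per-user tally files`. The interface body continues outside this hunk.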
-@@ -151,8 +155,43 @@
+@@ -151,8 +161,43 @@
seutil_read_config($1)
seutil_read_default_contexts($1)
@@ -42542,7 +43342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
')
-@@ -365,13 +404,21 @@
+@@ -365,13 +410,21 @@
')
optional_policy(`
@@ -42565,7 +43365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
########################################
-@@ -418,6 +465,7 @@
+@@ -418,6 +471,7 @@
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@@ -42573,7 +43373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
########################################
-@@ -694,7 +742,7 @@
+@@ -694,7 +748,7 @@
')
files_search_etc($1)
@@ -42582,7 +43382,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
typeattribute $1 can_relabelto_shadow_passwords;
')
-@@ -1500,6 +1548,8 @@
+@@ -738,6 +792,27 @@
+
+ #######################################
+ ##
++## Manage the login failure log.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_manage_faillog',`
++ gen_require(`
++ type faillog_t;
++ ')
++
++ files_search_pids($1)
++ logging_search_logs($1)
++ allow $1 faillog_t:dir manage_dir_perms;
++ allow $1 faillog_t:file manage_file_perms;
++')
++
++#######################################
++##
+ ## Read the last logins log.
+ ##
+ ##
+@@ -1500,6 +1575,8 @@
#
interface(`auth_use_nsswitch',`
@@ -42591,7 +43419,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
files_list_var_lib($1)
# read /etc/nsswitch.conf
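Review bot: The new `auth_manage_faillog` interface's summary says only "Manage the login failure log", while its body searches both the pids and logs directories, which indicates faillog_t is used in two places; the summary should name what the caller actually gets access to, e.g. `## Manage the login failure log (faillog_t, found under both /var/log and /var/run).`. The interface also grants `manage_dir_perms` on faillog_t, so callers may remove the directory itself; if only the entries inside are meant to be managed, `rw_dir_perms` would be the narrower choice. Naming the PAM module that needs this in a comment would make the width of the grant reviewable later.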
-@@ -1531,7 +1581,15 @@
+@@ -1531,7 +1608,15 @@
')
optional_policy(`
@@ -44180,7 +45008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.19/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/system/iptables.te 2010-09-09 11:43:36.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/system/iptables.te 2011-03-14 09:35:38.335980000 +0000
@@ -14,9 +14,6 @@
type iptables_initrc_exec_t;
init_script_file(iptables_initrc_exec_t)
@@ -44236,7 +45064,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
domain_use_interactive_fds(iptables_t)
files_read_etc_files(iptables_t)
- files_read_etc_runtime_files(iptables_t)
+-files_read_etc_runtime_files(iptables_t)
++files_rw_etc_runtime_files(iptables_t)
+files_read_usr_files(iptables_t)
auth_use_nsswitch(iptables_t)
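Review bot: Switching `files_read_etc_runtime_files(iptables_t)` to `files_rw_etc_runtime_files(iptables_t)` gives iptables write access to every etc_runtime_t file, a label shared by unrelated runtime files under /etc, when the denial being fixed is presumably about one specific file. A comment naming that file, e.g. `# iptables writes <etc runtime file> which is labelled etc_runtime_t`, would let a later reviewer judge whether a dedicated type is warranted instead. The iptables_t policy continues outside this hunk.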
@@ -50972,7 +51801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.19/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/system/userdomain.te 2011-01-19 16:11:07.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/system/userdomain.te 2011-03-16 14:09:58.953107001 +0000
@@ -29,18 +29,18 @@
##
@@ -51035,7 +51864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
ubac_constrained(user_devpts_t)
-type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
-+type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t sshd_tmp_t auditadm_tmp_t unconfined_tmp_t };
++type user_tmp_t alias { winbind_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t sshd_tmp_t auditadm_tmp_t unconfined_tmp_t };
typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
files_tmp_file(user_tmp_t)
userdom_user_home_content(user_tmp_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 0e66624..9f951f3 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 100%{?dist}
+Release: 101%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,16 @@ exit 0
%endif
%changelog
+* Wed Mar 16 2011 Miroslav Grepl 3.7.19-101
+- Fixes for sandbox/seunshare policy
+- Add matahari policy
+- Allow shutdown setsched and sys_nice
+- Add port definition for dogtag, matahari, movaz ports
+- Add label for /etc/securetty
+- Fixes for pirahna-pulse policy
+- Fixes for radius, samba, dirsrv, kerberos policies
+- RHEL6 fixes for MLS policy bugs
+
* Wed Mar 9 2011 Miroslav Grepl 3.7.19-100
- Add other fixes for spice
- Add label for dev/hpilo/*