diff --git a/policy-F13.patch b/policy-F13.patch index 983b8dc..8349857 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -1,6 +1,6 @@ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.13/Makefile +diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.14/Makefile --- nsaserefpolicy/Makefile 2009-08-18 11:41:14.000000000 -0400 -+++ serefpolicy-3.7.13/Makefile 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/Makefile 2010-03-12 09:30:00.000000000 -0500 @@ -244,7 +244,7 @@ appdir := $(contextpath) user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts) @@ -10,9 +10,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.13/ net_contexts := $(builddir)net_contexts all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.7.13/policy/global_tunables +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.7.14/policy/global_tunables --- nsaserefpolicy/policy/global_tunables 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.13/policy/global_tunables 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/global_tunables 2010-03-12 09:30:00.000000000 -0500 @@ -61,15 +61,6 @@ ## @@ -48,9 +48,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref +## +gen_tunable(mmap_low_allowed, false) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-3.7.13/policy/modules/admin/acct.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-3.7.14/policy/modules/admin/acct.te --- nsaserefpolicy/policy/modules/admin/acct.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/admin/acct.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/acct.te 2010-03-12 09:30:00.000000000 -0500 @@ -43,6 +43,7 @@ fs_getattr_xattr_fs(acct_t) @@ -59,51 +59,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te corecmd_exec_bin(acct_t) corecmd_exec_shell(acct_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.7.13/policy/modules/admin/alsa.if ---- nsaserefpolicy/policy/modules/admin/alsa.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/admin/alsa.if 2010-03-11 08:56:13.000000000 -0500 -@@ -76,6 +76,26 @@ - - ######################################## - ## -+## Manage alsa writable config files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`alsa_manage_rw_config',` -+ gen_require(` -+ type alsa_etc_rw_t; -+ ') -+ -+ allow $1 alsa_etc_rw_t:dir list_dir_perms; -+ manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) -+ read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) -+') -+ -+######################################## -+## - ## Read alsa lib files. - ## - ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.7.13/policy/modules/admin/alsa.te ---- nsaserefpolicy/policy/modules/admin/alsa.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/admin/alsa.te 2010-03-11 08:56:13.000000000 -0500 -@@ -51,6 +51,8 @@ - files_read_etc_files(alsa_t) - files_read_usr_files(alsa_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.7.14/policy/modules/admin/alsa.te +--- nsaserefpolicy/policy/modules/admin/alsa.te 2010-03-12 11:48:14.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/alsa.te 2010-03-12 09:25:28.000000000 -0500 +@@ -1,5 +1,5 @@ -+term_dontaudit_use_console(alsa_t) -+ - auth_use_nsswitch(alsa_t) +-policy_module(alsa, 1.8.1) ++policy_module(alsa, 1.8.0) - init_use_fds(alsa_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.7.13/policy/modules/admin/anaconda.te + ######################################## + # +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.7.14/policy/modules/admin/anaconda.te --- nsaserefpolicy/policy/modules/admin/anaconda.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/admin/anaconda.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/anaconda.te 2010-03-12 09:30:00.000000000 -0500 @@ -31,6 +31,7 @@ modutils_domtrans_insmod(anaconda_t) @@ -121,9 +89,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anacond ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.7.13/policy/modules/admin/brctl.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.7.14/policy/modules/admin/brctl.te --- nsaserefpolicy/policy/modules/admin/brctl.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/admin/brctl.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/brctl.te 2010-03-12 09:30:00.000000000 -0500 @@ -21,7 +21,7 @@ allow brctl_t self:unix_dgram_socket create_socket_perms; allow brctl_t self:tcp_socket create_socket_perms; @@ -133,9 +101,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.t kernel_read_network_state(brctl_t) kernel_read_sysctl(brctl_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.7.13/policy/modules/admin/certwatch.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.7.14/policy/modules/admin/certwatch.te --- nsaserefpolicy/policy/modules/admin/certwatch.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/admin/certwatch.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/certwatch.te 2010-03-12 09:30:00.000000000 -0500 @@ -36,7 +36,7 @@ miscfiles_read_localization(certwatch_t) @@ -145,9 +113,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwat optional_policy(` apache_exec_modules(certwatch_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.if serefpolicy-3.7.13/policy/modules/admin/consoletype.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.if serefpolicy-3.7.14/policy/modules/admin/consoletype.if --- nsaserefpolicy/policy/modules/admin/consoletype.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/admin/consoletype.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/consoletype.if 2010-03-12 09:30:00.000000000 -0500 @@ -19,6 +19,9 @@ corecmd_search_bin($1) @@ -158,9 +126,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.7.13/policy/modules/admin/consoletype.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.7.14/policy/modules/admin/consoletype.te --- nsaserefpolicy/policy/modules/admin/consoletype.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/admin/consoletype.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/consoletype.te 2010-03-12 09:30:00.000000000 -0500 @@ -10,7 +10,6 @@ type consoletype_exec_t; application_executable_file(consoletype_exec_t) @@ -169,9 +137,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console role system_r types consoletype_t; ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.7.13/policy/modules/admin/firstboot.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.7.14/policy/modules/admin/firstboot.te --- nsaserefpolicy/policy/modules/admin/firstboot.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/admin/firstboot.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/firstboot.te 2010-03-12 09:30:00.000000000 -0500 @@ -91,8 +91,12 @@ userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file }) @@ -194,9 +162,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstbo ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.7.13/policy/modules/admin/kismet.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.7.14/policy/modules/admin/kismet.te --- nsaserefpolicy/policy/modules/admin/kismet.te 2010-03-09 15:39:06.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/admin/kismet.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/kismet.te 2010-03-12 09:30:00.000000000 -0500 @@ -45,6 +45,7 @@ manage_dirs_pattern(kismet_t, kismet_home_t, kismet_home_t) manage_files_pattern(kismet_t, kismet_home_t, kismet_home_t) @@ -205,9 +173,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. userdom_user_home_dir_filetrans(kismet_t, kismet_home_t, { file dir }) manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.7.13/policy/modules/admin/logrotate.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.7.14/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/admin/logrotate.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/logrotate.te 2010-03-12 09:30:00.000000000 -0500 @@ -32,7 +32,7 @@ # Change ownership on log files. allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice }; @@ -313,15 +281,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota +optional_policy(` varnishd_manage_log(logrotate_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.fc serefpolicy-3.7.13/policy/modules/admin/mcelog.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.fc serefpolicy-3.7.14/policy/modules/admin/mcelog.fc --- nsaserefpolicy/policy/modules/admin/mcelog.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/admin/mcelog.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/mcelog.fc 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,2 @@ + +/usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.if serefpolicy-3.7.13/policy/modules/admin/mcelog.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.if serefpolicy-3.7.14/policy/modules/admin/mcelog.if --- nsaserefpolicy/policy/modules/admin/mcelog.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/admin/mcelog.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/mcelog.if 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,21 @@ + +## policy for mcelog @@ -344,9 +312,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog. + domtrans_pattern($1, mcelog_exec_t, mcelog_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.te serefpolicy-3.7.13/policy/modules/admin/mcelog.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.te serefpolicy-3.7.14/policy/modules/admin/mcelog.te --- nsaserefpolicy/policy/modules/admin/mcelog.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/admin/mcelog.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/mcelog.te 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,32 @@ + +policy_module(mcelog,1.0.0) @@ -380,9 +348,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog. +miscfiles_read_localization(mcelog_t) + +logging_send_syslog_msg(mcelog_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.7.13/policy/modules/admin/mrtg.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.7.14/policy/modules/admin/mrtg.te --- nsaserefpolicy/policy/modules/admin/mrtg.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/admin/mrtg.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/mrtg.te 2010-03-12 09:30:00.000000000 -0500 @@ -116,6 +116,7 @@ userdom_use_user_terminals(mrtg_t) userdom_dontaudit_read_user_home_content_files(mrtg_t) @@ -391,9 +359,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te netutils_domtrans_ping(mrtg_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.fc serefpolicy-3.7.13/policy/modules/admin/netutils.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.fc serefpolicy-3.7.14/policy/modules/admin/netutils.fc --- nsaserefpolicy/policy/modules/admin/netutils.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/admin/netutils.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/netutils.fc 2010-03-12 09:30:00.000000000 -0500 @@ -9,6 +9,7 @@ /usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0) /usr/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) @@ -402,9 +370,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil /usr/sbin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) /usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0) /usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.7.13/policy/modules/admin/netutils.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.7.14/policy/modules/admin/netutils.te --- nsaserefpolicy/policy/modules/admin/netutils.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/admin/netutils.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/netutils.te 2010-03-12 09:30:00.000000000 -0500 @@ -44,6 +44,7 @@ allow netutils_t self:packet_socket create_socket_perms; allow netutils_t self:udp_socket create_socket_perms; @@ -455,17 +423,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil + term_use_all_ttys(traceroute_t) + term_use_all_ptys(traceroute_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.7.13/policy/modules/admin/prelink.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.7.14/policy/modules/admin/prelink.fc --- nsaserefpolicy/policy/modules/admin/prelink.fc 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/admin/prelink.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/prelink.fc 2010-03-12 09:30:00.000000000 -0500 @@ -1,3 +1,4 @@ +/etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0) /etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.7.13/policy/modules/admin/prelink.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.7.14/policy/modules/admin/prelink.if --- nsaserefpolicy/policy/modules/admin/prelink.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/admin/prelink.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/prelink.if 2010-03-12 09:30:00.000000000 -0500 @@ -21,6 +21,25 @@ ######################################## @@ -506,9 +474,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink - relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) + relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.13/policy/modules/admin/prelink.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.14/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/admin/prelink.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/prelink.te 2010-03-12 09:30:00.000000000 -0500 @@ -21,8 +21,21 @@ type prelink_tmp_t; files_tmp_file(prelink_tmp_t) @@ -633,9 +601,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink +optional_policy(` + rpm_read_db(prelink_cron_system_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.te serefpolicy-3.7.13/policy/modules/admin/quota.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.te serefpolicy-3.7.14/policy/modules/admin/quota.te --- nsaserefpolicy/policy/modules/admin/quota.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/admin/quota.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/quota.te 2010-03-12 09:30:00.000000000 -0500 @@ -39,6 +39,7 @@ kernel_list_proc(quota_t) kernel_read_proc_symlinks(quota_t) @@ -644,9 +612,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.t dev_read_sysfs(quota_t) dev_getattr_all_blk_files(quota_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.7.13/policy/modules/admin/readahead.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.7.14/policy/modules/admin/readahead.te --- nsaserefpolicy/policy/modules/admin/readahead.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/admin/readahead.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/readahead.te 2010-03-12 09:30:00.000000000 -0500 @@ -52,6 +52,7 @@ files_list_non_security(readahead_t) @@ -664,9 +632,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahe fs_read_tmpfs_symlinks(readahead_t) fs_list_inotifyfs(readahead_t) fs_dontaudit_search_ramfs(readahead_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.7.13/policy/modules/admin/rpm.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.7.14/policy/modules/admin/rpm.fc --- nsaserefpolicy/policy/modules/admin/rpm.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/admin/rpm.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/rpm.fc 2010-03-12 09:30:00.000000000 -0500 @@ -1,18 +1,19 @@ /bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -717,9 +685,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc # SuSE ifdef(`distro_suse', ` /usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.7.13/policy/modules/admin/rpm.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.7.14/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/admin/rpm.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/rpm.if 2010-03-12 09:30:00.000000000 -0500 @@ -13,11 +13,36 @@ interface(`rpm_domtrans',` gen_require(` @@ -1173,9 +1141,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.7.13/policy/modules/admin/rpm.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.7.14/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/admin/rpm.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/rpm.te 2010-03-12 09:30:00.000000000 -0500 @@ -1,6 +1,8 @@ policy_module(rpm, 1.10.0) @@ -1460,9 +1428,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te optional_policy(` java_domtrans_unconfined(rpm_script_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.7.13/policy/modules/admin/shorewall.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.7.14/policy/modules/admin/shorewall.te --- nsaserefpolicy/policy/modules/admin/shorewall.te 2010-03-08 14:49:44.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/admin/shorewall.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/shorewall.te 2010-03-12 09:30:00.000000000 -0500 @@ -87,7 +87,7 @@ sysnet_domtrans_ifconfig(shorewall_t) @@ -1472,18 +1440,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa optional_policy(` iptables_domtrans(shorewall_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.fc serefpolicy-3.7.13/policy/modules/admin/shutdown.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.fc serefpolicy-3.7.14/policy/modules/admin/shutdown.fc --- nsaserefpolicy/policy/modules/admin/shutdown.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/admin/shutdown.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/shutdown.fc 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,5 @@ +/etc/nologin -- gen_context(system_u:object_r:shutdown_etc_t,s0) + +/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) + +/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.if serefpolicy-3.7.13/policy/modules/admin/shutdown.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.if serefpolicy-3.7.14/policy/modules/admin/shutdown.if --- nsaserefpolicy/policy/modules/admin/shutdown.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/admin/shutdown.if 2010-03-11 14:16:05.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/shutdown.if 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,118 @@ + +## policy for shutdown @@ -1603,9 +1571,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow + allow $1 shutdown_t:dbus send_msg; + allow shutdown_t $1:dbus send_msg; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.7.13/policy/modules/admin/shutdown.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.7.14/policy/modules/admin/shutdown.te --- nsaserefpolicy/policy/modules/admin/shutdown.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/admin/shutdown.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/shutdown.te 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,57 @@ +policy_module(shutdown,1.0.0) + @@ -1664,22 +1632,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow + dbus_system_bus_client(shutdown_t) + dbus_connect_system_bus(shutdown_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.fc serefpolicy-3.7.13/policy/modules/admin/smoltclient.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.fc serefpolicy-3.7.14/policy/modules/admin/smoltclient.fc --- nsaserefpolicy/policy/modules/admin/smoltclient.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/admin/smoltclient.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/smoltclient.fc 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,4 @@ + +/usr/share/smolt/client/sendProfile.py -- gen_context(system_u:object_r:smoltclient_exec_t,s0) + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.if serefpolicy-3.7.13/policy/modules/admin/smoltclient.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.if serefpolicy-3.7.14/policy/modules/admin/smoltclient.if --- nsaserefpolicy/policy/modules/admin/smoltclient.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/admin/smoltclient.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/smoltclient.if 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1 @@ +## The Fedora hardware profiler client -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.7.13/policy/modules/admin/smoltclient.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.7.14/policy/modules/admin/smoltclient.te --- nsaserefpolicy/policy/modules/admin/smoltclient.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/admin/smoltclient.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/smoltclient.te 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,66 @@ +policy_module(smoltclient,1.0.0) + @@ -1747,9 +1715,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltcl + rpm_exec(smoltclient_t) + rpm_read_db(smoltclient_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.7.13/policy/modules/admin/sudo.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.7.14/policy/modules/admin/sudo.if --- nsaserefpolicy/policy/modules/admin/sudo.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/admin/sudo.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/sudo.if 2010-03-12 09:30:00.000000000 -0500 @@ -73,12 +73,16 @@ # Enter this derived domain from the user domain domtrans_pattern($3, sudo_exec_t, $1_sudo_t) @@ -1778,9 +1746,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files($1_sudo_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.7.13/policy/modules/admin/su.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.7.14/policy/modules/admin/su.if --- nsaserefpolicy/policy/modules/admin/su.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/admin/su.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/su.if 2010-03-12 09:30:00.000000000 -0500 @@ -58,6 +58,10 @@ allow $2 $1_su_t:fifo_file rw_file_perms; allow $2 $1_su_t:process sigchld; @@ -1803,9 +1771,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s ps_process_pattern($3, $1_su_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.7.13/policy/modules/admin/tmpreaper.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.7.14/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/admin/tmpreaper.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/tmpreaper.te 2010-03-12 09:30:00.000000000 -0500 @@ -42,6 +42,7 @@ cron_system_entry(tmpreaper_t, tmpreaper_exec_t) @@ -1844,9 +1812,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap +optional_policy(` unconfined_domain(tmpreaper_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.7.13/policy/modules/admin/usermanage.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.7.14/policy/modules/admin/usermanage.if --- nsaserefpolicy/policy/modules/admin/usermanage.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/admin/usermanage.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/usermanage.if 2010-03-12 09:30:00.000000000 -0500 @@ -18,6 +18,10 @@ files_search_usr($1) corecmd_search_bin($1) @@ -1902,9 +1870,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman optional_policy(` nscd_run(useradd_t, $2) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.13/policy/modules/admin/usermanage.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.14/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/admin/usermanage.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/usermanage.te 2010-03-12 09:30:00.000000000 -0500 @@ -209,6 +209,7 @@ files_manage_etc_files(groupadd_t) files_relabel_etc_files(groupadd_t) @@ -1973,9 +1941,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman puppet_rw_tmp(useradd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.7.13/policy/modules/admin/vbetool.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.7.14/policy/modules/admin/vbetool.te --- nsaserefpolicy/policy/modules/admin/vbetool.te 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/admin/vbetool.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/vbetool.te 2010-03-12 09:30:00.000000000 -0500 @@ -25,7 +25,13 @@ dev_rw_xserver_misc(vbetool_t) dev_rw_mtrr(vbetool_t) @@ -1990,9 +1958,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool term_use_unallocated_ttys(vbetool_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.7.13/policy/modules/admin/vpn.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.7.14/policy/modules/admin/vpn.te --- nsaserefpolicy/policy/modules/admin/vpn.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/admin/vpn.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/admin/vpn.te 2010-03-12 09:30:00.000000000 -0500 @@ -31,7 +31,7 @@ allow vpnc_t self:rawip_socket create_socket_perms; allow vpnc_t self:unix_dgram_socket create_socket_perms; @@ -2026,15 +1994,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te +optional_policy(` + networkmanager_attach_tun_iface(vpnc_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.fc serefpolicy-3.7.13/policy/modules/apps/chrome.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.fc serefpolicy-3.7.14/policy/modules/apps/chrome.fc --- nsaserefpolicy/policy/modules/apps/chrome.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/chrome.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/chrome.fc 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,2 @@ + +/usr/lib(64)?/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.7.13/policy/modules/apps/chrome.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.7.14/policy/modules/apps/chrome.if --- nsaserefpolicy/policy/modules/apps/chrome.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/chrome.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/chrome.if 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,90 @@ + +## policy for chrome @@ -2126,9 +2094,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.i + allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.13/policy/modules/apps/chrome.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.14/policy/modules/apps/chrome.te --- nsaserefpolicy/policy/modules/apps/chrome.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/chrome.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/chrome.te 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,81 @@ +policy_module(chrome,1.0.0) + @@ -2211,9 +2179,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.t + fs_dontaudit_append_cifs_files(chrome_sandbox_t) + fs_dontaudit_read_cifs_files(chrome_sandbox_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.7.13/policy/modules/apps/cpufreqselector.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.7.14/policy/modules/apps/cpufreqselector.te --- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/cpufreqselector.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/cpufreqselector.te 2010-03-12 09:30:00.000000000 -0500 @@ -26,7 +26,7 @@ dev_rw_sysfs(cpufreqselector_t) @@ -2223,9 +2191,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqs optional_policy(` dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.7.13/policy/modules/apps/execmem.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.7.14/policy/modules/apps/execmem.fc --- nsaserefpolicy/policy/modules/apps/execmem.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/execmem.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/execmem.fc 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,45 @@ + +/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0) @@ -2272,9 +2240,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem. + +/opt/google/chrome/chrome -- gen_context(system_u:object_r:execmem_exec_t,s0) +/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.7.13/policy/modules/apps/execmem.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.7.14/policy/modules/apps/execmem.if --- nsaserefpolicy/policy/modules/apps/execmem.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/execmem.if 2010-03-11 14:42:14.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/execmem.if 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,116 @@ +## execmem domain + @@ -2392,9 +2360,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem. + + domtrans_pattern($1, execmem_exec_t, $2) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.te serefpolicy-3.7.13/policy/modules/apps/execmem.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.te serefpolicy-3.7.14/policy/modules/apps/execmem.te --- nsaserefpolicy/policy/modules/apps/execmem.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/execmem.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/execmem.te 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,11 @@ + +policy_module(execmem, 1.0.0) @@ -2407,16 +2375,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem. +type execmem_exec_t alias unconfined_execmem_exec_t; +application_executable_file(execmem_exec_t) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.fc serefpolicy-3.7.13/policy/modules/apps/firewallgui.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.fc serefpolicy-3.7.14/policy/modules/apps/firewallgui.fc --- nsaserefpolicy/policy/modules/apps/firewallgui.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/firewallgui.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/firewallgui.fc 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,3 @@ + +/usr/share/system-config-firewall/system-config-firewall-mechanism.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.if serefpolicy-3.7.13/policy/modules/apps/firewallgui.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.if serefpolicy-3.7.14/policy/modules/apps/firewallgui.if --- nsaserefpolicy/policy/modules/apps/firewallgui.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/firewallgui.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/firewallgui.if 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,23 @@ + +## policy for firewallgui @@ -2441,9 +2409,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall + allow $1 firewallgui_t:dbus send_msg; + allow firewallgui_t $1:dbus send_msg; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.7.13/policy/modules/apps/firewallgui.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.7.14/policy/modules/apps/firewallgui.te --- nsaserefpolicy/policy/modules/apps/firewallgui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/firewallgui.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/firewallgui.te 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,66 @@ + +policy_module(firewallgui,1.0.0) @@ -2511,9 +2479,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall + policykit_dbus_chat(firewallgui_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.7.13/policy/modules/apps/gitosis.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.7.14/policy/modules/apps/gitosis.if --- nsaserefpolicy/policy/modules/apps/gitosis.if 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/apps/gitosis.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/gitosis.if 2010-03-12 09:30:00.000000000 -0500 @@ -43,3 +43,47 @@ role $2 types gitosis_t; ') @@ -2562,9 +2530,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis. + manage_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) + manage_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.7.13/policy/modules/apps/gnome.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.7.14/policy/modules/apps/gnome.fc --- nsaserefpolicy/policy/modules/apps/gnome.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/apps/gnome.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/gnome.fc 2010-03-12 09:30:00.000000000 -0500 @@ -1,8 +1,28 @@ -HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0) @@ -2596,9 +2564,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc + +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.7.13/policy/modules/apps/gnome.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.7.14/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/apps/gnome.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/gnome.if 2010-03-12 09:30:00.000000000 -0500 @@ -74,6 +74,24 @@ ######################################## @@ -2856,9 +2824,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if + allow $1 gconfdefaultsm_t:dbus send_msg; + allow gconfdefaultsm_t $1:dbus send_msg; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.7.13/policy/modules/apps/gnome.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.7.14/policy/modules/apps/gnome.te --- nsaserefpolicy/policy/modules/apps/gnome.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/apps/gnome.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/gnome.te 2010-03-12 09:30:00.000000000 -0500 @@ -7,18 +7,33 @@ # @@ -3007,18 +2975,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te + policykit_read_lib(gnomesystemmm_t) + policykit_read_reload(gnomesystemmm_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.7.13/policy/modules/apps/gpg.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.7.14/policy/modules/apps/gpg.fc --- nsaserefpolicy/policy/modules/apps/gpg.fc 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/apps/gpg.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/gpg.fc 2010-03-12 09:30:00.000000000 -0500 @@ -1,4 +1,5 @@ HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) +/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.7.13/policy/modules/apps/gpg.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.7.14/policy/modules/apps/gpg.if --- nsaserefpolicy/policy/modules/apps/gpg.if 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/apps/gpg.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/gpg.if 2010-03-12 09:30:00.000000000 -0500 @@ -52,11 +52,8 @@ ifdef(`hide_broken_symptoms',` @@ -3032,9 +3000,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s ') ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.7.13/policy/modules/apps/gpg.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.7.14/policy/modules/apps/gpg.te --- nsaserefpolicy/policy/modules/apps/gpg.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/gpg.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/gpg.te 2010-03-12 09:30:00.000000000 -0500 @@ -20,6 +20,7 @@ typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t }; application_domain(gpg_t, gpg_exec_t) @@ -3091,9 +3059,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s # rlimit: gpg-agent wants to prevent coredumps allow gpg_agent_t self:process setrlimit; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.7.13/policy/modules/apps/java.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.7.14/policy/modules/apps/java.fc --- nsaserefpolicy/policy/modules/apps/java.fc 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/java.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/java.fc 2010-03-12 09:30:00.000000000 -0500 @@ -9,6 +9,7 @@ # # /usr @@ -3113,9 +3081,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc + +/usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.7.13/policy/modules/apps/java.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.7.14/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/java.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/java.if 2010-03-12 09:30:00.000000000 -0500 @@ -72,6 +72,7 @@ domain_interactive_fd($1_java_t) @@ -3141,9 +3109,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.7.13/policy/modules/apps/java.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.7.14/policy/modules/apps/java.te --- nsaserefpolicy/policy/modules/apps/java.te 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/java.te 2010-03-11 16:37:25.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/java.te 2010-03-12 09:30:00.000000000 -0500 @@ -147,6 +147,14 @@ init_dbus_chat_script(unconfined_java_t) @@ -3159,21 +3127,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te + rpm_domtrans(unconfined_java_t) + ') ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.7.13/policy/modules/apps/kdumpgui.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.7.14/policy/modules/apps/kdumpgui.fc --- nsaserefpolicy/policy/modules/apps/kdumpgui.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/kdumpgui.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/kdumpgui.fc 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,2 @@ + +/usr/share/system-config-kdump/system-config-kdump-backend.py -- gen_context(system_u:object_r:kdumpgui_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.7.13/policy/modules/apps/kdumpgui.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.7.14/policy/modules/apps/kdumpgui.if --- nsaserefpolicy/policy/modules/apps/kdumpgui.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/kdumpgui.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/kdumpgui.if 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,2 @@ +## system-config-kdump policy + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.7.13/policy/modules/apps/kdumpgui.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.7.14/policy/modules/apps/kdumpgui.te --- nsaserefpolicy/policy/modules/apps/kdumpgui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/kdumpgui.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/kdumpgui.te 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,68 @@ +policy_module(kdumpgui,1.0.0) + @@ -3243,15 +3211,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui +optional_policy(` + policykit_dbus_chat(kdumpgui_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.7.13/policy/modules/apps/livecd.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.7.14/policy/modules/apps/livecd.fc --- nsaserefpolicy/policy/modules/apps/livecd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/livecd.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/livecd.fc 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,2 @@ + +/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.7.13/policy/modules/apps/livecd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.7.14/policy/modules/apps/livecd.if --- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/livecd.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/livecd.if 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,52 @@ + +## policy for livecd @@ -3305,9 +3273,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.i + usermanage_run_chfn(livecd_t, $2) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.7.13/policy/modules/apps/livecd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.7.14/policy/modules/apps/livecd.te --- nsaserefpolicy/policy/modules/apps/livecd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/livecd.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/livecd.te 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,27 @@ +policy_module(livecd, 1.0.0) + @@ -3336,9 +3304,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.t + +seutil_domtrans_setfiles_mac(livecd_t) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.if serefpolicy-3.7.13/policy/modules/apps/loadkeys.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.if serefpolicy-3.7.14/policy/modules/apps/loadkeys.if --- nsaserefpolicy/policy/modules/apps/loadkeys.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/apps/loadkeys.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/loadkeys.if 2010-03-12 09:30:00.000000000 -0500 @@ -17,6 +17,9 @@ corecmd_search_bin($1) @@ -3349,9 +3317,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.7.13/policy/modules/apps/loadkeys.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.7.14/policy/modules/apps/loadkeys.te --- nsaserefpolicy/policy/modules/apps/loadkeys.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/apps/loadkeys.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/loadkeys.te 2010-03-12 09:30:00.000000000 -0500 @@ -40,8 +40,12 @@ miscfiles_read_localization(loadkeys_t) @@ -3366,9 +3334,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys +ifdef(`hide_broken_symptoms',` + dev_dontaudit_rw_lvm_control(loadkeys_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.7.13/policy/modules/apps/mono.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.7.14/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/mono.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/mono.if 2010-03-12 09:30:00.000000000 -0500 @@ -40,10 +40,10 @@ domain_interactive_fd($1_mono_t) application_type($1_mono_t) @@ -3381,9 +3349,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms }; domtrans_pattern($3, mono_exec_t, $1_mono_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.7.13/policy/modules/apps/mozilla.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.7.14/policy/modules/apps/mozilla.fc --- nsaserefpolicy/policy/modules/apps/mozilla.fc 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/apps/mozilla.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/mozilla.fc 2010-03-12 09:30:00.000000000 -0500 @@ -1,6 +1,7 @@ HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) @@ -3400,9 +3368,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. /usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.7.13/policy/modules/apps/mozilla.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.7.14/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/mozilla.if 2010-03-11 12:30:03.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/mozilla.if 2010-03-12 09:30:00.000000000 -0500 @@ -48,6 +48,12 @@ mozilla_dbus_chat($2) @@ -3483,9 +3451,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. + allow $2 mozilla_exec_t:file entrypoint; + domtrans_pattern($1, mozilla_exec_t, $2) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.7.13/policy/modules/apps/mozilla.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.7.14/policy/modules/apps/mozilla.te --- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/mozilla.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/mozilla.te 2010-03-12 09:30:00.000000000 -0500 @@ -91,6 +91,7 @@ corenet_raw_sendrecv_generic_node(mozilla_t) corenet_tcp_sendrecv_http_port(mozilla_t) @@ -3544,9 +3512,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. +optional_policy(` thunderbird_domtrans(mozilla_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.7.13/policy/modules/apps/mplayer.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.7.14/policy/modules/apps/mplayer.if --- nsaserefpolicy/policy/modules/apps/mplayer.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/apps/mplayer.if 2010-03-11 12:29:39.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/mplayer.if 2010-03-12 09:30:00.000000000 -0500 @@ -102,3 +102,39 @@ read_files_pattern($1, mplayer_home_t, mplayer_home_t) userdom_search_user_home_dirs($1) @@ -3587,9 +3555,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer. + allow $2 mplayer_exec_t:file entrypoint; + domtrans_pattern($1, mplayer_exec_t, $2) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.7.13/policy/modules/apps/nsplugin.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.7.14/policy/modules/apps/nsplugin.fc --- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/nsplugin.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/nsplugin.fc 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,10 @@ +HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) @@ -3601,9 +3569,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0) +/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0) +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.7.13/policy/modules/apps/nsplugin.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.7.14/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/nsplugin.if 2010-03-11 12:29:54.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/nsplugin.if 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,390 @@ + +## policy for nsplugin @@ -3995,9 +3963,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + allow $2 nsplugin_exec_t:file entrypoint; + domtrans_pattern($1, nsplugin_exec_t, $2) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.13/policy/modules/apps/nsplugin.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.14/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/nsplugin.te 2010-03-11 08:59:06.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/nsplugin.te 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,295 @@ + +policy_module(nsplugin, 1.0.0) @@ -4294,16 +4262,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.7.13/policy/modules/apps/openoffice.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.7.14/policy/modules/apps/openoffice.fc --- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/openoffice.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/openoffice.fc 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,3 @@ +/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) +/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.7.13/policy/modules/apps/openoffice.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.7.14/policy/modules/apps/openoffice.if --- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/openoffice.if 2010-03-11 16:39:27.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/openoffice.if 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,129 @@ +## Openoffice + @@ -4434,9 +4402,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi + allow $2 openoffice_exec_t:file entrypoint; + domtrans_pattern($1, openoffice_exec_t, $2) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.7.13/policy/modules/apps/openoffice.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.7.14/policy/modules/apps/openoffice.te --- nsaserefpolicy/policy/modules/apps/openoffice.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/openoffice.te 2010-03-11 16:38:23.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/openoffice.te 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,17 @@ + +policy_module(openoffice, 1.0.0) @@ -4455,9 +4423,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi +# Unconfined java local policy +# + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.7.13/policy/modules/apps/podsleuth.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.7.14/policy/modules/apps/podsleuth.te --- nsaserefpolicy/policy/modules/apps/podsleuth.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/podsleuth.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/podsleuth.te 2010-03-12 09:30:00.000000000 -0500 @@ -50,6 +50,7 @@ fs_tmpfs_filetrans(podsleuth_t, podsleuth_tmpfs_t, { dir file lnk_file }) @@ -4481,9 +4449,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleut optional_policy(` dbus_system_bus_client(podsleuth_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.7.13/policy/modules/apps/ptchown.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.7.14/policy/modules/apps/ptchown.if --- nsaserefpolicy/policy/modules/apps/ptchown.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/apps/ptchown.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/ptchown.if 2010-03-12 09:30:00.000000000 -0500 @@ -18,3 +18,27 @@ domtrans_pattern($1, ptchown_exec_t, ptchown_t) ') @@ -4512,9 +4480,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown. + ptchown_domtrans($1) + role $2 types ptchown_t; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.te serefpolicy-3.7.13/policy/modules/apps/ptchown.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.te serefpolicy-3.7.14/policy/modules/apps/ptchown.te --- nsaserefpolicy/policy/modules/apps/ptchown.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/ptchown.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/ptchown.te 2010-03-12 09:30:00.000000000 -0500 @@ -24,6 +24,7 @@ fs_rw_anon_inodefs_files(ptchown_t) @@ -4523,9 +4491,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown. term_setattr_all_ptys(ptchown_t) term_use_generic_ptys(ptchown_t) term_use_ptmx(ptchown_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.7.13/policy/modules/apps/pulseaudio.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.7.14/policy/modules/apps/pulseaudio.fc --- nsaserefpolicy/policy/modules/apps/pulseaudio.fc 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/apps/pulseaudio.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/pulseaudio.fc 2010-03-12 09:30:00.000000000 -0500 @@ -1 +1,9 @@ +HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) +HOME_DIR/\.pulse-cookie gen_context(system_u:object_r:pulseaudio_home_t,s0) @@ -4536,9 +4504,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud + /usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.13/policy/modules/apps/pulseaudio.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.14/policy/modules/apps/pulseaudio.if --- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/apps/pulseaudio.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/pulseaudio.if 2010-03-12 09:30:00.000000000 -0500 @@ -29,7 +29,7 @@ ps_process_pattern($2, pulseaudio_t) @@ -4642,9 +4610,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud - allow $1 pulseaudio_t:unix_stream_socket connectto; + stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.13/policy/modules/apps/pulseaudio.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.14/policy/modules/apps/pulseaudio.te --- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/pulseaudio.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/pulseaudio.te 2010-03-12 09:30:00.000000000 -0500 @@ -8,24 +8,52 @@ type pulseaudio_t; @@ -4733,9 +4701,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud + xserver_read_xdm_pid(pulseaudio_t) + xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.7.13/policy/modules/apps/qemu.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.7.14/policy/modules/apps/qemu.if --- nsaserefpolicy/policy/modules/apps/qemu.if 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/qemu.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/qemu.if 2010-03-12 09:30:00.000000000 -0500 @@ -127,12 +127,14 @@ template(`qemu_role',` gen_require(` @@ -4824,9 +4792,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) ') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.7.13/policy/modules/apps/qemu.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.7.14/policy/modules/apps/qemu.te --- nsaserefpolicy/policy/modules/apps/qemu.te 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/qemu.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/qemu.te 2010-03-12 09:30:00.000000000 -0500 @@ -50,6 +50,8 @@ # # qemu local policy @@ -4857,20 +4825,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te allow unconfined_qemu_t self:process { execstack execmem }; + allow unconfined_qemu_t qemu_exec_t:file execmod; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.7.13/policy/modules/apps/sambagui.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.7.14/policy/modules/apps/sambagui.fc --- nsaserefpolicy/policy/modules/apps/sambagui.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/sambagui.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/sambagui.fc 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1 @@ +/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.7.13/policy/modules/apps/sambagui.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.7.14/policy/modules/apps/sambagui.if --- nsaserefpolicy/policy/modules/apps/sambagui.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/sambagui.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/sambagui.if 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,2 @@ +## system-config-samba policy + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.7.13/policy/modules/apps/sambagui.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.7.14/policy/modules/apps/sambagui.te --- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/sambagui.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/sambagui.te 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,66 @@ +policy_module(sambagui,1.0.0) + @@ -4938,14 +4906,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui +optional_policy(` + policykit_dbus_chat(sambagui_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.7.13/policy/modules/apps/sandbox.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.7.14/policy/modules/apps/sandbox.fc --- nsaserefpolicy/policy/modules/apps/sandbox.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/sandbox.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/sandbox.fc 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1 @@ +# No types are sandbox_exec_t -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.13/policy/modules/apps/sandbox.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.14/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/sandbox.if 2010-03-11 15:13:16.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/sandbox.if 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,250 @@ + +## policy for sandbox @@ -5197,9 +5165,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + + allow $1 sandbox_file_type:dir list_dir_perms; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.13/policy/modules/apps/sandbox.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.14/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/sandbox.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/sandbox.te 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,365 @@ +policy_module(sandbox,1.0.0) +dbus_stub() @@ -5566,9 +5534,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +optional_policy(` + hal_dbus_chat(sandbox_net_client_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.7.13/policy/modules/apps/screen.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.7.14/policy/modules/apps/screen.if --- nsaserefpolicy/policy/modules/apps/screen.if 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/screen.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/screen.if 2010-03-12 09:30:00.000000000 -0500 @@ -141,6 +141,7 @@ userdom_create_user_pty($1_screen_t) userdom_user_home_domtrans($1_screen_t, $3) @@ -5577,9 +5545,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.i tunable_policy(`use_samba_home_dirs',` fs_cifs_domtrans($1_screen_t, $3) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.13/policy/modules/apps/seunshare.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.14/policy/modules/apps/seunshare.if --- nsaserefpolicy/policy/modules/apps/seunshare.if 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/seunshare.if 2010-03-11 15:15:33.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/seunshare.if 2010-03-12 09:30:00.000000000 -0500 @@ -2,30 +2,12 @@ ######################################## @@ -5683,9 +5651,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar + dontaudit $1_seunshare_t $3:socket_class_set { read write }; + ') ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.13/policy/modules/apps/seunshare.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.14/policy/modules/apps/seunshare.te --- nsaserefpolicy/policy/modules/apps/seunshare.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/seunshare.te 2010-03-11 15:15:02.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/seunshare.te 2010-03-12 09:30:00.000000000 -0500 @@ -6,40 +6,39 @@ # Declarations # @@ -5744,9 +5712,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar + mozilla_dontaudit_manage_user_home_files(seunshare_domain) ') ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.7.13/policy/modules/apps/slocate.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.7.14/policy/modules/apps/slocate.te --- nsaserefpolicy/policy/modules/apps/slocate.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/apps/slocate.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/slocate.te 2010-03-12 09:30:00.000000000 -0500 @@ -30,6 +30,7 @@ manage_files_pattern(locate_t, locate_var_lib_t, locate_var_lib_t) @@ -5763,17 +5731,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate. # getpwnam auth_use_nsswitch(locate_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.fc serefpolicy-3.7.13/policy/modules/apps/userhelper.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.fc serefpolicy-3.7.14/policy/modules/apps/userhelper.fc --- nsaserefpolicy/policy/modules/apps/userhelper.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/apps/userhelper.fc 2010-03-11 13:48:29.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/userhelper.fc 2010-03-12 09:30:00.000000000 -0500 @@ -7,3 +7,4 @@ # /usr # /usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0) +/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.if serefpolicy-3.7.13/policy/modules/apps/userhelper.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.if serefpolicy-3.7.14/policy/modules/apps/userhelper.if --- nsaserefpolicy/policy/modules/apps/userhelper.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/userhelper.if 2010-03-11 14:17:35.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/userhelper.if 2010-03-12 09:30:00.000000000 -0500 @@ -260,3 +260,51 @@ can_exec($1, userhelper_exec_t) @@ -5826,9 +5794,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp + shutdown_send_sigchld($3) + ') +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.te serefpolicy-3.7.13/policy/modules/apps/userhelper.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.te serefpolicy-3.7.14/policy/modules/apps/userhelper.te --- nsaserefpolicy/policy/modules/apps/userhelper.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/apps/userhelper.te 2010-03-11 14:03:58.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/userhelper.te 2010-03-12 09:30:00.000000000 -0500 @@ -7,9 +7,51 @@ # @@ -5881,9 +5849,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp +optional_policy(` + xserver_stream_connect(consolehelper_domain) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.7.13/policy/modules/apps/vmware.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.7.14/policy/modules/apps/vmware.if --- nsaserefpolicy/policy/modules/apps/vmware.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/apps/vmware.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/vmware.if 2010-03-12 09:30:00.000000000 -0500 @@ -84,3 +84,22 @@ logging_search_logs($1) append_files_pattern($1, vmware_log_t, vmware_log_t) @@ -5907,9 +5875,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.i + can_exec($1, vmware_host_exec_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.7.13/policy/modules/apps/vmware.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.7.14/policy/modules/apps/vmware.te --- nsaserefpolicy/policy/modules/apps/vmware.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/vmware.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/vmware.te 2010-03-12 09:30:00.000000000 -0500 @@ -29,6 +29,10 @@ type vmware_host_exec_t; init_daemon_domain(vmware_host_t, vmware_host_exec_t) @@ -5934,9 +5902,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t manage_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t) manage_sock_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.7.13/policy/modules/apps/wine.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.7.14/policy/modules/apps/wine.if --- nsaserefpolicy/policy/modules/apps/wine.if 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/wine.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/wine.if 2010-03-12 09:30:00.000000000 -0500 @@ -35,6 +35,8 @@ role $1 types wine_t; @@ -5962,9 +5930,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if optional_policy(` xserver_role($1_r, $1_wine_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.7.13/policy/modules/apps/wine.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.7.14/policy/modules/apps/wine.te --- nsaserefpolicy/policy/modules/apps/wine.te 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/apps/wine.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/wine.te 2010-03-12 09:30:00.000000000 -0500 @@ -1,6 +1,14 @@ policy_module(wine, 1.6.1) @@ -5995,9 +5963,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te files_execmod_all_files(wine_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.7.13/policy/modules/apps/wm.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.7.14/policy/modules/apps/wm.if --- nsaserefpolicy/policy/modules/apps/wm.if 2009-07-27 18:11:17.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/apps/wm.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/wm.if 2010-03-12 09:30:00.000000000 -0500 @@ -30,6 +30,7 @@ template(`wm_role_template',` gen_require(` @@ -6047,9 +6015,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.13/policy/modules/kernel/corecommands.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.14/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-03-05 17:14:56.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/kernel/corecommands.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/kernel/corecommands.fc 2010-03-12 09:30:00.000000000 -0500 @@ -147,6 +147,9 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -6082,9 +6050,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco +/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0) + +/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.13/policy/modules/kernel/corecommands.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.14/policy/modules/kernel/corecommands.if --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2010-03-05 17:14:56.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/kernel/corecommands.if 2010-03-11 14:15:42.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/kernel/corecommands.if 2010-03-12 09:30:00.000000000 -0500 @@ -931,6 +931,7 @@ read_lnk_files_pattern($1, bin_t, bin_t) @@ -6101,9 +6069,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco manage_files_pattern($1, bin_t, exec_type) manage_lnk_files_pattern($1, bin_t, bin_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.13/policy/modules/kernel/corenetwork.te.in +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.14/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-03-08 14:49:44.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/kernel/corenetwork.te.in 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/kernel/corenetwork.te.in 2010-03-12 09:30:00.000000000 -0500 @@ -65,6 +65,7 @@ type server_packet_t, packet_type, server_packet_type; @@ -6206,9 +6174,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(wccp, udp,2048,s0) network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 ) network_port(xdmcp, udp,177,s0, tcp,177,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.13/policy/modules/kernel/devices.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.14/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-03-05 10:46:32.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/kernel/devices.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/kernel/devices.fc 2010-03-12 09:30:00.000000000 -0500 @@ -108,6 +108,7 @@ /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) /dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0) @@ -6217,9 +6185,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.13/policy/modules/kernel/devices.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.14/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2010-03-05 10:46:32.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/kernel/devices.if 2010-03-11 22:32:20.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/kernel/devices.if 2010-03-12 09:30:00.000000000 -0500 @@ -934,6 +934,42 @@ ######################################## @@ -6288,10 +6256,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Mount a usbfs filesystem. ## ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.13/policy/modules/kernel/devices.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.14/policy/modules/kernel/devices.te --- nsaserefpolicy/policy/modules/kernel/devices.te 2010-03-05 10:46:32.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/kernel/devices.te 2010-03-11 08:56:13.000000000 -0500 -@@ -239,6 +239,12 @@ ++++ serefpolicy-3.7.14/policy/modules/kernel/devices.te 2010-03-12 12:16:46.000000000 -0500 +@@ -210,7 +210,8 @@ + files_mountpoint(sysfs_t) + fs_type(sysfs_t) + genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0) +- ++fs_use_xattr sysfs gen_context(system_u:object_r:sysfs_t,s0); ++ + # + # Type for /dev/tpm + # +@@ -239,6 +240,12 @@ dev_node(usb_device_t) # @@ -6304,16 +6282,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device # userio_device_t is the type for /dev/uio[0-9]+ # type userio_device_t; -@@ -289,5 +295,5 @@ +@@ -289,5 +296,5 @@ # allow devices_unconfined_type self:capability sys_rawio; -allow devices_unconfined_type device_node:{ blk_file chr_file } *; +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *; allow devices_unconfined_type mtrr_device_t:file *; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.13/policy/modules/kernel/domain.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.14/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2010-03-03 23:26:37.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/kernel/domain.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/kernel/domain.if 2010-03-12 09:30:00.000000000 -0500 @@ -611,7 +611,7 @@ ######################################## @@ -6533,9 +6511,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain + + dontaudit $1 domain:socket_class_set { read write }; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.13/policy/modules/kernel/domain.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.14/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/kernel/domain.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/kernel/domain.te 2010-03-12 09:30:00.000000000 -0500 @@ -5,6 +5,21 @@ # # Declarations @@ -6704,9 +6682,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain + userdom_relabelto_user_home_dirs(polydomain) + userdom_relabelto_user_home_files(polydomain) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.7.13/policy/modules/kernel/files.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.7.14/policy/modules/kernel/files.fc --- nsaserefpolicy/policy/modules/kernel/files.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/kernel/files.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/kernel/files.fc 2010-03-12 09:30:00.000000000 -0500 @@ -18,6 +18,7 @@ /fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0) /halt -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -6778,9 +6756,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) /var/lib/nfs/rpc_pipefs(/.*)? <> -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.13/policy/modules/kernel/files.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.14/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2010-03-03 23:26:37.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/kernel/files.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/kernel/files.if 2010-03-12 09:30:00.000000000 -0500 @@ -1053,10 +1053,8 @@ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -7537,9 +7515,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. + dontaudit $1 file_type:file rw_inherited_file_perms; + dontaudit $1 file_type:lnk_file { read }; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.7.13/policy/modules/kernel/files.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.7.14/policy/modules/kernel/files.te --- nsaserefpolicy/policy/modules/kernel/files.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/kernel/files.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/kernel/files.te 2010-03-12 09:30:00.000000000 -0500 @@ -12,6 +12,7 @@ attribute mountpoint; attribute pidfile; @@ -7572,108 +7550,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.13/policy/modules/kernel/filesystem.if ---- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-03-03 23:26:37.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/kernel/filesystem.if 2010-03-11 08:56:13.000000000 -0500 -@@ -929,7 +929,7 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.14/policy/modules/kernel/filesystem.if +--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-03-12 11:48:14.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/kernel/filesystem.if 2010-03-12 11:58:52.000000000 -0500 +@@ -1141,7 +1141,7 @@ type cifs_t; ') -- dontaudit $1 cifs_t:file { read write }; +- dontaudit $1 cifs_t:file rw_file_perms; + dontaudit $1 cifs_t:file rw_inherited_file_perms; ') ######################################## -@@ -1482,6 +1482,25 @@ - - ######################################## - ## -+## Do not audit attempts to list the contents -+## of directories on a FUSEFS filesystem. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`fs_dontaudit_list_fusefs',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ -+ dontaudit $1 fusefs_t:dir list_dir_perms; -+') -+ -+######################################## -+## - ## Create, read, write, and delete directories - ## on a FUSEFS filesystem. - ## -@@ -1636,6 +1655,36 @@ - - ######################################## - ## -+## Create an object in a hugetlbfs filesystem, with a private -+## type using a type transition. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the object to be created. -+## -+## -+## -+## -+## The object class of the object being created. -+## -+## -+# -+interface(`fs_hugetlbfs_filetrans',` -+ gen_require(` -+ type hugetlbfs_t; -+ ') -+ -+ allow $2 hugetlbfs_t:filesystem associate; -+ filetrans_pattern($1, hugetlbfs_t, $2, $3) -+') -+ -+######################################## -+## - ## Search inotifyfs filesystem. - ## - ## -@@ -1668,6 +1717,25 @@ +@@ -1899,6 +1899,7 @@ ') allow $1 inotifyfs_t:dir list_dir_perms; + fs_read_anon_inodefs_files($1) -+') -+ -+######################################## -+## -+## Dontaudit List inotifyfs filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_dontaudit_list_inotifyfs',` -+ gen_require(` -+ type inotifyfs_t; -+ ') -+ -+ dontaudit $1 inotifyfs_t:dir list_dir_perms; ') ######################################## -@@ -2070,7 +2138,7 @@ +@@ -2349,7 +2350,7 @@ type nfs_t; ') @@ -7682,280 +7579,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -2092,6 +2160,25 @@ - read_lnk_files_pattern($1, nfs_t, nfs_t) - ') - -+######################################## -+## -+## Dontaudit read symbolic links on a NFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_dontaudit_read_nfs_symlinks',` -+ gen_require(` -+ type nfs_t; -+ ') -+ -+ allow $1 nfs_t:dir list_dir_perms; -+ read_lnk_files_pattern($1, nfs_t, nfs_t) -+') -+ - ######################################### - ## - ## Read named sockets on a NFS filesystem. -@@ -3481,6 +3568,24 @@ - - ######################################## - ## -+## Read generic tmpfs files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_read_tmpfs_files',` -+ gen_require(` -+ type tmpfs_t; -+ ') -+ -+ read_files_pattern($1, tmpfs_t, tmpfs_t) -+') -+ -+######################################## -+## - ## Read and write generic tmpfs files. - ## - ## -@@ -3707,6 +3812,24 @@ - - ######################################## - ## -+## Search the XENFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_search_xenfs',` -+ gen_require(` -+ type xenfs_t; -+ ') -+ -+ allow $1 xenfs_t:dir search_dir_perms; -+') -+ -+######################################## -+## - ## Mount a XENFS filesystem. - ## - ## -@@ -4216,3 +4339,214 @@ +@@ -4549,3 +4550,24 @@ relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs) relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs) ') + +######################################## +## -+## list dirs on cgroup -+## file systems. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_list_cgroup_dirs', ` -+ gen_require(` -+ type cgroup_t; -+ -+ ') -+ -+ list_dirs_pattern($1, cgroup_t, cgroup_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to read -+## dirs on a CIFS or SMB filesystem. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`fs_dontaudit_list_cifs_dirs',` -+ gen_require(` -+ type cifs_t; -+ ') -+ -+ dontaudit $1 cifs_t:dir list_dir_perms; -+') -+ -+######################################## -+## -+## Manage dirs on cgroup file systems. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_manage_cgroup_dirs',` -+ gen_require(` -+ type cgroup_t; -+ -+ ') -+ manage_dirs_pattern($1, cgroup_t, cgroup_t) -+') -+ -+######################################## -+## -+## Read files on cgroup -+## file systems. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_read_cgroup_files',` -+ gen_require(` -+ type cgroup_t; -+ -+ ') -+ -+ read_files_pattern($1, cgroup_t, cgroup_t) -+') -+ -+######################################## -+## -+## Read and write files on cgroup -+## file systems. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_rw_cgroup_files',` -+ gen_require(` -+ type cgroup_t; -+ -+ ') -+ -+ rw_files_pattern($1, cgroup_t, cgroup_t) -+') -+######################################## -+## -+## Mount a cgroup filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_mount_cgroup_fs', ` -+ gen_require(` -+ type cgroup_t; -+ ') -+ -+ allow $1 cgroup_t:filesystem mount; -+') -+ -+######################################## -+## -+## Remount a cgroup filesystem This allows -+## some mount options to be changed. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_remount_cgroup_fs', ` -+ gen_require(` -+ type cgroup_t; -+ ') -+ -+ allow $1 cgroup_t:filesystem remount; -+') -+ -+######################################## -+## -+## Unmount a cgroup file system. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_unmount_cgroup_fs', ` -+ gen_require(` -+ type cgroup_t; -+ ') -+ -+ allow $1 cgroup_t:filesystem unmount; -+') -+ -+######################################## -+## -+## Set attributes of files on cgroup -+## file systems. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_setattr_cgroup_files',` -+ gen_require(` -+ type cgroup_t; -+ -+ ') -+ -+ setattr_files_pattern($1, cgroup_t, cgroup_t) -+') -+ -+######################################## -+## -+## Write files on cgroup -+## file systems. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_write_cgroup_files', ` -+ gen_require(` -+ type cgroup_t; -+ -+ ') -+ -+ write_files_pattern($1, cgroup_t, cgroup_t) -+') -+ -+######################################## -+## +## Do not audit attempts to read or write +## all leaked filesystems files. +## @@ -7973,18 +7603,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy + dontaudit $1 filesystem_type:file rw_inherited_file_perms; + dontaudit $1 filesystem_type:lnk_file { read }; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.13/policy/modules/kernel/filesystem.te ---- nsaserefpolicy/policy/modules/kernel/filesystem.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/kernel/filesystem.te 2010-03-11 08:56:13.000000000 -0500 -@@ -29,6 +29,7 @@ - fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0); - fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0); - fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0); -+fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0); - fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0); - fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0); - fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0); -@@ -93,6 +94,8 @@ ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.14/policy/modules/kernel/filesystem.te +--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2010-03-12 11:48:14.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/kernel/filesystem.te 2010-03-12 11:59:26.000000000 -0500 +@@ -94,6 +94,8 @@ type hugetlbfs_t; fs_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) @@ -7993,7 +7616,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); type ibmasmfs_t; -@@ -171,6 +174,7 @@ +@@ -172,6 +174,7 @@ fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0); fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0); fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0); @@ -8001,41 +7624,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy allow tmpfs_t noxattrfs:filesystem associate; -@@ -205,6 +209,7 @@ - # - type dosfs_t; - fs_noxattr_type(dosfs_t) -+files_mountpoint(dosfs_t) - allow dosfs_t fs_t:filesystem associate; - genfscon fat / gen_context(system_u:object_r:dosfs_t,s0) - genfscon hfs / gen_context(system_u:object_r:dosfs_t,s0) -@@ -216,6 +221,7 @@ - - type fusefs_t; - fs_noxattr_type(fusefs_t) -+files_mountpoint(fusefs_t) - allow fusefs_t self:filesystem associate; - allow fusefs_t fs_t:filesystem associate; - genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0) -@@ -228,6 +234,7 @@ - # - type iso9660_t; - fs_noxattr_type(iso9660_t) -+files_mountpoint(iso9660_t) - genfscon iso9660 / gen_context(system_u:object_r:iso9660_t,s0) - genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) - -@@ -238,6 +245,7 @@ +@@ -242,6 +245,7 @@ + type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) - files_type(removable_t) -+files_mountpoint(removable_t) ++files_type(removable_t) + files_mountpoint(removable_t) # - # nfs_t is the default type for NFS file systems -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.13/policy/modules/kernel/kernel.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.14/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2010-03-01 15:12:54.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/kernel/kernel.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/kernel/kernel.if 2010-03-12 09:30:00.000000000 -0500 @@ -144,6 +144,24 @@ ######################################## @@ -8169,9 +7768,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel + + allow $1 kernel_t:unix_stream_socket connectto; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.13/policy/modules/kernel/kernel.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.14/policy/modules/kernel/kernel.te --- nsaserefpolicy/policy/modules/kernel/kernel.te 2010-03-04 08:02:45.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/kernel/kernel.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/kernel/kernel.te 2010-03-12 09:30:00.000000000 -0500 @@ -64,6 +64,15 @@ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) @@ -8246,9 +7845,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ######################################## # # Unlabeled process local policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.7.13/policy/modules/kernel/selinux.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.7.14/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/kernel/selinux.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/kernel/selinux.if 2010-03-12 09:30:00.000000000 -0500 @@ -40,7 +40,7 @@ # because of this statement, any module which @@ -8306,9 +7905,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu + fs_type($1) + mls_trusted_object($1) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.13/policy/modules/kernel/terminal.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.14/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/kernel/terminal.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/kernel/terminal.if 2010-03-12 09:30:00.000000000 -0500 @@ -292,9 +292,11 @@ interface(`term_dontaudit_use_console',` gen_require(` @@ -8349,9 +7948,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditadm.te serefpolicy-3.7.13/policy/modules/roles/auditadm.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditadm.te serefpolicy-3.7.14/policy/modules/roles/auditadm.te --- nsaserefpolicy/policy/modules/roles/auditadm.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/roles/auditadm.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/roles/auditadm.te 2010-03-12 09:30:00.000000000 -0500 @@ -33,6 +33,8 @@ seutil_run_runinit(auditadm_t, auditadm_r) seutil_read_bin_policy(auditadm_t) @@ -8361,9 +7960,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditad optional_policy(` consoletype_exec(auditadm_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.7.13/policy/modules/roles/guest.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.7.14/policy/modules/roles/guest.te --- nsaserefpolicy/policy/modules/roles/guest.te 2010-03-05 17:14:56.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/roles/guest.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/roles/guest.te 2010-03-12 09:30:00.000000000 -0500 @@ -16,6 +16,10 @@ # @@ -8381,9 +7980,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.t -#gen_user(guest_u,, guest_r, s0, s0) +gen_user(guest_u, user, guest_r, s0, s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.13/policy/modules/roles/staff.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.14/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2010-03-10 15:27:26.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/roles/staff.te 2010-03-11 14:17:43.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/roles/staff.te 2010-03-12 09:30:00.000000000 -0500 @@ -10,24 +10,50 @@ userdom_unpriv_user_template(staff) @@ -8562,9 +8161,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t +') + +userhelper_console_role_template(staff, staff_t, staff_usertype) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.13/policy/modules/roles/sysadm.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.14/policy/modules/roles/sysadm.te --- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-02-17 10:37:39.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/roles/sysadm.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/roles/sysadm.te 2010-03-12 09:30:00.000000000 -0500 @@ -15,7 +15,7 @@ role sysadm_r; @@ -8919,9 +8518,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. + +init_script_role_transition(sysadm_r) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.7.13/policy/modules/roles/unconfineduser.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.7.14/policy/modules/roles/unconfineduser.fc --- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/roles/unconfineduser.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/roles/unconfineduser.fc 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,10 @@ +# Add programs here which should not be confined by SELinux +# e.g.: @@ -8933,9 +8532,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + +/usr/sbin/xrdp -- gen_context(system_u:object_r:unconfined_exec_t,s0) +/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.7.13/policy/modules/roles/unconfineduser.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.7.14/policy/modules/roles/unconfineduser.if --- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/roles/unconfineduser.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/roles/unconfineduser.if 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,667 @@ +## Unconfiend user role + @@ -9604,9 +9203,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + + allow $1 unconfined_r; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.13/policy/modules/roles/unconfineduser.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.14/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/roles/unconfineduser.te 2010-03-11 16:39:48.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/roles/unconfineduser.te 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,417 @@ +policy_module(unconfineduser, 1.0.0) + @@ -10025,9 +9624,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi +# + +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.7.13/policy/modules/roles/unprivuser.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.7.14/policy/modules/roles/unprivuser.te --- nsaserefpolicy/policy/modules/roles/unprivuser.te 2010-03-10 15:27:39.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/roles/unprivuser.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/roles/unprivuser.te 2010-03-12 09:30:00.000000000 -0500 @@ -17,6 +17,7 @@ apache_role(user_r, user_t) ') @@ -10075,9 +9674,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu optional_policy(` xserver_role(user_r, user_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.13/policy/modules/roles/xguest.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.14/policy/modules/roles/xguest.te --- nsaserefpolicy/policy/modules/roles/xguest.te 2010-03-10 15:28:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/roles/xguest.te 2010-03-11 09:14:55.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/roles/xguest.te 2010-03-12 09:30:00.000000000 -0500 @@ -15,7 +15,7 @@ ## @@ -10200,9 +9799,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. -#gen_user(xguest_u,, xguest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.7.13/policy/modules/services/abrt.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.7.14/policy/modules/services/abrt.fc --- nsaserefpolicy/policy/modules/services/abrt.fc 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/abrt.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/abrt.fc 2010-03-12 09:30:00.000000000 -0500 @@ -1,11 +1,17 @@ /etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) /etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) @@ -10222,9 +9821,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt /var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0) /var/run/abrt\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0) +/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.7.13/policy/modules/services/abrt.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.7.14/policy/modules/services/abrt.if --- nsaserefpolicy/policy/modules/services/abrt.if 2010-03-01 15:12:54.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/abrt.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/abrt.if 2010-03-12 09:30:00.000000000 -0500 @@ -19,6 +19,28 @@ domtrans_pattern($1, abrt_exec_t, abrt_t) ') @@ -10389,9 +9988,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt ##################################### ## ## All of the rules required to administrate -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.13/policy/modules/services/abrt.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.14/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2010-03-01 15:12:54.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/abrt.te 2010-03-11 13:52:28.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/abrt.te 2010-03-12 09:30:00.000000000 -0500 @@ -33,12 +33,24 @@ type abrt_var_run_t; files_pid_file(abrt_var_run_t) @@ -10593,9 +10192,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt + dev_dontaudit_write_all_blk_files(abrt_helper_t) + fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.if serefpolicy-3.7.13/policy/modules/services/afs.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.if serefpolicy-3.7.14/policy/modules/services/afs.if --- nsaserefpolicy/policy/modules/services/afs.if 2010-03-01 15:12:54.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/afs.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/afs.if 2010-03-12 09:30:00.000000000 -0500 @@ -94,7 +94,7 @@ # interface(`afs_admin',` @@ -10605,9 +10204,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs. ') allow $1 afs_t:process { ptrace signal_perms getattr }; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.7.13/policy/modules/services/afs.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.7.14/policy/modules/services/afs.te --- nsaserefpolicy/policy/modules/services/afs.te 2010-03-01 15:12:54.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/afs.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/afs.te 2010-03-12 09:30:00.000000000 -0500 @@ -71,8 +71,8 @@ # afs client local policy # @@ -10628,18 +10227,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs. ######################################## # # AFS bossserver local policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.fc serefpolicy-3.7.13/policy/modules/services/aiccu.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.fc serefpolicy-3.7.14/policy/modules/services/aiccu.fc --- nsaserefpolicy/policy/modules/services/aiccu.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/aiccu.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/aiccu.fc 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,5 @@ + +/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0) + +/etc/rc\.d/init\.d/aiccu -- gen_context(system_u:object_r:aiccu_initrc_exec_t,s0) +/var/run/aiccu.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.if serefpolicy-3.7.13/policy/modules/services/aiccu.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.if serefpolicy-3.7.14/policy/modules/services/aiccu.if --- nsaserefpolicy/policy/modules/services/aiccu.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/aiccu.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/aiccu.if 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,119 @@ + +## policy for aiccu @@ -10760,9 +10359,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc + aiccu_manage_var_run($1) + +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.te serefpolicy-3.7.13/policy/modules/services/aiccu.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.te serefpolicy-3.7.14/policy/modules/services/aiccu.te --- nsaserefpolicy/policy/modules/services/aiccu.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/aiccu.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/aiccu.te 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,41 @@ +policy_module(aiccu,1.0.0) + @@ -10805,9 +10404,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc +manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t) +manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t) +files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir }) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.fc serefpolicy-3.7.13/policy/modules/services/aisexec.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.fc serefpolicy-3.7.14/policy/modules/services/aisexec.fc --- nsaserefpolicy/policy/modules/services/aisexec.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/aisexec.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/aisexec.fc 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,10 @@ + +/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:aisexec_initrc_exec_t,s0) @@ -10819,9 +10418,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise +/var/log/cluster/aisexec\.log -- gen_context(system_u:object_r:aisexec_var_log_t,s0) + +/var/run/aisexec\.pid -- gen_context(system_u:object_r:aisexec_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.if serefpolicy-3.7.13/policy/modules/services/aisexec.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.if serefpolicy-3.7.14/policy/modules/services/aisexec.if --- nsaserefpolicy/policy/modules/services/aisexec.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/aisexec.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/aisexec.if 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,106 @@ +## SELinux policy for Aisexec Cluster Engine + @@ -10929,9 +10528,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise + + admin_pattern($1, aisexec_tmpfs_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.7.13/policy/modules/services/aisexec.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.7.14/policy/modules/services/aisexec.te --- nsaserefpolicy/policy/modules/services/aisexec.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/aisexec.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/aisexec.te 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,115 @@ + +policy_module(aisexec,1.0.0) @@ -11048,9 +10647,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise + groupd_rw_semaphores(aisexec_t) + groupd_rw_shm(aisexec_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.if serefpolicy-3.7.13/policy/modules/services/amavis.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.if serefpolicy-3.7.14/policy/modules/services/amavis.if --- nsaserefpolicy/policy/modules/services/amavis.if 2010-03-04 11:17:25.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/amavis.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/amavis.if 2010-03-12 09:30:00.000000000 -0500 @@ -18,30 +18,11 @@ type amavis_t, amavis_exec_t; ') @@ -11098,9 +10697,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav domain_system_change_exemption($1) role_transition $2 amavis_initrc_exec_t system_r; allow $2 system_r; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.7.13/policy/modules/services/amavis.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.7.14/policy/modules/services/amavis.te --- nsaserefpolicy/policy/modules/services/amavis.te 2010-03-04 11:17:25.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/amavis.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/amavis.te 2010-03-12 09:30:00.000000000 -0500 @@ -1,5 +1,5 @@ -policy_module(amavis, 1.10.2) @@ -11122,9 +10721,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav sysnet_dns_name_resolve(amavis_t) sysnet_use_ldap(amavis_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.13/policy/modules/services/apache.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.14/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/apache.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/apache.fc 2010-03-12 09:30:00.000000000 -0500 @@ -2,12 +2,19 @@ /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) @@ -11252,9 +10851,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.13/policy/modules/services/apache.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.14/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/apache.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/apache.if 2010-03-12 09:30:00.000000000 -0500 @@ -13,21 +13,17 @@ # template(`apache_content_template',` @@ -11963,9 +11562,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + dontaudit $1 httpd_t:unix_dgram_socket { read write }; + dontaudit $1 httpd_t:unix_stream_socket { read write }; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.13/policy/modules/services/apache.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.14/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2010-03-09 19:04:58.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/apache.te 2010-03-12 08:45:37.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/apache.te 2010-03-12 09:30:00.000000000 -0500 @@ -19,6 +19,8 @@ # Declarations # @@ -12852,9 +12451,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +typealias httpd_sys_script_t alias httpd_fastcgi_script_t; +typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.7.13/policy/modules/services/apcupsd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.7.14/policy/modules/services/apcupsd.te --- nsaserefpolicy/policy/modules/services/apcupsd.te 2010-03-04 11:17:25.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/apcupsd.te 2010-03-11 09:06:40.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/apcupsd.te 2010-03-12 09:30:00.000000000 -0500 @@ -95,6 +95,10 @@ ') @@ -12866,9 +12465,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu mta_send_mail(apcupsd_t) mta_system_content(apcupsd_tmp_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.7.13/policy/modules/services/arpwatch.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.7.14/policy/modules/services/arpwatch.te --- nsaserefpolicy/policy/modules/services/arpwatch.te 2010-03-04 11:17:25.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/arpwatch.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/arpwatch.te 2010-03-12 09:30:00.000000000 -0500 @@ -34,6 +34,7 @@ allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms }; allow arpwatch_t self:udp_socket create_socket_perms; @@ -12894,9 +12493,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpw fs_getattr_all_fs(arpwatch_t) fs_search_auto_mountpoints(arpwatch_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.7.13/policy/modules/services/asterisk.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.7.14/policy/modules/services/asterisk.if --- nsaserefpolicy/policy/modules/services/asterisk.if 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/asterisk.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/asterisk.if 2010-03-12 09:30:00.000000000 -0500 @@ -1,5 +1,24 @@ ## Asterisk IP telephony server @@ -12922,9 +12521,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste ##################################### ## ## Connect to asterisk over a unix domain -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.7.13/policy/modules/services/asterisk.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.7.14/policy/modules/services/asterisk.te --- nsaserefpolicy/policy/modules/services/asterisk.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/asterisk.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/asterisk.te 2010-03-12 09:30:00.000000000 -0500 @@ -40,12 +40,13 @@ # @@ -13025,18 +12624,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste + udev_read_db(asterisk_t) ') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.7.13/policy/modules/services/avahi.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.7.14/policy/modules/services/avahi.fc --- nsaserefpolicy/policy/modules/services/avahi.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/avahi.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/avahi.fc 2010-03-12 09:30:00.000000000 -0500 @@ -6,4 +6,4 @@ /var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0) -/usr/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0) +/var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.7.13/policy/modules/services/avahi.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.7.14/policy/modules/services/avahi.te --- nsaserefpolicy/policy/modules/services/avahi.te 2010-01-11 09:40:36.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/avahi.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/avahi.te 2010-03-12 09:30:00.000000000 -0500 @@ -24,7 +24,7 @@ # Local policy # @@ -13081,9 +12680,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah userdom_dontaudit_use_unpriv_user_fds(avahi_t) userdom_dontaudit_search_user_home_dirs(avahi_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.7.13/policy/modules/services/bind.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.7.14/policy/modules/services/bind.if --- nsaserefpolicy/policy/modules/services/bind.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/bind.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/bind.if 2010-03-12 09:30:00.000000000 -0500 @@ -253,7 +253,7 @@ ######################################## @@ -13128,9 +12727,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind domain_system_change_exemption($1) role_transition $2 named_initrc_exec_t system_r; allow $2 system_r; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.7.13/policy/modules/services/bind.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.7.14/policy/modules/services/bind.te --- nsaserefpolicy/policy/modules/services/bind.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/bind.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/bind.te 2010-03-12 09:30:00.000000000 -0500 @@ -142,11 +142,11 @@ logging_send_syslog_msg(named_t) @@ -13145,9 +12744,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind userdom_dontaudit_use_unpriv_user_fds(named_t) userdom_dontaudit_search_user_home_dirs(named_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.7.13/policy/modules/services/bluetooth.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.7.14/policy/modules/services/bluetooth.te --- nsaserefpolicy/policy/modules/services/bluetooth.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/bluetooth.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/bluetooth.te 2010-03-12 12:36:31.000000000 -0500 +@@ -54,7 +54,7 @@ + # Bluetooth services local policy + # + +-allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_tty_config ipc_lock }; ++allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock }; + dontaudit bluetooth_t self:capability sys_tty_config; + allow bluetooth_t self:process { getcap setcap getsched signal_perms }; + allow bluetooth_t self:fifo_file rw_fifo_file_perms; @@ -96,6 +96,7 @@ kernel_read_system_state(bluetooth_t) kernel_read_network_state(bluetooth_t) @@ -13156,9 +12764,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue corenet_all_recvfrom_unlabeled(bluetooth_t) corenet_all_recvfrom_netlabel(bluetooth_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.fc serefpolicy-3.7.13/policy/modules/services/boinc.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.fc serefpolicy-3.7.14/policy/modules/services/boinc.fc --- nsaserefpolicy/policy/modules/services/boinc.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/boinc.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/boinc.fc 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,6 @@ + +/etc/rc\.d/init\.d/boinc_client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0) @@ -13166,9 +12774,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0) + +/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.if serefpolicy-3.7.13/policy/modules/services/boinc.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.if serefpolicy-3.7.14/policy/modules/services/boinc.if --- nsaserefpolicy/policy/modules/services/boinc.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/boinc.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/boinc.if 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,151 @@ + +## policy for boinc @@ -13321,9 +12929,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin + files_list_var_lib($1) + admin_pattern($1, boinc_var_lib_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.7.13/policy/modules/services/boinc.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.7.14/policy/modules/services/boinc.te --- nsaserefpolicy/policy/modules/services/boinc.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/boinc.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/boinc.te 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,73 @@ + +policy_module(boinc,1.0.0) @@ -13398,9 +13006,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +logging_send_syslog_msg(boinc_t) + +sysnet_dns_name_resolve(boinc_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.fc serefpolicy-3.7.13/policy/modules/services/cachefilesd.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.fc serefpolicy-3.7.14/policy/modules/services/cachefilesd.fc --- nsaserefpolicy/policy/modules/services/cachefilesd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/cachefilesd.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/cachefilesd.fc 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,28 @@ +############################################################################### +# @@ -13430,9 +13038,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach +/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0) + +/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefiles_var_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.if serefpolicy-3.7.13/policy/modules/services/cachefilesd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.if serefpolicy-3.7.14/policy/modules/services/cachefilesd.if --- nsaserefpolicy/policy/modules/services/cachefilesd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/cachefilesd.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/cachefilesd.if 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,41 @@ +############################################################################### +# @@ -13475,9 +13083,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach + allow cachefilesd_t $1:fifo_file rw_file_perms; + allow cachefilesd_t $1:process sigchld; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.te serefpolicy-3.7.13/policy/modules/services/cachefilesd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.te serefpolicy-3.7.14/policy/modules/services/cachefilesd.te --- nsaserefpolicy/policy/modules/services/cachefilesd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/cachefilesd.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/cachefilesd.te 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,146 @@ +############################################################################### +# @@ -13625,9 +13233,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach +fs_getattr_xattr_fs(cachefiles_kernel_t) + +dev_search_sysfs(cachefiles_kernel_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.7.13/policy/modules/services/ccs.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.7.14/policy/modules/services/ccs.te --- nsaserefpolicy/policy/modules/services/ccs.te 2010-02-16 14:58:22.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/ccs.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/ccs.te 2010-03-12 09:30:00.000000000 -0500 @@ -114,5 +114,10 @@ ') @@ -13639,9 +13247,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs. +optional_policy(` unconfined_use_fds(ccs_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.7.13/policy/modules/services/certmaster.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.7.14/policy/modules/services/certmaster.fc --- nsaserefpolicy/policy/modules/services/certmaster.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/certmaster.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/certmaster.fc 2010-03-12 09:30:00.000000000 -0500 @@ -3,5 +3,6 @@ /usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0) @@ -13649,9 +13257,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert +/var/lib/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_lib_t,s0) /var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0) /var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.fc serefpolicy-3.7.13/policy/modules/services/certmonger.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.fc serefpolicy-3.7.14/policy/modules/services/certmonger.fc --- nsaserefpolicy/policy/modules/services/certmonger.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/certmonger.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/certmonger.fc 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,6 @@ +/etc/rc\.d/init\.d/certmonger -- gen_context(system_u:object_r:certmonger_initrc_exec_t,s0) + @@ -13659,9 +13267,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert + +/var/run/certmonger.pid -- gen_context(system_u:object_r:certmonger_var_run_t,s0) +/var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.if serefpolicy-3.7.13/policy/modules/services/certmonger.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.if serefpolicy-3.7.14/policy/modules/services/certmonger.if --- nsaserefpolicy/policy/modules/services/certmonger.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/certmonger.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/certmonger.if 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,217 @@ + +## Certificate status monitor and PKI enrollment client @@ -13880,9 +13488,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert + files_search_pids($1) + admin_pattern($1, cermonger_var_run_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.13/policy/modules/services/certmonger.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.14/policy/modules/services/certmonger.te --- nsaserefpolicy/policy/modules/services/certmonger.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/certmonger.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/certmonger.te 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,74 @@ +policy_module(certmonger,1.0.0) + @@ -13958,9 +13566,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert +optional_policy(` + unconfined_dbus_send(certmonger_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.fc serefpolicy-3.7.13/policy/modules/services/cgroup.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.fc serefpolicy-3.7.14/policy/modules/services/cgroup.fc --- nsaserefpolicy/policy/modules/services/cgroup.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/cgroup.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/cgroup.fc 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,7 @@ +/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t, s0) +/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t, s0) @@ -13969,9 +13577,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro +/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfigparser_exec_t, s0) + +/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t, s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.if serefpolicy-3.7.13/policy/modules/services/cgroup.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.if serefpolicy-3.7.14/policy/modules/services/cgroup.if --- nsaserefpolicy/policy/modules/services/cgroup.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/cgroup.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/cgroup.if 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,35 @@ +## Control group rules engine daemon. +## @@ -14008,9 +13616,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro + stream_connect_pattern($1, cgred_var_run_t, cgred_var_run_t, cgred_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.7.13/policy/modules/services/cgroup.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.7.14/policy/modules/services/cgroup.te --- nsaserefpolicy/policy/modules/services/cgroup.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/cgroup.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/cgroup.te 2010-03-12 12:05:49.000000000 -0500 @@ -0,0 +1,87 @@ +policy_module(cgroup, 1.0.0) + @@ -14088,7 +13696,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro + fs_manage_cgroup_dirs(cgconfigparser_t) + fs_rw_cgroup_files(cgconfigparser_t) + fs_setattr_cgroup_files(cgconfigparser_t) -+ fs_mount_cgroup_fs(cgconfigparser_t) ++ fs_mount_cgroup(cgconfigparser_t) +') + +files_mounton_mnt(cgconfigparser_t) @@ -14099,18 +13707,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro +# /mnt/cgroups/cpu +kernel_list_unlabeled(cgconfigparser_t) +kernel_read_system_state(cgconfigparser_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.7.13/policy/modules/services/chronyd.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.7.14/policy/modules/services/chronyd.fc --- nsaserefpolicy/policy/modules/services/chronyd.fc 2010-02-16 14:58:22.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/chronyd.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/chronyd.fc 2010-03-12 09:30:00.000000000 -0500 @@ -1,3 +1,5 @@ +/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0) + /etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0) /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.7.13/policy/modules/services/chronyd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.7.14/policy/modules/services/chronyd.if --- nsaserefpolicy/policy/modules/services/chronyd.if 2010-02-16 14:58:22.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/chronyd.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/chronyd.if 2010-03-12 09:30:00.000000000 -0500 @@ -77,7 +77,7 @@ gen_require(` type chronyd_t, chronyd_var_log_t; @@ -14129,9 +13737,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro logging_search_logs($1) admin_pattern($1, chronyd_var_log_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.7.13/policy/modules/services/chronyd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.7.14/policy/modules/services/chronyd.te --- nsaserefpolicy/policy/modules/services/chronyd.te 2010-02-16 14:58:22.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/chronyd.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/chronyd.te 2010-03-12 09:30:00.000000000 -0500 @@ -13,6 +13,9 @@ type chronyd_initrc_exec_t; init_script_file(chronyd_initrc_exec_t) @@ -14180,9 +13788,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro +optional_policy(` + gpsd_rw_shm(chronyd_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.13/policy/modules/services/clamav.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.14/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/clamav.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/clamav.te 2010-03-12 09:30:00.000000000 -0500 @@ -57,6 +57,7 @@ # @@ -14206,17 +13814,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam optional_policy(` cron_system_entry(freshclam_t, freshclam_exec_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.fc serefpolicy-3.7.13/policy/modules/services/clogd.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.fc serefpolicy-3.7.14/policy/modules/services/clogd.fc --- nsaserefpolicy/policy/modules/services/clogd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/clogd.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/clogd.fc 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,4 @@ + +/usr/sbin/clogd -- gen_context(system_u:object_r:clogd_exec_t,s0) + +/var/run/clogd\.pid -- gen_context(system_u:object_r:clogd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.7.13/policy/modules/services/clogd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.7.14/policy/modules/services/clogd.if --- nsaserefpolicy/policy/modules/services/clogd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/clogd.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/clogd.if 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,82 @@ +## clogd - clustered mirror log server + @@ -14300,9 +13908,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clog + fs_search_tmpfs($1) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.te serefpolicy-3.7.13/policy/modules/services/clogd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.te serefpolicy-3.7.14/policy/modules/services/clogd.te --- nsaserefpolicy/policy/modules/services/clogd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/clogd.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/clogd.te 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,65 @@ + +policy_module(clogd,1.0.0) @@ -14369,9 +13977,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clog +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.7.13/policy/modules/services/cobbler.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.7.14/policy/modules/services/cobbler.if --- nsaserefpolicy/policy/modules/services/cobbler.if 2010-03-05 10:46:32.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/cobbler.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/cobbler.if 2010-03-12 09:30:00.000000000 -0500 @@ -173,9 +173,11 @@ files_list_var_lib($1) admin_pattern($1, cobbler_var_lib_t) @@ -14385,9 +13993,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb cobblerd_initrc_domtrans($1) domain_system_change_exemption($1) role_transition $2 cobblerd_initrc_exec_t system_r; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.7.13/policy/modules/services/cobbler.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.7.14/policy/modules/services/cobbler.te --- nsaserefpolicy/policy/modules/services/cobbler.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/cobbler.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/cobbler.te 2010-03-12 09:30:00.000000000 -0500 @@ -40,6 +40,7 @@ allow cobblerd_t self:fifo_file rw_fifo_file_perms; allow cobblerd_t self:tcp_socket create_stream_socket_perms; @@ -14418,9 +14026,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb +apache_content_template(cobbler) +manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) +manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.7.13/policy/modules/services/consolekit.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.7.14/policy/modules/services/consolekit.fc --- nsaserefpolicy/policy/modules/services/consolekit.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/consolekit.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/consolekit.fc 2010-03-12 09:30:00.000000000 -0500 @@ -2,4 +2,5 @@ /var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) @@ -14428,9 +14036,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons -/var/run/ConsoleKit(/.*)? -- gen_context(system_u:object_r:consolekit_var_run_t,s0) + +/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.7.13/policy/modules/services/consolekit.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.7.14/policy/modules/services/consolekit.if --- nsaserefpolicy/policy/modules/services/consolekit.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/consolekit.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/consolekit.if 2010-03-12 09:30:00.000000000 -0500 @@ -57,3 +57,42 @@ read_files_pattern($1, consolekit_log_t, consolekit_log_t) files_search_pids($1) @@ -14474,9 +14082,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons + read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.7.13/policy/modules/services/consolekit.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.7.14/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/consolekit.te 2010-03-11 09:06:25.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/consolekit.te 2010-03-12 09:30:00.000000000 -0500 @@ -16,12 +16,15 @@ type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) @@ -14569,9 +14177,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons + unconfined_ptrace(consolekit_t) unconfined_stream_connect(consolekit_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.7.13/policy/modules/services/corosync.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.7.14/policy/modules/services/corosync.fc --- nsaserefpolicy/policy/modules/services/corosync.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/corosync.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/corosync.fc 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,14 @@ + +/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0) @@ -14587,9 +14195,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro +/var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0) +/var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.if serefpolicy-3.7.13/policy/modules/services/corosync.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.if serefpolicy-3.7.14/policy/modules/services/corosync.if --- nsaserefpolicy/policy/modules/services/corosync.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/corosync.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/corosync.if 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,108 @@ +## SELinux policy for Corosync Cluster Engine + @@ -14699,9 +14307,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.13/policy/modules/services/corosync.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.14/policy/modules/services/corosync.te --- nsaserefpolicy/policy/modules/services/corosync.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/corosync.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/corosync.te 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,115 @@ + +policy_module(corosync,1.0.0) @@ -14818,9 +14426,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro +optional_policy(` + rgmanager_manage_tmpfs_files(corosync_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.7.13/policy/modules/services/cron.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.7.14/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/cron.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/cron.fc 2010-03-12 09:30:00.000000000 -0500 @@ -14,7 +14,7 @@ /var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) @@ -14838,9 +14446,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron +/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) + +/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.7.13/policy/modules/services/cron.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.7.14/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/cron.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/cron.if 2010-03-12 09:30:00.000000000 -0500 @@ -12,6 +12,10 @@ ## # @@ -14991,9 +14599,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron + + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.13/policy/modules/services/cron.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.14/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/cron.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/cron.te 2010-03-12 09:30:00.000000000 -0500 @@ -38,8 +38,10 @@ type cron_var_lib_t; files_type(cron_var_lib_t) @@ -15271,9 +14879,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron unconfined_domain(system_cronjob_t) userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.13/policy/modules/services/cups.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.14/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2009-07-28 15:51:13.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/cups.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/cups.fc 2010-03-12 09:30:00.000000000 -0500 @@ -13,10 +13,14 @@ /etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0) @@ -15320,9 +14928,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.13/policy/modules/services/cups.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.14/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/cups.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/cups.te 2010-03-12 09:30:00.000000000 -0500 @@ -23,6 +23,9 @@ type cupsd_initrc_exec_t; init_script_file(cupsd_initrc_exec_t) @@ -15572,9 +15180,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups dev_read_sysfs(hplip_t) dev_rw_printer(hplip_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.7.13/policy/modules/services/cvs.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.7.14/policy/modules/services/cvs.te --- nsaserefpolicy/policy/modules/services/cvs.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/cvs.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/cvs.te 2010-03-12 09:30:00.000000000 -0500 @@ -93,6 +93,7 @@ auth_can_read_shadow_passwords(cvs_t) tunable_policy(`allow_cvs_read_shadow',` @@ -15589,9 +15197,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs. manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) + files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.7.13/policy/modules/services/cyrus.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.7.14/policy/modules/services/cyrus.te --- nsaserefpolicy/policy/modules/services/cyrus.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/cyrus.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/cyrus.te 2010-03-12 09:30:00.000000000 -0500 @@ -75,6 +75,7 @@ corenet_tcp_bind_mail_port(cyrus_t) corenet_tcp_bind_lmtp_port(cyrus_t) @@ -15608,9 +15216,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru snmp_read_snmp_var_lib_files(cyrus_t) snmp_dontaudit_write_snmp_var_lib_files(cyrus_t) snmp_stream_connect(cyrus_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.7.13/policy/modules/services/dbus.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.7.14/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/dbus.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/dbus.if 2010-03-12 09:30:00.000000000 -0500 @@ -42,8 +42,10 @@ gen_require(` class dbus { send_msg acquire_svc }; @@ -15746,9 +15354,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus + manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.7.13/policy/modules/services/dbus.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.7.14/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/dbus.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/dbus.te 2010-03-12 09:30:00.000000000 -0500 @@ -86,6 +86,7 @@ dev_read_sysfs(system_dbusd_t) @@ -15807,9 +15415,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus + xserver_rw_xdm_pipes(session_bus_type) + xserver_append_xdm_home_files(session_bus_type) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.7.13/policy/modules/services/dcc.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.7.14/policy/modules/services/dcc.te --- nsaserefpolicy/policy/modules/services/dcc.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/dcc.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/dcc.te 2010-03-12 09:30:00.000000000 -0500 @@ -81,7 +81,7 @@ # dcc daemon controller local policy # @@ -15819,9 +15427,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc. allow cdcc_t self:unix_dgram_socket create_socket_perms; allow cdcc_t self:udp_socket create_socket_perms; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.fc serefpolicy-3.7.13/policy/modules/services/denyhosts.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.fc serefpolicy-3.7.14/policy/modules/services/denyhosts.fc --- nsaserefpolicy/policy/modules/services/denyhosts.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/denyhosts.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/denyhosts.fc 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,7 @@ +/etc/rc\.d/init\.d/denyhosts -- gen_context(system_u:object_r:denyhosts_initrc_exec_t, s0) + @@ -15830,9 +15438,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny +/var/lib/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_lib_t, s0) +/var/lock/subsys/denyhosts -- gen_context(system_u:object_r:denyhosts_var_lock_t, s0) +/var/log/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_log_t, s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.7.13/policy/modules/services/denyhosts.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.7.14/policy/modules/services/denyhosts.if --- nsaserefpolicy/policy/modules/services/denyhosts.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/denyhosts.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/denyhosts.if 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,90 @@ +## Deny Hosts. +## @@ -15924,9 +15532,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny + ps_process_pattern($1, denyhosts_t) + read_lnk_files_pattern($1, denyhosts_t, denyhosts_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.7.13/policy/modules/services/denyhosts.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.7.14/policy/modules/services/denyhosts.te --- nsaserefpolicy/policy/modules/services/denyhosts.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/denyhosts.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/denyhosts.te 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,72 @@ + +policy_module(denyhosts, 1.0.0) @@ -16000,9 +15608,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny +optional_policy(` + cron_system_entry(denyhosts_t, denyhosts_exec_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.7.13/policy/modules/services/devicekit.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.7.14/policy/modules/services/devicekit.fc --- nsaserefpolicy/policy/modules/services/devicekit.fc 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/devicekit.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/devicekit.fc 2010-03-12 09:30:00.000000000 -0500 @@ -1,8 +1,12 @@ /usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0) /usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) @@ -16017,9 +15625,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi -/var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.7.13/policy/modules/services/devicekit.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.7.14/policy/modules/services/devicekit.if --- nsaserefpolicy/policy/modules/services/devicekit.if 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/devicekit.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/devicekit.if 2010-03-12 09:30:00.000000000 -0500 @@ -139,6 +139,26 @@ ######################################## @@ -16056,9 +15664,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi ') allow $1 devicekit_t:process { ptrace signal_perms getattr }; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.13/policy/modules/services/devicekit.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.14/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/devicekit.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/devicekit.te 2010-03-12 09:30:00.000000000 -0500 @@ -42,6 +42,8 @@ files_read_etc_files(devicekit_t) @@ -16276,9 +15884,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi +optional_policy(` vbetool_domtrans(devicekit_power_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.7.13/policy/modules/services/dhcp.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.7.14/policy/modules/services/dhcp.te --- nsaserefpolicy/policy/modules/services/dhcp.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/dhcp.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/dhcp.te 2010-03-12 09:30:00.000000000 -0500 @@ -112,6 +112,10 @@ ') @@ -16290,9 +15898,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp dbus_system_bus_client(dhcpd_t) dbus_connect_system_bus(dhcpd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.7.13/policy/modules/services/djbdns.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.7.14/policy/modules/services/djbdns.if --- nsaserefpolicy/policy/modules/services/djbdns.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/djbdns.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/djbdns.if 2010-03-12 09:30:00.000000000 -0500 @@ -26,6 +26,8 @@ daemontools_read_svc(djbdns_$1_t) @@ -16342,9 +15950,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbd + + allow $1 djbdns_tinydn_t:key link; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.te serefpolicy-3.7.13/policy/modules/services/djbdns.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.te serefpolicy-3.7.14/policy/modules/services/djbdns.te --- nsaserefpolicy/policy/modules/services/djbdns.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/djbdns.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/djbdns.te 2010-03-12 09:30:00.000000000 -0500 @@ -42,3 +42,11 @@ files_search_var(djbdns_axfrdns_t) @@ -16357,9 +15965,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbd + +init_dontaudit_use_script_fds(djbdns_tinydns_t) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.7.13/policy/modules/services/dnsmasq.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.7.14/policy/modules/services/dnsmasq.fc --- nsaserefpolicy/policy/modules/services/dnsmasq.fc 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/dnsmasq.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/dnsmasq.fc 2010-03-12 09:30:00.000000000 -0500 @@ -6,5 +6,7 @@ /var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0) /var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0) @@ -16368,9 +15976,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm + /var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) /var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.7.13/policy/modules/services/dnsmasq.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.7.14/policy/modules/services/dnsmasq.if --- nsaserefpolicy/policy/modules/services/dnsmasq.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/dnsmasq.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/dnsmasq.if 2010-03-12 09:30:00.000000000 -0500 @@ -111,7 +111,7 @@ type dnsmasq_etc_t; ') @@ -16389,9 +15997,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm files_search_etc($1) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.7.13/policy/modules/services/dnsmasq.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.7.14/policy/modules/services/dnsmasq.te --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/dnsmasq.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/dnsmasq.te 2010-03-12 09:30:00.000000000 -0500 @@ -19,6 +19,9 @@ type dnsmasq_lease_t; files_type(dnsmasq_lease_t) @@ -16447,9 +16055,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm seutil_sigchld_newrole(dnsmasq_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.7.13/policy/modules/services/dovecot.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.7.14/policy/modules/services/dovecot.fc --- nsaserefpolicy/policy/modules/services/dovecot.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/dovecot.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/dovecot.fc 2010-03-12 09:30:00.000000000 -0500 @@ -34,6 +34,7 @@ /var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0) @@ -16458,9 +16066,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove /var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0) /var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.13/policy/modules/services/dovecot.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.14/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/dovecot.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/dovecot.te 2010-03-12 09:30:00.000000000 -0500 @@ -73,14 +73,21 @@ can_exec(dovecot_t, dovecot_exec_t) @@ -16578,9 +16186,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove fs_manage_cifs_files(dovecot_t) fs_manage_cifs_symlinks(dovecot_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.7.13/policy/modules/services/fail2ban.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.7.14/policy/modules/services/fail2ban.if --- nsaserefpolicy/policy/modules/services/fail2ban.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/fail2ban.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/fail2ban.if 2010-03-12 09:30:00.000000000 -0500 @@ -98,6 +98,46 @@ allow $1 fail2ban_var_run_t:file read_file_perms; ') @@ -16650,9 +16258,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail + + allow $1 fail2ban_t:unix_stream_socket { getattr read write ioctl }; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.7.13/policy/modules/services/fetchmail.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.7.14/policy/modules/services/fetchmail.te --- nsaserefpolicy/policy/modules/services/fetchmail.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/fetchmail.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/fetchmail.te 2010-03-12 09:30:00.000000000 -0500 @@ -48,6 +48,7 @@ kernel_dontaudit_read_system_state(fetchmail_t) @@ -16661,9 +16269,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetc corenet_all_recvfrom_unlabeled(fetchmail_t) corenet_all_recvfrom_netlabel(fetchmail_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.7.13/policy/modules/services/fprintd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.7.14/policy/modules/services/fprintd.te --- nsaserefpolicy/policy/modules/services/fprintd.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/fprintd.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/fprintd.te 2010-03-12 09:30:00.000000000 -0500 @@ -55,4 +55,6 @@ policykit_read_lib(fprintd_t) policykit_dbus_chat(fprintd_t) @@ -16671,9 +16279,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fpri + policykit_dbus_chat_auth(fprintd_t) ') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-3.7.13/policy/modules/services/ftp.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-3.7.14/policy/modules/services/ftp.fc --- nsaserefpolicy/policy/modules/services/ftp.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/ftp.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/ftp.fc 2010-03-12 09:30:00.000000000 -0500 @@ -22,7 +22,7 @@ # # /var @@ -16683,9 +16291,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. /var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.7.13/policy/modules/services/ftp.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.7.14/policy/modules/services/ftp.if --- nsaserefpolicy/policy/modules/services/ftp.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/ftp.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/ftp.if 2010-03-12 09:30:00.000000000 -0500 @@ -115,6 +115,44 @@ role $2 types ftpdctl_t; ') @@ -16731,9 +16339,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. ######################################## ## ## All of the rules required to administrate -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.7.13/policy/modules/services/ftp.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.7.14/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/ftp.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/ftp.te 2010-03-12 09:30:00.000000000 -0500 @@ -41,11 +41,51 @@ ## @@ -16982,9 +16590,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. + fs_read_nfs_files(sftpd_t) + fs_read_nfs_symlinks(ftpd_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.7.13/policy/modules/services/git.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.7.14/policy/modules/services/git.fc --- nsaserefpolicy/policy/modules/services/git.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/git.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/git.fc 2010-03-12 09:30:00.000000000 -0500 @@ -1,3 +1,16 @@ -/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0) -/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) @@ -17005,9 +16613,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. + +/var/lib/git(/.*)? gen_context(system_u:object_r:git_system_content_t, s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.7.13/policy/modules/services/git.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.7.14/policy/modules/services/git.if --- nsaserefpolicy/policy/modules/services/git.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/git.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/git.if 2010-03-12 09:30:00.000000000 -0500 @@ -1 +1,535 @@ -## GIT revision control system +## Git - Fast Version Control System. @@ -17545,9 +17153,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. + userdom_search_user_home_dirs($1) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.7.13/policy/modules/services/git.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.7.14/policy/modules/services/git.te --- nsaserefpolicy/policy/modules/services/git.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/git.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/git.te 2010-03-12 09:30:00.000000000 -0500 @@ -1,9 +1,182 @@ -policy_module(git, 1.0) @@ -17734,9 +17342,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. -apache_content_template(git) +#git_role_template(git_shell) +#gen_user(git_shell_u, user, git_shell_r, s0, s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.7.13/policy/modules/services/gpsd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.7.14/policy/modules/services/gpsd.te --- nsaserefpolicy/policy/modules/services/gpsd.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/gpsd.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/gpsd.te 2010-03-12 09:30:00.000000000 -0500 @@ -25,7 +25,7 @@ # gpsd local policy # @@ -17746,9 +17354,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd allow gpsd_t self:process setsched; allow gpsd_t self:shm create_shm_perms; allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto }; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.7.13/policy/modules/services/hal.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.7.14/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/hal.te 2010-03-11 10:37:42.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/hal.te 2010-03-12 09:30:00.000000000 -0500 @@ -55,6 +55,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) @@ -17875,9 +17483,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. dbus_system_bus_client(hald_dccm_t) ') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/howl.te serefpolicy-3.7.13/policy/modules/services/howl.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/howl.te serefpolicy-3.7.14/policy/modules/services/howl.te --- nsaserefpolicy/policy/modules/services/howl.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/howl.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/howl.te 2010-03-12 09:30:00.000000000 -0500 @@ -30,7 +30,7 @@ kernel_read_network_state(howl_t) @@ -17887,9 +17495,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/howl kernel_list_proc(howl_t) kernel_read_proc_symlinks(howl_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.fc serefpolicy-3.7.13/policy/modules/services/icecast.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.fc serefpolicy-3.7.14/policy/modules/services/icecast.fc --- nsaserefpolicy/policy/modules/services/icecast.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/icecast.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/icecast.fc 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,7 @@ +/etc/rc\.d/init\.d/icecast -- gen_context(system_u:object_r:icecast_initrc_exec_t,s0) + @@ -17898,9 +17506,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icec +/var/log/icecast(/.*)? gen_context(system_u:object_r:icecast_log_t,s0) + +/var/run/icecast(/.*)? gen_context(system_u:object_r:icecast_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.if serefpolicy-3.7.13/policy/modules/services/icecast.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.if serefpolicy-3.7.14/policy/modules/services/icecast.if --- nsaserefpolicy/policy/modules/services/icecast.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/icecast.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/icecast.if 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,199 @@ + +## ShoutCast compatible streaming media server @@ -18101,9 +17709,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icec + icecast_manage_log($1) + +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.te serefpolicy-3.7.13/policy/modules/services/icecast.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.te serefpolicy-3.7.14/policy/modules/services/icecast.te --- nsaserefpolicy/policy/modules/services/icecast.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/icecast.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/icecast.te 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,59 @@ +policy_module(icecast,1.0.0) + @@ -18164,9 +17772,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icec +optional_policy(` + rtkit_daemon_system_domain(icecast_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.7.13/policy/modules/services/inn.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.7.14/policy/modules/services/inn.te --- nsaserefpolicy/policy/modules/services/inn.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/inn.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/inn.te 2010-03-12 09:30:00.000000000 -0500 @@ -106,6 +106,7 @@ userdom_dontaudit_use_unpriv_user_fds(innd_t) @@ -18175,9 +17783,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn. mta_send_mail(innd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.13/policy/modules/services/kerberos.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.14/policy/modules/services/kerberos.if --- nsaserefpolicy/policy/modules/services/kerberos.if 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/kerberos.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/kerberos.if 2010-03-12 09:30:00.000000000 -0500 @@ -74,7 +74,7 @@ ') @@ -18198,9 +17806,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb tunable_policy(`allow_kerberos',` allow $1 self:tcp_socket create_socket_perms; allow $1 self:udp_socket create_socket_perms; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.7.13/policy/modules/services/kerberos.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.7.14/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/kerberos.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/kerberos.te 2010-03-12 09:30:00.000000000 -0500 @@ -112,6 +112,7 @@ kernel_read_kernel_sysctls(kadmind_t) @@ -18218,18 +17826,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb allow kpropd_t krb5_keytab_t:file read_file_perms; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.7.13/policy/modules/services/ksmtuned.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.7.14/policy/modules/services/ksmtuned.fc --- nsaserefpolicy/policy/modules/services/ksmtuned.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/ksmtuned.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/ksmtuned.fc 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,5 @@ +/etc/rc\.d/init\.d/ksmtuned -- gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0) + +/usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0) + +/var/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.if serefpolicy-3.7.13/policy/modules/services/ksmtuned.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.if serefpolicy-3.7.14/policy/modules/services/ksmtuned.if --- nsaserefpolicy/policy/modules/services/ksmtuned.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/ksmtuned.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/ksmtuned.if 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,76 @@ + +## policy for Kernel Samepage Merging (KSM) Tuning Daemon @@ -18307,9 +17915,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt + allow $2 system_r; + +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.7.13/policy/modules/services/ksmtuned.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.7.14/policy/modules/services/ksmtuned.te --- nsaserefpolicy/policy/modules/services/ksmtuned.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/ksmtuned.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/ksmtuned.te 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,44 @@ +policy_module(ksmtuned,1.0.0) + @@ -18355,9 +17963,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt +files_read_etc_files(ksmtuned_t) + +miscfiles_read_localization(ksmtuned_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.7.13/policy/modules/services/ldap.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.7.14/policy/modules/services/ldap.fc --- nsaserefpolicy/policy/modules/services/ldap.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/ldap.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/ldap.fc 2010-03-12 09:30:00.000000000 -0500 @@ -1,5 +1,7 @@ /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) @@ -18371,9 +17979,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap /var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) +#/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.7.13/policy/modules/services/ldap.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.7.14/policy/modules/services/ldap.if --- nsaserefpolicy/policy/modules/services/ldap.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/ldap.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/ldap.if 2010-03-12 09:30:00.000000000 -0500 @@ -1,5 +1,43 @@ ## OpenLDAP directory server @@ -18418,9 +18026,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap ######################################## ## ## Read the contents of the OpenLDAP -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.7.13/policy/modules/services/ldap.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.7.14/policy/modules/services/ldap.te --- nsaserefpolicy/policy/modules/services/ldap.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/ldap.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/ldap.te 2010-03-12 09:30:00.000000000 -0500 @@ -28,9 +28,15 @@ type slapd_replog_t; files_type(slapd_replog_t) @@ -18455,9 +18063,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) manage_sock_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) files_pid_filetrans(slapd_t, slapd_var_run_t, { file sock_file }) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.7.13/policy/modules/services/lircd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.7.14/policy/modules/services/lircd.te --- nsaserefpolicy/policy/modules/services/lircd.te 2010-01-11 09:40:36.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/lircd.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/lircd.te 2010-03-12 09:30:00.000000000 -0500 @@ -24,8 +24,11 @@ # lircd local policy # @@ -18506,9 +18114,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc + +sysnet_dns_name_resolve(lircd_t) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.7.13/policy/modules/services/mailman.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.7.14/policy/modules/services/mailman.fc --- nsaserefpolicy/policy/modules/services/mailman.fc 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/mailman.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/mailman.fc 2010-03-12 09:30:00.000000000 -0500 @@ -1,4 +1,4 @@ -/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +/usr/lib(64)?/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) @@ -18530,9 +18138,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail /var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.7.13/policy/modules/services/memcached.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.7.14/policy/modules/services/memcached.te --- nsaserefpolicy/policy/modules/services/memcached.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/memcached.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/memcached.te 2010-03-12 09:30:00.000000000 -0500 @@ -22,9 +22,12 @@ # @@ -18563,9 +18171,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memc +term_dontaudit_use_all_ptys(memcached_t) +term_dontaudit_use_all_ttys(memcached_t) +term_dontaudit_use_console(memcached_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.7.13/policy/modules/services/modemmanager.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.7.14/policy/modules/services/modemmanager.te --- nsaserefpolicy/policy/modules/services/modemmanager.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/modemmanager.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/modemmanager.te 2010-03-12 09:30:00.000000000 -0500 @@ -16,8 +16,8 @@ # # ModemManager local policy @@ -18585,9 +18193,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mode term_use_unallocated_ttys(modemmanager_t) miscfiles_read_localization(modemmanager_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.7.13/policy/modules/services/mta.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.7.14/policy/modules/services/mta.fc --- nsaserefpolicy/policy/modules/services/mta.fc 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/mta.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/mta.fc 2010-03-12 09:30:00.000000000 -0500 @@ -13,6 +13,8 @@ /usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) @@ -18597,9 +18205,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. /usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.7.13/policy/modules/services/mta.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.7.14/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/mta.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/mta.if 2010-03-12 09:30:00.000000000 -0500 @@ -220,6 +220,25 @@ application_executable_file($1) ') @@ -18715,9 +18323,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## Read the mail queue. ## ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.13/policy/modules/services/mta.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.14/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/mta.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/mta.te 2010-03-12 09:30:00.000000000 -0500 @@ -63,6 +63,9 @@ can_exec(system_mail_t, mta_exec_type) @@ -18791,9 +18399,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t) read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.7.13/policy/modules/services/munin.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.7.14/policy/modules/services/munin.fc --- nsaserefpolicy/policy/modules/services/munin.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/munin.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/munin.fc 2010-03-12 09:30:00.000000000 -0500 @@ -9,3 +9,6 @@ /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) /var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) @@ -18801,9 +18409,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni +/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) +/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.13/policy/modules/services/munin.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.14/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/munin.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/munin.te 2010-03-12 09:30:00.000000000 -0500 @@ -33,7 +33,7 @@ # Local policy # @@ -18854,131 +18462,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.7.13/policy/modules/services/mysql.if ---- nsaserefpolicy/policy/modules/services/mysql.if 2010-03-01 15:12:54.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/mysql.if 2010-03-11 08:56:13.000000000 -0500 -@@ -1,5 +1,43 @@ - ## Policy for MySQL - -+###################################### -+## -+## Execute MySQL in the mysql domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`mysql_domtrans',` -+ gen_require(` -+ type mysqld_t, mysqld_exec_t; -+ ') -+ -+ domtrans_pattern($1,mysqld_exec_t,mysqld_t) -+ -+') -+ -+###################################### -+## -+## Execute MySQL server in the mysql domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`mysql_domtrans_mysql_safe',` -+ gen_require(` -+ type mysqld_safe_t, mysqld_safe_exec_t; -+ ') -+ -+ domtrans_pattern($1,mysqld_safe_exec_t, mysqld_safe_t) -+') -+ -+ - ######################################## - ## - ## Send a generic signal to MySQL. -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.13/policy/modules/services/mysql.te ---- nsaserefpolicy/policy/modules/services/mysql.te 2010-03-01 15:12:54.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/mysql.te 2010-03-11 08:56:13.000000000 -0500 -@@ -1,6 +1,13 @@ - - policy_module(mysql, 1.11.2) - -+## -+##

-+## Allow mysqld to connect to all ports -+##

-+## -+gen_tunable(mysql_connect_any, false) -+ - ######################################## - # - # Declarations -@@ -47,7 +54,7 @@ - # Local policy - # - --allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service }; -+allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource net_bind_service }; - dontaudit mysqld_t self:capability sys_tty_config; - allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh }; - allow mysqld_t self:fifo_file rw_fifo_file_perms; -@@ -120,6 +127,11 @@ - # for /root/.my.cnf - should not be needed: - userdom_read_user_home_content_files(mysqld_t) - -+tunable_policy(`mysql_connect_any',` -+ corenet_tcp_connect_all_ports(mysqld_t) -+ corenet_sendrecv_all_client_packets(mysqld_t) -+') -+ - ifdef(`distro_redhat',` - # because Fedora has the sock_file in the database directory - type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t; -@@ -142,20 +154,26 @@ - # Local mysqld_safe policy - # - --allow mysqld_safe_t self:capability { dac_override fowner chown }; -+allow mysqld_safe_t self:capability { chown dac_override fowner kill }; -+dontaudit mysqld_safe_t self:capability sys_ptrace; - allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; - - domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) - - allow mysqld_safe_t mysqld_log_t:file manage_file_perms; - --allow mysqld_safe_t mysqld_var_run_t:sock_file unlink; -+manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) -+delete_sock_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.14/policy/modules/services/mysql.te +--- nsaserefpolicy/policy/modules/services/mysql.te 2010-03-12 11:48:14.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/mysql.te 2010-03-12 12:00:19.000000000 -0500 +@@ -176,6 +176,7 @@ domain_read_all_domains_state(mysqld_safe_t) +files_dontaudit_search_all_mountpoints(mysqld_safe_t) -+files_dontaudit_getattr_all_dirs(mysqld_safe_t) -+ - logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) - - kernel_read_system_state(mysqld_safe_t) -+kernel_read_kernel_sysctls(mysqld_safe_t) - - dev_list_sysfs(mysqld_safe_t) - -@@ -169,6 +187,7 @@ - miscfiles_read_localization(mysqld_safe_t) - - mysql_manage_db_files(mysqld_safe_t) -+read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) - mysql_read_config(mysqld_safe_t) - mysql_search_pid_files(mysqld_safe_t) - mysql_write_log(mysqld_safe_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.7.13/policy/modules/services/nagios.fc + files_read_etc_files(mysqld_safe_t) + files_read_usr_files(mysqld_safe_t) + files_dontaudit_getattr_all_dirs(mysqld_safe_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.7.14/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/nagios.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/nagios.fc 2010-03-12 09:30:00.000000000 -0500 @@ -1,16 +1,89 @@ /etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) /etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) @@ -19074,9 +18571,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi + +# unconfined plugins +/usr/lib(64)?/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.7.13/policy/modules/services/nagios.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.7.14/policy/modules/services/nagios.if --- nsaserefpolicy/policy/modules/services/nagios.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/nagios.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/nagios.if 2010-03-12 09:30:00.000000000 -0500 @@ -64,8 +64,8 @@ ######################################## @@ -19240,9 +18737,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi + + admin_pattern($1, nrpe_etc_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.13/policy/modules/services/nagios.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.14/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/nagios.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/nagios.te 2010-03-12 09:30:00.000000000 -0500 @@ -6,17 +6,23 @@ # Declarations # @@ -19627,9 +19124,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi +optional_policy(` + init_read_utmp(nagios_system_plugin_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.7.13/policy/modules/services/networkmanager.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.7.14/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/networkmanager.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/networkmanager.fc 2010-03-12 09:30:00.000000000 -0500 @@ -1,12 +1,32 @@ +/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t, s0) +/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) @@ -19663,9 +19160,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.7.13/policy/modules/services/networkmanager.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.7.14/policy/modules/services/networkmanager.if --- nsaserefpolicy/policy/modules/services/networkmanager.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/networkmanager.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/networkmanager.if 2010-03-12 09:30:00.000000000 -0500 @@ -118,6 +118,24 @@ ######################################## @@ -19763,9 +19260,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.13/policy/modules/services/networkmanager.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.14/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/networkmanager.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/networkmanager.te 2010-03-12 09:30:00.000000000 -0500 @@ -19,6 +19,9 @@ type NetworkManager_tmp_t; files_tmp_file(NetworkManager_tmp_t) @@ -20009,9 +19506,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.7.13/policy/modules/services/nis.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.7.14/policy/modules/services/nis.fc --- nsaserefpolicy/policy/modules/services/nis.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/nis.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/nis.fc 2010-03-12 09:30:00.000000000 -0500 @@ -1,4 +1,7 @@ - +/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0) @@ -20030,9 +19527,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. +/var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0) +/var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0) +/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.7.13/policy/modules/services/nis.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.7.14/policy/modules/services/nis.if --- nsaserefpolicy/policy/modules/services/nis.if 2010-03-03 23:26:37.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/nis.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/nis.if 2010-03-12 09:30:00.000000000 -0500 @@ -28,7 +28,7 @@ type var_yp_t; ') @@ -20150,9 +19647,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. + nis_domtrans_ypbind($1) + role $2 types ypbind_t; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.7.13/policy/modules/services/nis.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.7.14/policy/modules/services/nis.te --- nsaserefpolicy/policy/modules/services/nis.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/nis.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/nis.te 2010-03-12 09:30:00.000000000 -0500 @@ -13,6 +13,9 @@ type ypbind_exec_t; init_daemon_domain(ypbind_t, ypbind_exec_t) @@ -20224,9 +19721,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. corenet_tcp_bind_all_rpc_ports(ypxfr_t) corenet_udp_bind_all_rpc_ports(ypxfr_t) corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.7.13/policy/modules/services/nscd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.7.14/policy/modules/services/nscd.if --- nsaserefpolicy/policy/modules/services/nscd.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/nscd.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/nscd.if 2010-03-12 09:30:00.000000000 -0500 @@ -121,6 +121,24 @@ ######################################## @@ -20261,9 +19758,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.7.13/policy/modules/services/nscd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.7.14/policy/modules/services/nscd.te --- nsaserefpolicy/policy/modules/services/nscd.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/nscd.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/nscd.te 2010-03-12 09:30:00.000000000 -0500 @@ -1,10 +1,17 @@ -policy_module(nscd, 1.10.0) @@ -20308,9 +19805,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd +optional_policy(` + unconfined_dontaudit_rw_packet_sockets(nscd_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.fc serefpolicy-3.7.13/policy/modules/services/ntop.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.fc serefpolicy-3.7.14/policy/modules/services/ntop.fc --- nsaserefpolicy/policy/modules/services/ntop.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/ntop.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/ntop.fc 2010-03-12 09:30:00.000000000 -0500 @@ -1,7 +1,6 @@ /etc/ntop(/.*)? gen_context(system_u:object_r:ntop_etc_t,s0) @@ -20319,9 +19816,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop /var/lib/ntop(/.*)? gen_context(system_u:object_r:ntop_var_lib_t,s0) /var/run/ntop\.pid -- gen_context(system_u:object_r:ntop_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.te serefpolicy-3.7.13/policy/modules/services/ntop.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.te serefpolicy-3.7.14/policy/modules/services/ntop.te --- nsaserefpolicy/policy/modules/services/ntop.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/ntop.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/ntop.te 2010-03-12 09:30:00.000000000 -0500 @@ -11,12 +11,12 @@ init_daemon_domain(ntop_t, ntop_exec_t) application_domain(ntop_t, ntop_exec_t) @@ -20412,9 +19909,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop seutil_sigchld_newrole(ntop_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.7.13/policy/modules/services/ntp.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.7.14/policy/modules/services/ntp.te --- nsaserefpolicy/policy/modules/services/ntp.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/ntp.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/ntp.te 2010-03-12 09:30:00.000000000 -0500 @@ -100,6 +100,8 @@ fs_getattr_all_fs(ntpd_t) @@ -20424,9 +19921,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. term_use_ptmx(ntpd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.7.13/policy/modules/services/nut.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.7.14/policy/modules/services/nut.te --- nsaserefpolicy/policy/modules/services/nut.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/nut.te 2010-03-11 16:49:45.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/nut.te 2010-03-12 09:30:00.000000000 -0500 @@ -29,7 +29,8 @@ # Local policy for upsd # @@ -20482,9 +19979,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut. + + sysnet_dns_name_resolve(httpd_nutups_cgi_script_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.7.13/policy/modules/services/nx.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.7.14/policy/modules/services/nx.fc --- nsaserefpolicy/policy/modules/services/nx.fc 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/nx.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/nx.fc 2010-03-12 09:30:00.000000000 -0500 @@ -1,7 +1,15 @@ /opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) @@ -20503,9 +20000,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.f +/var/lib/nxserver(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0) + /usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.7.13/policy/modules/services/nx.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.7.14/policy/modules/services/nx.if --- nsaserefpolicy/policy/modules/services/nx.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/nx.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/nx.if 2010-03-12 09:30:00.000000000 -0500 @@ -17,3 +17,70 @@ spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t) @@ -20577,9 +20074,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.i + + filetrans_pattern($1, nx_server_var_lib_t, $2, $3) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.7.13/policy/modules/services/nx.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.7.14/policy/modules/services/nx.te --- nsaserefpolicy/policy/modules/services/nx.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/nx.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/nx.te 2010-03-12 09:30:00.000000000 -0500 @@ -25,6 +25,12 @@ type nx_server_var_run_t; files_pid_file(nx_server_var_run_t) @@ -20614,9 +20111,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.t kernel_read_system_state(nx_server_t) kernel_read_kernel_sysctls(nx_server_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.7.13/policy/modules/services/oddjob.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.7.14/policy/modules/services/oddjob.if --- nsaserefpolicy/policy/modules/services/oddjob.if 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/oddjob.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/oddjob.if 2010-03-12 09:30:00.000000000 -0500 @@ -44,6 +44,7 @@ ') @@ -20625,9 +20122,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.7.13/policy/modules/services/oddjob.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.7.14/policy/modules/services/oddjob.te --- nsaserefpolicy/policy/modules/services/oddjob.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/oddjob.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/oddjob.te 2010-03-12 09:30:00.000000000 -0500 @@ -100,8 +100,7 @@ # Add/remove user home directories @@ -20639,9 +20136,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj +userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t) +userdom_manage_user_home_content(oddjob_mkhomedir_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.7.13/policy/modules/services/openvpn.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.7.14/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/openvpn.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/openvpn.te 2010-03-12 09:30:00.000000000 -0500 @@ -41,7 +41,7 @@ # openvpn local policy # @@ -20677,9 +20174,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open sysnet_etc_filetrans_config(openvpn_t) userdom_use_user_terminals(openvpn_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.if serefpolicy-3.7.13/policy/modules/services/pcscd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.if serefpolicy-3.7.14/policy/modules/services/pcscd.if --- nsaserefpolicy/policy/modules/services/pcscd.if 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/pcscd.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/pcscd.if 2010-03-12 09:30:00.000000000 -0500 @@ -39,6 +39,44 @@ ######################################## @@ -20725,9 +20222,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcsc ## Connect to pcscd over an unix stream socket. ## ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.7.13/policy/modules/services/pegasus.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.7.14/policy/modules/services/pegasus.te --- nsaserefpolicy/policy/modules/services/pegasus.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/pegasus.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/pegasus.te 2010-03-12 09:30:00.000000000 -0500 @@ -30,7 +30,7 @@ # Local policy # @@ -20799,9 +20296,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega + xen_stream_connect(pegasus_t) + xen_stream_connect_xenstore(pegasus_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.fc serefpolicy-3.7.13/policy/modules/services/plymouthd.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.fc serefpolicy-3.7.14/policy/modules/services/plymouthd.fc --- nsaserefpolicy/policy/modules/services/plymouthd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/plymouthd.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/plymouthd.fc 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,9 @@ +/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t, s0) + @@ -20812,9 +20309,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym +/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t, s0) + +/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t, s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.if serefpolicy-3.7.13/policy/modules/services/plymouthd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.if serefpolicy-3.7.14/policy/modules/services/plymouthd.if --- nsaserefpolicy/policy/modules/services/plymouthd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/plymouthd.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/plymouthd.if 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,322 @@ +## policy for plymouthd + @@ -21138,9 +20635,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym + + allow $1 plymouthd_t:unix_stream_socket connectto; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.te serefpolicy-3.7.13/policy/modules/services/plymouthd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.te serefpolicy-3.7.14/policy/modules/services/plymouthd.te --- nsaserefpolicy/policy/modules/services/plymouthd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/plymouthd.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/plymouthd.te 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,105 @@ +policy_module(plymouthd, 1.0.0) + @@ -21247,9 +20744,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym + hal_dontaudit_rw_pipes(plymouth_t) +') +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.7.13/policy/modules/services/policykit.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.7.14/policy/modules/services/policykit.fc --- nsaserefpolicy/policy/modules/services/policykit.fc 2009-08-18 11:41:14.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/policykit.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/policykit.fc 2010-03-12 09:30:00.000000000 -0500 @@ -6,10 +6,13 @@ /usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) /usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) @@ -21265,9 +20762,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli /var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) /var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.7.13/policy/modules/services/policykit.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.7.14/policy/modules/services/policykit.if --- nsaserefpolicy/policy/modules/services/policykit.if 2009-08-18 18:39:50.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/policykit.if 2010-03-11 13:54:20.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/policykit.if 2010-03-12 09:30:00.000000000 -0500 @@ -17,12 +17,37 @@ class dbus send_msg; ') @@ -21364,9 +20861,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli + + allow $1 policykit_auth_t:process signal; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.13/policy/modules/services/policykit.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.14/policy/modules/services/policykit.te --- nsaserefpolicy/policy/modules/services/policykit.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/policykit.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/policykit.te 2010-03-12 09:30:00.000000000 -0500 @@ -36,11 +36,12 @@ # policykit local policy # @@ -21528,9 +21025,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli allow policykit_resolve_t self:unix_dgram_socket create_socket_perms; allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.7.13/policy/modules/services/portreserve.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.7.14/policy/modules/services/portreserve.te --- nsaserefpolicy/policy/modules/services/portreserve.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/portreserve.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/portreserve.te 2010-03-12 09:30:00.000000000 -0500 @@ -21,6 +21,7 @@ # Portreserve local policy # @@ -21548,9 +21045,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port corenet_all_recvfrom_unlabeled(portreserve_t) corenet_all_recvfrom_netlabel(portreserve_t) corenet_tcp_bind_generic_node(portreserve_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.7.13/policy/modules/services/postfix.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.7.14/policy/modules/services/postfix.fc --- nsaserefpolicy/policy/modules/services/postfix.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/postfix.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/postfix.fc 2010-03-12 09:30:00.000000000 -0500 @@ -29,12 +29,10 @@ /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) @@ -21564,9 +21061,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post /usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0) /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.13/policy/modules/services/postfix.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.14/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/postfix.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/postfix.if 2010-03-12 09:30:00.000000000 -0500 @@ -46,6 +46,7 @@ allow postfix_$1_t postfix_etc_t:dir list_dir_perms; @@ -21861,9 +21358,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + role $2 types postfix_postdrop_t; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.13/policy/modules/services/postfix.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.14/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/postfix.te 2010-03-11 09:57:10.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/postfix.te 2010-03-12 09:30:00.000000000 -0500 @@ -6,6 +6,15 @@ # Declarations # @@ -22269,9 +21766,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +userdom_manage_user_home_content(postfix_virtual_t) +userdom_home_filetrans_user_home_dir(postfix_virtual_t) +userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir }) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.7.13/policy/modules/services/postgresql.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.7.14/policy/modules/services/postgresql.fc --- nsaserefpolicy/policy/modules/services/postgresql.fc 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/postgresql.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/postgresql.fc 2010-03-12 09:30:00.000000000 -0500 @@ -3,6 +3,7 @@ # /etc/postgresql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0) @@ -22298,9 +21795,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post /var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0) + +/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.7.13/policy/modules/services/postgresql.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.7.14/policy/modules/services/postgresql.if --- nsaserefpolicy/policy/modules/services/postgresql.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/postgresql.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/postgresql.if 2010-03-12 09:30:00.000000000 -0500 @@ -125,6 +125,23 @@ typeattribute $1 sepgsql_table_type; ') @@ -22325,9 +21822,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## ## ## Marks as a SE-PostgreSQL system table/column/tuple object type -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.7.13/policy/modules/services/postgresql.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.7.14/policy/modules/services/postgresql.te --- nsaserefpolicy/policy/modules/services/postgresql.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/postgresql.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/postgresql.te 2010-03-12 09:30:00.000000000 -0500 @@ -150,6 +150,7 @@ dontaudit postgresql_t self:capability { sys_tty_config sys_admin }; allow postgresql_t self:process signal_perms; @@ -22362,9 +21859,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post miscfiles_read_localization(postgresql_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.7.13/policy/modules/services/ppp.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.7.14/policy/modules/services/ppp.fc --- nsaserefpolicy/policy/modules/services/ppp.fc 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/ppp.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/ppp.fc 2010-03-12 09:30:00.000000000 -0500 @@ -3,6 +3,7 @@ # /etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) @@ -22373,9 +21870,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. /etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0) /etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) /etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.7.13/policy/modules/services/ppp.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.7.14/policy/modules/services/ppp.if --- nsaserefpolicy/policy/modules/services/ppp.if 2010-01-18 15:04:31.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/ppp.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/ppp.if 2010-03-12 09:30:00.000000000 -0500 @@ -182,6 +182,10 @@ ppp_domtrans($1) role $2 types pppd_t; @@ -22387,9 +21884,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.7.13/policy/modules/services/ppp.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.7.14/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2010-01-18 15:04:31.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/ppp.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/ppp.te 2010-03-12 09:30:00.000000000 -0500 @@ -71,9 +71,9 @@ # PPPD Local policy # @@ -22427,9 +21924,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. optional_policy(` consoletype_exec(pppd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.7.13/policy/modules/services/prelude.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.7.14/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/prelude.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/prelude.te 2010-03-12 09:30:00.000000000 -0500 @@ -90,6 +90,7 @@ corenet_tcp_bind_prelude_port(prelude_t) corenet_tcp_connect_prelude_port(prelude_t) @@ -22447,9 +21944,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel fs_rw_anon_inodefs_files(prelude_lml_t) auth_use_nsswitch(prelude_lml_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.7.13/policy/modules/services/procmail.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.7.14/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/procmail.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/procmail.te 2010-03-12 09:30:00.000000000 -0500 @@ -22,7 +22,7 @@ # Local policy # @@ -22497,9 +21994,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.7.13/policy/modules/services/pyzor.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.7.14/policy/modules/services/pyzor.fc --- nsaserefpolicy/policy/modules/services/pyzor.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/pyzor.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/pyzor.fc 2010-03-12 09:30:00.000000000 -0500 @@ -1,6 +1,10 @@ /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) +/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0) @@ -22511,9 +22008,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.7.13/policy/modules/services/pyzor.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.7.14/policy/modules/services/pyzor.if --- nsaserefpolicy/policy/modules/services/pyzor.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/pyzor.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/pyzor.if 2010-03-12 09:30:00.000000000 -0500 @@ -88,3 +88,50 @@ corecmd_search_bin($1) can_exec($1, pyzor_exec_t) @@ -22565,9 +22062,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.7.13/policy/modules/services/pyzor.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.7.14/policy/modules/services/pyzor.te --- nsaserefpolicy/policy/modules/services/pyzor.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/pyzor.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/pyzor.te 2010-03-12 09:30:00.000000000 -0500 @@ -6,6 +6,38 @@ # Declarations # @@ -22632,9 +22129,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo userdom_dontaudit_search_user_home_dirs(pyzor_t) optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.7.13/policy/modules/services/radvd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.7.14/policy/modules/services/radvd.te --- nsaserefpolicy/policy/modules/services/radvd.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/radvd.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/radvd.te 2010-03-12 09:30:00.000000000 -0500 @@ -22,9 +22,9 @@ # # Local policy @@ -22670,17 +22167,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radv seutil_sigchld_newrole(radvd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.7.13/policy/modules/services/razor.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.7.14/policy/modules/services/razor.fc --- nsaserefpolicy/policy/modules/services/razor.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/razor.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/razor.fc 2010-03-12 09:30:00.000000000 -0500 @@ -1,3 +1,4 @@ +/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) /etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.7.13/policy/modules/services/razor.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.7.14/policy/modules/services/razor.if --- nsaserefpolicy/policy/modules/services/razor.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/razor.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/razor.if 2010-03-12 09:30:00.000000000 -0500 @@ -157,3 +157,45 @@ domtrans_pattern($1, razor_exec_t, razor_t) @@ -22727,9 +22224,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo + read_files_pattern($1, razor_var_lib_t, razor_var_lib_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.7.13/policy/modules/services/razor.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.7.14/policy/modules/services/razor.te --- nsaserefpolicy/policy/modules/services/razor.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/razor.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/razor.te 2010-03-12 09:30:00.000000000 -0500 @@ -6,6 +6,32 @@ # Declarations # @@ -22781,9 +22278,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo +') + ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdisc.if serefpolicy-3.7.13/policy/modules/services/rdisc.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdisc.if serefpolicy-3.7.14/policy/modules/services/rdisc.if --- nsaserefpolicy/policy/modules/services/rdisc.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/rdisc.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/rdisc.if 2010-03-12 09:30:00.000000000 -0500 @@ -1 +1,20 @@ ## Network router discovery daemon + @@ -22805,9 +22302,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdis + corecmd_search_bin($1) + can_exec($1,rdisc_exec_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.7.13/policy/modules/services/rgmanager.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.7.14/policy/modules/services/rgmanager.fc --- nsaserefpolicy/policy/modules/services/rgmanager.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/rgmanager.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/rgmanager.fc 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,8 @@ + +/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0) @@ -22817,9 +22314,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma +/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0) + +/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.7.13/policy/modules/services/rgmanager.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.7.14/policy/modules/services/rgmanager.if --- nsaserefpolicy/policy/modules/services/rgmanager.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/rgmanager.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/rgmanager.if 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,98 @@ +## SELinux policy for rgmanager + @@ -22919,9 +22416,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma + manage_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t) + manage_lnk_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.13/policy/modules/services/rgmanager.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.14/policy/modules/services/rgmanager.te --- nsaserefpolicy/policy/modules/services/rgmanager.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/rgmanager.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/rgmanager.te 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,223 @@ + +policy_module(rgmanager,1.0.0) @@ -23146,9 +22643,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma +optional_policy(` + xen_domtrans_xm(rgmanager_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.7.13/policy/modules/services/rhcs.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.7.14/policy/modules/services/rhcs.fc --- nsaserefpolicy/policy/modules/services/rhcs.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/rhcs.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/rhcs.fc 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,23 @@ +/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) +/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0) @@ -23173,9 +22670,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0) +/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.7.13/policy/modules/services/rhcs.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.7.14/policy/modules/services/rhcs.if --- nsaserefpolicy/policy/modules/services/rhcs.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/rhcs.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/rhcs.if 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,424 @@ +## SELinux policy for RHCS - Red Hat Cluster Suite + @@ -23601,9 +23098,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.13/policy/modules/services/rhcs.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.14/policy/modules/services/rhcs.te --- nsaserefpolicy/policy/modules/services/rhcs.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/rhcs.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/rhcs.te 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,248 @@ + +policy_module(rhcs,1.1.0) @@ -23853,9 +23350,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +optional_policy(` + corosync_stream_connect(cluster_domain) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.7.13/policy/modules/services/ricci.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.7.14/policy/modules/services/ricci.te --- nsaserefpolicy/policy/modules/services/ricci.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/ricci.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/ricci.te 2010-03-12 09:30:00.000000000 -0500 @@ -194,10 +194,13 @@ # ricci_modcluster local policy # @@ -23965,9 +23462,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc ccs_stream_connect(ricci_modstorage_t) ccs_read_config(ricci_modstorage_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.fc serefpolicy-3.7.13/policy/modules/services/rpc.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.fc serefpolicy-3.7.14/policy/modules/services/rpc.fc --- nsaserefpolicy/policy/modules/services/rpc.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/rpc.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/rpc.fc 2010-03-12 09:30:00.000000000 -0500 @@ -1,6 +1,10 @@ # # /etc @@ -23979,9 +23476,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. /etc/exports -- gen_context(system_u:object_r:exports_t,s0) # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.7.13/policy/modules/services/rpc.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.7.14/policy/modules/services/rpc.if --- nsaserefpolicy/policy/modules/services/rpc.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/rpc.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/rpc.if 2010-03-12 09:30:00.000000000 -0500 @@ -54,7 +54,7 @@ allow $1_t self:unix_dgram_socket create_socket_perms; allow $1_t self:unix_stream_socket create_stream_socket_perms; @@ -24075,9 +23572,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) + allow $1 var_lib_nfs_t:file { relabelfrom relabelto }; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.7.13/policy/modules/services/rpc.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.7.14/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/rpc.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/rpc.te 2010-03-12 09:30:00.000000000 -0500 @@ -8,7 +8,7 @@ ## @@ -24212,9 +23709,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.if serefpolicy-3.7.13/policy/modules/services/rsync.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.if serefpolicy-3.7.14/policy/modules/services/rsync.if --- nsaserefpolicy/policy/modules/services/rsync.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/rsync.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/rsync.if 2010-03-12 09:30:00.000000000 -0500 @@ -119,7 +119,7 @@ type rsync_etc_t; ') @@ -24232,9 +23729,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn + write_files_pattern($1, rsync_etc_t, rsync_etc_t) files_search_etc($1) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.7.13/policy/modules/services/rsync.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.7.14/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/rsync.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/rsync.te 2010-03-12 09:30:00.000000000 -0500 @@ -8,6 +8,13 @@ ## @@ -24286,9 +23783,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn +') + auth_can_read_shadow_passwords(rsync_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.7.13/policy/modules/services/rtkit.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.7.14/policy/modules/services/rtkit.if --- nsaserefpolicy/policy/modules/services/rtkit.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/rtkit.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/rtkit.if 2010-03-12 09:30:00.000000000 -0500 @@ -38,3 +38,23 @@ allow $1 rtkit_daemon_t:dbus send_msg; allow rtkit_daemon_t $1:dbus send_msg; @@ -24313,9 +23810,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtki + allow rtkit_daemon_t $1:process { getsched setsched }; + rtkit_daemon_dbus_chat($1) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.7.13/policy/modules/services/rtkit.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.7.14/policy/modules/services/rtkit.te --- nsaserefpolicy/policy/modules/services/rtkit.te 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/rtkit.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/rtkit.te 2010-03-12 09:30:00.000000000 -0500 @@ -17,9 +17,11 @@ allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace }; @@ -24337,9 +23834,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtki optional_policy(` policykit_dbus_chat(rtkit_daemon_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.7.13/policy/modules/services/samba.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.7.14/policy/modules/services/samba.fc --- nsaserefpolicy/policy/modules/services/samba.fc 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/samba.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/samba.fc 2010-03-12 09:30:00.000000000 -0500 @@ -51,3 +51,7 @@ /var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) @@ -24348,9 +23845,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +ifndef(`enable_mls',` +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.7.13/policy/modules/services/samba.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.7.14/policy/modules/services/samba.if --- nsaserefpolicy/policy/modules/services/samba.if 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/samba.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/samba.if 2010-03-12 09:30:00.000000000 -0500 @@ -62,6 +62,25 @@ ######################################## @@ -24564,9 +24061,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb admin_pattern($1, winbind_var_run_t) + admin_pattern($1, samba_unconfined_script_exec_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.13/policy/modules/services/samba.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.14/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/samba.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/samba.te 2010-03-12 09:30:00.000000000 -0500 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) @@ -24886,9 +24383,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +',` + can_exec(smbd_t, samba_unconfined_script_exec_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.7.13/policy/modules/services/sasl.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.7.14/policy/modules/services/sasl.te --- nsaserefpolicy/policy/modules/services/sasl.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/sasl.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/sasl.te 2010-03-12 09:30:00.000000000 -0500 @@ -31,7 +31,7 @@ # Local policy # @@ -24951,9 +24448,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl seutil_sigchld_newrole(saslauthd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.13/policy/modules/services/sendmail.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.14/policy/modules/services/sendmail.if --- nsaserefpolicy/policy/modules/services/sendmail.if 2010-01-11 09:40:36.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/sendmail.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/sendmail.if 2010-03-12 09:30:00.000000000 -0500 @@ -277,3 +277,22 @@ sendmail_domtrans_unconfined($1) role $2 types unconfined_sendmail_t; @@ -24977,9 +24474,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send + domtrans_pattern($1, sendmail_exec_t, unconfined_sendmail_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.13/policy/modules/services/sendmail.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.14/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2010-01-11 09:40:36.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/sendmail.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/sendmail.te 2010-03-12 09:30:00.000000000 -0500 @@ -30,7 +30,7 @@ # @@ -25058,18 +24555,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send + unconfined_domain_noaudit(unconfined_sendmail_t) ') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.7.13/policy/modules/services/setroubleshoot.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.7.14/policy/modules/services/setroubleshoot.fc --- nsaserefpolicy/policy/modules/services/setroubleshoot.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/setroubleshoot.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/setroubleshoot.fc 2010-03-12 09:30:00.000000000 -0500 @@ -5,3 +5,5 @@ /var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0) /var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0) + +/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.7.13/policy/modules/services/setroubleshoot.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.7.14/policy/modules/services/setroubleshoot.if --- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/setroubleshoot.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/setroubleshoot.if 2010-03-12 09:30:00.000000000 -0500 @@ -16,8 +16,8 @@ ') @@ -25207,9 +24704,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr + files_list_pids($1) + admin_pattern($1, setroubleshoot_var_run_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.7.13/policy/modules/services/setroubleshoot.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.7.14/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/setroubleshoot.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/setroubleshoot.te 2010-03-12 09:30:00.000000000 -0500 @@ -22,13 +22,19 @@ type setroubleshoot_var_run_t; files_pid_file(setroubleshoot_var_run_t) @@ -25355,9 +24852,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr + policykit_dbus_chat(setroubleshoot_fixit_t) + userdom_read_all_users_state(setroubleshoot_fixit_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.fc serefpolicy-3.7.13/policy/modules/services/smokeping.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.fc serefpolicy-3.7.14/policy/modules/services/smokeping.fc --- nsaserefpolicy/policy/modules/services/smokeping.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/smokeping.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/smokeping.fc 2010-03-12 09:30:00.000000000 -0500 @@ -0,0 +1,12 @@ + +/etc/rc\.d/init\.d/smokeping -- gen_context(system_u:object_r:smokeping_initrc_exec_t,s0) @@ -25371,9 +24868,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smok +/var/run/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_run_t,s0) + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.if serefpolicy-3.7.13/policy/modules/services/smokeping.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.if serefpolicy-3.7.14/policy/modules/services/smokeping.if --- nsaserefpolicy/policy/modules/services/smokeping.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/smokeping.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/smokeping.if 2010-03-12 09:30:01.000000000 -0500 @@ -0,0 +1,193 @@ + +## policy for smokeping @@ -25568,9 +25065,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smok + smokeping_manage_var_lib($1) + +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.te serefpolicy-3.7.13/policy/modules/services/smokeping.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.te serefpolicy-3.7.14/policy/modules/services/smokeping.te --- nsaserefpolicy/policy/modules/services/smokeping.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/smokeping.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/smokeping.te 2010-03-12 09:30:01.000000000 -0500 @@ -0,0 +1,81 @@ + +policy_module(smokeping,1.0.0) @@ -25653,9 +25150,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smok + + sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.7.13/policy/modules/services/snmp.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.7.14/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/snmp.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/snmp.te 2010-03-12 09:30:01.000000000 -0500 @@ -25,7 +25,7 @@ # # Local policy @@ -25665,9 +25162,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp dontaudit snmpd_t self:capability { sys_module sys_tty_config }; allow snmpd_t self:process { signal_perms getsched setsched }; allow snmpd_t self:fifo_file rw_fifo_file_perms; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.7.13/policy/modules/services/snort.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.7.14/policy/modules/services/snort.te --- nsaserefpolicy/policy/modules/services/snort.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/snort.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/snort.te 2010-03-12 09:30:01.000000000 -0500 @@ -37,6 +37,7 @@ allow snort_t self:tcp_socket create_stream_socket_perms; allow snort_t self:udp_socket create_socket_perms; @@ -25701,9 +25198,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snor domain_use_interactive_fds(snort_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.7.13/policy/modules/services/spamassassin.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.7.14/policy/modules/services/spamassassin.fc --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/spamassassin.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/spamassassin.fc 2010-03-12 09:30:01.000000000 -0500 @@ -1,15 +1,26 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) @@ -25733,9 +25230,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) +/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) +/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.7.13/policy/modules/services/spamassassin.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.7.14/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/spamassassin.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/spamassassin.if 2010-03-12 09:30:01.000000000 -0500 @@ -111,6 +111,45 @@ ') @@ -25862,9 +25359,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam + files_list_pids($1) + admin_pattern($1, spamd_var_run_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.7.13/policy/modules/services/spamassassin.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.7.14/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/spamassassin.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/spamassassin.te 2010-03-12 09:30:01.000000000 -0500 @@ -20,6 +20,35 @@ ## gen_tunable(spamd_enable_home_dirs, true) @@ -26170,9 +25667,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +optional_policy(` udev_read_db(spamd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.7.13/policy/modules/services/squid.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.7.14/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/squid.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/squid.te 2010-03-12 09:30:01.000000000 -0500 @@ -67,7 +67,9 @@ can_exec(squid_t, squid_exec_t) @@ -26201,18 +25698,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi -#squid requires the following when run in diskd mode, the recommended setting -allow squid_t tmpfs_t:file { read write }; -') dnl end TODO -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.7.13/policy/modules/services/ssh.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.7.14/policy/modules/services/ssh.fc --- nsaserefpolicy/policy/modules/services/ssh.fc 2010-01-18 15:04:31.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/ssh.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/ssh.fc 2010-03-12 09:30:01.000000000 -0500 @@ -14,3 +14,5 @@ /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) /var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) + +/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.13/policy/modules/services/ssh.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.14/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/ssh.if 2010-03-11 13:41:34.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/ssh.if 2010-03-12 09:30:01.000000000 -0500 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -26380,9 +25877,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ####################################### ## ## Delete from the ssh temp files. -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.13/policy/modules/services/ssh.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.14/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/ssh.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/ssh.te 2010-03-12 09:30:01.000000000 -0500 @@ -114,6 +114,7 @@ manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) @@ -26515,9 +26012,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ifdef(`TODO',` tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.7.13/policy/modules/services/sssd.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.7.14/policy/modules/services/sssd.fc --- nsaserefpolicy/policy/modules/services/sssd.fc 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/sssd.fc 2010-03-11 09:20:50.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/sssd.fc 2010-03-12 09:30:01.000000000 -0500 @@ -4,6 +4,8 @@ /var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) @@ -26528,9 +26025,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd +/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0) /var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.7.13/policy/modules/services/sssd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.7.14/policy/modules/services/sssd.if --- nsaserefpolicy/policy/modules/services/sssd.if 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/sssd.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/sssd.if 2010-03-12 09:30:01.000000000 -0500 @@ -38,6 +38,25 @@ ######################################## @@ -26609,9 +26106,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd + + admin_pattern($1, sssd_public_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.13/policy/modules/services/sssd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.14/policy/modules/services/sssd.te --- nsaserefpolicy/policy/modules/services/sssd.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/sssd.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/sssd.te 2010-03-12 09:30:01.000000000 -0500 @@ -13,6 +13,9 @@ type sssd_initrc_exec_t; init_script_file(sssd_initrc_exec_t) @@ -26666,9 +26163,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd optional_policy(` dbus_system_bus_client(sssd_t) dbus_connect_system_bus(sssd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.7.13/policy/modules/services/sysstat.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.7.14/policy/modules/services/sysstat.te --- nsaserefpolicy/policy/modules/services/sysstat.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/sysstat.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/sysstat.te 2010-03-12 09:30:01.000000000 -0500 @@ -19,14 +19,15 @@ # Local policy # @@ -26687,9 +26184,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/syss logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir }) # get info from /proc -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.7.13/policy/modules/services/telnet.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.7.14/policy/modules/services/telnet.te --- nsaserefpolicy/policy/modules/services/telnet.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/telnet.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/telnet.te 2010-03-12 09:30:01.000000000 -0500 @@ -85,6 +85,7 @@ remotelogin_domtrans(telnetd_t) @@ -26698,9 +26195,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln optional_policy(` kerberos_keytab_template(telnetd, telnetd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.7.13/policy/modules/services/tftp.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.7.14/policy/modules/services/tftp.te --- nsaserefpolicy/policy/modules/services/tftp.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/tftp.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/tftp.te 2010-03-12 09:30:01.000000000 -0500 @@ -50,9 +50,8 @@ manage_files_pattern(tftpd_t, tftpd_var_run_t, tftpd_var_run_t) files_pid_filetrans(tftpd_t, tftpd_var_run_t, file) @@ -26712,9 +26209,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp corenet_all_recvfrom_unlabeled(tftpd_t) corenet_all_recvfrom_netlabel(tftpd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.fc serefpolicy-3.7.13/policy/modules/services/tor.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.fc serefpolicy-3.7.14/policy/modules/services/tor.fc --- nsaserefpolicy/policy/modules/services/tor.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/tor.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/tor.fc 2010-03-12 09:30:01.000000000 -0500 @@ -5,5 +5,8 @@ /usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) @@ -26724,9 +26221,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor. /var/log/tor(/.*)? gen_context(system_u:object_r:tor_var_log_t,s0) + /var/run/tor(/.*)? gen_context(system_u:object_r:tor_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.7.13/policy/modules/services/tor.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.7.14/policy/modules/services/tor.te --- nsaserefpolicy/policy/modules/services/tor.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/tor.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/tor.te 2010-03-12 09:30:01.000000000 -0500 @@ -6,6 +6,14 @@ # Declarations # @@ -26758,9 +26255,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor. +tunable_policy(`tor_bind_all_unreserved_ports', ` + corenet_tcp_bind_all_unreserved_ports(tor_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.fc serefpolicy-3.7.13/policy/modules/services/tuned.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.fc serefpolicy-3.7.14/policy/modules/services/tuned.fc --- nsaserefpolicy/policy/modules/services/tuned.fc 2009-11-12 12:51:51.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/tuned.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/tuned.fc 2010-03-12 09:30:01.000000000 -0500 @@ -2,4 +2,7 @@ /usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0) @@ -26769,9 +26266,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tune +/var/log/tuned\.log -- gen_context(system_u:object_r:tuned_log_t,s0) + /var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.7.13/policy/modules/services/tuned.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.7.14/policy/modules/services/tuned.te --- nsaserefpolicy/policy/modules/services/tuned.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/tuned.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/tuned.te 2010-03-12 09:30:01.000000000 -0500 @@ -13,6 +13,9 @@ type tuned_initrc_exec_t; init_script_file(tuned_initrc_exec_t) @@ -26825,9 +26322,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tune # to allow network interface tuning optional_policy(` sysnet_domtrans_ifconfig(tuned_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.te serefpolicy-3.7.13/policy/modules/services/ucspitcp.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.te serefpolicy-3.7.14/policy/modules/services/ucspitcp.te --- nsaserefpolicy/policy/modules/services/ucspitcp.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/ucspitcp.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/ucspitcp.te 2010-03-12 09:30:01.000000000 -0500 @@ -92,3 +92,8 @@ daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t) daemontools_read_svc(ucspitcp_t) @@ -26837,17 +26334,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucsp + daemontools_sigchld_run(ucspitcp_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.7.13/policy/modules/services/usbmuxd.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.7.14/policy/modules/services/usbmuxd.fc --- nsaserefpolicy/policy/modules/services/usbmuxd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/usbmuxd.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/usbmuxd.fc 2010-03-12 09:30:01.000000000 -0500 @@ -0,0 +1,4 @@ + +/usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0) + +/var/run/usbmuxd -s gen_context(system_u:object_r:usbmuxd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.if serefpolicy-3.7.13/policy/modules/services/usbmuxd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.if serefpolicy-3.7.14/policy/modules/services/usbmuxd.if --- nsaserefpolicy/policy/modules/services/usbmuxd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/usbmuxd.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/usbmuxd.if 2010-03-12 09:30:01.000000000 -0500 @@ -0,0 +1,39 @@ +## Daemon for communicating with Apple's iPod Touch and iPhone + @@ -26888,9 +26385,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm + files_search_pids($1) + stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.te serefpolicy-3.7.13/policy/modules/services/usbmuxd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.te serefpolicy-3.7.14/policy/modules/services/usbmuxd.te --- nsaserefpolicy/policy/modules/services/usbmuxd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/usbmuxd.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/usbmuxd.te 2010-03-12 09:30:01.000000000 -0500 @@ -0,0 +1,50 @@ +policy_module(usbmuxd,1.0.0) + @@ -26942,9 +26439,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm +auth_use_nsswitch(usbmuxd_t) + +logging_send_syslog_msg(usbmuxd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.7.13/policy/modules/services/uucp.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.7.14/policy/modules/services/uucp.te --- nsaserefpolicy/policy/modules/services/uucp.te 2010-01-11 09:40:36.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/uucp.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/uucp.te 2010-03-12 09:30:01.000000000 -0500 @@ -90,6 +90,7 @@ fs_getattr_xattr_fs(uucpd_t) @@ -26962,9 +26459,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp optional_policy(` cron_system_entry(uucpd_t, uucpd_exec_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.fc serefpolicy-3.7.13/policy/modules/services/vhostmd.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.fc serefpolicy-3.7.14/policy/modules/services/vhostmd.fc --- nsaserefpolicy/policy/modules/services/vhostmd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/vhostmd.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/vhostmd.fc 2010-03-12 09:30:01.000000000 -0500 @@ -0,0 +1,6 @@ + +/usr/sbin/vhostmd -- gen_context(system_u:object_r:vhostmd_exec_t,s0) @@ -26972,9 +26469,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos +/etc/rc.d/init.d/vhostmd -- gen_context(system_u:object_r:vhostmd_initrc_exec_t,s0) +/var/run/vhostmd.pid -- gen_context(system_u:object_r:vhostmd_var_run_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.7.13/policy/modules/services/vhostmd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.7.14/policy/modules/services/vhostmd.if --- nsaserefpolicy/policy/modules/services/vhostmd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/vhostmd.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/vhostmd.if 2010-03-12 09:30:01.000000000 -0500 @@ -0,0 +1,228 @@ + +## policy for vhostmd @@ -27204,9 +26701,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos + vhostmd_manage_var_run($1) + +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.7.13/policy/modules/services/vhostmd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.7.14/policy/modules/services/vhostmd.te --- nsaserefpolicy/policy/modules/services/vhostmd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/vhostmd.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/vhostmd.te 2010-03-12 09:30:01.000000000 -0500 @@ -0,0 +1,84 @@ + +policy_module(vhostmd,1.0.0) @@ -27292,9 +26789,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos + xen_stream_connect_xenstore(vhostmd_t) + xen_stream_connect_xm(vhostmd_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.13/policy/modules/services/virt.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.14/policy/modules/services/virt.fc --- nsaserefpolicy/policy/modules/services/virt.fc 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/virt.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/virt.fc 2010-03-12 09:30:01.000000000 -0500 @@ -8,6 +8,10 @@ /etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) /etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) @@ -27306,9 +26803,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) /var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.13/policy/modules/services/virt.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.14/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/virt.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/virt.if 2010-03-12 12:21:38.000000000 -0500 @@ -22,6 +22,11 @@ domain_type($1_t) role system_r types $1_t; @@ -27321,7 +26818,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt type $1_tmp_t; files_tmp_file($1_tmp_t) -@@ -35,6 +40,9 @@ +@@ -31,10 +36,14 @@ + type $1_image_t, virt_image_type; + files_type($1_image_t) + dev_node($1_image_t) ++ dev_associate_sysfs($1_image_t) + type $1_var_run_t; files_pid_file($1_var_run_t) @@ -27331,7 +26833,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt manage_dirs_pattern($1_t, $1_image_t, $1_image_t) manage_files_pattern($1_t, $1_image_t, $1_image_t) read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) -@@ -62,6 +70,9 @@ +@@ -62,6 +71,9 @@ files_pid_filetrans($1_t, $1_var_run_t, { dir file }) stream_connect_pattern($1_t, $1_var_run_t, $1_var_run_t, virtd_t) @@ -27341,7 +26843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') ######################################## -@@ -293,6 +304,7 @@ +@@ -293,6 +305,7 @@ files_search_var_lib($1) read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) @@ -27349,7 +26851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') ######################################## -@@ -505,3 +517,32 @@ +@@ -505,3 +518,32 @@ virt_manage_log($1) ') @@ -27382,9 +26884,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt + ptchown_run(svirt_t, $2) + ') +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.13/policy/modules/services/virt.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.14/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/virt.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/virt.te 2010-03-12 09:30:01.000000000 -0500 @@ -15,6 +15,13 @@ ## @@ -27575,9 +27077,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt auth_use_nsswitch(virt_domain) logging_send_syslog_msg(virt_domain) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.7.13/policy/modules/services/w3c.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.7.14/policy/modules/services/w3c.te --- nsaserefpolicy/policy/modules/services/w3c.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/w3c.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/w3c.te 2010-03-12 09:30:01.000000000 -0500 @@ -8,11 +8,18 @@ apache_content_template(w3c_validator) @@ -27597,9 +27099,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c. corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t) corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t) corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.13/policy/modules/services/xserver.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.14/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/xserver.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/xserver.fc 2010-03-12 09:30:01.000000000 -0500 @@ -3,12 +3,21 @@ # HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) @@ -27708,9 +27210,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +/var/lib/pqsql/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.13/policy/modules/services/xserver.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.14/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/xserver.if 2010-03-11 22:31:52.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/xserver.if 2010-03-12 09:30:01.000000000 -0500 @@ -19,9 +19,10 @@ interface(`xserver_restricted_role',` gen_require(` @@ -28215,9 +27717,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + + manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.13/policy/modules/services/xserver.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.14/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/xserver.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/xserver.te 2010-03-12 09:30:01.000000000 -0500 @@ -36,6 +36,13 @@ ## @@ -29048,9 +28550,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +tunable_policy(`use_samba_home_dirs',` + fs_append_cifs_files(xdmhomewriter) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.if serefpolicy-3.7.13/policy/modules/services/zebra.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.if serefpolicy-3.7.14/policy/modules/services/zebra.if --- nsaserefpolicy/policy/modules/services/zebra.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/services/zebra.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/zebra.if 2010-03-12 09:30:01.000000000 -0500 @@ -24,6 +24,26 @@ ######################################## @@ -29078,9 +28580,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebr ## All of the rules required to administrate ## an zebra environment ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.7.13/policy/modules/system/application.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.7.14/policy/modules/system/application.te --- nsaserefpolicy/policy/modules/system/application.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/application.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/application.te 2010-03-12 09:30:01.000000000 -0500 @@ -7,6 +7,17 @@ # Executables to be run by user attribute application_exec_type; @@ -29099,9 +28601,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic optional_policy(` ssh_sigchld(application_domain_type) ssh_rw_stream_sockets(application_domain_type) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.7.13/policy/modules/system/authlogin.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.7.14/policy/modules/system/authlogin.fc --- nsaserefpolicy/policy/modules/system/authlogin.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/system/authlogin.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/authlogin.fc 2010-03-12 09:30:01.000000000 -0500 @@ -7,12 +7,10 @@ /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) @@ -29126,9 +28628,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.13/policy/modules/system/authlogin.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.14/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2010-03-03 23:26:37.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/authlogin.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/authlogin.if 2010-03-12 09:30:01.000000000 -0500 @@ -40,17 +40,76 @@ ## ## @@ -29453,9 +28955,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.7.13/policy/modules/system/authlogin.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.7.14/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2010-03-01 15:12:54.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/authlogin.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/authlogin.te 2010-03-12 09:30:01.000000000 -0500 @@ -103,8 +103,10 @@ fs_dontaudit_getattr_xattr_fs(chkpwd_t) @@ -29486,9 +28988,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ######################################## # # PAM local policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.if serefpolicy-3.7.13/policy/modules/system/daemontools.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.if serefpolicy-3.7.14/policy/modules/system/daemontools.if --- nsaserefpolicy/policy/modules/system/daemontools.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/system/daemontools.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/daemontools.if 2010-03-12 09:30:01.000000000 -0500 @@ -71,6 +71,32 @@ domtrans_pattern($1, svc_start_exec_t, svc_start_t) ') @@ -29569,9 +29071,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemon + + allow $1 svc_run_t:process sigchld; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.te serefpolicy-3.7.13/policy/modules/system/daemontools.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.te serefpolicy-3.7.14/policy/modules/system/daemontools.te --- nsaserefpolicy/policy/modules/system/daemontools.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/system/daemontools.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/daemontools.te 2010-03-12 09:30:01.000000000 -0500 @@ -39,7 +39,10 @@ # multilog creates /service/*/log/status manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t) @@ -29644,9 +29146,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemon + daemontools_domtrans_run(svc_start_t) daemontools_manage_svc(svc_start_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.7.13/policy/modules/system/fstools.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.7.14/policy/modules/system/fstools.fc --- nsaserefpolicy/policy/modules/system/fstools.fc 2010-03-09 15:39:06.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/fstools.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/fstools.fc 2010-03-12 09:30:01.000000000 -0500 @@ -1,4 +1,3 @@ -/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) @@ -29660,9 +29162,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.7.13/policy/modules/system/fstools.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.7.14/policy/modules/system/fstools.te --- nsaserefpolicy/policy/modules/system/fstools.te 2010-03-09 15:39:06.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/fstools.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/fstools.te 2010-03-12 09:30:01.000000000 -0500 @@ -118,6 +118,8 @@ fs_search_tmpfs(fsadm_t) fs_getattr_tmpfs_dirs(fsadm_t) @@ -29681,9 +29183,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool ifdef(`distro_redhat',` optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.7.13/policy/modules/system/getty.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.7.14/policy/modules/system/getty.te --- nsaserefpolicy/policy/modules/system/getty.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/getty.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/getty.te 2010-03-12 09:30:01.000000000 -0500 @@ -56,11 +56,10 @@ manage_files_pattern(getty_t, getty_var_run_t, getty_var_run_t) files_pid_filetrans(getty_t, getty_var_run_t, file) @@ -29699,9 +29201,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty. dev_read_sysfs(getty_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.7.13/policy/modules/system/hostname.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.7.14/policy/modules/system/hostname.te --- nsaserefpolicy/policy/modules/system/hostname.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/hostname.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/hostname.te 2010-03-12 09:30:01.000000000 -0500 @@ -27,15 +27,18 @@ dev_read_sysfs(hostname_t) @@ -29721,9 +29223,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna fs_dontaudit_use_tmpfs_chr_dev(hostname_t) term_dontaudit_use_console(hostname_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.7.13/policy/modules/system/init.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.7.14/policy/modules/system/init.fc --- nsaserefpolicy/policy/modules/system/init.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/system/init.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/init.fc 2010-03-12 09:30:01.000000000 -0500 @@ -4,10 +4,10 @@ /etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) @@ -29747,9 +29249,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f # # /var -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.13/policy/modules/system/init.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.14/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2010-03-01 15:12:54.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/init.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/init.if 2010-03-12 09:30:01.000000000 -0500 @@ -193,8 +193,10 @@ gen_require(` attribute direct_run_init, direct_init, direct_init_entry; @@ -30076,9 +29578,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + init_dontaudit_use_script_fds($1) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.13/policy/modules/system/init.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.14/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/init.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/init.te 2010-03-12 09:30:01.000000000 -0500 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart, false) @@ -30684,9 +30186,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t +optional_policy(` + fail2ban_read_lib_files(daemon) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.7.13/policy/modules/system/ipsec.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.7.14/policy/modules/system/ipsec.fc --- nsaserefpolicy/policy/modules/system/ipsec.fc 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/ipsec.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/ipsec.fc 2010-03-12 09:30:01.000000000 -0500 @@ -37,6 +37,8 @@ /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) @@ -30697,9 +30199,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. +/var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0) -/var/run/racoon.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.7.13/policy/modules/system/ipsec.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.7.14/policy/modules/system/ipsec.if --- nsaserefpolicy/policy/modules/system/ipsec.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/ipsec.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/ipsec.if 2010-03-12 09:30:01.000000000 -0500 @@ -39,6 +39,25 @@ ######################################## @@ -30726,9 +30228,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. ## Get the attributes of an IPSEC key socket. ## ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.13/policy/modules/system/ipsec.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.14/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/ipsec.te 2010-03-12 08:40:36.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/ipsec.te 2010-03-12 09:30:01.000000000 -0500 @@ -29,9 +29,15 @@ type ipsec_key_file_t; files_type(ipsec_key_file_t) @@ -30875,9 +30377,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. userdom_use_user_terminals(setkey_t) +userdom_read_user_tmp_files(setkey_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.7.13/policy/modules/system/iptables.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.7.14/policy/modules/system/iptables.fc --- nsaserefpolicy/policy/modules/system/iptables.fc 2010-02-12 16:41:05.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/iptables.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/iptables.fc 2010-03-12 09:30:01.000000000 -0500 @@ -1,6 +1,4 @@ /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) @@ -30885,9 +30387,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl /sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.7.13/policy/modules/system/iptables.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.7.14/policy/modules/system/iptables.if --- nsaserefpolicy/policy/modules/system/iptables.if 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/iptables.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/iptables.if 2010-03-12 09:30:01.000000000 -0500 @@ -17,6 +17,10 @@ corecmd_search_bin($1) @@ -30899,9 +30401,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.13/policy/modules/system/iptables.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.14/policy/modules/system/iptables.te --- nsaserefpolicy/policy/modules/system/iptables.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/iptables.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/iptables.te 2010-03-12 09:30:01.000000000 -0500 @@ -14,9 +14,6 @@ type iptables_initrc_exec_t; init_script_file(iptables_initrc_exec_t) @@ -30975,9 +30477,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl udev_read_db(iptables_t) ') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.13/policy/modules/system/libraries.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.14/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/system/libraries.fc 2010-03-12 08:53:21.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/libraries.fc 2010-03-12 09:30:01.000000000 -0500 @@ -60,12 +60,15 @@ # # /opt @@ -31338,9 +30840,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar + +/usr/lib(64)?/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.13/policy/modules/system/libraries.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.14/policy/modules/system/libraries.if --- nsaserefpolicy/policy/modules/system/libraries.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/system/libraries.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/libraries.if 2010-03-12 09:30:01.000000000 -0500 @@ -17,6 +17,7 @@ corecmd_search_bin($1) @@ -31367,9 +30869,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar allow $1 lib_t:dir list_dir_perms; read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.7.13/policy/modules/system/libraries.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.7.14/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/libraries.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/libraries.te 2010-03-12 09:30:01.000000000 -0500 @@ -58,11 +58,11 @@ # ldconfig local policy # @@ -31442,9 +30944,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +optional_policy(` + unconfined_domain(ldconfig_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.7.13/policy/modules/system/locallogin.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.7.14/policy/modules/system/locallogin.te --- nsaserefpolicy/policy/modules/system/locallogin.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/locallogin.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/locallogin.te 2010-03-12 09:30:01.000000000 -0500 @@ -33,9 +33,8 @@ # Local login local policy # @@ -31545,9 +31047,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall -optional_policy(` - nscd_socket_use(sulogin_t) -') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.7.13/policy/modules/system/logging.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.7.14/policy/modules/system/logging.fc --- nsaserefpolicy/policy/modules/system/logging.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/system/logging.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/logging.fc 2010-03-12 09:30:01.000000000 -0500 @@ -17,6 +17,10 @@ /sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) /sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) @@ -31587,9 +31089,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.7.13/policy/modules/system/logging.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.7.14/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2010-03-01 15:12:54.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/logging.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/logging.if 2010-03-12 09:30:01.000000000 -0500 @@ -96,6 +96,20 @@ ######################################## @@ -31649,9 +31151,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.13/policy/modules/system/logging.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.14/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/logging.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/logging.te 2010-03-12 09:30:01.000000000 -0500 @@ -101,6 +101,7 @@ kernel_read_kernel_sysctls(auditctl_t) @@ -31794,9 +31296,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin udev_read_db(syslogd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.7.13/policy/modules/system/lvm.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.7.14/policy/modules/system/lvm.fc --- nsaserefpolicy/policy/modules/system/lvm.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/system/lvm.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/lvm.fc 2010-03-12 09:30:01.000000000 -0500 @@ -28,6 +28,7 @@ # /lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) @@ -31805,9 +31307,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc # # /sbin -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.7.13/policy/modules/system/lvm.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.7.14/policy/modules/system/lvm.if --- nsaserefpolicy/policy/modules/system/lvm.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/lvm.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/lvm.if 2010-03-12 09:30:01.000000000 -0500 @@ -34,7 +34,7 @@ type lvm_exec_t; ') @@ -31817,9 +31319,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if can_exec($1, lvm_exec_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.13/policy/modules/system/lvm.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.14/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/lvm.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/lvm.te 2010-03-12 09:30:01.000000000 -0500 @@ -142,6 +142,11 @@ ') @@ -31879,9 +31381,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te bootloader_rw_tmp_files(lvm_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.13/policy/modules/system/modutils.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.14/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/modutils.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/modutils.te 2010-03-12 09:30:01.000000000 -0500 @@ -19,6 +19,7 @@ type insmod_exec_t; application_domain(insmod_t, insmod_exec_t) @@ -31987,9 +31489,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.7.13/policy/modules/system/mount.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.7.14/policy/modules/system/mount.fc --- nsaserefpolicy/policy/modules/system/mount.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/system/mount.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/mount.fc 2010-03-12 09:30:01.000000000 -0500 @@ -1,4 +1,10 @@ /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) @@ -32002,9 +31504,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. -/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) +/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.7.13/policy/modules/system/mount.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.7.14/policy/modules/system/mount.if --- nsaserefpolicy/policy/modules/system/mount.if 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/system/mount.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/mount.if 2010-03-12 09:30:01.000000000 -0500 @@ -16,6 +16,14 @@ ') @@ -32178,9 +31680,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. + mount_domtrans_showmount($1) + role $2 types showmount_t; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.13/policy/modules/system/mount.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.14/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/system/mount.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/mount.te 2010-03-12 09:30:01.000000000 -0500 @@ -18,8 +18,15 @@ init_system_domain(mount_t, mount_exec_t) role system_r types mount_t; @@ -32455,16 +31957,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. +sysnet_dns_name_resolve(showmount_t) + +userdom_use_user_terminals(showmount_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.7.13/policy/modules/system/raid.te ---- nsaserefpolicy/policy/modules/system/raid.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/raid.te 2010-03-11 08:56:13.000000000 -0500 -@@ -51,11 +51,13 @@ - dev_dontaudit_getattr_generic_chr_files(mdadm_t) - dev_dontaudit_getattr_generic_blk_files(mdadm_t) - dev_read_realtime_clock(mdadm_t) -+dev_read_raw_memory(mdadm_t) - - domain_use_interactive_fds(mdadm_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.7.14/policy/modules/system/raid.te +--- nsaserefpolicy/policy/modules/system/raid.te 2010-03-12 09:24:22.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/raid.te 2010-03-12 09:33:39.000000000 -0500 +@@ -58,6 +58,7 @@ files_read_etc_files(mdadm_t) files_read_etc_runtime_files(mdadm_t) @@ -32472,9 +31968,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t fs_search_auto_mountpoints(mdadm_t) fs_dontaudit_list_tmpfs(mdadm_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.7.13/policy/modules/system/selinuxutil.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.7.14/policy/modules/system/selinuxutil.fc --- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/system/selinuxutil.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/selinuxutil.fc 2010-03-12 09:30:01.000000000 -0500 @@ -6,13 +6,13 @@ /etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0) /etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0) @@ -32514,9 +32010,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu + +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.7.13/policy/modules/system/selinuxutil.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.7.14/policy/modules/system/selinuxutil.if --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2010-03-03 23:26:37.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/selinuxutil.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/selinuxutil.if 2010-03-12 09:30:01.000000000 -0500 @@ -361,6 +361,27 @@ ######################################## @@ -32893,9 +32389,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu + hotplug_use_fds($1) +') +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.13/policy/modules/system/selinuxutil.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.14/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/selinuxutil.te 2010-03-11 20:56:51.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/selinuxutil.te 2010-03-12 09:30:01.000000000 -0500 @@ -23,6 +23,9 @@ type selinux_config_t; files_type(selinux_config_t) @@ -33280,9 +32776,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu - hotplug_use_fds(setfiles_t) + unconfined_domain(setfiles_mac_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.7.13/policy/modules/system/sysnetwork.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.7.14/policy/modules/system/sysnetwork.fc --- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/sysnetwork.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/sysnetwork.fc 2010-03-12 09:30:01.000000000 -0500 @@ -13,6 +13,9 @@ /etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) @@ -33316,9 +32812,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') + +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.13/policy/modules/system/sysnetwork.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.14/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2010-03-01 15:12:54.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/sysnetwork.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/sysnetwork.if 2010-03-12 09:30:01.000000000 -0500 @@ -43,6 +43,41 @@ sysnet_domtrans_dhcpc($1) @@ -33522,9 +33018,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet + + role_transition $1 dhcpc_exec_t system_r; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.13/policy/modules/system/sysnetwork.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.14/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/sysnetwork.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/sysnetwork.te 2010-03-12 09:30:01.000000000 -0500 @@ -20,6 +20,9 @@ init_daemon_domain(dhcpc_t, dhcpc_exec_t) role system_r types dhcpc_t; @@ -33737,9 +33233,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet + hal_dontaudit_rw_pipes(ifconfig_t) + hal_dontaudit_rw_dgram_sockets(ifconfig_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.7.13/policy/modules/system/udev.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.7.14/policy/modules/system/udev.if --- nsaserefpolicy/policy/modules/system/udev.if 2010-03-03 23:26:37.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/udev.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/udev.if 2010-03-12 09:30:01.000000000 -0500 @@ -192,6 +192,7 @@ dev_list_all_dev_nodes($1) @@ -33748,9 +33244,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.13/policy/modules/system/udev.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.14/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/udev.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/udev.te 2010-03-12 09:30:01.000000000 -0500 @@ -50,6 +50,7 @@ allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -33810,9 +33306,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t kernel_write_xen_state(udev_t) kernel_read_xen_state(udev_t) xen_manage_log(udev_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.7.13/policy/modules/system/unconfined.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.7.14/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/unconfined.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/unconfined.fc 2010-03-12 09:30:01.000000000 -0500 @@ -1,15 +1 @@ # Add programs here which should not be confined by SELinux -# e.g.: @@ -33829,9 +33325,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf -ifdef(`distro_gentoo',` -/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.7.13/policy/modules/system/unconfined.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.7.14/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2010-03-01 15:12:54.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/unconfined.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/unconfined.if 2010-03-12 09:30:01.000000000 -0500 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -34326,9 +33822,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf - - allow $1 unconfined_t:dbus acquire_svc; -') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.7.13/policy/modules/system/unconfined.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.7.14/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/unconfined.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/unconfined.te 2010-03-12 09:30:01.000000000 -0500 @@ -5,227 +5,5 @@ # # Declarations @@ -34558,9 +34054,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf - hal_dbus_chat(unconfined_execmem_t) - ') -') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.13/policy/modules/system/userdomain.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.14/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/modules/system/userdomain.fc 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/userdomain.fc 2010-03-12 09:30:01.000000000 -0500 @@ -1,4 +1,10 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) @@ -34573,9 +34069,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.gvfs(/.*)? <> -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.13/policy/modules/system/userdomain.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.14/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2010-03-03 23:26:37.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/userdomain.if 2010-03-11 22:38:10.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/userdomain.if 2010-03-12 09:30:01.000000000 -0500 @@ -30,8 +30,9 @@ ') @@ -36724,9 +36220,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + allow $1 user_tmp_t:file delete_file_perms; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.13/policy/modules/system/userdomain.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.14/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2010-03-03 23:26:37.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/userdomain.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/userdomain.te 2010-03-12 09:30:01.000000000 -0500 @@ -29,10 +29,10 @@ ## @@ -36801,9 +36297,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +') + +allow userdomain userdomain:process signull; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.7.13/policy/modules/system/xen.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.7.14/policy/modules/system/xen.if --- nsaserefpolicy/policy/modules/system/xen.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/xen.if 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/xen.if 2010-03-12 09:30:01.000000000 -0500 @@ -180,6 +180,25 @@ ######################################## @@ -36840,9 +36336,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if + typeattribute $1 xm_transition_domain; domtrans_pattern($1, xm_exec_t, xm_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.13/policy/modules/system/xen.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.14/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/system/xen.te 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/xen.te 2010-03-12 09:30:01.000000000 -0500 @@ -5,6 +5,7 @@ # # Declarations @@ -36942,9 +36438,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te #Should have a boolean wrapping these fs_list_auto_mountpoints(xend_t) files_search_mnt(xend_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns.spt serefpolicy-3.7.13/policy/support/misc_patterns.spt +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns.spt serefpolicy-3.7.14/policy/support/misc_patterns.spt --- nsaserefpolicy/policy/support/misc_patterns.spt 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.13/policy/support/misc_patterns.spt 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/support/misc_patterns.spt 2010-03-12 09:30:01.000000000 -0500 @@ -15,7 +15,7 @@ domain_transition_pattern($1,$2,$3) @@ -36963,9 +36459,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns allow $3 $1:process sigchld; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.13/policy/support/obj_perm_sets.spt +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.14/policy/support/obj_perm_sets.spt --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2010-03-04 11:44:07.000000000 -0500 -+++ serefpolicy-3.7.13/policy/support/obj_perm_sets.spt 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/support/obj_perm_sets.spt 2010-03-12 09:30:01.000000000 -0500 @@ -28,7 +28,7 @@ # # All socket classes. @@ -37056,9 +36552,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets +define(`all_dbus_perms', `{ acquire_svc send_msg } ') +define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ') +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.7.13/policy/users +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.7.14/policy/users --- nsaserefpolicy/policy/users 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.13/policy/users 2010-03-11 08:56:13.000000000 -0500 ++++ serefpolicy-3.7.14/policy/users 2010-03-12 09:30:01.000000000 -0500 @@ -6,7 +6,7 @@ # # gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])