++##
++## Allow tftp to modify public files
++## used for public file transfer services.
++##
++##
++gen_tunable(allow_tftp_anon_write,false)
++
+ ########################################
+ #
+ # Local policy
+@@ -26,12 +34,17 @@
allow tftpd_t self:udp_socket create_socket_perms;
allow tftpd_t self:unix_dgram_socket create_socket_perms;
allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
@@ -11574,6 +11637,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp
dontaudit tftpd_t self:capability sys_tty_config;
allow tftpd_t tftpdir_t:dir { getattr read search };
+ allow tftpd_t tftpdir_t:file { read getattr };
+ allow tftpd_t tftpdir_t:lnk_file { getattr read };
+
++manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
++manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
++manage_lnk_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
++
+ manage_files_pattern(tftpd_t,tftpd_var_run_t,tftpd_var_run_t)
+ files_pid_filetrans(tftpd_t,tftpd_var_run_t,file)
+
+@@ -72,6 +85,10 @@
+ miscfiles_read_localization(tftpd_t)
+ miscfiles_read_public_files(tftpd_t)
+
++tunable_policy(`allow_tftp_anon_write',`
++ miscfiles_manage_public_files(tftpd_t)
++')
++
+ sysnet_read_config(tftpd_t)
+ sysnet_use_ldap(tftpd_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.if serefpolicy-3.0.8/policy/modules/services/ucspitcp.if
--- nsaserefpolicy/policy/modules/services/ucspitcp.if 2007-05-29 14:10:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/ucspitcp.if 2007-10-08 07:47:57.000000000 -0400
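Review bot: The three new manage rules on tftpdir_rw_t (`manage_dirs_pattern`, `manage_files_pattern`, `manage_lnk_files_pattern` at the top of the hunk) are unconditional, while only `miscfiles_manage_public_files(tftpd_t)` is placed under the `allow_tftp_anon_write` tunable, so anything an administrator labels tftpdir_rw_t becomes writable by unauthenticated TFTP clients even with the boolean off. As far as the TFTP protocol goes, a write request creates or overwrites a regular file, so the dir and lnk_file manage grants (creating, renaming and removing directories and symlinks) appear broader than the daemon needs; `manage_files_pattern` alone already carries `rw_dir_perms` on the directory, and the other two could be dropped unless a denial shows tftpd actually creating them. If the intent is that tftpdir_rw_t is the "always writable" drop area independent of the boolean, the tunable description in the earlier hunk (which only says "Allow tftp to modify public files") should say so, e.g. `## Files labeled tftpdir_rw_t are always writable by tftpd regardless of this boolean.` The enclosing tftpd_t rule set starts before this hunk.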
@@ -11707,7 +11791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-10-19 16:57:07.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-10-22 10:05:16.000000000 -0400
@@ -126,6 +126,8 @@
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev($1_xserver_t)
@@ -11740,7 +11824,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
type $1_iceauth_t;
domain_type($1_iceauth_t)
-@@ -282,6 +286,7 @@
+@@ -282,11 +286,14 @@
domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
allow $1_xserver_t $1_xauth_home_t:file { getattr read };
@@ -11748,7 +11832,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
domtrans_pattern($2, xserver_exec_t, $1_xserver_t)
allow $1_xserver_t $2:process signal;
-@@ -353,12 +358,6 @@
+
+ allow $1_xserver_t $2:shm rw_shm_perms;
++ # Certain X Libraries want to read /proc/self/cmdline when started with startx
++ allow $1_xserver_t $2:file r_file_perms;
+
+ manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t)
+ manage_files_pattern($2,$1_fonts_t,$1_fonts_t)
+@@ -316,6 +323,7 @@
+ userdom_use_user_ttys($1,$1_xserver_t)
+ userdom_setattr_user_ttys($1,$1_xserver_t)
+ userdom_rw_user_tmpfs_files($1,$1_xserver_t)
++ userdom_rw_user_tmp_files($1,$1_xserver_t)
+
+ xserver_use_user_fonts($1,$1_xserver_t)
+ xserver_rw_xdm_tmp_files($1_xauth_t)
+@@ -353,12 +361,6 @@
# allow ps to show xauth
ps_process_pattern($2,$1_xauth_t)
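Review bot: The added `allow $1_xserver_t $2:file r_file_perms;` grants the X server read access to the /proc/&lt;pid&gt; files of every process in the user domain $2, which includes environ, maps and status, not just cmdline; that exposes the user's environment variables and memory layout to the server domain. If the reads really are of the server's own /proc/self/cmdline, as the comment says, the object should carry the server's own label after the domain transition and a `self:file` rule would be the narrower fix, so the denial that motivated this line should be checked and the comment should name the library and file, e.g. `# libXYZ reads /proc/<pid>/cmdline of the startx parent — see avc`. The `userdom_rw_user_tmp_files($1,$1_xserver_t)` addition similarly deserves a one-line why-comment naming what in user tmp the server writes. The enclosing xserver_common_domain_template body starts and ends outside this hunk.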
@@ -11761,7 +11860,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
domain_use_interactive_fds($1_xauth_t)
files_read_etc_files($1_xauth_t)
-@@ -387,6 +386,14 @@
+@@ -387,6 +389,14 @@
')
optional_policy(`
@@ -11776,7 +11875,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
nis_use_ypbind($1_xauth_t)
')
-@@ -537,16 +544,14 @@
+@@ -537,16 +547,14 @@
gen_require(`
type xdm_t, xdm_tmp_t;
@@ -11798,7 +11897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
-@@ -555,25 +560,53 @@
+@@ -555,25 +563,53 @@
allow $2 xdm_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write };
@@ -11860,7 +11959,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
')
-@@ -626,6 +659,24 @@
+@@ -626,6 +662,24 @@
########################################
##