++##
++## Allow sysadm to become security admin.
++##
++##
++gen_tunable(allow_sysadm_manage_security, false)
++
+ role sysadm_r;
+
+ userdom_admin_user_template(sysadm)
+@@ -28,17 +35,31 @@
corecmd_exec_shell(sysadm_t)
@@ -13713,7 +13747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
ifdef(`direct_sysadm_daemon',`
optional_policy(`
-@@ -56,6 +70,7 @@
+@@ -56,12 +77,25 @@
logging_manage_audit_log(sysadm_t)
logging_manage_audit_config(sysadm_t)
logging_run_auditctl(sysadm_t, sysadm_r)
@@ -13721,7 +13755,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
')
tunable_policy(`allow_ptrace',`
-@@ -70,7 +85,9 @@
+ domain_ptrace_all_domains(sysadm_t)
+ ')
+
++ifdef(`enable_mls',`
++ tunable_policy(`allow_sysadm_manage_security',`
++ userdom_security_admin_template(sysadm_t, sysadm_r)
++
++ logging_manage_audit_log(sysadm_t)
++ logging_manage_audit_config(sysadm_t)
++ logging_run_auditctl(sysadm_t, sysadm_r)
++ logging_run_auditd(sysadm_t, sysadm_r)
++ logging_stream_connect_syslog(sysadm_t)
++ ')
++')
++
+ optional_policy(`
+ amanda_run_recover(sysadm_t, sysadm_r)
+ ')
+@@ -70,7 +104,9 @@
apache_run_helper(sysadm_t, sysadm_r)
#apache_run_all_scripts(sysadm_t, sysadm_r)
#apache_domtrans_sys_script(sysadm_t)
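Review bot: The `tunable_policy(allow_sysadm_manage_security)` block added here is compiled only inside the new `ifdef(enable_mls)` wrapper, while `gen_tunable(allow_sysadm_manage_security, false)` in the earlier hunk is declared unconditionally, so on a non-MLS build the boolean exists but toggling it changes nothing; either wrap the `gen_tunable` in the same `ifdef(enable_mls)` or state in its `<desc>` text that it applies to MLS policy only. The one-line description `Allow sysadm to become security admin.` also understates the grant: besides `userdom_security_admin_template`, the block hands sysadm_t audit log and audit configuration management plus `logging_run_auditctl`/`logging_run_auditd`, calls the upstream file appears to keep away from sysadm_t on MLS builds (they appear only as context in the previous hunk, presumably inside an ifndef(enable_mls) block not visible here), so enabling the boolean collapses the sysadm/secadm/auditadm role separation the MLS policy exists to provide. Spelling that out in the description, e.g. `Allow sysadm to act as security admin and manage audit logs and configuration (MLS only; removes the sysadm/secadm separation).`, lets anyone setting the boolean see what they are trading away.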
@@ -13732,7 +13784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
')
optional_policy(`
-@@ -98,17 +115,25 @@
+@@ -98,17 +134,25 @@
bind_run_ndc(sysadm_t, sysadm_r)
')
@@ -13758,7 +13810,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
certwatch_run(sysadm_t, sysadm_r)
-@@ -126,16 +151,18 @@
+@@ -126,16 +170,18 @@
consoletype_run(sysadm_t, sysadm_r)
')
@@ -13779,7 +13831,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
')
optional_policy(`
-@@ -165,9 +192,11 @@
+@@ -165,9 +211,11 @@
ethereal_run_tethereal(sysadm_t, sysadm_r)
')
@@ -13791,7 +13843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
firstboot_run(sysadm_t, sysadm_r)
-@@ -177,6 +206,7 @@
+@@ -177,6 +225,7 @@
fstools_run(sysadm_t, sysadm_r)
')
@@ -13799,7 +13851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
games_role(sysadm_r, sysadm_t)
')
-@@ -192,6 +222,7 @@
+@@ -192,6 +241,7 @@
optional_policy(`
gpg_role(sysadm_r, sysadm_t)
')
@@ -13807,7 +13859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
hostname_run(sysadm_t, sysadm_r)
-@@ -205,6 +236,13 @@
+@@ -205,6 +255,13 @@
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@@ -13821,7 +13873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
')
optional_policy(`
-@@ -212,12 +250,18 @@
+@@ -212,12 +269,18 @@
')
optional_policy(`
@@ -13840,7 +13892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
kudzu_run(sysadm_t, sysadm_r)
-@@ -227,9 +271,11 @@
+@@ -227,9 +290,11 @@
libs_run_ldconfig(sysadm_t, sysadm_r)
')
@@ -13852,7 +13904,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
logrotate_run(sysadm_t, sysadm_r)
-@@ -252,8 +298,10 @@
+@@ -252,8 +317,10 @@
optional_policy(`
mount_run(sysadm_t, sysadm_r)
@@ -13863,7 +13915,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
mozilla_role(sysadm_r, sysadm_t)
')
-@@ -261,6 +309,7 @@
+@@ -261,6 +328,7 @@
optional_policy(`
mplayer_role(sysadm_r, sysadm_t)
')
@@ -13871,7 +13923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
mta_role(sysadm_r, sysadm_t)
-@@ -275,6 +324,10 @@
+@@ -275,6 +343,10 @@
')
optional_policy(`
@@ -13882,7 +13934,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
netutils_run(sysadm_t, sysadm_r)
netutils_run_ping(sysadm_t, sysadm_r)
netutils_run_traceroute(sysadm_t, sysadm_r)
-@@ -308,8 +361,14 @@
+@@ -308,8 +380,14 @@
')
optional_policy(`
@@ -13897,7 +13949,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
quota_run(sysadm_t, sysadm_r)
-@@ -319,9 +378,11 @@
+@@ -319,9 +397,11 @@
raid_domtrans_mdadm(sysadm_t)
')
@@ -13909,7 +13961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
rpc_domtrans_nfsd(sysadm_t)
-@@ -331,9 +392,11 @@
+@@ -331,9 +411,11 @@
rpm_run(sysadm_t, sysadm_r)
')
@@ -13921,7 +13973,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
rsync_exec(sysadm_t)
-@@ -346,6 +409,7 @@
+@@ -346,6 +428,7 @@
optional_policy(`
screen_role_template(sysadm, sysadm_r, sysadm_t)
@@ -13929,7 +13981,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
')
optional_policy(`
-@@ -358,11 +422,18 @@
+@@ -358,8 +441,14 @@
')
optional_policy(`
@@ -13944,11 +13996,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
ssh_role_template(sysadm, sysadm_r, sysadm_t)
-+ ssh_run_keygen(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-@@ -382,9 +453,11 @@
+@@ -382,9 +471,11 @@
sysnet_run_dhcpc(sysadm_t, sysadm_r)
')
@@ -13960,7 +14008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
tripwire_run_siggen(sysadm_t, sysadm_r)
-@@ -393,23 +466,31 @@
+@@ -393,23 +484,31 @@
tripwire_run_twprint(sysadm_t, sysadm_r)
')
@@ -13992,7 +14040,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
unprivuser_role_change(sysadm_r)
')
-@@ -417,9 +498,11 @@
+@@ -417,9 +516,11 @@
usbmodules_run(sysadm_t, sysadm_r)
')
@@ -14004,7 +14052,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
-@@ -427,9 +510,15 @@
+@@ -427,9 +528,15 @@
usermanage_run_useradd(sysadm_t, sysadm_r)
')
@@ -14020,7 +14068,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
vpn_run(sysadm_t, sysadm_r)
-@@ -440,13 +529,30 @@
+@@ -440,13 +547,30 @@
')
optional_policy(`
@@ -23891,7 +23939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.19/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2011-02-07 13:53:03.122796000 +0000
++++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2011-03-25 10:21:14.947630001 +0000
@@ -9,6 +9,9 @@
type dovecot_exec_t;
init_daemon_domain(dovecot_t, dovecot_exec_t)
@@ -24102,7 +24150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
miscfiles_read_localization(dovecot_deliver_t)
-@@ -263,15 +320,30 @@
+@@ -263,15 +320,34 @@
userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
tunable_policy(`use_nfs_home_dirs',`
@@ -24132,6 +24180,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
+ # Handle sieve scripts
+ allow dovecot_deliver_t self:fifo_file rw_fifo_file_perms;
+ sendmail_domtrans(dovecot_deliver_t)
++')
++
++optional_policy(`
++ postfix_rw_master_pipes(dovecot_deliver_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.fc serefpolicy-3.7.19/policy/modules/services/exim.fc
--- nsaserefpolicy/policy/modules/services/exim.fc 2010-04-13 18:44:37.000000000 +0000
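Review bot: The new `optional_policy` granting `postfix_rw_master_pipes(dovecot_deliver_t)` carries no comment saying which delivery path needs read/write on the postfix master's pipes, unlike the sieve block just above it, which explains its fifo and sendmail rules. A one-line why-comment, e.g. `# pipes inherited from the postfix master when deliver runs via the pipe transport - confirm against the motivating denial`, keeps the grant auditable later. The `')` on the first added line closes an optional_policy block whose opening lies before this hunk.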
@@ -24377,7 +24429,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
/var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.7.19/policy/modules/services/ftp.if
--- nsaserefpolicy/policy/modules/services/ftp.if 2010-04-13 18:44:36.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/ftp.if 2011-03-16 14:35:12.605107001 +0000
++++ serefpolicy-3.7.19/policy/modules/services/ftp.if 2011-04-05 17:51:09.974000002 +0000
@@ -1,5 +1,43 @@
##