++##
++## Allow piranha-lvs domain to connect to the network using TCP.
++##
++##
++gen_tunable(piranha_lvs_can_network_connect, false)
++
++attribute piranha_domain;
++
++piranha_domain_template(fos)
++
++piranha_domain_template(lvs)
++
++piranha_domain_template(pulse)
++
++type piranha_pulse_initrc_exec_t;
++init_script_file(piranha_pulse_initrc_exec_t)
++
++piranha_domain_template(web)
++
++permissive piranha_fos_t;
++permissive piranha_lvs_t;
++permissive piranha_pulse_t;
++permissive piranha_web_t;
++
++type piranha_etc_rw_t;
++files_type(piranha_etc_rw_t)
++
++type piranha_log_t;
++logging_log_file(piranha_log_t)
++
++#######################################
++#
++# piranha-fos local policy
++#
++
++kernel_read_kernel_sysctls(piranha_fos_t)
++
++domain_read_all_domains_state(piranha_fos_t)
++
++consoletype_exec(piranha_fos_t)
++
++# start and stop services
++init_domtrans_script(piranha_fos_t)
++
++########################################
++#
++# piranha-gui local policy
++#
++
++allow piranha_web_t self:capability { setuid sys_nice kill setgid };
++allow piranha_web_t self:process { getsched setsched signal };
++
++allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms;
++allow piranha_web_t self:sem create_sem_perms;
++allow piranha_web_t self:shm create_shm_perms;
++
++rw_files_pattern(piranha_web_t, piranha_etc_rw_t, piranha_etc_rw_t)
++
++manage_dirs_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
++manage_files_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
++logging_log_filetrans(piranha_web_t, piranha_log_t, { dir file } )
++
++piranha_pulse_initrc_domtrans(piranha_web_t)
++
++kernel_read_kernel_sysctls(piranha_web_t)
++
++corenet_tcp_bind_piranha_port(piranha_web_t)
++
++dev_read_urand(piranha_web_t)
++
++domain_read_all_domains_state(piranha_web_t)
++
++files_read_usr_files(piranha_web_t)
++
++consoletype_exec(piranha_web_t)
++
++optional_policy(`
++ apache_exec_modules(piranha_web_t)
++ apache_exec(piranha_web_t)
++')
++
++######################################
++#
++# piranha-lvs local policy
++#
++
++# neede by nanny
++allow piranha_lvs_t self:capability { net_raw sys_nice };
++
++allow piranha_lvs_t self:process signal;
++
++allow piranha_lvs_t self:unix_dgram_socket create_socket_perms;
++allow piranha_lvs_t self:rawip_socket create_socket_perms;
++
++kernel_read_kernel_sysctls(piranha_lvs_t)
++
++# needed by nanny
++corenet_tcp_connect_ftp_port(piranha_lvs_t)
++corenet_tcp_connect_http_port(piranha_lvs_t)
++
++sysnet_dns_name_resolve(piranha_lvs_t)
++
++# needed by nanny
++tunable_policy(`piranha_lvs_can_network_connect',`
++ corenet_tcp_connect_all_ports(piranha_lvs_t)
++')
++
++# needed by ipvsadm
++optional_policy(`
++ iptables_domtrans(piranha_lvs_t)
++')
++
++#######################################
++#
++# piranha-pulse local policy
++#
++
++allow piranha_pulse_t self:packet_socket create_socket_perms;
++
++# pulse starts fos and lvs daemon
++domtrans_pattern(piranha_fos_t, piranha_fos_exec_t, piranha_fos_t)
++allow piranha_pulse_t piranha_fos_t:process signal;
++
++domtrans_pattern(piranha_pulse_t, piranha_lvs_exec_t, piranha_lvs_t)
++allow piranha_pulse_t piranha_lvs_t:process signal;
++
++corenet_udp_bind_apertus_ldp_port(piranha_pulse_t)
++
++sysnet_dns_name_resolve(piranha_pulse_t)
++
++optional_policy(`
++ netutils_domtrans_ping(piranha_pulse_t)
++')
++
++optional_policy(`
++ sysnet_domtrans_ifconfig(piranha_pulse_t)
++')
++
++####################################
++#
++# piranha domains common policy
++#
++
++allow piranha_domain self:fifo_file rw_fifo_file_perms;
++allow piranha_domain self:tcp_socket create_stream_socket_perms;
++allow piranha_domain self:udp_socket create_socket_perms;
++allow piranha_domain self:unix_stream_socket create_stream_socket_perms;
++
++read_files_pattern(piranha_domain, piranha_etc_rw_t, piranha_etc_rw_t)
++
++kernel_read_system_state(piranha_domain)
++kernel_read_network_state(piranha_domain)
++
++corenet_all_recvfrom_unlabeled(piranha_domain)
++corenet_all_recvfrom_netlabel(piranha_domain)
++corenet_tcp_sendrecv_generic_if(piranha_domain)
++corenet_udp_sendrecv_generic_if(piranha_domain)
++corenet_tcp_sendrecv_generic_node(piranha_domain)
++corenet_udp_sendrecv_generic_node(piranha_domain)
++corenet_tcp_sendrecv_all_ports(piranha_domain)
++corenet_udp_sendrecv_all_ports(piranha_domain)
++corenet_tcp_bind_generic_node(piranha_domain)
++corenet_udp_bind_generic_node(piranha_domain)
++
++files_read_etc_files(piranha_domain)
++
++corecmd_exec_bin(piranha_domain)
++corecmd_exec_shell(piranha_domain)
++
++libs_use_ld_so(piranha_domain)
++libs_use_shared_libs(piranha_domain)
++
++logging_send_syslog_msg(piranha_domain)
++
++miscfiles_read_localization(piranha_domain)
++
++sysnet_read_config(piranha_domain)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.fc serefpolicy-3.7.19/policy/modules/services/plymouthd.fc
--- nsaserefpolicy/policy/modules/services/plymouthd.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.19/policy/modules/services/plymouthd.fc 2010-04-14 10:48:18.000000000 -0400
@@ -21767,10 +22376,39 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.fc serefpolicy-3.7.19/policy/modules/services/portreserve.fc
+--- nsaserefpolicy/policy/modules/services/portreserve.fc 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/portreserve.fc 2010-04-30 09:53:00.000000000 -0400
+@@ -1,3 +1,6 @@
++
++/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0)
++
+ /etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0)
+
+ /sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.7.19/policy/modules/services/portreserve.te
+--- nsaserefpolicy/policy/modules/services/portreserve.te 2010-04-06 15:15:38.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/portreserve.te 2010-04-30 09:53:00.000000000 -0400
+@@ -10,6 +10,9 @@
+ type portreserve_exec_t;
+ init_daemon_domain(portreserve_t, portreserve_exec_t)
+
++type portreserve_initrc_exec_t;
++init_script_file(portreserve_initrc_exec_t)
++
+ type portreserve_etc_t;
+ files_type(portreserve_etc_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.7.19/policy/modules/services/postfix.fc
--- nsaserefpolicy/policy/modules/services/postfix.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/services/postfix.fc 2010-04-14 10:48:18.000000000 -0400
-@@ -29,12 +29,10 @@
++++ serefpolicy-3.7.19/policy/modules/services/postfix.fc 2010-04-30 09:53:00.000000000 -0400
+@@ -1,4 +1,5 @@
+ # postfix
++/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
+ /etc/postfix(/.*)? gen_context(system_u:object_r:postfix_etc_t,s0)
+ ifdef(`distro_redhat', `
+ /usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+@@ -29,12 +30,10 @@
/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
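Review bot: The new `portreserve_initrc_exec_t` type (and the same pattern in the postfix.te, rgmanager, ricci, sendmail and ssh hunks further down) is declared with `init_script_file()` and labeled in the `.fc`, but no visible hunk adds the `.if` interface that would consume it, such as a `portreserve_admin()` calling `init_labeled_script_domtrans($1, portreserve_initrc_exec_t)`; without one the dedicated type grants administrative roles nothing beyond what the generic `init_script_file_type` attribute already does. If those interfaces are added elsewhere in this patch that is fine, otherwise a short comment above each declaration naming the consuming interface would make the intent reviewable, e.g. `# init script type, used by portreserve_admin()`. Note also that a `.fc` change alone does not relabel existing installs, so the package's post-install step should run a relabel of the new init-script path.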
@@ -22082,7 +22720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.19/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/postfix.te 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/postfix.te 2010-04-30 09:53:00.000000000 -0400
@@ -6,6 +6,15 @@
# Declarations
#
@@ -22138,7 +22776,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
type postfix_map_tmp_t;
files_tmp_file(postfix_map_tmp_t)
-@@ -68,13 +84,13 @@
+@@ -44,6 +60,9 @@
+ # generation macro work
+ mta_mailserver(postfix_t, postfix_master_exec_t)
+
++type postfix_initrc_exec_t;
++init_script_file(postfix_initrc_exec_t)
++
+ postfix_server_domain_template(pickup)
+
+ postfix_server_domain_template(pipe)
+@@ -68,13 +87,13 @@
postfix_server_domain_template(smtpd)
@@ -22155,7 +22803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
files_type(postfix_spool_flush_t)
type postfix_public_t;
-@@ -90,9 +106,6 @@
+@@ -90,9 +109,6 @@
postfix_server_domain_template(virtual)
mta_mailserver_delivery(postfix_virtual_t)
@@ -22165,7 +22813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
#
# Postfix master process local policy
-@@ -103,6 +116,7 @@
+@@ -103,6 +119,7 @@
allow postfix_master_t self:fifo_file rw_fifo_file_perms;
allow postfix_master_t self:tcp_socket create_stream_socket_perms;
allow postfix_master_t self:udp_socket create_socket_perms;
@@ -22173,7 +22821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
allow postfix_master_t postfix_etc_t:file rw_file_perms;
-@@ -132,6 +146,7 @@
+@@ -132,6 +149,7 @@
# allow access to deferred queue and allow removing bogus incoming entries
manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
@@ -22181,7 +22829,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
allow postfix_master_t postfix_spool_bounce_t:file getattr;
-@@ -142,6 +157,7 @@
+@@ -142,6 +160,7 @@
delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
@@ -22189,7 +22837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
kernel_read_all_sysctls(postfix_master_t)
-@@ -153,6 +169,9 @@
+@@ -153,6 +172,9 @@
corenet_udp_sendrecv_generic_node(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
@@ -22199,7 +22847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
corenet_tcp_bind_generic_node(postfix_master_t)
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
corenet_tcp_bind_smtp_port(postfix_master_t)
-@@ -170,6 +189,8 @@
+@@ -170,6 +192,8 @@
domain_use_interactive_fds(postfix_master_t)
files_read_usr_files(postfix_master_t)
@@ -22208,7 +22856,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
term_dontaudit_search_ptys(postfix_master_t)
-@@ -181,6 +202,7 @@
+@@ -181,6 +205,7 @@
mta_rw_aliases(postfix_master_t)
mta_read_sendmail_bin(postfix_master_t)
@@ -22216,7 +22864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
ifdef(`distro_redhat',`
# for newer main.cf that uses /etc/aliases
-@@ -193,6 +215,10 @@
+@@ -193,6 +218,10 @@
')
optional_policy(`
@@ -22227,7 +22875,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
# for postalias
mailman_manage_data_files(postfix_master_t)
')
-@@ -202,6 +228,10 @@
+@@ -202,6 +231,10 @@
')
optional_policy(`
@@ -22238,7 +22886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
sendmail_signal(postfix_master_t)
')
-@@ -219,6 +249,7 @@
+@@ -219,6 +252,7 @@
manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
@@ -22246,7 +22894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
-@@ -240,11 +271,18 @@
+@@ -240,11 +274,18 @@
manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
@@ -22265,7 +22913,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
#
# Postfix local local policy
-@@ -253,10 +291,6 @@
+@@ -253,10 +294,6 @@
allow postfix_local_t self:fifo_file rw_fifo_file_perms;
allow postfix_local_t self:process { setsched setrlimit };
@@ -22276,7 +22924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
# connect to master process
stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
-@@ -270,18 +304,31 @@
+@@ -270,18 +307,31 @@
files_read_etc_files(postfix_local_t)
@@ -22308,7 +22956,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
')
optional_policy(`
-@@ -292,8 +339,7 @@
+@@ -292,8 +342,7 @@
#
# Postfix map local policy
#
@@ -22318,7 +22966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
allow postfix_map_t self:unix_dgram_socket create_socket_perms;
allow postfix_map_t self:tcp_socket create_stream_socket_perms;
-@@ -340,14 +386,15 @@
+@@ -340,14 +389,15 @@
miscfiles_read_localization(postfix_map_t)
@@ -22338,7 +22986,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
#
# Postfix pickup local policy
-@@ -372,6 +419,7 @@
+@@ -372,6 +422,7 @@
#
allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
@@ -22346,7 +22994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -379,6 +427,12 @@
+@@ -379,6 +430,12 @@
rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
@@ -22359,7 +23007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
optional_policy(`
procmail_domtrans(postfix_pipe_t)
')
-@@ -388,6 +442,16 @@
+@@ -388,6 +445,16 @@
')
optional_policy(`
@@ -22376,7 +23024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
uucp_domtrans_uux(postfix_pipe_t)
')
-@@ -415,6 +479,10 @@
+@@ -415,6 +482,10 @@
mta_rw_user_mail_stream_sockets(postfix_postdrop_t)
optional_policy(`
@@ -22387,7 +23035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
')
-@@ -424,8 +492,11 @@
+@@ -424,8 +495,11 @@
')
optional_policy(`
@@ -22401,7 +23049,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
')
#######################################
-@@ -451,6 +522,15 @@
+@@ -451,6 +525,15 @@
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
@@ -22417,7 +23065,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
#
# Postfix qmgr local policy
-@@ -464,6 +544,7 @@
+@@ -464,6 +547,7 @@
manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
@@ -22425,7 +23073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
-@@ -499,13 +580,14 @@
+@@ -499,13 +583,14 @@
#
# connect to master process
@@ -22441,7 +23089,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
optional_policy(`
cyrus_stream_connect(postfix_smtp_t)
-@@ -535,9 +617,18 @@
+@@ -535,9 +620,18 @@
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
@@ -22460,7 +23108,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
mailman_read_data_files(postfix_smtpd_t)
')
-@@ -559,20 +650,22 @@
+@@ -559,20 +653,22 @@
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
@@ -23166,8 +23814,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.7.19/policy/modules/services/rgmanager.fc
--- nsaserefpolicy/policy/modules/services/rgmanager.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/rgmanager.fc 2010-04-14 10:48:18.000000000 -0400
-@@ -0,0 +1,8 @@
++++ serefpolicy-3.7.19/policy/modules/services/rgmanager.fc 2010-04-30 09:53:00.000000000 -0400
+@@ -0,0 +1,10 @@
++
++/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
+
+/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+
@@ -23280,8 +23930,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.19/policy/modules/services/rgmanager.te
--- nsaserefpolicy/policy/modules/services/rgmanager.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/rgmanager.te 2010-04-14 10:48:18.000000000 -0400
-@@ -0,0 +1,226 @@
++++ serefpolicy-3.7.19/policy/modules/services/rgmanager.te 2010-04-30 09:53:00.000000000 -0400
+@@ -0,0 +1,229 @@
+
+policy_module(rgmanager,1.0.0)
+
@@ -23302,6 +23952,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
+domain_type(rgmanager_t)
+init_daemon_domain(rgmanager_t, rgmanager_exec_t)
+
++type rgmanager_initrc_exec_t;
++init_script_file(rgmanager_initrc_exec_t)
++
+# tmp files
+type rgmanager_tmp_t;
+files_tmp_file(rgmanager_tmp_t)
@@ -23965,7 +24618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.19/policy/modules/services/rhcs.te
--- nsaserefpolicy/policy/modules/services/rhcs.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/rhcs.te 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/rhcs.te 2010-04-29 14:10:35.000000000 -0400
@@ -0,0 +1,239 @@
+
+policy_module(rhcs,1.1.0)
@@ -24033,7 +24686,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+#
+
+allow fenced_t self:capability { sys_rawio sys_resource };
-+allow fenced_t self:process getsched;
++allow fenced_t self:process { getsched signal_perms };
+
+allow fenced_t self:tcp_socket create_stream_socket_perms;
+allow fenced_t self:udp_socket create_socket_perms;
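Review bot: `signal_perms` widens fenced_t's self-process rights from `getsched` to the full signal set (`signal signull sigkill sigstop sigchld`), which is broader than a daemon usually needs on itself; if the denial that motivated this was only `signull` (a `kill(pid, 0)` liveness check) or `signal`, the narrower `allow fenced_t self:process { getsched signal signull };` gives the same fix. Because the target is `self` the exposure is small, but a comment stating which fenced operation needs it, e.g. `# fenced checks/signals its own processes`, would help whoever next sees the AVC entry; confirm against the audit record that prompted the change. This rule sits inside the fenced_t local policy block of rhcs.te, whose start and end lie outside the hunk.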
@@ -24206,10 +24859,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+optional_policy(`
+ corosync_stream_connect(cluster_domain)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.fc serefpolicy-3.7.19/policy/modules/services/ricci.fc
+--- nsaserefpolicy/policy/modules/services/ricci.fc 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/ricci.fc 2010-04-30 09:53:00.000000000 -0400
+@@ -1,3 +1,6 @@
++
++/etc/rc\.d/init\.d/ricci -- gen_context(system_u:object_r:ricci_initrc_exec_t,s0)
++
+ /usr/libexec/modcluster -- gen_context(system_u:object_r:ricci_modcluster_exec_t,s0)
+ /usr/libexec/ricci-modlog -- gen_context(system_u:object_r:ricci_modlog_exec_t,s0)
+ /usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.7.19/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/services/ricci.te 2010-04-14 10:48:18.000000000 -0400
-@@ -194,10 +194,13 @@
++++ serefpolicy-3.7.19/policy/modules/services/ricci.te 2010-04-30 09:53:00.000000000 -0400
+@@ -11,6 +11,9 @@
+ domain_type(ricci_t)
+ init_daemon_domain(ricci_t, ricci_exec_t)
+
++type ricci_initrc_exec_t;
++init_script_file(ricci_initrc_exec_t)
++
+ # tmp files
+ type ricci_tmp_t;
+ files_tmp_file(ricci_tmp_t)
+@@ -194,10 +197,13 @@
# ricci_modcluster local policy
#
@@ -24224,7 +24897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
kernel_read_kernel_sysctls(ricci_modcluster_t)
kernel_read_system_state(ricci_modcluster_t)
-@@ -227,6 +230,11 @@
+@@ -227,6 +233,11 @@
ricci_stream_connect_modclusterd(ricci_modcluster_t)
optional_policy(`
@@ -24236,7 +24909,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
ccs_stream_connect(ricci_modcluster_t)
ccs_domtrans(ricci_modcluster_t)
ccs_manage_config(ricci_modcluster_t)
-@@ -245,6 +253,10 @@
+@@ -245,6 +256,10 @@
')
optional_policy(`
@@ -24247,7 +24920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
# XXX This has got to go.
unconfined_domain(ricci_modcluster_t)
')
-@@ -259,11 +271,11 @@
+@@ -259,11 +274,11 @@
allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms;
allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms;
allow ricci_modclusterd_t self:tcp_socket create_stream_socket_perms;
@@ -24260,7 +24933,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
# log files
allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
-@@ -294,6 +306,8 @@
+@@ -294,6 +309,8 @@
fs_getattr_xattr_fs(ricci_modclusterd_t)
@@ -24269,7 +24942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
init_stream_connect_script(ricci_modclusterd_t)
locallogin_dontaudit_use_fds(ricci_modclusterd_t)
-@@ -303,7 +317,11 @@
+@@ -303,7 +320,11 @@
miscfiles_read_localization(ricci_modclusterd_t)
sysnet_domtrans_ifconfig(ricci_modclusterd_t)
@@ -24282,7 +24955,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
optional_policy(`
ccs_domtrans(ricci_modclusterd_t)
-@@ -312,6 +330,10 @@
+@@ -312,6 +333,10 @@
')
optional_policy(`
@@ -24293,7 +24966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
unconfined_use_fds(ricci_modclusterd_t)
')
-@@ -440,6 +462,12 @@
+@@ -440,6 +465,12 @@
files_read_usr_files(ricci_modstorage_t)
files_read_kernel_modules(ricci_modstorage_t)
@@ -24306,7 +24979,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
storage_raw_read_fixed_disk(ricci_modstorage_t)
term_dontaudit_use_console(ricci_modstorage_t)
-@@ -457,6 +485,11 @@
+@@ -457,6 +488,11 @@
mount_domtrans(ricci_modstorage_t)
optional_policy(`
@@ -25091,6 +25764,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl
corenet_all_recvfrom_unlabeled(saslauthd_t)
corenet_all_recvfrom_netlabel(saslauthd_t)
corenet_tcp_sendrecv_generic_if(saslauthd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.fc serefpolicy-3.7.19/policy/modules/services/sendmail.fc
+--- nsaserefpolicy/policy/modules/services/sendmail.fc 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/sendmail.fc 2010-04-30 09:53:00.000000000 -0400
+@@ -1,4 +1,6 @@
+
++/etc/rc\.d/init\.d/sendmail -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)
++
+ /var/log/sendmail\.st -- gen_context(system_u:object_r:sendmail_log_t,s0)
+ /var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.19/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if 2010-01-11 09:40:36.000000000 -0500
+++ serefpolicy-3.7.19/policy/modules/services/sendmail.if 2010-04-14 10:48:18.000000000 -0400
@@ -25119,8 +25802,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.19/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2010-01-11 09:40:36.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/sendmail.te 2010-04-14 10:48:18.000000000 -0400
-@@ -30,7 +30,7 @@
++++ serefpolicy-3.7.19/policy/modules/services/sendmail.te 2010-04-30 09:53:00.000000000 -0400
+@@ -20,6 +20,9 @@
+ mta_mailserver_delivery(sendmail_t)
+ mta_mailserver_sender(sendmail_t)
+
++type sendmail_initrc_exec_t;
++init_script_file(sendmail_initrc_exec_t)
++
+ type unconfined_sendmail_t;
+ application_domain(unconfined_sendmail_t, sendmail_exec_t)
+ role system_r types unconfined_sendmail_t;
+@@ -30,7 +33,7 @@
#
allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config };
@@ -25129,7 +25822,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
allow sendmail_t self:fifo_file rw_fifo_file_perms;
allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
allow sendmail_t self:unix_dgram_socket create_socket_perms;
-@@ -72,6 +72,7 @@
+@@ -72,6 +75,7 @@
fs_rw_anon_inodefs_files(sendmail_t)
term_dontaudit_use_console(sendmail_t)
@@ -25137,7 +25830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
# for piping mail to a command
corecmd_exec_shell(sendmail_t)
-@@ -84,12 +85,14 @@
+@@ -84,12 +88,14 @@
files_search_spool(sendmail_t)
# for piping mail to a command
files_read_etc_runtime_files(sendmail_t)
@@ -25152,7 +25845,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
auth_use_nsswitch(sendmail_t)
-@@ -103,7 +106,7 @@
+@@ -103,7 +109,7 @@
miscfiles_read_localization(sendmail_t)
userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
@@ -25161,7 +25854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
mta_read_config(sendmail_t)
mta_etc_filetrans_aliases(sendmail_t)
-@@ -133,6 +136,7 @@
+@@ -133,6 +139,7 @@
optional_policy(`
fail2ban_read_lib_files(sendmail_t)
@@ -25169,7 +25862,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
')
optional_policy(`
-@@ -148,7 +152,9 @@
+@@ -148,7 +155,9 @@
')
optional_policy(`
@@ -25179,7 +25872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
postfix_read_config(sendmail_t)
postfix_search_spool(sendmail_t)
')
-@@ -167,6 +173,10 @@
+@@ -167,6 +176,10 @@
')
optional_policy(`
@@ -25190,7 +25883,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
udev_read_db(sendmail_t)
')
-@@ -184,3 +194,4 @@
+@@ -184,3 +197,4 @@
mta_etc_filetrans_aliases(unconfined_sendmail_t)
unconfined_domain(unconfined_sendmail_t)
')
@@ -26075,8 +26768,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.7.19/policy/modules/services/ssh.fc
--- nsaserefpolicy/policy/modules/services/ssh.fc 2010-01-18 15:04:31.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/ssh.fc 2010-04-14 10:48:18.000000000 -0400
-@@ -14,3 +14,5 @@
++++ serefpolicy-3.7.19/policy/modules/services/ssh.fc 2010-04-30 09:53:00.000000000 -0400
+@@ -1,5 +1,7 @@
+ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+
++/etc/rc\.d/init\.d/sshd -- gen_context(system_u:object_r:sshd_initrc_exec_t,s0)
++
+ /etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
+ /etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
+ /etc/ssh/ssh_host_dsa_key -- gen_context(system_u:object_r:sshd_key_t,s0)
+@@ -14,3 +16,5 @@
/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
@@ -26277,8 +26978,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
## Delete from the ssh temp files.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.19/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2010-04-14 10:48:18.000000000 -0400
-@@ -114,6 +114,7 @@
++++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2010-04-30 09:53:00.000000000 -0400
+@@ -34,6 +34,9 @@
+ ssh_server_template(sshd)
+ init_daemon_domain(sshd_t, sshd_exec_t)
+
++type sshd_initrc_exec_t;
++init_script_file(sshd_initrc_exec_t)
++
+ type sshd_key_t;
+ files_type(sshd_key_t)
+
+@@ -114,6 +117,7 @@
manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
@@ -26286,7 +26997,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
# Allow the ssh program to communicate with ssh-agent.
stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
-@@ -125,9 +126,10 @@
+@@ -125,9 +129,10 @@
read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
# ssh servers can read the user keys and config
@@ -26300,7 +27011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
kernel_read_kernel_sysctls(ssh_t)
kernel_read_system_state(ssh_t)
-@@ -139,6 +141,8 @@
+@@ -139,6 +144,8 @@
corenet_tcp_sendrecv_all_ports(ssh_t)
corenet_tcp_connect_ssh_port(ssh_t)
corenet_sendrecv_ssh_client_packets(ssh_t)
@@ -26309,7 +27020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
dev_read_urand(ssh_t)
-@@ -170,8 +174,10 @@
+@@ -170,8 +177,10 @@
userdom_search_user_home_dirs(ssh_t)
# Write to the user domain tty.
userdom_use_user_terminals(ssh_t)
@@ -26321,7 +27032,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
tunable_policy(`allow_ssh_keysign',`
domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
-@@ -282,6 +288,8 @@
+@@ -282,6 +291,8 @@
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
@@ -26330,7 +27041,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
-@@ -292,22 +300,30 @@
+@@ -292,22 +303,30 @@
term_use_all_ptys(sshd_t)
term_setattr_all_ptys(sshd_t)
@@ -26365,7 +27076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
')
optional_policy(`
-@@ -315,7 +331,12 @@
+@@ -315,7 +334,12 @@
')
optional_policy(`
@@ -26379,7 +27090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
')
optional_policy(`
-@@ -323,6 +344,10 @@
+@@ -323,6 +347,10 @@
')
optional_policy(`
@@ -26390,7 +27101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
rpm_use_script_fds(sshd_t)
')
-@@ -333,10 +358,18 @@
+@@ -333,10 +361,18 @@
')
optional_policy(`
@@ -28424,7 +29135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
ifdef(`distro_suse', `
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.19/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2010-03-18 10:35:11.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/system/authlogin.if 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/system/authlogin.if 2010-04-30 08:25:24.000000000 -0400
@@ -41,7 +41,6 @@
##
#
@@ -29593,20 +30304,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
+userdom_read_user_tmp_files(setkey_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.7.19/policy/modules/system/iptables.fc
--- nsaserefpolicy/policy/modules/system/iptables.fc 2010-02-12 16:41:05.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/system/iptables.fc 2010-04-20 09:06:19.000000000 -0400
-@@ -1,6 +1,4 @@
++++ serefpolicy-3.7.19/policy/modules/system/iptables.fc 2010-04-30 08:55:43.000000000 -0400
+@@ -1,13 +1,18 @@
/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
-/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
-@@ -11,3 +9,5 @@
+ /sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+ /sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
+
++/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
++
+ /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+
+/usr/bin/ncftool -- gen_context(system_u:object_r:iptables_exec_t,s0)
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.7.19/policy/modules/system/iptables.if
--- nsaserefpolicy/policy/modules/system/iptables.if 2009-12-04 09:43:33.000000000 -0500
+++ serefpolicy-3.7.19/policy/modules/system/iptables.if 2010-04-14 10:48:18.000000000 -0400
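Review bot: The three new entries `/sbin/ipvsadm`, `/sbin/ipvsadm-restore` and `/sbin/ipvsadm-save` are labeled iptables_exec_t, so the IPVS administration tool will run in iptables_t instead of a domain of its own, and the iptables.te hunks further down widen iptables_t (generic netlink_socket, corecmd_exec_bin) to make that work. Nothing in the file context records that sharing the domain was a deliberate choice rather than a shortcut, so a one-line comment above the new entries would help the next maintainer, e.g. `# ipvsadm shares the iptables domain; see the ipvsadm rules in iptables.te`. The added trailing blank line at the end of the file looks unintended and can be dropped.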
@@ -29623,7 +30342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.19/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2010-03-18 10:35:11.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/system/iptables.te 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/system/iptables.te 2010-04-30 08:55:43.000000000 -0400
@@ -14,9 +14,6 @@
type iptables_initrc_exec_t;
init_script_file(iptables_initrc_exec_t)
@@ -29634,13 +30353,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
type iptables_tmp_t;
files_tmp_file(iptables_tmp_t)
-@@ -30,12 +27,12 @@
+@@ -30,12 +27,14 @@
allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw };
dontaudit iptables_t self:capability sys_tty_config;
-allow iptables_t self:fifo_file rw_fifo_file_perms;
+allow iptables_t self:fifo_file rw_file_perms;
allow iptables_t self:process { sigchld sigkill sigstop signull signal };
++# needed by ipvsadm
++allow iptables_t self:netlink_socket create_socket_perms;
allow iptables_t self:rawip_socket create_socket_perms;
-manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
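Review bot: `allow iptables_t self:netlink_socket create_socket_perms;` uses the generic netlink_socket class, which covers every netlink protocol family that has no dedicated object class, not only the one ipvsadm presumably uses to configure IPVS; the `# needed by ipvsadm` comment does not say which family that is. Naming the family in the comment would let a later maintainer move the rule to a narrower class once one exists, e.g. `# needed by ipvsadm: IPVS is configured over a netlink family that has no dedicated class in this policy version`. The rule form itself matches the neighbouring `self:rawip_socket create_socket_perms` line, so the style is consistent with the rest of the block.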
@@ -29650,7 +30371,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
files_pid_filetrans(iptables_t, iptables_var_run_t, file)
-@@ -57,6 +54,9 @@
+@@ -53,10 +52,16 @@
+ kernel_read_modprobe_sysctls(iptables_t)
+ kernel_use_fds(iptables_t)
+
++# needed by ipvsadm
++corecmd_exec_bin(iptables_t)
++
+ corenet_relabelto_all_packets(iptables_t)
corenet_dontaudit_rw_tun_tap_dev(iptables_t)
dev_read_sysfs(iptables_t)
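Review bot: `corecmd_exec_bin(iptables_t)` lets iptables_t execute any bin_t-labeled binary without a domain transition, which is considerably broader than whatever single helper ipvsadm needs, and the `# needed by ipvsadm` comment does not record which executable produced the denial. Record the helper in the comment so the grant can be re-examined when ipvsadm changes, e.g. `# needed by ipvsadm: execs <helper binary> labeled bin_t`; if the helper is actually a shell, `corecmd_exec_shell(iptables_t)` is the narrower refpolicy interface. The same terse-justification concern applies to the netlink_socket rule in the preceding iptables.te hunk.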
@@ -29660,7 +30388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
fs_getattr_xattr_fs(iptables_t)
fs_search_auto_mountpoints(iptables_t)
-@@ -65,6 +65,7 @@
+@@ -65,6 +70,7 @@
mls_file_read_all_levels(iptables_t)
term_dontaudit_use_console(iptables_t)
@@ -29668,7 +30396,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
domain_use_interactive_fds(iptables_t)
-@@ -78,6 +79,7 @@
+@@ -78,6 +84,7 @@
# to allow rules to be saved on reboot:
init_rw_script_tmp_files(iptables_t)
init_rw_script_stream_sockets(iptables_t)
@@ -29676,7 +30404,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
logging_send_syslog_msg(iptables_t)
-@@ -91,6 +93,7 @@
+@@ -91,6 +98,7 @@
optional_policy(`
fail2ban_append_log(iptables_t)