+##
@@ -15264,34 +15992,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
+## Role allowed access.
+##
+##
-+##
+#
+interface(`denyhosts_admin', `
+ gen_require(`
+ type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t;
-+ type denyhosts_var_log_t;
++ type denyhosts_var_log_t, denyhosts_initrc_exec_t;
+ ')
+
+ allow $1 denyhosts_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, denyhosts_t, denyhosts_t)
-+
-+ admin_pattern($1, denyhosts_var_lib_t)
-+
-+ logging_search_logs($1)
-+ admin_pattern($1, denyhosts_var_log_t)
-+
-+ files_search_locks($1)
-+ admin_pattern($1, denyhosts_var_lock_t)
-+
++
+ denyhosts_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 denyhosts_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ kernel_search_proc($1)
-+ allow $1 denyhosts_t:dir list_dir_perms;
+ ps_process_pattern($1, denyhosts_t)
-+ read_lnk_files_pattern($1, denyhosts_t, denyhosts_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, denyhosts_var_lib_t)
++
++ logging_search_logs($1)
++ admin_pattern($1, denyhosts_var_log_t)
++
++ files_search_locks($1)
++ admin_pattern($1, denyhosts_var_lock_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.7.17/policy/modules/services/denyhosts.te
--- nsaserefpolicy/policy/modules/services/denyhosts.te 1969-12-31 19:00:00.000000000 -0500
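Review bot: `getattr` in `allow $1 denyhosts_t:process { ptrace signal_perms getattr };` looks redundant with the `ps_process_pattern($1, denyhosts_t)` call below it, which in refpolicy bundles `process getattr` together with the dir/file/lnk_file reads that the removed `read_files_pattern`, `list_dir_perms` and `read_lnk_files_pattern` lines used to spell out. If that holds, `allow $1 denyhosts_t:process { ptrace signal_perms };` would match the form `git_session_role` uses in this same patch (`allow $2 git_session_t:process { ptrace signal_perms };`). Adding `denyhosts_initrc_exec_t` to `gen_require` is needed by the `role_transition` line that already referenced it; the `denyhosts_admin` interface header starts above this hunk.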
@@ -16385,10 +17110,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.7.17/policy/modules/services/git.if
--- nsaserefpolicy/policy/modules/services/git.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.17/policy/modules/services/git.if 2010-03-29 15:35:14.000000000 -0400
-@@ -1 +1,535 @@
++++ serefpolicy-3.7.17/policy/modules/services/git.if 2010-03-30 12:56:01.000000000 -0400
+@@ -1 +1,532 @@
-## GIT revision control system
-+## Git - Fast Version Control System.
++## Fast Version Control System.
+##
+##
+## A really simple TCP git daemon that normally listens on
@@ -16416,6 +17141,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+interface(`git_session_role',`
+ gen_require(`
+ type git_session_t, gitd_exec_t;
++ type git_session_content_t;
+ ')
+
+ ########################################
@@ -16434,6 +17160,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+
+ allow $2 git_session_t:process { ptrace signal_perms };
+ ps_process_pattern($2, git_session_t)
++
++ exec_files_pattern($2, git_session_content_t, git_session_content_t)
++ manage_dirs_pattern($2, git_session_content_t, git_session_content_t)
++ manage_files_pattern($2, git_session_content_t, git_session_content_t)
++
++ relabel_dirs_pattern($2, git_session_content_t, git_session_content_t)
++ relabel_files_pattern($2, git_session_content_t, git_session_content_t)
+')
+
+########################################
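Review bot: The new `manage_dirs_pattern`, `manage_files_pattern` and `relabel_*_pattern` lines cover directories and regular files only, so if a session repository's working tree holds symbolic links labelled `git_session_content_t` (git tracks symlinks as ordinary entries), creating, deleting or relabelling them from `$2` will be denied. If that is intended use, add `manage_lnk_files_pattern($2, git_session_content_t, git_session_content_t)` and `relabel_lnk_files_pattern($2, git_session_content_t, git_session_content_t)` next to the existing lines. The `git_session_role` interface these lines belong to starts above this hunk.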
@@ -16562,7 +17295,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+ exec_files_pattern($1, $2, $2)
+ manage_dirs_pattern($1, $2, $2)
+ manage_files_pattern($1, $2, $2)
-+ files_search_var($1)
++ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_exec_cifs_files($1)
@@ -16587,7 +17320,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+## Domain allowed access.
+##
+##
-+##
+#
+interface(`git_rwx_all_content',`
+ gen_require(`
@@ -16598,7 +17330,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+ manage_dirs_pattern($1, git_content, git_content)
+ manage_files_pattern($1, git_content, git_content)
+ userdom_search_user_home_dirs($1)
-+ files_search_var($1)
++ files_search_var_lib($1)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_exec_nfs_files($1)
@@ -16635,7 +17367,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+## Domain allowed access.
+##
+##
-+##
+#
+interface(`git_rwx_all_system_content',`
+ gen_require(`
@@ -16645,7 +17376,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+ exec_files_pattern($1, git_system_content, git_system_content)
+ manage_dirs_pattern($1, git_system_content, git_system_content)
+ manage_files_pattern($1, git_system_content, git_system_content)
-+ files_search_var($1)
++ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_exec_cifs_files($1)
@@ -16670,7 +17401,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+## Domain allowed access.
+##
+##
-+##
+#
+interface(`git_rwx_generic_system_content',`
+ gen_require(`
@@ -16680,7 +17410,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+ exec_files_pattern($1, git_system_content_t, git_system_content_t)
+ manage_dirs_pattern($1, git_system_content_t, git_system_content_t)
+ manage_files_pattern($1, git_system_content_t, git_system_content_t)
-+ files_search_var($1)
++ files_search_var_lib($1)
+
+ tunable_policy(`git_system_use_cifs',`
+ fs_exec_cifs_files($1)
@@ -16705,7 +17435,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+## Domain allowed access.
+##
+##
-+##
+#
+interface(`git_read_all_content_files',`
+ gen_require(`
@@ -16748,7 +17477,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+## Domain allowed access.
+##
+##
-+##
+#
+interface(`git_read_session_content_files',`
+ gen_require(`
@@ -16780,7 +17508,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+## Domain allowed access.
+##
+##
-+##
+#
+interface(`git_read_all_system_content_files',`
+ gen_require(`
@@ -16812,7 +17539,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+## Domain allowed access.
+##
+##
-+##
+#
+interface(`git_read_generic_system_content_files',`
+ gen_require(`
@@ -16844,7 +17570,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+## Domain allowed access.
+##
+##
-+##
+#
+interface(`git_relabel_all_content',`
+ gen_require(`
@@ -16867,7 +17592,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+## Domain allowed access.
+##
+##
-+##
+#
+interface(`git_relabel_all_system_content',`
+ gen_require(`
@@ -16889,7 +17613,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+## Domain allowed access.
+##
+##
-+##
+#
+interface(`git_relabel_generic_system_content',`
+ gen_require(`
@@ -16911,7 +17634,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+## Domain allowed access.
+##
+##
-+##
+#
+interface(`git_relabel_session_content',`
+ gen_require(`
@@ -16925,8 +17647,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.7.17/policy/modules/services/git.te
--- nsaserefpolicy/policy/modules/services/git.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.17/policy/modules/services/git.te 2010-03-29 15:35:14.000000000 -0400
-@@ -1,9 +1,182 @@
++++ serefpolicy-3.7.17/policy/modules/services/git.te 2010-03-30 12:56:01.000000000 -0400
+@@ -1,9 +1,193 @@
-policy_module(git, 1.0)
+policy_module(git, 1.0.3)
@@ -17003,19 +17725,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+
+allow git_domains self:fifo_file rw_fifo_file_perms;
+allow git_domains self:netlink_route_socket create_netlink_socket_perms;
-+allow git_domains self:tcp_socket { create_socket_perms listen };
++allow git_domains self:tcp_socket create_socket_perms;
+allow git_domains self:udp_socket create_socket_perms;
+allow git_domains self:unix_dgram_socket create_socket_perms;
+
+corenet_all_recvfrom_netlabel(git_domains)
+corenet_all_recvfrom_unlabeled(git_domains)
-+
+corenet_tcp_bind_generic_node(git_domains)
-+
+corenet_tcp_sendrecv_generic_if(git_domains)
+corenet_tcp_sendrecv_generic_node(git_domains)
+corenet_tcp_sendrecv_generic_port(git_domains)
-+
+corenet_tcp_bind_git_port(git_domains)
+corenet_sendrecv_git_server_packets(git_domains)
+
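Review bot: `listen` is dropped from the `git_domains` attribute here while `corenet_tcp_bind_generic_node`, `corenet_tcp_bind_git_port` and `corenet_sendrecv_git_server_packets` stay attribute-wide, so a domain that no longer listens still holds bind on the git port. If only `git_session_t` is meant to run as a standalone listener (the `allow git_session_t self:tcp_socket { accept listen };` line added later in this file suggests so) and `git_system_t` receives an already-connected socket, the bind interfaces can be narrowed to `git_session_t` in the same way for least privilege. If `git_system_t` does bind its own socket, a one-line comment above the bind block naming which domain needs it would settle the question.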
@@ -17034,6 +17753,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+
+miscfiles_read_localization(git_domains)
+
++sysnet_read_config(git_domains)
++
++optional_policy(`
++ automount_dontaudit_getattr_tmp_dirs(git_domains)
++')
++
++optional_policy(`
++ nis_use_ypbind(git_domains)
++')
++
+########################################
+#
+# Git daemon system repository private policy.
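Review bot: The new `nis_use_ypbind(git_domains)` block carries no comment saying what in either git daemon needs NIS, and in refpolicy that interface typically grants far broader network access (generic-port binding and connects, gated by the `allow_ypbind` tunable) than a read-only repository daemon otherwise holds. A note such as `# NIS/sysnet access is for passwd lookups of repository owners — TODO confirm triggering denial` above `sysnet_read_config(git_domains)` would let a later reviewer check whether it can be scoped down. If only the session daemon needs it, both grants could take `git_session_t` instead of the attribute.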
@@ -17041,7 +17770,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+
+list_dirs_pattern(git_system_t, git_content, git_content)
+read_files_pattern(git_system_t, git_content, git_content)
-+files_search_var(git_system_t)
++files_search_var_lib(git_system_t)
+
+tunable_policy(`git_system_enable_homedirs', `
+ userdom_search_user_home_dirs(git_system_t)
@@ -17066,11 +17795,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+ fs_list_nfs(git_system_t)
+ fs_read_nfs_files(git_system_t)
+')
-+
-+########################################
-+#
+
+ ########################################
+ #
+-# Declarations
+# Git daemon session repository private policy.
-+#
+ #
+
+-apache_content_template(git)
++allow git_session_t self:tcp_socket { accept listen };
+
+list_dirs_pattern(git_session_t, git_session_content_t, git_session_content_t)
+read_files_pattern(git_session_t, git_session_content_t, git_session_content_t)
@@ -17080,6 +17813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+
+tunable_policy(`git_session_bind_all_unreserved_ports', `
+ corenet_tcp_bind_all_unreserved_ports(git_session_t)
++ corenet_sendrecv_generic_server_packets(git_session_t)
+')
+
+tunable_policy(`use_nfs_home_dirs', `
@@ -17102,16 +17836,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+ git_read_session_content_files(httpd_git_script_t)
+ files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
+')
-
- ########################################
- #
--# Declarations
++
++########################################
++#
+# Git-shell private policy.
- #
-
--apache_content_template(git)
-+#git_role_template(git_shell)
-+#gen_user(git_shell_u, user, git_shell_r, s0, s0)
++#
++
++git_role_template(git_shell)
++gen_user(git_shell_u, user, git_shell_r, s0, s0)
++
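Review bot: `git_role_template(git_shell)` and `gen_user(git_shell_u, user, git_shell_r, s0, s0)` are now enabled unconditionally inside a service module, so every policy build that includes git gets a new SELinux user and role; refpolicy normally keeps `gen_user` calls in `policy/users`, and the previous revision had both lines commented out with nothing recording why that changed. A comment above them stating why the user is declared here and that `s0, s0` deliberately gives it no MCS categories would help the next maintainer. If the user is only wanted on some systems, a separate module or a tunable-guarded block is the safer shape.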
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.7.17/policy/modules/services/gpsd.te
--- nsaserefpolicy/policy/modules/services/gpsd.te 2010-01-07 14:53:53.000000000 -0500
+++ serefpolicy-3.7.17/policy/modules/services/gpsd.te 2010-03-29 15:35:14.000000000 -0400
@@ -18379,7 +19112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.17/policy/modules/services/nagios.te
--- nsaserefpolicy/policy/modules/services/nagios.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.17/policy/modules/services/nagios.te 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.17/policy/modules/services/nagios.te 2010-03-30 12:57:22.000000000 -0400
@@ -6,17 +6,23 @@
# Declarations
#
@@ -18663,7 +19396,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
+
+files_read_etc_files(nagios_mail_plugin_t)
+
-+libs_use_lib_files(nagios_mail_plugin_t)
++libs_use_shared_libs(nagios_mail_plugin_t)
+libs_use_ld_so(nagios_mail_plugin_t)
+
+logging_send_syslog_msg(nagios_mail_plugin_t)
@@ -19791,6 +20524,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj
+userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
+userdom_manage_user_home_content(oddjob_mkhomedir_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oident.te serefpolicy-3.7.17/policy/modules/services/oident.te
+--- nsaserefpolicy/policy/modules/services/oident.te 2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.7.17/policy/modules/services/oident.te 2010-03-30 12:57:38.000000000 -0400
+@@ -49,6 +49,7 @@
+ kernel_read_network_state(oidentd_t)
+ kernel_read_network_state_symlinks(oidentd_t)
+ kernel_read_sysctl(oidentd_t)
++kernel_request_load_module(oidentd_t)
+
+ logging_send_syslog_msg(oidentd_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.7.17/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2010-03-23 10:55:15.000000000 -0400
+++ serefpolicy-3.7.17/policy/modules/services/openvpn.te 2010-03-30 09:05:45.000000000 -0400
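Review bot: `kernel_request_load_module(oidentd_t)` lets a network-facing identd trigger kernel module autoloading; if the underlying denial comes from a probe for an optional protocol or feature rather than a module the daemon actually needs, `kernel_dontaudit_request_load_module(oidentd_t)` is the least-privilege choice and keeps the audit log quiet. If the load is genuinely required, a one-line comment next to the new line naming the module or code path (`# autoloads <MODULE — TODO confirm> at startup`) records the justification. The oident.te section is new to this patch and this is its only added line.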
@@ -25143,7 +25887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
+/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.17/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/ssh.if 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.17/policy/modules/services/ssh.if 2010-03-30 12:59:11.000000000 -0400
@@ -36,6 +36,7 @@
gen_require(`
attribute ssh_server;
@@ -25283,7 +26027,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
userdom_user_home_domtrans($1_ssh_agent_t, $3)
allow $3 $1_ssh_agent_t:fd use;
allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
-@@ -696,6 +708,27 @@
+@@ -696,6 +708,50 @@
dontaudit $1 sshd_key_t:file { getattr read };
')
@@ -25308,6 +26052,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
+ userdom_search_user_home_dirs($1)
+')
+
++########################################
++##
++## Create Secure Shell home directory
++## content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ssh_create_user_home_files',`
++ gen_require(`
++ type home_ssh_t;
++ ')
++
++ # This is only for Seahorse. May no longer be required in future.
++ create_dirs_pattern($1, home_ssh_t, home_ssh_t)
++ create_files_pattern($1, home_ssh_t, home_ssh_t)
++ userdom_user_home_dir_filetrans($1, home_ssh_t, { dir file })
++ userdom_search_user_home_dirs($1)
++')
++
#######################################
##
## Delete from the ssh temp files.
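Review bot: `userdom_user_home_dir_filetrans($1, home_ssh_t, { dir file })` is not qualified by file name, so every directory or file `$1` creates directly under a user home directory — not only `~/.ssh` — is labelled `home_ssh_t`, which mislabels unrelated content and lets the caller create files other domains treat as SSH key material. The `# This is only for Seahorse.` comment should spell that out, e.g. `# Caller gets home_ssh_t on everything it creates directly in ~; restrict to domains that only create ~/.ssh`. `create_files_pattern` grants only create/getattr/open (no write), so a caller that has to fill the key files it creates needs a separate write-granting interface, and the name `ssh_create_user_home_files` undersells that the interface also creates directories.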
@@ -34153,21 +34920,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.17/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/system/userdomain.te 2010-03-29 15:35:15.000000000 -0400
-@@ -29,10 +29,10 @@
++++ serefpolicy-3.7.17/policy/modules/system/userdomain.te 2010-03-30 12:40:26.000000000 -0400
+@@ -29,13 +29,6 @@
##
##
-## Allow users to read system messages.
-+## Allow regular users direct dri device access
- ##
- ##
+-##
+-##
-gen_tunable(user_dmesg, false)
-+gen_tunable(user_direct_dri, false)
-
- ##
- ##
-@@ -54,11 +54,20 @@
+-
+-##
+-##
+ ## Allow user to r/w files on filesystems
+ ## that do not have extended attributes (FAT, CDROM, FLOPPY)
+ ##
+@@ -54,11 +47,20 @@
# all user domains
attribute userdomain;
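Review bot: The `user_direct_dri` tunable is no longer declared here and the upstream `user_dmesg` block is deleted outright, but this chunk does not show where (or whether) a `gen_tunable(user_direct_dri, ...)` now lives; any remaining `tunable_policy(` block referencing either name elsewhere in the patch would fail at build time, and systems that persisted either boolean may warn when the policy is loaded. A one-line `# user_direct_dri moved to <MODULE — TODO confirm>` comment in place of the removed block, or a matching changelog entry, would make the relocation traceable.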
@@ -34190,7 +34958,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
-@@ -72,6 +81,7 @@
+@@ -72,6 +74,7 @@
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -34198,7 +34966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
userdom_user_home_content(user_home_t)
fs_associate_tmpfs(user_home_t)
files_associate_tmp(user_home_t)
-@@ -97,3 +107,29 @@
+@@ -97,3 +100,29 @@
type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
dev_node(user_tty_device_t)
ubac_constrained(user_tty_device_t)