##
@@ -12524,31 +12186,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+
+##
+##
-+## Allow Apache to communicate with avahi service via dbus
-+##
-+##
-+gen_tunable(httpd_dbus_avahi, false)
-+
-+##
-+##
## Allow httpd to use built in scripting (usually php)
##
##
-@@ -44,6 +60,13 @@
-
- ##
- ##
-+## Allow http daemon to send mail
-+##
-+##
-+gen_tunable(httpd_can_sendmail, false)
-+
-+##
-+##
- ## Allow HTTPD scripts and modules to connect to the network using TCP.
- ##
- ##
-@@ -51,6 +74,13 @@
+@@ -51,6 +60,13 @@
##
##
@@ -12562,7 +12203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
## Allow HTTPD scripts and modules to connect to databases over the network.
##
##
-@@ -87,6 +117,13 @@
+@@ -101,6 +117,13 @@
##
##
@@ -12576,7 +12217,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
##
##
-@@ -94,6 +131,13 @@
+@@ -108,6 +131,13 @@
##
##
@@ -12590,116 +12231,51 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
## Unify HTTPD to communicate with the terminal.
## Needed for entering the passphrase for certificates at
## the terminal.
-@@ -108,6 +152,36 @@
+@@ -143,6 +173,13 @@
##
- gen_tunable(httpd_unified, false)
+ gen_tunable(httpd_use_nfs, false)
+##
+##
-+## Allow httpd to access nfs file systems
-+##
-+##
-+gen_tunable(httpd_use_nfs, false)
-+
-+##
-+##
-+## Allow httpd to access cifs file systems
-+##
-+##
-+gen_tunable(httpd_use_cifs, false)
-+
-+##
-+##
-+## Allow httpd to run gpg
-+##
-+##
-+gen_tunable(httpd_use_gpg, false)
-+
-+##
-+##
-+## Allow apache scripts to write to public content. Directories/Files must be labeled public_content_rw_t.
++## Allow apache scripts to write to public content. Directories/Files must be labeled public_rw_content_t.
+##
+##
+gen_tunable(allow_httpd_sys_script_anon_write, false)
+
-+attribute httpd_ro_content;
-+attribute httpd_rw_content;
attribute httpdcontent;
attribute httpd_user_content_type;
-@@ -140,6 +214,9 @@
- domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
- role system_r types httpd_helper_t;
-
-+type httpd_initrc_exec_t;
-+init_script_file(httpd_initrc_exec_t)
-+
- type httpd_lock_t;
- files_lock_file(httpd_lock_t)
-
-@@ -180,6 +257,10 @@
+@@ -218,6 +255,10 @@
# setup the system domain for system CGI scripts
apache_content_template(sys)
-+typeattribute httpd_sys_content_t httpdcontent, httpd_ro_content; # customizable
-+typeattribute httpd_sys_content_rw_t httpdcontent, httpd_rw_content; # customizable
-+typeattribute httpd_sys_content_ra_t httpdcontent; # customizable
++typeattribute httpd_sys_content_t httpdcontent; # customizable
++typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
++typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
+
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
-@@ -187,28 +268,28 @@
- files_tmpfs_file(httpd_tmpfs_t)
+@@ -226,6 +267,10 @@
apache_content_template(user)
-+
ubac_constrained(httpd_user_script_t)
+typeattribute httpd_user_content_t httpdcontent;
-+typeattribute httpd_user_content_rw_t httpdcontent;
-+typeattribute httpd_user_content_ra_t httpdcontent;
++typeattribute httpd_user_rw_content_t httpdcontent;
++typeattribute httpd_user_ra_content_t httpdcontent;
+
userdom_user_home_content(httpd_user_content_t)
userdom_user_home_content(httpd_user_htaccess_t)
userdom_user_home_content(httpd_user_script_exec_t)
--userdom_user_home_content(httpd_user_script_ra_t)
--userdom_user_home_content(httpd_user_script_ro_t)
--userdom_user_home_content(httpd_user_script_rw_t)
-+userdom_user_home_content(httpd_user_content_ra_t)
-+userdom_user_home_content(httpd_user_content_rw_t)
+@@ -233,6 +278,7 @@
+ userdom_user_home_content(httpd_user_rw_content_t)
typeattribute httpd_user_script_t httpd_script_domains;
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
+typealias httpd_user_content_t alias httpd_unconfined_content_t;
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
- typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
- typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
--typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t };
--typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t };
--typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t };
--typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t };
--typealias httpd_user_script_ro_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
--typealias httpd_user_script_ro_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
--typealias httpd_user_script_rw_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t };
--typealias httpd_user_script_rw_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
--typealias httpd_user_script_ra_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
--typealias httpd_user_script_ra_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
-+typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t httpd_auditadm_script_t httpd_secadm_script_t };
-+typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t httpd_auditadm_script_exec_t httpd_secadm_script_exec_t };
-+typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-+typealias httpd_user_content_rw_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
-+typealias httpd_user_content_ra_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
-
- # for apache2 memory mapped files
- type httpd_var_lib_t;
-@@ -230,7 +311,7 @@
- # Apache server local policy
- #
-
--allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_config };
-+allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
- dontaudit httpd_t self:capability { net_admin sys_tty_config };
- allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow httpd_t self:fd use;
-@@ -249,6 +330,7 @@
+ typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
+ typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
+@@ -286,6 +332,7 @@
manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
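Review bot: The rewritten tunable description in this hunk names a type that does not exist in the rest of the policy: `## Allow apache scripts to write to public content. Directories/Files must be labeled public_rw_content_t.` — the type handled by the `miscfiles_manage_public_files` calls elsewhere in this patch is `public_content_rw_t`, which the line being replaced spelled correctly. The `*_content_rw_t` → `*_rw_content_t` rename this hunk performs applies to the httpd content types (`httpd_sys_rw_content_t`, `httpd_user_rw_content_t`), not to the miscfiles public-content type, so an administrator following this text would label directories with an unknown type and the `allow_httpd_sys_script_anon_write` tunable would have no visible effect. Suggested line: `## Allow apache scripts to write to public content. Directories/Files must be labeled public_content_rw_t.`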
@@ -12707,47 +12283,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -272,6 +354,7 @@
- allow httpd_t httpd_modules_t:dir list_dir_perms;
- mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
- read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
-+read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
-
- apache_domtrans_rotatelogs(httpd_t)
- # Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -283,13 +366,14 @@
-
- allow httpd_t httpd_suexec_exec_t:file read_file_perms;
-
--allow httpd_t httpd_sys_content_t:dir list_dir_perms;
--read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
--read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
-+allow httpd_t httpd_ro_content:dir list_dir_perms;
-+read_files_pattern(httpd_t, httpd_ro_content, httpd_ro_content)
-+read_lnk_files_pattern(httpd_t, httpd_ro_content, httpd_ro_content)
-
- manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
- manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
--files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir })
-+manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-+files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file })
-
- manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
- manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -301,9 +385,11 @@
- manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
- files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
-
-+setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-+manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
- manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
- manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
--files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file })
-+files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir })
-
- manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
- manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
-@@ -312,18 +398,21 @@
+@@ -355,6 +402,7 @@
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -12755,26 +12291,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
--corenet_tcp_sendrecv_generic_if(httpd_t)
--corenet_udp_sendrecv_generic_if(httpd_t)
--corenet_tcp_sendrecv_generic_node(httpd_t)
--corenet_udp_sendrecv_generic_node(httpd_t)
-+corenet_tcp_sendrecv_all_if(httpd_t)
-+corenet_udp_sendrecv_all_if(httpd_t)
-+corenet_tcp_sendrecv_all_nodes(httpd_t)
-+corenet_udp_sendrecv_all_nodes(httpd_t)
+@@ -365,8 +413,10 @@
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
--corenet_tcp_bind_generic_node(httpd_t)
-+corenet_tcp_bind_all_nodes(httpd_t)
-+corenet_udp_bind_all_nodes(httpd_t)
+ corenet_tcp_bind_generic_node(httpd_t)
++corenet_udp_bind_generic_node(httpd_t)
corenet_tcp_bind_http_port(httpd_t)
corenet_tcp_bind_http_cache_port(httpd_t)
+corenet_tcp_bind_ntop_port(httpd_t)
corenet_sendrecv_http_server_packets(httpd_t)
# Signal self for shutdown
corenet_tcp_connect_http_port(httpd_t)
-@@ -335,15 +424,16 @@
+@@ -378,12 +428,12 @@
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
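Review bot: `corenet_tcp_bind_ntop_port(httpd_t)` is added to the baseline httpd_t rules with no comment and outside any tunable, whereas the other non-HTTP listener visible in this patch (the ftp port bind, in the old side of a later hunk) is gated by `httpd_enable_ftp_server`. Binding an unrelated service's port in the default profile widens what every httpd deployment may do; a one-line comment naming the configuration that needs it, or a tunable around it, would keep the default minimal and reviewable. Suggested comment above the line: `# NOTE(review): state which deployment needs httpd_t to listen on the ntop port, or gate it like the ftp port bind.`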
@@ -12790,30 +12318,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
domain_use_interactive_fds(httpd_t)
-+files_dontaudit_getattr_all_pids(httpd_t)
- files_read_usr_files(httpd_t)
- files_list_mnt(httpd_t)
- files_search_spool(httpd_t)
-@@ -358,6 +448,10 @@
+@@ -402,6 +452,10 @@
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
+# php uploads a file to /tmp and then execs programs to acton them
+manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
-+files_tmp_filetrans(httpd_sys_script_t, httpd_sys_content_rw_t, { dir file lnk_file sock_file fifo_file })
++files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })
libs_read_lib_files(httpd_t)
-@@ -372,18 +466,27 @@
-
- userdom_use_unpriv_users_fds(httpd_t)
-
--mta_send_mail(httpd_t)
--
- tunable_policy(`allow_httpd_anon_write',`
+@@ -420,12 +474,23 @@
miscfiles_manage_public_files(httpd_t)
- ')
+ ')
-ifdef(`TODO', `
#
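Review bot: The transition `files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })` labels everything a CGI script creates under /tmp as web content, while the two `manage_*_pattern` lines directly above it grant the script domain `httpd_tmp_t`, so the three rules do not describe the same objects. Files a script uploads to /tmp would come out as `httpd_sys_rw_content_t`, a type that httpd_t itself is given manage access to under the unified tunables later in this patch, and that the `httpd_tmp_exec` tunable (`can_exec(httpd_sys_script_t, httpd_tmp_t)`) would not cover. Unless script temp files are deliberately meant to be servable content, the transition target should be `httpd_tmp_t` to match the manage rules. The comment above the block also has a typo: `# php uploads a file to /tmp and then execs programs to act on them`.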
@@ -12837,37 +12355,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
-@@ -391,32 +494,71 @@
- corenet_tcp_connect_all_ports(httpd_t)
- ')
-
-+tunable_policy(`httpd_can_sendmail',`
-+ # allow httpd to connect to mail servers
-+ corenet_tcp_connect_smtp_port(httpd_t)
-+ corenet_sendrecv_smtp_client_packets(httpd_t)
-+ corenet_tcp_connect_pop_port(httpd_t)
-+ corenet_sendrecv_pop_client_packets(httpd_t)
-+ mta_send_mail(httpd_t)
-+ mta_signal(httpd_t)
-+ mta_send_mail(httpd_sys_script_t)
-+')
-+
- tunable_policy(`httpd_can_network_relay',`
- # allow httpd to work as a relay
- corenet_tcp_connect_gopher_port(httpd_t)
- corenet_tcp_connect_ftp_port(httpd_t)
- corenet_tcp_connect_http_port(httpd_t)
- corenet_tcp_connect_http_cache_port(httpd_t)
-+ corenet_tcp_connect_memcache_port(httpd_t)
- corenet_sendrecv_gopher_client_packets(httpd_t)
- corenet_sendrecv_ftp_client_packets(httpd_t)
- corenet_sendrecv_http_client_packets(httpd_t)
+@@ -446,6 +511,16 @@
corenet_sendrecv_http_cache_client_packets(httpd_t)
')
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
-+ filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file })
++ filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
+ can_exec(httpd_sys_script_t, httpd_sys_content_t)
+')
+
@@ -12875,46 +12369,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+ miscfiles_manage_public_files(httpd_sys_script_t)
+')
+
-+tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-+ fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
-+')
-+
-+tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
-+ fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
-+')
-+
-+
+ tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
+ fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
+ ')
+@@ -456,6 +531,10 @@
+
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
-- domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
-+ domtrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_script_t)
-+ filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file })
-+ manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t)
-+ manage_files_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t)
-+ manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t)
+ domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
++ filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
++ manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
++ manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
++ manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
- manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
+@@ -470,11 +549,25 @@
+ userdom_read_user_home_content_files(httpd_t)
')
--tunable_policy(`httpd_enable_ftp_server',`
-- corenet_tcp_bind_ftp_port(httpd_t)
+tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
+ can_exec(httpd_t, httpd_tmp_t)
- ')
-
--tunable_policy(`httpd_enable_homedirs',`
-- userdom_read_user_home_content_files(httpd_t)
++')
++
+tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
+ can_exec(httpd_sys_script_t, httpd_tmp_t)
+')
+
-+tunable_policy(`httpd_enable_ftp_server',`
-+ corenet_tcp_bind_ftp_port(httpd_t)
- ')
-
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -424,11 +566,23 @@
+ fs_read_nfs_files(httpd_t)
fs_read_nfs_symlinks(httpd_t)
')
@@ -12927,29 +12409,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
- ')
-
+@@ -484,7 +577,16 @@
+ # allow httpd to connect to mail servers
+ corenet_tcp_connect_smtp_port(httpd_t)
+ corenet_sendrecv_smtp_client_packets(httpd_t)
++ corenet_tcp_connect_pop_port(httpd_t)
++ corenet_sendrecv_pop_client_packets(httpd_t)
+ mta_send_mail(httpd_t)
++ mta_signal(httpd_t)
++')
++
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_dirs(httpd_t)
+ fs_manage_cifs_files(httpd_t)
+ fs_manage_cifs_symlinks(httpd_t)
-+')
-+
- tunable_policy(`httpd_ssi_exec',`
- corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
- allow httpd_sys_script_t httpd_t:fd use;
-@@ -451,7 +605,18 @@
')
+ tunable_policy(`httpd_ssi_exec',`
+@@ -514,6 +616,9 @@
+
optional_policy(`
-+ ccs_read_config(httpd_t)
-+')
-+
-+optional_policy(`
-+ cvs_read_data(httpd_t)
-+')
-+
-+optional_policy(`
cobbler_search_lib(httpd_t)
+ tunable_policy(`httpd_can_network_connect_cobbler',`
+ corenet_tcp_connect_cobbler_port(httpd_t)
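Review bot: The `httpd_can_sendmail` block now also grants POP client access (`corenet_tcp_connect_pop_port(httpd_t)`, `corenet_sendrecv_pop_client_packets(httpd_t)`) and `mta_signal(httpd_t)`, which goes beyond what the tunable's name and its existing comment `# allow httpd to connect to mail servers` convey. Retrieving mail over POP is a different capability from sending it, and an administrator enabling a "can send mail" boolean would not expect to open it. At minimum the comment should say so, e.g. `# allow httpd to send mail over SMTP, fetch mail over POP, and signal the MTA`, and the gen_tunable description for `httpd_can_sendmail` (not in this hunk) should mention POP as well. The tunable_policy block this hunk edits starts outside the hunk.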
@@ -12957,60 +12436,43 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -463,8 +628,24 @@
+@@ -528,7 +633,7 @@
+ daemontools_service_domain(httpd_t, httpd_exec_t)
')
- optional_policy(`
-- kerberos_use(httpd_t)
-- kerberos_read_kdc_config(httpd_t)
-+ dbus_system_bus_client(httpd_t)
-+ tunable_policy(`httpd_dbus_avahi',`
-+ avahi_dbus_chat(httpd_t)
-+ ')
-+')
-+
+- optional_policy(`
+optional_policy(`
+ dbus_system_bus_client(httpd_t)
+
+ tunable_policy(`httpd_dbus_avahi',`
+@@ -537,6 +642,10 @@
+ ')
+
+ optional_policy(`
+ gitosis_read_lib_files(httpd_t)
+')
+
+optional_policy(`
-+tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
-+ gpg_domtrans(httpd_t)
-+')
-+')
-+
-+optional_policy(`
-+ kerberos_keytab_template(httpd, httpd_t)
- ')
-
- optional_policy(`
-@@ -472,22 +653,19 @@
- mailman_domtrans_cgi(httpd_t)
- # should have separate types for public and private archives
- mailman_search_data(httpd_t)
-+ mailman_read_data_files(httpd_t)
- mailman_read_archive(httpd_t)
- ')
+ tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
+ gpg_domtrans(httpd_t)
+ ')
+@@ -557,6 +666,7 @@
optional_policy(`
-- # Allow httpd to work with mysql
+ # Allow httpd to work with mysql
++ mysql_read_config(httpd_t)
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
--
-- tunable_policy(`httpd_can_network_connect_db',`
-- mysql_tcp_connect(httpd_t)
-- ')
-+ mysql_read_config(httpd_t)
- ')
+
+@@ -567,6 +677,7 @@
optional_policy(`
nagios_read_config(httpd_t)
-- nagios_domtrans_cgi(httpd_t)
+ nagios_read_log(httpd_t)
')
optional_policy(`
-@@ -498,12 +676,23 @@
+@@ -577,12 +688,23 @@
')
optional_policy(`
@@ -13034,7 +12496,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
-@@ -512,6 +701,11 @@
+@@ -591,6 +713,11 @@
')
optional_policy(`
@@ -13046,7 +12508,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -539,6 +733,23 @@
+@@ -618,6 +745,10 @@
userdom_use_user_terminals(httpd_helper_t)
@@ -13054,69 +12516,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+ userdom_use_user_terminals(httpd_helper_t)
+')
+
-+optional_policy(`
-+ type httpd_unconfined_script_t;
-+ type httpd_unconfined_script_exec_t;
-+ domain_type(httpd_unconfined_script_t)
-+ domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
-+ domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
-+ unconfined_domain(httpd_unconfined_script_t)
-+
-+ role system_r types httpd_unconfined_script_t;
-+ allow httpd_t httpd_unconfined_script_t:process signal_perms;
-+')
-+
-+
########################################
#
# Apache PHP script local policy
-@@ -568,20 +779,32 @@
-
- fs_search_auto_mountpoints(httpd_php_t)
-
-+auth_use_nsswitch(httpd_php_t)
-+
- libs_exec_lib_files(httpd_php_t)
-
- userdom_use_unpriv_users_fds(httpd_php_t)
-
--optional_policy(`
-- mysql_stream_connect(httpd_php_t)
-+tunable_policy(`httpd_can_network_connect_db',`
-+ corenet_tcp_connect_mysqld_port(httpd_t)
-+ corenet_sendrecv_mysqld_client_packets(httpd_t)
-+ corenet_tcp_connect_mysqld_port(httpd_sys_script_t)
-+ corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
-+ corenet_tcp_connect_mysqld_port(httpd_suexec_t)
-+ corenet_sendrecv_mysqld_client_packets(httpd_suexec_t)
-+
-+ corenet_tcp_connect_mssql_port(httpd_t)
-+ corenet_sendrecv_mssql_client_packets(httpd_t)
-+ corenet_tcp_connect_mssql_port(httpd_sys_script_t)
-+ corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
-+ corenet_tcp_connect_mssql_port(httpd_suexec_t)
-+ corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
- ')
-
--optional_policy(`
-- nis_use_ypbind(httpd_php_t)
--')
-
- optional_policy(`
-- postgresql_stream_connect(httpd_php_t)
-+ mysql_stream_connect(httpd_php_t)
-+ mysql_read_config(httpd_php_t)
- ')
-
- ########################################
-@@ -599,23 +822,24 @@
- append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
- read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
-
--allow httpd_suexec_t httpd_t:fifo_file getattr;
-+allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;
-
- manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +830,18 @@
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -13138,75 +12541,43 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -628,6 +852,7 @@
- logging_send_syslog_msg(httpd_suexec_t)
-
- miscfiles_read_localization(httpd_suexec_t)
-+miscfiles_read_public_files(httpd_suexec_t)
-
- tunable_policy(`httpd_can_network_connect',`
- allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
-@@ -635,22 +860,31 @@
-
- corenet_all_recvfrom_unlabeled(httpd_suexec_t)
- corenet_all_recvfrom_netlabel(httpd_suexec_t)
-- corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
-- corenet_udp_sendrecv_generic_if(httpd_suexec_t)
-- corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
-- corenet_udp_sendrecv_generic_node(httpd_suexec_t)
-+ corenet_tcp_sendrecv_all_if(httpd_suexec_t)
-+ corenet_udp_sendrecv_all_if(httpd_suexec_t)
-+ corenet_tcp_sendrecv_all_nodes(httpd_suexec_t)
-+ corenet_udp_sendrecv_all_nodes(httpd_suexec_t)
- corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
- corenet_udp_sendrecv_all_ports(httpd_suexec_t)
- corenet_tcp_connect_all_ports(httpd_suexec_t)
+@@ -740,10 +872,21 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
+read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
-+read_files_pattern(httpd_suexec_t, httpd_user_content_rw_t, httpd_user_content_rw_t)
-+read_files_pattern(httpd_suexec_t, httpd_user_content_ra_t, httpd_user_content_ra_t)
++read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
++read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+
+domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
tunable_policy(`httpd_enable_cgi && httpd_unified',`
-+ allow httpd_sys_script_t httpdcontent:file entrypoint;
+ allow httpd_sys_script_t httpdcontent:file entrypoint;
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
+-
+ manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
- ')
--
--tunable_policy(`httpd_enable_homedirs',`
-- userdom_read_user_home_content_files(httpd_suexec_t)
++')
+tunable_policy(`httpd_enable_cgi',`
+ domtrans_pattern(httpd_suexec_t, httpd_user_script_t, httpd_user_script_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -676,16 +910,16 @@
+@@ -769,6 +912,12 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
--optional_policy(`
-- nagios_domtrans_cgi(httpd_suexec_t)
--')
--
++optional_policy(`
++ mysql_stream_connect(httpd_suexec_t)
++ mysql_rw_db_sockets(httpd_suexec_t)
++ mysql_read_config(httpd_suexec_t)
++')
++
########################################
#
# Apache system script local policy
- #
-
-+allow httpd_sys_script_t self:process getsched;
-+
-+allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
- allow httpd_sys_script_t httpd_t:tcp_socket { read write };
-+allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
-
- dontaudit httpd_sys_script_t httpd_config_t:dir search;
-
-@@ -700,15 +934,29 @@
+@@ -792,9 +941,13 @@
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)
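Review bot: `domtrans_pattern(httpd_suexec_t, httpd_user_script_t, httpd_user_script_t)` passes the script domain as the entry-point file type; the second argument of `domtrans_pattern` is the executable's file type, and the type this patch uses for user CGI executables elsewhere is `httpd_user_script_exec_t` (see `userdom_user_home_content(httpd_user_script_exec_t)` in an earlier hunk). As written, the generated `type_transition` and `entrypoint` rules refer to a domain rather than a file type, so unless another rule covers it suexec gets no transition into `httpd_user_script_t` for real user scripts; this reads like a typo for `domtrans_pattern(httpd_suexec_t, httpd_user_script_exec_t, httpd_user_script_t)`. Separately, `domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)` sits outside any tunable while the equivalent `entrypoint` on `httpdcontent` directly below it is gated by `httpd_enable_cgi && httpd_unified`; if making generic content an unconditional CGI entry point is intended, a comment saying why would save the next reviewer the same question.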
@@ -13220,10 +12591,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
+@@ -803,6 +956,22 @@
+ mta_send_mail(httpd_sys_script_t)
+ ')
--tunable_policy(`httpd_enable_homedirs',`
-- userdom_read_user_home_content_files(httpd_sys_script_t)
++fs_cifs_entry_type(httpd_sys_script_t)
+fs_read_iso9660_files(httpd_sys_script_t)
++fs_nfs_entry_type(httpd_sys_script_t)
+
+tunable_policy(`httpd_use_nfs',`
+ fs_manage_nfs_dirs(httpd_sys_script_t)
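Review bot: `fs_cifs_entry_type(httpd_sys_script_t)` and `fs_nfs_entry_type(httpd_sys_script_t)` are added unconditionally, while the matching domain transitions (`fs_nfs_domtrans` / `fs_cifs_domtrans` into `httpd_sys_script_t`) are gated by `httpd_enable_cgi && httpd_use_nfs` / `httpd_use_cifs` in an earlier hunk. These interfaces grant `entrypoint` on the NFS and CIFS file types, so every file on such a mount becomes a valid entry point for the CGI domain even on systems that never enable those tunables. Moving the two lines into the `httpd_use_nfs` and `httpd_use_cifs` tunable_policy blocks that follow would keep the entry-point set consistent with the transition rules. The `tunable_policy(`httpd_use_nfs',` block opened at the end of this hunk continues outside it.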
@@ -13235,32 +12609,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+ fs_manage_nfs_files(httpd_suexec_t)
+ fs_manage_nfs_symlinks(httpd_suexec_t)
+ fs_exec_nfs_files(httpd_suexec_t)
- ')
-
- tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -716,6 +964,35 @@
++')
++
+ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
+@@ -830,6 +999,16 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
-+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
-+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
-+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
-+
-+ corenet_tcp_bind_all_nodes(httpd_sys_script_t)
-+ corenet_udp_bind_all_nodes(httpd_sys_script_t)
-+ corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
-+ corenet_all_recvfrom_netlabel(httpd_sys_script_t)
-+ corenet_tcp_sendrecv_all_if(httpd_sys_script_t)
-+ corenet_udp_sendrecv_all_if(httpd_sys_script_t)
-+ corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t)
-+ corenet_udp_sendrecv_all_nodes(httpd_sys_script_t)
-+ corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
-+ corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
-+ corenet_tcp_connect_all_ports(httpd_sys_script_t)
-+ corenet_sendrecv_all_client_packets(httpd_sys_script_t)
-+')
-+
-+
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_dirs(httpd_sys_script_t)
+ fs_manage_cifs_files(httpd_sys_script_t)
@@ -13274,36 +12631,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -728,6 +1005,10 @@
+@@ -842,6 +1021,7 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
+ mysql_read_config(httpd_sys_script_t)
-+ mysql_stream_connect(httpd_suexec_t)
-+ mysql_rw_db_sockets(httpd_suexec_t)
-+ mysql_read_config(httpd_suexec_t)
')
optional_policy(`
-@@ -739,6 +1020,8 @@
- # httpd_rotatelogs local policy
- #
-
-+allow httpd_rotatelogs_t self:capability dac_override;
-+
- manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
-
- kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-@@ -758,11 +1041,88 @@
+@@ -891,11 +1071,33 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
+ manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
-+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_ra_t, httpd_user_content_ra_t)
-+ manage_files_pattern(httpd_user_script_t, httpd_user_content_ra_t, httpd_user_content_ra_t)
-+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_rw_t, httpd_user_content_rw_t)
-+ manage_files_pattern(httpd_user_script_t, httpd_user_content_rw_t, httpd_user_content_rw_t)
++ manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
++ manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
')
# allow accessing files/dirs below the users home dir
@@ -13319,76 +12662,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+tunable_policy(`httpd_read_user_content',`
+ userdom_read_user_home_content_files(httpd_user_script_t)
+ userdom_read_user_home_content_files(httpd_suexec_t)
-+')
+ ')
+
+tunable_policy(`httpd_read_user_content && httpd_builtin_scripting',`
+ userdom_read_user_home_content_files(httpd_t)
+')
+
-+#============= bugzilla policy ==============
-+apache_content_template(bugzilla)
-+
-+type httpd_bugzilla_tmp_t;
-+files_tmp_file(httpd_bugzilla_tmp_t)
-+
-+allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms;
-+allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms;
-+allow httpd_bugzilla_script_t self:udp_socket create_socket_perms;
-+
-+corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
-+corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
-+corenet_tcp_sendrecv_all_if(httpd_bugzilla_script_t)
-+corenet_udp_sendrecv_all_if(httpd_bugzilla_script_t)
-+corenet_tcp_sendrecv_all_nodes(httpd_bugzilla_script_t)
-+corenet_udp_sendrecv_all_nodes(httpd_bugzilla_script_t)
-+corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t)
-+corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t)
-+corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t)
-+corenet_tcp_connect_mysqld_port(httpd_bugzilla_script_t)
-+corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
-+corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
-+corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t)
-+corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t)
-+
-+manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
-+manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
-+files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir })
-+
-+files_search_var_lib(httpd_bugzilla_script_t)
-+
-+mta_send_mail(httpd_bugzilla_script_t)
-+
-+sysnet_read_config(httpd_bugzilla_script_t)
-+sysnet_use_ldap(httpd_bugzilla_script_t)
-+
-+optional_policy(`
-+ mysql_search_db(httpd_bugzilla_script_t)
-+ mysql_stream_connect(httpd_bugzilla_script_t)
- ')
-+
-+optional_policy(`
-+ postgresql_stream_connect(httpd_bugzilla_script_t)
-+')
-+
-+manage_dirs_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content)
-+manage_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content)
-+manage_lnk_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content)
-+
-+manage_dirs_pattern(httpd_t,httpdcontent,httpd_rw_content)
-+manage_files_pattern(httpd_t,httpdcontent,httpd_rw_content)
-+manage_lnk_files_pattern(httpd_t,httpdcontent,httpd_rw_content)
-+
+# Removal of fastcgi, will cause problems without the following
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
+typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
-+typealias httpd_sys_content_rw_t alias { httpd_fastcgi_content_rw_t httpd_fastcgi_script_rw_t };
-+typealias httpd_sys_content_ra_t alias httpd_fastcgi_script_ra_t;
++typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
++typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.7.17/policy/modules/services/apcupsd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.7.18/policy/modules/services/apcupsd.te
--- nsaserefpolicy/policy/modules/services/apcupsd.te 2010-03-04 11:17:25.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/apcupsd.te 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/apcupsd.te 2010-04-08 15:25:24.000000000 -0400
@@ -95,6 +95,10 @@
')
@@ -13400,9 +12690,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu
mta_send_mail(apcupsd_t)
mta_system_content(apcupsd_tmp_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.7.17/policy/modules/services/arpwatch.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.7.18/policy/modules/services/arpwatch.te
--- nsaserefpolicy/policy/modules/services/arpwatch.te 2010-03-04 11:17:25.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/arpwatch.te 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/arpwatch.te 2010-04-08 15:25:24.000000000 -0400
@@ -34,6 +34,7 @@
allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms };
allow arpwatch_t self:udp_socket create_socket_perms;
@@ -13428,9 +12718,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpw
fs_getattr_all_fs(arpwatch_t)
fs_search_auto_mountpoints(arpwatch_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.7.17/policy/modules/services/asterisk.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.7.18/policy/modules/services/asterisk.if
--- nsaserefpolicy/policy/modules/services/asterisk.if 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/asterisk.if 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/asterisk.if 2010-04-08 15:25:24.000000000 -0400
@@ -1,5 +1,24 @@
## Asterisk IP telephony server
@@ -13456,9 +12746,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste
#####################################
##
## Connect to asterisk over a unix domain
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.7.17/policy/modules/services/asterisk.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.7.18/policy/modules/services/asterisk.te
--- nsaserefpolicy/policy/modules/services/asterisk.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/asterisk.te 2010-04-05 12:07:40.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/asterisk.te 2010-04-08 15:25:24.000000000 -0400
@@ -40,12 +40,13 @@
#
@@ -13568,9 +12858,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste
+ udev_read_db(asterisk_t)
')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.7.17/policy/modules/services/avahi.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.7.18/policy/modules/services/avahi.if
--- nsaserefpolicy/policy/modules/services/avahi.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.17/policy/modules/services/avahi.if 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/avahi.if 2010-04-08 15:25:24.000000000 -0400
@@ -90,6 +90,7 @@
class dbus send_msg;
')
@@ -13579,9 +12869,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah
allow $1 avahi_t:dbus send_msg;
allow avahi_t $1:dbus send_msg;
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.fc serefpolicy-3.7.17/policy/modules/services/boinc.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.fc serefpolicy-3.7.18/policy/modules/services/boinc.fc
--- nsaserefpolicy/policy/modules/services/boinc.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/boinc.fc 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/boinc.fc 2010-04-08 15:25:24.000000000 -0400
@@ -0,0 +1,6 @@
+
+/etc/rc\.d/init\.d/boinc_client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
@@ -13589,9 +12879,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
+
+/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.if serefpolicy-3.7.17/policy/modules/services/boinc.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.if serefpolicy-3.7.18/policy/modules/services/boinc.if
--- nsaserefpolicy/policy/modules/services/boinc.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/boinc.if 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/boinc.if 2010-04-08 15:25:24.000000000 -0400
@@ -0,0 +1,151 @@
+
+## policy for boinc
@@ -13744,9 +13034,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+ files_list_var_lib($1)
+ admin_pattern($1, boinc_var_lib_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.7.17/policy/modules/services/boinc.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.7.18/policy/modules/services/boinc.te
--- nsaserefpolicy/policy/modules/services/boinc.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/boinc.te 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/boinc.te 2010-04-08 15:25:24.000000000 -0400
@@ -0,0 +1,81 @@
+
+policy_module(boinc,1.0.0)
@@ -13829,9 +13119,121 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+
+sysnet_dns_name_resolve(boinc_t)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.fc serefpolicy-3.7.17/policy/modules/services/cachefilesd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.fc serefpolicy-3.7.18/policy/modules/services/bugzilla.fc
+--- nsaserefpolicy/policy/modules/services/bugzilla.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.18/policy/modules/services/bugzilla.fc 2010-04-08 15:25:24.000000000 -0400
+@@ -0,0 +1,4 @@
++
++/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
++/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
++/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.if serefpolicy-3.7.18/policy/modules/services/bugzilla.if
+--- nsaserefpolicy/policy/modules/services/bugzilla.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.18/policy/modules/services/bugzilla.if 2010-04-08 15:25:23.000000000 -0400
+@@ -0,0 +1,39 @@
++## Bugzilla server
++
++########################################
++##
++## Allow the specified domain to search
++## bugzilla directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`bugzilla_search_dirs',`
++ gen_require(`
++ type httpd_bugzilla_content_t;
++ ')
++
++ allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read and write
++## bugzilla script unix domain stream sockets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`bugzilla_dontaudit_rw_script_stream_sockets',`
++ gen_require(`
++ type httpd_bugzilla_script_t;
++ ')
++
++ dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write };
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.te serefpolicy-3.7.18/policy/modules/services/bugzilla.te
+--- nsaserefpolicy/policy/modules/services/bugzilla.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.18/policy/modules/services/bugzilla.te 2010-04-08 15:25:24.000000000 -0400
+@@ -0,0 +1,57 @@
++
++policy_module(bugzilla, 1.0)
++
++########################################
++#
++# Declarations
++#
++
++apache_content_template(bugzilla)
++
++type httpd_bugzilla_tmp_t;
++files_tmp_file(httpd_bugzilla_tmp_t)
++
++########################################
++#
++# bugzilla local policy
++#
++
++allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms;
++allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms;
++allow httpd_bugzilla_script_t self:udp_socket create_socket_perms;
++
++corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
++corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
++corenet_tcp_sendrecv_all_if(httpd_bugzilla_script_t)
++corenet_udp_sendrecv_all_if(httpd_bugzilla_script_t)
++corenet_tcp_sendrecv_all_nodes(httpd_bugzilla_script_t)
++corenet_udp_sendrecv_all_nodes(httpd_bugzilla_script_t)
++corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t)
++corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t)
++corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t)
++corenet_tcp_connect_mysqld_port(httpd_bugzilla_script_t)
++corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
++corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
++corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t)
++corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t)
++
++manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
++manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
++files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir })
++
++files_search_var_lib(httpd_bugzilla_script_t)
++
++mta_send_mail(httpd_bugzilla_script_t)
++
++sysnet_read_config(httpd_bugzilla_script_t)
++sysnet_use_ldap(httpd_bugzilla_script_t)
++
++optional_policy(`
++ mysql_search_db(httpd_bugzilla_script_t)
++ mysql_stream_connect(httpd_bugzilla_script_t)
++')
++
++optional_policy(`
++ postgresql_stream_connect(httpd_bugzilla_script_t)
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.fc serefpolicy-3.7.18/policy/modules/services/cachefilesd.fc
--- nsaserefpolicy/policy/modules/services/cachefilesd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/cachefilesd.fc 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/cachefilesd.fc 2010-04-08 15:25:23.000000000 -0400
@@ -0,0 +1,28 @@
+###############################################################################
+#
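Review bot: The two file-context lines for /usr/share/bugzilla in bugzilla.fc label every regular file in that tree as httpd_bugzilla_script_exec_t, so templates, Perl modules, stylesheets and images all become entry points httpd may execute and transition on rather than read-only content. If Bugzilla's executables are the `*.cgi` files under that tree (confirm against the package's file list), narrow the executable label to them and let everything else fall to content: `/usr/share/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)` followed by `/usr/share/bugzilla/.*\.cgi -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)`. Separately, bugzilla.te grants `corenet_tcp_sendrecv_all_ports` and `corenet_udp_sendrecv_all_ports` next to connect rules for only postgresql, mysqld, http and smtp; if the script domain needs just those four services, the all-ports sendrecv rules could be dropped so the domain's network reach matches the named ports. The version string `policy_module(bugzilla, 1.0)` also differs from the three-part form the other new modules in this patch use (`boinc,1.0.0`).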
@@ -13861,9 +13263,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach
+/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
+
+/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefiles_var_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.if serefpolicy-3.7.17/policy/modules/services/cachefilesd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.if serefpolicy-3.7.18/policy/modules/services/cachefilesd.if
--- nsaserefpolicy/policy/modules/services/cachefilesd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/cachefilesd.if 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/cachefilesd.if 2010-04-08 15:25:24.000000000 -0400
@@ -0,0 +1,41 @@
+###############################################################################
+#
@@ -13906,9 +13308,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach
+ allow cachefilesd_t $1:fifo_file rw_file_perms;
+ allow cachefilesd_t $1:process sigchld;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.te serefpolicy-3.7.17/policy/modules/services/cachefilesd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.te serefpolicy-3.7.18/policy/modules/services/cachefilesd.te
--- nsaserefpolicy/policy/modules/services/cachefilesd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/cachefilesd.te 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/cachefilesd.te 2010-04-08 15:25:24.000000000 -0400
@@ -0,0 +1,146 @@
+###############################################################################
+#
@@ -14056,9 +13458,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach
+fs_getattr_xattr_fs(cachefiles_kernel_t)
+
+dev_search_sysfs(cachefiles_kernel_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.7.17/policy/modules/services/ccs.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.7.18/policy/modules/services/ccs.te
--- nsaserefpolicy/policy/modules/services/ccs.te 2010-02-16 14:58:22.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/ccs.te 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/ccs.te 2010-04-08 15:25:24.000000000 -0400
@@ -114,5 +114,15 @@
')
@@ -14075,9 +13477,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.
+optional_policy(`
unconfined_use_fds(ccs_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.fc serefpolicy-3.7.17/policy/modules/services/certmonger.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.fc serefpolicy-3.7.18/policy/modules/services/certmonger.fc
--- nsaserefpolicy/policy/modules/services/certmonger.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/certmonger.fc 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/certmonger.fc 2010-04-08 15:25:24.000000000 -0400
@@ -0,0 +1,6 @@
+/etc/rc\.d/init\.d/certmonger -- gen_context(system_u:object_r:certmonger_initrc_exec_t,s0)
+
@@ -14085,9 +13487,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
+
+/var/run/certmonger.pid -- gen_context(system_u:object_r:certmonger_var_run_t,s0)
+/var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.if serefpolicy-3.7.17/policy/modules/services/certmonger.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.if serefpolicy-3.7.18/policy/modules/services/certmonger.if
--- nsaserefpolicy/policy/modules/services/certmonger.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/certmonger.if 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/certmonger.if 2010-04-08 15:25:23.000000000 -0400
@@ -0,0 +1,217 @@
+
+## Certificate status monitor and PKI enrollment client
@@ -14306,9 +13708,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
+ files_search_pids($1)
+ admin_pattern($1, cermonger_var_run_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.17/policy/modules/services/certmonger.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.18/policy/modules/services/certmonger.te
--- nsaserefpolicy/policy/modules/services/certmonger.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/certmonger.te 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/certmonger.te 2010-04-08 15:25:23.000000000 -0400
@@ -0,0 +1,74 @@
+policy_module(certmonger,1.0.0)
+
@@ -14384,9 +13786,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
+optional_policy(`
+ unconfined_dbus_send(certmonger_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.fc serefpolicy-3.7.17/policy/modules/services/cgroup.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.fc serefpolicy-3.7.18/policy/modules/services/cgroup.fc
--- nsaserefpolicy/policy/modules/services/cgroup.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/cgroup.fc 2010-03-31 14:29:22.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/cgroup.fc 2010-04-08 15:25:24.000000000 -0400
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t, s0)
+/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t, s0)
@@ -14397,9 +13799,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t, s0)
+
+/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t, s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.if serefpolicy-3.7.17/policy/modules/services/cgroup.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.if serefpolicy-3.7.18/policy/modules/services/cgroup.if
--- nsaserefpolicy/policy/modules/services/cgroup.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/cgroup.if 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/cgroup.if 2010-04-08 15:25:24.000000000 -0400
@@ -0,0 +1,35 @@
+## Control group rules engine daemon.
+##
@@ -14436,9 +13838,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+ stream_connect_pattern($1, cgred_var_run_t, cgred_var_run_t, cgred_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.7.17/policy/modules/services/cgroup.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.7.18/policy/modules/services/cgroup.te
--- nsaserefpolicy/policy/modules/services/cgroup.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/cgroup.te 2010-03-30 16:22:28.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/cgroup.te 2010-04-08 15:25:23.000000000 -0400
@@ -0,0 +1,87 @@
+policy_module(cgroup, 1.0.0)
+
@@ -14527,9 +13929,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+fs_rw_cgroup_files(cgconfigparser_t)
+fs_setattr_cgroup_files(cgconfigparser_t)
+fs_mount_cgroup(cgconfigparser_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.17/policy/modules/services/clamav.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.18/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/clamav.te 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/clamav.te 2010-04-08 15:25:23.000000000 -0400
@@ -1,6 +1,13 @@
policy_module(clamav, 1.7.1)
@@ -14580,17 +13982,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
optional_policy(`
amavis_read_spool_files(clamscan_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.fc serefpolicy-3.7.17/policy/modules/services/clogd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.fc serefpolicy-3.7.18/policy/modules/services/clogd.fc
--- nsaserefpolicy/policy/modules/services/clogd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/clogd.fc 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/clogd.fc 2010-04-08 15:25:24.000000000 -0400
@@ -0,0 +1,4 @@
+
+/usr/sbin/clogd -- gen_context(system_u:object_r:clogd_exec_t,s0)
+
+/var/run/clogd\.pid -- gen_context(system_u:object_r:clogd_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.7.17/policy/modules/services/clogd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.7.18/policy/modules/services/clogd.if
--- nsaserefpolicy/policy/modules/services/clogd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/clogd.if 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/clogd.if 2010-04-08 15:25:23.000000000 -0400
@@ -0,0 +1,82 @@
+## clogd - clustered mirror log server
+
@@ -14674,9 +14076,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clog
+ fs_search_tmpfs($1)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.te serefpolicy-3.7.17/policy/modules/services/clogd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.te serefpolicy-3.7.18/policy/modules/services/clogd.te
--- nsaserefpolicy/policy/modules/services/clogd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/clogd.te 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/clogd.te 2010-04-08 15:25:24.000000000 -0400
@@ -0,0 +1,65 @@
+
+policy_module(clogd,1.0.0)
@@ -14743,9 +14145,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clog
+')
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.7.17/policy/modules/services/cobbler.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.7.18/policy/modules/services/cobbler.if
--- nsaserefpolicy/policy/modules/services/cobbler.if 2010-03-05 10:46:32.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/cobbler.if 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/cobbler.if 2010-04-08 15:25:24.000000000 -0400
@@ -173,9 +173,11 @@
files_list_var_lib($1)
admin_pattern($1, cobbler_var_lib_t)
@@ -14759,9 +14161,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
cobblerd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 cobblerd_initrc_exec_t system_r;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.7.17/policy/modules/services/cobbler.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.7.18/policy/modules/services/cobbler.te
--- nsaserefpolicy/policy/modules/services/cobbler.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/cobbler.te 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/cobbler.te 2010-04-08 15:25:23.000000000 -0400
@@ -40,6 +40,7 @@
allow cobblerd_t self:fifo_file rw_fifo_file_perms;
allow cobblerd_t self:tcp_socket create_stream_socket_perms;
@@ -14792,9 +14194,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
+apache_content_template(cobbler)
+manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
+manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.7.17/policy/modules/services/consolekit.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.7.18/policy/modules/services/consolekit.fc
--- nsaserefpolicy/policy/modules/services/consolekit.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.17/policy/modules/services/consolekit.fc 2010-03-31 09:50:46.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/consolekit.fc 2010-04-08 15:25:23.000000000 -0400
@@ -1,5 +1,7 @@
/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
@@ -14804,9 +14206,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
-/var/run/ConsoleKit(/.*)? -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
+/var/run/console-kit-daemon\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
+/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.7.17/policy/modules/services/consolekit.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.7.18/policy/modules/services/consolekit.if
--- nsaserefpolicy/policy/modules/services/consolekit.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.17/policy/modules/services/consolekit.if 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/consolekit.if 2010-04-08 15:25:23.000000000 -0400
@@ -55,5 +55,44 @@
')
@@ -14852,9 +14254,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
+ read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.7.17/policy/modules/services/consolekit.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.7.18/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/consolekit.te 2010-03-31 09:06:51.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/consolekit.te 2010-04-08 15:25:24.000000000 -0400
@@ -16,12 +16,15 @@
type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
@@ -14944,9 +14346,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
+ unconfined_ptrace(consolekit_t)
unconfined_stream_connect(consolekit_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.7.17/policy/modules/services/corosync.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.7.18/policy/modules/services/corosync.fc
--- nsaserefpolicy/policy/modules/services/corosync.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/corosync.fc 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/corosync.fc 2010-04-08 15:25:24.000000000 -0400
@@ -0,0 +1,15 @@
+
+/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
@@ -14963,9 +14365,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+/var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0)
+/var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.if serefpolicy-3.7.17/policy/modules/services/corosync.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.if serefpolicy-3.7.18/policy/modules/services/corosync.if
--- nsaserefpolicy/policy/modules/services/corosync.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/corosync.if 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/corosync.if 2010-04-08 15:25:24.000000000 -0400
@@ -0,0 +1,108 @@
+## SELinux policy for Corosync Cluster Engine
+
@@ -15075,9 +14477,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+')
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.17/policy/modules/services/corosync.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.18/policy/modules/services/corosync.te
--- nsaserefpolicy/policy/modules/services/corosync.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/corosync.te 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/corosync.te 2010-04-08 15:25:24.000000000 -0400
@@ -0,0 +1,122 @@
+
+policy_module(corosync,1.0.0)
@@ -15201,9 +14603,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+ rgmanager_manage_tmpfs_files(corosync_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.7.17/policy/modules/services/cron.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.7.18/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.17/policy/modules/services/cron.fc 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/cron.fc 2010-04-08 15:25:23.000000000 -0400
@@ -14,7 +14,7 @@
/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
@@ -15221,9 +14623,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
+
+/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.7.17/policy/modules/services/cron.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.7.18/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.17/policy/modules/services/cron.if 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/cron.if 2010-04-08 15:25:23.000000000 -0400
@@ -12,6 +12,10 @@
##
#
@@ -15397,9 +14799,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
+
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.17/policy/modules/services/cron.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.18/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/cron.te 2010-03-31 10:09:23.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/cron.te 2010-04-08 15:25:24.000000000 -0400
@@ -38,8 +38,10 @@
type cron_var_lib_t;
files_type(cron_var_lib_t)
@@ -15611,15 +15013,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
# via redirection of standard out.
optional_policy(`
rpm_manage_log(system_cronjob_t)
-@@ -435,6 +497,7 @@
+@@ -435,6 +497,8 @@
apache_read_config(system_cronjob_t)
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
-+ apache_delete_cache(system_cronjob_t)
++ apache_delete_cache_dirs(system_cronjob_t)
++ apache_delete_cache_files(system_cronjob_t)
')
optional_policy(`
-@@ -442,6 +505,14 @@
+@@ -442,6 +506,14 @@
')
optional_policy(`
@@ -15634,7 +15037,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
ftp_read_log(system_cronjob_t)
')
-@@ -456,11 +527,16 @@
+@@ -456,11 +528,16 @@
')
optional_policy(`
@@ -15651,7 +15054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
optional_policy(`
-@@ -476,7 +552,7 @@
+@@ -476,7 +553,7 @@
prelink_manage_lib(system_cronjob_t)
prelink_manage_log(system_cronjob_t)
prelink_read_cache(system_cronjob_t)
@@ -15660,7 +15063,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
optional_policy(`
-@@ -491,6 +567,7 @@
+@@ -491,6 +568,7 @@
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
@@ -15668,7 +15071,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
optional_policy(`
-@@ -498,6 +575,9 @@
+@@ -498,6 +576,9 @@
')
optional_policy(`
@@ -15678,7 +15081,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
unconfined_domain(system_cronjob_t)
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
-@@ -591,6 +671,7 @@
+@@ -591,6 +672,7 @@
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@@ -15686,9 +15089,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
tunable_policy(`fcron_crond', `
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.17/policy/modules/services/cups.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.18/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2009-07-28 15:51:13.000000000 -0400
-+++ serefpolicy-3.7.17/policy/modules/services/cups.fc 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/cups.fc 2010-04-08 15:25:23.000000000 -0400
@@ -13,10 +13,14 @@
/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
@@ -15735,9 +15138,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.17/policy/modules/services/cups.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.18/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.17/policy/modules/services/cups.te 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/cups.te 2010-04-08 15:25:24.000000000 -0400
@@ -23,6 +23,9 @@
type cupsd_initrc_exec_t;
init_script_file(cupsd_initrc_exec_t)
@@ -15987,9 +15390,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
dev_read_sysfs(hplip_t)
dev_rw_printer(hplip_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.7.17/policy/modules/services/cvs.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.7.18/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.17/policy/modules/services/cvs.te 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/cvs.te 2010-04-08 15:25:24.000000000 -0400
@@ -93,6 +93,7 @@
auth_can_read_shadow_passwords(cvs_t)
tunable_policy(`allow_cvs_read_shadow',`
@@ -16004,9 +15407,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.7.17/policy/modules/services/cyrus.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.7.18/policy/modules/services/cyrus.te
--- nsaserefpolicy/policy/modules/services/cyrus.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/cyrus.te 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/cyrus.te 2010-04-08 15:25:23.000000000 -0400
@@ -75,6 +75,7 @@
corenet_tcp_bind_mail_port(cyrus_t)
corenet_tcp_bind_lmtp_port(cyrus_t)
@@ -16023,9 +15426,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru
snmp_read_snmp_var_lib_files(cyrus_t)
snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
snmp_stream_connect(cyrus_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.7.17/policy/modules/services/dbus.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.7.18/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.7.17/policy/modules/services/dbus.if 2010-03-30 12:54:59.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/dbus.if 2010-04-08 15:25:24.000000000 -0400
@@ -42,8 +42,10 @@
gen_require(`
class dbus { send_msg acquire_svc };
@@ -16116,7 +15519,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
## for service (acquire_svc).
##
##
-@@ -334,6 +342,41 @@
+@@ -334,6 +342,34 @@
########################################
##
@@ -16144,13 +15547,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
+
+ dbus_session_bus_client($1)
+ dbus_connect_session_bus($1)
-+
-+ optional_policy(`
-+ # If unconfined_t wants to start a dbus_session_domain.
-+ # unconfined_dbusd_t should get implemented for F13.
-+ # Can just remove this when it is.
-+ unconfined_dbus_connect($1)
-+ ')
+')
+
+########################################
@@ -16158,7 +15554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
## Create a domain for processes
## which can be started by the system dbus
##
-@@ -364,6 +407,19 @@
+@@ -364,6 +400,19 @@
dbus_system_bus_client($1)
dbus_connect_system_bus($1)
@@ -16178,7 +15574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
ifdef(`hide_broken_symptoms', `
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
')
-@@ -405,3 +461,43 @@
+@@ -405,3 +454,43 @@
typeattribute $1 dbusd_unconfined;
')
@@ -16222,9 +15618,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
+ read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.7.17/policy/modules/services/dbus.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.7.18/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/dbus.te 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/dbus.te 2010-04-08 15:25:23.000000000 -0400
@@ -86,6 +86,7 @@
dev_read_sysfs(system_dbusd_t)
@@ -16258,22 +15654,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
')
-@@ -156,5 +168,24 @@
+@@ -156,5 +168,12 @@
#
# Unconfined access to this module
#
-+optional_policy(`
-+ gen_require(`
-+ type unconfined_dbusd_t;
-+ ')
-+ unconfined_domain(unconfined_dbusd_t)
-+ unconfined_execmem_domtrans(unconfined_dbusd_t)
-+
-+ optional_policy(`
-+ xserver_rw_shm(unconfined_dbusd_t)
-+ ')
-+')
-
+-
allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
+allow session_bus_type dbusd_unconfined:dbus send_msg;
@@ -16283,9 +15668,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
+ xserver_rw_xdm_pipes(session_bus_type)
+ xserver_append_xdm_home_files(session_bus_type)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.fc serefpolicy-3.7.17/policy/modules/services/denyhosts.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.fc serefpolicy-3.7.18/policy/modules/services/denyhosts.fc
--- nsaserefpolicy/policy/modules/services/denyhosts.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/denyhosts.fc 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/denyhosts.fc 2010-04-08 15:25:24.000000000 -0400
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/denyhosts -- gen_context(system_u:object_r:denyhosts_initrc_exec_t, s0)
+
@@ -16294,9 +15679,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
+/var/lib/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_lib_t, s0)
+/var/lock/subsys/denyhosts -- gen_context(system_u:object_r:denyhosts_var_lock_t, s0)
+/var/log/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_log_t, s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.7.17/policy/modules/services/denyhosts.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.7.18/policy/modules/services/denyhosts.if
--- nsaserefpolicy/policy/modules/services/denyhosts.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/denyhosts.if 2010-03-30 12:55:47.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/denyhosts.if 2010-04-08 15:25:23.000000000 -0400
@@ -0,0 +1,87 @@
+## Deny Hosts.
+##
@@ -16385,9 +15770,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
+ files_search_locks($1)
+ admin_pattern($1, denyhosts_var_lock_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.7.17/policy/modules/services/denyhosts.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.7.18/policy/modules/services/denyhosts.te
--- nsaserefpolicy/policy/modules/services/denyhosts.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/denyhosts.te 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/denyhosts.te 2010-04-08 15:25:24.000000000 -0400
@@ -0,0 +1,73 @@
+
+policy_module(denyhosts, 1.0.0)
@@ -16462,9 +15847,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
+optional_policy(`
+ cron_system_entry(denyhosts_t, denyhosts_exec_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.7.17/policy/modules/services/devicekit.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.7.18/policy/modules/services/devicekit.fc
--- nsaserefpolicy/policy/modules/services/devicekit.fc 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.17/policy/modules/services/devicekit.fc 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/devicekit.fc 2010-04-08 15:25:24.000000000 -0400
@@ -1,8 +1,14 @@
/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0)
/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
@@ -16481,9 +15866,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
+/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.7.17/policy/modules/services/devicekit.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.7.18/policy/modules/services/devicekit.if
--- nsaserefpolicy/policy/modules/services/devicekit.if 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.17/policy/modules/services/devicekit.if 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/devicekit.if 2010-04-08 15:25:24.000000000 -0400
@@ -139,6 +139,26 @@
########################################
@@ -16520,9 +15905,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
')
allow $1 devicekit_t:process { ptrace signal_perms getattr };
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.17/policy/modules/services/devicekit.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.18/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.17/policy/modules/services/devicekit.te 2010-03-31 10:24:28.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/devicekit.te 2010-04-08 15:25:24.000000000 -0400
@@ -42,6 +42,8 @@
files_read_etc_files(devicekit_t)
@@ -16676,7 +16061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
-allow devicekit_power_t self:capability { dac_override sys_tty_config sys_nice sys_ptrace };
+allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
-+allow devicekit_power_t self:process getsched;
++allow devicekit_disk_t self:process { getsched signal_perms };
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
+allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
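Review bot: The replacement line `++allow devicekit_disk_t self:process { getsched signal_perms };` grants to devicekit_disk_t but sits between devicekit_power_t's capability and fifo_file self rules, and the devicekit_power_t getsched rule it replaces is dropped without anything taking its place. If devicekit_power_t still needs getsched, keep `allow devicekit_power_t self:process getsched;` here and place the devicekit_disk_t rule beside that domain's other self rules; if the change of domain was a slip, the line should read `allow devicekit_power_t self:process { getsched signal_perms };`. A one-line comment on why signal_perms is needed would help the next reader either way, since the devicekit_disk_t section is outside this hunk and the intent cannot be checked from here.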
@@ -16755,9 +16140,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
+optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.7.17/policy/modules/services/dhcp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.7.18/policy/modules/services/dhcp.te
--- nsaserefpolicy/policy/modules/services/dhcp.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/dhcp.te 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/dhcp.te 2010-04-08 15:25:23.000000000 -0400
@@ -112,6 +112,10 @@
')
@@ -16769,9 +16154,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp
dbus_system_bus_client(dhcpd_t)
dbus_connect_system_bus(dhcpd_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.7.17/policy/modules/services/djbdns.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.7.18/policy/modules/services/djbdns.if
--- nsaserefpolicy/policy/modules/services/djbdns.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.17/policy/modules/services/djbdns.if 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/djbdns.if 2010-04-08 15:25:24.000000000 -0400
@@ -26,6 +26,8 @@
daemontools_read_svc(djbdns_$1_t)
@@ -16821,9 +16206,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbd
+
+ allow $1 djbdns_tinydn_t:key link;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.te serefpolicy-3.7.17/policy/modules/services/djbdns.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.te serefpolicy-3.7.18/policy/modules/services/djbdns.te
--- nsaserefpolicy/policy/modules/services/djbdns.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.17/policy/modules/services/djbdns.te 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/djbdns.te 2010-04-08 15:25:23.000000000 -0400
@@ -42,3 +42,11 @@
files_search_var(djbdns_axfrdns_t)
@@ -16836,9 +16221,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbd
+
+init_dontaudit_use_script_fds(djbdns_tinydns_t)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.7.17/policy/modules/services/dnsmasq.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.7.18/policy/modules/services/dnsmasq.fc
--- nsaserefpolicy/policy/modules/services/dnsmasq.fc 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/dnsmasq.fc 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/dnsmasq.fc 2010-04-08 15:25:24.000000000 -0400
@@ -6,5 +6,7 @@
/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0)
@@ -16847,9 +16232,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
+
/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.7.17/policy/modules/services/dnsmasq.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.7.18/policy/modules/services/dnsmasq.if
--- nsaserefpolicy/policy/modules/services/dnsmasq.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/dnsmasq.if 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/dnsmasq.if 2010-04-08 15:25:23.000000000 -0400
@@ -111,7 +111,7 @@
type dnsmasq_etc_t;
')
@@ -16868,9 +16253,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
files_search_etc($1)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.7.17/policy/modules/services/dnsmasq.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.7.18/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/dnsmasq.te 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/dnsmasq.te 2010-04-08 15:25:24.000000000 -0400
@@ -19,6 +19,9 @@
type dnsmasq_lease_t;
files_type(dnsmasq_lease_t)
@@ -16926,9 +16311,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
seutil_sigchld_newrole(dnsmasq_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.7.17/policy/modules/services/dovecot.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.7.18/policy/modules/services/dovecot.fc
--- nsaserefpolicy/policy/modules/services/dovecot.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.17/policy/modules/services/dovecot.fc 2010-03-30 14:48:23.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/dovecot.fc 2010-04-08 15:25:23.000000000 -0400
@@ -3,6 +3,7 @@
# /etc
#
@@ -16956,9 +16341,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.17/policy/modules/services/dovecot.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.18/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.17/policy/modules/services/dovecot.te 2010-04-02 11:36:35.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/dovecot.te 2010-04-08 15:25:24.000000000 -0400
@@ -9,6 +9,9 @@
type dovecot_exec_t;
init_daemon_domain(dovecot_t, dovecot_exec_t)
@@ -17109,9 +16494,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
fs_manage_cifs_files(dovecot_t)
fs_manage_cifs_symlinks(dovecot_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.7.17/policy/modules/services/fail2ban.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.7.18/policy/modules/services/fail2ban.if
--- nsaserefpolicy/policy/modules/services/fail2ban.if 2010-03-18 06:48:09.000000000 -0400
-+++ serefpolicy-3.7.17/policy/modules/services/fail2ban.if 2010-03-29 15:35:14.000000000 -0400
++++ serefpolicy-3.7.18/policy/modules/services/fail2ban.if 2010-04-08 15:25:23.000000000 -0400
@@ -138,6 +138,26 @@
########################################
@@ -17139,9 +16524,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
## All of the rules required to administrate
## an fail2ban environment
##