diff --git a/modules-minimum.conf b/modules-minimum.conf
index fa24579..3197745 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -32,6 +32,13 @@ alsa = base
#
ada = module
+# Layer: services
+# Module: cachefilesd
+#
+# CacheFiles userspace management daemon
+#
+cachefilesd = module
+
# Layer: apps
# Module: cpufreqselector
#
diff --git a/modules-mls.conf b/modules-mls.conf
index bb5cb43..be8b528 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -33,11 +33,11 @@ alsa = base
ada = module
# Layer: services
-# Module: cgroup
+# Module: cachefilesd
#
-# Tools and libraries to control and monitor control groups
+# CacheFiles userspace management daemon
#
-cgroup = module
+cachefilesd = module
# Layer: apps
# Module: cpufreqselector
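Review bot: The `cgroup = module` stanza is silently dropped from modules-mls.conf here: the `# Module: cgroup` header, its description and the entry line are replaced in place by cachefilesd rather than cachefilesd being inserted beside them, whereas the modules-minimum.conf and modules-targeted.conf hunks only add cachefilesd. If cgroup is still meant to be built for MLS, keep the three cgroup lines and insert the `# Layer: services` / `# Module: cachefilesd` / `cachefilesd = module` block after them. If dropping cgroup from the MLS build is intended, nothing in the change signals it, so it deserves a line of its own in the commit message.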
@@ -46,6 +46,13 @@ cgroup = module
#
cpufreqselector = module
+# Layer: apps
+# Module: chrome
+#
+# chrome sandbox
+#
+chrome = module
+
# Layer: modules
# Module: awstats
#
@@ -219,13 +226,20 @@ certwatch = module
certmaster = module
# Layer: services
+# Module: certmonger
+#
+# Certificate status monitor and PKI enrollment client
+#
+certmonger = module
+
+# Layer: services
# Module: chronyd
#
# Daemon for maintaining clock time
#
chronyd = module
-# Layer: services
+q# Layer: services
# Module: cipe
#
# Encrypted tunnel daemon
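Review bot: The line `+q# Layer: services` carries a stray leading `q`, so it no longer begins with `#` and is not a comment; depending on how the modules.conf reader treats a line without `=`, it will either be rejected or quietly skipped, and either way the cipe stanza loses its layer header. It should read `# Layer: services`, identical to the line the hunk removes.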
@@ -433,12 +447,26 @@ domain = base
#
dovecot = module
+# Layer: services
+# Module: git
+#
+# Policy for the stupid content tracker
+#
+git = module
+
+# Layer: apps
+# Module: gitosis
+#
+# Policy for gitosis
+#
+gitosis = module
+
# Layer: apps
# Module: gpg
#
# Policy for GNU Privacy Guard and related programs.
#
-gpg = off
+gpg = module
# Layer: services
# Module: gpsd
@@ -507,6 +535,20 @@ finger = module
#
firstboot = base
+# Layer: apps
+# Module: firewallgui
+#
+# policy for system-config-firewall
+#
+firewallgui = module
+
+# Layer: services
+# Module: fprintd
+#
+# finger print server
+#
+fprintd = module
+
# Layer: system
# Module: fstools
#
@@ -557,11 +599,11 @@ gnomeclock = module
hal = module
# Layer: services
-# Module: plymouthd
+# Module: plymouth
#
# Plymouth
#
-plymouthd = module
+plymouth = module
# Layer: services
# Module: policykit
@@ -570,6 +612,13 @@ plymouthd = module
#
policykit = module
+# Layer: apps
+# Module: ptchown
+#
+# helper function for grantpt(3), changes ownship and permissions of pseudotty
+#
+ptchown = module
+
# Layer: services
# Module: psad
#
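Review bot: `ownship` in the new ptchown description is a typo. Suggested line: `# helper function for grantpt(3), changes ownership and permissions of pseudotty`.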
@@ -802,7 +851,7 @@ lvm = base
# Layer: admin
# Module: mcelog
#
-# Policy for mcelog.
+# mcelog is a daemon that collects and decodes Machine Check Exception data on x86-64 machines.
#
mcelog = base
@@ -871,6 +920,20 @@ mount = base
#
mozilla = module
+# Layer: services
+# Module: ntop
+#
+# Policy for ntop
+#
+ntop = module
+
+# Layer: services
+# Module: nslcd
+#
+# Policy for nslcd
+#
+nslcd = module
+
# Layer: apps
# Module: nsplugin
#
@@ -1143,6 +1206,13 @@ razor = module
readahead = base
# Layer: services
+# Module: rgmanager
+#
+# Red Hat Resource Group Manager
+#
+rgmanager = module
+
+# Layer: services
# Module: rhgb
#
# X windows login display manager
@@ -1214,6 +1284,13 @@ rshd = module
rsync = module
# Layer: services
+# Module: rtkit
+#
+# Real Time Kit Daemon
+#
+rtkit = module
+
+# Layer: services
# Module: rwho
#
# who is logged in on local machines
@@ -1234,6 +1311,13 @@ sasl = module
#
sendmail = base
+# Layer: apps
+# Module: seunshare
+#
+# seunshare executable
+#
+seunshare = module
+
# Layer: services
# Module: samba
#
@@ -1244,6 +1328,13 @@ sendmail = base
samba = module
# Layer: apps
+# Module: sandbox
+#
+# Experimental policy for running apps within a sandbox
+#
+sandbox = module
+
+# Layer: apps
# Module: sambagui
#
# policy for system-config-samba
@@ -1527,6 +1618,13 @@ timidity = off
tftp = module
# Layer: services
+# Module: tuned
+#
+# Dynamic adaptive system tuning daemon
+#
+tuned = module
+
+# Layer: services
# Module: uucp
#
# Unix to Unix Copy
diff --git a/modules-targeted.conf b/modules-targeted.conf
index fa24579..3197745 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -32,6 +32,13 @@ alsa = base
#
ada = module
+# Layer: services
+# Module: cachefilesd
+#
+# CacheFiles userspace management daemon
+#
+cachefilesd = module
+
# Layer: apps
# Module: cpufreqselector
#
diff --git a/policy-F13.patch b/policy-F13.patch
index ad7575f..73f0c15 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -744,7 +744,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc
/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.7.10/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/admin/rpm.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/admin/rpm.if 2010-02-26 09:12:28.000000000 -0500
@@ -13,11 +13,36 @@
interface(`rpm_domtrans',`
gen_require(`
@@ -930,7 +930,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
## Inherit and use file descriptors from RPM scripts.
##
##
-@@ -219,7 +364,51 @@
+@@ -219,7 +364,71 @@
')
files_search_tmp($1)
@@ -939,6 +939,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
+ manage_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
+')
+
++#####################################
++##
++## Allow the specified domain to append
++## to rpm tmp files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rpm_append_tmp',`
++ gen_require(`
++ type rpm_tmp_t;
++ ')
++
++ files_search_tmps($1)
++ append_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
++')
++
+########################################
+##
+## Create, read, write, and delete RPM
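Review bot: The new `rpm_append_tmp` interface calls `files_search_tmps($1)`, while the neighbouring interfaces in this same patch call `files_search_tmp($1)` (see the context line just above the hunk); the extra `s` looks like a typo, and if no interface of that name exists the policy build fails with an unexpanded macro as soon as the interface is used. Change it to `files_search_tmp($1)`. Note that later in this patch the interface is invoked for the whole `domain` attribute in domain.te, so the failure would not be confined to the rpm module.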
@@ -982,7 +1002,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
')
########################################
-@@ -241,6 +430,25 @@
+@@ -241,6 +450,25 @@
allow $1 rpm_var_lib_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@@ -1008,7 +1028,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
')
########################################
-@@ -265,6 +473,48 @@
+@@ -265,6 +493,48 @@
########################################
##
@@ -1057,7 +1077,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
## Do not audit attempts to create, read,
## write, and delete the RPM package database.
##
-@@ -283,3 +533,120 @@
+@@ -283,3 +553,120 @@
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
@@ -1169,7 +1189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
+##
+##
+#
-+interface(`rpm_inerited_fifo',`
++interface(`rpm_inherited_fifo',`
+ gen_require(`
+ attribute rpm_transition_domain;
+ ')
@@ -1180,19 +1200,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.7.10/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/admin/rpm.te 2010-02-23 15:54:38.000000000 -0500
-@@ -14,6 +14,10 @@
- domain_system_change_exemption(rpm_t)
- domain_interactive_fd(rpm_t)
- role system_r types rpm_t;
++++ serefpolicy-3.7.10/policy/modules/admin/rpm.te 2010-02-26 09:13:01.000000000 -0500
+@@ -1,6 +1,8 @@
+
+ policy_module(rpm, 1.10.0)
+
+attribute rpm_transition_domain;
+
+ ########################################
+ #
+ # Declarations
+@@ -15,6 +17,9 @@
+ domain_interactive_fd(rpm_t)
+ role system_r types rpm_t;
+
+type debuginfo_exec_t;
+domain_entry_file(rpm_t, debuginfo_exec_t)
-
++
type rpm_file_t;
files_type(rpm_file_t)
-@@ -31,11 +35,18 @@
+
+@@ -31,11 +36,18 @@
files_type(rpm_var_lib_t)
typealias rpm_var_lib_t alias var_lib_rpm_t;
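Review bot: `attribute rpm_transition_domain;` is inserted between `policy_module(rpm, 1.10.0)` and the `# Declarations` banner, so the file's only attribute declaration sits outside the declarations section while the `type debuginfo_exec_t;` added in the next inner hunk sits inside it. Moving the attribute below the banner keeps the layout consistent. A one-line comment on the attribute would also help, since its only visible use in this patch is the `gen_require` of `rpm_inherited_fifo` and the hunk does not say which domains are meant to carry it.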
@@ -1211,7 +1239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
domain_type(rpm_script_t)
domain_entry_file(rpm_t, rpm_script_exec_t)
domain_interactive_fd(rpm_script_t)
-@@ -52,8 +63,9 @@
+@@ -52,8 +64,9 @@
# rpm Local policy
#
@@ -1223,7 +1251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
allow rpm_t self:process { getattr setexec setfscreate setrlimit };
allow rpm_t self:fd use;
allow rpm_t self:fifo_file rw_fifo_file_perms;
-@@ -68,6 +80,8 @@
+@@ -68,6 +81,8 @@
allow rpm_t self:sem create_sem_perms;
allow rpm_t self:msgq create_msgq_perms;
allow rpm_t self:msg { send receive };
@@ -1232,7 +1260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
allow rpm_t rpm_log_t:file manage_file_perms;
logging_log_filetrans(rpm_t, rpm_log_t, file)
-@@ -83,12 +97,21 @@
+@@ -83,12 +98,21 @@
manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
@@ -1254,7 +1282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
corecmd_exec_all_executables(rpm_t)
-@@ -108,12 +131,15 @@
+@@ -108,12 +132,15 @@
dev_list_sysfs(rpm_t)
dev_list_usbfs(rpm_t)
dev_read_urand(rpm_t)
@@ -1271,7 +1299,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
fs_search_auto_mountpoints(rpm_t)
mls_file_read_all_levels(rpm_t)
-@@ -132,6 +158,8 @@
+@@ -132,6 +159,8 @@
# for installing kernel packages
storage_raw_read_fixed_disk(rpm_t)
@@ -1280,7 +1308,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
auth_relabel_all_files_except_shadow(rpm_t)
auth_manage_all_files_except_shadow(rpm_t)
auth_dontaudit_read_shadow(rpm_t)
-@@ -155,6 +183,7 @@
+@@ -155,6 +184,7 @@
files_exec_etc_files(rpm_t)
init_domtrans_script(rpm_t)
@@ -1288,7 +1316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
libs_exec_ld_so(rpm_t)
libs_exec_lib_files(rpm_t)
-@@ -174,7 +203,19 @@
+@@ -174,7 +204,19 @@
')
optional_policy(`
@@ -1309,7 +1337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
')
optional_policy(`
-@@ -182,36 +223,19 @@
+@@ -182,36 +224,19 @@
')
optional_policy(`
@@ -1350,7 +1378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
allow rpm_script_t self:fd use;
allow rpm_script_t self:fifo_file rw_fifo_file_perms;
allow rpm_script_t self:unix_dgram_socket create_socket_perms;
-@@ -222,12 +246,15 @@
+@@ -222,12 +247,15 @@
allow rpm_script_t self:sem create_sem_perms;
allow rpm_script_t self:msgq create_msgq_perms;
allow rpm_script_t self:msg { send receive };
@@ -1366,7 +1394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
-@@ -239,6 +266,9 @@
+@@ -239,6 +267,9 @@
kernel_read_kernel_sysctls(rpm_script_t)
kernel_read_system_state(rpm_script_t)
@@ -1376,7 +1404,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
dev_list_sysfs(rpm_script_t)
-@@ -254,7 +284,9 @@
+@@ -254,7 +285,9 @@
fs_getattr_xattr_fs(rpm_script_t)
fs_mount_xattr_fs(rpm_script_t)
fs_unmount_xattr_fs(rpm_script_t)
@@ -1386,7 +1414,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
mcs_killall(rpm_script_t)
mcs_ptrace_all(rpm_script_t)
-@@ -272,14 +304,19 @@
+@@ -272,14 +305,19 @@
storage_raw_read_fixed_disk(rpm_script_t)
storage_raw_write_fixed_disk(rpm_script_t)
@@ -1406,7 +1434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
domain_read_all_domains_state(rpm_script_t)
domain_getattr_all_domains(rpm_script_t)
-@@ -291,8 +328,10 @@
+@@ -291,8 +329,10 @@
files_exec_etc_files(rpm_script_t)
files_read_etc_runtime_files(rpm_script_t)
files_exec_usr_files(rpm_script_t)
@@ -1417,7 +1445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
libs_exec_ld_so(rpm_script_t)
libs_exec_lib_files(rpm_script_t)
-@@ -308,12 +347,15 @@
+@@ -308,12 +348,15 @@
seutil_domtrans_loadpolicy(rpm_script_t)
seutil_domtrans_setfiles(rpm_script_t)
seutil_domtrans_semanage(rpm_script_t)
@@ -1433,7 +1461,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
')
')
-@@ -326,13 +368,22 @@
+@@ -326,13 +369,22 @@
')
optional_policy(`
@@ -1584,8 +1612,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltcl
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.7.10/policy/modules/admin/sudo.if
--- nsaserefpolicy/policy/modules/admin/sudo.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/admin/sudo.if 2010-02-23 15:54:38.000000000 -0500
-@@ -78,7 +78,7 @@
++++ serefpolicy-3.7.10/policy/modules/admin/sudo.if 2010-02-26 14:44:57.000000000 -0500
+@@ -73,12 +73,16 @@
+ # Enter this derived domain from the user domain
+ domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
+
++ ifdef(`hide_broken_symptoms', `
++ dontaudit $1_sudo_t $3:socket_class_set { read write };
++ ')
++
+ # By default, revert to the calling domain when a shell is executed.
+ corecmd_shell_domtrans($1_sudo_t, $3)
corecmd_bin_domtrans($1_sudo_t, $3)
allow $3 $1_sudo_t:fd use;
allow $3 $1_sudo_t:fifo_file rw_file_perms;
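Review bot: The `hide_broken_symptoms` block with `dontaudit <domain> <caller>:socket_class_set { read write };` is pasted near-verbatim into sudo.if here and again into su.if (twice), usermanage.if (chfn, groupadd, passwd, useradd), loadkeys.if, chrome.if, nsplugin.if and seunshare.if in this commit, with inconsistent formatting: tab-indented inside the interface body here, at column 0 in the su.if and usermanage.if hunks, and with a doubled blank line after the block in the second su.if hunk. Consider a single shared interface taking the transitioning domain and the caller, so the inherited-socket suppression lives in one place and a later adjustment does not have to be repeated in ten bodies. Whatever the shape, the indentation should match the surrounding interface body in each file.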
@@ -1594,7 +1631,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if
kernel_read_kernel_sysctls($1_sudo_t)
kernel_read_system_state($1_sudo_t)
-@@ -135,6 +135,9 @@
+@@ -135,6 +139,9 @@
userdom_use_user_terminals($1_sudo_t)
# for some PAM modules and for cwd
userdom_dontaudit_search_user_home_content($1_sudo_t)
@@ -1604,6 +1641,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_sudo_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.7.10/policy/modules/admin/su.if
+--- nsaserefpolicy/policy/modules/admin/su.if 2010-02-12 10:33:09.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/admin/su.if 2010-02-26 14:44:23.000000000 -0500
+@@ -58,6 +58,10 @@
+ allow $2 $1_su_t:fifo_file rw_file_perms;
+ allow $2 $1_su_t:process sigchld;
+
++ifdef(`hide_broken_symptoms', `
++ dontaudit $1_su_t $2:socket_class_set { read write };
++')
++
+ kernel_read_system_state($1_su_t)
+ kernel_read_kernel_sysctls($1_su_t)
+ kernel_search_key($1_su_t)
+@@ -183,6 +187,10 @@
+
+ # Transition from the user domain to this domain.
+ domtrans_pattern($3, su_exec_t, $1_su_t)
++ifdef(`hide_broken_symptoms', `
++ dontaudit $1_su_t $3:socket_class_set { read write };
++')
++
+
+ ps_process_pattern($3, $1_su_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.7.10/policy/modules/admin/tmpreaper.te
--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.10/policy/modules/admin/tmpreaper.te 2010-02-24 17:01:02.000000000 -0500
@@ -1647,8 +1709,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.7.10/policy/modules/admin/usermanage.if
--- nsaserefpolicy/policy/modules/admin/usermanage.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/admin/usermanage.if 2010-02-23 15:54:38.000000000 -0500
-@@ -113,6 +113,10 @@
++++ serefpolicy-3.7.10/policy/modules/admin/usermanage.if 2010-02-26 14:43:39.000000000 -0500
+@@ -18,6 +18,10 @@
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, chfn_exec_t, chfn_t)
++
++ifdef(`hide_broken_symptoms', `
++ dontaudit chfn_t $1:socket_class_set { read write };
++')
+ ')
+
+ ########################################
+@@ -63,6 +67,10 @@
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, groupadd_exec_t, groupadd_t)
++
++ifdef(`hide_broken_symptoms', `
++ dontaudit groupadd_t $1:socket_class_set { read write };
++')
+ ')
+
+ ########################################
+@@ -113,6 +121,10 @@
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, passwd_exec_t, passwd_t)
@@ -1659,7 +1743,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
')
########################################
-@@ -274,6 +278,11 @@
+@@ -247,6 +259,9 @@
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, useradd_exec_t, useradd_t)
++ifdef(`hide_broken_symptoms', `
++ dontaudit useradd_t $1:socket_class_set { read write };
++')
+ ')
+
+ ########################################
+@@ -274,6 +289,11 @@
usermanage_domtrans_useradd($1)
role $2 types useradd_t;
@@ -1744,8 +1838,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.7.10/policy/modules/admin/vbetool.te
--- nsaserefpolicy/policy/modules/admin/vbetool.te 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/admin/vbetool.te 2010-02-23 15:54:38.000000000 -0500
-@@ -25,7 +25,10 @@
++++ serefpolicy-3.7.10/policy/modules/admin/vbetool.te 2010-02-25 18:25:39.000000000 -0500
+@@ -25,7 +25,13 @@
dev_rw_xserver_misc(vbetool_t)
dev_rw_mtrr(vbetool_t)
@@ -1753,6 +1847,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool
+tunable_policy(`mmap_low_allowed',`
domain_mmap_low(vbetool_t)
+')
++
++mls_file_read_all_levels(vbetool_t)
++mls_file_write_all_levels(vbetool_t)
term_use_unallocated_ttys(vbetool_t)
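Review bot: `mls_file_read_all_levels(vbetool_t)` and `mls_file_write_all_levels(vbetool_t)` are blanket MLS overrides that exempt vbetool_t from the file-level constraints in both directions, and nothing in the hunk says which object forces it. A write-down exemption on all files is far broader than the device access the surrounding rules grant (`dev_rw_xserver_misc`, `dev_rw_mtrr`); if only a particular device node or socket needs cross-level access, the narrower mls_* interface for that object class would be preferable. At minimum add a comment above the two lines, e.g. `# MLS override: vbetool runs at arbitrary levels and must access <OBJECT-TO-DOCUMENT> across levels`, with the object filled in.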
@@ -1795,8 +1892,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.f
+/usr/lib(64)?/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.7.10/policy/modules/apps/chrome.if
--- nsaserefpolicy/policy/modules/apps/chrome.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/chrome.if 2010-02-23 15:54:38.000000000 -0500
-@@ -0,0 +1,86 @@
++++ serefpolicy-3.7.10/policy/modules/apps/chrome.if 2010-02-26 14:30:20.000000000 -0500
+@@ -0,0 +1,90 @@
+
+## policy for chrome
+
@@ -1817,6 +1914,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.i
+
+ domtrans_pattern($1,chrome_sandbox_exec_t,chrome_sandbox_t)
+ ps_process_pattern(chrome_sandbox_t, $1)
++ifdef(`hide_broken_symptoms', `
++ dontaudit chrome_sandbox_t $1:socket_class_set { read write };
++ fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t)
++')
+')
+
+
@@ -1885,7 +1986,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.i
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.10/policy/modules/apps/chrome.te
--- nsaserefpolicy/policy/modules/apps/chrome.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/chrome.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/apps/chrome.te 2010-02-26 10:42:14.000000000 -0500
@@ -0,0 +1,82 @@
+policy_module(chrome,1.0.0)
+
@@ -2743,6 +2844,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc s
/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.7.10/policy/modules/apps/gpg.if
+--- nsaserefpolicy/policy/modules/apps/gpg.if 2009-09-09 09:23:16.000000000 -0400
++++ serefpolicy-3.7.10/policy/modules/apps/gpg.if 2010-02-26 14:31:45.000000000 -0500
+@@ -52,11 +52,8 @@
+
+ ifdef(`hide_broken_symptoms',`
+ #Leaked File Descriptors
++ dontaudit gpg_t $1:socket_class_set { read write };
+ dontaudit gpg_t $2:fifo_file rw_fifo_file_perms;
+- dontaudit gpg_t $2:tcp_socket rw_socket_perms;
+- dontaudit gpg_t $2:udp_socket rw_socket_perms;
+- dontaudit gpg_t $2:unix_stream_socket rw_socket_perms;
+- dontaudit gpg_t $2:unix_dgram_socket rw_socket_perms;
+ ')
+ ')
+
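Review bot: The replacement `dontaudit gpg_t $1:socket_class_set { read write };` targets `$1`, while the four removed lines and the surviving `dontaudit gpg_t $2:fifo_file rw_fifo_file_perms;` on the next line all target `$2`. Unless `$1` is also a domain in this interface, this is a copy error: if `$1` is the role parameter the rule will not compile, and if it is some other type the leaked-descriptor symptoms on `$2` are no longer suppressed. The intended line is presumably `dontaudit gpg_t $2:socket_class_set { read write };`. The nsplugin.if hunk later in this patch has the same mismatch: `domtrans_pattern($2, nsplugin_exec_t, nsplugin_t)` takes `$2` as the caller, but the two new dontaudit lines name `$1`.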
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.7.10/policy/modules/apps/gpg.te
--- nsaserefpolicy/policy/modules/apps/gpg.te 2009-12-04 09:43:33.000000000 -0500
+++ serefpolicy-3.7.10/policy/modules/apps/gpg.te 2010-02-23 15:54:38.000000000 -0500
@@ -3031,6 +3148,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.t
+
+seutil_domtrans_setfiles_mac(livecd_t)
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.if serefpolicy-3.7.10/policy/modules/apps/loadkeys.if
+--- nsaserefpolicy/policy/modules/apps/loadkeys.if 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.10/policy/modules/apps/loadkeys.if 2010-02-26 14:41:38.000000000 -0500
+@@ -17,6 +17,9 @@
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, loadkeys_exec_t, loadkeys_t)
++ifdef(`hide_broken_symptoms', `
++ dontaudit loadkeys_t $1:socket_class_set { read write };
++')
+ ')
+
+ ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.7.10/policy/modules/apps/loadkeys.te
--- nsaserefpolicy/policy/modules/apps/loadkeys.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.10/policy/modules/apps/loadkeys.te 2010-02-23 15:54:38.000000000 -0500
@@ -3207,8 +3337,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.7.10/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/nsplugin.if 2010-02-23 15:54:38.000000000 -0500
-@@ -0,0 +1,358 @@
++++ serefpolicy-3.7.10/policy/modules/apps/nsplugin.if 2010-02-26 14:31:12.000000000 -0500
+@@ -0,0 +1,363 @@
+
+## policy for nsplugin
+
@@ -3376,6 +3506,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+
+ domtrans_pattern($2, nsplugin_exec_t, nsplugin_t)
+ domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t)
++
++ifdef(`hide_broken_symptoms', `
++ dontaudit nsplugin_t $1:socket_class_set { read write };
++ dontaudit nsplugin_config_t $1:socket_class_set { read write };
++')
+')
+
+#######################################
@@ -4161,8 +4296,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.10/policy/modules/apps/pulseaudio.te
--- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/pulseaudio.te 2010-02-23 15:54:38.000000000 -0500
-@@ -11,6 +11,15 @@
++++ serefpolicy-3.7.10/policy/modules/apps/pulseaudio.te 2010-02-26 11:04:50.000000000 -0500
+@@ -8,9 +8,19 @@
+
+ type pulseaudio_t;
+ type pulseaudio_exec_t;
++init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
application_domain(pulseaudio_t, pulseaudio_exec_t)
role system_r types pulseaudio_t;
@@ -4178,7 +4317,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
########################################
#
# pulseaudio local policy
-@@ -18,7 +27,7 @@
+@@ -18,7 +28,7 @@
allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull };
allow pulseaudio_t self:fifo_file rw_file_perms;
@@ -4187,7 +4326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms };
allow pulseaudio_t self:tcp_socket create_stream_socket_perms;
allow pulseaudio_t self:udp_socket create_socket_perms;
-@@ -26,6 +35,7 @@
+@@ -26,6 +36,7 @@
can_exec(pulseaudio_t, pulseaudio_exec_t)
@@ -4195,7 +4334,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
kernel_read_system_state(pulseaudio_t)
kernel_read_kernel_sysctls(pulseaudio_t)
-@@ -66,11 +76,17 @@
+@@ -66,11 +77,17 @@
bluetooth_stream_connect(pulseaudio_t)
')
@@ -4216,7 +4355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
dbus_system_bus_client(pulseaudio_t)
dbus_session_bus_client(pulseaudio_t)
dbus_connect_session_bus(pulseaudio_t)
-@@ -93,6 +109,10 @@
+@@ -93,6 +110,10 @@
')
optional_policy(`
@@ -4227,7 +4366,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
policykit_domtrans_auth(pulseaudio_t)
policykit_read_lib(pulseaudio_t)
policykit_read_reload(pulseaudio_t)
-@@ -103,6 +123,9 @@
+@@ -103,6 +124,9 @@
')
optional_policy(`
@@ -4330,7 +4469,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.7.10/policy/modules/apps/qemu.te
--- nsaserefpolicy/policy/modules/apps/qemu.te 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/qemu.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/apps/qemu.te 2010-02-26 10:43:41.000000000 -0500
@@ -50,6 +50,8 @@
#
# qemu local policy
@@ -4351,11 +4490,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te
########################################
#
# Unconfined qemu local policy
-@@ -110,6 +116,8 @@
+@@ -110,6 +116,9 @@
typealias unconfined_qemu_t alias qemu_unconfined_t;
application_type(unconfined_qemu_t)
unconfined_domain_noaudit(unconfined_qemu_t)
+ userdom_manage_tmpfs_role(unconfined_r, unconfined_qemu_t)
++ userdom_unpriv_usertype(unconfined, unconfined_qemu_t)
allow unconfined_qemu_t self:process { execstack execmem };
+ allow unconfined_qemu_t qemu_exec_t:file execmod;
@@ -5079,7 +5219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.i
fs_cifs_domtrans($1_screen_t, $3)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.10/policy/modules/apps/seunshare.if
--- nsaserefpolicy/policy/modules/apps/seunshare.if 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/seunshare.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/apps/seunshare.if 2010-02-26 14:42:02.000000000 -0500
@@ -2,59 +2,14 @@
########################################
@@ -5144,7 +5284,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
##
##
## Role allowed access.
-@@ -66,15 +21,28 @@
+@@ -66,15 +21,26 @@
##
##
#
@@ -5174,9 +5314,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
+ dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh };
+
+ ifdef(`hide_broken_symptoms', `
-+ dontaudit $1_seunshare_t $3:tcp_socket rw_socket_perms;
-+ dontaudit $1_seunshare_t $3:udp_socket rw_socket_perms;
-+ dontaudit $1_seunshare_t $3:unix_stream_socket rw_socket_perms;
++ dontaudit $1_seunshare_t $3:socket_class_set { read write };
+ ')
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.10/policy/modules/apps/seunshare.te
@@ -5383,7 +5521,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.10/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/kernel/corecommands.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/kernel/corecommands.fc 2010-02-26 11:12:57.000000000 -0500
@@ -44,15 +44,17 @@
/etc/apcupsd/offbattery -- gen_context(system_u:object_r:bin_t,s0)
/etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0)
@@ -5424,7 +5562,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
#
# /usr
#
-@@ -214,6 +220,7 @@
+@@ -158,6 +164,7 @@
+ /usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
++/usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+@@ -214,6 +221,7 @@
/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
@@ -5432,7 +5578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
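Review bot: `/usr/lib/fence(/.*)?` is inserted before `/usr/lib/ccache/bin(/.*)?`, breaking the alphabetical order the surrounding `/usr/lib/...` entries keep (ccache, pgsql, qt); move it after the ccache line. Like its neighbours the pattern does not cover `/usr/lib64`, which is fine if the fence agents are architecture-independent scripts, but worth confirming since other entries in this patch use `/usr/lib(64)?`.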
-@@ -228,12 +235,15 @@
+@@ -228,12 +236,15 @@
/usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -5448,7 +5594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
-@@ -323,3 +333,21 @@
+@@ -323,3 +334,21 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -6077,7 +6223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.10/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/kernel/domain.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/kernel/domain.if 2010-02-25 16:40:56.000000000 -0500
@@ -44,34 +44,6 @@
interface(`domain_type',`
# start with basic domain
@@ -6124,10 +6270,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
')
########################################
-@@ -791,6 +759,24 @@
+@@ -791,6 +759,42 @@
########################################
##
++## Get the process group ID of all domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`domain_getpgid_all_domains',`
++ gen_require(`
++ attribute domain;
++ ')
++
++ allow $1 domain:process getpgid;
++')
++
++########################################
++##
+## Get the scheduler information of all domains.
+##
+##
@@ -6149,7 +6313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
## Do not audit attempts to get the
## session ID of all domains.
##
-@@ -1039,6 +1025,54 @@
+@@ -1039,6 +1043,54 @@
########################################
##
@@ -6204,7 +6368,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
## Do not audit attempts to get the attributes
## of all domains unnamed pipes.
##
-@@ -1248,18 +1282,34 @@
+@@ -1248,18 +1300,34 @@
##
##
#
@@ -6242,7 +6406,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
## Allow specified type to receive labeled
## networking packets from all domains, over
## all protocols (TCP, UDP, etc)
-@@ -1280,6 +1330,24 @@
+@@ -1280,6 +1348,24 @@
########################################
##
@@ -6267,7 +6431,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
## Unconfined access to domains.
##
##
-@@ -1304,3 +1372,39 @@
+@@ -1304,3 +1390,39 @@
typeattribute $1 process_uncond_exempt;
')
@@ -6309,7 +6473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.10/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/kernel/domain.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/kernel/domain.te 2010-02-26 09:13:18.000000000 -0500
@@ -5,6 +5,21 @@
#
# Declarations
@@ -6401,7 +6565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
-@@ -153,3 +186,74 @@
+@@ -153,3 +186,75 @@
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -6435,9 +6599,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+optional_policy(`
+ rpm_use_fds(domain)
+ rpm_read_pipes(domain)
++ rpm_append_tmp(domain)
+ rpm_dontaudit_leaks(domain)
+ rpm_read_script_tmp_files(domain)
-+ rpm_inerited_fifo(domain)
++ rpm_inherited_fifo(domain)
+')
+
+
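Review bot: `rpm_append_tmp(domain)` grants every process type carrying the `domain` attribute append access to rpm's tmp files, which is a much wider grant than the read-only and dontaudit rules it sits beside in this optional_policy block. A short why-comment above it naming the rpm-spawned program whose output has to land in those files would keep the grant reviewable, e.g. `# scriptlet children inherit rpm tmp files for output -- confirm against the denial`. The rename from `rpm_inerited_fifo` to `rpm_inherited_fifo` corrects a misspelled interface name that presumably did not resolve at build time, so it is a fix rather than a widening.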
@@ -8031,7 +8196,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.10/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/kernel/terminal.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/kernel/terminal.if 2010-02-25 17:44:00.000000000 -0500
@@ -292,9 +292,11 @@
interface(`term_dontaudit_use_console',`
gen_require(`
@@ -8044,6 +8209,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin
')
########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditadm.te serefpolicy-3.7.10/policy/modules/roles/auditadm.te
+--- nsaserefpolicy/policy/modules/roles/auditadm.te 2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.7.10/policy/modules/roles/auditadm.te 2010-02-26 09:06:07.000000000 -0500
+@@ -33,6 +33,8 @@
+ seutil_run_runinit(auditadm_t, auditadm_r)
+ seutil_read_bin_policy(auditadm_t)
+
++userdom_dontaudit_search_admin_dir(auditadm_t)
++
+ optional_policy(`
+ consoletype_exec(auditadm_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/dbadm.if serefpolicy-3.7.10/policy/modules/roles/dbadm.if
--- nsaserefpolicy/policy/modules/roles/dbadm.if 2010-02-12 10:33:09.000000000 -0500
+++ serefpolicy-3.7.10/policy/modules/roles/dbadm.if 2010-02-23 15:54:38.000000000 -0500
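Review bot: `userdom_dontaudit_search_admin_dir(auditadm_t)` silences a denial rather than resolving it, so if auditadm_t genuinely needs to traverse the admin home directory that operation will still fail, only quietly. A comment above the rule naming where the search attempt comes from (shell startup, tab completion, or a tool run from the role) would let the next reader tell noise from a missing allow. If the search is actually required, the corresponding search interface rather than the dontaudit variant is the fix.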
@@ -8254,7 +8431,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.10/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-02-17 10:37:39.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/roles/sysadm.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/roles/sysadm.te 2010-02-26 09:04:40.000000000 -0500
@@ -15,7 +15,7 @@
role sysadm_r;
@@ -8264,7 +8441,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
ifndef(`enable_mls',`
userdom_security_admin_template(sysadm_t, sysadm_r)
-@@ -34,11 +34,16 @@
+@@ -28,17 +28,25 @@
+
+ corecmd_exec_shell(sysadm_t)
+
++domain_dontaudit_read_all_domains_state(sysadm_t)
++
+ mls_process_read_up(sysadm_t)
++mls_file_read_to_clearance(sysadm_t)
+
+ ubac_process_exempt(sysadm_t)
ubac_file_exempt(sysadm_t)
ubac_fd_exempt(sysadm_t)
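Review bot: `mls_file_read_to_clearance(sysadm_t)` is an MLS override that lets sysadm_t read files up to its clearance rather than only at its current level, and it is added unconditionally next to `mls_process_read_up`; a comment naming the admin task that needs it would help, since the `ifndef(`enable_mls'` block visible at the top of this hunk appears to belong to an earlier part of the file and not to cover these lines. `domain_dontaudit_read_all_domains_state(sysadm_t)` hides denials on the /proc state of every domain instead of granting it, so if sysadm tools are expected to read that state the read interface is the right fix, and if it is only noise a `# dontaudit: <tool> probes all domains' state` comment keeps that decision visible.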
@@ -8281,7 +8467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
ifdef(`direct_sysadm_daemon',`
optional_policy(`
-@@ -70,7 +75,9 @@
+@@ -70,7 +78,9 @@
apache_run_helper(sysadm_t, sysadm_r)
#apache_run_all_scripts(sysadm_t, sysadm_r)
#apache_domtrans_sys_script(sysadm_t)
@@ -8292,7 +8478,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
')
optional_policy(`
-@@ -86,9 +93,11 @@
+@@ -86,9 +96,11 @@
auditadm_role_change(sysadm_r)
')
@@ -8304,7 +8490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
backup_run(sysadm_t, sysadm_r)
-@@ -98,17 +107,25 @@
+@@ -98,17 +110,25 @@
bind_run_ndc(sysadm_t, sysadm_r)
')
@@ -8330,7 +8516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
certwatch_run(sysadm_t, sysadm_r)
-@@ -126,16 +143,18 @@
+@@ -126,16 +146,18 @@
consoletype_run(sysadm_t, sysadm_r)
')
@@ -8351,7 +8537,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
')
optional_policy(`
-@@ -165,9 +184,11 @@
+@@ -165,9 +187,11 @@
ethereal_run_tethereal(sysadm_t, sysadm_r)
')
@@ -8363,7 +8549,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
firstboot_run(sysadm_t, sysadm_r)
-@@ -177,6 +198,7 @@
+@@ -177,6 +201,7 @@
fstools_run(sysadm_t, sysadm_r)
')
@@ -8371,7 +8557,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
games_role(sysadm_r, sysadm_t)
')
-@@ -192,6 +214,7 @@
+@@ -192,6 +217,7 @@
optional_policy(`
gpg_role(sysadm_r, sysadm_t)
')
@@ -8379,7 +8565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
hostname_run(sysadm_t, sysadm_r)
-@@ -205,6 +228,9 @@
+@@ -205,6 +231,9 @@
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@@ -8389,7 +8575,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
')
optional_policy(`
-@@ -212,12 +238,18 @@
+@@ -212,12 +241,18 @@
')
optional_policy(`
@@ -8408,7 +8594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
kudzu_run(sysadm_t, sysadm_r)
-@@ -227,9 +259,11 @@
+@@ -227,9 +262,11 @@
libs_run_ldconfig(sysadm_t, sysadm_r)
')
@@ -8420,7 +8606,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
logrotate_run(sysadm_t, sysadm_r)
-@@ -254,6 +288,7 @@
+@@ -254,6 +291,7 @@
mount_run(sysadm_t, sysadm_r)
')
@@ -8428,7 +8614,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
mozilla_role(sysadm_r, sysadm_t)
')
-@@ -261,6 +296,7 @@
+@@ -261,6 +299,7 @@
optional_policy(`
mplayer_role(sysadm_r, sysadm_t)
')
@@ -8436,7 +8622,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
mta_role(sysadm_r, sysadm_t)
-@@ -308,8 +344,14 @@
+@@ -308,8 +347,14 @@
')
optional_policy(`
@@ -8451,7 +8637,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
quota_run(sysadm_t, sysadm_r)
-@@ -319,9 +361,11 @@
+@@ -319,9 +364,11 @@
raid_domtrans_mdadm(sysadm_t)
')
@@ -8463,7 +8649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
rpc_domtrans_nfsd(sysadm_t)
-@@ -331,9 +375,11 @@
+@@ -331,9 +378,11 @@
rpm_run(sysadm_t, sysadm_r)
')
@@ -8475,7 +8661,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
rsync_exec(sysadm_t)
-@@ -357,9 +403,11 @@
+@@ -357,9 +406,11 @@
seutil_run_runinit(sysadm_t, sysadm_r)
')
@@ -8487,7 +8673,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
ssh_role_template(sysadm, sysadm_r, sysadm_t)
-@@ -369,6 +417,7 @@
+@@ -369,6 +420,7 @@
staff_role_change(sysadm_r)
')
@@ -8495,7 +8681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
su_role_template(sysadm, sysadm_r, sysadm_t)
')
-@@ -376,15 +425,18 @@
+@@ -376,15 +428,18 @@
optional_policy(`
sudo_role_template(sysadm, sysadm_r, sysadm_t)
')
@@ -8514,7 +8700,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
tripwire_run_siggen(sysadm_t, sysadm_r)
-@@ -393,17 +445,21 @@
+@@ -393,17 +448,21 @@
tripwire_run_twprint(sysadm_t, sysadm_r)
')
@@ -8536,7 +8722,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
unconfined_domtrans(sysadm_t)
-@@ -417,9 +473,11 @@
+@@ -417,9 +476,11 @@
usbmodules_run(sysadm_t, sysadm_r)
')
@@ -8548,7 +8734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
-@@ -427,9 +485,15 @@
+@@ -427,9 +488,15 @@
usermanage_run_useradd(sysadm_t, sysadm_r)
')
@@ -8564,7 +8750,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
vpn_run(sysadm_t, sysadm_r)
-@@ -440,13 +504,26 @@
+@@ -440,13 +507,26 @@
')
optional_policy(`
@@ -9278,7 +9464,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.10/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/roles/unconfineduser.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/roles/unconfineduser.te 2010-02-26 10:43:24.000000000 -0500
@@ -0,0 +1,432 @@
+policy_module(unconfineduser, 1.0.0)
+
@@ -9901,7 +10087,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
+/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.7.10/policy/modules/services/abrt.if
--- nsaserefpolicy/policy/modules/services/abrt.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/abrt.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/services/abrt.if 2010-02-26 14:29:34.000000000 -0500
@@ -19,6 +19,29 @@
domtrans_pattern($1, abrt_exec_t, abrt_t)
')
@@ -10069,7 +10255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
## All of the rules required to administrate
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.10/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/abrt.te 2010-02-24 11:05:21.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/services/abrt.te 2010-02-26 11:55:11.000000000 -0500
@@ -33,12 +33,24 @@
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)
@@ -12792,6 +12978,233 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue
corenet_all_recvfrom_unlabeled(bluetooth_t)
corenet_all_recvfrom_netlabel(bluetooth_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.fc serefpolicy-3.7.10/policy/modules/services/cachefilesd.fc
+--- nsaserefpolicy/policy/modules/services/cachefilesd.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/services/cachefilesd.fc 2010-02-26 15:11:32.000000000 -0500
+@@ -0,0 +1,28 @@
++###############################################################################
++#
++# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
++# Written by David Howells (dhowells@redhat.com)
++# Karl MacMillan (kmacmill@redhat.com)
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License
++# as published by the Free Software Foundation; either version
++# 2 of the License, or (at your option) any later version.
++#
++###############################################################################
++
++#
++# Define the contexts to be assigned to various files and directories of
++# importance to the CacheFiles kernel module and userspace management daemon.
++#
++
++# cachefilesd executable will have:
++# label: system_u:object_r:cachefilesd_exec_t
++# MLS sensitivity: s0
++# MCS categories:
++
++/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
++/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0)
++/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
++
++/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefiles_var_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.if serefpolicy-3.7.10/policy/modules/services/cachefilesd.if
+--- nsaserefpolicy/policy/modules/services/cachefilesd.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/services/cachefilesd.if 2010-02-26 15:09:20.000000000 -0500
+@@ -0,0 +1,41 @@
++###############################################################################
++#
++# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
++# Written by David Howells (dhowells@redhat.com)
++# Karl MacMillan (kmacmill@redhat.com)
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License
++# as published by the Free Software Foundation; either version
++# 2 of the License, or (at your option) any later version.
++#
++###############################################################################
++
++#
++# Define the policy interface for the CacheFiles userspace management daemon.
++#
++
++## policy for cachefilesd
++
++########################################
++##
++## Execute a domain transition to run cachefilesd.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`cachefilesd_domtrans',`
++ gen_require(`
++ type cachefilesd_t, cachefilesd_exec_t;
++ ')
++
++ domain_auto_trans($1,cachefilesd_exec_t,cachefilesd_t)
++
++ allow $1 cachefilesd_t:fd use;
++ allow cachefilesd_t $1:fd use;
++ allow cachefilesd_t $1:fifo_file rw_file_perms;
++ allow cachefilesd_t $1:process sigchld;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.te serefpolicy-3.7.10/policy/modules/services/cachefilesd.te
+--- nsaserefpolicy/policy/modules/services/cachefilesd.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/services/cachefilesd.te 2010-02-26 15:09:20.000000000 -0500
+@@ -0,0 +1,146 @@
++###############################################################################
++#
++# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved.
++# Written by David Howells (dhowells@redhat.com)
++# Karl MacMillan (kmacmill@redhat.com)
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License
++# as published by the Free Software Foundation; either version
++# 2 of the License, or (at your option) any later version.
++#
++###############################################################################
++
++#
++# This security policy governs access by the CacheFiles kernel module and
++# userspace management daemon to the files and directories in the on-disk
++# cache, on behalf of the processes accessing the cache through a network
++# filesystem such as NFS
++#
++policy_module(cachefilesd,1.0.17)
++
++###############################################################################
++#
++# Declarations
++#
++require { type kernel_t; }
++
++#
++# Files in the cache are created by the cachefiles module with security ID
++# cachefiles_var_t
++#
++type cachefiles_var_t;
++files_type(cachefiles_var_t)
++
++#
++# The /dev/cachefiles character device has security ID cachefiles_dev_t
++#
++type cachefiles_dev_t;
++dev_node(cachefiles_dev_t)
++
++#
++# The cachefilesd daemon normally runs with security ID cachefilesd_t
++#
++type cachefilesd_t;
++type cachefilesd_exec_t;
++domain_type(cachefilesd_t)
++init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
++
++#
++# The cachefilesd daemon pid file context
++#
++type cachefilesd_var_run_t;
++files_pid_file(cachefilesd_var_run_t)
++
++#
++# The CacheFiles kernel module causes processes accessing the cache files to do
++# so acting as security ID cachefiles_kernel_t
++#
++type cachefiles_kernel_t;
++domain_type(cachefiles_kernel_t)
++domain_obj_id_change_exemption(cachefiles_kernel_t)
++role system_r types cachefiles_kernel_t;
++
++###############################################################################
++#
++# Permit RPM to deal with files in the cache
++#
++rpm_use_script_fds(cachefilesd_t)
++
++###############################################################################
++#
++# cachefilesd local policy
++#
++# These define what cachefilesd is permitted to do. This doesn't include very
++# much: startup stuff, logging, pid file, scanning the cache superstructure and
++# deleting files from the cache. It is not permitted to read/write files in
++# the cache.
++#
++# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
++# rules.
++#
++allow cachefilesd_t self : capability { setuid setgid sys_admin dac_override };
++
++# Basic access
++files_read_etc_files(cachefilesd_t)
++libs_use_ld_so(cachefilesd_t)
++libs_use_shared_libs(cachefilesd_t)
++miscfiles_read_localization(cachefilesd_t)
++logging_send_syslog_msg(cachefilesd_t)
++init_dontaudit_use_script_ptys(cachefilesd_t)
++term_dontaudit_use_generic_ptys(cachefilesd_t)
++term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
++
++# Allow manipulation of pid file
++allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
++manage_files_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t)
++manage_dirs_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t)
++files_pid_file(cachefilesd_var_run_t)
++files_pid_filetrans(cachefilesd_t,cachefilesd_var_run_t,file)
++
++# Allow access to cachefiles device file
++allow cachefilesd_t cachefiles_dev_t : chr_file rw_file_perms;
++
++# Allow access to cache superstructure
++allow cachefilesd_t cachefiles_var_t : dir rw_dir_perms;
++allow cachefilesd_t cachefiles_var_t : file { getattr rename unlink };
++
++# Permit statfs on the backing filesystem
++fs_getattr_xattr_fs(cachefilesd_t)
++
++###############################################################################
++#
++# When cachefilesd invokes the kernel module to begin caching, it has to tell
++# the kernel module the security context in which it should act, and this
++# policy has to approve that.
++#
++# There are two parts to this:
++#
++# (1) the security context used by the module to access files in the cache,
++# as set by the 'secctx' command in /etc/cachefilesd.conf, and
++#
++allow cachefilesd_t cachefiles_kernel_t : kernel_service { use_as_override };
++
++#
++# (2) the label that will be assigned to new files and directories created in
++# the cache by the module, which will be the same as the label on the
++# directory pointed to by the 'dir' command.
++#
++allow cachefilesd_t cachefiles_var_t : kernel_service { create_files_as };
++
++###############################################################################
++#
++# cachefiles kernel module local policy
++#
++# This governs what the kernel module is allowed to do the contents of the
++# cache.
++#
++allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
++allow cachefiles_kernel_t initrc_t:process sigchld;
++
++manage_dirs_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t)
++manage_files_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t)
++
++fs_getattr_xattr_fs(cachefiles_kernel_t)
++
++dev_search_sysfs(cachefiles_kernel_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.7.10/policy/modules/services/ccs.te
--- nsaserefpolicy/policy/modules/services/ccs.te 2010-02-16 14:58:22.000000000 -0500
+++ serefpolicy-3.7.10/policy/modules/services/ccs.te 2010-02-23 15:54:38.000000000 -0500
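Review bot: The pid file context in cachefilesd.fc disagrees with the policy: the .fc labels `/var/run/cachefilesd\.pid` as `cachefiles_var_t`, while cachefilesd.te declares `cachefilesd_var_run_t` for the pid file and transitions newly created pid files to that type via `files_pid_filetrans`, so after a restorecon the daemon would hold only `{ getattr rename unlink }` on its own pid file. The .fc line should read `/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0)`. Two consistency points: `cachefilesd_domtrans` uses the legacy `domain_auto_trans` plus hand-written fd/fifo/sigchld rules where the rest of this patch uses `domtrans_pattern` (abrt.if, mta.if), and the .te carries a raw `require { type kernel_t; }` whose type is never used while `initrc_t` is referenced directly in `allow cachefiles_kernel_t initrc_t:process sigchld;` without being required, so that rule may not resolve when built as a module (an init module interface would avoid both problems); `files_pid_file(cachefilesd_var_run_t)` is also called twice. Finally, `sys_admin` and `dac_override` in the cachefilesd_t capability set are the two broadest entries and deserve a comment naming the operation each was observed to need.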
@@ -15162,7 +15575,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.7.10/policy/modules/services/devicekit.fc
--- nsaserefpolicy/policy/modules/services/devicekit.fc 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/devicekit.fc 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/services/devicekit.fc 2010-02-25 14:52:32.000000000 -0500
@@ -1,8 +1,12 @@
/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0)
/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
@@ -15174,11 +15587,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
+/var/lib/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
- /var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+-/var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
++/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.7.10/policy/modules/services/devicekit.if
--- nsaserefpolicy/policy/modules/services/devicekit.if 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/devicekit.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/services/devicekit.if 2010-02-25 14:53:23.000000000 -0500
@@ -139,6 +139,26 @@
########################################
@@ -15206,9 +15620,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
## All of the rules required to administrate
## an devicekit environment
##
+@@ -162,7 +182,7 @@
+ interface(`devicekit_admin',`
+ gen_require(`
+ type devicekit_t, devicekit_disk_t, devicekit_power_t;
+- type devicekit_var_run_t;
++ type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
+ ')
+
+ allow $1 devicekit_t:process { ptrace signal_perms getattr };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.10/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/devicekit.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/services/devicekit.te 2010-02-26 09:03:13.000000000 -0500
@@ -42,6 +42,8 @@
files_read_etc_files(devicekit_t)
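Review bot: The new inner hunk only widens the `gen_require` of `devicekit_admin` to `devicekit_var_lib_t` and `devicekit_tmp_t`; the interface body that would use those types lies outside this hunk, so it cannot be confirmed from here that matching admin rules for them were added, and a required-but-unused type is harmless but misleading to the next reader. Worth checking the remainder of `devicekit_admin` in the same patch before merging.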
@@ -15230,7 +15653,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
-@@ -71,29 +75,58 @@
+@@ -71,29 +75,61 @@
manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
@@ -15286,12 +15709,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
storage_raw_read_removable_device(devicekit_disk_t)
storage_raw_write_removable_device(devicekit_disk_t)
++mls_file_read_all_levels(devicekit_disk_t)
++mls_file_write_to_clearance(devicekit_disk_t)
++
+term_use_all_terms(devicekit_disk_t)
+
auth_use_nsswitch(devicekit_disk_t)
miscfiles_read_localization(devicekit_disk_t)
-@@ -102,6 +135,16 @@
+@@ -102,6 +138,16 @@
userdom_search_user_home_dirs(devicekit_disk_t)
optional_policy(`
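Review bot: `mls_file_read_all_levels(devicekit_disk_t)` and `mls_file_write_to_clearance(devicekit_disk_t)` exempt the disk daemon from MLS file read constraints at every sensitivity level and from write constraints up to its clearance, which on an MLS policy is among the strongest overrides a system daemon can receive. A comment stating the reason would make it reviewable, in reviewer voice if the trigger is not recorded: `# MLS override: devicekit_disk handles filesystems at any level -- confirm against the denial that prompted this`. If the observed case only needed reads, dropping `mls_file_write_to_clearance` narrows the exemption considerably.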
@@ -15308,7 +15734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
fstools_domtrans(devicekit_disk_t)
')
-@@ -110,6 +153,7 @@
+@@ -110,6 +156,7 @@
')
optional_policy(`
@@ -15316,7 +15742,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
policykit_domtrans_auth(devicekit_disk_t)
policykit_read_lib(devicekit_disk_t)
policykit_read_reload(devicekit_disk_t)
-@@ -120,18 +164,12 @@
+@@ -120,18 +167,12 @@
')
optional_policy(`
@@ -15338,7 +15764,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
')
########################################
-@@ -139,9 +177,11 @@
+@@ -139,9 +180,11 @@
# DeviceKit-Power local policy
#
@@ -15351,7 +15777,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
-@@ -151,6 +191,7 @@
+@@ -151,6 +194,7 @@
kernel_read_system_state(devicekit_power_t)
kernel_rw_hotplug_sysctls(devicekit_power_t)
kernel_rw_kernel_sysctl(devicekit_power_t)
@@ -15359,7 +15785,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
corecmd_exec_bin(devicekit_power_t)
corecmd_exec_shell(devicekit_power_t)
-@@ -159,7 +200,9 @@
+@@ -159,7 +203,9 @@
domain_read_all_domains_state(devicekit_power_t)
@@ -15369,7 +15795,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
dev_rw_netcontrol(devicekit_power_t)
dev_rw_sysfs(devicekit_power_t)
-@@ -167,12 +210,16 @@
+@@ -167,12 +213,16 @@
files_read_etc_files(devicekit_power_t)
files_read_usr_files(devicekit_power_t)
@@ -15386,7 +15812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
userdom_read_all_users_state(devicekit_power_t)
optional_policy(`
-@@ -180,6 +227,10 @@
+@@ -180,6 +230,10 @@
')
optional_policy(`
@@ -15397,7 +15823,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
dbus_system_bus_client(devicekit_power_t)
allow devicekit_power_t devicekit_t:dbus send_msg;
-@@ -203,17 +254,23 @@
+@@ -203,17 +257,23 @@
optional_policy(`
hal_domtrans_mac(devicekit_power_t)
@@ -17673,7 +18099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.7.10/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/mta.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/services/mta.if 2010-02-26 14:53:51.000000000 -0500
@@ -220,6 +220,25 @@
application_executable_file($1)
')
@@ -17708,7 +18134,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
')
-@@ -356,6 +376,7 @@
+@@ -356,11 +376,35 @@
')
allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
@@ -17716,10 +18142,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
domtrans_pattern($1, mta_exec_type, system_mail_t)
allow mta_user_agent $1:fd use;
-@@ -365,6 +386,25 @@
-
- ########################################
- ##
+ allow mta_user_agent $1:process sigchld;
+ allow mta_user_agent $1:fifo_file rw_fifo_file_perms;
++
++ ifdef(`hide_broken_symptoms', `
++ dontaudit system_mail_t $1:socket_class_set { read write };
++ ')
++')
++
++########################################
++##
+## Send mail client a signal
+##
+##
@@ -17735,14 +18167,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
+ ')
+
+ allow $1 system_mail_t:process signal;
-+')
-+
-+########################################
-+##
- ## Execute send mail in a specified domain.
- ##
- ##
-@@ -454,7 +494,8 @@
+ ')
+
+ ########################################
+@@ -454,7 +498,8 @@
type etc_mail_t;
')
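Review bot: The new `dontaudit system_mail_t $1:socket_class_set { read write };` silences, for every caller of this interface, denials on every socket class the caller leaks into the mail client, so it hides descriptor leaks rather than fixing them; that is acceptable under `hide_broken_symptoms`, but a comment naming the leak it papers over (which caller hands an open socket to sendmail) would stop it becoming permanent. The interface this extends starts before the hunk, and the remaining removed and re-added lines appear only to move the end of that interface and the start of the next one, so the net code change is the three-line ifdef block.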
@@ -17752,7 +18180,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
########################################
-@@ -678,7 +719,7 @@
+@@ -678,7 +723,7 @@
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
allow $1 mail_spool_t:file setattr;
@@ -17761,7 +18189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
-@@ -765,6 +806,25 @@
+@@ -765,6 +810,25 @@
#######################################
##
@@ -17789,17 +18217,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.10/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/mta.te 2010-02-23 15:54:38.000000000 -0500
-@@ -63,6 +63,8 @@
++++ serefpolicy-3.7.10/policy/modules/services/mta.te 2010-02-25 08:06:42.000000000 -0500
+@@ -63,6 +63,9 @@
can_exec(system_mail_t, mta_exec_type)
+files_read_all_tmp_files(system_mail_t)
++files_read_usr_files(system_mail_t)
+
kernel_read_system_state(system_mail_t)
kernel_read_network_state(system_mail_t)
kernel_request_load_module(system_mail_t)
-@@ -75,20 +77,27 @@
+@@ -75,20 +78,27 @@
selinux_getattr_fs(system_mail_t)
@@ -17827,7 +18256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
optional_policy(`
-@@ -107,6 +116,7 @@
+@@ -107,6 +117,7 @@
optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
cron_dontaudit_write_pipes(system_mail_t)
@@ -17835,7 +18264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
optional_policy(`
-@@ -126,6 +136,7 @@
+@@ -126,6 +137,7 @@
optional_policy(`
fail2ban_append_log(system_mail_t)
@@ -17843,7 +18272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
optional_policy(`
-@@ -185,6 +196,10 @@
+@@ -185,6 +197,10 @@
')
optional_policy(`
@@ -17854,7 +18283,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
smartmon_read_tmp_files(system_mail_t)
')
-@@ -216,6 +231,7 @@
+@@ -216,6 +232,7 @@
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -19487,7 +19916,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.7.10/policy/modules/services/nut.te
--- nsaserefpolicy/policy/modules/services/nut.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/nut.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/services/nut.te 2010-02-26 08:33:54.000000000 -0500
@@ -29,7 +29,8 @@
# Local policy for upsd
#
@@ -19506,17 +19935,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.
# /usr/bin/wall
term_write_all_terms(nut_upsmon_t)
-@@ -123,7 +125,9 @@
+@@ -123,6 +125,7 @@
kernel_read_kernel_sysctls(nut_upsdrvctl_t)
# /sbin/upsdrvctl executes other drivers
+# can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
corecmd_exec_bin(nut_upsdrvctl_t)
-+corecmd_exec_sbin(nut_upsdrvctl_t)
dev_read_urand(nut_upsdrvctl_t)
- dev_rw_generic_usb_dev(nut_upsdrvctl_t)
-@@ -149,5 +153,15 @@
+@@ -149,5 +152,15 @@
read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t)
@@ -21827,7 +22254,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdisc.if serefpolicy-3.7.10/policy/modules/services/rdisc.if
--- nsaserefpolicy/policy/modules/services/rdisc.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/rdisc.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/services/rdisc.if 2010-02-26 08:34:00.000000000 -0500
@@ -1 +1,20 @@
## Network router discovery daemon
+
@@ -21846,7 +22273,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdis
+ type rdisc_exec_t;
+ ')
+
-+ corecmd_search_sbin($1)
++ corecmd_search_bin($1)
+ can_exec($1,rdisc_exec_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.7.10/policy/modules/services/rgmanager.fc
@@ -21965,8 +22392,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.10/policy/modules/services/rgmanager.te
--- nsaserefpolicy/policy/modules/services/rgmanager.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/rgmanager.te 2010-02-23 15:54:38.000000000 -0500
-@@ -0,0 +1,224 @@
++++ serefpolicy-3.7.10/policy/modules/services/rgmanager.te 2010-02-26 11:53:19.000000000 -0500
+@@ -0,0 +1,223 @@
+
+policy_module(rgmanager,1.0.0)
+
@@ -22007,7 +22434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
+# rgmanager local policy
+#
+
-+allow rgmanager_t self:capability { dac_override sys_resource sys_nice ipc_lock };
++allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
+dontaudit rgmanager_t self:capability { sys_ptrace };
+allow rgmanager_t self:process { setsched signal };
+dontaudit rgmanager_t self:process { ptrace };
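Review bot: The rewritten capability rule grants rgmanager_t net_raw and sys_admin with no comment saying which operation required them; sys_admin in particular covers mount, quotactl, setdomainname and many other unrelated privileged operations, so it is the capability most worth justifying in a policy module. If the trigger was a specific denial seen in testing, a one-line comment above the rule such as `# sys_admin/net_raw: needed by <operation or AVC — placeholder>` would let a later reviewer check whether a narrower interface exists instead. rgmanager.te is a file added by this patch and its declarations lie outside the hunk.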
@@ -22036,7 +22463,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
+files_pid_filetrans(rgmanager_t,rgmanager_var_run_t, { file sock_file })
+
+corecmd_exec_bin(rgmanager_t)
-+corecmd_exec_sbin(rgmanager_t)
+corecmd_exec_shell(rgmanager_t)
+consoletype_exec(rgmanager_t)
+
@@ -22648,8 +23074,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.10/policy/modules/services/rhcs.te
--- nsaserefpolicy/policy/modules/services/rhcs.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/rhcs.te 2010-02-23 15:54:38.000000000 -0500
-@@ -0,0 +1,247 @@
++++ serefpolicy-3.7.10/policy/modules/services/rhcs.te 2010-02-26 11:55:16.000000000 -0500
+@@ -0,0 +1,248 @@
+
+policy_module(rhcs,1.1.0)
+
@@ -22754,6 +23180,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+
+files_read_usr_symlinks(fenced_t)
+
++corenet_tcp_connect_http_port(fenced_t)
+tunable_policy(`fenced_can_network_connect',`
+ corenet_tcp_connect_all_ports(fenced_t)
+')
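Review bot: `corenet_tcp_connect_http_port(fenced_t)` is added unconditionally, directly above the `fenced_can_network_connect` tunable that gates the rest of fenced's outbound TCP, so HTTP connections are now permitted even when that boolean is off. If a specific fence agent needs the HTTP port regardless of the tunable, say so in a comment above the line, e.g. `# fence agents that reach management interfaces over HTTP (<agent — placeholder>)`; otherwise the call belongs inside the tunable_policy block below it. The remainder of the fenced_t policy is outside this hunk.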
@@ -22833,7 +23260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t,qdiskd_var_lib_t)
+files_var_lib_filetrans(qdiskd_t,qdiskd_var_lib_t, { file dir sock_file })
+
-+corecmd_getattr_sbin_files(qdiskd_t)
++corecmd_getattr_bin_files(qdiskd_t)
+corecmd_exec_shell(qdiskd_t)
+
+kernel_read_system_state(qdiskd_t)
@@ -25636,7 +26063,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.10/policy/modules/services/sssd.te
--- nsaserefpolicy/policy/modules/services/sssd.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/sssd.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/services/sssd.te 2010-02-25 18:53:37.000000000 -0500
@@ -13,6 +13,9 @@
type sssd_initrc_exec_t;
init_script_file(sssd_initrc_exec_t)
@@ -25664,7 +26091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
-@@ -49,6 +55,9 @@
+@@ -49,12 +55,17 @@
dev_read_urand(sssd_t)
@@ -25674,7 +26101,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
files_list_tmp(sssd_t)
files_read_etc_files(sssd_t)
files_read_usr_files(sssd_t)
-@@ -66,6 +75,8 @@
+
+ fs_list_inotifyfs(sssd_t)
+
++mls_file_read_to_clearance(sssd_t)
++
+ auth_use_nsswitch(sssd_t)
+ auth_domtrans_chk_passwd(sssd_t)
+ auth_domtrans_upd_passwd(sssd_t)
+@@ -66,6 +77,8 @@
miscfiles_read_localization(sssd_t)
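Review bot: `mls_file_read_to_clearance(sssd_t)` relaxes the MLS no-read-up constraint for sssd_t and carries no comment explaining which files above its current level it has to read; the same applies to the broader `mls_file_read_all_levels(audisp_t)` added in the logging.te hunk further down. MLS overrides are the first rules an MLS evaluator asks about, so a one-line comment naming the consumer at both sites, e.g. `# sssd reads <file or cache — placeholder> up to the user's clearance`, is worth adding. The enclosing sssd_t rules continue outside the hunk.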
@@ -26346,7 +26781,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.10/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/virt.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/services/virt.if 2010-02-26 11:14:28.000000000 -0500
@@ -22,6 +22,8 @@
domain_type($1_t)
role system_r types $1_t;
@@ -26730,7 +27165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.10/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/xserver.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/services/xserver.if 2010-02-26 14:29:51.000000000 -0500
@@ -19,7 +19,7 @@
interface(`xserver_restricted_role',`
gen_require(`
@@ -26827,20 +27262,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# X object manager
xserver_object_types_template($1)
-@@ -545,6 +555,12 @@
+@@ -545,6 +555,10 @@
')
domtrans_pattern($1, xauth_exec_t, xauth_t)
+ifdef(`hide_broken_symptoms', `
-+ dontaudit xauth_t $1:unix_stream_socket rw_socket_perms;
-+ dontaudit xauth_t $1:tcp_socket rw_socket_perms;
-+ dontaudit xauth_t $1:udp_socket rw_socket_perms;
++ dontaudit xauth_t $1:socket_class_set { read write };
+ fs_dontaudit_rw_anon_inodefs_files(xauth_t)
+')
')
########################################
-@@ -598,6 +614,7 @@
+@@ -598,6 +612,7 @@
allow $1 xauth_home_t:file read_file_perms;
userdom_search_user_home_dirs($1)
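Review bot: The replacement `dontaudit xauth_t $1:socket_class_set { read write };` is both wider and narrower than the three rules it replaces: it silences read/write on every socket class the caller may leak into xauth_t, but no longer covers the rest of rw_socket_perms (which in refpolicy also spans ioctl, getattr, setattr, append, bind, connect, getopt, setopt and shutdown) on the unix_stream, tcp and udp classes the old rules named, so an ioctl on an inherited unix_stream_socket would be audited again. If silencing only read/write is the intent, a comment such as `# leaked fds from $1: only read/write are expected, audit anything else` would stop the next person from re-widening it. The interface body continues outside the hunk.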
@@ -26848,7 +27281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -805,7 +822,7 @@
+@@ -805,7 +820,7 @@
')
files_search_pids($1)
@@ -26857,7 +27290,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -1250,3 +1267,329 @@
+@@ -1250,3 +1265,329 @@
typeattribute $1 x_domain;
typeattribute $1 xserver_unconfined_type;
')
@@ -28404,7 +28837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.7.10/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/authlogin.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/system/authlogin.te 2010-02-25 18:15:10.000000000 -0500
@@ -103,8 +103,10 @@
fs_dontaudit_getattr_xattr_fs(chkpwd_t)
@@ -29054,7 +29487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.10/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/init.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/system/init.te 2010-02-25 16:45:03.000000000 -0500
@@ -17,6 +17,20 @@
##
gen_tunable(init_upstart, false)
@@ -29121,7 +29554,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
# For /var/run/shutdown.pid.
allow init_t init_var_run_t:file manage_file_perms;
-@@ -140,6 +158,7 @@
+@@ -122,6 +140,7 @@
+
+ dev_read_sysfs(init_t)
+
++domain_getpgid_all_domains(init_t)
+ domain_kill_all_domains(init_t)
+ domain_signal_all_domains(init_t)
+ domain_signull_all_domains(init_t)
+@@ -140,6 +159,7 @@
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
@@ -29129,7 +29570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
# cjp: this may be related to /dev/log
fs_write_ramfs_sockets(init_t)
-@@ -167,11 +186,14 @@
+@@ -167,11 +187,14 @@
miscfiles_read_localization(init_t)
@@ -29144,7 +29585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
fs_rw_tmpfs_chr_files(init_t)
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
')
-@@ -189,10 +211,31 @@
+@@ -189,10 +212,31 @@
')
optional_policy(`
@@ -29176,7 +29617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
unconfined_domain(init_t)
')
-@@ -202,9 +245,10 @@
+@@ -202,9 +246,10 @@
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -29188,7 +29629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
# Allow IPC with self
allow initrc_t self:unix_dgram_socket create_socket_perms;
-@@ -217,7 +261,8 @@
+@@ -217,7 +262,8 @@
term_create_pty(initrc_t, initrc_devpts_t)
# Going to single user mode
@@ -29198,7 +29639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
can_exec(initrc_t, init_script_file_type)
-@@ -230,10 +275,12 @@
+@@ -230,10 +276,12 @@
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -29213,7 +29654,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
init_write_initctl(initrc_t)
-@@ -246,13 +293,19 @@
+@@ -246,13 +294,19 @@
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -29235,7 +29676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
corenet_all_recvfrom_unlabeled(initrc_t)
corenet_all_recvfrom_netlabel(initrc_t)
-@@ -267,21 +320,29 @@
+@@ -267,21 +321,29 @@
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -29266,7 +29707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -291,7 +352,7 @@
+@@ -291,7 +353,7 @@
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -29275,7 +29716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -306,14 +367,15 @@
+@@ -306,14 +368,15 @@
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -29293,7 +29734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
files_exec_etc_files(initrc_t)
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
-@@ -324,7 +386,10 @@
+@@ -324,7 +387,10 @@
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -29304,7 +29745,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
fs_write_ramfs_pipes(initrc_t)
-@@ -333,6 +398,11 @@
+@@ -333,6 +399,11 @@
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -29316,7 +29757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
-@@ -365,7 +435,9 @@
+@@ -365,7 +436,9 @@
libs_rw_ld_so_cache(initrc_t)
libs_exec_lib_files(initrc_t)
@@ -29326,7 +29767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
logging_send_syslog_msg(initrc_t)
logging_manage_generic_logs(initrc_t)
logging_read_all_logs(initrc_t)
-@@ -374,19 +446,22 @@
+@@ -374,19 +447,22 @@
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -29350,7 +29791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -431,7 +506,7 @@
+@@ -431,7 +507,7 @@
# /lib/rcscripts/net/system.sh rewrites resolv.conf :(
sysnet_create_config(initrc_t)
sysnet_write_config(initrc_t)
@@ -29359,7 +29800,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
arpwatch_manage_data_files(initrc_t)
-@@ -450,11 +525,9 @@
+@@ -450,11 +526,9 @@
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -29372,7 +29813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
# These seem to be from the initrd
# during device initialization:
dev_create_generic_dirs(initrc_t)
-@@ -464,6 +537,7 @@
+@@ -464,6 +538,7 @@
storage_raw_read_fixed_disk(initrc_t)
storage_raw_write_fixed_disk(initrc_t)
@@ -29380,7 +29821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
# wants to read /.fonts directory
-@@ -472,6 +546,7 @@
+@@ -472,6 +547,7 @@
# Needs to cp localtime to /var dirs
files_write_var_dirs(initrc_t)
@@ -29388,7 +29829,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
fs_rw_tmpfs_chr_files(initrc_t)
storage_manage_fixed_disk(initrc_t)
-@@ -490,17 +565,32 @@
+@@ -490,17 +566,32 @@
miscfiles_read_hwdata(initrc_t)
optional_policy(`
@@ -29421,7 +29862,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -515,6 +605,34 @@
+@@ -515,6 +606,34 @@
')
')
@@ -29456,7 +29897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -527,6 +645,8 @@
+@@ -527,6 +646,8 @@
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -29465,7 +29906,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -567,10 +687,19 @@
+@@ -567,10 +688,19 @@
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -29485,7 +29926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -590,6 +719,10 @@
+@@ -590,6 +720,10 @@
')
optional_policy(`
@@ -29496,7 +29937,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
dev_read_usbfs(initrc_t)
# init scripts run /etc/hotplug/usb.rc
-@@ -646,20 +779,20 @@
+@@ -646,20 +780,20 @@
')
optional_policy(`
@@ -29523,7 +29964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
ifdef(`distro_redhat',`
-@@ -668,6 +801,7 @@
+@@ -668,6 +802,7 @@
mysql_stream_connect(initrc_t)
mysql_write_log(initrc_t)
@@ -29531,7 +29972,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -700,7 +834,6 @@
+@@ -700,7 +835,6 @@
')
optional_policy(`
@@ -29539,7 +29980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -722,8 +855,6 @@
+@@ -722,8 +856,6 @@
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -29548,7 +29989,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -736,13 +867,16 @@
+@@ -736,13 +868,16 @@
squid_manage_logs(initrc_t)
')
@@ -29565,7 +30006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -751,6 +885,7 @@
+@@ -751,6 +886,7 @@
optional_policy(`
udev_rw_db(initrc_t)
@@ -29573,7 +30014,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -758,7 +893,17 @@
+@@ -758,7 +894,17 @@
')
optional_policy(`
@@ -29591,7 +30032,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -768,6 +913,25 @@
+@@ -768,6 +914,25 @@
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -29617,7 +30058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -793,3 +957,31 @@
+@@ -793,3 +958,31 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -30479,17 +30920,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.7.10/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/locallogin.te 2010-02-23 15:54:38.000000000 -0500
-@@ -33,7 +33,7 @@
++++ serefpolicy-3.7.10/policy/modules/system/locallogin.te 2010-02-25 18:19:19.000000000 -0500
+@@ -33,9 +33,8 @@
# Local login local policy
#
-allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
+-allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+-allow local_login_t self:process { setrlimit setexec };
+allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
- allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow local_login_t self:process { setrlimit setexec };
++allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap };
allow local_login_t self:fd use;
-@@ -74,6 +74,8 @@
+ allow local_login_t self:fifo_file rw_fifo_file_perms;
+ allow local_login_t self:sock_file read_sock_file_perms;
+@@ -74,6 +73,8 @@
dev_setattr_power_mgmt_dev(local_login_t)
dev_getattr_sound_dev(local_login_t)
dev_setattr_sound_dev(local_login_t)
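Review bot: The rewritten capability rule for local_login_t adds sys_admin, the broadest capability in the set, with nothing in the hunk saying which operation required it; the only other change here, collapsing the two self:process rules into one negated set, grants exactly the permissions the two old rules granted together. The changelog entry only mentions MLS fixes, so if this came from a denial seen in MLS testing a comment such as `# sys_admin: <operation or AVC — placeholder>` above the rule would keep it traceable and allow it to be narrowed later. The rest of the local_login_t block is outside the hunk.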
@@ -30498,7 +30942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
dev_dontaudit_getattr_apm_bios_dev(local_login_t)
dev_dontaudit_setattr_apm_bios_dev(local_login_t)
dev_dontaudit_read_framebuffer(local_login_t)
-@@ -152,6 +154,11 @@
+@@ -152,6 +153,11 @@
fs_read_cifs_symlinks(local_login_t)
')
@@ -30510,7 +30954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
optional_policy(`
alsa_domtrans(local_login_t)
')
-@@ -181,7 +188,7 @@
+@@ -181,7 +187,7 @@
')
optional_policy(`
@@ -30519,7 +30963,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
')
optional_policy(`
-@@ -198,9 +205,10 @@
+@@ -198,9 +204,10 @@
# Sulogin local policy
#
@@ -30531,7 +30975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
allow sulogin_t self:unix_dgram_socket create_socket_perms;
allow sulogin_t self:unix_stream_socket create_stream_socket_perms;
allow sulogin_t self:unix_dgram_socket sendto;
-@@ -220,6 +228,7 @@
+@@ -220,6 +227,7 @@
files_dontaudit_search_isid_type_dirs(sulogin_t)
auth_read_shadow(sulogin_t)
@@ -30539,17 +30983,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
init_getpgid_script(sulogin_t)
-@@ -233,11 +242,23 @@
+@@ -233,14 +241,23 @@
userdom_search_user_home_dirs(sulogin_t)
userdom_use_user_ptys(sulogin_t)
+-sysadm_shell_domtrans(sulogin_t)
+term_use_console(sulogin_t)
+term_use_unallocated_ttys(sulogin_t)
+
+ifdef(`enable_mls',`
- sysadm_shell_domtrans(sulogin_t)
++ sysadm_shell_domtrans(sulogin_t)
+',`
-+ optional_policy(`
++ optional_policy(`
+ unconfined_shell_domtrans(sulogin_t)
+ ')
+')
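Review bot: On non-MLS builds the shell transition for sulogin_t now sits inside `optional_policy(`, so when the unconfined module is not loaded sulogin gets no shell domain transition at all, whereas the enable_mls branch keeps an unconditional `sysadm_shell_domtrans(sulogin_t)`; whether sulogin_t can then run the shell in its own domain depends on rules outside this hunk. A comment on the else branch, e.g. `# non-MLS: hand off to the unconfined shell; no transition is defined if that module is absent`, would make the fallback explicit.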
@@ -30557,13 +31002,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
# suse and debian do not use pam with sulogin...
ifdef(`distro_suse', `define(`sulogin_no_pam')')
ifdef(`distro_debian', `define(`sulogin_no_pam')')
-+ifdef(`distro_redhat',`define(`sulogin_no_pam')
-+ selinux_compute_user_contexts(sulogin_t)
-+')
++allow sulogin_t self:capability sys_tty_config;
ifdef(`sulogin_no_pam', `
- allow sulogin_t self:capability sys_tty_config;
-@@ -251,11 +272,3 @@
+- allow sulogin_t self:capability sys_tty_config;
+ init_getpgid(sulogin_t)
+ ', `
+ allow sulogin_t self:process setexec;
+@@ -251,11 +268,3 @@
selinux_compute_relabel_context(sulogin_t)
selinux_compute_user_contexts(sulogin_t)
')
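Review bot: Dropping the `ifdef(`distro_redhat',`define(`sulogin_no_pam')` block means Red Hat builds now take the PAM branch of the `sulogin_no_pam` conditional (the `allow sulogin_t self:process setexec;` and selinux_compute_* rules shown as context), which is a behavioural change that neither the hunk nor the %changelog entry explains. Hoisting `allow sulogin_t self:capability sys_tty_config;` out of the conditional is fine in itself, but a comment such as `# sulogin uses PAM on Red Hat since <release — placeholder>; sys_tty_config is needed on both paths` would record why the define went away. The sulogin_t block continues outside the hunk.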
@@ -30689,7 +31135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.10/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/logging.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/system/logging.te 2010-02-25 18:10:25.000000000 -0500
@@ -101,6 +101,7 @@
kernel_read_kernel_sysctls(auditctl_t)
@@ -30733,7 +31179,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
allow audisp_t self:unix_stream_socket create_stream_socket_perms;
allow audisp_t self:unix_dgram_socket create_socket_perms;
-@@ -226,13 +229,18 @@
+@@ -226,13 +229,19 @@
manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
@@ -30746,6 +31192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
files_read_etc_files(audisp_t)
+files_read_etc_runtime_files(audisp_t)
++mls_file_read_all_levels(audisp_t)
mls_file_write_all_levels(audisp_t)
+mls_dbus_send_all_levels(audisp_t)
+
@@ -30753,7 +31200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
logging_send_syslog_msg(audisp_t)
-@@ -240,6 +248,14 @@
+@@ -240,6 +249,14 @@
sysnet_dns_name_resolve(audisp_t)
@@ -30768,7 +31215,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
########################################
#
# Audit remote logger local policy
-@@ -253,11 +269,16 @@
+@@ -253,11 +270,16 @@
corenet_tcp_sendrecv_generic_node(audisp_remote_t)
corenet_tcp_connect_audit_port(audisp_remote_t)
corenet_sendrecv_audit_client_packets(audisp_remote_t)
@@ -30785,7 +31232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
miscfiles_read_localization(audisp_remote_t)
sysnet_dns_name_resolve(audisp_remote_t)
-@@ -332,13 +353,12 @@
+@@ -332,13 +354,12 @@
allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
dontaudit syslogd_t self:capability sys_tty_config;
# setpgid for metalog
@@ -30801,7 +31248,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
-@@ -462,10 +482,18 @@
+@@ -462,10 +483,18 @@
')
optional_policy(`
@@ -30820,7 +31267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
postgresql_stream_connect(syslogd_t)
')
-@@ -474,6 +502,10 @@
+@@ -474,6 +503,10 @@
')
optional_policy(`
@@ -30831,9 +31278,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
udev_read_db(syslogd_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.7.10/policy/modules/system/lvm.fc
+--- nsaserefpolicy/policy/modules/system/lvm.fc 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.10/policy/modules/system/lvm.fc 2010-02-25 18:42:51.000000000 -0500
+@@ -28,6 +28,7 @@
+ #
+ /lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0)
+
+ #
+ # /sbin
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.7.10/policy/modules/system/lvm.if
+--- nsaserefpolicy/policy/modules/system/lvm.if 2009-11-25 11:47:19.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/system/lvm.if 2010-02-26 08:35:35.000000000 -0500
+@@ -34,7 +34,7 @@
+ type lvm_exec_t;
+ ')
+
+- corecmd_search_sbin($1)
++ corecmd_search_bin($1)
+ can_exec($1, lvm_exec_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.10/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/lvm.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/system/lvm.te 2010-02-26 08:56:01.000000000 -0500
@@ -142,6 +142,11 @@
')
@@ -30846,7 +31316,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
ccs_stream_connect(clvmd_t)
')
-@@ -244,6 +249,7 @@
+@@ -171,6 +176,7 @@
+ allow lvm_t self:process { sigchld sigkill sigstop signull signal };
+ # LVM will complain a lot if it cannot set its priority.
+ allow lvm_t self:process setsched;
++allow lvm_t self:sem create_sem_perms;
+ allow lvm_t self:file rw_file_perms;
+ allow lvm_t self:fifo_file manage_fifo_file_perms;
+ allow lvm_t self:unix_dgram_socket create_socket_perms;
+@@ -244,6 +250,7 @@
dev_dontaudit_getattr_generic_blk_files(lvm_t)
dev_dontaudit_getattr_generic_pipes(lvm_t)
dev_create_generic_dirs(lvm_t)
@@ -30854,7 +31332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
domain_use_interactive_fds(lvm_t)
domain_read_all_domains_state(lvm_t)
-@@ -253,6 +259,7 @@
+@@ -253,6 +260,7 @@
files_read_etc_runtime_files(lvm_t)
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dirs(lvm_t)
@@ -30862,7 +31340,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
fs_getattr_xattr_fs(lvm_t)
fs_search_auto_mountpoints(lvm_t)
-@@ -311,6 +318,11 @@
+@@ -311,6 +319,11 @@
')
optional_policy(`
@@ -32754,7 +33232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.10/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/udev.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/system/udev.te 2010-02-25 18:43:22.000000000 -0500
@@ -50,6 +50,7 @@
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -33590,7 +34068,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+HOME_DIR/\.gvfs(/.*)? <>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.10/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/userdomain.if 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/system/userdomain.if 2010-02-26 09:05:50.000000000 -0500
@@ -30,8 +30,9 @@
')
@@ -36141,7 +36619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.10/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/xen.te 2010-02-23 15:54:38.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/system/xen.te 2010-02-26 11:35:15.000000000 -0500
@@ -5,6 +5,7 @@
#
# Declarations
@@ -36203,22 +36681,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
storage_raw_read_fixed_disk(xenstored_t)
storage_raw_write_fixed_disk(xenstored_t)
storage_raw_read_removable_device(xenstored_t)
-@@ -421,7 +433,14 @@
+@@ -421,7 +433,22 @@
xen_stream_connect_xenstore(xm_t)
optional_policy(`
++ dbus_system_bus(xm_t)
++ optional_policy(`
++ hal_dbus_chat(xm_t)
++ ')
++')
++
++optional_policy(`
+ vhostmd_rw_tmpfs_files(xm_t)
+ vhostmd_stream_connect(xm_t)
+ vhostmd_dontaudit_rw_stream_connect(xm_t)
+')
+
+optional_policy(`
++ virt_domtrans(xm_t)
virt_manage_images(xm_t)
+ virt_manage_config(xm_t)
virt_stream_connect(xm_t)
')
-@@ -435,9 +454,14 @@
+@@ -435,9 +462,14 @@
kernel_read_xen_state(xm_ssh_t)
kernel_write_xen_state(xm_ssh_t)
diff --git a/securetty_types-minimum b/securetty_types-minimum
index fe7ce17..7055096 100644
--- a/securetty_types-minimum
+++ b/securetty_types-minimum
@@ -1,3 +1,4 @@
+console_device_t
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t
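Review bot: Adding `console_device_t` to the securetty types list changes which terminals the login stack treats as relabelable on login — libselinux's selinux_check_securetty_context() reads this file and pam_selinux uses it to decide whether a tty may be relabeled to the logging-in user's context — yet the change is not mentioned in the %changelog entry for this release; the same line is added to securetty_types-mls and securetty_types-targeted in the two following hunks. A changelog line naming the reason (which login path needed /dev/console relabeled) would make the intent reviewable.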
diff --git a/securetty_types-mls b/securetty_types-mls
index 242dffe..89bf54d 100644
--- a/securetty_types-mls
+++ b/securetty_types-mls
@@ -1,3 +1,4 @@
+console_device_t
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t
diff --git a/securetty_types-targeted b/securetty_types-targeted
index fe7ce17..7055096 100644
--- a/securetty_types-targeted
+++ b/securetty_types-targeted
@@ -1,3 +1,4 @@
+console_device_t
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a1091e8..4f06646 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.10
-Release: 4%{?dist}
+Release: 5%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,12 +466,19 @@ exit 0
%endif
%changelog
-* Wed Feb 22 2010 Dan Walsh 3.7.10-4
+* Fri Feb 26 2010 Dan Walsh 3.7.10-5
+- Add MLS fixes found in RHEL6 testing
+- Allow domains to append to rpm_tmp_t
+- Add cachefilesfd policy
+- Dontaudit leaks when transitioning
+
+* Wed Feb 23 2010 Dan Walsh 3.7.10-4
- Change allow_execstack and allow_execmem booleans to on
- dontaudit acct using console
- Add label for fping
- Allow tmpreaper to delete sandbox_file_t
- Fix wine dontaudit mmap_zero
+- Allow abrt to read var_t symlinks
* Tue Feb 22 2010 Dan Walsh 3.7.10-3
- Additional policy for rgmanager