+##
-+## Ignore wine mmap_zero errors
++## Ignore unconfined mmap_zero errors
+##
+##
+gen_tunable(unconfined_mmap_zero_ignore, false)
@@ -18578,7 +18694,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.7.19/policy/modules/services/chronyd.te
--- nsaserefpolicy/policy/modules/services/chronyd.te 2010-04-13 20:44:36.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/chronyd.te 2010-05-28 09:42:00.077610724 +0200
++++ serefpolicy-3.7.19/policy/modules/services/chronyd.te 2011-01-14 14:47:12.321041202 +0100
@@ -16,6 +16,9 @@
type chronyd_keys_t;
files_type(chronyd_keys_t)
@@ -18608,16 +18724,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
-@@ -51,7 +59,9 @@
+@@ -51,7 +59,13 @@
manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
files_pid_filetrans(chronyd_t, chronyd_var_run_t, file)
++kernel_read_system_state(chronyd_t)
++
++corecmd_exec_shell(chronyd_t)
++
+corenet_udp_bind_generic_node(chronyd_t)
corenet_udp_bind_ntp_port(chronyd_t)
+
# bind to udp/323
corenet_udp_bind_chronyd_port(chronyd_t)
+@@ -64,6 +78,8 @@
+
+ miscfiles_read_localization(chronyd_t)
+
++mta_send_mail(chronyd_t)
++
+ optional_policy(`
+ gpsd_rw_shm(chronyd_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.7.19/policy/modules/services/clamav.if
--- nsaserefpolicy/policy/modules/services/clamav.if 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/clamav.if 2010-10-18 15:38:09.251650866 +0200
@@ -22688,7 +22817,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.19/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-12-15 15:26:48.255042227 +0100
++++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2011-01-14 14:46:52.457041882 +0100
@@ -9,6 +9,9 @@
type dovecot_exec_t;
init_daemon_domain(dovecot_t, dovecot_exec_t)
@@ -22882,7 +23011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
miscfiles_read_localization(dovecot_deliver_t)
-@@ -263,15 +313,24 @@
+@@ -263,15 +313,30 @@
userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
tunable_policy(`use_nfs_home_dirs',`
@@ -22906,6 +23035,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
optional_policy(`
mta_manage_spool(dovecot_deliver_t)
+ mta_read_queue(dovecot_deliver_t)
++')
++
++optional_policy(`
++ # Handle sieve scripts
++ allow dovecot_deliver_t self:fifo_file rw_fifo_file_perms;
++ sendmail_domtrans(dovecot_deliver_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.fc serefpolicy-3.7.19/policy/modules/services/exim.fc
--- nsaserefpolicy/policy/modules/services/exim.fc 2010-04-13 20:44:37.000000000 +0200
@@ -36598,7 +36733,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.19/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2011-01-04 16:02:58.400042759 +0100
++++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2011-01-14 14:36:33.523041523 +0100
@@ -34,13 +34,12 @@
ssh_server_template(sshd)
init_daemon_domain(sshd_t, sshd_exec_t)
@@ -36616,7 +36751,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
ifdef(`enable_mcs',`
init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
')
-@@ -97,14 +96,11 @@
+@@ -79,6 +78,7 @@
+ typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
+ files_type(ssh_home_t)
+ userdom_user_home_content(ssh_home_t)
++files_poly_parent(ssh_home_t)
+
+ ##############################
+ #
+@@ -97,14 +97,11 @@
allow ssh_t self:msg { send receive };
allow ssh_t self:tcp_socket create_stream_socket_perms;
@@ -36633,7 +36776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
-@@ -114,6 +110,7 @@
+@@ -114,6 +111,7 @@
manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
@@ -36641,7 +36784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
# Allow the ssh program to communicate with ssh-agent.
stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
-@@ -125,9 +122,10 @@
+@@ -125,9 +123,10 @@
read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
# ssh servers can read the user keys and config
@@ -36655,7 +36798,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
kernel_read_kernel_sysctls(ssh_t)
kernel_read_system_state(ssh_t)
-@@ -139,6 +137,8 @@
+@@ -139,6 +138,8 @@
corenet_tcp_sendrecv_all_ports(ssh_t)
corenet_tcp_connect_ssh_port(ssh_t)
corenet_sendrecv_ssh_client_packets(ssh_t)
@@ -36664,7 +36807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
dev_read_urand(ssh_t)
-@@ -170,8 +170,10 @@
+@@ -170,8 +171,10 @@
userdom_search_user_home_dirs(ssh_t)
# Write to the user domain tty.
userdom_use_user_terminals(ssh_t)
@@ -36676,7 +36819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
tunable_policy(`allow_ssh_keysign',`
domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
-@@ -217,6 +219,9 @@
+@@ -217,6 +220,9 @@
allow ssh_keygen_t sshd_key_t:file manage_file_perms;
files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
@@ -36686,7 +36829,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
kernel_read_kernel_sysctls(ssh_keygen_t)
fs_search_auto_mountpoints(ssh_keygen_t)
-@@ -282,36 +287,39 @@
+@@ -282,36 +288,39 @@
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
@@ -36735,7 +36878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
')
optional_policy(`
-@@ -319,10 +327,27 @@
+@@ -319,10 +328,27 @@
')
optional_policy(`
@@ -36763,7 +36906,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
rpm_use_script_fds(sshd_t)
')
-@@ -333,10 +358,18 @@
+@@ -333,10 +359,18 @@
')
optional_policy(`
@@ -39980,7 +40123,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.19/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/authlogin.if 2010-12-06 18:48:03.147042522 +0100
++++ serefpolicy-3.7.19/policy/modules/system/authlogin.if 2011-01-14 14:33:19.234041121 +0100
@@ -41,7 +41,6 @@
##
#
@@ -39989,16 +40132,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
# for SSP/ProPolice
dev_read_urand($1)
# for encrypted homedir
-@@ -94,6 +93,8 @@
+@@ -91,9 +90,12 @@
+ interface(`auth_login_pgm_domain',`
+ gen_require(`
+ type var_auth_t, auth_cache_t;
++ attribute polydomain;
')
domain_type($1)
-+ domain_poly($1)
++ typeattribute $1 polydomain;
+
domain_subj_id_change_exemption($1)
domain_role_change_exemption($1)
domain_obj_id_change_exemption($1)
-@@ -107,6 +108,7 @@
+@@ -107,6 +109,7 @@
allow $1 self:capability ipc_lock;
allow $1 self:process setkeycreate;
allow $1 self:key manage_key_perms;
@@ -40006,7 +40153,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
files_list_var_lib($1)
manage_files_pattern($1, var_auth_t, var_auth_t)
-@@ -141,6 +143,7 @@
+@@ -141,6 +144,7 @@
mls_process_set_level($1)
mls_fd_share_all_levels($1)
@@ -40014,10 +40161,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
auth_use_pam($1)
init_rw_utmp($1)
-@@ -151,6 +154,45 @@
+@@ -151,8 +155,43 @@
seutil_read_config($1)
seutil_read_default_contexts($1)
+- tunable_policy(`allow_polyinstantiation',`
+- files_polyinstantiate_all($1)
+ userdom_set_rlimitnh($1)
+ userdom_stream_connect($1)
+ userdom_read_user_home_content_symlinks($1)
@@ -40055,12 +40204,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+ ssh_agent_exec($1)
+ ssh_read_user_home_files($1)
+ userdom_read_user_home_content_files($1)
-+ ')
-+
- tunable_policy(`allow_polyinstantiation',`
- files_polyinstantiate_all($1)
')
-@@ -365,13 +407,21 @@
+ ')
+
+@@ -365,13 +404,21 @@
')
optional_policy(`
@@ -40083,7 +40230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
########################################
-@@ -418,6 +468,7 @@
+@@ -418,6 +465,7 @@
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@@ -40091,7 +40238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
########################################
-@@ -694,7 +745,7 @@
+@@ -694,7 +742,7 @@
')
files_search_etc($1)
@@ -40100,7 +40247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
typeattribute $1 can_relabelto_shadow_passwords;
')
-@@ -1500,6 +1551,8 @@
+@@ -1500,6 +1548,8 @@
#
interface(`auth_use_nsswitch',`
@@ -40109,7 +40256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
files_list_var_lib($1)
# read /etc/nsswitch.conf
-@@ -1531,7 +1584,15 @@
+@@ -1531,7 +1581,15 @@
')
optional_policy(`
@@ -40128,8 +40275,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.7.19/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/authlogin.te 2010-11-02 16:58:56.412650880 +0100
-@@ -6,6 +6,13 @@
++++ serefpolicy-3.7.19/policy/modules/system/authlogin.te 2011-01-14 14:32:33.697042630 +0100
+@@ -6,9 +6,17 @@
# Declarations
#
@@ -40143,7 +40290,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
attribute can_relabelto_shadow_passwords;
-@@ -84,7 +91,7 @@
++attribute polydomain;
+
+ type auth_cache_t;
+ logging_log_file(auth_cache_t)
+@@ -84,7 +92,7 @@
allow chkpwd_t self:capability { dac_override setuid };
dontaudit chkpwd_t self:capability sys_tty_config;
@@ -40152,6 +40303,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
allow chkpwd_t shadow_t:file read_file_perms;
files_list_etc(chkpwd_t)
+@@ -395,3 +403,13 @@
+ xserver_use_xdm_fds(utempter_t)
+ xserver_rw_xdm_pipes(utempter_t)
+ ')
++
++tunable_policy(`allow_polyinstantiation',`
++ files_polyinstantiate_all(polydomain)
++')
++
++optional_policy(`
++ tunable_policy(`allow_polyinstantiation',`
++ namespace_init_domtrans(polydomain)
++ ')
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.if serefpolicy-3.7.19/policy/modules/system/daemontools.if
--- nsaserefpolicy/policy/modules/system/daemontools.if 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/system/daemontools.if 2010-05-28 09:42:00.211610814 +0200
@@ -40454,7 +40619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
# /var
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.19/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/init.if 2010-10-26 10:34:57.510650962 +0200
++++ serefpolicy-3.7.19/policy/modules/system/init.if 2011-01-14 14:25:37.423041886 +0100
@@ -193,8 +193,10 @@
gen_require(`
attribute direct_run_init, direct_init, direct_init_entry;
@@ -40589,7 +40754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
')
-@@ -781,23 +832,45 @@
+@@ -781,19 +832,41 @@
#
interface(`init_domtrans_script',`
gen_require(`
@@ -40612,11 +40777,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
ifdef(`enable_mls',`
- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
- ')
- ')
-
- ########################################
- ##