diff --git a/modules-mls.conf b/modules-mls.conf
index 3a7406e..f880c29 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -249,6 +249,13 @@ tmpreaper = base
dmidecode = base
# Layer: apps
+# Module: gitosis
+#
+# Policy for gitosis.
+#
+gitosis = module
+
+# Layer: apps
# Module: gpg
#
# Policy for GNU Privacy Guard and related programs.
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 045993d..622146c 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -386,6 +386,13 @@ domain = base
dovecot = base
# Layer: apps
+# Module: gitosis
+#
+# Policy for gitosis.
+#
+gitosis = module
+
+# Layer: apps
# Module: gpg
#
# Policy for GNU Privacy Guard and related programs.
diff --git a/policy-20071130.patch b/policy-20071130.patch
index a131b61..2d03154 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -574982,6 +574982,159 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.te
+type user_gift_home_t alias user_gift_rw_t;
+userdom_user_home_content(user,user_gift_home_t)
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.fc serefpolicy-3.3.1/policy/modules/apps/gitosis.fc
+--- nsaserefpolicy/policy/modules/apps/gitosis.fc 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/apps/gitosis.fc 2009-03-20 10:45:37.000000000 +0100
+@@ -0,0 +1,4 @@
++
++/usr/bin/gitosis-serve -- gen_context(system_u:object_r:gitosis_exec_t,s0)
++
++/var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.3.1/policy/modules/apps/gitosis.if
+--- nsaserefpolicy/policy/modules/apps/gitosis.if 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/apps/gitosis.if 2009-03-20 10:45:37.000000000 +0100
+@@ -0,0 +1,94 @@
++## gitosis interface
++
++#######################################
++##
++## Execute a domain transition to run gitosis.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`gitosis_domtrans',`
++ gen_require(`
++ type gitosis_t, gitosis_exec_t;
++ ')
++
++ domtrans_pattern($1, gitosis_exec_t, gitosis_t)
++')
++
++#######################################
++##
++## Execute gitosis-serve in the gitosis domain, and
++## allow the specified role the gitosis domain.
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The role to be allowed the gpsd domain.
++##
++##
++##
++##
++## The type of the role's terminal.
++##
++##
++#
++interface(`gitosis_run',`
++ gen_require(`
++ type gitosis_t;
++ ')
++
++ gitosis_domtrans($1)
++ role $2 types gitosis_t;
++ allow gitosis_t $3:chr_file rw_term_perms;
++')
++
++#######################################
++##
++## Allow the specified domain to read
++## gitosis lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gitosis_read_var_lib',`
++ gen_require(`
++ type gitosis_var_lib_t;
++
++ ')
++
++ read_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
++ read_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
++ list_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
++')
++
++######################################
++##
++## Allow the specified domain to manage
++## gitosis lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gitosis_manage_var_lib',`
++ gen_require(`
++ type gitosis_var_lib_t;
++
++ ')
++
++ manage_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
++ manage_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
++ manage_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.te serefpolicy-3.3.1/policy/modules/apps/gitosis.te
+--- nsaserefpolicy/policy/modules/apps/gitosis.te 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/apps/gitosis.te 2009-03-20 10:45:37.000000000 +0100
+@@ -0,0 +1,43 @@
++policy_module(gitosis,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type gitosis_t;
++type gitosis_exec_t;
++application_domain(gitosis_t, gitosis_exec_t)
++role system_r types gitosis_t;
++
++type gitosis_var_lib_t;
++files_type(gitosis_var_lib_t)
++
++########################################
++#
++# gitosis local policy
++#
++
++allow gitosis_t self:fifo_file rw_fifo_file_perms;
++
++exec_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
++manage_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
++manage_lnk_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
++manage_dirs_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
++
++corecmd_exec_bin(gitosis_t)
++corecmd_exec_shell(gitosis_t)
++
++kernel_read_system_state(gitosis_t)
++
++files_read_usr_files(gitosis_t)
++files_search_var_lib(gitosis_t)
++
++libs_use_ld_so(gitosis_t)
++libs_use_shared_libs(gitosis_t)
++
++miscfiles_read_localization(gitosis_t)
++
++optional_policy(`
++ ssh_rw_pipes(gitosis_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.3.1/policy/modules/apps/gnome.fc
--- nsaserefpolicy/policy/modules/apps/gnome.fc 2008-02-26 14:23:12.000000000 +0100
+++ serefpolicy-3.3.1/policy/modules/apps/gnome.fc 2009-02-12 22:21:57.000000000 +0100
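Review bot: The `gitosis_run` description in the new gitosis.if still reads `The role to be allowed the gpsd domain.`, a copy-paste leftover that should say `The role to be allowed the gitosis domain.`. Unlike `spamass_milter_manage_state` and `mysql_append_db_files` added elsewhere in this patch, `gitosis_read_var_lib` and `gitosis_manage_var_lib` do not call `files_search_var_lib($1)`, so a caller cannot reach /var/lib/gitosis through the interface alone, and both `gen_require` blocks carry a stray blank line. In gitosis.te, `exec_files_pattern` and `manage_files_pattern` are both granted on `gitosis_var_lib_t`, so gitosis_t may execute anything it can write under /var/lib/gitosis; if that is deliberate (presumably repository hook scripts), a comment such as `# gitosis executes hook scripts kept under /var/lib/gitosis` should record it, otherwise the executable content deserves its own type.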
@@ -578584,23 +578737,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.3.1/policy/modules/apps/wine.fc --- nsaserefpolicy/policy/modules/apps/wine.fc 2008-02-26 14:23:12.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/apps/wine.fc 2009-03-05 19:08:30.000000000 +0100 -@@ -1,4 +1,13 @@ - /usr/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) - --/opt/cxoffice/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) --/opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) -+/opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) -+/opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) -+/opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) -+HOME_DIR/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) ++++ serefpolicy-3.3.1/policy/modules/apps/wine.fc 2009-03-20 10:56:49.000000000 +0100 +@@ -1,4 +1,22 @@ ++HOME_DIR/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) + + /usr/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) +/usr/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0) +/usr/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0) +/usr/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0) +/usr/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0) +/usr/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0) +/usr/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0) ++ ++/opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) ++/opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) + +-/opt/cxoffice/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) +-/opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) ++/opt/google/picasa(/.*)?/bin/wine.* -- 
gen_context(system_u:object_r:wine_exec_t,s0) ++/opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) ++/opt/google/picasa(/.*)?/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0) ++/opt/google/picasa(/.*)?/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0) ++/opt/google/picasa(/.*)?/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0) ++/opt/google/picasa(/.*)?/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0) ++/opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0) ++/opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0) ++/opt/google/picasa(/.*)?/bin/wdi -- gen_context(system_u:object_r:wine_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.3.1/policy/modules/apps/wine.if --- nsaserefpolicy/policy/modules/apps/wine.if 2008-02-26 14:23:12.000000000 +0100 +++ serefpolicy-3.3.1/policy/modules/apps/wine.if 2009-02-12 22:21:57.000000000 +0100 @@ -643198,7 +643360,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.3.1/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2008-02-26 14:23:11.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.te 2009-02-12 22:21:57.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.te 2009-03-20 09:51:44.000000000 +0100 @@ -21,10 +21,11 @@ # Use xattrs for the following filesystem types. 
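Review bot: The new wine.fc lists `/opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)` twice in a row, and the inner hunk's count of 22 new lines only adds up with both copies present, so this looks like a genuine duplicate rather than an extraction artifact; one of the two lines should be dropped. The outer hunk removes the older single google/picasa entry, so nothing else in the file covers that path.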
@@ -643237,7 +643399,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy type vxfs_t; fs_noxattr_type(vxfs_t) files_mountpoint(vxfs_t) -@@ -199,6 +211,7 @@ +@@ -192,6 +204,11 @@ + genfscon ntfs-3g / gen_context(system_u:object_r:dosfs_t,s0) + genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0) + genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0) ++# Labeling dosfs_t since these are removable file systems with the i ++# same security properties as dosfs_t ++genfscon hfs / gen_context(system_u:object_r:dosfs_t,s0) ++genfscon hfsplus / gen_context(system_u:object_r:dosfs_t,s0) ++ + + type fusefs_t; + fs_noxattr_type(fusefs_t) +@@ -199,6 +216,7 @@ allow fusefs_t fs_t:filesystem associate; genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0) genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0) @@ -643245,13 +643419,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy # # iso9660_t is the type for CD filesystems -@@ -228,9 +241,14 @@ +@@ -228,9 +246,12 @@ genfscon nfs4 / gen_context(system_u:object_r:nfs_t,s0) genfscon afs / gen_context(system_u:object_r:nfs_t,s0) genfscon coda / gen_context(system_u:object_r:nfs_t,s0) +-genfscon hfs / gen_context(system_u:object_r:nfs_t,s0) +-genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0) +genfscon dazukofs / gen_context(system_u:object_r:nfs_t,s0) - genfscon hfs / gen_context(system_u:object_r:nfs_t,s0) - genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) +genfscon lustre / gen_context(system_u:object_r:nfs_t,s0) +genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) 
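Review bot: The new comment above the hfs/hfsplus genfscon lines ends in a stray token, `# Labeling dosfs_t since these are removable file systems with the i`; rewrite the pair as `# Label hfs and hfsplus as dosfs_t: they are removable file systems with the` followed by `# same security properties as dosfs_t.`. Since the following hunk in the same file drops the two `genfscon hfs`/`genfscon hfsplus` nfs_t lines, the comment could also state that the labels move from nfs_t to dosfs_t, which makes the intent of the second hunk clear to someone reading filesystem.te on its own.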
@@ -653809,20 +653983,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail +files_type(mailscanner_spool_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.fc serefpolicy-3.3.1/policy/modules/services/milter.fc --- nsaserefpolicy/policy/modules/services/milter.fc 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/services/milter.fc 2009-02-12 22:21:57.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/services/milter.fc 2009-03-20 10:52:45.000000000 +0100 @@ -0,0 +1,8 @@ + +/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0) +/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0) -+ ++/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0) +/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) +/var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0) + +/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.3.1/policy/modules/services/milter.if --- nsaserefpolicy/policy/modules/services/milter.if 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/services/milter.if 2009-02-13 09:54:07.000000000 +0100 -@@ -0,0 +1,84 @@ ++++ serefpolicy-3.3.1/policy/modules/services/milter.if 2009-03-20 10:54:05.000000000 +0100 +@@ -0,0 +1,105 @@ +## Milter mail filters + +######################################## 
@@ -653907,10 +654081,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milt + getattr_sock_files_pattern($1, milter_data_type, milter_data_type) +') + ++####################################### ++## ++## Manage spamassassin milter state ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`spamass_milter_manage_state',` ++ gen_require(` ++ type spamass_milter_state_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t) ++ manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t) ++ manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.te serefpolicy-3.3.1/policy/modules/services/milter.te --- nsaserefpolicy/policy/modules/services/milter.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/services/milter.te 2009-02-12 22:21:57.000000000 +0100 -@@ -0,0 +1,55 @@ ++++ serefpolicy-3.3.1/policy/modules/services/milter.te 2009-03-20 10:52:02.000000000 +0100 +@@ -0,0 +1,65 @@ + +policy_module(milter, 1.0.0) + @@ -653927,6 +654122,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milt +milter_template(regex) +milter_template(spamass) + ++# Type for the spamass-milter home directory, under which spamassassin will ++# store system-wide preferences, bayes databases etc. if not configured to ++# use per-user configuration ++type spamass_milter_state_t; ++files_type(spamass_milter_state_t); ++ +######################################## +# +# milter-regex local policy 
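Review bot: `files_type(spamass_milter_state_t);` in the new milter.te declarations carries a trailing semicolon, and so does `files_search_var_lib(spamass_milter_t);` in the spamass-milter local policy hunk that follows; refpolicy interface calls are written without one (compare `milter_template(spamass)` two lines above), and m4 passes the stray `;` through into the expanded policy. Drop both: `files_type(spamass_milter_state_t)` and `files_search_var_lib(spamass_milter_t)`.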
@@ -653954,6 +654155,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milt +# http://savannah.nongnu.org/projects/spamass-milt/ +# + ++# The milter runs from /var/lib/spamass-milter ++files_search_var_lib(spamass_milter_t); ++allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms; ++ +kernel_read_system_state(spamass_milter_t) + +# When used with -b or -B options, the milter invokes sendmail to send mail @@ -654686,7 +654891,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq +/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.3.1/policy/modules/services/mysql.if --- nsaserefpolicy/policy/modules/services/mysql.if 2008-02-26 14:23:10.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/services/mysql.if 2009-02-27 09:20:53.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/services/mysql.if 2009-03-20 09:44:03.000000000 +0100 @@ -32,9 +32,11 @@ interface(`mysql_stream_connect',` gen_require(` @@ -654709,12 +654914,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq ') ######################################## -@@ -118,6 +121,25 @@ +@@ -118,6 +121,44 @@ allow $1 mysqld_db_t:dir manage_dir_perms; ') +###################################### +## ++## Append to the MySQL database directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mysql_append_db_files',` ++ gen_require(` ++ type mysqld_db_t; ++ ') ++ ++ files_search_var_lib($1) ++ append_files_pattern($1, mysqld_db_t, mysqld_db_t) ++') ++ ++###################################### ++## +## Create, read, write, and delete MySQL database files. +## +## 
@@ -654735,12 +654959,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq ######################################## ## ## Read and write to the MySQL database -@@ -155,5 +177,95 @@ +@@ -155,5 +196,95 @@ ') logging_search_logs($1) - allow $1 mysqld_log_t:file { write append setattr ioctl }; -+ write_files_pattern($1,mysqld_log_t,mysqld_log_t) ++ allow $1 mysqld_log_t:file { write_file_perms setattr getattr }; +') + +#################################### @@ -654834,7 +655058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.3.1/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2008-02-26 14:23:10.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/services/mysql.te 2009-02-27 09:18:38.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/services/mysql.te 2009-03-20 09:44:49.000000000 +0100 @@ -10,6 +10,10 @@ type mysqld_exec_t; init_daemon_domain(mysqld_t,mysqld_exec_t) @@ -654876,7 +655100,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq domain_use_interactive_fds(mysqld_t) -@@ -119,3 +128,38 @@ +@@ -119,3 +128,37 @@ optional_policy(` udev_read_db(mysqld_t) ') @@ -654891,8 +655115,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq +allow mysqld_safe_t self:capability { dac_override fowner chown }; +allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; + -+append_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) -+ ++mysql_append_db_files(mysqld_safe_t) +mysql_read_config(mysqld_safe_t) +mysql_search_pid_files(mysqld_safe_t) +mysql_write_log(mysqld_safe_t) 
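Review bot: In the new `mysql_write_log` body, `allow $1 mysqld_log_t:file { write_file_perms setattr getattr };` names `getattr` redundantly, since refpolicy's `write_file_perms` set already includes getattr; `allow $1 mysqld_log_t:file { write_file_perms setattr };` expresses the same grant. Replacing the bare `append_files_pattern` on mysqld_safe_t with the new `mysql_append_db_files(mysqld_safe_t)` interface is the right direction, as the interface also supplies the `files_search_var_lib` the pattern alone lacked.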
@@ -664696,7 +664919,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.3.1/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2008-02-26 14:23:10.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/services/spamassassin.te 2009-02-12 22:21:57.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/services/spamassassin.te 2009-03-20 10:50:40.000000000 +0100 @@ -21,8 +21,10 @@ gen_tunable(spamd_enable_home_dirs,true) @@ -664837,7 +665060,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ') optional_policy(` -@@ -212,3 +267,221 @@ +@@ -209,6 +264,228 @@ + mta_read_config(spamd_t) + ') + ++ optional_policy(` ++ spamass_milter_manage_state(spamd_t) ++') ++ optional_policy(` udev_read_db(spamd_t) ') @@ -665277,7 +665507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. /etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.3.1/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2008-02-26 14:23:10.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/services/ssh.if 2009-02-12 22:21:57.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/services/ssh.if 2009-03-20 10:49:05.000000000 +0100 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; 
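Review bot: The opening `optional_policy(` line of the new spamassassin.te block is indented while its closing `')` and the neighbouring `optional_policy` blocks are flush left; align it with the others. The block itself gives spamd_t create, write and delete access to spamass_milter_state_t, which matches the milter.te comment describing that directory as the spamass-milter home where spamassassin stores its databases, so only the formatting needs attention.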
@@ -665471,9 +665701,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. corenet_tcp_bind_ssh_port($1_t) corenet_tcp_connect_all_ports($1_t) + corenet_tcp_bind_all_unreserved_ports($1_t) - corenet_sendrecv_ssh_server_packets($1_t) -+ # -R qualifier + corenet_sendrecv_ssh_server_packets($1_t) ++ # -R qualifier + corenet_sendrecv_ssh_server_packets($1_t) + # tunnel feature and -w (net_admin capability also) + corenet_rw_tun_tap_dev($1_t) @@ -665516,7 +665746,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') optional_policy(` -@@ -710,3 +731,22 @@ +@@ -638,6 +659,25 @@ + refpolicywarn(`$0($*) has been deprecated.') + ') + ++###################################### ++## ++## Allow attempts to read and write to ++## sshd unnamed pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ssh_rw_pipes',` ++ gen_require(` ++ type sshd_t; ++ ') ++ ++ allow $1 sshd_t:fifo_file rw_fifo_file_perms; ++') ++ + ######################################## + ## + ## Execute the ssh daemon sshd domain. +@@ -710,3 +750,22 @@ dontaudit $1 sshd_key_t:file { getattr read }; ') @@ -665541,7 +665797,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.3.1/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2008-02-26 14:23:10.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/services/ssh.te 2009-02-13 09:41:34.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/services/ssh.te 2009-03-20 10:47:26.000000000 +0100 @@ -24,7 +24,7 @@ # Type for the ssh-agent executable. 
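Review bot: The separator above the new `ssh_rw_pipes` interface appears shorter than the `########################################` lines used by the rest of ssh.if, one of which sits directly below the new block; the separators above the new gitosis.if and mysql.if interfaces in this patch look short as well. Pad them to the existing width so the files stay uniform. The interface body, `allow $1 sshd_t:fifo_file rw_fifo_file_perms;`, is what gitosis.te relies on through `ssh_rw_pipes(gitosis_t)`, so its summary could add that it is intended for commands sshd spawns with inherited pipes, if that is indeed the use case.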
@@ -665590,7 +665846,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd # ioctl is necessary for logout() processing for utmp entry and for w to -@@ -101,6 +119,10 @@ +@@ -101,6 +119,14 @@ ') optional_policy(` @@ -665598,10 +665854,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. +') + +optional_policy(` ++ gitosis_read_var_lib(sshd_t) ++') ++ ++optional_policy(` daemontools_service_domain(sshd_t, sshd_exec_t) ') -@@ -119,7 +141,11 @@ +@@ -119,7 +145,11 @@ ') optional_policy(` @@ -669988,7 +670248,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.3.1/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2008-02-26 14:23:09.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/system/libraries.fc 2009-03-05 13:40:29.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/system/libraries.fc 2009-03-20 09:46:49.000000000 +0100 @@ -69,8 +69,10 @@ ifdef(`distro_gentoo',` # despite the extensions, they are actually libs 
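Review bot: `gitosis_read_var_lib(sshd_t)` gives sshd read and list access to all of gitosis_var_lib_t, i.e. everything under /var/lib/gitosis, with no comment on why sshd needs it; presumably it exists so sshd can read the gitosis account's SSH authorized keys, which would live under that directory. Add a why-comment above the call such as `# sshd reads the gitosis account's authorized keys under /var/lib/gitosis`, and if the key file can later be given its own type, narrow the grant to that rather than every repository. The enclosing optional_policy block is complete within the hunk.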
@@ -670053,7 +670313,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -229,7 +238,8 @@ +@@ -204,6 +213,9 @@ + /usr/lib(64)?/.*/program/libsoffice\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/(.*/)?pcsc/drivers(/.*)?/lib(cm2020|cm4000|SCR24x)\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + ++# Canon ++/usr/lib/libcncpmslld328\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) ++ + # Fedora Extras packages: ladspa, imlib2, ocaml + /usr/lib(64)?/ladspa/analogue_osc_1416\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/ladspa/bandpass_a_iir_1893\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +@@ -229,7 +241,8 @@ /usr/lib(64)?/php/modules/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame @@ -670063,7 +670333,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -242,12 +252,13 @@ +@@ -242,12 +255,13 @@ # Flash plugin, Macromedia HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
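Review bot: The new Canon entry `/usr/lib/libcncpmslld328\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)` differs from every neighbouring textrel_shlib_t line in two ways: it hard-codes `/usr/lib/` where the others use `/usr/lib(64)?/`, and it omits the `--` file-type field, so the label would also apply to directories and symlinks matching the pattern. Unless both are intended, write it as `/usr/lib(64)?/libcncpmslld328\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`.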
@@ -670079,7 +670349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar # Jai, Sun Microsystems (Jpackage SPRM) /usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -263,6 +274,8 @@ +@@ -263,6 +277,8 @@ /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -670088,7 +670358,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar # Java, Sun Microsystems (JPackage SRPM) /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -287,11 +300,15 @@ +@@ -287,11 +303,15 @@ /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -670104,7 +670374,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) -@@ -301,6 +318,28 @@ +@@ -301,6 +321,28 @@ /var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0) ') @@ -671977,7 +672247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.t +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.3.1/policy/modules/system/raid.te --- nsaserefpolicy/policy/modules/system/raid.te 2008-02-26 14:23:09.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/system/raid.te 2009-02-12 22:21:57.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/system/raid.te 2009-03-20 09:45:43.000000000 +0100 
@@ -19,7 +19,7 @@ # Local policy # @@ -671995,7 +672265,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t fs_search_auto_mountpoints(mdadm_t) fs_dontaudit_list_tmpfs(mdadm_t) -@@ -85,3 +86,7 @@ +@@ -48,6 +49,9 @@ + storage_dev_filetrans_fixed_disk(mdadm_t) + storage_read_scsi_generic(mdadm_t) + ++mls_file_read_all_levels(mdadm_t) ++mls_file_write_all_levels(mdadm_t) ++ + term_dontaudit_list_ptys(mdadm_t) + + # Helper program access +@@ -85,3 +89,7 @@ optional_policy(` udev_read_db(mdadm_t) ') @@ -673853,7 +674133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.3.1/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-02-26 14:23:09.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2009-02-12 22:21:57.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2009-03-20 10:46:32.000000000 +0100 @@ -6,35 +6,72 @@ # Declarations # @@ -674014,20 +674294,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -118,11 +174,7 @@ +@@ -118,11 +174,11 @@ ') optional_policy(` - inn_domtrans(unconfined_t) --') -- --optional_policy(` ++ gitosis_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t }) + ') + + optional_policy(` - java_domtrans(unconfined_t) + iptables_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') optional_policy(` -@@ -134,82 +186,92 @@ +@@ -134,82 +190,92 @@ ') optional_policy(` @@ -674148,7 +674429,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') ######################################## -@@ -219,14 +281,38 @@ +@@ -219,14 +285,38 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) 
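Review bot: `mls_file_read_all_levels(mdadm_t)` and `mls_file_write_all_levels(mdadm_t)` let mdadm read and write files at every MLS level, a broad exemption from the MLS constraints that arrives with no comment; the surrounding `storage_*` calls suggest it concerns raw array member devices, but the hunk does not say so. Add a why-comment above the pair, e.g. `# mdadm operates on raw array members, which may hold data at any MLS level`, after confirming the reason with the submitter. The rest of the mdadm local policy continues outside the hunk.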
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ec129bc..c5bf1a8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 127%{?dist}
+Release: 128%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -444,6 +444,9 @@ exit 0
%endif
%changelog
+* Fri Mar 20 2009 Miroslav Grepl 3.3.1-128
+- Add gitosis policy
+
* Fri Mar 13 2009 Miroslav Grepl 3.3.1-127
- Allow NetworkManager_t to execute udev