diff --git a/.cvsignore b/.cvsignore
index 23f8547..fdfed60 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -202,3 +202,4 @@ serefpolicy-3.7.8.tgz
setroubleshoot-2.2.58.tar.gz
serefpolicy-3.7.9.tgz
serefpolicy-3.7.11.tgz
+serefpolicy-3.7.12.tgz
diff --git a/nsadiff b/nsadiff
index 8a38a9d..b96333f 100755
--- a/nsadiff
+++ b/nsadiff
@@ -1 +1 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.7.10 > /tmp/diff
+diff --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.7.12 > /tmp/diff
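Review bot: The redirect target `/tmp/diff` on the changed line is a fixed file name in a world-writable directory, so on a shared build host the output can land in a file or symlink that another account created there first, or be read back later as stale content. Writing to a file created by `mktemp`, or to a path inside the working tree, avoids that, for example `out=$(mktemp) && diff --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.7.12 > "$out"`. The directory name is also hard-coded and had already drifted: the old line said 3.7.10 while the patch headers were at 3.7.11. Taking the version as an argument would stop that recurring.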
diff --git a/policy-F13.patch b/policy-F13.patch
index 36b088e..4274020 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -1,6 +1,6 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.11/Makefile
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.12/Makefile
--- nsaserefpolicy/Makefile 2009-08-18 11:41:14.000000000 -0400
-+++ serefpolicy-3.7.11/Makefile 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/Makefile 2010-03-05 17:18:51.000000000 -0500
@@ -244,7 +244,7 @@
appdir := $(contextpath)
user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
@@ -10,9 +10,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.11/
net_contexts := $(builddir)net_contexts
all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.7.11/policy/global_tunables
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.7.12/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.11/policy/global_tunables 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/global_tunables 2010-03-05 17:18:51.000000000 -0500
@@ -61,15 +61,6 @@
##
@@ -48,9 +48,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref
+##
+gen_tunable(mmap_low_allowed, false)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-3.7.11/policy/modules/admin/acct.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-3.7.12/policy/modules/admin/acct.te
--- nsaserefpolicy/policy/modules/admin/acct.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/admin/acct.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/acct.te 2010-03-05 17:18:51.000000000 -0500
@@ -43,6 +43,7 @@
fs_getattr_xattr_fs(acct_t)
@@ -59,9 +59,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te
corecmd_exec_bin(acct_t)
corecmd_exec_shell(acct_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.7.11/policy/modules/admin/alsa.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.7.12/policy/modules/admin/alsa.if
--- nsaserefpolicy/policy/modules/admin/alsa.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/admin/alsa.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/alsa.if 2010-03-05 17:18:51.000000000 -0500
@@ -76,6 +76,26 @@
########################################
@@ -89,9 +89,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if
## Read alsa lib files.
##
##
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.7.11/policy/modules/admin/alsa.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.7.12/policy/modules/admin/alsa.te
--- nsaserefpolicy/policy/modules/admin/alsa.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/admin/alsa.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/alsa.te 2010-03-05 17:18:51.000000000 -0500
@@ -51,6 +51,8 @@
files_read_etc_files(alsa_t)
files_read_usr_files(alsa_t)
@@ -101,9 +101,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
auth_use_nsswitch(alsa_t)
init_use_fds(alsa_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.7.11/policy/modules/admin/anaconda.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.7.12/policy/modules/admin/anaconda.te
--- nsaserefpolicy/policy/modules/admin/anaconda.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/admin/anaconda.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/anaconda.te 2010-03-05 17:18:51.000000000 -0500
@@ -31,6 +31,7 @@
modutils_domtrans_insmod(anaconda_t)
@@ -121,9 +121,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anacond
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.7.11/policy/modules/admin/brctl.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.7.12/policy/modules/admin/brctl.te
--- nsaserefpolicy/policy/modules/admin/brctl.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/admin/brctl.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/brctl.te 2010-03-05 17:18:51.000000000 -0500
@@ -21,7 +21,7 @@
allow brctl_t self:unix_dgram_socket create_socket_perms;
allow brctl_t self:tcp_socket create_socket_perms;
@@ -133,9 +133,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.t
kernel_read_network_state(brctl_t)
kernel_read_sysctl(brctl_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.7.11/policy/modules/admin/certwatch.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.7.12/policy/modules/admin/certwatch.te
--- nsaserefpolicy/policy/modules/admin/certwatch.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/admin/certwatch.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/certwatch.te 2010-03-05 17:18:51.000000000 -0500
@@ -36,7 +36,7 @@
miscfiles_read_localization(certwatch_t)
@@ -145,9 +145,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwat
optional_policy(`
apache_exec_modules(certwatch_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.if serefpolicy-3.7.11/policy/modules/admin/consoletype.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.if serefpolicy-3.7.12/policy/modules/admin/consoletype.if
--- nsaserefpolicy/policy/modules/admin/consoletype.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/admin/consoletype.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/consoletype.if 2010-03-05 17:18:51.000000000 -0500
@@ -19,6 +19,9 @@
corecmd_search_bin($1)
@@ -158,9 +158,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.7.11/policy/modules/admin/consoletype.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.7.12/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/admin/consoletype.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/consoletype.te 2010-03-05 17:18:51.000000000 -0500
@@ -10,7 +10,6 @@
type consoletype_exec_t;
application_executable_file(consoletype_exec_t)
@@ -169,9 +169,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console
role system_r types consoletype_t;
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.7.11/policy/modules/admin/firstboot.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.7.12/policy/modules/admin/firstboot.te
--- nsaserefpolicy/policy/modules/admin/firstboot.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/admin/firstboot.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/firstboot.te 2010-03-05 17:18:51.000000000 -0500
@@ -91,8 +91,12 @@
userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
@@ -194,9 +194,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstbo
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.7.11/policy/modules/admin/kismet.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.7.12/policy/modules/admin/kismet.te
--- nsaserefpolicy/policy/modules/admin/kismet.te 2009-11-25 15:15:48.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/admin/kismet.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/kismet.te 2010-03-05 17:18:51.000000000 -0500
@@ -45,6 +45,7 @@
manage_dirs_pattern(kismet_t, kismet_home_t, kismet_home_t)
manage_files_pattern(kismet_t, kismet_home_t, kismet_home_t)
@@ -223,9 +223,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
corecmd_exec_bin(kismet_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.7.11/policy/modules/admin/logrotate.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.7.12/policy/modules/admin/logrotate.te
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/admin/logrotate.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/logrotate.te 2010-03-05 17:18:51.000000000 -0500
@@ -32,7 +32,7 @@
# Change ownership on log files.
allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
@@ -325,9 +325,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
+optional_policy(`
varnishd_manage_log(logrotate_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.7.11/policy/modules/admin/logwatch.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.7.12/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/admin/logwatch.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/logwatch.te 2010-03-05 17:18:51.000000000 -0500
@@ -93,6 +93,13 @@
sysnet_exec_ifconfig(logwatch_t)
@@ -348,15 +348,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
samba_read_log(logwatch_t)
+ samba_read_share_files(logwatch_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.fc serefpolicy-3.7.11/policy/modules/admin/mcelog.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.fc serefpolicy-3.7.12/policy/modules/admin/mcelog.fc
--- nsaserefpolicy/policy/modules/admin/mcelog.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/admin/mcelog.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/mcelog.fc 2010-03-05 17:18:51.000000000 -0500
@@ -0,0 +1,2 @@
+
+/usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.if serefpolicy-3.7.11/policy/modules/admin/mcelog.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.if serefpolicy-3.7.12/policy/modules/admin/mcelog.if
--- nsaserefpolicy/policy/modules/admin/mcelog.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/admin/mcelog.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/mcelog.if 2010-03-05 17:18:51.000000000 -0500
@@ -0,0 +1,21 @@
+
+## policy for mcelog
@@ -379,9 +379,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.
+ domtrans_pattern($1, mcelog_exec_t, mcelog_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.te serefpolicy-3.7.11/policy/modules/admin/mcelog.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.te serefpolicy-3.7.12/policy/modules/admin/mcelog.te
--- nsaserefpolicy/policy/modules/admin/mcelog.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/admin/mcelog.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/mcelog.te 2010-03-05 17:18:51.000000000 -0500
@@ -0,0 +1,32 @@
+
+policy_module(mcelog,1.0.0)
@@ -415,9 +415,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.
+miscfiles_read_localization(mcelog_t)
+
+logging_send_syslog_msg(mcelog_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.7.11/policy/modules/admin/mrtg.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.7.12/policy/modules/admin/mrtg.te
--- nsaserefpolicy/policy/modules/admin/mrtg.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/admin/mrtg.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/mrtg.te 2010-03-05 17:18:51.000000000 -0500
@@ -116,6 +116,7 @@
userdom_use_user_terminals(mrtg_t)
userdom_dontaudit_read_user_home_content_files(mrtg_t)
@@ -426,9 +426,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te
netutils_domtrans_ping(mrtg_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.fc serefpolicy-3.7.11/policy/modules/admin/netutils.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.fc serefpolicy-3.7.12/policy/modules/admin/netutils.fc
--- nsaserefpolicy/policy/modules/admin/netutils.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/admin/netutils.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/netutils.fc 2010-03-05 17:18:51.000000000 -0500
@@ -9,6 +9,7 @@
/usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0)
/usr/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
@@ -437,9 +437,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
/usr/sbin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
/usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0)
/usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.7.11/policy/modules/admin/netutils.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.7.12/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/admin/netutils.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/netutils.te 2010-03-05 17:18:51.000000000 -0500
@@ -44,6 +44,7 @@
allow netutils_t self:packet_socket create_socket_perms;
allow netutils_t self:udp_socket create_socket_perms;
@@ -490,17 +490,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
+ term_use_all_ttys(traceroute_t)
+ term_use_all_ptys(traceroute_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.7.11/policy/modules/admin/prelink.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.7.12/policy/modules/admin/prelink.fc
--- nsaserefpolicy/policy/modules/admin/prelink.fc 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/admin/prelink.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/prelink.fc 2010-03-05 17:18:51.000000000 -0500
@@ -1,3 +1,4 @@
+/etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0)
/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.7.11/policy/modules/admin/prelink.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.7.12/policy/modules/admin/prelink.if
--- nsaserefpolicy/policy/modules/admin/prelink.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/admin/prelink.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/prelink.if 2010-03-05 17:18:51.000000000 -0500
@@ -21,6 +21,25 @@
########################################
@@ -541,9 +541,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
- relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
+ relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.11/policy/modules/admin/prelink.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.12/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/admin/prelink.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/prelink.te 2010-03-05 17:18:51.000000000 -0500
@@ -21,8 +21,21 @@
type prelink_tmp_t;
files_tmp_file(prelink_tmp_t)
@@ -608,7 +608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
optional_policy(`
amanda_manage_lib(prelink_t)
-@@ -99,5 +118,58 @@
+@@ -99,5 +118,59 @@
')
optional_policy(`
@@ -649,7 +649,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
+files_read_etc_files(prelink_cron_system_t)
+
+files_search_var_lib(prelink_cron_system_t)
-+files_search_var_log(prelink_cron_system_t)
+
+init_chat(prelink_cron_system_t)
+init_exec(prelink_cron_system_t)
@@ -658,6 +657,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
+
+libs_exec_ld_so(prelink_cron_system_t)
+
++logging_search_logs(prelink_cron_system_t)
++
+miscfiles_read_localization(prelink_cron_system_t)
+
+optional_policy(`
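Review bot: The added `logging_search_logs(prelink_cron_system_t)` line carries no comment saying which path under the log directory the prelink cron domain needs to reach, and the `files_search_var_log` call it replaces (removed in the preceding hunk) had none either. A one-line comment above it, such as `# traverse the log directory to reach prelink's own log files (confirm path)`, would let a later audit check that directory search is all this domain needs there. The policy block for prelink_cron_system_t starts and ends outside this hunk, so whether a matching rule for the log files themselves exists cannot be checked from here.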
@@ -667,9 +668,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
+optional_policy(`
+ rpm_read_db(prelink_cron_system_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.te serefpolicy-3.7.11/policy/modules/admin/quota.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.te serefpolicy-3.7.12/policy/modules/admin/quota.te
--- nsaserefpolicy/policy/modules/admin/quota.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/admin/quota.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/quota.te 2010-03-05 17:18:51.000000000 -0500
@@ -39,6 +39,7 @@
kernel_list_proc(quota_t)
kernel_read_proc_symlinks(quota_t)
@@ -678,9 +679,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.t
dev_read_sysfs(quota_t)
dev_getattr_all_blk_files(quota_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.7.11/policy/modules/admin/readahead.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.7.12/policy/modules/admin/readahead.te
--- nsaserefpolicy/policy/modules/admin/readahead.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/admin/readahead.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/readahead.te 2010-03-05 17:18:51.000000000 -0500
@@ -52,6 +52,7 @@
files_list_non_security(readahead_t)
@@ -698,9 +699,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahe
fs_read_tmpfs_symlinks(readahead_t)
fs_list_inotifyfs(readahead_t)
fs_dontaudit_search_ramfs(readahead_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.7.11/policy/modules/admin/rpm.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.7.12/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/admin/rpm.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/rpm.fc 2010-03-05 17:18:51.000000000 -0500
@@ -1,18 +1,19 @@
/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -751,9 +752,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc
# SuSE
ifdef(`distro_suse', `
/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.7.11/policy/modules/admin/rpm.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.7.12/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/admin/rpm.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/rpm.if 2010-03-05 17:18:51.000000000 -0500
@@ -13,11 +13,36 @@
interface(`rpm_domtrans',`
gen_require(`
@@ -1207,9 +1208,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
+')
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.7.11/policy/modules/admin/rpm.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.7.12/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/admin/rpm.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/rpm.te 2010-03-05 17:18:51.000000000 -0500
@@ -1,6 +1,8 @@
policy_module(rpm, 1.10.0)
@@ -1494,18 +1495,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
optional_policy(`
java_domtrans_unconfined(rpm_script_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.fc serefpolicy-3.7.11/policy/modules/admin/shorewall.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.fc serefpolicy-3.7.12/policy/modules/admin/shorewall.fc
--- nsaserefpolicy/policy/modules/admin/shorewall.fc 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/admin/shorewall.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/shorewall.fc 2010-03-05 17:18:51.000000000 -0500
@@ -10,3 +10,5 @@
/var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
/var/lib/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
/var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+
+/var/log/shorewall.* gen_context(system_u:object_r:shorewall_log_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.7.11/policy/modules/admin/shorewall.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.7.12/policy/modules/admin/shorewall.te
--- nsaserefpolicy/policy/modules/admin/shorewall.te 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/admin/shorewall.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/shorewall.te 2010-03-05 17:18:51.000000000 -0500
@@ -29,6 +29,9 @@
type shorewall_var_lib_t;
files_type(shorewall_var_lib_t)
@@ -1536,22 +1537,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa
optional_policy(`
iptables_domtrans(shorewall_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.fc serefpolicy-3.7.11/policy/modules/admin/smoltclient.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.fc serefpolicy-3.7.12/policy/modules/admin/smoltclient.fc
--- nsaserefpolicy/policy/modules/admin/smoltclient.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/admin/smoltclient.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/smoltclient.fc 2010-03-05 17:18:51.000000000 -0500
@@ -0,0 +1,4 @@
+
+/usr/share/smolt/client/sendProfile.py -- gen_context(system_u:object_r:smoltclient_exec_t,s0)
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.if serefpolicy-3.7.11/policy/modules/admin/smoltclient.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.if serefpolicy-3.7.12/policy/modules/admin/smoltclient.if
--- nsaserefpolicy/policy/modules/admin/smoltclient.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/admin/smoltclient.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/smoltclient.if 2010-03-05 17:18:51.000000000 -0500
@@ -0,0 +1 @@
+## The Fedora hardware profiler client
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.7.11/policy/modules/admin/smoltclient.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.7.12/policy/modules/admin/smoltclient.te
--- nsaserefpolicy/policy/modules/admin/smoltclient.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/admin/smoltclient.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/smoltclient.te 2010-03-05 17:18:51.000000000 -0500
@@ -0,0 +1,66 @@
+policy_module(smoltclient,1.0.0)
+
@@ -1619,9 +1620,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltcl
+ rpm_exec(smoltclient_t)
+ rpm_read_db(smoltclient_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.7.11/policy/modules/admin/sudo.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.7.12/policy/modules/admin/sudo.if
--- nsaserefpolicy/policy/modules/admin/sudo.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/admin/sudo.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/sudo.if 2010-03-05 17:18:51.000000000 -0500
@@ -73,12 +73,16 @@
# Enter this derived domain from the user domain
domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
@@ -1650,9 +1651,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_sudo_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.7.11/policy/modules/admin/su.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.7.12/policy/modules/admin/su.if
--- nsaserefpolicy/policy/modules/admin/su.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/admin/su.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/su.if 2010-03-05 17:18:51.000000000 -0500
@@ -58,6 +58,10 @@
allow $2 $1_su_t:fifo_file rw_file_perms;
allow $2 $1_su_t:process sigchld;
@@ -1675,9 +1676,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
ps_process_pattern($3, $1_su_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.7.11/policy/modules/admin/tmpreaper.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.7.12/policy/modules/admin/tmpreaper.te
--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/admin/tmpreaper.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/tmpreaper.te 2010-03-05 17:18:51.000000000 -0500
@@ -42,6 +42,7 @@
cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
@@ -1716,9 +1717,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap
+optional_policy(`
unconfined_domain(tmpreaper_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.7.11/policy/modules/admin/usermanage.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.7.12/policy/modules/admin/usermanage.if
--- nsaserefpolicy/policy/modules/admin/usermanage.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/admin/usermanage.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/usermanage.if 2010-03-05 17:18:51.000000000 -0500
@@ -18,6 +18,10 @@
files_search_usr($1)
corecmd_search_bin($1)
@@ -1774,9 +1775,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
optional_policy(`
nscd_run(useradd_t, $2)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.11/policy/modules/admin/usermanage.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.12/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/admin/usermanage.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/usermanage.te 2010-03-05 17:18:51.000000000 -0500
@@ -209,6 +209,7 @@
files_manage_etc_files(groupadd_t)
files_relabel_etc_files(groupadd_t)
@@ -1845,9 +1846,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
puppet_rw_tmp(useradd_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.7.11/policy/modules/admin/vbetool.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.7.12/policy/modules/admin/vbetool.te
--- nsaserefpolicy/policy/modules/admin/vbetool.te 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/admin/vbetool.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/vbetool.te 2010-03-05 17:18:51.000000000 -0500
@@ -25,7 +25,13 @@
dev_rw_xserver_misc(vbetool_t)
dev_rw_mtrr(vbetool_t)
@@ -1862,9 +1863,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool
term_use_unallocated_ttys(vbetool_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.7.11/policy/modules/admin/vpn.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.7.12/policy/modules/admin/vpn.te
--- nsaserefpolicy/policy/modules/admin/vpn.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/admin/vpn.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/admin/vpn.te 2010-03-05 17:18:51.000000000 -0500
@@ -46,6 +46,7 @@
kernel_read_system_state(vpnc_t)
kernel_read_network_state(vpnc_t)
@@ -1881,9 +1882,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te
optional_policy(`
dbus_system_bus_client(vpnc_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.te serefpolicy-3.7.11/policy/modules/apps/cdrecord.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.te serefpolicy-3.7.12/policy/modules/apps/cdrecord.te
--- nsaserefpolicy/policy/modules/apps/cdrecord.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/cdrecord.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/cdrecord.te 2010-03-05 17:18:51.000000000 -0500
@@ -32,6 +32,8 @@
allow cdrecord_t self:unix_dgram_socket create_socket_perms;
allow cdrecord_t self:unix_stream_socket create_stream_socket_perms;
@@ -1893,15 +1894,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord
# allow searching for cdrom-drive
dev_list_all_dev_nodes(cdrecord_t)
dev_read_sysfs(cdrecord_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.fc serefpolicy-3.7.11/policy/modules/apps/chrome.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.fc serefpolicy-3.7.12/policy/modules/apps/chrome.fc
--- nsaserefpolicy/policy/modules/apps/chrome.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/chrome.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/chrome.fc 2010-03-05 17:18:51.000000000 -0500
@@ -0,0 +1,2 @@
+
+/usr/lib(64)?/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.7.11/policy/modules/apps/chrome.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.7.12/policy/modules/apps/chrome.if
--- nsaserefpolicy/policy/modules/apps/chrome.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/chrome.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/chrome.if 2010-03-05 17:18:51.000000000 -0500
@@ -0,0 +1,90 @@
+
+## policy for chrome
@@ -1993,9 +1994,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.i
+ allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.11/policy/modules/apps/chrome.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.12/policy/modules/apps/chrome.te
--- nsaserefpolicy/policy/modules/apps/chrome.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/chrome.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/chrome.te 2010-03-05 17:18:51.000000000 -0500
@@ -0,0 +1,81 @@
+policy_module(chrome,1.0.0)
+
@@ -2078,9 +2079,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.t
+ fs_dontaudit_append_cifs_files(chrome_sandbox_t)
+ fs_dontaudit_read_cifs_files(chrome_sandbox_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.7.11/policy/modules/apps/cpufreqselector.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.7.12/policy/modules/apps/cpufreqselector.te
--- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/cpufreqselector.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/cpufreqselector.te 2010-03-05 17:18:51.000000000 -0500
@@ -26,7 +26,7 @@
dev_rw_sysfs(cpufreqselector_t)
@@ -2090,9 +2091,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqs
optional_policy(`
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.7.11/policy/modules/apps/execmem.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.7.12/policy/modules/apps/execmem.fc
--- nsaserefpolicy/policy/modules/apps/execmem.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/execmem.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/execmem.fc 2010-03-05 17:18:51.000000000 -0500
@@ -0,0 +1,43 @@
+/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0)
@@ -2137,9 +2138,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.
+
+/opt/google/chrome/chrome -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.7.11/policy/modules/apps/execmem.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.7.12/policy/modules/apps/execmem.if
--- nsaserefpolicy/policy/modules/apps/execmem.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/execmem.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/execmem.if 2010-03-05 17:18:51.000000000 -0500
@@ -0,0 +1,108 @@
+## execmem domain
+
@@ -2249,9 +2250,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.
+
+ domtrans_pattern($1, execmem_exec_t, $2)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.te serefpolicy-3.7.11/policy/modules/apps/execmem.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.te serefpolicy-3.7.12/policy/modules/apps/execmem.te
--- nsaserefpolicy/policy/modules/apps/execmem.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/execmem.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/execmem.te 2010-03-05 17:18:51.000000000 -0500
@@ -0,0 +1,11 @@
+
+policy_module(execmem, 1.0.0)
@@ -2264,16 +2265,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.
+type execmem_exec_t alias unconfined_execmem_exec_t;
+application_executable_file(execmem_exec_t)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.fc serefpolicy-3.7.11/policy/modules/apps/firewallgui.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.fc serefpolicy-3.7.12/policy/modules/apps/firewallgui.fc
--- nsaserefpolicy/policy/modules/apps/firewallgui.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/firewallgui.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/firewallgui.fc 2010-03-05 17:18:51.000000000 -0500
@@ -0,0 +1,3 @@
+
+/usr/share/system-config-firewall/system-config-firewall-mechanism.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.if serefpolicy-3.7.11/policy/modules/apps/firewallgui.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.if serefpolicy-3.7.12/policy/modules/apps/firewallgui.if
--- nsaserefpolicy/policy/modules/apps/firewallgui.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/firewallgui.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/firewallgui.if 2010-03-05 17:18:51.000000000 -0500
@@ -0,0 +1,23 @@
+
+## policy for firewallgui
@@ -2298,9 +2299,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall
+ allow $1 firewallgui_t:dbus send_msg;
+ allow firewallgui_t $1:dbus send_msg;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.7.11/policy/modules/apps/firewallgui.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.7.12/policy/modules/apps/firewallgui.te
--- nsaserefpolicy/policy/modules/apps/firewallgui.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/firewallgui.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/firewallgui.te 2010-03-05 17:18:51.000000000 -0500
@@ -0,0 +1,66 @@
+
+policy_module(firewallgui,1.0.0)
@@ -2368,9 +2369,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall
+ policykit_dbus_chat(firewallgui_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.7.11/policy/modules/apps/gitosis.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.7.12/policy/modules/apps/gitosis.if
--- nsaserefpolicy/policy/modules/apps/gitosis.if 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/apps/gitosis.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/gitosis.if 2010-03-05 17:18:51.000000000 -0500
@@ -43,3 +43,47 @@
role $2 types gitosis_t;
')
@@ -2419,9 +2420,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.
+ manage_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+ manage_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.7.11/policy/modules/apps/gnome.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.7.12/policy/modules/apps/gnome.fc
--- nsaserefpolicy/policy/modules/apps/gnome.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/apps/gnome.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/gnome.fc 2010-03-05 17:18:51.000000000 -0500
@@ -1,8 +1,28 @@
-HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
@@ -2453,9 +2454,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc
+
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.7.11/policy/modules/apps/gnome.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.7.12/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/apps/gnome.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/gnome.if 2010-03-05 17:18:51.000000000 -0500
@@ -74,6 +74,24 @@
########################################
@@ -2692,9 +2693,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
+
+ allow $1 gnome_home_type:file rw_inherited_file_perms;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.7.11/policy/modules/apps/gnome.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.7.12/policy/modules/apps/gnome.te
--- nsaserefpolicy/policy/modules/apps/gnome.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/apps/gnome.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/gnome.te 2010-03-05 17:18:51.000000000 -0500
@@ -7,18 +7,33 @@
#
@@ -2843,18 +2844,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te
+ policykit_read_lib(gnomesystemmm_t)
+ policykit_read_reload(gnomesystemmm_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.7.11/policy/modules/apps/gpg.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.7.12/policy/modules/apps/gpg.fc
--- nsaserefpolicy/policy/modules/apps/gpg.fc 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/apps/gpg.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/gpg.fc 2010-03-05 17:18:51.000000000 -0500
@@ -1,4 +1,5 @@
HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
+/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.7.11/policy/modules/apps/gpg.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.7.12/policy/modules/apps/gpg.if
--- nsaserefpolicy/policy/modules/apps/gpg.if 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/apps/gpg.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/gpg.if 2010-03-05 17:18:51.000000000 -0500
@@ -52,11 +52,8 @@
ifdef(`hide_broken_symptoms',`
@@ -2868,9 +2869,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s
')
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.7.11/policy/modules/apps/gpg.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.7.12/policy/modules/apps/gpg.te
--- nsaserefpolicy/policy/modules/apps/gpg.te 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/gpg.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/gpg.te 2010-03-05 17:18:51.000000000 -0500
@@ -20,6 +20,7 @@
typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
application_domain(gpg_t, gpg_exec_t)
@@ -2911,9 +2912,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
########################################
#
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.7.11/policy/modules/apps/java.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.7.12/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/java.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/java.fc 2010-03-05 17:18:51.000000000 -0500
@@ -9,6 +9,7 @@
#
# /usr
@@ -2933,9 +2934,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc
+
+/usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.7.11/policy/modules/apps/java.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.7.12/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/java.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/java.if 2010-03-05 17:18:51.000000000 -0500
@@ -72,6 +72,7 @@
domain_interactive_fd($1_java_t)
@@ -2961,9 +2962,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.7.11/policy/modules/apps/java.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.7.12/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/java.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/java.te 2010-03-05 17:18:51.000000000 -0500
@@ -147,6 +147,14 @@
init_dbus_chat_script(unconfined_java_t)
@@ -2979,21 +2980,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te
+ rpm_domtrans(unconfined_java_t)
+ ')
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.7.11/policy/modules/apps/kdumpgui.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.7.12/policy/modules/apps/kdumpgui.fc
--- nsaserefpolicy/policy/modules/apps/kdumpgui.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/kdumpgui.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/kdumpgui.fc 2010-03-05 17:18:51.000000000 -0500
@@ -0,0 +1,2 @@
+
+/usr/share/system-config-kdump/system-config-kdump-backend.py -- gen_context(system_u:object_r:kdumpgui_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.7.11/policy/modules/apps/kdumpgui.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.7.12/policy/modules/apps/kdumpgui.if
--- nsaserefpolicy/policy/modules/apps/kdumpgui.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/kdumpgui.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/kdumpgui.if 2010-03-05 17:18:51.000000000 -0500
@@ -0,0 +1,2 @@
+## system-config-kdump policy
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.7.11/policy/modules/apps/kdumpgui.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.7.12/policy/modules/apps/kdumpgui.te
--- nsaserefpolicy/policy/modules/apps/kdumpgui.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/kdumpgui.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/kdumpgui.te 2010-03-05 17:18:51.000000000 -0500
@@ -0,0 +1,68 @@
+policy_module(kdumpgui,1.0.0)
+
@@ -3063,15 +3064,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui
+optional_policy(`
+ policykit_dbus_chat(kdumpgui_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.7.11/policy/modules/apps/livecd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.7.12/policy/modules/apps/livecd.fc
--- nsaserefpolicy/policy/modules/apps/livecd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/livecd.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/livecd.fc 2010-03-05 17:18:51.000000000 -0500
@@ -0,0 +1,2 @@
+
+/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.7.11/policy/modules/apps/livecd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.7.12/policy/modules/apps/livecd.if
--- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/livecd.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/livecd.if 2010-03-05 17:18:51.000000000 -0500
@@ -0,0 +1,52 @@
+
+## policy for livecd
@@ -3125,9 +3126,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.i
+ usermanage_run_chfn(livecd_t, $2)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.7.11/policy/modules/apps/livecd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.7.12/policy/modules/apps/livecd.te
--- nsaserefpolicy/policy/modules/apps/livecd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/livecd.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/livecd.te 2010-03-05 17:18:51.000000000 -0500
@@ -0,0 +1,27 @@
+policy_module(livecd, 1.0.0)
+
@@ -3156,9 +3157,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.t
+
+seutil_domtrans_setfiles_mac(livecd_t)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.if serefpolicy-3.7.11/policy/modules/apps/loadkeys.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.if serefpolicy-3.7.12/policy/modules/apps/loadkeys.if
--- nsaserefpolicy/policy/modules/apps/loadkeys.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/apps/loadkeys.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/loadkeys.if 2010-03-05 17:18:52.000000000 -0500
@@ -17,6 +17,9 @@
corecmd_search_bin($1)
@@ -3169,9 +3170,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.7.11/policy/modules/apps/loadkeys.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.7.12/policy/modules/apps/loadkeys.te
--- nsaserefpolicy/policy/modules/apps/loadkeys.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/apps/loadkeys.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/loadkeys.te 2010-03-05 17:18:52.000000000 -0500
@@ -40,8 +40,12 @@
miscfiles_read_localization(loadkeys_t)
@@ -3186,9 +3187,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys
+ifdef(`hide_broken_symptoms',`
+ dev_dontaudit_rw_lvm_control(loadkeys_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.7.11/policy/modules/apps/mono.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.7.12/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/mono.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/mono.if 2010-03-05 17:18:52.000000000 -0500
@@ -40,10 +40,10 @@
domain_interactive_fd($1_mono_t)
application_type($1_mono_t)
@@ -3201,9 +3202,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if
allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
domtrans_pattern($3, mono_exec_t, $1_mono_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.7.11/policy/modules/apps/mozilla.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.7.12/policy/modules/apps/mozilla.fc
--- nsaserefpolicy/policy/modules/apps/mozilla.fc 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/apps/mozilla.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/mozilla.fc 2010-03-05 17:18:52.000000000 -0500
@@ -1,6 +1,7 @@
HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -3220,9 +3221,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.7.11/policy/modules/apps/mozilla.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.7.12/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/mozilla.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/mozilla.if 2010-03-05 17:18:52.000000000 -0500
@@ -48,6 +48,12 @@
mozilla_dbus_chat($2)
@@ -3268,9 +3269,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
+ allow $1 mozilla_home_t:file execmod;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.7.11/policy/modules/apps/mozilla.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.7.12/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/mozilla.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/mozilla.te 2010-03-05 17:18:52.000000000 -0500
@@ -91,6 +91,7 @@
corenet_raw_sendrecv_generic_node(mozilla_t)
corenet_tcp_sendrecv_http_port(mozilla_t)
@@ -3329,9 +3330,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
+optional_policy(`
thunderbird_domtrans(mozilla_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.7.11/policy/modules/apps/nsplugin.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.7.12/policy/modules/apps/nsplugin.fc
--- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/nsplugin.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/nsplugin.fc 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,10 @@
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
@@ -3343,9 +3344,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0)
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.7.11/policy/modules/apps/nsplugin.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.7.12/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/nsplugin.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/nsplugin.if 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,355 @@
+
+## policy for nsplugin
@@ -3702,9 +3703,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+ allow $1 nsplugin_t:sem rw_sem_perms;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.11/policy/modules/apps/nsplugin.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.12/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/nsplugin.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/nsplugin.te 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,296 @@
+
+policy_module(nsplugin, 1.0.0)
@@ -4002,16 +4003,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+')
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.7.11/policy/modules/apps/openoffice.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.7.12/policy/modules/apps/openoffice.fc
--- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/openoffice.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/openoffice.fc 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,3 @@
+/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
+/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.7.11/policy/modules/apps/openoffice.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.7.12/policy/modules/apps/openoffice.if
--- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/openoffice.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/openoffice.if 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,92 @@
+## Openoffice
+
@@ -4105,9 +4106,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi
+ xserver_common_x_domain_template($1, $1_openoffice_t)
+ ')
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.7.11/policy/modules/apps/openoffice.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.7.12/policy/modules/apps/openoffice.te
--- nsaserefpolicy/policy/modules/apps/openoffice.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/openoffice.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/openoffice.te 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,11 @@
+
+policy_module(openoffice, 1.0.0)
@@ -4120,9 +4121,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi
+type openoffice_t;
+type openoffice_exec_t;
+application_domain(openoffice_t, openoffice_exec_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.7.11/policy/modules/apps/podsleuth.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.7.12/policy/modules/apps/podsleuth.te
--- nsaserefpolicy/policy/modules/apps/podsleuth.te 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/podsleuth.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/podsleuth.te 2010-03-05 17:18:52.000000000 -0500
@@ -50,6 +50,7 @@
fs_tmpfs_filetrans(podsleuth_t, podsleuth_tmpfs_t, { dir file lnk_file })
@@ -4146,9 +4147,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleut
optional_policy(`
dbus_system_bus_client(podsleuth_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.7.11/policy/modules/apps/ptchown.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.7.12/policy/modules/apps/ptchown.if
--- nsaserefpolicy/policy/modules/apps/ptchown.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/apps/ptchown.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/ptchown.if 2010-03-05 17:18:52.000000000 -0500
@@ -18,3 +18,27 @@
domtrans_pattern($1, ptchown_exec_t, ptchown_t)
')
@@ -4177,9 +4178,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.
+ ptchown_domtrans($1)
+ role $2 types ptchown_t;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.7.11/policy/modules/apps/pulseaudio.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.te serefpolicy-3.7.12/policy/modules/apps/ptchown.te
+--- nsaserefpolicy/policy/modules/apps/ptchown.te 2010-02-12 10:33:09.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/ptchown.te 2010-03-05 17:18:52.000000000 -0500
+@@ -24,6 +24,7 @@
+ fs_rw_anon_inodefs_files(ptchown_t)
+
+ term_setattr_generic_ptys(ptchown_t)
++term_getattr_all_ptys(ptchown_t)
+ term_setattr_all_ptys(ptchown_t)
+ term_use_generic_ptys(ptchown_t)
+ term_use_ptmx(ptchown_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.7.12/policy/modules/apps/pulseaudio.fc
--- nsaserefpolicy/policy/modules/apps/pulseaudio.fc 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/apps/pulseaudio.fc 2010-03-04 09:44:00.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/pulseaudio.fc 2010-03-05 17:18:52.000000000 -0500
@@ -1 +1,9 @@
+HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.pulse-cookie gen_context(system_u:object_r:pulseaudio_home_t,s0)
@@ -4190,9 +4202,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
+
/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.11/policy/modules/apps/pulseaudio.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.12/policy/modules/apps/pulseaudio.if
--- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/apps/pulseaudio.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/pulseaudio.if 2010-03-05 17:18:52.000000000 -0500
@@ -29,7 +29,7 @@
ps_process_pattern($2, pulseaudio_t)
@@ -4296,10 +4308,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
- allow $1 pulseaudio_t:unix_stream_socket connectto;
+ stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.11/policy/modules/apps/pulseaudio.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.12/policy/modules/apps/pulseaudio.te
--- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/pulseaudio.te 2010-03-04 11:08:17.000000000 -0500
-@@ -8,24 +8,51 @@
++++ serefpolicy-3.7.12/policy/modules/apps/pulseaudio.te 2010-03-05 17:18:52.000000000 -0500
+@@ -8,24 +8,52 @@
type pulseaudio_t;
type pulseaudio_exec_t;
@@ -4324,7 +4336,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
# pulseaudio local policy
#
-
-+allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource };
++allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config };
allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull };
allow pulseaudio_t self:fifo_file rw_file_perms;
-allow pulseaudio_t self:unix_stream_socket create_stream_socket_perms;
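Review bot: The `sys_tty_config` added to the `allow pulseaudio_t self:capability { ... }` line grants the sound daemon a capability for privileged terminal configuration, and neither the policy nor this commit says which operation needs it. If the denial was only a side effect of pulseaudio touching a terminal it inherited, `dontaudit pulseaudio_t self:capability sys_tty_config;` would silence the AVC without granting the capability; otherwise put a comment above the allow line, e.g. `# sys_tty_config: <operation that triggers it>`. The same lack of rationale applies to `userdom_search_admin_dir(pulseaudio_t)` added in the next hunk, which by its name lets the domain search the admin home directory and suggests pulseaudio is being run as root, so it may belong behind a tunable rather than an unconditional grant. Both lines sit in the pulseaudio.te section of the carried patch, and the rules around them lie outside these hunks.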
@@ -4335,6 +4347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
+userdom_search_user_home_dirs(pulseaudio_t)
++userdom_search_admin_dir(pulseaudio_t)
+manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
+manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
+
@@ -4353,7 +4366,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
kernel_read_system_state(pulseaudio_t)
kernel_read_kernel_sysctls(pulseaudio_t)
-@@ -67,10 +94,7 @@
+@@ -67,10 +95,7 @@
')
optional_policy(`
@@ -4365,7 +4378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
dbus_system_bus_client(pulseaudio_t)
dbus_session_bus_client(pulseaudio_t)
dbus_connect_session_bus(pulseaudio_t)
-@@ -93,6 +117,10 @@
+@@ -93,6 +118,10 @@
')
optional_policy(`
@@ -4376,7 +4389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
policykit_domtrans_auth(pulseaudio_t)
policykit_read_lib(pulseaudio_t)
policykit_read_reload(pulseaudio_t)
-@@ -103,6 +131,9 @@
+@@ -103,6 +132,9 @@
')
optional_policy(`
@@ -4386,9 +4399,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
+ xserver_read_xdm_pid(pulseaudio_t)
+ xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.7.11/policy/modules/apps/qemu.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.7.12/policy/modules/apps/qemu.if
--- nsaserefpolicy/policy/modules/apps/qemu.if 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/qemu.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/qemu.if 2010-03-05 17:18:52.000000000 -0500
@@ -127,12 +127,14 @@
template(`qemu_role',`
gen_require(`
@@ -4477,9 +4490,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if
manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.7.11/policy/modules/apps/qemu.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.7.12/policy/modules/apps/qemu.te
--- nsaserefpolicy/policy/modules/apps/qemu.te 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/qemu.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/qemu.te 2010-03-05 17:18:52.000000000 -0500
@@ -50,6 +50,8 @@
#
# qemu local policy
@@ -4510,20 +4523,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te
allow unconfined_qemu_t self:process { execstack execmem };
+ allow unconfined_qemu_t qemu_exec_t:file execmod;
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.7.11/policy/modules/apps/sambagui.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.7.12/policy/modules/apps/sambagui.fc
--- nsaserefpolicy/policy/modules/apps/sambagui.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/sambagui.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/sambagui.fc 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1 @@
+/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.7.11/policy/modules/apps/sambagui.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.7.12/policy/modules/apps/sambagui.if
--- nsaserefpolicy/policy/modules/apps/sambagui.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/sambagui.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/sambagui.if 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,2 @@
+## system-config-samba policy
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.7.11/policy/modules/apps/sambagui.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.7.12/policy/modules/apps/sambagui.te
--- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/sambagui.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/sambagui.te 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,66 @@
+policy_module(sambagui,1.0.0)
+
@@ -4591,14 +4604,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui
+optional_policy(`
+ policykit_dbus_chat(sambagui_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.7.11/policy/modules/apps/sandbox.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.7.12/policy/modules/apps/sandbox.fc
--- nsaserefpolicy/policy/modules/apps/sandbox.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/sandbox.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/sandbox.fc 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1 @@
+# No types are sandbox_exec_t
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.11/policy/modules/apps/sandbox.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.12/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/sandbox.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/sandbox.if 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,248 @@
+
+## policy for sandbox
@@ -4848,9 +4861,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+
+ allow $1 sandbox_file_type:dir list_dir_perms;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.11/policy/modules/apps/sandbox.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.12/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/sandbox.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/sandbox.te 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,365 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
@@ -5217,9 +5230,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+optional_policy(`
+ hal_dbus_chat(sandbox_net_client_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.7.11/policy/modules/apps/screen.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.7.12/policy/modules/apps/screen.if
--- nsaserefpolicy/policy/modules/apps/screen.if 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/screen.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/screen.if 2010-03-05 17:18:52.000000000 -0500
@@ -141,6 +141,7 @@
userdom_create_user_pty($1_screen_t)
userdom_user_home_domtrans($1_screen_t, $3)
@@ -5228,9 +5241,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.i
tunable_policy(`use_samba_home_dirs',`
fs_cifs_domtrans($1_screen_t, $3)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.11/policy/modules/apps/seunshare.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.12/policy/modules/apps/seunshare.if
--- nsaserefpolicy/policy/modules/apps/seunshare.if 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/seunshare.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/seunshare.if 2010-03-05 17:18:52.000000000 -0500
@@ -2,59 +2,14 @@
########################################
@@ -5328,9 +5341,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
+ dontaudit $1_seunshare_t $3:socket_class_set { read write };
+ ')
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.11/policy/modules/apps/seunshare.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.12/policy/modules/apps/seunshare.te
--- nsaserefpolicy/policy/modules/apps/seunshare.te 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/seunshare.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/seunshare.te 2010-03-05 17:18:52.000000000 -0500
@@ -6,40 +6,39 @@
# Declarations
#
@@ -5389,9 +5402,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
+ mozilla_dontaudit_manage_user_home_files(seunshare_domain)
')
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.7.11/policy/modules/apps/slocate.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.7.12/policy/modules/apps/slocate.te
--- nsaserefpolicy/policy/modules/apps/slocate.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/apps/slocate.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/slocate.te 2010-03-05 17:18:52.000000000 -0500
@@ -30,6 +30,7 @@
manage_files_pattern(locate_t, locate_var_lib_t, locate_var_lib_t)
@@ -5408,9 +5421,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.
# getpwnam
auth_use_nsswitch(locate_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.7.11/policy/modules/apps/vmware.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.7.12/policy/modules/apps/vmware.if
--- nsaserefpolicy/policy/modules/apps/vmware.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/apps/vmware.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/vmware.if 2010-03-05 17:18:52.000000000 -0500
@@ -84,3 +84,22 @@
logging_search_logs($1)
append_files_pattern($1, vmware_log_t, vmware_log_t)
@@ -5434,9 +5447,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.i
+ can_exec($1, vmware_host_exec_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.7.11/policy/modules/apps/vmware.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.7.12/policy/modules/apps/vmware.te
--- nsaserefpolicy/policy/modules/apps/vmware.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/vmware.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/vmware.te 2010-03-05 17:18:52.000000000 -0500
@@ -29,6 +29,10 @@
type vmware_host_exec_t;
init_daemon_domain(vmware_host_t, vmware_host_exec_t)
@@ -5460,9 +5473,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t
manage_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
manage_sock_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
files_pid_filetrans(vmware_host_t, vmware_var_run_t, { file sock_file })
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.7.11/policy/modules/apps/wine.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.7.12/policy/modules/apps/wine.if
--- nsaserefpolicy/policy/modules/apps/wine.if 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/wine.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/wine.if 2010-03-05 17:18:52.000000000 -0500
@@ -35,6 +35,8 @@
role $1 types wine_t;
@@ -5488,9 +5501,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if
optional_policy(`
xserver_role($1_r, $1_wine_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.7.11/policy/modules/apps/wine.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.7.12/policy/modules/apps/wine.te
--- nsaserefpolicy/policy/modules/apps/wine.te 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/apps/wine.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/wine.te 2010-03-05 17:18:52.000000000 -0500
@@ -1,6 +1,14 @@
policy_module(wine, 1.6.1)
@@ -5521,9 +5534,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te
files_execmod_all_files(wine_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.7.11/policy/modules/apps/wm.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.7.12/policy/modules/apps/wm.if
--- nsaserefpolicy/policy/modules/apps/wm.if 2009-07-27 18:11:17.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/apps/wm.if 2010-03-04 09:20:55.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/apps/wm.if 2010-03-05 17:18:52.000000000 -0500
@@ -30,6 +30,7 @@
template(`wm_role_template',`
gen_require(`
@@ -5573,40 +5586,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.11/policy/modules/kernel/corecommands.fc
---- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/kernel/corecommands.fc 2010-03-03 23:48:01.000000000 -0500
-@@ -44,15 +44,17 @@
- /etc/apcupsd/offbattery -- gen_context(system_u:object_r:bin_t,s0)
- /etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0)
-
-+/etc/avahi/.*\.action -- gen_context(system_u:object_r:bin_t,s0)
-+
- /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
- /etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0)
-
- /etc/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
--/etc/cron.daily/.* -- gen_context(system_u:object_r:bin_t,s0)
--/etc/cron.hourly/.* -- gen_context(system_u:object_r:bin_t,s0)
--/etc/cron.weekly/.* -- gen_context(system_u:object_r:bin_t,s0)
--/etc/cron.monthly/.* -- gen_context(system_u:object_r:bin_t,s0)
-+/etc/cron.daily(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/etc/cron.hourly(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/etc/cron.weekly(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/etc/cron.monthly(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
- /etc/dhcp/dhclient\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
-@@ -64,6 +66,7 @@
- /etc/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
-
- /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0)
-+/etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)
-
- /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
-@@ -144,6 +147,9 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.12/policy/modules/kernel/corecommands.fc
+--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-03-05 17:14:56.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/kernel/corecommands.fc 2010-03-05 17:18:52.000000000 -0500
+@@ -147,6 +147,9 @@
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -5616,39 +5599,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
#
# /usr
#
-@@ -158,6 +164,7 @@
- /usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
-+/usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -214,6 +221,7 @@
- /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
-@@ -228,12 +236,15 @@
- /usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
- /usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
-
-@@ -323,3 +334,21 @@
+@@ -331,3 +334,21 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -5670,9 +5621,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
+/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.11/policy/modules/kernel/corecommands.if
---- nsaserefpolicy/policy/modules/kernel/corecommands.if 2010-03-01 15:12:54.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/kernel/corecommands.if 2010-03-03 23:48:01.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.12/policy/modules/kernel/corecommands.if
+--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2010-03-05 17:14:56.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/kernel/corecommands.if 2010-03-05 17:18:52.000000000 -0500
@@ -931,6 +931,7 @@
read_lnk_files_pattern($1, bin_t, bin_t)
@@ -5681,33 +5632,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
')
########################################
-@@ -956,6 +957,25 @@
-
- ########################################
- ##
-+## Read all executable files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`corecmd_read_all_executables',`
-+ gen_require(`
-+ attribute exec_type;
-+ ')
-+
-+ read_files_pattern($1, exec_type, exec_type)
-+')
-+
-+########################################
-+##
- ## Execute all executable files.
- ##
- ##
-@@ -1011,6 +1031,7 @@
+@@ -1030,6 +1031,7 @@
type bin_t;
')
@@ -5715,37 +5640,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
manage_files_pattern($1, bin_t, exec_type)
manage_lnk_files_pattern($1, bin_t, bin_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.7.11/policy/modules/kernel/corenetwork.if.in
---- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/kernel/corenetwork.if.in 2010-03-03 23:48:01.000000000 -0500
-@@ -1920,6 +1920,24 @@
-
- ########################################
- ##
-+## dontaudit Read and write the TUN/TAP virtual network device.
-+##
-+##
-+##
-+## The domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_dontaudit_rw_tun_tap_dev',`
-+ gen_require(`
-+ type tun_tap_device_t;
-+ ')
-+
-+ dontaudit $1 tun_tap_device_t:chr_file { read write };
-+')
-+
-+########################################
-+##
- ## Getattr the point-to-point device.
- ##
- ##
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.11/policy/modules/kernel/corenetwork.te.in
---- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-03-01 15:12:54.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/kernel/corenetwork.te.in 2010-03-04 09:58:31.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.12/policy/modules/kernel/corenetwork.te.in
+--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-03-05 17:14:56.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/kernel/corenetwork.te.in 2010-03-05 17:27:08.000000000 -0500
@@ -65,6 +65,7 @@
type server_packet_t, packet_type, server_packet_type;
@@ -5754,22 +5651,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
network_port(afs_ka, udp,7004,s0)
network_port(afs_pt, udp,7002,s0)
-@@ -86,18 +87,23 @@
+@@ -86,6 +87,7 @@
network_port(clockspeed, udp,4041,s0)
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
network_port(cobbler, tcp,25151,s0)
+network_port(commplex, tcp,5000,s0, udp,5000,s0, tcp,5001,s0, udp,5001,s0)
network_port(comsat, udp,512,s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
- network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0)
-+portcon tcp 6780-6799 gen_context(system_u:object_r:cyphesis_port_t, s0)
- network_port(dbskkd, tcp,1178,s0)
- network_port(dcc, udp,6276,s0, udp,6277,s0)
- network_port(dccm, tcp,5679,s0, udp,5679,s0)
--network_port(dhcpc, udp,68,s0)
--network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
-+network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
-+network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
+ network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
+@@ -97,7 +99,10 @@
network_port(dict, tcp,2628,s0)
network_port(distccd, tcp,3632,s0)
network_port(dns, udp,53,s0, tcp,53,s0)
@@ -5780,30 +5670,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
network_port(ftp_data, tcp,20,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-@@ -110,12 +116,15 @@
+@@ -109,7 +114,7 @@
+ network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
- network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
-+portcon tcp 10001-10010 gen_context(system_u:object_r:http_cache_port_t, s0)
+-network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010) # 8118 is for privoxy
++network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
- network_port(innd, tcp,119,s0)
- network_port(ipmi, udp,623,s0, udp,664,s0)
- network_port(ipp, tcp,631,s0, udp,631,s0)
-+portcon tcp 8610-8614 gen_context(system_u:object_r:ipp_port_t, s0)
-+portcon udp 8610-8614 gen_context(system_u:object_r:ipp_port_t, s0)
- network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
- network_port(ircd, tcp,6667,s0)
- network_port(isakmp, udp,500,s0)
-@@ -131,32 +140,42 @@
+@@ -131,12 +136,14 @@
network_port(ktalkd, udp,517,s0, udp,518,s0)
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
network_port(lmtp, tcp,24,s0, udp,24,s0)
+network_port(lirc, tcp,8765,s0)
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
--network_port(mail, tcp,2000,s0)
-+network_port(mail, tcp,2000,s0, tcp,3905,s0)
+ network_port(mail, tcp,2000,s0, tcp,3905,s0)
network_port(memcache, tcp,11211,s0, udp,11211,s0)
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
network_port(monopd, tcp,1234,s0)
@@ -5812,10 +5694,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(munin, tcp,4949,s0, udp,4949,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
- network_port(mysqlmanagerd, tcp,2273,s0)
- network_port(nessus, tcp,1241,s0)
--network_port(netsupport, tcp,5405,s0, udp,5405,s0)
-+network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
+@@ -145,18 +152,26 @@
+ network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
network_port(nmbd, udp,137,s0, udp,138,s0)
network_port(ntp, udp,123,s0)
+network_port(ntop, tcp,3000,s0, udp,3000,s0, tcp,3001,s0, udp,3001,s0)
@@ -5841,7 +5721,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
-@@ -176,22 +195,24 @@
+@@ -176,6 +191,7 @@
network_port(rsync, tcp,873,s0, udp,873,s0)
network_port(rwho, udp,513,s0)
network_port(sap, tcp,9875,s0, udp,9875,s0)
@@ -5849,11 +5729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0)
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
--network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
-+network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0)
- type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
- network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
- network_port(spamd, tcp,783,s0)
+@@ -186,6 +202,7 @@
network_port(speech, tcp,8036,s0)
network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
network_port(ssh, tcp,22,s0)
@@ -5861,73 +5737,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
network_port(swat, tcp,901,s0)
network_port(syslogd, udp,514,s0)
- network_port(telnetd, tcp,23,s0)
- network_port(tftp, udp,69,s0)
--network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0)
-+network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
- network_port(traceroute, udp,64000,s0, udp,64001,s0, udp,64002,s0, udp,64003,s0, udp,64004,s0, udp,64005,s0, udp,64006,s0, udp,64007,s0, udp,64008,s0, udp,64009,s0, udp,64010,s0)
- network_port(transproxy, tcp,8081,s0)
- network_port(ups, tcp,3493,s0)
-@@ -200,9 +221,12 @@
+@@ -200,7 +217,8 @@
network_port(varnishd, tcp,6081,s0, tcp,6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
- network_port(virt_migration, tcp,49152,s0)
-+portcon tcp 49153-49216 gen_context(system_u:object_r:virt_migration_port_t,s0)
- network_port(vnc, tcp,5900,s0)
+ network_port(virt_migration, tcp,49152-49216,s0)
+-network_port(vnc, tcp,5900,s0)
+# Reserve 100 ports for vnc/virt machines
-+portcon tcp 5901-5999 gen_context(system_u:object_r:vnc_port_t,s0)
++network_port(vnc, tcp,5901-5999,s0)
network_port(wccp, udp,2048,s0)
--network_port(whois, tcp,43,s0, udp,43,s0)
-+network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
+ network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
network_port(xdmcp, udp,177,s0, tcp,177,s0)
- network_port(xen, tcp,8002,s0)
- network_port(xfs, tcp,7100,s0)
-@@ -231,6 +255,8 @@
- type node_t, node_type;
- sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh)
-
-+typealias node_t alias { compat_ipv4_node_t lo_node_t link_local_node_t inaddr_any_node_t unspec_node_t };
-+
- # network_node examples:
- #network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255)
- #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.11/policy/modules/kernel/devices.fc
---- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-11-20 10:51:41.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/kernel/devices.fc 2010-03-03 23:48:01.000000000 -0500
-@@ -16,13 +16,16 @@
- /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
- /dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0)
- /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
-+/dev/btrfs-control -c gen_context(system_u:object_r:lvm_control_t,s0)
- /dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-+/dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0)
- /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
- /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
- /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
- /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
- /dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0)
- /dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0)
-+/dev/etherd/.+ -c gen_context(system_u:object_r:lvm_control_t,s0)
- /dev/event.* -c gen_context(system_u:object_r:event_device_t,s0)
- /dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
- /dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
-@@ -61,6 +64,7 @@
- /dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
- /dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0)
- /dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0)
-+/dev/misc/dlm.* -c gen_context(system_u:object_r:dlm_control_device_t,s0)
- /dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0)
- /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0)
- /dev/modem -c gen_context(system_u:object_r:modem_device_t,s0)
-@@ -80,6 +84,7 @@
- /dev/pcfclock.* -c gen_context(system_u:object_r:clock_device_t,s0)
- /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
- /dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
-+/dev/pps.* -c gen_context(system_u:object_r:clock_device_t,s0)
- /dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0)
- /dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
- /dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0)
-@@ -101,6 +106,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.12/policy/modules/kernel/devices.fc
+--- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-03-05 10:46:32.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/kernel/devices.fc 2010-03-05 17:18:52.000000000 -0500
+@@ -108,6 +108,7 @@
/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
/dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0)
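Review bot: TCP 5900 loses its `vnc_port_t` label in the corenetwork part of this hunk. The new patch text removes `network_port(vnc, tcp,5900,s0)` and adds `network_port(vnc, tcp,5901-5999,s0)`, where the previous revision kept the 5900 declaration and added a separate `portcon` for 5901-5999. Unless a rule outside this hunk labels 5900, a VNC server on the base port would bind a port that no longer carries `vnc_port_t`, so allow rules written against that type stop matching it. The comment above says "Reserve 100 ports" while 5901-5999 is 99 ports; `network_port(vnc, tcp,5900-5999,s0)` would match the comment and keep 5900 covered.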
@@ -5935,102 +5758,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
/dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
ifdef(`distro_suse', `
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -142,6 +148,7 @@
- /dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
- /dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
- /dev/input/uinput -c gen_context(system_u:object_r:event_device_t,s0)
-+/dev/uinput -c gen_context(system_u:object_r:event_device_t,s0)
-
- /dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0)
-
-@@ -159,6 +166,8 @@
- /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
- /dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0)
-
-+/dev/uio[0-9]+ -c gen_context(system_u:object_r:userio_device_t,s0)
-+
- /dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0)
- /dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.11/policy/modules/kernel/devices.if
---- nsaserefpolicy/policy/modules/kernel/devices.if 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/kernel/devices.if 2010-03-03 23:48:01.000000000 -0500
-@@ -461,6 +461,24 @@
-
- ########################################
- ##
-+## Dontaudit getattr for generic character device files.
-+##
-+##
-+##
-+## Domain to dontaudit access.
-+##
-+##
-+#
-+interface(`dev_rw_generic_chr_files',`
-+ gen_require(`
-+ type device_t;
-+ ')
-+
-+ allow $1 device_t:chr_file rw_chr_file_perms;
-+')
-+
-+########################################
-+##
- ## Dontaudit setattr for generic character device files.
- ##
- ##
-@@ -826,6 +844,24 @@
-
- ########################################
- ##
-+## Dontaudit write on all block file device nodes.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`dev_dontaudit_write_all_blk_files',`
-+ gen_require(`
-+ attribute device_node;
-+ ')
-+
-+ dontaudit $1 device_node:blk_file write;
-+')
-+
-+########################################
-+##
- ## Dontaudit read on all character file device nodes.
- ##
- ##
-@@ -844,6 +880,24 @@
-
- ########################################
- ##
-+## Dontaudit write on all character file device nodes.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`dev_dontaudit_write_all_chr_files',`
-+ gen_require(`
-+ attribute device_node;
-+ ')
-+
-+ dontaudit $1 device_node:chr_file write;
-+')
-+
-+########################################
-+##
- ## Create all block device files.
- ##
- ##
-@@ -880,6 +934,42 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.12/policy/modules/kernel/devices.if
+--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-03-05 10:46:32.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/kernel/devices.if 2010-03-05 17:18:52.000000000 -0500
+@@ -934,6 +934,42 @@
########################################
##
@@ -6073,125 +5804,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Delete all block device files.
##
##
-@@ -1405,6 +1495,42 @@
- rw_chr_files_pattern($1, device_t, crypt_device_t)
- ')
-
-+#######################################
-+##
-+## Set the attributes of the dlm control devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_setattr_dlm_control',`
-+ gen_require(`
-+ type device_t, kvm_device_t;
-+ ')
-+
-+ setattr_chr_files_pattern($1, device_t, dlm_control_device_t)
-+')
-+
-+#######################################
-+##
-+## Read and write the the dlm control device
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rw_dlm_control',`
-+ gen_require(`
-+ type device_t, dlm_control_device_t;
-+ ')
-+
-+ rw_chr_files_pattern($1, device_t, dlm_control_device_t)
-+')
-+
- ########################################
- ##
- ## getattr the dri devices.
-@@ -1735,6 +1861,24 @@
-
- ########################################
- ##
-+## Write to the kernel messages device
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_write_kmsg',`
-+ gen_require(`
-+ type device_t, kmsg_device_t;
-+ ')
-+
-+ write_chr_files_pattern($1, device_t, kmsg_device_t)
-+')
-+
-+########################################
-+##
- ## Get the attributes of the ksm devices.
- ##
- ##
-@@ -2024,6 +2168,24 @@
-
- ########################################
- ##
-+## dontaudit getattr raw memory devices (e.g. /dev/mem).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_dontaudit_read_memory_dev',`
-+ gen_require(`
-+ type memory_device_t;
-+ ')
-+
-+ dontaudit $1 memory_device_t:chr_file read_chr_file_perms;
-+')
-+
-+########################################
-+##
- ## Read raw memory devices (e.g. /dev/mem).
- ##
- ##
-@@ -2475,6 +2637,24 @@
-
- ########################################
- ##
-+## Dontaudit write the memory type range registers (MTRR).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_dontaudit_write_mtrr',`
-+ gen_require(`
-+ type mtrr_device_t;
-+ ')
-+
-+ dontaudit $1 mtrr_device_t:chr_file write;
-+')
-+
-+########################################
-+##
- ## Get the attributes of the network control device
- ##
- ##
-@@ -3587,6 +3767,24 @@
+@@ -3733,6 +3769,24 @@
########################################
##
@@ -6216,76 +5829,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Mount a usbfs filesystem.
##
##
-@@ -3775,6 +3973,24 @@
- getattr_chr_files_pattern($1, device_t, v4l_device_t)
- ')
-
-+######################################
-+##
-+## Read or write userio device.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rw_userio_dev',`
-+ gen_require(`
-+ type device_t, userio_device_t;
-+ ')
-+
-+ rw_chr_files_pattern($1, device_t, userio_device_t)
-+')
-+
- ########################################
- ##
- ## Do not audit attempts to get the attributes
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.11/policy/modules/kernel/devices.te
---- nsaserefpolicy/policy/modules/kernel/devices.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/kernel/devices.te 2010-03-03 23:48:01.000000000 -0500
-@@ -59,6 +59,12 @@
- type crypt_device_t;
- dev_node(crypt_device_t)
-
-+#
-+# dlm_misc_device_t is the type of /dev/misc/dlm.*
-+#
-+type dlm_control_device_t;
-+dev_node(dlm_control_device_t)
-+
- type dri_device_t;
- dev_node(dri_device_t)
-
-@@ -232,6 +238,18 @@
- type usb_device_t;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.12/policy/modules/kernel/devices.te
+--- nsaserefpolicy/policy/modules/kernel/devices.te 2010-03-05 10:46:32.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/kernel/devices.te 2010-03-05 17:18:52.000000000 -0500
+@@ -239,6 +239,12 @@
dev_node(usb_device_t)
-+#
+ #
+# usb_device_t is the type for /dev/usbmon
+#
+type usbmon_device_t;
+dev_node(usbmon_device_t)
+
+#
-+# userio_device_t is the type for /dev/uio[0-9]+
-+#
-+type userio_device_t;
-+dev_node(userio_device_t)
-+
- type v4l_device_t;
- dev_node(v4l_device_t)
-
-@@ -277,5 +295,5 @@
+ # userio_device_t is the type for /dev/uio[0-9]+
+ #
+ type userio_device_t;
+@@ -289,5 +295,5 @@
#
allow devices_unconfined_type self:capability sys_rawio;
-allow devices_unconfined_type device_node:{ blk_file chr_file } *;
+allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
allow devices_unconfined_type mtrr_device_t:file *;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.11/policy/modules/kernel/domain.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.12/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/kernel/domain.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/kernel/domain.if 2010-03-05 17:18:52.000000000 -0500
@@ -831,6 +831,42 @@
########################################
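Review bot: The comment above the `usbmon_device_t` declaration in the devices.te section names the wrong type. It reads `# usb_device_t is the type for /dev/usbmon` directly over `type usbmon_device_t;`. The neighbouring comment (`# userio_device_t is the type for /dev/uio[0-9]+`) follows the declared name, so this looks like a copy-paste slip that the rebase carried forward. I would change it to `# usbmon_device_t is the type for /dev/usbmon`, so that anyone auditing device labels from the comments does not attribute the usbmon node to the general USB type.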
@@ -6487,9 +6056,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+
+ dontaudit $1 domain:socket_class_set { read write };
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.11/policy/modules/kernel/domain.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.12/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/kernel/domain.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/kernel/domain.te 2010-03-05 17:18:52.000000000 -0500
@@ -5,6 +5,21 @@
#
# Declarations
@@ -6658,9 +6227,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+ userdom_relabelto_user_home_dirs(polydomain)
+ userdom_relabelto_user_home_files(polydomain)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.7.11/policy/modules/kernel/files.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.7.12/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/kernel/files.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/kernel/files.fc 2010-03-05 17:18:52.000000000 -0500
@@ -18,6 +18,7 @@
/fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
/halt -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -6703,7 +6272,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
HOME_ROOT/\.journal <>
HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
HOME_ROOT/lost\+found/.* <>
-@@ -229,6 +236,8 @@
+@@ -205,15 +212,19 @@
+ /usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+ /usr/local/lost\+found/.* <>
+
++ifndef(`distro_redhat',`
+ /usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0)
++')
+
+ /usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+ /usr/lost\+found/.* <>
+
+ /usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0)
+
++ifndef(`distro_redhat',`
+ /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
+ /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
++')
+
+ /usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+ /usr/tmp/.* <>
+@@ -229,6 +240,8 @@
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
@@ -6712,9 +6301,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
/var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
/var/lib/nfs/rpc_pipefs(/.*)? <>
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.11/policy/modules/kernel/files.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.12/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/kernel/files.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/kernel/files.if 2010-03-05 17:18:52.000000000 -0500
@@ -1053,10 +1053,8 @@
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -6837,19 +6426,109 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Execute generic files in /etc.
##
##
-@@ -2785,6 +2857,11 @@
- ')
+@@ -2789,6 +2861,101 @@
- delete_files_pattern($1, file_t, file_t)
+ ########################################
+ ##
++## Delete lnk_files on new filesystems
++## that have not yet been labeled.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_delete_isid_type_symlinks',`
++ gen_require(`
++ type file_t;
++ ')
++
+ delete_lnk_files_pattern($1, file_t, file_t)
++')
++
++########################################
++##
++## Delete fifo files on new filesystems
++## that have not yet been labeled.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_delete_isid_type_fifo_files',`
++ gen_require(`
++ type file_t;
++ ')
++
+ delete_fifo_files_pattern($1, file_t, file_t)
++')
++
++########################################
++##
++## Delete sock files on new filesystems
++## that have not yet been labeled.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_delete_isid_type_sock_files',`
++ gen_require(`
++ type file_t;
++ ')
++
+ delete_sock_files_pattern($1, file_t, file_t)
++')
++
++########################################
++##
++## Delete blk files on new filesystems
++## that have not yet been labeled.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_delete_isid_type_blk_files',`
++ gen_require(`
++ type file_t;
++ ')
++
+ delete_blk_files_pattern($1, file_t, file_t)
++')
++
++########################################
++##
++## Delete chr files on new filesystems
++## that have not yet been labeled.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_delete_isid_type_chr_files',`
++ gen_require(`
++ type file_t;
++ ')
++
+ delete_chr_files_pattern($1, file_t, file_t)
- ')
-
- ########################################
-@@ -2899,6 +2976,7 @@
++')
++
++########################################
++##
+ ## Create, read, write, and delete files
+ ## on new filesystems that have not yet been labeled.
+ ##
+@@ -2899,6 +3066,7 @@
')
allow $1 home_root_t:dir getattr;
@@ -6857,7 +6536,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -2919,6 +2997,7 @@
+@@ -2919,6 +3087,7 @@
')
dontaudit $1 home_root_t:dir getattr;
@@ -6865,7 +6544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -2937,6 +3016,7 @@
+@@ -2937,6 +3106,7 @@
')
allow $1 home_root_t:dir search_dir_perms;
@@ -6873,7 +6552,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -2956,6 +3036,7 @@
+@@ -2956,6 +3126,7 @@
')
dontaudit $1 home_root_t:dir search_dir_perms;
@@ -6881,7 +6560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -2975,6 +3056,7 @@
+@@ -2975,6 +3146,7 @@
')
dontaudit $1 home_root_t:dir list_dir_perms;
@@ -6889,7 +6568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -2993,6 +3075,7 @@
+@@ -2993,6 +3165,7 @@
')
allow $1 home_root_t:dir list_dir_perms;
@@ -6897,7 +6576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -3502,6 +3585,64 @@
+@@ -3502,6 +3675,64 @@
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -6962,7 +6641,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
########################################
##
## Allow the specified type to associate
-@@ -3687,6 +3828,32 @@
+@@ -3687,6 +3918,32 @@
########################################
##
@@ -6995,38 +6674,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Manage temporary files and directories in /tmp.
##
##
-@@ -3900,6 +4067,8 @@
+@@ -3900,6 +4157,13 @@
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
+ files_delete_isid_type_dirs($1)
+ files_delete_isid_type_files($1)
++ files_delete_isid_type_symlinks($1)
++ files_delete_isid_type_fifo_files($1)
++ files_delete_isid_type_sock_files($1)
++ files_delete_isid_type_blk_files($1)
++ files_delete_isid_type_chr_files($1)
')
########################################
-@@ -4008,7 +4177,12 @@
+@@ -4008,7 +4272,7 @@
type usr_t;
')
- allow $1 usr_t:file delete_file_perms;
+ delete_files_pattern($1, usr_t, usr_t)
-+ delete_lnk_files_pattern($1, usr_t, usr_t)
-+ delete_fifo_files_pattern($1, usr_t, usr_t)
-+ delete_sock_files_pattern($1, usr_t, usr_t)
-+ delete_blk_files_pattern($1, usr_t, usr_t)
-+ delete_chr_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
-@@ -4065,6 +4239,7 @@
- allow $1 usr_t:dir list_dir_perms;
- read_files_pattern($1, usr_t, usr_t)
- read_lnk_files_pattern($1, usr_t, usr_t)
-+ files_read_usr_src_files($1)
')
########################################
-@@ -4089,6 +4264,24 @@
+@@ -4089,6 +4353,24 @@
########################################
##
@@ -7051,32 +6722,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## dontaudit write of /usr files
##
##
-@@ -4742,6 +4935,24 @@
- read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
- ')
-
-+########################################
-+##
-+## Search the /var/log directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_search_var_log',`
-+ gen_require(`
-+ type var_t, var_log_t;
-+ ')
-+
-+ search_dirs_pattern($1, var_t, var_log_t)
-+')
-+
- # cjp: the next two interfaces really need to be fixed
- # in some way. They really neeed their own types.
-
-@@ -5014,6 +5225,25 @@
+@@ -5014,6 +5296,25 @@
search_dirs_pattern($1, var_t, var_run_t)
')
@@ -7102,7 +6748,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
########################################
##
## Do not audit attempts to search
-@@ -5073,6 +5303,24 @@
+@@ -5073,6 +5374,24 @@
########################################
##
@@ -7127,7 +6773,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Create an object in the process ID directory, with a private type.
##
##
-@@ -5148,6 +5396,24 @@
+@@ -5148,6 +5467,24 @@
########################################
##
@@ -7152,7 +6798,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Do not audit attempts to write to daemon runtime data files.
##
##
-@@ -5201,6 +5467,7 @@
+@@ -5201,6 +5538,7 @@
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
@@ -7160,7 +6806,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -5269,6 +5536,24 @@
+@@ -5269,6 +5607,24 @@
########################################
##
@@ -7185,7 +6831,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Search the contents of generic spool
## directories (/var/spool).
##
-@@ -5457,12 +5742,15 @@
+@@ -5457,12 +5813,15 @@
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
@@ -7202,7 +6848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
')
-@@ -5483,3 +5771,212 @@
+@@ -5483,3 +5842,211 @@
typeattribute $1 files_unconfined_type;
')
@@ -7223,7 +6869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
+##
+##
+#
-+interface(`files_dump_core',`
++interface(`files_manage_root',`
+ gen_require(`
+ type root_t;
+ ')
@@ -7233,11 +6879,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
+
+########################################
+##
-+## Create a default directory in /
++## Create a default directory
+##
+##
+##
-+## Create a default_t direcrory in /
++## Create a default_t direcrory
+##
+##
+##
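Review bot: The description line rewritten here still carries the misspelling `direcrory`; since the line is being changed anyway, it should read `## Create a default_t directory`. Dropping "in /" from both description lines leaves the text silent on which parent directory the interface is meant for, so the summary should say what the caller is expected to combine it with. The interface body these lines document starts after this hunk.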
@@ -7249,30 +6895,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
+#
+interface(`files_create_default_dir',`
+ gen_require(`
-+ type root_t, default_t;
++ type default_t;
+ ')
+
+ allow $1 default_t:dir create;
-+ filetrans_pattern($1, root_t, default_t, dir)
+')
+
+########################################
+##
-+## manage generic symbolic links
-+## in the /var/run directory.
++## Create, default_t objects with an automatic
++## type transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
++##
++##
++## The class of the object being created.
++##
++##
+#
-+interface(`files_manage_generic_pids_symlinks',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
++interface(`files_root_filetrans_default',`
++ gen_require(`
++ type root_t, default_t;
++ ')
+
-+ manage_lnk_files_pattern($1,var_run_t,var_run_t)
++ filetrans_pattern($1, root_t, default_t, $2)
+')
+
+########################################
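Review bot: The summary of the new `files_root_filetrans_default` interface does not say where the transition applies, although its body is `filetrans_pattern($1, root_t, default_t, $2)` and therefore covers objects created in directories labeled `root_t`. I would word it `## Create default_t objects in the root directory with an automatic type transition.`, which also drops the stray comma after "Create". After the split, `files_create_default_dir` only grants `allow $1 default_t:dir create;`, so a caller that relied on the old combined interface gets the create permission but, as far as this hunk shows, no longer the automatic labeling. Its description should state that `files_root_filetrans_default($1, dir)` is needed alongside it. The doc block of `files_create_default_dir` begins in the preceding hunk.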
@@ -7286,17 +6936,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
+##
+##
+#
-+interface(`files_boot',`
++interface(`files_manage_generic_pids_symlinks',`
+ gen_require(`
-+ type root_t;
++ type var_run_t;
+ ')
+
-+ allow $1 root_t:blk_file manage_blk_file_perms;
-+ allow $1 root_t:chr_file manage_chr_file_perms;
-+ manage_dirs_pattern($1, root_t, root_t)
-+ manage_files_pattern($1, root_t, root_t)
-+ manage_lnk_files_pattern($1, root_t, root_t)
-+ can_exec(kernel_t, root_t)
++ manage_lnk_files_pattern($1,var_run_t,var_run_t)
+')
+
+########################################
@@ -7415,17 +7060,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
+ dontaudit $1 file_type:file rw_inherited_file_perms;
+ dontaudit $1 file_type:lnk_file { read };
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.7.11/policy/modules/kernel/files.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.7.12/policy/modules/kernel/files.te
--- nsaserefpolicy/policy/modules/kernel/files.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/kernel/files.te 2010-03-03 23:48:01.000000000 -0500
-@@ -43,6 +43,7 @@
- #
- type boot_t;
- files_mountpoint(boot_t)
-+dev_node(boot_t)
-
- # default_t is the default type for files that do not
- # match any specification in the file_contexts configuration
++++ serefpolicy-3.7.12/policy/modules/kernel/files.te 2010-03-05 17:18:52.000000000 -0500
+@@ -12,6 +12,7 @@
+ attribute mountpoint;
+ attribute pidfile;
+ attribute configfile;
++attribute etcfile;
+
+ # For labeling types that are to be polyinstantiated
+ attribute polydir;
@@ -59,6 +60,15 @@
typealias etc_t alias automount_etc_t;
typealias etc_t alias snmpd_etc_t;
@@ -7450,9 +7095,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
########################################
#
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.11/policy/modules/kernel/filesystem.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.12/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/kernel/filesystem.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/kernel/filesystem.if 2010-03-07 08:32:52.000000000 -0500
@@ -929,7 +929,7 @@
type cifs_t;
')
@@ -7850,9 +7495,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+ dontaudit $1 filesystem_type:file rw_inherited_file_perms;
+ dontaudit $1 filesystem_type:lnk_file { read };
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.11/policy/modules/kernel/filesystem.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.12/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/kernel/filesystem.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/kernel/filesystem.te 2010-03-05 17:18:52.000000000 -0500
@@ -29,6 +29,7 @@
fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
@@ -7910,9 +7555,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
#
# nfs_t is the default type for NFS file systems
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.11/policy/modules/kernel/kernel.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.12/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2010-03-01 15:12:54.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/kernel/kernel.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/kernel/kernel.if 2010-03-05 17:18:52.000000000 -0500
@@ -144,6 +144,24 @@
########################################
@@ -8046,9 +7691,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
+
+ allow $1 kernel_t:unix_stream_socket connectto;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.11/policy/modules/kernel/kernel.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.12/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2010-03-04 08:02:45.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/kernel/kernel.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/kernel/kernel.te 2010-03-05 17:18:52.000000000 -0500
@@ -64,6 +64,15 @@
genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
@@ -8123,15 +7768,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
########################################
#
# Unlabeled process local policy
-@@ -389,3 +411,5 @@
- allow kern_unconfined unlabeled_t:association *;
- allow kern_unconfined unlabeled_t:packet *;
- allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
-+
-+files_boot(kernel_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.7.11/policy/modules/kernel/selinux.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.7.12/policy/modules/kernel/selinux.if
--- nsaserefpolicy/policy/modules/kernel/selinux.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/kernel/selinux.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/kernel/selinux.if 2010-03-05 17:18:52.000000000 -0500
@@ -40,7 +40,7 @@
# because of this statement, any module which
@@ -8189,31 +7828,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu
+ fs_type($1)
+ mls_trusted_object($1)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.7.11/policy/modules/kernel/storage.fc
---- nsaserefpolicy/policy/modules/kernel/storage.fc 2009-11-20 10:51:41.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/kernel/storage.fc 2010-03-03 23:48:01.000000000 -0500
-@@ -14,6 +14,7 @@
- /dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
- /dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
- /dev/drbd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-+/dev/etherd/.+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
- /dev/fd[^/]+ -b gen_context(system_u:object_r:removable_device_t,s0)
- /dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
- /dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.7.11/policy/modules/kernel/storage.if
---- nsaserefpolicy/policy/modules/kernel/storage.if 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/kernel/storage.if 2010-03-03 23:48:01.000000000 -0500
-@@ -304,6 +304,7 @@
-
- dev_list_all_dev_nodes($1)
- allow $1 fixed_disk_device_t:blk_file relabel_blk_file_perms;
-+ dontaudit $1 fixed_disk_device_t:lnk_file relabelto_lnk_file_perms;
- ')
-
- ########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.11/policy/modules/kernel/terminal.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.12/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/kernel/terminal.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/kernel/terminal.if 2010-03-05 17:18:52.000000000 -0500
@@ -292,9 +292,11 @@
interface(`term_dontaudit_use_console',`
gen_require(`
@@ -8254,9 +7871,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditadm.te serefpolicy-3.7.11/policy/modules/roles/auditadm.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditadm.te serefpolicy-3.7.12/policy/modules/roles/auditadm.te
--- nsaserefpolicy/policy/modules/roles/auditadm.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/roles/auditadm.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/roles/auditadm.te 2010-03-05 17:18:52.000000000 -0500
@@ -33,6 +33,8 @@
seutil_run_runinit(auditadm_t, auditadm_r)
seutil_read_bin_policy(auditadm_t)
@@ -8266,26 +7883,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditad
optional_policy(`
consoletype_exec(auditadm_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.7.11/policy/modules/roles/guest.te
---- nsaserefpolicy/policy/modules/roles/guest.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/roles/guest.te 2010-03-03 23:48:01.000000000 -0500
-@@ -16,7 +16,11 @@
- #
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.7.12/policy/modules/roles/guest.te
+--- nsaserefpolicy/policy/modules/roles/guest.te 2010-03-05 17:14:56.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/roles/guest.te 2010-03-05 17:18:52.000000000 -0500
+@@ -1,5 +1,5 @@
- optional_policy(`
-- java_role(guest_r, guest_t)
-+ java_role_template(guest, guest_r, guest_t)
+-policy_module(guest, 1.0.1)
++policy_module(guest, 1.0.0)
+
+ ########################################
+ #
+@@ -23,4 +23,4 @@
+ mono_role_template(guest, guest_r, guest_t)
')
-#gen_user(guest_u,, guest_r, s0, s0)
-+optional_policy(`
-+ mono_role_template(guest, guest_r, guest_t)
-+')
-+
+gen_user(guest_u, user, guest_r, s0, s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.11/policy/modules/roles/staff.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.12/policy/modules/roles/staff.te
--- nsaserefpolicy/policy/modules/roles/staff.te 2010-02-17 14:07:02.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/roles/staff.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/roles/staff.te 2010-03-05 17:18:52.000000000 -0500
@@ -10,11 +10,26 @@
userdom_unpriv_user_template(staff)
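Review bot: The regenerated guest.te section of this hunk now carries `-policy_module(guest, 1.0.1)` / `+policy_module(guest, 1.0.0)`, so applying the patch moves the guest module's declared version backwards from what upstream ships. This looks like a side effect of diffing against a tree that had not picked up the upstream bump, not an intended change; the only other change in the section re-enables `gen_user(guest_u, user, guest_r, s0, s0)`. The declared version is what tells a reviewer which policy revision is loaded, so I would drop those two lines and keep `policy_module(guest, 1.0.1)`. The same pattern should be checked in the other regenerated `policy_module(...)` sections of this patch.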
@@ -8461,9 +8077,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
+optional_policy(`
+ virt_stream_connect(staff_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.11/policy/modules/roles/sysadm.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.12/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-02-17 10:37:39.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/roles/sysadm.te 2010-03-04 07:59:10.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/roles/sysadm.te 2010-03-05 17:18:52.000000000 -0500
@@ -15,7 +15,7 @@
role sysadm_r;
@@ -8815,9 +8431,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
+
+init_script_role_transition(sysadm_r)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.7.11/policy/modules/roles/unconfineduser.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.7.12/policy/modules/roles/unconfineduser.fc
--- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/roles/unconfineduser.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/roles/unconfineduser.fc 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,10 @@
+# Add programs here which should not be confined by SELinux
+# e.g.:
@@ -8829,9 +8445,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+
+/usr/sbin/xrdp -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.7.11/policy/modules/roles/unconfineduser.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.7.12/policy/modules/roles/unconfineduser.if
--- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/roles/unconfineduser.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/roles/unconfineduser.if 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,667 @@
+## Unconfiend user role
+
@@ -9500,10 +9116,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+
+ allow $1 unconfined_r;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.11/policy/modules/roles/unconfineduser.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.12/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/roles/unconfineduser.te 2010-03-03 23:48:01.000000000 -0500
-@@ -0,0 +1,432 @@
++++ serefpolicy-3.7.12/policy/modules/roles/unconfineduser.te 2010-03-05 17:18:52.000000000 -0500
+@@ -0,0 +1,433 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -9574,6 +9190,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+
+files_create_boot_flag(unconfined_t)
+files_create_default_dir(unconfined_t)
++files_root_filetrans_default(unconfined_t, dir)
+
+mcs_killall(unconfined_t)
+mcs_ptrace_all(unconfined_t)
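Review bot: The added `files_root_filetrans_default(unconfined_t, dir)` has no comment, and its effect is not obvious from the neighbouring `files_create_default_dir(unconfined_t)`. Judging by the interface name, directories that unconfined_t creates directly under / will now be labelled default_t instead of inheriting the root label. That usually means confined services cannot use them until they are relabelled, so please confirm that this is the intent. I would add a line above it such as `# dirs created in / by unconfined_t get default_t, not root_t`. The unconfineduser.te section continues outside this hunk.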
@@ -9936,9 +9553,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.7.11/policy/modules/roles/unprivuser.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.7.12/policy/modules/roles/unprivuser.te
--- nsaserefpolicy/policy/modules/roles/unprivuser.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/roles/unprivuser.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/roles/unprivuser.te 2010-03-05 17:18:52.000000000 -0500
@@ -13,6 +13,7 @@
userdom_unpriv_user_template(user)
@@ -9982,9 +9599,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu
+optional_policy(`
+ setroubleshoot_dontaudit_stream_connect(user_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.11/policy/modules/roles/xguest.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.12/policy/modules/roles/xguest.te
--- nsaserefpolicy/policy/modules/roles/xguest.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/roles/xguest.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/roles/xguest.te 2010-03-05 17:18:52.000000000 -0500
@@ -15,7 +15,7 @@
##
@@ -10101,9 +9718,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
-#gen_user(xguest_u,, xguest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.7.11/policy/modules/services/abrt.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.7.12/policy/modules/services/abrt.fc
--- nsaserefpolicy/policy/modules/services/abrt.fc 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/abrt.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/abrt.fc 2010-03-05 17:18:52.000000000 -0500
@@ -1,11 +1,17 @@
/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
@@ -10123,9 +9740,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
/var/run/abrt\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.7.11/policy/modules/services/abrt.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.7.12/policy/modules/services/abrt.if
--- nsaserefpolicy/policy/modules/services/abrt.if 2010-03-01 15:12:54.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/abrt.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/abrt.if 2010-03-05 17:18:52.000000000 -0500
@@ -19,6 +19,28 @@
domtrans_pattern($1, abrt_exec_t, abrt_t)
')
@@ -10290,9 +9907,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
#####################################
##
## All of the rules required to administrate
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.11/policy/modules/services/abrt.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.12/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2010-03-01 15:12:54.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/abrt.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/abrt.te 2010-03-07 08:57:09.000000000 -0500
@@ -33,12 +33,24 @@
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)
@@ -10340,7 +9957,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
kernel_read_ring_buffer(abrt_t)
-@@ -75,25 +90,38 @@
+@@ -75,25 +90,39 @@
corecmd_exec_bin(abrt_t)
corecmd_exec_shell(abrt_t)
@@ -10360,8 +9977,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
+dev_getattr_all_chr_files(abrt_t)
dev_read_urand(abrt_t)
+dev_rw_sysfs(abrt_t)
-+dev_dontaudit_read_memory_dev(abrt_t)
++dev_dontaudit_read_raw_memory(abrt_t)
+
++domain_getattr_all_domains(abrt_t)
+domain_read_all_domains_state(abrt_t)
+domain_signull_all_domains(abrt_t)
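Review bot: `domain_getattr_all_domains(abrt_t)` is added without a comment, next to `domain_read_all_domains_state` and `domain_signull_all_domains`. abrt_t handles crash data from arbitrary processes, and this gives it another permission over every domain with no recorded reason. A one-line comment naming the abrt operation that needs it would let a later reviewer decide whether the rule can be narrowed. Separately, the renamed `dev_dontaudit_read_raw_memory(abrt_t)` keeps denied raw-memory reads by abrt out of the audit log. That deserves a comment too, since those denials only become visible again when dontaudit rules are disabled (`semodule -DB`). The abrt.te section continues outside this hunk.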
@@ -10386,7 +10004,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
sysnet_read_config(abrt_t)
-@@ -103,22 +131,98 @@
+@@ -103,22 +132,98 @@
miscfiles_read_certs(abrt_t)
miscfiles_read_localization(abrt_t)
@@ -10492,9 +10110,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
+ dev_dontaudit_write_all_blk_files(abrt_helper_t)
+ fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.if serefpolicy-3.7.11/policy/modules/services/afs.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.if serefpolicy-3.7.12/policy/modules/services/afs.if
--- nsaserefpolicy/policy/modules/services/afs.if 2010-03-01 15:12:54.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/afs.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/afs.if 2010-03-05 17:18:52.000000000 -0500
@@ -94,7 +94,7 @@
#
interface(`afs_admin',`
@@ -10504,9 +10122,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.
')
allow $1 afs_t:process { ptrace signal_perms getattr };
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.7.11/policy/modules/services/afs.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.7.12/policy/modules/services/afs.te
--- nsaserefpolicy/policy/modules/services/afs.te 2010-03-01 15:12:54.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/afs.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/afs.te 2010-03-05 17:18:52.000000000 -0500
@@ -71,8 +71,8 @@
# afs client local policy
#
@@ -10527,18 +10145,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.
########################################
#
# AFS bossserver local policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.fc serefpolicy-3.7.11/policy/modules/services/aiccu.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.fc serefpolicy-3.7.12/policy/modules/services/aiccu.fc
--- nsaserefpolicy/policy/modules/services/aiccu.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/aiccu.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/aiccu.fc 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,5 @@
+
+/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0)
+
+/etc/rc\.d/init\.d/aiccu -- gen_context(system_u:object_r:aiccu_initrc_exec_t,s0)
+/var/run/aiccu.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.if serefpolicy-3.7.11/policy/modules/services/aiccu.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.if serefpolicy-3.7.12/policy/modules/services/aiccu.if
--- nsaserefpolicy/policy/modules/services/aiccu.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/aiccu.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/aiccu.if 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,119 @@
+
+## policy for aiccu
@@ -10659,9 +10277,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
+ aiccu_manage_var_run($1)
+
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.te serefpolicy-3.7.11/policy/modules/services/aiccu.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.te serefpolicy-3.7.12/policy/modules/services/aiccu.te
--- nsaserefpolicy/policy/modules/services/aiccu.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/aiccu.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/aiccu.te 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,41 @@
+policy_module(aiccu,1.0.0)
+
@@ -10704,9 +10322,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
+manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
+manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
+files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir })
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.fc serefpolicy-3.7.11/policy/modules/services/aisexec.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.fc serefpolicy-3.7.12/policy/modules/services/aisexec.fc
--- nsaserefpolicy/policy/modules/services/aisexec.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/aisexec.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/aisexec.fc 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,10 @@
+
+/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:aisexec_initrc_exec_t,s0)
@@ -10718,9 +10336,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise
+/var/log/cluster/aisexec\.log -- gen_context(system_u:object_r:aisexec_var_log_t,s0)
+
+/var/run/aisexec\.pid -- gen_context(system_u:object_r:aisexec_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.if serefpolicy-3.7.11/policy/modules/services/aisexec.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.if serefpolicy-3.7.12/policy/modules/services/aisexec.if
--- nsaserefpolicy/policy/modules/services/aisexec.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/aisexec.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/aisexec.if 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,106 @@
+## SELinux policy for Aisexec Cluster Engine
+
@@ -10828,9 +10446,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise
+
+ admin_pattern($1, aisexec_tmpfs_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.7.11/policy/modules/services/aisexec.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.7.12/policy/modules/services/aisexec.te
--- nsaserefpolicy/policy/modules/services/aisexec.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/aisexec.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/aisexec.te 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,115 @@
+
+policy_module(aisexec,1.0.0)
@@ -10947,9 +10565,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise
+ groupd_rw_semaphores(aisexec_t)
+ groupd_rw_shm(aisexec_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.if serefpolicy-3.7.11/policy/modules/services/amavis.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.if serefpolicy-3.7.12/policy/modules/services/amavis.if
--- nsaserefpolicy/policy/modules/services/amavis.if 2010-03-04 11:17:25.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/amavis.if 2010-03-03 23:27:40.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/amavis.if 2010-03-05 17:18:52.000000000 -0500
@@ -18,30 +18,11 @@
type amavis_t, amavis_exec_t;
')
@@ -10997,9 +10615,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav
domain_system_change_exemption($1)
role_transition $2 amavis_initrc_exec_t system_r;
allow $2 system_r;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.7.11/policy/modules/services/amavis.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.7.12/policy/modules/services/amavis.te
--- nsaserefpolicy/policy/modules/services/amavis.te 2010-03-04 11:17:25.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/amavis.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/amavis.te 2010-03-06 10:17:14.000000000 -0500
@@ -1,5 +1,5 @@
-policy_module(amavis, 1.10.2)
@@ -11021,9 +10639,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav
sysnet_dns_name_resolve(amavis_t)
sysnet_use_ldap(amavis_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.11/policy/modules/services/apache.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.12/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/apache.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/apache.fc 2010-03-05 17:18:52.000000000 -0500
@@ -2,12 +2,19 @@
/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
@@ -11151,9 +10769,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.11/policy/modules/services/apache.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.12/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/apache.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/apache.if 2010-03-05 17:18:52.000000000 -0500
@@ -13,21 +13,17 @@
#
template(`apache_content_template',`
@@ -11862,9 +11480,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+ dontaudit $1 httpd_t:unix_dgram_socket { read write };
+ dontaudit $1 httpd_t:unix_stream_socket { read write };
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.11/policy/modules/services/apache.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.12/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/apache.te 2010-03-04 09:59:11.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/apache.te 2010-03-05 17:18:52.000000000 -0500
@@ -19,6 +19,8 @@
# Declarations
#
@@ -12745,9 +12363,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.if serefpolicy-3.7.11/policy/modules/services/apcupsd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.if serefpolicy-3.7.12/policy/modules/services/apcupsd.if
--- nsaserefpolicy/policy/modules/services/apcupsd.if 2010-03-04 11:17:25.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/apcupsd.if 2010-03-03 23:27:42.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/apcupsd.if 2010-03-05 17:18:52.000000000 -0500
@@ -15,30 +15,11 @@
type apcupsd_t, apcupsd_exec_t;
')
@@ -12808,9 +12426,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu
domain_system_change_exemption($1)
role_transition $2 apcupsd_initrc_exec_t system_r;
allow $2 system_r;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.7.11/policy/modules/services/apcupsd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.7.12/policy/modules/services/apcupsd.te
--- nsaserefpolicy/policy/modules/services/apcupsd.te 2010-03-04 11:17:25.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/apcupsd.te 2010-03-03 23:27:41.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/apcupsd.te 2010-03-05 17:18:52.000000000 -0500
@@ -1,5 +1,5 @@
-policy_module(apcupsd, 1.6.1)
@@ -12818,9 +12436,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu
########################################
#
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.7.11/policy/modules/services/apm.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.7.12/policy/modules/services/apm.te
--- nsaserefpolicy/policy/modules/services/apm.te 2010-03-04 11:17:25.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/apm.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/apm.te 2010-03-05 17:18:52.000000000 -0500
@@ -1,5 +1,5 @@
-policy_module(apm, 1.10.2)
@@ -12828,9 +12446,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.
########################################
#
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.if serefpolicy-3.7.11/policy/modules/services/arpwatch.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.if serefpolicy-3.7.12/policy/modules/services/arpwatch.if
--- nsaserefpolicy/policy/modules/services/arpwatch.if 2010-03-04 11:17:25.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/arpwatch.if 2010-03-03 23:27:40.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/arpwatch.if 2010-03-05 17:18:52.000000000 -0500
@@ -2,24 +2,6 @@
########################################
@@ -12897,9 +12515,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpw
domain_system_change_exemption($1)
role_transition $2 arpwatch_initrc_exec_t system_r;
allow $2 system_r;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.7.11/policy/modules/services/arpwatch.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.7.12/policy/modules/services/arpwatch.te
--- nsaserefpolicy/policy/modules/services/arpwatch.te 2010-03-04 11:17:25.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/arpwatch.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/arpwatch.te 2010-03-05 17:18:52.000000000 -0500
@@ -1,5 +1,5 @@
-policy_module(arpwatch, 1.8.1)
@@ -12932,9 +12550,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpw
fs_getattr_all_fs(arpwatch_t)
fs_search_auto_mountpoints(arpwatch_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.7.11/policy/modules/services/asterisk.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.7.12/policy/modules/services/asterisk.if
--- nsaserefpolicy/policy/modules/services/asterisk.if 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/asterisk.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/asterisk.if 2010-03-05 17:18:52.000000000 -0500
@@ -2,8 +2,28 @@
#####################################
@@ -13013,9 +12631,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste
+
+ can_exec($1, asterisk_exec_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.7.11/policy/modules/services/asterisk.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.7.12/policy/modules/services/asterisk.te
--- nsaserefpolicy/policy/modules/services/asterisk.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/asterisk.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/asterisk.te 2010-03-05 17:18:52.000000000 -0500
@@ -40,12 +40,13 @@
#
@@ -13116,18 +12734,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste
+ udev_read_db(asterisk_t)
')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.7.11/policy/modules/services/avahi.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.7.12/policy/modules/services/avahi.fc
--- nsaserefpolicy/policy/modules/services/avahi.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/avahi.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/avahi.fc 2010-03-05 17:18:52.000000000 -0500
@@ -6,4 +6,4 @@
/var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0)
-/usr/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0)
+/var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.7.11/policy/modules/services/avahi.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.7.12/policy/modules/services/avahi.te
--- nsaserefpolicy/policy/modules/services/avahi.te 2010-01-11 09:40:36.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/avahi.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/avahi.te 2010-03-05 17:18:52.000000000 -0500
@@ -24,7 +24,7 @@
# Local policy
#
@@ -13172,9 +12790,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah
userdom_dontaudit_use_unpriv_user_fds(avahi_t)
userdom_dontaudit_search_user_home_dirs(avahi_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.7.11/policy/modules/services/bind.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.7.12/policy/modules/services/bind.if
--- nsaserefpolicy/policy/modules/services/bind.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/bind.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/bind.if 2010-03-05 17:18:52.000000000 -0500
@@ -253,7 +253,7 @@
########################################
@@ -13219,9 +12837,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
domain_system_change_exemption($1)
role_transition $2 named_initrc_exec_t system_r;
allow $2 system_r;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.7.11/policy/modules/services/bind.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.7.12/policy/modules/services/bind.te
--- nsaserefpolicy/policy/modules/services/bind.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/bind.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/bind.te 2010-03-05 17:18:52.000000000 -0500
@@ -142,11 +142,11 @@
logging_send_syslog_msg(named_t)
@@ -13236,9 +12854,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
userdom_dontaudit_use_unpriv_user_fds(named_t)
userdom_dontaudit_search_user_home_dirs(named_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.7.11/policy/modules/services/bluetooth.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.7.12/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/bluetooth.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/bluetooth.te 2010-03-05 17:18:52.000000000 -0500
@@ -96,6 +96,7 @@
kernel_read_system_state(bluetooth_t)
kernel_read_network_state(bluetooth_t)
@@ -13247,9 +12865,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue
corenet_all_recvfrom_unlabeled(bluetooth_t)
corenet_all_recvfrom_netlabel(bluetooth_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.fc serefpolicy-3.7.11/policy/modules/services/cachefilesd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.fc serefpolicy-3.7.12/policy/modules/services/cachefilesd.fc
--- nsaserefpolicy/policy/modules/services/cachefilesd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/cachefilesd.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/cachefilesd.fc 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,28 @@
+###############################################################################
+#
@@ -13279,9 +12897,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach
+/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
+
+/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefiles_var_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.if serefpolicy-3.7.11/policy/modules/services/cachefilesd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.if serefpolicy-3.7.12/policy/modules/services/cachefilesd.if
--- nsaserefpolicy/policy/modules/services/cachefilesd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/cachefilesd.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/cachefilesd.if 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,41 @@
+###############################################################################
+#
@@ -13324,9 +12942,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach
+ allow cachefilesd_t $1:fifo_file rw_file_perms;
+ allow cachefilesd_t $1:process sigchld;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.te serefpolicy-3.7.11/policy/modules/services/cachefilesd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.te serefpolicy-3.7.12/policy/modules/services/cachefilesd.te
--- nsaserefpolicy/policy/modules/services/cachefilesd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/cachefilesd.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/cachefilesd.te 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,146 @@
+###############################################################################
+#
@@ -13474,9 +13092,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach
+fs_getattr_xattr_fs(cachefiles_kernel_t)
+
+dev_search_sysfs(cachefiles_kernel_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.7.11/policy/modules/services/ccs.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.7.12/policy/modules/services/ccs.te
--- nsaserefpolicy/policy/modules/services/ccs.te 2010-02-16 14:58:22.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/ccs.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/ccs.te 2010-03-05 17:18:52.000000000 -0500
@@ -114,5 +114,10 @@
')
@@ -13488,9 +13106,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.
+optional_policy(`
unconfined_use_fds(ccs_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.7.11/policy/modules/services/certmaster.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.7.12/policy/modules/services/certmaster.fc
--- nsaserefpolicy/policy/modules/services/certmaster.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/certmaster.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/certmaster.fc 2010-03-05 17:18:52.000000000 -0500
@@ -3,5 +3,6 @@
/usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0)
@@ -13498,9 +13116,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
+/var/lib/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_lib_t,s0)
/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0)
/var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.fc serefpolicy-3.7.11/policy/modules/services/certmonger.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.fc serefpolicy-3.7.12/policy/modules/services/certmonger.fc
--- nsaserefpolicy/policy/modules/services/certmonger.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/certmonger.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/certmonger.fc 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,6 @@
+/etc/rc\.d/init\.d/certmonger -- gen_context(system_u:object_r:certmonger_initrc_exec_t,s0)
+
@@ -13508,9 +13126,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
+
+/var/run/certmonger.pid -- gen_context(system_u:object_r:certmonger_var_run_t,s0)
+/var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.if serefpolicy-3.7.11/policy/modules/services/certmonger.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.if serefpolicy-3.7.12/policy/modules/services/certmonger.if
--- nsaserefpolicy/policy/modules/services/certmonger.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/certmonger.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/certmonger.if 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,217 @@
+
+## Certificate status monitor and PKI enrollment client
@@ -13729,9 +13347,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
+ files_search_pids($1)
+ admin_pattern($1, cermonger_var_run_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.11/policy/modules/services/certmonger.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.12/policy/modules/services/certmonger.te
--- nsaserefpolicy/policy/modules/services/certmonger.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/certmonger.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/certmonger.te 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,74 @@
+policy_module(certmonger,1.0.0)
+
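Review bot: `admin_pattern($1, cermonger_var_run_t)` at the end of the certmonger.if section misspells the type name; certmonger.fc in this same patch labels the pid file `certmonger_var_run_t`. The rebase carries the line over unchanged, so the typo survives into the 3.7.12 patch. The interface's `gen_require` block is outside this hunk, but the misspelled name is presumably declared nowhere, so the rule would most likely fail to resolve when the interface is called rather than grant access to the pid file. It should read `admin_pattern($1, certmonger_var_run_t)`.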
@@ -13807,9 +13425,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
+optional_policy(`
+ unconfined_dbus_send(certmonger_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.fc serefpolicy-3.7.11/policy/modules/services/cgroup.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.fc serefpolicy-3.7.12/policy/modules/services/cgroup.fc
--- nsaserefpolicy/policy/modules/services/cgroup.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/cgroup.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/cgroup.fc 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t, s0)
+/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t, s0)
@@ -13818,9 +13436,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfigparser_exec_t, s0)
+
+/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t, s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.if serefpolicy-3.7.11/policy/modules/services/cgroup.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.if serefpolicy-3.7.12/policy/modules/services/cgroup.if
--- nsaserefpolicy/policy/modules/services/cgroup.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/cgroup.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/cgroup.if 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,35 @@
+## Control group rules engine daemon.
+##
@@ -13857,9 +13475,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+ stream_connect_pattern($1, cgred_var_run_t, cgred_var_run_t, cgred_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.7.11/policy/modules/services/cgroup.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.7.12/policy/modules/services/cgroup.te
--- nsaserefpolicy/policy/modules/services/cgroup.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/cgroup.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/cgroup.te 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,87 @@
+policy_module(cgroup, 1.0.0)
+
@@ -13948,18 +13566,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+# /mnt/cgroups/cpu
+kernel_list_unlabeled(cgconfigparser_t)
+kernel_read_system_state(cgconfigparser_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.7.11/policy/modules/services/chronyd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.7.12/policy/modules/services/chronyd.fc
--- nsaserefpolicy/policy/modules/services/chronyd.fc 2010-02-16 14:58:22.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/chronyd.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/chronyd.fc 2010-03-05 17:18:52.000000000 -0500
@@ -1,3 +1,5 @@
+/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0)
+
/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.7.11/policy/modules/services/chronyd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.7.12/policy/modules/services/chronyd.if
--- nsaserefpolicy/policy/modules/services/chronyd.if 2010-02-16 14:58:22.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/chronyd.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/chronyd.if 2010-03-05 17:18:52.000000000 -0500
@@ -77,7 +77,7 @@
gen_require(`
type chronyd_t, chronyd_var_log_t;
@@ -13978,9 +13596,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
logging_search_logs($1)
admin_pattern($1, chronyd_var_log_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.7.11/policy/modules/services/chronyd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.7.12/policy/modules/services/chronyd.te
--- nsaserefpolicy/policy/modules/services/chronyd.te 2010-02-16 14:58:22.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/chronyd.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/chronyd.te 2010-03-05 17:18:52.000000000 -0500
@@ -13,6 +13,9 @@
type chronyd_initrc_exec_t;
init_script_file(chronyd_initrc_exec_t)
@@ -14029,9 +13647,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
+optional_policy(`
+ gpsd_rw_shm(chronyd_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.11/policy/modules/services/clamav.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.12/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/clamav.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/clamav.te 2010-03-05 17:18:52.000000000 -0500
@@ -57,6 +57,7 @@
#
@@ -14055,17 +13673,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
optional_policy(`
cron_system_entry(freshclam_t, freshclam_exec_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.fc serefpolicy-3.7.11/policy/modules/services/clogd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.fc serefpolicy-3.7.12/policy/modules/services/clogd.fc
--- nsaserefpolicy/policy/modules/services/clogd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/clogd.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/clogd.fc 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,4 @@
+
+/usr/sbin/clogd -- gen_context(system_u:object_r:clogd_exec_t,s0)
+
+/var/run/clogd\.pid -- gen_context(system_u:object_r:clogd_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.7.11/policy/modules/services/clogd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.7.12/policy/modules/services/clogd.if
--- nsaserefpolicy/policy/modules/services/clogd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/clogd.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/clogd.if 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,82 @@
+## clogd - clustered mirror log server
+
@@ -14149,9 +13767,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clog
+ fs_search_tmpfs($1)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.te serefpolicy-3.7.11/policy/modules/services/clogd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.te serefpolicy-3.7.12/policy/modules/services/clogd.te
--- nsaserefpolicy/policy/modules/services/clogd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/clogd.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/clogd.te 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,65 @@
+
+policy_module(clogd,1.0.0)
@@ -14218,19 +13836,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clog
+')
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.7.11/policy/modules/services/cobbler.if
---- nsaserefpolicy/policy/modules/services/cobbler.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/cobbler.if 2010-03-03 23:48:01.000000000 -0500
-@@ -162,6 +162,7 @@
- gen_require(`
- type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
- type cobbler_etc_t;
-+ type httpd_cobbler_content_rw_t;
- ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.7.12/policy/modules/services/cobbler.if
+--- nsaserefpolicy/policy/modules/services/cobbler.if 2010-03-05 10:46:32.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/cobbler.if 2010-03-05 17:18:52.000000000 -0500
+@@ -173,9 +173,11 @@
+ files_list_var_lib($1)
+ admin_pattern($1, cobbler_var_lib_t)
- allow $1 cobblerd_t:process { ptrace signal_perms getattr };
-@@ -176,6 +177,8 @@
- files_search_var_log($1)
+- files_search_var_log($1)
++ logging_search_logs($1)
admin_pattern($1, cobbler_var_log_t)
+ admin_pattern($1, httpd_cobbler_content_rw_t)
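Review bot: The rebased cobbler.if section still adds `admin_pattern($1, httpd_cobbler_content_rw_t)`, but it no longer carries the `type httpd_cobbler_content_rw_t;` line that the 3.7.11 version of the patch put into the interface's `gen_require` block. That block sits above the `@@ -173,9 +173,11 @@` window and is not visible here, so the refreshed upstream file may already require the type. If it does not, the admin interface references a type it never requires, and that type appears to exist only through `apache_content_template(cobbler)` in the cobbler.te part of this patch. Either keep `type httpd_cobbler_content_rw_t;` in the patch or confirm the new upstream base already has it. The interface body starts and ends outside the hunk.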
@@ -14238,9 +13852,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
cobblerd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 cobblerd_initrc_exec_t system_r;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.7.11/policy/modules/services/cobbler.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.7.12/policy/modules/services/cobbler.te
--- nsaserefpolicy/policy/modules/services/cobbler.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/cobbler.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/cobbler.te 2010-03-05 17:18:52.000000000 -0500
@@ -40,6 +40,7 @@
allow cobblerd_t self:fifo_file rw_fifo_file_perms;
allow cobblerd_t self:tcp_socket create_stream_socket_perms;
@@ -14271,9 +13885,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
+apache_content_template(cobbler)
+manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
+manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.7.11/policy/modules/services/consolekit.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.7.12/policy/modules/services/consolekit.fc
--- nsaserefpolicy/policy/modules/services/consolekit.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/consolekit.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/consolekit.fc 2010-03-05 17:18:52.000000000 -0500
@@ -2,4 +2,5 @@
/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
@@ -14281,9 +13895,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
-/var/run/ConsoleKit(/.*)? -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
+
+/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.7.11/policy/modules/services/consolekit.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.7.12/policy/modules/services/consolekit.if
--- nsaserefpolicy/policy/modules/services/consolekit.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/consolekit.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/consolekit.if 2010-03-05 17:18:52.000000000 -0500
@@ -57,3 +57,42 @@
read_files_pattern($1, consolekit_log_t, consolekit_log_t)
files_search_pids($1)
@@ -14327,9 +13941,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
+ read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.7.11/policy/modules/services/consolekit.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.7.12/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/consolekit.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/consolekit.te 2010-03-05 17:18:52.000000000 -0500
@@ -16,12 +16,15 @@
type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
@@ -14415,9 +14029,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
+ unconfined_ptrace(consolekit_t)
unconfined_stream_connect(consolekit_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.7.11/policy/modules/services/corosync.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.7.12/policy/modules/services/corosync.fc
--- nsaserefpolicy/policy/modules/services/corosync.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/corosync.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/corosync.fc 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,14 @@
+
+/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
@@ -14433,9 +14047,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+/var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0)
+/var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.if serefpolicy-3.7.11/policy/modules/services/corosync.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.if serefpolicy-3.7.12/policy/modules/services/corosync.if
--- nsaserefpolicy/policy/modules/services/corosync.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/corosync.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/corosync.if 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,108 @@
+## SELinux policy for Corosync Cluster Engine
+
@@ -14545,9 +14159,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+')
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.11/policy/modules/services/corosync.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.12/policy/modules/services/corosync.te
--- nsaserefpolicy/policy/modules/services/corosync.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/corosync.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/corosync.te 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,115 @@
+
+policy_module(corosync,1.0.0)
@@ -14664,9 +14278,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+optional_policy(`
+ rgmanager_manage_tmpfs_files(corosync_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.7.11/policy/modules/services/cron.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.7.12/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/cron.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/cron.fc 2010-03-05 17:18:52.000000000 -0500
@@ -14,7 +14,7 @@
/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
@@ -14684,9 +14298,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
+
+/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.7.11/policy/modules/services/cron.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.7.12/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/cron.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/cron.if 2010-03-05 17:18:52.000000000 -0500
@@ -12,6 +12,10 @@
##
#
@@ -14837,9 +14451,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
+
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.11/policy/modules/services/cron.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.12/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/cron.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/cron.te 2010-03-05 17:18:52.000000000 -0500
@@ -38,8 +38,10 @@
type cron_var_lib_t;
files_type(cron_var_lib_t)
@@ -15117,9 +14731,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
unconfined_domain(system_cronjob_t)
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.11/policy/modules/services/cups.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.12/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2009-07-28 15:51:13.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/cups.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/cups.fc 2010-03-05 17:18:52.000000000 -0500
@@ -13,10 +13,14 @@
/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
@@ -15166,9 +14780,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.11/policy/modules/services/cups.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.12/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/cups.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/cups.te 2010-03-05 17:18:52.000000000 -0500
@@ -23,6 +23,9 @@
type cupsd_initrc_exec_t;
init_script_file(cupsd_initrc_exec_t)
@@ -15381,7 +14995,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
kernel_read_system_state(cups_pdf_t)
files_read_etc_files(cups_pdf_t)
-@@ -556,11 +598,15 @@
+@@ -556,13 +598,18 @@
miscfiles_read_fonts(cups_pdf_t)
userdom_home_filetrans_user_home_dir(cups_pdf_t)
@@ -15396,8 +15010,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+')
tunable_policy(`use_nfs_home_dirs',`
++ fs_search_auto_mountpoints(cups_pdf_t)
fs_manage_nfs_dirs(cups_pdf_t)
-@@ -601,6 +647,9 @@
+ fs_manage_nfs_files(cups_pdf_t)
+ ')
+@@ -601,6 +648,9 @@
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
files_search_etc(hplip_t)
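Review bot: The new `fs_search_auto_mountpoints(cups_pdf_t)` is added only inside the `use_nfs_home_dirs` tunable block. If cups_pdf_t has a parallel `use_samba_home_dirs` block (it would be below this window and is not visible here), automounted CIFS home directories would hit the same search denial, so the same call, `fs_search_auto_mountpoints(cups_pdf_t)`, likely belongs there too. Keeping the two tunable blocks symmetric also makes it easier to audit what cups_pdf_t may reach under each boolean.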
@@ -15407,7 +15024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
-@@ -627,6 +676,7 @@
+@@ -627,6 +677,7 @@
corenet_tcp_connect_ipp_port(hplip_t)
corenet_sendrecv_hplip_client_packets(hplip_t)
corenet_receive_hplip_server_packets(hplip_t)
@@ -15415,9 +15032,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
dev_read_sysfs(hplip_t)
dev_rw_printer(hplip_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.7.11/policy/modules/services/cvs.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.7.12/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/cvs.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/cvs.te 2010-03-05 17:18:52.000000000 -0500
@@ -93,6 +93,7 @@
auth_can_read_shadow_passwords(cvs_t)
tunable_policy(`allow_cvs_read_shadow',`
@@ -15432,9 +15049,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.7.11/policy/modules/services/cyrus.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.7.12/policy/modules/services/cyrus.te
--- nsaserefpolicy/policy/modules/services/cyrus.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/cyrus.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/cyrus.te 2010-03-05 17:18:52.000000000 -0500
@@ -75,6 +75,7 @@
corenet_tcp_bind_mail_port(cyrus_t)
corenet_tcp_bind_lmtp_port(cyrus_t)
@@ -15451,9 +15068,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru
snmp_read_snmp_var_lib_files(cyrus_t)
snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
snmp_stream_connect(cyrus_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.7.11/policy/modules/services/dbus.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.7.12/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/dbus.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/dbus.if 2010-03-05 17:18:52.000000000 -0500
@@ -42,8 +42,10 @@
gen_require(`
class dbus { send_msg acquire_svc };
@@ -15589,9 +15206,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
+ manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.7.11/policy/modules/services/dbus.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.7.12/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/dbus.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/dbus.te 2010-03-05 17:18:52.000000000 -0500
@@ -86,6 +86,7 @@
dev_read_sysfs(system_dbusd_t)
@@ -15650,9 +15267,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
+ xserver_rw_xdm_pipes(session_bus_type)
+ xserver_append_xdm_home_files(session_bus_type)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.7.11/policy/modules/services/dcc.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.7.12/policy/modules/services/dcc.te
--- nsaserefpolicy/policy/modules/services/dcc.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/dcc.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/dcc.te 2010-03-05 17:18:52.000000000 -0500
@@ -81,7 +81,7 @@
# dcc daemon controller local policy
#
@@ -15662,9 +15279,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.
allow cdcc_t self:unix_dgram_socket create_socket_perms;
allow cdcc_t self:udp_socket create_socket_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.fc serefpolicy-3.7.11/policy/modules/services/denyhosts.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.fc serefpolicy-3.7.12/policy/modules/services/denyhosts.fc
--- nsaserefpolicy/policy/modules/services/denyhosts.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/denyhosts.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/denyhosts.fc 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/denyhosts -- gen_context(system_u:object_r:denyhosts_initrc_exec_t, s0)
+
@@ -15673,9 +15290,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
+/var/lib/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_lib_t, s0)
+/var/lock/subsys/denyhosts -- gen_context(system_u:object_r:denyhosts_var_lock_t, s0)
+/var/log/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_log_t, s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.7.11/policy/modules/services/denyhosts.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.7.12/policy/modules/services/denyhosts.if
--- nsaserefpolicy/policy/modules/services/denyhosts.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/denyhosts.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/denyhosts.if 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,90 @@
+## Deny Hosts.
+##
@@ -15767,9 +15384,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
+ ps_process_pattern($1, denyhosts_t)
+ read_lnk_files_pattern($1, denyhosts_t, denyhosts_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.7.11/policy/modules/services/denyhosts.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.7.12/policy/modules/services/denyhosts.te
--- nsaserefpolicy/policy/modules/services/denyhosts.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/denyhosts.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/denyhosts.te 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,72 @@
+
+policy_module(denyhosts, 1.0.0)
@@ -15843,9 +15460,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
+optional_policy(`
+ cron_system_entry(denyhosts_t, denyhosts_exec_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.7.11/policy/modules/services/devicekit.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.7.12/policy/modules/services/devicekit.fc
--- nsaserefpolicy/policy/modules/services/devicekit.fc 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/devicekit.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/devicekit.fc 2010-03-05 17:18:52.000000000 -0500
@@ -1,8 +1,12 @@
/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0)
/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
@@ -15860,9 +15477,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
-/var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.7.11/policy/modules/services/devicekit.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.7.12/policy/modules/services/devicekit.if
--- nsaserefpolicy/policy/modules/services/devicekit.if 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/devicekit.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/devicekit.if 2010-03-05 17:18:52.000000000 -0500
@@ -139,6 +139,26 @@
########################################
@@ -15899,9 +15516,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
')
allow $1 devicekit_t:process { ptrace signal_perms getattr };
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.11/policy/modules/services/devicekit.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.12/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/devicekit.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/devicekit.te 2010-03-05 17:18:52.000000000 -0500
@@ -42,6 +42,8 @@
files_read_etc_files(devicekit_t)
@@ -16119,9 +15736,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
+optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.7.11/policy/modules/services/dhcp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.7.12/policy/modules/services/dhcp.te
--- nsaserefpolicy/policy/modules/services/dhcp.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/dhcp.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/dhcp.te 2010-03-05 17:18:52.000000000 -0500
@@ -112,6 +112,10 @@
')
@@ -16133,9 +15750,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp
dbus_system_bus_client(dhcpd_t)
dbus_connect_system_bus(dhcpd_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.7.11/policy/modules/services/djbdns.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.7.12/policy/modules/services/djbdns.if
--- nsaserefpolicy/policy/modules/services/djbdns.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/djbdns.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/djbdns.if 2010-03-05 17:18:52.000000000 -0500
@@ -26,6 +26,8 @@
daemontools_read_svc(djbdns_$1_t)
@@ -16185,9 +15802,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbd
+
+ allow $1 djbdns_tinydn_t:key link;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.te serefpolicy-3.7.11/policy/modules/services/djbdns.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.te serefpolicy-3.7.12/policy/modules/services/djbdns.te
--- nsaserefpolicy/policy/modules/services/djbdns.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/djbdns.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/djbdns.te 2010-03-05 17:18:52.000000000 -0500
@@ -42,3 +42,11 @@
files_search_var(djbdns_axfrdns_t)
@@ -16200,9 +15817,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbd
+
+init_dontaudit_use_script_fds(djbdns_tinydns_t)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.7.11/policy/modules/services/dnsmasq.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.7.12/policy/modules/services/dnsmasq.fc
--- nsaserefpolicy/policy/modules/services/dnsmasq.fc 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/dnsmasq.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/dnsmasq.fc 2010-03-05 17:18:52.000000000 -0500
@@ -6,5 +6,7 @@
/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0)
@@ -16211,9 +15828,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
+
/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.7.11/policy/modules/services/dnsmasq.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.7.12/policy/modules/services/dnsmasq.if
--- nsaserefpolicy/policy/modules/services/dnsmasq.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/dnsmasq.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/dnsmasq.if 2010-03-05 17:18:52.000000000 -0500
@@ -111,7 +111,7 @@
type dnsmasq_etc_t;
')
@@ -16232,9 +15849,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
files_search_etc($1)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.7.11/policy/modules/services/dnsmasq.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.7.12/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/dnsmasq.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/dnsmasq.te 2010-03-05 17:18:52.000000000 -0500
@@ -19,6 +19,9 @@
type dnsmasq_lease_t;
files_type(dnsmasq_lease_t)
@@ -16290,9 +15907,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
seutil_sigchld_newrole(dnsmasq_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.7.11/policy/modules/services/dovecot.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.7.12/policy/modules/services/dovecot.fc
--- nsaserefpolicy/policy/modules/services/dovecot.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/dovecot.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/dovecot.fc 2010-03-05 17:18:52.000000000 -0500
@@ -34,6 +34,7 @@
/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
@@ -16301,9 +15918,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.11/policy/modules/services/dovecot.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.12/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/dovecot.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/dovecot.te 2010-03-05 17:18:52.000000000 -0500
@@ -73,14 +73,21 @@
can_exec(dovecot_t, dovecot_exec_t)
@@ -16366,18 +15983,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
dovecot_stream_connect_auth(dovecot_auth_t)
-@@ -197,8 +205,9 @@
+@@ -197,8 +205,8 @@
files_search_pids(dovecot_auth_t)
files_read_usr_files(dovecot_auth_t)
files_read_usr_symlinks(dovecot_auth_t)
+files_read_var_lib_files(dovecot_auth_t)
files_search_tmp(dovecot_auth_t)
-files_read_var_lib_files(dovecot_t)
-+files_search_var_log(dovecot_auth_t)
init_rw_utmp(dovecot_auth_t)
-@@ -225,6 +234,7 @@
+@@ -225,6 +233,7 @@
')
optional_policy(`
@@ -16385,7 +16001,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
postfix_search_spool(dovecot_auth_t)
')
-@@ -234,6 +244,8 @@
+@@ -234,6 +243,8 @@
#
allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
@@ -16394,6 +16010,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
+@@ -246,6 +257,7 @@
+ auth_use_nsswitch(dovecot_deliver_t)
+
+ logging_send_syslog_msg(dovecot_deliver_t)
++logging_search_logs(dovecot_auth_t)
+
+ miscfiles_read_localization(dovecot_deliver_t)
+
@@ -263,11 +275,19 @@
userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
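Review bot: The added `logging_search_logs(dovecot_auth_t)` sits inside the dovecot_deliver_t local policy, between `logging_send_syslog_msg(dovecot_deliver_t)` and `miscfiles_read_localization(dovecot_deliver_t)`, yet it grants the access to dovecot_auth_t. It looks like the replacement for the `files_search_var_log(dovecot_auth_t)` line that the preceding hunk drops from the dovecot_auth_t block. If so, it belongs next to the other dovecot_auth_t rules there; if the deliver domain was meant, the argument should be `dovecot_deliver_t`. As written, anyone auditing what each dovecot domain may reach will look for this rule in the wrong section. The dovecot.te section of the patch continues outside this hunk.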
@@ -16414,9 +16038,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
fs_manage_cifs_files(dovecot_t)
fs_manage_cifs_symlinks(dovecot_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.7.11/policy/modules/services/exim.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.7.12/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te 2010-03-04 11:17:25.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/exim.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/exim.te 2010-03-05 17:18:52.000000000 -0500
@@ -1,5 +1,5 @@
-policy_module(exim, 1.4.2)
@@ -16434,9 +16058,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
sendmail_manage_tmp_files(exim_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.7.11/policy/modules/services/fail2ban.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.7.12/policy/modules/services/fail2ban.if
--- nsaserefpolicy/policy/modules/services/fail2ban.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/fail2ban.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/fail2ban.if 2010-03-05 17:18:52.000000000 -0500
@@ -98,6 +98,46 @@
allow $1 fail2ban_var_run_t:file read_file_perms;
')
@@ -16506,9 +16130,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
+
+ allow $1 fail2ban_t:unix_stream_socket { getattr read write ioctl };
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.7.11/policy/modules/services/fetchmail.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.7.12/policy/modules/services/fetchmail.te
--- nsaserefpolicy/policy/modules/services/fetchmail.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/fetchmail.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/fetchmail.te 2010-03-05 17:18:52.000000000 -0500
@@ -48,6 +48,7 @@
kernel_dontaudit_read_system_state(fetchmail_t)
@@ -16517,9 +16141,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetc
corenet_all_recvfrom_unlabeled(fetchmail_t)
corenet_all_recvfrom_netlabel(fetchmail_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.7.11/policy/modules/services/fprintd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.7.12/policy/modules/services/fprintd.te
--- nsaserefpolicy/policy/modules/services/fprintd.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/fprintd.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/fprintd.te 2010-03-05 17:18:52.000000000 -0500
@@ -55,4 +55,6 @@
policykit_read_lib(fprintd_t)
policykit_dbus_chat(fprintd_t)
@@ -16527,9 +16151,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fpri
+ policykit_dbus_chat_auth(fprintd_t)
')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-3.7.11/policy/modules/services/ftp.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-3.7.12/policy/modules/services/ftp.fc
--- nsaserefpolicy/policy/modules/services/ftp.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/ftp.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/ftp.fc 2010-03-05 17:18:52.000000000 -0500
@@ -22,7 +22,7 @@
#
# /var
@@ -16539,9 +16163,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
/var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.7.11/policy/modules/services/ftp.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.7.12/policy/modules/services/ftp.if
--- nsaserefpolicy/policy/modules/services/ftp.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/ftp.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/ftp.if 2010-03-05 17:18:52.000000000 -0500
@@ -115,6 +115,44 @@
role $2 types ftpdctl_t;
')
@@ -16587,9 +16211,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
########################################
##
## All of the rules required to administrate
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.7.11/policy/modules/services/ftp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.7.12/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/ftp.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/ftp.te 2010-03-05 17:18:52.000000000 -0500
@@ -41,11 +41,51 @@
##
@@ -16838,9 +16462,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
+ fs_read_nfs_files(sftpd_t)
+ fs_read_nfs_symlinks(ftpd_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.7.11/policy/modules/services/git.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.7.12/policy/modules/services/git.fc
--- nsaserefpolicy/policy/modules/services/git.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/git.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/git.fc 2010-03-05 17:18:52.000000000 -0500
@@ -1,3 +1,16 @@
-/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0)
-/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
@@ -16861,9 +16485,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+
+/var/lib/git(/.*)? gen_context(system_u:object_r:git_system_content_t, s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.7.11/policy/modules/services/git.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.7.12/policy/modules/services/git.if
--- nsaserefpolicy/policy/modules/services/git.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/git.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/git.if 2010-03-05 17:18:52.000000000 -0500
@@ -1 +1,535 @@
-## GIT revision control system
+## Git - Fast Version Control System.
@@ -17401,9 +17025,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+ userdom_search_user_home_dirs($1)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.7.11/policy/modules/services/git.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.7.12/policy/modules/services/git.te
--- nsaserefpolicy/policy/modules/services/git.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/git.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/git.te 2010-03-05 17:18:52.000000000 -0500
@@ -1,9 +1,182 @@
-policy_module(git, 1.0)
@@ -17590,9 +17214,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
-apache_content_template(git)
+#git_role_template(git_shell)
+#gen_user(git_shell_u, user, git_shell_r, s0, s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.7.11/policy/modules/services/gpsd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.7.12/policy/modules/services/gpsd.te
--- nsaserefpolicy/policy/modules/services/gpsd.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/gpsd.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/gpsd.te 2010-03-05 17:18:52.000000000 -0500
@@ -25,7 +25,7 @@
# gpsd local policy
#
@@ -17602,9 +17226,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd
allow gpsd_t self:process setsched;
allow gpsd_t self:shm create_shm_perms;
allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.7.11/policy/modules/services/hal.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.7.12/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/hal.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/hal.te 2010-03-05 17:18:52.000000000 -0500
@@ -55,6 +55,9 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@@ -17648,6 +17272,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
files_getattr_all_mountpoints(hald_t)
+@@ -180,7 +186,7 @@
+
+ # hal_probe_serial causes these
+ term_setattr_unallocated_ttys(hald_t)
+-term_dontaudit_use_unallocated_ttys(hald_t)
++term_use_unallocated_ttys(hald_t)
+
+ auth_use_nsswitch(hald_t)
+
@@ -266,6 +272,10 @@
')
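Review bot: Replacing `term_dontaudit_use_unallocated_ttys(hald_t)` with `term_use_unallocated_ttys(hald_t)` turns a silenced denial into a real grant for the whole hald_t domain, and the only rationale given is the existing comment `# hal_probe_serial causes these`. If the access is needed only while probing serial ports, it would be narrower to give it to the probe helper's own domain, should one exist (not visible in this hunk). Otherwise the comment should say that the access is now allowed and why, e.g. `# hal_probe_serial opens unallocated ttys; allowed instead of dontaudit (see <BUG-REFERENCE>)`. The surrounding hald_t policy continues outside the hunk.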
@@ -17708,9 +17341,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
########################################
#
# Local hald dccm policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/howl.te serefpolicy-3.7.11/policy/modules/services/howl.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/howl.te serefpolicy-3.7.12/policy/modules/services/howl.te
--- nsaserefpolicy/policy/modules/services/howl.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/howl.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/howl.te 2010-03-05 17:18:52.000000000 -0500
@@ -30,7 +30,7 @@
kernel_read_network_state(howl_t)
@@ -17720,9 +17353,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/howl
kernel_list_proc(howl_t)
kernel_read_proc_symlinks(howl_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.fc serefpolicy-3.7.11/policy/modules/services/icecast.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.fc serefpolicy-3.7.12/policy/modules/services/icecast.fc
--- nsaserefpolicy/policy/modules/services/icecast.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/icecast.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/icecast.fc 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/icecast -- gen_context(system_u:object_r:icecast_initrc_exec_t,s0)
+
@@ -17731,9 +17364,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icec
+/var/log/icecast(/.*)? gen_context(system_u:object_r:icecast_log_t,s0)
+
+/var/run/icecast(/.*)? gen_context(system_u:object_r:icecast_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.if serefpolicy-3.7.11/policy/modules/services/icecast.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.if serefpolicy-3.7.12/policy/modules/services/icecast.if
--- nsaserefpolicy/policy/modules/services/icecast.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/icecast.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/icecast.if 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,199 @@
+
+## ShoutCast compatible streaming media server
@@ -17934,9 +17567,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icec
+ icecast_manage_log($1)
+
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.te serefpolicy-3.7.11/policy/modules/services/icecast.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.te serefpolicy-3.7.12/policy/modules/services/icecast.te
--- nsaserefpolicy/policy/modules/services/icecast.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/icecast.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/icecast.te 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,59 @@
+policy_module(icecast,1.0.0)
+
@@ -17997,9 +17630,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icec
+optional_policy(`
+ rtkit_daemon_system_domain(icecast_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.7.11/policy/modules/services/inn.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.7.12/policy/modules/services/inn.te
--- nsaserefpolicy/policy/modules/services/inn.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/inn.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/inn.te 2010-03-05 17:18:52.000000000 -0500
@@ -106,6 +106,7 @@
userdom_dontaudit_use_unpriv_user_fds(innd_t)
@@ -18008,9 +17641,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.
mta_send_mail(innd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.11/policy/modules/services/kerberos.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.12/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/kerberos.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/kerberos.if 2010-03-05 17:18:52.000000000 -0500
@@ -74,7 +74,7 @@
')
@@ -18031,9 +17664,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
tunable_policy(`allow_kerberos',`
allow $1 self:tcp_socket create_socket_perms;
allow $1 self:udp_socket create_socket_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.7.11/policy/modules/services/kerberos.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.7.12/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/kerberos.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/kerberos.te 2010-03-05 17:18:52.000000000 -0500
@@ -112,6 +112,7 @@
kernel_read_kernel_sysctls(kadmind_t)
@@ -18051,18 +17684,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
allow kpropd_t krb5_keytab_t:file read_file_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.7.11/policy/modules/services/ksmtuned.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.7.12/policy/modules/services/ksmtuned.fc
--- nsaserefpolicy/policy/modules/services/ksmtuned.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/ksmtuned.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/ksmtuned.fc 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,5 @@
+/etc/rc\.d/init\.d/ksmtuned -- gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0)
+
+/usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0)
+
+/var/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.if serefpolicy-3.7.11/policy/modules/services/ksmtuned.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.if serefpolicy-3.7.12/policy/modules/services/ksmtuned.if
--- nsaserefpolicy/policy/modules/services/ksmtuned.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/ksmtuned.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/ksmtuned.if 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,76 @@
+
+## policy for Kernel Samepage Merging (KSM) Tuning Daemon
@@ -18140,9 +17773,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt
+ allow $2 system_r;
+
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.7.11/policy/modules/services/ksmtuned.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.7.12/policy/modules/services/ksmtuned.te
--- nsaserefpolicy/policy/modules/services/ksmtuned.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/ksmtuned.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/ksmtuned.te 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,44 @@
+policy_module(ksmtuned,1.0.0)
+
@@ -18188,9 +17821,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt
+files_read_etc_files(ksmtuned_t)
+
+miscfiles_read_localization(ksmtuned_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.7.11/policy/modules/services/ldap.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.7.12/policy/modules/services/ldap.fc
--- nsaserefpolicy/policy/modules/services/ldap.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/ldap.fc 2010-03-04 13:06:45.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/ldap.fc 2010-03-05 17:18:52.000000000 -0500
@@ -1,5 +1,7 @@
/etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
@@ -18204,9 +17837,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap
/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+#/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.7.11/policy/modules/services/ldap.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.7.12/policy/modules/services/ldap.if
--- nsaserefpolicy/policy/modules/services/ldap.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/ldap.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/ldap.if 2010-03-05 17:18:52.000000000 -0500
@@ -1,5 +1,43 @@
## OpenLDAP directory server
@@ -18251,9 +17884,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap
########################################
##
## Read the contents of the OpenLDAP
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.7.11/policy/modules/services/ldap.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.7.12/policy/modules/services/ldap.te
--- nsaserefpolicy/policy/modules/services/ldap.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/ldap.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/ldap.te 2010-03-05 17:18:52.000000000 -0500
@@ -28,9 +28,15 @@
type slapd_replog_t;
files_type(slapd_replog_t)
@@ -18288,9 +17921,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap
manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
manage_sock_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
files_pid_filetrans(slapd_t, slapd_var_run_t, { file sock_file })
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.7.11/policy/modules/services/lircd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.7.12/policy/modules/services/lircd.te
--- nsaserefpolicy/policy/modules/services/lircd.te 2010-01-11 09:40:36.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/lircd.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/lircd.te 2010-03-05 17:18:52.000000000 -0500
@@ -24,8 +24,11 @@
# lircd local policy
#
@@ -18339,9 +17972,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc
+
+sysnet_dns_name_resolve(lircd_t)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.7.11/policy/modules/services/mailman.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.7.12/policy/modules/services/mailman.fc
--- nsaserefpolicy/policy/modules/services/mailman.fc 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/mailman.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/mailman.fc 2010-03-05 17:18:52.000000000 -0500
@@ -1,4 +1,4 @@
-/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib(64)?/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
@@ -18363,9 +17996,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
/var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.7.11/policy/modules/services/memcached.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.7.12/policy/modules/services/memcached.te
--- nsaserefpolicy/policy/modules/services/memcached.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/memcached.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/memcached.te 2010-03-05 17:18:52.000000000 -0500
@@ -22,9 +22,12 @@
#
@@ -18396,9 +18029,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memc
+term_dontaudit_use_all_ptys(memcached_t)
+term_dontaudit_use_all_ttys(memcached_t)
+term_dontaudit_use_console(memcached_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.7.11/policy/modules/services/modemmanager.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.7.12/policy/modules/services/modemmanager.te
--- nsaserefpolicy/policy/modules/services/modemmanager.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/modemmanager.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/modemmanager.te 2010-03-05 17:18:52.000000000 -0500
@@ -16,8 +16,8 @@
#
# ModemManager local policy
@@ -18418,9 +18051,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mode
term_use_unallocated_ttys(modemmanager_t)
miscfiles_read_localization(modemmanager_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.7.11/policy/modules/services/mta.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.7.12/policy/modules/services/mta.fc
--- nsaserefpolicy/policy/modules/services/mta.fc 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/mta.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/mta.fc 2010-03-05 17:18:52.000000000 -0500
@@ -13,6 +13,8 @@
/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
@@ -18430,9 +18063,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
/usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.7.11/policy/modules/services/mta.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.7.12/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/mta.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/mta.if 2010-03-05 17:18:52.000000000 -0500
@@ -220,6 +220,25 @@
application_executable_file($1)
')
@@ -18548,9 +18181,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
## Read the mail queue.
##
##
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.11/policy/modules/services/mta.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.12/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/mta.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/mta.te 2010-03-05 17:18:52.000000000 -0500
@@ -63,6 +63,9 @@
can_exec(system_mail_t, mta_exec_type)
@@ -18624,9 +18257,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t)
read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.7.11/policy/modules/services/munin.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.7.12/policy/modules/services/munin.fc
--- nsaserefpolicy/policy/modules/services/munin.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/munin.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/munin.fc 2010-03-05 17:18:52.000000000 -0500
@@ -9,3 +9,6 @@
/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
@@ -18634,9 +18267,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
+/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
+/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.11/policy/modules/services/munin.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.12/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/munin.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/munin.te 2010-03-06 10:17:33.000000000 -0500
@@ -33,7 +33,7 @@
# Local policy
#
@@ -18656,7 +18289,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
# Allow access to the munin databases
manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
-@@ -131,8 +132,13 @@
+@@ -103,6 +104,8 @@
+
+ auth_use_nsswitch(munin_t)
+
++init_read_utmp(munin_t)
++
+ logging_send_syslog_msg(munin_t)
+ logging_read_all_logs(munin_t)
+
+@@ -131,8 +134,13 @@
')
optional_policy(`
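Review bot: The new `init_read_utmp(munin_t)` rule, added to munin.te under the inner `@@ -103,6 +104,8 @@` header, carries no comment saying which munin component needs to read utmp. It is granted to the main daemon domain, which the same context lines show already has `logging_read_all_logs(munin_t)`. Elsewhere in this patch the same interface goes to a plugin-specific domain (`init_read_utmp(nagios_system_plugin_t)` in nagios.te), so the nagios policy keeps this access narrower. I would add a one-line rationale above the rule, for example `# PLACEHOLDER: name the munin plugin that reads utmp`, taken from the denial that prompted the change, so a later audit can tell whether the grant is still needed. The munin.te policy around this rule continues outside the hunk.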
@@ -18670,7 +18312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
mta_read_queue(munin_t)
')
-@@ -147,6 +153,7 @@
+@@ -147,6 +155,7 @@
optional_policy(`
postfix_list_spool(munin_t)
@@ -18678,9 +18320,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.7.11/policy/modules/services/mysql.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.7.12/policy/modules/services/mysql.if
--- nsaserefpolicy/policy/modules/services/mysql.if 2010-03-01 15:12:54.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/mysql.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/mysql.if 2010-03-05 17:18:52.000000000 -0500
@@ -1,5 +1,43 @@
## Policy for MySQL
@@ -18725,9 +18367,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
########################################
##
## Send a generic signal to MySQL.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.11/policy/modules/services/mysql.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.12/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2010-03-01 15:12:54.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/mysql.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/mysql.te 2010-03-05 17:18:52.000000000 -0500
@@ -1,6 +1,13 @@
policy_module(mysql, 1.11.2)
@@ -18800,9 +18442,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
mysql_read_config(mysqld_safe_t)
mysql_search_pid_files(mysqld_safe_t)
mysql_write_log(mysqld_safe_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.7.11/policy/modules/services/nagios.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.7.12/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/nagios.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/nagios.fc 2010-03-05 17:18:52.000000000 -0500
@@ -1,16 +1,89 @@
/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
@@ -18898,9 +18540,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
+
+# unconfined plugins
+/usr/lib(64)?/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.7.11/policy/modules/services/nagios.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.7.12/policy/modules/services/nagios.if
--- nsaserefpolicy/policy/modules/services/nagios.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/nagios.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/nagios.if 2010-03-05 17:18:52.000000000 -0500
@@ -64,8 +64,8 @@
########################################
@@ -19064,9 +18706,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
+
+ admin_pattern($1, nrpe_etc_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.11/policy/modules/services/nagios.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.12/policy/modules/services/nagios.te
--- nsaserefpolicy/policy/modules/services/nagios.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/nagios.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/nagios.te 2010-03-05 17:18:52.000000000 -0500
@@ -6,17 +6,23 @@
# Declarations
#
@@ -19451,9 +19093,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
+optional_policy(`
+ init_read_utmp(nagios_system_plugin_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.7.11/policy/modules/services/networkmanager.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.7.12/policy/modules/services/networkmanager.fc
--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/networkmanager.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/networkmanager.fc 2010-03-05 17:18:52.000000000 -0500
@@ -1,12 +1,32 @@
+/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t, s0)
+/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
@@ -19487,9 +19129,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.7.11/policy/modules/services/networkmanager.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.7.12/policy/modules/services/networkmanager.if
--- nsaserefpolicy/policy/modules/services/networkmanager.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/networkmanager.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/networkmanager.if 2010-03-05 17:18:52.000000000 -0500
@@ -118,6 +118,24 @@
########################################
@@ -19566,9 +19208,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
+ role $2 types NetworkManager_t;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.11/policy/modules/services/networkmanager.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.12/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/networkmanager.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/networkmanager.te 2010-03-05 17:18:52.000000000 -0500
@@ -19,6 +19,9 @@
type NetworkManager_tmp_t;
files_tmp_file(NetworkManager_tmp_t)
@@ -19812,9 +19454,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.7.11/policy/modules/services/nis.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.7.12/policy/modules/services/nis.fc
--- nsaserefpolicy/policy/modules/services/nis.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/nis.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/nis.fc 2010-03-05 17:18:52.000000000 -0500
@@ -1,4 +1,7 @@
-
+/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0)
@@ -19833,9 +19475,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
+/var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0)
+/var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0)
+/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.7.11/policy/modules/services/nis.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.7.12/policy/modules/services/nis.if
--- nsaserefpolicy/policy/modules/services/nis.if 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/nis.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/nis.if 2010-03-05 17:18:52.000000000 -0500
@@ -28,7 +28,7 @@
type var_yp_t;
')
@@ -19953,9 +19595,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
+ nis_domtrans_ypbind($1)
+ role $2 types ypbind_t;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.7.11/policy/modules/services/nis.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.7.12/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/nis.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/nis.te 2010-03-05 17:18:52.000000000 -0500
@@ -13,6 +13,9 @@
type ypbind_exec_t;
init_daemon_domain(ypbind_t, ypbind_exec_t)
@@ -20027,9 +19669,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
corenet_tcp_bind_all_rpc_ports(ypxfr_t)
corenet_udp_bind_all_rpc_ports(ypxfr_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.7.11/policy/modules/services/nscd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.7.12/policy/modules/services/nscd.if
--- nsaserefpolicy/policy/modules/services/nscd.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/nscd.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/nscd.if 2010-03-05 17:18:52.000000000 -0500
@@ -121,6 +121,24 @@
########################################
@@ -20064,9 +19706,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.7.11/policy/modules/services/nscd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.7.12/policy/modules/services/nscd.te
--- nsaserefpolicy/policy/modules/services/nscd.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/nscd.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/nscd.te 2010-03-05 17:18:52.000000000 -0500
@@ -1,10 +1,17 @@
-policy_module(nscd, 1.10.0)
@@ -20111,9 +19753,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd
+optional_policy(`
+ unconfined_dontaudit_rw_packet_sockets(nscd_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.fc serefpolicy-3.7.11/policy/modules/services/ntop.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.fc serefpolicy-3.7.12/policy/modules/services/ntop.fc
--- nsaserefpolicy/policy/modules/services/ntop.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/ntop.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/ntop.fc 2010-03-05 17:18:52.000000000 -0500
@@ -1,7 +1,6 @@
/etc/ntop(/.*)? gen_context(system_u:object_r:ntop_etc_t,s0)
@@ -20122,9 +19764,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop
/var/lib/ntop(/.*)? gen_context(system_u:object_r:ntop_var_lib_t,s0)
/var/run/ntop\.pid -- gen_context(system_u:object_r:ntop_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.te serefpolicy-3.7.11/policy/modules/services/ntop.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.te serefpolicy-3.7.12/policy/modules/services/ntop.te
--- nsaserefpolicy/policy/modules/services/ntop.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/ntop.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/ntop.te 2010-03-05 17:18:52.000000000 -0500
@@ -11,12 +11,12 @@
init_daemon_domain(ntop_t, ntop_exec_t)
application_domain(ntop_t, ntop_exec_t)
@@ -20215,9 +19857,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop
seutil_sigchld_newrole(ntop_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.7.11/policy/modules/services/ntp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.7.12/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/ntp.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/ntp.te 2010-03-05 17:18:52.000000000 -0500
@@ -100,6 +100,8 @@
fs_getattr_all_fs(ntpd_t)
@@ -20227,9 +19869,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
term_use_ptmx(ntpd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.7.11/policy/modules/services/nut.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.7.12/policy/modules/services/nut.te
--- nsaserefpolicy/policy/modules/services/nut.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/nut.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/nut.te 2010-03-05 17:18:52.000000000 -0500
@@ -29,7 +29,8 @@
# Local policy for upsd
#
@@ -20272,9 +19914,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.
+
+ sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.7.11/policy/modules/services/nx.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.7.12/policy/modules/services/nx.fc
--- nsaserefpolicy/policy/modules/services/nx.fc 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/nx.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/nx.fc 2010-03-05 17:18:52.000000000 -0500
@@ -1,7 +1,15 @@
/opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
@@ -20293,9 +19935,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.f
+/var/lib/nxserver(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0)
+
/usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.7.11/policy/modules/services/nx.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.7.12/policy/modules/services/nx.if
--- nsaserefpolicy/policy/modules/services/nx.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/nx.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/nx.if 2010-03-05 17:18:52.000000000 -0500
@@ -17,3 +17,70 @@
spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t)
@@ -20367,9 +20009,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.i
+
+ filetrans_pattern($1, nx_server_var_lib_t, $2, $3)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.7.11/policy/modules/services/nx.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.7.12/policy/modules/services/nx.te
--- nsaserefpolicy/policy/modules/services/nx.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/nx.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/nx.te 2010-03-05 17:18:52.000000000 -0500
@@ -25,6 +25,12 @@
type nx_server_var_run_t;
files_pid_file(nx_server_var_run_t)
@@ -20404,9 +20046,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.t
kernel_read_system_state(nx_server_t)
kernel_read_kernel_sysctls(nx_server_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.7.11/policy/modules/services/oddjob.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.7.12/policy/modules/services/oddjob.if
--- nsaserefpolicy/policy/modules/services/oddjob.if 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/oddjob.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/oddjob.if 2010-03-05 17:18:52.000000000 -0500
@@ -44,6 +44,7 @@
')
@@ -20415,9 +20057,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.7.11/policy/modules/services/oddjob.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.7.12/policy/modules/services/oddjob.te
--- nsaserefpolicy/policy/modules/services/oddjob.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/oddjob.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/oddjob.te 2010-03-05 17:18:52.000000000 -0500
@@ -100,8 +100,7 @@
# Add/remove user home directories
@@ -20429,9 +20071,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj
+userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
+userdom_manage_user_home_content(oddjob_mkhomedir_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.7.11/policy/modules/services/openvpn.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.7.12/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/openvpn.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/openvpn.te 2010-03-05 17:18:52.000000000 -0500
@@ -41,7 +41,7 @@
# openvpn local policy
#
@@ -20467,9 +20109,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
sysnet_etc_filetrans_config(openvpn_t)
userdom_use_user_terminals(openvpn_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.if serefpolicy-3.7.11/policy/modules/services/pcscd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.if serefpolicy-3.7.12/policy/modules/services/pcscd.if
--- nsaserefpolicy/policy/modules/services/pcscd.if 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/pcscd.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/pcscd.if 2010-03-05 17:18:52.000000000 -0500
@@ -39,6 +39,44 @@
########################################
@@ -20515,9 +20157,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcsc
## Connect to pcscd over an unix stream socket.
##
##
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.7.11/policy/modules/services/pegasus.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.7.12/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/pegasus.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/pegasus.te 2010-03-05 17:18:52.000000000 -0500
@@ -30,7 +30,7 @@
# Local policy
#
@@ -20589,9 +20231,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega
+ xen_stream_connect(pegasus_t)
+ xen_stream_connect_xenstore(pegasus_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.fc serefpolicy-3.7.11/policy/modules/services/plymouthd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.fc serefpolicy-3.7.12/policy/modules/services/plymouthd.fc
--- nsaserefpolicy/policy/modules/services/plymouthd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/plymouthd.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/plymouthd.fc 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,9 @@
+/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t, s0)
+
@@ -20602,9 +20244,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym
+/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t, s0)
+
+/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t, s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.if serefpolicy-3.7.11/policy/modules/services/plymouthd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.if serefpolicy-3.7.12/policy/modules/services/plymouthd.if
--- nsaserefpolicy/policy/modules/services/plymouthd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/plymouthd.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/plymouthd.if 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,322 @@
+## policy for plymouthd
+
@@ -20928,9 +20570,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym
+
+ allow $1 plymouthd_t:unix_stream_socket connectto;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.te serefpolicy-3.7.11/policy/modules/services/plymouthd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.te serefpolicy-3.7.12/policy/modules/services/plymouthd.te
--- nsaserefpolicy/policy/modules/services/plymouthd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/plymouthd.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/plymouthd.te 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,105 @@
+policy_module(plymouthd, 1.0.0)
+
@@ -21037,9 +20679,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym
+ hal_dontaudit_rw_pipes(plymouth_t)
+')
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.7.11/policy/modules/services/policykit.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.7.12/policy/modules/services/policykit.fc
--- nsaserefpolicy/policy/modules/services/policykit.fc 2009-08-18 11:41:14.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/policykit.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/policykit.fc 2010-03-05 17:18:52.000000000 -0500
@@ -6,10 +6,13 @@
/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
@@ -21055,9 +20697,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.7.11/policy/modules/services/policykit.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.7.12/policy/modules/services/policykit.if
--- nsaserefpolicy/policy/modules/services/policykit.if 2009-08-18 18:39:50.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/policykit.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/policykit.if 2010-03-05 17:18:52.000000000 -0500
@@ -17,12 +17,37 @@
class dbus send_msg;
')
@@ -21154,9 +20796,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
+
+ allow $1 policykit_auth_t:process signal;
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.11/policy/modules/services/policykit.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.12/policy/modules/services/policykit.te
--- nsaserefpolicy/policy/modules/services/policykit.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/policykit.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/policykit.te 2010-03-05 17:18:52.000000000 -0500
@@ -36,11 +36,12 @@
# policykit local policy
#
@@ -21318,9 +20960,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.7.11/policy/modules/services/portreserve.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.7.12/policy/modules/services/portreserve.te
--- nsaserefpolicy/policy/modules/services/portreserve.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/portreserve.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/portreserve.te 2010-03-05 17:18:52.000000000 -0500
@@ -21,6 +21,7 @@
# Portreserve local policy
#
@@ -21338,9 +20980,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port
corenet_all_recvfrom_unlabeled(portreserve_t)
corenet_all_recvfrom_netlabel(portreserve_t)
corenet_tcp_bind_generic_node(portreserve_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.7.11/policy/modules/services/postfix.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.7.12/policy/modules/services/postfix.fc
--- nsaserefpolicy/policy/modules/services/postfix.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/postfix.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/postfix.fc 2010-03-05 17:18:52.000000000 -0500
@@ -29,12 +29,10 @@
/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
@@ -21354,9 +20996,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
/usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
/usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.11/policy/modules/services/postfix.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.12/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/postfix.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/postfix.if 2010-03-05 17:18:52.000000000 -0500
@@ -46,6 +46,7 @@
allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
@@ -21651,9 +21293,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+ role $2 types postfix_postdrop_t;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.11/policy/modules/services/postfix.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.12/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/postfix.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/postfix.te 2010-03-05 17:18:52.000000000 -0500
@@ -6,6 +6,15 @@
# Declarations
#
@@ -22054,9 +21696,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+userdom_manage_user_home_content(postfix_virtual_t)
+userdom_home_filetrans_user_home_dir(postfix_virtual_t)
+userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.7.11/policy/modules/services/postgresql.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.7.12/policy/modules/services/postgresql.fc
--- nsaserefpolicy/policy/modules/services/postgresql.fc 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/postgresql.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/postgresql.fc 2010-03-05 17:18:52.000000000 -0500
@@ -3,6 +3,7 @@
#
/etc/postgresql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0)
@@ -22083,9 +21725,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
/var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
+
+/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.7.11/policy/modules/services/postgresql.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.7.12/policy/modules/services/postgresql.if
--- nsaserefpolicy/policy/modules/services/postgresql.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/postgresql.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/postgresql.if 2010-03-05 17:18:52.000000000 -0500
@@ -125,6 +125,23 @@
typeattribute $1 sepgsql_table_type;
')
@@ -22110,9 +21752,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
##
## Marks as a SE-PostgreSQL system table/column/tuple object type
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.7.11/policy/modules/services/postgresql.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.7.12/policy/modules/services/postgresql.te
--- nsaserefpolicy/policy/modules/services/postgresql.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/postgresql.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/postgresql.te 2010-03-05 17:18:52.000000000 -0500
@@ -150,6 +150,7 @@
dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
allow postgresql_t self:process signal_perms;
@@ -22147,9 +21789,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
miscfiles_read_localization(postgresql_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.7.11/policy/modules/services/ppp.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.7.12/policy/modules/services/ppp.fc
--- nsaserefpolicy/policy/modules/services/ppp.fc 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/ppp.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/ppp.fc 2010-03-05 17:18:52.000000000 -0500
@@ -3,6 +3,7 @@
#
/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
@@ -22158,9 +21800,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0)
/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
/etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.7.11/policy/modules/services/ppp.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.7.12/policy/modules/services/ppp.if
--- nsaserefpolicy/policy/modules/services/ppp.if 2010-01-18 15:04:31.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/ppp.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/ppp.if 2010-03-05 17:18:52.000000000 -0500
@@ -182,6 +182,10 @@
ppp_domtrans($1)
role $2 types pppd_t;
@@ -22172,9 +21814,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.7.11/policy/modules/services/ppp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.7.12/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te 2010-01-18 15:04:31.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/ppp.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/ppp.te 2010-03-05 17:18:52.000000000 -0500
@@ -71,9 +71,9 @@
# PPPD Local policy
#
@@ -22212,9 +21854,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
optional_policy(`
consoletype_exec(pppd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.7.11/policy/modules/services/prelude.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.7.12/policy/modules/services/prelude.te
--- nsaserefpolicy/policy/modules/services/prelude.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/prelude.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/prelude.te 2010-03-05 17:18:52.000000000 -0500
@@ -90,6 +90,7 @@
corenet_tcp_bind_prelude_port(prelude_t)
corenet_tcp_connect_prelude_port(prelude_t)
@@ -22232,9 +21874,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
fs_rw_anon_inodefs_files(prelude_lml_t)
auth_use_nsswitch(prelude_lml_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.7.11/policy/modules/services/procmail.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.7.12/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/procmail.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/procmail.te 2010-03-05 17:18:52.000000000 -0500
@@ -22,7 +22,7 @@
# Local policy
#
@@ -22282,9 +21924,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.7.11/policy/modules/services/pyzor.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.7.12/policy/modules/services/pyzor.fc
--- nsaserefpolicy/policy/modules/services/pyzor.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/pyzor.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/pyzor.fc 2010-03-05 17:18:52.000000000 -0500
@@ -1,6 +1,10 @@
/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
+/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0)
@@ -22296,9 +21938,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.7.11/policy/modules/services/pyzor.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.7.12/policy/modules/services/pyzor.if
--- nsaserefpolicy/policy/modules/services/pyzor.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/pyzor.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/pyzor.if 2010-03-05 17:18:52.000000000 -0500
@@ -88,3 +88,50 @@
corecmd_search_bin($1)
can_exec($1, pyzor_exec_t)
@@ -22350,9 +21992,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
+')
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.7.11/policy/modules/services/pyzor.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.7.12/policy/modules/services/pyzor.te
--- nsaserefpolicy/policy/modules/services/pyzor.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/pyzor.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/pyzor.te 2010-03-05 17:18:52.000000000 -0500
@@ -6,6 +6,38 @@
# Declarations
#
@@ -22417,9 +22059,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
userdom_dontaudit_search_user_home_dirs(pyzor_t)
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.7.11/policy/modules/services/radvd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.7.12/policy/modules/services/radvd.te
--- nsaserefpolicy/policy/modules/services/radvd.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/radvd.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/radvd.te 2010-03-05 17:18:52.000000000 -0500
@@ -22,9 +22,9 @@
#
# Local policy
@@ -22455,17 +22097,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radv
seutil_sigchld_newrole(radvd_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.7.11/policy/modules/services/razor.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.7.12/policy/modules/services/razor.fc
--- nsaserefpolicy/policy/modules/services/razor.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/razor.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/razor.fc 2010-03-05 17:18:52.000000000 -0500
@@ -1,3 +1,4 @@
+/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.7.11/policy/modules/services/razor.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.7.12/policy/modules/services/razor.if
--- nsaserefpolicy/policy/modules/services/razor.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/razor.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/razor.if 2010-03-05 17:18:52.000000000 -0500
@@ -157,3 +157,45 @@
domtrans_pattern($1, razor_exec_t, razor_t)
@@ -22512,9 +22154,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
+ read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.7.11/policy/modules/services/razor.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.7.12/policy/modules/services/razor.te
--- nsaserefpolicy/policy/modules/services/razor.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/razor.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/razor.te 2010-03-05 17:18:52.000000000 -0500
@@ -6,6 +6,32 @@
# Declarations
#
@@ -22566,9 +22208,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
+')
+
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdisc.if serefpolicy-3.7.11/policy/modules/services/rdisc.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdisc.if serefpolicy-3.7.12/policy/modules/services/rdisc.if
--- nsaserefpolicy/policy/modules/services/rdisc.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/rdisc.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/rdisc.if 2010-03-05 17:18:52.000000000 -0500
@@ -1 +1,20 @@
## Network router discovery daemon
+
@@ -22590,9 +22232,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdis
+ corecmd_search_bin($1)
+ can_exec($1,rdisc_exec_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.7.11/policy/modules/services/rgmanager.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.7.12/policy/modules/services/rgmanager.fc
--- nsaserefpolicy/policy/modules/services/rgmanager.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/rgmanager.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/rgmanager.fc 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,8 @@
+
+/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
@@ -22602,9 +22244,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
+/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+
+/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.7.11/policy/modules/services/rgmanager.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.7.12/policy/modules/services/rgmanager.if
--- nsaserefpolicy/policy/modules/services/rgmanager.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/rgmanager.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/rgmanager.if 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,98 @@
+## SELinux policy for rgmanager
+
@@ -22704,9 +22346,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
+ manage_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t)
+ manage_lnk_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.11/policy/modules/services/rgmanager.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.12/policy/modules/services/rgmanager.te
--- nsaserefpolicy/policy/modules/services/rgmanager.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/rgmanager.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/rgmanager.te 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,223 @@
+
+policy_module(rgmanager,1.0.0)
@@ -22931,9 +22573,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
+optional_policy(`
+ xen_domtrans_xm(rgmanager_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.7.11/policy/modules/services/rhcs.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.7.12/policy/modules/services/rhcs.fc
--- nsaserefpolicy/policy/modules/services/rhcs.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/rhcs.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/rhcs.fc 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,23 @@
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
@@ -22958,9 +22600,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
+/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.7.11/policy/modules/services/rhcs.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.7.12/policy/modules/services/rhcs.if
--- nsaserefpolicy/policy/modules/services/rhcs.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/rhcs.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/rhcs.if 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,424 @@
+## SELinux policy for RHCS - Red Hat Cluster Suite
+
@@ -23386,9 +23028,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+')
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.11/policy/modules/services/rhcs.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.12/policy/modules/services/rhcs.te
--- nsaserefpolicy/policy/modules/services/rhcs.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/rhcs.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/rhcs.te 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,248 @@
+
+policy_module(rhcs,1.1.0)
@@ -23638,9 +23280,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+optional_policy(`
+ corosync_stream_connect(cluster_domain)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.7.11/policy/modules/services/ricci.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.7.12/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/ricci.te 2010-03-04 09:03:39.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/ricci.te 2010-03-05 17:18:52.000000000 -0500
@@ -194,10 +194,13 @@
# ricci_modcluster local policy
#
@@ -23725,11 +23367,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
unconfined_use_fds(ricci_modclusterd_t)
')
-@@ -440,6 +462,11 @@
+@@ -440,6 +462,12 @@
files_read_usr_files(ricci_modstorage_t)
files_read_kernel_modules(ricci_modstorage_t)
+files_create_default_dir(ricci_modstorage_t)
++files_root_filetrans_default(ricci_modstorage_t, dir)
+files_mounton_default(ricci_modstorage_t)
+files_manage_default_dirs(ricci_modstorage_t)
+files_manage_default_files(ricci_modstorage_t)
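Review bot: The added `files_root_filetrans_default(ricci_modstorage_t, dir)` joins four other default_t grants for ricci_modstorage_t (create dir, mounton, manage dirs, manage files), and nothing in the block says why the domain needs them. Going by the interface names, the domain can now create directories under / that come out labeled default_t and can fully manage any default_t file, which is broad for a domain that the neighbouring lines also give `storage_raw_read_fixed_disk` and `mount_domtrans`. If the purpose is creating mount points, state it in the policy, e.g. `# ricci_modstorage creates mount points in / before mounting new filesystems`, and check whether `files_manage_default_files` is needed at all or whether directory-only access is enough. The enclosing ricci_modstorage section of ricci.te starts and ends outside this hunk, so a rationale may exist where it is not visible here.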
@@ -23737,7 +23380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
storage_raw_read_fixed_disk(ricci_modstorage_t)
term_dontaudit_use_console(ricci_modstorage_t)
-@@ -457,6 +484,11 @@
+@@ -457,6 +485,11 @@
mount_domtrans(ricci_modstorage_t)
optional_policy(`
@@ -23749,9 +23392,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
ccs_stream_connect(ricci_modstorage_t)
ccs_read_config(ricci_modstorage_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.fc serefpolicy-3.7.11/policy/modules/services/rpc.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.fc serefpolicy-3.7.12/policy/modules/services/rpc.fc
--- nsaserefpolicy/policy/modules/services/rpc.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/rpc.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/rpc.fc 2010-03-05 17:18:52.000000000 -0500
@@ -1,6 +1,10 @@
#
# /etc
@@ -23763,9 +23406,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
/etc/exports -- gen_context(system_u:object_r:exports_t,s0)
#
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.7.11/policy/modules/services/rpc.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.7.12/policy/modules/services/rpc.if
--- nsaserefpolicy/policy/modules/services/rpc.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/rpc.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/rpc.if 2010-03-05 17:18:52.000000000 -0500
@@ -54,7 +54,7 @@
allow $1_t self:unix_dgram_socket create_socket_perms;
allow $1_t self:unix_stream_socket create_stream_socket_perms;
@@ -23859,9 +23502,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+ allow $1 var_lib_nfs_t:file { relabelfrom relabelto };
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.7.11/policy/modules/services/rpc.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.7.12/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/rpc.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/rpc.te 2010-03-05 17:18:52.000000000 -0500
@@ -8,7 +8,7 @@
##
@@ -23996,9 +23639,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.if serefpolicy-3.7.11/policy/modules/services/rsync.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.if serefpolicy-3.7.12/policy/modules/services/rsync.if
--- nsaserefpolicy/policy/modules/services/rsync.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/rsync.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/rsync.if 2010-03-05 17:18:52.000000000 -0500
@@ -119,7 +119,7 @@
type rsync_etc_t;
')
@@ -24016,9 +23659,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
+ write_files_pattern($1, rsync_etc_t, rsync_etc_t)
files_search_etc($1)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.7.11/policy/modules/services/rsync.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.7.12/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/rsync.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/rsync.te 2010-03-05 17:18:52.000000000 -0500
@@ -8,6 +8,13 @@
##
@@ -24070,9 +23713,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
+')
+
auth_can_read_shadow_passwords(rsync_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.7.11/policy/modules/services/rtkit.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.7.12/policy/modules/services/rtkit.if
--- nsaserefpolicy/policy/modules/services/rtkit.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/rtkit.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/rtkit.if 2010-03-05 17:18:52.000000000 -0500
@@ -38,3 +38,23 @@
allow $1 rtkit_daemon_t:dbus send_msg;
allow rtkit_daemon_t $1:dbus send_msg;
@@ -24097,9 +23740,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtki
+ allow rtkit_daemon_t $1:process { getsched setsched };
+ rtkit_daemon_dbus_chat($1)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.7.11/policy/modules/services/rtkit.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.7.12/policy/modules/services/rtkit.te
--- nsaserefpolicy/policy/modules/services/rtkit.te 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/rtkit.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/rtkit.te 2010-03-05 17:18:52.000000000 -0500
@@ -17,9 +17,11 @@
allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace };
@@ -24121,9 +23764,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtki
optional_policy(`
policykit_dbus_chat(rtkit_daemon_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.7.11/policy/modules/services/samba.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.7.12/policy/modules/services/samba.fc
--- nsaserefpolicy/policy/modules/services/samba.fc 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/samba.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/samba.fc 2010-03-05 17:18:52.000000000 -0500
@@ -51,3 +51,7 @@
/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
@@ -24132,9 +23775,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+ifndef(`enable_mls',`
+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.7.11/policy/modules/services/samba.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.7.12/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/samba.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/samba.if 2010-03-05 17:18:52.000000000 -0500
@@ -62,6 +62,25 @@
########################################
@@ -24348,9 +23991,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
admin_pattern($1, winbind_var_run_t)
+ admin_pattern($1, samba_unconfined_script_exec_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.11/policy/modules/services/samba.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.12/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/samba.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/samba.te 2010-03-05 17:18:52.000000000 -0500
@@ -66,6 +66,13 @@
##
gen_tunable(samba_share_nfs, false)
@@ -24670,9 +24313,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+',`
+ can_exec(smbd_t, samba_unconfined_script_exec_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.7.11/policy/modules/services/sasl.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.7.12/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/sasl.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/sasl.te 2010-03-05 17:18:52.000000000 -0500
@@ -31,7 +31,7 @@
# Local policy
#
@@ -24735,9 +24378,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl
seutil_sigchld_newrole(saslauthd_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.11/policy/modules/services/sendmail.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.12/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if 2010-01-11 09:40:36.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/sendmail.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/sendmail.if 2010-03-05 17:18:52.000000000 -0500
@@ -277,3 +277,22 @@
sendmail_domtrans_unconfined($1)
role $2 types unconfined_sendmail_t;
@@ -24761,9 +24404,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
+ domtrans_pattern($1, sendmail_exec_t, unconfined_sendmail_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.11/policy/modules/services/sendmail.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.12/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2010-01-11 09:40:36.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/sendmail.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/sendmail.te 2010-03-05 17:18:52.000000000 -0500
@@ -30,7 +30,7 @@
#
@@ -24842,18 +24485,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
+ unconfined_domain_noaudit(unconfined_sendmail_t)
')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.7.11/policy/modules/services/setroubleshoot.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.7.12/policy/modules/services/setroubleshoot.fc
--- nsaserefpolicy/policy/modules/services/setroubleshoot.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/setroubleshoot.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/setroubleshoot.fc 2010-03-05 17:18:52.000000000 -0500
@@ -5,3 +5,5 @@
/var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0)
/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0)
+
+/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.7.11/policy/modules/services/setroubleshoot.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.7.12/policy/modules/services/setroubleshoot.if
--- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/setroubleshoot.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/setroubleshoot.if 2010-03-05 17:18:52.000000000 -0500
@@ -16,8 +16,8 @@
')
@@ -24991,9 +24634,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
+ files_list_pids($1)
+ admin_pattern($1, setroubleshoot_var_run_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.7.11/policy/modules/services/setroubleshoot.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.7.12/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/setroubleshoot.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/setroubleshoot.te 2010-03-05 17:18:52.000000000 -0500
@@ -22,13 +22,19 @@
type setroubleshoot_var_run_t;
files_pid_file(setroubleshoot_var_run_t)
@@ -25139,9 +24782,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
+ policykit_dbus_chat(setroubleshoot_fixit_t)
+ userdom_read_all_users_state(setroubleshoot_fixit_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.fc serefpolicy-3.7.11/policy/modules/services/smokeping.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.fc serefpolicy-3.7.12/policy/modules/services/smokeping.fc
--- nsaserefpolicy/policy/modules/services/smokeping.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/smokeping.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/smokeping.fc 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,12 @@
+
+/etc/rc\.d/init\.d/smokeping -- gen_context(system_u:object_r:smokeping_initrc_exec_t,s0)
@@ -25155,9 +24798,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smok
+/var/run/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_run_t,s0)
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.if serefpolicy-3.7.11/policy/modules/services/smokeping.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.if serefpolicy-3.7.12/policy/modules/services/smokeping.if
--- nsaserefpolicy/policy/modules/services/smokeping.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/smokeping.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/smokeping.if 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,193 @@
+
+## policy for smokeping
@@ -25352,9 +24995,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smok
+ smokeping_manage_var_lib($1)
+
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.te serefpolicy-3.7.11/policy/modules/services/smokeping.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.te serefpolicy-3.7.12/policy/modules/services/smokeping.te
--- nsaserefpolicy/policy/modules/services/smokeping.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/smokeping.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/smokeping.te 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,81 @@
+
+policy_module(smokeping,1.0.0)
@@ -25437,9 +25080,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smok
+
+ sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.7.11/policy/modules/services/snmp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.7.12/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/snmp.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/snmp.te 2010-03-05 17:18:52.000000000 -0500
@@ -25,7 +25,7 @@
#
# Local policy
@@ -25449,9 +25092,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp
dontaudit snmpd_t self:capability { sys_module sys_tty_config };
allow snmpd_t self:process { signal_perms getsched setsched };
allow snmpd_t self:fifo_file rw_fifo_file_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.7.11/policy/modules/services/snort.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.7.12/policy/modules/services/snort.te
--- nsaserefpolicy/policy/modules/services/snort.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/snort.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/snort.te 2010-03-05 17:18:52.000000000 -0500
@@ -37,6 +37,7 @@
allow snort_t self:tcp_socket create_stream_socket_perms;
allow snort_t self:udp_socket create_socket_perms;
@@ -25485,9 +25128,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snor
domain_use_interactive_fds(snort_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.7.11/policy/modules/services/spamassassin.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.7.12/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/spamassassin.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/spamassassin.fc 2010-03-05 17:18:52.000000000 -0500
@@ -1,15 +1,26 @@
-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
@@ -25517,9 +25160,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.7.11/policy/modules/services/spamassassin.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.7.12/policy/modules/services/spamassassin.if
--- nsaserefpolicy/policy/modules/services/spamassassin.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/spamassassin.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/spamassassin.if 2010-03-05 17:18:52.000000000 -0500
@@ -111,6 +111,45 @@
')
@@ -25646,9 +25289,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
+ files_list_pids($1)
+ admin_pattern($1, spamd_var_run_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.7.11/policy/modules/services/spamassassin.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.7.12/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/spamassassin.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/spamassassin.te 2010-03-05 17:18:52.000000000 -0500
@@ -20,6 +20,35 @@
##
gen_tunable(spamd_enable_home_dirs, true)
@@ -25954,9 +25597,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
+optional_policy(`
udev_read_db(spamd_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.7.11/policy/modules/services/squid.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.7.12/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/squid.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/squid.te 2010-03-05 17:18:52.000000000 -0500
@@ -67,7 +67,9 @@
can_exec(squid_t, squid_exec_t)
@@ -25985,18 +25628,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
-#squid requires the following when run in diskd mode, the recommended setting
-allow squid_t tmpfs_t:file { read write };
-') dnl end TODO
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.7.11/policy/modules/services/ssh.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.7.12/policy/modules/services/ssh.fc
--- nsaserefpolicy/policy/modules/services/ssh.fc 2010-01-18 15:04:31.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/ssh.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/ssh.fc 2010-03-05 17:18:52.000000000 -0500
@@ -14,3 +14,5 @@
/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
+
+/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.11/policy/modules/services/ssh.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.12/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/ssh.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/ssh.if 2010-03-05 17:18:52.000000000 -0500
@@ -36,6 +36,7 @@
gen_require(`
attribute ssh_server;
@@ -26164,9 +25807,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
#######################################
##
## Delete from the ssh temp files.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.11/policy/modules/services/ssh.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.12/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/ssh.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/ssh.te 2010-03-05 17:18:52.000000000 -0500
@@ -114,6 +114,7 @@
manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
@@ -26299,9 +25942,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
ifdef(`TODO',`
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.7.11/policy/modules/services/sssd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.7.12/policy/modules/services/sssd.fc
--- nsaserefpolicy/policy/modules/services/sssd.fc 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/sssd.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/sssd.fc 2010-03-05 17:18:52.000000000 -0500
@@ -4,6 +4,8 @@
/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
@@ -26311,9 +25954,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.7.11/policy/modules/services/sssd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.7.12/policy/modules/services/sssd.if
--- nsaserefpolicy/policy/modules/services/sssd.if 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/sssd.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/sssd.if 2010-03-05 17:18:52.000000000 -0500
@@ -38,6 +38,25 @@
########################################
@@ -26392,9 +26035,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
+
+ admin_pattern($1, sssd_public_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.11/policy/modules/services/sssd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.12/policy/modules/services/sssd.te
--- nsaserefpolicy/policy/modules/services/sssd.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/sssd.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/sssd.te 2010-03-05 17:18:52.000000000 -0500
@@ -13,6 +13,9 @@
type sssd_initrc_exec_t;
init_script_file(sssd_initrc_exec_t)
@@ -26449,9 +26092,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
optional_policy(`
dbus_system_bus_client(sssd_t)
dbus_connect_system_bus(sssd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.7.11/policy/modules/services/sysstat.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.7.12/policy/modules/services/sysstat.te
--- nsaserefpolicy/policy/modules/services/sysstat.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/sysstat.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/sysstat.te 2010-03-05 17:18:52.000000000 -0500
@@ -19,14 +19,15 @@
# Local policy
#
@@ -26470,9 +26113,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/syss
logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
# get info from /proc
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.7.11/policy/modules/services/telnet.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.7.12/policy/modules/services/telnet.te
--- nsaserefpolicy/policy/modules/services/telnet.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/telnet.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/telnet.te 2010-03-05 17:18:52.000000000 -0500
@@ -85,6 +85,7 @@
remotelogin_domtrans(telnetd_t)
@@ -26481,9 +26124,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln
optional_policy(`
kerberos_keytab_template(telnetd, telnetd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.7.11/policy/modules/services/tftp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.7.12/policy/modules/services/tftp.te
--- nsaserefpolicy/policy/modules/services/tftp.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/tftp.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/tftp.te 2010-03-05 17:18:52.000000000 -0500
@@ -50,9 +50,8 @@
manage_files_pattern(tftpd_t, tftpd_var_run_t, tftpd_var_run_t)
files_pid_filetrans(tftpd_t, tftpd_var_run_t, file)
@@ -26495,9 +26138,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp
corenet_all_recvfrom_unlabeled(tftpd_t)
corenet_all_recvfrom_netlabel(tftpd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.if serefpolicy-3.7.11/policy/modules/services/tgtd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.if serefpolicy-3.7.12/policy/modules/services/tgtd.if
--- nsaserefpolicy/policy/modules/services/tgtd.if 2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/tgtd.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/tgtd.if 2010-03-05 17:18:52.000000000 -0500
@@ -9,3 +9,20 @@
##
##
@@ -26519,9 +26162,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd
+
+ allow $1 tgtd_t:sem { rw_sem_perms };
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.te serefpolicy-3.7.11/policy/modules/services/tgtd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.te serefpolicy-3.7.12/policy/modules/services/tgtd.te
--- nsaserefpolicy/policy/modules/services/tgtd.te 2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/tgtd.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/tgtd.te 2010-03-05 17:18:52.000000000 -0500
@@ -60,7 +60,7 @@
files_read_etc_files(tgtd_t)
@@ -26531,9 +26174,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd
logging_send_syslog_msg(tgtd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.7.11/policy/modules/services/tor.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.7.12/policy/modules/services/tor.te
--- nsaserefpolicy/policy/modules/services/tor.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/tor.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/tor.te 2010-03-05 17:18:52.000000000 -0500
@@ -6,6 +6,14 @@
# Declarations
#
@@ -26565,9 +26208,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.
+tunable_policy(`tor_bind_all_unreserved_ports', `
+ corenet_tcp_bind_all_unreserved_ports(tor_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.fc serefpolicy-3.7.11/policy/modules/services/tuned.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.fc serefpolicy-3.7.12/policy/modules/services/tuned.fc
--- nsaserefpolicy/policy/modules/services/tuned.fc 2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/tuned.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/tuned.fc 2010-03-05 17:18:52.000000000 -0500
@@ -2,4 +2,7 @@
/usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0)
@@ -26576,9 +26219,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tune
+/var/log/tuned\.log -- gen_context(system_u:object_r:tuned_log_t,s0)
+
/var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.7.11/policy/modules/services/tuned.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.7.12/policy/modules/services/tuned.te
--- nsaserefpolicy/policy/modules/services/tuned.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/tuned.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/tuned.te 2010-03-05 17:18:52.000000000 -0500
@@ -13,6 +13,9 @@
type tuned_initrc_exec_t;
init_script_file(tuned_initrc_exec_t)
@@ -26632,9 +26275,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tune
# to allow network interface tuning
optional_policy(`
sysnet_domtrans_ifconfig(tuned_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.te serefpolicy-3.7.11/policy/modules/services/ucspitcp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.te serefpolicy-3.7.12/policy/modules/services/ucspitcp.te
--- nsaserefpolicy/policy/modules/services/ucspitcp.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/ucspitcp.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/ucspitcp.te 2010-03-05 17:18:52.000000000 -0500
@@ -92,3 +92,8 @@
daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t)
daemontools_read_svc(ucspitcp_t)
@@ -26644,17 +26287,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucsp
+ daemontools_sigchld_run(ucspitcp_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.7.11/policy/modules/services/usbmuxd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.7.12/policy/modules/services/usbmuxd.fc
--- nsaserefpolicy/policy/modules/services/usbmuxd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/usbmuxd.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/usbmuxd.fc 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,4 @@
+
+/usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0)
+
+/var/run/usbmuxd -s gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.if serefpolicy-3.7.11/policy/modules/services/usbmuxd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.if serefpolicy-3.7.12/policy/modules/services/usbmuxd.if
--- nsaserefpolicy/policy/modules/services/usbmuxd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/usbmuxd.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/usbmuxd.if 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,39 @@
+## Daemon for communicating with Apple's iPod Touch and iPhone
+
@@ -26695,9 +26338,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm
+ files_search_pids($1)
+ stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.te serefpolicy-3.7.11/policy/modules/services/usbmuxd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.te serefpolicy-3.7.12/policy/modules/services/usbmuxd.te
--- nsaserefpolicy/policy/modules/services/usbmuxd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/usbmuxd.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/usbmuxd.te 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,48 @@
+policy_module(usbmuxd,1.0.0)
+
@@ -26747,9 +26390,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm
+auth_use_nsswitch(usbmuxd_t)
+
+logging_send_syslog_msg(usbmuxd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.7.11/policy/modules/services/uucp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.7.12/policy/modules/services/uucp.te
--- nsaserefpolicy/policy/modules/services/uucp.te 2010-01-11 09:40:36.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/uucp.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/uucp.te 2010-03-05 17:18:52.000000000 -0500
@@ -90,6 +90,7 @@
fs_getattr_xattr_fs(uucpd_t)
@@ -26767,9 +26410,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp
optional_policy(`
cron_system_entry(uucpd_t, uucpd_exec_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.fc serefpolicy-3.7.11/policy/modules/services/vhostmd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.fc serefpolicy-3.7.12/policy/modules/services/vhostmd.fc
--- nsaserefpolicy/policy/modules/services/vhostmd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/vhostmd.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/vhostmd.fc 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,6 @@
+
+/usr/sbin/vhostmd -- gen_context(system_u:object_r:vhostmd_exec_t,s0)
@@ -26777,9 +26420,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos
+/etc/rc.d/init.d/vhostmd -- gen_context(system_u:object_r:vhostmd_initrc_exec_t,s0)
+/var/run/vhostmd.pid -- gen_context(system_u:object_r:vhostmd_var_run_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.7.11/policy/modules/services/vhostmd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.7.12/policy/modules/services/vhostmd.if
--- nsaserefpolicy/policy/modules/services/vhostmd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/vhostmd.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/vhostmd.if 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,228 @@
+
+## policy for vhostmd
@@ -27009,9 +26652,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos
+ vhostmd_manage_var_run($1)
+
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.7.11/policy/modules/services/vhostmd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.7.12/policy/modules/services/vhostmd.te
--- nsaserefpolicy/policy/modules/services/vhostmd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/vhostmd.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/vhostmd.te 2010-03-05 17:18:52.000000000 -0500
@@ -0,0 +1,84 @@
+
+policy_module(vhostmd,1.0.0)
@@ -27097,9 +26740,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos
+ xen_stream_connect_xenstore(vhostmd_t)
+ xen_stream_connect_xm(vhostmd_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.11/policy/modules/services/virt.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.12/policy/modules/services/virt.fc
--- nsaserefpolicy/policy/modules/services/virt.fc 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/virt.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/virt.fc 2010-03-05 17:18:52.000000000 -0500
@@ -8,6 +8,10 @@
/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
@@ -27111,9 +26754,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.11/policy/modules/services/virt.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.12/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/virt.if 2010-03-04 08:13:56.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/virt.if 2010-03-05 17:18:52.000000000 -0500
@@ -22,6 +22,11 @@
domain_type($1_t)
role system_r types $1_t;
@@ -27187,9 +26830,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+ ptchown_run(svirt_t, $2)
+ ')
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.11/policy/modules/services/virt.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.12/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/virt.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/virt.te 2010-03-05 17:18:52.000000000 -0500
@@ -15,6 +15,13 @@
##
@@ -27380,9 +27023,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
auth_use_nsswitch(virt_domain)
logging_send_syslog_msg(virt_domain)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.7.11/policy/modules/services/w3c.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.7.12/policy/modules/services/w3c.te
--- nsaserefpolicy/policy/modules/services/w3c.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/w3c.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/w3c.te 2010-03-05 17:18:52.000000000 -0500
@@ -8,11 +8,18 @@
apache_content_template(w3c_validator)
@@ -27402,9 +27045,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.
corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.11/policy/modules/services/xserver.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.12/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/xserver.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/xserver.fc 2010-03-05 17:18:52.000000000 -0500
@@ -3,12 +3,21 @@
#
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
@@ -27512,9 +27155,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+/var/lib/pqsql/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.11/policy/modules/services/xserver.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.12/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/xserver.if 2010-03-04 09:34:53.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/xserver.if 2010-03-05 17:18:52.000000000 -0500
@@ -19,7 +19,7 @@
interface(`xserver_restricted_role',`
gen_require(`
@@ -28013,9 +27656,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
+ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.11/policy/modules/services/xserver.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.12/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/services/xserver.te 2010-03-04 10:56:15.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/xserver.te 2010-03-05 17:18:52.000000000 -0500
@@ -36,6 +36,13 @@
##
@@ -28741,7 +28384,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -779,12 +1023,20 @@
+@@ -779,12 +1023,24 @@
')
optional_policy(`
@@ -28759,11 +28402,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+')
+
+optional_policy(`
++ udev_read_db(xserver_t)
++')
++
++optional_policy(`
+ unconfined_domain(xserver_t)
unconfined_domtrans(xserver_t)
')
-@@ -811,7 +1063,7 @@
+@@ -811,7 +1067,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
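Review bot: The added `optional_policy` block granting `udev_read_db(xserver_t)` carries no comment or bug reference saying which denial it resolves, so a later audit of xserver_t cannot tell whether the access is still needed. A one-line comment above the call would record that, e.g. `# xserver_t reads the udev database; see <bug or AVC reference>`. The block sits directly before the existing `unconfined_domain(xserver_t)` block, which presumably already covers this access where the unconfined module is built in, so the comment should say that the rule matters for policies built without it. The enclosing section of xserver.te starts and ends outside this hunk.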
@@ -28772,7 +28419,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -832,9 +1084,14 @@
+@@ -832,9 +1088,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -28787,7 +28434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
-@@ -849,11 +1106,14 @@
+@@ -849,11 +1110,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -28804,7 +28451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -999,3 +1259,33 @@
+@@ -999,3 +1263,33 @@
allow xserver_unconfined_type xextension_type:x_extension *;
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -28838,9 +28485,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+tunable_policy(`use_samba_home_dirs',`
+ fs_append_cifs_files(xdmhomewriter)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.if serefpolicy-3.7.11/policy/modules/services/zebra.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.if serefpolicy-3.7.12/policy/modules/services/zebra.if
--- nsaserefpolicy/policy/modules/services/zebra.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/services/zebra.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/services/zebra.if 2010-03-05 17:18:52.000000000 -0500
@@ -24,6 +24,26 @@
########################################
@@ -28868,9 +28515,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebr
## All of the rules required to administrate
## an zebra environment
##
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.7.11/policy/modules/system/application.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.7.12/policy/modules/system/application.te
--- nsaserefpolicy/policy/modules/system/application.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/application.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/application.te 2010-03-05 17:18:52.000000000 -0500
@@ -7,6 +7,17 @@
# Executables to be run by user
attribute application_exec_type;
@@ -28889,9 +28536,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic
optional_policy(`
ssh_sigchld(application_domain_type)
ssh_rw_stream_sockets(application_domain_type)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.7.11/policy/modules/system/authlogin.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.7.12/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/system/authlogin.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/authlogin.fc 2010-03-05 17:18:52.000000000 -0500
@@ -7,12 +7,10 @@
/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
@@ -28916,9 +28563,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.11/policy/modules/system/authlogin.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.12/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/authlogin.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/authlogin.if 2010-03-05 17:18:52.000000000 -0500
@@ -40,17 +40,76 @@
##
##
@@ -29243,9 +28890,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.7.11/policy/modules/system/authlogin.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.7.12/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2010-03-01 15:12:54.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/authlogin.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/authlogin.te 2010-03-05 17:18:52.000000000 -0500
@@ -103,8 +103,10 @@
fs_dontaudit_getattr_xattr_fs(chkpwd_t)
@@ -29276,9 +28923,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
########################################
#
# PAM local policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.if serefpolicy-3.7.11/policy/modules/system/daemontools.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.if serefpolicy-3.7.12/policy/modules/system/daemontools.if
--- nsaserefpolicy/policy/modules/system/daemontools.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/system/daemontools.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/daemontools.if 2010-03-05 17:18:52.000000000 -0500
@@ -71,6 +71,32 @@
domtrans_pattern($1, svc_start_exec_t, svc_start_t)
')
@@ -29359,9 +29006,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemon
+
+ allow $1 svc_run_t:process sigchld;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.te serefpolicy-3.7.11/policy/modules/system/daemontools.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.te serefpolicy-3.7.12/policy/modules/system/daemontools.te
--- nsaserefpolicy/policy/modules/system/daemontools.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/system/daemontools.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/daemontools.te 2010-03-05 17:18:52.000000000 -0500
@@ -39,7 +39,10 @@
# multilog creates /service/*/log/status
manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t)
@@ -29434,9 +29081,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemon
+
daemontools_domtrans_run(svc_start_t)
daemontools_manage_svc(svc_start_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.7.11/policy/modules/system/fstools.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.7.12/policy/modules/system/fstools.fc
--- nsaserefpolicy/policy/modules/system/fstools.fc 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/fstools.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/fstools.fc 2010-03-05 17:18:52.000000000 -0500
@@ -1,4 +1,3 @@
-/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -29462,9 +29109,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
/usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.7.11/policy/modules/system/fstools.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.7.12/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/fstools.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/fstools.te 2010-03-05 17:18:52.000000000 -0500
@@ -118,6 +118,8 @@
fs_search_tmpfs(fsadm_t)
fs_getattr_tmpfs_dirs(fsadm_t)
@@ -29484,9 +29131,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
ifdef(`distro_redhat',`
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.7.11/policy/modules/system/getty.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.7.12/policy/modules/system/getty.te
--- nsaserefpolicy/policy/modules/system/getty.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/getty.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/getty.te 2010-03-05 17:18:52.000000000 -0500
@@ -56,11 +56,10 @@
manage_files_pattern(getty_t, getty_var_run_t, getty_var_run_t)
files_pid_filetrans(getty_t, getty_var_run_t, file)
@@ -29502,9 +29149,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.
dev_read_sysfs(getty_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.7.11/policy/modules/system/hostname.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.7.12/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/hostname.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/hostname.te 2010-03-05 17:18:52.000000000 -0500
@@ -27,15 +27,18 @@
dev_read_sysfs(hostname_t)
@@ -29524,9 +29171,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna
fs_dontaudit_use_tmpfs_chr_dev(hostname_t)
term_dontaudit_use_console(hostname_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.7.11/policy/modules/system/hotplug.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.7.12/policy/modules/system/hotplug.te
--- nsaserefpolicy/policy/modules/system/hotplug.te 2010-03-04 11:17:25.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/hotplug.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/hotplug.te 2010-03-05 17:18:52.000000000 -0500
@@ -1,5 +1,5 @@
-policy_module(hotplug, 1.12.1)
@@ -29534,9 +29181,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu
########################################
#
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.7.11/policy/modules/system/init.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.7.12/policy/modules/system/init.fc
--- nsaserefpolicy/policy/modules/system/init.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/system/init.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/init.fc 2010-03-05 17:18:52.000000000 -0500
@@ -4,10 +4,10 @@
/etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
@@ -29560,9 +29207,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
#
# /var
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.11/policy/modules/system/init.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.12/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2010-03-01 15:12:54.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/init.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/init.if 2010-03-05 17:18:52.000000000 -0500
@@ -193,8 +193,10 @@
gen_require(`
attribute direct_run_init, direct_init, direct_init_entry;
@@ -29889,9 +29536,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+ init_dontaudit_use_script_fds($1)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.11/policy/modules/system/init.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.12/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/init.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/init.te 2010-03-07 08:32:09.000000000 -0500
@@ -17,6 +17,20 @@
##
gen_tunable(init_upstart, false)
@@ -30289,7 +29936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
+
+# system-config-services causes avc messages that should be dontaudited
+tunable_policy(`allow_daemons_dump_core',`
-+ files_dump_core(daemon)
++ files_manage_root(daemon)
+')
+
+optional_policy(`
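Review bot: Under the `allow_daemons_dump_core` tunable the call changes from `files_dump_core(daemon)` to `files_manage_root(daemon)`, and by its name the new interface grants every domain carrying the `daemon` attribute manage access on the root directory, which is more than writing a core file needs. The interface definition is not in this hunk, so confirm what it expands to; if it is broader than create/write of files in `/`, keep a narrow core-dump interface so that enabling the boolean does not widen what a compromised daemon can do there. The comment above the block still says the denials "should be dontaudited" although the block is an allow under a tunable; it should describe the grant instead, e.g. `# daemons may write core files into / when allow_daemons_dump_core is enabled`.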
@@ -30497,9 +30144,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
+optional_policy(`
+ fail2ban_read_lib_files(daemon)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.7.11/policy/modules/system/ipsec.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.7.12/policy/modules/system/ipsec.fc
--- nsaserefpolicy/policy/modules/system/ipsec.fc 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/ipsec.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/ipsec.fc 2010-03-05 17:18:52.000000000 -0500
@@ -37,6 +37,8 @@
/var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
@@ -30510,9 +30157,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
+/var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
-/var/run/racoon.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.7.11/policy/modules/system/ipsec.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.7.12/policy/modules/system/ipsec.if
--- nsaserefpolicy/policy/modules/system/ipsec.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/ipsec.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/ipsec.if 2010-03-05 17:18:52.000000000 -0500
@@ -39,6 +39,25 @@
########################################
@@ -30539,9 +30186,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
## Get the attributes of an IPSEC key socket.
##
##
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.11/policy/modules/system/ipsec.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.12/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/ipsec.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/ipsec.te 2010-03-05 17:18:52.000000000 -0500
@@ -29,9 +29,15 @@
type ipsec_key_file_t;
files_type(ipsec_key_file_t)
@@ -30588,19 +30235,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
kernel_read_kernel_sysctls(ipsec_t)
kernel_list_proc(ipsec_t)
-@@ -171,8 +183,9 @@
+@@ -171,8 +183,10 @@
# ipsec_mgmt Local policy
#
-allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
-allow ipsec_mgmt_t self:process { signal setrlimit };
++allow ipsec_mgmt_t self:process setsched;
+allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
+dontaudit ipsec_mgmt_t self:capability sys_tty_config;
+allow ipsec_mgmt_t self:process { getsched ptrace setrlimit signal };
allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
-@@ -182,6 +195,13 @@
+@@ -182,6 +196,13 @@
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
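Review bot: The added `allow ipsec_mgmt_t self:process setsched;` is a separate rule placed above the capability line, while the same section already has `allow ipsec_mgmt_t self:process { getsched ptrace setrlimit signal };` three lines below it. Folding the permission into that set leaves a single self:process rule to read when auditing the domain: `allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal };`. The ipsec_mgmt local-policy section continues outside the hunk.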
@@ -30614,7 +30262,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
-@@ -209,7 +229,6 @@
+@@ -209,7 +230,6 @@
# whack needs to connect to pluto
stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
@@ -30622,7 +30270,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
-@@ -247,8 +266,10 @@
+@@ -247,8 +267,10 @@
files_read_etc_files(ipsec_mgmt_t)
files_exec_etc_files(ipsec_mgmt_t)
files_read_etc_runtime_files(ipsec_mgmt_t)
@@ -30633,7 +30281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)
-@@ -259,6 +280,7 @@
+@@ -259,6 +281,7 @@
init_use_script_ptys(ipsec_mgmt_t)
init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
@@ -30641,7 +30289,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
logging_send_syslog_msg(ipsec_mgmt_t)
-@@ -323,6 +345,7 @@
+@@ -323,6 +346,7 @@
kernel_read_system_state(racoon_t)
kernel_read_network_state(racoon_t)
@@ -30649,7 +30297,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
-@@ -362,6 +385,8 @@
+@@ -362,6 +386,8 @@
sysnet_exec_ifconfig(racoon_t)
@@ -30658,7 +30306,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
-@@ -380,12 +405,15 @@
+@@ -380,12 +406,15 @@
read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
@@ -30674,14 +30322,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
# allow setkey to set the context for ipsec SAs and policy.
ipsec_setcontext_default_spd(setkey_t)
-@@ -397,3 +425,4 @@
+@@ -397,3 +426,4 @@
seutil_read_config(setkey_t)
userdom_use_user_terminals(setkey_t)
+userdom_read_user_tmp_files(setkey_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.7.11/policy/modules/system/iptables.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.7.12/policy/modules/system/iptables.fc
--- nsaserefpolicy/policy/modules/system/iptables.fc 2010-02-12 16:41:05.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/iptables.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/iptables.fc 2010-03-05 17:18:52.000000000 -0500
@@ -1,6 +1,4 @@
/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
@@ -30689,9 +30337,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.7.11/policy/modules/system/iptables.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.7.12/policy/modules/system/iptables.if
--- nsaserefpolicy/policy/modules/system/iptables.if 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/iptables.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/iptables.if 2010-03-05 17:18:52.000000000 -0500
@@ -17,6 +17,10 @@
corecmd_search_bin($1)
@@ -30703,9 +30351,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.11/policy/modules/system/iptables.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.12/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/iptables.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/iptables.te 2010-03-05 17:18:52.000000000 -0500
@@ -14,9 +14,6 @@
type iptables_initrc_exec_t;
init_script_file(iptables_initrc_exec_t)
@@ -30779,9 +30427,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
udev_read_db(iptables_t)
')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.7.11/policy/modules/system/iscsi.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.7.12/policy/modules/system/iscsi.fc
--- nsaserefpolicy/policy/modules/system/iscsi.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/system/iscsi.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/iscsi.fc 2010-03-05 17:18:52.000000000 -0500
@@ -1,5 +1,9 @@
/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
@@ -30792,9 +30440,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
+/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0)
+
/var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.7.11/policy/modules/system/iscsi.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.7.12/policy/modules/system/iscsi.te
--- nsaserefpolicy/policy/modules/system/iscsi.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/iscsi.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/iscsi.te 2010-03-05 17:18:52.000000000 -0500
@@ -14,6 +14,9 @@
type iscsi_lock_t;
files_lock_file(iscsi_lock_t)
@@ -30862,9 +30510,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
+optional_policy(`
+ tgtd_rw_semaphores(iscsid_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.11/policy/modules/system/libraries.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.12/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/system/libraries.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/libraries.fc 2010-03-05 17:18:52.000000000 -0500
@@ -60,12 +60,15 @@
#
# /opt
@@ -31225,9 +30873,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
+/usr/lib(64)?/vdpau/libvdpau_nvidia\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.11/policy/modules/system/libraries.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.12/policy/modules/system/libraries.if
--- nsaserefpolicy/policy/modules/system/libraries.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/system/libraries.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/libraries.if 2010-03-05 17:18:52.000000000 -0500
@@ -17,6 +17,7 @@
corecmd_search_bin($1)
@@ -31254,9 +30902,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
allow $1 lib_t:dir list_dir_perms;
read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.7.11/policy/modules/system/libraries.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.7.12/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/libraries.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/libraries.te 2010-03-05 17:18:52.000000000 -0500
@@ -58,11 +58,11 @@
# ldconfig local policy
#
@@ -31329,9 +30977,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
+optional_policy(`
+ unconfined_domain(ldconfig_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.7.11/policy/modules/system/locallogin.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.7.12/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/locallogin.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/locallogin.te 2010-03-05 17:18:52.000000000 -0500
@@ -33,9 +33,8 @@
# Local login local policy
#
@@ -31432,9 +31080,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
-optional_policy(`
- nscd_socket_use(sulogin_t)
-')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.7.11/policy/modules/system/logging.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.7.12/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/system/logging.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/logging.fc 2010-03-05 17:18:52.000000000 -0500
@@ -17,6 +17,10 @@
/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
@@ -31474,9 +31122,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.7.11/policy/modules/system/logging.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.7.12/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2010-03-01 15:12:54.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/logging.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/logging.if 2010-03-05 17:18:52.000000000 -0500
@@ -96,6 +96,20 @@
########################################
@@ -31536,9 +31184,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.11/policy/modules/system/logging.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.12/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/logging.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/logging.te 2010-03-05 17:18:52.000000000 -0500
@@ -101,6 +101,7 @@
kernel_read_kernel_sysctls(auditctl_t)
@@ -31681,9 +31329,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
udev_read_db(syslogd_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.7.11/policy/modules/system/lvm.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.7.12/policy/modules/system/lvm.fc
--- nsaserefpolicy/policy/modules/system/lvm.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/system/lvm.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/lvm.fc 2010-03-05 17:18:52.000000000 -0500
@@ -28,6 +28,7 @@
#
/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -31692,9 +31340,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc
#
# /sbin
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.7.11/policy/modules/system/lvm.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.7.12/policy/modules/system/lvm.if
--- nsaserefpolicy/policy/modules/system/lvm.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/lvm.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/lvm.if 2010-03-05 17:18:52.000000000 -0500
@@ -34,7 +34,7 @@
type lvm_exec_t;
')
@@ -31704,9 +31352,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if
can_exec($1, lvm_exec_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.11/policy/modules/system/lvm.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.12/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/lvm.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/lvm.te 2010-03-07 08:47:06.000000000 -0500
@@ -142,6 +142,11 @@
')
@@ -31727,7 +31375,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
allow lvm_t self:file rw_file_perms;
allow lvm_t self:fifo_file manage_fifo_file_perms;
allow lvm_t self:unix_dgram_socket create_socket_perms;
-@@ -244,6 +250,7 @@
+@@ -218,6 +224,7 @@
+ # it has no reason to need this
+ kernel_dontaudit_getattr_core_if(lvm_t)
+ kernel_use_fds(lvm_t)
++kernel_request_load_module(lvm_t)
+ kernel_search_debugfs(lvm_t)
+
+ corecmd_exec_bin(lvm_t)
+@@ -244,6 +251,7 @@
dev_dontaudit_getattr_generic_blk_files(lvm_t)
dev_dontaudit_getattr_generic_pipes(lvm_t)
dev_create_generic_dirs(lvm_t)
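Review bot: The added `kernel_request_load_module(lvm_t)` line in the lvm.te section has no comment recording which module load it is meant to cover. The interface lets processes in lvm_t ask the kernel to auto-load modules on demand, so a later reader cannot tell whether the grant is still needed or was added for a single denial. I would put a comment directly above it, for example `# lvm tools trigger autoloading of device-mapper modules (assumed; confirm against the AVC)`. The lvm_t rule block this line sits in starts and ends outside the hunk.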
@@ -31735,15 +31391,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
domain_use_interactive_fds(lvm_t)
domain_read_all_domains_state(lvm_t)
-@@ -253,6 +260,7 @@
+@@ -253,8 +261,9 @@
files_read_etc_runtime_files(lvm_t)
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dirs(lvm_t)
+files_dontaudit_getattr_tmpfs_files(lvm_t)
- fs_getattr_xattr_fs(lvm_t)
+-fs_getattr_xattr_fs(lvm_t)
++fs_getattr_all_fs(lvm_t)
fs_search_auto_mountpoints(lvm_t)
-@@ -311,6 +319,11 @@
+ fs_list_tmpfs(lvm_t)
+ fs_read_tmpfs_symlinks(lvm_t)
+@@ -311,6 +320,11 @@
')
optional_policy(`
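Review bot: Replacing `fs_getattr_xattr_fs(lvm_t)` with `fs_getattr_all_fs(lvm_t)` widens the grant from xattr-capable filesystems to every filesystem type, and nothing in the hunk says which filesystem prompted it. The neighbouring tmpfs rules suggest tmpfs was the one denied, though that is an inference. If so, keeping the original line and adding `fs_getattr_tmpfs(lvm_t)` would cover the case without opening the rest. If lvm really does stat every mounted filesystem, a one-line comment above the new rule saying so would record that the broad form is deliberate.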
@@ -31755,9 +31414,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
bootloader_rw_tmp_files(lvm_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.7.11/policy/modules/system/miscfiles.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.7.12/policy/modules/system/miscfiles.fc
--- nsaserefpolicy/policy/modules/system/miscfiles.fc 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/miscfiles.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/miscfiles.fc 2010-03-05 17:18:52.000000000 -0500
@@ -42,6 +42,7 @@
/usr/man(/.*)? gen_context(system_u:object_r:man_t,s0)
@@ -31784,9 +31443,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
/var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
ifdef(`distro_debian',`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.7.11/policy/modules/system/miscfiles.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.7.12/policy/modules/system/miscfiles.if
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-03-01 15:12:54.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/miscfiles.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/miscfiles.if 2010-03-05 17:18:52.000000000 -0500
@@ -73,7 +73,8 @@
#
interface(`miscfiles_read_fonts',`
@@ -31877,9 +31536,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.7.11/policy/modules/system/miscfiles.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.7.12/policy/modules/system/miscfiles.te
--- nsaserefpolicy/policy/modules/system/miscfiles.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/miscfiles.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/miscfiles.te 2010-03-05 17:18:52.000000000 -0500
@@ -19,6 +19,9 @@
type fonts_t;
files_type(fonts_t)
@@ -31890,9 +31549,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
#
# type for /usr/share/hwdata
#
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.11/policy/modules/system/modutils.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.12/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/modutils.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/modutils.te 2010-03-05 17:18:52.000000000 -0500
@@ -19,6 +19,7 @@
type insmod_exec_t;
application_domain(insmod_t, insmod_exec_t)
@@ -31998,9 +31657,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.7.11/policy/modules/system/mount.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.7.12/policy/modules/system/mount.fc
--- nsaserefpolicy/policy/modules/system/mount.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/system/mount.fc 2010-03-04 07:59:10.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/mount.fc 2010-03-05 17:18:52.000000000 -0500
@@ -1,4 +1,10 @@
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
@@ -32013,9 +31672,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
-/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
+/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.7.11/policy/modules/system/mount.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.7.12/policy/modules/system/mount.if
--- nsaserefpolicy/policy/modules/system/mount.if 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/system/mount.if 2010-03-04 07:59:10.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/mount.if 2010-03-05 17:18:52.000000000 -0500
@@ -16,6 +16,14 @@
')
@@ -32153,9 +31812,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+ mount_domtrans_showmount($1)
+ role $2 types showmount_t;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.11/policy/modules/system/mount.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.12/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/system/mount.te 2010-03-04 07:59:10.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/mount.te 2010-03-05 17:18:52.000000000 -0500
@@ -18,8 +18,15 @@
init_system_domain(mount_t, mount_exec_t)
role system_r types mount_t;
@@ -32430,9 +32089,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+sysnet_dns_name_resolve(showmount_t)
+
+userdom_use_user_terminals(showmount_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.7.11/policy/modules/system/raid.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.7.12/policy/modules/system/raid.te
--- nsaserefpolicy/policy/modules/system/raid.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/raid.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/raid.te 2010-03-05 17:18:52.000000000 -0500
@@ -51,11 +51,13 @@
dev_dontaudit_getattr_generic_chr_files(mdadm_t)
dev_dontaudit_getattr_generic_blk_files(mdadm_t)
@@ -32447,9 +32106,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t
fs_search_auto_mountpoints(mdadm_t)
fs_dontaudit_list_tmpfs(mdadm_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.7.11/policy/modules/system/selinuxutil.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.7.12/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/system/selinuxutil.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/selinuxutil.fc 2010-03-05 17:18:52.000000000 -0500
@@ -6,13 +6,13 @@
/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
@@ -32489,9 +32148,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.7.11/policy/modules/system/selinuxutil.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.7.12/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/selinuxutil.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/selinuxutil.if 2010-03-05 17:18:52.000000000 -0500
@@ -361,6 +361,27 @@
########################################
@@ -32868,9 +32527,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+ hotplug_use_fds($1)
+')
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.11/policy/modules/system/selinuxutil.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.12/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/selinuxutil.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/selinuxutil.te 2010-03-05 17:18:52.000000000 -0500
@@ -23,6 +23,9 @@
type selinux_config_t;
files_type(selinux_config_t)
@@ -33255,9 +32914,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
- hotplug_use_fds(setfiles_t)
+ unconfined_domain(setfiles_mac_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.7.11/policy/modules/system/sysnetwork.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.7.12/policy/modules/system/sysnetwork.fc
--- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/sysnetwork.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/sysnetwork.fc 2010-03-05 17:18:52.000000000 -0500
@@ -13,6 +13,9 @@
/etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
@@ -33291,9 +32950,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
+
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.11/policy/modules/system/sysnetwork.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.12/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2010-03-01 15:12:54.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/sysnetwork.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/sysnetwork.if 2010-03-05 17:18:52.000000000 -0500
@@ -43,6 +43,41 @@
sysnet_domtrans_dhcpc($1)
@@ -33497,9 +33156,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
+
+ role_transition $1 dhcpc_exec_t system_r;
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.11/policy/modules/system/sysnetwork.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.12/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/sysnetwork.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/sysnetwork.te 2010-03-05 17:18:52.000000000 -0500
@@ -20,6 +20,9 @@
init_daemon_domain(dhcpc_t, dhcpc_exec_t)
role system_r types dhcpc_t;
@@ -33712,9 +33371,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
+ hal_dontaudit_rw_pipes(ifconfig_t)
+ hal_dontaudit_rw_dgram_sockets(ifconfig_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.7.11/policy/modules/system/udev.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.7.12/policy/modules/system/udev.if
--- nsaserefpolicy/policy/modules/system/udev.if 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/udev.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/udev.if 2010-03-05 17:18:52.000000000 -0500
@@ -192,6 +192,7 @@
dev_list_all_dev_nodes($1)
@@ -33723,9 +33382,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.11/policy/modules/system/udev.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.12/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/udev.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/udev.te 2010-03-05 17:18:52.000000000 -0500
@@ -50,6 +50,7 @@
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -33785,9 +33444,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
kernel_write_xen_state(udev_t)
kernel_read_xen_state(udev_t)
xen_manage_log(udev_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.7.11/policy/modules/system/unconfined.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.7.12/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/unconfined.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/unconfined.fc 2010-03-05 17:18:52.000000000 -0500
@@ -1,15 +1 @@
# Add programs here which should not be confined by SELinux
-# e.g.:
@@ -33804,9 +33463,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
-ifdef(`distro_gentoo',`
-/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.7.11/policy/modules/system/unconfined.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.7.12/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2010-03-01 15:12:54.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/unconfined.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/unconfined.if 2010-03-05 17:18:52.000000000 -0500
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@@ -34301,9 +33960,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
-
- allow $1 unconfined_t:dbus acquire_svc;
-')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.7.11/policy/modules/system/unconfined.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.7.12/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/unconfined.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/unconfined.te 2010-03-05 17:18:52.000000000 -0500
@@ -5,227 +5,5 @@
#
# Declarations
@@ -34533,9 +34192,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
- hal_dbus_chat(unconfined_execmem_t)
- ')
-')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.11/policy/modules/system/userdomain.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.12/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/modules/system/userdomain.fc 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/userdomain.fc 2010-03-05 17:18:52.000000000 -0500
@@ -1,4 +1,11 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
@@ -34549,9 +34208,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+HOME_DIR/\.gvfs(/.*)? <>
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.11/policy/modules/system/userdomain.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.12/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/userdomain.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/userdomain.if 2010-03-05 17:18:52.000000000 -0500
@@ -30,8 +30,9 @@
')
@@ -35756,15 +35415,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1207,6 +1330,7 @@
+@@ -1207,6 +1330,8 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
+ files_create_default_dir($1)
++ files_root_filetrans_default($1, dir)
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1272,11 +1396,15 @@
+@@ -1272,11 +1397,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
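Review bot: The new `files_root_filetrans_default($1, dir)` line in the userdomain.if section is undocumented, while the next rule in the same block has its own comment (`# Necessary for managing /boot/efi`). As far as the name and arguments show, it makes directories that the calling domain creates directly under / come out labelled default_t, which changes what other domains can reach in them until they are relabelled. A matching comment would help, for example `# new top-level directories get default_t; relabel once a file context exists`. The interface or template that contains this line starts outside the hunk, so which admin domains receive the transition cannot be confirmed from here.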
@@ -35780,7 +35440,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1313,7 +1441,7 @@
+@@ -1313,7 +1442,7 @@
type user_devpts_t;
')
@@ -35789,7 +35449,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1387,26 +1515,19 @@
+@@ -1387,26 +1516,19 @@
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -35819,7 +35479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
#
interface(`userdom_dontaudit_search_user_home_dirs',`
gen_require(`
-@@ -1433,6 +1554,14 @@
+@@ -1433,6 +1555,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -35834,7 +35494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1448,9 +1577,11 @@
+@@ -1448,9 +1578,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -35846,7 +35506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1507,6 +1638,42 @@
+@@ -1507,6 +1639,42 @@
allow $1 user_home_dir_t:dir relabelto;
')
@@ -35889,7 +35549,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
########################################
##
## Create directories in the home dir root with
-@@ -1581,11 +1748,14 @@
+@@ -1581,11 +1749,14 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -35905,7 +35565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
##
-@@ -1593,18 +1763,18 @@
+@@ -1593,18 +1764,18 @@
##
##
#
@@ -35929,7 +35589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
##
-@@ -1612,18 +1782,17 @@
+@@ -1612,18 +1783,17 @@
##
##
#
@@ -35952,7 +35612,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
##
-@@ -1631,12 +1800,12 @@
+@@ -1631,12 +1801,12 @@
##
##
#
@@ -35967,7 +35627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1655,7 +1824,7 @@
+@@ -1655,7 +1825,7 @@
type user_home_t;
')
@@ -35976,7 +35636,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1692,6 +1861,7 @@
+@@ -1692,6 +1862,7 @@
type user_home_dir_t, user_home_t;
')
@@ -35984,7 +35644,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
-@@ -1708,11 +1878,14 @@
+@@ -1708,11 +1879,14 @@
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -36002,7 +35662,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1730,7 +1903,7 @@
+@@ -1730,7 +1904,7 @@
type user_home_t;
')
@@ -36011,7 +35671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1748,7 +1921,7 @@
+@@ -1748,7 +1922,7 @@
type user_home_t;
')
@@ -36020,7 +35680,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1819,19 +1992,32 @@
+@@ -1819,19 +1993,32 @@
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -36060,7 +35720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1849,7 +2035,7 @@
+@@ -1849,7 +2036,7 @@
type user_home_t;
')
@@ -36069,7 +35729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1866,6 +2052,7 @@
+@@ -1866,6 +2053,7 @@
interface(`userdom_manage_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -36077,7 +35737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2077,7 +2264,7 @@
+@@ -2077,7 +2265,7 @@
type user_tmp_t;
')
@@ -36086,7 +35746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
files_search_tmp($1)
')
-@@ -2102,7 +2289,7 @@
+@@ -2102,7 +2290,7 @@
########################################
##
@@ -36095,7 +35755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## temporary directories.
##
##
-@@ -2111,17 +2298,17 @@
+@@ -2111,17 +2299,17 @@
##
##
#
@@ -36116,7 +35776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## temporary directories.
##
##
-@@ -2130,18 +2317,37 @@
+@@ -2130,18 +2318,37 @@
##
##
#
@@ -36158,7 +35818,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
## Domain allowed access.
-@@ -2193,7 +2399,7 @@
+@@ -2193,7 +2400,7 @@
type user_tmp_t;
')
@@ -36167,7 +35827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2218,6 +2424,25 @@
+@@ -2218,6 +2425,25 @@
########################################
##
@@ -36193,7 +35853,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Do not audit attempts to manage users
## temporary files.
##
-@@ -2298,6 +2523,46 @@
+@@ -2298,6 +2524,46 @@
########################################
##
## Create, read, write, and delete user
@@ -36240,7 +35900,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## temporary symbolic links.
##
##
-@@ -2413,7 +2678,7 @@
+@@ -2413,7 +2679,7 @@
########################################
##
@@ -36249,7 +35909,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
##
-@@ -2421,19 +2686,21 @@
+@@ -2421,19 +2687,21 @@
##
##
#
@@ -36275,7 +35935,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
##
-@@ -2441,15 +2708,14 @@
+@@ -2441,15 +2709,14 @@
##
##
#
@@ -36295,7 +35955,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2467,7 +2733,7 @@
+@@ -2467,7 +2734,7 @@
type user_tty_device_t;
')
@@ -36304,7 +35964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2485,7 +2751,7 @@
+@@ -2485,7 +2752,7 @@
type user_tty_device_t;
')
@@ -36313,7 +35973,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2503,7 +2769,7 @@
+@@ -2503,7 +2770,7 @@
type user_tty_device_t;
')
@@ -36322,7 +35982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2521,7 +2787,7 @@
+@@ -2521,7 +2788,7 @@
type user_tty_device_t;
')
@@ -36331,7 +35991,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2787,7 +3053,7 @@
+@@ -2787,7 +3054,7 @@
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -36340,7 +36000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2803,11 +3069,33 @@
+@@ -2803,11 +3070,33 @@
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -36376,7 +36036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2848,23 +3136,14 @@
+@@ -2848,23 +3137,14 @@
########################################
##
@@ -36403,7 +36063,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
#
interface(`userdom_dontaudit_use_unpriv_user_fds',`
gen_require(`
-@@ -2931,6 +3210,25 @@
+@@ -2931,6 +3211,25 @@
########################################
##
@@ -36429,7 +36089,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Write all users files in /tmp
##
##
-@@ -2944,7 +3242,43 @@
+@@ -2944,7 +3243,43 @@
type user_tmp_t;
')
@@ -36474,7 +36134,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2981,6 +3315,7 @@
+@@ -2981,6 +3316,7 @@
')
read_files_pattern($1, userdomain, userdomain)
@@ -36482,7 +36142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_search_proc($1)
')
-@@ -3111,3 +3446,674 @@
+@@ -3111,3 +3447,674 @@
allow $1 userdomain:dbus send_msg;
')
@@ -37157,9 +36817,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+
+ dontaudit $1 admin_home_t:file getattr;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.11/policy/modules/system/userdomain.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.12/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/userdomain.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/userdomain.te 2010-03-05 17:18:52.000000000 -0500
@@ -8,13 +8,6 @@
##
@@ -37248,9 +36908,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+')
+
+allow userdomain userdomain:process signull;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.7.11/policy/modules/system/xen.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.7.12/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/xen.if 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/xen.if 2010-03-05 17:18:52.000000000 -0500
@@ -180,6 +180,25 @@
########################################
@@ -37287,9 +36947,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if
+ typeattribute $1 xm_transition_domain;
domtrans_pattern($1, xm_exec_t, xm_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.11/policy/modules/system/xen.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.12/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.11/policy/modules/system/xen.te 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/modules/system/xen.te 2010-03-05 17:18:52.000000000 -0500
@@ -5,6 +5,7 @@
#
# Declarations
@@ -37389,9 +37049,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
#Should have a boolean wrapping these
fs_list_auto_mountpoints(xend_t)
files_search_mnt(xend_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns.spt serefpolicy-3.7.11/policy/support/misc_patterns.spt
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns.spt serefpolicy-3.7.12/policy/support/misc_patterns.spt
--- nsaserefpolicy/policy/support/misc_patterns.spt 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.11/policy/support/misc_patterns.spt 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/support/misc_patterns.spt 2010-03-05 17:18:52.000000000 -0500
@@ -15,7 +15,7 @@
domain_transition_pattern($1,$2,$3)
@@ -37410,9 +37070,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns
allow $3 $1:process sigchld;
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.11/policy/support/obj_perm_sets.spt
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.12/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2010-03-04 11:44:07.000000000 -0500
-+++ serefpolicy-3.7.11/policy/support/obj_perm_sets.spt 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/support/obj_perm_sets.spt 2010-03-05 17:18:52.000000000 -0500
@@ -28,7 +28,7 @@
#
# All socket classes.
@@ -37503,9 +37163,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets
+define(`all_dbus_perms', `{ acquire_svc send_msg } ')
+define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ')
+define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.7.11/policy/users
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.7.12/policy/users
--- nsaserefpolicy/policy/users 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.11/policy/users 2010-03-03 23:48:01.000000000 -0500
++++ serefpolicy-3.7.12/policy/users 2010-03-05 17:18:52.000000000 -0500
@@ -6,7 +6,7 @@
#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8ad573b..68294da 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
%define CHECKPOLICYVER 2.0.21-1
Summary: SELinux policy configuration
Name: selinux-policy
-Version: 3.7.11
+Version: 3.7.12
Release: 1%{?dist}
License: GPLv2+
Group: System Environment/Base
@@ -466,7 +466,11 @@ exit 0
%endif
%changelog
-* Tue Mar 2 2010 Dan Walsh 3.7.11-1
+* Thu Mar 4 2010 Dan Walsh 3.7.12-1
+- Update to upstream
+
+
+* Thu Mar 4 2010 Dan Walsh 3.7.11-1
- Update to upstream - These are merges of my patches
- Remove 389 labeling conflicts
- Add MLS fixes found in RHEL6 testing
diff --git a/sources b/sources
index 64a46df..72def95 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
4c7d323036f1662a06a7a4f2a7da57a5 config.tgz
-316c182558e4f2c4b6955d06a943d64e serefpolicy-3.7.11.tgz
+c284968623d7634e4ce08e803d599dd7 serefpolicy-3.7.12.tgz