From 3798ee962aa9263c03e2483e0458cbb1fc732722 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Aug 17 2010 11:22:11 +0000 Subject: - label dead.letter as mail_home_t --- diff --git a/policy-F14.patch b/policy-F14.patch index 855dace..06cd7c3 100644 --- a/policy-F14.patch +++ b/policy-F14.patch @@ -1346,8 +1346,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstbo # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.8.8/policy/modules/admin/firstboot.te --- nsaserefpolicy/policy/modules/admin/firstboot.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/firstboot.te 2010-07-30 14:06:53.000000000 -0400 -@@ -121,6 +121,7 @@ ++++ serefpolicy-3.8.8/policy/modules/admin/firstboot.te 2010-08-11 09:17:15.000000000 -0400 +@@ -91,6 +91,10 @@ + userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file }) + + optional_policy(` ++ consoletype_domtrans(firstboot_t) ++') ++ ++optional_policy(` + dbus_system_bus_client(firstboot_t) + + optional_policy(` +@@ -121,6 +125,7 @@ ') optional_policy(` @@ -1452,7 +1463,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc +/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.8.8/policy/modules/admin/logwatch.te --- nsaserefpolicy/policy/modules/admin/logwatch.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/logwatch.te 2010-07-30 14:06:53.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/admin/logwatch.te 2010-08-17 07:18:59.000000000 -0400 @@ -19,6 +19,9 @@ type logwatch_tmp_t; files_tmp_file(logwatch_tmp_t) 
@@ -1473,7 +1484,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc kernel_read_fs_sysctls(logwatch_t) kernel_read_kernel_sysctls(logwatch_t) kernel_read_system_state(logwatch_t) -@@ -92,8 +98,15 @@ +@@ -92,8 +98,16 @@ sysnet_exec_ifconfig(logwatch_t) userdom_dontaudit_search_user_home_dirs(logwatch_t) @@ -1487,6 +1498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc +logging_read_all_logs(logwatch_mail_t) +manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t) +allow logwatch_mail_t self:capability { dac_read_search dac_override }; ++mta_read_home(logwatch_mail_t) ifdef(`distro_redhat',` files_search_all(logwatch_t) @@ -1771,7 +1783,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.8.8/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/prelink.te 2010-08-11 08:24:20.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/admin/prelink.te 2010-08-13 11:29:37.000000000 -0400 @@ -59,6 +59,7 @@ manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) @@ -1825,6 +1837,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t) allow prelink_cron_system_t prelink_t:process noatsecure; +@@ -148,7 +159,7 @@ + files_read_etc_files(prelink_cron_system_t) + files_search_var_lib(prelink_cron_system_t) + +- init_exec(prelink_cron_system_t) ++ init_telinit(prelink_cron_system_t) + + libs_exec_ld_so(prelink_cron_system_t) + @@ -158,6 +169,8 @@ cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t) 
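Review bot: The added `mta_read_home(logwatch_mail_t)` in logwatch.te sits directly under `allow logwatch_mail_t self:capability { dac_read_search dac_override };`, so for this domain the SELinux rule is the only thing limiting which users' mail files it can read. Nothing in the hunk says why the logwatch mail helper needs `.forward` and `dead.letter` from every home directory. A comment above the call would record the reason, e.g. `# <AVC or bug reference>: logwatch mailer reads ~/.forward / ~/dead.letter`. It is also worth checking whether the `dac_override` grant is still required once the labelled access exists.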
@@ -2317,8 +2338,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sectool mount_exec(sectoolm_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.if serefpolicy-3.8.8/policy/modules/admin/shorewall.if --- nsaserefpolicy/policy/modules/admin/shorewall.if 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/shorewall.if 2010-07-30 14:06:53.000000000 -0400 -@@ -134,9 +134,10 @@ ++++ serefpolicy-3.8.8/policy/modules/admin/shorewall.if 2010-08-17 06:09:36.000000000 -0400 +@@ -18,6 +18,24 @@ + domtrans_pattern($1, shorewall_exec_t, shorewall_t) + ') + ++###################################### ++## ++## Execute a domain transition to run shorewall. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`shorewall_domtrans_lib',` ++ gen_require(` ++ type shorewall_t, shorewall_var_lib_t; ++ ') ++ ++ domtrans_pattern($1, shorewall_var_lib_t, shorewall_t) ++') ++ + ####################################### + ## + ## Read shorewall etc configuration files. +@@ -134,9 +152,10 @@ # interface(`shorewall_admin',` gen_require(` @@ -2331,7 +2377,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa ') allow $1 shorewall_t:process { ptrace signal_perms }; -@@ -153,12 +154,12 @@ +@@ -153,12 +172,12 @@ files_search_locks($1) admin_pattern($1, shorewall_lock_t) 
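Review bot: The summary of the new `shorewall_domtrans_lib` interface in shorewall.if repeats the wording of `shorewall_domtrans` ("Execute a domain transition to run shorewall."), but the body transitions on `shorewall_var_lib_t`, not `shorewall_exec_t`. A caller reading the interface documentation cannot tell the two apart. The summary should name the entry type, e.g. `## Execute a file labeled shorewall_var_lib_t with a domain transition to shorewall_t.`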
@@ -2349,8 +2395,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.8.8/policy/modules/admin/shorewall.te --- nsaserefpolicy/policy/modules/admin/shorewall.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/shorewall.te 2010-07-30 14:06:53.000000000 -0400 -@@ -80,13 +80,14 @@ ++++ serefpolicy-3.8.8/policy/modules/admin/shorewall.te 2010-08-17 06:09:36.000000000 -0400 +@@ -58,6 +58,9 @@ + manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) + manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) + files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file }) ++allow shorewall_t shorewall_var_lib_t:file entrypoint; ++ ++allow shorewall_t shorewall_initrc_exec_t:file read_file_perms; + + kernel_read_kernel_sysctls(shorewall_t) + kernel_read_network_state(shorewall_t) +@@ -80,13 +83,18 @@ init_rw_utmp(shorewall_t) @@ -2363,6 +2419,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa -userdom_dontaudit_list_user_home_dirs(shorewall_t) +userdom_dontaudit_list_admin_dir(shorewall_t) ++ ++optional_policy(` ++ brctl_domtrans(shorewall_t) ++') optional_policy(` hostname_exec(shorewall_t) 
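Review bot: `allow shorewall_t shorewall_var_lib_t:file entrypoint;` in shorewall.te makes a type that shorewall_t itself fully manages an entry point into shorewall_t; the `manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)` rule is three lines above it. Any domain that can write `shorewall_var_lib_t` then decides what runs in shorewall_t for every caller of `shorewall_domtrans_lib`. The rule carries no comment saying which file under the lib directory is executed or by whom; add one, e.g. `# <file under /var/lib/shorewall that is executed, and the calling domain>`. A dedicated executable type for that file would keep writable state and the entry point separate. The second new rule, `allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;`, would benefit from the same kind of one-line reason.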
@@ -3020,8 +3080,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqs dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.8.8/policy/modules/apps/execmem.fc --- nsaserefpolicy/policy/modules/apps/execmem.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/execmem.fc 2010-07-30 14:06:53.000000000 -0400 -@@ -0,0 +1,49 @@ ++++ serefpolicy-3.8.8/policy/modules/apps/execmem.fc 2010-08-13 16:54:24.000000000 -0400 +@@ -0,0 +1,48 @@ + +/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/compiz -- gen_context(system_u:object_r:execmem_exec_t,s0) @@ -3029,7 +3089,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem. +/usr/bin/dosbox -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/mutter -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/plasma-desktop -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/runghc -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0) @@ -4379,8 +4438,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.8.8/policy/modules/apps/java.te --- nsaserefpolicy/policy/modules/apps/java.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/java.te 2010-07-30 14:06:53.000000000 -0400 -@@ -82,6 +82,7 @@ ++++ serefpolicy-3.8.8/policy/modules/apps/java.te 2010-08-13 15:48:49.000000000 -0400 +@@ -82,12 +82,12 @@ dev_read_rand(java_t) dev_dontaudit_append_rand(java_t) 
@@ -4388,7 +4447,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te files_read_usr_files(java_t) files_search_home(java_t) files_search_var_lib(java_t) -@@ -143,12 +144,15 @@ + files_read_etc_runtime_files(java_t) + # Read global fonts and font config +-files_read_etc_files(java_t) + + fs_getattr_xattr_fs(java_t) + fs_dontaudit_rw_tmpfs_files(java_t) +@@ -143,12 +143,15 @@ # execheap is needed for itanium/BEA jrocket allow unconfined_java_t self:process { execstack execmem execheap }; @@ -4491,7 +4556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.8.8/policy/modules/apps/livecd.if --- nsaserefpolicy/policy/modules/apps/livecd.if 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/livecd.if 2010-07-30 14:06:53.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/apps/livecd.if 2010-08-12 08:05:10.000000000 -0400 @@ -41,6 +41,8 @@ livecd_domtrans($1) @@ -4526,6 +4591,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.i ## Read livecd temporary files. ## ## +@@ -82,7 +102,7 @@ + ') + + files_search_tmp($1) +- allow $1 livecd_tmp_t:file rw_file_perms; ++ rw_files_pattern($1, livecd_tmp_t, livecd_tmp_t) + ') + + ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.8.8/policy/modules/apps/livecd.te --- nsaserefpolicy/policy/modules/apps/livecd.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/livecd.te 2010-07-30 14:06:53.000000000 -0400 
@@ -5189,7 +5263,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.8.8/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.te 2010-08-11 08:01:15.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.te 2010-08-13 15:48:58.000000000 -0400 @@ -0,0 +1,301 @@ +policy_module(nsplugin, 1.0.0) + @@ -5310,8 +5384,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + +files_dontaudit_getattr_lost_found_dirs(nsplugin_t) +files_dontaudit_list_home(nsplugin_t) -+files_read_usr_files(nsplugin_t) +files_read_etc_files(nsplugin_t) ++files_read_usr_files(nsplugin_t) +files_read_config_files(nsplugin_t) + +fs_getattr_tmpfs(nsplugin_t) @@ -5870,7 +5944,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.8.8/policy/modules/apps/sambagui.te --- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/sambagui.te 2010-07-30 14:06:53.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/apps/sambagui.te 2010-08-13 15:50:28.000000000 -0400 @@ -0,0 +1,66 @@ +policy_module(sambagui,1.0.0) + @@ -5906,8 +5980,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui +corecmd_exec_bin(sambagui_t) + +files_read_etc_files(sambagui_t) ++files_read_usr_files(sambagui_t) +files_search_var_lib(sambagui_t) -+files_search_usr(sambagui_t) + +# reading shadow by pdbedit +#auth_read_shadow(sambagui_t) 
@@ -6263,8 +6337,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.8.8/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/sandbox.te 2010-08-03 13:19:32.000000000 -0400 -@@ -0,0 +1,390 @@ ++++ serefpolicy-3.8.8/policy/modules/apps/sandbox.te 2010-08-16 07:01:26.000000000 -0400 +@@ -0,0 +1,392 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; @@ -6464,6 +6538,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + +miscfiles_read_fonts(sandbox_x_domain) + ++storage_dontaudit_rw_fuse(sandbox_x_domain) ++ +optional_policy(` + cups_stream_connect(sandbox_x_domain) + cups_read_rw_config(sandbox_x_domain) 
@@ -7441,6 +7517,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp +optional_policy(` + xserver_stream_connect(consolehelper_domain) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.8.8/policy/modules/apps/vmware.fc +--- nsaserefpolicy/policy/modules/apps/vmware.fc 2010-07-27 16:06:04.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/apps/vmware.fc 2010-08-13 14:51:09.000000000 -0400 +@@ -66,5 +66,6 @@ + /var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0) + /var/log/vnetlib.* -- gen_context(system_u:object_r:vmware_log_t,s0) + ++/var/run/vmnet.* gen_context(system_u:object_r:vmware_var_run_t,s0) + /var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0) + /var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.8.8/policy/modules/apps/vmware.te --- nsaserefpolicy/policy/modules/apps/vmware.te 2010-07-27 16:06:04.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/apps/vmware.te 2010-07-30 14:06:53.000000000 -0400 @@ -7942,7 +8028,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.8.8/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/devices.if 2010-08-04 12:08:01.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/kernel/devices.if 2010-08-16 07:06:37.000000000 -0400 @@ -461,6 +461,24 @@ ######################################## 
@@ -8065,7 +8151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ######################################## ## -+## Relableto the autofs device node. ++## Relable the autofs device node. +## +## +## @@ -8073,12 +8159,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +## +## +# -+interface(`dev_relabelto_autofs_dev',` ++interface(`dev_relabel_autofs_dev',` + gen_require(` + type autofs_device_t; + ') + -+ allow $1 autofs_device_t:chr_file relabelto; ++ allow $1 autofs_device_t:chr_file relabel_chr_file_perms; +') + +######################################## @@ -8499,7 +8585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.8.8/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/files.if 2010-08-10 05:23:35.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/kernel/files.if 2010-08-11 09:28:41.000000000 -0400 @@ -1053,10 +1053,8 @@ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -9112,7 +9198,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy +/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.8.8/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.if 2010-08-04 13:24:15.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.if 2010-08-13 10:09:00.000000000 -0400 @@ -1233,7 +1233,7 @@ type cifs_t; ') 
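Review bot: Renaming `dev_relabelto_autofs_dev` to `dev_relabel_autofs_dev` in devices.if also widens the rule from `relabelto` to `relabel_chr_file_perms`, which (assuming the usual refpolicy definition) adds `relabelfrom` and `getattr`, so callers may now relabel the autofs node away from `autofs_device_t` as well as to it. The summary does not mention the wider grant and misspells the verb; it should read `## Relabel the autofs device node to and from autofs_device_t.` This covers both the summary hunk and the interface-body hunk that follows it. Callers of the old interface name are not visible here and need to be updated in the same change.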
@@ -9593,7 +9679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag +/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.8.8/policy/modules/kernel/storage.if --- nsaserefpolicy/policy/modules/kernel/storage.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/storage.if 2010-08-05 14:41:46.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/kernel/storage.if 2010-08-16 07:00:32.000000000 -0400 @@ -101,6 +101,8 @@ dev_list_all_dev_nodes($1) allow $1 fixed_disk_device_t:blk_file read_blk_file_perms; @@ -13367,8 +13453,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah kernel_read_kernel_sysctls(avahi_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.8.8/policy/modules/services/bind.if --- nsaserefpolicy/policy/modules/services/bind.if 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/bind.if 2010-07-30 14:06:53.000000000 -0400 -@@ -359,9 +359,9 @@ ++++ serefpolicy-3.8.8/policy/modules/services/bind.if 2010-08-12 16:43:18.000000000 -0400 +@@ -308,6 +308,27 @@ + + ######################################## + ## ++## Read BIND zone files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`bind_read_log',` ++ gen_require(` ++ type named_zone_t; ++ type named_log_t; ++ ') ++ ++ files_search_var($1) ++ allow $1 named_zone_t:dir search_dir_perms; ++ read_files_pattern($1, named_log_t, named_log_t) ++') ++ ++######################################## ++## + ## Manage BIND zone files. + ## + ## +@@ -359,9 +380,9 @@ interface(`bind_admin',` gen_require(` type named_t, named_tmp_t, named_log_t; 
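Review bot: The new `bind_read_log` interface in bind.if is documented as "Read BIND zone files." but the access it grants is `read_files_pattern($1, named_log_t, named_log_t)`; the summary looks copied from the zone-file interface and should be `## Read BIND named log files.` The body also requires `named_zone_t` and adds `allow $1 named_zone_t:dir search_dir_perms;` with no explanation. If that is intentional (presumably the logs live below the zone directory), say so in a comment such as `# named logs are reached through the named_zone_t directory`; otherwise drop the rule and the require. As written, callers get directory search on the zone tree from an interface whose name only mentions logs.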
@@ -13380,7 +13494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind type named_initrc_exec_t; ') -@@ -391,8 +391,7 @@ +@@ -391,8 +412,7 @@ admin_pattern($1, named_zone_t) admin_pattern($1, dnssec_t) @@ -14473,7 +14587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro corenet_udp_bind_chronyd_port(chronyd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.8.8/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/clamav.te 2010-08-11 08:54:31.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/clamav.te 2010-08-16 07:42:43.000000000 -0400 @@ -80,6 +80,7 @@ files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir }) @@ -14494,16 +14608,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam kernel_dontaudit_list_proc(clamd_t) kernel_read_sysctl(clamd_t) -@@ -182,6 +184,8 @@ +@@ -182,6 +184,9 @@ allow freshclam_t clamd_var_log_t:dir search_dir_perms; logging_log_filetrans(freshclam_t, freshclam_var_log_t, file) +kernel_read_kernel_sysctls(freshclam_t) ++kernel_read_system_state(freshclam_t) + corenet_all_recvfrom_unlabeled(freshclam_t) corenet_all_recvfrom_netlabel(freshclam_t) corenet_tcp_sendrecv_generic_if(freshclam_t) -@@ -189,6 +193,7 @@ +@@ -189,6 +194,7 @@ corenet_tcp_sendrecv_all_ports(freshclam_t) corenet_tcp_sendrecv_clamd_port(freshclam_t) corenet_tcp_connect_http_port(freshclam_t) @@ -14511,7 +14626,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam corenet_sendrecv_http_client_packets(freshclam_t) dev_read_rand(freshclam_t) -@@ -207,6 +212,8 @@ +@@ -207,6 +213,8 @@ clamav_stream_connect(freshclam_t) 
@@ -15735,7 +15850,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.8.8/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/cron.te 2010-07-30 14:06:53.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/cron.te 2010-08-13 11:29:11.000000000 -0400 @@ -63,9 +63,12 @@ type crond_tmp_t; @@ -16400,7 +16515,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.8.8/policy/modules/services/denyhosts.te --- nsaserefpolicy/policy/modules/services/denyhosts.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/denyhosts.te 2010-07-30 14:06:53.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/denyhosts.te 2010-08-13 13:33:16.000000000 -0400 @@ -25,7 +25,8 @@ # # DenyHosts personal policy. @@ -16411,7 +16526,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms; allow denyhosts_t self:tcp_socket create_socket_perms; allow denyhosts_t self:udp_socket create_socket_perms; -@@ -53,6 +54,7 @@ +@@ -53,20 +54,28 @@ corenet_tcp_sendrecv_generic_node(denyhosts_t) corenet_tcp_bind_generic_node(denyhosts_t) corenet_tcp_connect_smtp_port(denyhosts_t) @@ -16419,7 +16534,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny corenet_sendrecv_smtp_client_packets(denyhosts_t) dev_read_urand(denyhosts_t) -@@ -61,12 +63,18 @@ + + files_read_etc_files(denyhosts_t) ++files_read_usr_files(denyhosts_t) # /var/log/secure logging_read_generic_logs(denyhosts_t) 
@@ -16621,7 +16738,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.8.8/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/dovecot.te 2010-08-03 15:18:00.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/dovecot.te 2010-08-16 07:30:39.000000000 -0400 +@@ -18,7 +18,7 @@ + files_tmp_file(dovecot_auth_tmp_t) + + type dovecot_cert_t; +-files_type(dovecot_cert_t) ++miscfiles_cert_type(dovecot_cert_t) + + type dovecot_deliver_t; + type dovecot_deliver_exec_t; @@ -58,7 +58,7 @@ allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot }; @@ -16631,16 +16757,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove allow dovecot_t self:fifo_file rw_fifo_file_perms; allow dovecot_t self:tcp_socket create_stream_socket_perms; allow dovecot_t self:unix_dgram_socket create_socket_perms; -@@ -72,7 +72,7 @@ +@@ -72,7 +72,8 @@ read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) -allow dovecot_t dovecot_etc_t:file read_file_perms; ++allow dovecot_t dovecot_etc_t:dir list_dir_perms; +read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t) files_search_etc(dovecot_t) can_exec(dovecot_t, dovecot_exec_t) -@@ -94,10 +94,11 @@ +@@ -94,10 +95,11 @@ manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) @@ -16653,7 +16780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove kernel_read_kernel_sysctls(dovecot_t) kernel_read_system_state(dovecot_t) -@@ -242,6 +243,7 @@ +@@ -242,6 +244,7 @@ ') optional_policy(` 
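Review bot: Changing `dovecot_cert_t` from `files_type` to `miscfiles_cert_type` in dovecot.te places it in the shared certificate attribute, so every domain that is allowed to read certificate types presumably gains read access to it as well (the attribute's rules are not on this page). If dovecot's private key material carries the same label, it becomes readable by those domains. The ldap.te hunk makes the same change for `slapd_cert_t`. Each declaration should carry a comment stating what the type may contain, e.g. `# cert_type: readable by any domain allowed to read certificates; do not store private keys under this label`, or the keys should get a separate type.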
@@ -16661,7 +16788,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove postfix_search_spool(dovecot_auth_t) ') -@@ -253,19 +255,25 @@ +@@ -253,19 +256,26 @@ allow dovecot_deliver_t dovecot_t:process signull; @@ -16670,6 +16797,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; +allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms; ++allow dovecot_deliver_t dovecot_var_log_t:dir search_dir_perms; + +can_exec(dovecot_deliver_t, dovecot_deliver_exec_t) + @@ -16689,7 +16817,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove miscfiles_read_localization(dovecot_deliver_t) -@@ -302,4 +310,5 @@ +@@ -302,4 +312,5 @@ optional_policy(` mta_manage_spool(dovecot_deliver_t) @@ -18248,7 +18376,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.8.8/policy/modules/services/ldap.te --- nsaserefpolicy/policy/modules/services/ldap.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/ldap.te 2010-07-30 14:06:53.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/ldap.te 2010-08-12 15:47:23.000000000 -0400 +@@ -10,7 +10,7 @@ + init_daemon_domain(slapd_t, slapd_exec_t) + + type slapd_cert_t; +-files_type(slapd_cert_t) ++miscfiles_cert_type(slapd_cert_t) + + type slapd_db_t; + files_type(slapd_db_t) @@ -27,9 +27,15 @@ type slapd_replog_t; files_type(slapd_replog_t) 
@@ -19306,8 +19443,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.8.8/policy/modules/services/mta.fc --- nsaserefpolicy/policy/modules/services/mta.fc 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/mta.fc 2010-07-30 14:06:53.000000000 -0400 -@@ -13,6 +13,8 @@ ++++ serefpolicy-3.8.8/policy/modules/services/mta.fc 2010-08-17 07:18:28.000000000 -0400 +@@ -1,4 +1,7 @@ +-HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0) ++HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_home_t,s0) ++HOME_DIR/dead.letter -- gen_context(system_u:object_r:mail_home_t,s0) ++/root/\.forward -- gen_context(system_u:object_r:mail_home_t,s0) ++/root/dead.letter -- gen_context(system_u:object_r:mail_home_t,s0) + + /bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) + +@@ -13,6 +16,8 @@ /usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) @@ -19318,7 +19464,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.8.8/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/mta.if 2010-07-30 14:06:53.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/mta.if 2010-08-17 07:17:30.000000000 -0400 @@ -220,6 +220,25 @@ application_executable_file($1) ') @@ -19406,7 +19552,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') -@@ -899,3 +920,23 @@ +@@ -899,3 +920,43 @@ allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') 
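Review bot: The two new `dead.letter` entries in mta.fc leave the dot unescaped, unlike the `\.forward` entries beside them, so the regular expression also matches names such as `deadXletter` and labels them `mail_home_t`. Escape the dot in both lines: `HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)` and `/root/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)`.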
@@ -19430,15 +19576,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. +interface(`mta_filetrans_aliases',` + filetrans_pattern($1, $2, etc_aliases_t, file) +') ++ ++###################################### ++## ++## ALlow domain to read mail content in the homedir ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mta_read_home',` ++ gen_require(` ++ type mail_home_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ userdom_search_admin_dir($1) ++ read_files_pattern($1, mail_home_t, mail_home_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.8.8/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/mta.te 2010-07-30 14:06:53.000000000 -0400 -@@ -21,7 +21,7 @@ ++++ serefpolicy-3.8.8/policy/modules/services/mta.te 2010-08-17 07:17:58.000000000 -0400 +@@ -20,8 +20,8 @@ + type etc_mail_t; files_config_file(etc_mail_t) - type mail_forward_t; +-type mail_forward_t; -files_type(mail_forward_t) -+userdom_user_home_content(mail_forward_t) ++type mail_home_t alias mail_forward_t; ++userdom_user_home_content(mail_home_t) type mqueue_spool_t; files_mountpoint(mqueue_spool_t) 
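Review bot: `type mail_home_t alias mail_forward_t;` in mta.te puts `.forward`, which steers delivery, and `dead.letter`, which holds message content, under one type, and nothing at the declaration records that. Only read access is granted in the visible rules, but any later rule that lets a domain write `mail_home_t` (for example to save a dead letter) would also let it rewrite `.forward`. A comment at the type would warn the next editor, e.g. `# mail_home_t labels ~/.forward and ~/dead.letter; write access also covers .forward`. In mta.if the `mta_read_home` summary has a typo ("ALlow") and could name the files: `## Allow domain to read .forward and dead.letter in user home directories.`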
@@ -19564,15 +19732,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. smartmon_read_tmp_files(system_mail_t) ') -@@ -220,6 +215,7 @@ +@@ -220,7 +215,8 @@ create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +-read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t) +userdom_search_admin_dir(mailserver_delivery) - read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t) ++read_files_pattern(mailserver_delivery, mail_home_t, mail_home_t) read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) -@@ -292,3 +288,42 @@ + +@@ -249,6 +245,10 @@ + mailman_read_data_symlinks(mailserver_delivery) + ') + ++optional_policy(` ++ uucp_domtrans_uux(mailserver_delivery) ++') ++ + ######################################## + # + # User send mail local policy +@@ -292,3 +292,42 @@ postfix_read_config(user_mail_t) postfix_list_spool(user_mail_t) ') @@ -20580,7 +20761,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open kernel_list_proc(openct_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.8.8/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/openvpn.te 2010-07-30 14:06:53.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/openvpn.te 2010-08-12 16:38:44.000000000 -0400 @@ -24,6 +24,9 @@ type openvpn_etc_rw_t; files_config_file(openvpn_etc_rw_t) 
@@ -20605,7 +20786,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t) files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir }) -@@ -113,6 +120,7 @@ +@@ -68,6 +75,7 @@ + kernel_read_net_sysctls(openvpn_t) + kernel_read_network_state(openvpn_t) + kernel_read_system_state(openvpn_t) ++kernel_request_load_module(openvpn_t) + + corecmd_exec_bin(openvpn_t) + corecmd_exec_shell(openvpn_t) +@@ -113,6 +121,7 @@ sysnet_etc_filetrans_config(openvpn_t) userdom_use_user_terminals(openvpn_t) @@ -21296,7 +21485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.8.8/policy/modules/services/policykit.te --- nsaserefpolicy/policy/modules/services/policykit.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/policykit.te 2010-08-11 08:57:21.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/policykit.te 2010-08-11 09:09:19.000000000 -0400 @@ -24,6 +24,9 @@ type policykit_reload_t alias polkit_reload_t; files_type(policykit_reload_t) @@ -21324,7 +21513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli policykit_domtrans_auth(policykit_t) -@@ -56,10 +60,16 @@ +@@ -56,56 +60,107 @@ manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir }) @@ -21340,8 +21529,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli +fs_list_inotifyfs(policykit_t) auth_use_nsswitch(policykit_t) ++auth_read_var_auth(policykit_t) -@@ -67,45 +77,89 @@ + logging_send_syslog_msg(policykit_t) miscfiles_read_localization(policykit_t) 
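Review bot: `kernel_request_load_module(openvpn_t)` in openvpn.te lets a network-facing daemon trigger kernel module autoloading, and the hunk gives no reason or module name. Add a comment above the call recording what needs it, e.g. `# <module name>: autoloaded when openvpn opens its tunnel device`. Where the module can be loaded at boot instead, the permission can be left out of the daemon's domain altogether.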
@@ -21437,7 +21627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli dbus_session_bus_client(policykit_auth_t) optional_policy(` -@@ -118,6 +172,14 @@ +@@ -118,6 +173,14 @@ hal_read_state(policykit_auth_t) ') @@ -21452,7 +21642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli ######################################## # # polkit_grant local policy -@@ -125,7 +187,8 @@ +@@ -125,7 +188,8 @@ allow policykit_grant_t self:capability setuid; allow policykit_grant_t self:process getattr; @@ -21462,7 +21652,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli allow policykit_grant_t self:unix_dgram_socket create_socket_perms; allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; -@@ -155,9 +218,12 @@ +@@ -155,9 +219,12 @@ userdom_read_all_users_state(policykit_grant_t) optional_policy(` @@ -21476,7 +21666,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli consolekit_dbus_chat(policykit_grant_t) ') ') -@@ -169,7 +235,8 @@ +@@ -169,7 +236,8 @@ allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace }; allow policykit_resolve_t self:process getattr; @@ -24271,7 +24461,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.8.8/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/samba.te 2010-07-30 14:06:53.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/samba.te 2010-08-12 16:45:59.000000000 -0400 @@ -152,9 +152,6 @@ type winbind_log_t; logging_log_file(winbind_log_t) 
@@ -24361,7 +24551,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -692,6 +687,7 @@ +@@ -677,7 +672,7 @@ + allow swat_t nmbd_t:process { signal signull }; + allow nmbd_t swat_t:process signal; + +-allow swat_t smbd_var_run_t:file { lock unlink }; ++allow swat_t nmbd_var_run_t:file read_file_perms; + + allow swat_t smbd_port_t:tcp_socket name_bind; + +@@ -692,12 +687,14 @@ manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) manage_files_pattern(swat_t, samba_var_t, samba_var_t) @@ -24369,7 +24568,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t smbd_exec_t:file mmap_file_perms ; -@@ -710,6 +706,7 @@ + allow swat_t smbd_t:process signull; + + allow swat_t smbd_var_run_t:file read_file_perms; ++allow swat_t smbd_var_run_t:file { lock unlink }; + + manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) + manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) +@@ -710,6 +707,7 @@ domtrans_pattern(swat_t, winbind_exec_t, winbind_t) allow swat_t winbind_t:process { signal signull }; @@ -24377,7 +24583,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t winbind_var_run_t:dir { write add_name remove_name }; allow swat_t winbind_var_run_t:sock_file { create unlink }; -@@ -754,6 +751,8 @@ +@@ -754,6 +752,8 @@ miscfiles_read_localization(swat_t) @@ -24386,7 +24592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -806,14 +805,14 @@ +@@ -806,14 +806,14 @@ allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t, winbind_log_t, file) 
@@ -24406,7 +24612,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_read_kernel_sysctls(winbind_t) kernel_read_system_state(winbind_t) -@@ -833,6 +832,7 @@ +@@ -833,6 +833,7 @@ corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) @@ -24414,7 +24620,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -922,6 +922,18 @@ +@@ -922,6 +923,18 @@ # optional_policy(` @@ -24433,7 +24639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -932,9 +944,12 @@ +@@ -932,9 +945,12 @@ allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; 
@@ -26037,6 +26243,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucsp + daemontools_sigchld_run(ucspitcp_t) +') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.te serefpolicy-3.8.8/policy/modules/services/ulogd.te +--- nsaserefpolicy/policy/modules/services/ulogd.te 2010-07-27 16:06:06.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/ulogd.te 2010-08-17 06:53:12.000000000 -0400 +@@ -31,6 +31,7 @@ + + allow ulogd_t self:capability net_admin; + allow ulogd_t self:netlink_nflog_socket create_socket_perms; ++allow ulogd_t self:netlink_route_socket r_netlink_socket_perms; + + # config files + read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t) +@@ -43,6 +44,15 @@ + manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t) + logging_log_filetrans(ulogd_t, ulogd_var_log_t, file) + +-files_search_etc(ulogd_t) ++files_read_etc_files(ulogd_t) ++files_read_usr_files(ulogd_t) + + miscfiles_read_localization(ulogd_t) ++ ++optional_policy(` ++ mysql_stream_connect(ulogd_t) ++') ++ ++optional_policy(` ++ postgresql_stream_connect(ulogd_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.8.8/policy/modules/services/usbmuxd.fc --- nsaserefpolicy/policy/modules/services/usbmuxd.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/usbmuxd.fc 2010-07-30 14:06:53.000000000 -0400 
@@ -26179,12 +26413,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.8.8/policy/modules/services/virt.fc --- nsaserefpolicy/policy/modules/services/virt.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/virt.fc 2010-07-30 14:06:53.000000000 -0400 -@@ -13,17 +13,18 @@ ++++ serefpolicy-3.8.8/policy/modules/services/virt.fc 2010-08-13 13:57:22.000000000 -0400 +@@ -13,17 +13,19 @@ /etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0) ++/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0) -/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0) +/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) @@ -28865,7 +29100,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ifdef(`distro_suse', ` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.8.8/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/authlogin.if 2010-08-10 11:41:52.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/system/authlogin.if 2010-08-13 13:17:18.000000000 -0400 @@ -91,9 +91,12 @@ interface(`auth_login_pgm_domain',` gen_require(` 
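Review bot: The new virt.fc entry `/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)` reuses libvirtd's entrypoint type, so wherever a transition on `virtd_exec_t` is defined the Condor helper runs with everything `virtd_t` is allowed. Nothing in the hunk explains why it shares that domain instead of getting a narrower one of its own. A comment above the entry, e.g. `# condor_vm-gahp talks to libvirt directly; shares virtd_t until it has its own domain`, would record the trade-off for whoever audits `virtd_t` later.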
@@ -28887,7 +29122,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo files_list_var_lib($1) manage_files_pattern($1, var_auth_t, var_auth_t) -@@ -141,6 +145,7 @@ +@@ -126,6 +130,8 @@ + files_read_etc_files($1) + + fs_list_auto_mountpoints($1) ++ fs_manage_cgroup_dirs($1) ++ fs_manage_cgroup_files($1) + + selinux_get_fs_mount($1) + selinux_validate_context($1) +@@ -141,6 +147,7 @@ mls_process_set_level($1) mls_fd_share_all_levels($1) @@ -28895,7 +29139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo auth_use_pam($1) init_rw_utmp($1) -@@ -151,8 +156,38 @@ +@@ -151,8 +158,38 @@ seutil_read_config($1) seutil_read_default_contexts($1) @@ -28936,7 +29180,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ') -@@ -365,13 +400,15 @@ +@@ -365,13 +402,15 @@ ') optional_policy(` @@ -28953,7 +29197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ######################################## -@@ -418,6 +455,7 @@ +@@ -418,6 +457,7 @@ auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -28961,7 +29205,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ######################################## -@@ -1500,6 +1538,8 @@ +@@ -874,6 +914,26 @@ + + ######################################## + ## ++## Read var auth files. Used by various other applications ++## and pam applets etc. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_read_var_auth',` ++ gen_require(` ++ type var_auth_t; ++ ') ++ ++ files_search_var($1) ++ read_files_pattern($1, var_auth_t, var_auth_t) ++') ++ ++######################################## ++## + ## Manage var auth files. Used by various other applications + ## and pam applets etc. + ## +@@ -1500,6 +1560,8 @@ # interface(`auth_use_nsswitch',` 
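Review bot: `fs_manage_cgroup_dirs($1)` and `fs_manage_cgroup_files($1)` in `auth_login_pgm_domain` grant more than the 3.8.8-14 changelog entry describes ("Allow login programs to search /cgroups"). Every login program domain can now create, modify and delete cgroup directories and files rather than only traverse them. If the write access is required (for instance by a PAM module that places sessions into cgroups, which is not visible here), state that in a comment above the two lines, e.g. `# pam places the login session into a cgroup`. Otherwise narrow the grant to `fs_list_cgroup_dirs($1)`, which the init.te hunks already use for initrc_t. The interface body starts and ends outside the hunk.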
@@ -28970,7 +29241,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo files_list_var_lib($1) # read /etc/nsswitch.conf -@@ -1531,7 +1571,15 @@ +@@ -1531,7 +1593,15 @@ ') optional_policy(` @@ -29795,7 +30066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.8.8/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/init.te 2010-08-10 05:23:35.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/system/init.te 2010-08-17 06:09:36.000000000 -0400 @@ -16,6 +16,27 @@ ## gen_tunable(init_upstart, false) @@ -29907,7 +30178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -185,15 +216,66 @@ +@@ -185,15 +216,72 @@ sysadm_shell_domtrans(init_t) ') @@ -29928,9 +30199,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t + dev_write_kmsg(init_t) + dev_rw_autofs(init_t) + dev_manage_generic_dirs(init_t) ++ dev_manage_generic_files(init_t) + dev_read_generic_chr_files(init_t) + dev_relabelfrom_generic_chr_files(init_t) -+ dev_relabelto_autofs_dev(init_t) ++ dev_relabel_autofs_dev(init_t) ++ + files_mounton_all_mountpoints(init_t) + files_manage_all_pids_dirs(init_t) + @@ -29947,6 +30220,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t + init_read_script_state(init_t) + + seutil_read_file_contexts(init_t) ++ ++ optional_policy(` ++ udev_read_db(init_t) ++ ') +') + optional_policy(` 
@@ -29974,7 +30251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t nscd_socket_use(init_t) ') -@@ -211,7 +293,7 @@ +@@ -211,7 +299,7 @@ # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -29983,7 +30260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -240,6 +322,7 @@ +@@ -240,6 +328,7 @@ allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -29991,7 +30268,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t can_exec(initrc_t, initrc_tmp_t) manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) -@@ -257,11 +340,22 @@ +@@ -257,11 +346,22 @@ kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -30014,7 +30291,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t corecmd_exec_all_executables(initrc_t) -@@ -297,11 +391,13 @@ +@@ -297,11 +397,13 @@ dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -30028,7 +30305,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -320,8 +416,10 @@ +@@ -320,8 +422,10 @@ files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) 
@@ -30040,7 +30317,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -337,6 +435,8 @@ +@@ -337,6 +441,8 @@ files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -30049,7 +30326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t fs_delete_cgroup_dirs(initrc_t) fs_list_cgroup_dirs(initrc_t) -@@ -350,6 +450,8 @@ +@@ -350,6 +456,8 @@ fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -30058,7 +30335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -362,6 +464,7 @@ +@@ -362,6 +470,7 @@ mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -30066,7 +30343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t selinux_get_enforce_mode(initrc_t) -@@ -393,13 +496,14 @@ +@@ -393,13 +502,14 @@ miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -30082,7 +30359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t userdom_read_user_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such -@@ -472,7 +576,7 @@ +@@ -472,7 +582,7 @@ # Red Hat systems seem to have a stray # fd open from the initrd @@ -30091,7 +30368,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -518,6 +622,19 @@ +@@ -518,6 +628,19 @@ optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) 
@@ -30111,7 +30388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -525,10 +642,17 @@ +@@ -525,10 +648,17 @@ rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -30129,7 +30406,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -543,6 +667,35 @@ +@@ -543,6 +673,35 @@ ') ') @@ -30165,7 +30442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -555,6 +708,8 @@ +@@ -555,6 +714,8 @@ optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -30174,7 +30451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -571,6 +726,7 @@ +@@ -571,6 +732,7 @@ optional_policy(` cgroup_stream_connect(initrc_t) @@ -30182,7 +30459,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -583,6 +739,11 @@ +@@ -583,6 +745,11 @@ ') optional_policy(` @@ -30194,7 +30471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -599,6 +760,7 @@ +@@ -599,6 +766,7 @@ dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -30202,7 +30479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` consolekit_dbus_chat(initrc_t) -@@ -700,7 +862,12 @@ +@@ -700,7 +868,12 @@ ') optional_policy(` @@ -30215,7 +30492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -723,6 +890,10 @@ +@@ -723,6 +896,10 @@ ') optional_policy(` 
@@ -30226,7 +30503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -744,6 +915,10 @@ +@@ -744,6 +921,10 @@ ') optional_policy(` @@ -30237,7 +30514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -765,8 +940,6 @@ +@@ -765,8 +946,6 @@ # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -30246,7 +30523,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -779,10 +952,12 @@ +@@ -775,14 +954,21 @@ + ') + + optional_policy(` ++ # shorewall-init script run /var/lib/shorewall/firewall ++ shorewall_domtrans_lib(initrc_t) ++') ++ ++optional_policy(` + squid_read_config(initrc_t) squid_manage_logs(initrc_t) ') @@ -30259,7 +30545,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -804,11 +979,19 @@ +@@ -804,11 +990,19 @@ ') optional_policy(` @@ -30280,7 +30566,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -818,6 +1001,25 @@ +@@ -818,6 +1012,25 @@ optional_policy(` mono_domtrans(initrc_t) ') @@ -30306,7 +30592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -843,3 +1045,55 @@ +@@ -843,3 +1056,55 @@ optional_policy(` zebra_read_config(initrc_t) ') 
@@ -31737,8 +32023,76 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi /var/lib/msttcorefonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.8.8/policy/modules/system/miscfiles.if --- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/miscfiles.if 2010-07-30 14:06:53.000000000 -0400 -@@ -305,9 +305,6 @@ ++++ serefpolicy-3.8.8/policy/modules/system/miscfiles.if 2010-08-11 09:33:51.000000000 -0400 +@@ -2,6 +2,50 @@ + + ######################################## + ## ++## Make the specified type usable as a cert file. ++## ++## ++##

++## Make the specified type usable for cert files. ++## This will also make the type usable for files, making ++## calls to files_type() redundant. Failure to use this interface ++## for a temporary file may result in problems with ++## cert management tools. ++##

++##

++## Related interfaces: ++##

++## ++##

++## Example: ++##

++##

++## type mycertfile_t; ++## cert_type(mycertfile_t) ++## allow mydomain_t mycertfile_t:file read_file_perms; ++## files_search_etc(mydomain_t) ++##

++##
++## ++## ++## Type to be used for files. ++## ++## ++## ++# ++interface(`miscfiles_cert_type',` ++ gen_require(` ++ attribute cert_type; ++ ') ++ ++ typeattribute $1 cert_type; ++ files_type($1) ++') ++ ++######################################## ++## + ## Read system SSL certificates. + ## + ## +@@ -13,12 +57,12 @@ + # + interface(`miscfiles_read_certs',` + gen_require(` +- type cert_t; ++ attribute cert_type; + ') + +- allow $1 cert_t:dir list_dir_perms; +- read_files_pattern($1, cert_t, cert_t) +- read_lnk_files_pattern($1, cert_t, cert_t) ++ allow $1 cert_type:dir list_dir_perms; ++ read_files_pattern($1, cert_type, cert_type) ++ read_lnk_files_pattern($1, cert_type, cert_type) + ') + + ######################################## +@@ -305,9 +349,6 @@ allow $1 locale_t:dir list_dir_perms; read_files_pattern($1, locale_t, locale_t) read_lnk_files_pattern($1, locale_t, locale_t) @@ -31748,6 +32102,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi ') ######################################## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.8.8/policy/modules/system/miscfiles.te +--- nsaserefpolicy/policy/modules/system/miscfiles.te 2010-07-27 16:06:06.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/system/miscfiles.te 2010-08-11 09:33:09.000000000 -0400 +@@ -4,12 +4,13 @@ + # + # Declarations + # ++attribute cert_type; + + # + # cert_t is the type of files in the system certs directories. + # + type cert_t; +-files_type(cert_t) ++miscfiles_cert_type(cert_t) + + # + # fonts_t is the type of various font diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.8.8/policy/modules/system/modutils.if --- nsaserefpolicy/policy/modules/system/modutils.if 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/modutils.if 2010-07-30 14:06:53.000000000 -0400 
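Review bot: Switching `miscfiles_read_certs` in miscfiles.if from `cert_t` to the `cert_type` attribute gives every existing caller read access to any type tagged with `miscfiles_cert_type()`, and the userdomain.te hunk further down tags `home_cert_t` this way. If `home_cert_t` labels per-user key material (its file contexts are not visible here), domains that only needed the system certificate store can now read it. At minimum, add a warning above `typeattribute $1 cert_type;`, e.g. `# every miscfiles_read_certs() caller can read this type; do not use for private keys`. The new interface's documentation also needs a fix: its example calls `cert_type(mycertfile_t)` where `miscfiles_cert_type(mycertfile_t)` is meant, and the "temporary file" sentence appears to be copied from another interface.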
@@ -32905,7 +33277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.8.8/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.te 2010-07-30 14:06:53.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.te 2010-08-13 15:47:08.000000000 -0400 @@ -22,6 +22,9 @@ type selinux_config_t; files_type(selinux_config_t) @@ -37436,7 +37808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.8.8/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/userdomain.te 2010-07-30 14:06:53.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/system/userdomain.te 2010-08-12 15:46:21.000000000 -0400 @@ -43,6 +43,13 @@ ## @@ -37490,7 +37862,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t }; files_tmp_file(user_tmp_t) userdom_user_home_content(user_tmp_t) -@@ -94,3 +113,24 @@ +@@ -94,3 +113,25 @@ type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; dev_node(user_tty_device_t) ubac_constrained(user_tty_device_t) 
@@ -37504,6 +37876,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +ubac_constrained(home_bin_t) + +type home_cert_t; ++miscfiles_cert_type(home_cert_t) +userdom_user_home_content(home_cert_t) +ubac_constrained(home_cert_t) + diff --git a/selinux-policy.spec b/selinux-policy.spec index f45af40..3ec2e0a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.8.8 -Release: 12%{?dist} +Release: 15%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,15 @@ exit 0 %endif %changelog +* Tue Aug 17 2010 Dan Walsh 3.8.8-15 +- label dead.letter as mail_home_t + +* Fri Aug 13 2010 Dan Walsh 3.8.8-14 +- Allow login programs to search /cgroups + +* Thu Aug 12 2010 Dan Walsh 3.8.8-13 +- Fix cert handling + * Tue Aug 10 2010 Dan Walsh 3.8.8-12 - Fix devicekit_power bug - Allow policykit_auth_t more access.