From 9281e2cc41216b2dbc20d2546bdba0bb4ac73378 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Dec 11 2007 06:03:18 +0000 Subject: - Update to upstream - Allow httpd_sys_script_t to search users homedirs --- diff --git a/modules-targeted.conf b/modules-targeted.conf index 474c0b5..f2fc695 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -479,6 +479,13 @@ gnome = module # hal = module +# Layer: services +# Module: polkit +# +# Hardware abstraction layer +# +polkit = module + # Layer: system # Module: hostname # diff --git a/policy-20071130.patch b/policy-20071130.patch index 03f871f..03e1063 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -1,6 +1,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.2.3/config/appconfig-mcs/default_contexts --- nsaserefpolicy/config/appconfig-mcs/default_contexts 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.3/config/appconfig-mcs/default_contexts 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/config/appconfig-mcs/default_contexts 2007-12-06 16:37:24.000000000 -0500 @@ -1,15 +1,9 @@ -system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0 -system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 @@ -28,13 +28,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default +system_r:xdm_t:s0 system_r:unconfined_t:s0 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.2.3/config/appconfig-mcs/failsafe_context --- nsaserefpolicy/config/appconfig-mcs/failsafe_context 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.3/config/appconfig-mcs/failsafe_context 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/config/appconfig-mcs/failsafe_context 2007-12-06 16:37:24.000000000 -0500 @@ -1 +1 @@ -sysadm_r:sysadm_t:s0 +system_r:unconfined_t:s0 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts serefpolicy-3.2.3/config/appconfig-mcs/guest_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.3/config/appconfig-mcs/guest_u_default_contexts 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/config/appconfig-mcs/guest_u_default_contexts 2007-12-06 16:37:24.000000000 -0500 @@ -0,0 +1,4 @@ +system_r:local_login_t:s0 guest_r:guest_t:s0 +system_r:remote_login_t:s0 guest_r:guest_t:s0 @@ -42,7 +42,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u +system_r:crond_t:s0 guest_r:guest_crond_t:s0 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.2.3/config/appconfig-mcs/root_default_contexts --- nsaserefpolicy/config/appconfig-mcs/root_default_contexts 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.3/config/appconfig-mcs/root_default_contexts 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/config/appconfig-mcs/root_default_contexts 2007-12-06 16:37:24.000000000 -0500 @@ -1,11 +1,10 @@ -system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0 -system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 @@ -64,7 +64,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_de + diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.2.3/config/appconfig-mcs/seusers --- nsaserefpolicy/config/appconfig-mcs/seusers 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.3/config/appconfig-mcs/seusers 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/config/appconfig-mcs/seusers 2007-12-06 16:37:24.000000000 -0500 @@ -1,3 +1,2 @@ -system_u:system_u:s0-mcs_systemhigh root:root:s0-mcs_systemhigh @@ -72,13 +72,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers +__default__:system_u:s0 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.2.3/config/appconfig-mcs/userhelper_context --- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.3/config/appconfig-mcs/userhelper_context 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/config/appconfig-mcs/userhelper_context 2007-12-06 16:37:24.000000000 -0500 @@ -1 +1 @@ -system_u:sysadm_r:sysadm_t:s0 +system_u:system_r:unconfined_t:s0 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.2.3/config/appconfig-mcs/user_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts 2007-11-05 10:28:59.000000000 -0500 -+++ serefpolicy-3.2.3/config/appconfig-mcs/user_u_default_contexts 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/config/appconfig-mcs/user_u_default_contexts 2007-12-06 16:37:24.000000000 -0500 @@ -1,8 +1,7 @@ -system_r:local_login_t:s0 user_r:user_t:s0 -system_r:remote_login_t:s0 user_r:user_t:s0 @@ -97,7 +97,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_ +user_r:user_sudo_t:s0 system_r:unconfined_t:s0 user_r:user_t:s0 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.2.3/config/appconfig-mcs/xguest_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.3/config/appconfig-mcs/xguest_u_default_contexts 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/config/appconfig-mcs/xguest_u_default_contexts 2007-12-06 16:37:24.000000000 -0500 @@ -0,0 +1,5 @@ +system_r:local_login_t xguest_r:xguest_t:s0 +system_r:remote_login_t xguest_r:xguest_t:s0 @@ -106,7 +106,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_ +system_r:xdm_t xguest_r:xguest_t:s0 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.2.3/config/appconfig-mls/default_contexts --- nsaserefpolicy/config/appconfig-mls/default_contexts 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.3/config/appconfig-mls/default_contexts 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/config/appconfig-mls/default_contexts 2007-12-06 16:37:24.000000000 -0500 @@ -1,15 +1,12 @@ -system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0 -system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 @@ -136,7 +136,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default +user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts serefpolicy-3.2.3/config/appconfig-mls/guest_u_default_contexts --- nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.3/config/appconfig-mls/guest_u_default_contexts 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/config/appconfig-mls/guest_u_default_contexts 2007-12-06 16:37:24.000000000 -0500 @@ -0,0 +1,4 @@ +system_r:local_login_t:s0 guest_r:guest_t:s0 +system_r:remote_login_t:s0 guest_r:guest_t:s0 @@ -144,7 +144,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u +system_r:crond_t:s0 guest_r:guest_crond_t:s0 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts serefpolicy-3.2.3/config/appconfig-standard/guest_u_default_contexts --- nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.3/config/appconfig-standard/guest_u_default_contexts 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/config/appconfig-standard/guest_u_default_contexts 2007-12-06 16:37:24.000000000 -0500 @@ -0,0 +1,4 @@ +system_r:local_login_t guest_r:guest_t +system_r:remote_login_t guest_r:guest_t @@ -152,16 +152,52 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/gu +system_r:crond_t guest_r:guest_crond_t diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts serefpolicy-3.2.3/config/appconfig-standard/xguest_u_default_contexts --- nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.3/config/appconfig-standard/xguest_u_default_contexts 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/config/appconfig-standard/xguest_u_default_contexts 2007-12-06 16:37:24.000000000 -0500 @@ -0,0 +1,5 @@ +system_r:local_login_t xguest_r:xguest_t +system_r:remote_login_t xguest_r:xguest_t +system_r:sshd_t xguest_r:xguest_t +system_r:crond_t xguest_r:xguest_crond_t +system_r:xdm_t xguest_r:xguest_t +diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.2.3/Makefile +--- nsaserefpolicy/Makefile 2007-10-12 08:56:10.000000000 -0400 ++++ serefpolicy-3.2.3/Makefile 2007-12-11 00:02:37.000000000 -0500 +@@ -305,20 +305,22 @@ + + # parse-rolemap modulename,outputfile + define parse-rolemap +- $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ +- $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 ++ echo "" >> $2 ++# $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ ++# $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 + endef + + # perrole-expansion modulename,outputfile + define perrole-expansion +- $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 +- $(call parse-rolemap,$1,$2) +- $(verbose) echo "')" >> $2 +- +- $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 +- $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 +- $(call parse-rolemap-compat,$1,$2) +- $(verbose) echo "')" >> $2 ++ echo "No longer doing perrole-expansion" ++# $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 ++# $(call parse-rolemap,$1,$2) ++# $(verbose) echo "')" >> $2 ++ ++# $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 ++# $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 ++# $(call parse-rolemap-compat,$1,$2) ++# $(verbose) echo "')" >> $2 + endef + + # create-base-per-role-tmpl modulenames,outputfile diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.2.3/policy/flask/access_vectors --- nsaserefpolicy/policy/flask/access_vectors 2007-08-11 06:22:29.000000000 -0400 -+++ serefpolicy-3.2.3/policy/flask/access_vectors 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/flask/access_vectors 2007-12-06 16:37:24.000000000 -0500 @@ -639,6 +639,8 @@ send recv @@ -173,7 +209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors class key diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.2.3/policy/global_tunables --- nsaserefpolicy/policy/global_tunables 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.3/policy/global_tunables 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/global_tunables 2007-12-06 16:37:24.000000000 -0500 @@ -6,38 +6,35 @@ ## @@ -259,7 +295,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc serefpolicy-3.2.3/policy/modules/admin/alsa.fc --- nsaserefpolicy/policy/modules/admin/alsa.fc 2007-10-29 18:02:32.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/admin/alsa.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/admin/alsa.fc 2007-12-06 16:37:24.000000000 -0500 @@ -1,8 +1,11 @@ +/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) @@ -276,7 +312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc +/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.2.3/policy/modules/admin/alsa.if --- nsaserefpolicy/policy/modules/admin/alsa.if 2007-01-02 12:57:51.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/admin/alsa.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/admin/alsa.if 2007-12-06 16:37:24.000000000 -0500 @@ -74,3 +74,21 @@ read_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t) read_lnk_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t) @@ -301,7 +337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.2.3/policy/modules/admin/alsa.te --- nsaserefpolicy/policy/modules/admin/alsa.te 2007-10-29 18:02:32.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/admin/alsa.te 2007-12-06 14:18:59.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/admin/alsa.te 2007-12-06 16:37:24.000000000 -0500 @@ -8,12 +8,15 @@ type alsa_t; @@ -352,7 +388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te hal_use_fds(alsa_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.2.3/policy/modules/admin/anaconda.te --- nsaserefpolicy/policy/modules/admin/anaconda.te 2007-01-02 12:57:51.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/admin/anaconda.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/admin/anaconda.te 2007-12-06 16:37:24.000000000 -0500 @@ -31,16 +31,13 @@ modutils_domtrans_insmod(anaconda_t) @@ -373,7 +409,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anacond diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.2.3/policy/modules/admin/brctl.te --- nsaserefpolicy/policy/modules/admin/brctl.te 2007-10-23 07:37:52.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/admin/brctl.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/admin/brctl.te 2007-12-06 16:37:24.000000000 -0500 @@ -40,4 +40,5 @@ optional_policy(` @@ -382,7 +418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.t ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.2.3/policy/modules/admin/consoletype.te --- nsaserefpolicy/policy/modules/admin/consoletype.te 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/admin/consoletype.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/admin/consoletype.te 2007-12-06 16:37:24.000000000 -0500 @@ -8,9 +8,11 @@ type consoletype_t; @@ -431,7 +467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.2.3/policy/modules/admin/firstboot.te --- nsaserefpolicy/policy/modules/admin/firstboot.te 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/admin/firstboot.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/admin/firstboot.te 2007-12-06 16:37:24.000000000 -0500 @@ -120,6 +120,10 @@ usermanage_domtrans_admin_passwd(firstboot_t) ') @@ -453,7 +489,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstbo ') dnl end TODO diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.fc serefpolicy-3.2.3/policy/modules/admin/kismet.fc --- nsaserefpolicy/policy/modules/admin/kismet.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/admin/kismet.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/admin/kismet.fc 2007-12-06 16:37:24.000000000 -0500 @@ -0,0 +1,5 @@ + +/usr/bin/kismet -- gen_context(system_u:object_r:kismet_exec_t,s0) @@ -462,7 +498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. +/var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.2.3/policy/modules/admin/kismet.if --- nsaserefpolicy/policy/modules/admin/kismet.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/admin/kismet.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/admin/kismet.if 2007-12-06 16:37:24.000000000 -0500 @@ -0,0 +1,275 @@ + +## policy for kismet @@ -741,7 +777,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.2.3/policy/modules/admin/kismet.te --- nsaserefpolicy/policy/modules/admin/kismet.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/admin/kismet.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/admin/kismet.te 2007-12-06 16:37:24.000000000 -0500 @@ -0,0 +1,58 @@ +policy_module(kismet,1.0.0) + @@ -803,7 +839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.2.3/policy/modules/admin/kudzu.te --- nsaserefpolicy/policy/modules/admin/kudzu.te 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/admin/kudzu.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/admin/kudzu.te 2007-12-06 16:37:24.000000000 -0500 @@ -21,8 +21,8 @@ # Local policy # @@ -865,7 +901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.t -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.2.3/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/admin/logrotate.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/admin/logrotate.te 2007-12-06 16:37:24.000000000 -0500 @@ -96,6 +96,7 @@ files_read_etc_files(logrotate_t) files_read_etc_runtime_files(logrotate_t) @@ -876,7 +912,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota files_manage_generic_spool_dirs(logrotate_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.2.3/policy/modules/admin/logwatch.te --- nsaserefpolicy/policy/modules/admin/logwatch.te 2007-10-23 07:37:52.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/admin/logwatch.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/admin/logwatch.te 2007-12-06 16:37:24.000000000 -0500 @@ -59,10 +59,8 @@ files_read_usr_files(logwatch_t) files_search_spool(logwatch_t) @@ -907,7 +943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.2.3/policy/modules/admin/netutils.te --- nsaserefpolicy/policy/modules/admin/netutils.te 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/admin/netutils.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/admin/netutils.te 2007-12-06 16:37:24.000000000 -0500 @@ -94,6 +94,10 @@ ') @@ -936,7 +972,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.2.3/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/admin/prelink.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/admin/prelink.te 2007-12-06 16:37:24.000000000 -0500 @@ -26,7 +26,7 @@ # Local policy # @@ -996,7 +1032,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.2.3/policy/modules/admin/rpm.fc --- nsaserefpolicy/policy/modules/admin/rpm.fc 2006-11-16 17:15:26.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/admin/rpm.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/admin/rpm.fc 2007-12-06 16:37:24.000000000 -0500 @@ -11,6 +11,7 @@ /usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -1017,7 +1053,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.2.3/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2007-05-18 11:12:44.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/admin/rpm.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/admin/rpm.if 2007-12-06 16:37:24.000000000 -0500 @@ -152,6 +152,24 @@ ######################################## @@ -1213,7 +1249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.2.3/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2007-12-04 11:02:51.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/admin/rpm.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/admin/rpm.te 2007-12-06 16:37:24.000000000 -0500 @@ -179,7 +179,17 @@ ') @@ -1268,7 +1304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te java_domtrans(rpm_script_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.2.3/policy/modules/admin/sudo.if --- nsaserefpolicy/policy/modules/admin/sudo.if 2007-12-04 11:02:51.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/admin/sudo.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/admin/sudo.if 2007-12-06 16:37:24.000000000 -0500 @@ -55,7 +55,7 @@ # @@ -1340,7 +1376,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.2.3/policy/modules/admin/su.if --- nsaserefpolicy/policy/modules/admin/su.if 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/admin/su.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/admin/su.if 2007-12-06 16:37:24.000000000 -0500 @@ -41,12 +41,11 @@ allow $2 $1_su_t:process signal; @@ -1442,7 +1478,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s ####################################### diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.2.3/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2007-10-02 09:54:52.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/admin/tmpreaper.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/admin/tmpreaper.te 2007-12-06 16:37:24.000000000 -0500 @@ -28,6 +28,7 @@ files_purge_tmp(tmpreaper_t) # why does it need setattr? @@ -1464,7 +1500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.2.3/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2007-12-04 11:02:51.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/admin/usermanage.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/admin/usermanage.te 2007-12-06 16:37:24.000000000 -0500 @@ -92,6 +92,7 @@ dev_read_urand(chfn_t) @@ -1504,7 +1540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.fc serefpolicy-3.2.3/policy/modules/admin/vpn.fc --- nsaserefpolicy/policy/modules/admin/vpn.fc 2006-11-16 17:15:26.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/admin/vpn.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/admin/vpn.fc 2007-12-06 16:37:24.000000000 -0500 @@ -7,3 +7,5 @@ # sbin # @@ -1513,7 +1549,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.fc +/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if serefpolicy-3.2.3/policy/modules/admin/vpn.if --- nsaserefpolicy/policy/modules/admin/vpn.if 2007-01-02 12:57:51.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/admin/vpn.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/admin/vpn.if 2007-12-06 16:37:24.000000000 -0500 @@ -67,3 +67,25 @@ allow $1 vpnc_t:process signal; @@ -1542,7 +1578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.2.3/policy/modules/admin/vpn.te --- nsaserefpolicy/policy/modules/admin/vpn.te 2007-12-06 13:12:04.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/admin/vpn.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/admin/vpn.te 2007-12-06 16:37:24.000000000 -0500 @@ -22,10 +22,9 @@ # Local policy # @@ -1597,7 +1633,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.fc serefpolicy-3.2.3/policy/modules/apps/ethereal.fc --- nsaserefpolicy/policy/modules/apps/ethereal.fc 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/ethereal.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/ethereal.fc 2007-12-06 16:37:24.000000000 -0500 @@ -1,4 +1,4 @@ -HOME_DIR/\.ethereal(/.*)? gen_context(system_u:object_r:ROLE_ethereal_home_t,s0) +HOME_DIR/\.ethereal(/.*)? gen_context(system_u:object_r:user_ethereal_home_t,s0) @@ -1606,7 +1642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal /usr/sbin/tethereal.* -- gen_context(system_u:object_r:tethereal_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.if serefpolicy-3.2.3/policy/modules/apps/ethereal.if --- nsaserefpolicy/policy/modules/apps/ethereal.if 2007-07-23 10:20:12.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/ethereal.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/ethereal.if 2007-12-06 16:37:24.000000000 -0500 @@ -48,12 +48,10 @@ application_domain($1_ethereal_t,ethereal_exec_t) role $3 types $1_ethereal_t; @@ -1644,7 +1680,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal ####################################### diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.te serefpolicy-3.2.3/policy/modules/apps/ethereal.te --- nsaserefpolicy/policy/modules/apps/ethereal.te 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/ethereal.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/ethereal.te 2007-12-06 16:37:24.000000000 -0500 @@ -16,6 +16,13 @@ type tethereal_tmp_t; files_tmp_file(tethereal_tmp_t) @@ -1661,7 +1697,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal # Tethereal policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/evolution.fc serefpolicy-3.2.3/policy/modules/apps/evolution.fc --- nsaserefpolicy/policy/modules/apps/evolution.fc 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/evolution.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/evolution.fc 2007-12-06 16:37:24.000000000 -0500 @@ -2,13 +2,13 @@ # HOME_DIR/ # @@ -1681,7 +1717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/evolutio # /usr diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.fc serefpolicy-3.2.3/policy/modules/apps/gift.fc --- nsaserefpolicy/policy/modules/apps/gift.fc 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/gift.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/gift.fc 2007-12-06 16:37:24.000000000 -0500 @@ -1,4 +1,4 @@ -HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:ROLE_gift_home_t,s0) +HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:user_gift_home_t,s0) @@ -1690,7 +1726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.fc /usr/(local/)?bin/giftd -- gen_context(system_u:object_r:giftd_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.if serefpolicy-3.2.3/policy/modules/apps/gift.if --- nsaserefpolicy/policy/modules/apps/gift.if 2007-07-23 10:20:12.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/gift.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/gift.if 2007-12-06 16:37:24.000000000 -0500 @@ -43,9 +43,9 @@ application_domain($1_gift_t,gift_exec_t) role $3 types $1_gift_t; @@ -1755,7 +1791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.te serefpolicy-3.2.3/policy/modules/apps/gift.te --- nsaserefpolicy/policy/modules/apps/gift.te 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/gift.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/gift.te 2007-12-06 16:37:24.000000000 -0500 @@ -11,3 +11,7 @@ type giftd_exec_t; @@ -1766,7 +1802,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.te + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.2.3/policy/modules/apps/gnome.fc --- nsaserefpolicy/policy/modules/apps/gnome.fc 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/gnome.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/gnome.fc 2007-12-06 16:37:24.000000000 -0500 @@ -1,8 +1,7 @@ -HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:ROLE_gnome_home_t,s0) -HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:ROLE_gconf_home_t,s0) @@ -1782,7 +1818,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc /usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.2.3/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2007-07-23 10:20:12.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/gnome.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/gnome.if 2007-12-06 16:37:24.000000000 -0500 @@ -33,9 +33,60 @@ ## # @@ -2015,7 +2051,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.2.3/policy/modules/apps/gnome.te --- nsaserefpolicy/policy/modules/apps/gnome.te 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/gnome.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/gnome.te 2007-12-06 16:37:24.000000000 -0500 @@ -8,8 +8,15 @@ attribute gnomedomain; @@ -2037,7 +2073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te +files_tmp_file(user_gconf_tmp_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.2.3/policy/modules/apps/gpg.fc --- nsaserefpolicy/policy/modules/apps/gpg.fc 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/gpg.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/gpg.fc 2007-12-06 16:37:24.000000000 -0500 @@ -1,4 +1,4 @@ -HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:ROLE_gpg_secret_t,s0) +HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:user_gpg_secret_t,s0) @@ -2046,7 +2082,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc s /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.fc serefpolicy-3.2.3/policy/modules/apps/irc.fc --- nsaserefpolicy/policy/modules/apps/irc.fc 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/irc.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/irc.fc 2007-12-06 16:37:24.000000000 -0500 @@ -1,7 +1,7 @@ # # /home @@ -2058,7 +2094,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.fc s # /usr diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.if serefpolicy-3.2.3/policy/modules/apps/irc.if --- nsaserefpolicy/policy/modules/apps/irc.if 2007-07-23 10:20:12.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/irc.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/irc.if 2007-12-06 16:37:24.000000000 -0500 @@ -50,12 +50,11 @@ userdom_user_home_content($1,$1_irc_exec_t) application_domain($1_irc_t,$1_irc_exec_t) @@ -2107,7 +2143,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.if s domtrans_pattern($2,irc_exec_t,$1_irc_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.te serefpolicy-3.2.3/policy/modules/apps/irc.te --- nsaserefpolicy/policy/modules/apps/irc.te 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/irc.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/irc.te 2007-12-06 16:37:24.000000000 -0500 @@ -8,3 +8,10 @@ type irc_exec_t; @@ -2121,7 +2157,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.te s + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.2.3/policy/modules/apps/java.fc --- nsaserefpolicy/policy/modules/apps/java.fc 2007-03-01 10:01:48.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/apps/java.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/java.fc 2007-12-06 16:37:24.000000000 -0500 @@ -11,6 +11,7 @@ # /usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0) @@ -2144,7 +2180,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc +/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.2.3/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/java.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/java.if 2007-12-06 16:37:24.000000000 -0500 @@ -32,7 +32,7 @@ ## ## @@ -2302,7 +2338,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.2.3/policy/modules/apps/java.te --- nsaserefpolicy/policy/modules/apps/java.te 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/java.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/java.te 2007-12-06 16:37:24.000000000 -0500 @@ -6,13 +6,6 @@ # Declarations # @@ -2346,7 +2382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.2.3/policy/modules/apps/loadkeys.te --- nsaserefpolicy/policy/modules/apps/loadkeys.te 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/loadkeys.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/loadkeys.te 2007-12-06 16:37:24.000000000 -0500 @@ -44,3 +44,5 @@ optional_policy(` nscd_dontaudit_search_pid(loadkeys_t) @@ -2355,7 +2391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys +userdom_dontaudit_write_unpriv_user_home_content_files(loadkeys_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.2.3/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2007-01-02 12:57:22.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/apps/mono.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/mono.if 2007-12-06 16:37:24.000000000 -0500 @@ -18,3 +18,105 @@ corecmd_search_bin($1) domtrans_pattern($1, mono_exec_t, mono_t) @@ -2464,7 +2500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.2.3/policy/modules/apps/mono.te --- nsaserefpolicy/policy/modules/apps/mono.te 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/mono.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/mono.te 2007-12-06 16:37:24.000000000 -0500 @@ -15,7 +15,7 @@ # Local policy # @@ -2484,7 +2520,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.2.3/policy/modules/apps/mozilla.fc --- nsaserefpolicy/policy/modules/apps/mozilla.fc 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/mozilla.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/mozilla.fc 2007-12-06 16:37:24.000000000 -0500 @@ -1,8 +1,8 @@ -HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) -HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) @@ -2501,7 +2537,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. # /bin diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.2.3/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-10-29 07:52:48.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/mozilla.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/mozilla.if 2007-12-11 00:24:49.000000000 -0500 @@ -35,7 +35,10 @@ template(`mozilla_per_role_template',` gen_require(` @@ -2628,7 +2664,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. # Look for plugins corecmd_list_bin($1_mozilla_t) -@@ -165,11 +197,21 @@ +@@ -165,11 +197,23 @@ files_read_var_files($1_mozilla_t) files_read_var_symlinks($1_mozilla_t) files_dontaudit_getattr_boot_dirs($1_mozilla_t) @@ -2643,6 +2679,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. fs_search_auto_mountpoints($1_mozilla_t) fs_list_inotifyfs($1_mozilla_t) ++ fs_manage_dos_dirs($1_mozilla_t) ++ fs_manage_dos_files($1_mozilla_t) fs_rw_tmpfs_files($1_mozilla_t) + selinux_dontaudit_getattr_fs($1_mozilla_t) @@ -2650,7 +2688,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. term_dontaudit_getattr_pty_dirs($1_mozilla_t) libs_use_ld_so($1_mozilla_t) -@@ -184,12 +226,9 @@ +@@ -184,12 +228,9 @@ sysnet_dns_name_resolve($1_mozilla_t) sysnet_read_config($1_mozilla_t) @@ -2666,7 +2704,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t) xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t) -@@ -211,131 +250,8 @@ +@@ -211,131 +252,8 @@ fs_manage_cifs_symlinks($1_mozilla_t) ') @@ -2800,7 +2838,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') optional_policy(` -@@ -350,19 +266,25 @@ +@@ -350,19 +268,26 @@ optional_policy(` cups_read_rw_config($1_mozilla_t) cups_dbus_chat($1_mozilla_t) @@ -2810,6 +2848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. optional_policy(` dbus_system_bus_client_template($1_mozilla,$1_mozilla_t) - dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t) ++# dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t) ') optional_policy(` @@ -2828,7 +2867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') optional_policy(` -@@ -382,25 +304,6 @@ +@@ -382,25 +307,6 @@ thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t) ') @@ -2854,7 +2893,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') ######################################## -@@ -430,11 +333,11 @@ +@@ -430,11 +336,11 @@ # template(`mozilla_read_user_home_files',` gen_require(` @@ -2869,7 +2908,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') ######################################## -@@ -464,11 +367,11 @@ +@@ -464,11 +370,11 @@ # template(`mozilla_write_user_home_files',` gen_require(` @@ -2884,7 +2923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') ######################################## -@@ -573,3 +476,27 @@ +@@ -573,3 +479,27 @@ allow $2 $1_mozilla_t:tcp_socket rw_socket_perms; ') @@ -2914,7 +2953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.2.3/policy/modules/apps/mozilla.te --- nsaserefpolicy/policy/modules/apps/mozilla.te 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/mozilla.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/mozilla.te 2007-12-06 16:37:24.000000000 -0500 @@ -6,15 +6,15 @@ # Declarations # @@ -2940,7 +2979,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. +files_tmp_file(user_mozilla_tmp_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.fc serefpolicy-3.2.3/policy/modules/apps/mplayer.fc --- nsaserefpolicy/policy/modules/apps/mplayer.fc 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/mplayer.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/mplayer.fc 2007-12-06 16:37:24.000000000 -0500 @@ -10,4 +10,4 @@ /usr/bin/mencoder -- gen_context(system_u:object_r:mencoder_exec_t,s0) /usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0) @@ -2949,7 +2988,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer. +HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:user_mplayer_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.2.3/policy/modules/apps/mplayer.if --- nsaserefpolicy/policy/modules/apps/mplayer.if 2007-07-23 10:20:12.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/mplayer.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/mplayer.if 2007-12-06 16:37:24.000000000 -0500 @@ -35,6 +35,7 @@ template(`mplayer_per_role_template',` gen_require(` @@ -3029,7 +3068,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer. ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.te serefpolicy-3.2.3/policy/modules/apps/mplayer.te --- nsaserefpolicy/policy/modules/apps/mplayer.te 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/mplayer.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/mplayer.te 2007-12-06 16:37:24.000000000 -0500 @@ -22,3 +22,7 @@ type mplayer_exec_t; corecmd_executable_file(mplayer_exec_t) @@ -3040,7 +3079,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.2.3/policy/modules/apps/screen.fc --- nsaserefpolicy/policy/modules/apps/screen.fc 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/screen.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/screen.fc 2007-12-06 16:37:24.000000000 -0500 @@ -1,7 +1,7 @@ # # /home @@ -3052,7 +3091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.f # /usr diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.2.3/policy/modules/apps/screen.if --- nsaserefpolicy/policy/modules/apps/screen.if 2007-07-23 10:20:12.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/screen.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/screen.if 2007-12-06 16:37:24.000000000 -0500 @@ -50,8 +50,9 @@ type $1_screen_tmp_t; files_tmp_file($1_screen_tmp_t) @@ -3099,7 +3138,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.i kernel_read_kernel_sysctls($1_screen_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.te serefpolicy-3.2.3/policy/modules/apps/screen.te --- nsaserefpolicy/policy/modules/apps/screen.te 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/screen.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/screen.te 2007-12-06 16:37:24.000000000 -0500 @@ -11,3 +11,7 @@ type screen_exec_t; @@ -3110,7 +3149,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.t + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.fc serefpolicy-3.2.3/policy/modules/apps/thunderbird.fc --- nsaserefpolicy/policy/modules/apps/thunderbird.fc 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/thunderbird.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/thunderbird.fc 2007-12-06 16:37:24.000000000 -0500 @@ -3,4 +3,4 @@ # /usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0) @@ -3119,7 +3158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderb +HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:user_thunderbird_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.if serefpolicy-3.2.3/policy/modules/apps/thunderbird.if --- nsaserefpolicy/policy/modules/apps/thunderbird.if 2007-12-06 13:12:03.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/apps/thunderbird.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/thunderbird.if 2007-12-06 16:37:24.000000000 -0500 @@ -43,9 +43,9 @@ application_domain($1_thunderbird_t,thunderbird_exec_t) role $3 types $1_thunderbird_t; @@ -3169,7 +3208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderb kernel_read_network_state($1_thunderbird_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.te serefpolicy-3.2.3/policy/modules/apps/thunderbird.te --- nsaserefpolicy/policy/modules/apps/thunderbird.te 2007-12-06 13:12:03.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/apps/thunderbird.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/thunderbird.te 2007-12-06 16:37:24.000000000 -0500 @@ -8,3 +8,7 @@ type thunderbird_exec_t; @@ -3180,7 +3219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderb + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.if serefpolicy-3.2.3/policy/modules/apps/tvtime.if --- nsaserefpolicy/policy/modules/apps/tvtime.if 2007-07-23 10:20:12.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/tvtime.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/tvtime.if 2007-12-06 16:37:24.000000000 -0500 @@ -46,12 +46,10 @@ application_domain($1_tvtime_t,tvtime_exec_t) role $3 types $1_tvtime_t; @@ -3242,7 +3281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.i ps_process_pattern($2,$1_tvtime_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.te serefpolicy-3.2.3/policy/modules/apps/tvtime.te --- nsaserefpolicy/policy/modules/apps/tvtime.te 2007-10-02 09:54:50.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/tvtime.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/tvtime.te 2007-12-06 16:37:24.000000000 -0500 @@ -11,3 +11,9 @@ type tvtime_dir_t; @@ -3255,7 +3294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.t +files_tmp_file(user_tvtime_tmp_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.fc serefpolicy-3.2.3/policy/modules/apps/uml.fc --- nsaserefpolicy/policy/modules/apps/uml.fc 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/uml.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/uml.fc 2007-12-06 16:37:24.000000000 -0500 @@ -1,7 +1,7 @@ # # HOME_DIR/ @@ -3267,7 +3306,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.fc s # /usr diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.if serefpolicy-3.2.3/policy/modules/apps/userhelper.if --- nsaserefpolicy/policy/modules/apps/userhelper.if 2007-07-23 10:20:12.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/userhelper.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/userhelper.if 2007-12-06 16:37:24.000000000 -0500 @@ -130,6 +130,7 @@ term_use_all_user_ptys($1_userhelper_t) @@ -3303,7 +3342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.2.3/policy/modules/apps/vmware.fc --- nsaserefpolicy/policy/modules/apps/vmware.fc 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/vmware.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/vmware.fc 2007-12-06 16:37:24.000000000 -0500 @@ -1,9 +1,9 @@ # # HOME_DIR/ @@ -3350,7 +3389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.f +/var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.2.3/policy/modules/apps/vmware.if --- nsaserefpolicy/policy/modules/apps/vmware.if 2007-02-19 11:32:52.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/apps/vmware.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/vmware.if 2007-12-06 16:37:24.000000000 -0500 @@ -202,3 +202,22 @@ allow $1 vmware_sys_conf_t:file append; @@ -3376,7 +3415,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.i +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.2.3/policy/modules/apps/vmware.te --- nsaserefpolicy/policy/modules/apps/vmware.te 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/vmware.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/vmware.te 2007-12-06 16:37:24.000000000 -0500 @@ -22,17 +22,21 @@ type vmware_var_run_t; files_pid_file(vmware_var_run_t) @@ -3423,7 +3462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t domain_use_interactive_fds(vmware_host_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.2.3/policy/modules/apps/wine.if --- nsaserefpolicy/policy/modules/apps/wine.if 2007-09-12 10:34:17.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/wine.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/wine.if 2007-12-06 16:37:24.000000000 -0500 @@ -49,3 +49,53 @@ role $2 types wine_t; allow wine_t $3:chr_file rw_term_perms; @@ -3480,7 +3519,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.2.3/policy/modules/apps/wine.te --- nsaserefpolicy/policy/modules/apps/wine.te 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/apps/wine.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/apps/wine.te 2007-12-06 16:37:24.000000000 -0500 @@ -9,6 +9,7 @@ type wine_t; type wine_exec_t; @@ -3507,7 +3546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.3/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/kernel/corecommands.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/kernel/corecommands.fc 2007-12-06 16:37:24.000000000 -0500 @@ -168,8 +168,10 @@ /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) @@ -3539,7 +3578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco +/etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.2.3/policy/modules/kernel/corecommands.if --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2007-11-14 08:17:58.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/kernel/corecommands.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/kernel/corecommands.if 2007-12-06 16:37:24.000000000 -0500 @@ -875,6 +875,7 @@ read_lnk_files_pattern($1,bin_t,bin_t) @@ -3550,7 +3589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.3/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-11-29 13:29:34.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/kernel/corenetwork.te.in 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/kernel/corenetwork.te.in 2007-12-06 16:37:24.000000000 -0500 @@ -133,6 +133,7 @@ network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) @@ -3561,7 +3600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(postgresql, tcp,5432,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.2.3/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-11-14 16:20:13.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/kernel/devices.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/kernel/devices.fc 2007-12-06 16:37:24.000000000 -0500 @@ -4,6 +4,7 @@ /dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0) @@ -3611,7 +3650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device # used by init scripts to initally populate udev /dev diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.2.3/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/kernel/devices.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/kernel/devices.if 2007-12-06 16:37:24.000000000 -0500 @@ -65,7 +65,7 @@ relabelfrom_dirs_pattern($1,device_t,device_node) @@ -3768,7 +3807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.2.3/policy/modules/kernel/devices.te --- nsaserefpolicy/policy/modules/kernel/devices.te 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/kernel/devices.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/kernel/devices.te 2007-12-06 16:37:24.000000000 -0500 @@ -72,6 +72,13 @@ dev_node(kmsg_device_t) @@ -3785,7 +3824,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device type lvm_control_t; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.2.3/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2007-11-29 13:29:34.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/kernel/domain.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/kernel/domain.te 2007-12-06 16:37:24.000000000 -0500 @@ -148,3 +148,15 @@ # receive from all domains over labeled networking @@ -3804,7 +3843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.2.3/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/kernel/files.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/kernel/files.if 2007-12-06 16:37:24.000000000 -0500 @@ -1266,6 +1266,24 @@ ######################################## @@ -3895,7 +3934,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.2.3/policy/modules/kernel/files.te --- nsaserefpolicy/policy/modules/kernel/files.te 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/kernel/files.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/kernel/files.te 2007-12-06 16:37:24.000000000 -0500 @@ -55,6 +55,9 @@ # compatibility aliases for removed types: typealias etc_t alias automount_etc_t; @@ -3906,9 +3945,38 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # # etc_runtime_t is the type of various +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.2.3/policy/modules/kernel/filesystem.if +--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-10-24 15:00:24.000000000 -0400 ++++ serefpolicy-3.2.3/policy/modules/kernel/filesystem.if 2007-12-07 15:02:45.000000000 -0500 +@@ -1171,6 +1171,25 @@ + + ######################################## + ## ++## Create, read, write, and delete dirs ++## on a DOS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_manage_dos_dirs',` ++ gen_require(` ++ type dosfs_t; ++ ') ++ ++ manage_dirs_pattern($1,dosfs_t,dosfs_t) ++') ++ ++######################################## ++## + ## Create, read, write, and delete files + ## on a DOS filesystem. + ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.2.3/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/kernel/filesystem.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/kernel/filesystem.te 2007-12-07 13:27:59.000000000 -0500 @@ -25,6 +25,8 @@ fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); @@ -3932,8 +4000,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy files_mountpoint(vxfs_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.2.3/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/kernel/kernel.if 2007-12-06 14:13:13.000000000 -0500 -@@ -1194,6 +1194,7 @@ ++++ serefpolicy-3.2.3/policy/modules/kernel/kernel.if 2007-12-10 10:59:00.000000000 -0500 +@@ -851,9 +851,8 @@ + type proc_t, proc_afs_t; + ') + +- read_files_pattern($1,proc_t,proc_afs_t) +- + list_dirs_pattern($1,proc_t,proc_t) ++ rw_files_pattern($1,proc_afs_t,proc_afs_t) + ') + + ####################################### +@@ -1194,6 +1193,7 @@ ') dontaudit $1 proc_type:dir list_dir_perms; @@ -3941,7 +4020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ') ######################################## -@@ -1764,6 +1765,7 @@ +@@ -1764,6 +1764,7 @@ ') dontaudit $1 sysctl_type:dir list_dir_perms; @@ -3951,7 +4030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.2.3/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2007-11-16 13:45:14.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/kernel/selinux.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/kernel/selinux.if 2007-12-06 16:37:24.000000000 -0500 @@ -164,6 +164,7 @@ type security_t; ') @@ -4044,7 +4123,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.te serefpolicy-3.2.3/policy/modules/kernel/selinux.te --- nsaserefpolicy/policy/modules/kernel/selinux.te 2007-11-16 13:45:14.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/kernel/selinux.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/kernel/selinux.te 2007-12-06 16:37:24.000000000 -0500 @@ -10,6 +10,7 @@ attribute can_setenforce; attribute can_setsecparam; @@ -4067,7 +4146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.2.3/policy/modules/kernel/terminal.fc --- nsaserefpolicy/policy/modules/kernel/terminal.fc 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/kernel/terminal.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/kernel/terminal.fc 2007-12-06 16:37:24.000000000 -0500 @@ -14,6 +14,7 @@ /dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0) @@ -4076,9 +4155,38 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) /dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.2.3/policy/modules/kernel/terminal.if +--- nsaserefpolicy/policy/modules/kernel/terminal.if 2007-09-12 10:34:17.000000000 -0400 ++++ serefpolicy-3.2.3/policy/modules/kernel/terminal.if 2007-12-10 09:31:12.000000000 -0500 +@@ -525,11 +525,13 @@ + interface(`term_use_generic_ptys',` + gen_require(` + type devpts_t; ++ attribute server_ptynode; + ') + + dev_list_all_dev_nodes($1) + allow $1 devpts_t:dir list_dir_perms; + allow $1 devpts_t:chr_file { rw_term_perms lock append }; ++ allow $1 server_ptynode:chr_file { getattr read write ioctl }; + ') + + ######################################## +@@ -547,9 +549,11 @@ + interface(`term_dontaudit_use_generic_ptys',` + gen_require(` + type devpts_t; ++ attribute server_ptynode; + ') + + dontaudit $1 devpts_t:chr_file { getattr read write ioctl }; ++ dontaudit $1 server_ptynode:chr_file { getattr read write ioctl }; + ') + + ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.2.3/policy/modules/services/amavis.te --- nsaserefpolicy/policy/modules/services/amavis.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/amavis.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/amavis.te 2007-12-06 16:37:24.000000000 -0500 @@ -65,6 +65,7 @@ # Spool Files manage_dirs_pattern(amavis_t,amavis_spool_t,amavis_spool_t) @@ -4097,7 +4205,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav dev_read_rand(amavis_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.2.3/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/apache.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/apache.fc 2007-12-06 16:37:24.000000000 -0500 @@ -16,7 +16,6 @@ /usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) @@ -4125,7 +4233,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.2.3/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2007-10-23 17:17:42.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/apache.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/apache.if 2007-12-06 16:37:24.000000000 -0500 @@ -18,10 +18,6 @@ attribute httpd_script_exec_type; type httpd_t, httpd_suexec_t, httpd_log_t; @@ -4434,7 +4542,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.2.3/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/apache.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/apache.te 2007-12-06 16:37:24.000000000 -0500 @@ -20,20 +20,22 @@ # Declarations # @@ -4917,7 +5025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.if serefpolicy-3.2.3/policy/modules/services/apcupsd.if --- nsaserefpolicy/policy/modules/services/apcupsd.if 2007-09-12 10:34:18.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/apcupsd.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/apcupsd.if 2007-12-06 16:37:24.000000000 -0500 @@ -90,10 +90,29 @@ ## ## @@ -4951,7 +5059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.2.3/policy/modules/services/apcupsd.te --- nsaserefpolicy/policy/modules/services/apcupsd.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/apcupsd.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/apcupsd.te 2007-12-06 16:37:24.000000000 -0500 @@ -86,6 +86,11 @@ miscfiles_read_localization(apcupsd_t) @@ -4966,7 +5074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.fc serefpolicy-3.2.3/policy/modules/services/automount.fc --- nsaserefpolicy/policy/modules/services/automount.fc 2007-02-19 11:32:53.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/automount.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/automount.fc 2007-12-06 16:37:24.000000000 -0500 @@ -12,4 +12,4 @@ # /var # @@ -4975,7 +5083,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto +/var/run/autofs.* gen_context(system_u:object_r:automount_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.2.3/policy/modules/services/automount.if --- nsaserefpolicy/policy/modules/services/automount.if 2007-03-26 10:39:04.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/automount.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/automount.if 2007-12-06 16:37:24.000000000 -0500 @@ -74,3 +74,21 @@ dontaudit $1 automount_tmp_t:dir getattr; @@ -5000,7 +5108,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.2.3/policy/modules/services/automount.te --- nsaserefpolicy/policy/modules/services/automount.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/automount.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/automount.te 2007-12-06 16:37:24.000000000 -0500 @@ -52,7 +52,8 @@ files_root_filetrans(automount_t,automount_tmp_t,dir) @@ -5042,7 +5150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.2.3/policy/modules/services/avahi.te --- nsaserefpolicy/policy/modules/services/avahi.te 2007-10-29 07:52:49.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/avahi.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/avahi.te 2007-12-06 16:37:24.000000000 -0500 @@ -85,6 +85,7 @@ dbus_connect_system_bus(avahi_t) @@ -5053,7 +5161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.2.3/policy/modules/services/bind.te --- nsaserefpolicy/policy/modules/services/bind.te 2007-10-29 07:52:49.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/bind.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/bind.te 2007-12-06 16:37:24.000000000 -0500 @@ -9,7 +9,7 @@ ## ##

@@ -5065,7 +5173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind gen_tunable(named_write_master_zones,false) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.fc serefpolicy-3.2.3/policy/modules/services/bluetooth.fc --- nsaserefpolicy/policy/modules/services/bluetooth.fc 2006-11-16 17:15:20.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/bluetooth.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/bluetooth.fc 2007-12-06 16:37:24.000000000 -0500 @@ -22,3 +22,4 @@ # /var/lib/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_var_lib_t,s0) @@ -5073,7 +5181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue +/var/run/bluetoothd_address gen_context(system_u:object_r:bluetooth_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.2.3/policy/modules/services/bluetooth.te --- nsaserefpolicy/policy/modules/services/bluetooth.te 2007-10-29 07:52:49.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/bluetooth.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/bluetooth.te 2007-12-06 16:37:24.000000000 -0500 @@ -44,7 +44,7 @@ allow bluetooth_t self:shm create_shm_perms; allow bluetooth_t self:socket create_stream_socket_perms; @@ -5093,7 +5201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.2.3/policy/modules/services/clamav.fc --- nsaserefpolicy/policy/modules/services/clamav.fc 2007-09-05 15:24:44.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/clamav.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/clamav.fc 2007-12-06 16:37:24.000000000 -0500 @@ -5,16 +5,18 @@ /usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0) @@ -5117,7 +5225,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam /var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.2.3/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/clamav.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/clamav.te 2007-12-06 16:37:24.000000000 -0500 @@ -87,6 +87,7 @@ kernel_dontaudit_list_proc(clamd_t) kernel_read_sysctl(clamd_t) @@ -5156,7 +5264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.2.3/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/consolekit.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/consolekit.te 2007-12-06 16:37:24.000000000 -0500 @@ -36,6 +36,7 @@ domain_read_all_domains_state(consolekit_t) @@ -5193,7 +5301,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.2.3/policy/modules/services/courier.te --- nsaserefpolicy/policy/modules/services/courier.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/courier.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/courier.te 2007-12-06 16:37:24.000000000 -0500 @@ -58,6 +58,7 @@ files_getattr_tmp_dirs(courier_authdaemon_t) @@ -5204,7 +5312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cour diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.2.3/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2006-11-16 17:15:21.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/cron.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/cron.fc 2007-12-11 00:59:24.000000000 -0500 @@ -17,6 +17,8 @@ /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) @@ -5221,7 +5329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron +/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.2.3/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/cron.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/cron.if 2007-12-06 16:37:24.000000000 -0500 @@ -35,38 +35,23 @@ # template(`cron_per_role_template',` @@ -5473,7 +5581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.2.3/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2007-12-06 13:12:03.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/cron.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/cron.te 2007-12-06 16:37:24.000000000 -0500 @@ -50,6 +50,7 @@ type crond_tmp_t; @@ -5668,7 +5776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ifdef(`TODO',` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.2.3/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2007-11-16 15:30:49.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/cups.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/cups.fc 2007-12-06 16:37:24.000000000 -0500 @@ -8,17 +8,15 @@ /etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) @@ -5719,7 +5827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +/usr/local/Printer/[^/]*/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.2.3/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/cups.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/cups.te 2007-12-11 00:11:19.000000000 -0500 @@ -43,14 +43,12 @@ type cupsd_var_run_t; @@ -5746,9 +5854,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') ######################################## -@@ -81,11 +81,12 @@ +@@ -79,13 +79,14 @@ + # + # /usr/lib/cups/backend/serial needs sys_admin(?!) - allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config }; +-allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config }; ++allow cupsd_t self:capability { dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_admin sys_rawio sys_resource sys_tty_config }; dontaudit cupsd_t self:capability { sys_tty_config net_admin }; -allow cupsd_t self:process { setsched signal_perms }; -allow cupsd_t self:fifo_file rw_file_perms; @@ -5792,7 +5903,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups allow cupsd_t hplip_var_run_t:file { read getattr }; stream_connect_pattern(cupsd_t,ptal_var_run_t,ptal_var_run_t,ptal_t) -@@ -149,31 +156,39 @@ +@@ -149,32 +156,35 @@ corenet_tcp_bind_reserved_port(cupsd_t) corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) @@ -5818,24 +5929,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +mls_fd_use_all_levels(cupsd_t) mls_file_downgrade(cupsd_t) --mls_file_write_all_levels(cupsd_t) --mls_file_read_all_levels(cupsd_t) -+mls_file_write_down(cupsd_t) -+mls_file_read_up(cupsd_t) + mls_file_write_all_levels(cupsd_t) + mls_file_read_all_levels(cupsd_t) +mls_rangetrans_target(cupsd_t) mls_socket_write_all_levels(cupsd_t) term_use_unallocated_ttys(cupsd_t) term_search_ptys(cupsd_t) - auth_domtrans_chk_passwd(cupsd_t) -+auth_domtrans_upd_passwd_chk(cupsd_t) - auth_dontaudit_read_pam_pid(cupsd_t) -+auth_rw_faillog(cupsd_t) - +-auth_domtrans_chk_passwd(cupsd_t) +-auth_dontaudit_read_pam_pid(cupsd_t) +- # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp corecmd_exec_shell(cupsd_t) -@@ -186,7 +201,7 @@ + corecmd_exec_bin(cupsd_t) +@@ -186,7 +196,7 @@ # read python modules files_read_usr_files(cupsd_t) # for /var/lib/defoma @@ -5844,7 +5952,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups files_list_world_readable(cupsd_t) files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) -@@ -195,12 +210,9 @@ +@@ -195,15 +205,16 @@ files_read_var_symlinks(cupsd_t) # for /etc/printcap files_dontaudit_write_etc_files(cupsd_t) @@ -5858,7 +5966,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups init_exec_script_files(cupsd_t) -@@ -220,16 +232,37 @@ ++auth_domtrans_chk_passwd(cupsd_t) ++auth_domtrans_upd_passwd_chk(cupsd_t) ++auth_dontaudit_read_pam_pid(cupsd_t) ++auth_rw_faillog(cupsd_t) + auth_use_nsswitch(cupsd_t) + + libs_use_ld_so(cupsd_t) +@@ -220,16 +231,37 @@ seutil_read_config(cupsd_t) @@ -5898,7 +6013,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -242,6 +275,7 @@ +@@ -242,6 +274,7 @@ optional_policy(` dbus_system_bus_client_template(cupsd,cupsd_t) @@ -5906,7 +6021,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups userdom_dbus_send_all_users(cupsd_t) -@@ -263,6 +297,10 @@ +@@ -263,6 +296,10 @@ ') optional_policy(` @@ -5917,7 +6032,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups # cups execs smbtool which reads samba_etc_t files samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) -@@ -326,11 +364,13 @@ +@@ -326,6 +363,7 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) dev_read_rand(cupsd_config_t) @@ -5925,13 +6040,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups fs_getattr_all_fs(cupsd_config_t) fs_search_auto_mountpoints(cupsd_config_t) - - corecmd_exec_bin(cupsd_config_t) -+corecmd_exec_sbin(cupsd_config_t) - corecmd_exec_shell(cupsd_config_t) - - domain_use_interactive_fds(cupsd_config_t) -@@ -372,12 +412,17 @@ +@@ -372,12 +410,17 @@ ') optional_policy(` @@ -5949,7 +6058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups optional_policy(` hal_dbus_chat(cupsd_config_t) -@@ -387,6 +432,7 @@ +@@ -387,6 +430,7 @@ optional_policy(` hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) @@ -5957,7 +6066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -499,14 +545,12 @@ +@@ -499,14 +543,12 @@ allow hplip_t self:udp_socket create_socket_perms; allow hplip_t self:rawip_socket create_socket_perms; @@ -5976,7 +6085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t) files_pid_filetrans(hplip_t,hplip_var_run_t,file) -@@ -537,13 +581,15 @@ +@@ -537,14 +579,14 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) @@ -5989,11 +6098,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups # for python corecmd_exec_bin(hplip_t) -+corecmd_search_sbin(hplip_t) - +- domain_use_interactive_fds(hplip_t) -@@ -565,6 +611,7 @@ + files_read_etc_files(hplip_t) +@@ -565,6 +607,7 @@ userdom_dontaudit_search_all_users_home_content(hplip_t) lpd_read_config(cupsd_t) @@ -6003,7 +6112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups seutil_sigchld_newrole(hplip_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.2.3/policy/modules/services/cvs.te --- nsaserefpolicy/policy/modules/services/cvs.te 2007-11-15 13:40:14.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/cvs.te 2007-12-06 14:18:05.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/cvs.te 2007-12-06 16:37:24.000000000 -0500 @@ -69,6 +69,8 @@ fs_getattr_xattr_fs(cvs_t) @@ -6036,7 +6145,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs. -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.3/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/dbus.if 2007-12-06 14:22:51.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/dbus.if 2007-12-06 16:37:24.000000000 -0500 @@ -91,7 +91,7 @@ # SE-DBus specific permissions allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg; @@ -6101,9 +6210,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus + +') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.2.3/policy/modules/services/dcc.te +--- nsaserefpolicy/policy/modules/services/dcc.te 2007-10-12 08:56:07.000000000 -0400 ++++ serefpolicy-3.2.3/policy/modules/services/dcc.te 2007-12-10 16:49:33.000000000 -0500 +@@ -124,7 +124,7 @@ + # dcc procmail interface local policy + # + +-allow dcc_client_t self:capability setuid; ++allow dcc_client_t self:capability { setgid setuid }; + allow dcc_client_t self:unix_dgram_socket create_socket_perms; + allow dcc_client_t self:udp_socket create_socket_perms; + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.fc serefpolicy-3.2.3/policy/modules/services/dictd.fc --- nsaserefpolicy/policy/modules/services/dictd.fc 2006-11-16 17:15:20.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/dictd.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/dictd.fc 2007-12-06 16:37:24.000000000 -0500 @@ -4,3 +4,4 @@ /usr/sbin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0) @@ -6111,7 +6232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dict +/var/run/dictd\.pid -- gen_context(system_u:object_r:dictd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.te serefpolicy-3.2.3/policy/modules/services/dictd.te --- nsaserefpolicy/policy/modules/services/dictd.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/dictd.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/dictd.te 2007-12-06 16:37:24.000000000 -0500 @@ -16,6 +16,9 @@ type dictd_var_lib_t alias var_lib_dictd_t; files_type(dictd_var_lib_t) @@ -6134,7 +6255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dict diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.2.3/policy/modules/services/dnsmasq.te --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/dnsmasq.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/dnsmasq.te 2007-12-06 16:37:24.000000000 -0500 @@ -94,3 +94,7 @@ optional_policy(` udev_read_db(dnsmasq_t) @@ -6145,7 +6266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.2.3/policy/modules/services/dovecot.fc --- nsaserefpolicy/policy/modules/services/dovecot.fc 2006-11-16 17:15:21.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/dovecot.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/dovecot.fc 2007-12-06 16:37:24.000000000 -0500 @@ -17,19 +17,24 @@ ifdef(`distro_debian', ` @@ -6173,7 +6294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.2.3/policy/modules/services/dovecot.if --- nsaserefpolicy/policy/modules/services/dovecot.if 2007-01-02 12:57:43.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/dovecot.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/dovecot.if 2007-12-06 16:37:24.000000000 -0500 @@ -18,3 +18,43 @@ manage_files_pattern($1,dovecot_spool_t,dovecot_spool_t) manage_lnk_files_pattern($1,dovecot_spool_t,dovecot_spool_t) @@ -6220,7 +6341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.2.3/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/dovecot.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/dovecot.te 2007-12-06 20:31:31.000000000 -0500 @@ -15,6 +15,12 @@ domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t) role system_r types dovecot_auth_t; @@ -6308,14 +6429,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove files_read_usr_symlinks(dovecot_auth_t) files_search_tmp(dovecot_auth_t) files_read_var_lib_files(dovecot_t) -@@ -184,5 +203,45 @@ +@@ -184,5 +203,49 @@ ') optional_policy(` - logging_send_syslog_msg(dovecot_auth_t) + mysql_search_db(dovecot_auth_t) + mysql_stream_connect(dovecot_auth_t) - ') ++') + +optional_policy(` + nis_authenticate(dovecot_auth_t) @@ -6324,7 +6445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove +optional_policy(` + postfix_manage_pivate_sockets(dovecot_auth_t) + postfix_search_spool(dovecot_auth_t) -+') + ') + +# for gssapi (kerberos) +userdom_list_unpriv_users_tmp(dovecot_auth_t) @@ -6335,29 +6456,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove +# +# dovecot deliver local policy +# ++allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; ++ +allow dovecot_deliver_t dovecot_etc_t:file read_file_perms; +allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; + +kernel_read_all_sysctls(dovecot_deliver_t) +kernel_read_system_state(dovecot_deliver_t) + -+dovecot_auth_stream_connect(dovecot_deliver_t) -+ +files_read_etc_files(dovecot_deliver_t) +files_read_etc_runtime_files(dovecot_deliver_t) + +libs_use_ld_so(dovecot_deliver_t) +libs_use_shared_libs(dovecot_deliver_t) + ++logging_send_syslog_msg(dovecot_deliver_t) ++ +miscfiles_read_localization(dovecot_deliver_t) + ++dovecot_auth_stream_connect(dovecot_deliver_t) ++ +optional_policy(` + mta_manage_spool(dovecot_deliver_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.2.3/policy/modules/services/exim.if --- nsaserefpolicy/policy/modules/services/exim.if 2007-10-24 15:00:24.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/exim.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/exim.if 2007-12-06 16:37:24.000000000 -0500 @@ -117,6 +117,27 @@ ######################################## @@ -6388,7 +6513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.2.3/policy/modules/services/exim.te --- nsaserefpolicy/policy/modules/services/exim.te 2007-10-24 15:17:31.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/exim.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/exim.te 2007-12-06 16:37:24.000000000 -0500 @@ -21,9 +21,20 @@ ## gen_tunable(exim_manage_user_files,false) @@ -6567,7 +6692,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.2.3/policy/modules/services/ftp.if --- nsaserefpolicy/policy/modules/services/ftp.if 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/ftp.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/ftp.if 2007-12-06 16:37:24.000000000 -0500 @@ -28,11 +28,13 @@ type ftpd_t; ') @@ -6589,7 +6714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.2.3/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/ftp.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/ftp.te 2007-12-06 16:37:24.000000000 -0500 @@ -8,8 +8,8 @@ ## @@ -6672,8 +6797,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.2.3/policy/modules/services/hal.fc --- nsaserefpolicy/policy/modules/services/hal.fc 2007-11-14 08:17:58.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/hal.fc 2007-12-06 14:13:13.000000000 -0500 -@@ -8,18 +8,21 @@ ++++ serefpolicy-3.2.3/policy/modules/services/hal.fc 2007-12-10 23:43:33.000000000 -0500 +@@ -8,6 +8,7 @@ /usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0) /usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0) /usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) @@ -6681,9 +6806,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. /usr/sbin/hald -- gen_context(system_u:object_r:hald_exec_t,s0) - /var/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0) - -+/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0) +@@ -16,10 +17,11 @@ /var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0) /var/log/pm-suspend\.log gen_context(system_u:object_r:hald_log_t,s0) @@ -6697,9 +6820,55 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. ifdef(`distro_gentoo',` /var/lib/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.2.3/policy/modules/services/hal.if +--- nsaserefpolicy/policy/modules/services/hal.if 2007-09-05 15:24:44.000000000 -0400 ++++ serefpolicy-3.2.3/policy/modules/services/hal.if 2007-12-11 00:20:28.000000000 -0500 +@@ -302,3 +302,42 @@ + files_search_pids($1) + allow $1 hald_var_run_t:file rw_file_perms; + ') ++ ++######################################## ++##

++## Send a SIGCHLD signal to hal. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`hal_getattr',` ++ gen_require(` ++ type hald_t; ++ ') ++ ++ allow $1 hald_t:process getattr; ++') ++ ++######################################## ++## ++##f Read hal system state ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`hal_read_state',` ++ gen_require(` ++ type hald_t; ++ ') ++ kernel_search_proc($1) ++ allow $1 hald_t:dir list_dir_perms; ++ read_files_pattern($1,hald_t,hald_t) ++ read_lnk_files_pattern($1,hald_t,hald_t) ++ dontaudit $1 hald_t:process ptrace; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.2.3/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2007-11-14 08:17:58.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/hal.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/hal.te 2007-12-11 00:56:25.000000000 -0500 @@ -49,6 +49,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) @@ -6736,7 +6905,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. storage_raw_read_removable_device(hald_t) storage_raw_write_removable_device(hald_t) storage_raw_read_fixed_disk(hald_t) -@@ -291,6 +297,7 @@ +@@ -265,6 +271,10 @@ + ') + + optional_policy(` ++ polkit_domtrans_auth(hald_t) ++') ++ ++optional_policy(` + rpc_search_nfs_state_data(hald_t) + ') + +@@ -291,6 +301,7 @@ # allow hald_acl_t self:capability { dac_override fowner }; @@ -6744,7 +6924,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. allow hald_acl_t self:fifo_file read_fifo_file_perms; domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t) -@@ -338,10 +345,14 @@ +@@ -325,6 +336,11 @@ + + miscfiles_read_localization(hald_acl_t) + ++optional_policy(` ++ polkit_domtrans_auth(hald_acl_t) ++ polkit_search_lib(hald_acl_t) ++') ++ + ######################################## + # + # Local hald mac policy +@@ -338,10 +354,14 @@ manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t) files_search_var_lib(hald_mac_t) @@ -6759,9 +6951,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. libs_use_ld_so(hald_mac_t) libs_use_shared_libs(hald_mac_t) +@@ -391,3 +411,4 @@ + libs_use_shared_libs(hald_keymap_t) + + miscfiles_read_localization(hald_keymap_t) ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.2.3/policy/modules/services/inetd.te --- nsaserefpolicy/policy/modules/services/inetd.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/inetd.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/inetd.te 2007-12-06 16:37:24.000000000 -0500 @@ -30,6 +30,10 @@ type inetd_child_var_run_t; files_pid_file(inetd_child_var_run_t) @@ -6817,7 +7014,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.2.3/policy/modules/services/kerberos.fc --- nsaserefpolicy/policy/modules/services/kerberos.fc 2006-11-16 17:15:21.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/kerberos.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/kerberos.fc 2007-12-06 16:37:24.000000000 -0500 @@ -16,3 +16,4 @@ /var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0) @@ -6825,7 +7022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb +/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.2.3/policy/modules/services/kerberos.if --- nsaserefpolicy/policy/modules/services/kerberos.if 2007-07-16 14:09:46.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/kerberos.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/kerberos.if 2007-12-06 16:37:24.000000000 -0500 @@ -43,7 +43,13 @@ dontaudit $1 krb5kdc_conf_t:dir list_dir_perms; dontaudit $1 krb5kdc_conf_t:file rw_file_perms; @@ -6906,7 +7103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.2.3/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/kerberos.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/kerberos.te 2007-12-06 16:37:24.000000000 -0500 @@ -8,7 +8,7 @@ ## @@ -6996,7 +7193,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.2.3/policy/modules/services/mailman.te --- nsaserefpolicy/policy/modules/services/mailman.te 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/mailman.te 2007-12-06 14:20:26.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/mailman.te 2007-12-06 16:37:24.000000000 -0500 @@ -53,10 +53,9 @@ apache_use_fds(mailman_cgi_t) apache_dontaudit_append_log(mailman_cgi_t) @@ -7031,13 +7228,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.fc serefpolicy-3.2.3/policy/modules/services/mailscanner.fc --- nsaserefpolicy/policy/modules/services/mailscanner.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/mailscanner.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/mailscanner.fc 2007-12-06 16:37:24.000000000 -0500 @@ -0,0 +1,2 @@ +/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:mailscanner_spool_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.if serefpolicy-3.2.3/policy/modules/services/mailscanner.if --- nsaserefpolicy/policy/modules/services/mailscanner.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/mailscanner.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/mailscanner.if 2007-12-06 16:37:24.000000000 -0500 @@ -0,0 +1,59 @@ +## Anti-Virus and Anti-Spam Filter + @@ -7100,7 +7297,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.te serefpolicy-3.2.3/policy/modules/services/mailscanner.te --- nsaserefpolicy/policy/modules/services/mailscanner.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/mailscanner.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/mailscanner.te 2007-12-06 16:37:24.000000000 -0500 @@ -0,0 +1,5 @@ + +policy_module(mailscanner,1.0.0) @@ -7109,7 +7306,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail +files_type(mailscanner_spool_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.2.3/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2007-12-06 13:12:03.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/mta.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/mta.if 2007-12-06 16:48:23.000000000 -0500 @@ -133,6 +133,12 @@ sendmail_create_log($1_mail_t) ') @@ -7182,7 +7379,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## Modified mailserver interface for ## sendmail daemon use. ## -@@ -383,6 +434,7 @@ +@@ -383,11 +434,13 @@ allow $1 mail_spool_t:dir list_dir_perms; create_files_pattern($1,mail_spool_t,mail_spool_t) read_files_pattern($1,mail_spool_t,mail_spool_t) @@ -7190,7 +7387,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. create_lnk_files_pattern($1,mail_spool_t,mail_spool_t) read_lnk_files_pattern($1,mail_spool_t,mail_spool_t) -@@ -438,20 +490,18 @@ + optional_policy(` + dovecot_manage_spool($1) ++ dovecot_domtrans_deliver($1) + ') + + optional_policy(` +@@ -438,20 +491,18 @@ interface(`mta_send_mail',` gen_require(` attribute mta_user_agent; @@ -7217,7 +7420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ######################################## -@@ -586,6 +636,25 @@ +@@ -586,6 +637,25 @@ files_search_etc($1) allow $1 etc_aliases_t:file { rw_file_perms setattr }; ') @@ -7245,7 +7448,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.3/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2007-12-06 13:12:03.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/mta.te 2007-12-06 14:16:01.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/mta.te 2007-12-06 16:37:24.000000000 -0500 @@ -6,6 +6,8 @@ # Declarations # @@ -7341,7 +7544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.2.3/policy/modules/services/mysql.fc --- nsaserefpolicy/policy/modules/services/mysql.fc 2006-11-16 17:15:20.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/mysql.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/mysql.fc 2007-12-06 16:37:24.000000000 -0500 @@ -22,3 +22,5 @@ /var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0) @@ -7350,7 +7553,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq +/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.2.3/policy/modules/services/mysql.if --- nsaserefpolicy/policy/modules/services/mysql.if 2007-01-02 12:57:43.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/mysql.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/mysql.if 2007-12-06 16:37:24.000000000 -0500 @@ -157,3 +157,79 @@ logging_search_logs($1) allow $1 mysqld_log_t:file { write append setattr ioctl }; @@ -7433,7 +7636,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.2.3/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/mysql.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/mysql.te 2007-12-06 16:37:24.000000000 -0500 @@ -25,6 +25,9 @@ type mysqld_tmp_t; files_tmp_file(mysqld_tmp_t) @@ -7446,7 +7649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq # Local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.2.3/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2006-11-16 17:15:20.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/nagios.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/nagios.fc 2007-12-06 16:37:24.000000000 -0500 @@ -4,13 +4,15 @@ /usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) /usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) @@ -7468,7 +7671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi +/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.2.3/policy/modules/services/nagios.if --- nsaserefpolicy/policy/modules/services/nagios.if 2007-01-02 12:57:43.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/nagios.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/nagios.if 2007-12-06 16:37:24.000000000 -0500 @@ -44,25 +44,6 @@ ######################################## @@ -7497,7 +7700,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.2.3/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/nagios.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/nagios.te 2007-12-06 16:37:24.000000000 -0500 @@ -8,11 +8,7 @@ type nagios_t; @@ -7596,7 +7799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.2.3/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2007-09-12 10:34:18.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/networkmanager.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/networkmanager.fc 2007-12-06 16:37:24.000000000 -0500 @@ -5,3 +5,4 @@ /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) @@ -7604,7 +7807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw +/var/log/wpa_supplicant\.log -- gen_context(system_u:object_r:NetworkManager_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.2.3/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-10-29 07:52:49.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/networkmanager.te 2007-12-06 14:23:39.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/networkmanager.te 2007-12-06 16:37:24.000000000 -0500 @@ -13,6 +13,9 @@ type NetworkManager_var_run_t; files_pid_file(NetworkManager_var_run_t) @@ -7691,7 +7894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.2.3/policy/modules/services/nis.fc --- nsaserefpolicy/policy/modules/services/nis.fc 2007-02-19 11:32:53.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/nis.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/nis.fc 2007-12-06 16:37:24.000000000 -0500 @@ -4,6 +4,7 @@ /sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) @@ -7702,7 +7905,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. /usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.2.3/policy/modules/services/nis.if --- nsaserefpolicy/policy/modules/services/nis.if 2007-07-16 14:09:46.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/nis.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/nis.if 2007-12-06 16:37:24.000000000 -0500 @@ -49,8 +49,8 @@ corenet_udp_bind_all_nodes($1) corenet_tcp_bind_generic_port($1) @@ -7742,7 +7945,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.2.3/policy/modules/services/nis.te --- nsaserefpolicy/policy/modules/services/nis.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/nis.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/nis.te 2007-12-06 16:37:24.000000000 -0500 @@ -113,6 +113,17 @@ userdom_dontaudit_use_unpriv_user_fds(ypbind_t) userdom_dontaudit_search_sysadm_home_dirs(ypbind_t) @@ -7800,7 +8003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. corenet_tcp_connect_all_ports(ypxfr_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.2.3/policy/modules/services/nscd.fc --- nsaserefpolicy/policy/modules/services/nscd.fc 2006-11-16 17:15:20.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/nscd.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/nscd.fc 2007-12-06 16:37:24.000000000 -0500 @@ -9,3 +9,5 @@ /var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0) @@ -7809,7 +8012,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd +/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:httpd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.2.3/policy/modules/services/nscd.if --- nsaserefpolicy/policy/modules/services/nscd.if 2007-03-26 10:39:04.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/nscd.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/nscd.if 2007-12-06 16:37:24.000000000 -0500 @@ -70,15 +70,14 @@ interface(`nscd_socket_use',` gen_require(` @@ -7853,7 +8056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.2.3/policy/modules/services/nscd.te --- nsaserefpolicy/policy/modules/services/nscd.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/nscd.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/nscd.te 2007-12-06 16:37:24.000000000 -0500 @@ -23,19 +23,22 @@ type nscd_log_t; logging_log_file(nscd_log_t) @@ -7921,7 +8124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.fc serefpolicy-3.2.3/policy/modules/services/ntp.fc --- nsaserefpolicy/policy/modules/services/ntp.fc 2006-11-16 17:15:21.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/ntp.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/ntp.fc 2007-12-06 16:37:24.000000000 -0500 @@ -17,3 +17,8 @@ /var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0) @@ -7933,7 +8136,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. +/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.2.3/policy/modules/services/ntp.if --- nsaserefpolicy/policy/modules/services/ntp.if 2007-03-26 10:39:05.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/ntp.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/ntp.if 2007-12-06 16:37:24.000000000 -0500 @@ -53,3 +53,22 @@ corecmd_search_bin($1) domtrans_pattern($1,ntpdate_exec_t,ntpd_t) @@ -7959,7 +8162,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.2.3/policy/modules/services/ntp.te --- nsaserefpolicy/policy/modules/services/ntp.te 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/ntp.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/ntp.te 2007-12-06 16:37:24.000000000 -0500 @@ -25,6 +25,12 @@ type ntpdate_exec_t; init_system_domain(ntpd_t,ntpdate_exec_t) @@ -8023,7 +8226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openct.te serefpolicy-3.2.3/policy/modules/services/openct.te --- nsaserefpolicy/policy/modules/services/openct.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/openct.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/openct.te 2007-12-06 16:37:24.000000000 -0500 @@ -22,6 +22,7 @@ allow openct_t self:process signal_perms; @@ -8034,7 +8237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open kernel_read_kernel_sysctls(openct_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.fc serefpolicy-3.2.3/policy/modules/services/openvpn.fc --- nsaserefpolicy/policy/modules/services/openvpn.fc 2007-06-11 16:05:22.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/openvpn.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/openvpn.fc 2007-12-06 16:37:24.000000000 -0500 @@ -11,5 +11,5 @@ # # /var @@ -8044,7 +8247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open /var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.2.3/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2007-10-29 07:52:49.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/openvpn.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/openvpn.te 2007-12-10 09:37:01.000000000 -0500 @@ -8,7 +8,7 @@ ## @@ -8054,6 +8257,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open ##

##
gen_tunable(openvpn_enable_homedirs,false) +@@ -35,7 +35,7 @@ + # openvpn local policy + # + +-allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_tty_config }; ++allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_chroot sys_tty_config }; + allow openvpn_t self:process { signal getsched }; + + allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto }; @@ -110,3 +110,12 @@ networkmanager_dbus_chat(openvpn_t) @@ -8069,7 +8281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.2.3/policy/modules/services/pcscd.te --- nsaserefpolicy/policy/modules/services/pcscd.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/pcscd.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/pcscd.te 2007-12-06 16:37:24.000000000 -0500 @@ -45,6 +45,7 @@ files_read_etc_files(pcscd_t) files_read_etc_runtime_files(pcscd_t) @@ -8080,7 +8292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcsc libs_use_ld_so(pcscd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.2.3/policy/modules/services/pegasus.te --- nsaserefpolicy/policy/modules/services/pegasus.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/pegasus.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/pegasus.te 2007-12-06 16:37:24.000000000 -0500 @@ -42,6 +42,7 @@ allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink }; allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; @@ -8128,9 +8340,122 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega rpm_exec(pegasus_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.2.3/policy/modules/services/polkit.fc +--- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/polkit.fc 2007-12-11 00:42:20.000000000 -0500 +@@ -0,0 +1,5 @@ ++ ++/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0) ++ ++/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) ++/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.2.3/policy/modules/services/polkit.if +--- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/polkit.if 2007-12-11 00:56:05.000000000 -0500 +@@ -0,0 +1,41 @@ ++ ++## policy for polkit_auth ++ ++######################################## ++## ++## Execute a domain transition to run polkit_auth. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`polkit_domtrans_auth',` ++ gen_require(` ++ type polkit_auth_t; ++ type polkit_auth_exec_t; ++ ') ++ ++ domtrans_pattern($1,polkit_auth_exec_t,polkit_auth_t) ++') ++ ++######################################## ++## ++## Search polkit lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`polkit_search_lib',` ++ gen_require(` ++ type polkit_var_lib_t; ++ ') ++ ++ allow $1 polkit_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.2.3/policy/modules/services/polkit.te +--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/polkit.te 2007-12-11 00:18:16.000000000 -0500 +@@ -0,0 +1,55 @@ ++policy_module(polkit_auth,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type polkit_auth_t; ++type polkit_auth_exec_t; ++domain_type(polkit_auth_t) ++init_daemon_domain(polkit_auth_t, polkit_auth_exec_t) ++ ++type polkit_var_lib_t; ++files_type(polkit_var_lib_t) ++ ++######################################## ++# ++# polkit_auth local policy ++# ++ ++allow polkit_auth_t self:process getattr; ++ ++allow polkit_auth_t self:unix_dgram_socket create_socket_perms; ++allow polkit_auth_t self:fifo_file rw_file_perms; ++allow polkit_auth_t self:unix_stream_socket create_stream_socket_perms; ++ ++can_exec(polkit_auth_t, polkit_auth_exec_t) ++corecmd_search_bin(polkit_auth_t) ++ ++domain_use_interactive_fds(polkit_auth_t) ++ ++files_read_etc_files(polkit_auth_t) ++files_read_usr_files(polkit_auth_t) ++ ++auth_use_nsswitch(polkit_auth_t) ++ ++libs_use_ld_so(polkit_auth_t) ++libs_use_shared_libs(polkit_auth_t) ++ ++miscfiles_read_localization(polkit_auth_t) ++ ++logging_send_syslog_msg(polkit_auth_t) ++ ++manage_files_pattern(polkit_auth_t, polkit_var_lib_t, polkit_var_lib_t) ++ ++optional_policy(` ++ dbus_system_bus_client_template(polkit_auth, polkit_auth_t) ++ consolekit_dbus_chat(polkit_auth_t) ++') ++ ++optional_policy(` ++ hal_getattr(polkit_auth_t) ++ hal_read_state(polkit_auth_t) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portslave.te serefpolicy-3.2.3/policy/modules/services/portslave.te --- nsaserefpolicy/policy/modules/services/portslave.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/portslave.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/portslave.te 2007-12-06 16:37:24.000000000 -0500 @@ -85,6 +85,7 @@ auth_rw_login_records(portslave_t) @@ -8141,7 +8466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.2.3/policy/modules/services/postfix.fc --- nsaserefpolicy/policy/modules/services/postfix.fc 2007-09-12 10:34:18.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/postfix.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/postfix.fc 2007-12-06 16:37:24.000000000 -0500 @@ -29,12 +29,10 @@ /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) @@ -8157,7 +8482,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.2.3/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/postfix.if 2007-12-06 14:21:28.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/postfix.if 2007-12-06 16:37:24.000000000 -0500 @@ -427,6 +427,26 @@ ######################################## @@ -8187,7 +8512,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.2.3/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/postfix.te 2007-12-06 14:16:10.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/postfix.te 2007-12-06 16:37:24.000000000 -0500 @@ -6,6 +6,14 @@ # Declarations # @@ -8309,7 +8634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post # Postfix virtual local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.2.3/policy/modules/services/postgresql.fc --- nsaserefpolicy/policy/modules/services/postgresql.fc 2006-11-16 17:15:21.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/postgresql.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/postgresql.fc 2007-12-06 16:37:24.000000000 -0500 @@ -38,3 +38,5 @@ ') @@ -8318,7 +8643,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +/etc/rc\.d/init\.d/postgresql -- gen_context(system_u:object_r:postgresql_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.2.3/policy/modules/services/postgresql.if --- nsaserefpolicy/policy/modules/services/postgresql.if 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/postgresql.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/postgresql.if 2007-12-06 16:37:24.000000000 -0500 @@ -120,3 +120,77 @@ # Some versions of postgresql put the sock file in /tmp allow $1 postgresql_tmp_t:sock_file write; @@ -8399,7 +8724,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.2.3/policy/modules/services/postgresql.te --- nsaserefpolicy/policy/modules/services/postgresql.te 2007-12-06 13:12:03.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/postgresql.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/postgresql.te 2007-12-06 16:37:24.000000000 -0500 @@ -27,6 +27,9 @@ type postgresql_var_run_t; files_pid_file(postgresql_var_run_t) @@ -8412,7 +8737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post # postgresql Local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.2.3/policy/modules/services/ppp.fc --- nsaserefpolicy/policy/modules/services/ppp.fc 2006-11-16 17:15:20.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/ppp.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/ppp.fc 2007-12-06 16:37:24.000000000 -0500 @@ -25,7 +25,7 @@ # # /var @@ -8424,7 +8749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. # Fix pptp sockets diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.2.3/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2007-11-16 13:45:14.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/ppp.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/ppp.te 2007-12-06 16:37:24.000000000 -0500 @@ -194,6 +194,8 @@ optional_policy(` @@ -8436,7 +8761,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.2.3/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2007-11-16 13:45:14.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/procmail.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/procmail.te 2007-12-06 16:37:24.000000000 -0500 @@ -133,3 +133,7 @@ spamassassin_exec_client(procmail_t) spamassassin_read_lib_files(procmail_t) @@ -8447,7 +8772,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.2.3/policy/modules/services/pyzor.fc --- nsaserefpolicy/policy/modules/services/pyzor.fc 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/pyzor.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/pyzor.fc 2007-12-06 16:37:24.000000000 -0500 @@ -1,6 +1,6 @@ /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) @@ -8458,7 +8783,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.2.3/policy/modules/services/pyzor.if --- nsaserefpolicy/policy/modules/services/pyzor.if 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/pyzor.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/pyzor.if 2007-12-06 16:37:24.000000000 -0500 @@ -25,16 +25,18 @@ # template(`pyzor_per_role_template',` @@ -8487,7 +8812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.2.3/policy/modules/services/pyzor.te --- nsaserefpolicy/policy/modules/services/pyzor.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/pyzor.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/pyzor.te 2007-12-10 16:52:47.000000000 -0500 @@ -28,6 +28,9 @@ type pyzor_var_lib_t; files_type(pyzor_var_lib_t) @@ -8500,7 +8825,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo # Pyzor local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.2.3/policy/modules/services/radius.te --- nsaserefpolicy/policy/modules/services/radius.te 2007-11-16 13:45:14.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/radius.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/radius.te 2007-12-06 16:37:24.000000000 -0500 @@ -88,6 +88,7 @@ auth_read_shadow(radiusd_t) @@ -8511,7 +8836,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi corecmd_exec_shell(radiusd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.2.3/policy/modules/services/razor.fc --- nsaserefpolicy/policy/modules/services/razor.fc 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/razor.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/razor.fc 2007-12-06 16:37:24.000000000 -0500 @@ -1,4 +1,4 @@ -HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:ROLE_razor_home_t,s0) +HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:user_razor_home_t,s0) @@ -8520,7 +8845,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.2.3/policy/modules/services/razor.if --- nsaserefpolicy/policy/modules/services/razor.if 2007-07-16 14:09:46.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/razor.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/razor.if 2007-12-06 16:37:24.000000000 -0500 @@ -137,6 +137,7 @@ template(`razor_per_role_template',` gen_require(` @@ -8548,7 +8873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.2.3/policy/modules/services/razor.te --- nsaserefpolicy/policy/modules/services/razor.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/razor.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/razor.te 2007-12-06 16:37:24.000000000 -0500 @@ -23,6 +23,12 @@ razor_common_domain_template(razor) @@ -8564,7 +8889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo # Local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.if serefpolicy-3.2.3/policy/modules/services/remotelogin.if --- nsaserefpolicy/policy/modules/services/remotelogin.if 2006-11-16 17:15:21.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/remotelogin.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/remotelogin.if 2007-12-06 16:37:24.000000000 -0500 @@ -18,3 +18,20 @@ auth_domtrans_login_program($1,remote_login_t) ') @@ -8588,7 +8913,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remo +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-3.2.3/policy/modules/services/remotelogin.te --- nsaserefpolicy/policy/modules/services/remotelogin.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/remotelogin.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/remotelogin.te 2007-12-06 16:37:24.000000000 -0500 @@ -85,6 +85,7 @@ miscfiles_read_localization(remote_login_t) @@ -8599,7 +8924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remo # Only permit unprivileged user domains to be entered via rlogin, diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.2.3/policy/modules/services/ricci.te --- nsaserefpolicy/policy/modules/services/ricci.te 2007-11-16 13:45:14.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/ricci.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/ricci.te 2007-12-06 16:37:24.000000000 -0500 @@ -138,6 +138,7 @@ files_create_boot_flag(ricci_t) @@ -8621,7 +8946,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.2.3/policy/modules/services/rlogin.te --- nsaserefpolicy/policy/modules/services/rlogin.te 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/rlogin.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/rlogin.te 2007-12-06 16:37:24.000000000 -0500 @@ -36,6 +36,8 @@ allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr }; term_create_pty(rlogind_t,rlogind_devpts_t) @@ -8669,7 +8994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.2.3/policy/modules/services/rpcbind.te --- nsaserefpolicy/policy/modules/services/rpcbind.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/rpcbind.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/rpcbind.te 2007-12-10 14:43:15.000000000 -0500 @@ -21,11 +21,13 @@ # rpcbind local policy # @@ -8687,7 +9012,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcb manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.2.3/policy/modules/services/rpc.if --- nsaserefpolicy/policy/modules/services/rpc.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/rpc.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/rpc.if 2007-12-06 16:37:24.000000000 -0500 @@ -88,8 +88,11 @@ # bind to arbitary unused ports corenet_tcp_bind_generic_port($1_t) @@ -8728,7 +9053,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.2.3/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/rpc.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/rpc.te 2007-12-10 14:41:10.000000000 -0500 @@ -8,7 +8,7 @@ ## @@ -8827,7 +9152,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. userdom_read_unpriv_users_tmp_files(gssd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.2.3/policy/modules/services/rshd.te --- nsaserefpolicy/policy/modules/services/rshd.te 2007-12-06 13:12:03.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/rshd.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/rshd.te 2007-12-06 16:37:24.000000000 -0500 @@ -16,7 +16,7 @@ # # Local policy @@ -8890,7 +9215,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.fc serefpolicy-3.2.3/policy/modules/services/rsync.fc --- nsaserefpolicy/policy/modules/services/rsync.fc 2006-11-16 17:15:21.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/rsync.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/rsync.fc 2007-12-06 16:37:24.000000000 -0500 @@ -1,2 +1,4 @@ /usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0) @@ -8898,7 +9223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn +/var/log/rsync.log -- gen_context(system_u:object_r:rsync_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.2.3/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/rsync.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/rsync.te 2007-12-06 16:37:24.000000000 -0500 @@ -8,7 +8,7 @@ ## @@ -8964,7 +9289,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.2.3/policy/modules/services/samba.fc --- nsaserefpolicy/policy/modules/services/samba.fc 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/samba.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/samba.fc 2007-12-06 16:37:24.000000000 -0500 @@ -15,6 +15,7 @@ /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) /usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0) @@ -8984,7 +9309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb /var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.2.3/policy/modules/services/samba.if --- nsaserefpolicy/policy/modules/services/samba.if 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/samba.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/samba.if 2007-12-06 16:37:24.000000000 -0500 @@ -331,6 +331,25 @@ ######################################## @@ -9124,7 +9449,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.2.3/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2007-12-06 13:12:03.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/samba.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/samba.te 2007-12-06 16:37:24.000000000 -0500 @@ -9,14 +9,14 @@ ## ##

@@ -9449,7 +9774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +allow smbcontrol_t nmbd_var_run_t:file { read lock }; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.2.3/policy/modules/services/sasl.te --- nsaserefpolicy/policy/modules/services/sasl.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/sasl.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/sasl.te 2007-12-06 16:37:24.000000000 -0500 @@ -64,6 +64,7 @@ selinux_compute_access_vector(saslauthd_t) @@ -9471,7 +9796,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.2.3/policy/modules/services/sendmail.if --- nsaserefpolicy/policy/modules/services/sendmail.if 2007-08-27 13:57:20.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/sendmail.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/sendmail.if 2007-12-06 16:37:24.000000000 -0500 @@ -149,3 +149,85 @@ logging_log_filetrans($1,sendmail_log_t,file) @@ -9560,7 +9885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.2.3/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2007-12-06 13:12:03.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/sendmail.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/sendmail.te 2007-12-06 16:37:24.000000000 -0500 @@ -20,12 +20,16 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -9660,7 +9985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send -') dnl end TODO diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.2.3/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-10-29 07:52:49.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/setroubleshoot.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/setroubleshoot.te 2007-12-06 16:37:24.000000000 -0500 @@ -27,8 +27,8 @@ # setroubleshootd local policy # @@ -9701,7 +10026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.2.3/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/snmp.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/snmp.te 2007-12-06 16:37:24.000000000 -0500 @@ -81,8 +81,7 @@ files_read_usr_files(snmpd_t) files_read_etc_runtime_files(snmpd_t) @@ -9714,7 +10039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp fs_getattr_all_fs(snmpd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.fc serefpolicy-3.2.3/policy/modules/services/soundserver.fc --- nsaserefpolicy/policy/modules/services/soundserver.fc 2006-11-16 17:15:20.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/soundserver.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/soundserver.fc 2007-12-06 16:37:24.000000000 -0500 @@ -1,5 +1,3 @@ -/etc/nas(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0) -/etc/yiff(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0) @@ -9730,7 +10055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun /var/state/yiff(/.*)? gen_context(system_u:object_r:soundd_state_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.te serefpolicy-3.2.3/policy/modules/services/soundserver.te --- nsaserefpolicy/policy/modules/services/soundserver.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/soundserver.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/soundserver.te 2007-12-06 16:37:24.000000000 -0500 @@ -10,9 +10,6 @@ type soundd_exec_t; init_daemon_domain(soundd_t,soundd_exec_t) @@ -9793,7 +10118,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.2.3/policy/modules/services/spamassassin.fc --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/spamassassin.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/spamassassin.fc 2007-12-06 16:37:24.000000000 -0500 @@ -1,4 +1,4 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0) +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:user_spamassassin_home_t,s0) @@ -9802,7 +10127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam /usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.2.3/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/spamassassin.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/spamassassin.if 2007-12-06 16:37:24.000000000 -0500 @@ -38,6 +38,8 @@ gen_require(` type spamc_exec_t, spamassassin_exec_t; @@ -9930,7 +10255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.2.3/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/spamassassin.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/spamassassin.te 2007-12-06 16:37:24.000000000 -0500 @@ -44,6 +44,15 @@ type spamassassin_exec_t; application_executable_file(spamassassin_exec_t) @@ -9975,7 +10300,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.2.3/policy/modules/services/squid.fc --- nsaserefpolicy/policy/modules/services/squid.fc 2006-11-16 17:15:21.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/squid.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/squid.fc 2007-12-06 16:37:24.000000000 -0500 @@ -12,3 +12,5 @@ /var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0) @@ -9984,7 +10309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi +/usr/lib64/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.2.3/policy/modules/services/squid.if --- nsaserefpolicy/policy/modules/services/squid.if 2007-05-07 10:32:44.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/squid.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/squid.if 2007-12-06 16:37:24.000000000 -0500 @@ -131,3 +131,22 @@ interface(`squid_use',` refpolicywarn(`$0($*) has been deprecated.') @@ -10010,7 +10335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.2.3/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/squid.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/squid.te 2007-12-06 16:37:24.000000000 -0500 @@ -36,7 +36,7 @@ # Local policy # @@ -10069,7 +10394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.2.3/policy/modules/services/ssh.fc --- nsaserefpolicy/policy/modules/services/ssh.fc 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/ssh.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/ssh.fc 2007-12-06 16:37:24.000000000 -0500 @@ -1,4 +1,4 @@ -HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ROLE_home_ssh_t,s0) +HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:user_ssh_home_t,s0) @@ -10078,7 +10403,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. /etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.2.3/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2007-07-23 10:20:13.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/ssh.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/ssh.if 2007-12-06 16:37:24.000000000 -0500 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -10240,7 +10565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.2.3/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/ssh.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/ssh.te 2007-12-06 16:37:24.000000000 -0500 @@ -24,7 +24,7 @@ # Type for the ssh-agent executable. @@ -10299,7 +10624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.2.3/policy/modules/services/telnet.te --- nsaserefpolicy/policy/modules/services/telnet.te 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/telnet.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/telnet.te 2007-12-06 16:37:24.000000000 -0500 @@ -37,6 +37,8 @@ allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr }; term_create_pty(telnetd_t,telnetd_devpts_t) @@ -10350,7 +10675,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.fc serefpolicy-3.2.3/policy/modules/services/tftp.fc --- nsaserefpolicy/policy/modules/services/tftp.fc 2006-11-16 17:15:21.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/tftp.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/tftp.fc 2007-12-06 16:37:24.000000000 -0500 @@ -4,3 +4,4 @@ /tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0) @@ -10358,7 +10683,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp +/var/lib/tftp(/.*)? gen_context(system_u:object_r:tftpdir_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uwimap.te serefpolicy-3.2.3/policy/modules/services/uwimap.te --- nsaserefpolicy/policy/modules/services/uwimap.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/uwimap.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/uwimap.te 2007-12-06 16:37:24.000000000 -0500 @@ -64,6 +64,7 @@ fs_search_auto_mountpoints(imapd_t) @@ -10369,18 +10694,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uwim libs_use_shared_libs(imapd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.fc serefpolicy-3.2.3/policy/modules/services/w3c.fc --- nsaserefpolicy/policy/modules/services/w3c.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/w3c.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/w3c.fc 2007-12-06 16:37:24.000000000 -0500 @@ -0,0 +1,2 @@ +/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_content_t,s0) +/usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.if serefpolicy-3.2.3/policy/modules/services/w3c.if --- nsaserefpolicy/policy/modules/services/w3c.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/w3c.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/w3c.if 2007-12-06 16:37:24.000000000 -0500 @@ -0,0 +1 @@ +##

W3C diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.2.3/policy/modules/services/w3c.te --- nsaserefpolicy/policy/modules/services/w3c.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/w3c.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/w3c.te 2007-12-06 16:37:24.000000000 -0500 @@ -0,0 +1,14 @@ +policy_module(w3c,1.2.1) + @@ -10398,7 +10723,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c. +miscfiles_read_certs(httpd_w3c_validator_script_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.2.3/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2007-10-15 16:11:05.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/services/xserver.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/xserver.fc 2007-12-06 16:37:24.000000000 -0500 @@ -1,13 +1,13 @@ # # HOME_DIR @@ -10467,7 +10792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.3/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/xserver.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/xserver.if 2007-12-06 16:37:24.000000000 -0500 @@ -115,8 +115,7 @@ dev_rw_agp($1_xserver_t) dev_rw_framebuffer($1_xserver_t) @@ -10988,7 +11313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.2.3/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-06 13:12:03.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/xserver.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/xserver.te 2007-12-06 20:54:40.000000000 -0500 @@ -16,6 +16,13 @@ ## @@ -11153,9 +11478,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t) -@@ -305,6 +354,11 @@ +@@ -304,7 +353,16 @@ + ') optional_policy(` ++ bootloader_domtrans(xdm_t) ++') ++ ++optional_policy(` consolekit_dbus_chat(xdm_t) + dbus_system_bus_client_template(xdm, xdm_t) + dbus_per_role_template(xdm, xdm_t, system_r) @@ -11165,7 +11495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -322,6 +376,10 @@ +@@ -322,6 +380,10 @@ ') optional_policy(` @@ -11176,7 +11506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser loadkeys_exec(xdm_t) ') -@@ -343,8 +401,8 @@ +@@ -343,8 +405,8 @@ ') optional_policy(` @@ -11186,7 +11516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -380,7 +438,7 @@ +@@ -380,7 +442,7 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search; @@ -11195,7 +11525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t) -@@ -392,6 +450,15 @@ +@@ -392,6 +454,15 @@ can_exec(xdm_xserver_t, xkb_var_lib_t) files_search_var_lib(xdm_xserver_t) @@ -11211,7 +11541,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # VNC v4 module in X server corenet_tcp_bind_vnc_port(xdm_xserver_t) -@@ -404,6 +471,7 @@ +@@ -404,6 +475,7 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_unpriv_users_home_content_files(xdm_xserver_t) @@ -11219,7 +11549,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_use_all_users_fonts(xdm_xserver_t) -@@ -420,6 +488,14 @@ +@@ -420,6 +492,14 @@ ') optional_policy(` @@ -11234,7 +11564,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser resmgr_stream_connect(xdm_t) ') -@@ -429,47 +505,30 @@ +@@ -429,47 +509,30 @@ ') optional_policy(` @@ -11305,17 +11635,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser -') dnl end TODO diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.2.3/policy/modules/system/authlogin.fc --- nsaserefpolicy/policy/modules/system/authlogin.fc 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/system/authlogin.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/authlogin.fc 2007-12-11 00:57:25.000000000 -0500 @@ -41,3 +41,6 @@ /var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0) /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) -+/var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) ++/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) + +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.2.3/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/system/authlogin.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/authlogin.if 2007-12-06 16:37:24.000000000 -0500 @@ -169,6 +169,7 @@ interface(`auth_login_pgm_domain',` gen_require(` @@ -11496,7 +11826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.2.3/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2007-12-06 13:12:03.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/system/authlogin.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/authlogin.te 2007-12-10 14:49:03.000000000 -0500 @@ -59,6 +59,9 @@ type utempter_exec_t; application_domain(utempter_t,utempter_exec_t) @@ -11517,17 +11847,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ######################################## # # PAM local policy -@@ -121,6 +127,9 @@ +@@ -121,6 +127,10 @@ logging_send_syslog_msg(pam_t) userdom_use_unpriv_users_fds(pam_t) +userdom_write_unpriv_users_tmp_files(pam_t) -+userdom_dontaudit_read_unpriv_users_home_content_files(pam_t) +userdom_unlink_unpriv_users_tmp_files(pam_t) ++userdom_read_unpriv_users_home_content_files(pam_t) ++userdom_append_unpriv_users_home_content_files(pam_t) optional_policy(` locallogin_use_fds(pam_t) -@@ -279,8 +288,10 @@ +@@ -279,8 +289,10 @@ files_manage_etc_files(updpwd_t) term_dontaudit_use_console(updpwd_t) @@ -11539,7 +11870,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo auth_manage_shadow(updpwd_t) auth_use_nsswitch(updpwd_t) -@@ -329,11 +340,6 @@ +@@ -329,11 +341,6 @@ ') optional_policy(` @@ -11553,7 +11884,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.2.3/policy/modules/system/fstools.fc --- nsaserefpolicy/policy/modules/system/fstools.fc 2007-09-26 12:15:01.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/system/fstools.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/fstools.fc 2007-12-06 16:37:24.000000000 -0500 @@ -1,4 +1,3 @@ -/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) @@ -11569,7 +11900,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-3.2.3/policy/modules/system/fstools.if --- nsaserefpolicy/policy/modules/system/fstools.if 2007-08-22 17:33:53.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/system/fstools.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/fstools.if 2007-12-06 16:37:24.000000000 -0500 @@ -142,3 +142,20 @@ allow $1 swapfile_t:file getattr; @@ -11593,7 +11924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.2.3/policy/modules/system/fstools.te --- nsaserefpolicy/policy/modules/system/fstools.te 2007-10-12 08:56:08.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/system/fstools.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/fstools.te 2007-12-06 16:37:24.000000000 -0500 @@ -109,8 +109,7 @@ term_use_console(fsadm_t) @@ -11612,7 +11943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.2.3/policy/modules/system/getty.te --- nsaserefpolicy/policy/modules/system/getty.te 2007-10-12 08:56:08.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/system/getty.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/getty.te 2007-12-06 16:37:24.000000000 -0500 @@ -33,7 +33,8 @@ # @@ -11625,7 +11956,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty. allow getty_t self:fifo_file rw_fifo_file_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.2.3/policy/modules/system/hostname.te --- nsaserefpolicy/policy/modules/system/hostname.te 2007-01-02 12:57:49.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/system/hostname.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/hostname.te 2007-12-06 16:37:24.000000000 -0500 @@ -8,7 +8,9 @@ type hostname_t; @@ -11651,7 +11982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.2.3/policy/modules/system/hotplug.te --- nsaserefpolicy/policy/modules/system/hotplug.te 2007-10-12 08:56:08.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/system/hotplug.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/hotplug.te 2007-12-06 16:37:24.000000000 -0500 @@ -179,6 +179,7 @@ sysnet_read_dhcpc_pid(hotplug_t) sysnet_rw_dhcp_config(hotplug_t) @@ -11662,7 +11993,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.2.3/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/system/init.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/init.if 2007-12-06 16:37:24.000000000 -0500 @@ -211,6 +211,13 @@ kernel_dontaudit_use_fds($1) ') @@ -11906,7 +12237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.2.3/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/system/init.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/init.te 2007-12-06 16:37:24.000000000 -0500 @@ -10,6 +10,20 @@ # Declarations # @@ -12073,7 +12404,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.2.3/policy/modules/system/ipsec.fc --- nsaserefpolicy/policy/modules/system/ipsec.fc 2007-02-19 11:32:53.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/system/ipsec.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/ipsec.fc 2007-12-06 16:37:24.000000000 -0500 @@ -32,3 +32,4 @@ /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) @@ -12081,7 +12412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. +/var/run/racoon.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.2.3/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/system/ipsec.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/ipsec.te 2007-12-06 16:37:24.000000000 -0500 @@ -302,6 +302,7 @@ corenet_all_recvfrom_unlabeled(racoon_t) corenet_tcp_bind_all_nodes(racoon_t) @@ -12092,7 +12423,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.2.3/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2007-10-12 08:56:08.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/system/libraries.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/libraries.fc 2007-12-06 16:37:24.000000000 -0500 @@ -65,11 +65,15 @@ /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -12171,7 +12502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.2.3/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2007-10-12 08:56:08.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/system/libraries.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/libraries.te 2007-12-06 16:37:24.000000000 -0500 @@ -23,6 +23,9 @@ init_system_domain(ldconfig_t,ldconfig_exec_t) role system_r types ldconfig_t; @@ -12226,7 +12557,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.2.3/policy/modules/system/locallogin.te --- nsaserefpolicy/policy/modules/system/locallogin.te 2007-10-29 07:52:50.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/system/locallogin.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/locallogin.te 2007-12-06 16:37:24.000000000 -0500 @@ -25,7 +25,6 @@ domain_role_change_exemption(sulogin_t) domain_interactive_fd(sulogin_t) @@ -12266,7 +12597,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.2.3/policy/modules/system/logging.fc --- nsaserefpolicy/policy/modules/system/logging.fc 2007-11-06 09:18:37.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/system/logging.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/logging.fc 2007-12-06 16:37:24.000000000 -0500 @@ -29,6 +29,11 @@ /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) @@ -12297,7 +12628,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin +/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.2.3/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2007-11-06 09:51:43.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/system/logging.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/logging.if 2007-12-06 16:37:24.000000000 -0500 @@ -577,6 +577,8 @@ files_search_var($1) manage_files_pattern($1,logfile,logfile) @@ -12396,7 +12727,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.2.3/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2007-11-06 09:18:37.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/system/logging.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/logging.te 2007-12-06 16:37:24.000000000 -0500 @@ -61,6 +61,12 @@ logging_log_file(var_log_t) files_mountpoint(var_log_t) @@ -12420,7 +12751,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.2.3/policy/modules/system/lvm.fc --- nsaserefpolicy/policy/modules/system/lvm.fc 2007-10-12 08:56:08.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/system/lvm.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/lvm.fc 2007-12-06 16:37:24.000000000 -0500 @@ -15,6 +15,7 @@ # /etc/lvm(/.*)? gen_context(system_u:object_r:lvm_etc_t,s0) @@ -12431,7 +12762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc /etc/lvm/lock(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.2.3/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/system/lvm.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/lvm.te 2007-12-06 16:37:24.000000000 -0500 @@ -44,9 +44,9 @@ # Cluster LVM daemon local policy # @@ -12579,7 +12910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.2.3/policy/modules/system/modutils.if --- nsaserefpolicy/policy/modules/system/modutils.if 2007-03-26 10:39:07.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/system/modutils.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/modutils.if 2007-12-06 16:37:24.000000000 -0500 @@ -66,6 +66,25 @@ ######################################## @@ -12608,7 +12939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.2.3/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2007-10-12 08:56:08.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/system/modutils.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/modutils.te 2007-12-06 16:37:24.000000000 -0500 @@ -42,7 +42,7 @@ # insmod local policy # @@ -12713,7 +13044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.2.3/policy/modules/system/mount.fc --- nsaserefpolicy/policy/modules/system/mount.fc 2006-11-16 17:15:24.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/system/mount.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/mount.fc 2007-12-06 16:37:24.000000000 -0500 @@ -1,4 +1,2 @@ /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) @@ -12721,7 +13052,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. -/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.2.3/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2007-12-06 13:12:03.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/system/mount.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/mount.te 2007-12-06 16:37:24.000000000 -0500 @@ -8,7 +8,7 @@ ## @@ -12834,7 +13165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.2.3/policy/modules/system/raid.te --- nsaserefpolicy/policy/modules/system/raid.te 2007-10-12 08:56:08.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/system/raid.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/raid.te 2007-12-06 16:37:24.000000000 -0500 @@ -19,7 +19,7 @@ # Local policy # @@ -12862,7 +13193,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.2.3/policy/modules/system/selinuxutil.fc --- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2007-05-18 11:12:44.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/system/selinuxutil.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/selinuxutil.fc 2007-12-06 16:37:24.000000000 -0500 @@ -38,7 +38,7 @@ /usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0) /usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0) @@ -12874,7 +13205,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.2.3/policy/modules/system/selinuxutil.if --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/system/selinuxutil.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/selinuxutil.if 2007-12-06 16:37:24.000000000 -0500 @@ -215,8 +215,6 @@ seutil_domtrans_newrole($1) role $2 types newrole_t; @@ -13158,7 +13489,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.2.3/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/system/selinuxutil.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/selinuxutil.te 2007-12-06 16:37:24.000000000 -0500 @@ -75,7 +75,6 @@ type restorecond_exec_t; init_daemon_domain(restorecond_t,restorecond_exec_t) @@ -13440,7 +13771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.2.3/policy/modules/system/sysnetwork.fc --- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2006-11-16 17:15:24.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/system/sysnetwork.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/sysnetwork.fc 2007-12-06 16:37:24.000000000 -0500 @@ -52,8 +52,7 @@ /var/lib/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) /var/lib/dhclient(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) @@ -13453,7 +13784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.2.3/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2007-07-16 14:09:49.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/system/sysnetwork.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/sysnetwork.if 2007-12-06 16:37:24.000000000 -0500 @@ -145,6 +145,25 @@ ######################################## @@ -13526,7 +13857,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.2.3/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2007-10-29 07:52:50.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/system/sysnetwork.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/sysnetwork.te 2007-12-06 16:37:24.000000000 -0500 @@ -45,7 +45,7 @@ dontaudit dhcpc_t self:capability sys_tty_config; # for access("/etc/bashrc", X_OK) on Red Hat @@ -13659,7 +13990,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet xen_append_log(ifconfig_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.2.3/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/system/udev.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/udev.te 2007-12-06 16:37:24.000000000 -0500 @@ -96,9 +96,6 @@ dev_delete_generic_files(udev_t) dev_search_usbfs(udev_t) @@ -13680,8 +14011,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.2.3/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-10-12 08:56:08.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/system/unconfined.fc 2007-12-06 14:13:13.000000000 -0500 -@@ -10,3 +10,7 @@ ++++ serefpolicy-3.2.3/policy/modules/system/unconfined.fc 2007-12-10 14:53:22.000000000 -0500 +@@ -10,3 +10,8 @@ /usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) /usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) @@ -13689,9 +14020,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/bin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) +/usr/bin/livecd-creator -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) ++/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.2.3/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2007-11-16 15:30:49.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/system/unconfined.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/unconfined.if 2007-12-06 16:37:24.000000000 -0500 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -13941,7 +14273,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.3/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2007-11-16 15:30:49.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/system/unconfined.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/unconfined.te 2007-12-11 00:36:12.000000000 -0500 @@ -9,32 +9,46 @@ # usage in this module of types created by these # calls is not correct, however we dont currently @@ -14042,21 +14374,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -118,11 +139,11 @@ +@@ -118,11 +139,7 @@ ') optional_policy(` - inn_domtrans(unconfined_t) -+ iptables_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - ') - - optional_policy(` +-') +- +-optional_policy(` - java_domtrans(unconfined_t) -+ java_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ++ iptables_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') optional_policy(` -@@ -134,11 +155,7 @@ +@@ -134,14 +151,6 @@ ') optional_policy(` @@ -14065,11 +14396,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf - -optional_policy(` - mta_per_role_template(unconfined, unconfined_t, unconfined_r) -+ mono_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +-') +- +-optional_policy(` + oddjob_domtrans_mkhomedir(unconfined_t) ') - optional_policy(` -@@ -154,33 +171,20 @@ +@@ -154,33 +163,20 @@ ') optional_policy(` @@ -14107,22 +14440,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -205,11 +209,22 @@ +@@ -205,11 +201,22 @@ ') optional_policy(` - wine_domtrans(unconfined_t) + wine_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ++') ++ ++optional_policy(` ++ mozilla_per_role_template(unconfined, unconfined_t, unconfined_r) ++ unconfined_domain(unconfined_mozilla_t) ++ allow unconfined_mozilla_t self:process { execstack execmem }; ') optional_policy(` - xserver_domtrans_xdm_xserver(unconfined_t) -+ mozilla_per_role_template(unconfined, unconfined_t, unconfined_r) -+ unconfined_domain(unconfined_mozilla_t) -+ allow unconfined_mozilla_t self:process { execstack execmem }; -+') -+ -+optional_policy(` + kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t }) +') + @@ -14132,7 +14465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') ######################################## -@@ -219,14 +234,35 @@ +@@ -219,14 +226,35 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) @@ -14162,15 +14495,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + +######################################## +# -+# Unconfined Execmem Local policy ++# Unconfined notrans Local policy +# + +allow unconfined_notrans_t self:process { execstack execmem }; +unconfined_domain_noaudit(unconfined_notrans_t) -+ ++domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.2.3/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2007-02-19 11:32:53.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/system/userdomain.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/userdomain.fc 2007-12-06 16:37:24.000000000 -0500 @@ -1,4 +1,5 @@ -HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh) -HOME_DIR/.+ gen_context(system_u:object_r:ROLE_home_t,s0) @@ -14183,7 +14516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*) gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.3/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/system/userdomain.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/userdomain.if 2007-12-10 23:50:13.000000000 -0500 @@ -29,8 +29,9 @@ ') @@ -14868,7 +15201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo typeattribute $1_tty_device_t user_ttynode; ############################## -@@ -1025,12 +991,12 @@ +@@ -1025,16 +991,37 @@ # # privileged home directory writers @@ -14884,10 +15217,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + manage_sock_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t) + manage_fifo_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t) + filetrans_pattern(privhome,user_home_dir_t,user_home_t,{ dir file lnk_file sock_file fifo_file }) ++ ++ optional_policy(` ++ dbus_per_role_template($1, $1_usertype, $1_r) ++ dbus_system_bus_client_template($1, $1_usertype) ++ ++ optional_policy(` ++ consolekit_dbus_chat($1_usertype) ++ ') ++ optional_policy(` ++ cups_dbus_chat($1_usertype) ++ ') ++ ') ++ ++ optional_policy(` ++ java_per_role_template($1, $1_t, $1_r) ++ ') optional_policy(` loadkeys_run($1_t,$1_r,$1_tty_device_t) -@@ -1062,6 +1028,13 @@ + ') ++ ++ optional_policy(` ++ mono_per_role_template($1, $1_t, $1_r) ++ ') ++ + ') + + ####################################### +@@ -1062,6 +1049,13 @@ userdom_restricted_user_template($1) @@ -14901,7 +15259,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_xwindows_client_template($1) ############################## -@@ -1070,14 +1043,14 @@ +@@ -1070,14 +1064,14 @@ # authlogin_per_role_template($1, $1_t, $1_r) @@ -14921,33 +15279,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -1085,19 +1058,18 @@ +@@ -1085,33 +1079,14 @@ selinux_get_enforce_mode($1_t) optional_policy(` - alsa_read_rw_config($1_t) -+ alsa_read_rw_config($1_usertype) - ') - - optional_policy(` +- ') +- +- optional_policy(` - dbus_per_role_template($1, $1_t, $1_r) - dbus_system_bus_client_template($1, $1_t) -+ dbus_per_role_template($1, $1_usertype, $1_r) -+ dbus_system_bus_client_template($1, $1_usertype) - - optional_policy(` +- +- optional_policy(` - consolekit_dbus_chat($1_t) -+ consolekit_dbus_chat($1_usertype) - ') +- ') - - optional_policy(` +- optional_policy(` - cups_dbus_chat($1_t) -+ cups_dbus_chat($1_usertype) - ') - ') - -@@ -1109,9 +1081,11 @@ - mono_per_role_template($1, $1_t, $1_r) +- ') +- ') +- +- optional_policy(` +- java_per_role_template($1, $1_t, $1_r) +- ') +- +- optional_policy(` +- mono_per_role_template($1, $1_t, $1_r) ++ alsa_read_rw_config($1_usertype) ') - optional_policy(` @@ -14961,7 +15319,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -1121,10 +1095,10 @@ +@@ -1121,10 +1096,10 @@ ## ## ##

@@ -14976,7 +15334,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## This template creates a user domain, types, and ## rules for the user's tty, pty, home directories, ## tmp, and tmpfs files. -@@ -1187,12 +1161,11 @@ +@@ -1187,12 +1162,11 @@ # and may change other protocols tunable_policy(`user_tcp_server',` corenet_tcp_bind_all_nodes($1_t) @@ -14991,7 +15349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') # Run pppd in pppd_t by default for user -@@ -1278,8 +1251,6 @@ +@@ -1278,8 +1252,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -15000,7 +15358,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1416,6 +1387,7 @@ +@@ -1416,6 +1388,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -15008,7 +15366,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1781,10 +1753,14 @@ +@@ -1781,10 +1754,14 @@ template(`userdom_user_home_content',` gen_require(` attribute $1_file_type; @@ -15024,7 +15382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1880,11 +1856,11 @@ +@@ -1880,11 +1857,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` @@ -15038,7 +15396,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1914,11 +1890,11 @@ +@@ -1914,11 +1891,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` @@ -15052,7 +15410,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1962,12 +1938,12 @@ +@@ -1962,12 +1939,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` @@ -15068,7 +15426,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1997,10 +1973,10 @@ +@@ -1997,10 +1974,10 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` @@ -15081,7 +15439,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2032,11 +2008,47 @@ +@@ -2032,11 +2009,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` @@ -15131,7 +15489,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2068,10 +2080,10 @@ +@@ -2068,10 +2081,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -15144,7 +15502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2101,11 +2113,11 @@ +@@ -2101,11 +2114,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -15158,7 +15516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2135,11 +2147,11 @@ +@@ -2135,11 +2148,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -15173,7 +15531,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2169,10 +2181,10 @@ +@@ -2169,10 +2182,10 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -15186,7 +15544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2202,11 +2214,11 @@ +@@ -2202,11 +2215,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -15200,7 +15558,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2236,11 +2248,11 @@ +@@ -2236,11 +2249,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -15214,7 +15572,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2270,10 +2282,10 @@ +@@ -2270,10 +2283,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` @@ -15227,7 +15585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2305,12 +2317,12 @@ +@@ -2305,12 +2318,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -15243,7 +15601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2342,10 +2354,10 @@ +@@ -2342,10 +2355,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -15256,7 +15614,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2377,12 +2389,12 @@ +@@ -2377,12 +2390,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -15272,7 +15630,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2414,12 +2426,12 @@ +@@ -2414,12 +2427,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -15288,7 +15646,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2451,12 +2463,12 @@ +@@ -2451,12 +2464,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -15304,7 +15662,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2501,11 +2513,11 @@ +@@ -2501,11 +2514,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -15318,7 +15676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2550,11 +2562,11 @@ +@@ -2550,11 +2563,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` @@ -15332,7 +15690,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2594,11 +2606,11 @@ +@@ -2594,11 +2607,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -15346,7 +15704,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2628,11 +2640,11 @@ +@@ -2628,11 +2641,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -15360,7 +15718,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2662,11 +2674,11 @@ +@@ -2662,11 +2675,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -15374,7 +15732,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2698,10 +2710,10 @@ +@@ -2698,10 +2711,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` @@ -15387,7 +15745,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2733,10 +2745,10 @@ +@@ -2733,10 +2746,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -15400,7 +15758,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2766,12 +2778,12 @@ +@@ -2766,12 +2779,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -15416,7 +15774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2803,10 +2815,10 @@ +@@ -2803,10 +2816,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -15429,15 +15787,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2838,10 +2850,48 @@ +@@ -2838,10 +2851,48 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` - type $1_tmp_t; + type user_tmp_t; - ') - -- dontaudit $2 $1_tmp_t:file append; ++ ') ++ + dontaudit $2 user_tmp_t:file append; +') + @@ -15474,13 +15831,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + gen_require(` + attribute user_tmpfile; + attribute userdomain; -+ ') -+ + ') + +- dontaudit $2 $1_tmp_t:file append; + stream_connect_pattern($1, user_tmpfile, user_tmpfile, userdomain) ') ######################################## -@@ -2871,12 +2921,12 @@ +@@ -2871,12 +2922,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` @@ -15496,7 +15854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2908,10 +2958,10 @@ +@@ -2908,10 +2959,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -15509,7 +15867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2943,12 +2993,12 @@ +@@ -2943,12 +2994,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -15525,7 +15883,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2980,11 +3030,11 @@ +@@ -2980,11 +3031,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -15539,7 +15897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3016,11 +3066,11 @@ +@@ -3016,11 +3067,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -15553,7 +15911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3052,11 +3102,11 @@ +@@ -3052,11 +3103,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -15567,7 +15925,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3088,11 +3138,11 @@ +@@ -3088,11 +3139,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -15581,7 +15939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3124,11 +3174,11 @@ +@@ -3124,11 +3175,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -15595,7 +15953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3173,10 +3223,10 @@ +@@ -3173,10 +3224,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` @@ -15608,7 +15966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($2) ') -@@ -3217,10 +3267,10 @@ +@@ -3217,10 +3268,10 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -15621,7 +15979,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4225,11 +4275,11 @@ +@@ -4225,11 +4276,11 @@ # interface(`userdom_search_staff_home_dirs',` gen_require(` @@ -15635,7 +15993,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4245,10 +4295,10 @@ +@@ -4245,10 +4296,10 @@ # interface(`userdom_dontaudit_search_staff_home_dirs',` gen_require(` @@ -15648,7 +16006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4264,11 +4314,11 @@ +@@ -4264,11 +4315,11 @@ # interface(`userdom_manage_staff_home_dirs',` gen_require(` @@ -15662,7 +16020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4283,11 +4333,11 @@ +@@ -4283,11 +4334,11 @@ # interface(`userdom_relabelto_staff_home_dirs',` gen_require(` @@ -15676,7 +16034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4303,10 +4353,10 @@ +@@ -4303,10 +4354,10 @@ # interface(`userdom_dontaudit_append_staff_home_content_files',` gen_require(` @@ -15689,7 +16047,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4321,13 +4371,13 @@ +@@ -4321,13 +4372,13 @@ # interface(`userdom_read_staff_home_content_files',` gen_require(` @@ -15707,7 +16065,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4525,10 +4575,10 @@ +@@ -4525,10 +4576,10 @@ # interface(`userdom_getattr_sysadm_home_dirs',` gen_require(` @@ -15720,7 +16078,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4545,10 +4595,10 @@ +@@ -4545,10 +4596,10 @@ # interface(`userdom_dontaudit_getattr_sysadm_home_dirs',` gen_require(` @@ -15733,7 +16091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4563,10 +4613,10 @@ +@@ -4563,10 +4614,10 @@ # interface(`userdom_search_sysadm_home_dirs',` gen_require(` @@ -15746,7 +16104,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4582,10 +4632,10 @@ +@@ -4582,10 +4633,10 @@ # interface(`userdom_dontaudit_search_sysadm_home_dirs',` gen_require(` @@ -15759,7 +16117,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4600,10 +4650,10 @@ +@@ -4600,10 +4651,10 @@ # interface(`userdom_list_sysadm_home_dirs',` gen_require(` @@ -15772,7 +16130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4619,10 +4669,10 @@ +@@ -4619,10 +4670,10 @@ # interface(`userdom_dontaudit_list_sysadm_home_dirs',` gen_require(` @@ -15785,7 +16143,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4638,12 +4688,11 @@ +@@ -4638,12 +4689,11 @@ # interface(`userdom_dontaudit_read_sysadm_home_content_files',` gen_require(` @@ -15801,7 +16159,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4670,10 +4719,10 @@ +@@ -4670,10 +4720,10 @@ # interface(`userdom_sysadm_home_dir_filetrans',` gen_require(` @@ -15814,7 +16172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4688,10 +4737,10 @@ +@@ -4688,10 +4738,10 @@ # interface(`userdom_search_sysadm_home_content_dirs',` gen_require(` @@ -15827,7 +16185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4706,13 +4755,13 @@ +@@ -4706,13 +4756,13 @@ # interface(`userdom_read_sysadm_home_content_files',` gen_require(` @@ -15845,7 +16203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4748,11 +4797,29 @@ +@@ -4748,11 +4798,29 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -15876,7 +16234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4772,6 +4839,14 @@ +@@ -4772,6 +4840,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -15891,7 +16249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5109,7 +5184,7 @@ +@@ -5109,7 +5185,7 @@ # interface(`userdom_relabelto_generic_user_home_dirs',` gen_require(` @@ -15900,10 +16258,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_search_home($1) -@@ -5298,6 +5373,28 @@ +@@ -5298,8 +5374,8 @@ ######################################## ##

+-## Create, read, write, and delete directories in +-## unprivileged users home directories. ++## append all unprivileged users home directory ++## files. + ## + ## + ## +@@ -5307,13 +5383,56 @@ + ## + ## + # +-interface(`userdom_manage_unpriv_users_home_content_dirs',` ++interface(`userdom_append_unpriv_users_home_content_files',` + gen_require(` + attribute user_home_dir_type, user_home_type; + ') + + files_search_home($1) +- manage_dirs_pattern($1,{ user_home_dir_type user_home_type },user_home_type) ++ allow $1 user_home_type:dir list_dir_perms; ++ append_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type) ++') ++ ++######################################## ++## +## dontaudit Read all unprivileged users home directory +## files. +## @@ -15926,10 +16309,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + +######################################## +## - ## Create, read, write, and delete directories in - ## unprivileged users home directories. - ## -@@ -5503,6 +5600,24 @@ ++## Create, read, write, and delete directories in ++## unprivileged users home directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_manage_unpriv_users_home_content_dirs',` ++ gen_require(` ++ attribute user_home_dir_type, user_home_type; ++ ') ++ ++ files_search_home($1) ++ manage_dirs_pattern($1,{ user_home_dir_type user_home_type },user_home_type) + ') + + ######################################## +@@ -5503,6 +5622,24 @@ ######################################## ## @@ -15954,7 +16353,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Read and write unprivileged user ttys. ## ## -@@ -5668,6 +5783,24 @@ +@@ -5668,6 +5805,24 @@ ######################################## ## @@ -15979,7 +16378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5698,3 +5831,277 @@ +@@ -5698,3 +5853,277 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -16259,7 +16658,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.2.3/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/system/userdomain.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/userdomain.te 2007-12-06 16:37:24.000000000 -0500 @@ -17,20 +17,13 @@ ## @@ -16435,12 +16834,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.fc serefpolicy-3.2.3/policy/modules/system/virt.fc --- nsaserefpolicy/policy/modules/system/virt.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/system/virt.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/virt.fc 2007-12-06 16:37:24.000000000 -0500 @@ -0,0 +1 @@ +/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.if serefpolicy-3.2.3/policy/modules/system/virt.if --- nsaserefpolicy/policy/modules/system/virt.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/system/virt.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/virt.if 2007-12-06 16:37:24.000000000 -0500 @@ -0,0 +1,78 @@ +## Virtualization + @@ -16522,14 +16921,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.2.3/policy/modules/system/virt.te --- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/system/virt.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/virt.te 2007-12-06 16:37:24.000000000 -0500 @@ -0,0 +1,3 @@ +# var/lib files +type virt_var_lib_t; +files_type(virt_var_lib_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.2.3/policy/modules/system/xen.if --- nsaserefpolicy/policy/modules/system/xen.if 2007-06-21 09:32:04.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/system/xen.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/xen.if 2007-12-06 16:37:24.000000000 -0500 @@ -191,3 +191,24 @@ domtrans_pattern($1,xm_exec_t,xm_t) @@ -16557,7 +16956,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.2.3/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2007-10-12 08:56:08.000000000 -0400 -+++ serefpolicy-3.2.3/policy/modules/system/xen.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/xen.te 2007-12-06 16:37:24.000000000 -0500 @@ -6,6 +6,13 @@ # Declarations # @@ -16744,17 +17143,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.fc serefpolicy-3.2.3/policy/modules/users/guest.fc --- nsaserefpolicy/policy/modules/users/guest.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/users/guest.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/users/guest.fc 2007-12-06 16:37:24.000000000 -0500 @@ -0,0 +1 @@ +# No guest file contexts. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.if serefpolicy-3.2.3/policy/modules/users/guest.if --- nsaserefpolicy/policy/modules/users/guest.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/users/guest.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/users/guest.if 2007-12-06 16:37:24.000000000 -0500 @@ -0,0 +1 @@ +## Policy for guest user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.2.3/policy/modules/users/guest.te --- nsaserefpolicy/policy/modules/users/guest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/users/guest.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/users/guest.te 2007-12-06 16:37:24.000000000 -0500 @@ -0,0 +1,4 @@ +policy_module(guest,1.0.1) +userdom_restricted_user_template(guest) @@ -16762,17 +17161,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.t + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.2.3/policy/modules/users/logadm.fc --- nsaserefpolicy/policy/modules/users/logadm.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/users/logadm.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/users/logadm.fc 2007-12-06 16:37:24.000000000 -0500 @@ -0,0 +1 @@ +# No logadm file contexts. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.if serefpolicy-3.2.3/policy/modules/users/logadm.if --- nsaserefpolicy/policy/modules/users/logadm.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/users/logadm.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/users/logadm.if 2007-12-06 16:37:24.000000000 -0500 @@ -0,0 +1 @@ +## Policy for logadm user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.te serefpolicy-3.2.3/policy/modules/users/logadm.te --- nsaserefpolicy/policy/modules/users/logadm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/users/logadm.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/users/logadm.te 2007-12-06 16:37:24.000000000 -0500 @@ -0,0 +1,11 @@ +policy_module(logadm,1.0.0) + @@ -16787,22 +17186,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm. +logging_admin(logadm_t, logadm_r, { logadm_devpts_t logadm_tty_device_t }) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/metadata.xml serefpolicy-3.2.3/policy/modules/users/metadata.xml --- nsaserefpolicy/policy/modules/users/metadata.xml 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/users/metadata.xml 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/users/metadata.xml 2007-12-06 16:37:24.000000000 -0500 @@ -0,0 +1 @@ +Policy modules for users diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.fc serefpolicy-3.2.3/policy/modules/users/webadm.fc --- nsaserefpolicy/policy/modules/users/webadm.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/users/webadm.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/users/webadm.fc 2007-12-06 16:37:24.000000000 -0500 @@ -0,0 +1 @@ +# No webadm file contexts. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.if serefpolicy-3.2.3/policy/modules/users/webadm.if --- nsaserefpolicy/policy/modules/users/webadm.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/users/webadm.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/users/webadm.if 2007-12-06 16:37:24.000000000 -0500 @@ -0,0 +1 @@ +## Policy for webadm user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.2.3/policy/modules/users/webadm.te --- nsaserefpolicy/policy/modules/users/webadm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/users/webadm.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/users/webadm.te 2007-12-06 16:37:24.000000000 -0500 @@ -0,0 +1,42 @@ +policy_module(webadm,1.0.0) + @@ -16848,17 +17247,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm. +allow webadm_t gadmin_t:dir getattr; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.fc serefpolicy-3.2.3/policy/modules/users/xguest.fc --- nsaserefpolicy/policy/modules/users/xguest.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/users/xguest.fc 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/users/xguest.fc 2007-12-06 16:37:24.000000000 -0500 @@ -0,0 +1 @@ +# No xguest file contexts. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.if serefpolicy-3.2.3/policy/modules/users/xguest.if --- nsaserefpolicy/policy/modules/users/xguest.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/users/xguest.if 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/users/xguest.if 2007-12-06 16:37:24.000000000 -0500 @@ -0,0 +1 @@ +## Policy for xguest user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.te serefpolicy-3.2.3/policy/modules/users/xguest.te --- nsaserefpolicy/policy/modules/users/xguest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/users/xguest.te 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/users/xguest.te 2007-12-06 16:37:24.000000000 -0500 @@ -0,0 +1,55 @@ +policy_module(xguest,1.0.1) + @@ -16917,7 +17316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.2.3/policy/support/obj_perm_sets.spt --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.3/policy/support/obj_perm_sets.spt 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/support/obj_perm_sets.spt 2007-12-06 16:37:24.000000000 -0500 @@ -204,7 +204,7 @@ define(`getattr_file_perms',`{ getattr }') define(`setattr_file_perms',`{ setattr }') @@ -16943,7 +17342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets +define(`manage_key_perms', `{ create link read search setattr view write } ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.2.3/policy/users --- nsaserefpolicy/policy/users 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.3/policy/users 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/users 2007-12-06 16:37:24.000000000 -0500 @@ -16,7 +16,7 @@ # and a user process should never be assigned the system user # identity. @@ -16978,9 +17377,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.2 - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) -') +gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.2.3/Rules.modular +--- nsaserefpolicy/Rules.modular 2007-10-02 09:54:53.000000000 -0400 ++++ serefpolicy-3.2.3/Rules.modular 2007-12-11 00:14:37.000000000 -0500 +@@ -74,8 +74,8 @@ + $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te + @echo "Compliling $(NAME) $(@F) module" + @test -d $(tmpdir) || mkdir -p $(tmpdir) +- $(call perrole-expansion,$(basename $(@F)),$@.role) +- $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp) ++# $(call perrole-expansion,$(basename $(@F)),$@.role) ++ $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp) + $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ + + $(tmpdir)/%.mod.fc: $(m4support) %.fc +@@ -130,7 +130,7 @@ + @test -d $(tmpdir) || mkdir -p $(tmpdir) + # define all available object classes + $(verbose) $(genperm) $(avs) $(secclass) > $@ +- $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@) ++# $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@) + $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true + + $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy +@@ -148,7 +148,7 @@ + $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy + $(tmpdir)/rolemap.conf: $(rolemap) + $(verbose) echo "" > $@ +- $(call parse-rolemap,base,$@) ++# $(call parse-rolemap,base,$@) + + $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy + $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.2.3/Rules.monolithic --- nsaserefpolicy/Rules.monolithic 2007-11-20 06:55:20.000000000 -0500 -+++ serefpolicy-3.2.3/Rules.monolithic 2007-12-06 14:13:13.000000000 -0500 ++++ serefpolicy-3.2.3/Rules.monolithic 2007-12-06 16:37:24.000000000 -0500 @@ -96,7 +96,7 @@ # # Load the binary policy