From e0c99a57eddcdbae9653827857f5b943211439c4 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Dec 31 2007 21:06:02 +0000 Subject: - Fix munin log, - Eliminate duplicate mozilla file context - fix wpa_supplicant spec --- diff --git a/policy-20071130.patch b/policy-20071130.patch index d84decb..fc895d6 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -3463,8 +3463,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.5/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-12-12 11:35:27.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/kernel/corecommands.fc 2007-12-19 05:38:08.000000000 -0500 -@@ -127,6 +127,8 @@ ++++ serefpolicy-3.2.5/policy/modules/kernel/corecommands.fc 2007-12-31 11:50:26.000000000 -0500 +@@ -7,6 +7,7 @@ + /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) + /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) + /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) + /bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0) + /bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) + /bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0) +@@ -58,6 +59,8 @@ + + /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) + ++/etc/NetworkManager/dispatcher.d(/.*)? gen_context(system_u:object_r:bin_t,s0) ++ + /etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0) + /etc/ppp/ip-up\..* -- gen_context(system_u:object_r:bin_t,s0) + /etc/ppp/ipv6-up\..* -- gen_context(system_u:object_r:bin_t,s0) +@@ -127,6 +130,8 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') 
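Review bot: `/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)` makes every shell execute and transition rule in the policy apply to a restricted login shell; that is presumably so ssh logins whose shell is git-shell transition the same way as `/bin/sh`, but nothing in the hunk says so. The entry is also dropped between `/bin/bash2` and `/bin/ksh.*` although corecommands.fc keeps a `# /usr` section (visible in the next hunk) for `/usr` paths. I would move the line into that section and precede it with `# git-shell is a login shell; label it so logins transition like the other shells`.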
@@ -3473,7 +3490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco # # /usr # -@@ -147,7 +149,7 @@ +@@ -147,7 +152,7 @@ /usr/lib(64)?/cups/backend(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/cups/cgi-bin/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/cups/daemon(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -3482,7 +3499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) -@@ -186,6 +188,8 @@ +@@ -186,6 +191,8 @@ /usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/local/Printer/[^/]*/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -3504,16 +3521,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-11-29 13:29:34.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in 2007-12-19 05:38:08.000000000 -0500 -@@ -122,6 +122,7 @@ ++++ serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in 2007-12-31 07:12:10.000000000 -0500 +@@ -122,6 +122,8 @@ network_port(mmcc, tcp,5050,s0, udp,5050,s0) network_port(monopd, tcp,1234,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) +network_port(munin, tcp,4949,s0, udp,4949,s0) ++network_port(mythtv, tcp,6543,s0, udp,6543,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0) portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0) network_port(nessus, tcp,1241,s0) -@@ -133,6 +134,7 @@ +@@ -133,6 +135,7 @@ network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) network_port(postfix_policyd, tcp,10031,s0) 
@@ -3523,7 +3541,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(postgresql, tcp,5432,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.2.5/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-12-12 11:35:27.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/kernel/devices.fc 2007-12-19 05:38:08.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/kernel/devices.fc 2007-12-31 08:18:04.000000000 -0500 @@ -22,6 +22,7 @@ /dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) /dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0) @@ -3532,7 +3550,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0) /dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0) /dev/hidraw.* -c gen_context(system_u:object_r:usb_device_t,s0) -@@ -33,6 +34,7 @@ +@@ -29,10 +30,13 @@ + /dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0) + /dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0) + /dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0) ++/dev/ipmi[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0) ++/dev/ipmi/[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0) + /dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0) /dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) 
@@ -3702,8 +3726,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.2.5/policy/modules/kernel/devices.te --- nsaserefpolicy/policy/modules/kernel/devices.te 2007-12-19 05:32:07.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/kernel/devices.te 2007-12-19 05:38:08.000000000 -0500 -@@ -72,6 +72,13 @@ ++++ serefpolicy-3.2.5/policy/modules/kernel/devices.te 2007-12-31 08:18:37.000000000 -0500 +@@ -66,12 +66,25 @@ + dev_node(framebuf_device_t) + + # ++# Type for /dev/ipmi/0 ++# ++type ipmi_device_t; ++dev_node(ipmi_device_t) ++ ++# + # Type for /dev/kmsg + # + type kmsg_device_t; dev_node(kmsg_device_t) # @@ -4137,7 +4173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.2.5/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2007-10-23 17:17:42.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/services/apache.if 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/apache.if 2007-12-31 07:06:22.000000000 -0500 @@ -18,10 +18,6 @@ attribute httpd_script_exec_type; type httpd_t, httpd_suexec_t, httpd_log_t; @@ -4166,7 +4202,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac kernel_dontaudit_search_sysctl(httpd_$1_script_t) kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t) -@@ -120,10 +115,6 @@ +@@ -96,6 +91,7 @@ + dev_read_urand(httpd_$1_script_t) + + corecmd_exec_all_executables(httpd_$1_script_t) ++ application_exec_all(httpd_$1_script_t) + + files_exec_etc_files(httpd_$1_script_t) + files_read_etc_files(httpd_$1_script_t) +@@ -120,10 +116,6 @@ can_exec(httpd_$1_script_t, httpdcontent) ') 
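Review bot: The new comment `# Type for /dev/ipmi/0` under-describes the type, since the devices.fc hunk in the previous line labels both `/dev/ipmi[0-9]+` and `/dev/ipmi/[0-9]+` as `ipmi_device_t`; write `# Type for /dev/ipmi[0-9]+ and /dev/ipmi/[0-9]+`. No `dev_*` interface for `ipmi_device_t` appears anywhere in this patch, so unless one is added in devices.if the only way a domain reaches these nodes is through interfaces that cover all device nodes — worth confirming a consumer exists before the type lands.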
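Review bot: `application_exec_all(httpd_$1_script_t)` widens what a CGI script domain may execute from the bin/shell executables the earlier rules named to every executable type that interface covers, and it sits directly under `corecmd_exec_all_executables(httpd_$1_script_t)`, so if application_exec_all already includes corecmd execution (it does in the refpolicy I know; confirm against application.if) the pair is redundant. The same replacement is made for `httpd_t` in the apache.te hunk `@@ -315,9 +350,7 @@` and for `httpd_suexec_t` in `@@ -593,9 +676,7 @@`, where it also drops the why-comments `# execute perl` and `# for shell scripts`. For a network-facing daemon and its script domains this is a material loosening, so either keep the narrower `corecmd_exec_bin`/`corecmd_exec_shell` pair or put a comment on each call naming what beyond bin_t and shell_exec_t has to run, e.g. `# CGI and suexec helpers execute application executables, not only bin_t/shell_exec_t`.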
@@ -4177,7 +4221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # Allow the web server to run scripts and serve pages tunable_policy(`httpd_builtin_scripting',` manage_dirs_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) -@@ -177,48 +168,6 @@ +@@ -177,48 +169,6 @@ miscfiles_read_localization(httpd_$1_script_t) ') @@ -4226,7 +4270,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac optional_policy(` tunable_policy(`httpd_enable_cgi && allow_ypbind',` nis_use_ypbind_uncond(httpd_$1_script_t) -@@ -267,7 +216,7 @@ +@@ -267,7 +217,7 @@ attribute httpdcontent, httpd_script_domains; attribute httpd_exec_scripts, httpd_user_content_type; attribute httpd_user_script_exec_type; @@ -4235,7 +4279,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') apache_content_template($1) -@@ -331,6 +280,7 @@ +@@ -331,6 +281,7 @@ userdom_search_user_home_dirs($1,httpd_t) userdom_search_user_home_dirs($1,httpd_suexec_t) userdom_search_user_home_dirs($1,httpd_$1_script_t) @@ -4243,7 +4287,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -352,12 +302,11 @@ +@@ -352,12 +303,11 @@ # template(`apache_read_user_scripts',` gen_require(` @@ -4260,7 +4304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -378,12 +327,12 @@ +@@ -378,12 +328,12 @@ # template(`apache_read_user_content',` gen_require(` @@ -4277,7 +4321,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -761,6 +710,7 @@ +@@ -761,6 +711,7 @@ ') allow $1 httpd_modules_t:dir list_dir_perms; @@ -4285,7 +4329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -845,6 +795,10 @@ +@@ -845,6 +796,10 @@ type httpd_sys_script_t; ') 
@@ -4296,7 +4340,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified',` domtrans_pattern($1, httpdcontent, httpd_sys_script_t) ') -@@ -932,7 +886,7 @@ +@@ -932,7 +887,7 @@ type httpd_squirrelmail_t; ') @@ -4305,7 +4349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -1088,3 +1042,138 @@ +@@ -1088,3 +1043,138 @@ allow httpd_t $1:process signal; ') @@ -4446,7 +4490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.2.5/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/apache.te 2007-12-26 19:16:19.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/apache.te 2007-12-31 07:20:25.000000000 -0500 @@ -20,6 +20,8 @@ # Declarations # @@ -4559,7 +4603,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -335,6 +370,10 @@ +@@ -315,9 +350,7 @@ + + auth_use_nsswitch(httpd_t) + +-# execute perl +-corecmd_exec_bin(httpd_t) +-corecmd_exec_shell(httpd_t) ++application_exec_all(httpd_t) + + domain_use_interactive_fds(httpd_t) + +@@ -335,6 +368,10 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -4570,7 +4625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac libs_use_ld_so(httpd_t) libs_use_shared_libs(httpd_t) -@@ -351,8 +390,6 @@ +@@ -351,8 +388,6 @@ userdom_use_unpriv_users_fds(httpd_t) 
@@ -4579,7 +4634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`allow_httpd_anon_write',` miscfiles_manage_public_files(httpd_t) ') -@@ -361,6 +398,13 @@ +@@ -361,6 +396,13 @@ # # We need optionals to be able to be within booleans to make this work # @@ -4593,7 +4648,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`allow_httpd_mod_auth_pam',` auth_domtrans_chk_passwd(httpd_t) ') -@@ -370,6 +414,16 @@ +@@ -370,6 +412,16 @@ corenet_tcp_connect_all_ports(httpd_t) ') @@ -4610,7 +4665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_relay',` # allow httpd to work as a relay corenet_tcp_connect_gopher_port(httpd_t) -@@ -382,6 +436,10 @@ +@@ -382,6 +434,10 @@ corenet_sendrecv_http_cache_client_packets(httpd_t) ') @@ -4621,7 +4676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) -@@ -399,11 +457,21 @@ +@@ -399,11 +455,21 @@ fs_read_nfs_symlinks(httpd_t) ') @@ -4643,18 +4698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -425,6 +493,10 @@ - ') - - optional_policy(` -+ application_exec(httpd_t) -+') -+ -+optional_policy(` - calamaris_read_www_files(httpd_t) - ') - -@@ -437,8 +509,14 @@ +@@ -437,8 +503,14 @@ ') optional_policy(` @@ -4670,7 +4714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -450,19 +528,13 @@ +@@ -450,19 +522,13 @@ ') optional_policy(` 
@@ -4691,7 +4735,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -472,13 +544,14 @@ +@@ -472,13 +538,14 @@ openca_kill(httpd_t) ') @@ -4710,7 +4754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -486,6 +559,7 @@ +@@ -486,6 +553,7 @@ ') optional_policy(` @@ -4718,7 +4762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -521,6 +595,13 @@ +@@ -521,6 +589,13 @@ userdom_use_sysadm_terms(httpd_helper_t) ') @@ -4732,7 +4776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -550,18 +631,24 @@ +@@ -550,18 +625,24 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -4760,7 +4804,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -585,6 +672,8 @@ +@@ -585,6 +666,8 @@ manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -4769,7 +4813,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -638,6 +727,12 @@ +@@ -593,9 +676,7 @@ + + fs_search_auto_mountpoints(httpd_suexec_t) + +-# for shell scripts +-corecmd_exec_bin(httpd_suexec_t) +-corecmd_exec_shell(httpd_suexec_t) ++application_exec_all(httpd_suexec_t) + + files_read_etc_files(httpd_suexec_t) + files_read_usr_files(httpd_suexec_t) +@@ -638,6 +719,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') 
@@ -4782,7 +4837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -655,10 +750,6 @@ +@@ -655,10 +742,6 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -4793,7 +4848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -668,7 +759,8 @@ +@@ -668,7 +751,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -4803,7 +4858,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) -@@ -682,15 +774,44 @@ +@@ -682,15 +766,44 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -4815,15 +4870,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +tunable_policy(`httpd_use_nfs', ` - fs_read_nfs_files(httpd_sys_script_t) - fs_read_nfs_symlinks(httpd_sys_script_t) - ') - -+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', ` + fs_read_nfs_files(httpd_sys_script_t) + fs_read_nfs_symlinks(httpd_sys_script_t) +') + ++tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', ` + fs_read_nfs_files(httpd_sys_script_t) + fs_read_nfs_symlinks(httpd_sys_script_t) + ') + +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` + allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; + allow httpd_sys_script_t self:udp_socket create_socket_perms; 
@@ -4849,7 +4904,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -700,9 +821,15 @@ +@@ -700,9 +813,15 @@ clamav_domtrans_clamscan(httpd_sys_script_t) ') @@ -4865,7 +4920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -724,3 +851,46 @@ +@@ -724,3 +843,46 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) @@ -5091,7 +5146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.2.5/policy/modules/services/clamav.fc --- nsaserefpolicy/policy/modules/services/clamav.fc 2007-09-05 15:24:44.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/services/clamav.fc 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/clamav.fc 2007-12-31 09:05:46.000000000 -0500 @@ -5,16 +5,18 @@ /usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0) 
@@ -5108,9 +5163,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam -/var/log/clamav -d gen_context(system_u:object_r:clamd_var_log_t,s0) -/var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0) -+/var/log/clamav(/.*)? gen_context(system_u:object_r:clamd_var_log_t,s0) ++/var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0) /var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0) -+/var/log/clamav.milter -- gen_context(system_u:object_r:clamd_var_log_t,s0) ++/var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0) /var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.2.5/policy/modules/services/clamav.te @@ -5208,7 +5263,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron +/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.2.5/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/services/cron.if 2007-12-20 14:02:12.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/cron.if 2007-12-31 15:17:06.000000000 -0500 @@ -35,38 +35,23 @@ # template(`cron_per_role_template',` 
@@ -7254,9 +7309,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb ') optional_policy(` +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-3.2.5/policy/modules/services/lpd.if +--- nsaserefpolicy/policy/modules/services/lpd.if 2007-11-16 13:45:14.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/lpd.if 2007-12-31 06:40:50.000000000 -0500 +@@ -336,10 +336,8 @@ + ') + + files_search_spool($1) ++ manage_dirs_pattern($1,print_spool_t,print_spool_t) + manage_files_pattern($1,print_spool_t,print_spool_t) +- +- # cjp: cups wants setattr +- allow $1 print_spool_t:dir setattr; + ') + + ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.2.5/policy/modules/services/mailman.if --- nsaserefpolicy/policy/modules/services/mailman.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/mailman.if 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/mailman.if 2007-12-31 14:18:13.000000000 -0500 @@ -211,6 +211,7 @@ type mailman_data_t; ') 
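Review bot: `manage_dirs_pattern($1,print_spool_t,print_spool_t)` replaces a single `setattr` on `print_spool_t` directories with create, delete and rename rights for every caller of this interface, and the removed `# cjp: cups wants setattr` was the only record of why the narrow rule existed; the interface header is outside the hunk, so the affected callers are not visible here. If only directory creation is needed, `create_dirs_pattern` is the smaller step; either way keep a comment such as `# cups needs to create and remove its spool subdirectories` (confirm against the denial that motivated this).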
@@ -7265,6 +7335,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail manage_files_pattern($1,mailman_data_t,mailman_data_t) ') +@@ -252,6 +253,25 @@ + + ####################################### + ## ++## read ++## mailman logs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mailman_read_log',` ++ gen_require(` ++ type mailman_log_t; ++ ') ++ ++ read_files_pattern($1,mailman_log_t,mailman_log_t) ++') ++ ++####################################### ++## + ## Append to mailman logs. + ## + ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.2.5/policy/modules/services/mailman.te --- nsaserefpolicy/policy/modules/services/mailman.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/mailman.te 2007-12-19 05:38:09.000000000 -0500 
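Review bot: The summary of the new `mailman_read_log` interface is split as `## read` / `## mailman logs.`, which reads poorly in the generated documentation next to the existing `## Append to mailman logs.`. Write it as one line with a capital, `## Read mailman logs.`. The `gen_require`/`read_files_pattern` body matches the shape of its append sibling, so nothing else to change.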
@@ -7644,18 +7740,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.2.5/policy/modules/services/munin.fc --- nsaserefpolicy/policy/modules/services/munin.fc 2007-04-30 10:41:38.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/services/munin.fc 2007-12-19 05:38:09.000000000 -0500 -@@ -8,4 +8,5 @@ ++++ serefpolicy-3.2.5/policy/modules/services/munin.fc 2007-12-31 05:55:51.000000000 -0500 +@@ -6,6 +6,7 @@ + /usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0) + /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) - /var/log/munin.* -- gen_context(system_u:object_r:munin_log_t,s0) +-/var/log/munin.* -- gen_context(system_u:object_r:munin_log_t,s0) ++/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) /var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) -/var/www/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) +/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) +/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.2.5/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/munin.te 2007-12-19 05:38:09.000000000 -0500 -@@ -37,6 +37,9 @@ ++++ serefpolicy-3.2.5/policy/modules/services/munin.te 2007-12-31 06:15:20.000000000 -0500 +@@ -37,14 +37,18 @@ allow munin_t self:unix_dgram_socket { create_socket_perms sendto }; allow munin_t self:tcp_socket create_stream_socket_perms; allow munin_t self:udp_socket create_socket_perms; 
@@ -7665,7 +7764,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni allow munin_t munin_etc_t:dir list_dir_perms; read_files_pattern(munin_t,munin_etc_t,munin_etc_t) -@@ -73,6 +76,7 @@ + read_lnk_files_pattern(munin_t,munin_etc_t,munin_etc_t) + files_search_etc(munin_t) + +-allow munin_t munin_log_t:file manage_file_perms; +-logging_log_filetrans(munin_t,munin_log_t,file) ++manage_dirs_pattern(munin_t, munin_log_t, munin_log_t) ++manage_files_pattern(munin_t, munin_log_t, munin_log_t) ++logging_log_filetrans(munin_t,munin_log_t,{ file dir }) + + manage_dirs_pattern(munin_t,munin_tmp_t,munin_tmp_t) + manage_files_pattern(munin_t,munin_tmp_t,munin_tmp_t) +@@ -73,6 +77,7 @@ corenet_udp_sendrecv_all_nodes(munin_t) corenet_tcp_sendrecv_all_ports(munin_t) corenet_udp_sendrecv_all_ports(munin_t) @@ -7673,7 +7783,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni dev_read_sysfs(munin_t) dev_read_urand(munin_t) -@@ -91,6 +95,7 @@ +@@ -91,6 +96,7 @@ logging_send_syslog_msg(munin_t) @@ -7681,7 +7791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni miscfiles_read_localization(munin_t) sysnet_read_config(munin_t) -@@ -118,3 +123,9 @@ +@@ -118,3 +124,9 @@ optional_policy(` udev_read_db(munin_t) ') 
@@ -7785,8 +7895,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.2.5/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/mysql.te 2007-12-19 05:38:09.000000000 -0500 -@@ -25,6 +25,9 @@ ++++ serefpolicy-3.2.5/policy/modules/services/mysql.te 2007-12-31 06:59:38.000000000 -0500 +@@ -1,4 +1,3 @@ +- + policy_module(mysql,1.6.0) + + ######################################## +@@ -25,6 +24,9 @@ type mysqld_tmp_t; files_tmp_file(mysqld_tmp_t) @@ -7796,6 +7911,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq ######################################## # # Local policy +@@ -33,7 +35,8 @@ + allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service }; + dontaudit mysqld_t self:capability sys_tty_config; + allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh }; +-allow mysqld_t self:fifo_file { read write }; ++allow mysqld_t self:fifo_file rw_fifo_file_perms; ++allow mysqld_t self:shm create_shm_file_perms; + allow mysqld_t self:unix_stream_socket create_stream_socket_perms; + allow mysqld_t self:tcp_socket create_stream_socket_perms; + allow mysqld_t self:udp_socket create_socket_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.2.5/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/nagios.fc 2007-12-19 05:38:09.000000000 -0500 
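Review bot: `allow mysqld_t self:shm create_shm_file_perms;` uses a permission set I do not believe exists: refpolicy's object permission sets spell the shm one `create_shm_perms` (there is no `*_file_*` variant for the shm class), and an unknown m4 name passes through untouched, so the policy compiler should reject the module. Unless this tree defines `create_shm_file_perms` elsewhere, the line should read `allow mysqld_t self:shm create_shm_perms;`. The `rw_fifo_file_perms` change on the line above is the right idiom.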
@@ -7948,12 +8073,42 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.2.5/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2007-09-12 10:34:18.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/services/networkmanager.fc 2007-12-19 05:38:09.000000000 -0500 -@@ -5,3 +5,4 @@ ++++ serefpolicy-3.2.5/policy/modules/services/networkmanager.fc 2007-12-31 08:48:44.000000000 -0500 +@@ -1,7 +1,9 @@ + /usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) + /usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) ++/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) + + /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant(/.*)? 
gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) -+/var/log/wpa_supplicant\.log -- gen_context(system_u:object_r:NetworkManager_log_t,s0) ++/var/log/wpa_supplicant\.log.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.2.5/policy/modules/services/networkmanager.if +--- nsaserefpolicy/policy/modules/services/networkmanager.if 2007-06-12 10:15:45.000000000 -0400 ++++ serefpolicy-3.2.5/policy/modules/services/networkmanager.if 2007-12-31 08:55:52.000000000 -0500 +@@ -97,3 +97,21 @@ + allow $1 NetworkManager_t:dbus send_msg; + allow NetworkManager_t $1:dbus send_msg; + ') ++ ++######################################## ++## ++## Send a generic signal to NetworkManager ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`networkmanager_signal',` ++ gen_require(` ++ type NetworkManager_t; ++ ') ++ ++ allow $1 NetworkManager_t:process signal; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.2.5/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/networkmanager.te 2007-12-26 20:31:36.000000000 -0500 @@ -8687,7 +8842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.2.5/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/postfix.te 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/postfix.te 2007-12-31 14:18:01.000000000 -0500 @@ -6,6 +6,14 @@ # Declarations # 
@@ -8758,15 +8913,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post mta_read_aliases(postfix_local_t) mta_delete_spool(postfix_local_t) # For reading spamassasin -@@ -285,6 +306,7 @@ +@@ -285,6 +306,8 @@ optional_policy(` # for postalias mailman_manage_data_files(postfix_local_t) + mailman_append_log(postfix_local_t) ++ mailman_read_log(postfix_local_t) ') optional_policy(` -@@ -295,8 +317,7 @@ +@@ -295,8 +318,7 @@ # # Postfix map local policy # @@ -8776,7 +8932,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; allow postfix_map_t self:unix_dgram_socket create_socket_perms; allow postfix_map_t self:tcp_socket create_stream_socket_perms; -@@ -346,8 +367,6 @@ +@@ -346,8 +368,6 @@ miscfiles_read_localization(postfix_map_t) @@ -8785,7 +8941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post tunable_policy(`read_default_t',` files_list_default(postfix_map_t) files_read_default_files(postfix_map_t) -@@ -360,6 +379,11 @@ +@@ -360,6 +380,11 @@ locallogin_dontaudit_use_fds(postfix_map_t) ') @@ -8797,7 +8953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix pickup local policy -@@ -392,6 +416,10 @@ +@@ -392,6 +417,10 @@ rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t) optional_policy(` @@ -8808,7 +8964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post procmail_domtrans(postfix_pipe_t) ') -@@ -400,6 +428,10 @@ +@@ -400,6 +429,10 @@ ') optional_policy(` 
@@ -8819,7 +8975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post uucp_domtrans_uux(postfix_pipe_t) ') -@@ -532,9 +564,6 @@ +@@ -532,9 +565,6 @@ # connect to master process stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t) @@ -8829,7 +8985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post # for prng_exch allow postfix_smtpd_t postfix_spool_t:file rw_file_perms; allow postfix_smtpd_t postfix_prng_t:file rw_file_perms; -@@ -557,6 +586,10 @@ +@@ -557,6 +587,10 @@ sasl_connect(postfix_smtpd_t) ') @@ -8957,8 +9113,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. # Fix pptp sockets diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.2.5/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/ppp.te 2007-12-19 05:38:09.000000000 -0500 -@@ -194,6 +194,8 @@ ++++ serefpolicy-3.2.5/policy/modules/services/ppp.te 2007-12-31 08:54:45.000000000 -0500 +@@ -162,6 +162,8 @@ + init_read_utmp(pppd_t) + init_dontaudit_write_utmp(pppd_t) + ++auth_use_nsswitch(pppd_t) ++ + libs_use_ld_so(pppd_t) + libs_use_shared_libs(pppd_t) + +@@ -194,14 +196,12 @@ optional_policy(` mta_send_mail(pppd_t) 
@@ -8967,6 +9132,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. ') optional_policy(` +- nis_use_ypbind(pppd_t) +-') +- +-optional_policy(` +- nscd_socket_use(pppd_t) ++ NetworkManager_signal(pppd_t) + ') + + optional_policy(` +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.if serefpolicy-3.2.5/policy/modules/services/procmail.if +--- nsaserefpolicy/policy/modules/services/procmail.if 2007-01-02 12:57:43.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/procmail.if 2007-12-31 15:18:55.000000000 -0500 +@@ -39,3 +39,22 @@ + corecmd_search_bin($1) + can_exec($1,procmail_exec_t) + ') ++ ++######################################## ++## ++## Read procmail tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`procmail_read_tmp_files',` ++ gen_require(` ++ type procmail_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ allow $1 procmail_tmp_t:file read_file_perms; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.2.5/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/procmail.te 2007-12-26 18:16:54.000000000 -0500 @@ -9025,7 +9225,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.2.5/policy/modules/services/pyzor.te --- nsaserefpolicy/policy/modules/services/pyzor.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/pyzor.te 2007-12-27 11:44:33.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/pyzor.te 2007-12-31 15:19:10.000000000 -0500 @@ -28,6 +28,9 @@ type pyzor_var_lib_t; files_type(pyzor_var_lib_t) 
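Review bot: The header of the new `procmail_read_tmp_files` interface in procmail.if shows empty `##` lines where refpolicy's XML documentation markup (`<summary>`, `<param name="domain">`) normally sits; if those tags were really omitted rather than stripped by this rendering, the interface will produce no generated documentation. The header should read `## <summary>Read procmail tmp files.</summary>` followed by a `<param name="domain">` block whose summary is `## Domain allowed access.`. The ppp.te part of the hunk, which swaps the `nis_use_ypbind`/`nscd_socket_use` blocks for `NetworkManager_signal(pppd_t)`, is consistent with the `auth_use_nsswitch(pppd_t)` added in the preceding hunk and raises nothing on its own.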
@@ -9045,6 +9245,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo userdom_dontaudit_search_sysadm_home_dirs(pyzor_t) optional_policy(` +@@ -76,8 +81,13 @@ + ') + + optional_policy(` ++ procmail_read_tmp_files(pyzor_t) ++') ++ ++optional_policy(` + spamassassin_signal_spamd(pyzor_t) + spamassassin_read_spamd_tmp_files(pyzor_t) ++ userdom_read_user_home_content_files(unconfined,pyzor_t) + ') + + ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.2.5/policy/modules/services/razor.fc --- nsaserefpolicy/policy/modules/services/razor.fc 2007-10-12 08:56:07.000000000 -0400 +++ serefpolicy-3.2.5/policy/modules/services/razor.fc 2007-12-19 05:38:09.000000000 -0500 @@ -9991,8 +10205,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.2.5/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/sendmail.te 2007-12-19 05:38:09.000000000 -0500 -@@ -20,12 +20,16 @@ ++++ serefpolicy-3.2.5/policy/modules/services/sendmail.te 2007-12-31 15:42:11.000000000 -0500 +@@ -20,13 +20,17 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) 
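Review bot: `userdom_read_user_home_content_files(unconfined,pyzor_t)` sits inside the `optional_policy` block that wraps the spamassassin interfaces, so it only takes effect when the spamassassin module is loaded even though it has no dependency on it, and it hard-codes the `unconfined` user prefix while granting pyzor_t read access to every home-content file of that role rather than only pyzor's own files. If the intent is to let pyzor read its per-user state (presumably a dotdir in the home directory), move the call out of the spamassassin block into the unconditional section, the way `procmail_read_tmp_files(pyzor_t)` gets its own block just above, and record why the whole home-content type is needed, e.g. `# pyzor reads its per-user data from the user's home directory`. The pyzor_t policy section continues outside the hunk.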
@@ -10006,10 +10220,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send # -allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config }; +-allow sendmail_t self:process signal; +allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config }; - allow sendmail_t self:process signal; ++allow sendmail_t self:process { signal signull }; allow sendmail_t self:fifo_file rw_fifo_file_perms; allow sendmail_t self:unix_stream_socket create_stream_socket_perms; + allow sendmail_t self:unix_dgram_socket create_socket_perms; @@ -47,6 +51,7 @@ kernel_read_kernel_sysctls(sendmail_t) # for piping mail to a command @@ -12611,7 +12827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.2.5/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2007-12-12 11:35:28.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/libraries.fc 2007-12-27 11:40:35.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/libraries.fc 2007-12-31 05:53:37.000000000 -0500 @@ -183,6 +183,7 @@ /usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -12620,17 +12836,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -242,7 +243,8 @@ +@@ -242,7 +243,7 @@ # Flash plugin, Macromedia HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -292,6 +294,8 @@ +@@ -292,6 +293,8 @@ # # /var # @@ -12639,7 +12854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) -@@ -304,3 +308,4 @@ +@@ -304,3 +307,4 @@ /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)