diff --git a/policy-20070703.patch b/policy-20070703.patch
index f284787..5b92dd5 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -1,6 +1,6 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.0.7/config/appconfig-mcs/default_contexts
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.0.8/config/appconfig-mcs/default_contexts
--- nsaserefpolicy/config/appconfig-mcs/default_contexts 2007-08-02 08:17:32.000000000 -0400
-+++ serefpolicy-3.0.7/config/appconfig-mcs/default_contexts 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/config/appconfig-mcs/default_contexts 2007-09-17 16:20:18.000000000 -0400
@@ -1,15 +1,9 @@
-system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0
-system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
@@ -26,32 +26,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default
+system_r:sysadm_su_t:s0 system_r:unconfined_t:s0
+system_r:unconfined_t:s0 system_r:unconfined_t:s0
+system_r:xdm_t:s0 system_r:unconfined_t:s0
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_type serefpolicy-3.0.7/config/appconfig-mcs/default_type
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_type serefpolicy-3.0.8/config/appconfig-mcs/default_type
--- nsaserefpolicy/config/appconfig-mcs/default_type 2007-08-02 08:17:32.000000000 -0400
-+++ serefpolicy-3.0.7/config/appconfig-mcs/default_type 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/config/appconfig-mcs/default_type 2007-09-17 16:20:18.000000000 -0400
@@ -1,4 +1,4 @@
+system_r:unconfined_t
sysadm_r:sysadm_t
staff_r:staff_t
-unconfined_r:unconfined_t
user_r:user_t
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.0.7/config/appconfig-mcs/failsafe_context
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.0.8/config/appconfig-mcs/failsafe_context
--- nsaserefpolicy/config/appconfig-mcs/failsafe_context 2007-08-02 08:17:32.000000000 -0400
-+++ serefpolicy-3.0.7/config/appconfig-mcs/failsafe_context 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/config/appconfig-mcs/failsafe_context 2007-09-17 16:20:18.000000000 -0400
@@ -1 +1 @@
-sysadm_r:sysadm_t:s0
+system_r:unconfined_t:s0
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts serefpolicy-3.0.7/config/appconfig-mcs/guest_u_default_contexts
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts serefpolicy-3.0.8/config/appconfig-mcs/guest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/config/appconfig-mcs/guest_u_default_contexts 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/config/appconfig-mcs/guest_u_default_contexts 2007-09-17 16:20:18.000000000 -0400
@@ -0,0 +1,4 @@
+system_r:local_login_t:s0 guest_r:guest_t:s0
+system_r:remote_login_t:s0 guest_r:guest_t:s0
+system_r:sshd_t:s0 guest_r:guest_t:s0
+system_r:crond_t:s0 guest_r:guest_crond_t:s0
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.0.7/config/appconfig-mcs/root_default_contexts
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.0.8/config/appconfig-mcs/root_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/root_default_contexts 2007-08-02 08:17:32.000000000 -0400
-+++ serefpolicy-3.0.7/config/appconfig-mcs/root_default_contexts 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/config/appconfig-mcs/root_default_contexts 2007-09-17 16:20:18.000000000 -0400
@@ -1,11 +1,10 @@
-system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
-system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
@@ -71,17 +71,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_de
-#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.0.7/config/appconfig-mcs/seusers
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.0.8/config/appconfig-mcs/seusers
--- nsaserefpolicy/config/appconfig-mcs/seusers 2007-08-02 08:17:32.000000000 -0400
-+++ serefpolicy-3.0.7/config/appconfig-mcs/seusers 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/config/appconfig-mcs/seusers 2007-09-17 16:20:18.000000000 -0400
@@ -1,3 +1,2 @@
-system_u:system_u:s0-mcs_systemhigh
root:root:s0-mcs_systemhigh
-__default__:user_u:s0
+__default__:system_u:s0
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.0.7/config/appconfig-mcs/staff_u_default_contexts
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.0.8/config/appconfig-mcs/staff_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/config/appconfig-mcs/staff_u_default_contexts 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/config/appconfig-mcs/staff_u_default_contexts 2007-09-17 16:20:18.000000000 -0400
@@ -0,0 +1,9 @@
+system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:remote_login_t:s0 staff_r:staff_t:s0
@@ -92,15 +92,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u
+staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
+sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.0.7/config/appconfig-mcs/userhelper_context
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.0.8/config/appconfig-mcs/userhelper_context
--- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2007-08-02 08:17:32.000000000 -0400
-+++ serefpolicy-3.0.7/config/appconfig-mcs/userhelper_context 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/config/appconfig-mcs/userhelper_context 2007-09-17 16:20:18.000000000 -0400
@@ -1 +1 @@
-system_u:sysadm_r:sysadm_t:s0
+system_u:system_r:unconfined_t:s0
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.0.7/config/appconfig-mcs/user_u_default_contexts
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.0.8/config/appconfig-mcs/user_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/config/appconfig-mcs/user_u_default_contexts 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/config/appconfig-mcs/user_u_default_contexts 2007-09-17 16:20:18.000000000 -0400
@@ -0,0 +1,7 @@
+system_r:local_login_t:s0 system_r:unconfined_t:s0 user_r:user_t:s0
+system_r:remote_login_t:s0 system_r:unconfined_t:s0 user_r:user_t:s0
@@ -109,18 +109,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_
+system_r:xdm_t:s0 system_r:unconfined_t:s0 user_r:user_t:s0
+user_r:user_su_t:s0 system_r:unconfined_t:s0 user_r:user_t:s0
+user_r:user_sudo_t:s0 system_r:unconfined_t:s0 user_r:user_t:s0
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.0.7/config/appconfig-mcs/xguest_u_default_contexts
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.0.8/config/appconfig-mcs/xguest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/config/appconfig-mcs/xguest_u_default_contexts 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/config/appconfig-mcs/xguest_u_default_contexts 2007-09-17 16:20:18.000000000 -0400
@@ -0,0 +1,5 @@
+system_r:local_login_t xguest_r:xguest_t:s0
+system_r:remote_login_t xguest_r:xguest_t:s0
+system_r:sshd_t xguest_r:xguest_t:s0
+system_r:crond_t xguest_r:xguest_crond_t:s0
+system_r:xdm_t xguest_r:xguest_t:s0
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.0.7/config/appconfig-mls/default_contexts
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.0.8/config/appconfig-mls/default_contexts
--- nsaserefpolicy/config/appconfig-mls/default_contexts 2007-08-02 08:17:30.000000000 -0400
-+++ serefpolicy-3.0.7/config/appconfig-mls/default_contexts 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/config/appconfig-mls/default_contexts 2007-09-17 16:20:18.000000000 -0400
@@ -1,15 +1,12 @@
-system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0
-system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
@@ -148,29 +148,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default
-user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
+staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_type serefpolicy-3.0.7/config/appconfig-mls/default_type
---- nsaserefpolicy/config/appconfig-mls/default_type 2007-08-02 08:17:30.000000000 -0400
-+++ serefpolicy-3.0.7/config/appconfig-mls/default_type 2007-09-06 15:43:06.000000000 -0400
-@@ -1,6 +1,5 @@
--auditadm_r:auditadm_t
--secadm_r:secadm_t
- sysadm_r:sysadm_t
-+secadm_r:secadm_t
- staff_r:staff_t
--unconfined_r:unconfined_t
- user_r:user_t
-+auditadm_r:auditadm_t
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts serefpolicy-3.0.7/config/appconfig-mls/guest_u_default_contexts
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts serefpolicy-3.0.8/config/appconfig-mls/guest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/config/appconfig-mls/guest_u_default_contexts 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/config/appconfig-mls/guest_u_default_contexts 2007-09-17 16:20:18.000000000 -0400
@@ -0,0 +1,4 @@
+system_r:local_login_t:s0 guest_r:guest_t:s0
+system_r:remote_login_t:s0 guest_r:guest_t:s0
+system_r:sshd_t:s0 guest_r:guest_t:s0
+system_r:crond_t:s0 guest_r:guest_crond_t:s0
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/root_default_contexts serefpolicy-3.0.7/config/appconfig-mls/root_default_contexts
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/root_default_contexts serefpolicy-3.0.8/config/appconfig-mls/root_default_contexts
--- nsaserefpolicy/config/appconfig-mls/root_default_contexts 2007-08-02 08:17:30.000000000 -0400
-+++ serefpolicy-3.0.7/config/appconfig-mls/root_default_contexts 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/config/appconfig-mls/root_default_contexts 2007-09-17 16:20:18.000000000 -0400
@@ -1,11 +1,9 @@
-system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
-system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
@@ -189,9 +177,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/root_de
#
-#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/staff_u_default_contexts serefpolicy-3.0.7/config/appconfig-mls/staff_u_default_contexts
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/staff_u_default_contexts serefpolicy-3.0.8/config/appconfig-mls/staff_u_default_contexts
--- nsaserefpolicy/config/appconfig-mls/staff_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/config/appconfig-mls/staff_u_default_contexts 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/config/appconfig-mls/staff_u_default_contexts 2007-09-17 16:20:18.000000000 -0400
@@ -0,0 +1,9 @@
+system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:remote_login_t:s0 staff_r:staff_t:s0
@@ -202,9 +190,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/staff_u
+staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
+sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/user_u_default_contexts serefpolicy-3.0.7/config/appconfig-mls/user_u_default_contexts
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/user_u_default_contexts serefpolicy-3.0.8/config/appconfig-mls/user_u_default_contexts
--- nsaserefpolicy/config/appconfig-mls/user_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/config/appconfig-mls/user_u_default_contexts 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/config/appconfig-mls/user_u_default_contexts 2007-09-17 16:20:18.000000000 -0400
@@ -0,0 +1,7 @@
+system_r:local_login_t:s0 user_r:user_t:s0
+system_r:remote_login_t:s0 user_r:user_t:s0
@@ -213,17 +201,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/user_u_
+system_r:xdm_t:s0 user_r:user_t:s0
+user_r:user_su_t:s0 user_r:user_t:s0
+user_r:user_sudo_t:s0 user_r:user_t:s0
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts serefpolicy-3.0.7/config/appconfig-standard/guest_u_default_contexts
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts serefpolicy-3.0.8/config/appconfig-standard/guest_u_default_contexts
--- nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/config/appconfig-standard/guest_u_default_contexts 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/config/appconfig-standard/guest_u_default_contexts 2007-09-17 16:20:18.000000000 -0400
@@ -0,0 +1,4 @@
+system_r:local_login_t guest_r:guest_t
+system_r:remote_login_t guest_r:guest_t
+system_r:sshd_t guest_r:guest_t
+system_r:crond_t guest_r:guest_crond_t
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/staff_u_default_contexts serefpolicy-3.0.7/config/appconfig-standard/staff_u_default_contexts
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/staff_u_default_contexts serefpolicy-3.0.8/config/appconfig-standard/staff_u_default_contexts
--- nsaserefpolicy/config/appconfig-standard/staff_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/config/appconfig-standard/staff_u_default_contexts 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/config/appconfig-standard/staff_u_default_contexts 2007-09-17 16:20:18.000000000 -0400
@@ -0,0 +1,9 @@
+system_r:local_login_t staff_r:staff_t sysadm_r:sysadm_t
+system_r:remote_login_t staff_r:staff_t
@@ -234,9 +222,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/st
+staff_r:staff_sudo_t staff_r:staff_t
+sysadm_r:sysadm_su_t sysadm_r:sysadm_t
+sysadm_r:sysadm_sudo_t sysadm_r:sysadm_t
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/user_u_default_contexts serefpolicy-3.0.7/config/appconfig-standard/user_u_default_contexts
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/user_u_default_contexts serefpolicy-3.0.8/config/appconfig-standard/user_u_default_contexts
--- nsaserefpolicy/config/appconfig-standard/user_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/config/appconfig-standard/user_u_default_contexts 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/config/appconfig-standard/user_u_default_contexts 2007-09-17 16:20:18.000000000 -0400
@@ -0,0 +1,7 @@
+system_r:local_login_t system_r:unconfined_t user_r:user_t
+system_r:remote_login_t system_r:unconfined_t user_r:user_t
@@ -245,18 +233,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/us
+system_r:xdm_t system_r:unconfined_t user_r:user_t
+user_r:user_su_t system_r:unconfined_t user_r:user_t
+user_r:user_sudo_t system_r:unconfined_t user_r:user_t
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts serefpolicy-3.0.7/config/appconfig-standard/xguest_u_default_contexts
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts serefpolicy-3.0.8/config/appconfig-standard/xguest_u_default_contexts
--- nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/config/appconfig-standard/xguest_u_default_contexts 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/config/appconfig-standard/xguest_u_default_contexts 2007-09-17 16:20:18.000000000 -0400
@@ -0,0 +1,5 @@
+system_r:local_login_t xguest_r:xguest_t
+system_r:remote_login_t xguest_r:xguest_t
+system_r:sshd_t xguest_r:xguest_t
+system_r:crond_t xguest_r:xguest_crond_t
+system_r:xdm_t xguest_r:xguest_t
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 serefpolicy-3.0.7/man/man8/ftpd_selinux.8
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 serefpolicy-3.0.8/man/man8/ftpd_selinux.8
--- nsaserefpolicy/man/man8/ftpd_selinux.8 2007-05-25 09:09:10.000000000 -0400
-+++ serefpolicy-3.0.7/man/man8/ftpd_selinux.8 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/man/man8/ftpd_selinux.8 2007-09-17 16:20:18.000000000 -0400
@@ -12,7 +12,7 @@
.TP
chcon -R -t public_content_t /var/ftp
@@ -266,9 +254,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 sere
.TP
chcon -t public_content_rw_t /var/ftp/incoming
.TP
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.0.7/man/man8/httpd_selinux.8
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.0.8/man/man8/httpd_selinux.8
--- nsaserefpolicy/man/man8/httpd_selinux.8 2007-05-25 09:09:10.000000000 -0400
-+++ serefpolicy-3.0.7/man/man8/httpd_selinux.8 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/man/man8/httpd_selinux.8 2007-09-17 16:20:18.000000000 -0400
@@ -30,7 +30,7 @@
.EX
httpd_sys_script_ro_t
@@ -278,9 +266,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 ser
.EX
httpd_sys_script_rw_t
.EE
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.0.7/policy/flask/access_vectors
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.0.8/policy/flask/access_vectors
--- nsaserefpolicy/policy/flask/access_vectors 2007-08-22 07:14:04.000000000 -0400
-+++ serefpolicy-3.0.7/policy/flask/access_vectors 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/flask/access_vectors 2007-09-17 16:20:18.000000000 -0400
@@ -639,6 +639,8 @@
send
recv
@@ -290,9 +278,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors
}
class key
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.0.7/policy/global_tunables
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.0.8/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2007-05-29 14:10:59.000000000 -0400
-+++ serefpolicy-3.0.7/policy/global_tunables 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/global_tunables 2007-09-17 16:20:18.000000000 -0400
@@ -133,3 +133,18 @@
##
gen_tunable(write_untrusted_content,false)
@@ -312,9 +300,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref
+##
+gen_tunable(xen_use_nfs,false)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc serefpolicy-3.0.7/policy/modules/admin/alsa.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc serefpolicy-3.0.8/policy/modules/admin/alsa.fc
--- nsaserefpolicy/policy/modules/admin/alsa.fc 2007-05-29 14:10:59.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/admin/alsa.fc 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/alsa.fc 2007-09-17 16:20:18.000000000 -0400
@@ -1,4 +1,7 @@
/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
@@ -323,9 +311,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc
/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
+/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.0.7/policy/modules/admin/alsa.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.0.8/policy/modules/admin/alsa.te
--- nsaserefpolicy/policy/modules/admin/alsa.te 2007-07-25 10:37:43.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/admin/alsa.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/alsa.te 2007-09-17 16:20:18.000000000 -0400
@@ -19,20 +19,24 @@
# Local policy
#
@@ -368,9 +356,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
+ hal_use_fds(alsa_t)
+ hal_write_log(alsa_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.if serefpolicy-3.0.7/policy/modules/admin/amanda.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.if serefpolicy-3.0.8/policy/modules/admin/amanda.if
--- nsaserefpolicy/policy/modules/admin/amanda.if 2007-05-29 14:10:59.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/admin/amanda.if 2007-09-11 08:55:05.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/amanda.if 2007-09-17 16:20:18.000000000 -0400
@@ -71,6 +71,26 @@
########################################
@@ -403,9 +391,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.
allow $1 amanda_log_t:file { read_file_perms append_file_perms };
')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-3.0.7/policy/modules/admin/amanda.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-3.0.8/policy/modules/admin/amanda.te
--- nsaserefpolicy/policy/modules/admin/amanda.te 2007-07-25 10:37:43.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/admin/amanda.te 2007-09-11 08:54:52.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/amanda.te 2007-09-17 16:20:18.000000000 -0400
@@ -74,7 +74,6 @@
allow amanda_t self:unix_dgram_socket create_socket_perms;
allow amanda_t self:tcp_socket create_stream_socket_perms;
@@ -471,9 +459,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.
-optional_policy(`
- nscd_socket_use(amanda_recover_t)
-')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.0.7/policy/modules/admin/anaconda.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.0.8/policy/modules/admin/anaconda.te
--- nsaserefpolicy/policy/modules/admin/anaconda.te 2007-05-29 14:10:59.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/admin/anaconda.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/anaconda.te 2007-09-17 16:20:18.000000000 -0400
@@ -31,16 +31,13 @@
modutils_domtrans_insmod(anaconda_t)
@@ -492,32 +480,45 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anacond
kudzu_domtrans(anaconda_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-3.0.7/policy/modules/admin/bootloader.te
---- nsaserefpolicy/policy/modules/admin/bootloader.te 2007-08-22 07:14:14.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/admin/bootloader.te 2007-09-06 15:43:06.000000000 -0400
-@@ -180,6 +180,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.if serefpolicy-3.0.8/policy/modules/admin/brctl.if
+--- nsaserefpolicy/policy/modules/admin/brctl.if 2007-09-12 10:34:51.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/brctl.if 2007-09-17 16:20:18.000000000 -0400
+@@ -17,3 +17,21 @@
- optional_policy(`
- hal_dontaudit_append_lib_files(bootloader_t)
-+ hal_write_log(bootloader_t)
+ domtrans_pattern($1,brctl_exec_t,brctl_t)
')
++
++########################################
++##
++## Get attributes brctl executable.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`brctl_getattr',`
++ gen_require(`
++ type brctl_exec_t;
++ ')
++
++ allow $1 brctl_exec_t:file getattr;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.0.8/policy/modules/admin/brctl.te
+--- nsaserefpolicy/policy/modules/admin/brctl.te 2007-09-12 10:34:51.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/brctl.te 2007-09-17 16:20:18.000000000 -0400
+@@ -25,6 +25,7 @@
+ kernel_read_network_state(brctl_t)
+ kernel_read_sysctl(brctl_t)
- optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.if serefpolicy-3.0.7/policy/modules/admin/certwatch.if
---- nsaserefpolicy/policy/modules/admin/certwatch.if 2007-05-29 14:10:59.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/admin/certwatch.if 2007-09-06 15:43:06.000000000 -0400
-@@ -44,7 +44,7 @@
- ##
- ##
- #
--interface(`certwatach_run',`
-+interface(`certwatch_run',`
- gen_require(`
- type certwatch_t;
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.0.7/policy/modules/admin/consoletype.te
++dev_write_sysfs_dirs(brctl_t)
+ dev_rw_sysfs(brctl_t)
+
+ # Init script handling
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.0.8/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2007-08-22 07:14:14.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/admin/consoletype.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/consoletype.te 2007-09-17 16:20:18.000000000 -0400
@@ -8,9 +8,11 @@
type consoletype_t;
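Review bot: The documentation on the new `brctl_getattr` interface describes its parameter as `Domain allowed to transition.`, which is copied from the domtrans interface just above it and does not match what this interface grants — only `getattr` on `brctl_exec_t`; the parameter text should read `Domain allowed access.` and the summary `Get attributes of the brctl executable.` The `##` doc lines also appear to have lost their XML markup (`<summary>`, `<param name="domain">`) in this rendering; confirm the committed brctl.if still carries them, since the refpolicy documentation tooling keys off those tags. In the brctl.te part of the same hunk, `dev_write_sysfs_dirs(brctl_t)` is added with no comment while `dev_rw_sysfs(brctl_t)` on the next line already covers file-level access; a one-line note naming the sysfs path brctl writes to (or the denial that motivated it) would make the extra directory-write grant reviewable. The bootloader.te and certwatch.if hunks this replaces are dropped rather than carried forward, presumably because the 2007-09-12 upstream base already contains them — worth confirming the `certwatch_run` spelling fix is in fact upstream rather than silently lost.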
@@ -561,9 +562,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console
+optional_policy(`
+ unconfined_use_terminals(consoletype_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmidecode.te serefpolicy-3.0.7/policy/modules/admin/dmidecode.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmidecode.te serefpolicy-3.0.8/policy/modules/admin/dmidecode.te
--- nsaserefpolicy/policy/modules/admin/dmidecode.te 2007-08-22 07:14:14.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/admin/dmidecode.te 2007-09-07 17:05:59.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/dmidecode.te 2007-09-17 16:20:18.000000000 -0400
@@ -20,6 +20,7 @@
# Allow dmidecode to read /dev/mem
@@ -572,9 +573,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmideco
mls_file_read_all_levels(dmidecode_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.0.7/policy/modules/admin/firstboot.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.0.8/policy/modules/admin/firstboot.te
--- nsaserefpolicy/policy/modules/admin/firstboot.te 2007-07-25 10:37:43.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/admin/firstboot.te 2007-09-06 19:24:23.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/firstboot.te 2007-09-17 16:20:18.000000000 -0400
@@ -120,6 +120,10 @@
usermanage_domtrans_admin_passwd(firstboot_t)
')
@@ -594,9 +595,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstbo
- domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t)
-')
') dnl end TODO
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.0.7/policy/modules/admin/kudzu.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.0.8/policy/modules/admin/kudzu.te
--- nsaserefpolicy/policy/modules/admin/kudzu.te 2007-08-22 07:14:14.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/admin/kudzu.te 2007-09-06 19:20:53.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/kudzu.te 2007-09-17 16:20:18.000000000 -0400
@@ -21,8 +21,8 @@
# Local policy
#
@@ -641,18 +642,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.t
')
ifdef(`TODO',`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.0.7/policy/modules/admin/logrotate.te
---- nsaserefpolicy/policy/modules/admin/logrotate.te 2007-08-22 07:14:14.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/admin/logrotate.te 2007-09-06 15:43:06.000000000 -0400
-@@ -80,6 +80,7 @@
- selinux_get_enforce_mode(logrotate_t)
-
- auth_manage_login_records(logrotate_t)
-+auth_use_nsswitch(logrotate_t)
-
- # Run helper programs.
- corecmd_exec_bin(logrotate_t)
-@@ -95,6 +96,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.0.8/policy/modules/admin/logrotate.te
+--- nsaserefpolicy/policy/modules/admin/logrotate.te 2007-09-12 10:34:51.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/logrotate.te 2007-09-17 16:20:18.000000000 -0400
+@@ -96,6 +96,7 @@
files_read_etc_files(logrotate_t)
files_read_etc_runtime_files(logrotate_t)
files_read_all_pids(logrotate_t)
@@ -660,42 +653,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
# Write to /var/spool/slrnpull - should be moved into its own type.
files_manage_generic_spool(logrotate_t)
files_manage_generic_spool_dirs(logrotate_t)
-@@ -114,8 +116,6 @@
-
- seutil_dontaudit_read_config(logrotate_t)
-
--sysnet_read_config(logrotate_t)
--
- userdom_dontaudit_search_sysadm_home_dirs(logrotate_t)
- userdom_use_unpriv_users_fds(logrotate_t)
-
-@@ -177,14 +177,6 @@
- ')
-
- optional_policy(`
-- nis_use_ypbind(logrotate_t)
--')
--
--optional_policy(`
-- nscd_socket_use(logrotate_t)
--')
--
--optional_policy(`
- slrnpull_manage_spool(logrotate_t)
- ')
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.0.7/policy/modules/admin/logwatch.te
---- nsaserefpolicy/policy/modules/admin/logwatch.te 2007-07-25 10:37:43.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/admin/logwatch.te 2007-09-06 15:43:06.000000000 -0400
-@@ -29,7 +29,6 @@
- allow logwatch_t self:process signal;
- allow logwatch_t self:fifo_file rw_file_perms;
- allow logwatch_t self:unix_stream_socket create_stream_socket_perms;
--allow logwatch_t self:netlink_route_socket r_netlink_socket_perms;
-
- manage_dirs_pattern(logwatch_t,logwatch_cache_t,logwatch_cache_t)
- manage_files_pattern(logwatch_t,logwatch_cache_t,logwatch_cache_t)
-@@ -49,7 +48,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.0.8/policy/modules/admin/logwatch.te
+--- nsaserefpolicy/policy/modules/admin/logwatch.te 2007-09-12 10:34:51.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/logwatch.te 2007-09-17 16:20:18.000000000 -0400
+@@ -48,7 +48,7 @@
corecmd_exec_shell(logwatch_t)
dev_read_urand(logwatch_t)
@@ -704,51 +665,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
# Read /proc/PID directories for all domains.
domain_read_all_domains_state(logwatch_t)
-@@ -68,6 +67,9 @@
- fs_getattr_all_fs(logwatch_t)
- fs_dontaudit_list_auto_mountpoints(logwatch_t)
-
-+init_read_utmp(logwatch_t)
-+init_dontaudit_write_utmp(logwatch_t)
-+
- term_dontaudit_getattr_pty_dirs(logwatch_t)
- term_dontaudit_list_ptys(logwatch_t)
-
-@@ -96,6 +98,10 @@
- ')
-
- optional_policy(`
-+ auth_use_nsswitch(logwatch_t)
-+')
-+
-+optional_policy(`
- avahi_dontaudit_search_pid(logwatch_t)
- ')
-
-@@ -117,14 +123,6 @@
- ')
-
- optional_policy(`
-- nis_use_ypbind(logwatch_t)
--')
--
--optional_policy(`
-- nscd_socket_use(logwatch_t)
--')
--
--optional_policy(`
- ntp_domtrans(logwatch_t)
- ')
-
-@@ -134,4 +132,5 @@
+@@ -132,4 +132,5 @@
optional_policy(`
samba_read_log(logwatch_t)
+ samba_read_share_files(logwatch_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.0.7/policy/modules/admin/netutils.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.0.8/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2007-07-25 10:37:43.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/admin/netutils.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/netutils.te 2007-09-17 16:20:18.000000000 -0400
@@ -94,9 +94,18 @@
')
@@ -776,9 +701,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
corenet_tcp_sendrecv_all_nodes(ping_t)
corenet_tcp_sendrecv_all_ports(ping_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage.if serefpolicy-3.0.7/policy/modules/admin/portage.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage.if serefpolicy-3.0.8/policy/modules/admin/portage.if
--- nsaserefpolicy/policy/modules/admin/portage.if 2007-07-03 07:06:36.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/admin/portage.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/portage.if 2007-09-17 16:20:18.000000000 -0400
@@ -324,6 +324,7 @@
seutil_domtrans_setfiles($1)
# run semodule
@@ -787,9 +712,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage
portage_domtrans_gcc_config($1)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.0.7/policy/modules/admin/prelink.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.0.8/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2007-08-02 08:17:29.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/admin/prelink.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/prelink.te 2007-09-17 16:20:18.000000000 -0400
@@ -26,7 +26,7 @@
# Local policy
#
@@ -839,74 +764,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
optional_policy(`
amanda_manage_lib(prelink_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.fc serefpolicy-3.0.7/policy/modules/admin/readahead.fc
---- nsaserefpolicy/policy/modules/admin/readahead.fc 2007-05-29 14:10:59.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/admin/readahead.fc 2007-09-06 15:43:06.000000000 -0400
-@@ -2,3 +2,4 @@
- # /usr
- #
- /usr/sbin/readahead -- gen_context(system_u:object_r:readahead_exec_t,s0)
-+/etc/readahead.d(/.*)? gen_context(system_u:object_r:readahead_etc_rw_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.0.7/policy/modules/admin/readahead.te
---- nsaserefpolicy/policy/modules/admin/readahead.te 2007-08-22 07:14:14.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/admin/readahead.te 2007-09-06 15:43:06.000000000 -0400
-@@ -9,19 +9,24 @@
- type readahead_t;
- type readahead_exec_t;
- init_daemon_domain(readahead_t,readahead_exec_t)
--application_domain(readahead_t,readahead_exec_t)
-
- type readahead_var_run_t;
- files_pid_file(readahead_var_run_t)
-
-+type readahead_etc_rw_t;
-+files_pid_file(readahead_etc_rw_t)
-+
- ########################################
- #
- # Local policy
- #
-
--dontaudit readahead_t self:capability { dac_override dac_read_search sys_tty_config };
-+allow readahead_t self:capability { dac_override dac_read_search };
-+dontaudit readahead_t self:capability sys_tty_config;
- allow readahead_t self:process signal_perms;
-
-+manage_files_pattern(readahead_t,readahead_etc_rw_t,readahead_etc_rw_t)
-+
- manage_files_pattern(readahead_t,readahead_var_run_t,readahead_var_run_t)
- files_pid_filetrans(readahead_t,readahead_var_run_t,file)
-
-@@ -37,7 +42,7 @@
- dev_dontaudit_read_all_blk_files(readahead_t)
- dev_dontaudit_getattr_memory_dev(readahead_t)
- dev_dontaudit_getattr_nvram_dev(readahead_t)
--storage_dontaudit_getattr_fixed_disk_dev(readahead_t)
-+storage_raw_read_fixed_disk(readahead_t)
-
- domain_use_interactive_fds(readahead_t)
-
-@@ -68,6 +73,7 @@
- libs_use_shared_libs(readahead_t)
-
- logging_send_syslog_msg(readahead_t)
-+logging_dontaudit_search_audit_config(readahead_t)
-
- miscfiles_read_localization(readahead_t)
-
-@@ -75,5 +81,9 @@
- userdom_dontaudit_search_sysadm_home_dirs(readahead_t)
-
- optional_policy(`
-+ cron_system_entry(readahead_t, readahead_exec_t)
-+')
-+
-+optional_policy(`
- seutil_sigchld_newrole(readahead_t)
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.0.7/policy/modules/admin/rpm.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.0.8/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2007-05-29 14:10:59.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/admin/rpm.fc 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/rpm.fc 2007-09-17 16:20:18.000000000 -0400
@@ -21,6 +21,9 @@
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -917,9 +777,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc
')
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.0.7/policy/modules/admin/rpm.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.0.8/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2007-05-30 11:47:29.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/admin/rpm.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/rpm.if 2007-09-17 16:20:18.000000000 -0400
@@ -210,6 +210,24 @@
########################################
@@ -1061,9 +921,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
+
+ dontaudit $1 rpm_t:shm rw_shm_perms;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.0.7/policy/modules/admin/rpm.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.0.8/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2007-08-22 07:14:14.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/admin/rpm.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/rpm.te 2007-09-17 16:20:18.000000000 -0400
@@ -321,6 +321,7 @@
seutil_domtrans_loadpolicy(rpm_script_t)
seutil_domtrans_setfiles(rpm_script_t)
@@ -1072,9 +932,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
userdom_use_all_users_fds(rpm_script_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.0.7/policy/modules/admin/sudo.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.0.8/policy/modules/admin/sudo.if
--- nsaserefpolicy/policy/modules/admin/sudo.if 2007-07-25 10:37:43.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/admin/sudo.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/sudo.if 2007-09-17 16:20:18.000000000 -0400
@@ -55,7 +55,7 @@
#
@@ -1146,9 +1006,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if
nis_use_ypbind($1_sudo_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.0.7/policy/modules/admin/su.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.0.8/policy/modules/admin/su.if
--- nsaserefpolicy/policy/modules/admin/su.if 2007-08-22 07:14:14.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/admin/su.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/su.if 2007-09-17 16:20:18.000000000 -0400
@@ -41,12 +41,11 @@
allow $2 $1_su_t:process signal;
@@ -1243,19 +1103,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
ifdef(`TODO',`
allow $1_su_t $1_home_t:file manage_file_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.0.7/policy/modules/admin/usermanage.if
---- nsaserefpolicy/policy/modules/admin/usermanage.if 2007-05-29 14:10:59.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/admin/usermanage.if 2007-09-06 15:43:06.000000000 -0400
-@@ -278,5 +278,5 @@
- type crack_db_t;
- ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.0.8/policy/modules/admin/usermanage.if
+--- nsaserefpolicy/policy/modules/admin/usermanage.if 2007-09-12 10:34:51.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/usermanage.if 2007-09-17 16:20:18.000000000 -0400
+@@ -265,6 +265,24 @@
-- allow $1 crack_db_t:file read_file_perms;
-+ read_files_pattern($1,crack_db_t,crack_db_t)
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.0.7/policy/modules/admin/usermanage.te
---- nsaserefpolicy/policy/modules/admin/usermanage.te 2007-08-22 07:14:14.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/admin/usermanage.te 2007-09-06 15:43:06.000000000 -0400
+ ########################################
+ ##
++## Dontaudit attempts to use useradd fds
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`usermanage_dontaudit_useradd_use_fds',`
++ gen_require(`
++ type useradd_t;
++ ')
++
++ dontaudit $1 useradd_t:fd use;
++')
++
++########################################
++##
+ ## Read the crack database.
+ ##
+ ##
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.0.8/policy/modules/admin/usermanage.te
+--- nsaserefpolicy/policy/modules/admin/usermanage.te 2007-09-12 10:34:51.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/usermanage.te 2007-09-17 16:20:18.000000000 -0400
@@ -92,6 +92,7 @@
dev_read_urand(chfn_t)
@@ -1264,113 +1142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
auth_dontaudit_read_shadow(chfn_t)
# allow checking if a shell is executable
-@@ -191,7 +192,6 @@
- allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
- allow groupadd_t self:unix_dgram_socket sendto;
- allow groupadd_t self:unix_stream_socket connectto;
--allow groupadd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
- fs_getattr_xattr_fs(groupadd_t)
- fs_search_auto_mountpoints(groupadd_t)
-@@ -223,6 +223,7 @@
- # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
- corecmd_exec_bin(groupadd_t)
-
-+logging_send_audit_msgs(groupadd_t)
- logging_send_syslog_msg(groupadd_t)
-
- miscfiles_read_localization(groupadd_t)
-@@ -245,8 +246,13 @@
- ')
-
- optional_policy(`
-+ nscd_domtrans(groupadd_t)
-+')
-+
-+optional_policy(`
- rpm_use_fds(groupadd_t)
- rpm_rw_pipes(groupadd_t)
-+ rpm_dontaudit_rw_tmp_files(groupadd_t)
- ')
-
- ########################################
-@@ -254,7 +260,7 @@
- # Passwd local policy
- #
-
--allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource audit_control audit_write };
-+allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
- allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow passwd_t self:process { setrlimit setfscreate };
- allow passwd_t self:fd use;
-@@ -264,7 +270,6 @@
- allow passwd_t self:unix_stream_socket create_stream_socket_perms;
- allow passwd_t self:unix_dgram_socket sendto;
- allow passwd_t self:unix_stream_socket connectto;
--allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
- allow passwd_t self:shm create_shm_perms;
- allow passwd_t self:sem create_sem_perms;
- allow passwd_t self:msgq create_msgq_perms;
-@@ -316,6 +321,7 @@
- libs_use_ld_so(passwd_t)
- libs_use_shared_libs(passwd_t)
-
-+logging_send_audit_msgs(passwd_t)
- logging_send_syslog_msg(passwd_t)
-
- miscfiles_read_localization(passwd_t)
-@@ -336,6 +342,7 @@
-
- optional_policy(`
- nscd_socket_use(passwd_t)
-+ nscd_domtrans(passwd_t)
- ')
-
- ########################################
-@@ -426,6 +433,7 @@
-
- optional_policy(`
- nscd_socket_use(sysadm_passwd_t)
-+ nscd_domtrans(sysadm_passwd_t)
- ')
-
- ########################################
-@@ -433,7 +441,7 @@
- # Useradd local policy
- #
-
--allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource audit_write };
-+allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
- dontaudit useradd_t self:capability sys_tty_config;
- allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow useradd_t self:process setfscreate;
-@@ -447,7 +455,6 @@
- allow useradd_t self:unix_stream_socket create_stream_socket_perms;
- allow useradd_t self:unix_dgram_socket sendto;
- allow useradd_t self:unix_stream_socket connectto;
--allow useradd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
- # for getting the number of groups
- kernel_read_kernel_sysctls(useradd_t)
-@@ -492,6 +499,7 @@
- libs_use_ld_so(useradd_t)
- libs_use_shared_libs(useradd_t)
-
-+logging_send_audit_msgs(useradd_t)
- logging_send_syslog_msg(useradd_t)
-
- miscfiles_read_localization(useradd_t)
-@@ -501,6 +509,9 @@
- seutil_read_default_contexts(useradd_t)
- seutil_domtrans_semanage(useradd_t)
- seutil_domtrans_setfiles(useradd_t)
-+# Required because semanage execs these and hands them useradd_t:fd
-+seutil_domtrans_setfiles(useradd_t)
-+seutil_domtrans_loadpolicy(useradd_t)
-
- userdom_use_unpriv_users_fds(useradd_t)
- # for when /root is the cwd
-@@ -514,11 +525,26 @@
+@@ -520,6 +521,10 @@
mta_manage_spool(useradd_t)
optional_policy(`
@@ -1381,12 +1153,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
dpkg_use_fds(useradd_t)
dpkg_rw_pipes(useradd_t)
')
+@@ -529,6 +534,12 @@
+ ')
optional_policy(`
-+ nscd_domtrans(useradd_t)
-+')
-+
-+optional_policy(`
+ tunable_policy(`samba_domain_controller',`
+ samba_append_log(useradd_t)
+ ')
@@ -1395,20 +1165,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
+optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
-+ rpm_dontaudit_rw_tmp_files(useradd_t)
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.0.7/policy/modules/admin/vbetool.te
---- nsaserefpolicy/policy/modules/admin/vbetool.te 2007-05-29 14:10:59.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/admin/vbetool.te 2007-09-06 15:43:06.000000000 -0400
-@@ -32,4 +32,5 @@
-
- optional_policy(`
- hal_rw_pid_files(vbetool_t)
-+ hal_write_log(vbetool_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ada.if serefpolicy-3.0.7/policy/modules/apps/ada.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ada.if serefpolicy-3.0.8/policy/modules/apps/ada.if
--- nsaserefpolicy/policy/modules/apps/ada.if 2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/apps/ada.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/ada.if 2007-09-17 16:20:18.000000000 -0400
@@ -18,3 +18,34 @@
corecmd_search_bin($1)
domtrans_pattern($1, ada_exec_t, ada_t)
@@ -1444,38 +1204,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ada.if s
+ role $2 types ada_t;
+ allow ada_t $3:chr_file rw_term_perms;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/games.fc serefpolicy-3.0.7/policy/modules/apps/games.fc
---- nsaserefpolicy/policy/modules/apps/games.fc 2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/apps/games.fc 2007-09-06 15:43:06.000000000 -0400
-@@ -1,22 +1,16 @@
- #
- # /usr
- #
--/usr/games/powermanga -- gen_context(system_u:object_r:games_exec_t,s0)
--/usr/games/nethack-3.4.3/nethack -- gen_context(system_u:object_r:games_exec_t,s0)
--/usr/games/vulturesclaw/vulturesclaw -- gen_context(system_u:object_r:games_exec_t,s0)
--/usr/games/vultureseye/vultureseye -- gen_context(system_u:object_r:games_exec_t,s0)
--
- /usr/lib/games(/.*)? gen_context(system_u:object_r:games_exec_t,s0)
-+/usr/games/.* -- gen_context(system_u:object_r:games_exec_t,s0)
-
- #
- # /var
- #
- /var/lib/games(/.*)? gen_context(system_u:object_r:games_data_t,s0)
--
--ifdef(`distro_debian', `
--/usr/games/.* -- gen_context(system_u:object_r:games_exec_t,s0)
- /var/games(/.*)? gen_context(system_u:object_r:games_data_t,s0)
--', `
-+
-+ifdef(`distro_debian', `', `
- /usr/bin/micq -- gen_context(system_u:object_r:games_exec_t,s0)
- /usr/bin/blackjack -- gen_context(system_u:object_r:games_exec_t,s0)
- /usr/bin/gataxx -- gen_context(system_u:object_r:games_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.0.7/policy/modules/apps/gnome.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.0.8/policy/modules/apps/gnome.fc
--- nsaserefpolicy/policy/modules/apps/gnome.fc 2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/apps/gnome.fc 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/gnome.fc 2007-09-17 16:20:18.000000000 -0400
@@ -1,8 +1,7 @@
+HOME_DIR/.gnome2(/.*)? gen_context(system_u:object_r:ROLE_gnome_home_t,s0)
HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:ROLE_gnome_home_t,s0)
@@ -1486,9 +1217,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc
/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:ROLE_gconf_tmp_t,s0)
/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.0.7/policy/modules/apps/gnome.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.0.8/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2007-07-25 10:37:37.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/apps/gnome.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/gnome.if 2007-09-17 16:20:18.000000000 -0400
@@ -33,6 +33,51 @@
##
#
@@ -1674,9 +1405,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
+ can_exec($1, gconfd_exec_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.0.7/policy/modules/apps/gnome.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.0.8/policy/modules/apps/gnome.te
--- nsaserefpolicy/policy/modules/apps/gnome.te 2007-07-25 10:37:37.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/apps/gnome.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/gnome.te 2007-09-17 16:20:18.000000000 -0400
@@ -8,8 +8,5 @@
attribute gnomedomain;
@@ -1686,9 +1417,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te
-
type gconfd_exec_t;
application_executable_file(gconfd_exec_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.0.7/policy/modules/apps/java.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.0.8/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/apps/java.fc 2007-09-06 19:17:45.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/java.fc 2007-09-17 16:20:18.000000000 -0400
@@ -11,6 +11,7 @@
#
/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
@@ -1707,9 +1438,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc
+
+/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.0.7/policy/modules/apps/java.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.0.8/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2007-08-02 08:17:26.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/apps/java.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/java.if 2007-09-17 16:20:18.000000000 -0400
@@ -32,7 +32,7 @@
##
##
@@ -1850,9 +1581,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if
+ role $2 types java_t;
+ allow java_t $3:chr_file rw_term_perms;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.0.7/policy/modules/apps/java.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.0.8/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te 2007-07-25 10:37:37.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/apps/java.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/java.te 2007-09-17 16:20:18.000000000 -0400
@@ -31,3 +31,7 @@
unconfined_domain_noaudit(java_t)
unconfined_dbus_chat(java_t)
@@ -1861,30 +1592,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te
+optional_policy(`
+ xserver_xdm_rw_shm(java_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.0.7/policy/modules/apps/loadkeys.te
---- nsaserefpolicy/policy/modules/apps/loadkeys.te 2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/apps/loadkeys.te 2007-09-06 15:43:06.000000000 -0400
-@@ -30,7 +30,7 @@
- files_read_etc_runtime_files(loadkeys_t)
-
- term_dontaudit_use_console(loadkeys_t)
--term_dontaudit_use_unallocated_ttys(loadkeys_t)
-+term_use_unallocated_ttys(loadkeys_t)
-
- init_dontaudit_use_script_ptys(loadkeys_t)
-
-@@ -40,3 +40,8 @@
- locallogin_use_fds(loadkeys_t)
-
- miscfiles_read_localization(loadkeys_t)
-+
-+optional_policy(`
-+ nscd_dontaudit_search_pid(loadkeys_t)
-+')
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.0.7/policy/modules/apps/mono.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.0.8/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/apps/mono.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/mono.if 2007-09-17 16:20:18.000000000 -0400
@@ -18,3 +18,98 @@
corecmd_search_bin($1)
domtrans_pattern($1, mono_exec_t, mono_t)
@@ -1984,9 +1694,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if
+ xserver_xdm_rw_shm($1_mono_t)
+ ')
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.0.7/policy/modules/apps/mono.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.0.8/policy/modules/apps/mono.te
--- nsaserefpolicy/policy/modules/apps/mono.te 2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/apps/mono.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/mono.te 2007-09-17 16:20:18.000000000 -0400
@@ -46,3 +46,7 @@
unconfined_dbus_chat(mono_t)
unconfined_dbus_connect(mono_t)
@@ -1995,9 +1705,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te
+optional_policy(`
+ xserver_xdm_rw_shm(mono_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.0.7/policy/modules/apps/mozilla.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.0.8/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-08-02 08:17:26.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/apps/mozilla.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/mozilla.if 2007-09-17 16:20:18.000000000 -0400
@@ -36,6 +36,8 @@
gen_require(`
type mozilla_conf_t, mozilla_exec_t;
@@ -2341,9 +2051,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
+
+ allow $2 $1_mozilla_t:unix_stream_socket connectto;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.0.7/policy/modules/apps/mozilla.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.0.8/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2007-07-25 10:37:37.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/apps/mozilla.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/mozilla.te 2007-09-17 16:20:18.000000000 -0400
@@ -6,13 +6,6 @@
# Declarations
#
@@ -2358,21 +2068,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
type mozilla_conf_t;
files_config_file(mozilla_conf_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.0.7/policy/modules/apps/slocate.te
---- nsaserefpolicy/policy/modules/apps/slocate.te 2007-07-25 10:37:37.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/apps/slocate.te 2007-09-06 15:43:06.000000000 -0400
-@@ -29,6 +29,8 @@
- manage_dirs_pattern(locate_t,locate_var_lib_t,locate_var_lib_t)
- manage_files_pattern(locate_t,locate_var_lib_t,locate_var_lib_t)
-
-+auth_use_nsswitch(locate_t)
-+
- kernel_read_system_state(locate_t)
- kernel_dontaudit_search_sysctl(locate_t)
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.if serefpolicy-3.0.7/policy/modules/apps/userhelper.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.if serefpolicy-3.0.8/policy/modules/apps/userhelper.if
--- nsaserefpolicy/policy/modules/apps/userhelper.if 2007-07-25 10:37:37.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/apps/userhelper.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/userhelper.if 2007-09-17 16:20:18.000000000 -0400
@@ -130,6 +130,7 @@
term_use_all_user_ptys($1_userhelper_t)
@@ -2381,38 +2079,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp
auth_manage_pam_pid($1_userhelper_t)
auth_manage_var_auth($1_userhelper_t)
auth_search_pam_console_data($1_userhelper_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/usernetctl.te serefpolicy-3.0.7/policy/modules/apps/usernetctl.te
---- nsaserefpolicy/policy/modules/apps/usernetctl.te 2007-07-25 10:37:37.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/apps/usernetctl.te 2007-09-06 15:43:06.000000000 -0400
-@@ -6,14 +6,6 @@
- # Declarations
- #
-
--##
--##
--## Allow users to control network interfaces
--## (also needs USERCTL=true)
--##
--##
--gen_tunable(user_net_control,false)
--
- type usernetctl_t;
- type usernetctl_exec_t;
- application_domain(usernetctl_t,usernetctl_exec_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.0.7/policy/modules/apps/vmware.fc
---- nsaserefpolicy/policy/modules/apps/vmware.fc 2007-07-03 07:05:43.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/apps/vmware.fc 2007-09-06 15:43:06.000000000 -0400
-@@ -23,6 +23,7 @@
- /usr/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
- /usr/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
- /usr/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
-+/usr/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
- /usr/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0)
- /usr/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0)
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.0.7/policy/modules/apps/vmware.te
---- nsaserefpolicy/policy/modules/apps/vmware.te 2007-07-25 10:37:37.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/apps/vmware.te 2007-09-06 15:43:06.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.0.8/policy/modules/apps/vmware.te
+--- nsaserefpolicy/policy/modules/apps/vmware.te 2007-09-12 10:34:49.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/vmware.te 2007-09-17 16:20:18.000000000 -0400
@@ -29,7 +29,7 @@
allow vmware_host_t self:capability { setuid net_raw };
@@ -2422,18 +2091,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t
allow vmware_host_t self:fifo_file rw_fifo_file_perms;
allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
allow vmware_host_t self:rawip_socket create_socket_perms;
-@@ -56,6 +56,8 @@
- corenet_tcp_sendrecv_all_ports(vmware_host_t)
- corenet_udp_sendrecv_all_ports(vmware_host_t)
- corenet_raw_bind_all_nodes(vmware_host_t)
-+corenet_tcp_bind_all_nodes(vmware_host_t)
-+corenet_udp_bind_all_nodes(vmware_host_t)
- corenet_tcp_connect_all_ports(vmware_host_t)
- corenet_sendrecv_all_client_packets(vmware_host_t)
- corenet_sendrecv_all_server_packets(vmware_host_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.0.7/policy/modules/apps/wine.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.0.8/policy/modules/apps/wine.if
--- nsaserefpolicy/policy/modules/apps/wine.if 2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/apps/wine.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/wine.if 2007-09-17 16:20:18.000000000 -0400
@@ -18,3 +18,34 @@
corecmd_search_bin($1)
domtrans_pattern($1, wine_exec_t, wine_t)
@@ -2469,9 +2129,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if
+ role $2 types wine_t;
+ allow wine_t $3:chr_file rw_term_perms;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.0.7/policy/modules/apps/wine.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.0.8/policy/modules/apps/wine.te
--- nsaserefpolicy/policy/modules/apps/wine.te 2007-07-25 10:37:37.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/apps/wine.te 2007-09-07 09:04:03.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/wine.te 2007-09-17 16:20:18.000000000 -0400
@@ -9,6 +9,7 @@
type wine_t;
type wine_exec_t;
@@ -2480,9 +2140,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te
########################################
#
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.7/policy/modules/kernel/corecommands.fc
+@@ -20,7 +21,12 @@
+ unconfined_domain_noaudit(wine_t)
+ files_execmod_all_files(wine_t)
+
+- optional_policy(`
+- hal_dbus_chat(wine_t)
+- ')
++')
++
++optional_policy(`
++ hal_dbus_chat(wine_t)
++')
++
++optional_policy(`
++ xserver_xdm_rw_shm(mono_t)
+ ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-08-22 07:14:06.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/kernel/corecommands.fc 2007-09-07 13:47:17.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc 2007-09-17 16:20:18.000000000 -0400
@@ -36,6 +36,11 @@
/etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
/etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0)
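Review bot: The new optional_policy block added to wine.te calls `xserver_xdm_rw_shm(mono_t)`, while every other rule in this module targets `wine_t` and no declaration of mono_t is visible in the wine hunk; this reads like a copy-paste from the mono policy and should presumably be `xserver_xdm_rw_shm(wine_t)` (or live in mono.te). As written, if mono_t is not in scope the module build fails, and if it is, the rule widens mono rather than wine. The block that the new `')` line closes opens outside the hunk, so the resulting nesting cannot be checked from here.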
@@ -2524,9 +2200,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
+/etc/gdm/XKeepsCrashing[^/]* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
+/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.0.7/policy/modules/kernel/corenetwork.if.in
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2007-07-03 07:05:38.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/kernel/corenetwork.if.in 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in 2007-09-17 16:20:18.000000000 -0400
@@ -1449,6 +1449,43 @@
########################################
@@ -2571,9 +2247,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
## Read and write the TUN/TAP virtual network device.
##
##
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.0.7/policy/modules/kernel/corenetwork.te.in
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-07-03 07:05:38.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/kernel/corenetwork.te.in 2007-09-11 09:22:25.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in 2007-09-17 16:20:18.000000000 -0400
@@ -55,6 +55,11 @@
type reserved_port_t, port_type, reserved_port_type;
@@ -2645,18 +2321,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
portcon tcp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
portcon udp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.7/policy/modules/kernel/devices.fc
---- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-06-15 14:54:30.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/kernel/devices.fc 2007-09-06 15:43:06.000000000 -0400
-@@ -12,6 +12,7 @@
- /dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0)
- /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
- /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
-+/dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
- /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
- /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
- /dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0)
-@@ -19,6 +20,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.8/policy/modules/kernel/devices.fc
+--- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-09-12 10:34:49.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2007-09-17 16:20:18.000000000 -0400
+@@ -20,6 +20,7 @@
/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
/dev/full -c gen_context(system_u:object_r:null_device_t,s0)
@@ -2664,64 +2332,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
/dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0)
-@@ -53,7 +55,7 @@
- /dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
- /dev/random -c gen_context(system_u:object_r:random_device_t,s0)
- /dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0)
--/dev/(misc/)?rtc -c gen_context(system_u:object_r:clock_device_t,s0)
-+/dev/(misc/)?rtc[0-9]* -c gen_context(system_u:object_r:clock_device_t,s0)
- /dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0)
- /dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0)
- /dev/smpte.* -c gen_context(system_u:object_r:sound_device_t,s0)
-@@ -64,7 +66,9 @@
- /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
- /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
- /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
-+/dev/usbmon[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
- /dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0)
-+/dev/usb[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
- /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
- ifdef(`distro_suse', `
- /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -127,3 +131,7 @@
- /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
- /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
- ')
-+
-+/etc/udev/devices -d gen_context(system_u:object_r:device_t,s0)
-+/lib/udev/devices -d gen_context(system_u:object_r:device_t,s0)
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.0.7/policy/modules/kernel/devices.if
---- nsaserefpolicy/policy/modules/kernel/devices.if 2007-06-15 14:54:30.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/kernel/devices.if 2007-09-06 15:43:06.000000000 -0400
-@@ -2803,6 +2803,24 @@
-
- ########################################
- ##
-+## Get the attributes of a directory in the usb filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_search_usbfs_dirs',`
-+ gen_require(`
-+ type usbfs_t;
-+ ')
-+
-+ allow $1 usbfs_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to get the attributes
- ## of a directory in the usb filesystem.
- ##
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.0.7/policy/modules/kernel/domain.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.0.8/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2007-06-19 16:23:34.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/kernel/domain.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/domain.if 2007-09-17 16:20:18.000000000 -0400
@@ -45,6 +45,11 @@
# start with basic domain
domain_base_type($1)
@@ -2763,9 +2376,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+
+ allow $1 domain:association { sendto recvfrom };
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.0.7/policy/modules/kernel/domain.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.0.8/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2007-07-25 10:37:36.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/kernel/domain.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2007-09-17 16:20:18.000000000 -0400
@@ -6,6 +6,22 @@
# Declarations
#
@@ -2812,9 +2425,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+ kernel_udp_recvfrom_unlabeled(domain)
+ ')
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.7/policy/modules/kernel/files.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.8/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-07-03 07:05:38.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/kernel/files.if 2007-09-11 14:40:00.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/files.if 2007-09-17 16:20:18.000000000 -0400
@@ -343,8 +343,7 @@
########################################
@@ -3071,9 +2684,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
+ allow $1 root_t:dir rw_dir_perms;
+ allow $1 root_t:file { create getattr write };
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.0.7/policy/modules/kernel/files.te
---- nsaserefpolicy/policy/modules/kernel/files.te 2007-07-25 10:37:36.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/kernel/files.te 2007-09-11 10:46:12.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.0.8/policy/modules/kernel/files.te
+--- nsaserefpolicy/policy/modules/kernel/files.te 2007-09-12 10:34:49.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/files.te 2007-09-17 16:20:18.000000000 -0400
+@@ -1,5 +1,5 @@
+
+-policy_module(files,1.6.1)
++policy_module(files,1.6.0)
+
+ ########################################
+ #
@@ -55,6 +55,8 @@
# compatibility aliases for removed types:
typealias etc_t alias automount_etc_t;
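Review bot: The new files.te hunk rewrites `policy_module(files,1.6.1)` to `policy_module(files,1.6.0)`, which lowers the module version below the upstream value the patch is now rebased on (the header date moved to 2007-09-12). This looks like a rebase artifact rather than an intended change; a distro patch should never decrease a module version, so the hunk should be dropped, or if a local files.te change is intended it should carry an increase instead.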
@@ -3091,9 +2711,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
########################################
#
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.7/policy/modules/kernel/filesystem.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.8/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-08-22 07:14:06.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/kernel/filesystem.if 2007-09-11 10:45:23.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2007-09-17 16:20:18.000000000 -0400
@@ -271,45 +271,6 @@
########################################
@@ -3234,9 +2854,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+ rw_files_pattern($1,anon_inodefs_t,anon_inodefs_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.7/policy/modules/kernel/filesystem.te
---- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-08-22 07:14:06.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/kernel/filesystem.te 2007-09-06 15:43:06.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.8/policy/modules/kernel/filesystem.te
+--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-09-12 10:34:49.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.te 2007-09-17 16:20:18.000000000 -0400
@@ -80,6 +80,7 @@
type fusefs_t;
fs_noxattr_type(fusefs_t)
@@ -3245,9 +2865,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.7/policy/modules/kernel/kernel.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.8/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-08-22 07:14:06.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/kernel/kernel.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if 2007-09-17 16:20:18.000000000 -0400
@@ -1867,6 +1867,27 @@
########################################
@@ -3276,9 +2896,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
## Do not audit attempts to list unlabeled directories.
##
##
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.0.7/policy/modules/kernel/kernel.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.0.8/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2007-08-22 07:14:06.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/kernel/kernel.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/kernel.te 2007-09-17 16:20:18.000000000 -0400
@@ -278,6 +278,7 @@
optional_policy(`
@@ -3287,9 +2907,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.0.7/policy/modules/kernel/selinux.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.0.8/policy/modules/kernel/selinux.if
--- nsaserefpolicy/policy/modules/kernel/selinux.if 2007-07-03 07:05:38.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/kernel/selinux.if 2007-09-11 13:01:12.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/selinux.if 2007-09-17 16:20:18.000000000 -0400
@@ -138,6 +138,7 @@
type security_t;
')
@@ -3306,53 +2926,169 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read };
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.0.7/policy/modules/kernel/storage.fc
---- nsaserefpolicy/policy/modules/kernel/storage.fc 2007-08-22 07:14:06.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/kernel/storage.fc 2007-09-10 15:52:30.000000000 -0400
-@@ -52,7 +52,7 @@
+@@ -239,6 +241,34 @@
- /dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ ########################################
+ ##
++## Allow caller to read the state of Booleans
++##
++##
++##
++## Allow caller read the state of Booleans
++##
++##
++##
++##
++## The process type allowed to set the Boolean.
++##
++##
++##
++#
++interface(`selinux_get_boolean',`
++ gen_require(`
++ type security_t;
++ attribute booleans_type;
++ bool secure_mode_policyload;
++ ')
++
++ allow $1 security_t:dir list_dir_perms;
++ allow $1 booleans_type:dir list_dir_perms;
++ allow $1 booleans_type:file read_file_perms;
++')
++
++########################################
++##
+ ## Allow caller to set the state of Booleans to
+ ## enable or disable conditional portions of the policy.
+ ##
+@@ -262,11 +292,13 @@
+ interface(`selinux_set_boolean',`
+ gen_require(`
+ type security_t;
++ attribute booleans_type;
+ bool secure_mode_policyload;
+ ')
--/dev/fuse -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-+/dev/fuse -c gen_context(system_u:object_r:fuse_device_t,mls_systemhigh)
- /dev/floppy/[^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
+ allow $1 security_t:dir list_dir_perms;
+- allow $1 security_t:file { getattr read write };
++ allow $1 booleans_type:dir list_dir_perms;
++ allow $1 booleans_type:file { getattr read write };
- /dev/i2o/hd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.0.7/policy/modules/kernel/storage.if
---- nsaserefpolicy/policy/modules/kernel/storage.if 2007-08-22 07:14:06.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/kernel/storage.if 2007-09-10 15:54:45.000000000 -0400
-@@ -673,3 +673,61 @@
+ if(!secure_mode_policyload) {
+ allow $1 security_t:security setbool;
+@@ -463,3 +495,42 @@
- typeattribute $1 storage_unconfined_type;
+ typeattribute $1 selinux_unconfined_type;
')
+
+########################################
+##
-+## Allow the caller to get the attributes
-+## of device nodes of fuse devices.
++## Generate a file context for a boolean type
+##
+##
+##
-+## The type of the process performing this action.
++## Domain allowed access.
+##
+##
+#
-+interface(`storage_getattr_fuse_dev',`
++interface(`selinux_genbool',`
+ gen_require(`
-+ type fuse_device_t;
++ attribute booleans_type;
+ ')
+
-+ dev_list_all_dev_nodes($1)
-+ allow $1 fuse_device_t:chr_file getattr;
++ type $1, booleans_type;
++ fs_type($1)
++ mls_trusted_object($1)
+')
+
+########################################
+##
-+## read or write fuse device interfaces.
++## Generate a file context for a boolean type
+##
-+##
++##
+##
-+## Domain to not audit.
++## Type of the boolean
++##
++##
++##
++##
++## name of the boolean
++##
++##
++#
++interface(`selinux_genbool_mapping',`
++ genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.te serefpolicy-3.0.8/policy/modules/kernel/selinux.te
+--- nsaserefpolicy/policy/modules/kernel/selinux.te 2007-07-25 10:37:36.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/selinux.te 2007-09-17 16:20:18.000000000 -0400
+@@ -10,6 +10,7 @@
+ attribute can_setenforce;
+ attribute can_setsecparam;
+ attribute selinux_unconfined_type;
++attribute booleans_type;
+
+ #
+ # security_t is the target type when checking
+@@ -22,6 +23,11 @@
+ sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
+ genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
+
++type boolean_t, booleans_type;
++fs_type(boolean_t)
++mls_trusted_object(boolean_t)
++#genfscon selinuxfs /booleans gen_context(system_u:object_r:boolean_t,s0)
++
+ neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
+ neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
+ neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.0.8/policy/modules/kernel/storage.fc
+--- nsaserefpolicy/policy/modules/kernel/storage.fc 2007-08-22 07:14:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/storage.fc 2007-09-17 16:20:18.000000000 -0400
+@@ -52,7 +52,7 @@
+
+ /dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+
+-/dev/fuse -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
++/dev/fuse -c gen_context(system_u:object_r:fuse_device_t,mls_systemhigh)
+ /dev/floppy/[^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
+
+ /dev/i2o/hd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.0.8/policy/modules/kernel/storage.if
+--- nsaserefpolicy/policy/modules/kernel/storage.if 2007-08-22 07:14:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/storage.if 2007-09-17 16:20:18.000000000 -0400
+@@ -673,3 +673,61 @@
+
+ typeattribute $1 storage_unconfined_type;
+ ')
++
++########################################
++##
++## Allow the caller to get the attributes
++## of device nodes of fuse devices.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`storage_getattr_fuse_dev',`
++ gen_require(`
++ type fuse_device_t;
++ ')
++
++ dev_list_all_dev_nodes($1)
++ allow $1 fuse_device_t:chr_file getattr;
++')
++
++########################################
++##
++## read or write fuse device interfaces.
++##
++##
++##
++## Domain to not audit.
+##
+##
+#
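Review bot: selinux_set_boolean now grants write only through `allow $1 booleans_type:file { getattr read write };` in place of the removed `allow $1 security_t:file { getattr read write };`, but the only visible thing that labels a /booleans entry with a booleans_type type is the per-boolean genfscon in selinux_genbool_mapping, and the blanket `#genfscon selinuxfs /booleans gen_context(system_u:object_r:boolean_t,s0)` in selinux.te is committed commented out; any boolean without an explicit mapping stays security_t and setsebool loses write access to it. Either enable the default mapping or keep the security_t:file rule until every boolean is mapped. Separately, selinux_get_boolean lists `bool secure_mode_policyload;` in its gen_require without referencing it, and its parameter text `## The process type allowed to set the Boolean.` describes a read-only interface; `## Domain allowed access.` matches the body. selinux_genbool declares `type $1, booleans_type;`, which refpolicy convention reserves for a template rather than an interface, and selinux_genbool_mapping emits a genfscon statement, which as far as I recall is only accepted in the base module, so any loadable module calling it will fail to build.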
@@ -3383,9 +3119,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
+ dontaudit $1 fuse_device_t:chr_file rw_file_perms;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.te serefpolicy-3.0.7/policy/modules/kernel/storage.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.te serefpolicy-3.0.8/policy/modules/kernel/storage.te
--- nsaserefpolicy/policy/modules/kernel/storage.te 2007-08-22 07:14:06.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/kernel/storage.te 2007-09-10 15:38:30.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/storage.te 2007-09-17 16:20:18.000000000 -0400
@@ -23,6 +23,12 @@
neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } { append write };
@@ -3399,9 +3135,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
# scsi_generic_device_t is the type of /dev/sg*
# it gives access to ALL SCSI devices (both fixed and removable)
#
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.0.7/policy/modules/kernel/terminal.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.0.8/policy/modules/kernel/terminal.fc
--- nsaserefpolicy/policy/modules/kernel/terminal.fc 2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/kernel/terminal.fc 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/terminal.fc 2007-09-17 16:20:18.000000000 -0400
@@ -8,6 +8,7 @@
/dev/dcbri[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/hvc.* -c gen_context(system_u:object_r:tty_device_t,s0)
@@ -3410,10 +3146,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin
/dev/ircomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-3.0.7/policy/modules/kernel/terminal.te
---- nsaserefpolicy/policy/modules/kernel/terminal.te 2007-07-25 10:37:36.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/kernel/terminal.te 2007-09-06 15:43:06.000000000 -0400
-@@ -28,9 +28,15 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-3.0.8/policy/modules/kernel/terminal.te
+--- nsaserefpolicy/policy/modules/kernel/terminal.te 2007-09-12 10:34:49.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/terminal.te 2007-09-17 16:38:07.000000000 -0400
+@@ -28,6 +28,7 @@
type devpts_t;
files_mountpoint(devpts_t)
fs_associate_tmpfs(devpts_t)
@@ -3421,39 +3157,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin
fs_type(devpts_t)
fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
-+ifdef(`targeted_policy',`
-+ # cjp: the ttynode should probably be removed.
-+ typeattribute devpts_t ttynode, ptynode;
-+')
-+
- #
- # devtty_t is the type of /dev/tty.
- #
-@@ -51,6 +57,10 @@
- type tty_device_t, serial_device;
- dev_node(tty_device_t)
-
-+ifdef(`targeted_policy',`
-+ typeattribute tty_device_t ttynode;
-+')
-+
- #
- # usbtty_device_t is the type of /dev/usr/tty*
- #
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.0.7/policy/modules/services/amavis.te
---- nsaserefpolicy/policy/modules/services/amavis.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/amavis.te 2007-09-06 15:43:06.000000000 -0400
-@@ -166,6 +166,7 @@
-
- optional_policy(`
- pyzor_domtrans(amavis_t)
-+ pyzor_signal(amavis_t)
- ')
-
- optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.0.7/policy/modules/services/apache.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.0.8/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/apache.fc 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/apache.fc 2007-09-17 16:20:18.000000000 -0400
@@ -16,7 +16,6 @@
/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -3479,9 +3185,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.0.7/policy/modules/services/apache.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.0.8/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2007-08-22 07:14:07.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/apache.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/apache.if 2007-09-17 16:20:18.000000000 -0400
@@ -18,10 +18,6 @@
attribute httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
@@ -3726,7 +3432,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
##
##
##
-@@ -1013,46 +1047,141 @@
+@@ -1013,46 +1047,147 @@
##
##
#
@@ -3784,9 +3490,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
##
-## Domain run the cgi script in.
+## Domain allowed access.
- ##
- ##
--##
++##
++##
+#
+interface(`apache_search_bugzilla_dirs',`
+ gen_require(`
@@ -3802,21 +3507,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+## bugzill script unix domain stream sockets.
+##
+##
- ##
--## Type of the executable to enter the cgi domain.
++##
+## Domain allowed access.
- ##
- ##
- #
--interface(`apache_cgi_domain',`
++##
++##
++#
+interface(`apache_dontaudit_rw_bugzilla_script_stream_sockets',`
- gen_require(`
-- type httpd_t, httpd_sys_script_exec_t;
++ gen_require(`
+ type httpd_bugzilla_script_t;
- ')
-
-- domtrans_pattern(httpd_t, $2, $1)
-- apache_search_sys_scripts($1)
++ ')
++
+ dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write };
+')
+
@@ -3842,58 +3542,79 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+##
+## All of the rules required to administrate an apache environment
+##
-+##
++##
+##
-+## Domain allowed access.
++## Prefix of the domain. Example, user would be
++## the prefix for the uder_t domain.
+##
+##
-+##
++##
+##
++## Domain allowed access.
+ ##
+ ##
+-##
++##
+ ##
+-## Type of the executable to enter the cgi domain.
+## The role to be allowed to manage the apache domain.
-+##
-+##
-+##
-+##
-+## The type of the terminal allow the dmidecode domain to use.
-+##
-+##
+ ##
+ ##
+##
-+#
-+interface(`apache_admin',`
+ #
+-interface(`apache_cgi_domain',`
++template(`apache_admin',`
+
-+ gen_require(`
+ gen_require(`
+- type httpd_t, httpd_sys_script_exec_t;
+ type httpd_t;
++ type httpd_bool_t;
+ type httpd_script_exec_t;
-+ ')
-+
-+ allow $1 httpd_t:process { ptrace signal_perms };
+ ')
+
+- domtrans_pattern(httpd_t, $2, $1)
+- apache_search_sys_scripts($1)
++ allow $2 httpd_t:process { ptrace signal_perms };
+
+- allow httpd_t $1:process signal;
++ # Allow $2 to restart the apache service
++ apache_script_domtrans($2)
++ domain_system_change_exemption($2)
++ role_transition $3 httpd_script_exec_t system_r;
++ allow $3 system_r;
+
-+ # Allow $1 to restart the apache service
-+ apache_script_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 httpd_script_exec_t system_r;
-+ allow $2 system_r;
++ apache_manage_all_content($2)
++ apache_manage_config($2)
++ apache_manage_log($2)
++ apache_manage_modules($2)
++ apache_manage_lock($2)
++ apache_manage_pid($2)
++ apache_read_state($2)
++ apache_getattr($2)
++ apache_relabel($2)
+
-+ apache_manage_all_content($1)
-+ apache_manage_config($1)
-+ apache_manage_log($1)
-+ apache_manage_modules($1)
-+ apache_manage_lock($1)
-+ apache_manage_pid($1)
-+ apache_read_state($1)
-+ apache_getattr($1)
-+ apache_relabel($1)
++ seutil_domtrans_setfiles($2)
+
-+ seutil_domtrans_setfiles($1)
-
-- allow httpd_t $1:process signal;
++ seutil_setsebool_per_role_template($1, $2, $3)
++ allow $1_setsebool_t httpd_bool_t:dir list_dir_perms;
++ allow $1_setsebool_t httpd_bool_t:file rw_file_perms;
')
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.7/policy/modules/services/apache.te
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.8/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-08-22 07:14:07.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/apache.te 2007-09-10 15:07:38.000000000 -0400
-@@ -30,6 +30,13 @@
++++ serefpolicy-3.0.8/policy/modules/services/apache.te 2007-09-17 16:20:18.000000000 -0400
+@@ -20,6 +20,8 @@
+ # Declarations
+ #
+
++selinux_genbool(httpd_bool_t)
++
+ ##
+ ##
+ ## Allow Apache to modify public files
+@@ -30,6 +32,13 @@
##
##
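Review bot: apache_admin keeps its name but changes arity and parameter meaning: $1 is now a prefix, $2 the domain and $3 the role, where the removed version took the domain as $1 and the role as $2, so any existing two-argument caller will silently expand `$1_setsebool_t` from a domain name and leave $3 empty in `role_transition $3 httpd_script_exec_t system_r;`; no callers are visible here, but the interface-to-template change is the only marker of the break. The parameter description `## the prefix for the uder_t domain.` should read `user_t`. The template also grants `allow $1_setsebool_t httpd_bool_t:file rw_file_perms;` on httpd_bool_t, which the apache.te hunk in this section declares via `selinux_genbool(httpd_bool_t)`, yet nothing visible maps any /booleans entry to that type, so the rule matches no file until a selinux_genbool_mapping call exists.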
@@ -3907,7 +3628,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
## Allow Apache to use mod_auth_pam
##
##
-@@ -47,6 +54,13 @@
+@@ -47,6 +56,13 @@
## Allow http daemon to tcp connect
##
##
@@ -3921,7 +3642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
gen_tunable(httpd_can_network_connect,false)
##
-@@ -97,7 +111,7 @@
+@@ -97,7 +113,7 @@
## Allow http daemon to communicate with the TTY
##
##
@@ -3930,7 +3651,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
##
##
-@@ -106,6 +120,27 @@
+@@ -106,6 +122,27 @@
##
gen_tunable(httpd_unified,false)
@@ -3958,7 +3679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
attribute httpdcontent;
# domains that can exec all users scripts
-@@ -142,6 +177,9 @@
+@@ -142,6 +179,9 @@
type httpd_log_t;
logging_log_file(httpd_log_t)
@@ -3968,7 +3689,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
# httpd_modules_t is the type given to module files (libraries)
# that come with Apache /etc/httpd/modules and /usr/lib/apache
type httpd_modules_t;
-@@ -182,6 +220,14 @@
+@@ -182,6 +222,14 @@
type httpd_tmpfs_t;
files_tmpfs_file(httpd_tmpfs_t)
@@ -3983,7 +3704,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
# for apache2 memory mapped files
type httpd_var_lib_t;
files_type(httpd_var_lib_t)
-@@ -202,9 +248,11 @@
+@@ -202,9 +250,11 @@
# Apache server local policy
#
@@ -3996,7 +3717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
allow httpd_t self:fd use;
allow httpd_t self:sock_file read_sock_file_perms;
allow httpd_t self:fifo_file rw_fifo_file_perms;
-@@ -244,6 +292,7 @@
+@@ -244,6 +294,7 @@
allow httpd_t httpd_modules_t:dir list_dir_perms;
mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
@@ -4004,7 +3725,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
apache_domtrans_rotatelogs(httpd_t)
# Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -284,6 +333,7 @@
+@@ -284,6 +335,7 @@
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -4012,7 +3733,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
-@@ -330,6 +380,10 @@
+@@ -330,6 +382,10 @@
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -4023,7 +3744,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
libs_use_ld_so(httpd_t)
libs_use_shared_libs(httpd_t)
-@@ -348,7 +402,9 @@
+@@ -348,7 +404,9 @@
userdom_use_unpriv_users_fds(httpd_t)
@@ -4034,7 +3755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`allow_httpd_anon_write',`
miscfiles_manage_public_files(httpd_t)
-@@ -360,6 +416,7 @@
+@@ -360,6 +418,7 @@
#
tunable_policy(`allow_httpd_mod_auth_pam',`
auth_domtrans_chk_passwd(httpd_t)
@@ -4042,7 +3763,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
-@@ -367,6 +424,16 @@
+@@ -367,6 +426,16 @@
corenet_tcp_connect_all_ports(httpd_t)
')
@@ -4059,7 +3780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_can_network_connect_db',`
# allow httpd to connect to mysql/posgresql
corenet_tcp_connect_postgresql_port(httpd_t)
-@@ -387,6 +454,17 @@
+@@ -387,6 +456,17 @@
corenet_sendrecv_http_cache_client_packets(httpd_t)
')
@@ -4077,7 +3798,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
-@@ -404,11 +482,21 @@
+@@ -404,11 +484,21 @@
fs_read_nfs_symlinks(httpd_t)
')
@@ -4099,7 +3820,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
-@@ -430,6 +518,12 @@
+@@ -430,6 +520,12 @@
')
optional_policy(`
@@ -4112,7 +3833,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
calamaris_read_www_files(httpd_t)
')
-@@ -442,8 +536,15 @@
+@@ -442,8 +538,15 @@
')
optional_policy(`
@@ -4129,7 +3850,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -461,7 +562,6 @@
+@@ -461,7 +564,6 @@
optional_policy(`
nagios_read_config(httpd_t)
@@ -4137,7 +3858,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -481,6 +581,7 @@
+@@ -481,6 +583,7 @@
')
optional_policy(`
@@ -4145,7 +3866,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -512,10 +613,16 @@
+@@ -512,10 +615,16 @@
tunable_policy(`httpd_tty_comm',`
# cjp: this is redundant:
term_use_controlling_term(httpd_helper_t)
@@ -4163,7 +3884,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache PHP script local policy
-@@ -567,7 +674,6 @@
+@@ -567,7 +676,6 @@
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
@@ -4171,7 +3892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -581,6 +687,10 @@
+@@ -581,6 +689,10 @@
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -4182,7 +3903,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -606,6 +716,10 @@
+@@ -606,6 +718,10 @@
miscfiles_read_localization(httpd_suexec_t)
@@ -4193,7 +3914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_can_network_connect',`
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
allow httpd_suexec_t self:udp_socket create_socket_perms;
-@@ -620,10 +734,13 @@
+@@ -620,10 +736,13 @@
corenet_udp_sendrecv_all_ports(httpd_suexec_t)
corenet_tcp_connect_all_ports(httpd_suexec_t)
corenet_sendrecv_all_client_packets(httpd_suexec_t)
@@ -4208,7 +3929,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_cgi && httpd_unified',`
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
')
-@@ -634,6 +751,12 @@
+@@ -634,6 +753,12 @@
fs_exec_nfs_files(httpd_suexec_t)
')
@@ -4221,7 +3942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -651,18 +774,6 @@
+@@ -651,18 +776,6 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -4240,7 +3961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache system script local policy
-@@ -672,7 +783,8 @@
+@@ -672,7 +785,8 @@
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -4250,7 +3971,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -686,15 +798,66 @@
+@@ -686,15 +800,66 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@@ -4318,7 +4039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -711,6 +874,19 @@
+@@ -711,6 +876,19 @@
########################################
#
@@ -4338,7 +4059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
# httpd_rotatelogs local policy
#
-@@ -728,3 +904,20 @@
+@@ -728,3 +906,20 @@
logging_search_logs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t)
@@ -4359,158 +4080,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+optional_policy(`
+ postgresql_stream_connect(httpd_bugzilla_script_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-3.0.7/policy/modules/services/apcupsd.fc
---- nsaserefpolicy/policy/modules/services/apcupsd.fc 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/apcupsd.fc 2007-09-06 15:43:06.000000000 -0400
-@@ -5,5 +5,11 @@
- /usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
-
- /var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
-+/var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
-
- /var/run/apcupsd\.pid -- gen_context(system_u:object_r:apcupsd_var_run_t,s0)
-+
-+/var/www/apcupsd/multimon.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
-+/var/www/apcupsd/upsfstats.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
-+/var/www/apcupsd/upsimage.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
-+/var/www/apcupsd/upsstats.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.if serefpolicy-3.0.7/policy/modules/services/apcupsd.if
---- nsaserefpolicy/policy/modules/services/apcupsd.if 2007-05-30 11:47:29.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/apcupsd.if 2007-09-06 15:43:06.000000000 -0400
-@@ -79,3 +79,25 @@
- allow $1 apcupsd_log_t:dir list_dir_perms;
- allow $1 apcupsd_log_t:file { getattr append };
- ')
-+
-+########################################
-+##
-+## Execute a domain transition to run httpd_apcupsd_cgi_script.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`httpd_apcupsd_cgi_script_domtrans',`
-+ gen_require(`
-+ type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t;
-+ ')
-+
-+ domain_auto_trans($1,httpd_apcupsd_cgi_script_exec_t,httpd_apcupsd_cgi_script_t)
-+
-+ allow httpd_apcupsd_cgi_script_t $1:fd use;
-+ allow httpd_apcupsd_cgi_script_t $1:fifo_file rw_file_perms;
-+ allow httpd_apcupsd_cgi_script_t $1:process sigchld;
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.0.7/policy/modules/services/apcupsd.te
---- nsaserefpolicy/policy/modules/services/apcupsd.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/apcupsd.te 2007-09-10 10:56:09.000000000 -0400
-@@ -16,6 +16,9 @@
- type apcupsd_log_t;
- logging_log_file(apcupsd_log_t)
-
-+type apcupsd_tmp_t;
-+files_tmp_file(apcupsd_tmp_t)
-+
- type apcupsd_var_run_t;
- files_pid_file(apcupsd_var_run_t)
-
-@@ -24,6 +27,7 @@
- # apcupsd local policy
- #
-
-+allow apcupsd_t self:capability { dac_override setgid sys_tty_config };
- allow apcupsd_t self:process signal;
- allow apcupsd_t self:fifo_file rw_file_perms;
- allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -36,9 +40,15 @@
- manage_files_pattern(apcupsd_t,apcupsd_log_t,apcupsd_log_t)
- logging_log_filetrans(apcupsd_t,apcupsd_log_t,{ file dir })
-
-+manage_files_pattern(apcupsd_t,apcupsd_tmp_t,apcupsd_tmp_t)
-+files_tmp_filetrans(apcupsd_t,apcupsd_tmp_t,file)
-+
- manage_files_pattern(apcupsd_t,apcupsd_var_run_t,apcupsd_var_run_t)
- files_pid_filetrans(apcupsd_t,apcupsd_var_run_t, file)
-
-+corecmd_exec_bin(apcupsd_t)
-+corecmd_exec_shell(apcupsd_t)
-+
- corenet_all_recvfrom_unlabeled(apcupsd_t)
- corenet_all_recvfrom_netlabel(apcupsd_t)
- corenet_tcp_sendrecv_generic_if(apcupsd_t)
-@@ -47,6 +57,7 @@
- corenet_tcp_bind_all_nodes(apcupsd_t)
- corenet_tcp_bind_apcupsd_port(apcupsd_t)
- corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
-+corenet_tcp_connect_apcupsd_port(apcupsd_t)
-
- dev_rw_generic_usb_dev(apcupsd_t)
-
-@@ -55,6 +66,15 @@
-
- files_read_etc_files(apcupsd_t)
- files_search_locks(apcupsd_t)
-+# Creates /etc/nologin
-+files_manage_etc_runtime_files(apcupsd_t)
-+files_etc_filetrans_etc_runtime(apcupsd_t,file)
-+
-+#apcupsd runs shutdown, probably need a shutdown domain
-+init_rw_utmp(apcupsd_t)
-+init_telinit(apcupsd_t)
-+
-+kernel_read_system_state(apcupsd_t)
-
- libs_use_ld_so(apcupsd_t)
- libs_use_shared_libs(apcupsd_t)
-@@ -62,3 +82,43 @@
- logging_send_syslog_msg(apcupsd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.0.8/policy/modules/services/apcupsd.te
+--- nsaserefpolicy/policy/modules/services/apcupsd.te 2007-09-12 10:34:50.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/apcupsd.te 2007-09-17 16:20:18.000000000 -0400
+@@ -86,6 +86,11 @@
miscfiles_read_localization(apcupsd_t)
-+
+
+sysnet_dns_name_resolve(apcupsd_t)
+
-+# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240805
-+term_use_unallocated_ttys(apcupsd_t)
-+
+userdom_use_unpriv_users_ttys(apcupsd_t)
+userdom_use_unpriv_users_ptys(apcupsd_t)
+
-+optional_policy(`
-+ hostname_exec(apcupsd_t)
-+')
-+
-+optional_policy(`
-+ mta_send_mail(apcupsd_t)
-+')
-+
-+########################################
-+#
-+# apcupsd_cgi Declarations
-+#
-+
-+apache_content_template(apcupsd_cgi)
-+
-+# Default Networking
-+sysnet_dns_name_resolve(httpd_apcupsd_cgi_script_t)
-+corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t)
-+corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t)
-+
-+allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
-+corenet_tcp_sendrecv_all_if(httpd_apcupsd_cgi_script_t)
-+corenet_tcp_sendrecv_all_nodes(httpd_apcupsd_cgi_script_t)
-+corenet_tcp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
-+corenet_tcp_connect_apcupsd_port(httpd_apcupsd_cgi_script_t)
-+
-+allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
-+corenet_udp_sendrecv_all_if(httpd_apcupsd_cgi_script_t)
-+corenet_udp_sendrecv_all_nodes(httpd_apcupsd_cgi_script_t)
-+corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audioentropy.te serefpolicy-3.0.7/policy/modules/services/audioentropy.te
+ optional_policy(`
+ hostname_exec(apcupsd_t)
+ ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audioentropy.te serefpolicy-3.0.8/policy/modules/services/audioentropy.te
--- nsaserefpolicy/policy/modules/services/audioentropy.te 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/audioentropy.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/audioentropy.te 2007-09-17 16:20:18.000000000 -0400
@@ -18,7 +18,7 @@
# Local policy
#
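Review bot: The new `userdom_use_unpriv_users_ttys(apcupsd_t)` and `userdom_use_unpriv_users_ptys(apcupsd_t)` lines in the 3.0.8 apcupsd.te hunk give the UPS daemon read/write access to every unprivileged user's terminal, and unlike the dropped `term_use_unallocated_ttys` line they carry no comment or bug reference saying why. Presumably this is for wall(1)-style power-event warnings before a UPS-triggered shutdown, but that is inferred; a one-line rationale such as `# apcupsd warns logged-in users (wall) before a UPS-triggered shutdown` with the bugzilla id would let a later reviewer judge whether the access is still needed. It is also worth confirming that the 2007-09-12 nsaserefpolicy base now carries the `term_use_unallocated_ttys` rule this revision stops adding, since the surrounding context shows only `miscfiles_read_localization` and the `hostname_exec` block and nothing else from the old hunk.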
@@ -4529,9 +4116,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audi
dev_read_sound(entropyd_t)
fs_getattr_all_fs(entropyd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.0.7/policy/modules/services/automount.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.0.8/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/automount.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/automount.te 2007-09-17 16:20:18.000000000 -0400
@@ -69,6 +69,7 @@
files_mounton_all_mountpoints(automount_t)
files_mount_all_file_type_fs(automount_t)
@@ -4548,7 +4135,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto
dev_read_urand(automount_t)
domain_use_interactive_fds(automount_t)
-@@ -147,10 +149,6 @@
+@@ -125,6 +127,8 @@
+ fs_mount_autofs(automount_t)
+ fs_manage_autofs_symlinks(automount_t)
+
++storage_rw_fuse(automount_t)
++
+ term_dontaudit_getattr_pty_dirs(automount_t)
+
+ libs_use_ld_so(automount_t)
+@@ -147,10 +151,6 @@
userdom_dontaudit_search_sysadm_home_dirs(automount_t)
optional_policy(`
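Review bot: `storage_rw_fuse(automount_t)` is added to automount.te without a why-comment, whereas the neighbouring rules (`fs_mount_autofs`, `fs_manage_autofs_symlinks`) explain themselves by name. Read/write on the FUSE device node is presumably needed so automount can mount FUSE-backed filesystems (sshfs and the like); a comment such as `# automount can mount FUSE filesystems and needs /dev/fuse` records that so the rule is not later mistaken for a leftover. If the access was prompted by a specific AVC denial or bug, cite it the way other hunks in this patch do.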
@@ -4559,7 +4155,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto
bind_search_cache(automount_t)
')
-@@ -173,6 +171,11 @@
+@@ -173,6 +173,11 @@
')
optional_policy(`
@@ -4571,20 +4167,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto
seutil_sigchld_newrole(automount_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.0.7/policy/modules/services/avahi.te
---- nsaserefpolicy/policy/modules/services/avahi.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/avahi.te 2007-09-06 15:43:06.000000000 -0400
-@@ -57,6 +57,7 @@
-
- fs_getattr_all_fs(avahi_t)
- fs_search_auto_mountpoints(avahi_t)
-+fs_list_inotifyfs(avahi_t)
-
- domain_use_interactive_fds(avahi_t)
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.0.7/policy/modules/services/bind.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.0.8/policy/modules/services/bind.fc
--- nsaserefpolicy/policy/modules/services/bind.fc 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/bind.fc 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/bind.fc 2007-09-17 16:20:18.000000000 -0400
@@ -45,4 +45,7 @@
/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
@@ -4593,9 +4178,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
+/var/named/chroot/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
')
+/var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.0.7/policy/modules/services/bind.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.0.8/policy/modules/services/bind.te
--- nsaserefpolicy/policy/modules/services/bind.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/bind.te 2007-09-10 11:12:34.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/bind.te 2007-09-17 16:20:18.000000000 -0400
@@ -66,7 +66,6 @@
allow named_t self:unix_dgram_socket create_socket_perms;
allow named_t self:tcp_socket create_stream_socket_perms;
@@ -4655,60 +4240,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
corenet_sendrecv_rndc_client_packets(ndc_t)
fs_getattr_xattr_fs(ndc_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.0.7/policy/modules/services/clamav.fc
---- nsaserefpolicy/policy/modules/services/clamav.fc 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/clamav.fc 2007-09-06 15:43:06.000000000 -0400
-@@ -9,6 +9,8 @@
-
- /var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0)
- /var/run/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0)
-+/var/run/clamd\..* gen_context(system_u:object_r:clamd_var_run_t,s0)
-+/var/run/clamav\..* gen_context(system_u:object_r:clamd_var_run_t,s0)
- /var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
- /var/log/clamav -d gen_context(system_u:object_r:clamd_var_log_t,s0)
- /var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.0.7/policy/modules/services/clamav.te
---- nsaserefpolicy/policy/modules/services/clamav.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/clamav.te 2007-09-06 15:43:06.000000000 -0400
-@@ -74,17 +74,20 @@
- manage_files_pattern(clamd_t,clamd_var_lib_t,clamd_var_lib_t)
-
- # log files
--allow clamd_t clamd_var_log_t:dir setattr;
-+manage_dirs_pattern(clamd_t,clamd_var_log_t,clamd_var_log_t)
- manage_files_pattern(clamd_t,clamd_var_log_t,clamd_var_log_t)
--logging_log_filetrans(clamd_t,clamd_var_log_t,file)
-+logging_log_filetrans(clamd_t,clamd_var_log_t,{ dir file })
-
- # pid file
-+manage_dirs_pattern(clamd_t,clamd_var_log_t,clamd_var_log_t)
- manage_files_pattern(clamd_t,clamd_var_run_t,clamd_var_run_t)
- manage_sock_files_pattern(clamd_t,clamd_var_run_t,clamd_var_run_t)
--files_pid_filetrans(clamd_t,clamd_var_run_t,file)
-+files_pid_filetrans(clamd_t,clamd_var_run_t,{ file dir })
-
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.0.8/policy/modules/services/clamav.te
+--- nsaserefpolicy/policy/modules/services/clamav.te 2007-09-12 10:34:50.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/clamav.te 2007-09-17 16:20:18.000000000 -0400
+@@ -87,6 +87,7 @@
kernel_dontaudit_list_proc(clamd_t)
kernel_read_sysctl(clamd_t)
-+kernel_read_kernel_sysctls(clamd_t)
+ kernel_read_kernel_sysctls(clamd_t)
+kernel_read_system_state(clamd_t)
corenet_all_recvfrom_unlabeled(clamd_t)
corenet_all_recvfrom_netlabel(clamd_t)
-@@ -208,9 +211,12 @@
- files_tmp_filetrans(clamscan_t,clamscan_tmp_t,{ file dir })
-
- # var/lib files together with clamd
--read_files_pattern(clamscan_t,clamd_var_lib_t,clamd_var_lib_t)
-+manage_files_pattern(clamscan_t,clamd_var_lib_t,clamd_var_lib_t)
- allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
-
-+init_read_utmp(clamscan_t)
-+init_dontaudit_write_utmp(clamscan_t)
-+
- kernel_read_kernel_sysctls(clamscan_t)
-
- files_read_etc_files(clamscan_t)
-@@ -228,3 +234,7 @@
+@@ -233,3 +234,7 @@
optional_policy(`
apache_read_sys_content(clamscan_t)
')
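Review bot: `kernel_read_system_state(clamd_t)` is inserted into the clamav.te hunk with no comment saying which /proc access clamd actually needs, and the interface is presumably broad (system-wide /proc state rather than one file); a note such as `# clamd reads /proc for memory/thread information` would document the intent, or a narrower kernel_* interface could be used if one fits the denial. The previously carried clamav.fc/.te changes are dropped from this patch, presumably because they landed in the 2007-09-12 nsaserefpolicy base; one of those dropped lines, `manage_dirs_pattern(clamd_t,clamd_var_log_t,clamd_var_log_t)` under the `# pid file` comment, looks like a copy-paste of the log rule where `clamd_var_run_t` was meant, so it is worth checking that the upstream copy was corrected rather than merged verbatim.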
@@ -4716,9 +4259,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
+optional_policy(`
+ mailscanner_manage_spool(clamscan_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.0.7/policy/modules/services/consolekit.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.0.8/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/consolekit.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/consolekit.te 2007-09-17 16:20:18.000000000 -0400
@@ -10,7 +10,6 @@
type consolekit_exec_t;
init_daemon_domain(consolekit_t, consolekit_exec_t)
@@ -4776,9 +4319,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
+ unconfined_ptrace(consolekit_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.0.7/policy/modules/services/courier.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.0.8/policy/modules/services/courier.te
--- nsaserefpolicy/policy/modules/services/courier.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/courier.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/courier.te 2007-09-17 16:20:18.000000000 -0400
@@ -58,6 +58,7 @@
files_getattr_tmp_dirs(courier_authdaemon_t)
@@ -4787,9 +4330,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cour
libs_read_lib_files(courier_authdaemon_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cpucontrol.te serefpolicy-3.0.7/policy/modules/services/cpucontrol.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cpucontrol.te serefpolicy-3.0.8/policy/modules/services/cpucontrol.te
--- nsaserefpolicy/policy/modules/services/cpucontrol.te 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/cpucontrol.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/cpucontrol.te 2007-09-17 16:20:18.000000000 -0400
@@ -63,6 +63,10 @@
')
@@ -4801,9 +4344,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cpuc
seutil_sigchld_newrole(cpucontrol_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.0.7/policy/modules/services/cron.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.0.8/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/cron.fc 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/cron.fc 2007-09-17 16:20:18.000000000 -0400
@@ -17,6 +17,8 @@
/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
@@ -4818,9 +4361,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.0.7/policy/modules/services/cron.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.0.8/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/cron.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/cron.if 2007-09-17 16:20:18.000000000 -0400
@@ -35,6 +35,7 @@
#
template(`cron_per_role_template',`
@@ -4962,9 +4505,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
## Read, and write cron daemon TCP sockets.
##
##
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.0.7/policy/modules/services/cron.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.0.8/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/cron.te 2007-09-11 09:00:57.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/cron.te 2007-09-17 16:20:18.000000000 -0400
@@ -50,6 +50,7 @@
type crond_tmp_t;
@@ -4995,7 +4538,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
dontaudit crond_t self:capability { sys_resource sys_tty_config };
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow crond_t self:process { setexec setfscreate };
-@@ -99,18 +106,18 @@
+@@ -99,18 +106,20 @@
allow crond_t crond_var_run_t:file manage_file_perms;
files_pid_filetrans(crond_t,crond_var_run_t,file)
@@ -5011,6 +4554,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
-allow crond_t system_cron_spool_t:file read_file_perms;
+list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
+read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
++
++auth_use_nsswitch(crond_t)
kernel_read_kernel_sysctls(crond_t)
kernel_search_key(crond_t)
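Review bot: `auth_use_nsswitch(crond_t)` is placed between the cron spool rules and the `kernel_*` calls, which breaks the layer ordering refpolicy .te files keep (kernel, corenet, dev, files, fs … then auth, corecmd, libs …); the existing `auth_domtrans_chk_passwd(crond_t)` later in cron.te marks where it belongs. Beyond ordering, this interface presumably bundles the ypbind, nscd, ldap and winbind accesses that per-module optional blocks granted individually, so crond gains network reach (LDAP ports, winbind sockets) that the `nis_use_ypbind`/`nscd_socket_use` blocks removed elsewhere in this patch never gave it. A comment such as `# replaces nis_use_ypbind/nscd_socket_use; also grants ldap and winbind access` would make that trade-off explicit.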
@@ -5018,7 +4563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
dev_read_sysfs(crond_t)
selinux_get_fs_mount(crond_t)
-@@ -127,6 +134,8 @@
+@@ -127,6 +136,8 @@
# need auth_chkpwd to check for locked accounts.
auth_domtrans_chk_passwd(crond_t)
@@ -5027,7 +4572,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
corecmd_exec_shell(crond_t)
corecmd_list_bin(crond_t)
-@@ -146,7 +155,9 @@
+@@ -146,7 +157,9 @@
libs_use_ld_so(crond_t)
libs_use_shared_libs(crond_t)
@@ -5037,7 +4582,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
-@@ -160,6 +171,16 @@
+@@ -160,6 +173,16 @@
mta_send_mail(crond_t)
@@ -5054,32 +4599,50 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
ifdef(`distro_debian',`
optional_policy(`
# Debian logcheck has the home dir set to its cache
-@@ -180,11 +201,24 @@
+@@ -180,29 +203,34 @@
locallogin_link_keys(crond_t)
')
+-tunable_policy(`fcron_crond', `
+- allow crond_t system_cron_spool_t:file manage_file_perms;
+optional_policy(`
+ # these should probably be unconfined_crond_t
+ init_dbus_send_script(crond_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- amavis_search_lib(crond_t)
+ mono_domtrans(crond_t)
+')
+
- tunable_policy(`fcron_crond', `
- allow crond_t system_cron_spool_t:file manage_file_perms;
++tunable_policy(`fcron_crond', `
++ allow crond_t system_cron_spool_t:file manage_file_perms;
')
optional_policy(`
+- hal_dbus_send(crond_t)
+ amanda_search_var_lib(crond_t)
-+')
-+
-+optional_policy(`
- amavis_search_lib(crond_t)
')
-@@ -239,7 +273,6 @@
+ optional_policy(`
+- # cjp: why?
+- munin_search_lib(crond_t)
++ amavis_search_lib(crond_t)
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(crond_t)
++ hal_dbus_send(crond_t)
+ ')
+
+ optional_policy(`
+- nscd_socket_use(crond_t)
++ # cjp: why?
++ munin_search_lib(crond_t)
+ ')
+
+ optional_policy(`
+@@ -239,7 +267,6 @@
allow system_crond_t cron_var_lib_t:file manage_file_perms;
files_var_lib_filetrans(system_crond_t,cron_var_lib_t,file)
@@ -5087,7 +4650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
-@@ -249,6 +282,8 @@
+@@ -249,6 +276,8 @@
# for this purpose.
allow system_crond_t system_cron_spool_t:file entrypoint;
@@ -5096,7 +4659,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
# Permit a transition from the crond_t domain to this domain.
# The transition is requested explicitly by the modified crond
# via setexeccon. There is no way to set up an automatic
-@@ -270,9 +305,16 @@
+@@ -270,9 +299,16 @@
filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file })
files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file)
@@ -5114,7 +4677,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
kernel_read_kernel_sysctls(system_crond_t)
kernel_read_system_state(system_crond_t)
-@@ -326,7 +368,7 @@
+@@ -326,7 +362,7 @@
init_read_utmp(system_crond_t)
init_dontaudit_rw_utmp(system_crond_t)
# prelink tells init to restart it self, we either need to allow or dontaudit
@@ -5123,7 +4686,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
libs_use_ld_so(system_crond_t)
libs_use_shared_libs(system_crond_t)
-@@ -334,6 +376,7 @@
+@@ -334,6 +370,7 @@
libs_exec_ld_so(system_crond_t)
logging_read_generic_logs(system_crond_t)
@@ -5131,7 +4694,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
logging_send_syslog_msg(system_crond_t)
miscfiles_read_localization(system_crond_t)
-@@ -384,6 +427,14 @@
+@@ -384,6 +421,14 @@
')
optional_policy(`
@@ -5146,7 +4709,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
mrtg_append_create_logs(system_crond_t)
')
-@@ -424,8 +475,7 @@
+@@ -424,8 +469,7 @@
')
optional_policy(`
@@ -5156,7 +4719,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
optional_policy(`
-@@ -433,9 +483,13 @@
+@@ -433,9 +477,13 @@
')
optional_policy(`
@@ -5171,9 +4734,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
ifdef(`TODO',`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.0.7/policy/modules/services/cups.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.0.8/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/cups.fc 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/cups.fc 2007-09-17 16:20:18.000000000 -0400
@@ -8,6 +8,7 @@
/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -5196,9 +4759,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
/var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
+/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.7/policy/modules/services/cups.te
---- nsaserefpolicy/policy/modules/services/cups.te 2007-08-22 07:14:07.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/cups.te 2007-09-06 15:43:06.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.8/policy/modules/services/cups.te
+--- nsaserefpolicy/policy/modules/services/cups.te 2007-09-12 10:34:50.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/cups.te 2007-09-17 16:20:18.000000000 -0400
@@ -81,12 +81,11 @@
# /usr/lib/cups/backend/serial needs sys_admin(?!)
allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
@@ -5222,7 +4785,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
allow cupsd_t cupsd_exec_t:lnk_file read;
manage_files_pattern(cupsd_t,cupsd_log_t,cupsd_log_t)
-@@ -150,20 +149,24 @@
+@@ -129,6 +128,8 @@
+ stream_connect_pattern(cupsd_t,ptal_var_run_t,ptal_var_run_t,ptal_t)
+ allow cupsd_t ptal_var_run_t : sock_file setattr;
+
++auth_use_nsswitch(cupsd_t)
++
+ kernel_read_system_state(cupsd_t)
+ kernel_read_network_state(cupsd_t)
+ kernel_read_all_sysctls(cupsd_t)
+@@ -150,21 +151,26 @@
corenet_tcp_bind_reserved_port(cupsd_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
corenet_tcp_connect_all_ports(cupsd_t)
@@ -5246,9 +4818,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
fs_search_auto_mountpoints(cupsd_t)
+fs_read_anon_inodefs_files(cupsd_t)
- mls_fd_use_all_levels(cupsd_t)
++mls_fd_use_all_levels(cupsd_t)
mls_file_downgrade(cupsd_t)
-@@ -175,6 +178,7 @@
+ mls_file_write_all_levels(cupsd_t)
+ mls_file_read_all_levels(cupsd_t)
+@@ -174,6 +180,7 @@
term_search_ptys(cupsd_t)
auth_domtrans_chk_passwd(cupsd_t)
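Review bot: The newly added `mls_fd_use_all_levels(cupsd_t)` has no comment saying why cupsd needs an MLS override on file descriptors, while the inetd.te hunk further down in this same patch documents its equivalent grant with `# xinetd needs MLS override privileges to work`. MLS override interfaces bypass the mandatory level checks, so each one should state the observed denial or feature that requires it; a one-liner such as `# MLS override: <reason/bug id> — cupsd must use fds at all levels` above the call would do. The surrounding `mls_file_write_all_levels`/`mls_file_read_all_levels` lines are base-policy context, and the enclosing rule block starts outside the hunk.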
@@ -5256,7 +4830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
auth_dontaudit_read_pam_pid(cupsd_t)
# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
-@@ -188,7 +192,7 @@
+@@ -187,7 +194,7 @@
# read python modules
files_read_usr_files(cupsd_t)
# for /var/lib/defoma
@@ -5265,7 +4839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
files_list_world_readable(cupsd_t)
files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
-@@ -222,21 +226,45 @@
+@@ -221,17 +228,37 @@
sysnet_read_config(cupsd_t)
@@ -5303,15 +4877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
apm_domtrans_client(cupsd_t)
')
- optional_policy(`
-+ auth_use_nsswitch(cupsd_t)
-+')
-+
-+optional_policy(`
- cron_system_entry(cupsd_t, cupsd_exec_t)
- ')
-
-@@ -264,16 +292,16 @@
+@@ -263,16 +290,16 @@
')
optional_policy(`
@@ -5332,7 +4898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
seutil_sigchld_newrole(cupsd_t)
')
-@@ -378,6 +406,14 @@
+@@ -377,6 +404,14 @@
')
optional_policy(`
@@ -5347,7 +4913,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
')
-@@ -561,7 +597,7 @@
+@@ -560,7 +595,7 @@
dev_read_urand(hplip_t)
dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
@@ -5356,7 +4922,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
fs_getattr_all_fs(hplip_t)
fs_search_auto_mountpoints(hplip_t)
-@@ -588,8 +624,6 @@
+@@ -587,8 +622,6 @@
userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
userdom_dontaudit_search_all_users_home_content(hplip_t)
@@ -5365,9 +4931,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
optional_policy(`
seutil_sigchld_newrole(hplip_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.0.7/policy/modules/services/cvs.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.0.8/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/cvs.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/cvs.te 2007-09-17 16:20:18.000000000 -0400
@@ -16,6 +16,7 @@
type cvs_t;
type cvs_exec_t;
@@ -5392,9 +4958,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
miscfiles_read_localization(cvs_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.0.7/policy/modules/services/dbus.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.0.8/policy/modules/services/dbus.fc
--- nsaserefpolicy/policy/modules/services/dbus.fc 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/dbus.fc 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/dbus.fc 2007-09-17 16:20:18.000000000 -0400
@@ -5,6 +5,8 @@
/bin/dbus-daemon -- gen_context(system_u:object_r:system_dbusd_exec_t,s0)
/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
@@ -5404,9 +4970,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
ifdef(`distro_redhat',`
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.0.7/policy/modules/services/dbus.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.0.8/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/dbus.if 2007-09-11 11:08:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/dbus.if 2007-09-17 16:20:18.000000000 -0400
@@ -50,6 +50,12 @@
##
#
@@ -5534,9 +5100,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
+')
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.0.7/policy/modules/services/dbus.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.0.8/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/dbus.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/dbus.te 2007-09-17 16:20:18.000000000 -0400
@@ -23,6 +23,9 @@
type system_dbusd_var_run_t;
files_pid_file(system_dbusd_var_run_t)
@@ -5575,21 +5141,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
+ unconfined_use_terminals(system_dbusd_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.0.7/policy/modules/services/dhcp.te
---- nsaserefpolicy/policy/modules/services/dhcp.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/dhcp.te 2007-09-06 15:43:06.000000000 -0400
-@@ -114,6 +114,8 @@
- dbus_system_bus_client_template(dhcpd,dhcpd_t)
- dbus_connect_system_bus(dhcpd_t)
- dbus_send_system_bus(dhcpd_t)
-+ dbus_read_config(dhcpd_t)
-+ dbus_dontaudit_rw_system_selinux_socket(dhcpd_t)
- ')
-
- optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.0.7/policy/modules/services/dnsmasq.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.0.8/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/dnsmasq.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/dnsmasq.te 2007-09-17 16:20:18.000000000 -0400
@@ -94,3 +94,8 @@
optional_policy(`
udev_read_db(dnsmasq_t)
@@ -5599,9 +5153,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
+ virt_read_lib_files(dnsmasq_t)
+ virt_append_lib_files(dnsmasq_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.0.7/policy/modules/services/dovecot.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.0.8/policy/modules/services/dovecot.fc
--- nsaserefpolicy/policy/modules/services/dovecot.fc 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/dovecot.fc 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/dovecot.fc 2007-09-17 16:20:18.000000000 -0400
@@ -17,16 +17,19 @@
ifdef(`distro_debian', `
@@ -5622,9 +5176,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.0.7/policy/modules/services/dovecot.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.0.8/policy/modules/services/dovecot.if
--- nsaserefpolicy/policy/modules/services/dovecot.if 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/dovecot.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/dovecot.if 2007-09-17 16:20:18.000000000 -0400
@@ -18,3 +18,43 @@
manage_files_pattern($1,dovecot_spool_t,dovecot_spool_t)
manage_lnk_files_pattern($1,dovecot_spool_t,dovecot_spool_t)
@@ -5669,9 +5223,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
+ domtrans_pattern($1,dovecot_deliver_exec_t,dovecot_deliver_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.0.7/policy/modules/services/dovecot.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.0.8/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/dovecot.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/dovecot.te 2007-09-17 16:20:18.000000000 -0400
@@ -15,6 +15,12 @@
domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
role system_r types dovecot_auth_t;
@@ -5826,9 +5380,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
+ mta_manage_spool(dovecot_deliver_t)
')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.fc serefpolicy-3.0.7/policy/modules/services/exim.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.fc serefpolicy-3.0.8/policy/modules/services/exim.fc
--- nsaserefpolicy/policy/modules/services/exim.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/policy/modules/services/exim.fc 2007-09-10 12:01:03.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/exim.fc 2007-09-17 16:20:18.000000000 -0400
@@ -0,0 +1,6 @@
+
+/usr/sbin/exim -- gen_context(system_u:object_r:exim_exec_t,s0)
@@ -5836,9 +5390,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
+/var/run/exim.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
+/var/log/exim(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
+/var/spool/exim(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.0.7/policy/modules/services/exim.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.0.8/policy/modules/services/exim.if
--- nsaserefpolicy/policy/modules/services/exim.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/policy/modules/services/exim.if 2007-09-10 12:01:03.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/exim.if 2007-09-17 16:20:18.000000000 -0400
@@ -0,0 +1,330 @@
+
+## policy for exim
@@ -6170,10 +5724,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
+ exim_manage_spool($1)
+
+')
-Binary files nsaserefpolicy/policy/modules/services/exim.pp and serefpolicy-3.0.7/policy/modules/services/exim.pp differ
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.0.7/policy/modules/services/exim.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.0.8/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/policy/modules/services/exim.te 2007-09-10 15:45:46.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/exim.te 2007-09-17 16:20:18.000000000 -0400
@@ -0,0 +1,108 @@
+policy_module(exim,1.0.0)
+
@@ -6283,9 +5836,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
+ userdom_write_unpriv_users_tmp_files(exim_t)
+}
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.0.7/policy/modules/services/ftp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.0.8/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/ftp.te 2007-09-11 14:32:19.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/ftp.te 2007-09-17 16:39:01.000000000 -0400
@@ -88,6 +88,7 @@
allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
allow ftpd_t self:tcp_socket create_stream_socket_perms;
@@ -6312,22 +5865,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
miscfiles_read_localization(ftpd_t)
miscfiles_read_public_files(ftpd_t)
-@@ -217,6 +221,14 @@
+@@ -217,6 +221,11 @@
userdom_manage_all_users_home_content_dirs(ftpd_t)
userdom_manage_all_users_home_content_files(ftpd_t)
userdom_manage_all_users_home_content_symlinks(ftpd_t)
+ auth_manage_all_files_except_shadow(ftpd_t)
+
-+ ifdef(`targeted_policy',`
-+ files_manage_generic_tmp_files(ftpd_t)
-+ ')
+ auth_read_all_dirs_except_shadow(ftpd_t)
+ auth_read_all_files_except_shadow(ftpd_t)
+ auth_read_all_symlinks_except_shadow(ftpd_t)
')
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
-@@ -252,7 +264,10 @@
+@@ -252,7 +261,10 @@
')
optional_policy(`
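Review bot: After dropping the `targeted_policy` ifdef, the patch still leaves `auth_manage_all_files_except_shadow(ftpd_t)` together with the three `auth_read_all_*_except_shadow(ftpd_t)` calls with no comment explaining the scope, and that combination gives ftpd read/write over essentially every file on the system except shadow. The enclosing block starts outside the hunk, so it is not visible which boolean gates these rules; the `')` followed by `tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` suggests a tunable, but that is inferred. A comment such as `# gated by <boolean>: full-filesystem access is needed because <reason>` above `auth_manage_all_files_except_shadow(ftpd_t)` would let a reviewer confirm the grant is intentional and conditional rather than always-on.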
@@ -6338,248 +5888,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.0.7/policy/modules/services/hal.fc
---- nsaserefpolicy/policy/modules/services/hal.fc 2007-05-30 11:47:29.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/hal.fc 2007-09-11 15:14:05.000000000 -0400
-@@ -8,9 +8,17 @@
- /usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
-
- /usr/sbin/hald -- gen_context(system_u:object_r:hald_exec_t,s0)
-+/usr/bin/hal-setup-keymap -- gen_context(system_u:object_r:hald_keymap_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.0.8/policy/modules/services/hal.fc
+--- nsaserefpolicy/policy/modules/services/hal.fc 2007-09-12 10:34:50.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/hal.fc 2007-09-17 16:20:18.000000000 -0400
+@@ -13,9 +13,12 @@
/var/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0)
- /var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0)
+/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0)
+ /var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0)
+
+ /var/log/pm-suspend.log gen_context(system_u:object_r:hald_log_t,s0)
++/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0)
++/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
/var/run/haldaemon.pid -- gen_context(system_u:object_r:hald_var_run_t,s0)
-+/var/run/vbestate -- gen_context(system_u:object_r:hald_var_run_t,s0)
-+
-+/var/log/pm-suspend.log gen_context(system_u:object_r:hald_log_t,s0)
-+
-+/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
-+/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.0.7/policy/modules/services/hal.if
---- nsaserefpolicy/policy/modules/services/hal.if 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/hal.if 2007-09-06 15:43:06.000000000 -0400
-@@ -208,3 +208,98 @@
- files_search_pids($1)
- allow $1 hald_var_run_t:file rw_file_perms;
- ')
-+
-+########################################
-+##
-+## Do not audit attempts to write the hal
-+## log files.
-+##
-+##
-+##
-+## Domain to not audit
-+##
-+##
-+#
-+interface(`hal_dontaudit_write_log',`
-+ gen_require(`
-+ type hald_log_t;
-+ ')
-+
-+ dontaudit $1 hald_log_t:file { append write };
-+')
-+
-+########################################
-+##
-+## Allow attempts to write the hal
-+## log files.
-+##
-+##
-+##
-+## Domain to not audit
-+##
-+##
-+#
-+interface(`hal_write_log',`
-+ gen_require(`
-+ type hald_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ allow $1 hald_log_t:file rw_file_perms;
-+')
-+
-+########################################
-+##
-+## Allow domain to use file descriptors from hal.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`hal_use_fds',`
-+ gen_require(`
-+ type hald_t;
-+ ')
-+
-+ allow $1 hald_t:fd use;
-+')
-+
-+########################################
-+##
-+## Allow attempts to read and write to
-+## hald unnamed pipes.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`hal_rw_pipes',`
-+ gen_require(`
-+ type hald_t;
-+ ')
-+
-+ allow $1 hald_t:fifo_file rw_fifo_file_perms;
-+')
-+
-+########################################
-+##
-+## Allow ptrace of hal domain
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`hal_ptrace',`
-+ gen_require(`
-+ type hald_t;
-+ ')
-+
-+ allow $1 hald_t:process ptrace;
-+')
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.7/policy/modules/services/hal.te
---- nsaserefpolicy/policy/modules/services/hal.te 2007-08-22 07:14:07.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/hal.te 2007-09-06 15:43:06.000000000 -0400
-@@ -22,6 +22,12 @@
- type hald_log_t;
- files_type(hald_log_t)
-
-+type hald_keymap_t;
-+type hald_keymap_exec_t;
-+domain_type(hald_keymap_t)
-+domain_entry_file(hald_keymap_t,hald_keymap_exec_t)
-+role system_r types hald_keymap_t;
-+
- type hald_mac_t;
- type hald_mac_exec_t;
- domain_type(hald_mac_t)
-@@ -81,6 +87,7 @@
-
- kernel_read_system_state(hald_t)
- kernel_read_network_state(hald_t)
-+kernel_read_software_raid_state(hald_t)
- kernel_rw_kernel_sysctl(hald_t)
- kernel_read_fs_sysctls(hald_t)
- kernel_rw_irq_sysctls(hald_t)
-@@ -114,6 +121,9 @@
- dev_rw_power_management(hald_t)
- # hal is now execing pm-suspend
- dev_rw_sysfs(hald_t)
-+dev_read_sound(hald_t)
-+dev_write_sound(hald_t)
-+dev_read_raw_memory(hald_t)
-
- domain_use_interactive_fds(hald_t)
- domain_read_all_domains_state(hald_t)
-@@ -131,6 +141,7 @@
- files_create_boot_flag(hald_t)
- files_getattr_all_dirs(hald_t)
- files_read_kernel_img(hald_t)
-+files_rw_lock_dirs(hald_t)
-
- fs_getattr_all_fs(hald_t)
- fs_search_all(hald_t)
-@@ -163,6 +174,7 @@
- #hal runs shutdown, probably need a shutdown domain
- init_rw_utmp(hald_t)
- init_telinit(hald_t)
-+init_dontaudit_use_fds(hald_t)
-
- libs_use_ld_so(hald_t)
- libs_use_shared_libs(hald_t)
-@@ -180,6 +192,7 @@
-
- seutil_read_config(hald_t)
- seutil_read_default_contexts(hald_t)
-+seutil_read_file_contexts(hald_t)
-
- sysnet_read_config(hald_t)
-
-@@ -187,6 +200,7 @@
- userdom_dontaudit_search_sysadm_home_dirs(hald_t)
-
- optional_policy(`
-+ alsa_domtrans(hald_t)
- alsa_read_rw_config(hald_t)
- ')
-
-@@ -283,6 +297,7 @@
- #
-
- allow hald_acl_t self:capability { dac_override fowner };
-+allow hald_acl_t self:process signal;
- allow hald_acl_t self:fifo_file read_fifo_file_perms;
-
- domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
-@@ -296,7 +311,10 @@
- corecmd_exec_bin(hald_acl_t)
-
- dev_getattr_all_chr_files(hald_acl_t)
-+dev_getattr_generic_usb_dev(hald_acl_t)
-+dev_getattr_video_dev(hald_acl_t)
- dev_setattr_video_dev(hald_acl_t)
-+dev_getattr_sound_dev(hald_acl_t)
- dev_setattr_sound_dev(hald_acl_t)
- dev_setattr_generic_usb_dev(hald_acl_t)
- dev_setattr_usbfs_files(hald_acl_t)
-@@ -358,3 +376,25 @@
- libs_use_shared_libs(hald_sonypic_t)
-
- miscfiles_read_localization(hald_sonypic_t)
-+
-+########################################
-+#
-+# Local hald keymap policy
-+#
-+
-+domtrans_pattern(hald_t, hald_keymap_exec_t, hald_keymap_t)
-+allow hald_t hald_keymap_t:process signal;
-+allow hald_keymap_t hald_t:unix_stream_socket connectto;
-+
-+manage_dirs_pattern(hald_keymap_t,hald_var_lib_t,hald_var_lib_t)
-+manage_files_pattern(hald_keymap_t,hald_var_lib_t,hald_var_lib_t)
-+files_search_var_lib(hald_keymap_t)
-+
-+files_read_usr_files(hald_keymap_t)
-+
-+libs_use_ld_so(hald_keymap_t)
-+libs_use_shared_libs(hald_keymap_t)
-+
-+miscfiles_read_localization(hald_keymap_t)
-+
-+dev_rw_input_dev(hald_keymap_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.0.7/policy/modules/services/inetd.te
---- nsaserefpolicy/policy/modules/services/inetd.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/inetd.te 2007-09-10 16:31:50.000000000 -0400
-@@ -53,6 +53,8 @@
- allow inetd_t inetd_var_run_t:file manage_file_perms;
- files_pid_filetrans(inetd_t,inetd_var_run_t,file)
-
-+auth_search_key(inetd_t)
+ /var/run/vbestate -- gen_context(system_u:object_r:hald_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.8/policy/modules/services/hal.te
+--- nsaserefpolicy/policy/modules/services/hal.te 2007-09-12 10:34:50.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/hal.te 2007-09-17 16:20:18.000000000 -0400
+@@ -293,6 +293,7 @@
+ #
+
+ allow hald_acl_t self:capability { dac_override fowner };
++allow hald_acl_t self:process signal;
+ allow hald_acl_t self:fifo_file read_fifo_file_perms;
+
+ domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.0.8/policy/modules/services/inetd.te
+--- nsaserefpolicy/policy/modules/services/inetd.te 2007-09-12 10:34:50.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/inetd.te 2007-09-17 16:20:18.000000000 -0400
+@@ -53,6 +53,8 @@
+ allow inetd_t inetd_var_run_t:file manage_file_perms;
+ files_pid_filetrans(inetd_t,inetd_var_run_t,file)
+
++auth_search_key(inetd_t)
+
kernel_read_kernel_sysctls(inetd_t)
kernel_list_proc(inetd_t)
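Review bot: In the hal.fc part of this hunk, `/var/lib/PolicyKit(/.*)?` is labelled `hald_var_lib_t`, which merges PolicyKit's on-disk state into hal's private data type, so any domain granted manage access to `hald_var_lib_t` can also alter PolicyKit's files, and any later tightening of hal's lib access silently affects PolicyKit too. If a dedicated type is not wanted yet, a comment next to that line such as `# TODO: PolicyKit state shares hald_var_lib_t; consider a dedicated type` would record the trade-off. The remaining additions in this hunk (`/var/log/pm`, `/var/run/pm`, `allow hald_acl_t self:process signal;`, `auth_search_key(inetd_t)`) look consistent with the existing hald and inetd types; the inetd.te rule block continues outside the hunk.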
@@ -6606,16 +5949,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
corenet_udp_bind_tftp_port(inetd_t)
corenet_tcp_bind_ssh_port(inetd_t)
-@@ -135,14 +142,19 @@
- mls_fd_use_all_levels(inetd_t)
+@@ -132,8 +139,10 @@
+ miscfiles_read_localization(inetd_t)
+
+ # xinetd needs MLS override privileges to work
++mls_fd_use_all_levels(inetd_t)
mls_fd_share_all_levels(inetd_t)
mls_socket_read_to_clearance(inetd_t)
+mls_socket_write_to_clearance(inetd_t)
mls_process_set_level(inetd_t)
--mls_socket_read_to_clearance(inetd_t)
sysnet_read_config(inetd_t)
-
+@@ -141,6 +150,11 @@
userdom_dontaudit_use_unpriv_user_fds(inetd_t)
userdom_dontaudit_search_sysadm_home_dirs(inetd_t)
@@ -6627,7 +5972,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
optional_policy(`
amanda_search_lib(inetd_t)
')
-@@ -172,6 +184,9 @@
+@@ -170,6 +184,9 @@
# for identd
allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow inetd_child_t self:capability { setuid setgid };
@@ -6637,7 +5982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
files_search_home(inetd_child_t)
manage_dirs_pattern(inetd_child_t,inetd_child_tmp_t,inetd_child_tmp_t)
-@@ -214,13 +229,10 @@
+@@ -212,13 +229,10 @@
')
optional_policy(`
@@ -6653,17 +5998,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
unconfined_domain(inetd_child_t)
+ inetd_service_domain(inetd_child_t,bin_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.0.7/policy/modules/services/kerberos.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.0.8/policy/modules/services/kerberos.fc
--- nsaserefpolicy/policy/modules/services/kerberos.fc 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/kerberos.fc 2007-09-11 09:03:41.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/kerberos.fc 2007-09-17 16:20:18.000000000 -0400
@@ -16,3 +16,4 @@
/var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0)
/var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0)
+/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.0.7/policy/modules/services/kerberos.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.0.8/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/kerberos.if 2007-09-11 09:02:54.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/kerberos.if 2007-09-17 16:20:18.000000000 -0400
@@ -42,6 +42,10 @@
dontaudit $1 krb5_conf_t:file write;
dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
@@ -6701,9 +6046,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
+ seutil_read_file_contexts($1)
+ allow $1 krb5_host_rcache_t:file manage_file_perms;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.0.7/policy/modules/services/kerberos.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.0.8/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/kerberos.te 2007-09-11 09:02:44.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/kerberos.te 2007-09-17 16:20:18.000000000 -0400
@@ -54,6 +54,9 @@
type krb5kdc_var_run_t;
files_pid_file(krb5kdc_var_run_t)
@@ -6782,9 +6127,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.0.7/policy/modules/services/ktalk.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.0.8/policy/modules/services/ktalk.te
--- nsaserefpolicy/policy/modules/services/ktalk.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/ktalk.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/ktalk.te 2007-09-17 16:20:18.000000000 -0400
@@ -49,6 +49,8 @@
manage_files_pattern(ktalkd_t,ktalkd_var_run_t,ktalkd_var_run_t)
files_pid_filetrans(ktalkd_t,ktalkd_var_run_t,file)
@@ -6808,9 +6153,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktal
- nscd_socket_use(ktalkd_t)
-')
+term_search_ptys(ktalkd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-3.0.7/policy/modules/services/lpd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-3.0.8/policy/modules/services/lpd.if
--- nsaserefpolicy/policy/modules/services/lpd.if 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/lpd.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/lpd.if 2007-09-17 16:20:18.000000000 -0400
@@ -394,3 +394,22 @@
domtrans_pattern($2, lpr_exec_t, $1_lpr_t)
@@ -6834,9 +6179,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.
+
+ can_exec($1,lpr_exec_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.0.7/policy/modules/services/mailman.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.0.8/policy/modules/services/mailman.te
--- nsaserefpolicy/policy/modules/services/mailman.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/mailman.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/mailman.te 2007-09-17 16:20:18.000000000 -0400
@@ -55,6 +55,7 @@
apache_use_fds(mailman_cgi_t)
apache_dontaudit_append_log(mailman_cgi_t)
@@ -6853,15 +6198,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
files_dontaudit_search_pids(mailman_queue_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.fc serefpolicy-3.0.7/policy/modules/services/mailscanner.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.fc serefpolicy-3.0.8/policy/modules/services/mailscanner.fc
--- nsaserefpolicy/policy/modules/services/mailscanner.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/policy/modules/services/mailscanner.fc 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/mailscanner.fc 2007-09-17 16:20:18.000000000 -0400
@@ -0,0 +1,2 @@
+/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:mailscanner_spool_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.if serefpolicy-3.0.7/policy/modules/services/mailscanner.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.if serefpolicy-3.0.8/policy/modules/services/mailscanner.if
--- nsaserefpolicy/policy/modules/services/mailscanner.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/policy/modules/services/mailscanner.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/mailscanner.if 2007-09-17 16:20:18.000000000 -0400
@@ -0,0 +1,59 @@
+## Anti-Virus and Anti-Spam Filter
+
@@ -6922,18 +6267,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
+ files_search_spool($1)
+ manage_files_pattern($1,mailscanner_spool_t,mailscanner_spool_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.te serefpolicy-3.0.7/policy/modules/services/mailscanner.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.te serefpolicy-3.0.8/policy/modules/services/mailscanner.te
--- nsaserefpolicy/policy/modules/services/mailscanner.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/policy/modules/services/mailscanner.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/mailscanner.te 2007-09-17 16:20:18.000000000 -0400
@@ -0,0 +1,5 @@
+
+policy_module(mailscanner,1.0.0)
+
+type mailscanner_spool_t;
+files_type(mailscanner_spool_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.0.7/policy/modules/services/mta.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.0.8/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/mta.if 2007-09-10 15:34:04.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/mta.if 2007-09-17 16:20:18.000000000 -0400
@@ -226,6 +226,15 @@
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files($1_mail_t)
@@ -7033,9 +6378,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
#######################################
##
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.7/policy/modules/services/mta.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.8/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/mta.te 2007-09-10 15:33:31.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-09-17 16:26:13.000000000 -0400
@@ -6,6 +6,7 @@
# Declarations
#
@@ -7060,38 +6405,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
dev_read_rand(system_mail_t)
dev_read_urand(system_mail_t)
-@@ -51,16 +54,46 @@
+@@ -51,16 +54,19 @@
userdom_use_sysadm_terms(system_mail_t)
userdom_dontaudit_search_sysadm_home_dirs(system_mail_t)
+userdom_dontaudit_search_all_users_home_content(system_mail_t)
-+
-+ifdef(`targeted_policy',`
-+
-+ manage_dirs_pattern(system_mail_t,mail_spool_t,mail_spool_t)
-+ manage_files_pattern(system_mail_t,mail_spool_t,mail_spool_t)
-+ manage_lnk_files_pattern(system_mail_t,mail_spool_t,mail_spool_t)
-+ manage_fifo_files_pattern(system_mail_t,mail_spool_t,mail_spool_t)
-+
-+ # for reading .forward - maybe we need a new type for it?
-+ # also for delivering mail to maildir
-+ userdom_manage_generic_user_home_content_dirs(mailserver_delivery)
-+ userdom_manage_generic_user_home_content_files(mailserver_delivery)
-+ userdom_manage_generic_user_home_content_symlinks(mailserver_delivery)
-+ userdom_manage_generic_user_home_content_sockets(mailserver_delivery)
-+ userdom_manage_generic_user_home_content_pipes(mailserver_delivery)
-+ userdom_generic_user_home_dir_filetrans_generic_user_home_content(mailserver_delivery,{ dir file lnk_file sock_file fifo_file })
-+
-+# cjp: another require-in-else to resolve
-+# optional_policy(`',`
-+ corecmd_exec_all_executables(system_mail_t)
-+
-+ files_exec_etc_files(system_mail_t)
-+
-+ libs_exec_ld_so(system_mail_t)
-+ libs_exec_lib_files(system_mail_t)
-+# ')
-+')
optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
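Review bot: The surviving `+userdom_dontaudit_search_all_users_home_content(system_mail_t)` is left without any rationale, because the only explanation (the `# for reading .forward - maybe we need a new type for it?` / maildir comment) sat inside the targeted_policy ifdef block that this hunk removes. A dontaudit suppresses exactly the AVC records a defender would otherwise see when mail delivery walks user home directories, so the reason belongs next to it, e.g. `# mail delivery probes user home dirs (historically for ~/.forward); silence the search noise rather than grant access`. Dropping the block itself narrows system_mail_t and mailserver_delivery (the manage rights on generic user home content and the exec of all executables, etc files and ld.so go away), and the renumbered header in the next hunk (`+@@ -73,6 +79,7 @@`) is consistent with those 27 lines being gone; the pyzor.te removal later on the page drops the matching targeted_policy home-content reads for pyzor_t and pyzord_t. The `optional_policy(` opened at the end of this hunk closes outside it.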
@@ -7107,7 +6425,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
optional_policy(`
-@@ -73,6 +106,7 @@
+@@ -73,6 +79,7 @@
optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
@@ -7115,18 +6433,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
cron_dontaudit_write_pipes(system_mail_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.0.7/policy/modules/services/mysql.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.0.8/policy/modules/services/mysql.fc
--- nsaserefpolicy/policy/modules/services/mysql.fc 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/mysql.fc 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/mysql.fc 2007-09-17 16:20:18.000000000 -0400
@@ -22,3 +22,5 @@
/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
/var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0)
+
+/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_script_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.0.7/policy/modules/services/mysql.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.0.8/policy/modules/services/mysql.if
--- nsaserefpolicy/policy/modules/services/mysql.if 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/mysql.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/mysql.if 2007-09-17 16:20:18.000000000 -0400
@@ -157,3 +157,79 @@
logging_search_logs($1)
allow $1 mysqld_log_t:file { write append setattr ioctl };
@@ -7207,9 +6525,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
+ manage_dirs_pattern($1,mysqld_tmp_t,mysqld_tmp_t)
+ manage_files_pattern($1,mysqld_tmp_t,mysqld_tmp_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.0.7/policy/modules/services/mysql.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.0.8/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/mysql.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/mysql.te 2007-09-17 16:20:18.000000000 -0400
@@ -25,6 +25,9 @@
type mysqld_tmp_t;
files_tmp_file(mysqld_tmp_t)
@@ -7220,9 +6538,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
########################################
#
# Local policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.0.7/policy/modules/services/nagios.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.0.8/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/nagios.fc 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/nagios.fc 2007-09-17 16:20:18.000000000 -0400
@@ -4,13 +4,15 @@
/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
@@ -7242,9 +6560,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
-/usr/lib/cgi-bin/nagios/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
')
+/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.0.7/policy/modules/services/nagios.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.0.8/policy/modules/services/nagios.if
--- nsaserefpolicy/policy/modules/services/nagios.if 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/nagios.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/nagios.if 2007-09-17 16:20:18.000000000 -0400
@@ -44,25 +44,6 @@
########################################
@@ -7271,9 +6589,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
## Execute the nagios NRPE with
## a domain transition.
##
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.0.7/policy/modules/services/nagios.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.0.8/policy/modules/services/nagios.te
--- nsaserefpolicy/policy/modules/services/nagios.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/nagios.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/nagios.te 2007-09-17 16:20:18.000000000 -0400
@@ -10,10 +10,6 @@
type nagios_exec_t;
init_daemon_domain(nagios_t,nagios_exec_t)
@@ -7377,19 +6695,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
########################################
#
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.0.7/policy/modules/services/networkmanager.fc
---- nsaserefpolicy/policy/modules/services/networkmanager.fc 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/networkmanager.fc 2007-09-06 15:43:06.000000000 -0400
-@@ -1,5 +1,6 @@
-
- /usr/(s)?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-+/usr/(s)?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
- /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
- /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
- /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.0.7/policy/modules/services/networkmanager.te
---- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-08-22 07:14:07.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/networkmanager.te 2007-09-11 14:21:48.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.0.8/policy/modules/services/networkmanager.te
+--- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-09-12 10:34:50.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te 2007-09-17 16:20:18.000000000 -0400
@@ -20,7 +20,7 @@
# networkmanager will ptrace itself if gdb is installed
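Review bot: Removing the whole networkmanager.fc section drops the labeling of `/usr/(s)?bin/wpa_supplicant` as `NetworkManager_exec_t`, and because the section disappears entirely there is no renumbering evidence that the 3.0.8 base now carries it; whether wpa_supplicant still enters `NetworkManager_t` after this commit cannot be told from the page. The removals in the next two hunks look different: the remaining context headers move from 136 to 138 and from 152 to 157, which matches the two `can_exec` lines and the five openvpn `optional_policy` lines removed, so those appear to have been absorbed upstream. If the wpa_supplicant labeling was dropped deliberately, a sentence in the patch description saying which domain wpa_supplicant now runs in would spare the next reader this check.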
@@ -7399,16 +6707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
-@@ -41,6 +41,8 @@
- kernel_read_kernel_sysctls(NetworkManager_t)
- kernel_load_module(NetworkManager_t)
-
-+can_exec(NetworkManager_t, NetworkManager_exec_t)
-+
- corenet_all_recvfrom_unlabeled(NetworkManager_t)
- corenet_all_recvfrom_netlabel(NetworkManager_t)
- corenet_tcp_sendrecv_all_if(NetworkManager_t)
-@@ -136,6 +138,9 @@
+@@ -138,6 +138,9 @@
dbus_system_bus_client_template(NetworkManager,NetworkManager_t)
dbus_connect_system_bus(NetworkManager_t)
dbus_send_system_bus(NetworkManager_t)
@@ -7418,19 +6717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
')
optional_policy(`
-@@ -152,6 +157,11 @@
- ')
-
- optional_policy(`
-+ openvpn_domtrans(NetworkManager_t)
-+ openvpn_signal(NetworkManager_t)
-+')
-+
-+optional_policy(`
- ppp_domtrans(NetworkManager_t)
- ppp_read_pid_files(NetworkManager_t)
- ppp_signal(NetworkManager_t)
-@@ -166,8 +176,10 @@
+@@ -173,8 +176,10 @@
')
optional_policy(`
@@ -7441,9 +6728,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.0.7/policy/modules/services/nis.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.0.8/policy/modules/services/nis.fc
--- nsaserefpolicy/policy/modules/services/nis.fc 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/nis.fc 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/nis.fc 2007-09-17 16:20:18.000000000 -0400
@@ -4,6 +4,7 @@
/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
@@ -7452,9 +6739,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
/usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.0.7/policy/modules/services/nis.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.0.8/policy/modules/services/nis.if
--- nsaserefpolicy/policy/modules/services/nis.if 2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/nis.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/nis.if 2007-09-17 16:20:18.000000000 -0400
@@ -49,8 +49,8 @@
corenet_udp_bind_all_nodes($1)
corenet_tcp_bind_generic_port($1)
@@ -7466,9 +6753,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
corenet_dontaudit_tcp_bind_all_ports($1)
corenet_dontaudit_udp_bind_all_ports($1)
corenet_tcp_connect_portmap_port($1)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.0.7/policy/modules/services/nis.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.0.8/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/nis.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/nis.te 2007-09-17 16:20:18.000000000 -0400
@@ -113,6 +113,14 @@
userdom_dontaudit_use_unpriv_user_fds(ypbind_t)
userdom_dontaudit_search_sysadm_home_dirs(ypbind_t)
@@ -7521,9 +6808,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
corenet_tcp_connect_all_ports(ypxfr_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.0.7/policy/modules/services/nscd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.0.8/policy/modules/services/nscd.te
--- nsaserefpolicy/policy/modules/services/nscd.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/nscd.te 2007-09-11 10:21:10.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/nscd.te 2007-09-17 16:20:18.000000000 -0400
@@ -28,14 +28,14 @@
# Local policy
#
@@ -7572,9 +6859,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd
+ samba_read_config(nscd_t)
+ samba_read_var_files(nscd_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.fc serefpolicy-3.0.7/policy/modules/services/ntp.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.fc serefpolicy-3.0.8/policy/modules/services/ntp.fc
--- nsaserefpolicy/policy/modules/services/ntp.fc 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/ntp.fc 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/ntp.fc 2007-09-17 16:20:18.000000000 -0400
@@ -17,3 +17,8 @@
/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
@@ -7584,9 +6871,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
+/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
+
+/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_script_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.0.7/policy/modules/services/ntp.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.0.8/policy/modules/services/ntp.if
--- nsaserefpolicy/policy/modules/services/ntp.if 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/ntp.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/ntp.if 2007-09-17 16:20:18.000000000 -0400
@@ -53,3 +53,59 @@
corecmd_search_bin($1)
domtrans_pattern($1,ntpdate_exec_t,ntpd_t)
@@ -7647,9 +6934,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
+ allow $1 ntpd_t:process signal;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.0.7/policy/modules/services/ntp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.0.8/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/ntp.te 2007-09-11 10:21:22.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/ntp.te 2007-09-17 16:20:18.000000000 -0400
@@ -25,6 +25,12 @@
type ntpdate_exec_t;
init_system_domain(ntpd_t,ntpdate_exec_t)
@@ -7710,157 +6997,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
logrotate_exec(ntpd_t)
')
-@@ -132,3 +150,4 @@
- optional_policy(`
- udev_read_db(ntpd_t)
- ')
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.if serefpolicy-3.0.7/policy/modules/services/openvpn.if
---- nsaserefpolicy/policy/modules/services/openvpn.if 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/openvpn.if 2007-09-06 15:43:06.000000000 -0400
-@@ -22,3 +22,71 @@
- read_files_pattern($1,openvpn_etc_t,openvpn_etc_t)
- read_lnk_files_pattern($1,openvpn_etc_t,openvpn_etc_t)
- ')
-+
-+########################################
-+##
-+## Execute OPENVPN clients in the openvpn domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openvpn_domtrans',`
-+ gen_require(`
-+ type openvpn_t, openvpn_exec_t;
-+ ')
-+
-+ domtrans_pattern($1,openvpn_exec_t,openvpn_t)
-+')
-+
-+########################################
-+##
-+## Execute OPENVPN clients in the openvpn domain, and
-+## allow the specified role the openvpn domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The role to be allowed the openvpn domain.
-+##
-+##
-+##
-+##
-+## The type of the terminal allow the openvpn domain to use.
-+##
-+##
-+##
-+#
-+interface(`openvpn_run',`
-+ gen_require(`
-+ type openvpn_t;
-+ ')
-+
-+ openvpn_domtrans($1)
-+ role $2 types openvpn_t;
-+ allow openvpn_t $3:chr_file rw_term_perms;
-+')
-+
-+########################################
-+##
-+## Send generic signals to OPENVPN clients.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`openvpn_signal',`
-+ gen_require(`
-+ type openvpn_t;
-+ ')
-+
-+ allow $1 openvpn_t:process signal;
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.0.7/policy/modules/services/openvpn.te
---- nsaserefpolicy/policy/modules/services/openvpn.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/openvpn.te 2007-09-06 15:43:06.000000000 -0400
-@@ -6,6 +6,13 @@
- # Declarations
- #
-
-+##
-+##
-+## Allow openvpn to read home directories
-+##
-+##
-+gen_tunable(openvpn_enable_homedirs,false)
-+
- # main openvpn domain
- type openvpn_t;
- type openvpn_exec_t;
-@@ -28,7 +35,9 @@
- # openvpn local policy
- #
-
--allow openvpn_t self:capability { net_bind_service net_admin setgid setuid sys_tty_config };
-+allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_tty_config };
-+allow openvpn_t self:process { signal getsched };
-+
- allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
- allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
- allow openvpn_t self:udp_socket create_socket_perms;
-@@ -42,8 +51,8 @@
- allow openvpn_t openvpn_var_log_t:file manage_file_perms;
- logging_log_filetrans(openvpn_t,openvpn_var_log_t,file)
-
--allow openvpn_t openvpn_var_run_t:file manage_file_perms;
--files_pid_filetrans(openvpn_t, openvpn_var_run_t, file)
-+manage_files_pattern(openvpn_t,openvpn_var_run_t,openvpn_var_run_t)
-+files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir })
-
- kernel_read_kernel_sysctls(openvpn_t)
- kernel_read_net_sysctls(openvpn_t)
-@@ -67,6 +76,7 @@
- corenet_udp_bind_openvpn_port(openvpn_t)
- corenet_sendrecv_openvpn_server_packets(openvpn_t)
- corenet_rw_tun_tap_dev(openvpn_t)
-+corenet_tcp_connect_openvpn_port(openvpn_t)
-
- dev_search_sysfs(openvpn_t)
- dev_read_rand(openvpn_t)
-@@ -81,10 +91,31 @@
- logging_send_syslog_msg(openvpn_t)
-
- miscfiles_read_localization(openvpn_t)
-+miscfiles_read_certs(openvpn_t)
-
- sysnet_dns_name_resolve(openvpn_t)
- sysnet_exec_ifconfig(openvpn_t)
-
-+tunable_policy(`openvpn_enable_homedirs',`
-+ userdom_read_unpriv_users_home_content_files(openvpn_t)
-+')
-+
- optional_policy(`
- daemontools_service_domain(openvpn_t,openvpn_exec_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.0.8/policy/modules/services/openvpn.te
+--- nsaserefpolicy/policy/modules/services/openvpn.te 2007-09-12 10:34:50.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/openvpn.te 2007-09-17 16:20:18.000000000 -0400
+@@ -108,6 +108,14 @@
+ dbus_system_bus_client_template(openvpn,openvpn_t)
+ dbus_connect_system_bus(openvpn_t)
+ dbus_send_system_bus(openvpn_t)
+-
+ networkmanager_dbus_chat(openvpn_t)
')
+
-+optional_policy(`
-+ dbus_system_bus_client_template(openvpn,openvpn_t)
-+ dbus_connect_system_bus(openvpn_t)
-+ dbus_send_system_bus(openvpn_t)
-+ networkmanager_dbus_chat(openvpn_t)
-+')
-+
+
+# Need to interact with terminals if config option "auth-user-pass" is used
+userdom_use_sysadm_terms(openvpn_t)
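Review bot: The new `userdom_use_sysadm_terms(openvpn_t)` is added unconditionally, whereas the earlier version of this section gated its extra home-directory access behind the `openvpn_enable_homedirs` tunable that this hunk removes; rw access to administrator terminals for a network-facing daemon is only needed for the `auth-user-pass` case the comment describes, so it deserves the same treatment. Wrapping the terminal lines in a `tunable_policy` block keyed on a new boolean (name to be chosen, defaulting to false) keeps unattended deployments at the narrower profile, and the comment `# Need to interact with terminals if config option "auth-user-pass" is used` should travel with them and say that the access is to sysadm terminals specifically. Dropping the earlier `dac_read_search dac_override` capability grant and the home-directory tunable narrows openvpn_t, which is welcome. The openvpn.te hunk opened at `+@@ -108,6 +108,14 @@` continues into the next outer hunk, where `unconfined_use_terminals(openvpn_t)` is added inside a block whose opening is not visible here.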
@@ -7869,9 +7016,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
+ unconfined_use_terminals(openvpn_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-3.0.7/policy/modules/services/pegasus.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-3.0.8/policy/modules/services/pegasus.if
--- nsaserefpolicy/policy/modules/services/pegasus.if 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/pegasus.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/pegasus.if 2007-09-17 16:20:18.000000000 -0400
@@ -1 +1,19 @@
## The Open Group Pegasus CIM/WBEM Server.
+
@@ -7892,9 +7039,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega
+
+ domtrans_pattern($1,pegasus_exec_t,pegasus_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.0.7/policy/modules/services/pegasus.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.0.8/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/pegasus.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/pegasus.te 2007-09-17 16:20:18.000000000 -0400
@@ -42,6 +42,7 @@
allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink };
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
@@ -7942,9 +7089,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega
rpm_exec(pegasus_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portslave.te serefpolicy-3.0.7/policy/modules/services/portslave.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portslave.te serefpolicy-3.0.8/policy/modules/services/portslave.te
--- nsaserefpolicy/policy/modules/services/portslave.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/portslave.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/portslave.te 2007-09-17 16:20:18.000000000 -0400
@@ -85,6 +85,7 @@
auth_rw_login_records(portslave_t)
@@ -7953,9 +7100,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port
init_rw_utmp(portslave_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.0.7/policy/modules/services/postfix.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.0.8/policy/modules/services/postfix.fc
--- nsaserefpolicy/policy/modules/services/postfix.fc 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/postfix.fc 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/postfix.fc 2007-09-17 16:20:18.000000000 -0400
@@ -14,6 +14,7 @@
/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
@@ -7964,9 +7111,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
', `
/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.0.7/policy/modules/services/postfix.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.0.8/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/postfix.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/postfix.if 2007-09-17 16:20:18.000000000 -0400
@@ -41,6 +41,8 @@
allow postfix_$1_t self:unix_stream_socket connectto;
@@ -8088,9 +7235,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+ allow $1 postfix_private_t:dir list_dir_perms;
+ create_sock_files_pattern($1,postfix_private_t,postfix_private_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.0.7/policy/modules/services/postfix.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.0.8/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/postfix.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/postfix.te 2007-09-17 16:20:18.000000000 -0400
@@ -6,6 +6,14 @@
# Declarations
#
@@ -8265,18 +7412,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+# For reading spamassasin
+mta_read_config(postfix_virtual_t)
+mta_manage_spool(postfix_virtual_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.0.7/policy/modules/services/postgresql.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.0.8/policy/modules/services/postgresql.fc
--- nsaserefpolicy/policy/modules/services/postgresql.fc 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/postgresql.fc 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/postgresql.fc 2007-09-17 16:20:18.000000000 -0400
@@ -38,3 +38,5 @@
')
/var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
+
+/etc/rc\.d/init\.d/postgresql -- gen_context(system_u:object_r:postgresql_script_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.0.7/policy/modules/services/postgresql.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.0.8/policy/modules/services/postgresql.if
--- nsaserefpolicy/policy/modules/services/postgresql.if 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/postgresql.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/postgresql.if 2007-09-17 16:20:18.000000000 -0400
@@ -113,3 +113,77 @@
# Some versions of postgresql put the sock file in /tmp
allow $1 postgresql_tmp_t:sock_file write;
@@ -8355,9 +7502,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+ manage_dirs_pattern($1,postgresql_tmp_t,postgresql_tmp_t)
+ manage_files_pattern($1,postgresql_tmp_t,postgresql_tmp_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.0.7/policy/modules/services/postgresql.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.0.8/policy/modules/services/postgresql.te
--- nsaserefpolicy/policy/modules/services/postgresql.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/postgresql.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/postgresql.te 2007-09-17 16:20:18.000000000 -0400
@@ -27,6 +27,9 @@
type postgresql_var_run_t;
files_pid_file(postgresql_var_run_t)
@@ -8368,9 +7515,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
#
# postgresql Local policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.0.7/policy/modules/services/procmail.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.0.8/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/procmail.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/procmail.te 2007-09-17 16:20:18.000000000 -0400
@@ -30,6 +30,8 @@
allow procmail_t procmail_tmp_t:file manage_file_perms;
files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
@@ -8406,9 +7553,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc
+optional_policy(`
+ mailscanner_read_spool(procmail_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.0.7/policy/modules/services/pyzor.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.0.8/policy/modules/services/pyzor.if
--- nsaserefpolicy/policy/modules/services/pyzor.if 2007-06-11 16:05:30.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/pyzor.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/pyzor.if 2007-09-17 16:20:18.000000000 -0400
@@ -25,16 +25,16 @@
#
template(`pyzor_per_role_template',`
@@ -8431,43 +7578,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.0.7/policy/modules/services/pyzor.te
---- nsaserefpolicy/policy/modules/services/pyzor.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/pyzor.te 2007-09-06 15:43:06.000000000 -0400
-@@ -70,6 +70,11 @@
-
- userdom_dontaudit_search_sysadm_home_dirs(pyzor_t)
-
-+ifdef(`targeted_policy',`
-+ userdom_dontaudit_write_sysadm_home_dirs(pyzor_t)
-+ userdom_read_generic_user_home_content_files(pyzor_t)
-+')
-+
- optional_policy(`
- amavis_manage_lib_files(pyzor_t)
- amavis_manage_spool_files(pyzor_t)
-@@ -133,6 +138,10 @@
-
- mta_manage_spool(pyzord_t)
-
-+ifdef(`targeted_policy',`
-+ userdom_read_generic_user_home_content_files(pyzord_t)
-+')
-+
- optional_policy(`
- logging_send_syslog_msg(pyzord_t)
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.fc serefpolicy-3.0.7/policy/modules/services/radius.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.fc serefpolicy-3.0.8/policy/modules/services/radius.fc
--- nsaserefpolicy/policy/modules/services/radius.fc 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/radius.fc 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/radius.fc 2007-09-17 16:20:18.000000000 -0400
@@ -18,3 +18,4 @@
/var/run/radiusd(/.*)? gen_context(system_u:object_r:radiusd_var_run_t,s0)
/var/run/radiusd\.pid -- gen_context(system_u:object_r:radiusd_var_run_t,s0)
+/var/lib/radiousd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.0.7/policy/modules/services/radius.te
---- nsaserefpolicy/policy/modules/services/radius.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/radius.te 2007-09-06 15:43:06.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.0.8/policy/modules/services/radius.te
+--- nsaserefpolicy/policy/modules/services/radius.te 2007-09-12 10:34:50.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/radius.te 2007-09-17 16:20:18.000000000 -0400
@@ -19,6 +19,9 @@
type radiusd_log_t;
logging_log_file(radiusd_log_t)
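Review bot: The file-context entry `/var/lib/radiousd(/.*)?` in the radius.fc hunk looks like a typo for `radiusd`; as written, the real `/var/lib/radiusd` tree would keep its default label instead of `radiusd_var_lib_t`, so any rule granting radiusd_t access to that type would have no effect on the actual directory. The corrected line would be `/var/lib/radiusd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0)`. The line is carried over unchanged from the previous revision of the patch, so the mistake predates this commit but survives it.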
@@ -8495,17 +7616,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi
corecmd_exec_bin(radiusd_t)
corecmd_exec_shell(radiusd_t)
-@@ -99,6 +105,7 @@
- logging_send_syslog_msg(radiusd_t)
-
- miscfiles_read_localization(radiusd_t)
-+miscfiles_read_certs(radiusd_t)
-
- sysnet_read_config(radiusd_t)
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-3.0.7/policy/modules/services/remotelogin.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-3.0.8/policy/modules/services/remotelogin.te
--- nsaserefpolicy/policy/modules/services/remotelogin.te 2007-06-11 16:05:30.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/remotelogin.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/remotelogin.te 2007-09-17 16:20:18.000000000 -0400
@@ -85,6 +85,7 @@
miscfiles_read_localization(remote_login_t)
@@ -8514,9 +7627,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remo
userdom_use_unpriv_users_fds(remote_login_t)
userdom_search_all_users_home_content(remote_login_t)
# Only permit unprivileged user domains to be entered via rlogin,
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-3.0.7/policy/modules/services/rhgb.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-3.0.8/policy/modules/services/rhgb.te
--- nsaserefpolicy/policy/modules/services/rhgb.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/rhgb.te 2007-09-11 11:38:16.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/rhgb.te 2007-09-17 16:20:18.000000000 -0400
@@ -59,6 +59,7 @@
corenet_sendrecv_all_client_packets(rhgb_t)
@@ -8541,9 +7654,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb
optional_policy(`
consoletype_exec(rhgb_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.0.7/policy/modules/services/ricci.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.0.8/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/ricci.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/ricci.te 2007-09-17 16:20:18.000000000 -0400
@@ -138,6 +138,7 @@
files_create_boot_flag(ricci_t)
@@ -8563,17 +7676,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
unconfined_use_fds(ricci_modclusterd_t)
')
-@@ -349,6 +354,7 @@
-
- miscfiles_read_localization(ricci_modlog_t)
-
-+
- optional_policy(`
- nscd_dontaudit_search_pid(ricci_modlog_t)
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.0.7/policy/modules/services/rlogin.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.0.8/policy/modules/services/rlogin.te
--- nsaserefpolicy/policy/modules/services/rlogin.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/rlogin.te 2007-09-11 08:27:48.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/rlogin.te 2007-09-17 16:20:18.000000000 -0400
@@ -64,9 +64,10 @@
fs_getattr_xattr_fs(rlogind_t)
fs_search_auto_mountpoints(rlogind_t)
@@ -8605,9 +7710,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog
')
ifdef(`TODO',`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.0.7/policy/modules/services/rpcbind.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.0.8/policy/modules/services/rpcbind.te
--- nsaserefpolicy/policy/modules/services/rpcbind.te 2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/rpcbind.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/rpcbind.te 2007-09-17 16:20:18.000000000 -0400
@@ -21,11 +21,13 @@
# rpcbind local policy
#
@@ -8623,18 +7728,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcb
allow rpcbind_t self:tcp_socket create_stream_socket_perms;
manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.0.7/policy/modules/services/rpc.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.0.8/policy/modules/services/rpc.if
--- nsaserefpolicy/policy/modules/services/rpc.if 2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/rpc.if 2007-09-06 15:43:06.000000000 -0400
-@@ -81,6 +81,7 @@
- corenet_tcp_bind_all_nodes($1_t)
- corenet_udp_bind_all_nodes($1_t)
- corenet_tcp_bind_reserved_port($1_t)
-+ corenet_tcp_bind_reserved_port($1_t)
- corenet_tcp_connect_all_ports($1_t)
- corenet_sendrecv_portmap_client_packets($1_t)
- # do not log when it tries to bind to a port belonging to another domain
-@@ -89,8 +90,11 @@
++++ serefpolicy-3.0.8/policy/modules/services/rpc.if 2007-09-17 16:20:18.000000000 -0400
+@@ -89,8 +89,11 @@
# bind to arbitary unused ports
corenet_tcp_bind_generic_port($1_t)
corenet_udp_bind_generic_port($1_t)
@@ -8647,9 +7744,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
fs_rw_rpc_named_pipes($1_t)
fs_search_auto_mountpoints($1_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.7/policy/modules/services/rpc.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.8/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/rpc.te 2007-09-07 10:32:33.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/rpc.te 2007-09-17 16:20:18.000000000 -0400
@@ -59,10 +59,14 @@
manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
@@ -8719,16 +7816,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
tunable_policy(`allow_gssd_read_tmp',`
userdom_list_unpriv_users_tmp(gssd_t)
userdom_read_unpriv_users_tmp_files(gssd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.0.7/policy/modules/services/rshd.te
---- nsaserefpolicy/policy/modules/services/rshd.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/rshd.te 2007-09-11 09:10:14.000000000 -0400
-@@ -11,15 +11,17 @@
- domain_subj_id_change_exemption(rshd_t)
- domain_role_change_exemption(rshd_t)
- role system_r types rshd_t;
-+domain_interactive_fd(rshd_t)
-
- ########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.0.8/policy/modules/services/rshd.te
+--- nsaserefpolicy/policy/modules/services/rshd.te 2007-09-12 10:34:50.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/rshd.te 2007-09-17 16:20:18.000000000 -0400
+@@ -16,10 +16,11 @@
#
# Local policy
#
@@ -8741,7 +7832,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd
kernel_read_kernel_sysctls(rshd_t)
-@@ -33,6 +35,8 @@
+@@ -33,6 +34,8 @@
corenet_udp_sendrecv_all_ports(rshd_t)
corenet_tcp_bind_all_nodes(rshd_t)
corenet_tcp_bind_rsh_port(rshd_t)
@@ -8750,7 +7841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd
corenet_sendrecv_rsh_server_packets(rshd_t)
dev_read_urand(rshd_t)
-@@ -44,28 +48,44 @@
+@@ -44,28 +47,44 @@
selinux_compute_relabel_context(rshd_t)
selinux_compute_user_contexts(rshd_t)
@@ -8798,7 +7889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(rshd_t)
fs_read_nfs_symlinks(rshd_t)
-@@ -76,15 +96,3 @@
+@@ -76,15 +95,3 @@
fs_read_cifs_symlinks(rshd_t)
')
@@ -8814,9 +7905,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd
- unconfined_domain(rshd_t)
- unconfined_shell_domtrans(rshd_t)
-')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.0.7/policy/modules/services/rsync.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.0.8/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/rsync.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/rsync.te 2007-09-17 16:20:18.000000000 -0400
@@ -17,6 +17,7 @@
type rsync_t;
type rsync_exec_t;
@@ -8825,117 +7916,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
role system_r types rsync_t;
type rsync_data_t;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho.fc serefpolicy-3.0.7/policy/modules/services/rwho.fc
---- nsaserefpolicy/policy/modules/services/rwho.fc 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/rwho.fc 2007-09-06 15:43:06.000000000 -0400
-@@ -1,3 +1,4 @@
- /usr/sbin/rwhod -- gen_context(system_u:object_r:rwho_exec_t,s0)
-
- /var/spool/rwho(/.*)? gen_context(system_u:object_r:rwho_spool_t,s0)
-+/var/log/rwhod(/.*)? gen_context(system_u:object_r:rwho_log_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho.if serefpolicy-3.0.7/policy/modules/services/rwho.if
---- nsaserefpolicy/policy/modules/services/rwho.if 2007-06-15 14:54:33.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/rwho.if 2007-09-06 15:43:06.000000000 -0400
-@@ -72,6 +72,47 @@
- type rwho_spool_t;
- ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.0.8/policy/modules/services/samba.fc
+--- nsaserefpolicy/policy/modules/services/samba.fc 2007-06-19 16:23:34.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/samba.fc 2007-09-17 16:20:18.000000000 -0400
+@@ -15,6 +15,7 @@
+ /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
+ /usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0)
+ /usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0)
++/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
+ /usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0)
-- manage_files_pattern($1,rwho_spool_t,rwho_spool_t)
-+ allow $1 rwho_spool_t:file manage_file_perms;
-+ allow $1 rwho_spool_t:dir rw_dir_perms;
- files_search_spool($1)
- ')
-+
-+########################################
-+##
-+## Search rwho log directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rwho_search_log',`
-+ gen_require(`
-+ type rwho_log_t;
-+ ')
-+
-+ allow $1 rwho_log_t:dir search_dir_perms;
-+ logging_search_logs($1)
-+')
-+
-+########################################
-+##
-+## Read rwho log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`rwho_read_log_files',`
-+ gen_require(`
-+ type rwho_log_t;
-+ ')
-+
-+ allow $1 rwho_log_t:file r_file_perms;
-+ allow $1 rwho_log_t:dir list_dir_perms;
-+ logging_search_logs($1)
-+')
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho.te serefpolicy-3.0.7/policy/modules/services/rwho.te
---- nsaserefpolicy/policy/modules/services/rwho.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/rwho.te 2007-09-06 15:43:06.000000000 -0400
-@@ -10,10 +10,12 @@
- type rwho_exec_t;
- init_daemon_domain(rwho_t, rwho_exec_t)
-
--# var/spool files
- type rwho_spool_t;
- files_type(rwho_spool_t)
-
-+type rwho_log_t;
-+files_type(rwho_log_t)
-+
- ########################################
- #
- # rwho local policy
-@@ -30,6 +32,10 @@
- allow rwho_t rwho_spool_t:file manage_file_perms;
- files_spool_filetrans(rwho_t,rwho_spool_t, { file dir })
-
-+allow rwho_t rwho_log_t:dir manage_dir_perms;
-+allow rwho_t rwho_log_t:file manage_file_perms;
-+logging_log_filetrans(rwho_t,rwho_log_t, { file dir })
-+
- kernel_read_system_state(rwho_t)
-
- corenet_all_recvfrom_unlabeled(rwho_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.0.7/policy/modules/services/samba.fc
---- nsaserefpolicy/policy/modules/services/samba.fc 2007-06-19 16:23:34.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/samba.fc 2007-09-11 09:23:37.000000000 -0400
-@@ -15,6 +15,7 @@
- /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
- /usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0)
- /usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0)
-+/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
- /usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0)
-
- /usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0)
-@@ -30,6 +31,8 @@
- /var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
- /var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
-
-+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+ /usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0)
+@@ -30,6 +31,8 @@
+ /var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
+ /var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+
++/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+
/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)
/var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.0.7/policy/modules/services/samba.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.0.8/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2007-06-19 16:23:35.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/samba.if 2007-09-11 09:24:00.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/samba.if 2007-09-17 16:20:18.000000000 -0400
@@ -349,6 +349,7 @@
files_search_var($1)
files_search_var_lib($1)
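Review bot: Labelling `/var/lib/samba/scripts(/.*)?` as `samba_unconfined_script_exec_t` makes that directory the entry point for the smbd_t to samba_unconfined_script_t transition, so the policy has to guarantee that smbd_t cannot create or modify files there; nothing in this hunk shows whether smbd_t is denied write access to that type. Because a new file inherits its parent directory's type unless a filetrans rule says otherwise, any file smbd could write into that directory would itself become an unconfined entry point, which would undo the confinement of smbd. Suggest a comment in samba.fc next to the entry, `# scripts here run unconfined: this directory must not be writable by smbd_t`, and a check that no rule grants smbd_t write or add_name on samba_unconfined_script_exec_t. The domtrans rule that uses this type lives further down in samba.te, outside this hunk.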
@@ -9047,9 +8050,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+ role $2 types smbcontrol_t;
+ dontaudit smbcontrol_t $3:chr_file rw_term_perms;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.7/policy/modules/services/samba.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.8/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/samba.te 2007-09-11 10:50:53.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/samba.te 2007-09-17 16:20:18.000000000 -0400
@@ -137,6 +137,11 @@
type winbind_var_run_t;
files_pid_file(winbind_var_run_t)
@@ -9100,7 +8103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
########################################
#
# smbd Local policy
-@@ -217,17 +218,16 @@
+@@ -217,19 +218,16 @@
allow smbd_t self:msgq create_msgq_perms;
allow smbd_t self:sem create_sem_perms;
allow smbd_t self:shm create_shm_perms;
@@ -9116,12 +8119,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
-create_dirs_pattern(smbd_t,samba_log_t,samba_log_t)
-create_files_pattern(smbd_t,samba_log_t,samba_log_t)
+-allow smbd_t samba_log_t:dir setattr;
+-dontaudit smbd_t samba_log_t:dir remove_name;
+manage_dirs_pattern(smbd_t,samba_log_t,samba_log_t)
+manage_files_pattern(smbd_t,samba_log_t,samba_log_t)
- allow smbd_t samba_log_t:dir setattr;
- dontaudit smbd_t samba_log_t:dir remove_name;
-@@ -256,7 +256,7 @@
+ allow smbd_t samba_net_tmp_t:file getattr;
+
+@@ -256,7 +254,7 @@
manage_sock_files_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t)
files_pid_filetrans(smbd_t,smbd_var_run_t,file)
@@ -9130,7 +8135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
-@@ -298,6 +298,7 @@
+@@ -298,6 +296,7 @@
auth_use_nsswitch(smbd_t)
auth_domtrans_chk_passwd(smbd_t)
@@ -9138,7 +8143,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
domain_use_interactive_fds(smbd_t)
domain_dontaudit_list_all_domains_state(smbd_t)
-@@ -321,8 +322,6 @@
+@@ -321,8 +320,6 @@
miscfiles_read_localization(smbd_t)
miscfiles_read_public_files(smbd_t)
@@ -9147,7 +8152,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
userdom_dontaudit_search_sysadm_home_dirs(smbd_t)
userdom_dontaudit_use_unpriv_user_fds(smbd_t)
userdom_use_unpriv_users_fds(smbd_t)
-@@ -350,6 +349,14 @@
+@@ -350,6 +347,14 @@
')
optional_policy(`
@@ -9162,7 +8167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
cups_read_rw_config(smbd_t)
cups_stream_connect(smbd_t)
')
-@@ -398,7 +405,7 @@
+@@ -398,7 +403,7 @@
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
@@ -9171,7 +8176,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
allow nmbd_t self:tcp_socket create_stream_socket_perms;
allow nmbd_t self:udp_socket create_socket_perms;
allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
-@@ -421,6 +428,8 @@
+@@ -410,8 +415,7 @@
+ read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
+
+ manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
+-append_files_pattern(nmbd_t,samba_log_t,samba_log_t)
+-allow nmbd_t samba_log_t:file unlink;
++manage_files_pattern(nmbd_t,samba_log_t,samba_log_t)
+
+ read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
+ create_files_pattern(nmbd_t,samba_log_t,samba_log_t)
+@@ -421,6 +425,8 @@
allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
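Review bot: Replacing `append_files_pattern` plus the `unlink` rule with `manage_files_pattern(nmbd_t,samba_log_t,samba_log_t)` widens nmbd's access to its log files from append-and-delete to full read/write/rename, which lets the daemon rewrite or truncate existing log records instead of only adding to them; if log rotation was the goal, keeping append together with `unlink` and `rename` is the narrower rule. The two context lines that follow, `read_files_pattern(nmbd_t,samba_log_t,samba_log_t)` and `create_files_pattern(nmbd_t,samba_log_t,samba_log_t)`, are now subsumed by the manage pattern and can be dropped to keep the rule set readable. The nmbd section this belongs to continues outside the hunk.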
@@ -9180,7 +8195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
kernel_read_kernel_sysctls(nmbd_t)
-@@ -462,17 +471,11 @@
+@@ -462,17 +468,11 @@
miscfiles_read_localization(nmbd_t)
@@ -9198,7 +8213,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
seutil_sigchld_newrole(nmbd_t)
')
-@@ -506,6 +509,8 @@
+@@ -506,6 +506,8 @@
manage_lnk_files_pattern(smbmount_t,samba_var_t,samba_var_t)
files_list_var_lib(smbmount_t)
@@ -9207,7 +8222,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
kernel_read_system_state(smbmount_t)
corenet_all_recvfrom_unlabeled(smbmount_t)
-@@ -533,6 +538,7 @@
+@@ -533,6 +535,7 @@
storage_raw_write_fixed_disk(smbmount_t)
term_list_ptys(smbmount_t)
@@ -9215,7 +8230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
corecmd_list_bin(smbmount_t)
-@@ -553,16 +559,11 @@
+@@ -553,16 +556,11 @@
logging_search_logs(smbmount_t)
@@ -9234,7 +8249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
')
########################################
-@@ -570,24 +571,28 @@
+@@ -570,24 +568,28 @@
# SWAT Local policy
#
@@ -9271,7 +8286,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
allow swat_t smbd_var_run_t:file read;
manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t)
-@@ -597,7 +602,11 @@
+@@ -597,7 +599,11 @@
manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
files_pid_filetrans(swat_t,swat_var_run_t,file)
@@ -9284,7 +8299,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -622,23 +631,24 @@
+@@ -622,23 +628,24 @@
dev_read_urand(swat_t)
@@ -9311,7 +8326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -652,13 +662,16 @@
+@@ -652,13 +659,16 @@
kerberos_use(swat_t)
')
@@ -9334,7 +8349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
########################################
#
-@@ -672,7 +685,6 @@
+@@ -672,7 +682,6 @@
allow winbind_t self:fifo_file { read write };
allow winbind_t self:unix_dgram_socket create_socket_perms;
allow winbind_t self:unix_stream_socket create_stream_socket_perms;
@@ -9342,7 +8357,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
allow winbind_t self:tcp_socket create_stream_socket_perms;
allow winbind_t self:udp_socket create_socket_perms;
-@@ -709,6 +721,8 @@
+@@ -709,6 +718,8 @@
manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
files_pid_filetrans(winbind_t,winbind_var_run_t,file)
@@ -9351,7 +8366,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
kernel_read_kernel_sysctls(winbind_t)
kernel_list_proc(winbind_t)
kernel_read_proc_symlinks(winbind_t)
-@@ -733,7 +747,9 @@
+@@ -733,7 +744,9 @@
fs_getattr_all_fs(winbind_t)
fs_search_auto_mountpoints(winbind_t)
@@ -9361,7 +8376,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
domain_use_interactive_fds(winbind_t)
-@@ -746,9 +762,6 @@
+@@ -746,9 +759,6 @@
miscfiles_read_localization(winbind_t)
@@ -9371,7 +8386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
userdom_dontaudit_use_unpriv_user_fds(winbind_t)
userdom_dontaudit_search_sysadm_home_dirs(winbind_t)
userdom_priveleged_home_dir_manager(winbind_t)
-@@ -758,10 +771,6 @@
+@@ -758,10 +768,6 @@
')
optional_policy(`
@@ -9382,7 +8397,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
seutil_sigchld_newrole(winbind_t)
')
-@@ -784,6 +793,8 @@
+@@ -784,6 +790,8 @@
allow winbind_helper_t samba_var_t:dir search;
files_list_var_lib(winbind_helper_t)
@@ -9391,7 +8406,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
stream_connect_pattern(winbind_helper_t,winbind_var_run_t,winbind_var_run_t,winbind_t)
term_list_ptys(winbind_helper_t)
-@@ -804,6 +815,7 @@
+@@ -804,6 +812,7 @@
optional_policy(`
squid_read_log(winbind_helper_t)
squid_append_log(winbind_helper_t)
@@ -9399,7 +8414,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
')
########################################
-@@ -828,3 +840,36 @@
+@@ -828,3 +837,36 @@
domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
')
')
@@ -9436,9 +8451,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+allow winbind_t smbcontrol_t:process signal;
+
+allow smbcontrol_t nmbd_var_run_t:file { read lock };
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.0.7/policy/modules/services/sasl.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.0.8/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/sasl.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/sasl.te 2007-09-17 16:20:18.000000000 -0400
@@ -64,6 +64,7 @@
selinux_compute_access_vector(saslauthd_t)
@@ -9447,33 +8462,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl
auth_use_nsswitch(saslauthd_t)
domain_use_interactive_fds(saslauthd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.0.7/policy/modules/services/sendmail.if
---- nsaserefpolicy/policy/modules/services/sendmail.if 2007-05-30 11:47:29.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/sendmail.if 2007-09-10 16:44:21.000000000 -0400
-@@ -131,3 +131,102 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.0.8/policy/modules/services/sendmail.if
+--- nsaserefpolicy/policy/modules/services/sendmail.if 2007-09-12 10:34:50.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/sendmail.if 2007-09-17 16:20:18.000000000 -0400
+@@ -149,3 +149,85 @@
logging_log_filetrans($1,sendmail_log_t,file)
')
+
+########################################
+##
-+##f allow domain to signal sendmail
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`sendmail_signal',`
-+ gen_require(`
-+ type sendmail_t;
-+ ')
-+ allow $1 sendmail_t:process signal;
-+')
-+
-+########################################
-+##
+## Execute the sendmail program in the sendmail domain.
+##
+##
@@ -9553,9 +8551,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
+ role $2 types unconfined_sendmail_t;
+ allow unconfined_sendmail_t $3:chr_file rw_file_perms;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.0.7/policy/modules/services/sendmail.te
---- nsaserefpolicy/policy/modules/services/sendmail.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/sendmail.te 2007-09-10 16:39:01.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.0.8/policy/modules/services/sendmail.te
+--- nsaserefpolicy/policy/modules/services/sendmail.te 2007-09-12 10:34:50.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2007-09-17 16:20:18.000000000 -0400
@@ -20,19 +20,22 @@
mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t)
@@ -9590,11 +8588,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
corenet_all_recvfrom_unlabeled(sendmail_t)
corenet_all_recvfrom_netlabel(sendmail_t)
corenet_tcp_sendrecv_all_if(sendmail_t)
-@@ -91,32 +96,27 @@
-
- logging_send_syslog_msg(sendmail_t)
-
-+miscfiles_read_certs(sendmail_t)
+@@ -94,30 +99,24 @@
+ miscfiles_read_certs(sendmail_t)
miscfiles_read_localization(sendmail_t)
-sysnet_dns_name_resolve(sendmail_t)
@@ -9628,7 +8623,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
')
optional_policy(`
-@@ -130,6 +130,10 @@
+@@ -131,6 +130,10 @@
')
optional_policy(`
@@ -9639,14 +8634,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
seutil_sigchld_newrole(sendmail_t)
')
-@@ -155,3 +159,14 @@
+@@ -156,3 +159,15 @@
dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
') dnl end TODO
+
+########################################
+#
-+# Unconfined mount local policy
++# Unconfined sendmail local policy
++# Allow unconfined domain to run newalias and have transitions work
+#
+
+optional_policy(`
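Review bot: The new comment `# Allow unconfined domain to run newalias and have transitions work` misnames the sendmail utility, which is `newaliases`; suggest `# Allow the unconfined domain to run newaliases and have the domain transitions work`. The `optional_policy` block the comment introduces continues outside the hunk.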
@@ -9654,53 +8650,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
+ unconfined_domain(unconfined_sendmail_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.0.7/policy/modules/services/setroubleshoot.if
---- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/setroubleshoot.if 2007-09-06 15:43:06.000000000 -0400
-@@ -19,3 +19,22 @@
- allow $1 setroubleshoot_var_run_t:sock_file write;
- allow $1 setroubleshootd_t:unix_stream_socket connectto;
- ')
-+
-+########################################
-+##
-+## Dontaudit Connect to setroubleshootd over an unix stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`setroubleshoot_dontaudit_stream_connect',`
-+ gen_require(`
-+ type setroubleshootd_t, setroubleshoot_var_run_t;
-+ ')
-+
-+ dontaudit $1 setroubleshoot_var_run_t:sock_file write;
-+ dontaudit $1 setroubleshootd_t:unix_stream_socket connectto;
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.0.7/policy/modules/services/setroubleshoot.te
---- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/setroubleshoot.te 2007-09-11 15:24:02.000000000 -0400
-@@ -33,7 +33,6 @@
- allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
- allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
- allow setroubleshootd_t self:unix_dgram_socket create_socket_perms;
--allow setroubleshootd_t self:netlink_route_socket r_netlink_socket_perms;
-
- # database files
- allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr;
-@@ -51,6 +50,8 @@
- manage_sock_files_pattern(setroubleshootd_t,setroubleshoot_var_run_t,setroubleshoot_var_run_t)
- files_pid_filetrans(setroubleshootd_t,setroubleshoot_var_run_t, { file sock_file })
-
-+auth_use_nsswitch(setroubleshootd_t)
-+
- kernel_read_kernel_sysctls(setroubleshootd_t)
- kernel_read_system_state(setroubleshootd_t)
- kernel_read_network_state(setroubleshootd_t)
-@@ -68,6 +69,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te
+--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-09-12 10:34:50.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te 2007-09-17 16:20:18.000000000 -0400
+@@ -67,6 +67,7 @@
corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
dev_read_urand(setroubleshootd_t)
@@ -9708,37 +8661,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
domain_dontaudit_search_all_domains_state(setroubleshootd_t)
-@@ -76,6 +78,9 @@
- files_getattr_all_dirs(setroubleshootd_t)
- files_getattr_all_files(setroubleshootd_t)
-
-+fs_getattr_all_dirs(setroubleshootd_t)
-+fs_getattr_all_files(setroubleshootd_t)
-+
- selinux_get_enforce_mode(setroubleshootd_t)
- selinux_validate_context(setroubleshootd_t)
-
-@@ -109,5 +114,8 @@
+@@ -111,3 +112,10 @@
+ rpm_dontaudit_manage_db(setroubleshootd_t)
+ rpm_use_script_fds(setroubleshootd_t)
')
-
- optional_policy(`
-- nis_use_ypbind(setroubleshootd_t)
++
++optional_policy(`
+ dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t)
+ dbus_send_system_bus(setroubleshootd_t)
+ dbus_connect_system_bus(setroubleshootd_t)
- ')
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.0.7/policy/modules/services/snmp.fc
---- nsaserefpolicy/policy/modules/services/snmp.fc 2007-06-19 16:23:35.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/snmp.fc 2007-09-06 15:43:06.000000000 -0400
-@@ -1,3 +1,4 @@
++')
+
- #
- # /usr
- #
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.0.7/policy/modules/services/snmp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.0.8/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/snmp.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/snmp.te 2007-09-17 16:20:18.000000000 -0400
@@ -81,8 +81,7 @@
files_read_usr_files(snmpd_t)
files_read_etc_runtime_files(snmpd_t)
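Review bot: `dbus_send_system_bus(setroubleshootd_t)` and `dbus_connect_system_bus(setroubleshootd_t)` in the new `optional_policy` block look redundant next to `dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t)`, which in refpolicy already grants the connect and send_msg access to the system bus; if that holds in this tree, the two extra calls can be dropped. The block also carries no comment saying which setroubleshootd feature needs the system bus; a one-line why-comment above the `optional_policy(` call, stating the actual reason, would match the rest of the module. The setroubleshoot.te region this patch rewrites starts outside this hunk.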
@@ -9749,9 +8685,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp
fs_getattr_all_dirs(snmpd_t)
fs_getattr_all_fs(snmpd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.fc serefpolicy-3.0.7/policy/modules/services/soundserver.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.fc serefpolicy-3.0.8/policy/modules/services/soundserver.fc
--- nsaserefpolicy/policy/modules/services/soundserver.fc 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/soundserver.fc 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/soundserver.fc 2007-09-17 16:20:18.000000000 -0400
@@ -1,10 +1,16 @@
-/etc/nas(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
-/etc/yiff(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
@@ -9775,9 +8711,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
+#
+
+/usr/bin/nasd -- gen_context(system_u:object_r:soundd_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.if serefpolicy-3.0.7/policy/modules/services/soundserver.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.if serefpolicy-3.0.8/policy/modules/services/soundserver.if
--- nsaserefpolicy/policy/modules/services/soundserver.if 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/soundserver.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/soundserver.if 2007-09-17 16:20:18.000000000 -0400
@@ -13,3 +13,64 @@
interface(`soundserver_tcp_connect',`
refpolicywarn(`$0($*) has been deprecated.')
@@ -9843,9 +8779,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
+ allow $1 soundd_var_run_t:sock_file r_file_perms;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.te serefpolicy-3.0.7/policy/modules/services/soundserver.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.te serefpolicy-3.0.8/policy/modules/services/soundserver.te
--- nsaserefpolicy/policy/modules/services/soundserver.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/soundserver.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/soundserver.te 2007-09-17 16:20:18.000000000 -0400
@@ -10,9 +10,6 @@
type soundd_exec_t;
init_daemon_domain(soundd_t,soundd_exec_t)
@@ -9909,45 +8845,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
seutil_sigchld_newrole(soundd_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.0.7/policy/modules/services/spamassassin.fc
---- nsaserefpolicy/policy/modules/services/spamassassin.fc 2007-06-11 16:05:30.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/spamassassin.fc 2007-09-06 15:43:06.000000000 -0400
-@@ -10,3 +10,9 @@
- /var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
-
- /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
-+/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
-+
-+/var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
-+/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
-+
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.0.7/policy/modules/services/spamassassin.te
---- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-08-02 08:17:27.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/spamassassin.te 2007-09-06 15:43:06.000000000 -0400
-@@ -83,8 +83,9 @@
- allow spamd_t spamd_var_lib_t:dir list_dir_perms;
- read_files_pattern(spamd_t,spamd_var_lib_t,spamd_var_lib_t)
-
-+manage_dirs_pattern(spamd_t,spamd_var_run_t,spamd_var_run_t)
- manage_files_pattern(spamd_t,spamd_var_run_t,spamd_var_run_t)
--files_pid_filetrans(spamd_t,spamd_var_run_t,file)
-+files_pid_filetrans(spamd_t,spamd_var_run_t,{ file dir })
-
- kernel_read_all_sysctls(spamd_t)
- kernel_read_system_state(spamd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.0.7/policy/modules/services/squid.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.0.8/policy/modules/services/squid.fc
--- nsaserefpolicy/policy/modules/services/squid.fc 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/squid.fc 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/squid.fc 2007-09-17 16:20:18.000000000 -0400
@@ -12,3 +12,5 @@
/var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0)
/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
+/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
+/usr/lib64/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.0.7/policy/modules/services/squid.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.0.8/policy/modules/services/squid.if
--- nsaserefpolicy/policy/modules/services/squid.if 2007-05-30 11:47:29.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/squid.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/squid.if 2007-09-17 16:20:18.000000000 -0400
@@ -131,3 +131,22 @@
interface(`squid_use',`
refpolicywarn(`$0($*) has been deprecated.')
@@ -9971,9 +8880,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
+
+ allow $1 squid_t:unix_stream_socket { read write };
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.0.7/policy/modules/services/squid.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.0.8/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/squid.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/squid.te 2007-09-17 16:20:18.000000000 -0400
@@ -36,7 +36,7 @@
# Local policy
#
@@ -10057,9 +8966,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
+ corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
+ corenet_all_recvfrom_netlabel(httpd_squid_script_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.0.7/policy/modules/services/ssh.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.0.8/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/ssh.if 2007-09-11 09:12:11.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/ssh.if 2007-09-17 16:20:18.000000000 -0400
@@ -202,6 +202,7 @@
#
template(`ssh_per_role_template',`
@@ -10119,9 +9028,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
+ dontaudit $2 $1_ssh_agent_t:fd use;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.0.7/policy/modules/services/ssh.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.0.8/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/ssh.te 2007-09-06 19:21:21.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/ssh.te 2007-09-17 16:20:18.000000000 -0400
@@ -24,7 +24,7 @@
# Type for the ssh-agent executable.
@@ -10131,16 +9040,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
# ssh client executable.
type ssh_exec_t;
-@@ -73,6 +73,8 @@
- manage_sock_files_pattern(sshd_t,sshd_tmp_t,sshd_tmp_t)
- files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
-
-+fs_search_auto_mountpoints(sshd_t)
-+
- kernel_search_key(sshd_t)
- kernel_link_key(sshd_t)
-
-@@ -80,6 +82,8 @@
+@@ -80,6 +80,8 @@
corenet_tcp_bind_xserver_port(sshd_t)
corenet_sendrecv_xserver_server_packets(sshd_t)
@@ -10149,7 +9049,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to
-@@ -100,6 +104,11 @@
+@@ -100,6 +102,11 @@
userdom_use_unpriv_users_ptys(sshd_t)
')
@@ -10161,7 +9061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
optional_policy(`
daemontools_service_domain(sshd_t, sshd_exec_t)
')
-@@ -119,7 +128,12 @@
+@@ -119,7 +126,12 @@
')
optional_policy(`
@@ -10175,7 +9075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
')
ifdef(`TODO',`
-@@ -231,9 +245,15 @@
+@@ -231,9 +243,15 @@
')
optional_policy(`
@@ -10191,9 +9091,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
')
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.0.7/policy/modules/services/telnet.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.0.8/policy/modules/services/telnet.te
--- nsaserefpolicy/policy/modules/services/telnet.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/telnet.te 2007-09-11 08:25:22.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/telnet.te 2007-09-17 16:20:18.000000000 -0400
@@ -32,7 +32,6 @@
allow telnetd_t self:udp_socket create_socket_perms;
# for identd; cjp: this should probably only be inetd_child rules?
@@ -10251,9 +9151,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln
-# Allow krb5 telnetd to use fork and open /dev/tty for use
-allow telnetd_t userpty_type:chr_file setattr;
-')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.0.7/policy/modules/services/tftp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.0.8/policy/modules/services/tftp.te
--- nsaserefpolicy/policy/modules/services/tftp.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/tftp.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/tftp.te 2007-09-17 16:20:18.000000000 -0400
@@ -26,6 +26,7 @@
allow tftpd_t self:udp_socket create_socket_perms;
allow tftpd_t self:unix_dgram_socket create_socket_perms;
@@ -10262,9 +9162,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp
dontaudit tftpd_t self:capability sys_tty_config;
allow tftpd_t tftpdir_t:dir { getattr read search };
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uwimap.te serefpolicy-3.0.7/policy/modules/services/uwimap.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uwimap.te serefpolicy-3.0.8/policy/modules/services/uwimap.te
--- nsaserefpolicy/policy/modules/services/uwimap.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/uwimap.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/uwimap.te 2007-09-17 16:20:18.000000000 -0400
@@ -64,6 +64,7 @@
fs_search_auto_mountpoints(imapd_t)
@@ -10273,20 +9173,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uwim
libs_use_ld_so(imapd_t)
libs_use_shared_libs(imapd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.fc serefpolicy-3.0.7/policy/modules/services/w3c.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.fc serefpolicy-3.0.8/policy/modules/services/w3c.fc
--- nsaserefpolicy/policy/modules/services/w3c.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/policy/modules/services/w3c.fc 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/w3c.fc 2007-09-17 16:20:18.000000000 -0400
@@ -0,0 +1,2 @@
+/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_content_t,s0)
+/usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.if serefpolicy-3.0.7/policy/modules/services/w3c.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.if serefpolicy-3.0.8/policy/modules/services/w3c.if
--- nsaserefpolicy/policy/modules/services/w3c.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/policy/modules/services/w3c.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/w3c.if 2007-09-17 16:20:18.000000000 -0400
@@ -0,0 +1 @@
+## W3C
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.0.7/policy/modules/services/w3c.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.0.8/policy/modules/services/w3c.te
--- nsaserefpolicy/policy/modules/services/w3c.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/policy/modules/services/w3c.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/w3c.te 2007-09-17 16:20:18.000000000 -0400
@@ -0,0 +1,14 @@
+policy_module(w3c,1.2.1)
+
@@ -10302,9 +9202,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.
+corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)
+
+miscfiles_read_certs(httpd_w3c_validator_script_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.te serefpolicy-3.0.7/policy/modules/services/xfs.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.te serefpolicy-3.0.8/policy/modules/services/xfs.te
--- nsaserefpolicy/policy/modules/services/xfs.te 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/xfs.te 2007-09-11 08:19:36.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/xfs.te 2007-09-17 16:20:18.000000000 -0400
@@ -37,6 +37,15 @@
kernel_read_kernel_sysctls(xfs_t)
kernel_read_system_state(xfs_t)
@@ -10321,9 +9221,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.
corecmd_list_bin(xfs_t)
dev_read_sysfs(xfs_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.0.7/policy/modules/services/xserver.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.0.8/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2007-08-22 07:14:07.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/xserver.fc 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/xserver.fc 2007-09-17 16:20:18.000000000 -0400
@@ -32,11 +32,6 @@
/etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0)
@@ -10347,9 +9247,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifdef(`distro_suse',`
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.7/policy/modules/services/xserver.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/xserver.if 2007-09-11 11:45:01.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-09-17 16:20:18.000000000 -0400
@@ -126,6 +126,8 @@
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev($1_xserver_t)
@@ -10680,9 +9580,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.7/policy/modules/services/xserver.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-08-22 07:14:07.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/xserver.te 2007-09-11 09:22:25.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-09-17 16:20:18.000000000 -0400
@@ -16,6 +16,13 @@
##
@@ -10854,9 +9754,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
-#
-allow pam_t xdm_t:fifo_file { getattr ioctl write };
-') dnl end TODO
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.0.7/policy/modules/system/application.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.0.8/policy/modules/system/application.if
--- nsaserefpolicy/policy/modules/system/application.if 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/application.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/application.if 2007-09-17 16:20:18.000000000 -0400
@@ -63,6 +63,26 @@
########################################
@@ -10884,9 +9784,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic
## Create a domain which can be started by users
##
##
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.0.7/policy/modules/system/authlogin.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.0.8/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc 2007-05-29 14:10:58.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/authlogin.fc 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.fc 2007-09-17 16:20:18.000000000 -0400
@@ -14,6 +14,7 @@
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
@@ -10895,9 +9795,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
ifdef(`distro_suse', `
/sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.7/policy/modules/system/authlogin.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-08-22 07:14:13.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/authlogin.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-09-17 16:20:18.000000000 -0400
@@ -26,7 +26,8 @@
type $1_chkpwd_t, can_read_shadow_passwords;
application_domain($1_chkpwd_t,chkpwd_exec_t)
@@ -10927,7 +9827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
domain_type($1)
domain_subj_id_change_exemption($1)
-@@ -176,6 +180,16 @@
+@@ -176,11 +180,23 @@
domain_obj_id_change_exemption($1)
role system_r types $1;
@@ -10944,7 +9844,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
# for SSP/ProPolice
dev_read_urand($1)
-@@ -196,22 +210,27 @@
+ files_read_etc_files($1)
+
++ fs_list_auto_mountpoints($1)
++
+ selinux_get_fs_mount($1)
+ selinux_validate_context($1)
+ selinux_compute_access_vector($1)
+@@ -196,22 +212,33 @@
mls_fd_share_all_levels($1)
auth_domtrans_chk_passwd($1)
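Review bot: `fs_list_auto_mountpoints($1)` is added to every domain built from this template without a comment explaining which login program needs to read autofs mountpoint directories, while the neighbouring `dev_read_urand($1)` carries a `# for SSP/ProPolice` justification; a why-comment such as `# home directories may live under automounted filesystems` (confirm the actual trigger) above the new line would keep the template's style. The template whose body this hunk edits begins before the hunk, and the following `@@ -196,22 +212,33 @@` hunk continues the same body.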
@@ -10967,13 +9874,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
seutil_read_config($1)
seutil_read_default_contexts($1)
++ userdom_set_rlimitnh($1)
++
++ optional_policy(`
++ unconfined_set_rlimitnh($1)
++ ')
++
tunable_policy(`allow_polyinstantiation',`
files_polyinstantiate_all($1)
+ mount_domtrans($1)
')
')
-@@ -309,9 +328,6 @@
+@@ -309,9 +336,6 @@
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
')
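Review bot: `userdom_set_rlimitnh($1)` and the optional `unconfined_set_rlimitnh($1)` are granted to every login-program domain built from this template with nothing saying why a login program must set resource limits on user and unconfined processes; presumably this lets limits applied at login (pam_limits) survive the transition into the user domain, but that should be stated once the interface definition confirms it, e.g. `# allow limits set at login to be inherited by the user domain` above `userdom_set_rlimitnh($1)`. Wrapping only the unconfined call in `optional_policy` is consistent with unconfined being an optional module while userdomain is base. The template body continues outside this hunk on both sides.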
@@ -10983,7 +9896,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
corecmd_search_bin($1)
domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
-@@ -329,6 +345,7 @@
+@@ -329,6 +353,7 @@
optional_policy(`
kerberos_use($1)
@@ -10991,7 +9904,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
optional_policy(`
-@@ -347,6 +364,37 @@
+@@ -347,6 +372,37 @@
########################################
##
@@ -11029,7 +9942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
## Get the attributes of the shadow passwords file.
##
##
-@@ -695,6 +743,24 @@
+@@ -695,6 +751,24 @@
########################################
##
@@ -11054,7 +9967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
## Execute pam programs in the PAM domain.
##
##
-@@ -1318,14 +1384,9 @@
+@@ -1318,14 +1392,9 @@
##
#
interface(`auth_use_nsswitch',`
@@ -11069,7 +9982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
files_list_var_lib($1)
miscfiles_read_certs($1)
-@@ -1381,3 +1442,163 @@
+@@ -1381,3 +1450,163 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -11233,9 +10146,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+ allow system_chkpwd_t $3:chr_file rw_file_perms;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.0.7/policy/modules/system/authlogin.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.0.8/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2007-08-22 07:14:12.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/authlogin.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2007-09-17 16:20:18.000000000 -0400
@@ -9,6 +9,13 @@
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
@@ -11308,117 +10221,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+files_manage_etc_files(updpwd_t)
+kernel_read_system_state(updpwd_t)
+logging_send_syslog_msg(updpwd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.fc serefpolicy-3.0.7/policy/modules/system/brctl.fc
---- nsaserefpolicy/policy/modules/system/brctl.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/policy/modules/system/brctl.fc 2007-09-06 15:43:06.000000000 -0400
-@@ -0,0 +1,2 @@
-+
-+/usr/sbin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.if serefpolicy-3.0.7/policy/modules/system/brctl.if
---- nsaserefpolicy/policy/modules/system/brctl.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/policy/modules/system/brctl.if 2007-09-11 14:23:37.000000000 -0400
-@@ -0,0 +1,43 @@
-+
-+## Utilities for configuring the linux ethernet bridge
-+
-+
-+########################################
-+##
-+## Execute a domain transition to run brctl.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`brctl_domtrans',`
-+ gen_require(`
-+ type brctl_t, brctl_exec_t;
-+ ')
-+
-+ domain_auto_trans($1,brctl_exec_t,brctl_t)
-+
-+ allow brctl_t $1:fd use;
-+ allow brctl_t $1:fifo_file rw_file_perms;
-+ allow brctl_t $1:process sigchld;
-+')
-+
-+########################################
-+##
-+## Get attributes brctl executable.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`brctl_getattr',`
-+ gen_require(`
-+ type brctl_exec_t;
-+ ')
-+
-+ allow $1 brctl_exec_t:file getattr;
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.te serefpolicy-3.0.7/policy/modules/system/brctl.te
---- nsaserefpolicy/policy/modules/system/brctl.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/policy/modules/system/brctl.te 2007-09-10 08:59:32.000000000 -0400
-@@ -0,0 +1,51 @@
-+policy_module(brctl,1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type brctl_t;
-+type brctl_exec_t;
-+domain_type(brctl_t)
-+init_daemon_domain(brctl_t, brctl_exec_t)
-+
-+########################################
-+#
-+# brctl local policy
-+#
-+
-+allow brctl_t self:capability net_admin;
-+
-+allow brctl_t self:tcp_socket create_socket_perms;
-+allow brctl_t self:unix_dgram_socket create_socket_perms;
-+
-+dev_write_sysfs_dirs(brctl_t)
-+dev_rw_sysfs(brctl_t)
-+
-+# Init script handling
-+domain_use_interactive_fds(brctl_t)
-+
-+kernel_load_module(brctl_t)
-+kernel_read_network_state(brctl_t)
-+kernel_read_sysctl(brctl_t)
-+
-+## internal communication is often done using fifo and unix sockets.
-+allow brctl_t self:fifo_file rw_file_perms;
-+allow brctl_t self:unix_stream_socket create_stream_socket_perms;
-+
-+files_read_etc_files(brctl_t)
-+
-+libs_use_ld_so(brctl_t)
-+libs_use_shared_libs(brctl_t)
-+
-+miscfiles_read_localization(brctl_t)
-+
-+ifdef(`targeted_policy',`
-+ term_dontaudit_use_unallocated_ttys(brctl_t)
-+ term_dontaudit_use_generic_ptys(brctl_t)
-+')
-+
-+optional_policy(`
-+ xen_append_log(brctl_t)
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.0.7/policy/modules/system/fstools.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.0.8/policy/modules/system/fstools.fc
--- nsaserefpolicy/policy/modules/system/fstools.fc 2007-06-11 16:05:30.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/fstools.fc 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/fstools.fc 2007-09-17 16:20:18.000000000 -0400
@@ -20,7 +20,6 @@
/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -11427,44 +10232,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-3.0.7/policy/modules/system/fstools.if
---- nsaserefpolicy/policy/modules/system/fstools.if 2007-05-29 14:10:58.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/fstools.if 2007-09-06 15:43:06.000000000 -0400
-@@ -124,3 +124,22 @@
-
- allow $1 swapfile_t:file getattr;
- ')
-+
-+########################################
-+##
-+## Read fstools unnamed pipes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fstools_read_pipes',`
-+ gen_require(`
-+ type fsdaemon_t;
-+ ')
-+
-+ allow $1 fsdaemon_t:fifo_file read_fifo_file_perms;
-+')
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.0.7/policy/modules/system/fstools.te
---- nsaserefpolicy/policy/modules/system/fstools.te 2007-08-22 07:14:11.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/fstools.te 2007-09-06 15:43:06.000000000 -0400
-@@ -69,6 +69,7 @@
-
- dev_getattr_all_chr_files(fsadm_t)
- dev_dontaudit_getattr_all_blk_files(fsadm_t)
-+dev_dontaudit_getattr_generic_files(fsadm_t)
- # mkreiserfs and other programs need this for UUID
- dev_read_rand(fsadm_t)
- dev_read_urand(fsadm_t)
-@@ -108,8 +109,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.0.8/policy/modules/system/fstools.te
+--- nsaserefpolicy/policy/modules/system/fstools.te 2007-09-12 10:34:51.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/fstools.te 2007-09-17 16:20:18.000000000 -0400
+@@ -109,8 +109,7 @@
term_use_console(fsadm_t)
@@ -11474,22 +10245,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
#RedHat bug #201164
corecmd_exec_shell(fsadm_t)
-@@ -179,3 +179,12 @@
- fs_dontaudit_write_ramfs_pipes(fsadm_t)
- rhgb_stub(fsadm_t)
- ')
-+
-+optional_policy(`
-+ xen_append_log(fsadm_t)
+@@ -183,4 +182,9 @@
+
+ optional_policy(`
+ xen_append_log(fsadm_t)
+ xen_rw_image_files(fsadm_t)
+')
+
+tunable_policy(`xen_use_nfs',`
+ fs_manage_nfs_files(fsadm_t)
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.fc serefpolicy-3.0.7/policy/modules/system/fusermount.fc
+ ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.fc serefpolicy-3.0.8/policy/modules/system/fusermount.fc
--- nsaserefpolicy/policy/modules/system/fusermount.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/policy/modules/system/fusermount.fc 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/fusermount.fc 2007-09-17 16:20:18.000000000 -0400
@@ -0,0 +1,7 @@
+# fusermount executable will have:
+# label: system_u:object_r:fusermount_exec_t
@@ -11498,9 +10266,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fuserm
+
+/usr/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0)
+/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.if serefpolicy-3.0.7/policy/modules/system/fusermount.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.if serefpolicy-3.0.8/policy/modules/system/fusermount.if
--- nsaserefpolicy/policy/modules/system/fusermount.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/policy/modules/system/fusermount.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/fusermount.if 2007-09-17 16:20:18.000000000 -0400
@@ -0,0 +1,41 @@
+## policy for fusermount
+
@@ -11544,9 +10312,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fuserm
+ allow $1 fusermount_t:fd use;
+')
\ No newline at end of file
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.te serefpolicy-3.0.7/policy/modules/system/fusermount.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.te serefpolicy-3.0.8/policy/modules/system/fusermount.te
--- nsaserefpolicy/policy/modules/system/fusermount.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/policy/modules/system/fusermount.te 2007-09-10 15:56:07.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/fusermount.te 2007-09-17 16:20:18.000000000 -0400
@@ -0,0 +1,45 @@
+policy_module(fusermount,1.0.0)
+
@@ -11593,9 +10361,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fuserm
+
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.0.7/policy/modules/system/getty.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.0.8/policy/modules/system/getty.te
--- nsaserefpolicy/policy/modules/system/getty.te 2007-08-22 07:14:13.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/getty.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/getty.te 2007-09-17 16:20:18.000000000 -0400
@@ -33,7 +33,8 @@
#
@@ -11606,9 +10374,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.
dontaudit getty_t self:capability sys_tty_config;
allow getty_t self:process { getpgid setpgid getsession signal_perms };
allow getty_t self:fifo_file rw_fifo_file_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.0.7/policy/modules/system/hostname.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.0.8/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te 2007-05-29 14:10:58.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/hostname.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/hostname.te 2007-09-17 16:20:18.000000000 -0400
@@ -8,7 +8,9 @@
type hostname_t;
@@ -11632,9 +10400,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna
+optional_policy(`
+ unconfined_dontaudit_rw_pipes(hostname_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.0.7/policy/modules/system/init.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.0.8/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2007-08-22 07:14:12.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/init.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/init.if 2007-09-17 16:20:18.000000000 -0400
@@ -540,18 +540,19 @@
#
interface(`init_spec_domtrans_script',`
@@ -11848,9 +10616,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+ domain_entry_file(initrc_t,$1)
+
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.0.7/policy/modules/system/init.te
---- nsaserefpolicy/policy/modules/system/init.te 2007-08-22 07:14:12.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/init.te 2007-09-06 15:43:06.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.0.8/policy/modules/system/init.te
+--- nsaserefpolicy/policy/modules/system/init.te 2007-09-12 10:34:51.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/init.te 2007-09-17 16:37:06.000000000 -0400
@@ -10,6 +10,20 @@
# Declarations
#
@@ -11899,7 +10667,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
-@@ -186,7 +202,7 @@
+@@ -175,9 +191,13 @@
+ unconfined_domain(init_t)
+ ')
+
+-# Run the shell in the sysadm_t domain for single-user mode.
+-optional_policy(`
++# Run the shell in the unconfined_t or sysadm_t domain for single-user mode.
++ifdef(`enable_mls',`
+ userdom_shell_domtrans_sysadm(init_t)
++',`
++ optional_policy(`
++ unconfined_shell_domtrans_sysadm(init_t)
++ ')
+ ')
+
+ ########################################
+@@ -186,7 +206,7 @@
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
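Review bot: The non-MLS branch of the new `ifdef(`enable_mls'` block (`unconfined_shell_domtrans_sysadm(init_t)`) gives the single-user-mode rescue shell an unconfined domain, but the comment above it only names the two candidate domains without saying why MLS is the deciding factor. A one-line rationale on the `ifdef` would spare the next reader from re-deriving it, e.g. `# MLS keeps the rescue shell confined in sysadm_t; every other build trusts single-user mode and drops to unconfined_t`. If that non-MLS branch is also reached by strict (non-targeted) builds, say so explicitly, because an unconfined rescue shell is a larger step there than in targeted policy.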
@@ -11908,7 +10692,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
-@@ -201,10 +217,9 @@
+@@ -201,10 +221,9 @@
allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
term_create_pty(initrc_t,initrc_devpts_t)
@@ -11921,7 +10705,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t)
manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
-@@ -496,6 +511,43 @@
+@@ -283,7 +302,6 @@
+ mls_process_read_up(initrc_t)
+ mls_process_write_down(initrc_t)
+ mls_rangetrans_source(initrc_t)
+-mls_fd_share_all_levels(initrc_t)
+
+ selinux_get_enforce_mode(initrc_t)
+
+@@ -497,6 +515,39 @@
')
optional_policy(`
@@ -11930,21 +10722,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
+
+domain_dontaudit_use_interactive_fds(daemon)
+
-+ifdef(`targeted_policy',`
-+ domain_subj_id_change_exemption(initrc_t)
-+
-+ tunable_policy(`allow_daemons_use_tty',`
-+ term_use_unallocated_ttys(daemon)
-+ term_use_generic_ptys(daemon)
-+ ', `
-+ term_dontaudit_use_unallocated_ttys(daemon)
-+ term_dontaudit_use_generic_ptys(daemon)
-+ ')
++tunable_policy(`allow_daemons_use_tty',`
++ term_use_unallocated_ttys(daemon)
++ term_use_generic_ptys(daemon)
++', `
++ term_dontaudit_use_unallocated_ttys(daemon)
++ term_dontaudit_use_generic_ptys(daemon)
++ ')
+
-+ # system-config-services causes avc messages that should be dontaudited
-+ tunable_policy(`allow_daemons_dump_core',`
-+ files_dump_core(daemon)
-+ ')
++# system-config-services causes avc messages that should be dontaudited
++tunable_policy(`allow_daemons_dump_core',`
++ files_dump_core(daemon)
+')
+
+optional_policy(`
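Review bot: The closing quote of the first `tunable_policy(`allow_daemons_use_tty'` block keeps the indentation of the removed `ifdef(`targeted_policy'` nesting (the tab-indented `')` at L5255) while its sibling block now closes at column 0 (L5264); re-indent it to a bare `')` so both blocks read the same. With the `ifdef` gone these two tunables are evaluated in every policy flavour, which is presumably intended, but the `# system-config-services causes avc messages that should be dontaudited` comment now sits above a block that grants `files_dump_core(daemon)` rather than dontauditing anything, so it reads as stale. Either reword it to say what the `allow_daemons_dump_core` tunable is for, or drop it.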
@@ -11965,7 +10753,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
')
-@@ -631,12 +683,6 @@
+@@ -632,12 +683,6 @@
mta_read_config(initrc_t)
mta_dontaudit_read_spool_symlinks(initrc_t)
')
@@ -11978,7 +10766,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
ifdef(`distro_redhat',`
-@@ -702,6 +748,9 @@
+@@ -703,6 +748,9 @@
# why is this needed:
rpm_manage_db(initrc_t)
@@ -11988,9 +10776,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.0.7/policy/modules/system/ipsec.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.0.8/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/ipsec.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/ipsec.te 2007-09-17 16:20:18.000000000 -0400
@@ -283,6 +283,7 @@
allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms;
@@ -11999,19 +10787,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
# manage pid file
manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.0.7/policy/modules/system/iptables.te
---- nsaserefpolicy/policy/modules/system/iptables.te 2007-08-22 07:14:11.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/iptables.te 2007-09-06 15:43:06.000000000 -0400
-@@ -44,6 +44,8 @@
-
- corenet_relabelto_all_packets(iptables_t)
-
-+auth_use_nsswitch(iptables_t)
-+
- dev_read_sysfs(iptables_t)
-
- fs_getattr_xattr_fs(iptables_t)
-@@ -62,6 +64,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.0.8/policy/modules/system/iptables.te
+--- nsaserefpolicy/policy/modules/system/iptables.te 2007-09-12 10:34:51.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/iptables.te 2007-09-17 16:20:18.000000000 -0400
+@@ -64,6 +64,7 @@
init_use_script_ptys(iptables_t)
# to allow rules to be saved on reboot:
init_rw_script_tmp_files(iptables_t)
@@ -12019,23 +10798,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
libs_use_ld_so(iptables_t)
libs_use_shared_libs(iptables_t)
-@@ -96,11 +99,11 @@
- ')
-
- optional_policy(`
-- nscd_socket_use(iptables_t)
-+ ppp_dontaudit_use_fds(iptables_t)
+@@ -102,6 +103,10 @@
')
optional_policy(`
-- ppp_dontaudit_use_fds(iptables_t)
+ rhgb_dontaudit_use_ptys(iptables_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(iptables_t)
')
- optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.0.7/policy/modules/system/libraries.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.0.8/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-08-02 08:17:28.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/libraries.fc 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2007-09-17 16:20:18.000000000 -0400
@@ -65,11 +65,12 @@
/opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -12068,7 +10844,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
/usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# vmware
-@@ -284,3 +289,8 @@
+@@ -284,3 +289,9 @@
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
@@ -12077,9 +10853,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
+
+/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)
+/usr/lib/libtheora\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.0.7/policy/modules/system/libraries.te
++/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.0.8/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2007-08-02 08:17:28.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/libraries.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/libraries.te 2007-09-17 16:20:18.000000000 -0400
@@ -23,6 +23,9 @@
init_system_domain(ldconfig_t,ldconfig_exec_t)
role system_r types ldconfig_t;
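Review bot: `/usr/lib/libFLAC\.so.*` omits the `(64)?` alternation this file uses for library paths (e.g. `/usr/lib(64)?/python2.4/...` at L5346), so on a 64-bit layout a copy under `/usr/lib64` would fall back to the generic library label and its text relocation would still be denied; if that is where the package installs it, the entry is ineffective. `textrel_shlib_t` is a deliberate relaxation (it permits text relocations in the mapping), so the pattern should be exactly as wide as the shipped path and no wider. Suggest `/usr/lib(64)?/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`; the pre-existing libtheora line just above has the same shape.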
@@ -12128,9 +10905,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
+ # run mkinitrd as unconfined user
+ unconfined_manage_tmp_files(ldconfig_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.0.7/policy/modules/system/locallogin.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.0.8/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/locallogin.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/locallogin.te 2007-09-17 16:20:18.000000000 -0400
@@ -97,6 +97,11 @@
term_setattr_all_user_ttys(local_login_t)
term_setattr_unallocated_ttys(local_login_t)
@@ -12187,9 +10964,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
#################################
#
# Sulogin local policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.0.7/policy/modules/system/logging.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.0.8/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2007-05-29 14:10:58.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/logging.fc 2007-09-11 11:58:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/logging.fc 2007-09-17 16:20:18.000000000 -0400
@@ -1,12 +1,15 @@
-
/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
@@ -12227,9 +11004,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+
+/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_script_exec_t,s0)
+/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_script_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.0.7/policy/modules/system/logging.if
---- nsaserefpolicy/policy/modules/system/logging.if 2007-06-15 14:54:34.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/logging.if 2007-09-06 15:43:06.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.0.8/policy/modules/system/logging.if
+--- nsaserefpolicy/policy/modules/system/logging.if 2007-09-12 10:34:51.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/logging.if 2007-09-17 16:20:18.000000000 -0400
@@ -33,8 +33,13 @@
##
#
@@ -12309,33 +11086,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
## Create an object in the log directory, with a private
## type using a type transition.
##
-@@ -317,6 +379,25 @@
-
- ########################################
- ##
-+## dontaudit search of auditd configuration files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`logging_dontaudit_search_audit_config',`
-+ gen_require(`
-+ type auditd_etc_t;
-+ ')
-+
-+ dontaudit $1 auditd_etc_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
- ## Allows the domain to open a file in the
- ## log directory, but does not allow the listing
- ## of the contents of the log directory.
-@@ -451,7 +532,7 @@
+@@ -470,7 +532,7 @@
files_search_var($1)
allow $1 var_log_t:dir list_dir_perms;
@@ -12344,7 +11095,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
')
########################################
-@@ -495,6 +576,8 @@
+@@ -514,6 +576,8 @@
files_search_var($1)
manage_files_pattern($1,logfile,logfile)
read_lnk_files_pattern($1,logfile,logfile)
@@ -12353,7 +11104,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
')
########################################
-@@ -578,3 +661,254 @@
+@@ -597,3 +661,258 @@
files_search_var($1)
manage_files_pattern($1,var_log_t,var_log_t)
')
@@ -12496,6 +11247,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+##
+## All of the rules required to administrate an audit environment
+##
++##
++##
++## Prefix of the domain. Example, user would be
++## the prefix for the uder_t domain.
++##
++##
+##
+##
+## Domain allowed access.
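Review bot: The new parameter description says `the prefix for the uder_t domain`; `user_t` is meant. The same typo is repeated in the logging_syslog_admin parameter description in the next hunk (L5529), and that template's summary line (L5524) still reads `All of the rules required to administrate an audit environment` where it should describe the syslog environment. All three are doc-only fixes in the interface headers.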
@@ -12506,46 +11263,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+## The role to be allowed to manage the audit domain.
+##
+##
-+##
-+##
-+## The type of the terminal allow the audit domain to use.
-+##
-+##
+##
+#
-+interface(`logging_audit_admin',`
++template(`logging_audit_admin',`
+
+ gen_require(`
+ type auditd_t;
-+ type audit_script_exec_t;
++ type auditd_script_exec_t;
+ type auditd_etc_t;
+ type auditd_log_t;
+ type auditd_var_run_t;
+ ')
+
-+ allow $1 auditd_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, auditd_t, auditd_t)
++ allow $2 auditd_t:process { ptrace signal_perms getattr };
++ read_files_pattern($2, auditd_t, auditd_t)
+
-+ # Allow $1 to restart the apache service
-+ audit_script_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 audit_script_exec_t system_r;
-+ allow $2 system_r;
++ # Allow $2 to restart the audit service
++ logging_audit_script_domtrans($2)
++ domain_system_change_exemption($2)
++ role_transition $3 auditd_script_exec_t system_r;
++ allow $3 system_r;
+
-+ manage_dir_perms($1,auditd_etc_t,auditd_etc_t)
-+ manage_file_perms($1,auditd_etc_t,auditd_etc_t)
++ manage_dirs_pattern($2,auditd_etc_t,auditd_etc_t)
++ manage_files_pattern($2,auditd_etc_t,auditd_etc_t)
+
-+ manage_dir_perms($1,auditd_log_t,auditd_log_t)
-+ manage_file_perms($1,auditd_log_t,auditd_log_t)
++ manage_dirs_pattern($2,auditd_log_t,auditd_log_t)
++ manage_files_pattern($2,auditd_log_t,auditd_log_t)
+
-+ manage_dir_perms($1,auditd_var_run_t,auditd_var_run_t)
-+ manage_file_perms($1,auditd_var_run_t,auditd_var_run_t)
++ manage_dirs_pattern($2,auditd_var_run_t,auditd_var_run_t)
++ manage_files_pattern($2,auditd_var_run_t,auditd_var_run_t)
++ logging_run_auditctl($2, $3,{ $1_devpts_t $1_tty_device_t })
+')
+
+########################################
+##
+## All of the rules required to administrate an audit environment
+##
++##
++##
++## Prefix of the domain. Example, user would be
++## the prefix for the uder_t domain.
++##
++##
+##
+##
+## Domain allowed access.
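Review bot: `logging_run_auditctl($2, $3,{ $1_devpts_t $1_tty_device_t })` names `$1_devpts_t` and `$1_tty_device_t`, but the template's `gen_require` block (L5480–L5487) does not declare them; whether `logging_run_auditctl` requires them itself is outside this hunk, so either confirm that or add `type $1_devpts_t, $1_tty_device_t;` to the require block. The carried-over `allow $2 auditd_t:process { ptrace signal_perms getattr }` (L5491) deserves a second look now that this is a template presumably instantiated per user prefix: ptrace on the audit daemon lets the administrator domain read and alter auditd's memory, which is the one process an audit trail should stay independent of, and restarting the service, which the comment at L5499 gives as the goal, needs only `signal_perms getattr`. The same ptrace grant on `syslogd_t` and `klogd_t` appears in the logging_syslog_admin template (L5567–L5568). The spacing in `($2, $3,{` on the new line is also inconsistent with the other calls in the template.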
@@ -12556,19 +11315,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+## The role to be allowed to manage the audit domain.
+##
+##
-+##
-+##
-+## The type of the terminal allow the audit domain to use.
-+##
-+##
+##
+#
-+interface(`logging_syslog_admin',`
++template(`logging_syslog_admin',`
+
+ gen_require(`
+ type syslogd_t;
-+ type syslog_script_exec_t;
-+ type syslogd_conf_t;
++ type klogd_t;
++ type syslogd_script_exec_t;
++ type syslog_conf_t;
+ type syslogd_tmp_t;
+ type syslogd_var_lib_t;
+ type syslogd_var_run_t;
@@ -12577,40 +11332,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+ type var_log_t;
+ ')
+
-+ allow $1 syslogd_t:process { ptrace signal_perms getattr };
-+ allow $1 klogd_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, syslogd_t, syslogd_t)
-+ read_files_pattern($1, klogd_t, klogd_t)
++ allow $2 syslogd_t:process { ptrace signal_perms getattr };
++ allow $2 klogd_t:process { ptrace signal_perms getattr };
++ read_files_pattern($2, syslogd_t, syslogd_t)
++ read_files_pattern($2, klogd_t, klogd_t)
+
-+ # Allow $1 to restart the apache service
-+ syslog_script_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 syslog_script_exec_t system_r;
-+ allow $2 system_r;
++ # Allow $2 to restart the syslog service
++ logging_syslog_script_domtrans($2)
++ domain_system_change_exemption($2)
++ role_transition $3 syslogd_script_exec_t system_r;
++ allow $3 system_r;
+
-+ manage_dir_perms($1,klogd_var_run_t,klogd_var_run_t)
-+ manage_file_perms($1,klogd_var_run_t,klogd_var_run_t)
++ manage_dirs_pattern($2, klogd_var_run_t,klogd_var_run_t)
++ manage_files_pattern($2,klogd_var_run_t,klogd_var_run_t)
+
-+ manage_dir_perms($1,klogd_tmp_t,klogd_tmp_t)
-+ manage_file_perms($1,klogd_tmp_t,klogd_tmp_t)
++ manage_dirs_pattern($2,klogd_tmp_t,klogd_tmp_t)
++ manage_files_pattern($2,klogd_tmp_t,klogd_tmp_t)
+
-+ manage_dir_perms($1,syslogd_tmp_t,syslogd_tmp_t)
-+ manage_file_perms($1,syslogd_tmp_t,syslogd_tmp_t)
++ manage_dirs_pattern($2,syslogd_tmp_t,syslogd_tmp_t)
++ manage_files_pattern($2,syslogd_tmp_t,syslogd_tmp_t)
+
-+ manage_dir_perms($1,syslogd_conf_t,syslogd_conf_t)
-+ manage_file_perms($1,syslogd_conf_t,syslogd_conf_t)
++ manage_dirs_pattern($2,syslog_conf_t,syslog_conf_t)
++ manage_files_pattern($2,syslog_conf_t,syslog_conf_t)
+
-+ manage_dir_perms($1,syslogd_var_lib_t,syslogd_var_lib_t)
-+ manage_file_perms($1,syslogd_var_lib_t,syslogd_var_lib_t)
++ manage_dirs_pattern($2,syslogd_var_lib_t,syslogd_var_lib_t)
++ manage_files_pattern($2,syslogd_var_lib_t,syslogd_var_lib_t)
+
-+ manage_dir_perms($1,syslogd_var_run_t,syslogd_var_run_t)
-+ manage_file_perms($1,syslogd_var_run_t,syslogd_var_run_t)
++ manage_dirs_pattern($2,syslogd_var_run_t,syslogd_var_run_t)
++ manage_files_pattern($2,syslogd_var_run_t,syslogd_var_run_t)
+
-+ logging_manage_all_logs($1)
++ logging_manage_all_logs($2)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.0.7/policy/modules/system/logging.te
---- nsaserefpolicy/policy/modules/system/logging.te 2007-08-22 07:14:11.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/logging.te 2007-09-06 15:43:06.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.0.8/policy/modules/system/logging.te
+--- nsaserefpolicy/policy/modules/system/logging.te 2007-09-12 10:34:51.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/logging.te 2007-09-17 16:20:18.000000000 -0400
@@ -7,6 +7,10 @@
#
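Review bot: `manage_dirs_pattern($2, klogd_var_run_t,klogd_var_run_t)` at L5585 has a space after `$2,` that none of the other pattern calls in this template have; make it `manage_dirs_pattern($2,klogd_var_run_t,klogd_var_run_t)`. Beyond that, the rewrite only renumbers `$1` to `$2` and applies the `syslog_conf_t`/`syslogd_script_exec_t` name fixes the commit makes, so nothing else in the rule set changes.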
@@ -12707,7 +11462,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
logging_send_syslog_msg(auditd_t)
libs_use_ld_so(auditd_t)
-@@ -242,12 +265,18 @@
+@@ -150,6 +173,7 @@
+
+ mls_file_read_all_levels(auditd_t)
+ mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
++mls_fd_use_all_levels(auditd_t)
+
+ seutil_dontaudit_read_config(auditd_t)
+
+@@ -241,12 +265,18 @@
allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
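Review bot: `mls_fd_use_all_levels(auditd_t)` is added with no justification, whereas the line above it documents its MLS exception (`mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory`). Each `mls_*_all_levels` call is a hole in the MLS constraints for that domain, so whoever next audits auditd's exemptions needs to know which caller hands it a descriptor at another level. Add a trailing comment in the same style, e.g. `mls_fd_use_all_levels(auditd_t) # [reason: which caller passes auditd an fd from another level]` with the real reason filled in.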
@@ -12726,7 +11489,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };
-@@ -256,6 +285,9 @@
+@@ -255,6 +285,9 @@
manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
files_tmp_filetrans(syslogd_t,syslogd_tmp_t,{ dir file })
@@ -12736,7 +11499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
allow syslogd_t syslogd_var_run_t:file manage_file_perms;
files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
-@@ -313,6 +345,7 @@
+@@ -312,6 +345,7 @@
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
@@ -12744,9 +11507,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
files_read_etc_runtime_files(syslogd_t)
# /initrd is not umounted before minilog starts
files_dontaudit_search_isid_type_dirs(syslogd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.0.7/policy/modules/system/lvm.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.0.8/policy/modules/system/lvm.fc
--- nsaserefpolicy/policy/modules/system/lvm.fc 2007-05-29 14:10:58.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/lvm.fc 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/lvm.fc 2007-09-17 16:20:18.000000000 -0400
@@ -15,6 +15,7 @@
#
/etc/lvm(/.*)? gen_context(system_u:object_r:lvm_etc_t,s0)
@@ -12755,9 +11518,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc
/etc/lvm/archive(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
/etc/lvm/backup(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
/etc/lvm/lock(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.0.7/policy/modules/system/lvm.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.0.8/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/lvm.te 2007-09-07 09:00:42.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/lvm.te 2007-09-17 16:20:18.000000000 -0400
@@ -150,7 +150,9 @@
# DAC overrides and mknod for modifying /dev entries (vgmknodes)
@@ -12811,20 +11574,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
+ xen_dontaudit_rw_unix_stream_sockets(lvm_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.0.7/policy/modules/system/miscfiles.fc
---- nsaserefpolicy/policy/modules/system/miscfiles.fc 2007-05-29 14:10:58.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/miscfiles.fc 2007-09-06 15:43:06.000000000 -0400
-@@ -66,6 +66,7 @@
- /var/lib/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
-
- /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
-+/var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_t,s0)
- /var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)
-
- /var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.0.7/policy/modules/system/modutils.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.0.8/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2007-08-22 07:14:12.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/modutils.te 2007-09-10 08:58:37.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/modutils.te 2007-09-17 16:20:18.000000000 -0400
@@ -42,7 +42,7 @@
# insmod local policy
#
@@ -12923,17 +11675,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.0.7/policy/modules/system/mount.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.0.8/policy/modules/system/mount.fc
--- nsaserefpolicy/policy/modules/system/mount.fc 2007-05-29 14:10:58.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/mount.fc 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/mount.fc 2007-09-17 16:20:18.000000000 -0400
@@ -1,4 +1,2 @@
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
-
-/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.0.7/policy/modules/system/mount.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.0.8/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2007-08-22 07:14:13.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/mount.te 2007-09-10 16:38:20.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/mount.te 2007-09-17 16:20:18.000000000 -0400
@@ -8,6 +8,13 @@
##
@@ -13086,21 +11838,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+ hal_rw_pipes(mount_t)
')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/netlabel.te serefpolicy-3.0.7/policy/modules/system/netlabel.te
---- nsaserefpolicy/policy/modules/system/netlabel.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/netlabel.te 2007-09-06 15:43:06.000000000 -0400
-@@ -19,6 +19,8 @@
- allow netlabel_mgmt_t self:capability net_admin;
- allow netlabel_mgmt_t self:netlink_socket create_socket_perms;
-
-+files_read_etc_files(netlabel_mgmt_t)
-+
- kernel_read_network_state(netlabel_mgmt_t)
-
- libs_use_ld_so(netlabel_mgmt_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.0.7/policy/modules/system/raid.te
---- nsaserefpolicy/policy/modules/system/raid.te 2007-06-15 14:54:34.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/raid.te 2007-09-06 15:43:06.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.0.8/policy/modules/system/raid.te
+--- nsaserefpolicy/policy/modules/system/raid.te 2007-09-12 10:34:51.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/raid.te 2007-09-17 16:20:18.000000000 -0400
@@ -19,7 +19,7 @@
# Local policy
#
@@ -13110,17 +11850,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t
dontaudit mdadm_t self:capability sys_tty_config;
allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
allow mdadm_t self:fifo_file rw_fifo_file_perms;
-@@ -70,6 +70,7 @@
-
- userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
- userdom_dontaudit_use_sysadm_ttys(mdadm_t)
-+userdom_dontaudit_search_all_users_home_content(mdadm_t)
-
- mta_send_mail(mdadm_t)
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.0.7/policy/modules/system/selinuxutil.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.0.8/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2007-05-30 11:47:29.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/selinuxutil.fc 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.fc 2007-09-17 16:20:18.000000000 -0400
@@ -38,8 +38,9 @@
/usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0)
/usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0)
@@ -13132,9 +11864,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
/usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
#
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.0.7/policy/modules/system/selinuxutil.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.0.8/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-05-30 11:47:29.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/selinuxutil.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.if 2007-09-17 16:20:18.000000000 -0400
@@ -432,6 +432,7 @@
role $2 types run_init_t;
allow run_init_t $3:chr_file rw_term_perms;
@@ -13248,7 +11980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
## Full management of the semanage
## module store.
##
-@@ -1058,3 +1134,119 @@
+@@ -1058,3 +1134,120 @@
files_search_etc($1)
rw_files_pattern($1,selinux_config_t,semanage_trans_lock_t)
')
@@ -13298,86 +12030,80 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+ files_search_usr($2)
+ corecmd_search_bin($2)
+ domtrans_pattern($2,setsebool_exec_t,$1_setsebool_t)
++ seutil_semanage_policy($1_setsebool_t)
+')
+
-+
++#######################################
++##
++## All rules necessary to run semanage command
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`seutil_semanage_policy',`
-+allow $1 self:capability { dac_override audit_write };
-+allow $1 self:unix_stream_socket create_stream_socket_perms;
-+allow $1 self:unix_dgram_socket create_socket_perms;
-+logging_send_audit_msgs($1)
-+
-+allow $1 policy_config_t:file { read write };
-+
-+allow $1 semanage_tmp_t:dir manage_dir_perms;
-+allow $1 semanage_tmp_t:file manage_file_perms;
-+files_tmp_filetrans($1, semanage_tmp_t, { file dir })
-+
-+kernel_read_system_state($1)
-+kernel_read_kernel_sysctls($1)
++ gen_require(`
++ type semanage_tmp_t;
++ type policy_config_t;
++ ')
++ allow $1 self:capability { dac_override audit_write };
++ allow $1 self:unix_stream_socket create_stream_socket_perms;
++ allow $1 self:unix_dgram_socket create_socket_perms;
++ logging_send_audit_msgs($1)
+
-+can_exec($1, semanage_exec_t)
++ allow $1 policy_config_t:file { read write };
+
-+corecmd_exec_bin($1)
-+corecmd_exec_shell($1)
++ allow $1 semanage_tmp_t:dir manage_dir_perms;
++ allow $1 semanage_tmp_t:file manage_file_perms;
++ files_tmp_filetrans($1, semanage_tmp_t, { file dir })
+
-+dev_read_urand($1)
++ kernel_read_system_state($1)
++ kernel_read_kernel_sysctls($1)
+
-+domain_use_interactive_fds($1)
++ corecmd_exec_bin($1)
++ corecmd_exec_shell($1)
+
-+files_read_etc_files($1)
-+files_read_etc_runtime_files($1)
-+files_read_usr_files($1)
-+files_list_pids($1)
++ dev_read_urand($1)
+
-+mls_file_write_all_levels($1)
-+mls_file_read_all_levels($1)
++ domain_use_interactive_fds($1)
+
-+selinux_validate_context($1)
-+selinux_get_enforce_mode($1)
-+# for setsebool:
-+selinux_set_boolean($1)
++ files_read_etc_files($1)
++ files_read_etc_runtime_files($1)
++ files_read_usr_files($1)
++ files_list_pids($1)
++ fs_list_inotifyfs($1)
+
-+term_use_all_terms($1)
++ mls_file_write_all_levels($1)
++ mls_file_read_all_levels($1)
+
-+# Running genhomedircon requires this for finding all users
-+auth_use_nsswitch($1)
-+# Admins are creating pp files in random locations
-+auth_read_all_files_except_shadow($1)
++ selinux_getattr_fs($1)
++ selinux_validate_context($1)
++ selinux_get_enforce_mode($1)
+
-+libs_use_ld_so($1)
-+libs_use_shared_libs($1)
++ term_use_all_terms($1)
+
-+locallogin_use_fds($1)
++ libs_use_ld_so($1)
++ libs_use_shared_libs($1)
+
-+logging_send_syslog_msg($1)
++ locallogin_use_fds($1)
+
-+miscfiles_read_localization($1)
++ logging_send_syslog_msg($1)
+
-+seutil_manage_file_contexts($1)
-+seutil_manage_selinux_config($1)
-+seutil_domtrans_setfiles($1)
-+seutil_domtrans_loadpolicy($1)
-+seutil_read_config($1)
-+seutil_manage_bin_policy($1)
-+seutil_use_newrole_fds($1)
-+seutil_manage_module_store($1)
-+seutil_get_$1rans_lock($1)
-+seutil_get_semanage_read_lock($1)
-+# netfilter_contexts:
-+seutil_manage_default_contexts($1)
++ miscfiles_read_localization($1)
+
++ seutil_domtrans_loadpolicy($1)
++ seutil_read_config($1)
++ seutil_manage_bin_policy($1)
++ seutil_use_newrole_fds($1)
++ seutil_manage_module_store($1)
++ seutil_get_semanage_trans_lock($1)
++ seutil_get_semanage_read_lock($1)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.7/policy/modules/system/selinuxutil.te
---- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-08-22 07:14:13.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/selinuxutil.te 2007-09-10 14:35:10.000000000 -0400
-@@ -1,5 +1,5 @@
-
--policy_module(selinuxutil,1.6.2)
-+policy_module(selinuxutil,1.6.1)
-
- gen_require(`
- bool secure_mode;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.8/policy/modules/system/selinuxutil.te
+--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-09-12 10:34:51.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te 2007-09-17 16:20:18.000000000 -0400
@@ -76,7 +76,6 @@
type restorecond_exec_t;
init_daemon_domain(restorecond_t,restorecond_exec_t)
@@ -13386,26 +12112,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
type restorecond_var_run_t;
files_pid_file(restorecond_var_run_t)
-@@ -88,11 +87,17 @@
- role system_r types run_init_t;
-
- type semanage_t;
-+domain_interactive_fd(semanage_t)
-+
- type semanage_exec_t;
- application_domain(semanage_t,semanage_exec_t)
--domain_interactive_fd(semanage_t)
+@@ -93,6 +92,10 @@
+ domain_interactive_fd(semanage_t)
role system_r types semanage_t;
++type setsebool_t;
+type setsebool_exec_t;
-+init_system_domain(semanage_t, setsebool_exec_t)
-+domain_interactive_fd(semanage_t)
-+init_use_fds(semanage_t)
++init_system_domain(setsebool_t, setsebool_exec_t)
+
type semanage_store_t;
files_type(semanage_store_t)
-@@ -194,7 +199,7 @@
+@@ -194,10 +197,15 @@
# cjp: cover up stray file descriptors.
dontaudit load_policy_t selinux_config_t:file write;
optional_policy(`
@@ -13414,7 +12132,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
')
')
-@@ -215,7 +220,7 @@
++optional_policy(`
++ usermanage_dontaudit_useradd_use_fds(load_policy_t)
++')
++
++
+ ########################################
+ #
+ # Newrole local policy
+@@ -215,7 +223,7 @@
allow newrole_t self:msg { send receive };
allow newrole_t self:unix_dgram_socket sendto;
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -13423,9 +12149,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
read_files_pattern(newrole_t,selinux_config_t,selinux_config_t)
read_lnk_files_pattern(newrole_t,selinux_config_t,selinux_config_t)
-@@ -253,7 +258,9 @@
+@@ -252,8 +260,11 @@
+ term_getattr_unallocated_ttys(newrole_t)
term_dontaudit_use_unallocated_ttys(newrole_t)
++auth_use_nsswitch(newrole_t)
auth_domtrans_chk_passwd(newrole_t)
+auth_domtrans_upd_passwd_chk(newrole_t)
auth_rw_faillog(newrole_t)
@@ -13433,7 +12161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
corecmd_list_bin(newrole_t)
corecmd_read_bin_symlinks(newrole_t)
-@@ -273,6 +280,7 @@
+@@ -273,6 +284,7 @@
libs_use_ld_so(newrole_t)
libs_use_shared_libs(newrole_t)
@@ -13441,7 +12169,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
logging_send_syslog_msg(newrole_t)
miscfiles_read_localization(newrole_t)
-@@ -343,6 +351,8 @@
+@@ -294,14 +306,6 @@
+ files_polyinstantiate_all(newrole_t)
+ ')
+
+-optional_policy(`
+- nis_use_ypbind(newrole_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(newrole_t)
+-')
+-
+ ########################################
+ #
+ # Restorecond local policy
+@@ -309,11 +313,12 @@
+
+ allow restorecond_t self:capability { dac_override dac_read_search fowner };
+ allow restorecond_t self:fifo_file rw_fifo_file_perms;
+-allow restorecond_t self:netlink_route_socket r_netlink_socket_perms;
+
+ allow restorecond_t restorecond_var_run_t:file manage_file_perms;
+ files_pid_filetrans(restorecond_t,restorecond_var_run_t, file)
+
++auth_use_nsswitch(restorecond_t)
++
+ kernel_use_fds(restorecond_t)
+ kernel_rw_pipes(restorecond_t)
+ kernel_read_system_state(restorecond_t)
+@@ -343,15 +348,12 @@
miscfiles_read_localization(restorecond_t)
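Review bot: Dropping `allow restorecond_t self:netlink_route_socket r_netlink_socket_perms;` in the `@@ -309,11 +313,12 @@` hunk is only safe if the `auth_use_nsswitch(restorecond_t)` added in its place carries that netlink access itself, which I believe the upstream interface does but cannot confirm from this diff. The comment removed in the next hunk says restorecond calls getpwnam when a user logs in, so a denial here would surface as restorecond silently failing to relabel new home directories rather than as an obvious error. Worth a quick check against the interface body, or a comment on the added line: `# auth_use_nsswitch covers the netlink_route_socket access restorecond needs for getpwnam`.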
@@ -13450,7 +12207,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
optional_policy(`
rpm_use_script_fds(restorecond_t)
')
-@@ -361,7 +371,7 @@
+
+-optional_policy(`
+- # restorecond watches for users logging in,
+- # so it getspwnam when a user logs in to find his homedir
+- nis_use_ypbind(restorecond_t)
+-')
+
+ #################################
+ #
+@@ -361,7 +363,7 @@
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file rw_file_perms;
@@ -13459,7 +12225,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
-@@ -375,6 +385,7 @@
+@@ -375,6 +377,7 @@
term_dontaudit_list_ptys(run_init_t)
auth_domtrans_chk_passwd(run_init_t)
@@ -13467,49 +12233,96 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
auth_dontaudit_read_shadow(run_init_t)
corecmd_exec_bin(run_init_t)
-@@ -431,7 +442,7 @@
- allow semanage_t self:capability { dac_override audit_write };
- allow semanage_t self:unix_stream_socket create_stream_socket_perms;
- allow semanage_t self:unix_dgram_socket create_socket_perms;
--allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-+logging_send_audit_msgs(semanage_t)
-
- allow semanage_t policy_config_t:file { read write };
+@@ -423,77 +426,50 @@
+ nscd_socket_use(run_init_t)
+ ')
-@@ -442,7 +453,10 @@
- kernel_read_system_state(semanage_t)
- kernel_read_kernel_sysctls(semanage_t)
-
-+can_exec(semanage_t, semanage_exec_t)
+
- corecmd_exec_bin(semanage_t)
-+corecmd_exec_shell(semanage_t)
-
- dev_read_urand(semanage_t)
+ ########################################
+ #
+-# semodule local policy
++# setsebool local policy
+ #
++seutil_semanage_policy(setsebool_t)
++selinux_set_boolean(setsebool_t)
-@@ -452,6 +466,7 @@
- files_read_etc_runtime_files(semanage_t)
- files_read_usr_files(semanage_t)
- files_list_pids(semanage_t)
-+fs_list_inotifyfs(semanage_t)
+-allow semanage_t self:capability { dac_override audit_write };
+-allow semanage_t self:unix_stream_socket create_stream_socket_perms;
+-allow semanage_t self:unix_dgram_socket create_socket_perms;
+-allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+-
+-allow semanage_t policy_config_t:file { read write };
+-
+-allow semanage_t semanage_tmp_t:dir manage_dir_perms;
+-allow semanage_t semanage_tmp_t:file manage_file_perms;
+-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
+-
+-kernel_read_system_state(semanage_t)
+-kernel_read_kernel_sysctls(semanage_t)
+-
+-corecmd_exec_bin(semanage_t)
+-
+-dev_read_urand(semanage_t)
+-
+-domain_use_interactive_fds(semanage_t)
+-
+-files_read_etc_files(semanage_t)
+-files_read_etc_runtime_files(semanage_t)
+-files_read_usr_files(semanage_t)
+-files_list_pids(semanage_t)
+-
+-mls_file_write_all_levels(semanage_t)
+-mls_file_read_all_levels(semanage_t)
+-
+-selinux_validate_context(semanage_t)
+-selinux_get_enforce_mode(semanage_t)
+-selinux_getattr_fs(semanage_t)
+-# for setsebool:
+-selinux_set_boolean(semanage_t)
++########################################
++#
++# semodule local policy
++#
- mls_file_write_all_levels(semanage_t)
- mls_file_read_all_levels(semanage_t)
-@@ -465,6 +480,8 @@
+-term_use_all_terms(semanage_t)
++seutil_semanage_policy(semanage_t)
++can_exec(semanage_t, semanage_exec_t)
# Running genhomedircon requires this for finding all users
auth_use_nsswitch(semanage_t)
+-
+-libs_use_ld_so(semanage_t)
+-libs_use_shared_libs(semanage_t)
+-
+-locallogin_use_fds(semanage_t)
+-
+-logging_send_syslog_msg(semanage_t)
+-
+-miscfiles_read_localization(semanage_t)
+# Admins are creating pp files in random locations
+auth_read_all_files_except_shadow(semanage_t)
- libs_use_ld_so(semanage_t)
- libs_use_shared_libs(semanage_t)
-@@ -488,6 +505,17 @@
+ seutil_manage_file_contexts(semanage_t)
+ seutil_manage_selinux_config(semanage_t)
+ seutil_domtrans_setfiles(semanage_t)
+-seutil_domtrans_loadpolicy(semanage_t)
+-seutil_read_config(semanage_t)
+-seutil_manage_bin_policy(semanage_t)
+-seutil_use_newrole_fds(semanage_t)
+-seutil_manage_module_store(semanage_t)
+-seutil_get_semanage_trans_lock(semanage_t)
+-seutil_get_semanage_read_lock(semanage_t)
++
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)
+userdom_search_sysadm_home_dirs(semanage_t)
+
+ ifdef(`distro_debian',`
+ files_read_var_lib_files(semanage_t)
+ files_read_var_lib_symlinks(semanage_t)
+ ')
+
+optional_policy(`
+ #signal mcstrans on reload
+ init_spec_domtrans_script(semanage_t)
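Review bot: `auth_read_all_files_except_shadow(semanage_t)` in the `@@ -423,77 +426,50 @@` hunk grants the policy-management domain read access to effectively every non-shadow file on the system, with only the carried-over one-line justification about `.pp` files in random locations. Since the same hunk keeps `seutil_manage_file_contexts`/`seutil_manage_selinux_config` and, presumably through `seutil_semanage_policy`, module-store and binary-policy write, this is one of the most privileged domains in the tree and deserves either a narrower read set (the `userdom_search_sysadm_home_dirs(semanage_t)` line added beside it points in that direction) or at least a comment naming the operation that needs it: `# semodule -i loads .pp files from arbitrary admin-chosen paths; read of all non-shadow files is needed for that`. Moving `selinux_set_boolean` out to the new setsebool_t is a genuine narrowing of semanage_t; a short comment under `# setsebool local policy` stating that setsebool -P still needs the full store-write set from `seutil_semanage_policy` would tell the next reader why that interface is shared by both domains.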
@@ -13522,7 +12335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
# read secadm tmp files
-@@ -515,6 +543,8 @@
+@@ -521,6 +497,8 @@
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
@@ -13531,7 +12344,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
kernel_read_system_state(setfiles_t)
kernel_relabelfrom_unlabeled_dirs(setfiles_t)
kernel_relabelfrom_unlabeled_files(setfiles_t)
-@@ -531,6 +561,7 @@
+@@ -537,6 +515,7 @@
fs_getattr_xattr_fs(setfiles_t)
fs_list_all(setfiles_t)
@@ -13539,7 +12352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
fs_search_auto_mountpoints(setfiles_t)
fs_relabelfrom_noxattr_fs(setfiles_t)
-@@ -586,6 +617,10 @@
+@@ -592,6 +571,10 @@
ifdef(`hide_broken_symptoms',`
optional_policy(`
@@ -13550,9 +12363,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
udev_dontaudit_rw_dgram_sockets(setfiles_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.0.7/policy/modules/system/sysnetwork.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.0.8/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2007-07-03 07:06:32.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/sysnetwork.if 2007-09-11 10:23:22.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.if 2007-09-17 16:20:18.000000000 -0400
@@ -522,6 +522,8 @@
files_search_etc($1)
@@ -13586,9 +12399,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
+ dontaudit $1 dhcpc_t:fd use;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.0.7/policy/modules/system/sysnetwork.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.0.8/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/sysnetwork.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.te 2007-09-17 16:20:18.000000000 -0400
@@ -45,7 +45,7 @@
dontaudit dhcpc_t self:capability sys_tty_config;
# for access("/etc/bashrc", X_OK) on Red Hat
@@ -13598,7 +12411,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
allow dhcpc_t self:fifo_file rw_file_perms;
allow dhcpc_t self:tcp_socket create_stream_socket_perms;
allow dhcpc_t self:udp_socket create_socket_perms;
-@@ -159,6 +159,10 @@
+@@ -136,6 +136,7 @@
+
+ modutils_domtrans_insmod(dhcpc_t)
+
++userdom_dontaudit_search_sysadm_home_dirs(dhcpc_t)
+ userdom_dontaudit_search_staff_home_dirs(dhcpc_t)
+
+ ifdef(`distro_redhat', `
+@@ -159,6 +160,10 @@
dbus_connect_system_bus(dhcpc_t)
dbus_send_system_bus(dhcpc_t)
@@ -13609,7 +12430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
optional_policy(`
networkmanager_dbus_chat(dhcpc_t)
')
-@@ -203,9 +207,7 @@
+@@ -203,9 +208,7 @@
')
optional_policy(`
@@ -13620,7 +12441,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
optional_policy(`
-@@ -216,6 +218,7 @@
+@@ -216,6 +219,7 @@
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
@@ -13628,7 +12449,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
optional_policy(`
-@@ -254,6 +257,7 @@
+@@ -254,6 +258,7 @@
allow ifconfig_t self:sem create_sem_perms;
allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
@@ -13636,7 +12457,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
-@@ -280,6 +284,8 @@
+@@ -280,6 +285,8 @@
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
@@ -13645,111 +12466,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
term_dontaudit_use_all_user_ttys(ifconfig_t)
term_dontaudit_use_all_user_ptys(ifconfig_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.7/policy/modules/system/udev.te
---- nsaserefpolicy/policy/modules/system/udev.te 2007-08-22 07:14:12.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/udev.te 2007-09-06 15:43:06.000000000 -0400
-@@ -68,8 +68,9 @@
- allow udev_t udev_tbl_t:file manage_file_perms;
- dev_filetrans(udev_t,udev_tbl_t,file)
-
-+manage_dirs_pattern(udev_t,udev_var_run_t,udev_var_run_t)
- manage_files_pattern(udev_t,udev_var_run_t,udev_var_run_t)
--files_pid_filetrans(udev_t,udev_var_run_t,file)
-+files_pid_filetrans(udev_t,udev_var_run_t,{ file dir })
-
- kernel_read_system_state(udev_t)
- kernel_getattr_core_if(udev_t)
-@@ -83,16 +84,23 @@
- kernel_dgram_send(udev_t)
- kernel_signal(udev_t)
-
-+#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
-+kernel_rw_net_sysctls(udev_t)
-+kernel_read_network_state(udev_t)
-+
- corecmd_exec_all_executables(udev_t)
-
- dev_rw_sysfs(udev_t)
- dev_manage_all_dev_nodes(udev_t)
- dev_rw_generic_files(udev_t)
- dev_delete_generic_files(udev_t)
-+dev_search_usbfs_dirs(udev_t)
-+dev_relabel_all_dev_nodes(udev_t)
-
- domain_read_all_domains_state(udev_t)
- domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
-
-+files_read_usr_files(udev_t)
- files_read_etc_runtime_files(udev_t)
- files_read_etc_files(udev_t)
- files_exec_etc_files(udev_t)
-@@ -142,9 +150,16 @@
- seutil_read_file_contexts(udev_t)
- seutil_domtrans_setfiles(udev_t)
-
-+sysnet_read_dhcpc_pid(udev_t)
-+sysnet_rw_dhcp_config(udev_t)
-+sysnet_delete_dhcpc_pid(udev_t)
- sysnet_domtrans_ifconfig(udev_t)
- sysnet_domtrans_dhcpc(udev_t)
-+sysnet_signal_dhcpc(udev_t)
-+sysnet_etc_filetrans_config(udev_t)
-+sysnet_manage_config(udev_t)
-
-+userdom_use_sysadm_ttys(udev_t)
- userdom_dontaudit_search_all_users_home_content(udev_t)
-
- ifdef(`distro_gentoo',`
-@@ -170,6 +185,10 @@
- ')
-
- optional_policy(`
-+ brctl_domtrans(udev_t)
-+')
-+
-+optional_policy(`
- consoletype_exec(udev_t)
- ')
-
-@@ -178,6 +197,10 @@
- ')
-
- optional_policy(`
-+ fstools_domtrans(udev_t)
-+')
-+
-+optional_policy(`
- hal_dgram_send(udev_t)
- ')
-
-@@ -188,5 +211,24 @@
- ')
-
- optional_policy(`
-+ openct_read_pid_files(udev_t)
-+ openct_domtrans(udev_t)
-+')
-+
-+optional_policy(`
-+ pcscd_read_pub_files(udev_t)
-+ pcscd_domtrans(udev_t)
-+')
-+
-+optional_policy(`
-+ xen_manage_log(udev_t)
-+ kernel_write_xen_state(udev_t)
-+ kernel_read_xen_state(udev_t)
-+ xen_read_image_files(udev_t)
-+')
-+
-+optional_policy(`
- xserver_read_xdm_pid(udev_t)
- ')
-+
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.7/policy/modules/system/unconfined.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-06-15 14:54:34.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/unconfined.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-09-17 16:20:18.000000000 -0400
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@@ -13766,8 +12485,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
allow $1 self:fifo_file manage_fifo_file_perms;
# Transition to myself, to make get_ordered_context_list happy.
-@@ -29,10 +28,10 @@
+@@ -27,12 +26,13 @@
+
+ # Write access is for setting attributes under /proc/self/attr.
allow $1 self:file rw_file_perms;
++ allow $1 self:dir rw_dir_perms;
# Userland object managers
- allow $1 self:nscd *;
@@ -13781,7 +12503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
kernel_unconfined($1)
corenet_unconfined($1)
-@@ -79,6 +78,10 @@
+@@ -79,6 +79,10 @@
')
optional_policy(`
@@ -13792,7 +12514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
nscd_unconfined($1)
')
-@@ -558,7 +561,7 @@
+@@ -558,7 +562,7 @@
')
files_search_home($1)
@@ -13801,7 +12523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
read_files_pattern($1,{ unconfined_home_dir_t unconfined_home_t },unconfined_home_t)
read_lnk_files_pattern($1,{ unconfined_home_dir_t unconfined_home_t },unconfined_home_t)
')
-@@ -601,3 +604,132 @@
+@@ -601,3 +605,149 @@
allow $1 unconfined_tmp_t:file { getattr write append };
')
@@ -13934,9 +12656,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+ dontaudit $1 unconfined_terminal:chr_file rw_term_perms;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.7/policy/modules/system/unconfined.te
++########################################
++##
++## Allow apps to set rlimits on userdomain
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_set_rlimitnh',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:process rlimitinh;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/unconfined.te 2007-09-10 16:37:23.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-09-17 16:20:18.000000000 -0400
@@ -5,28 +5,36 @@
#
# Declarations
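Review bot: The new `unconfined_set_rlimitnh` interface in the `@@ -601,3 +605,149 @@` hunk is named after a misspelling of the permission it grants (`rlimitinh`), and its summary "Allow apps to set rlimits on userdomain" describes neither the target (`unconfined_t`) nor the permission, which as I read `rlimitinh` controls whether a process keeps the caller's resource limits when it transitions into the target domain rather than letting anyone set limits. The same name and summary reappear on `userdom_set_rlimitnh` in the userdomain.if hunk later in this diff. Suggested summary: `## Allow the caller's resource limits to be inherited across a transition into unconfined_t`, and a name such as `unconfined_inherit_rlimit` (kept in sync between both files) before callers start depending on the misspelled one.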
@@ -14007,17 +12746,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
optional_policy(`
- ada_domtrans(unconfined_t)
-+ ada_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
- ')
-
- optional_policy(`
+-')
+-
+-optional_policy(`
- apache_run_helper(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
- apache_per_role_template(unconfined,unconfined_t,unconfined_r)
- # this is disallowed usage:
- unconfined_domain(httpd_unconfined_script_t)
--')
--
--optional_policy(`
++ ada_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+ ')
+
+ optional_policy(`
- bind_run_ndc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+ bootloader_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
@@ -14099,12 +12838,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
optional_policy(`
-@@ -205,11 +194,12 @@
+@@ -205,11 +194,18 @@
')
optional_policy(`
- wine_domtrans(unconfined_t)
+ wine_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
++')
++
++optional_policy(`
++ mozilla_per_role_template(unconfined, unconfined_t, unconfined_r)
++ unconfined_domain(unconfined_mozilla_t)
++ allow unconfined_mozilla_t self:process { execstack execmem };
')
optional_policy(`
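Review bot: `allow unconfined_mozilla_t self:process { execstack execmem };` in the `@@ -205,11 +194,18 @@` hunk hard-wires the two exec-memory permissions that `unconfined_domain()` — if this tree matches upstream — deliberately leaves out so that they stay under the `allow_execmem`/`allow_execstack` tunables. Granting them unconditionally removes that control for exactly the process that handles the most untrusted content. Consider wrapping the line in the matching tunables, or documenting why that is not possible: `# mozilla plugins need execmem/execstack regardless of allow_execmem; see <bug reference>`.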
@@ -14114,7 +12859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
########################################
-@@ -227,6 +217,17 @@
+@@ -227,6 +223,17 @@
unconfined_dbus_chat(unconfined_execmem_t)
optional_policy(`
@@ -14132,18 +12877,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
+
+corecmd_exec_all_executables(unconfined_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.0.7/policy/modules/system/userdomain.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.0.8/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2007-05-29 14:10:58.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/userdomain.fc 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.fc 2007-09-17 16:20:18.000000000 -0400
@@ -1,4 +1,5 @@
HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh)
+HOME_DIR -l gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:ROLE_home_t,s0)
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.7/policy/modules/system/userdomain.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/userdomain.if 2007-09-07 15:05:57.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-17 16:20:18.000000000 -0400
@@ -45,7 +45,7 @@
type $1_tty_device_t;
term_user_tty($1_t,$1_tty_device_t)
@@ -14175,6 +12920,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
#######################################
+@@ -184,7 +192,7 @@
+ files_list_home($1_t)
+
+ tunable_policy(`use_nfs_home_dirs',`
+- fs_list_nfs_dirs($1_t)
++ fs_list_nfs($1_t)
+ fs_read_nfs_files($1_t)
+ fs_read_nfs_symlinks($1_t)
+ fs_read_nfs_named_sockets($1_t)
+@@ -195,7 +203,7 @@
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+- fs_list_cifs_dirs($1_t)
++ fs_list_cifs($1_t)
+ fs_read_cifs_files($1_t)
+ fs_read_cifs_symlinks($1_t)
+ fs_read_cifs_named_sockets($1_t)
@@ -315,13 +323,19 @@
##
#
@@ -14814,22 +13577,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
-@@ -1856,17 +1940,53 @@
- ##
- ##
- #
--template(`userdom_dontaudit_list_user_home_dirs',`
-+template(`userdom_dontaudit_list_user_home_dirs',`
-+ gen_require(`
-+ type $1_home_dir_t;
-+ ')
-+
-+ dontaudit $2 $1_home_dir_t:dir list_dir_perms;
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete directories
+@@ -1902,6 +1986,41 @@
+
+ ########################################
+ ##
++## dontaudit attemps to Create files
+## in a user home subdirectory.
+##
+##
@@ -14854,41 +13606,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+##
+##
+#
-+template(`userdom_manage_user_home_content_dirs',`
- gen_require(`
-- type $1_home_dir_t;
-+ type $1_home_dir_t, $1_home_t;
- ')
-
-- dontaudit $2 $1_home_dir_t:dir list_dir_perms;
-+ files_search_home($2)
-+ manage_dirs_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete directories
-+## dontaudit attemps to Create files
- ## in a user home subdirectory.
- ##
- ##
-@@ -1891,13 +2011,12 @@
- ##
- ##
- #
--template(`userdom_manage_user_home_content_dirs',`
+template(`userdom_dontaudit_create_user_home_content_files',`
- gen_require(`
-- type $1_home_dir_t, $1_home_t;
++ gen_require(`
+ type $1_home_dir_t;
- ')
-
-- files_search_home($2)
-- manage_dirs_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
++ ')
++
+ dontaudit $2 $1_home_dir_t:file create;
- ')
-
- ########################################
++')
++
++########################################
++##
+ ## Do not audit attempts to set the
+ ## attributes of user home files.
+ ##
@@ -3078,7 +3197,7 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
@@ -14898,13 +13628,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -4615,6 +4734,24 @@
- files_list_home($1)
- allow $1 home_dir_type:dir search_dir_perms;
- ')
-+########################################
-+##
-+## Read all users home directories symlinks.
+@@ -4599,7 +4718,25 @@
+
+ ########################################
+ ##
+-## Search all users home directories.
++## Search all users home directories.
+##
+##
+##
@@ -14912,18 +13641,52 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+##
+##
+#
-+interface(`userdom_read_all_users_home_dirs_symlinks',`
++interface(`userdom_search_all_users_home_dirs',`
+ gen_require(`
+ attribute home_dir_type;
+ ')
+
+ files_list_home($1)
-+ allow $1 home_dir_type:lnk_file read_lnk_file_perms;
++ allow $1 home_dir_type:dir search_dir_perms;
+')
++########################################
++##
++## Read all users home directories symlinks.
+ ##
+ ##
+ ##
+@@ -4607,13 +4744,13 @@
+ ##
+ ##
+ #
+-interface(`userdom_search_all_users_home_dirs',`
++interface(`userdom_read_all_users_home_dirs_symlinks',`
+ gen_require(`
+ attribute home_dir_type;
+ ')
+
+ files_list_home($1)
+- allow $1 home_dir_type:dir search_dir_perms;
++ allow $1 home_dir_type:lnk_file read_lnk_file_perms;
+ ')
########################################
- ##
-@@ -5323,7 +5460,7 @@
+@@ -4633,6 +4770,14 @@
+
+ files_list_home($1)
+ allow $1 home_dir_type:dir list_dir_perms;
++
++ tunable_policy(`use_nfs_home_dirs',`
++ fs_list_nfs(crond_t)
++ ')
++
++ tunable_policy(`use_samba_home_dirs',`
++ fs_list_cifs(crond_t)
++ ')
+ ')
+
+ ########################################
+@@ -5323,7 +5468,7 @@
attribute user_tmpfile;
')
@@ -14932,7 +13695,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -5559,3 +5696,299 @@
+@@ -5559,3 +5704,318 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -15232,10 +13995,43 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ files_search_home($1)
+ allow $1 user_home_type:file execute;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.0.7/policy/modules/system/userdomain.te
---- nsaserefpolicy/policy/modules/system/userdomain.te 2007-08-22 07:14:11.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/userdomain.te 2007-09-10 14:07:37.000000000 -0400
-@@ -74,6 +74,9 @@
++
++
++########################################
++##
++## Allow apps to set rlimits on userdomain
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_set_rlimitnh',`
++ gen_require(`
++ attribute userdomain;
++ ')
++ allow $1 userdomain:process rlimitinh;
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.0.8/policy/modules/system/userdomain.te
+--- nsaserefpolicy/policy/modules/system/userdomain.te 2007-09-12 10:34:51.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.te 2007-09-17 16:20:18.000000000 -0400
+@@ -24,13 +24,6 @@
+
+ ##
+ ##
+-## Allow users to connect to mysql
+-##
+-##
+-gen_tunable(allow_user_mysql_connect,false)
+-
+-##
+-##
+ ## Allow users to connect to PostgreSQL
+ ##
+ ##
+@@ -74,6 +67,9 @@
# users home directory contents
attribute home_type;
@@ -15245,7 +14041,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# The privhome attribute identifies every domain that can create files under
# regular user home directories in the regular context (IE act on behalf of
# a user in writing regular files)
-@@ -136,13 +139,6 @@
+@@ -136,13 +132,6 @@
userdom_role_change_template(secadm,sysadm)
')
@@ -15259,7 +14055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
########################################
#
# Sysadm local policy
-@@ -161,6 +157,11 @@
+@@ -161,6 +150,11 @@
init_exec(sysadm_t)
@@ -15271,7 +14067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# Following for sending reboot and wall messages
userdom_use_unpriv_users_ptys(sysadm_t)
userdom_use_unpriv_users_ttys(sysadm_t)
-@@ -231,6 +232,10 @@
+@@ -231,6 +225,10 @@
')
optional_policy(`
@@ -15282,16 +14078,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
apache_run_helper(sysadm_t,sysadm_r,admin_terminal)
#apache_run_all_scripts(sysadm_t,sysadm_r)
#apache_domtrans_sys_script(sysadm_t)
-@@ -278,7 +283,7 @@
- ')
-
- optional_policy(`
-- certwatach_run(sysadm_t,sysadm_r,admin_terminal)
-+ certwatch_run(sysadm_t,sysadm_r,admin_terminal)
- ')
-
- optional_policy(`
-@@ -286,14 +291,6 @@
+@@ -286,14 +284,6 @@
')
optional_policy(`
@@ -15306,7 +14093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
cron_admin_template(sysadm,sysadm_t,sysadm_r)
')
-@@ -394,6 +391,10 @@
+@@ -394,6 +384,10 @@
')
optional_policy(`
@@ -15317,7 +14104,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
netutils_run(sysadm_t,sysadm_r,admin_terminal)
netutils_run_ping(sysadm_t,sysadm_r,admin_terminal)
netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal)
-@@ -443,15 +444,20 @@
+@@ -443,15 +437,20 @@
optional_policy(`
samba_run_net(sysadm_t,sysadm_r,admin_terminal)
@@ -15338,7 +14125,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
', `
userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal)
')
-@@ -494,3 +500,7 @@
+@@ -494,3 +493,7 @@
optional_policy(`
yam_run(sysadm_t,sysadm_r,admin_terminal)
')
@@ -15346,14 +14133,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+tunable_policy(`allow_console_login', `
+ term_use_console(userdomain)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.fc serefpolicy-3.0.7/policy/modules/system/virt.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.fc serefpolicy-3.0.8/policy/modules/system/virt.fc
--- nsaserefpolicy/policy/modules/system/virt.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/policy/modules/system/virt.fc 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/virt.fc 2007-09-17 16:20:18.000000000 -0400
@@ -0,0 +1 @@
+/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.if serefpolicy-3.0.7/policy/modules/system/virt.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.if serefpolicy-3.0.8/policy/modules/system/virt.if
--- nsaserefpolicy/policy/modules/system/virt.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/policy/modules/system/virt.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/virt.if 2007-09-17 16:20:18.000000000 -0400
@@ -0,0 +1,58 @@
+## Virtualization
+
@@ -15413,16 +14200,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i
+ files_list_var_lib($1)
+ rw_files_pattern($1,virt_var_lib_t,virt_var_lib_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.0.7/policy/modules/system/virt.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.0.8/policy/modules/system/virt.te
--- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/policy/modules/system/virt.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/virt.te 2007-09-17 16:20:18.000000000 -0400
@@ -0,0 +1,3 @@
+# var/lib files
+type virt_var_lib_t;
+files_type(virt_var_lib_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.0.7/policy/modules/system/xen.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.0.8/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if 2007-07-03 07:06:32.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/xen.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/xen.if 2007-09-17 16:20:18.000000000 -0400
@@ -191,3 +191,24 @@
domtrans_pattern($1,xm_exec_t,xm_t)
@@ -15448,10 +14235,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if
+ allow $1 xend_var_lib_t:dir search_dir_perms;
+ rw_files_pattern($1,xen_image_t,xen_image_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.0.7/policy/modules/system/xen.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.0.8/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/xen.te 2007-09-11 14:25:59.000000000 -0400
-@@ -95,7 +95,7 @@
++++ serefpolicy-3.0.8/policy/modules/system/xen.te 2007-09-17 16:20:18.000000000 -0400
+@@ -45,9 +45,7 @@
+
+ type xenstored_t;
+ type xenstored_exec_t;
+-domain_type(xenstored_t)
+-domain_entry_file(xenstored_t,xenstored_exec_t)
+-role system_r types xenstored_t;
++init_daemon_domain(xenstored_t,xenstored_exec_t)
+
+ # var/lib files
+ type xenstored_var_lib_t;
+@@ -59,8 +57,7 @@
+
+ type xenconsoled_t;
+ type xenconsoled_exec_t;
+-domain_type(xenconsoled_t)
+-domain_entry_file(xenconsoled_t,xenconsoled_exec_t)
++init_daemon_domain(xenconsoled_t,xenconsoled_exec_t)
+ role system_r types xenconsoled_t;
+
+ # pid files
+@@ -95,7 +92,7 @@
read_lnk_files_pattern(xend_t,xen_image_t,xen_image_t)
rw_blk_files_pattern(xend_t,xen_image_t,xen_image_t)
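Review bot: The `role system_r types xenconsoled_t;` line is kept for xenconsoled (L6867) while the equivalent line for xenstored is removed (L6855), even though both daemons are now declared with `init_daemon_domain()`, which as far as I recall already assigns system_r; the xenconsoled line looks like a leftover and should be dropped too, `-role system_r types xenconsoled_t;`. `init_daemon_domain()` also grants more than the three `domain_type`/`domain_entry_file`/`role` rules it replaces (init-script transition and process management), so a one-line comment on each block stating that the daemon is started by the init script, e.g. `# started by the xend init script`, would make the reason for the wider grant visible. The enclosing xen.te sections start and end outside this hunk.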
@@ -15460,22 +14268,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
dev_filetrans(xend_t, xenctl_t, fifo_file)
manage_files_pattern(xend_t,xend_tmp_t,xend_tmp_t)
-@@ -122,11 +122,13 @@
+@@ -122,15 +119,13 @@
manage_fifo_files_pattern(xend_t,xend_var_lib_t,xend_var_lib_t)
files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir })
+init_stream_connect_script(xend_t)
+
# transition to store
- domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t)
- allow xenstored_t xend_t:fd use;
- allow xenstored_t xend_t:process sigchld;
+-domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t)
+-allow xenstored_t xend_t:fd use;
+-allow xenstored_t xend_t:process sigchld;
-allow xenstored_t xend_t:fifo_file write;
-+allow xenstored_t xend_t:fifo_file write_fifo_file_perms;
++domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t)
# transition to console
- domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t)
-@@ -176,6 +178,7 @@
+-domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t)
+-allow xenconsoled_t xend_t:fd use;
++domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t)
+
+ kernel_read_kernel_sysctls(xend_t)
+ kernel_read_system_state(xend_t)
+@@ -176,6 +171,7 @@
files_manage_etc_runtime_files(xend_t)
files_etc_filetrans_etc_runtime(xend_t,file)
files_read_usr_files(xend_t)
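Review bot: After the previous hunk turns xenstored_t and xenconsoled_t into init daemons, xend_t still transitions into both of them here (L6891, L6897), so there are now two entry paths into each domain and nothing says whether that is intended; a comment such as `# xend also spawns xenstored/xenconsoled itself; keep in step with init_daemon_domain() above` would stop a later cleanup from removing one path by mistake. The `allow xenstored_t xend_t:fifo_file write;` rule is still dropped (L6889) and the 3.0.7 replacement with `write_fifo_file_perms` is gone (L6890), so fifo access now rests entirely on `domtrans_pattern()` including its fifo_file rule in the 3.0.8 base, which is worth confirming rather than assuming. The xend section continues outside the hunk.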
@@ -15483,18 +14296,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
storage_raw_read_fixed_disk(xend_t)
storage_raw_write_fixed_disk(xend_t)
-@@ -214,6 +217,10 @@
+@@ -214,6 +210,10 @@
netutils_domtrans(xend_t)
optional_policy(`
-+ brctl_getattr(xend_t)
++ brctl_domtrans(xend_t)
+')
+
+optional_policy(`
consoletype_exec(xend_t)
')
-@@ -224,7 +231,7 @@
+@@ -224,7 +224,7 @@
allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
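Review bot: Replacing `brctl_getattr(xend_t)` with `brctl_domtrans(xend_t)` (L6912-L6913) widens xend_t from stat'ing the brctl binary to running it in the brctl domain, and the hunk gives no reason for the change; a short comment in the optional block, e.g. `# xend runs brctl to manage guest network bridges`, would record the intent (I infer the purpose from the name, so confirm it). It is also worth checking that the 3.0.8 base's brctl module actually defines `brctl_domtrans`, since an undefined interface only fails at policy build time. The enclosing optional_policy blocks and xend section extend beyond this hunk.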
@@ -15503,7 +14316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
-@@ -257,7 +264,7 @@
+@@ -257,7 +257,7 @@
miscfiles_read_localization(xenconsoled_t)
@@ -15512,7 +14325,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
xen_stream_connect_xenstore(xenconsoled_t)
########################################
-@@ -265,7 +272,7 @@
+@@ -265,7 +265,7 @@
# Xen store local policy
#
@@ -15521,7 +14334,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
allow xenstored_t self:unix_dgram_socket create_socket_perms;
-@@ -318,12 +325,13 @@
+@@ -318,12 +318,13 @@
allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
# internal communication is often done using fifo and unix sockets.
@@ -15536,7 +14349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
files_search_var_lib(xm_t)
allow xm_t xen_image_t:dir rw_dir_perms;
-@@ -336,6 +344,7 @@
+@@ -336,6 +337,7 @@
kernel_write_xen_state(xm_t)
corecmd_exec_bin(xm_t)
@@ -15544,7 +14357,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
corenet_tcp_sendrecv_generic_if(xm_t)
corenet_tcp_sendrecv_all_nodes(xm_t)
-@@ -353,6 +362,7 @@
+@@ -353,6 +355,7 @@
term_use_all_terms(xm_t)
@@ -15552,7 +14365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
init_rw_script_stream_sockets(xm_t)
init_use_fds(xm_t)
-@@ -366,3 +376,14 @@
+@@ -366,3 +369,14 @@
xen_append_log(xm_t)
xen_stream_connect(xm_t)
xen_stream_connect_xenstore(xm_t)
@@ -15567,19 +14380,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
+ fs_manage_nfs_files(xend_t)
+ fs_read_nfs_symlinks(xend_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.fc serefpolicy-3.0.7/policy/modules/users/guest.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.fc serefpolicy-3.0.8/policy/modules/users/guest.fc
--- nsaserefpolicy/policy/modules/users/guest.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/policy/modules/users/guest.fc 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/users/guest.fc 2007-09-17 16:20:18.000000000 -0400
@@ -0,0 +1 @@
+# No guest file contexts.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.if serefpolicy-3.0.7/policy/modules/users/guest.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.if serefpolicy-3.0.8/policy/modules/users/guest.if
--- nsaserefpolicy/policy/modules/users/guest.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/policy/modules/users/guest.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/users/guest.if 2007-09-17 16:20:18.000000000 -0400
@@ -0,0 +1 @@
+## Policy for guest user
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.0.7/policy/modules/users/guest.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.0.8/policy/modules/users/guest.te
--- nsaserefpolicy/policy/modules/users/guest.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/policy/modules/users/guest.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/users/guest.te 2007-09-17 16:20:18.000000000 -0400
@@ -0,0 +1,9 @@
+policy_module(guest,1.0.0)
+userdom_unpriv_login_user(guest)
@@ -15590,20 +14403,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.t
+optional_policy(`
+ hal_dbus_chat(xguest_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.0.7/policy/modules/users/logadm.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.0.8/policy/modules/users/logadm.fc
--- nsaserefpolicy/policy/modules/users/logadm.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/policy/modules/users/logadm.fc 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/users/logadm.fc 2007-09-17 16:20:18.000000000 -0400
@@ -0,0 +1 @@
+# No logadm file contexts.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.if serefpolicy-3.0.7/policy/modules/users/logadm.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.if serefpolicy-3.0.8/policy/modules/users/logadm.if
--- nsaserefpolicy/policy/modules/users/logadm.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/policy/modules/users/logadm.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/users/logadm.if 2007-09-17 16:20:18.000000000 -0400
@@ -0,0 +1 @@
+## Policy for logadm user
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.te serefpolicy-3.0.7/policy/modules/users/logadm.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.te serefpolicy-3.0.8/policy/modules/users/logadm.te
--- nsaserefpolicy/policy/modules/users/logadm.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/policy/modules/users/logadm.te 2007-09-06 15:43:06.000000000 -0400
-@@ -0,0 +1,33 @@
++++ serefpolicy-3.0.8/policy/modules/users/logadm.te 2007-09-17 16:20:18.000000000 -0400
+@@ -0,0 +1,12 @@
+policy_module(logadm,1.0.0)
+
+########################################
@@ -15614,47 +14427,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.
+
+allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
+
-+logging_etc_filetrans_syslog_conf(logadm_t)
-+logging_manage_syslog_config(logadm_t)
-+logging_manage_all_logs(logadm_t)
-+
-+seutil_run_runinit(logadm_t, logadm_r, { logadm_tty_device_t logadm_devpts_t })
-+
-+domain_kill_all_domains(logadm_t)
-+seutil_read_bin_policy(logadm_t)
-+corecmd_exec_shell(logadm_t)
-+logging_send_syslog_msg(logadm_t)
-+logging_read_generic_logs(logadm_t)
-+logging_manage_audit_log(logadm_t)
-+logging_manage_audit_config(logadm_t)
-+logging_run_auditctl(logadm_t,logadm_r,{ logadm_tty_device_t logadm_devpts_t })
-+logging_run_auditd(logadm_t, logadm_r, { logadm_tty_device_t logadm_devpts_t })
-+userdom_dontaudit_read_sysadm_home_content_files(logadm_t)
-+consoletype_exec(logadm_t)
-+
-+kernel_read_ring_buffer(logadm_t)
-+dmesg_exec(logadm_t)
-+
-+files_dontaudit_search_all_dirs(logadm_t)
-+files_dontaudit_getattr_all_files(logadm_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/metadata.xml serefpolicy-3.0.7/policy/modules/users/metadata.xml
++logging_syslog_admin(logadm, logadm_t, logadm_r)
++logging_audit_admin(logadm, logadm_t, logadm_r)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/metadata.xml serefpolicy-3.0.8/policy/modules/users/metadata.xml
--- nsaserefpolicy/policy/modules/users/metadata.xml 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/policy/modules/users/metadata.xml 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/users/metadata.xml 2007-09-17 16:20:18.000000000 -0400
@@ -0,0 +1 @@
+Policy modules for users
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.fc serefpolicy-3.0.7/policy/modules/users/webadm.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.fc serefpolicy-3.0.8/policy/modules/users/webadm.fc
--- nsaserefpolicy/policy/modules/users/webadm.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/policy/modules/users/webadm.fc 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/users/webadm.fc 2007-09-17 16:20:18.000000000 -0400
@@ -0,0 +1 @@
+# No webadm file contexts.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.if serefpolicy-3.0.7/policy/modules/users/webadm.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.if serefpolicy-3.0.8/policy/modules/users/webadm.if
--- nsaserefpolicy/policy/modules/users/webadm.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/policy/modules/users/webadm.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/users/webadm.if 2007-09-17 16:20:18.000000000 -0400
@@ -0,0 +1 @@
+## Policy for webadm user
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.0.7/policy/modules/users/webadm.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.0.8/policy/modules/users/webadm.te
--- nsaserefpolicy/policy/modules/users/webadm.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/policy/modules/users/webadm.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/users/webadm.te 2007-09-17 16:20:18.000000000 -0400
@@ -0,0 +1,42 @@
+policy_module(webadm,1.0.0)
+
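Review bot: The capability line at L7019 still grants logadm_t `kill sys_ptrace sys_nice` although the rules that plausibly needed them (`domain_kill_all_domains` at L7027, `seutil_run_runinit` at L7025) are removed in favour of `logging_syslog_admin()`/`logging_audit_admin()` (L7045-L7046); unless those interfaces require them, `sys_ptrace` in particular should be dropped from the set, leaving `allow logadm_t self:capability { dac_override dac_read_search };`. The rewrite also silently drops `kernel_read_ring_buffer`, `dmesg_exec`, `corecmd_exec_shell` and `consoletype_exec` (L7029, L7037, L7039-L7040), so if a logadm user is expected to read the kernel log those will now surface as AVC denials; a comment stating that the admin interfaces are meant to cover all remaining access would make the reduction deliberate. The same argument-convention change (prefix, domain, role) appears for `apache_admin` at L7080.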
@@ -15691,16 +14483,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.
+userdom_dontaudit_search_sysadm_home_dirs(webadm_t)
+userdom_dontaudit_search_generic_user_home_dirs(webadm_t)
+
-+apache_admin(webadm_t, webadm_r, { webadm_tty_device_t webadm_devpts_t })
++apache_admin(webadm, webadm_t, webadm_r)
+
+gen_require(`
+ type gadmin_t;
+')
+allow gadmin_t webadm_t:process transition;
+allow webadm_t gadmin_t:dir getattr;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.0.7/policy/support/obj_perm_sets.spt
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.0.8/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2007-08-22 07:14:18.000000000 -0400
-+++ serefpolicy-3.0.7/policy/support/obj_perm_sets.spt 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/support/obj_perm_sets.spt 2007-09-17 16:20:18.000000000 -0400
@@ -216,7 +216,7 @@
define(`getattr_file_perms',`{ getattr }')
define(`setattr_file_perms',`{ setattr }')
@@ -15724,9 +14516,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets
+define(`all_association', `{ sendto recvfrom setcontext polmatch } ')
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.0.7/policy/users
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.0.8/policy/users
--- nsaserefpolicy/policy/users 2007-07-17 14:52:27.000000000 -0400
-+++ serefpolicy-3.0.7/policy/users 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/policy/users 2007-09-17 16:20:18.000000000 -0400
@@ -16,7 +16,7 @@
# and a user process should never be assigned the system user
# identity.
@@ -15761,9 +14553,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.0
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-')
+gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.0.7/Rules.modular
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.0.8/Rules.modular
--- nsaserefpolicy/Rules.modular 2007-05-25 09:09:10.000000000 -0400
-+++ serefpolicy-3.0.7/Rules.modular 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.8/Rules.modular 2007-09-17 16:20:18.000000000 -0400
@@ -219,6 +219,16 @@
########################################
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 711dc3a..47a3f8c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -16,8 +16,8 @@
%define CHECKPOLICYVER 2.0.3-1
Summary: SELinux policy configuration
Name: selinux-policy
-Version: 3.0.7
-Release: 10%{?dist}
+Version: 3.0.8
+Release: 1%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -362,6 +362,9 @@ exit 0
%endif
%changelog
+* Mon Sep 17 2007 Dan Walsh 3.0.8-1
+- Allow cron to search nfs and samba homedirs
+
* Tue Sep 11 2007 Dan Walsh 3.0.7-10
- Allow NetworkManager to dbus chat with yum-updated