diff --git a/policy-F13.patch b/policy-F13.patch
index 293b678..9cac576 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -231,7 +231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.7.5/policy/modules/admin/logrotate.te
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/admin/logrotate.te 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/admin/logrotate.te 2010-01-04 11:33:12.000000000 -0500
@@ -32,7 +32,7 @@
# Change ownership on log files.
allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
@@ -271,12 +271,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
acct_domtrans(logrotate_t)
acct_manage_data(logrotate_t)
acct_exec_data(logrotate_t)
-@@ -149,6 +155,15 @@
+@@ -149,6 +155,16 @@
')
optional_policy(`
+ asterisk_exec(logrotate_t)
+ asterisk_stream_connect(logrotate_t)
++ asterisk_manage_lib_files(logrotate_t)
+')
+
+optional_policy(`
@@ -287,7 +288,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
consoletype_exec(logrotate_t)
')
-@@ -157,6 +172,10 @@
+@@ -157,6 +173,10 @@
')
optional_policy(`
@@ -298,7 +299,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
hostname_exec(logrotate_t)
')
-@@ -183,6 +202,10 @@
+@@ -183,6 +203,10 @@
')
optional_policy(`
@@ -2194,7 +2195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.7.5/policy/modules/apps/firewallgui.te
--- nsaserefpolicy/policy/modules/apps/firewallgui.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/apps/firewallgui.te 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/apps/firewallgui.te 2010-01-04 13:22:20.000000000 -0500
@@ -0,0 +1,64 @@
+
+policy_module(firewallgui,1.0.0)
@@ -2226,8 +2227,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall
+manage_dirs_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)
+files_tmp_filetrans(firewallgui_t,firewallgui_tmp_t, { file dir })
+
-+iptables_manage_config(firewallgui_t)
-+iptables_etc_filetrans_config(firewallgui_t)
++files_manage_system_conf_files(firewallgui_t)
++files_etc_filetrans_system_conf(firewallgui_t)
+
+corecmd_exec_shell(firewallgui_t)
+corecmd_exec_bin(firewallgui_t)
@@ -5772,7 +5773,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
+/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.5/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/kernel/corecommands.if 2009-12-22 08:22:45.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/kernel/corecommands.if 2010-01-04 12:24:32.000000000 -0500
@@ -893,6 +893,7 @@
read_lnk_files_pattern($1, bin_t, bin_t)
@@ -5817,7 +5818,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.5/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/kernel/corenetwork.te.in 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/kernel/corenetwork.te.in 2010-01-04 12:10:28.000000000 -0500
@@ -65,6 +65,7 @@
type server_packet_t, packet_type, server_packet_type;
@@ -5871,16 +5872,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
network_port(ircd, tcp,6667,s0)
network_port(isakmp, udp,500,s0)
-@@ -129,7 +139,7 @@
+@@ -128,8 +138,9 @@
+ network_port(ktalkd, udp,517,s0, udp,518,s0)
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
network_port(lmtp, tcp,24,s0, udp,24,s0)
++network_port(lirc, tcp,8765,s0)
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
-network_port(mail, tcp,2000,s0)
+network_port(mail, tcp,2000,s0, tcp,3905,s0)
network_port(memcache, tcp,11211,s0, udp,11211,s0)
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
network_port(monopd, tcp,1234,s0)
-@@ -138,21 +148,29 @@
+@@ -138,21 +149,29 @@
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
network_port(nessus, tcp,1241,s0)
@@ -5911,7 +5914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
-@@ -172,30 +190,38 @@
+@@ -172,30 +191,38 @@
network_port(rsync, tcp,873,s0, udp,873,s0)
network_port(rwho, udp,513,s0)
network_port(sap, tcp,9875,s0, udp,9875,s0)
@@ -5953,7 +5956,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(xdmcp, udp,177,s0, tcp,177,s0)
network_port(xen, tcp,8002,s0)
network_port(xfs, tcp,7100,s0)
-@@ -224,6 +250,8 @@
+@@ -224,6 +251,8 @@
type node_t, node_type;
sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh)
@@ -5964,7 +5967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
#network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.5/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-11-20 10:51:41.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/kernel/devices.fc 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/kernel/devices.fc 2010-01-04 11:56:55.000000000 -0500
@@ -16,13 +16,16 @@
/dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0)
@@ -5982,9 +5985,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
/dev/event.* -c gen_context(system_u:object_r:event_device_t,s0)
/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
+@@ -100,6 +103,7 @@
+ /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0)
+ /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
+ /dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0)
++/dev/usbmon.+ -c gen_context(system_u:object_r:usbmon_device_t,s0)
+ /dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0)
+ /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
+ ifdef(`distro_suse', `
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.5/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/kernel/devices.if 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/kernel/devices.if 2010-01-04 12:04:02.000000000 -0500
@@ -801,6 +801,24 @@
########################################
@@ -6060,6 +6071,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Read raw memory devices (e.g. /dev/mem).
##
##
+@@ -3515,6 +3569,24 @@
+
+ ########################################
+ ##
++## Read USB monitor devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_read_usbmon_dev',`
++ gen_require(`
++ type device_t, usbmon_device_t;
++ ')
++
++ read_chr_files_pattern($1, device_t, usbmon_device_t)
++')
++
++########################################
++##
+ ## Mount a usbfs filesystem.
+ ##
+ ##
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.5/policy/modules/kernel/devices.te
+--- nsaserefpolicy/policy/modules/kernel/devices.te 2009-12-18 11:38:25.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/kernel/devices.te 2010-01-04 12:07:21.000000000 -0500
+@@ -227,6 +227,12 @@
+ genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0)
+
+ #
++# usb_device_t is the type for /dev/usbmon
++#
++type usbmon_device_t;
++dev_node(usbmon_device_t)
++
++#
+ # usb_device_t is the type for /dev/bus/usb/[0-9]+/[0-9]+
+ #
+ type usb_device_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.5/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/kernel/domain.if 2009-12-21 13:07:09.000000000 -0500
@@ -6294,8 +6346,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.5/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/kernel/domain.te 2009-12-23 07:50:49.000000000 -0500
-@@ -5,6 +5,13 @@
++++ serefpolicy-3.7.5/policy/modules/kernel/domain.te 2010-01-04 11:15:20.000000000 -0500
+@@ -5,6 +5,21 @@
#
# Declarations
#
@@ -6306,10 +6358,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+##
+#
+gen_tunable(allow_domain_fd_use, true)
++
++##
++##
++## Allow all domains to have the kernel load modules
++##
++##
++#
++gen_tunable(domain_kernel_load_modules, false)
# Mark process types as domains
attribute domain;
-@@ -15,6 +22,8 @@
+@@ -15,6 +30,8 @@
# Domains that are unconfined
attribute unconfined_domain_type;
@@ -6318,7 +6378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
# Domains that can mmap low memory.
attribute mmap_low_domain_type;
neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
-@@ -80,6 +89,8 @@
+@@ -80,6 +97,8 @@
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
allow domain self:file rw_file_perms;
kernel_read_proc_symlinks(domain)
@@ -6327,17 +6387,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
# Every domain gets the key ring, so we should default
# to no one allowed to look at it; afs kernel support creates
# a keyring
-@@ -97,6 +108,9 @@
+@@ -97,6 +116,13 @@
# list the root directory
files_list_root(domain)
+# All executables should be able to search the directory they are in
+corecmd_search_bin(domain)
+
++tunable_policy(`domain_kernel_load_modules',`
++ kernel_request_load_module(domain)
++')
++
tunable_policy(`global_ssp',`
# enable reading of urandom for all domains:
# this should be enabled when all programs
-@@ -106,6 +120,10 @@
+@@ -106,6 +132,10 @@
')
optional_policy(`
@@ -6348,7 +6412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
libs_use_ld_so(domain)
libs_use_shared_libs(domain)
')
-@@ -118,6 +136,7 @@
+@@ -118,6 +148,7 @@
optional_policy(`
xserver_dontaudit_use_xdm_fds(domain)
xserver_dontaudit_rw_xdm_pipes(domain)
@@ -6356,7 +6420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
')
########################################
-@@ -136,6 +155,8 @@
+@@ -136,6 +167,8 @@
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file rw_file_perms;
@@ -6365,7 +6429,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
-@@ -153,3 +174,73 @@
+@@ -153,3 +186,73 @@
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -6441,7 +6505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.7.5/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/kernel/files.fc 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/kernel/files.fc 2010-01-04 13:22:20.000000000 -0500
@@ -18,6 +18,7 @@
/fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
/halt -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -6464,7 +6528,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -229,6 +232,8 @@
+@@ -62,6 +65,10 @@
+ /etc/reader\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/smartd\.conf.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+
++/etc/sysctl\.conf(\.old)? -- gen_context(system_u:object_r:system_conf_t,s0)
++/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:system_conf_t,s0)
++/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0)
++
+ /etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)
+
+ /etc/ipsec\.d/examples(/.*)? gen_context(system_u:object_r:etc_t,s0)
+@@ -229,6 +236,8 @@
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
@@ -6475,7 +6550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
/var/lib/nfs/rpc_pipefs(/.*)? <>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.5/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/kernel/files.if 2009-12-29 18:04:05.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/kernel/files.if 2010-01-04 15:43:02.000000000 -0500
@@ -932,10 +932,8 @@
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -6585,7 +6660,72 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -3496,6 +3555,32 @@
+@@ -3311,6 +3370,64 @@
+ allow $1 readable_t:sock_file read_sock_file_perms;
+ ')
+
++#######################################
++##
++## Read manageable system configuration files in /etc
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_read_system_conf_files',`
++ gen_require(`
++ type etc_t, system_conf_t;
++ ')
++
++ allow $1 etc_t:dir list_dir_perms;
++ read_files_pattern($1, etc_t, system_conf_t)
++ read_lnk_files_pattern($1, etc_t, system_conf_t)
++')
++
++######################################
++##
++## Manage manageable system configuration files in /etc.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_manage_system_conf_files',`
++ gen_require(`
++ type etc_t, system_conf_t;
++ ')
++
++ manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
++')
++
++###################################
++##
++## Create files in /etc with the type used for
++## the manageable system config files.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`files_etc_filetrans_system_conf',`
++ gen_require(`
++ type etc_t, system_conf_t;
++ ')
++
++ filetrans_pattern($1, etc_t, system_conf_t, file)
++')
++
+ ########################################
+ ##
+ ## Allow the specified type to associate
+@@ -3496,6 +3613,32 @@
########################################
##
@@ -6618,7 +6758,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Manage temporary files and directories in /tmp.
##
##
-@@ -3709,6 +3794,8 @@
+@@ -3709,6 +3852,8 @@
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -6627,7 +6767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -3817,7 +3904,12 @@
+@@ -3817,7 +3962,12 @@
type usr_t;
')
@@ -6641,7 +6781,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -3856,6 +3948,7 @@
+@@ -3856,6 +4006,7 @@
allow $1 usr_t:dir list_dir_perms;
read_files_pattern($1, usr_t, usr_t)
read_lnk_files_pattern($1, usr_t, usr_t)
@@ -6649,7 +6789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -3880,6 +3973,24 @@
+@@ -3880,6 +4031,24 @@
########################################
##
@@ -6674,7 +6814,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## dontaudit write of /usr files
##
##
-@@ -4500,6 +4611,24 @@
+@@ -4500,6 +4669,24 @@
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -6699,7 +6839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -4772,6 +4901,25 @@
+@@ -4772,6 +4959,25 @@
search_dirs_pattern($1, var_t, var_run_t)
')
@@ -6725,7 +6865,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
########################################
##
## Do not audit attempts to search
-@@ -4880,6 +5028,24 @@
+@@ -4831,6 +5037,24 @@
+
+ ########################################
+ ##
++## Write named generic process ID pipes
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_write_generic_pid_pipes',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ allow $1 var_run_t:fifo_file write;
++')
++
++########################################
++##
+ ## Create an object in the process ID directory, with a private
+ ## type using a type transition.
+ ##
+@@ -4880,6 +5104,24 @@
########################################
##
@@ -6750,7 +6915,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Do not audit attempts to write to daemon runtime data files.
##
##
-@@ -5001,6 +5167,24 @@
+@@ -4933,6 +5175,7 @@
+
+ list_dirs_pattern($1, var_t, pidfile)
+ read_files_pattern($1, pidfile, pidfile)
++ read_lnk_files_pattern($1, pidfile, pidfile)
+ ')
+
+ ########################################
+@@ -5001,6 +5244,24 @@
########################################
##
@@ -6775,7 +6948,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Search the contents of generic spool
## directories (/var/spool).
##
-@@ -5189,12 +5373,15 @@
+@@ -5189,12 +5450,15 @@
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
@@ -6792,7 +6965,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
')
-@@ -5215,3 +5402,192 @@
+@@ -5215,3 +5479,192 @@
typeattribute $1 files_unconfined_type;
')
@@ -6987,7 +7160,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.7.5/policy/modules/kernel/files.te
--- nsaserefpolicy/policy/modules/kernel/files.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/kernel/files.te 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/kernel/files.te 2010-01-04 13:22:20.000000000 -0500
@@ -12,6 +12,7 @@
attribute mountpoint;
attribute pidfile;
@@ -7004,7 +7177,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
# default_t is the default type for files that do not
# match any specification in the file_contexts configuration
-@@ -194,6 +196,7 @@
+@@ -59,6 +61,15 @@
+ typealias etc_t alias automount_etc_t;
+ typealias etc_t alias snmpd_etc_t;
+
++# system_conf_t is a new type of various
++# files in /etc/ that can be managed and
++# created by several domains.
++#
++type system_conf_t, configfile;
++files_type(system_conf_t)
++# compatibility aliases for removed type:
++typealias system_conf_t alias iptables_conf_t;
++
+ #
+ # etc_runtime_t is the type of various
+ # files in /etc that are automatically
+@@ -194,6 +205,7 @@
fs_associate_noxattr(file_type)
fs_associate_tmpfs(file_type)
fs_associate_ramfs(file_type)
@@ -9777,7 +9966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
## All of the rules required to administrate
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.5/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/services/abrt.te 2009-12-29 19:58:38.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/abrt.te 2010-01-04 12:40:17.000000000 -0500
@@ -33,12 +33,24 @@
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)
@@ -9862,7 +10051,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
sysnet_read_config(abrt_t)
-@@ -96,22 +129,94 @@
+@@ -96,22 +129,97 @@
miscfiles_read_certs(abrt_t)
miscfiles_read_localization(abrt_t)
@@ -9939,6 +10128,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
+manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+
++read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
++read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
++
+files_read_etc_files(abrt_helper_t)
+files_dontaudit_all_non_security_leaks(abrt_helper_t)
+
@@ -11898,8 +12090,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpw
kernel_read_proc_symlinks(arpwatch_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.7.5/policy/modules/services/asterisk.if
--- nsaserefpolicy/policy/modules/services/asterisk.if 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/services/asterisk.if 2009-12-21 13:07:09.000000000 -0500
-@@ -2,27 +2,27 @@
++++ serefpolicy-3.7.5/policy/modules/services/asterisk.if 2010-01-04 11:33:56.000000000 -0500
+@@ -2,8 +2,28 @@
#####################################
##
@@ -11907,28 +12099,44 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste
-## stream socket.
+## Connect to asterisk over a unix domain
+## stream socket.
- ##
- ##
--##
--## Domain allowed access.
--##
++##
++##
+##
+## Domain allowed access.
+##
- ##
- #
- interface(`asterisk_stream_connect',`
-- gen_require(`
-- type asterisk_t, asterisk_var_run_t;
-- ')
++##
++#
++interface(`asterisk_stream_connect',`
+ gen_require(`
+ type asterisk_t, asterisk_var_run_t;
+ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, asterisk_var_run_t, asterisk_var_run_t, asterisk_t)
++')
++
++########################################
++##
++## Create, read, write, and delete
++## asterisk lib files.
+ ##
+ ##
+ ##
+@@ -11,18 +31,18 @@
+ ##
+ ##
+ #
+-interface(`asterisk_stream_connect',`
++interface(`asterisk_manage_lib_files',`
+ gen_require(`
+- type asterisk_t, asterisk_var_run_t;
++ type asterisk_var_lib_t;
+ ')
- files_search_pids($1)
- stream_connect_pattern($1, asterisk_var_run_t, asterisk_var_run_t, asterisk_t)
-+ files_search_pids($1)
-+ stream_connect_pattern($1, asterisk_var_run_t, asterisk_var_run_t, asterisk_t)
++ manage_files_pattern($1, asterisk_var_lib_t, asterisk_var_lib_t)
++ files_search_var_lib($1)
')
########################################
@@ -11938,7 +12146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste
## an asterisk environment
##
##
-@@ -71,3 +71,22 @@
+@@ -71,3 +91,22 @@
files_list_pids($1)
admin_pattern($1, asterisk_var_run_t)
')
@@ -11963,7 +12171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.7.5/policy/modules/services/asterisk.te
--- nsaserefpolicy/policy/modules/services/asterisk.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/services/asterisk.te 2009-12-30 08:24:30.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/asterisk.te 2010-01-04 15:26:15.000000000 -0500
@@ -34,18 +34,21 @@
type asterisk_var_run_t;
files_pid_file(asterisk_var_run_t)
@@ -12004,12 +12212,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste
corenet_all_recvfrom_unlabeled(asterisk_t)
corenet_all_recvfrom_netlabel(asterisk_t)
-@@ -104,10 +111,12 @@
+@@ -104,10 +111,13 @@
corenet_udp_bind_generic_port(asterisk_t)
corenet_dontaudit_udp_bind_all_ports(asterisk_t)
corenet_sendrecv_generic_server_packets(asterisk_t)
+corenet_tcp_connect_postgresql_port(asterisk_t)
++dev_rw_generic_usb_dev(asterisk_t)
dev_read_sysfs(asterisk_t)
dev_read_sound(asterisk_t)
dev_write_sound(asterisk_t)
@@ -12017,7 +12226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste
domain_use_interactive_fds(asterisk_t)
-@@ -120,17 +129,29 @@
+@@ -120,17 +130,29 @@
fs_getattr_all_fs(asterisk_t)
fs_search_auto_mountpoints(asterisk_t)
@@ -12050,7 +12259,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste
')
optional_policy(`
-@@ -138,10 +159,11 @@
+@@ -138,10 +160,11 @@
')
optional_policy(`
@@ -12134,7 +12343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.7.5/policy/modules/services/bind.if
--- nsaserefpolicy/policy/modules/services/bind.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/services/bind.if 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/bind.if 2010-01-04 16:21:41.000000000 -0500
@@ -235,7 +235,7 @@
########################################
@@ -12185,10 +12394,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
+#
+interface(`bind_initrc_domtrans',`
+ gen_require(`
-+ type bind_initrc_exec_t;
++ type named_initrc_exec_t;
+ ')
+
-+ init_labeled_script_domtrans($1, bind_initrc_exec_t)
++ init_labeled_script_domtrans($1, named_initrc_exec_t)
+')
+
+########################################
@@ -12196,6 +12405,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
## All of the rules required to administrate
## an bind environment
##
+@@ -319,7 +357,7 @@
+
+ bind_run_ndc($1, $2)
+
+- init_labeled_script_domtrans($1, bind_initrc_exec_t)
++ init_labeled_script_domtrans($1, named_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 named_initrc_exec_t system_r;
+ allow $2 system_r;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.7.5/policy/modules/services/bluetooth.if
--- nsaserefpolicy/policy/modules/services/bluetooth.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/bluetooth.if 2009-12-21 13:07:09.000000000 -0500
@@ -13735,7 +13953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cour
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.7.5/policy/modules/services/courier.te
--- nsaserefpolicy/policy/modules/services/courier.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/services/courier.te 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/courier.te 2010-01-04 09:35:48.000000000 -0500
@@ -10,6 +10,7 @@
type courier_etc_t;
@@ -14227,7 +14445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.5/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/services/cups.te 2009-12-30 08:05:46.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/cups.te 2010-01-04 16:23:36.000000000 -0500
@@ -23,6 +23,9 @@
type cupsd_initrc_exec_t;
init_script_file(cupsd_initrc_exec_t)
@@ -14314,7 +14532,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
seutil_read_config(cupsd_t)
sysnet_exec_ifconfig(cupsd_t)
-@@ -317,6 +331,10 @@
+@@ -285,8 +299,10 @@
+ hal_dbus_chat(cupsd_t)
+ ')
+
++ # talk to processes that do not have policy
+ optional_policy(`
+ unconfined_dbus_chat(cupsd_t)
++ files_write_generic_pid_pipes(cupsd_t)
+ ')
+ ')
+
+@@ -317,6 +333,10 @@
')
optional_policy(`
@@ -14325,7 +14554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
udev_read_db(cupsd_t)
')
-@@ -327,7 +345,7 @@
+@@ -327,7 +347,7 @@
allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
dontaudit cupsd_config_t self:capability sys_tty_config;
@@ -14334,7 +14563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
allow cupsd_config_t self:unix_stream_socket create_socket_perms;
allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
-@@ -378,6 +396,8 @@
+@@ -378,6 +398,8 @@
dev_read_rand(cupsd_config_t)
dev_rw_generic_usb_dev(cupsd_config_t)
@@ -14343,7 +14572,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
fs_getattr_all_fs(cupsd_config_t)
fs_search_auto_mountpoints(cupsd_config_t)
-@@ -407,6 +427,7 @@
+@@ -407,6 +429,7 @@
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
@@ -14351,7 +14580,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
cups_stream_connect(cupsd_config_t)
-@@ -419,12 +440,15 @@
+@@ -419,12 +442,15 @@
')
optional_policy(`
@@ -14369,7 +14598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
optional_policy(`
hal_dbus_chat(cupsd_config_t)
-@@ -446,6 +470,10 @@
+@@ -446,6 +472,10 @@
')
optional_policy(`
@@ -14380,7 +14609,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
rpm_read_db(cupsd_config_t)
')
-@@ -457,6 +485,10 @@
+@@ -457,6 +487,10 @@
udev_read_db(cupsd_config_t)
')
@@ -14391,7 +14620,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
########################################
#
# Cups lpd support
-@@ -542,6 +574,8 @@
+@@ -542,6 +576,8 @@
manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir })
@@ -14400,7 +14629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
kernel_read_system_state(cups_pdf_t)
files_read_etc_files(cups_pdf_t)
-@@ -556,11 +590,15 @@
+@@ -556,11 +592,15 @@
miscfiles_read_fonts(cups_pdf_t)
userdom_home_filetrans_user_home_dir(cups_pdf_t)
@@ -14416,7 +14645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(cups_pdf_t)
-@@ -601,6 +639,9 @@
+@@ -601,6 +641,9 @@
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
files_search_etc(hplip_t)
@@ -14426,7 +14655,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
-@@ -627,6 +668,7 @@
+@@ -627,6 +670,7 @@
corenet_tcp_connect_ipp_port(hplip_t)
corenet_sendrecv_hplip_client_packets(hplip_t)
corenet_receive_hplip_server_packets(hplip_t)
@@ -14923,7 +15152,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
+/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.7.5/policy/modules/services/devicekit.if
--- nsaserefpolicy/policy/modules/services/devicekit.if 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/services/devicekit.if 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/devicekit.if 2010-01-04 12:18:22.000000000 -0500
@@ -139,6 +139,26 @@
########################################
@@ -14953,7 +15182,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.5/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/services/devicekit.te 2009-12-29 19:15:17.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/devicekit.te 2010-01-04 12:47:46.000000000 -0500
@@ -42,6 +42,8 @@
files_read_etc_files(devicekit_t)
@@ -14963,18 +15192,93 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
miscfiles_read_localization(devicekit_t)
optional_policy(`
-@@ -60,8 +62,9 @@
+@@ -60,8 +62,10 @@
# DeviceKit disk local policy
#
-allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio };
-+allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_admin sys_ptrace sys_rawio };
++allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_nice sys_ptrace sys_rawio };
++allow devicekit_disk_t self:process signal_perms;
allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
+allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
-@@ -110,6 +113,7 @@
+@@ -71,29 +75,55 @@
+ manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
+ files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
+
++allow devicekit_disk_t devicekit_var_run_t:dir mounton;
++manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
++manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
++files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { file dir })
++
++kernel_getattr_message_if(devicekit_disk_t)
++kernel_read_fs_sysctls(devicekit_disk_t)
+ kernel_read_software_raid_state(devicekit_disk_t)
++kernel_read_system_state(devicekit_disk_t)
++kernel_request_load_module(devicekit_disk_t)
+ kernel_setsched(devicekit_disk_t)
+
+ corecmd_exec_bin(devicekit_disk_t)
++corecmd_exec_shell(devicekit_disk_t)
++corecmd_getattr_all_executables(devicekit_disk_t)
+
+ dev_rw_sysfs(devicekit_disk_t)
+ dev_read_urand(devicekit_disk_t)
+ dev_getattr_usbfs_dirs(devicekit_disk_t)
++dev_manage_generic_files(devicekit_disk_t)
++dev_getattr_all_chr_files(devicekit_disk_t)
+
++domain_getattr_all_pipes(devicekit_disk_t)
++domain_getattr_all_sockets(devicekit_disk_t)
++domain_getattr_all_stream_sockets(devicekit_disk_t)
++domain_read_all_domains_state(devicekit_disk_t)
++
++files_getattr_all_sockets(devicekit_disk_t)
++files_getattr_all_mountpoints(devicekit_disk_t)
++files_getattr_all_files(devicekit_disk_t)
++files_manage_isid_type_dirs(devicekit_disk_t)
+ files_manage_mnt_dirs(devicekit_disk_t)
+ files_read_etc_files(devicekit_disk_t)
+ files_read_etc_runtime_files(devicekit_disk_t)
+ files_read_usr_files(devicekit_disk_t)
+
++fs_list_inotifyfs(devicekit_disk_t)
++fs_manage_fusefs_dirs(devicekit_disk_t)
+ fs_mount_all_fs(devicekit_disk_t)
+ fs_unmount_all_fs(devicekit_disk_t)
+-fs_manage_fusefs_dirs(devicekit_disk_t)
++fs_search_all(devicekit_disk_t)
+
+ storage_raw_read_fixed_disk(devicekit_disk_t)
+ storage_raw_write_fixed_disk(devicekit_disk_t)
+ storage_raw_read_removable_device(devicekit_disk_t)
+ storage_raw_write_removable_device(devicekit_disk_t)
+
++term_use_all_terms(devicekit_disk_t)
++
+ auth_use_nsswitch(devicekit_disk_t)
+
+ miscfiles_read_localization(devicekit_disk_t)
+@@ -102,6 +132,16 @@
+ userdom_search_user_home_dirs(devicekit_disk_t)
+
+ optional_policy(`
++ dbus_system_bus_client(devicekit_disk_t)
++
++ allow devicekit_disk_t devicekit_t:dbus send_msg;
++
++ optional_policy(`
++ consolekit_dbus_chat(devicekit_disk_t)
++ ')
++')
++
++optional_policy(`
+ fstools_domtrans(devicekit_disk_t)
+ ')
+
+@@ -110,6 +150,7 @@
')
optional_policy(`
@@ -14982,7 +15286,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
policykit_domtrans_auth(devicekit_disk_t)
policykit_read_lib(devicekit_disk_t)
policykit_read_reload(devicekit_disk_t)
-@@ -139,9 +143,10 @@
+@@ -120,18 +161,12 @@
+ ')
+
+ optional_policy(`
+- dbus_system_bus_client(devicekit_disk_t)
+-
+- allow devicekit_disk_t devicekit_t:dbus send_msg;
+-
+- optional_policy(`
+- consolekit_dbus_chat(devicekit_disk_t)
+- ')
++ udev_domtrans(devicekit_disk_t)
++ udev_read_db(devicekit_disk_t)
+ ')
+
+ optional_policy(`
+- udev_domtrans(devicekit_disk_t)
+- udev_read_db(devicekit_disk_t)
++ virt_manage_images(devicekit_disk_t)
+ ')
+
+ ########################################
+@@ -139,9 +174,10 @@
# DeviceKit-Power local policy
#
@@ -14994,7 +15320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
-@@ -151,6 +156,7 @@
+@@ -151,6 +187,7 @@
kernel_read_system_state(devicekit_power_t)
kernel_rw_hotplug_sysctls(devicekit_power_t)
kernel_rw_kernel_sysctl(devicekit_power_t)
@@ -15002,7 +15328,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
corecmd_exec_bin(devicekit_power_t)
corecmd_exec_shell(devicekit_power_t)
-@@ -159,6 +165,7 @@
+@@ -159,6 +196,7 @@
domain_read_all_domains_state(devicekit_power_t)
@@ -15010,7 +15336,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
dev_rw_generic_usb_dev(devicekit_power_t)
dev_rw_netcontrol(devicekit_power_t)
dev_rw_sysfs(devicekit_power_t)
-@@ -167,12 +174,17 @@
+@@ -167,12 +205,17 @@
files_read_etc_files(devicekit_power_t)
files_read_usr_files(devicekit_power_t)
@@ -15028,7 +15354,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
userdom_read_all_users_state(devicekit_power_t)
optional_policy(`
-@@ -180,8 +192,13 @@
+@@ -180,6 +223,10 @@
')
optional_policy(`
@@ -15038,11 +15364,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
+optional_policy(`
dbus_system_bus_client(devicekit_power_t)
-+ allow devicekit_disk_t devicekit_t:dbus send_msg;
allow devicekit_power_t devicekit_t:dbus send_msg;
-
- optional_policy(`
-@@ -203,17 +220,23 @@
+@@ -203,17 +250,23 @@
optional_policy(`
hal_domtrans_mac(devicekit_power_t)
@@ -16574,7 +16897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.7.5/policy/modules/services/lircd.te
--- nsaserefpolicy/policy/modules/services/lircd.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/services/lircd.te 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/lircd.te 2010-01-04 12:13:46.000000000 -0500
@@ -16,13 +16,9 @@
type lircd_etc_t;
files_type(lircd_etc_t)
@@ -16590,7 +16913,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc
########################################
#
# lircd local policy
-@@ -34,15 +30,27 @@
+@@ -30,19 +26,41 @@
+
+ allow lircd_t self:process signal;
+ allow lircd_t self:unix_dgram_socket create_socket_perms;
++allow lircd_t self:fifo_file rw_file_perms;
++allow lircd_t self:tcp_socket create_stream_socket_perms;
+
# etc file
read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t)
@@ -16600,6 +16929,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc
+manage_sock_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file })
++corenet_tcp_bind_generic_node(lircd_t)
++corenet_tcp_bind_lirc_port(lircd_t)
++corenet_tcp_connect_lirc_port(lircd_t)
++corenet_tcp_sendrecv_all_ports(lircd_t)
++corenet_tcp_sendrecv_generic_if(lircd_t)
++
# /dev/lircd socket
-manage_sock_files_pattern(lircd_t, lircd_sock_t, lircd_sock_t)
-dev_filetrans(lircd_t, lircd_sock_t, sock_file )
@@ -16610,17 +16945,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc
+dev_rw_lirc(lircd_t)
+dev_rw_input_dev(lircd_t)
+
-+term_use_ptmx(lircd_t)
-
- logging_send_syslog_msg(lircd_t)
-
-+files_read_etc_files(lircd_t)
+files_list_var(lircd_t)
+files_manage_generic_locks(lircd_t)
+files_read_all_locks(lircd_t)
++files_read_etc_files(lircd_t)
+
++term_use_ptmx(lircd_t)
+
+ logging_send_syslog_msg(lircd_t)
+
miscfiles_read_localization(lircd_t)
+
++sysnet_dns_name_resolve(lircd_t)
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.7.5/policy/modules/services/mailman.fc
--- nsaserefpolicy/policy/modules/services/mailman.fc 2009-07-23 14:11:04.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/mailman.fc 2009-12-30 08:22:07.000000000 -0500
@@ -16966,7 +17303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
## Send a generic signal to MySQL.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.5/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/services/mysql.te 2009-12-29 09:05:51.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/mysql.te 2010-01-04 10:36:36.000000000 -0500
@@ -1,6 +1,13 @@
policy_module(mysql, 1.11.1)
@@ -16993,12 +17330,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
ifdef(`distro_redhat',`
# because Fedora has the sock_file in the database directory
type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t;
-@@ -131,20 +143,24 @@
+@@ -131,20 +143,25 @@
# Local mysqld_safe policy
#
-allow mysqld_safe_t self:capability { dac_override fowner chown };
+allow mysqld_safe_t self:capability { chown dac_override fowner kill };
++dontaudit mysqld_safe_t self:capability sys_ptrace;
allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
@@ -22661,7 +22999,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.5/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/services/samba.te 2009-12-29 19:05:08.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/samba.te 2010-01-04 16:03:08.000000000 -0500
@@ -66,6 +66,13 @@
##
gen_tunable(samba_share_nfs, false)
@@ -22824,7 +23162,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
########################################
#
# smbmount Local policy
-@@ -638,6 +673,10 @@
+@@ -618,7 +653,7 @@
+ # SWAT Local policy
+ #
+
+-allow swat_t self:capability { setuid setgid sys_resource };
++allow swat_t self:capability { dac_override setuid setgid sys_resource };
+ allow swat_t self:process { setrlimit signal_perms };
+ allow swat_t self:fifo_file rw_fifo_file_perms;
+ allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+@@ -638,11 +673,13 @@
allow swat_t smbd_var_run_t:file { lock unlink };
@@ -22835,7 +23182,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t)
-@@ -657,7 +696,7 @@
+-append_files_pattern(swat_t, samba_log_t, samba_log_t)
+-
+ allow swat_t smbd_exec_t:file mmap_file_perms ;
+
+ allow swat_t smbd_t:process signull;
+@@ -657,7 +694,7 @@
files_pid_filetrans(swat_t, swat_var_run_t, file)
allow swat_t winbind_exec_t:file mmap_file_perms;
@@ -22844,7 +23196,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
allow swat_t winbind_var_run_t:dir { write add_name remove_name };
allow swat_t winbind_var_run_t:sock_file { create unlink };
-@@ -700,6 +739,8 @@
+@@ -700,6 +737,8 @@
miscfiles_read_localization(swat_t)
@@ -22853,7 +23205,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -713,12 +754,23 @@
+@@ -713,12 +752,23 @@
kerberos_use(swat_t)
')
@@ -22861,7 +23213,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+init_dontaudit_write_utmp(swat_t)
+
+manage_dirs_pattern(swat_t, samba_log_t, samba_log_t)
-+create_files_pattern(swat_t, samba_log_t, samba_log_t)
++manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+
+manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
+
@@ -22878,7 +23230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
dontaudit winbind_t self:capability sys_tty_config;
allow winbind_t self:process { signal_perms getsched setsched };
allow winbind_t self:fifo_file rw_fifo_file_perms;
-@@ -866,6 +918,18 @@
+@@ -866,6 +916,18 @@
#
optional_policy(`
@@ -22897,7 +23249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
-@@ -876,9 +940,12 @@
+@@ -876,9 +938,12 @@
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@@ -23701,7 +24053,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp
dev_read_sysfs(snmpd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.7.5/policy/modules/services/snort.te
--- nsaserefpolicy/policy/modules/services/snort.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/services/snort.te 2009-12-27 08:04:35.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/snort.te 2010-01-04 12:03:35.000000000 -0500
@@ -37,6 +37,7 @@
allow snort_t self:tcp_socket create_stream_socket_perms;
allow snort_t self:udp_socket create_socket_perms;
@@ -23726,6 +24078,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snor
corenet_all_recvfrom_unlabeled(snort_t)
corenet_all_recvfrom_netlabel(snort_t)
+@@ -76,6 +78,7 @@
+ dev_read_sysfs(snort_t)
+ dev_read_rand(snort_t)
+ dev_read_urand(snort_t)
++dev_read_usbmon_dev(snort_t)
+
+ domain_use_interactive_fds(snort_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.7.5/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/spamassassin.fc 2009-12-21 13:07:09.000000000 -0500
@@ -25798,7 +26158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.5/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/services/virt.te 2009-12-29 16:41:45.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/virt.te 2010-01-04 13:22:20.000000000 -0500
@@ -8,6 +8,13 @@
##
@@ -25972,7 +26332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+files_read_usr_src_files(virtd_t)
+
+# Manages /etc/sysconfig/system-config-firewall
-+iptables_manage_config(virtd_t)
++files_manage_system_conf_files(virtd_t)
+files_manage_etc_files(virtd_t)
fs_list_auto_mountpoints(virtd_t)
@@ -29045,7 +29405,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.5/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/system/ipsec.te 2009-12-29 17:01:28.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/system/ipsec.te 2010-01-04 09:23:53.000000000 -0500
@@ -29,9 +29,15 @@
type ipsec_key_file_t;
files_type(ipsec_key_file_t)
@@ -29082,7 +29442,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
files_pid_filetrans(ipsec_t, ipsec_var_run_t, { file sock_file })
-@@ -171,8 +181,9 @@
+@@ -99,6 +109,7 @@
+ allow ipsec_mgmt_t ipsec_t:fd use;
+ allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
+ allow ipsec_mgmt_t ipsec_t:process sigchld;
++sysnet_domtrans_ifconfig(ipsec_t)
+
+ kernel_read_kernel_sysctls(ipsec_t)
+ kernel_list_proc(ipsec_t)
+@@ -171,8 +182,9 @@
# ipsec_mgmt Local policy
#
@@ -29094,7 +29462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
-@@ -182,6 +193,9 @@
+@@ -182,6 +194,9 @@
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
@@ -29104,7 +29472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
-@@ -259,6 +273,7 @@
+@@ -259,6 +274,7 @@
init_use_script_ptys(ipsec_mgmt_t)
init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
@@ -29112,7 +29480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
logging_send_syslog_msg(ipsec_mgmt_t)
-@@ -323,6 +338,7 @@
+@@ -323,6 +339,7 @@
kernel_read_system_state(racoon_t)
kernel_read_network_state(racoon_t)
@@ -29120,7 +29488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
-@@ -362,6 +378,8 @@
+@@ -362,6 +379,8 @@
sysnet_exec_ifconfig(racoon_t)
@@ -29129,7 +29497,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
-@@ -380,12 +398,15 @@
+@@ -380,12 +399,15 @@
read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
@@ -29145,19 +29513,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
# allow setkey to set the context for ipsec SAs and policy.
ipsec_setcontext_default_spd(setkey_t)
-@@ -397,3 +418,4 @@
+@@ -397,3 +419,4 @@
seutil_read_config(setkey_t)
userdom_use_user_terminals(setkey_t)
+userdom_read_user_tmp_files(setkey_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.7.5/policy/modules/system/iptables.fc
--- nsaserefpolicy/policy/modules/system/iptables.fc 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/system/iptables.fc 2009-12-21 13:07:09.000000000 -0500
-@@ -1,13 +1,17 @@
++++ serefpolicy-3.7.5/policy/modules/system/iptables.fc 2010-01-04 13:35:59.000000000 -0500
+@@ -1,13 +1,16 @@
/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
- /etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
- /etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
--
+-/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
+-/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
+
/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
@@ -29175,8 +29543,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.5/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/system/iptables.te 2009-12-21 13:07:09.000000000 -0500
-@@ -30,6 +30,7 @@
++++ serefpolicy-3.7.5/policy/modules/system/iptables.te 2010-01-04 13:22:20.000000000 -0500
+@@ -14,9 +14,6 @@
+ type iptables_initrc_exec_t;
+ init_script_file(iptables_initrc_exec_t)
+
+-type iptables_conf_t;
+-files_config_file(iptables_conf_t)
+-
+ type iptables_tmp_t;
+ files_tmp_file(iptables_tmp_t)
+
+@@ -30,11 +27,12 @@
allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw };
dontaudit iptables_t self:capability sys_tty_config;
@@ -29184,7 +29562,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
allow iptables_t self:process { sigchld sigkill sigstop signull signal };
allow iptables_t self:rawip_socket create_socket_perms;
-@@ -63,6 +64,7 @@
+-manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
+-files_etc_filetrans(iptables_t, iptables_conf_t, file)
++files_manage_system_conf_files(iptables_t)
++files_etc_filetrans_system_conf(iptables_t)
+
+ manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
+ files_pid_filetrans(iptables_t, iptables_var_run_t, file)
+@@ -63,6 +61,7 @@
mls_file_read_all_levels(iptables_t)
term_dontaudit_use_console(iptables_t)
@@ -29192,7 +29577,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
domain_use_interactive_fds(iptables_t)
-@@ -89,6 +91,7 @@
+@@ -89,6 +88,7 @@
optional_policy(`
fail2ban_append_log(iptables_t)
@@ -29200,7 +29585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
')
optional_policy(`
-@@ -122,5 +125,10 @@
+@@ -122,5 +122,10 @@
')
optional_policy(`
@@ -29244,7 +29629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.
+permissive kdump_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.5/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/system/libraries.fc 2009-12-31 08:59:50.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/system/libraries.fc 2010-01-04 11:01:42.000000000 -0500
@@ -60,12 +60,15 @@
#
# /opt
@@ -29460,7 +29845,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
') dnl end distro_redhat
#
-@@ -307,10 +316,127 @@
+@@ -307,10 +316,129 @@
/var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0)
@@ -29588,6 +29973,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
+/usr/bin/bsnes -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/firefox/plugins/libractrl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib(64)?/libGLcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.5/policy/modules/system/libraries.if
--- nsaserefpolicy/policy/modules/system/libraries.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/system/libraries.if 2009-12-21 13:07:09.000000000 -0500
@@ -30194,7 +30581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.7.5/policy/modules/system/mount.if
--- nsaserefpolicy/policy/modules/system/mount.if 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/system/mount.if 2009-12-22 09:40:26.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/system/mount.if 2010-01-04 11:29:01.000000000 -0500
@@ -16,6 +16,7 @@
')
@@ -30203,7 +30590,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
########################################
-@@ -84,9 +85,11 @@
+@@ -44,6 +45,8 @@
+ mount_domtrans($1)
+ role $2 types mount_t;
+
++ fstools_run(mount_t, $2)
++
+ optional_policy(`
+ samba_run_smbmount($1, $2)
+ ')
+@@ -84,9 +87,11 @@
interface(`mount_signal',`
gen_require(`
type mount_t;
@@ -30215,7 +30611,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
########################################
-@@ -177,3 +180,57 @@
+@@ -177,3 +182,57 @@
mount_domtrans_unconfined($1)
role $2 types unconfined_mount_t;
')
@@ -30275,7 +30671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.5/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/system/mount.te 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/system/mount.te 2010-01-04 12:19:08.000000000 -0500
@@ -18,8 +18,15 @@
init_system_domain(mount_t, mount_exec_t)
role system_r types mount_t;
@@ -30412,7 +30808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
ifdef(`distro_redhat',`
optional_policy(`
-@@ -132,6 +171,10 @@
+@@ -132,6 +171,12 @@
')
')
@@ -30420,10 +30816,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+
+modutils_domtrans_insmod(mount_t)
+
++fstools_domtrans(mount_t)
++
tunable_policy(`allow_mount_anyfile',`
auth_read_all_dirs_except_shadow(mount_t)
auth_read_all_files_except_shadow(mount_t)
-@@ -165,6 +208,8 @@
+@@ -165,6 +210,8 @@
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -30432,7 +30830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
optional_policy(`
-@@ -172,6 +217,25 @@
+@@ -172,6 +219,25 @@
')
optional_policy(`
@@ -30458,7 +30856,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -179,6 +243,11 @@
+@@ -179,6 +245,11 @@
')
')
@@ -30470,7 +30868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
# for kernel package installation
optional_policy(`
rpm_rw_pipes(mount_t)
-@@ -186,6 +255,7 @@
+@@ -186,6 +257,7 @@
optional_policy(`
samba_domtrans_smbmount(mount_t)
@@ -30478,7 +30876,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
########################################
-@@ -195,5 +265,8 @@
+@@ -195,5 +267,9 @@
optional_policy(`
files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
@@ -30486,6 +30884,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+ unconfined_domain_noaudit(unconfined_mount_t)
+
+ rpc_domtrans_rpcd(unconfined_mount_t)
++ devicekit_dbus_chat_disk(unconfined_mount_t)
')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.7.5/policy/modules/system/raid.te
@@ -32561,7 +32960,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+HOME_DIR/\.gvfs(/.*)? <>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.5/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/system/userdomain.if 2009-12-31 08:43:59.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/system/userdomain.if 2009-12-31 09:27:43.000000000 -0500
@@ -30,8 +30,9 @@
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index cd887d4..26f9afe 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.5
-Release: 5%{?dist}
+Release: 6%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -449,6 +449,10 @@ exit 0
%endif
%changelog
+* Mon Jan 4 2010 Dan Walsh 3.7.5-6
+- add usbmon device
+- Add allow rulse for devicekit_disk
+
* Wed Dec 30 2009 Dan Walsh 3.7.5-5
- Lots of fixes found in F12, fixes from Tom London