diff --git a/modules-minimum.conf b/modules-minimum.conf
index 4363833..4b4483b 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -1081,6 +1081,20 @@ mysql = module
nagios = module
# Layer: admin
+# Module: ncftool
+#
+# Tool to modify the network configuration of a system
+#
+ncftool = module
+
+# Layer: admin
+# Module: ncftool
+#
+# Tool to modify the network configuration of a system
+#
+ncftool = module
+
+# Layer: admin
# Module: netutils
#
# Network analysis utilities
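Review bot: The ncftool entry is added twice in this hunk — the block `# Layer: admin` / `# Module: ncftool` / … / `ncftool = module` appears at both positions, so the file ends up with two identical `ncftool = module` lines. The same duplication is in the modules-targeted.conf hunk (its index line matches this file's), while modules-mls.conf receives the block once, which is presumably the intent. Keep a single copy of the block in both files; whether the build tooling tolerates a duplicate module entry is not something this diff shows, so deduplicating is the safer choice.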
diff --git a/modules-mls.conf b/modules-mls.conf
index 6caf71e..3fc955a 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -1012,6 +1012,13 @@ mysql = module
nagios = module
# Layer: admin
+# Module: ncftool
+#
+# Tool to modify the network configuration of a system
+#
+ncftool = module
+
+# Layer: admin
# Module: netutils
#
# Network analysis utilities
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 4363833..4b4483b 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -1081,6 +1081,20 @@ mysql = module
nagios = module
# Layer: admin
+# Module: ncftool
+#
+# Tool to modify the network configuration of a system
+#
+ncftool = module
+
+# Layer: admin
+# Module: ncftool
+#
+# Tool to modify the network configuration of a system
+#
+ncftool = module
+
+# Layer: admin
# Module: netutils
#
# Network analysis utilities
diff --git a/policy-F14.patch b/policy-F14.patch
index 8545ce1..4c43c1a 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -486,12 +486,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.8.3/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2010-05-25 16:28:22.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/admin/consoletype.te 2010-06-08 11:32:10.000000000 -0400
-@@ -85,6 +85,7 @@
++++ serefpolicy-3.8.3/policy/modules/admin/consoletype.te 2010-06-14 18:54:06.000000000 -0400
+@@ -85,6 +85,8 @@
hal_dontaudit_use_fds(consoletype_t)
hal_dontaudit_rw_pipes(consoletype_t)
hal_dontaudit_rw_dgram_sockets(consoletype_t)
+ hal_dontaudit_write_log(consoletype_t)
++ hal_dontaudit_read_pid_files(consoletype_t)
')
optional_policy(`
@@ -592,6 +593,173 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te
netutils_domtrans_ping(mrtg_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.fc serefpolicy-3.8.3/policy/modules/admin/ncftool.fc
+--- nsaserefpolicy/policy/modules/admin/ncftool.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.8.3/policy/modules/admin/ncftool.fc 2010-06-15 14:59:28.000000000 -0400
+@@ -0,0 +1,2 @@
++
++/usr/bin/ncftool -- gen_context(system_u:object_r:ncftool_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.if serefpolicy-3.8.3/policy/modules/admin/ncftool.if
+--- nsaserefpolicy/policy/modules/admin/ncftool.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.8.3/policy/modules/admin/ncftool.if 2010-06-15 15:00:09.000000000 -0400
+@@ -0,0 +1,74 @@
++
++## policy for ncftool
++
++########################################
++##
++## Execute a domain transition to run ncftool.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ncftool_domtrans',`
++ gen_require(`
++ type ncftool_t, ncftool_exec_t;
++ ')
++
++ domtrans_pattern($1, ncftool_exec_t, ncftool_t)
++')
++
++########################################
++##
++## Execute ncftool in the ncftool domain, and
++## allow the specified role the ncftool domain.
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The role to be allowed the ncftool domain.
++##
++##
++#
++interface(`ncftool_run',`
++ gen_require(`
++ type ncftool_t;
++ ')
++
++ ncftool_domtrans($1)
++ role $2 types ncftool_t;
++')
++
++########################################
++##
++## Role access for ncftool
++##
++##
++##
++## Role allowed access
++##
++##
++##
++##
++## User domain for the role
++##
++##
++#
++interface(`ncftool_role',`
++ gen_require(`
++ type ncftool_t;
++ ')
++
++ role $1 types ncftool_t;
++
++ ncftool_domtrans($2)
++
++ ps_process_pattern($2, ncftool_t)
++ allow $2 ncftool_t:process signal;
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.te serefpolicy-3.8.3/policy/modules/admin/ncftool.te
+--- nsaserefpolicy/policy/modules/admin/ncftool.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.8.3/policy/modules/admin/ncftool.te 2010-06-15 15:02:33.000000000 -0400
+@@ -0,0 +1,79 @@
++
++policy_module(ncftool, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type ncftool_t;
++type ncftool_exec_t;
++application_domain(ncftool_t, ncftool_exec_t)
++domain_obj_id_change_exemption(ncftool_t)
++domain_system_change_exemption(ncftool_t)
++role system_r types ncftool_t;
++
++permissive ncftool_t;
++
++########################################
++#
++# ncftool local policy
++#
++
++allow ncftool_t self:capability { net_admin sys_ptrace };
++
++allow ncftool_t self:process signal;
++
++allow ncftool_t self:fifo_file manage_fifo_file_perms;
++allow ncftool_t self:unix_stream_socket create_stream_socket_perms;
++
++allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
++allow ncftool_t self:tcp_socket create_stream_socket_perms;
++
++kernel_read_kernel_sysctls(ncftool_t)
++kernel_read_modprobe_sysctls(ncftool_t)
++kernel_read_network_state(ncftool_t)
++kernel_read_system_state(ncftool_t)
++kernel_request_load_module(ncftool_t)
++kernel_rw_net_sysctls(ncftool_t)
++
++corecmd_exec_bin(ncftool_t)
++corecmd_exec_shell(ncftool_t)
++
++domain_read_all_domains_state(ncftool_t)
++
++dev_read_sysfs(ncftool_t)
++
++files_read_etc_files(ncftool_t)
++files_read_etc_runtime_files(ncftool_t)
++files_read_usr_files(ncftool_t)
++
++term_use_all_terms(ncftool_t)
++
++miscfiles_read_localization(ncftool_t)
++
++modutils_read_module_config(ncftool_t)
++modutils_domtrans_insmod(ncftool_t)
++
++sysnet_delete_dhcpc_pid(ncftool_t)
++sysnet_domtrans_dhcpc(ncftool_t)
++sysnet_domtrans_ifconfig(ncftool_t)
++sysnet_etc_filetrans_config(ncftool_t)
++sysnet_manage_config(ncftool_t)
++sysnet_read_dhcpc_state(ncftool_t)
++sysnet_relabelfrom_net_conf(ncftool_t)
++sysnet_relabelto_net_conf(ncftool_t)
++
++userdom_read_user_tmp_files(ncftool_t)
++
++optional_policy(`
++ brctl_domtrans(ncftool_t)
++')
++
++optional_policy(`
++ consoletype_exec(ncftool_t)
++')
++
++optional_policy(`
++ dbus_system_bus_client(ncftool_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.fc serefpolicy-3.8.3/policy/modules/admin/netutils.fc
--- nsaserefpolicy/policy/modules/admin/netutils.fc 2010-05-25 16:28:22.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/admin/netutils.fc 2010-06-08 11:32:10.000000000 -0400
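Review bot: `permissive ncftool_t;` in the new ncftool.te means none of the allow rules that follow it are enforced — the domain is audit-only — yet the same series gives sysadm_t and unconfined_t a transition into it through `ncftool_run` (the sysadm.te and unconfineduser.te hunks below). If this is the usual bring-up step, mark it so it is not forgotten, e.g. `# TODO: permissive while the policy is developed; drop before release`. The broad grants also deserve why-comments: `allow ncftool_t self:capability { net_admin sys_ptrace };` together with `domain_read_all_domains_state(ncftool_t)`, and `modutils_domtrans_insmod(ncftool_t)` / `kernel_request_load_module(ncftool_t)` — one line each naming the ncftool operation that needs them (placeholder until confirmed) keeps the audit trail for later tightening. The interface summaries in ncftool.if show bare `##` lines where the summary/param markup would be; if that is not an artefact of how this page was rendered, the doc generator will not pick them up.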
@@ -6640,8 +6808,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.8.3/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-06-08 10:35:48.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/kernel/corecommands.fc 2010-06-08 11:32:10.000000000 -0400
-@@ -145,6 +145,10 @@
++++ serefpolicy-3.8.3/policy/modules/kernel/corecommands.fc 2010-06-16 11:44:23.000000000 -0400
+@@ -101,6 +101,9 @@
+ /etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/X11/xinit(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
++/etc/pki/tls/certs/make-dummy-cert -- gen_context(system_u:object_r:bin_t,s0)
++/etc/pki/tls/misc(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
++
+ /etc/profile.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /etc/xen/qemu-ifup -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/xen/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+@@ -145,6 +148,10 @@
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
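Review bot: `/etc/pki/tls/misc(/.*)? -- gen_context(system_u:object_r:bin_t,s0)` carries the `--` file-type specifier, so only regular files match and the misc directory itself keeps the /etc default label, unlike the neighbouring directory patterns `/etc/X11/xinit(/.*)?` and `/etc/profile.d(/.*)?` in the same hunk, which label the directory bin_t as well. Unless that is intentional, drop the specifier: `/etc/pki/tls/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)`. The `--` on the single-file `make-dummy-cert` entry is correct.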
@@ -6652,7 +6830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
ifdef(`distro_gentoo',`
/opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0)
/opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -228,6 +232,8 @@
+@@ -228,6 +235,8 @@
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -6661,10 +6839,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -340,3 +346,21 @@
+@@ -340,3 +349,22 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
++/var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
+/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
@@ -7238,7 +7417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+dontaudit can_change_object_identity can_change_object_identity:key link;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.8.3/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/kernel/files.fc 2010-06-08 11:32:10.000000000 -0400
++++ serefpolicy-3.8.3/policy/modules/kernel/files.fc 2010-06-16 13:20:15.000000000 -0400
@@ -18,6 +18,7 @@
/fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
/halt -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -7292,7 +7471,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
HOME_ROOT/\.journal <>
HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
HOME_ROOT/lost\+found/.* <>
-@@ -170,12 +179,6 @@
+@@ -157,6 +166,10 @@
+ /proc -d <>
+ /proc/.* <>
+
++ifdef(`distro_redhat',`
++/rhev -d gen_context(system_u:object_r:mnt_t,s0)
++')
++
+ #
+ # /selinux
+ #
+@@ -170,12 +183,6 @@
/srv/.* gen_context(system_u:object_r:var_t,s0)
#
@@ -7305,7 +7495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
# /tmp
#
/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
-@@ -205,15 +208,19 @@
+@@ -205,15 +212,19 @@
/usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/usr/local/lost\+found/.* <>
@@ -7325,7 +7515,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
/usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
/usr/tmp/.* <>
-@@ -229,6 +236,8 @@
+@@ -229,6 +240,8 @@
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
@@ -7334,7 +7524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
/var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
/var/lib/nfs/rpc_pipefs(/.*)? <>
-@@ -254,3 +263,5 @@
+@@ -254,3 +267,5 @@
ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
@@ -8231,7 +8421,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.8.3/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-06-08 10:35:48.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/kernel/filesystem.if 2010-06-08 11:32:10.000000000 -0400
++++ serefpolicy-3.8.3/policy/modules/kernel/filesystem.if 2010-06-16 13:24:53.000000000 -0400
@@ -1207,7 +1207,7 @@
type cifs_t;
')
@@ -9018,7 +9208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.8.3/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-02-17 10:37:39.000000000 -0500
-+++ serefpolicy-3.8.3/policy/modules/roles/sysadm.te 2010-06-08 11:32:10.000000000 -0400
++++ serefpolicy-3.8.3/policy/modules/roles/sysadm.te 2010-06-14 18:23:23.000000000 -0400
@@ -28,17 +28,29 @@
corecmd_exec_shell(sysadm_t)
@@ -9215,7 +9405,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
mta_role(sysadm_r, sysadm_t)
-@@ -308,8 +353,14 @@
+@@ -275,6 +320,10 @@
+ ')
+
+ optional_policy(`
++ ncftool_run(sysadm_t, sysadm_r)
++')
++
++optional_policy(`
+ netutils_run(sysadm_t, sysadm_r)
+ netutils_run_ping(sysadm_t, sysadm_r)
+ netutils_run_traceroute(sysadm_t, sysadm_r)
+@@ -308,8 +357,14 @@
')
optional_policy(`
@@ -9230,7 +9431,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
quota_run(sysadm_t, sysadm_r)
-@@ -319,9 +370,11 @@
+@@ -319,9 +374,11 @@
raid_domtrans_mdadm(sysadm_t)
')
@@ -9242,7 +9443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
rpc_domtrans_nfsd(sysadm_t)
-@@ -331,9 +384,11 @@
+@@ -331,9 +388,11 @@
rpm_run(sysadm_t, sysadm_r)
')
@@ -9254,7 +9455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
rsync_exec(sysadm_t)
-@@ -358,8 +413,14 @@
+@@ -358,8 +417,14 @@
')
optional_policy(`
@@ -9269,7 +9470,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
ssh_role_template(sysadm, sysadm_r, sysadm_t)
-@@ -382,9 +443,11 @@
+@@ -382,9 +447,11 @@
sysnet_run_dhcpc(sysadm_t, sysadm_r)
')
@@ -9281,7 +9482,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
tripwire_run_siggen(sysadm_t, sysadm_r)
-@@ -393,17 +456,21 @@
+@@ -393,17 +460,21 @@
tripwire_run_twprint(sysadm_t, sysadm_r)
')
@@ -9303,7 +9504,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
unconfined_domtrans(sysadm_t)
-@@ -417,9 +484,11 @@
+@@ -417,9 +488,11 @@
usbmodules_run(sysadm_t, sysadm_r)
')
@@ -9315,7 +9516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
-@@ -427,9 +496,15 @@
+@@ -427,9 +500,15 @@
usermanage_run_useradd(sysadm_t, sysadm_r)
')
@@ -9331,7 +9532,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
vpn_run(sysadm_t, sysadm_r)
-@@ -440,13 +515,30 @@
+@@ -440,13 +519,30 @@
')
optional_policy(`
@@ -10047,8 +10248,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.8.3/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.3/policy/modules/roles/unconfineduser.te 2010-06-08 11:32:10.000000000 -0400
-@@ -0,0 +1,439 @@
++++ serefpolicy-3.8.3/policy/modules/roles/unconfineduser.te 2010-06-14 18:23:51.000000000 -0400
+@@ -0,0 +1,443 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -10365,6 +10566,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+')
+
+optional_policy(`
++ ncftool_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
+ oddjob_run_mkhomedir(unconfined_t, unconfined_r)
+')
+
@@ -10773,7 +10978,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
## All of the rules required to administrate
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.8.3/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2010-05-25 16:28:22.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/services/abrt.te 2010-06-09 15:57:41.000000000 -0400
++++ serefpolicy-3.8.3/policy/modules/services/abrt.te 2010-06-14 18:29:51.000000000 -0400
+@@ -51,7 +51,7 @@
+
+ allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override };
+ dontaudit abrt_t self:capability sys_rawio;
+-allow abrt_t self:process { signal signull setsched getsched };
++allow abrt_t self:process { sigkill signal signull setsched getsched };
+
+ allow abrt_t self:fifo_file rw_fifo_file_perms;
+ allow abrt_t self:tcp_socket create_stream_socket_perms;
@@ -70,16 +70,19 @@
manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
@@ -11189,7 +11403,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.8.3/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2010-04-06 15:15:38.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/services/apache.if 2010-06-09 16:00:04.000000000 -0400
++++ serefpolicy-3.8.3/policy/modules/services/apache.if 2010-06-15 16:54:36.000000000 -0400
@@ -13,17 +13,13 @@
#
template(`apache_content_template',`
@@ -12133,7 +12347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpw
fs_getattr_all_fs(arpwatch_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.8.3/policy/modules/services/asterisk.te
--- nsaserefpolicy/policy/modules/services/asterisk.te 2010-05-25 16:28:22.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/services/asterisk.te 2010-06-08 11:32:10.000000000 -0400
++++ serefpolicy-3.8.3/policy/modules/services/asterisk.te 2010-06-16 13:34:52.000000000 -0400
@@ -100,6 +100,7 @@
corenet_tcp_bind_generic_node(asterisk_t)
corenet_udp_bind_generic_node(asterisk_t)
@@ -13388,7 +13602,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.8.3/policy/modules/services/corosync.te
--- nsaserefpolicy/policy/modules/services/corosync.te 2010-05-25 16:28:22.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/services/corosync.te 2010-06-11 11:31:01.000000000 -0400
++++ serefpolicy-3.8.3/policy/modules/services/corosync.te 2010-06-16 10:50:34.000000000 -0400
@@ -33,8 +33,8 @@
# corosync local policy
#
@@ -13436,7 +13650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
userdom_rw_user_tmpfs_files(corosync_t)
optional_policy(`
-@@ -91,12 +97,12 @@
+@@ -91,12 +97,13 @@
')
optional_policy(`
@@ -13451,6 +13665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+optional_policy(`
+ # to communication with RHCS
+ rhcs_rw_cluster_shm(corosync_t)
++ rhcs_rw_cluster_semaphores(corosync_t)
')
optional_policy(`
@@ -16065,8 +16280,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock.te serefpolicy-3.8.3/policy/modules/services/mock.te
--- nsaserefpolicy/policy/modules/services/mock.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.3/policy/modules/services/mock.te 2010-06-09 17:44:30.000000000 -0400
-@@ -0,0 +1,94 @@
++++ serefpolicy-3.8.3/policy/modules/services/mock.te 2010-06-16 11:45:16.000000000 -0400
+@@ -0,0 +1,93 @@
+policy_module(mock,1.0.0)
+
+########################################
@@ -16132,7 +16347,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock
+
+dev_read_urand(mock_t)
+
-+domain_poly(mock_t)
+domain_read_all_domains_state(mock_t)
+domain_use_interactive_fds(mock_t)
+
@@ -16602,7 +16816,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.8.3/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2010-05-25 16:28:22.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/services/mta.if 2010-06-08 11:32:10.000000000 -0400
++++ serefpolicy-3.8.3/policy/modules/services/mta.if 2010-06-14 19:03:36.000000000 -0400
@@ -220,6 +220,25 @@
application_executable_file($1)
')
@@ -16629,15 +16843,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
########################################
##
## Make the specified type by a system MTA.
-@@ -335,6 +354,7 @@
- # apache should set close-on-exec
- apache_dontaudit_rw_stream_sockets($1)
- apache_dontaudit_rw_sys_script_stream_sockets($1)
-+ apache_append_log($1)
+@@ -330,12 +349,6 @@
')
+
+ typeattribute $1 mta_user_agent;
+-
+- optional_policy(`
+- # apache should set close-on-exec
+- apache_dontaudit_rw_stream_sockets($1)
+- apache_dontaudit_rw_sys_script_stream_sockets($1)
+- ')
')
-@@ -362,6 +382,10 @@
+ ########################################
+@@ -362,6 +375,10 @@
allow mta_user_agent $1:fd use;
allow mta_user_agent $1:process sigchld;
allow mta_user_agent $1:fifo_file rw_fifo_file_perms;
@@ -16648,7 +16867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
########################################
-@@ -474,7 +498,8 @@
+@@ -474,7 +491,8 @@
type etc_mail_t;
')
@@ -16658,7 +16877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
########################################
-@@ -698,7 +723,7 @@
+@@ -698,7 +716,7 @@
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
allow $1 mail_spool_t:file setattr;
@@ -16669,7 +16888,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.8.3/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2010-05-25 16:28:22.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/services/mta.te 2010-06-08 11:32:10.000000000 -0400
++++ serefpolicy-3.8.3/policy/modules/services/mta.te 2010-06-14 19:01:55.000000000 -0400
@@ -71,10 +71,10 @@
dev_read_rand(system_mail_t)
dev_read_urand(system_mail_t)
@@ -16693,15 +16912,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
-@@ -93,6 +96,7 @@
+@@ -93,6 +96,12 @@
apache_dontaudit_rw_stream_sockets(system_mail_t)
apache_dontaudit_rw_tcp_sockets(system_mail_t)
apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
+ apache_dontaudit_write_tmp_files(system_mail_t)
++
++ # apache should set close-on-exec
++ apache_dontaudit_rw_stream_sockets(mta_user_agent)
++ apache_dontaudit_rw_sys_script_stream_sockets(mta_user_agent)
++ apache_append_log(mta_user_agent)
')
optional_policy(`
-@@ -104,6 +108,11 @@
+@@ -104,6 +113,11 @@
')
optional_policy(`
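Review bot: The comment `# apache should set close-on-exec` explains the two dontaudit lines but not `apache_append_log(mta_user_agent)`, which now grants append access to apache's logs to every domain carrying the mta_user_agent attribute — including postfix_postqueue_t, newly marked as a user agent in the postfix.te hunk below. Add a one-line why-comment above it stating which agent writes to the apache log and for what, so the grant can be re-checked as the attribute grows. The move of these rules out of the mta_mailserver_user_agent interface (mta.if hunk above) is otherwise equivalent.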
@@ -16713,7 +16937,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
clamav_stream_connect(system_mail_t)
clamav_append_log(system_mail_t)
')
-@@ -131,6 +140,7 @@
+@@ -131,6 +145,7 @@
optional_policy(`
fail2ban_append_log(system_mail_t)
@@ -16721,7 +16945,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
optional_policy(`
-@@ -147,6 +157,10 @@
+@@ -147,6 +162,10 @@
')
optional_policy(`
@@ -16732,7 +16956,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
nagios_read_tmp_files(system_mail_t)
')
-@@ -190,6 +204,10 @@
+@@ -190,6 +209,10 @@
')
optional_policy(`
@@ -16743,7 +16967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
smartmon_read_tmp_files(system_mail_t)
')
-@@ -221,6 +239,7 @@
+@@ -221,6 +244,7 @@
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -18534,7 +18758,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.8.3/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2010-05-25 16:28:22.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/services/postfix.te 2010-06-08 11:32:10.000000000 -0400
++++ serefpolicy-3.8.3/policy/modules/services/postfix.te 2010-06-14 19:02:47.000000000 -0400
@@ -6,6 +6,15 @@
# Declarations
#
@@ -18586,7 +18810,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
postfix_server_domain_template(pickup)
postfix_server_domain_template(pipe)
-@@ -66,13 +87,13 @@
+@@ -50,6 +71,7 @@
+ mta_mailserver_user_agent(postfix_postdrop_t)
+
+ postfix_user_domain_template(postqueue)
++mta_mailserver_user_agent(postfix_postqueue_t)
+
+ type postfix_private_t;
+ files_type(postfix_private_t)
+@@ -66,13 +88,13 @@
postfix_server_domain_template(smtpd)
@@ -18603,7 +18835,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
files_type(postfix_spool_flush_t)
type postfix_public_t;
-@@ -151,6 +172,9 @@
+@@ -151,6 +173,9 @@
corenet_udp_sendrecv_generic_node(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
@@ -18613,7 +18845,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
corenet_tcp_bind_generic_node(postfix_master_t)
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
corenet_tcp_bind_smtp_port(postfix_master_t)
-@@ -168,6 +192,8 @@
+@@ -168,6 +193,8 @@
domain_use_interactive_fds(postfix_master_t)
files_read_usr_files(postfix_master_t)
@@ -18622,7 +18854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
term_dontaudit_search_ptys(postfix_master_t)
-@@ -305,6 +331,10 @@
+@@ -305,6 +332,10 @@
')
optional_policy(`
@@ -18633,7 +18865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
procmail_domtrans(postfix_local_t)
')
-@@ -421,6 +451,7 @@
+@@ -421,6 +452,7 @@
optional_policy(`
spamassassin_domtrans_client(postfix_pipe_t)
@@ -18641,7 +18873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
')
optional_policy(`
-@@ -589,6 +620,11 @@
+@@ -589,6 +621,11 @@
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
@@ -18653,7 +18885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
mta_read_aliases(postfix_smtpd_t)
optional_policy(`
-@@ -631,3 +667,8 @@
+@@ -631,3 +668,8 @@
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -18743,6 +18975,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc
pyzor_domtrans(procmail_t)
pyzor_signal(procmail_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.if serefpolicy-3.8.3/policy/modules/services/psad.if
+--- nsaserefpolicy/policy/modules/services/psad.if 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.8.3/policy/modules/services/psad.if 2010-06-16 13:11:38.000000000 -0400
+@@ -176,6 +176,26 @@
+
+ ########################################
+ ##
++## Allow the specified domain to write to psad's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`psad_write_log',`
++ gen_require(`
++ type psad_var_log_t;
++ ')
++
++ logging_search_logs($1)
++ write_files_pattern($1, psad_var_log_t, psad_var_log_t)
++')
++
++########################################
++##
+ ## Read and write psad fifo files.
+ ##
+ ##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.te serefpolicy-3.8.3/policy/modules/services/psad.te
--- nsaserefpolicy/policy/modules/services/psad.te 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/psad.te 2010-06-08 11:32:10.000000000 -0400
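Review bot: `write_files_pattern($1, psad_var_log_t, psad_var_log_t)` in the new psad_write_log interface grants full write access to psad's logs, whereas the log interfaces used elsewhere in this series (`apache_append_log`, `clamav_append_log`, `fail2ban_append_log`) grant append only; append-only keeps a caller from truncating or rewriting existing entries. Unless the caller genuinely rewrites the files, name it `psad_append_log` and use `append_files_pattern($1, psad_var_log_t, psad_var_log_t)`, with the summary reading "append to" rather than "write to". The caller that needs this interface is not visible in this chunk.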
@@ -19475,7 +19737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.8.3/policy/modules/services/rhcs.if
--- nsaserefpolicy/policy/modules/services/rhcs.if 2010-05-25 16:28:22.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/services/rhcs.if 2010-06-11 11:30:32.000000000 -0400
++++ serefpolicy-3.8.3/policy/modules/services/rhcs.if 2010-06-16 10:51:03.000000000 -0400
@@ -14,6 +14,7 @@
template(`rhcs_domain_template',`
gen_require(`
@@ -19493,7 +19755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
files_tmpfs_file($1_tmpfs_t)
type $1_var_log_t;
-@@ -335,6 +336,28 @@
+@@ -335,6 +336,46 @@
manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
')
@@ -19519,10 +19781,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+ manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs)
+')
+
++####################################
++##
++## Read and write access to cluster domains semaphores.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rhcs_rw_cluster_semaphores',`
++ gen_require(`
++ type cluster_domain;
++ ')
++
++ allow $1 cluster_domain:sem { rw_sem_perms destroy };
++')
++
######################################
##
## Execute a domain transition to run qdiskd.
-@@ -353,3 +376,21 @@
+@@ -353,3 +394,21 @@
corecmd_search_bin($1)
domtrans_pattern($1, qdiskd_exec_t, qdiskd_t)
')
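Review bot: `type cluster_domain;` in the gen_require of the new rhcs_rw_cluster_semaphores interface looks like it should be `attribute cluster_domain;` — the name, and the fact that the rule grants `sem` access across all cluster domains at once, suggest an attribute rather than a type, and a require of the wrong kind fails when the module is linked; the template hunk above is cut off, so confirm against the declaration in rhcs.te. Separately, `allow $1 cluster_domain:sem { rw_sem_perms destroy };` includes `destroy`, which is wider than the interface's "read and write" summary; either document why corosync must destroy other cluster domains' semaphores or drop it from the rule.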
@@ -21991,7 +22271,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.8.3/policy/modules/services/w3c.te
--- nsaserefpolicy/policy/modules/services/w3c.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/services/w3c.te 2010-06-08 11:32:10.000000000 -0400
++++ serefpolicy-3.8.3/policy/modules/services/w3c.te 2010-06-15 16:55:19.000000000 -0400
@@ -8,11 +8,18 @@
apache_content_template(w3c_validator)
@@ -22011,6 +22291,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.
corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
+@@ -23,3 +30,5 @@
+ miscfiles_read_certs(httpd_w3c_validator_script_t)
+
+ sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
++
++apache_dontaudit_rw_tmp_files(httpd_w3c_validator_script_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.8.3/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/xserver.fc 2010-06-08 11:32:10.000000000 -0400
@@ -22737,7 +23023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.8.3/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-05-25 16:28:22.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/services/xserver.te 2010-06-08 11:32:10.000000000 -0400
++++ serefpolicy-3.8.3/policy/modules/services/xserver.te 2010-06-16 13:35:02.000000000 -0400
@@ -36,6 +36,13 @@
##
@@ -23127,7 +23413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -371,15 +505,21 @@
+@@ -371,15 +505,22 @@
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -23146,11 +23432,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
kernel_read_kernel_sysctls(xdm_t)
kernel_read_net_sysctls(xdm_t)
kernel_read_network_state(xdm_t)
++kernel_request_load_module(xdm_t)
+kernel_stream_connect(xdm_t)
corecmd_exec_shell(xdm_t)
corecmd_exec_bin(xdm_t)
-@@ -394,11 +534,14 @@
+@@ -394,11 +535,14 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
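Review bot: `kernel_request_load_module(xdm_t)` lets the display manager trigger kernel module autoloading, which is a larger privilege than the read-only sysctl and network-state rules around it, and nothing in the hunk records which request needs it. A comment above the line, e.g. `# xdm triggers module autoload (module_request); trigger: <confirm from audit denial>`, would keep the grant reviewable later. Whether a dontaudit would have been sufficient depends on that trigger, which is not visible here.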
@@ -23165,7 +23452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_read_rand(xdm_t)
dev_read_sysfs(xdm_t)
dev_getattr_framebuffer_dev(xdm_t)
-@@ -406,6 +549,7 @@
+@@ -406,6 +550,7 @@
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
@@ -23173,7 +23460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
-@@ -414,18 +558,22 @@
+@@ -414,18 +559,22 @@
dev_getattr_misc_dev(xdm_t)
dev_setattr_misc_dev(xdm_t)
dev_dontaudit_rw_misc(xdm_t)
@@ -23199,7 +23486,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -436,9 +584,17 @@
+@@ -436,9 +585,17 @@
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -23217,7 +23504,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -447,14 +603,19 @@
+@@ -447,14 +604,19 @@
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -23237,7 +23524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
-@@ -465,10 +626,12 @@
+@@ -465,10 +627,12 @@
logging_read_generic_logs(xdm_t)
@@ -23252,7 +23539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -477,6 +640,11 @@
+@@ -477,6 +641,11 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -23264,7 +23551,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_rw_session(xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t)
-@@ -508,11 +676,17 @@
+@@ -508,11 +677,17 @@
')
optional_policy(`
@@ -23282,7 +23569,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -520,12 +694,50 @@
+@@ -520,12 +695,50 @@
')
optional_policy(`
@@ -23333,7 +23620,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
hostname_exec(xdm_t)
')
-@@ -543,20 +755,59 @@
+@@ -543,20 +756,59 @@
')
optional_policy(`
@@ -23395,7 +23682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -565,7 +816,6 @@
+@@ -565,7 +817,6 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
@@ -23403,7 +23690,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
-@@ -576,6 +826,10 @@
+@@ -576,6 +827,10 @@
')
optional_policy(`
@@ -23414,7 +23701,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xfs_stream_connect(xdm_t)
')
-@@ -600,10 +854,9 @@
+@@ -600,10 +855,9 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -23426,7 +23713,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
allow xserver_t self:sock_file read_sock_file_perms;
-@@ -615,6 +868,18 @@
+@@ -615,6 +869,18 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -23445,7 +23732,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -634,12 +899,19 @@
+@@ -634,12 +900,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -23467,7 +23754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -673,7 +945,6 @@
+@@ -673,7 +946,6 @@
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -23475,7 +23762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -683,9 +954,12 @@
+@@ -683,9 +955,12 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -23489,7 +23776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
-@@ -700,8 +974,13 @@
+@@ -700,8 +975,13 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -23503,7 +23790,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -723,11 +1002,14 @@
+@@ -723,11 +1003,14 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -23518,7 +23805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -779,12 +1061,28 @@
+@@ -779,12 +1062,28 @@
')
optional_policy(`
@@ -23548,7 +23835,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
unconfined_domtrans(xserver_t)
')
-@@ -808,10 +1106,10 @@
+@@ -808,10 +1107,10 @@
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -23561,7 +23848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -832,9 +1130,14 @@
+@@ -832,9 +1131,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -23576,7 +23863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
-@@ -849,11 +1152,14 @@
+@@ -849,11 +1153,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -23593,7 +23880,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -999,3 +1305,33 @@
+@@ -999,3 +1306,33 @@
allow xserver_unconfined_type xextension_type:x_extension *;
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -24068,7 +24355,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.8.3/policy/modules/system/hotplug.te
--- nsaserefpolicy/policy/modules/system/hotplug.te 2010-05-25 16:28:22.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/system/hotplug.te 2010-06-08 11:32:10.000000000 -0400
++++ serefpolicy-3.8.3/policy/modules/system/hotplug.te 2010-06-16 13:23:05.000000000 -0400
+@@ -24,7 +24,7 @@
+ #
+
+ allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
+-dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config };
++dontaudit hotplug_t self:capability { sys_module sys_admin sys_ptrace sys_tty_config };
+ # for access("/etc/bashrc", X_OK) on Red Hat
+ dontaudit hotplug_t self:capability { dac_override dac_read_search };
+ allow hotplug_t self:process { setpgid getsession getattr signal_perms };
@@ -46,6 +46,7 @@
kernel_sigchld(hotplug_t)
kernel_setpgid(hotplug_t)
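Review bot: The sys_ptrace capability added on the `dontaudit hotplug_t self:capability { sys_module sys_admin sys_ptrace sys_tty_config };` line silences a denial without recording which access provoked it, so a later audit of hotplug's capabilities cannot tell whether the ptrace attempt is benign. A one-line comment naming the trigger would preserve that, e.g. `# hotplug probes CAP_SYS_PTRACE (see audit denial); access is not needed, only silenced`. If the denial arises from reading other processes' /proc state, saying so explicitly also guards against the rule being converted to an allow in a future cleanup.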
@@ -24092,7 +24388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
# /var
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.8.3/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2010-03-18 10:35:11.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/system/init.if 2010-06-09 17:42:17.000000000 -0400
++++ serefpolicy-3.8.3/policy/modules/system/init.if 2010-06-14 18:39:46.000000000 -0400
@@ -193,8 +193,10 @@
gen_require(`
attribute direct_run_init, direct_init, direct_init_entry;
@@ -24185,7 +24481,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
########################################
-@@ -682,6 +728,8 @@
+@@ -669,6 +715,8 @@
+ type initctl_t;
+ ')
+
++ corecmd_exec_bin($1)
++
+ dev_list_all_dev_nodes($1)
+ allow $1 initctl_t:fifo_file rw_fifo_file_perms;
+
+@@ -682,6 +730,8 @@
# upstart uses a datagram socket instead of initctl pipe
allow $1 self:unix_dgram_socket create_socket_perms;
allow $1 init_t:unix_dgram_socket sendto;
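Review bot: `corecmd_exec_bin($1)` is added inside a shared interface whose opening line lies outside the hunk, so every caller of that interface now gains execute access to all bin_t programs in its own domain, considerably wider than the initctl fifo access the surrounding lines grant. If one specific helper is what needs to run, a narrower rule or at least a comment such as `# <program> is executed from the caller's domain when signalling init` would keep the widening proportionate and explained. The enclosing interface body starts before and ends after this hunk.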
@@ -24194,7 +24499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
')
-@@ -754,18 +802,19 @@
+@@ -754,18 +804,19 @@
#
interface(`init_spec_domtrans_script',`
gen_require(`
@@ -24218,7 +24523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
')
-@@ -781,19 +830,41 @@
+@@ -781,23 +832,45 @@
#
interface(`init_domtrans_script',`
gen_require(`
@@ -24241,11 +24546,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
ifdef(`enable_mls',`
- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
-+ ')
-+')
-+
-+########################################
-+##
+ ')
+ ')
+
+ ########################################
+ ##
+## Execute a file in a bin directory
+## in the initrc_t domain
+##
@@ -24258,13 +24563,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+interface(`init_bin_domtrans_spec',`
+ gen_require(`
+ type initrc_t;
- ')
++ ')
+
+ corecmd_bin_domtrans($1, initrc_t)
- ')
-
- ########################################
-@@ -849,8 +920,10 @@
++')
++
++########################################
++##
+ ## Execute a init script in a specified domain.
+ ##
+ ##
+@@ -849,8 +922,10 @@
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
@@ -24275,7 +24584,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
domtrans_pattern($1, $2, initrc_t)
files_search_etc($1)
')
-@@ -1637,7 +1710,7 @@
+@@ -1637,7 +1712,7 @@
type initrc_var_run_t;
')
@@ -24284,7 +24593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
########################################
-@@ -1712,3 +1785,56 @@
+@@ -1712,3 +1787,56 @@
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -24785,6 +25094,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
+optional_policy(`
+ fail2ban_read_lib_files(daemon)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.8.3/policy/modules/system/ipsec.fc
+--- nsaserefpolicy/policy/modules/system/ipsec.fc 2010-03-18 06:48:09.000000000 -0400
++++ serefpolicy-3.8.3/policy/modules/system/ipsec.fc 2010-06-16 13:06:56.000000000 -0400
+@@ -25,6 +25,7 @@
+ /usr/libexec/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+ /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+ /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
++/usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+
+ /usr/local/lib(64)?/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+ /usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.8.3/policy/modules/system/ipsec.if
--- nsaserefpolicy/policy/modules/system/ipsec.if 2010-03-18 06:48:09.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/system/ipsec.if 2010-06-09 16:06:08.000000000 -0400
@@ -24903,8 +25223,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
+userdom_read_user_tmp_files(setkey_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.8.3/policy/modules/system/iptables.fc
--- nsaserefpolicy/policy/modules/system/iptables.fc 2010-02-12 16:41:05.000000000 -0500
-+++ serefpolicy-3.8.3/policy/modules/system/iptables.fc 2010-06-08 11:32:10.000000000 -0400
-@@ -1,13 +1,18 @@
++++ serefpolicy-3.8.3/policy/modules/system/iptables.fc 2010-06-14 18:22:08.000000000 -0400
+@@ -1,12 +1,14 @@
/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
-/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
@@ -24921,10 +25241,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
- /usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+
-+/usr/bin/ncftool -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.8.3/policy/modules/system/iptables.if
--- nsaserefpolicy/policy/modules/system/iptables.if 2009-12-04 09:43:33.000000000 -0500
+++ serefpolicy-3.8.3/policy/modules/system/iptables.if 2010-06-08 11:32:10.000000000 -0400
@@ -24941,7 +25257,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.8.3/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2010-05-25 16:28:22.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/system/iptables.te 2010-06-08 11:32:10.000000000 -0400
++++ serefpolicy-3.8.3/policy/modules/system/iptables.te 2010-06-16 13:11:44.000000000 -0400
@@ -14,9 +14,6 @@
type iptables_initrc_exec_t;
init_script_file(iptables_initrc_exec_t)
@@ -25017,6 +25333,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
')
optional_policy(`
+@@ -113,6 +122,7 @@
+
+ optional_policy(`
+ psad_rw_tmp_files(iptables_t)
++ psad_write_log(iptables_t)
+ ')
+
+ optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-3.8.3/policy/modules/system/iscsi.if
--- nsaserefpolicy/policy/modules/system/iscsi.if 2009-11-25 11:47:19.000000000 -0500
+++ serefpolicy-3.8.3/policy/modules/system/iscsi.if 2010-06-08 11:32:10.000000000 -0400
@@ -25056,7 +25380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
domain_dontaudit_read_all_domains_state(iscsid_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.8.3/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2010-03-23 11:19:40.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/system/libraries.fc 2010-06-08 11:32:10.000000000 -0400
++++ serefpolicy-3.8.3/policy/modules/system/libraries.fc 2010-06-16 13:32:10.000000000 -0400
@@ -131,13 +131,13 @@
/usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -25073,7 +25397,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
/usr/lib(64)?/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -208,6 +208,7 @@
+@@ -151,6 +151,7 @@
+ /usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libzita-convolver\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -208,6 +209,7 @@
/usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -25081,7 +25413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
/usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -247,6 +248,7 @@
+@@ -247,6 +249,7 @@
/usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -25089,7 +25421,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
/usr/lib(64)?/ocaml/stublibs/dllnums\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
-@@ -302,13 +304,8 @@
+@@ -302,13 +305,8 @@
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -25105,7 +25437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
') dnl end distro_redhat
#
-@@ -319,14 +316,148 @@
+@@ -319,14 +317,148 @@
/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
@@ -25516,7 +25848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
domain_system_change_exemption($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.8.3/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2010-05-25 16:28:22.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/system/logging.te 2010-06-09 16:35:41.000000000 -0400
++++ serefpolicy-3.8.3/policy/modules/system/logging.te 2010-06-16 11:55:48.000000000 -0400
@@ -61,6 +61,7 @@
type syslogd_t;
type syslogd_exec_t;
@@ -25546,7 +25878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
logging_send_syslog_msg(audisp_t)
-@@ -245,6 +252,10 @@
+@@ -245,14 +252,22 @@
optional_policy(`
dbus_system_bus_client(audisp_t)
@@ -25557,28 +25889,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
')
########################################
-@@ -252,6 +263,7 @@
+ #
# Audit remote logger local policy
#
-
+-
++allow audisp_remote_t self:capability { setuid setpcap };
+allow audisp_remote_t self:process { getcap setcap };
allow audisp_remote_t self:tcp_socket create_socket_perms;
++allow audisp_remote_t var_log_t:dir search_dir_perms;
++
++corecmd_exec_bin(audisp_remote_t)
corenet_all_recvfrom_unlabeled(audisp_remote_t)
-@@ -268,8 +280,12 @@
+ corenet_all_recvfrom_netlabel(audisp_remote_t)
+@@ -267,9 +282,16 @@
+ files_read_etc_files(audisp_remote_t)
logging_send_syslog_msg(audisp_remote_t)
-
-+auth_use_nsswitch(audisp_remote_t)
++logging_send_audit_msgs(audisp_remote_t)
+
++auth_use_nsswitch(audisp_remote_t)
+
miscfiles_read_localization(audisp_remote_t)
+init_telinit(audisp_remote_t)
++init_read_utmp(audisp_remote_t)
++init_dontaudit_write_utmp(audisp_remote_t)
+
sysnet_dns_name_resolve(audisp_remote_t)
########################################
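Review bot: `allow audisp_remote_t self:capability { setuid setpcap };` together with `corecmd_exec_bin(audisp_remote_t)` gives the remote audit plugin the ability to change credentials and execute arbitrary bin_t programs, and no comment records why. The setuid/setpcap pair reads like a privilege-drop pattern, but that is an inference from the rule alone; a comment such as `# audisp-remote drops uid/capabilities after startup (setuid, setpcap)` would let a later reviewer confirm rather than guess. The `init_dontaudit_write_utmp` line beside `init_read_utmp` suggests an observed denial rather than a design need, which is also worth a word.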
-@@ -373,8 +389,10 @@
+@@ -373,8 +395,10 @@
manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
files_search_var_lib(syslogd_t)
@@ -25591,7 +25932,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
# manage pid file
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
-@@ -492,6 +510,10 @@
+@@ -492,6 +516,10 @@
')
optional_policy(`
@@ -25724,6 +26065,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
')
########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.8.3/policy/modules/system/modutils.if
+--- nsaserefpolicy/policy/modules/system/modutils.if 2009-12-04 09:43:33.000000000 -0500
++++ serefpolicy-3.8.3/policy/modules/system/modutils.if 2010-06-14 18:25:54.000000000 -0400
+@@ -39,6 +39,26 @@
+
+ ########################################
+ ##
++## list the configuration options used when
++## loading modules.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`modutils_list_module_config',`
++ gen_require(`
++ type modules_conf_t;
++ ')
++
++ list_dirs_pattern($1, modules_conf_t, modules_conf_t)
++')
++
++########################################
++##
+ ## Read the configuration options used when
+ ## loading modules.
+ ##
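Review bot: The summary of `modutils_list_module_config` begins in lower case, `## list the configuration options used when`, while the sibling `## Read the configuration options used when` header directly below it starts with a capital; suggest `## List the configuration options used when`. Otherwise the interface mirrors the read variant and its `list_dirs_pattern` grant is appropriately narrow.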
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.8.3/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2010-05-25 16:28:22.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/system/modutils.te 2010-06-08 11:32:10.000000000 -0400
@@ -26025,7 +26396,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.8.3/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/system/mount.te 2010-06-08 11:32:10.000000000 -0400
++++ serefpolicy-3.8.3/policy/modules/system/mount.te 2010-06-16 13:27:43.000000000 -0400
@@ -18,8 +18,15 @@
init_system_domain(mount_t, mount_exec_t)
role system_r types mount_t;
@@ -26126,7 +26497,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
files_mount_all_file_type_fs(mount_t)
files_unmount_all_file_type_fs(mount_t)
# for when /etc/mtab loses its type
-@@ -80,15 +122,18 @@
+@@ -80,15 +122,19 @@
files_read_usr_files(mount_t)
files_list_mnt(mount_t)
@@ -26145,10 +26516,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
fs_read_tmpfs_symlinks(mount_t)
+fs_read_fusefs_files(mount_t)
+fs_manage_nfs_dirs(mount_t)
++fs_read_nfs_symlinks(mount_t)
mls_file_read_all_levels(mount_t)
mls_file_write_all_levels(mount_t)
-@@ -99,6 +144,7 @@
+@@ -99,6 +145,7 @@
storage_raw_write_fixed_disk(mount_t)
storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)
@@ -26156,7 +26528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
term_use_all_terms(mount_t)
-@@ -107,6 +153,8 @@
+@@ -107,6 +154,8 @@
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@@ -26165,7 +26537,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
logging_send_syslog_msg(mount_t)
-@@ -117,6 +165,12 @@
+@@ -117,6 +166,12 @@
seutil_read_config(mount_t)
userdom_use_all_users_fds(mount_t)
@@ -26178,7 +26550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
ifdef(`distro_redhat',`
optional_policy(`
-@@ -132,10 +186,17 @@
+@@ -132,10 +187,17 @@
')
')
@@ -26196,7 +26568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
optional_policy(`
-@@ -165,6 +226,8 @@
+@@ -165,6 +227,8 @@
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -26205,7 +26577,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
optional_policy(`
-@@ -172,6 +235,25 @@
+@@ -172,6 +236,25 @@
')
optional_policy(`
@@ -26231,7 +26603,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -179,6 +261,11 @@
+@@ -179,6 +262,11 @@
')
')
@@ -26243,7 +26615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
# for kernel package installation
optional_policy(`
rpm_rw_pipes(mount_t)
-@@ -186,6 +273,19 @@
+@@ -186,6 +274,19 @@
optional_policy(`
samba_domtrans_smbmount(mount_t)
@@ -26263,7 +26635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
########################################
-@@ -194,6 +294,42 @@
+@@ -194,6 +295,42 @@
#
optional_policy(`
@@ -27447,7 +27819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.8.3/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2010-03-23 10:55:15.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/system/sysnetwork.if 2010-06-08 11:32:10.000000000 -0400
++++ serefpolicy-3.8.3/policy/modules/system/sysnetwork.if 2010-06-15 15:03:31.000000000 -0400
@@ -60,25 +60,24 @@
netutils_run(dhcpc_t, $2)
netutils_run_ping(dhcpc_t, $2)
@@ -27533,7 +27905,52 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
#######################################
##
## Set the attributes of network config files.
-@@ -403,11 +439,8 @@
+@@ -270,6 +306,44 @@
+
+ #######################################
+ ##
++## Allow caller to relabel net_conf files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sysnet_relabelfrom_net_conf',`
++
++ gen_require(`
++ type net_conf_t;
++ ')
++
++ allow $1 net_conf_t:file relabelfrom;
++')
++
++######################################
++##
++## Allow caller to relabel net_conf files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sysnet_relabelto_net_conf',`
++
++ gen_require(`
++ type net_conf_t;
++ ')
++
++ allow $1 net_conf_t:file relabelto;
++')
++
++#######################################
++##
+ ## Read network config files.
+ ##
+ ##
+@@ -403,11 +477,8 @@
type net_conf_t;
')
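Review bot: `sysnet_relabelfrom_net_conf` and `sysnet_relabelto_net_conf` carry the identical summary `## Allow caller to relabel net_conf files`, so the generated interface documentation will not distinguish the two directions, and the relabelto side is the one that lets a caller make an arbitrary file look like network configuration. Suggest `## Allow caller to relabel files away from net_conf_t` and `## Allow caller to relabel files to net_conf_t` respectively. The second banner line is one `#` shorter than the first, and both bodies open with a blank line before `gen_require(`, unlike the `modutils_list_module_config` interface added elsewhere in this same patch.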
@@ -27547,7 +27964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
#######################################
-@@ -464,6 +497,10 @@
+@@ -464,6 +535,10 @@
corecmd_search_bin($1)
domtrans_pattern($1, ifconfig_exec_t, ifconfig_t)
@@ -27558,7 +27975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
########################################
-@@ -534,6 +571,25 @@
+@@ -534,6 +609,25 @@
########################################
##
@@ -27584,7 +28001,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
## Read the DHCP configuration files.
##
##
-@@ -677,7 +733,10 @@
+@@ -677,7 +771,10 @@
corenet_tcp_connect_ldap_port($1)
corenet_sendrecv_ldap_client_packets($1)
@@ -27596,7 +28013,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
########################################
-@@ -709,5 +768,52 @@
+@@ -709,5 +806,52 @@
corenet_tcp_connect_portmap_port($1)
corenet_sendrecv_portmap_client_packets($1)
@@ -27652,7 +28069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.8.3/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-05-25 16:28:22.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/system/sysnetwork.te 2010-06-08 11:32:10.000000000 -0400
++++ serefpolicy-3.8.3/policy/modules/system/sysnetwork.te 2010-06-14 18:53:49.000000000 -0400
@@ -20,6 +20,9 @@
init_daemon_domain(dhcpc_t, dhcpc_exec_t)
role system_r types dhcpc_t;
@@ -27699,15 +28116,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
init_dbus_chat_script(dhcpc_t)
dbus_system_bus_client(dhcpc_t)
-@@ -172,6 +183,7 @@
+@@ -172,6 +183,8 @@
optional_policy(`
hal_dontaudit_rw_dgram_sockets(dhcpc_t)
++ hal_dontaudit_read_pid_files(dhcpc_t)
+ hal_dontaudit_write_log(dhcpc_t)
')
optional_policy(`
-@@ -193,6 +205,12 @@
+@@ -193,6 +206,12 @@
')
optional_policy(`
@@ -27720,7 +28138,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
nis_read_ypbind_pid(dhcpc_t)
')
-@@ -214,6 +232,7 @@
+@@ -214,6 +233,7 @@
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
@@ -27728,7 +28146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
optional_policy(`
-@@ -277,8 +296,11 @@
+@@ -277,8 +297,11 @@
domain_use_interactive_fds(ifconfig_t)
@@ -27740,7 +28158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
-@@ -306,6 +328,8 @@
+@@ -306,6 +329,8 @@
seutil_use_runinit_fds(ifconfig_t)
@@ -27749,7 +28167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
userdom_use_user_terminals(ifconfig_t)
userdom_use_all_users_fds(ifconfig_t)
-@@ -328,6 +352,8 @@
+@@ -328,6 +353,8 @@
optional_policy(`
hal_dontaudit_rw_pipes(ifconfig_t)
hal_dontaudit_rw_dgram_sockets(ifconfig_t)