diff --git a/modules-targeted.conf b/modules-targeted.conf
index 3ced518..16ec8ba 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -1505,3 +1505,12 @@ logadm = module
# Minimally prived root role for managing apache
#
webadm = module
+
+#
+# Layer: services
+# Module: exim
+#
+# exim mail server
+#
+exim = module
+
diff --git a/policy-20070703.patch b/policy-20070703.patch
index d196d98..5ea282a 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -495,12 +495,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmidecode.te serefpolicy-3.0.7/policy/modules/admin/dmidecode.te
--- nsaserefpolicy/policy/modules/admin/dmidecode.te 2007-08-22 07:14:14.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/admin/dmidecode.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/admin/dmidecode.te 2007-09-07 17:05:59.000000000 -0400
@@ -20,6 +20,7 @@
# Allow dmidecode to read /dev/mem
dev_read_raw_memory(dmidecode_t)
-+dev_search_sysfs(dmidecode_t)
++dev_read_sysfs(dmidecode_t)
mls_file_read_all_levels(dmidecode_t)
@@ -2745,7 +2745,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.7/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-07-03 07:05:38.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/kernel/files.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/kernel/files.if 2007-09-10 16:27:16.000000000 -0400
@@ -343,8 +343,7 @@
########################################
@@ -2830,7 +2830,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## List the contents of the root directory.
##
##
-@@ -3323,6 +3359,42 @@
+@@ -3107,6 +3143,24 @@
+
+ ########################################
+ ##
++## Manage temporary directories in /tmp.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`files_manage_generic_tmp_dirs',`
++ gen_require(`
++ type tmp_t;
++ ')
++
++ manage_dirs_pattern($1,tmp_t,tmp_t)
++')
++
++########################################
++##
+ ## Manage temporary files and directories in /tmp.
+ ##
+ ##
+@@ -3323,6 +3377,42 @@
########################################
##
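Review bot: `files_manage_generic_tmp_dirs` hands the caller `manage_dirs_pattern($1,tmp_t,tmp_t)`, which includes rmdir, rename and remove_name on every directory carrying the generic tmp_t label, not only ones the caller created, so any domain given this interface can delete or rename other domains' unlabeled /tmp directories. There is also no `files_tmp_filetrans` here, so whatever the caller creates lands as plain tmp_t and is in turn reachable by every other holder of the interface. I would state that in the summary, e.g. `## Manage temporary directories in /tmp. This grants full control over all generic tmp_t directories; prefer a private tmp type with files_tmp_filetrans where possible.`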
@@ -2873,7 +2898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Get the attributes of files in /usr.
##
##
-@@ -3381,7 +3453,7 @@
+@@ -3381,7 +3471,7 @@
########################################
##
@@ -2882,7 +2907,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
##
##
##
-@@ -3389,17 +3461,17 @@
+@@ -3389,17 +3479,17 @@
##
##
#
@@ -2903,7 +2928,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
##
##
##
-@@ -3407,12 +3479,12 @@
+@@ -3407,12 +3497,12 @@
##
##
#
@@ -2918,7 +2943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -4043,7 +4115,7 @@
+@@ -4043,7 +4133,7 @@
type var_t, var_lock_t;
')
@@ -2927,7 +2952,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -4560,6 +4632,8 @@
+@@ -4560,6 +4650,8 @@
# Need to give access to /selinux/member
selinux_compute_member($1)
@@ -2936,7 +2961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
# Need sys_admin capability for mounting
allow $1 self:capability { chown fsetid sys_admin };
-@@ -4582,6 +4656,11 @@
+@@ -4582,6 +4674,11 @@
# Default type for mountpoints
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
@@ -2948,7 +2973,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -4619,3 +4698,28 @@
+@@ -4619,3 +4716,28 @@
allow $1 { file_type -security_file_type }:dir manage_dir_perms;
')
@@ -3171,6 +3196,99 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read };
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.0.7/policy/modules/kernel/storage.fc
+--- nsaserefpolicy/policy/modules/kernel/storage.fc 2007-08-22 07:14:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/kernel/storage.fc 2007-09-10 15:52:30.000000000 -0400
+@@ -52,7 +52,7 @@
+
+ /dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+
+-/dev/fuse -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
++/dev/fuse -c gen_context(system_u:object_r:fuse_device_t,mls_systemhigh)
+ /dev/floppy/[^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
+
+ /dev/i2o/hd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.0.7/policy/modules/kernel/storage.if
+--- nsaserefpolicy/policy/modules/kernel/storage.if 2007-08-22 07:14:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/kernel/storage.if 2007-09-10 15:54:45.000000000 -0400
+@@ -673,3 +673,61 @@
+
+ typeattribute $1 storage_unconfined_type;
+ ')
++
++########################################
++##
++## Allow the caller to get the attributes
++## of device nodes of fuse devices.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`storage_getattr_fuse_dev',`
++ gen_require(`
++ type fuse_device_t;
++ ')
++
++ dev_list_all_dev_nodes($1)
++ allow $1 fuse_device_t:chr_file getattr;
++')
++
++########################################
++##
++## read or write fuse device interfaces.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`storage_rw_fuse',`
++ gen_require(`
++ type fuse_device_t;
++ ')
++
++ allow $1 fuse_device_t:chr_file rw_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read or write
++## fuse device interfaces.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`storage_dontaudit_rw_fuse',`
++ gen_require(`
++ type fuse_device_t;
++ ')
++
++ dontaudit $1 fuse_device_t:chr_file rw_file_perms;
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.te serefpolicy-3.0.7/policy/modules/kernel/storage.te
+--- nsaserefpolicy/policy/modules/kernel/storage.te 2007-08-22 07:14:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/kernel/storage.te 2007-09-10 15:38:30.000000000 -0400
+@@ -23,6 +23,12 @@
+ neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } { append write };
+
+ #
++# fuse_device_t is the type of /dev/fuse
++#
++type fuse_device_t;
++dev_node(fuse_device_t)
++
++#
+ # scsi_generic_device_t is the type of /dev/sg*
+ # it gives access to ALL SCSI devices (both fixed and removable)
+ #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.0.7/policy/modules/kernel/terminal.fc
--- nsaserefpolicy/policy/modules/kernel/terminal.fc 2007-05-29 14:10:48.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/kernel/terminal.fc 2007-09-06 15:43:06.000000000 -0400
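Review bot: The parameter description for `storage_rw_fuse` reads `## Domain to not audit.` although the interface allows rather than dontaudits; it is a copy of the dontaudit variant below it and should read `## Domain allowed access.`. Moving /dev/fuse from fixed_disk_device_t to its own fuse_device_t is a sound narrowing, and it means the node is no longer covered by the `neverallow ... fixed_disk_device_t ... { append write }` rule in storage.te, which is fine for a filesystem request channel, but any domain that previously reached /dev/fuse through the fixed-disk interfaces now needs `storage_rw_fuse` or it will start failing. The node keeps `mls_systemhigh` in storage.fc; if FUSE mounts by MLS users at lower levels are intended, that level will block their writes under the MLS file-write constraints, so it is worth confirming whether the level was inherited from the disk entry or chosen deliberately.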
@@ -3664,7 +3782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.7/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-08-22 07:14:07.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/apache.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/services/apache.te 2007-09-10 15:07:38.000000000 -0400
@@ -30,6 +30,13 @@
##
@@ -3884,7 +4002,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
calamaris_read_www_files(httpd_t)
')
-@@ -442,6 +536,13 @@
+@@ -442,8 +536,15 @@
')
optional_policy(`
@@ -3896,8 +4014,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+')
+optional_policy(`
kerberos_use(httpd_t)
- kerberos_read_kdc_config(httpd_t)
+- kerberos_read_kdc_config(httpd_t)
++ kerberos_read_keytab(httpd_t)
')
+
+ optional_policy(`
@@ -461,7 +562,6 @@
optional_policy(`
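Review bot: `kerberos_read_keytab(httpd_t)` gives the web server read access to the keytab type, which presumably covers /etc/krb5.keytab and with it the long-term keys of every principal stored there, so a compromised httpd_t could impersonate the host to other Kerberized services; the `kerberos_read_kdc_config` call it replaces was far less sensitive. Apache normally needs only the HTTP/ service key, so this is better made opt-in, e.g. `tunable_policy(\`httpd_use_keytab\`, \`kerberos_read_keytab(httpd_t)\`)` backed by a documented `gen_tunable`, with a note that deployments should keep the HTTP principal in a keytab of its own since the policy cannot distinguish keytab files by principal. The enclosing `optional_policy` block continues outside this hunk.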
@@ -4174,7 +4295,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.0.7/policy/modules/services/apcupsd.te
--- nsaserefpolicy/policy/modules/services/apcupsd.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/apcupsd.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/services/apcupsd.te 2007-09-10 10:56:09.000000000 -0400
@@ -16,6 +16,9 @@
type apcupsd_log_t;
logging_log_file(apcupsd_log_t)
@@ -4233,11 +4354,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu
libs_use_ld_so(apcupsd_t)
libs_use_shared_libs(apcupsd_t)
-@@ -62,3 +82,41 @@
+@@ -62,3 +82,43 @@
logging_send_syslog_msg(apcupsd_t)
miscfiles_read_localization(apcupsd_t)
+
++sysnet_dns_name_resolve(apcupsd_t)
++
+# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240805
+term_use_unallocated_ttys(apcupsd_t)
+
@@ -4362,7 +4485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
+/var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.0.7/policy/modules/services/bind.te
--- nsaserefpolicy/policy/modules/services/bind.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/bind.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/services/bind.te 2007-09-10 11:12:34.000000000 -0400
@@ -66,7 +66,6 @@
allow named_t self:unix_dgram_socket create_socket_perms;
allow named_t self:tcp_socket create_stream_socket_perms;
@@ -4380,7 +4503,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
# read zone files
allow named_t named_zone_t:dir list_dir_perms;
read_files_pattern(named_t,named_zone_t,named_zone_t)
-@@ -175,6 +176,10 @@
+@@ -119,6 +120,7 @@
+ corenet_sendrecv_dns_client_packets(named_t)
+ corenet_sendrecv_rndc_server_packets(named_t)
+ corenet_sendrecv_rndc_client_packets(named_t)
++corenet_udp_bind_all_unreserved_ports(named_t)
+
+ dev_read_sysfs(named_t)
+ dev_read_rand(named_t)
+@@ -175,6 +177,10 @@
')
optional_policy(`
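Review bot: `corenet_udp_bind_all_unreserved_ports(named_t)` lets named bind any unlabeled UDP port above the reserved range, a much wider grant than the dns and rndc ports around it, and nothing says why. If it is for randomized query source ports (the usual reason), a one-line justification would stop the next reviewer from tightening it back, e.g. `# named binds random unprivileged UDP source ports for outbound queries`. If the actual trigger was one specific denied port, a dedicated port type would be the narrower fix.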
@@ -4391,7 +4522,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
# this seems like fds that arent being
# closed. these should probably be
# dontaudits instead.
-@@ -184,14 +189,6 @@
+@@ -184,14 +190,6 @@
')
optional_policy(`
@@ -4406,7 +4537,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
seutil_sigchld_newrole(named_t)
')
-@@ -232,6 +229,7 @@
+@@ -232,6 +230,7 @@
corenet_tcp_sendrecv_all_nodes(ndc_t)
corenet_tcp_sendrecv_all_ports(ndc_t)
corenet_tcp_connect_rndc_port(ndc_t)
@@ -5576,18 +5707,475 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
+files_read_etc_files(dovecot_deliver_t)
+files_read_etc_runtime_files(dovecot_deliver_t)
+
-+libs_use_ld_so(dovecot_deliver_t)
-+libs_use_shared_libs(dovecot_deliver_t)
++libs_use_ld_so(dovecot_deliver_t)
++libs_use_shared_libs(dovecot_deliver_t)
++
++miscfiles_read_localization(dovecot_deliver_t)
++
++optional_policy(`
++ mta_manage_spool(dovecot_deliver_t)
+ ')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.fc serefpolicy-3.0.7/policy/modules/services/exim.fc
+--- nsaserefpolicy/policy/modules/services/exim.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.7/policy/modules/services/exim.fc 2007-09-10 12:01:03.000000000 -0400
+@@ -0,0 +1,6 @@
++
++/usr/sbin/exim -- gen_context(system_u:object_r:exim_exec_t,s0)
++/etc/rc.d/init.d/exim -- gen_context(system_u:object_r:exim_script_exec_t,s0)
++/var/run/exim.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
++/var/log/exim(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
++/var/spool/exim(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.0.7/policy/modules/services/exim.if
+--- nsaserefpolicy/policy/modules/services/exim.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.7/policy/modules/services/exim.if 2007-09-10 12:01:03.000000000 -0400
+@@ -0,0 +1,330 @@
++
++## policy for exim
++
++########################################
++##
++## Execute a domain transition to run exim.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`exim_domtrans',`
++ gen_require(`
++ type exim_t;
++ type exim_exec_t;
++ ')
++
++ domain_auto_trans($1,exim_exec_t,exim_t)
++
++ allow exim_t $1:fd use;
++ allow exim_t $1:fifo_file rw_file_perms;
++ allow exim_t $1:process sigchld;
++')
++
++
++########################################
++##
++## Execute exim server in the exim domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`exim_script_domtrans',`
++ gen_require(`
++ type exim_script_exec_t;
++ ')
++
++ init_script_domtrans_spec($1,exim_script_exec_t)
++')
++
++########################################
++##
++## Do not audit attempts to read,
++## exim tmp files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`exim_dontaudit_read_tmp_files',`
++ gen_require(`
++ type exim_tmp_t;
++ ')
++
++ dontaudit $1 exim_tmp_t:file r_file_perms;
++')
++
++########################################
++##
++## Allow domain to read, exim tmp files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`exim_read_tmp_files',`
++ gen_require(`
++ type exim_tmp_t;
++ ')
++
++ allow $1 exim_tmp_t:file r_file_perms;
++')
++
++########################################
++##
++## Allow domain to manage exim tmp files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`exim_manage_tmp',`
++ gen_require(`
++ type exim_tmp_t;
++ ')
++
++ manage_dir_perms($1,exim_tmp_t,exim_tmp_t)
++ manage_file_perms($1,exim_tmp_t,exim_tmp_t)
++ manage_lnk_file_perms($1,exim_tmp_t,exim_tmp_t)
++')
++
++########################################
++##
++## Read exim PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`exim_read_pid_files',`
++ gen_require(`
++ type exim_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 exim_var_run_t:file r_file_perms;
++')
++
++########################################
++##
++## Manage exim var_run files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`exim_manage_var_run',`
++ gen_require(`
++ type exim_var_run_t;
++ ')
++
++ manage_dir_perms($1,exim_var_run_t,exim_var_run_t)
++ manage_file_perms($1,exim_var_run_t,exim_var_run_t)
++ manage_lnk_file_perms($1,exim_var_run_t,exim_var_run_t)
++')
++
++
++########################################
++##
++## Allow the specified domain to read exim's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`exim_read_log',`
++ gen_require(`
++ type exim_log_t;
++ ')
++
++ logging_search_logs($1)
++ allow $1 exim_log_t:dir r_dir_perms;
++ allow $1 exim_log_t:file { read getattr lock };
++')
++
++########################################
++##
++## Allow the specified domain to append
++## exim log files.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`exim_append_log',`
++ gen_require(`
++ type var_log_t, exim_log_t;
++ ')
++
++ logging_search_logs($1)
++ allow $1 exim_log_t:dir r_dir_perms;
++ allow $1 exim_log_t:file { getattr append };
++')
++
++########################################
++##
++## Allow domain to manage exim log files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`exim_manage_log',`
++ gen_require(`
++ type exim_log_t;
++ ')
++
++ manage_dir_perms($1,exim_log_t,exim_log_t)
++ manage_file_perms($1,exim_log_t,exim_log_t)
++ manage_lnk_file_perms($1,exim_log_t,exim_log_t)
++')
++
++########################################
++##
++## Search exim spool directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`exim_search_spool',`
++ gen_require(`
++ type exim_spool_t;
++ ')
++
++ allow $1 exim_spool_t:dir search_dir_perms;
++ files_search_spool($1)
++')
++
++########################################
++##
++## Read exim spool files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`exim_read_spool_files',`
++ gen_require(`
++ type exim_spool_t;
++ ')
++
++ allow $1 exim_spool_t:file r_file_perms;
++ allow $1 exim_spool_t:dir list_dir_perms;
++ files_search_spool($1)
++')
++
++########################################
++##
++## Create, read, write, and delete
++## exim spool files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`exim_manage_spool_files',`
++ gen_require(`
++ type exim_spool_t;
++ ')
++
++ allow $1 exim_spool_t:file manage_file_perms;
++ allow $1 exim_spool_t:dir rw_dir_perms;
++ files_search_spool($1)
++')
++
++########################################
++##
++## Allow domain to manage exim spool files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`exim_manage_spool',`
++ gen_require(`
++ type exim_spool_t;
++ ')
++
++ manage_dir_perms($1,exim_spool_t,exim_spool_t)
++ manage_file_perms($1,exim_spool_t,exim_spool_t)
++ manage_lnk_file_perms($1,exim_spool_t,exim_spool_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate an exim environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed to manage the exim domain.
++##
++##
++##
++##
++## The type of the terminal allow the dmidecode domain to use.
++##
++##
++##
++#
++interface(`exim_admin',`
++ gen_require(`
++ type exim_t;
++ ')
++
++ allow $1 exim_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, exim_t, exim_t)
++
++
++ # Allow $1 to restart the apache service
++ exim_script_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 exim_script_exec_t system_r;
++ allow $2 system_r;
++
++ exim_manage_tmp($1)
++
++ exim_manage_var_run($1)
++
++ exim_manage_log($1)
++
++ exim_manage_spool($1)
++
++')
+Binary files nsaserefpolicy/policy/modules/services/exim.pp and serefpolicy-3.0.7/policy/modules/services/exim.pp differ
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.0.7/policy/modules/services/exim.te
+--- nsaserefpolicy/policy/modules/services/exim.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.7/policy/modules/services/exim.te 2007-09-10 15:45:46.000000000 -0400
+@@ -0,0 +1,108 @@
++policy_module(exim,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type exim_t;
++type exim_exec_t;
++domain_type(exim_t)
++init_daemon_domain(exim_t, exim_exec_t)
++
++type exim_script_exec_t;
++init_script_type(exim_script_exec_t)
++
++type exim_tmp_t;
++files_tmp_file(exim_tmp_t)
++
++type exim_var_run_t;
++files_pid_file(exim_var_run_t)
++
++type exim_log_t;
++logging_log_file(exim_log_t)
++
++type exim_spool_t;
++files_type(exim_spool_t)
++
++########################################
++#
++# exim local policy
++#
++
++allow exim_t self:capability { dac_override dac_read_search setuid setgid };
++
++## internal communication is often done using fifo and unix sockets.
++allow exim_t self:fifo_file rw_file_perms;
++allow exim_t self:unix_stream_socket create_stream_socket_perms;
++
++allow exim_t exim_tmp_t:file manage_file_perms;
++allow exim_t exim_tmp_t:dir create_dir_perms;
++files_tmp_filetrans(exim_t,exim_tmp_t, { file dir })
++
++allow exim_t exim_var_run_t:file manage_file_perms;
++allow exim_t exim_var_run_t:dir manage_dir_perms;
++files_pid_filetrans(exim_t,exim_var_run_t, { file dir })
++
++allow exim_t exim_log_t:file manage_file_perms;
++allow exim_t exim_log_t:dir { rw_dir_perms setattr };
++logging_log_filetrans(exim_t,exim_log_t,{ file dir })
++
++allow exim_t exim_spool_t:dir manage_dir_perms;
++allow exim_t exim_spool_t:file manage_file_perms;
++allow exim_t exim_spool_t:sock_file create_file_perms;
++files_spool_filetrans(exim_t,exim_spool_t, { file dir sock_file })
++
++auth_use_nsswitch(exim_t)
++
++can_exec(exim_t,exim_exec_t)
++
++# Init script handling
++domain_use_interactive_fds(exim_t)
++
++files_read_etc_files(exim_t)
++
++sysnet_dns_name_resolve(exim_t)
++corenet_all_recvfrom_unlabeled(exim_t)
++
++allow exim_t self:tcp_socket create_stream_socket_perms;
++corenet_tcp_sendrecv_all_if(exim_t)
++corenet_tcp_sendrecv_all_nodes(exim_t)
++corenet_tcp_sendrecv_all_ports(exim_t)
++corenet_tcp_bind_all_nodes(exim_t)
++corenet_tcp_bind_smtp_port(exim_t)
++corenet_tcp_bind_amavisd_send_port(exim_t)
++corenet_tcp_connect_auth_port(exim_t)
++corenet_tcp_connect_inetd_child_port(exim_t)
++
++corecmd_search_bin(exim_t)
++
++libs_use_ld_so(exim_t)
++libs_use_shared_libs(exim_t)
++logging_send_syslog_msg(exim_t)
++
++miscfiles_read_localization(exim_t)
++
++kernel_read_kernel_sysctls(exim_t)
++
++mta_mailclient(exim_exec_t)
++mta_read_aliases(exim_t)
++mta_rw_spool(exim_t)
++
++userdom_dontaudit_search_sysadm_home_dirs(exim_t)
++userdom_dontaudit_search_generic_user_home_dirs(exim_t)
+
-+miscfiles_read_localization(dovecot_deliver_t)
++bool exim_read_user_files false;
++bool exim_manage_user_files false;
+
-+optional_policy(`
-+ mta_manage_spool(dovecot_deliver_t)
- ')
++if (exim_read_user_files) {
++ userdom_read_unpriv_users_home_content_files(exim_t)
++ userdom_read_unpriv_users_tmp_files(exim_t)
++}
++
++if (exim_manage_user_files) {
++ userdom_manage_unpriv_users_home_content_dirs(exim_t)
++ userdom_read_unpriv_users_tmp_files(exim_t)
++ userdom_write_unpriv_users_tmp_files(exim_t)
++}
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.0.7/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/ftp.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/services/ftp.te 2007-09-10 14:54:57.000000000 -0400
@@ -88,6 +88,7 @@
allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
allow ftpd_t self:tcp_socket create_stream_socket_perms;
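Review bot: exim_t can bind the smtp port and sendrecv on all ports, but nothing in exim.te grants `corenet_tcp_connect_smtp_port(exim_t)`, so outbound delivery or relaying to remote MTAs will be denied in enforcing mode unless every message is handed off locally. The two booleans are declared with bare `bool ... false;` and `if` blocks rather than `gen_tunable`/`tunable_policy`, so they get no description in the generated docs and do not follow the convention used elsewhere in this patch, and `exim_manage_user_files` manages home content *dirs* plus users' tmp files but never home content files, so Maildir-style delivery into a home directory would still fail if that is what the boolean is for. exim.if carries copy-paste text that should be fixed: `# Allow $1 to restart the apache service` and `## The type of the terminal allow the dmidecode domain to use.` in `exim_admin`, and `## Domain to not audit.` on several plain allow interfaces (`exim_read_tmp_files`, `exim_manage_tmp`, `exim_manage_log`, `exim_manage_spool`). The `mta_mailclient`, `mta_read_aliases` and `mta_rw_spool` calls are unconditional; if the mta module can be absent from a build they belong in `optional_policy`. The network fix and the tunable conversion together look like this:
```selinux
corenet_tcp_bind_smtp_port(exim_t)
# outbound delivery / relaying to remote MTAs
corenet_tcp_connect_smtp_port(exim_t)
# … unchanged: remaining corenet, libs, logging, mta_*, userdom dontaudit rules …

## Allow exim to read unprivileged users' home content and tmp files
## (wrap in the usual XML description block).
gen_tunable(exim_read_user_files, false)
## Allow exim to manage unprivileged users' home directories and tmp files.
gen_tunable(exim_manage_user_files, false)

tunable_policy(`exim_read_user_files',`
	userdom_read_unpriv_users_home_content_files(exim_t)
	userdom_read_unpriv_users_tmp_files(exim_t)
')

tunable_policy(`exim_manage_user_files',`
	userdom_manage_unpriv_users_home_content_dirs(exim_t)
	userdom_read_unpriv_users_tmp_files(exim_t)
	userdom_write_unpriv_users_tmp_files(exim_t)
')
```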
@@ -5629,6 +6217,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
')
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
+@@ -252,7 +264,9 @@
+ ')
+
+ optional_policy(`
++ kerberos_use(ftpd_t)
+ kerberos_read_keytab(ftpd_t)
++ kerberos_manage_host_rcache(ftpd_t)
+ ')
+
+ optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.0.7/policy/modules/services/hal.fc
--- nsaserefpolicy/policy/modules/services/hal.fc 2007-05-30 11:47:29.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/hal.fc 2007-09-06 15:43:06.000000000 -0400
@@ -5863,8 +6461,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
+dev_rw_input_dev(hald_keymap_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.0.7/policy/modules/services/inetd.te
--- nsaserefpolicy/policy/modules/services/inetd.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/inetd.te 2007-09-06 15:43:06.000000000 -0400
-@@ -80,16 +80,21 @@
++++ serefpolicy-3.0.7/policy/modules/services/inetd.te 2007-09-10 16:31:50.000000000 -0400
+@@ -53,6 +53,8 @@
+ allow inetd_t inetd_var_run_t:file manage_file_perms;
+ files_pid_filetrans(inetd_t,inetd_var_run_t,file)
+
++auth_search_key(inetd_t)
++
+ kernel_read_kernel_sysctls(inetd_t)
+ kernel_list_proc(inetd_t)
+ kernel_read_proc_symlinks(inetd_t)
+@@ -80,16 +82,21 @@
corenet_udp_bind_comsat_port(inetd_t)
corenet_tcp_bind_dbskkd_port(inetd_t)
corenet_udp_bind_dbskkd_port(inetd_t)
@@ -5886,7 +6493,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
corenet_udp_bind_tftp_port(inetd_t)
corenet_tcp_bind_ssh_port(inetd_t)
-@@ -135,14 +140,19 @@
+@@ -135,14 +142,19 @@
mls_fd_use_all_levels(inetd_t)
mls_fd_share_all_levels(inetd_t)
mls_socket_read_to_clearance(inetd_t)
@@ -5907,7 +6514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
optional_policy(`
amanda_search_lib(inetd_t)
')
-@@ -172,6 +182,9 @@
+@@ -172,6 +184,9 @@
# for identd
allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow inetd_child_t self:capability { setuid setgid };
@@ -5917,7 +6524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
files_search_home(inetd_child_t)
manage_dirs_pattern(inetd_child_t,inetd_child_tmp_t,inetd_child_tmp_t)
-@@ -214,13 +227,10 @@
+@@ -214,13 +229,10 @@
')
optional_policy(`
@@ -5933,9 +6540,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
unconfined_domain(inetd_child_t)
+ inetd_service_domain(inetd_child_t,bin_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.0.7/policy/modules/services/kerberos.fc
+--- nsaserefpolicy/policy/modules/services/kerberos.fc 2007-05-29 14:10:57.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/services/kerberos.fc 2007-09-10 14:42:55.000000000 -0400
+@@ -16,3 +16,4 @@
+
+ /var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0)
+ /var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0)
++/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.0.7/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/kerberos.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/services/kerberos.if 2007-09-10 17:37:40.000000000 -0400
@@ -42,6 +42,10 @@
dontaudit $1 krb5_conf_t:file write;
dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
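Review bot: The new kerberos.fc entry labels exactly `/var/tmp/host_0`, which (assuming the MIT `<service>_<euid>` replay-cache naming) covers only the host principal's cache when the service runs as root; a daemon that drops to another uid creates `host_<uid>` as plain tmp_t and `kerberos_manage_host_rcache` will not reach it. A pattern such as `/var/tmp/host_[0-9]+ -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)` keeps the type scoped to the host principal while not depending on euid 0. Whether non-host service caches should get their own type is a separate question, but worth a comment here.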
@@ -5947,10 +6562,46 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
tunable_policy(`allow_kerberos',`
allow $1 self:tcp_socket create_socket_perms;
+@@ -172,3 +176,25 @@
+ allow $1 krb5kdc_conf_t:file read_file_perms;
+
+ ')
++
++########################################
++##
++## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`kerberos_manage_host_rcache',`
++ gen_require(`
++ type krb5_host_rcache_t;
++ ')
++
++ files_search_tmp($1)
++ allow $1 self:process setfscreate;
++ seutil_read_file_contexts($1)
++ allow $1 krb5_host_rcache_t:file manage_file_perms;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.0.7/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/kerberos.te 2007-09-07 10:31:47.000000000 -0400
-@@ -62,7 +62,7 @@
++++ serefpolicy-3.0.7/policy/modules/services/kerberos.te 2007-09-10 14:42:59.000000000 -0400
+@@ -54,6 +54,9 @@
+ type krb5kdc_var_run_t;
+ files_pid_file(krb5kdc_var_run_t)
+
++type krb5_host_rcache_t;
++files_tmp_file(krb5_host_rcache_t)
++
+ ########################################
+ #
+ # kadmind local policy
+@@ -62,7 +65,7 @@
# Use capabilities. Surplus capabilities may be allowed.
allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
dontaudit kadmind_t self:capability sys_tty_config;
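Review bot: The summary on `kerberos_manage_host_rcache` says `## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).`, copied from the interface above it; it should describe what the body does, e.g. `## Create, read, write and delete the kerberos host replay cache in /var/tmp.`. The interface also grants `self:process setfscreate` and file_contexts read, and there is no `files_tmp_filetrans`, so it only works for callers that set their own file-create context (presumably libkrb5 does this); a comment such as `# callers label the rcache themselves via setfscreatecon; no filetrans on tmp_t` would record that expectation and explain the otherwise surprising setfscreate grant to services like ftpd_t.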
@@ -5959,7 +6610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
allow kadmind_t self:unix_dgram_socket { connect create write };
allow kadmind_t self:tcp_socket connected_stream_socket_perms;
-@@ -91,6 +91,7 @@
+@@ -91,6 +94,7 @@
kernel_read_kernel_sysctls(kadmind_t)
kernel_list_proc(kadmind_t)
kernel_read_proc_symlinks(kadmind_t)
@@ -5967,7 +6618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
corenet_all_recvfrom_unlabeled(kadmind_t)
corenet_all_recvfrom_netlabel(kadmind_t)
-@@ -118,6 +119,9 @@
+@@ -118,6 +122,9 @@
domain_use_interactive_fds(kadmind_t)
files_read_etc_files(kadmind_t)
@@ -5977,7 +6628,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
libs_use_ld_so(kadmind_t)
libs_use_shared_libs(kadmind_t)
-@@ -127,6 +131,7 @@
+@@ -127,6 +134,7 @@
miscfiles_read_localization(kadmind_t)
sysnet_read_config(kadmind_t)
@@ -5985,7 +6636,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
userdom_dontaudit_search_sysadm_home_dirs(kadmind_t)
-@@ -137,6 +142,7 @@
+@@ -137,6 +145,7 @@
optional_policy(`
seutil_sigchld_newrole(kadmind_t)
@@ -5993,7 +6644,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
')
optional_policy(`
-@@ -151,7 +157,7 @@
+@@ -151,7 +160,7 @@
# Use capabilities. Surplus capabilities may be allowed.
allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
dontaudit krb5kdc_t self:capability sys_tty_config;
@@ -6002,7 +6653,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
allow krb5kdc_t self:udp_socket create_socket_perms;
-@@ -223,6 +229,7 @@
+@@ -223,6 +232,7 @@
miscfiles_read_localization(krb5kdc_t)
sysnet_read_config(krb5kdc_t)
@@ -6010,7 +6661,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
-@@ -233,6 +240,7 @@
+@@ -233,6 +243,7 @@
optional_policy(`
seutil_sigchld_newrole(krb5kdc_t)
@@ -6169,7 +6820,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
+files_type(mailscanner_spool_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.0.7/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/mta.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/services/mta.if 2007-09-10 15:34:04.000000000 -0400
@@ -226,6 +226,15 @@
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files($1_mail_t)
@@ -6186,7 +6837,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
optional_policy(`
-@@ -392,6 +401,7 @@
+@@ -314,6 +323,24 @@
+
+ ########################################
+ ##
++## Make the specified type usable for a mta_send_mail.
++##
++##
++##
++## Type to be used as a mail client.
++##
++##
++#
++interface(`mta_mailclient',`
++ gen_require(`
++ attribute mailclient_exec_type;
++ ')
++
++ typeattribute $1 mailclient_exec_type;
++')
++
++########################################
++##
+ ## Modified mailserver interface for
+ ## sendmail daemon use.
+ ##
+@@ -392,6 +419,7 @@
allow $1 mail_spool_t:dir list_dir_perms;
create_files_pattern($1,mail_spool_t,mail_spool_t)
read_files_pattern($1,mail_spool_t,mail_spool_t)
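Review bot: The summary `## Make the specified type usable for a mta_send_mail.` is ungrammatical and does not say what the attribute does; I would write `## Mark an executable type as a mail client: domains using mta_send_mail transition to system_mail_t when executing it.`. It is worth adding a caveat that, because `mta_send_mail` applies its transition to every `mailclient_exec_type`, tagging a full MTA daemon binary (as exim.te does in this patch) makes that binary run as system_mail_t for every sending domain, so system_mail_t must cover whatever the daemon does in submission mode.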
@@ -6194,7 +6870,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
create_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
-@@ -595,6 +605,25 @@
+@@ -447,11 +475,12 @@
+ interface(`mta_send_mail',`
+ gen_require(`
+ attribute mta_user_agent;
+- type system_mail_t, sendmail_exec_t;
++ type system_mail_t;
++ attribute mailclient_exec_type;
+ ')
+
+- allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms;
+- domain_auto_trans($1, sendmail_exec_t, system_mail_t)
++ allow $1 mailclient_exec_type:lnk_file read_lnk_file_perms;
++ domain_auto_trans($1, mailclient_exec_type, system_mail_t)
+
+ allow $1 system_mail_t:fd use;
+ allow system_mail_t $1:fd use;
+@@ -461,6 +490,7 @@
+ allow mta_user_agent $1:fd use;
+ allow mta_user_agent $1:process sigchld;
+ allow mta_user_agent $1:fifo_file { read write };
++
+ ')
+
+ ########################################
+@@ -595,6 +625,25 @@
files_search_etc($1)
allow $1 etc_aliases_t:file { rw_file_perms setattr };
')
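Review bot: The `++` blank line inserted just before the closing `')` of `mta_send_mail` (after `allow mta_user_agent $1:fifo_file { read write };`) is trailing whitespace inside the interface body and should be dropped. Replacing `domain_auto_trans($1, sendmail_exec_t, system_mail_t)` with `domain_auto_trans($1, mailclient_exec_type, system_mail_t)` means a caller now receives a process type_transition for every type that is ever given the attribute, which is no longer visible at this call site; a comment such as `# every mailclient_exec_type executable transitions callers to system_mail_t` above that line would make the widening explicit to readers. The interface is complete within the hunk.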
@@ -6222,8 +6922,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.7/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/mta.te 2007-09-06 15:43:06.000000000 -0400
-@@ -44,6 +44,7 @@
++++ serefpolicy-3.0.7/policy/modules/services/mta.te 2007-09-10 15:33:31.000000000 -0400
+@@ -6,6 +6,7 @@
+ # Declarations
+ #
+
++attribute mailclient_exec_type;
+ attribute mta_user_agent;
+ attribute mailserver_delivery;
+ attribute mailserver_domain;
+@@ -27,6 +28,7 @@
+
+ type sendmail_exec_t;
+ application_executable_file(sendmail_exec_t)
++mta_mailclient(sendmail_exec_t)
+
+ mta_base_mail_template(system)
+ role system_r types system_mail_t;
+@@ -44,6 +46,7 @@
kernel_read_system_state(system_mail_t)
kernel_read_network_state(system_mail_t)
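Review bot: `mta_mailclient(sendmail_exec_t)` in mta.te calls the module's own interface although `mailclient_exec_type` is declared a few lines above in the same file; the direct statement `typeattribute sendmail_exec_t mailclient_exec_type;` expresses the same thing without the self-call, which refpolicy style, as far as I recall, discourages. In either form a short comment like `# sendmail is the default mail client entrypoint for mta_send_mail` would record why sendmail_exec_t receives the attribute here. The declarations section continues outside the hunk.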
@@ -6231,7 +6947,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
dev_read_rand(system_mail_t)
dev_read_urand(system_mail_t)
-@@ -51,16 +52,46 @@
+@@ -51,16 +54,46 @@
userdom_use_sysadm_terms(system_mail_t)
userdom_dontaudit_search_sysadm_home_dirs(system_mail_t)
@@ -6278,7 +6994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
optional_policy(`
-@@ -73,6 +104,7 @@
+@@ -73,6 +106,7 @@
optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
@@ -7725,7 +8441,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.0.7/policy/modules/services/rlogin.te
--- nsaserefpolicy/policy/modules/services/rlogin.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/rlogin.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/services/rlogin.te 2007-09-10 17:48:31.000000000 -0400
@@ -65,6 +65,7 @@
fs_search_auto_mountpoints(rlogind_t)
@@ -7734,6 +8450,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog
auth_rw_login_records(rlogind_t)
auth_use_nsswitch(rlogind_t)
+@@ -82,7 +83,7 @@
+
+ miscfiles_read_localization(rlogind_t)
+
+-seutil_dontaudit_search_config(rlogind_t)
++seutil_read_config(rlogind_t)
+
+ sysnet_read_config(rlogind_t)
+
+@@ -93,7 +94,9 @@
+ remotelogin_domtrans(rlogind_t)
+
+ optional_policy(`
++ kerberos_use(rlogind_t)
+ kerberos_read_keytab(rlogind_t)
++ kerberos_manage_host_rcache(rlogind_t)
+ ')
+
+ ifdef(`TODO',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.0.7/policy/modules/services/rpcbind.te
--- nsaserefpolicy/policy/modules/services/rpcbind.te 2007-07-03 07:06:27.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/rpcbind.te 2007-09-06 15:43:06.000000000 -0400
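Review bot: Replacing `seutil_dontaudit_search_config(rlogind_t)` with `seutil_read_config(rlogind_t)` turns a silenced denial into a real grant of read access to the SELinux configuration, and `kerberos_manage_host_rcache(rlogind_t)` lets the daemon create and remove entries in the host replay cache; neither new line carries a why-comment. Suggest `# reads the SELinux config to set up the login context` on the seutil line and `# krb5 replay cache for the host/ principal` on the rcache line, both to be confirmed against the denials that motivated them, since those are not in the patch. The same pair of changes appears in the rshd.te hunk (`kerberos_read_keytab`/`kerberos_manage_host_rcache`), the ssh.if hunk (`kerberos_manage_host_rcache($1_t)`, whose enclosing template starts outside that hunk) and the telnet.te hunk (`seutil_read_config`, `kerberos_manage_host_rcache`), and the same comments would apply there. The rlogind local-policy section starts before this hunk.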
@@ -7850,8 +8585,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
userdom_read_unpriv_users_tmp_files(gssd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.0.7/policy/modules/services/rshd.te
--- nsaserefpolicy/policy/modules/services/rshd.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/rshd.te 2007-09-06 15:43:06.000000000 -0400
-@@ -11,6 +11,7 @@
++++ serefpolicy-3.0.7/policy/modules/services/rshd.te 2007-09-10 16:54:18.000000000 -0400
+@@ -11,15 +11,17 @@
domain_subj_id_change_exemption(rshd_t)
domain_role_change_exemption(rshd_t)
role system_r types rshd_t;
@@ -7859,7 +8594,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd
########################################
#
-@@ -33,6 +34,8 @@
+ # Local policy
+ #
+-allow rshd_t self:capability { setuid setgid fowner fsetid chown dac_override };
++allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override };
+ allow rshd_t self:process { signal_perms fork setsched setpgid setexec };
+ allow rshd_t self:fifo_file rw_fifo_file_perms;
+ allow rshd_t self:tcp_socket create_stream_socket_perms;
++allow rshd_t self:key {search write link};
+
+ kernel_read_kernel_sysctls(rshd_t)
+
+@@ -33,6 +35,8 @@
corenet_udp_sendrecv_all_ports(rshd_t)
corenet_tcp_bind_all_nodes(rshd_t)
corenet_tcp_bind_rsh_port(rshd_t)
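Review bot: The new `kill` in `allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override };` grants CAP_KILL, i.e. the ability to signal processes of any uid, and the new kernel-keyring rule has no comment saying what it serves; both deserve a why-comment, e.g. `# CAP_KILL: signal the session child after uid change` above the capability line and `# keyring access for credential caches` above the key line, to be confirmed against the denials that prompted them. Stylistically, `allow rshd_t self:key {search write link};` should be written `allow rshd_t self:key { search write link };` to match the brace spacing of the surrounding permission sets. The rshd local-policy section continues outside the hunk.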
@@ -7868,23 +8614,59 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd
corenet_sendrecv_rsh_server_packets(rshd_t)
dev_read_urand(rshd_t)
-@@ -44,7 +47,9 @@
+@@ -44,26 +48,31 @@
selinux_compute_relabel_context(rshd_t)
selinux_compute_user_contexts(rshd_t)
+auth_use_nsswitch(rshd_t)
auth_domtrans_chk_passwd(rshd_t)
+auth_domtrans_upd_passwd_chk(rshd_t)
++auth_search_key(rshd_t)
++auth_write_login_records(rshd_t)
corecmd_read_bin_symlinks(rshd_t)
-@@ -85,6 +90,5 @@
+ files_list_home(rshd_t)
+ files_read_etc_files(rshd_t)
+-files_search_tmp(rshd_t)
++files_manage_generic_tmp_dirs(rshd_t)
++
++init_rw_utmp(rshd_t)
+
+ libs_use_ld_so(rshd_t)
+ libs_use_shared_libs(rshd_t)
+
+ logging_send_syslog_msg(rshd_t)
++logging_search_logs(rshd_t)
+
+ miscfiles_read_localization(rshd_t)
+
+ seutil_read_config(rshd_t)
+ seutil_read_default_contexts(rshd_t)
+
+-sysnet_read_config(rshd_t)
+-
+ userdom_search_all_users_home_content(rshd_t)
+
+ tunable_policy(`use_nfs_home_dirs',`
+@@ -78,13 +87,12 @@
+
+ optional_policy(`
+ kerberos_use(rshd_t)
++ kerberos_read_keytab(rshd_t)
++ kerberos_manage_host_rcache(rshd_t)
')
optional_policy(`
+- nscd_socket_use(rshd_t)
+-')
+-
+-optional_policy(`
- unconfined_domain(rshd_t)
unconfined_shell_domtrans(rshd_t)
++ unconfined_signal(rshd_t)
')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.0.7/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/rsync.te 2007-09-06 15:43:06.000000000 -0400
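Review bot: `files_manage_generic_tmp_dirs(rshd_t)` replaces the narrower `files_search_tmp(rshd_t)` with create/delete/rename rights over every generic tmp_t directory, which is more than a remote-login daemon should need for its own scratch space; if rshd only creates its own directory under /tmp, a private type (`type rshd_tmp_t; files_tmp_file(rshd_tmp_t)` plus `files_tmp_filetrans(rshd_t, rshd_tmp_t, dir)`) keeps it away from other domains' temporary files — hedged, since the denial that prompted the change is not in the patch. The `++` blank line added after the final `')` leaves a trailing empty line at the end of rshd.te and should be dropped. The enclosing local-policy section starts before the hunk.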
@@ -7986,8 +8768,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho
corenet_all_recvfrom_unlabeled(rwho_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.0.7/policy/modules/services/samba.fc
--- nsaserefpolicy/policy/modules/services/samba.fc 2007-06-19 16:23:34.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/samba.fc 2007-09-06 15:43:06.000000000 -0400
-@@ -30,6 +30,8 @@
++++ serefpolicy-3.0.7/policy/modules/services/samba.fc 2007-09-10 14:04:38.000000000 -0400
+@@ -15,6 +15,7 @@
+ /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
+ /usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0)
+ /usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0)
++/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
+ /usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0)
+
+ /usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0)
+@@ -30,6 +31,8 @@
/var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
/var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
@@ -7998,7 +8788,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
/var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.0.7/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2007-06-19 16:23:35.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/samba.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/services/samba.if 2007-09-10 14:06:00.000000000 -0400
@@ -349,6 +349,7 @@
files_search_var($1)
files_search_var_lib($1)
@@ -8007,7 +8797,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
')
########################################
-@@ -493,3 +494,52 @@
+@@ -493,3 +494,102 @@
allow $1 samba_var_t:dir search_dir_perms;
stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t)
')
@@ -8060,10 +8850,72 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+ read_files_pattern($1, samba_share_t, samba_share_t)
+')
+
++########################################
++##
++## Execute a domain transition to run smbcontrol.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`samba_domtrans_smbcontrol',`
++ gen_require(`
++ type smbcontrol_t;
++ type smbcontrol_exec_t;
++ ')
++
++ domtrans_pattern($1,smbcontrol_exec_t,smbcontrol_t)
++')
++
++
++########################################
++##
++## Execute smbcontrol in the smbcontrol domain, and
++## allow the specified role the smbcontrol domain.
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The role to be allowed the smbcontrol domain.
++##
++##
++##
++##
++## The type of the role's terminal.
++##
++##
++#
++interface(`samba_run_smbcontrol',`
++ gen_require(`
++ type smbcontrol_t;
++ ')
++
++ samba_domtrans_smbcontrol($1)
++ role $2 types smbcontrol_t;
++ dontaudit smbcontrol_t $3:chr_file rw_term_perms;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.7/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/samba.te 2007-09-06 15:43:06.000000000 -0400
-@@ -190,6 +190,8 @@
++++ serefpolicy-3.0.7/policy/modules/services/samba.te 2007-09-10 14:03:09.000000000 -0400
+@@ -137,6 +137,11 @@
+ type winbind_var_run_t;
+ files_pid_file(winbind_var_run_t)
+
++type smbcontrol_t;
++type smbcontrol_exec_t;
++application_domain(smbcontrol_t, smbcontrol_exec_t)
++role system_r types smbcontrol_t;
++
+ ########################################
+ #
+ # Samba net local policy
+@@ -190,6 +195,8 @@
miscfiles_read_localization(samba_net_t)
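Review bot: `samba_run_smbcontrol` ends with `dontaudit smbcontrol_t $3:chr_file rw_term_perms;`, which silences rather than grants terminal access, so smbcontrol started from a role's shell would have its tty output denied without even an audit record; the sibling run interface visible in this patch (`sendmail_run`, shown as context in the sendmail.if hunk) uses `allow ... $3:chr_file rw_term_perms;`, and that is probably what is intended here unless smbcontrol's terminal writes are known to be unwanted. There is also a doubled blank line between the end of `samba_domtrans_smbcontrol` and the following banner, which should be a single blank. Both interfaces are complete within the hunk, and the smbcontrol_t/smbcontrol_exec_t declaration in the samba.te part of the same hunk matches the domtrans pattern they use.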
@@ -8072,7 +8924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
sysnet_read_config(samba_net_t)
sysnet_use_ldap(samba_net_t)
-@@ -226,8 +228,8 @@
+@@ -226,8 +233,8 @@
allow smbd_t samba_etc_t:file { rw_file_perms setattr };
@@ -8083,7 +8935,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
allow smbd_t samba_log_t:dir setattr;
dontaudit smbd_t samba_log_t:dir remove_name;
-@@ -298,6 +300,7 @@
+@@ -298,6 +305,7 @@
auth_use_nsswitch(smbd_t)
auth_domtrans_chk_passwd(smbd_t)
@@ -8091,7 +8943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
domain_use_interactive_fds(smbd_t)
domain_dontaudit_list_all_domains_state(smbd_t)
-@@ -350,6 +353,14 @@
+@@ -350,6 +358,14 @@
')
optional_policy(`
@@ -8106,7 +8958,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
cups_read_rw_config(smbd_t)
cups_stream_connect(smbd_t)
')
-@@ -533,6 +544,7 @@
+@@ -533,6 +549,7 @@
storage_raw_write_fixed_disk(smbmount_t)
term_list_ptys(smbmount_t)
@@ -8114,7 +8966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
corecmd_list_bin(smbmount_t)
-@@ -556,6 +568,11 @@
+@@ -556,6 +573,11 @@
sysnet_read_config(smbmount_t)
userdom_use_all_users_fds(smbmount_t)
@@ -8126,7 +8978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
optional_policy(`
nis_use_ypbind(smbmount_t)
-@@ -570,15 +587,18 @@
+@@ -570,15 +592,18 @@
# SWAT Local policy
#
@@ -8148,7 +9000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
rw_files_pattern(swat_t,samba_etc_t,samba_etc_t)
-@@ -597,7 +617,9 @@
+@@ -597,7 +622,9 @@
manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
files_pid_filetrans(swat_t,swat_var_run_t,file)
@@ -8159,7 +9011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -622,17 +644,20 @@
+@@ -622,17 +649,20 @@
dev_read_urand(swat_t)
@@ -8180,7 +9032,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
logging_search_logs(swat_t)
miscfiles_read_localization(swat_t)
-@@ -660,6 +685,24 @@
+@@ -660,6 +690,24 @@
nscd_socket_use(swat_t)
')
@@ -8205,7 +9057,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
########################################
#
# Winbind local policy
-@@ -672,7 +715,6 @@
+@@ -672,7 +720,6 @@
allow winbind_t self:fifo_file { read write };
allow winbind_t self:unix_dgram_socket create_socket_perms;
allow winbind_t self:unix_stream_socket create_stream_socket_perms;
@@ -8213,7 +9065,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
allow winbind_t self:tcp_socket create_stream_socket_perms;
allow winbind_t self:udp_socket create_socket_perms;
-@@ -709,6 +751,8 @@
+@@ -709,6 +756,8 @@
manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
files_pid_filetrans(winbind_t,winbind_var_run_t,file)
@@ -8222,7 +9074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
kernel_read_kernel_sysctls(winbind_t)
kernel_list_proc(winbind_t)
kernel_read_proc_symlinks(winbind_t)
-@@ -733,7 +777,9 @@
+@@ -733,7 +782,9 @@
fs_getattr_all_fs(winbind_t)
fs_search_auto_mountpoints(winbind_t)
@@ -8232,7 +9084,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
domain_use_interactive_fds(winbind_t)
-@@ -746,9 +792,6 @@
+@@ -746,9 +797,6 @@
miscfiles_read_localization(winbind_t)
@@ -8242,7 +9094,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
userdom_dontaudit_use_unpriv_user_fds(winbind_t)
userdom_dontaudit_search_sysadm_home_dirs(winbind_t)
userdom_priveleged_home_dir_manager(winbind_t)
-@@ -758,10 +801,6 @@
+@@ -758,10 +806,6 @@
')
optional_policy(`
@@ -8253,7 +9105,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
seutil_sigchld_newrole(winbind_t)
')
-@@ -804,6 +843,7 @@
+@@ -804,6 +848,7 @@
optional_policy(`
squid_read_log(winbind_helper_t)
squid_append_log(winbind_helper_t)
@@ -8261,6 +9113,43 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
')
########################################
+@@ -828,3 +873,36 @@
+ domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
+ ')
+ ')
++
++########################################
++#
++# smbcontrol local policy
++#
++
++## internal communication is often done using fifo and unix sockets.
++allow smbcontrol_t self:fifo_file rw_file_perms;
++allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
++
++files_read_etc_files(smbcontrol_t)
++
++libs_use_ld_so(smbcontrol_t)
++libs_use_shared_libs(smbcontrol_t)
++
++miscfiles_read_localization(smbcontrol_t)
++
++files_search_var_lib(smbcontrol_t)
++samba_read_config(smbcontrol_t)
++samba_rw_var_files(smbcontrol_t)
++samba_search_var(smbcontrol_t)
++samba_read_winbind_pid(smbcontrol_t)
++
++allow smbcontrol_t smbd_t:process signal;
++allow smbd_t smbcontrol_t:process { signal signull };
++
++allow nmbd_t smbcontrol_t:process signal;
++allow smbcontrol_t nmbd_t:process { signal signull };
++
++allow smbcontrol_t winbind_t:process { signal signull };
++allow winbind_t smbcontrol_t:process signal;
++
++allow smbcontrol_t nmbd_var_run_t:file { read lock };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.0.7/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/sasl.te 2007-09-06 15:43:06.000000000 -0400
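Review bot: `allow smbcontrol_t self:fifo_file rw_file_perms;` applies the regular-file permission set to a fifo; the conventional set for that class is `rw_fifo_file_perms`, as used for rshd_t and sendmail_t elsewhere in this patch, so the line should read `allow smbcontrol_t self:fifo_file rw_fifo_file_perms;`. The comment above it starts with `##`, which the refpolicy documentation extractor treats as XML doc markup; a plain `#` comment keeps it out of the generated docs. The signal/signull rules between smbcontrol_t and smbd_t, nmbd_t and winbind_t are the tool's whole purpose, but a one-line `# smbcontrol sends control signals to the samba daemons` would make that explicit; the section is complete within the hunk.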
@@ -8274,8 +9163,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl
domain_use_interactive_fds(saslauthd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.0.7/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if 2007-05-30 11:47:29.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/sendmail.if 2007-09-06 15:43:06.000000000 -0400
-@@ -131,3 +131,51 @@
++++ serefpolicy-3.0.7/policy/modules/services/sendmail.if 2007-09-10 16:44:21.000000000 -0400
+@@ -131,3 +131,102 @@
logging_log_filetrans($1,sendmail_log_t,file)
')
@@ -8327,10 +9216,78 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
+ role $2 types sendmail_t;
+ allow sendmail_t $3:chr_file rw_term_perms;
+')
++
++########################################
++##
++## Execute sendmail in the unconfined sendmail domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sendmail_domtrans_unconfined',`
++ gen_require(`
++ type unconfined_sendmail_t, sendmail_exec_t;
++ ')
++
++ domtrans_pattern($1,sendmail_exec_t,unconfined_sendmail_t)
++')
++
++########################################
++##
++## Execute sendmail in the unconfined sendmail domain, and
++## allow the specified role the unconfined sendmail domain,
++## and use the caller's terminal.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed the unconfined sendmail domain.
++##
++##
++##
++##
++## The type of the terminal allow the unconfined sendmail domain to use.
++##
++##
++##
++#
++interface(`sendmail_run_unconfined',`
++ gen_require(`
++ type unconfined_sendmail_t;
++ ')
++
++ sendmail_domtrans_unconfined($1)
++ role $2 types unconfined_sendmail_t;
++ allow unconfined_sendmail_t $3:chr_file rw_file_perms;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.0.7/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/sendmail.te 2007-09-06 15:43:06.000000000 -0400
-@@ -32,7 +32,6 @@
++++ serefpolicy-3.0.7/policy/modules/services/sendmail.te 2007-09-10 16:39:01.000000000 -0400
+@@ -20,19 +20,22 @@
+ mta_mailserver_delivery(sendmail_t)
+ mta_mailserver_sender(sendmail_t)
+
++type unconfined_sendmail_t;
++application_domain(unconfined_sendmail_t,sendmail_exec_t)
++role system_r types unconfined_sendmail_t;
++
+ ########################################
+ #
+ # Sendmail local policy
+ #
+
+-allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config };
++allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config };
+ allow sendmail_t self:process signal;
+ allow sendmail_t self:fifo_file rw_fifo_file_perms;
+ allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
allow sendmail_t self:unix_dgram_socket create_socket_perms;
allow sendmail_t self:tcp_socket create_stream_socket_perms;
allow sendmail_t self:udp_socket create_socket_perms;
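Review bot: `sendmail_domtrans_unconfined` installs a process type_transition from `sendmail_exec_t` to `unconfined_sendmail_t`, while the mta.if/mta.te hunks above make `sendmail_exec_t` a `mailclient_exec_type` through which callers of `mta_send_mail` transition to `system_mail_t`; any domain that ends up calling both (unconfined_t is switched to `sendmail_run_unconfined` in the last unconfined.te hunk, which is cut off at the end of this view) would carry two conflicting type_transition rules for the same executable, so this needs checking before merge. `sendmail_run_unconfined` also writes `allow unconfined_sendmail_t $3:chr_file rw_file_perms;` where `sendmail_run` just above uses `rw_term_perms`, which is the set meant for a terminal type. In sendmail.te, adding `dac_override` to sendmail_t's capabilities bypasses all DAC permission checks and the line has no comment; if only reads are being denied, `dac_read_search` is the narrower capability, and either way a why-comment should accompany it. The sendmail_t local-policy section continues outside the hunk.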
@@ -8338,7 +9295,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
allow sendmail_t sendmail_log_t:dir setattr;
manage_files_pattern(sendmail_t,sendmail_log_t,sendmail_log_t)
-@@ -49,6 +48,8 @@
+@@ -49,6 +52,8 @@
# for piping mail to a command
kernel_read_system_state(sendmail_t)
@@ -8347,7 +9304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
corenet_all_recvfrom_unlabeled(sendmail_t)
corenet_all_recvfrom_netlabel(sendmail_t)
corenet_tcp_sendrecv_all_if(sendmail_t)
-@@ -91,32 +92,27 @@
+@@ -91,32 +96,27 @@
logging_send_syslog_msg(sendmail_t)
@@ -8385,7 +9342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
')
optional_policy(`
-@@ -130,6 +126,10 @@
+@@ -130,6 +130,10 @@
')
optional_policy(`
@@ -8396,6 +9353,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
seutil_sigchld_newrole(sendmail_t)
')
+@@ -155,3 +159,14 @@
+
+ dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
+ ') dnl end TODO
++
++########################################
++#
++# Unconfined mount local policy
++#
++
++optional_policy(`
++ mta_etc_filetrans_aliases(unconfined_sendmail_t)
++ unconfined_domain(unconfined_sendmail_t)
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.0.7/policy/modules/services/setroubleshoot.if
--- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2007-05-29 14:10:57.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/setroubleshoot.if 2007-09-06 15:43:06.000000000 -0400
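Review bot: The banner added at the end of sendmail.te reads `# Unconfined mount local policy`, which looks copied from mount.te; it should say `# Unconfined sendmail local policy`, since the block that follows configures `unconfined_sendmail_t`. The trailing `++` blank line after the closing `')` leaves an empty last line in the file and can go. The block is complete within the hunk.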
@@ -8798,7 +9770,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.0.7/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/ssh.if 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/services/ssh.if 2007-09-10 17:53:16.000000000 -0400
@@ -202,6 +202,7 @@
#
template(`ssh_per_role_template',`
@@ -8807,7 +9779,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
type ssh_agent_exec_t, ssh_keysign_exec_t;
')
-@@ -708,3 +709,42 @@
+@@ -520,6 +521,7 @@
+
+ optional_policy(`
+ kerberos_use($1_t)
++ kerberos_manage_host_rcache($1_t)
+ ')
+
+ optional_policy(`
+@@ -708,3 +710,42 @@
dontaudit $1 sshd_key_t:file { getattr read };
')
@@ -8922,6 +9902,66 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
')
+
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.0.7/policy/modules/services/telnet.te
+--- nsaserefpolicy/policy/modules/services/telnet.te 2007-07-25 10:37:42.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/services/telnet.te 2007-09-10 17:54:44.000000000 -0400
+@@ -32,7 +32,6 @@
+ allow telnetd_t self:udp_socket create_socket_perms;
+ # for identd; cjp: this should probably only be inetd_child rules?
+ allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+-allow telnetd_t self:netlink_route_socket r_netlink_socket_perms;
+ allow telnetd_t self:capability { setuid setgid };
+
+ allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr };
+@@ -62,10 +61,12 @@
+
+ fs_getattr_xattr_fs(telnetd_t)
+
++auth_use_nsswitch(telnetd_t)
+ auth_rw_login_records(telnetd_t)
+
+ corecmd_search_bin(telnetd_t)
+
++files_read_usr_files(telnetd_t)
+ files_read_etc_files(telnetd_t)
+ files_read_etc_runtime_files(telnetd_t)
+ # for identd; cjp: this should probably only be inetd_child rules?
+@@ -80,9 +81,7 @@
+
+ miscfiles_read_localization(telnetd_t)
+
+-seutil_dontaudit_search_config(telnetd_t)
+-
+-sysnet_read_config(telnetd_t)
++seutil_read_config(telnetd_t)
+
+ remotelogin_domtrans(telnetd_t)
+
+@@ -90,17 +89,16 @@
+ optional_policy(`
+ kerberos_use(telnetd_t)
+ kerberos_read_keytab(telnetd_t)
++ kerberos_manage_host_rcache(telnetd_t)
+ ')
+
+-optional_policy(`
+- nis_use_ypbind(telnetd_t)
++tunable_policy(`use_nfs_home_dirs',`
++ fs_manage_nfs_dirs(telnetd_t)
++ fs_manage_nfs_files(telnetd_t)
+ ')
+
+-optional_policy(`
+- nscd_socket_use(telnetd_t)
++tunable_policy(`use_samba_home_dirs',`
++ fs_manage_cifs_dirs(telnetd_t)
++ fs_manage_cifs_files(telnetd_t)
+ ')
+
+-ifdef(`TODO',`
+-# Allow krb5 telnetd to use fork and open /dev/tty for use
+-allow telnetd_t userpty_type:chr_file setattr;
+-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.0.7/policy/modules/services/tftp.te
--- nsaserefpolicy/policy/modules/services/tftp.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/tftp.te 2007-09-06 15:43:06.000000000 -0400
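Review bot: The two new `tunable_policy` blocks for use_nfs_home_dirs and use_samba_home_dirs give telnetd_t full manage rights (`fs_manage_nfs_dirs`/`fs_manage_nfs_files`, `fs_manage_cifs_dirs`/`fs_manage_cifs_files`) over remote home directory contents, yet telnetd hands the session to `remotelogin_domtrans(telnetd_t)` before user files are normally touched; create/delete/rename over every remote home directory is a wide grant for a pre-authentication network daemon, and if the motivating denial was only a search or read, `fs_search_nfs`/`fs_search_cifs` or the read interfaces would be the least-privilege choice — hedged, as the denial is not in the patch. Dropping the explicit `nis_use_ypbind` and `nscd_socket_use` blocks appears consistent with the added `auth_use_nsswitch(telnetd_t)`, which covers both. The `seutil_dontaudit_search_config` to `seutil_read_config` switch is the same pattern raised on the rlogin.te hunk and deserves the same why-comment. The telnetd local-policy section starts before the hunk.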
@@ -9997,7 +11037,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.te serefpolicy-3.0.7/policy/modules/system/brctl.te
--- nsaserefpolicy/policy/modules/system/brctl.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/policy/modules/system/brctl.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/system/brctl.te 2007-09-10 08:59:32.000000000 -0400
@@ -0,0 +1,51 @@
+policy_module(brctl,1.0.0)
+
@@ -10180,8 +11220,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fuserm
\ No newline at end of file
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.te serefpolicy-3.0.7/policy/modules/system/fusermount.te
--- nsaserefpolicy/policy/modules/system/fusermount.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.7/policy/modules/system/fusermount.te 2007-09-06 15:43:06.000000000 -0400
-@@ -0,0 +1,44 @@
++++ serefpolicy-3.0.7/policy/modules/system/fusermount.te 2007-09-10 15:56:07.000000000 -0400
+@@ -0,0 +1,45 @@
+policy_module(fusermount,1.0.0)
+
+########################################
@@ -10217,6 +11257,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fuserm
+
+storage_raw_read_fixed_disk(fusermount_t)
+storage_raw_write_fixed_disk(fusermount_t)
++storage_rw_fuse(fusermount_t)
+
+optional_policy(`
+ hal_write_log(fusermount_t)
@@ -11455,7 +12496,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
/var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.0.7/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2007-08-22 07:14:12.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/modutils.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/system/modutils.te 2007-09-10 08:58:37.000000000 -0400
@@ -42,7 +42,7 @@
# insmod local policy
#
@@ -11564,7 +12605,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
-/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.0.7/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2007-08-22 07:14:13.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/mount.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/system/mount.te 2007-09-10 16:38:20.000000000 -0400
@@ -8,6 +8,13 @@
##
@@ -11628,7 +12669,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
dev_getattr_all_blk_files(mount_t)
dev_list_all_dev_nodes(mount_t)
-@@ -101,6 +110,8 @@
+@@ -63,6 +72,7 @@
+ storage_raw_write_fixed_disk(mount_t)
+ storage_raw_read_removable_device(mount_t)
+ storage_raw_write_removable_device(mount_t)
++storage_rw_fuse(mount_t)
+
+ fs_getattr_xattr_fs(mount_t)
+ fs_getattr_cifs(mount_t)
+@@ -101,6 +111,8 @@
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@@ -11637,7 +12686,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
libs_use_ld_so(mount_t)
libs_use_shared_libs(mount_t)
-@@ -127,10 +138,15 @@
+@@ -127,10 +139,15 @@
')
')
@@ -11654,7 +12703,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
optional_policy(`
-@@ -159,13 +175,8 @@
+@@ -159,13 +176,8 @@
fs_search_rpc(mount_t)
@@ -11668,7 +12717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
optional_policy(`
-@@ -189,10 +200,6 @@
+@@ -189,10 +201,6 @@
samba_domtrans_smbmount(mount_t)
')
@@ -11679,7 +12728,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
########################################
#
# Unconfined mount local policy
-@@ -201,4 +208,29 @@
+@@ -201,4 +209,29 @@
optional_policy(`
files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
unconfined_domain(unconfined_mount_t)
@@ -11993,7 +13042,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.7/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-08-22 07:14:13.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/selinuxutil.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/system/selinuxutil.te 2007-09-10 14:35:10.000000000 -0400
@@ -1,5 +1,5 @@
-policy_module(selinuxutil,1.6.2)
@@ -12110,7 +13159,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
dev_read_urand(semanage_t)
-@@ -465,6 +479,8 @@
+@@ -452,6 +466,7 @@
+ files_read_etc_runtime_files(semanage_t)
+ files_read_usr_files(semanage_t)
+ files_list_pids(semanage_t)
++fs_list_inotifyfs(semanage_t)
+
+ mls_file_write_all_levels(semanage_t)
+ mls_file_read_all_levels(semanage_t)
+@@ -465,6 +480,8 @@
# Running genhomedircon requires this for finding all users
auth_use_nsswitch(semanage_t)
@@ -12119,7 +13176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
libs_use_ld_so(semanage_t)
libs_use_shared_libs(semanage_t)
-@@ -488,6 +504,17 @@
+@@ -488,6 +505,17 @@
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)
@@ -12137,7 +13194,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
# read secadm tmp files
-@@ -515,6 +542,8 @@
+@@ -515,6 +543,8 @@
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
@@ -12146,7 +13203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
kernel_read_system_state(setfiles_t)
kernel_relabelfrom_unlabeled_dirs(setfiles_t)
kernel_relabelfrom_unlabeled_files(setfiles_t)
-@@ -531,6 +560,7 @@
+@@ -531,6 +561,7 @@
fs_getattr_xattr_fs(setfiles_t)
fs_list_all(setfiles_t)
@@ -12154,7 +13211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
fs_search_auto_mountpoints(setfiles_t)
fs_relabelfrom_noxattr_fs(setfiles_t)
-@@ -586,6 +616,10 @@
+@@ -586,6 +617,10 @@
ifdef(`hide_broken_symptoms',`
optional_policy(`
@@ -12527,7 +13584,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.7/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/unconfined.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/system/unconfined.te 2007-09-10 16:37:23.000000000 -0400
@@ -5,28 +5,36 @@
#
# Declarations
@@ -12598,17 +13655,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
optional_policy(`
- ada_domtrans(unconfined_t)
--')
--
--optional_policy(`
-- apache_run_helper(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
-- apache_per_role_template(unconfined,unconfined_t,unconfined_r)
-- # this is disallowed usage:
-- unconfined_domain(httpd_unconfined_script_t)
+ ada_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
+- apache_run_helper(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+- apache_per_role_template(unconfined,unconfined_t,unconfined_r)
+- # this is disallowed usage:
+- unconfined_domain(httpd_unconfined_script_t)
+-')
+-
+-optional_policy(`
- bind_run_ndc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+ bootloader_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
@@ -12653,7 +13710,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
optional_policy(`
-@@ -155,22 +153,12 @@
+@@ -155,32 +153,23 @@
optional_policy(`
postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@@ -12678,18 +13735,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
optional_policy(`
-@@ -180,9 +168,10 @@
+ samba_per_role_template(unconfined)
+ samba_run_net(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+ samba_run_winbind_helper(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
++ samba_run_smbcontrol(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
- spamassassin_per_role_template(unconfined,unconfined_t,unconfined_r)
-+ sendmail_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
++ sendmail_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
-+
optional_policy(`
- sysnet_run_dhcpc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
- sysnet_dbus_chat_dhcpc(unconfined_t)
@@ -205,11 +194,12 @@
')
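Review bot: The new `samba_run_smbcontrol(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })` line is appended after `samba_run_winbind_helper`, while the matching addition for sysadm_t in the userdomain.te hunk further down places it between `samba_run_net` and `samba_run_winbind_helper`; keeping the calls alphabetical in both files would match the rest of the samba block, so move the line up one position here. The switch from `sendmail_run` to `sendmail_run_unconfined` in the following block changes which sendmail domain unconfined_t transitions into, and the interface definition is not in this hunk, so it is presumably supplied by the sendmail module part of this patch — confirm it exists there and that the unconfined variant is wired only for unconfined_t. The last `optional_policy` block of this hunk continues past its end.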
@@ -13825,7 +14882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.0.7/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2007-08-22 07:14:11.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/userdomain.te 2007-09-06 15:43:06.000000000 -0400
++++ serefpolicy-3.0.7/policy/modules/system/userdomain.te 2007-09-10 14:07:37.000000000 -0400
@@ -74,6 +74,9 @@
# users home directory contents
attribute home_type;
@@ -13908,7 +14965,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
netutils_run(sysadm_t,sysadm_r,admin_terminal)
netutils_run_ping(sysadm_t,sysadm_r,admin_terminal)
netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal)
-@@ -447,11 +448,15 @@
+@@ -443,15 +444,20 @@
+
+ optional_policy(`
+ samba_run_net(sysadm_t,sysadm_r,admin_terminal)
++ samba_run_smbcontrol(sysadm_t,sysadm_r,admin_terminal)
+ samba_run_winbind_helper(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`
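Review bot: `samba_run_smbcontrol(sysadm_t,sysadm_r,admin_terminal)` grants sysadm_r a new domain transition, yet the visible part of the spec changelog entry in this commit lists only the sendmail dac_override and bind udp-port changes, so this grant (and the identical one for unconfined_t in the unconfined.te hunk above) should get its own changelog line, e.g. `- Allow sysadm_t and unconfined_t to run smbcontrol`. The interface is not defined anywhere in view; it is presumably added in the samba.if part of this patch, otherwise the module build fails on an undefined interface, so confirm both sides of the patch land together.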
@@ -13924,7 +14986,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
', `
userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal)
')
-@@ -494,3 +499,7 @@
+@@ -494,3 +500,7 @@
optional_policy(`
yam_run(sysadm_t,sysadm_r,admin_terminal)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8afa942..b589906 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.7
-Release: 7%{?dist}
+Release: 8%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -362,6 +362,10 @@ exit 0
%endif
%changelog
+* Mon Sep 10 2007 Dan Walsh 3.0.7-8
+- Allow newalias/sendmail dac_override
+- Allow bind to bind to all udp ports
+
* Fri Sep 7 2007 Dan Walsh 3.0.7-7
- Turn off direct transition