diff --git a/policy-F13.patch b/policy-F13.patch
index 8d12bed..00b15aa 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -50,7 +50,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.7.8/policy/modules/admin/alsa.te
 --- nsaserefpolicy/policy/modules/admin/alsa.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/admin/alsa.te	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/alsa.te	2010-02-08 12:28:40.000000000 -0500
 @@ -51,6 +51,8 @@
  files_read_etc_files(alsa_t)
  files_read_usr_files(alsa_t)
@@ -223,7 +223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.7.8/policy/modules/admin/logrotate.te
 --- nsaserefpolicy/policy/modules/admin/logrotate.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/admin/logrotate.te	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/logrotate.te	2010-02-04 13:12:24.000000000 -0500
 @@ -32,7 +32,7 @@
  # Change ownership on log files.
  allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
@@ -280,7 +280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
  	consoletype_exec(logrotate_t)
  ')
  
-@@ -157,6 +173,10 @@
+@@ -157,11 +173,15 @@
  ')
  
  optional_policy(`
@@ -291,13 +291,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
  	hostname_exec(logrotate_t)
  ')
  
-@@ -183,6 +203,10 @@
+ optional_policy(`
+-	samba_exec_log(logrotate_t)
++	icecast_signal(logrotate_t)
+ ')
+ 
+ optional_policy(`
+@@ -183,6 +203,15 @@
  ')
  
  optional_policy(`
 +	psad_domtrans(logrotate_t)
 +')
 +
++
++optional_policy(`
++	samba_exec_log(logrotate_t)
++')
++
 +optional_policy(`
  	slrnpull_manage_spool(logrotate_t)
  ')
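Review bot: The re-added `samba_exec_log(logrotate_t)` block is separated from the preceding `psad_domtrans` block by two blank lines: the existing `+` blank line already closes that block and the new `++` blank line adds a second one, so the patched logrotate.te ends up with a double blank line between the two `optional_policy` blocks. Dropping the first of the five added lines keeps the file's single-blank-line separation. The hand-rewritten `@@ -183,6 +203,15 @@` inner hunk continues past this outer hunk, so its counts cannot be checked from here.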
@@ -358,8 +369,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.te serefpolicy-3.7.8/policy/modules/admin/mcelog.te
 --- nsaserefpolicy/policy/modules/admin/mcelog.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/admin/mcelog.te	2010-02-03 08:26:09.000000000 -0500
-@@ -0,0 +1,31 @@
++++ serefpolicy-3.7.8/policy/modules/admin/mcelog.te	2010-02-08 12:28:54.000000000 -0500
+@@ -0,0 +1,32 @@
 +
 +policy_module(mcelog,1.0.0)
 +
@@ -380,6 +391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.
 +# mcelog local policy
 +#
 +
++allow mcelog_t self:capability sys_admin;
 +
 +kernel_read_system_state(mcelog_t)
 +
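Review bot: `allow mcelog_t self:capability sys_admin;` grants the broadest capability in the set and carries no comment on which operation mcelog needs it for. CAP_SYS_ADMIN covers far more than the single ioctl-style action a daemon usually trips over, so the rule should at least carry a why-comment, e.g. `# sys_admin: needed for <operation — TODO confirm from the audit denial>`, and if the denial turns out to be incidental a `dontaudit mcelog_t self:capability sys_admin;` is the usual refpolicy answer instead of an allow.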
@@ -621,7 +633,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.7.8/policy/modules/admin/readahead.te
 --- nsaserefpolicy/policy/modules/admin/readahead.te	2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/admin/readahead.te	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/readahead.te	2010-02-08 15:48:06.000000000 -0500
 @@ -52,6 +52,7 @@
  
  files_list_non_security(readahead_t)
@@ -630,6 +642,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahe
  files_create_boot_flag(readahead_t)
  files_getattr_all_pipes(readahead_t)
  files_dontaudit_getattr_all_sockets(readahead_t)
+@@ -61,6 +62,8 @@
+ fs_search_auto_mountpoints(readahead_t)
+ fs_getattr_all_pipes(readahead_t)
+ fs_getattr_all_files(readahead_t)
++fs_read_cgroup_files(readahead_t)
++fs_read_tmpfs_files(readahead_t)
+ fs_read_tmpfs_symlinks(readahead_t)
+ fs_list_inotifyfs(readahead_t)
+ fs_dontaudit_search_ramfs(readahead_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.7.8/policy/modules/admin/rpm.fc
 --- nsaserefpolicy/policy/modules/admin/rpm.fc	2009-07-14 14:19:57.000000000 -0400
 +++ serefpolicy-3.7.8/policy/modules/admin/rpm.fc	2010-02-02 10:31:03.000000000 -0500
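Review bot: `fs_read_tmpfs_files(readahead_t)` and `fs_read_cgroup_files(readahead_t)` grant content read on every generic tmpfs_t and cgroup_t file, which is wider than the getattr-only access the neighbouring `fs_getattr_all_files` line gives, and the hunk does not say what readahead reads there. A one-line why-comment above the two calls, e.g. `# tmpfs/cgroup content read needed for <reason — TODO confirm>`, would let the next reviewer judge whether the broader access is still required. Both interfaces are introduced by this same patch in filesystem.if, so they resolve; if readahead only stats these files, the getattr interfaces would be the least-privilege choice.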
@@ -1667,7 +1688,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
  	')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.8/policy/modules/admin/usermanage.te
 --- nsaserefpolicy/policy/modules/admin/usermanage.te	2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/admin/usermanage.te	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/usermanage.te	2010-02-05 09:55:40.000000000 -0500
 @@ -82,6 +82,7 @@
  selinux_compute_relabel_context(chfn_t)
  selinux_compute_user_contexts(chfn_t)
@@ -1709,6 +1730,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
  
  seutil_read_config(groupadd_t)
  
+@@ -256,7 +256,7 @@
+ # Passwd local policy
+ #
+ 
+-allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
++allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource };
+ allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow passwd_t self:process { setrlimit setfscreate };
+ allow passwd_t self:fd use;
 @@ -292,6 +292,7 @@
  selinux_compute_relabel_context(passwd_t)
  selinux_compute_user_contexts(passwd_t)
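Review bot: The rewritten capability line adds `sys_nice` to passwd_t with no note on what triggers it, and passwd is a setuid helper whose capability set is worth keeping minimal. If passwd merely attempts to raise its scheduling priority and works without it, the usual refpolicy answer is `dontaudit passwd_t self:capability sys_nice;` rather than an allow; if the capability is genuinely required, a why-comment such as `# sys_nice: <reason — TODO confirm from denial>` above the rule would document that. The enclosing passwd policy section continues beyond the hunk.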
@@ -1854,6 +1884,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te 
  
  optional_policy(`
  	dbus_system_bus_client(vpnc_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.te serefpolicy-3.7.8/policy/modules/apps/cdrecord.te
+--- nsaserefpolicy/policy/modules/apps/cdrecord.te	2009-11-17 10:54:26.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/cdrecord.te	2010-02-08 11:46:07.000000000 -0500
+@@ -32,6 +32,8 @@
+ allow cdrecord_t self:unix_dgram_socket create_socket_perms;
+ allow cdrecord_t self:unix_stream_socket create_stream_socket_perms;
+ 
++corecmd_exec_bin(cdrecord_t) 
++
+ # allow searching for cdrom-drive
+ dev_list_all_dev_nodes(cdrecord_t) 
+ dev_read_sysfs(cdrecord_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.fc serefpolicy-3.7.8/policy/modules/apps/chrome.fc
 --- nsaserefpolicy/policy/modules/apps/chrome.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.7.8/policy/modules/apps/chrome.fc	2010-02-02 10:31:03.000000000 -0500
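Review bot: `corecmd_exec_bin(cdrecord_t) ` carries a trailing space, as does the existing `dev_list_all_dev_nodes(cdrecord_t) ` line below it; the new line should be `corecmd_exec_bin(cdrecord_t)`. It also lets cdrecord_t execute any bin_t binary in its own domain, which is broad for a user application; if a specific helper is what cdrecord spawns, a comment naming it, `# exec_bin: runs <helper — TODO confirm>`, would justify the grant and make a later narrowing possible.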
@@ -2807,8 +2849,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc s
  /usr/bin/gpg-agent	--	gen_context(system_u:object_r:gpg_agent_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.7.8/policy/modules/apps/gpg.te
 --- nsaserefpolicy/policy/modules/apps/gpg.te	2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/gpg.te	2010-02-02 10:31:03.000000000 -0500
-@@ -130,10 +130,10 @@
++++ serefpolicy-3.7.8/policy/modules/apps/gpg.te	2010-02-05 10:53:43.000000000 -0500
+@@ -20,6 +20,7 @@
+ typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
+ application_domain(gpg_t, gpg_exec_t)
+ ubac_constrained(gpg_t)
++role system_r types gpg_t;
+ 
+ type gpg_agent_t;
+ type gpg_agent_exec_t;
+@@ -45,6 +46,7 @@
+ typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t };
+ application_domain(gpg_helper_t, gpg_helper_exec_t)
+ ubac_constrained(gpg_helper_t)
++role system_r types gpg_helper_t;
+ 
+ type gpg_pinentry_t;
+ type pinentry_exec_t;
+@@ -59,7 +61,7 @@
+ #
+ 
+ allow gpg_t self:capability { ipc_lock setuid };
+-# setrlimit is for ulimit -c 0
++#at setrlimit is for ulimit -c 0
+ allow gpg_t self:process { signal setrlimit getcap setcap setpgid };
+ 
+ allow gpg_t self:fifo_file rw_fifo_file_perms;
+@@ -130,10 +132,10 @@
  	xserver_rw_xdm_pipes(gpg_t)
  ')
  
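Review bot: The comment change `# setrlimit is for ulimit -c 0` → `#at setrlimit is for ulimit -c 0` looks like a stray keystroke rather than an intended edit; keep the original `# setrlimit is for ulimit -c 0`. The two `role system_r types gpg_t;` / `role system_r types gpg_helper_t;` additions let gpg and its helper run under the system role, presumably so some system daemon can transition into them; a short comment naming that domain would record the only rationale for widening the role set. The rewritten `@@ -130,10 +132,10 @@` inner hunk continues past this chunk.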
@@ -3073,8 +3140,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.7.8/policy/modules/apps/kdumpgui.te
 --- nsaserefpolicy/policy/modules/apps/kdumpgui.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/kdumpgui.te	2010-02-02 10:31:03.000000000 -0500
-@@ -0,0 +1,64 @@
++++ serefpolicy-3.7.8/policy/modules/apps/kdumpgui.te	2010-02-05 14:36:52.000000000 -0500
+@@ -0,0 +1,68 @@
 +policy_module(kdumpgui,1.0.0)
 +
 +########################################
@@ -3137,6 +3204,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui
 +')
 +
 +optional_policy(`
++	gnome_dontaudit_search_config(kdumpgui_t)
++')
++
++optional_policy(`
 +        policykit_dbus_chat(kdumpgui_t)
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.7.8/policy/modules/apps/livecd.fc
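Review bot: The added `gnome_dontaudit_search_config(kdumpgui_t)` line is indented with a tab while the adjacent existing `policykit_dbus_chat(kdumpgui_t)` line uses eight spaces, so the two `optional_policy` blocks will not line up in the resulting kdumpgui.te. Refpolicy files use tabs; converting the existing policykit line to a tab in the same hunk would keep the block consistent.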
@@ -4861,8 +4932,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.7.8/policy/modules/apps/sambagui.te
 --- nsaserefpolicy/policy/modules/apps/sambagui.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/sambagui.te	2010-02-02 10:31:03.000000000 -0500
-@@ -0,0 +1,61 @@
++++ serefpolicy-3.7.8/policy/modules/apps/sambagui.te	2010-02-08 15:32:04.000000000 -0500
+@@ -0,0 +1,66 @@
 +policy_module(sambagui,1.0.0)
 +
 +########################################
@@ -4917,11 +4988,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui
 +
 +userdom_dontaudit_search_admin_dir(sambagui_t)
 +
++
 +optional_policy(`
 +	consoletype_exec(sambagui_t)
 +')
 +
 +optional_policy(`
++	gnome_dontaudit_search_config(sambagui_t)
++') 
++
++optional_policy(`
 +	policykit_dbus_chat(sambagui_t)
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.7.8/policy/modules/apps/sandbox.fc
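Review bot: The closing `') ` of the new `gnome_dontaudit_search_config(sambagui_t)` block has a trailing space, and the extra `++` blank line added after `userdom_dontaudit_search_admin_dir(sambagui_t)` leaves two consecutive blank lines before the consoletype block. Both are whitespace-only issues that a later refpolicy merge will flag; drop the trailing space so the line is `')` and omit the added blank line.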
@@ -4931,7 +5007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +# No types are sandbox_exec_t
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.8/policy/modules/apps/sandbox.if
 --- nsaserefpolicy/policy/modules/apps/sandbox.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/sandbox.if	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/sandbox.if	2010-02-05 16:08:07.000000000 -0500
 @@ -0,0 +1,225 @@
 +
 +## <summary>policy for sandbox</summary>
@@ -4964,7 +5040,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +	dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
 +	role $2 types sandbox_domain;
 +	allow sandbox_domain $1:process sigchld;
-+	allow sandbox_domain $1:fifo_file rw_fifo_file_perms;
++	allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
 +
 +	allow $1 sandbox_x_domain:process { signal_perms transition };
 +	dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh };
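Review bot: `rw_inherited_fifo_file_perms` replaces `rw_fifo_file_perms` here, in the following sandbox.if hunk (`dontaudit sandbox_xserver_t $1:fifo_file ...`) and in the two cron.if hunks near the end of this chunk, but no hunk in this chunk defines that permission set, so it must already exist in the policy's support macros for the patch to build. As far as the name suggests, it drops the open permission and restricts the domain to fifos it inherited, which is a least-privilege tightening; a comment at the first use, e.g. `# inherited perms only: sandbox domains must not open the caller's fifos`, would record the intent. The enclosing interface body continues outside the hunk.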
@@ -4972,7 +5048,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +	role $2 types sandbox_x_domain;
 +	role $2 types sandbox_xserver_t;
 +	allow $1 sandbox_xserver_t:process signal_perms;
-+	dontaudit sandbox_xserver_t $1:fifo_file rw_fifo_file_perms;
++	dontaudit sandbox_xserver_t $1:fifo_file rw_inherited_fifo_file_perms;
 +	dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms;
 +	dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms;
 +	allow sandbox_xserver_t $1:unix_stream_socket { read write };
@@ -5980,7 +6056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te 
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.8/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/kernel/corecommands.fc	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/kernel/corecommands.fc	2010-02-08 15:10:24.000000000 -0500
 @@ -44,15 +44,17 @@
  /etc/apcupsd/offbattery		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/apcupsd/onbattery		--	gen_context(system_u:object_r:bin_t,s0)
@@ -6021,15 +6097,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  #
  # /usr
  #
-@@ -234,6 +240,7 @@
+@@ -214,6 +220,7 @@
+ /usr/share/apr-0/build/libtool --	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/debconf/.+		--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0)
++/usr/share/cluster/ocf-shellfuncs  --   gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
+@@ -228,12 +235,15 @@
+ /usr/share/sectool/.*\.py	--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
++/usr/share/shorewall/compiler\.pl	--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/shorewall/configpath	--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/shorewall-perl(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/shorewall-shell(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall-lite(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall6-lite(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/share/vhostmd/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
++/usr/share/e16/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  
  /usr/X11R6/lib(64)?/X11/xkb/xkbcomp --	gen_context(system_u:object_r:bin_t,s0)
  
-@@ -323,3 +330,21 @@
+@@ -323,3 +333,21 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
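Review bot: The new `/usr/share/cluster/ocf-shellfuncs  --   gen_context(...)` entry uses runs of spaces where the surrounding corecommands.fc entries use tabs between the path, the `--` file-type flag and the context; align it like the `svclib_nfslock` line directly below it, `/usr/share/cluster/ocf-shellfuncs --	gen_context(system_u:object_r:bin_t,s0)`. The `/usr/share/e16/misc(/.*)?` entry is appended after `vhostmd`, out of the roughly alphabetical order the block otherwise follows. Both are style points only; the contexts themselves are consistent with the rest of the block.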
@@ -6098,7 +6190,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.7.8/policy/modules/kernel/corenetwork.if.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/kernel/corenetwork.if.in	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/kernel/corenetwork.if.in	2010-02-03 16:54:15.000000000 -0500
 @@ -1705,6 +1705,24 @@
  
  ########################################
@@ -6280,7 +6372,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
  #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.8/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2009-11-20 10:51:41.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/kernel/devices.fc	2010-02-03 11:34:06.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/kernel/devices.fc	2010-02-04 13:46:48.000000000 -0500
 @@ -16,13 +16,16 @@
  /dev/audio.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/autofs.*		-c	gen_context(system_u:object_r:autofs_device_t,s0)
@@ -6298,7 +6390,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  /dev/event.*		-c	gen_context(system_u:object_r:event_device_t,s0)
  /dev/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
  /dev/fb[0-9]*		-c	gen_context(system_u:object_r:framebuf_device_t,s0)
-@@ -80,6 +83,7 @@
+@@ -61,6 +64,7 @@
+ /dev/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/microcode		-c	gen_context(system_u:object_r:cpu_device_t,s0)
+ /dev/midi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
++/dev/misc/dlm.*   	-c  gen_context(system_u:object_r:dlm_control_device_t,s0)
+ /dev/mixer.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/mmetfgrab		-c	gen_context(system_u:object_r:scanner_device_t,s0)
+ /dev/modem		-c	gen_context(system_u:object_r:modem_device_t,s0)
+@@ -80,6 +84,7 @@
  /dev/pcfclock.*		-c	gen_context(system_u:object_r:clock_device_t,s0)
  /dev/pmu		-c	gen_context(system_u:object_r:power_device_t,s0)
  /dev/port		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
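Review bot: The new `/dev/misc/dlm.*` entry mixes spaces and a tab between its fields, unlike every neighbouring devices.fc line, which separates path, `-c` and context with tabs; write it as `/dev/misc/dlm.*		-c	gen_context(system_u:object_r:dlm_control_device_t,s0)` (tab-separated). The `dlm_control_device_t` type it references is declared in the devices.te hunk further down this patch, so the label resolves.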
@@ -6306,7 +6406,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  /dev/(misc/)?psaux	-c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/rmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/radeon		-c	gen_context(system_u:object_r:dri_device_t,s0)
-@@ -101,6 +105,7 @@
+@@ -101,6 +106,7 @@
  /dev/urandom		-c	gen_context(system_u:object_r:urandom_device_t,s0)
  /dev/ub[a-c]		-c	gen_context(system_u:object_r:usb_device_t,s0)
  /dev/usb.+		-c	gen_context(system_u:object_r:usb_device_t,s0)
@@ -6314,7 +6414,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  /dev/usblp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
  ifdef(`distro_suse', `
  /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -142,6 +147,7 @@
+@@ -142,6 +148,7 @@
  /dev/input/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/input/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/input/uinput	-c	gen_context(system_u:object_r:event_device_t,s0)
@@ -6322,7 +6422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  
  /dev/mapper/control	-c	gen_context(system_u:object_r:lvm_control_t,s0)
  
-@@ -159,6 +165,8 @@
+@@ -159,6 +166,8 @@
  /dev/usb/mdc800.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
  /dev/usb/scanner.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
  
@@ -6333,7 +6433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.8/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/kernel/devices.if	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/kernel/devices.if	2010-02-08 12:14:39.000000000 -0500
 @@ -801,6 +801,24 @@
  
  ########################################
@@ -6384,7 +6484,75 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  ##	Create all block device files.
  ## </summary>
  ## <param name="domain">
-@@ -1999,6 +2035,24 @@
+@@ -1380,6 +1416,42 @@
+ 	rw_chr_files_pattern($1, device_t, crypt_device_t)
+ ')
+ 
++#######################################
++## <summary>
++##  Set the attributes of the dlm control devices.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`dev_setattr_dlm_control',`
++    gen_require(`
++        type device_t, kvm_device_t;
++    ')
++
++    setattr_chr_files_pattern($1, device_t, dlm_control_device_t)
++')
++
++#######################################
++## <summary>
++##  Read and write the the dlm control device
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`dev_rw_dlm_control',`
++    gen_require(`
++        type device_t, dlm_control_device_t;
++    ')
++
++    rw_chr_files_pattern($1, device_t, dlm_control_device_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	getattr the dri devices.
+@@ -1710,6 +1782,24 @@
+ 
+ ########################################
+ ## <summary>
++##	Write to the kernel messages device
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_write_kmsg',`
++	gen_require(`
++		type device_t, kmsg_device_t;
++	')
++
++	write_chr_files_pattern($1, device_t, kmsg_device_t)
++')
++
++########################################
++## <summary>
+ ##	Get the attributes of the ksm devices.
+ ## </summary>
+ ## <param name="domain">
+@@ -1999,6 +2089,24 @@
  
  ########################################
  ## <summary>
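Review bot: `dev_setattr_dlm_control` requires `type device_t, kvm_device_t;` but its body uses `dlm_control_device_t`, which it never requires; this reads as a copy-paste slip and the line should be `type device_t, dlm_control_device_t;` as in `dev_rw_dlm_control` directly below. Smaller points in the same two interfaces: the summary `Read and write the the dlm control device` doubles "the", their bodies are indented with four spaces where `dev_write_kmsg` and the rest of devices.if use tabs, and their header rules appear one `#` shorter than the 40-column rules used elsewhere.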
@@ -6409,7 +6577,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  ##	Read raw memory devices (e.g. /dev/mem).
  ## </summary>
  ## <param name="domain">
-@@ -3515,6 +3569,24 @@
+@@ -2450,6 +2558,24 @@
+ 
+ ########################################
+ ## <summary>
++##	Dontaudit write the memory type range registers (MTRR).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_dontaudit_write_mtrr',`
++	gen_require(`
++		type mtrr_device_t;
++	')
++
++	dontaudit $1 mtrr_device_t:chr_file write;
++')
++
++########################################
++## <summary>
+ ##	Get the attributes of the network control device
+ ## </summary>
+ ## <param name="domain">
+@@ -3515,6 +3641,24 @@
  
  ########################################
  ## <summary>
@@ -6434,7 +6627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  ##	Mount a usbfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -3703,6 +3775,24 @@
+@@ -3703,6 +3847,24 @@
  	getattr_chr_files_pattern($1, device_t, v4l_device_t)
  ')
  
@@ -6461,8 +6654,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  ##	Do not audit attempts to get the attributes
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.8/policy/modules/kernel/devices.te
 --- nsaserefpolicy/policy/modules/kernel/devices.te	2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/kernel/devices.te	2010-02-02 10:31:03.000000000 -0500
-@@ -232,6 +232,18 @@
++++ serefpolicy-3.7.8/policy/modules/kernel/devices.te	2010-02-04 13:46:48.000000000 -0500
+@@ -59,6 +59,12 @@
+ type crypt_device_t;
+ dev_node(crypt_device_t)
+ 
++#
++# dlm_misc_device_t is the type of /dev/misc/dlm.*
++#
++type dlm_control_device_t;
++dev_node(dlm_control_device_t)
++
+ type dri_device_t;
+ dev_node(dri_device_t)
+ 
+@@ -232,6 +238,18 @@
  type usb_device_t;
  dev_node(usb_device_t)
  
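Review bot: The comment introduced above the new type says `dlm_misc_device_t is the type of /dev/misc/dlm.*`, but the type declared on the next line is `dlm_control_device_t`, which is also the name devices.fc and devices.if in this patch use. Change the comment to `# dlm_control_device_t is the type of /dev/misc/dlm.*` so it does not send a reader looking for a type that does not exist.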
@@ -7617,7 +7823,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.8/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/kernel/filesystem.if	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/kernel/filesystem.if	2010-02-08 15:48:31.000000000 -0500
 @@ -906,7 +906,7 @@
  		type cifs_t;
  	')
@@ -7688,7 +7894,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  #########################################
  ## <summary>
  ##	Read named sockets on a NFS filesystem.
-@@ -3684,6 +3722,24 @@
+@@ -3458,6 +3496,24 @@
+ 
+ ########################################
+ ## <summary>
++##	Read generic tmpfs files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_read_tmpfs_files',`
++	gen_require(`
++		type tmpfs_t;
++	')
++
++	read_files_pattern($1, tmpfs_t, tmpfs_t)
++')
++
++########################################
++## <summary>
+ ##	Read and write generic tmpfs files.
+ ## </summary>
+ ## <param name="domain">
+@@ -3684,6 +3740,24 @@
  
  ########################################
  ## <summary>
@@ -7713,7 +7944,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  ##	Mount a XENFS filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -4181,3 +4237,194 @@
+@@ -4181,3 +4255,214 @@
  	relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
  	relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
  ')
@@ -7777,6 +8008,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 +
 +########################################
 +## <summary>
++##	Read files on cgroup
++##	file systems.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_read_cgroup_files',`
++	gen_require(`
++		type cgroup_t;
++
++	')
++
++	read_files_pattern($1, cgroup_t, cgroup_t)
++')
++
++########################################
++## <summary>
 +##	Read and write files on cgroup
 +##	file systems.
 +## </summary>
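Review bot: The `gen_require` block of the new `fs_read_cgroup_files` interface contains a stray blank line between `type cgroup_t;` and the closing `')`, which no other interface in this file has; remove it so the block is just the two lines `type cgroup_t;` and `')`. Otherwise the interface mirrors `fs_read_tmpfs_files` added earlier in this patch.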
@@ -11083,7 +11334,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav
  sysnet_use_ldap(amavis_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.8/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/apache.fc	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/apache.fc	2010-02-04 13:36:26.000000000 -0500
 @@ -2,12 +2,19 @@
  
  /etc/apache(2)?(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
@@ -11123,12 +11374,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  /usr/sbin/rotatelogs		--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
  /usr/sbin/suexec		--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
  
-@@ -32,14 +45,28 @@
+@@ -32,14 +45,29 @@
  /usr/sbin/httpd2-.*		--	gen_context(system_u:object_r:httpd_exec_t,s0)
  ')
  
 +/usr/share/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /usr/share/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/icecast(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +/usr/share/ntop/html(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +/usr/share/mythweb(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +/usr/share/mythweb/mythweb\.pl		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
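Review bot: Labelling `/usr/share/icecast(/.*)?` as `httpd_sys_content_t` makes icecast's installed web files readable by httpd_t and by any domain granted the httpd content read interfaces, although icecast is served by its own daemon. If the intent is only to let icecast's own domain read its share directory, a type owned by the icecast module would be narrower; if Apache really fronts this content, a one-line comment above the entry saying so would stop the next reviewer from removing it. The placement between htdig and ntop matches the surrounding entries.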
@@ -11152,7 +11404,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  /var/cache/php-eaccelerator(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
  /var/cache/php-mmcache(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
  /var/cache/rt3(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -47,16 +74,21 @@
+@@ -47,16 +75,21 @@
  
  /var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/lib/dav(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -11174,7 +11426,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ifdef(`distro_debian', `
  /var/log/horde2(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
  ')
-@@ -64,11 +96,34 @@
+@@ -64,11 +97,34 @@
  /var/run/apache.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
  /var/run/gcache_port		-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
  /var/run/httpd.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -11943,7 +12195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.8/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/apache.te	2010-02-03 13:33:57.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/apache.te	2010-02-05 12:03:18.000000000 -0500
 @@ -19,6 +19,8 @@
  # Declarations
  #
@@ -13195,6 +13447,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
  	domain_system_change_exemption($1)
  	role_transition $2 named_initrc_exec_t system_r;
  	allow $2 system_r;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.7.8/policy/modules/services/bind.te
+--- nsaserefpolicy/policy/modules/services/bind.te	2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.7.8/policy/modules/services/bind.te	2010-02-08 15:31:29.000000000 -0500
+@@ -142,11 +142,11 @@
+ 
+ logging_send_syslog_msg(named_t)
+ 
++init_read_script_tmp_files(named_t)
++
+ miscfiles_read_localization(named_t)
+ miscfiles_read_certs(named_t)
+ 
+-sysnet_read_config(named_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(named_t)
+ userdom_dontaudit_search_user_home_dirs(named_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.7.8/policy/modules/services/bluetooth.te
 --- nsaserefpolicy/policy/modules/services/bluetooth.te	2010-01-07 14:53:53.000000000 -0500
 +++ serefpolicy-3.7.8/policy/modules/services/bluetooth.te	2010-02-02 10:31:03.000000000 -0500
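Review bot: The hunk removes `sysnet_read_config(named_t)` without a replacement visible in this chunk; in refpolicy that interface is what grants read of net_conf_t (e.g. /etc/resolv.conf), so unless another hunk of this patch or a broader interface named_t already calls now covers it, name resolution from within named will start producing denials. If the removal is deliberate because the access moved elsewhere, a note in the commit message or a comment near `init_read_script_tmp_files(named_t)` would make that traceable. The new `init_read_script_tmp_files(named_t)` line sits before the miscfiles calls, which matches the file's alphabetical grouping.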
@@ -14773,8 +15042,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.8/policy/modules/services/corosync.te
 --- nsaserefpolicy/policy/modules/services/corosync.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/corosync.te	2010-02-02 10:31:03.000000000 -0500
-@@ -0,0 +1,108 @@
++++ serefpolicy-3.7.8/policy/modules/services/corosync.te	2010-02-04 13:46:48.000000000 -0500
+@@ -0,0 +1,110 @@
 +
 +policy_module(corosync,1.0.0)
 +
@@ -14850,6 +15119,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
 +
 +kernel_read_system_state(corosync_t)
 +
++domain_read_all_domains_state(corosync_t)
++
 +corenet_udp_bind_netsupport_port(corosync_t)
 +
 +corecmd_exec_bin(corosync_t)
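Review bot: `domain_read_all_domains_state(corosync_t)` lets corosync read the /proc state of every domain on the system, which is a broad disclosure grant for a cluster daemon and is added without a comment. If corosync only inspects specific processes, a comment naming them, `# reads /proc/<pid> of <domain — TODO confirm from denial>`, would justify the width, and a narrower per-domain state interface would be preferable where one exists. The enclosing block continues past the hunk.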
@@ -14905,7 +15176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 +/var/log/mcelog.*		--	gen_context(system_u:object_r:cron_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.7.8/policy/modules/services/cron.if
 --- nsaserefpolicy/policy/modules/services/cron.if	2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/cron.if	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/cron.if	2010-02-05 11:29:08.000000000 -0500
 @@ -12,6 +12,10 @@
  ## </param>
  #
@@ -14978,7 +15249,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  	')
  
 -	allow $1 crond_t:fifo_file { getattr read write };
-+	allow $1 crond_t:fifo_file rw_fifo_file_perms;
++	allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms;
+ ')
+ 
+ ########################################
+@@ -554,7 +550,7 @@
+ 		type system_cronjob_t;
+ 	')
+ 
+-	allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
++	allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms;
  ')
  
  ########################################
@@ -15641,7 +15921,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru
  	snmp_stream_connect(cyrus_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.7.8/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/dbus.if	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/dbus.if	2010-02-08 12:17:04.000000000 -0500
 @@ -42,8 +42,10 @@
  	gen_require(`
  		class dbus { send_msg acquire_svc };
@@ -16018,12 +16298,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.7.8/policy/modules/services/devicekit.fc
 --- nsaserefpolicy/policy/modules/services/devicekit.fc	2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/devicekit.fc	2010-02-02 10:31:03.000000000 -0500
-@@ -1,8 +1,11 @@
++++ serefpolicy-3.7.8/policy/modules/services/devicekit.fc	2010-02-05 07:38:20.000000000 -0500
+@@ -1,8 +1,12 @@
  /usr/libexec/devkit-daemon	--	gen_context(system_u:object_r:devicekit_exec_t,s0)
  /usr/libexec/devkit-disks-daemon --	gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
  /usr/libexec/devkit-power-daemon --	gen_context(system_u:object_r:devicekit_power_exec_t,s0)
 +/usr/libexec/udisks-daemon	--	gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
++/usr/libexec/upowerd		--	gen_context(system_u:object_r:devicekit_power_exec_t,s0)
  
  /var/lib/DeviceKit-.*			gen_context(system_u:object_r:devicekit_var_lib_t,s0)
 +/var/lib/udisks(/.*)?			gen_context(system_u:object_r:devicekit_var_lib_t,s0)
@@ -16423,7 +16704,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  /var/spool/dovecot(/.*)?		gen_context(system_u:object_r:dovecot_spool_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.8/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te	2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/dovecot.te	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/dovecot.te	2010-02-08 15:51:15.000000000 -0500
 @@ -73,14 +73,21 @@
  
  can_exec(dovecot_t, dovecot_exec_t)
@@ -16447,7 +16728,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
  files_pid_filetrans(dovecot_t, dovecot_var_run_t, file)
  
-@@ -103,6 +110,7 @@
+@@ -93,6 +100,7 @@
+ corenet_tcp_sendrecv_generic_node(dovecot_t)
+ corenet_tcp_sendrecv_all_ports(dovecot_t)
+ corenet_tcp_bind_generic_node(dovecot_t)
++corenet_tcp_bind_mail_port(dovecot_t)
+ corenet_tcp_bind_pop_port(dovecot_t)
+ corenet_tcp_connect_all_ports(dovecot_t)
+ corenet_tcp_connect_postgresql_port(dovecot_t)
+@@ -103,6 +111,7 @@
  dev_read_urand(dovecot_t)
  
  fs_getattr_all_fs(dovecot_t)
@@ -16455,7 +16744,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  fs_search_auto_mountpoints(dovecot_t)
  fs_list_inotifyfs(dovecot_t)
  
-@@ -142,6 +150,10 @@
+@@ -142,6 +151,10 @@
  ')
  
  optional_policy(`
@@ -16466,7 +16755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  	seutil_sigchld_newrole(dovecot_t)
  ')
  
-@@ -172,11 +184,6 @@
+@@ -172,11 +185,6 @@
  manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
  files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
  
@@ -16478,7 +16767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
  manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
  dovecot_stream_connect_auth(dovecot_auth_t)
-@@ -197,8 +204,9 @@
+@@ -197,8 +205,9 @@
  files_search_pids(dovecot_auth_t)
  files_read_usr_files(dovecot_auth_t)
  files_read_usr_symlinks(dovecot_auth_t)
@@ -16489,7 +16778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  
  init_rw_utmp(dovecot_auth_t)
  
-@@ -225,6 +233,7 @@
+@@ -225,6 +234,7 @@
  ')
  
  optional_policy(`
@@ -16497,7 +16786,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  	postfix_search_spool(dovecot_auth_t)
  ')
  
-@@ -234,6 +243,8 @@
+@@ -234,6 +244,8 @@
  #
  allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
  
@@ -16506,7 +16795,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
  allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
  
-@@ -263,11 +274,19 @@
+@@ -263,11 +275,19 @@
  userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
  
  tunable_policy(`use_nfs_home_dirs',`
@@ -17495,7 +17784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.7.8/policy/modules/services/git.te
 --- nsaserefpolicy/policy/modules/services/git.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/git.te	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/git.te	2010-02-08 15:36:58.000000000 -0500
 @@ -1,9 +1,182 @@
  
 -policy_module(git, 1.0)
@@ -17912,6 +18201,283 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/howl
  kernel_list_proc(howl_t)
  kernel_read_proc_symlinks(howl_t)
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.fc serefpolicy-3.7.8/policy/modules/services/icecast.fc
+--- nsaserefpolicy/policy/modules/services/icecast.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/icecast.fc	2010-02-04 13:36:50.000000000 -0500
+@@ -0,0 +1,7 @@
++/etc/rc\.d/init\.d/icecast	--	gen_context(system_u:object_r:icecast_initrc_exec_t,s0)
++
++/usr/bin/icecast		--	gen_context(system_u:object_r:icecast_exec_t,s0)
++
++/var/log/icecast(/.*)?			gen_context(system_u:object_r:icecast_log_t,s0)
++
++/var/run/icecast(/.*)?			gen_context(system_u:object_r:icecast_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.if serefpolicy-3.7.8/policy/modules/services/icecast.if
+--- nsaserefpolicy/policy/modules/services/icecast.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/icecast.if	2010-02-04 13:14:02.000000000 -0500
+@@ -0,0 +1,199 @@
++
++## <summary> ShoutCast compatible streaming media server</summary>
++
++########################################
++## <summary>
++##	Execute a domain transition to run icecast.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`icecast_domtrans',`
++	gen_require(`
++		type icecast_t, icecast_exec_t;
++	')
++
++	domtrans_pattern($1, icecast_exec_t, icecast_t)
++')
++
++
++########################################
++## <summary>
++##	Execute icecast server in the icecast domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`icecast_initrc_domtrans',`
++	gen_require(`
++		type icecast_initrc_exec_t;
++	')
++
++	init_labeled_script_domtrans($1, icecast_initrc_exec_t)
++')
++
++########################################
++## <summary>
++##	Read icecast PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`icecast_read_pid_files',`
++	gen_require(`
++		type icecast_var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 icecast_var_run_t:file read_file_perms;
++')
++
++########################################
++## <summary>
++##	Manage icecast var_run files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`icecast_manage_var_run',`
++	gen_require(`
++		type icecast_var_run_t;
++	')
++
++         manage_dirs_pattern($1, icecast_var_run_t, icecast_var_run_t)
++         manage_files_pattern($1, icecast_var_run_t, icecast_var_run_t)
++         manage_lnk_files_pattern($1, icecast_var_run_t, icecast_var_run_t)
++')
++
++
++########################################
++## <summary>
++##	Allow the specified domain to read icecast's log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`icecast_read_log',`
++	gen_require(`
++		type icecast_log_t;
++	')
++
++	logging_search_logs($1)
++        read_files_pattern($1, icecast_log_t, icecast_log_t)
++')
++
++########################################
++## <summary>
++##	Allow the specified domain to append
++##	icecast log files.
++## </summary>
++## <param name="domain">
++## 	<summary>
++##	Domain allowed to transition.
++## 	</summary>
++## </param>
++#
++interface(`icecast_append_log',`
++	gen_require(`
++		type var_log_t, icecast_log_t;
++	')
++
++	logging_search_logs($1)
++        append_files_pattern($1, icecast_log_t, icecast_log_t)
++')
++
++########################################
++## <summary>
++##	Allow domain to manage icecast log files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`icecast_manage_log',`
++	gen_require(`
++		type icecast_log_t;
++	')
++
++         manage_dirs_pattern($1, icecast_log_t, icecast_log_t)
++         manage_files_pattern($1, icecast_log_t, icecast_log_t)
++         manage_lnk_files_pattern($1, icecast_log_t, icecast_log_t)
++')
++
++########################################
++## <summary>
++##	Allow domain signal icecast 
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`icecast_signal',`
++	gen_require(`
++		type icecast_t;
++	')
++
++	allow $1 icecast_t:process signal;
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate 
++##	an icecast environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`icecast_admin',`
++	gen_require(`
++		type icecast_t;
++	')
++
++	allow $1 icecast_t:process { ptrace signal_perms getattr };
++	read_files_pattern($1, icecast_t, icecast_t)
++	        
++
++	gen_require(`
++		type icecast_initrc_exec_t;
++	')
++
++	# Allow icecast_t to restart the apache service
++	icecast_initrc_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 icecast_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	icecast_manage_var_run($1)
++
++	icecast_manage_log($1)
++
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.te serefpolicy-3.7.8/policy/modules/services/icecast.te
+--- nsaserefpolicy/policy/modules/services/icecast.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/icecast.te	2010-02-04 13:11:42.000000000 -0500
+@@ -0,0 +1,59 @@
++policy_module(icecast,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type icecast_t;
++type icecast_exec_t;
++init_daemon_domain(icecast_t, icecast_exec_t)
++
++permissive icecast_t;
++
++type icecast_initrc_exec_t;
++init_script_file(icecast_initrc_exec_t)
++
++type icecast_var_run_t;
++files_pid_file(icecast_var_run_t)
++
++type icecast_log_t;
++logging_log_file(icecast_log_t)
++
++########################################
++#
++# icecast local policy
++#
++
++allow icecast_t self:capability { dac_override setgid setuid sys_nice };
++allow icecast_t self:process { getsched fork setsched signal };
++
++# Init script handling
++domain_use_interactive_fds(icecast_t)
++
++# internal communication is often done using fifo and unix sockets.
++allow icecast_t self:fifo_file rw_fifo_file_perms;
++allow icecast_t self:unix_stream_socket create_stream_socket_perms;
++allow icecast_t self:tcp_socket create_stream_socket_perms;
++
++corenet_tcp_bind_soundd_port(icecast_t)
++
++files_read_etc_files(icecast_t)
++
++miscfiles_read_localization(icecast_t)
++
++manage_dirs_pattern(icecast_t, icecast_var_run_t,  icecast_var_run_t)
++manage_files_pattern(icecast_t, icecast_var_run_t,  icecast_var_run_t)
++files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir })
++
++manage_dirs_pattern(icecast_t, icecast_log_t,  icecast_log_t)
++manage_files_pattern(icecast_t, icecast_log_t,  icecast_log_t)
++logging_log_filetrans(icecast_t, icecast_log_t, { file dir } )
++
++auth_use_nsswitch(icecast_t)
++
++sysnet_dns_name_resolve(icecast_t)
++
++optional_policy(`
++         rtkit_daemon_system_domain(icecast_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.8/policy/modules/services/kerberos.if
 --- nsaserefpolicy/policy/modules/services/kerberos.if	2009-07-23 14:11:04.000000000 -0400
 +++ serefpolicy-3.7.8/policy/modules/services/kerberos.if	2010-02-02 10:31:03.000000000 -0500
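Review bot: `permissive icecast_t;` in icecast.te leaves the new domain unenforced, so every rule below it only shapes what is logged rather than what is allowed; mark it as temporary, e.g. `# TODO: remove once the policy has been validated against audit logs`, and track its removal before the module ships as confining. Several interface descriptions are copy-paste leftovers: `icecast_initrc_domtrans` is summarised as "Execute icecast server in the icecast domain" although it runs the init script, the parameter of `icecast_append_log` reads "Domain allowed to transition.", `icecast_manage_log` and `icecast_signal` read "Domain to not audit.", and `icecast_admin` carries `# Allow icecast_t to restart the apache service`, which should read `# Allow $1 to restart the icecast service`. `icecast_append_log` requires `var_log_t` without using it, and `icecast_admin` could replace `read_files_pattern($1, icecast_t, icecast_t)` with the conventional `ps_process_pattern($1, icecast_t)` and merge its two `gen_require` blocks. Indentation mixes tabs with runs of spaces (the `manage_*_pattern` lines in `icecast_manage_var_run` and `icecast_manage_log`, the `read_files_pattern`/`append_files_pattern` calls, the `rtkit_daemon_system_domain` call), there is a whitespace-only line after `read_files_pattern` in `icecast_admin`, and `policy_module(icecast,1.0.0)` lacks the space after the comma that the other modules in this patch use.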
@@ -18347,7 +18913,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.7.8/policy/modules/services/mta.if
 --- nsaserefpolicy/policy/modules/services/mta.if	2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/mta.if	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/mta.if	2010-02-08 13:36:02.000000000 -0500
 @@ -335,6 +335,7 @@
  		# apache should set close-on-exec
  		apache_dontaudit_rw_stream_sockets($1)
@@ -18401,6 +18967,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
  ')
  
+@@ -765,6 +786,25 @@
+ 
+ #######################################
+ ## <summary>
++##	List the mail queue.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mta_list_queue',`
++	gen_require(`
++		type mqueue_spool_t;
++	')
++
++	allow $1 mqueue_spool_t:dir list_dir_perms;
++	files_search_spool($1)
++')
++
++#######################################
++## <summary>
+ ##	Read the mail queue.
+ ## </summary>
+ ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.8/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2010-01-07 14:53:53.000000000 -0500
 +++ serefpolicy-3.7.8/policy/modules/services/mta.te	2010-02-02 10:31:03.000000000 -0500
@@ -18488,7 +19080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.8/policy/modules/services/munin.te
 --- nsaserefpolicy/policy/modules/services/munin.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/munin.te	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/munin.te	2010-02-08 13:34:54.000000000 -0500
 @@ -33,7 +33,7 @@
  # Local policy
  #
@@ -18508,7 +19100,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
  
  # Allow access to the munin databases
  manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
-@@ -147,6 +148,7 @@
+@@ -133,6 +134,7 @@
+ optional_policy(`
+ 	mta_read_config(munin_t)
+ 	mta_send_mail(munin_t)
++	mta_list_queue(munin_t)
+ 	mta_read_queue(munin_t)
+ ')
+ 
+@@ -147,6 +149,7 @@
  
  optional_policy(`
  	postfix_list_spool(munin_t)
@@ -18565,7 +19165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
  ##	Send a generic signal to MySQL.
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.8/policy/modules/services/mysql.te
 --- nsaserefpolicy/policy/modules/services/mysql.te	2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/mysql.te	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/mysql.te	2010-02-05 10:58:38.000000000 -0500
 @@ -1,6 +1,13 @@
  
  policy_module(mysql, 1.11.1)
@@ -18580,6 +19180,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
  ########################################
  #
  # Declarations
+@@ -37,7 +44,7 @@
+ # Local policy
+ #
+ 
+-allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service };
++allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource net_bind_service };
+ dontaudit mysqld_t self:capability sys_tty_config;
+ allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
+ allow mysqld_t self:fifo_file rw_fifo_file_perms;
 @@ -109,6 +116,11 @@
  # for /root/.my.cnf - should not be needed:
  userdom_read_user_home_content_files(mysqld_t)
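Review bot: `ipc_lock` is added to the `mysqld_t` capability set without a comment saying what needs it; CAP_IPC_LOCK lets the daemon pin memory (mlock/mlockall, locked shared memory) and is presumably for the server's memory-locking option, so a why-comment such as `# ipc_lock: mlockall() when memory locking is configured` would tie the grant to a feature rather than to a single audit line. If the trigger was a denial under a default configuration rather than that option, a `dontaudit` may be the better fit than an allow.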
@@ -18724,7 +19333,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
 +/usr/lib(64)?/nagios/plugins/check_by_ssh       --      gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.7.8/policy/modules/services/nagios.if
 --- nsaserefpolicy/policy/modules/services/nagios.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/nagios.if	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/nagios.if	2010-02-08 14:30:28.000000000 -0500
 @@ -64,7 +64,7 @@
  
  ########################################
@@ -18757,7 +19366,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -92,10 +91,119 @@
+@@ -92,10 +91,121 @@
  ##	</summary>
  ## </param>
  #
@@ -18823,6 +19432,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
 +        # needed by command.cfg
 +        domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
 +    
++        allow nagios_t nagios_$1_plugin_t:process signal_perms;
++
 +        # cjp: leaked file descriptor
 +        dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write };
 +
@@ -20910,8 +21521,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.7.8/policy/modules/services/plymouth.te
 --- nsaserefpolicy/policy/modules/services/plymouth.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/plymouth.te	2010-02-03 15:28:58.000000000 -0500
-@@ -0,0 +1,102 @@
++++ serefpolicy-3.7.8/policy/modules/services/plymouth.te	2010-02-08 14:38:49.000000000 -0500
+@@ -0,0 +1,104 @@
 +policy_module(plymouthd, 1.0.0)
 +
 +########################################
@@ -21000,6 +21611,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym
 +
 +miscfiles_read_localization(plymouth_t)
 +
++sysnet_read_config(plymouth_t)
++
 +term_use_ptmx(plymouth_t)
 +
 +plymouth_stream_connect(plymouth_t)
@@ -22437,6 +23050,44 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
  userdom_dontaudit_search_user_home_dirs(pyzor_t)
  
  optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.7.8/policy/modules/services/radvd.te
+--- nsaserefpolicy/policy/modules/services/radvd.te	2009-12-18 11:38:25.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/radvd.te	2010-02-08 16:21:33.000000000 -0500
+@@ -22,9 +22,9 @@
+ #
+ # Local policy
+ #
+-allow radvd_t self:capability { setgid setuid net_raw net_admin };
++allow radvd_t self:capability { kill setgid setuid net_raw net_admin };
+ dontaudit radvd_t self:capability sys_tty_config;
+-allow radvd_t self:process signal_perms;
++allow radvd_t self:process { fork signal_perms };
+ allow radvd_t self:unix_dgram_socket create_socket_perms;
+ allow radvd_t self:unix_stream_socket create_socket_perms;
+ allow radvd_t self:rawip_socket create_socket_perms;
+@@ -64,20 +64,16 @@
+ files_read_etc_files(radvd_t)
+ files_list_usr(radvd_t)
+ 
++auth_use_nsswitch(radvd_t)
++
+ logging_send_syslog_msg(radvd_t)
+ 
+ miscfiles_read_localization(radvd_t)
+ 
+-sysnet_read_config(radvd_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(radvd_t)
+ userdom_dontaudit_search_user_home_dirs(radvd_t)
+ 
+ optional_policy(`
+-	nis_use_ypbind(radvd_t)
+-')
+-
+-optional_policy(`
+ 	seutil_sigchld_newrole(radvd_t)
+ ')
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.7.8/policy/modules/services/razor.fc
 --- nsaserefpolicy/policy/modules/services/razor.fc	2009-07-14 14:19:57.000000000 -0400
 +++ serefpolicy-3.7.8/policy/modules/services/razor.fc	2010-02-02 10:31:03.000000000 -0500
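Review bot: The new `kill` capability on `radvd_t` is only consulted by the kernel when the signal target runs under a different uid than the sender, so together with the added `fork` it looks like the root parent signalling a privilege-dropped child; record that on the line, e.g. `# kill: parent signals its unprivileged child`, and if the denial came from anything else reconsider the grant, since CAP_KILL reaches every process the process-class rules otherwise permit. Replacing `sysnet_read_config` and the `nis_use_ypbind` optional block with `auth_use_nsswitch(radvd_t)` follows the refpolicy pattern, on the assumption that interface still carries the name-service rules the two removed lines provided.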
@@ -22649,8 +23300,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.8/policy/modules/services/rgmanager.te
 --- nsaserefpolicy/policy/modules/services/rgmanager.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/rgmanager.te	2010-02-02 10:31:03.000000000 -0500
-@@ -0,0 +1,186 @@
++++ serefpolicy-3.7.8/policy/modules/services/rgmanager.te	2010-02-04 15:10:37.000000000 -0500
+@@ -0,0 +1,204 @@
 +
 +policy_module(rgmanager,1.0.0)
 +
@@ -22675,6 +23326,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
 +type rgmanager_tmp_t;
 +files_tmp_file(rgmanager_tmp_t)
 +
++type rgmanager_tmpfs_t;
++files_tmpfs_file(rgmanager_tmpfs_t)
++
 +# log files
 +type rgmanager_var_log_t;
 +logging_log_file(rgmanager_var_log_t)
@@ -22703,6 +23357,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
 +manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
 +files_tmp_filetrans(rgmanager_t, rgmanager_tmp_t, { file dir })
 +
++manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
++manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
++fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t,{ dir file })
++
 +# log files
 +manage_files_pattern(rgmanager_t, rgmanager_var_log_t,rgmanager_var_log_t)
 +logging_log_filetrans(rgmanager_t,rgmanager_var_log_t,{ file })
@@ -22712,9 +23370,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
 +manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
 +files_pid_filetrans(rgmanager_t,rgmanager_var_run_t, { file sock_file })
 +
-+aisexec_stream_connect(rgmanager_t)
-+groupd_stream_connect(rgmanager_t)
-+
 +corecmd_exec_bin(rgmanager_t)
 +corecmd_exec_sbin(rgmanager_t)
 +corecmd_exec_shell(rgmanager_t)
@@ -22726,7 +23381,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
 +fs_getattr_xattr_fs(rgmanager_t)
 +
 +# need to write to /dev/misc/dlm-control 
-+dev_manage_generic_chr_files(rgmanager_t)
++dev_rw_dlm_control(rgmanager_t)
++dev_setattr_dlm_control(rgmanager_t)
 +dev_search_sysfs(rgmanager_t)
 +
 +domain_read_all_domains_state(rgmanager_t)
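Review bot: The comment above the new calls still says `# need to write to /dev/misc/dlm-control`, but the hunk also grants `dev_setattr_dlm_control`, and changing the node's mode or ownership is a separate permission the comment does not explain; either extend it, e.g. `# rgmanager reads/writes and changes the attributes of /dev/misc/dlm-control`, or drop `setattr` if only read/write was denied. Narrowing from `dev_manage_generic_chr_files` to the single device type is a clear improvement.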
@@ -22762,16 +23418,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
 +
 +# rgmanager can run resource scripts 
 +
++
++optional_policy(`
++	aisexec_stream_connect(rgmanager_t)
++')
++
 +optional_policy(`
 +        apache_domtrans(rgmanager_t)
 +        apache_signal(rgmanager_t)
 +')
 +
 +optional_policy(`
++	corosync_stream_connect(rgmanager_t)
++')
++
++optional_policy(`
 +        fstools_domtrans(rgmanager_t)
 +')
 +
 +optional_policy(`
++	groupd_stream_connect(rgmanager_t)
++')
++
++optional_policy(`
 +        hostname_exec(rgmanager_t)
 +')
 +
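Review bot: The added `optional_policy` blocks for `aisexec_stream_connect`, `corosync_stream_connect` and `groupd_stream_connect` indent their body with a tab while the neighbouring pre-existing blocks (`apache_domtrans`, `fstools_domtrans`, `hostname_exec`) use eight spaces; refpolicy style is a single tab, so the older blocks should be converted in the same change rather than leaving both forms in one file. The extra blank line inserted below `# rgmanager can run resource scripts` also separates that comment from the blocks it presumably introduces; drop the blank line or move the comment down to the resource-script block it describes.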
@@ -22839,25 +23508,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.7.8/policy/modules/services/rhcs.fc
 --- nsaserefpolicy/policy/modules/services/rhcs.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/rhcs.fc	2010-02-02 10:31:03.000000000 -0500
-@@ -0,0 +1,24 @@
-+/dev/misc/dlm.*          	       --      gen_context(system_u:object_r:dlm_control_dev_t,s0)
-+
-+/sbin/dlm_controld                     --      gen_context(system_u:object_r:dlm_controld_exec_t,s0)
++++ serefpolicy-3.7.8/policy/modules/services/rhcs.fc	2010-02-04 13:49:09.000000000 -0500
+@@ -0,0 +1,22 @@
++/usr/sbin/dlm_controld                     --      gen_context(system_u:object_r:dlm_controld_exec_t,s0)
 +/var/log/cluster/dlm_controld\.log.*   --      gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
 +/var/run/dlm_controld\.pid             --      gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
 +
-+/sbin/fenced                           --      gen_context(system_u:object_r:fenced_exec_t,s0)
++/usr/sbin/fenced                           --      gen_context(system_u:object_r:fenced_exec_t,s0)
 +/usr/sbin/fence_node                   --      gen_context(system_u:object_r:fenced_exec_t,s0)
 +/var/log/cluster/fenced\.log.*         --      gen_context(system_u:object_r:fenced_var_log_t,s0)
 +/var/run/fenced\.pid                   --      gen_context(system_u:object_r:fenced_var_run_t,s0)
 +/var/run/cluster/fenced_override       --      gen_context(system_u:object_r:fenced_var_run_t,s0)
 +
-+/sbin/gfs_controld                     --      gen_context(system_u:object_r:gfs_controld_exec_t,s0)
++/usr/sbin/gfs_controld                     --      gen_context(system_u:object_r:gfs_controld_exec_t,s0)
 +/var/log/cluster/gfs_controld\.log.*   --      gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
 +/var/run/gfs_controld\.pid             --      gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
 +
-+/sbin/groupd                           --      gen_context(system_u:object_r:groupd_exec_t,s0)
++/usr/sbin/groupd                           --      gen_context(system_u:object_r:groupd_exec_t,s0)
 +/var/run/groupd\.pid                   --      gen_context(system_u:object_r:groupd_var_run_t,s0)
 +
 +/usr/sbin/qdiskd                       --      gen_context(system_u:object_r:qdiskd_exec_t,s0)
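Review bot: The `/sbin/dlm_controld`, `/sbin/fenced`, `/sbin/gfs_controld` and `/sbin/groupd` entries are replaced by `/usr/sbin/` ones rather than kept alongside them; on an installation that still ships those binaries under /sbin they fall back to the generic bin label, the daemons then stay in the init script's domain instead of entering their confined types, and nothing in the logs points at the missing file context. If both locations are possible, keeping both patterns (or one `(/usr)?/sbin/...` regex per daemon) is the safer form. Dropping the `/dev/misc/dlm.*` entry and `dlm_control_dev_t` here presumes the device node is now labelled by the module that provides `dev_rw_dlm_control`; that cannot be confirmed from this hunk. The rewritten lines also break the column alignment of the untouched entries.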
@@ -23238,8 +23905,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.8/policy/modules/services/rhcs.te
 --- nsaserefpolicy/policy/modules/services/rhcs.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/rhcs.te	2010-02-02 10:31:26.000000000 -0500
-@@ -0,0 +1,422 @@
++++ serefpolicy-3.7.8/policy/modules/services/rhcs.te	2010-02-04 15:17:12.000000000 -0500
+@@ -0,0 +1,419 @@
 +
 +policy_module(rhcs,1.0.0)
 +
@@ -23270,9 +23937,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
 +type dlm_controld_tmpfs_t;
 +files_tmpfs_file(dlm_controld_tmpfs_t)
 +
-+type dlm_control_dev_t;
-+dev_node(dlm_control_dev_t)
-+
 +type fenced_t;
 +type fenced_exec_t;
 +init_daemon_domain(fenced_t, fenced_exec_t)
@@ -23352,12 +24016,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
 +
 +allow dlm_controld_t self:sem create_sem_perms;
 +allow dlm_controld_t self:fifo_file rw_fifo_file_perms;
-+allow dlm_controld_t self:unix_stream_socket { create_stream_socket_perms };
-+allow dlm_controld_t self:unix_dgram_socket { create_socket_perms };
++allow dlm_controld_t self:unix_stream_socket create_stream_socket_perms;
++allow dlm_controld_t self:unix_dgram_socket create_socket_perms;
 +allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
 +
-+allow dlm_controld_t dlm_control_dev_t:chr_file rw_chr_file_perms;
-+
 +manage_dirs_pattern(dlm_controld_t, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
 +manage_files_pattern(dlm_controld_t, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
 +fs_tmpfs_filetrans(dlm_controld_t, dlm_controld_tmpfs_t,{ dir file })
@@ -23374,10 +24036,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
 +stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
 +aisexec_stream_connect(dlm_controld_t)
 +ccs_stream_connect(dlm_controld_t)
++corosync_stream_connect(dlm_controld_t)
 +groupd_stream_connect(dlm_controld_t)
 +
 +kernel_read_system_state(dlm_controld_t)
 +
++dev_rw_dlm_control(dlm_controld_t)
 +dev_rw_sysfs(dlm_controld_t)
 +
 +fs_manage_configfs_files(dlm_controld_t)
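Review bot: `corosync_stream_connect(dlm_controld_t)` is added as a bare call next to `aisexec_stream_connect` and `ccs_stream_connect`, whereas the rgmanager.te hunks in this same patch move the equivalent calls into `optional_policy` blocks; refpolicy convention is to wrap interfaces of other non-base modules in `optional_policy` so the module still builds when that module is not present. Wrapping the three cross-module connects here the same way would make rhcs.te consistent with rgmanager.te (`groupd_stream_connect` can stay bare if groupd_t is declared in this module, as the groupd entry in rhcs.fc suggests). `dev_rw_dlm_control(dlm_controld_t)` correctly replaces the `dlm_control_dev_t` rule removed in the previous hunk.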
@@ -23514,8 +24178,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
 +
 +storage_getattr_removable_dev(gfs_controld_t)
 +
-+dev_manage_generic_chr_files(gfs_controld_t)
-+#dev_read_sysfs(gfs_controld_t)
++dev_rw_dlm_control(gfs_controld_t)
++dev_setattr_dlm_control(gfs_controld_t)
 +dev_rw_sysfs(gfs_controld_t)
 +
 +init_rw_script_tmp_files(gfs_controld_t)
@@ -24089,7 +24753,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
  auth_can_read_shadow_passwords(rsync_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.7.8/policy/modules/services/rtkit.if
 --- nsaserefpolicy/policy/modules/services/rtkit.if	2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/rtkit.if	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/rtkit.if	2010-02-04 08:57:20.000000000 -0500
 @@ -38,3 +38,23 @@
  	allow $1 rtkit_daemon_t:dbus send_msg;
  	allow rtkit_daemon_t $1:dbus send_msg;
@@ -24367,7 +25031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.8/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/samba.te	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/samba.te	2010-02-08 16:25:02.000000000 -0500
 @@ -66,6 +66,13 @@
  ## </desc>
  gen_tunable(samba_share_nfs, false)
@@ -24387,7 +25051,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  
  auth_use_nsswitch(samba_net_t)
 -auth_read_cache(samba_net_t)
-+auth_rw_cache(samba_net_t)
++auth_manage_cache(samba_net_t)
  
  logging_send_syslog_msg(samba_net_t)
  
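Review bot: `auth_manage_cache(samba_net_t)` widens the earlier `auth_rw_cache` to create, unlink and rename on the auth cache type, and the next hunk grants the same `auth_manage_cache` to `smbd_t`, the network-facing daemon; neither line carries a comment saying which file under the cache directory needs creating. For smbd_t in particular, a cache type shared by other authentication components is a place where unlink/rename rights let a compromised daemon clobber another service's cached data, so a why-comment such as `# creates and rotates its own files under the auth cache dir` (or a dedicated samba cache type) would be preferable to the blanket manage. If only reads and writes of existing files were denied, `auth_rw_cache` is sufficient for both domains.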
@@ -24410,7 +25074,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  kernel_getattr_core_if(smbd_t)
  kernel_getattr_message_if(smbd_t)
  kernel_read_network_state(smbd_t)
-@@ -325,6 +336,8 @@
+@@ -316,6 +327,7 @@
+ auth_use_nsswitch(smbd_t)
+ auth_domtrans_chk_passwd(smbd_t)
+ auth_domtrans_upd_passwd(smbd_t)
++auth_manage_cache(smbd_t)
+ 
+ domain_use_interactive_fds(smbd_t)
+ domain_dontaudit_list_all_domains_state(smbd_t)
+@@ -325,6 +337,8 @@
  files_read_etc_runtime_files(smbd_t)
  files_read_usr_files(smbd_t)
  files_search_spool(smbd_t)
@@ -24419,7 +25091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  # Allow samba to list mnt_t for potential mounted dirs
  files_list_mnt(smbd_t)
  
-@@ -337,10 +350,13 @@
+@@ -337,10 +351,13 @@
  miscfiles_read_public_files(smbd_t)
  
  userdom_use_unpriv_users_fds(smbd_t)
@@ -24434,7 +25106,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  ifdef(`hide_broken_symptoms', `
  	files_dontaudit_getattr_default_dirs(smbd_t)
  	files_dontaudit_getattr_boot_dirs(smbd_t)
-@@ -352,19 +368,19 @@
+@@ -352,19 +369,19 @@
  ') 
  
  tunable_policy(`samba_domain_controller',`
@@ -24460,7 +25132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  ')
  
  # Support Samba sharing of NFS mount points
-@@ -376,6 +392,15 @@
+@@ -376,6 +393,15 @@
  	fs_manage_nfs_named_sockets(smbd_t)
  ')
  
@@ -24476,7 +25148,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  optional_policy(`
  	cups_read_rw_config(smbd_t)
  	cups_stream_connect(smbd_t)
-@@ -391,6 +416,11 @@
+@@ -391,6 +417,11 @@
  ')
  
  optional_policy(`
@@ -24488,7 +25160,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  	rpc_search_nfs_state_data(smbd_t)
  ')
  
-@@ -405,13 +435,15 @@
+@@ -405,13 +436,15 @@
  tunable_policy(`samba_create_home_dirs',`
  	allow smbd_t self:capability chown;
  	userdom_create_user_home_dirs(smbd_t)
@@ -24505,7 +25177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  	auth_read_all_files_except_shadow(nmbd_t)
  ')
  
-@@ -420,8 +452,8 @@
+@@ -420,8 +453,8 @@
  	auth_manage_all_files_except_shadow(smbd_t)
  	fs_read_noxattr_fs_files(nmbd_t) 
  	auth_manage_all_files_except_shadow(nmbd_t)
@@ -24515,7 +25187,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  
  ########################################
  #
-@@ -525,6 +557,7 @@
+@@ -525,6 +558,7 @@
  
  allow smbcontrol_t winbind_t:process { signal signull };
  
@@ -24523,7 +25195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  samba_read_config(smbcontrol_t)
  samba_rw_var_files(smbcontrol_t)
  samba_search_var(smbcontrol_t)
-@@ -536,6 +569,8 @@
+@@ -536,6 +570,8 @@
  
  miscfiles_read_localization(smbcontrol_t)
  
@@ -24532,7 +25204,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  ########################################
  #
  # smbmount Local policy
-@@ -618,7 +653,7 @@
+@@ -618,7 +654,7 @@
  # SWAT Local policy
  #
  
@@ -24541,7 +25213,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  allow swat_t self:process { setrlimit signal_perms };
  allow swat_t self:fifo_file rw_fifo_file_perms;
  allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-@@ -626,23 +661,23 @@
+@@ -626,23 +662,23 @@
  allow swat_t self:udp_socket create_socket_perms;
  allow swat_t self:unix_stream_socket connectto;
  
@@ -24574,7 +25246,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  allow swat_t smbd_exec_t:file mmap_file_perms ;
  
  allow swat_t smbd_t:process signull;
-@@ -657,7 +692,7 @@
+@@ -657,7 +693,7 @@
  files_pid_filetrans(swat_t, swat_var_run_t, file)
  
  allow swat_t winbind_exec_t:file mmap_file_perms;
@@ -24583,7 +25255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  
  allow swat_t winbind_var_run_t:dir { write add_name remove_name };
  allow swat_t winbind_var_run_t:sock_file { create unlink };
-@@ -700,6 +735,8 @@
+@@ -700,6 +736,8 @@
  
  miscfiles_read_localization(swat_t)
  
@@ -24592,7 +25264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -713,12 +750,23 @@
+@@ -713,12 +751,23 @@
  	kerberos_use(swat_t)
  ')
  
@@ -24617,7 +25289,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  dontaudit winbind_t self:capability sys_tty_config;
  allow winbind_t self:process { signal_perms getsched setsched };
  allow winbind_t self:fifo_file rw_fifo_file_perms;
-@@ -866,6 +914,18 @@
+@@ -779,6 +828,8 @@
+ corenet_tcp_bind_generic_node(winbind_t)
+ corenet_udp_bind_generic_node(winbind_t)
+ corenet_tcp_connect_smbd_port(winbind_t)
++corenet_tcp_connect_smbd_port(winbind_t)
++corenet_tcp_connect_all_unreserved_ports(winbind_t)
+ 
+ dev_read_sysfs(winbind_t)
+ dev_read_urand(winbind_t)
+@@ -788,7 +839,7 @@
+ 
+ auth_domtrans_chk_passwd(winbind_t)
+ auth_use_nsswitch(winbind_t)
+-auth_rw_cache(winbind_t)
++auth_manage_cache(winbind_t)
+ 
+ domain_use_interactive_fds(winbind_t)
+ 
+@@ -866,6 +917,18 @@
  #
  
  optional_policy(`
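Review bot: `++corenet_tcp_connect_smbd_port(winbind_t)` duplicates the context line immediately above it, so the added line is redundant and should be dropped. `++corenet_tcp_connect_all_unreserved_ports(winbind_t)` lets winbind open TCP connections to any port above 1023 on any host, far broader than the smbd port the domain already has; presumably this is for DCE/RPC endpoint-mapper dynamic ports when talking to a domain controller, so say so, e.g. `# DC traffic: the DCE/RPC endpoint mapper hands out dynamic high ports`, and consider a narrower port type if one can be defined. `++auth_manage_cache(winbind_t)` makes winbind_t the third Samba domain in this diff with manage over the shared auth_cache_t; if it only updates existing entries the prior `auth_rw_cache(winbind_t)` suffices.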
@@ -24636,7 +25326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  	type samba_unconfined_script_t;
  	type samba_unconfined_script_exec_t;
  	domain_type(samba_unconfined_script_t)
-@@ -876,9 +936,12 @@
+@@ -876,9 +939,12 @@
  	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
  	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
  
@@ -24973,7 +25663,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.7.8/policy/modules/services/setroubleshoot.te
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/setroubleshoot.te	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/setroubleshoot.te	2010-02-05 14:36:34.000000000 -0500
 @@ -22,13 +22,19 @@
  type setroubleshoot_var_run_t;
  files_pid_file(setroubleshoot_var_run_t)
@@ -25035,7 +25725,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
  
  selinux_get_enforce_mode(setroubleshootd_t)
  selinux_validate_context(setroubleshootd_t)
-@@ -94,23 +113,75 @@
+@@ -94,23 +113,79 @@
  
  locallogin_dontaudit_use_fds(setroubleshootd_t)
  
@@ -25105,6 +25795,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
 +userdom_signull_unpriv_users(setroubleshoot_fixit_t)
 +
 +optional_policy(`
++	gnome_dontaudit_search_config(setroubleshoot_fixit_t)
++')
++
++optional_policy(`
 +	rpm_signull(setroubleshoot_fixit_t)
 +	rpm_read_db(setroubleshoot_fixit_t)
 +	rpm_dontaudit_manage_db(setroubleshoot_fixit_t)
@@ -25157,7 +25851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp
  allow snmpd_t self:fifo_file rw_fifo_file_perms;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.7.8/policy/modules/services/snort.te
 --- nsaserefpolicy/policy/modules/services/snort.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/snort.te	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/snort.te	2010-02-04 08:19:39.000000000 -0500
 @@ -37,6 +37,7 @@
  allow snort_t self:tcp_socket create_stream_socket_perms;
  allow snort_t self:udp_socket create_socket_perms;
@@ -25182,11 +25876,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snor
  
  corenet_all_recvfrom_unlabeled(snort_t)
  corenet_all_recvfrom_netlabel(snort_t)
-@@ -76,6 +78,7 @@
+@@ -76,6 +78,8 @@
  dev_read_sysfs(snort_t)
  dev_read_rand(snort_t)
  dev_read_urand(snort_t)
 +dev_read_usbmon_dev(snort_t)
++dev_rw_generic_usb_dev(snort_t)
  
  domain_use_interactive_fds(snort_t)
  
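Review bot: `++dev_rw_generic_usb_dev(snort_t)` grants read and write on every generic USB device node, which is much more than a capture engine needs: the line above already grants read on the usbmon devices that libpcap's USB capture uses, and write access lets a compromised snort drive arbitrary USB devices. If the denial was a read of /dev/bus/usb for device enumeration (likely, but confirm with the AVC), `dev_read_generic_usb_dev(snort_t)` is the narrower rule; otherwise a comment explaining why write is needed should accompany the grant.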
@@ -25353,7 +26048,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.7.8/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/spamassassin.te	2010-02-03 08:51:00.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/spamassassin.te	2010-02-08 15:11:48.000000000 -0500
 @@ -20,6 +20,35 @@
  ## </desc>
  gen_tunable(spamd_enable_home_dirs, true)
@@ -25611,9 +26306,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
  	fs_manage_cifs_files(spamd_t)
  ')
  
-@@ -402,23 +499,16 @@
+@@ -401,24 +498,18 @@
+ ')
  
  optional_policy(`
++	dcc_domtrans_cdcc(spamd_t)
  	dcc_domtrans_client(spamd_t)
 +	dcc_signal_client(spamd_t)
  	dcc_stream_connect_dccifd(spamd_t)
@@ -25636,7 +26333,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
  	postfix_read_config(spamd_t)
  ')
  
-@@ -433,6 +523,10 @@
+@@ -433,6 +524,10 @@
  
  optional_policy(`
  	razor_domtrans(spamd_t)
@@ -25647,7 +26344,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
  ')
  
  optional_policy(`
-@@ -445,5 +539,9 @@
+@@ -445,5 +540,9 @@
  ')
  
  optional_policy(`
@@ -25996,7 +26693,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
  /var/run/sssd.pid	--	gen_context(system_u:object_r:sssd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.7.8/policy/modules/services/sssd.if
 --- nsaserefpolicy/policy/modules/services/sssd.if	2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/sssd.if	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/sssd.if	2010-02-08 12:03:33.000000000 -0500
 @@ -38,6 +38,25 @@
  
  ########################################
@@ -28099,7 +28796,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.8/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/xserver.te	2010-02-02 16:08:33.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/xserver.te	2010-02-08 14:29:02.000000000 -0500
 @@ -36,6 +36,13 @@
  
  ## <desc>
@@ -28262,11 +28959,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_files(iceauth_t)
-@@ -250,30 +274,52 @@
+@@ -250,30 +274,53 @@
  	fs_manage_cifs_files(iceauth_t)
  ')
  
 +ifdef(`hide_broken_symptoms', `
++	dev_dontaudit_read_urand(iceauth_t)
 +	dev_dontaudit_rw_dri(iceauth_t)
 +	dev_dontaudit_rw_generic_dev_nodes(iceauth_t)
 +	fs_list_inotifyfs(iceauth_t)
@@ -28319,7 +29017,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  fs_search_auto_mountpoints(xauth_t)
  
  # cjp: why?
-@@ -283,17 +329,35 @@
+@@ -283,17 +330,35 @@
  
  userdom_use_user_terminals(xauth_t)
  userdom_read_user_tmp_files(xauth_t)
@@ -28355,7 +29053,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  optional_policy(`
  	ssh_sigchld(xauth_t)
  	ssh_read_pipes(xauth_t)
-@@ -305,20 +369,31 @@
+@@ -305,20 +370,31 @@
  # XDM Local policy
  #
  
@@ -28390,7 +29088,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  # Allow gdm to run gdm-binary
  can_exec(xdm_t, xdm_exec_t)
-@@ -334,22 +409,40 @@
+@@ -334,22 +410,40 @@
  manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
  files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
@@ -28434,7 +29132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  allow xdm_t xserver_t:process signal;
  allow xdm_t xserver_t:unix_stream_socket connectto;
-@@ -363,6 +456,7 @@
+@@ -363,6 +457,7 @@
  allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
  
  allow xdm_t xserver_t:shm rw_shm_perms;
@@ -28442,7 +29140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -371,10 +465,14 @@
+@@ -371,10 +466,14 @@
  delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  
@@ -28458,7 +29156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  kernel_read_system_state(xdm_t)
  kernel_read_kernel_sysctls(xdm_t)
-@@ -394,11 +492,13 @@
+@@ -394,11 +493,13 @@
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -28472,7 +29170,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  dev_read_rand(xdm_t)
  dev_read_sysfs(xdm_t)
  dev_getattr_framebuffer_dev(xdm_t)
-@@ -406,6 +506,7 @@
+@@ -406,6 +507,7 @@
  dev_getattr_mouse_dev(xdm_t)
  dev_setattr_mouse_dev(xdm_t)
  dev_rw_apm_bios(xdm_t)
@@ -28480,7 +29178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  dev_setattr_apm_bios_dev(xdm_t)
  dev_rw_dri(xdm_t)
  dev_rw_agp(xdm_t)
-@@ -414,18 +515,21 @@
+@@ -414,18 +516,21 @@
  dev_getattr_misc_dev(xdm_t)
  dev_setattr_misc_dev(xdm_t)
  dev_dontaudit_rw_misc(xdm_t)
@@ -28505,7 +29203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -436,9 +540,15 @@
+@@ -436,9 +541,15 @@
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -28521,7 +29219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -447,6 +557,7 @@
+@@ -447,6 +558,7 @@
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -28529,7 +29227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  term_setattr_console(xdm_t)
  term_use_unallocated_ttys(xdm_t)
-@@ -455,6 +566,7 @@
+@@ -455,6 +567,7 @@
  auth_domtrans_pam_console(xdm_t)
  auth_manage_pam_pid(xdm_t)
  auth_manage_pam_console_data(xdm_t)
@@ -28537,7 +29235,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  auth_rw_faillog(xdm_t)
  auth_write_login_records(xdm_t)
  
-@@ -465,10 +577,12 @@
+@@ -465,10 +578,12 @@
  
  logging_read_generic_logs(xdm_t)
  
@@ -28552,7 +29250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -477,6 +591,11 @@
+@@ -477,6 +592,11 @@
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -28564,7 +29262,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  xserver_rw_session(xdm_t, xdm_tmpfs_t)
  xserver_unconfined(xdm_t)
-@@ -509,10 +628,12 @@
+@@ -509,10 +629,12 @@
  
  optional_policy(`
  	alsa_domtrans(xdm_t)
@@ -28577,7 +29275,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  optional_policy(`
-@@ -520,12 +641,49 @@
+@@ -520,12 +642,49 @@
  ')
  
  optional_policy(`
@@ -28627,7 +29325,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	hostname_exec(xdm_t)
  ')
  
-@@ -543,9 +701,43 @@
+@@ -543,9 +702,43 @@
  ')
  
  optional_policy(`
@@ -28671,7 +29369,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  optional_policy(`
  	seutil_sigchld_newrole(xdm_t)
  ')
-@@ -555,8 +747,9 @@
+@@ -555,8 +748,9 @@
  ')
  
  optional_policy(`
@@ -28683,7 +29381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -565,7 +758,6 @@
+@@ -565,7 +759,6 @@
  	ifdef(`distro_rhel4',`
  		allow xdm_t self:process { execheap execmem };
  	')
@@ -28691,7 +29389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  optional_policy(`
  	userhelper_dontaudit_search_config(xdm_t)
-@@ -576,6 +768,10 @@
+@@ -576,6 +769,10 @@
  ')
  
  optional_policy(`
@@ -28702,7 +29400,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -600,10 +796,9 @@
+@@ -600,10 +797,9 @@
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -28714,7 +29412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
  allow xserver_t self:sock_file read_sock_file_perms;
-@@ -615,6 +810,18 @@
+@@ -615,6 +811,18 @@
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -28733,7 +29431,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -634,12 +841,19 @@
+@@ -634,12 +842,19 @@
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -28755,7 +29453,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -673,7 +887,6 @@
+@@ -673,7 +888,6 @@
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -28763,7 +29461,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  dev_create_generic_dirs(xserver_t)
  dev_setattr_generic_dirs(xserver_t)
  # raw memory access is needed if not using the frame buffer
-@@ -683,9 +896,12 @@
+@@ -683,9 +897,12 @@
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -28777,7 +29475,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  files_read_etc_files(xserver_t)
  files_read_etc_runtime_files(xserver_t)
-@@ -700,8 +916,12 @@
+@@ -700,8 +917,12 @@
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -28790,7 +29488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -723,6 +943,7 @@
+@@ -723,6 +944,7 @@
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -28798,7 +29496,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  modutils_domtrans_insmod(xserver_t)
  
-@@ -779,12 +1000,20 @@
+@@ -779,12 +1001,20 @@
  ')
  
  optional_policy(`
@@ -28820,7 +29518,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -811,7 +1040,7 @@
+@@ -811,7 +1041,7 @@
  allow xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xserver_t xdm_var_lib_t:dir search;
  
@@ -28829,7 +29527,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -832,9 +1061,14 @@
+@@ -832,9 +1062,14 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -28844,7 +29542,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
  	fs_manage_nfs_files(xserver_t)
-@@ -849,11 +1083,14 @@
+@@ -849,11 +1084,14 @@
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -28861,7 +29559,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  optional_policy(`
-@@ -1000,17 +1237,32 @@
+@@ -1000,17 +1238,32 @@
  allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
  allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
  
@@ -28938,15 +29636,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebr
  ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.7.8/policy/modules/system/application.te
 --- nsaserefpolicy/policy/modules/system/application.te	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/application.te	2010-02-03 09:21:48.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/application.te	2010-02-05 11:23:03.000000000 -0500
 @@ -7,6 +7,17 @@
  # Executables to be run by user
  attribute application_exec_type;
  
 +userdom_inherit_append_user_home_content_files(application_domain_type)
 +userdom_inherit_append_admin_home_files(application_domain_type)
-+userdom_write_user_tmp_files(application_domain_type)
-+logging_rw_all_logs(application_domain_type)
++userdom_inherit_append_user_tmp_files(application_domain_type)
++logging_inherit_append_all_logs(application_domain_type)
 +
 +files_dontaudit_search_all_dirs(application_domain_type)
 +
@@ -29460,7 +30158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
  # /var
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.8/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/init.if	2010-02-03 15:45:27.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/init.if	2010-02-04 09:02:56.000000000 -0500
 @@ -162,8 +162,10 @@
  	gen_require(`
  		attribute direct_run_init, direct_init, direct_init_entry;
@@ -29472,12 +30170,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
  	')
  
  	typeattribute $1 daemon;
-@@ -174,6 +176,12 @@
+@@ -174,6 +176,13 @@
  	role system_r types $1;
  
  	domtrans_pattern(initrc_t,$2,$1)
 +	allow initrc_t $1:process siginh;
 +	allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
++	allow $1 initrc_transition_domain:fd use;
 +
 +	# Handle upstart direct transition to a executable
 +	domtrans_pattern(init_t,$2,$1)
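Review bot: `++allow $1 initrc_transition_domain:fd use;` is granted by init_daemon_domain() to every daemon domain, yet the only comment in the block (`# Handle upstart direct transition to a executable`) covers the domtrans line below it, so the fd rule reads as unexplained. Since this diff also makes init_t an initrc_transition_domain, the rule effectively lets every daemon use file descriptors inherited from init as well as from initrc, which is broader than the old initrc_t-only path; a comment above it such as `# daemons started directly by upstart inherit init's fds and pipes` would record that. The same line is added to init_system_domain() in the next hunk and should carry the same explanation.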
@@ -29485,7 +30184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
  
  	# daemons started from init will
  	# inherit fds from init for the console
-@@ -265,6 +273,7 @@
+@@ -265,6 +274,7 @@
  	gen_require(`
  		type initrc_t;
  		role system_r;
@@ -29493,16 +30192,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
  	')
  
  	application_domain($1,$2)
-@@ -272,6 +281,8 @@
+@@ -272,6 +282,9 @@
  	role system_r types $1;
  
  	domtrans_pattern(initrc_t,$2,$1)
 +	allow initrc_t $1:process siginh;
 +	allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
++	allow $1 initrc_transition_domain:fd use;
  
  	ifdef(`hide_broken_symptoms',`
  		# RHEL4 systems seem to have a stray
-@@ -280,6 +291,36 @@
+@@ -280,6 +293,36 @@
  			kernel_dontaudit_use_fds($1)
  		')
  	')
@@ -29539,7 +30239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
  ')
  
  ########################################
-@@ -546,7 +587,8 @@
+@@ -546,7 +589,8 @@
  
  		# upstart uses a datagram socket instead of initctl pipe
  		allow $1 self:unix_dgram_socket create_socket_perms;
@@ -29549,7 +30249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
  	')
  ')
  
-@@ -619,18 +661,19 @@
+@@ -619,18 +663,19 @@
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -29573,7 +30273,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
  	')
  ')
  
-@@ -646,23 +689,43 @@
+@@ -646,23 +691,43 @@
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -29621,7 +30321,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
  ##	Execute a init script in a specified domain.
  ## </summary>
  ## <desc>
-@@ -714,8 +777,10 @@
+@@ -714,8 +779,10 @@
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
  		type initrc_t;
@@ -29632,7 +30332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
  	domtrans_pattern($1, $2, initrc_t)
  	files_search_etc($1)
  ')
-@@ -923,6 +988,24 @@
+@@ -923,6 +990,24 @@
  	allow $1 init_script_file_type:file read_file_perms;
  ')
  
@@ -29657,7 +30357,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
  ########################################
  ## <summary>
  ##	Execute all init scripts in the caller domain.
-@@ -1142,7 +1225,7 @@
+@@ -1142,7 +1227,7 @@
  		type initrc_t;
  	')
  
@@ -29666,7 +30366,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
  ')
  
  ########################################
-@@ -1310,6 +1393,25 @@
+@@ -1310,6 +1395,25 @@
  
  ########################################
  ## <summary>
@@ -29692,7 +30392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
  ##	Create files in a init script
  ##	temporary data directory.
  ## </summary>
-@@ -1540,3 +1642,76 @@
+@@ -1540,3 +1644,76 @@
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -29771,7 +30471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.8/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/init.te	2010-02-03 15:43:32.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/init.te	2010-02-08 12:54:27.000000000 -0500
 @@ -17,6 +17,20 @@
  ## </desc>
  gen_tunable(init_upstart, false)
@@ -29801,6 +30501,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  # Mark process types as daemons
  attribute daemon;
+@@ -33,7 +48,7 @@
+ #
+ # init_t is the domain of the init process.
+ #
+-type init_t;
++type init_t, initrc_transition_domain;
+ type init_exec_t;
+ domain_type(init_t)
+ domain_entry_file(init_t, init_exec_t)
 @@ -64,6 +79,7 @@
  # of the below init_upstart tunable
  # but this has a typeattribute in it
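Review bot: `+type init_t, initrc_transition_domain;` silently extends every rule written against the initrc_transition_domain attribute to init_t — in this diff alone that is the rw_inherited_fifo_file and fd use grants made to all daemon and system domains in init.if — and any other rule over that attribute outside this view widens the same way. The attribute's definition and its other users are not visible here, so check that nothing grants more than inherited-fd access against it before init_t joins. A comment on the type line would help, e.g. `# upstart spawns daemons directly from init_t, so it carries the same transition-domain rules as initrc_t`; this rationale is inferred from the upstart handling elsewhere in the patch, confirm.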
@@ -29818,17 +30527,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  # is ~sys_module really needed? observed: 
  # sys_boot
  # sys_tty_config
-@@ -101,7 +117,8 @@
+@@ -101,7 +117,9 @@
  # Re-exec itself
  can_exec(init_t, init_exec_t)
  
 -allow init_t initrc_t:unix_stream_socket connectto;
 +allow init_t initrc_t:unix_stream_socket { connectto rw_stream_socket_perms };
 +allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms };
++allow initrc_t init_t:fifo_file rw_fifo_file_perms;
  
  # For /var/run/shutdown.pid.
  allow init_t init_var_run_t:file manage_file_perms;
-@@ -140,6 +157,7 @@
+@@ -140,6 +158,7 @@
  files_dontaudit_rw_root_files(init_t)
  files_dontaudit_rw_root_chr_files(init_t)
  
@@ -29836,7 +30546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  # cjp: this may be related to /dev/log
  fs_write_ramfs_sockets(init_t)
  
-@@ -167,6 +185,8 @@
+@@ -167,11 +186,14 @@
  
  miscfiles_read_localization(init_t)
  
@@ -29845,7 +30555,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
  ')
-@@ -189,6 +209,22 @@
+ 
+ ifdef(`distro_redhat',`
++	fs_read_tmpfs_symlinks(init_t)
+ 	fs_rw_tmpfs_chr_files(init_t)
+ 	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
+ ')
+@@ -189,10 +211,31 @@
  ')
  
  optional_policy(`
@@ -29853,6 +30569,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 +')
 +
 +optional_policy(`
++	dbus_connect_system_bus(init_t)
 +	dbus_system_bus_client(init_t)
 +')
 +
@@ -29868,7 +30585,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	nscd_socket_use(init_t)
  ')
  
-@@ -202,9 +238,10 @@
+ optional_policy(`
++	sssd_stream_connect(init_t)
++')
++
++optional_policy(`
+ 	unconfined_domain(init_t)
+ ')
+ 
+@@ -202,9 +245,10 @@
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -29880,7 +30605,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  # Allow IPC with self
  allow initrc_t self:unix_dgram_socket create_socket_perms;
-@@ -217,7 +254,8 @@
+@@ -217,7 +261,8 @@
  term_create_pty(initrc_t, initrc_devpts_t)
  
  # Going to single user mode
@@ -29890,7 +30615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  can_exec(initrc_t, init_script_file_type)
  
-@@ -230,10 +268,16 @@
+@@ -230,10 +275,16 @@
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -29909,7 +30634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
  
  init_write_initctl(initrc_t)
-@@ -246,13 +290,19 @@
+@@ -246,13 +297,19 @@
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -29931,7 +30656,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  corenet_all_recvfrom_unlabeled(initrc_t)
  corenet_all_recvfrom_netlabel(initrc_t)
-@@ -272,16 +322,66 @@
+@@ -267,21 +324,72 @@
+ 
+ dev_read_rand(initrc_t)
+ dev_read_urand(initrc_t)
++dev_write_kmsg(initrc_t)
+ dev_write_rand(initrc_t)
+ dev_write_urand(initrc_t)
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
@@ -29999,7 +30730,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
-@@ -291,7 +391,7 @@
+@@ -291,7 +399,7 @@
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -30008,7 +30739,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -306,14 +406,15 @@
+@@ -306,14 +414,15 @@
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -30026,7 +30757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  files_exec_etc_files(initrc_t)
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
-@@ -324,48 +425,16 @@
+@@ -324,48 +433,16 @@
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -30079,7 +30810,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  logging_send_syslog_msg(initrc_t)
  logging_manage_generic_logs(initrc_t)
  logging_read_all_logs(initrc_t)
-@@ -374,19 +443,22 @@
+@@ -374,19 +451,22 @@
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -30103,7 +30834,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
  
-@@ -422,16 +494,12 @@
+@@ -422,16 +502,12 @@
  	# init scripts touch this
  	clock_dontaudit_write_adjtime(initrc_t)
  
@@ -30121,7 +30852,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  	optional_policy(`
  		arpwatch_manage_data_files(initrc_t)
-@@ -450,11 +518,9 @@
+@@ -450,11 +526,9 @@
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -30134,7 +30865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	# These seem to be from the initrd
  	# during device initialization:
  	dev_create_generic_dirs(initrc_t)
-@@ -464,6 +530,7 @@
+@@ -464,6 +538,7 @@
  	storage_raw_read_fixed_disk(initrc_t)
  	storage_raw_write_fixed_disk(initrc_t)
  
@@ -30142,7 +30873,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
  	# wants to read /.fonts directory
-@@ -492,15 +559,26 @@
+@@ -472,6 +547,7 @@
+ 	# Needs to cp localtime to /var dirs
+ 	files_write_var_dirs(initrc_t)
+ 
++	fs_read_tmpfs_symlinks(initrc_t)
+ 	fs_rw_tmpfs_chr_files(initrc_t)
+ 
+ 	storage_manage_fixed_disk(initrc_t)
+@@ -492,15 +568,26 @@
  	optional_policy(`
  		bind_manage_config_dirs(initrc_t)
  		bind_write_config(initrc_t)
@@ -30169,7 +30908,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	')
  
  	optional_policy(`
-@@ -515,6 +593,33 @@
+@@ -515,6 +602,33 @@
  	')
  ')
  
@@ -30203,7 +30942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -567,10 +672,19 @@
+@@ -567,10 +681,19 @@
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -30223,7 +30962,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -590,6 +704,10 @@
+@@ -590,6 +713,10 @@
  ')
  
  optional_policy(`
@@ -30234,7 +30973,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	dev_read_usbfs(initrc_t)
  
  	# init scripts run /etc/hotplug/usb.rc
-@@ -646,20 +764,20 @@
+@@ -646,20 +773,20 @@
  ')
  
  optional_policy(`
@@ -30261,7 +31000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  optional_policy(`
  	ifdef(`distro_redhat',`
-@@ -668,6 +786,7 @@
+@@ -668,6 +795,7 @@
  
  	mysql_stream_connect(initrc_t)
  	mysql_write_log(initrc_t)
@@ -30269,7 +31008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -700,7 +819,6 @@
+@@ -700,7 +828,6 @@
  ')
  
  optional_policy(`
@@ -30277,7 +31016,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -722,8 +840,6 @@
+@@ -722,8 +849,6 @@
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -30286,7 +31025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -736,13 +852,16 @@
+@@ -736,13 +861,16 @@
  	squid_manage_logs(initrc_t)
  ')
  
@@ -30303,7 +31042,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -751,6 +870,7 @@
+@@ -751,6 +879,7 @@
  
  optional_policy(`
  	udev_rw_db(initrc_t)
@@ -30311,7 +31050,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -758,7 +878,17 @@
+@@ -758,7 +887,17 @@
  ')
  
  optional_policy(`
@@ -30329,7 +31068,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -768,6 +898,21 @@
+@@ -768,6 +907,25 @@
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -30344,6 +31083,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 +		')
 +		init_system_domain(unconfined_execmem_t, execmem_exec_t)
 +	')
++
++	optional_policy(`
++		rtkit_daemon_system_domain(initrc_t)
++	')
 +')
 +
 +optional_policy(`
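Review bot: The new `optional_policy` for `rtkit_daemon_system_domain(initrc_t)` is nested one tab deep inside a block whose opening is outside this hunk; the context lines just above it deal with `unconfined_execmem_t`, which suggests it sits inside another module's `optional_policy` or an `ifdef`, in which case the rtkit rule is only compiled when that outer condition also holds. If rtkit support for initrc_t is meant to be independent of that block, the `optional_policy` should move out to the top level beside the other top-level `optional_policy` blocks. If the nesting is intentional, a comment such as `# rtkit only relevant when the enclosing block applies` on the new line would make that explicit to the next reader.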
@@ -30351,7 +31094,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -793,3 +938,31 @@
+@@ -793,3 +951,31 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -30664,9 +31407,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
 +/etc/sysctl\.conf.*  --  
 +gen_context(system_u:object_r:iptables_conf_t,s0)
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.7.8/policy/modules/system/iptables.if
+--- nsaserefpolicy/policy/modules/system/iptables.if	2009-12-04 09:43:33.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/iptables.if	2010-02-08 13:40:44.000000000 -0500
+@@ -49,6 +49,13 @@
+ 	optional_policy(`
+ 		modutils_run_insmod(iptables_t, $2)
+ 	')
++
++ifdef(`hide_broken_symptoms', `
++	dontaudit iptables_t $2:unix_stream_socket rw_socket_perms;
++	dontaudit iptables_t $2:tcp_socket rw_socket_perms;
++	dontaudit iptables_t $2:udp_socket rw_socket_perms;
++')
++
+ ')
+ 
+ ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.8/policy/modules/system/iptables.te
 --- nsaserefpolicy/policy/modules/system/iptables.te	2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/iptables.te	2010-02-03 08:15:29.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/iptables.te	2010-02-04 13:52:12.000000000 -0500
 @@ -14,9 +14,6 @@
  type iptables_initrc_exec_t;
  init_script_file(iptables_initrc_exec_t)
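Review bot: The three new dontaudit rules in iptables.if use `$2` as the target type, but the line just above passes `$2` to `modutils_run_insmod(iptables_t, $2)`, whose second parameter is a role; if this interface is `iptables_run` (its header is outside the hunk), `$2` is the role and `dontaudit iptables_t $2:unix_stream_socket rw_socket_perms;` names a role where a type is expected, while the calling domain is `$1`. Rewriting the rules as `dontaudit iptables_t $1:unix_stream_socket rw_socket_perms;` (and the same for `tcp_socket` and `udp_socket`) matches the apparent intent of silencing denials on socket descriptors leaked from the caller into iptables_t. The `ifdef` block is also written at column 0 inside a tab-indented interface body; indenting it one tab like the neighbouring `optional_policy` block keeps the file consistent.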
@@ -30692,15 +31452,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
  
  manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
  files_pid_filetrans(iptables_t, iptables_var_run_t, file)
-@@ -53,6 +51,7 @@
+@@ -53,8 +51,12 @@
  kernel_use_fds(iptables_t)
  
  corenet_relabelto_all_packets(iptables_t)
 +corenet_dontaudit_rw_tun_tap_dev(iptables_t)
  
  dev_read_sysfs(iptables_t)
++ifdef(`hide_broken_symptoms',`
++	dev_dontaudit_write_mtrr(iptables_t)
++')
  
-@@ -63,6 +62,7 @@
+ fs_getattr_xattr_fs(iptables_t)
+ fs_search_auto_mountpoints(iptables_t)
+@@ -63,6 +65,7 @@
  mls_file_read_all_levels(iptables_t)
  
  term_dontaudit_use_console(iptables_t)
@@ -30708,7 +31473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
  
  domain_use_interactive_fds(iptables_t)
  
-@@ -76,6 +76,7 @@
+@@ -76,6 +79,7 @@
  # to allow rules to be saved on reboot:
  init_rw_script_tmp_files(iptables_t)
  init_rw_script_stream_sockets(iptables_t)
@@ -30716,7 +31481,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
  
  logging_send_syslog_msg(iptables_t)
  
-@@ -89,6 +90,7 @@
+@@ -89,6 +93,7 @@
  
  optional_policy(`
  	fail2ban_append_log(iptables_t)
@@ -30724,7 +31489,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
  ')
  
  optional_policy(`
-@@ -122,5 +124,10 @@
+@@ -122,5 +127,10 @@
  ')
  
  optional_policy(`
@@ -31401,7 +32166,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 +/var/webmin(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.7.8/policy/modules/system/logging.if
 --- nsaserefpolicy/policy/modules/system/logging.if	2009-08-28 14:58:20.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/logging.if	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/logging.if	2010-02-05 11:22:48.000000000 -0500
 @@ -69,6 +69,20 @@
  
  ########################################
@@ -31423,16 +32188,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  ##	Set up audit
  ## </summary>
  ## <param name="domain">
-@@ -624,7 +638,7 @@
+@@ -624,7 +638,25 @@
  	')
  
  	files_search_var($1)
 -	append_files_pattern($1, var_log_t, logfile)
 +	append_files_pattern($1, logfile, logfile)
++')
++
++########################################
++## <summary>
++##	Append to all log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`logging_inherit_append_all_logs',`
++	gen_require(`
++		attribute logfile;
++	')
++
++	allow $1 logfile:file { getattr append };
  ')
  
  ########################################
-@@ -707,7 +721,9 @@
+@@ -707,7 +739,9 @@
  
  	files_search_var($1)
  	manage_files_pattern($1, logfile, logfile)
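Review bot: The summary of the new `logging_inherit_append_all_logs` interface reads `Append to all log files.`, which describes the full append interface, yet the rule grants only `{ getattr append }` on `logfile` with no `open`, so it is usable only on descriptors inherited from another domain. Making that explicit, e.g. `##	Append to all log files through an inherited file descriptor (no open permission).`, tells policy writers which of the two interfaces to choose and keeps the least-privilege intent of the new one visible. The hunk begins inside the preceding interface, whose header is outside the view.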
@@ -31730,7 +32513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.8/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te	2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/modutils.te	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/modutils.te	2010-02-08 11:50:22.000000000 -0500
 @@ -19,6 +19,7 @@
  type insmod_exec_t;
  application_domain(insmod_t, insmod_exec_t)
@@ -31771,7 +32554,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
  allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
  
  allow insmod_t self:udp_socket create_socket_perms;
-@@ -143,6 +147,7 @@
+@@ -126,6 +130,7 @@
+ kernel_mount_debugfs(insmod_t)
+ kernel_mount_kvmfs(insmod_t)
+ kernel_read_debugfs(insmod_t)
++kernel_request_load_module(insmod_t)
+ # Rules for /proc/sys/kernel/tainted
+ kernel_read_kernel_sysctls(insmod_t)
+ kernel_rw_kernel_sysctl(insmod_t)
+@@ -143,6 +148,7 @@
  dev_read_sound(insmod_t)
  dev_write_sound(insmod_t)
  dev_rw_apm_bios(insmod_t)
@@ -31779,7 +32570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
  
  domain_signal_all_domains(insmod_t)
  domain_use_interactive_fds(insmod_t)
-@@ -160,11 +165,15 @@
+@@ -160,11 +166,15 @@
  files_write_kernel_modules(insmod_t)
  
  fs_getattr_xattr_fs(insmod_t)
@@ -31795,7 +32586,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
  
  logging_send_syslog_msg(insmod_t)
  logging_search_logs(insmod_t)
-@@ -173,10 +182,13 @@
+@@ -173,10 +183,13 @@
  
  seutil_read_file_contexts(insmod_t)
  
@@ -31811,7 +32602,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
  if( ! secure_mode_insmod ) {
  	kernel_domtrans_to(insmod_t, insmod_exec_t)
  }
-@@ -230,7 +242,7 @@
+@@ -230,7 +243,7 @@
  ')
  
  optional_policy(`
@@ -31926,7 +32717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.8/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/mount.te	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/mount.te	2010-02-05 14:44:10.000000000 -0500
 @@ -18,8 +18,15 @@
  init_system_domain(mount_t, mount_exec_t)
  role system_r types mount_t;
@@ -32129,7 +32920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  # for kernel package installation
  optional_policy(`
  	rpm_rw_pipes(mount_t)
-@@ -186,6 +259,15 @@
+@@ -186,6 +259,19 @@
  
  optional_policy(`
  	samba_domtrans_smbmount(mount_t)
@@ -32137,6 +32928,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 +')
 +
 +optional_policy(`
++	ssh_exec(mount_t)
++')
++
++optional_policy(`
 +	usbmuxd_stream_connect(mount_t)
 +')
 +
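Review bot: `ssh_exec(mount_t)` lets mount_t run the ssh client without a domain transition, so ssh executes with every privilege mount_t holds and any ssh configuration it reads is processed in that domain. A one-line comment naming the helper that needs it would justify the rule, e.g. `# ssh is spawned by a network-filesystem mount helper — presumably sshfs, confirm`; if a confined ssh domain is available for this use, a domtrans interface would be the tighter choice than plain exec.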
@@ -32145,7 +32940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  ')
  
  ########################################
-@@ -195,5 +277,9 @@
+@@ -195,5 +281,9 @@
  
  optional_policy(`
  	files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
@@ -33003,7 +33798,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.8/policy/modules/system/sysnetwork.if
 --- nsaserefpolicy/policy/modules/system/sysnetwork.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/sysnetwork.if	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/sysnetwork.if	2010-02-08 14:34:28.000000000 -0500
 @@ -43,6 +43,36 @@
  
  	sysnet_domtrans_dhcpc($1)
@@ -33182,7 +33977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.8/policy/modules/system/sysnetwork.te
 --- nsaserefpolicy/policy/modules/system/sysnetwork.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/sysnetwork.te	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/sysnetwork.te	2010-02-08 13:45:54.000000000 -0500
 @@ -20,6 +20,9 @@
  init_daemon_domain(dhcpc_t, dhcpc_exec_t)
  role system_r types dhcpc_t;
@@ -33419,7 +34214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.8/policy/modules/system/udev.te
 --- nsaserefpolicy/policy/modules/system/udev.te	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/udev.te	2010-02-03 14:21:06.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/udev.te	2010-02-08 11:55:08.000000000 -0500
 @@ -50,6 +50,7 @@
  allow udev_t self:unix_stream_socket connectto;
  allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -33428,7 +34223,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
  
  allow udev_t udev_exec_t:file write;
  can_exec(udev_t, udev_exec_t)
-@@ -210,6 +211,10 @@
+@@ -99,6 +100,7 @@
+ # udev_node.c/node_symlink() symlink labels are explicitly
+ # preserved, instead of short circuiting the relabel
+ dev_relabel_generic_symlinks(udev_t)
++dev_manage_generic_symlinks(udev_t)
+ 
+ domain_read_all_domains_state(udev_t)
+ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
+@@ -210,6 +212,10 @@
  ')
  
  optional_policy(`
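Review bot: `dev_manage_generic_symlinks(udev_t)` is inserted directly under the comment that explains only the relabel rule (`udev_node.c/node_symlink() symlink labels are explicitly preserved`), so the comment now appears to cover both calls while saying nothing about why udev needs create, unlink and rename on all generic device symlinks. A separate comment on the new line, e.g. `# udev creates and removes /dev symlinks itself — presumably udev_node.c, confirm`, keeps the rationale per rule and makes the broader grant reviewable on its own.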
@@ -33439,7 +34242,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
  	consoletype_exec(udev_t)
  ')
  
-@@ -236,6 +241,7 @@
+@@ -236,6 +242,7 @@
  
  optional_policy(`
  	hal_dgram_send(udev_t)
@@ -33447,7 +34250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
  ')
  
  optional_policy(`
-@@ -263,7 +269,7 @@
+@@ -263,7 +270,7 @@
  ')
  
  optional_policy(`
@@ -33456,7 +34259,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
  ')
  
  optional_policy(`
-@@ -271,6 +277,14 @@
+@@ -271,6 +278,14 @@
  ')
  
  optional_policy(`
@@ -34248,7 +35051,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/userdomain.if	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/userdomain.if	2010-02-05 11:22:50.000000000 -0500
 @@ -30,8 +30,9 @@
  	')
  
@@ -36829,9 +37632,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
  	#Should have a boolean wrapping these
  	fs_list_auto_mountpoints(xend_t)
  	files_search_mnt(xend_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns.spt serefpolicy-3.7.8/policy/support/misc_patterns.spt
+--- nsaserefpolicy/policy/support/misc_patterns.spt	2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.8/policy/support/misc_patterns.spt	2010-02-05 16:37:16.000000000 -0500
+@@ -15,7 +15,7 @@
+ 	domain_transition_pattern($1,$2,$3)
+ 
+ 	allow $3 $1:fd use;
+-	allow $3 $1:fifo_file rw_fifo_file_perms;
++	allow $3 $1:fifo_file rw_inherited_fifo_file_perms;
+ 	allow $3 $1:process sigchld;
+ ')
+ 
+@@ -34,7 +34,7 @@
+ 	domain_auto_transition_pattern($1,$2,$3)
+ 
+ 	allow $3 $1:fd use;
+-	allow $3 $1:fifo_file rw_fifo_file_perms;
++	allow $3 $1:fifo_file rw_inherited_fifo_file_perms;
+ 	allow $3 $1:process sigchld;
+ ')
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.8/policy/support/obj_perm_sets.spt
 --- nsaserefpolicy/policy/support/obj_perm_sets.spt	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/support/obj_perm_sets.spt	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/support/obj_perm_sets.spt	2010-02-08 12:51:47.000000000 -0500
 @@ -28,7 +28,7 @@
  #
  # All socket classes.
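Review bot: Both patterns now reference `rw_inherited_fifo_file_perms`, but no definition of that macro appears in the obj_perm_sets.spt hunks visible in this patch; if it is not defined elsewhere in the same change, every caller of these domtrans patterns fails to build. Assuming it is the open-less subset of `rw_fifo_file_perms`, a comment on the first changed line, `# inherited pipe only: the child may use the parent's open pipe but not reopen it`, records the least-privilege reason for the tightening, which otherwise reads as a bare rename.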
@@ -36858,6 +37682,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets
  define(`create_file_perms',`{ getattr create open }')
  define(`rename_file_perms',`{ getattr rename }')
  define(`delete_file_perms',`{ getattr unlink }')
+@@ -225,7 +227,7 @@
+ define(`create_lnk_file_perms',`{ create getattr }')
+ define(`rename_lnk_file_perms',`{ getattr rename }')
+ define(`delete_lnk_file_perms',`{ getattr unlink }')
+-define(`manage_lnk_file_perms',`{ create read getattr setattr link unlink rename }')
++define(`manage_lnk_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
+ define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
+ define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
+ define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
 @@ -238,7 +240,8 @@
  define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
  define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
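Review bot: The widened `manage_lnk_file_perms` now grants `write append ioctl lock` on lnk_file to every caller of the macro (and of the patterns built on it), none of which appears in the neighbouring create/rename/delete/relabel lnk_file sets, and the hunk gives no reason for the change. Because this expands many existing rules at once rather than only the domains that produced denials, a comment above the define stating why the extra permissions are needed — or, if only a few domains need them, an explicit rule for those domains — would keep the change reviewable. For example: `# lnk_file manage also covers write/append/ioctl/lock — TODO record which denials motivated this`.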