diff --git a/policy-F13.patch b/policy-F13.patch
index bf460c6..6f7e206 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -1119,7 +1119,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if 
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.7.8/policy/modules/admin/rpm.te
 --- nsaserefpolicy/policy/modules/admin/rpm.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/admin/rpm.te	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/rpm.te	2010-02-09 08:59:57.000000000 -0500
 @@ -15,6 +15,9 @@
  domain_interactive_fd(rpm_t)
  role system_r types rpm_t;
@@ -1226,24 +1226,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te 
  
  libs_exec_ld_so(rpm_t)
  libs_exec_lib_files(rpm_t)
-@@ -174,44 +202,41 @@
+@@ -174,7 +202,19 @@
  ')
  
  optional_policy(`
+-	hal_dbus_chat(rpm_t)
++	dbus_system_domain(rpm_t, rpm_exec_t)
++
++	optional_policy(`
++		hal_dbus_chat(rpm_t)
++	')
++
++	optional_policy(`
++		networkmanager_dbus_chat(rpm_t)
++	')
++
 +	optional_policy(`
- 	hal_dbus_chat(rpm_t)
++		dbus_system_domain(rpm_t, debuginfo_exec_t)
++	')
  ')
  
  optional_policy(`
--	prelink_domtrans(rpm_t)
-+		networkmanager_dbus_chat(rpm_t)
+@@ -182,36 +222,19 @@
  ')
  
  optional_policy(`
 -	unconfined_domain(rpm_t)
--	# yum-updatesd requires this
--	unconfined_dbus_chat(rpm_t)
-+		dbus_system_domain(rpm_t, rpm_exec_t)
++	unconfined_domain_noaudit(rpm_t)
+ 	# yum-updatesd requires this
+ 	unconfined_dbus_chat(rpm_t)
++	unconfined_dbus_chat(rpm_script_t)
  ')
  
 -ifdef(`TODO',`
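Review bot: The `dbus_system_domain(rpm_t, rpm_exec_t)` call now sits in the same hunk as `unconfined_domain_noaudit(rpm_t)`, so the system bus can service-activate rpm straight into a domain that, going by that interface's name, is effectively unconfined, and nothing in this policy restricts who may request that activation — that gate lives entirely in dbus's own service configuration. That is worth stating in the .te so the next reader does not assume the bus-activated transition is a confined one; I would put `# rpm_t is unconfined below: activation via the system bus is gated only by dbus service policy` directly above the `dbus_system_domain(rpm_t, rpm_exec_t)` line. Nesting `hal_dbus_chat` and `networkmanager_dbus_chat` inside the dbus `optional_policy` is the right structure, since both only make sense when the dbus module is present.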
@@ -1256,25 +1268,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te 
 -allow rpm_t fs_type:dir { setattr rw_dir_perms };
 -
 -allow rpm_t mount_t:tcp_socket write;
-+	optional_policy(`
-+		dbus_system_domain(rpm_t, debuginfo_exec_t)
-+	')
-+')
- 
+-
 -allow rpm_t rpc_pipefs_t:dir search;
-+optional_policy(`
-+	prelink_domtrans(rpm_t)
-+')
- 
- optional_policy(`
+-
+-optional_policy(`
 -allow rpm_t sysadm_gph_t:fd use;
-+	unconfined_domain_noaudit(rpm_t)
-+	# yum-updatesd requires this
-+	unconfined_dbus_chat(rpm_t)
-+	unconfined_dbus_chat(rpm_script_t)
- ')
+-')
 -') dnl endif TODO
- 
+-
  ########################################
  #
  # rpm-script Local policy
@@ -1287,7 +1288,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te 
  allow rpm_script_t self:fd use;
  allow rpm_script_t self:fifo_file rw_fifo_file_perms;
  allow rpm_script_t self:unix_dgram_socket create_socket_perms;
-@@ -222,12 +247,15 @@
+@@ -222,12 +245,15 @@
  allow rpm_script_t self:sem create_sem_perms;
  allow rpm_script_t self:msgq create_msgq_perms;
  allow rpm_script_t self:msg { send receive };
@@ -1303,7 +1304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te 
  files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
  
  manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
-@@ -239,6 +267,9 @@
+@@ -239,6 +265,9 @@
  
  kernel_read_kernel_sysctls(rpm_script_t)
  kernel_read_system_state(rpm_script_t)
@@ -1313,7 +1314,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te 
  
  dev_list_sysfs(rpm_script_t)
  
-@@ -254,7 +285,9 @@
+@@ -254,7 +283,9 @@
  fs_getattr_xattr_fs(rpm_script_t)
  fs_mount_xattr_fs(rpm_script_t)
  fs_unmount_xattr_fs(rpm_script_t)
@@ -1323,7 +1324,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te 
  
  mcs_killall(rpm_script_t)
  mcs_ptrace_all(rpm_script_t)
-@@ -272,14 +305,19 @@
+@@ -272,14 +303,19 @@
  storage_raw_read_fixed_disk(rpm_script_t)
  storage_raw_write_fixed_disk(rpm_script_t)
  
@@ -1343,7 +1344,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te 
  
  domain_read_all_domains_state(rpm_script_t)
  domain_getattr_all_domains(rpm_script_t)
-@@ -291,8 +329,10 @@
+@@ -291,8 +327,10 @@
  files_exec_etc_files(rpm_script_t)
  files_read_etc_runtime_files(rpm_script_t)
  files_exec_usr_files(rpm_script_t)
@@ -1354,7 +1355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te 
  
  libs_exec_ld_so(rpm_script_t)
  libs_exec_lib_files(rpm_script_t)
-@@ -308,12 +348,15 @@
+@@ -308,12 +346,15 @@
  seutil_domtrans_loadpolicy(rpm_script_t)
  seutil_domtrans_setfiles(rpm_script_t)
  seutil_domtrans_semanage(rpm_script_t)
@@ -1370,7 +1371,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te 
  	')
  ')
  
-@@ -326,13 +369,22 @@
+@@ -326,13 +367,22 @@
  ')
  
  optional_policy(`
@@ -1994,7 +1995,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.i
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.8/policy/modules/apps/chrome.te
 --- nsaserefpolicy/policy/modules/apps/chrome.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/chrome.te	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/chrome.te	2010-02-09 10:40:33.000000000 -0500
 @@ -0,0 +1,82 @@
 +policy_module(chrome,1.0.0)
 +
@@ -2019,8 +2020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.t
 +#
 +# chrome_sandbox local policy
 +#
-+allow chrome_sandbox_t self:capability { setuid sys_admin dac_override sys_chroot chown fsetid setgid };
-+dontaudit chrome_sandbox_t self:capability { sys_ptrace };
++allow chrome_sandbox_t self:capability { setuid sys_admin sys_ptrace dac_override sys_chroot chown fsetid setgid };
 +allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
 +allow chrome_sandbox_t self:fifo_file manage_file_perms;
 +allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;
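Review bot: The capability line turns `sys_ptrace` from a `dontaudit` into an `allow` for chrome_sandbox_t, a domain that already holds setuid, sys_admin, sys_chroot and dac_override, and the hunk gives no indication of which operation actually needed it. Under SELinux CAP_SYS_PTRACE by itself does not let the domain ptrace other domains (that still needs `process ptrace` on the target type), but it does lift the kernel's DAC restrictions on ptrace and /proc access, so a silenced denial becoming a grant is a real widening rather than noise reduction. If a concrete denial blocked the sandbox, record it on the line, e.g. `# sys_ptrace: needed for <operation> (see AVC)`; otherwise the previous `dontaudit chrome_sandbox_t self:capability { sys_ptrace };` is the safer shape to keep.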
@@ -2065,6 +2065,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.t
 +
 +optional_policy(`
 +	xserver_use_user_fonts(chrome_sandbox_t)
++	xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t)
 +')
 +
 +tunable_policy(`use_nfs_home_dirs',`
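Review bot: Adding `xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t)` moves the sandbox helper from font access only to, by the template's name, a full X client of the user's display, and nothing in the hunk says why the privileged helper needs that rather than the renderer it spawns. Since X offers no isolation between clients of the same display, this gives chrome_sandbox_t the same reach over the session as any ordinary user application, which deserves a one-line justification next to the call, e.g. `# chrome_sandbox_t must talk to the X server directly for <reason> - confirm`. The `optional_policy` block is fully inside the hunk, so the note can sit on the template line itself.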
@@ -2139,8 +2140,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.
 +/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.7.8/policy/modules/apps/execmem.if
 --- nsaserefpolicy/policy/modules/apps/execmem.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/execmem.if	2010-02-02 10:31:03.000000000 -0500
-@@ -0,0 +1,103 @@
++++ serefpolicy-3.7.8/policy/modules/apps/execmem.if	2010-02-10 12:27:20.000000000 -0500
+@@ -0,0 +1,108 @@
 +## <summary>execmem domain</summary>
 +
 +########################################
@@ -2217,6 +2218,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.
 +	')
 +
 +	optional_policy(`
++		nsplugin_rw_shm($1_execmem_t)
++		nsplugin_rw_semaphores($1_execmem_t)
++	')
++
++	optional_policy(`
 +		xserver_role($2, $1_execmem_t)
 +	')
 +')
@@ -2935,7 +2941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc 
 +/usr/java/eclipse[^/]*/eclipse	--	gen_context(system_u:object_r:java_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.7.8/policy/modules/apps/java.if
 --- nsaserefpolicy/policy/modules/apps/java.if	2009-08-18 11:41:14.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/apps/java.if	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/java.if	2010-02-09 10:04:27.000000000 -0500
 @@ -30,6 +30,7 @@
  
  	allow java_t $2:unix_stream_socket connectto;
@@ -3328,7 +3334,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.fc 
 +/usr/bin/mono.*	--	gen_context(system_u:object_r:mono_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.7.8/policy/modules/apps/mono.if
 --- nsaserefpolicy/policy/modules/apps/mono.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/apps/mono.if	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/mono.if	2010-02-09 10:28:01.000000000 -0500
 @@ -21,6 +21,105 @@
  
  ########################################
@@ -3539,7 +3545,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.7.8/policy/modules/apps/mozilla.te
 --- nsaserefpolicy/policy/modules/apps/mozilla.te	2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/mozilla.te	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/mozilla.te	2010-02-09 10:11:18.000000000 -0500
 @@ -91,6 +91,7 @@
  corenet_raw_sendrecv_generic_node(mozilla_t)
  corenet_tcp_sendrecv_http_port(mozilla_t)
@@ -3614,8 +3620,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)?			gen_context(system_u:object_r:nsplugin_rw_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.7.8/policy/modules/apps/nsplugin.if
 --- nsaserefpolicy/policy/modules/apps/nsplugin.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/nsplugin.if	2010-02-02 10:31:03.000000000 -0500
-@@ -0,0 +1,321 @@
++++ serefpolicy-3.7.8/policy/modules/apps/nsplugin.if	2010-02-10 12:26:47.000000000 -0500
+@@ -0,0 +1,358 @@
 +
 +## <summary>policy for nsplugin</summary>
 +
@@ -3937,6 +3943,43 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +
 +	allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms; 
 +')
++
++########################################
++## <summary>
++##	Read and write to nsplugin shared memory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`nsplugin_rw_shm',`
++	gen_require(`
++		type nsplugin_t;
++	')
++
++	allow $1 nsplugin_t:shm rw_shm_perms;
++')
++
++#####################################
++## <summary>
++##      Allow read and write access to nsplugin semaphores.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`nsplugin_rw_semaphores',`
++        gen_require(`
++                type nsplugin_t;
++        ')
++
++        allow $1 nsplugin_t:sem rw_sem_perms;
++')
++
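Review bot: `nsplugin_rw_semaphores` is written with space indentation, a shorter `#####` rule and differently indented XML summary/param text than `nsplugin_rw_shm` immediately above it and the tab-indented interfaces elsewhere in this file, and the hunk also leaves a trailing empty line at the end of nsplugin.if. Beyond the style, both interfaces hand the caller read/write access to SysV shm and semaphores owned by nsplugin_t, i.e. the domain that runs browser plugins, so the caller ends up sharing memory with plugin code; the summary should say that rather than just "read and write". I would reindent the second interface with tabs to match the first and change its summary to `## Allow read and write access to nsplugin semaphores (the caller shares IPC objects with plugin code in nsplugin_t).`, with the equivalent wording on the shm interface.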
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.8/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.7.8/policy/modules/apps/nsplugin.te	2010-02-02 10:31:03.000000000 -0500
@@ -4425,7 +4468,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.8/policy/modules/apps/pulseaudio.if
 --- nsaserefpolicy/policy/modules/apps/pulseaudio.if	2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/apps/pulseaudio.if	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/pulseaudio.if	2010-02-10 12:27:45.000000000 -0500
+@@ -29,7 +29,7 @@
+ 	ps_process_pattern($2, pulseaudio_t)
+ 
+ 	allow pulseaudio_t $2:process { signal signull };
+-	allow $2 pulseaudio_t:process { signal signull };
++	allow $2 pulseaudio_t:process { signal signull sigkill };
+ 	ps_process_pattern(pulseaudio_t, $2)
+ 
+ 	allow pulseaudio_t $2:unix_stream_socket connectto;
 @@ -40,7 +40,7 @@
  	userdom_manage_tmpfs_role($1, pulseaudio_t)
  
@@ -6433,7 +6485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.8/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/kernel/devices.if	2010-02-08 12:14:39.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/kernel/devices.if	2010-02-09 16:10:20.000000000 -0500
 @@ -801,6 +801,24 @@
  
  ########################################
@@ -7125,7 +7177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.8/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/kernel/files.if	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/kernel/files.if	2010-02-09 14:24:24.000000000 -0500
 @@ -932,10 +932,8 @@
  	relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
  	relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -8555,7 +8607,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.t
 +gen_user(guest_u, user, guest_r, s0, s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.8/policy/modules/roles/staff.te
 --- nsaserefpolicy/policy/modules/roles/staff.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/roles/staff.te	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/roles/staff.te	2010-02-09 10:07:37.000000000 -0500
 @@ -10,161 +10,121 @@
  
  userdom_unpriv_user_template(staff)
@@ -8679,35 +8731,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
 -optional_policy(`
 -	razor_role(staff_r, staff_t)
 -')
-+domain_read_all_domains_state(staff_t)
-+domain_getattr_all_domains(staff_t)
++domain_read_all_domains_state(staff_usertype)
++domain_getattr_all_domains(staff_usertype)
 +domain_obj_id_change_exemption(staff_t)
  
 -optional_policy(`
 -	rssh_role(staff_r, staff_t)
 -')
-+files_read_kernel_modules(staff_t)
++files_read_kernel_modules(staff_usertype)
  
 -optional_policy(`
 -	screen_role_template(staff, staff_r, staff_t)
 -')
-+kernel_read_fs_sysctls(staff_t)
++kernel_read_fs_sysctls(staff_usertype)
  
 -optional_policy(`
 -	secadm_role_change(staff_r)
 -')
-+modutils_read_module_config(staff_t)
-+modutils_read_module_deps(staff_t)
++modutils_read_module_config(staff_usertype)
++modutils_read_module_deps(staff_usertype)
  
 -optional_policy(`
 -	spamassassin_role(staff_r, staff_t)
 -')
-+miscfiles_read_hwdata(staff_t)
++miscfiles_read_hwdata(staff_usertype)
  
 -optional_policy(`
 -	ssh_role_template(staff, staff_r, staff_t)
 -')
-+term_use_unallocated_ttys(staff_t)
++term_use_unallocated_ttys(staff_usertype)
  
  optional_policy(`
 -	su_role_template(staff, staff_r, staff_t)
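Review bot: Switching `domain_read_all_domains_state`, `domain_getattr_all_domains`, `files_read_kernel_modules`, `kernel_read_fs_sysctls`, the modutils reads, `miscfiles_read_hwdata` and `term_use_unallocated_ttys` from `staff_t` to the `staff_usertype` attribute widens each grant from the login shell to every domain carrying that attribute, whose membership is not visible in this hunk. `domain_read_all_domains_state` exposes the /proc state of every domain and `term_use_unallocated_ttys` hands out tty access, so the set of derived application domains now receiving them matters, and the hunk keeps `domain_obj_id_change_exemption(staff_t)` on the shell only, which makes the intent harder to read. A short comment would settle it, e.g. `# granted on staff_usertype so staff's derived application domains see the same system state as staff_t - confirm attribute membership`, placed above the first attribute-based line.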
@@ -9760,7 +9812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.8/policy/modules/roles/unconfineduser.te
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/roles/unconfineduser.te	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/roles/unconfineduser.te	2010-02-10 13:39:29.000000000 -0500
 @@ -0,0 +1,445 @@
 +policy_module(unconfineduser, 1.0.0)
 +
@@ -11464,7 +11516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.8/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2009-07-28 15:51:13.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/apache.if	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/apache.if	2010-02-09 16:01:34.000000000 -0500
 @@ -13,21 +13,17 @@
  #
  template(`apache_content_template',`
@@ -12195,7 +12247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.8/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/apache.te	2010-02-05 12:03:18.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/apache.te	2010-02-09 15:52:27.000000000 -0500
 @@ -19,6 +19,8 @@
  # Declarations
  #
@@ -12281,7 +12333,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ## Unify HTTPD to communicate with the terminal.
  ## Needed for entering the passphrase for certificates at
  ## the terminal.
-@@ -108,6 +145,29 @@
+@@ -108,6 +145,36 @@
  ## </desc>
  gen_tunable(httpd_unified, false)
  
@@ -12301,6 +12353,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +
 +## <desc>
 +## <p>
++## Allow httpd to run gpg
++## </p>
++## </desc>
++gen_tunable(httpd_use_gpg, false)
++
++## <desc>
++## <p>
 +## Allow apache scripts to write to public content.  Directories/Files must be labeled public_content_rw_t.
 +## </p>
 +## </desc>
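Review bot: The description of the new `httpd_use_gpg` tunable, "Allow httpd to run gpg", understates what it gates: the `tunable_policy` that consumes it further down this patch is conditioned on `httpd_enable_cgi && httpd_use_gpg` and grants `gpg_domtrans(httpd_t)`, so the boolean is inert unless CGI is enabled and, when active, lets the web server itself transition into the gpg domain. Tunable descriptions are what administrators see in `semanage boolean -l`, so the coupling should be spelled out there; I would change the text to `## Allow httpd to execute gpg via a domain transition. Only effective when httpd_enable_cgi is also enabled.`. Defaulting the tunable to `false` is the right choice.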
@@ -12311,7 +12370,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  attribute httpdcontent;
  attribute httpd_user_content_type;
  
-@@ -140,6 +200,9 @@
+@@ -140,6 +207,9 @@
  domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
  role system_r types httpd_helper_t;
  
@@ -12321,7 +12380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  type httpd_lock_t;
  files_lock_file(httpd_lock_t)
  
-@@ -180,6 +243,10 @@
+@@ -180,6 +250,10 @@
  # setup the system domain for system CGI scripts
  apache_content_template(sys)
  
@@ -12332,7 +12391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  type httpd_tmp_t;
  files_tmp_file(httpd_tmp_t)
  
-@@ -187,28 +254,28 @@
+@@ -187,28 +261,28 @@
  files_tmpfs_file(httpd_tmpfs_t)
  
  apache_content_template(user)
@@ -12374,7 +12433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  # for apache2 memory mapped files
  type httpd_var_lib_t;
-@@ -230,7 +297,7 @@
+@@ -230,7 +304,7 @@
  # Apache server local policy
  #
  
@@ -12383,7 +12442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  dontaudit httpd_t self:capability { net_admin sys_tty_config };
  allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow httpd_t self:fd use;
-@@ -249,6 +316,7 @@
+@@ -249,6 +323,7 @@
  manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
  manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
  manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
@@ -12391,7 +12450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  # Allow the httpd_t to read the web servers config files
  allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -272,6 +340,7 @@
+@@ -272,6 +347,7 @@
  allow httpd_t httpd_modules_t:dir list_dir_perms;
  mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
@@ -12399,7 +12458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  apache_domtrans_rotatelogs(httpd_t)
  # Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -283,9 +352,9 @@
+@@ -283,9 +359,9 @@
  
  allow httpd_t httpd_suexec_exec_t:file read_file_perms;
  
@@ -12412,7 +12471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
  manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -301,9 +370,11 @@
+@@ -301,9 +377,11 @@
  manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
  files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
  
@@ -12425,7 +12484,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
-@@ -312,18 +383,21 @@
+@@ -312,18 +390,21 @@
  kernel_read_kernel_sysctls(httpd_t)
  # for modules that want to access /proc/meminfo
  kernel_read_system_state(httpd_t)
@@ -12452,7 +12511,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  corenet_sendrecv_http_server_packets(httpd_t)
  # Signal self for shutdown
  corenet_tcp_connect_http_port(httpd_t)
-@@ -335,15 +409,15 @@
+@@ -335,15 +416,15 @@
  
  fs_getattr_all_fs(httpd_t)
  fs_search_auto_mountpoints(httpd_t)
@@ -12471,7 +12530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  files_read_usr_files(httpd_t)
  files_list_mnt(httpd_t)
  files_search_spool(httpd_t)
-@@ -358,6 +432,10 @@
+@@ -358,6 +439,10 @@
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -12482,7 +12541,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  libs_read_lib_files(httpd_t)
  
-@@ -372,18 +450,33 @@
+@@ -372,18 +457,33 @@
  
  userdom_use_unpriv_users_fds(httpd_t)
  
@@ -12520,7 +12579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  ')
  
-@@ -391,32 +484,71 @@
+@@ -391,32 +491,71 @@
  	corenet_tcp_connect_all_ports(httpd_t)
  ')
  
@@ -12597,7 +12656,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -424,11 +556,23 @@
+@@ -424,11 +563,23 @@
  	fs_read_nfs_symlinks(httpd_t)
  ')
  
@@ -12621,7 +12680,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
  	allow httpd_sys_script_t httpd_t:fd use;
-@@ -451,6 +595,21 @@
+@@ -451,6 +602,21 @@
  ')
  
  optional_policy(`
@@ -12643,7 +12702,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	cron_system_entry(httpd_t, httpd_exec_t)
  ')
  
-@@ -459,8 +618,18 @@
+@@ -459,8 +625,24 @@
  ')
  
  optional_policy(`
@@ -12660,11 +12719,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +')
 +
 +optional_policy(`
++tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
++	gpg_domtrans(httpd_t)
++')
++')
++
++optional_policy(`
 +	kerberos_keytab_template(httpd, httpd_t)
  ')
  
  optional_policy(`
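Review bot: The new `tunable_policy` block is not indented inside its `optional_policy` wrapper, unlike every other nested block in this file (the `kerberos_keytab_template` block directly below, for instance), so the two lines should read `	tunable_policy(\`httpd_enable_cgi && httpd_use_gpg',\`` and `		gpg_domtrans(httpd_t)` with a tab-indented closing `	')`. More substantively, the domtrans is granted to `httpd_t` although the condition is tied to `httpd_enable_cgi`; if the intent is that CGI scripts may call gpg, the transition belongs on the script domain (`httpd_sys_script_t`) rather than on the server process, which would otherwise be able to exec gpg from any module code path — confirm which was meant and note it on the line, e.g. `# server-side transition: modules as well as CGI may exec gpg`.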
-@@ -468,22 +637,19 @@
+@@ -468,22 +650,19 @@
  	mailman_domtrans_cgi(httpd_t)
  	# should have separate types for public and private archives
  	mailman_search_data(httpd_t)
@@ -12690,7 +12755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  optional_policy(`
-@@ -494,12 +660,23 @@
+@@ -494,12 +673,23 @@
  ')
  
  optional_policy(`
@@ -12714,7 +12779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	')
  ')
  
-@@ -508,6 +685,7 @@
+@@ -508,6 +698,7 @@
  ')
  
  optional_policy(`
@@ -12722,7 +12787,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -535,6 +713,23 @@
+@@ -535,6 +726,23 @@
  
  userdom_use_user_terminals(httpd_helper_t)
  
@@ -12746,7 +12811,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ########################################
  #
  # Apache PHP script local policy
-@@ -564,20 +759,25 @@
+@@ -564,20 +772,25 @@
  
  fs_search_auto_mountpoints(httpd_php_t)
  
@@ -12778,7 +12843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  ########################################
-@@ -595,23 +795,24 @@
+@@ -595,23 +808,24 @@
  append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
  read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
  
@@ -12807,7 +12872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -624,6 +825,7 @@
+@@ -624,6 +838,7 @@
  logging_send_syslog_msg(httpd_suexec_t)
  
  miscfiles_read_localization(httpd_suexec_t)
@@ -12815,7 +12880,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  tunable_policy(`httpd_can_network_connect',`
  	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
-@@ -631,22 +833,31 @@
+@@ -631,22 +846,31 @@
  
  	corenet_all_recvfrom_unlabeled(httpd_suexec_t)
  	corenet_all_recvfrom_netlabel(httpd_suexec_t)
@@ -12854,7 +12919,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -672,16 +883,16 @@
+@@ -672,16 +896,16 @@
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -12875,7 +12940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  dontaudit httpd_sys_script_t httpd_config_t:dir search;
  
-@@ -699,12 +910,24 @@
+@@ -699,12 +923,24 @@
  # Should we add a boolean?
  apache_domtrans_rotatelogs(httpd_sys_script_t)
  
@@ -12902,7 +12967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -712,6 +935,35 @@
+@@ -712,6 +948,35 @@
  	fs_read_nfs_symlinks(httpd_sys_script_t)
  ')
  
@@ -12938,7 +13003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -724,6 +976,10 @@
+@@ -724,6 +989,10 @@
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -12949,7 +13014,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  optional_policy(`
-@@ -735,6 +991,8 @@
+@@ -735,6 +1004,8 @@
  # httpd_rotatelogs local policy
  #
  
@@ -12958,7 +13023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
  
  kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-@@ -754,11 +1012,88 @@
+@@ -754,11 +1025,88 @@
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -12978,12 +13043,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +	userdom_search_user_home_content(httpd_t)
 +	userdom_search_user_home_content(httpd_suexec_t)
 +	userdom_search_user_home_content(httpd_user_script_t)
-+')
+ ')
 +
 +tunable_policy(`httpd_read_user_content',`
 +	userdom_read_user_home_content_files(httpd_user_script_t)
 +	userdom_read_user_home_content_files(httpd_suexec_t)
- ')
++')
 +
 +tunable_policy(`httpd_read_user_content && httpd_builtin_scripting',`
 +	userdom_read_user_home_content_files(httpd_t)
@@ -14279,7 +14344,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clog
 +/var/run/clogd\.pid             --      gen_context(system_u:object_r:clogd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.7.8/policy/modules/services/clogd.if
 --- nsaserefpolicy/policy/modules/services/clogd.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/clogd.if	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/clogd.if	2010-02-09 10:29:01.000000000 -0500
 @@ -0,0 +1,98 @@
 +## <summary>clogd - clustered mirror log server</summary>
 +
@@ -15921,7 +15986,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru
  	snmp_stream_connect(cyrus_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.7.8/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/dbus.if	2010-02-08 12:17:04.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/dbus.if	2010-02-09 09:01:28.000000000 -0500
 @@ -42,8 +42,10 @@
  	gen_require(`
  		class dbus { send_msg acquire_svc };
@@ -16012,10 +16077,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
  ##	for service (acquire_svc).
  ## </summary>
  ## <param name="domain">
-@@ -364,6 +372,16 @@
+@@ -364,6 +372,18 @@
  	dbus_system_bus_client($1)
  	dbus_connect_system_bus($1)
  
++	ps_process_pattern(system_dbusd_t, $1)
++
 +	userdom_dontaudit_search_admin_dir($1)
 +
 +	optional_policy(`
@@ -16029,7 +16096,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
  	ifdef(`hide_broken_symptoms', `
  		dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
  	')
-@@ -405,3 +423,24 @@
+@@ -405,3 +425,24 @@
  
  	typeattribute $1 dbusd_unconfined;
  ')
@@ -16585,6 +16652,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp
  ##	Set the attributes of the DCHP
  ##	server state files.
  ## </summary>
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.7.8/policy/modules/services/djbdns.if
+--- nsaserefpolicy/policy/modules/services/djbdns.if	2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.8/policy/modules/services/djbdns.if	2010-02-10 13:04:18.000000000 -0500
+@@ -26,6 +26,8 @@
+ 	daemontools_read_svc(djbdns_$1_t)
+ 
+ 	allow djbdns_$1_t self:capability { net_bind_service setgid setuid sys_chroot };
++	allow djbdns_$1_t self:process signal;
++	allow djbdns_$1_t self:fifo_file rw_fifo_file_perms;
+ 	allow djbdns_$1_t self:tcp_socket create_stream_socket_perms;
+ 	allow djbdns_$1_t self:udp_socket create_socket_perms;
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.7.8/policy/modules/services/dnsmasq.fc
 --- nsaserefpolicy/policy/modules/services/dnsmasq.fc	2009-07-14 14:19:57.000000000 -0400
 +++ serefpolicy-3.7.8/policy/modules/services/dnsmasq.fc	2010-02-02 10:31:03.000000000 -0500
@@ -17221,7 +17300,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.7.8/policy/modules/services/git.fc
 --- nsaserefpolicy/policy/modules/services/git.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/git.fc	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/git.fc	2010-02-10 13:25:49.000000000 -0500
 @@ -1,3 +1,16 @@
 -/var/cache/cgit(/.*)?		gen_context(system_u:object_r:httpd_git_script_rw_t,s0)
 -/var/lib/git(/.*)?		gen_context(system_u:object_r:httpd_git_content_t,s0)
@@ -19239,8 +19318,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
  mysql_write_log(mysqld_safe_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.7.8/policy/modules/services/nagios.fc
 --- nsaserefpolicy/policy/modules/services/nagios.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/nagios.fc	2010-02-02 10:31:03.000000000 -0500
-@@ -1,16 +1,85 @@
++++ serefpolicy-3.7.8/policy/modules/services/nagios.fc	2010-02-09 10:17:49.000000000 -0500
+@@ -1,16 +1,87 @@
  /etc/nagios(/.*)?			gen_context(system_u:object_r:nagios_etc_t,s0)
  /etc/nagios/nrpe\.cfg		--	gen_context(system_u:object_r:nrpe_etc_t,s0)
 +/etc/rc\.d/init\.d/nagios	--	gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
@@ -19271,6 +19350,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
 +/usr/lib(64)?/cgi-bin/nagios(/.+)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
 +/usr/lib(64)?/nagios/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
 +
++# admin plugins
++/usr/lib(64)?/nagios/plugins/check_mailq        --      gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0)
++
 +# check disk plugins
 +/usr/lib(64)?/nagios/plugins/check_disk			--		gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
 +/usr/lib(64)?/nagios/plugins/check_disk_smb		--		gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
@@ -19286,7 +19368,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
 +/usr/lib(64)?/nagios/plugins/check_ifstatus		--		gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
 +/usr/lib(64)?/nagios/plugins/check_load			--		gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
 +/usr/lib(64)?/nagios/plugins/check_log			--		gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_mailq		--		gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
 +/usr/lib(64)?/nagios/plugins/check_mrtg			--		gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
 +/usr/lib(64)?/nagios/plugins/check_mrtgtraf		--		gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
 +/usr/lib(64)?/nagios/plugins/check_nagios		--		gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
@@ -19493,7 +19574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.8/policy/modules/services/nagios.te
 --- nsaserefpolicy/policy/modules/services/nagios.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/nagios.te	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/nagios.te	2010-02-09 10:17:49.000000000 -0500
 @@ -6,17 +6,23 @@
  # Declarations
  #
@@ -19532,13 +19613,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
  type nrpe_t;
  type nrpe_exec_t;
  init_daemon_domain(nrpe_t, nrpe_exec_t)
-@@ -33,6 +42,33 @@
+@@ -33,6 +42,38 @@
  type nrpe_etc_t;
  files_config_file(nrpe_etc_t)
  
 +type nrpe_var_run_t;
 +files_pid_file(nrpe_var_run_t)
 +
++# creates nagios_admin_plugin_exec_t for executable
++# and nagios_admin_plugin_t for domain
++nagios_plugin_template(admin)
++
 +# creates nagios_checkdisk_plugin_exec_t for executable
 +# and nagios_checkdisk_plugin_t for domain
 +nagios_plugin_template(checkdisk)
@@ -19559,6 +19644,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
 +	unconfined_domain(nagios_unconfined_plugin_t)
 +')
 +
++permissive nagios_admin_plugin_t;
 +permissive nagios_checkdisk_plugin_t;
 +permissive nagios_services_plugin_t;
 +permissive nagios_system_plugin_t;
@@ -19566,7 +19652,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
  ########################################
  #
  # Nagios local policy
-@@ -45,6 +81,9 @@
+@@ -45,6 +86,9 @@
  allow nagios_t self:tcp_socket create_stream_socket_perms;
  allow nagios_t self:udp_socket create_socket_perms;
  
@@ -19576,7 +19662,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
  read_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t)
  read_lnk_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t)
  allow nagios_t nagios_etc_t:dir list_dir_perms;
-@@ -60,6 +99,8 @@
+@@ -60,6 +104,8 @@
  manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
  files_pid_filetrans(nagios_t, nagios_var_run_t, file)
  
@@ -19585,7 +19671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
  kernel_read_system_state(nagios_t)
  kernel_read_kernel_sysctls(nagios_t)
  
-@@ -76,6 +117,9 @@
+@@ -76,6 +122,9 @@
  corenet_udp_sendrecv_all_ports(nagios_t)
  corenet_tcp_connect_all_ports(nagios_t)
  
@@ -19595,7 +19681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
  dev_read_sysfs(nagios_t)
  dev_read_urand(nagios_t)
  
-@@ -86,6 +130,7 @@
+@@ -86,6 +135,7 @@
  files_read_etc_files(nagios_t)
  files_read_etc_runtime_files(nagios_t)
  files_read_kernel_symbol_table(nagios_t)
@@ -19603,7 +19689,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
  
  fs_getattr_all_fs(nagios_t)
  fs_search_auto_mountpoints(nagios_t)
-@@ -118,61 +163,63 @@
+@@ -118,61 +168,63 @@
  	udev_read_db(nagios_t)
  ')
  
@@ -19625,45 +19711,45 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
 -
 -read_files_pattern(nagios_cgi_t, nagios_t, nagios_t)
 -read_lnk_files_pattern(nagios_cgi_t, nagios_t, nagios_t)
-+allow httpd_nagios_script_t self:process signal_perms;
- 
+-
 -allow nagios_cgi_t nagios_etc_t:dir list_dir_perms;
 -read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t)
 -read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t)
-+read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
-+read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
++allow httpd_nagios_script_t self:process signal_perms;
  
 -allow nagios_cgi_t nagios_log_t:dir list_dir_perms;
 -read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)
 -read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)
++read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
++read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
+ 
+-kernel_read_system_state(nagios_cgi_t)
 +files_search_spool(httpd_nagios_script_t)
 +rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t)
  
--kernel_read_system_state(nagios_cgi_t)
+-corecmd_exec_bin(nagios_cgi_t)
 +allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms;
 +read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)
 +read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)
  
--corecmd_exec_bin(nagios_cgi_t)
+-domain_dontaudit_read_all_domains_state(nagios_cgi_t)
 +allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;
 +read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
 +read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
  
--domain_dontaudit_read_all_domains_state(nagios_cgi_t)
-+kernel_read_system_state(httpd_nagios_script_t)
- 
 -files_read_etc_files(nagios_cgi_t)
 -files_read_etc_runtime_files(nagios_cgi_t)
 -files_read_kernel_symbol_table(nagios_cgi_t)
-+domain_dontaudit_read_all_domains_state(httpd_nagios_script_t)
++kernel_read_system_state(httpd_nagios_script_t)
  
 -logging_send_syslog_msg(nagios_cgi_t)
 -logging_search_logs(nagios_cgi_t)
++domain_dontaudit_read_all_domains_state(httpd_nagios_script_t)
+ 
+-miscfiles_read_localization(nagios_cgi_t)
 +files_read_etc_runtime_files(httpd_nagios_script_t)
 +files_read_kernel_symbol_table(httpd_nagios_script_t)
  
--miscfiles_read_localization(nagios_cgi_t)
--
 -optional_policy(`
 -	apache_append_log(nagios_cgi_t)
 -')
@@ -19699,7 +19785,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
  kernel_read_system_state(nrpe_t)
  kernel_read_kernel_sysctls(nrpe_t)
  
-@@ -183,15 +230,21 @@
+@@ -183,15 +235,21 @@
  dev_read_urand(nrpe_t)
  
  domain_use_interactive_fds(nrpe_t)
@@ -19721,11 +19807,46 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
  userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
  
  optional_policy(`
-@@ -209,3 +262,85 @@
+@@ -209,3 +267,120 @@
  optional_policy(`
  	udev_read_db(nrpe_t)
  ')
 +
++#####################################
++#
++# local policy for admin check plugins 
++#
++
++allow nagios_admin_plugin_t self:capability { setuid setgid dac_override };
++
++allow nagios_admin_plugin_t self:tcp_socket create_stream_socket_perms;
++allow nagios_admin_plugin_t self:udp_socket create_socket_perms;
++
++kernel_read_system_state(nagios_admin_plugin_t)
++kernel_read_kernel_sysctls(nagios_admin_plugin_t)
++
++corecmd_read_bin_files(nagios_admin_plugin_t)
++corecmd_read_bin_symlinks(nagios_admin_plugin_t)
++
++dev_read_urand(nagios_admin_plugin_t)
++
++files_read_etc_files(nagios_admin_plugin_t)
++
++libs_use_lib_files(nagios_admin_plugin_t)
++libs_use_ld_so(nagios_admin_plugin_t)
++
++logging_send_syslog_msg(nagios_admin_plugin_t)
++
++sysnet_read_config(nagios_admin_plugin_t)
++
++nscd_dontaudit_search_pid(nagios_admin_plugin_t)
++
++optional_policy(`
++    mta_read_config(nagios_admin_plugin_t)
++    mta_list_queue(nagios_admin_plugin_t)
++    mta_read_queue(nagios_admin_plugin_t)
++    mta_sendmail_exec(nagios_admin_plugin_t)
++')
 +
 +######################################
 +#
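Review bot: `dac_override` on `nagios_admin_plugin_t` lets the plugin bypass every DAC permission check on the host, which is broad for a domain whose only labelled executable in this patch is check_mailq; if the trigger is reading the mail queue, `dac_read_search` is the narrower capability, so try `allow nagios_admin_plugin_t self:capability { setuid setgid dac_read_search };` and re-test before settling on the wider one. `nscd_dontaudit_search_pid(nagios_admin_plugin_t)` calls into the nscd module unconditionally, which makes the nagios module depend on nscd being present; wrap it in `optional_policy(\`...')` like the mta_* calls below it. Those mta_* lines are also indented with spaces where the rest of the file uses tabs.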
@@ -25433,13 +25554,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.8/policy/modules/services/sendmail.te
 --- nsaserefpolicy/policy/modules/services/sendmail.te	2010-01-11 09:40:36.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/sendmail.te	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/sendmail.te	2010-02-09 08:31:26.000000000 -0500
 @@ -30,7 +30,7 @@
  #
  
  allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config };
 -allow sendmail_t self:process { setrlimit signal signull };
-+allow sendmail_t self:process { setpgid setrlimit signal signull };
++allow sendmail_t self:process { setsched setpgid setrlimit signal signull };
  allow sendmail_t self:fifo_file rw_fifo_file_perms;
  allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
  allow sendmail_t self:unix_dgram_socket create_socket_perms;
@@ -26396,7 +26517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:home_ssh_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.8/policy/modules/services/ssh.if
 --- nsaserefpolicy/policy/modules/services/ssh.if	2010-01-18 15:04:31.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/ssh.if	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/ssh.if	2010-02-10 12:29:40.000000000 -0500
 @@ -36,6 +36,7 @@
  	gen_require(`
  		attribute ssh_server;
@@ -26515,7 +26636,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  ')
  
  ########################################
-@@ -694,6 +706,27 @@
+@@ -386,6 +398,7 @@
+ 	logging_send_syslog_msg($1_ssh_agent_t)
+ 
+ 	miscfiles_read_localization($1_ssh_agent_t)
++	miscfiles_read_certs($1_ssh_agent_t)
+ 
+ 	seutil_dontaudit_read_config($1_ssh_agent_t)
+ 
+@@ -393,6 +406,7 @@
+ 	userdom_use_user_terminals($1_ssh_agent_t)
+ 
+ 	# for the transition back to normal privs upon exec
++	userdom_search_user_home_content($1_ssh_agent_t)
+ 	userdom_user_home_domtrans($1_ssh_agent_t, $3)
+ 	allow $3 $1_ssh_agent_t:fd use;
+ 	allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
+@@ -694,6 +708,27 @@
  	dontaudit $1 sshd_key_t:file { getattr read };
  ')
  
@@ -26545,7 +26682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  ##	Delete from the ssh temp files.
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.8/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2010-01-18 15:04:31.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/ssh.te	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/ssh.te	2010-02-10 13:27:57.000000000 -0500
 @@ -111,9 +111,10 @@
  manage_sock_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
  fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
@@ -26589,15 +26726,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  dev_read_urand(ssh_t)
  
-@@ -172,6 +176,7 @@
+@@ -170,8 +174,10 @@
+ userdom_search_user_home_dirs(ssh_t)
+ # Write to the user domain tty.
  userdom_use_user_terminals(ssh_t)
- # needs to read krb tgt
+-# needs to read krb tgt
++# needs to read krb/write tgt
  userdom_read_user_tmp_files(ssh_t)
++userdom_write_user_tmp_files(ssh_t)
 +userdom_read_user_home_content_symlinks(ssh_t)
  
  tunable_policy(`allow_ssh_keysign',`
  	domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
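Review bot: `userdom_write_user_tmp_files(ssh_t)` grants the ssh client domain write access to every user tmp file, not just the Kerberos ticket cache the comment names, so a compromised ssh client could alter any file a user keeps in /tmp. If a kerberos-specific interface covering the credential cache exists in this tree, prefer it over the generic userdom rule; otherwise a comment should say why the broad grant is required. The comment as written is also garbled and should read `# needs to read/write the krb tgt cache in user tmp`. The ssh_t local policy continues outside the hunk.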
-@@ -282,6 +287,8 @@
+@@ -282,6 +288,8 @@
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
  
@@ -26606,7 +26747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
  manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
  manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
-@@ -298,16 +305,23 @@
+@@ -298,16 +306,23 @@
  corenet_tcp_bind_xserver_port(sshd_t)
  corenet_sendrecv_xserver_server_packets(sshd_t)
  
@@ -26634,7 +26775,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  ')
  
  optional_policy(`
-@@ -315,7 +329,12 @@
+@@ -315,7 +330,12 @@
  ')
  
  optional_policy(`
@@ -26648,7 +26789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  ')
  
  optional_policy(`
-@@ -323,6 +342,10 @@
+@@ -323,6 +343,10 @@
  ')
  
  optional_policy(`
@@ -26659,7 +26800,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  	rpm_use_script_fds(sshd_t)
  ')
  
-@@ -333,10 +356,18 @@
+@@ -333,10 +357,18 @@
  ')
  
  optional_policy(`
@@ -28332,7 +28473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.8/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/xserver.if	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/xserver.if	2010-02-10 12:25:28.000000000 -0500
 @@ -19,7 +19,7 @@
  interface(`xserver_restricted_role',`
  	gen_require(`
@@ -28342,6 +28483,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  		type iceauth_t, iceauth_exec_t, iceauth_home_t;
  		type xauth_t, xauth_exec_t, xauth_home_t;
  	')
+@@ -31,7 +31,7 @@
+ 	allow xserver_t $2:shm rw_shm_perms;
+ 
+ 	domtrans_pattern($2, xserver_exec_t, xserver_t)
+-	allow xserver_t $2:process signal;
++	allow xserver_t $2:process { getpgid signal };
+ 
+ 	allow xserver_t $2:shm rw_shm_perms;
+ 
 @@ -45,6 +45,7 @@
  	manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
  
@@ -28377,15 +28527,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  	# Client read xserver shm
  	allow $2 xserver_t:fd use;
-@@ -96,7 +105,6 @@
+@@ -94,9 +103,9 @@
+ 	dev_rw_usbfs($2)
+ 
  	miscfiles_read_fonts($2)
++	miscfiles_setattr_fonts_cache_dirs($2)
  
  	xserver_common_x_domain_template(user, $2)
 -	xserver_unconfined($2)
  	xserver_xsession_entry_type($2)
  	xserver_dontaudit_write_log($2)
  	xserver_stream_connect_xdm($2)
-@@ -104,6 +112,7 @@
+@@ -104,6 +113,7 @@
  	xserver_read_xdm_pid($2)
  	# gnome-session creates socket under /tmp/.ICE-unix/
  	xserver_create_xdm_tmp_sockets($2)
@@ -28393,7 +28546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	# Needed for escd, remove if we get escd policy
  	xserver_manage_xdm_tmp_files($2)
  
-@@ -162,7 +171,6 @@
+@@ -162,7 +172,6 @@
  	manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
  	relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
  	relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
@@ -28401,7 +28554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  #######################################
-@@ -197,7 +205,7 @@
+@@ -197,7 +206,7 @@
  	allow $1 xserver_t:process signal;
  
  	# Read /tmp/.X0-lock
@@ -28410,7 +28563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  	# Client read xserver shm
  	allow $1 xserver_t:fd use;
-@@ -260,12 +268,12 @@
+@@ -260,12 +269,12 @@
  	allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
  
  	# Read .Xauthority file
@@ -28426,7 +28579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	allow $1 xdm_tmp_t:dir search;
  	allow $1 xdm_tmp_t:sock_file { read write };
  	dontaudit $1 xdm_t:tcp_socket { read write };
-@@ -445,6 +453,7 @@
+@@ -445,6 +454,7 @@
  	xserver_use_user_fonts($2)
  
  	xserver_read_xdm_tmp_files($2)
@@ -28434,7 +28587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  	# X object manager
  	xserver_object_types_template($1)
-@@ -514,6 +523,12 @@
+@@ -514,6 +524,12 @@
  	')
  
  	domtrans_pattern($1, xauth_exec_t, xauth_t)
@@ -28447,7 +28600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  ########################################
-@@ -567,6 +582,7 @@
+@@ -567,6 +583,7 @@
  
  	allow $1 xauth_home_t:file read_file_perms;
  	userdom_search_user_home_dirs($1)
@@ -28455,7 +28608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  ########################################
-@@ -774,7 +790,7 @@
+@@ -774,7 +791,7 @@
  	')
  
  	files_search_pids($1)
@@ -28464,7 +28617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  ########################################
-@@ -1219,3 +1235,329 @@
+@@ -1219,3 +1236,329 @@
  	typeattribute $1 x_domain;
  	typeattribute $1 xserver_unconfined_type;
  ')
@@ -28796,7 +28949,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.8/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/xserver.te	2010-02-08 14:29:02.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/xserver.te	2010-02-09 15:53:37.000000000 -0500
 @@ -36,6 +36,13 @@
  
  ## <desc>
@@ -28959,7 +29112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_files(iceauth_t)
-@@ -250,30 +274,53 @@
+@@ -250,30 +274,55 @@
  	fs_manage_cifs_files(iceauth_t)
  ')
  
@@ -29000,7 +29153,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
 -allow xdm_t xauth_home_t:file manage_file_perms;
 -userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
--
++stream_connect_pattern(xauth_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+ 
  domain_use_interactive_fds(xauth_t)
 +domain_dontaudit_leaks(xauth_t)
  
@@ -29017,7 +29171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  fs_search_auto_mountpoints(xauth_t)
  
  # cjp: why?
-@@ -283,17 +330,35 @@
+@@ -283,17 +332,35 @@
  
  userdom_use_user_terminals(xauth_t)
  userdom_read_user_tmp_files(xauth_t)
@@ -29053,7 +29207,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  optional_policy(`
  	ssh_sigchld(xauth_t)
  	ssh_read_pipes(xauth_t)
-@@ -305,20 +370,31 @@
+@@ -305,20 +372,31 @@
  # XDM Local policy
  #
  
@@ -29088,7 +29242,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  # Allow gdm to run gdm-binary
  can_exec(xdm_t, xdm_exec_t)
-@@ -334,22 +410,40 @@
+@@ -334,22 +412,40 @@
  manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
  files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
@@ -29132,7 +29286,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  allow xdm_t xserver_t:process signal;
  allow xdm_t xserver_t:unix_stream_socket connectto;
-@@ -363,6 +457,7 @@
+@@ -363,6 +459,7 @@
  allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
  
  allow xdm_t xserver_t:shm rw_shm_perms;
@@ -29140,7 +29294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -371,10 +466,14 @@
+@@ -371,10 +468,14 @@
  delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  
@@ -29156,7 +29310,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  kernel_read_system_state(xdm_t)
  kernel_read_kernel_sysctls(xdm_t)
-@@ -394,11 +493,13 @@
+@@ -394,11 +495,13 @@
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -29170,7 +29324,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  dev_read_rand(xdm_t)
  dev_read_sysfs(xdm_t)
  dev_getattr_framebuffer_dev(xdm_t)
-@@ -406,6 +507,7 @@
+@@ -406,6 +509,7 @@
  dev_getattr_mouse_dev(xdm_t)
  dev_setattr_mouse_dev(xdm_t)
  dev_rw_apm_bios(xdm_t)
@@ -29178,7 +29332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  dev_setattr_apm_bios_dev(xdm_t)
  dev_rw_dri(xdm_t)
  dev_rw_agp(xdm_t)
-@@ -414,18 +516,21 @@
+@@ -414,18 +518,21 @@
  dev_getattr_misc_dev(xdm_t)
  dev_setattr_misc_dev(xdm_t)
  dev_dontaudit_rw_misc(xdm_t)
@@ -29203,7 +29357,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -436,9 +541,15 @@
+@@ -436,9 +543,15 @@
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -29219,7 +29373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -447,6 +558,7 @@
+@@ -447,6 +560,7 @@
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -29227,7 +29381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  term_setattr_console(xdm_t)
  term_use_unallocated_ttys(xdm_t)
-@@ -455,6 +567,7 @@
+@@ -455,6 +569,7 @@
  auth_domtrans_pam_console(xdm_t)
  auth_manage_pam_pid(xdm_t)
  auth_manage_pam_console_data(xdm_t)
@@ -29235,7 +29389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  auth_rw_faillog(xdm_t)
  auth_write_login_records(xdm_t)
  
-@@ -465,10 +578,12 @@
+@@ -465,10 +580,12 @@
  
  logging_read_generic_logs(xdm_t)
  
@@ -29250,7 +29404,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -477,6 +592,11 @@
+@@ -477,6 +594,11 @@
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -29262,7 +29416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  xserver_rw_session(xdm_t, xdm_tmpfs_t)
  xserver_unconfined(xdm_t)
-@@ -509,10 +629,12 @@
+@@ -509,10 +631,12 @@
  
  optional_policy(`
  	alsa_domtrans(xdm_t)
@@ -29275,7 +29429,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  optional_policy(`
-@@ -520,12 +642,49 @@
+@@ -520,12 +644,49 @@
  ')
  
  optional_policy(`
@@ -29325,7 +29479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	hostname_exec(xdm_t)
  ')
  
-@@ -543,9 +702,43 @@
+@@ -543,9 +704,43 @@
  ')
  
  optional_policy(`
@@ -29369,7 +29523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  optional_policy(`
  	seutil_sigchld_newrole(xdm_t)
  ')
-@@ -555,8 +748,9 @@
+@@ -555,8 +750,9 @@
  ')
  
  optional_policy(`
@@ -29381,7 +29535,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -565,7 +759,6 @@
+@@ -565,7 +761,6 @@
  	ifdef(`distro_rhel4',`
  		allow xdm_t self:process { execheap execmem };
  	')
@@ -29389,7 +29543,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  optional_policy(`
  	userhelper_dontaudit_search_config(xdm_t)
-@@ -576,6 +769,10 @@
+@@ -576,6 +771,10 @@
  ')
  
  optional_policy(`
@@ -29400,7 +29554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -600,10 +797,9 @@
+@@ -600,10 +799,9 @@
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -29412,7 +29566,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
  allow xserver_t self:sock_file read_sock_file_perms;
-@@ -615,6 +811,18 @@
+@@ -615,6 +813,18 @@
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -29431,7 +29585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -634,12 +842,19 @@
+@@ -634,12 +844,19 @@
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -29453,7 +29607,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -673,7 +888,6 @@
+@@ -673,7 +890,6 @@
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -29461,7 +29615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  dev_create_generic_dirs(xserver_t)
  dev_setattr_generic_dirs(xserver_t)
  # raw memory access is needed if not using the frame buffer
-@@ -683,9 +897,12 @@
+@@ -683,9 +899,12 @@
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -29475,7 +29629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  files_read_etc_files(xserver_t)
  files_read_etc_runtime_files(xserver_t)
-@@ -700,8 +917,12 @@
+@@ -700,8 +919,12 @@
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -29488,7 +29642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -723,6 +944,7 @@
+@@ -723,6 +946,7 @@
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -29496,7 +29650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  modutils_domtrans_insmod(xserver_t)
  
-@@ -779,12 +1001,20 @@
+@@ -779,12 +1003,20 @@
  ')
  
  optional_policy(`
@@ -29518,7 +29672,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -811,7 +1041,7 @@
+@@ -811,7 +1043,7 @@
  allow xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xserver_t xdm_var_lib_t:dir search;
  
@@ -29527,7 +29681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -832,9 +1062,14 @@
+@@ -832,9 +1064,14 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -29542,7 +29696,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
  	fs_manage_nfs_files(xserver_t)
-@@ -849,11 +1084,14 @@
+@@ -849,11 +1086,14 @@
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -29559,7 +29713,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  optional_policy(`
-@@ -1000,17 +1238,32 @@
+@@ -1000,17 +1240,32 @@
  allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
  allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
  
@@ -30034,6 +30188,43 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  ########################################
  #
  # PAM local policy
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.te serefpolicy-3.7.8/policy/modules/system/daemontools.te
+--- nsaserefpolicy/policy/modules/system/daemontools.te	2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.8/policy/modules/system/daemontools.te	2010-02-10 13:04:18.000000000 -0500
+@@ -65,6 +65,8 @@
+ 
+ kernel_read_system_state(svc_run_t)
+ 
++dev_read_urand(svc_run_t)
++
+ corecmd_exec_bin(svc_run_t)
+ corecmd_exec_shell(svc_run_t)
+ 
+@@ -93,10 +95,14 @@
+ 
+ allow svc_start_t self:fifo_file rw_fifo_file_perms;
+ allow svc_start_t self:capability kill;
++allow svc_start_t self:tcp_socket create_stream_socket_perms;
+ allow svc_start_t self:unix_stream_socket create_socket_perms;
+ 
+ can_exec(svc_start_t, svc_start_exec_t)
+ 
++kernel_read_kernel_sysctls(svc_start_t)
++kernel_read_system_state(svc_start_t)
++
+ corecmd_exec_bin(svc_start_t)
+ corecmd_exec_shell(svc_start_t)
+ 
+@@ -105,5 +111,9 @@
+ files_search_var(svc_start_t)
+ files_search_pids(svc_start_t)
+ 
++logging_send_syslog_msg(svc_start_t)
++
++miscfiles_read_localization(svc_start_t)
++
+ daemontools_domtrans_run(svc_start_t)
+ daemontools_manage_svc(svc_start_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.7.8/policy/modules/system/fstools.fc
 --- nsaserefpolicy/policy/modules/system/fstools.fc	2009-11-25 11:47:19.000000000 -0500
 +++ serefpolicy-3.7.8/policy/modules/system/fstools.fc	2010-02-02 10:31:03.000000000 -0500
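Review bot: `allow svc_start_t self:tcp_socket create_stream_socket_perms;` lets the daemontools start domain create TCP sockets, yet no corenet_* bind or connect rule accompanies it in this hunk, so it is unclear what network activity is intended. If the denial came from name resolution, `sysnet_dns_name_resolve(svc_start_t)` is the idiomatic and narrower grant; if a real listener or client is intended, the matching corenet rules and a one-line comment naming the service should go next to it. The svc_start_t policy section continues outside the hunk.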
@@ -30471,7 +30662,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.8/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/init.te	2010-02-08 12:54:27.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/init.te	2010-02-10 15:45:12.000000000 -0500
 @@ -17,6 +17,20 @@
  ## </desc>
  gen_tunable(init_upstart, false)
@@ -30908,13 +31099,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	')
  
  	optional_policy(`
-@@ -515,6 +602,33 @@
+@@ -515,6 +602,34 @@
  	')
  ')
  
 +domain_dontaudit_use_interactive_fds(daemon)
 +
 +userdom_dontaudit_list_admin_dir(daemon)
++userdom_dontaudit_search_user_tmp(daemon)
 +
 +tunable_policy(`allow_daemons_use_tty',`
 +	term_use_unallocated_ttys(daemon)
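Review bot: `userdom_dontaudit_search_user_tmp(daemon)` calls an interface that this patch defines, in the userdomain.if hunk further down (`@@ -2884,6 +3172,25 @@`), under the misspelled name `userdom_dontaduit_search_user_tmp`, so the call and the definition never match and the unexpanded call should fail the policy build. Rename the definition to `interface(`userdom_dontaudit_search_user_tmp',` rather than changing the caller, since the caller's spelling follows the existing userdom_dontaudit_* naming. The same misspelling affects only that one definition; the rest of the new interface body looks consistent with its neighbours.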
@@ -30942,7 +31134,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -567,10 +681,19 @@
+@@ -527,6 +642,8 @@
+ optional_policy(`
+ 	apache_read_config(initrc_t)
+ 	apache_list_modules(initrc_t)
++	# webmin seems to cause this.
++	apache_search_sys_content(daemon)
+ ')
+ 
+ optional_policy(`
+@@ -567,10 +684,19 @@
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
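Review bot: `apache_search_sys_content(daemon)` is applied to the `daemon` attribute, so every daemon domain gains search access on apache's system content to address what the comment attributes to a single program, and `# webmin seems to cause this.` records a guess rather than a requirement. Either narrow the rule to the domain that actually produces the denial, or make the comment state what was observed so the breadth is a deliberate choice. The surrounding `optional_policy(` block otherwise targets `initrc_t`, which makes the attribute-wide grant stand out.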
@@ -30962,7 +31163,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -590,6 +713,10 @@
+@@ -590,6 +716,10 @@
  ')
  
  optional_policy(`
@@ -30973,7 +31174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	dev_read_usbfs(initrc_t)
  
  	# init scripts run /etc/hotplug/usb.rc
-@@ -646,20 +773,20 @@
+@@ -646,20 +776,20 @@
  ')
  
  optional_policy(`
@@ -31000,7 +31201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  optional_policy(`
  	ifdef(`distro_redhat',`
-@@ -668,6 +795,7 @@
+@@ -668,6 +798,7 @@
  
  	mysql_stream_connect(initrc_t)
  	mysql_write_log(initrc_t)
@@ -31008,7 +31209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -700,7 +828,6 @@
+@@ -700,7 +831,6 @@
  ')
  
  optional_policy(`
@@ -31016,7 +31217,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -722,8 +849,6 @@
+@@ -722,8 +852,6 @@
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -31025,7 +31226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -736,13 +861,16 @@
+@@ -736,13 +864,16 @@
  	squid_manage_logs(initrc_t)
  ')
  
@@ -31042,7 +31243,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -751,6 +879,7 @@
+@@ -751,6 +882,7 @@
  
  optional_policy(`
  	udev_rw_db(initrc_t)
@@ -31050,7 +31251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -758,7 +887,17 @@
+@@ -758,7 +890,17 @@
  ')
  
  optional_policy(`
@@ -31068,7 +31269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -768,6 +907,25 @@
+@@ -768,6 +910,25 @@
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -31094,7 +31295,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -793,3 +951,31 @@
+@@ -793,3 +954,31 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -31261,7 +31462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.8/policy/modules/system/ipsec.te
 --- nsaserefpolicy/policy/modules/system/ipsec.te	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/ipsec.te	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/ipsec.te	2010-02-10 12:21:01.000000000 -0500
 @@ -29,9 +29,15 @@
  type ipsec_key_file_t;
  files_type(ipsec_key_file_t)
@@ -31314,23 +31515,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  
 -allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
 -allow ipsec_mgmt_t self:process { signal setrlimit };
-+allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap };
++allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
 +dontaudit ipsec_mgmt_t self:capability sys_tty_config;
-+allow ipsec_mgmt_t self:process { signal setrlimit ptrace };
++allow ipsec_mgmt_t self:process { getsched ptrace setrlimit signal };
  allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
  allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
  allow ipsec_mgmt_t self:udp_socket create_socket_perms;
-@@ -182,6 +195,9 @@
+@@ -182,6 +195,13 @@
  allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
  files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
  
++manage_dirs_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
++manage_files_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
++files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file }) 
++
 +manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t)
 +logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
 +
  allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
  files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
  
-@@ -209,7 +225,6 @@
+@@ -209,7 +229,6 @@
  # whack needs to connect to pluto
  stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
  
@@ -31338,7 +31543,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
  allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
  
-@@ -259,6 +274,7 @@
+@@ -244,11 +263,13 @@
+ domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
+ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
+ 
+-files_read_etc_files(ipsec_mgmt_t)
+-files_exec_etc_files(ipsec_mgmt_t)
+-files_read_etc_runtime_files(ipsec_mgmt_t)
+ files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
+ files_dontaudit_getattr_default_files(ipsec_mgmt_t)
++files_exec_etc_files(ipsec_mgmt_t)
++files_list_tmp(ipsec_mgmt_t)
++files_read_etc_files(ipsec_mgmt_t)
++files_read_etc_runtime_files(ipsec_mgmt_t)
++files_read_usr_files(ipsec_mgmt_t)
+ 
+ fs_getattr_xattr_fs(ipsec_mgmt_t)
+ fs_list_tmpfs(ipsec_mgmt_t)
+@@ -259,6 +280,7 @@
  init_use_script_ptys(ipsec_mgmt_t)
  init_exec_script_files(ipsec_mgmt_t)
  init_use_fds(ipsec_mgmt_t)
@@ -31346,7 +31568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  
  logging_send_syslog_msg(ipsec_mgmt_t)
  
-@@ -323,6 +339,7 @@
+@@ -323,6 +345,7 @@
  
  kernel_read_system_state(racoon_t)
  kernel_read_network_state(racoon_t)
@@ -31354,7 +31576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  
  corecmd_exec_shell(racoon_t)
  corecmd_exec_bin(racoon_t)
-@@ -362,6 +379,8 @@
+@@ -362,6 +385,8 @@
  
  sysnet_exec_ifconfig(racoon_t)
  
@@ -31363,7 +31585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  auth_can_read_shadow_passwords(racoon_t)
  tunable_policy(`racoon_read_shadow',`
  	auth_tunable_read_shadow(racoon_t)
-@@ -380,12 +399,15 @@
+@@ -380,12 +405,15 @@
  read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
  read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
  
@@ -31379,7 +31601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  
  # allow setkey to set the context for ipsec SAs and policy.
  ipsec_setcontext_default_spd(setkey_t)
-@@ -397,3 +419,4 @@
+@@ -397,3 +425,4 @@
  seutil_read_config(setkey_t)
  
  userdom_use_user_terminals(setkey_t)
@@ -32038,7 +32260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.7.8/policy/modules/system/locallogin.te
 --- nsaserefpolicy/policy/modules/system/locallogin.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/locallogin.te	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/locallogin.te	2010-02-09 15:54:03.000000000 -0500
 @@ -33,7 +33,7 @@
  # Local login local policy
  #
@@ -32048,15 +32270,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
  allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow local_login_t self:process { setrlimit setexec };
  allow local_login_t self:fd use;
-@@ -74,6 +74,7 @@
+@@ -74,6 +74,8 @@
  dev_setattr_power_mgmt_dev(local_login_t)
  dev_getattr_sound_dev(local_login_t)
  dev_setattr_sound_dev(local_login_t)
 +dev_rw_generic_usb_dev(local_login_t)
++dev_read_video_dev(local_login_t)
  dev_dontaudit_getattr_apm_bios_dev(local_login_t)
  dev_dontaudit_setattr_apm_bios_dev(local_login_t)
  dev_dontaudit_read_framebuffer(local_login_t)
-@@ -152,6 +153,11 @@
+@@ -152,6 +154,11 @@
  	fs_read_cifs_symlinks(local_login_t)
  ')
  
@@ -32068,7 +32291,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
  optional_policy(`
  	alsa_domtrans(local_login_t)
  ')
-@@ -181,7 +187,7 @@
+@@ -181,7 +188,7 @@
  ')
  
  optional_policy(`
@@ -32077,7 +32300,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
  ')
  
  optional_policy(`
-@@ -198,9 +204,10 @@
+@@ -198,9 +205,10 @@
  # Sulogin local policy
  #
  
@@ -32089,7 +32312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
  allow sulogin_t self:unix_dgram_socket create_socket_perms;
  allow sulogin_t self:unix_stream_socket create_stream_socket_perms;
  allow sulogin_t self:unix_dgram_socket sendto;
-@@ -220,6 +227,7 @@
+@@ -220,6 +228,7 @@
  files_dontaudit_search_isid_type_dirs(sulogin_t)
  
  auth_read_shadow(sulogin_t)
@@ -32097,7 +32320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
  
  init_getpgid_script(sulogin_t)
  
-@@ -233,11 +241,24 @@
+@@ -233,11 +242,24 @@
  userdom_search_user_home_dirs(sulogin_t)
  userdom_use_user_ptys(sulogin_t)
  
@@ -32122,7 +32345,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
  
  ifdef(`sulogin_no_pam', `
  	allow sulogin_t self:capability sys_tty_config;
-@@ -251,11 +272,3 @@
+@@ -251,11 +273,3 @@
  	selinux_compute_relabel_context(sulogin_t)
  	selinux_compute_user_contexts(sulogin_t)
  ')
@@ -32228,8 +32451,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.8/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/logging.te	2010-02-02 10:31:03.000000000 -0500
-@@ -123,10 +123,10 @@
++++ serefpolicy-3.7.8/policy/modules/system/logging.te	2010-02-09 08:53:48.000000000 -0500
+@@ -101,6 +101,7 @@
+ 
+ kernel_read_kernel_sysctls(auditctl_t)
+ kernel_read_proc_symlinks(auditctl_t)
++kernel_setsched(auditctl_t)
+ 
+ domain_read_all_domains_state(auditctl_t)
+ domain_use_interactive_fds(auditctl_t)
+@@ -123,10 +124,10 @@
  
  allow auditd_t self:capability { chown fsetid sys_nice sys_resource };
  dontaudit auditd_t self:capability sys_tty_config;
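Review bot: `kernel_setsched(auditctl_t)` is added with no comment, and a control utility being allowed to change the kernel domain's scheduling is unusual enough that the reason should be recorded next to the rule. If this comes from a specific auditctl option observed in an AVC denial, a one-line comment such as `# auditctl adjusts audit backlog/priority; needs setsched on kernel_t` — worded to match what was actually seen — would make the grant reviewable later.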
@@ -32242,7 +32473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  allow auditd_t self:tcp_socket create_stream_socket_perms;
  
  allow auditd_t auditd_etc_t:dir list_dir_perms;
-@@ -179,6 +179,8 @@
+@@ -179,6 +180,8 @@
  logging_domtrans_dispatcher(auditd_t)
  logging_signal_dispatcher(auditd_t)
  
@@ -32251,7 +32482,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  miscfiles_read_localization(auditd_t)
  
  mls_file_read_all_levels(auditd_t)
-@@ -215,9 +217,9 @@
+@@ -215,9 +218,9 @@
  # audit dispatcher local policy
  #
  
@@ -32264,7 +32495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  allow audisp_t self:unix_stream_socket create_stream_socket_perms;
  allow audisp_t self:unix_dgram_socket create_socket_perms;
  
-@@ -226,13 +228,18 @@
+@@ -226,13 +229,18 @@
  manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
  files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
  
@@ -32284,7 +32515,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  
  logging_send_syslog_msg(audisp_t)
  
-@@ -240,6 +247,14 @@
+@@ -240,6 +248,14 @@
  
  sysnet_dns_name_resolve(audisp_t)
  
@@ -32299,7 +32530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  ########################################
  #
  # Audit remote logger local policy
-@@ -253,11 +268,16 @@
+@@ -253,11 +269,16 @@
  corenet_tcp_sendrecv_generic_node(audisp_remote_t)
  corenet_tcp_connect_audit_port(audisp_remote_t)
  corenet_sendrecv_audit_client_packets(audisp_remote_t)
@@ -32316,7 +32547,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  miscfiles_read_localization(audisp_remote_t)
  
  sysnet_dns_name_resolve(audisp_remote_t)
-@@ -337,7 +357,7 @@
+@@ -337,7 +358,7 @@
  allow syslogd_t self:unix_dgram_socket create_socket_perms;
  allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
  allow syslogd_t self:unix_dgram_socket sendto;
@@ -32325,7 +32556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  allow syslogd_t self:udp_socket create_socket_perms;
  allow syslogd_t self:tcp_socket create_stream_socket_perms;
  
-@@ -461,10 +481,18 @@
+@@ -461,10 +482,18 @@
  ')
  
  optional_policy(`
@@ -32513,7 +32744,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.8/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te	2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/modutils.te	2010-02-08 11:50:22.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/modutils.te	2010-02-09 08:53:16.000000000 -0500
 @@ -19,6 +19,7 @@
  type insmod_exec_t;
  application_domain(insmod_t, insmod_exec_t)
@@ -32717,7 +32948,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.8/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/mount.te	2010-02-05 14:44:10.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/mount.te	2010-02-10 13:39:41.000000000 -0500
 @@ -18,8 +18,15 @@
  init_system_domain(mount_t, mount_exec_t)
  role system_r types mount_t;
@@ -32940,12 +33171,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  ')
  
  ########################################
-@@ -195,5 +281,9 @@
+@@ -195,5 +281,10 @@
  
  optional_policy(`
  	files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
 -	unconfined_domain(unconfined_mount_t)
 +	unconfined_domain_noaudit(unconfined_mount_t)
++	userdom_unpriv_usertype(unconfined, unconfined_mount_t)
 +
 +	rpc_domtrans_rpcd(unconfined_mount_t)
 +	devicekit_dbus_chat_disk(unconfined_mount_t)
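Review bot: `userdom_unpriv_usertype(unconfined, unconfined_mount_t)` attaches user-domain attributes to a domain that the line above already makes `unconfined_domain_noaudit`, so every rule written against those attributes now also reaches `unconfined_mount_t`, and nothing in the hunk says which caller requires mount to be treated as a user type. A comment above the call stating the need, or the denial it resolves, would make the widening deliberate rather than incidental. The enclosing `optional_policy(` block begins before this hunk.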
@@ -33012,7 +33244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 +/etc/share/selinux/mls(/.*)?		gen_context(system_u:object_r:semanage_store_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.7.8/policy/modules/system/selinuxutil.if
 --- nsaserefpolicy/policy/modules/system/selinuxutil.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/selinuxutil.if	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/selinuxutil.if	2010-02-10 13:11:08.000000000 -0500
 @@ -351,6 +351,27 @@
  
  ########################################
@@ -33139,7 +33371,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -1028,6 +1117,33 @@
+@@ -1028,6 +1117,54 @@
  
  ########################################
  ## <summary>
@@ -33170,10 +33402,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 +
 +########################################
 +## <summary>
++##	Full management of the semanage
++##	module store.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`seutil_read_module_store',`
++	gen_require(`
++		type selinux_config_t, semanage_store_t;
++	')
++
++	files_search_etc($1)
++	read_dirs_pattern($1, selinux_config_t, semanage_store_t)
++	read_files_pattern($1, semanage_store_t, semanage_store_t)
++')
++
++########################################
++## <summary>
  ##	Full management of the semanage
  ##	module store.
  ## </summary>
-@@ -1139,3 +1255,194 @@
+@@ -1139,3 +1276,194 @@
  	selinux_dontaudit_get_fs_mount($1)
  	seutil_dontaudit_read_config($1)
  ')
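Review bot: The summary on the new `seutil_read_module_store` interface reads `Full management of the semanage module store.`, which is copied from the interface that follows it and does not describe a read-only interface whose body only calls `read_dirs_pattern` and `read_files_pattern`. Replace the two summary lines with `##	Read the semanage module store.` so generated interface documentation does not overstate what the caller is granted.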
@@ -35051,7 +35304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/userdomain.if	2010-02-05 11:22:50.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/userdomain.if	2010-02-10 15:44:32.000000000 -0500
 @@ -30,8 +30,9 @@
  	')
  
@@ -36704,7 +36957,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2897,7 +3185,43 @@
+@@ -2884,6 +3172,25 @@
+ 
+ ########################################
+ ## <summary>
++##	Dontaudit search user temporary directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_dontaduit_search_user_tmp',`
++	gen_require(`
++		type user_tmp_t;
++	')
++
++	dontaudit $1 user_tmp_t:dir search_dir_perms;
++')
++
++
++########################################
++## <summary>
+ ##	Write all users files in /tmp
+ ## </summary>
+ ## <param name="domain">
+@@ -2897,7 +3204,43 @@
  		type user_tmp_t;
  	')
  
@@ -36749,7 +37028,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2934,6 +3258,7 @@
+@@ -2934,6 +3277,7 @@
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -36757,7 +37036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	kernel_search_proc($1)
  ')
  
-@@ -3064,3 +3389,674 @@
+@@ -3064,3 +3408,674 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -37634,7 +37913,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
  	files_search_mnt(xend_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns.spt serefpolicy-3.7.8/policy/support/misc_patterns.spt
 --- nsaserefpolicy/policy/support/misc_patterns.spt	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/support/misc_patterns.spt	2010-02-05 16:37:16.000000000 -0500
++++ serefpolicy-3.7.8/policy/support/misc_patterns.spt	2010-02-09 09:00:57.000000000 -0500
 @@ -15,7 +15,7 @@
  	domain_transition_pattern($1,$2,$3)