diff --git a/.cvsignore b/.cvsignore
index 7775ff2..faafbf4 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -179,3 +179,4 @@ serefpolicy-3.6.21.tgz
 setroubleshoot-2.2.11.tar.gz
 serefpolicy-3.6.22.tgz
 serefpolicy-3.6.23.tgz
+serefpolicy-3.6.24.tgz
diff --git a/nsadiff b/nsadiff
index 60f70ef..c8f2765 100755
--- a/nsadiff
+++ b/nsadiff
@@ -1 +1 @@
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.6.23 > /tmp/diff
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.6.24 > /tmp/diff
diff --git a/policy-F12.patch b/policy-F12.patch
index 188bdfa..16cfcc8 100644
--- a/policy-F12.patch
+++ b/policy-F12.patch
@@ -1,6 +1,6 @@
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.6.23/config/appconfig-mcs/default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.6.24/config/appconfig-mcs/default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/default_contexts	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/config/appconfig-mcs/default_contexts	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/config/appconfig-mcs/default_contexts	2009-07-28 13:42:18.000000000 -0400
 @@ -1,15 +1,6 @@
 -system_r:crond_t:s0		user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
 -system_r:local_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
@@ -22,15 +22,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
 -user_r:user_su_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
 -user_r:user_sudo_t:s0		sysadm_r:sysadm_t:s0 user_r:user_t:s0
 +system_r:xdm_t:s0		user_r:user_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.6.23/config/appconfig-mcs/failsafe_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.6.24/config/appconfig-mcs/failsafe_context
 --- nsaserefpolicy/config/appconfig-mcs/failsafe_context	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/config/appconfig-mcs/failsafe_context	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/config/appconfig-mcs/failsafe_context	2009-07-28 13:42:18.000000000 -0400
 @@ -1 +1 @@
 -sysadm_r:sysadm_t:s0
 +system_r:unconfined_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.6.23/config/appconfig-mcs/root_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.6.24/config/appconfig-mcs/root_default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/root_default_contexts	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/config/appconfig-mcs/root_default_contexts	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/config/appconfig-mcs/root_default_contexts	2009-07-28 13:42:18.000000000 -0400
 @@ -1,11 +1,7 @@
 -system_r:crond_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
 +system_r:crond_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
@@ -45,9 +45,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
  #
 -#system_r:sshd_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
 +system_r:sshd_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/securetty_types serefpolicy-3.6.23/config/appconfig-mcs/securetty_types
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/securetty_types serefpolicy-3.6.24/config/appconfig-mcs/securetty_types
 --- nsaserefpolicy/config/appconfig-mcs/securetty_types	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/config/appconfig-mcs/securetty_types	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/config/appconfig-mcs/securetty_types	2009-07-28 13:42:18.000000000 -0400
 @@ -1 +1,6 @@
 +auditadm_tty_device_t
 +secadm_tty_device_t
@@ -55,18 +55,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
 +sysadm_tty_device_t
 +unconfined_tty_device_t
  user_tty_device_t
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.6.23/config/appconfig-mcs/seusers
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.6.24/config/appconfig-mcs/seusers
 --- nsaserefpolicy/config/appconfig-mcs/seusers	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/config/appconfig-mcs/seusers	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/config/appconfig-mcs/seusers	2009-07-28 13:42:18.000000000 -0400
 @@ -1,3 +1,3 @@
  system_u:system_u:s0-mcs_systemhigh
 -root:root:s0-mcs_systemhigh
 -__default__:user_u:s0
 +root:unconfined_u:s0-mcs_systemhigh
 +__default__:unconfined_u:s0-mcs_systemhigh
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.6.23/config/appconfig-mcs/staff_u_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.6.24/config/appconfig-mcs/staff_u_default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/config/appconfig-mcs/staff_u_default_contexts	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/config/appconfig-mcs/staff_u_default_contexts	2009-07-28 13:42:18.000000000 -0400
 @@ -1,10 +1,12 @@
  system_r:local_login_t:s0	staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
  system_r:remote_login_t:s0	staff_r:staff_t:s0
@@ -81,9 +81,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
  sysadm_r:sysadm_su_t:s0		sysadm_r:sysadm_t:s0 
  sysadm_r:sysadm_sudo_t:s0	sysadm_r:sysadm_t:s0
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.6.23/config/appconfig-mcs/unconfined_u_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.6.24/config/appconfig-mcs/unconfined_u_default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/config/appconfig-mcs/unconfined_u_default_contexts	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/config/appconfig-mcs/unconfined_u_default_contexts	2009-07-28 13:42:18.000000000 -0400
 @@ -1,4 +1,4 @@
 -system_r:crond_t:s0		unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
 +system_r:crond_t:s0		unconfined_r:unconfined_t:s0
@@ -97,15 +97,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
 +system_r:initrc_su_t:s0		unconfined_r:unconfined_t:s0
 +unconfined_r:unconfined_t:s0	unconfined_r:unconfined_t:s0
  system_r:xdm_t:s0		unconfined_r:unconfined_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.6.23/config/appconfig-mcs/userhelper_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.6.24/config/appconfig-mcs/userhelper_context
 --- nsaserefpolicy/config/appconfig-mcs/userhelper_context	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/config/appconfig-mcs/userhelper_context	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/config/appconfig-mcs/userhelper_context	2009-07-28 13:42:18.000000000 -0400
 @@ -1 +1 @@
 -system_u:sysadm_r:sysadm_t:s0
 +system_u:system_r:unconfined_t:s0	
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.6.23/config/appconfig-mcs/user_u_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.6.24/config/appconfig-mcs/user_u_default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/config/appconfig-mcs/user_u_default_contexts	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/config/appconfig-mcs/user_u_default_contexts	2009-07-28 13:42:18.000000000 -0400
 @@ -1,8 +1,9 @@
  system_r:local_login_t:s0	user_r:user_t:s0
  system_r:remote_login_t:s0	user_r:user_t:s0
@@ -118,20 +118,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
 -
 +system_r:initrc_su_t:s0		user_r:user_t:s0
 +user_r:user_t:s0		user_r:user_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_domain_context serefpolicy-3.6.23/config/appconfig-mcs/virtual_domain_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_domain_context serefpolicy-3.6.24/config/appconfig-mcs/virtual_domain_context
 --- nsaserefpolicy/config/appconfig-mcs/virtual_domain_context	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/config/appconfig-mcs/virtual_domain_context	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/config/appconfig-mcs/virtual_domain_context	2009-07-28 13:42:18.000000000 -0400
 @@ -0,0 +1 @@
 +system_u:system_r:svirt_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_image_context serefpolicy-3.6.23/config/appconfig-mcs/virtual_image_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_image_context serefpolicy-3.6.24/config/appconfig-mcs/virtual_image_context
 --- nsaserefpolicy/config/appconfig-mcs/virtual_image_context	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/config/appconfig-mcs/virtual_image_context	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/config/appconfig-mcs/virtual_image_context	2009-07-28 13:42:18.000000000 -0400
 @@ -0,0 +1,2 @@
 +system_u:object_r:svirt_image_t:s0
 +system_u:object_r:virt_content_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.6.23/config/appconfig-mls/default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.6.24/config/appconfig-mls/default_contexts
 --- nsaserefpolicy/config/appconfig-mls/default_contexts	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/config/appconfig-mls/default_contexts	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/config/appconfig-mls/default_contexts	2009-07-28 13:42:18.000000000 -0400
 @@ -1,15 +1,6 @@
 -system_r:crond_t:s0		user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
 -system_r:local_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
@@ -153,9 +153,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
 -user_r:user_su_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
 -user_r:user_sudo_t:s0		sysadm_r:sysadm_t:s0 user_r:user_t:s0
 +system_r:xdm_t:s0		user_r:user_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/root_default_contexts serefpolicy-3.6.23/config/appconfig-mls/root_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/root_default_contexts serefpolicy-3.6.24/config/appconfig-mls/root_default_contexts
 --- nsaserefpolicy/config/appconfig-mls/root_default_contexts	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/config/appconfig-mls/root_default_contexts	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/config/appconfig-mls/root_default_contexts	2009-07-28 13:42:18.000000000 -0400
 @@ -1,11 +1,11 @@
 -system_r:crond_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
 -system_r:local_login_t:s0	unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
@@ -174,20 +174,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
  #
 -#system_r:sshd_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
 +#system_r:sshd_t:s0		sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_domain_context serefpolicy-3.6.23/config/appconfig-mls/virtual_domain_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_domain_context serefpolicy-3.6.24/config/appconfig-mls/virtual_domain_context
 --- nsaserefpolicy/config/appconfig-mls/virtual_domain_context	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/config/appconfig-mls/virtual_domain_context	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/config/appconfig-mls/virtual_domain_context	2009-07-28 13:42:18.000000000 -0400
 @@ -0,0 +1 @@
 +system_u:system_r:qemu_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_image_context serefpolicy-3.6.23/config/appconfig-mls/virtual_image_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_image_context serefpolicy-3.6.24/config/appconfig-mls/virtual_image_context
 --- nsaserefpolicy/config/appconfig-mls/virtual_image_context	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/config/appconfig-mls/virtual_image_context	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/config/appconfig-mls/virtual_image_context	2009-07-28 13:42:18.000000000 -0400
 @@ -0,0 +1,2 @@
 +system_u:object_r:virt_image_t:s0
 +system_u:object_r:virt_content_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/securetty_types serefpolicy-3.6.23/config/appconfig-standard/securetty_types
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/securetty_types serefpolicy-3.6.24/config/appconfig-standard/securetty_types
 --- nsaserefpolicy/config/appconfig-standard/securetty_types	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/config/appconfig-standard/securetty_types	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/config/appconfig-standard/securetty_types	2009-07-28 13:42:18.000000000 -0400
 @@ -1 +1,6 @@
 +auditadm_tty_device_t
 +secadm_tty_device_t
@@ -195,9 +195,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
 +sysadm_tty_device_t
 +unconfined_tty_device_t
  user_tty_device_t
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.6.23/Makefile
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.6.24/Makefile
 --- nsaserefpolicy/Makefile	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/Makefile	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/Makefile	2009-07-28 13:42:18.000000000 -0400
 @@ -241,7 +241,7 @@
  appdir := $(contextpath)
  user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
@@ -260,9 +260,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Mak
  $(appdir)/%: $(appconf)/%
  	@mkdir -p $(appdir)
  	$(verbose) $(INSTALL) -m 644 $< $@
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.23/policy/global_tunables
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.24/policy/global_tunables
 --- nsaserefpolicy/policy/global_tunables	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/global_tunables	2009-07-27 13:55:41.000000000 -0400
++++ serefpolicy-3.6.24/policy/global_tunables	2009-07-28 13:42:18.000000000 -0400
 @@ -61,15 +61,6 @@
  
  ## <desc>
@@ -298,9 +298,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +## </desc>
 +gen_tunable(mmap_low_allowed, false)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.23/policy/mcs
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.24/policy/mcs
 --- nsaserefpolicy/policy/mcs	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/mcs	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/mcs	2009-07-28 13:42:18.000000000 -0400
 @@ -66,8 +66,8 @@
  #
  # Note that getattr on files is always permitted.
@@ -334,9 +334,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  mlsconstrain process { transition dyntransition }
  	(( h1 dom h2 ) or ( t1 == mcssetcats ));
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.6.23/policy/modules/admin/anaconda.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.6.24/policy/modules/admin/anaconda.te
 --- nsaserefpolicy/policy/modules/admin/anaconda.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/admin/anaconda.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/admin/anaconda.te	2009-07-28 13:42:18.000000000 -0400
 @@ -31,6 +31,7 @@
  modutils_domtrans_insmod(anaconda_t)
  
@@ -345,9 +345,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.6.23/policy/modules/admin/certwatch.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.6.24/policy/modules/admin/certwatch.te
 --- nsaserefpolicy/policy/modules/admin/certwatch.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/admin/certwatch.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/admin/certwatch.te	2009-07-28 13:42:18.000000000 -0400
 @@ -36,6 +36,7 @@
  miscfiles_read_localization(certwatch_t)
  
@@ -356,17 +356,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  optional_policy(`
  	apache_exec_modules(certwatch_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.fc serefpolicy-3.6.23/policy/modules/admin/dmesg.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.fc serefpolicy-3.6.24/policy/modules/admin/dmesg.fc
 --- nsaserefpolicy/policy/modules/admin/dmesg.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/admin/dmesg.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/admin/dmesg.fc	2009-07-28 13:42:18.000000000 -0400
 @@ -1,2 +1,4 @@
  
  /bin/dmesg		--		gen_context(system_u:object_r:dmesg_exec_t,s0)
 +
 +/usr/sbin/mcelog	--		gen_context(system_u:object_r:dmesg_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.6.23/policy/modules/admin/dmesg.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.6.24/policy/modules/admin/dmesg.te
 --- nsaserefpolicy/policy/modules/admin/dmesg.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/admin/dmesg.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/admin/dmesg.te	2009-07-28 13:42:18.000000000 -0400
 @@ -9,6 +9,7 @@
  type dmesg_t;
  type dmesg_exec_t;
@@ -401,9 +401,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # for when /usr is not mounted:
  files_dontaudit_search_isid_type_dirs(dmesg_t)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.6.23/policy/modules/admin/kismet.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.6.24/policy/modules/admin/kismet.if
 --- nsaserefpolicy/policy/modules/admin/kismet.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/admin/kismet.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/admin/kismet.if	2009-07-28 13:42:18.000000000 -0400
 @@ -16,6 +16,7 @@
  	')
  
@@ -412,9 +412,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.23/policy/modules/admin/kismet.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.24/policy/modules/admin/kismet.te
 --- nsaserefpolicy/policy/modules/admin/kismet.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/admin/kismet.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/admin/kismet.te	2009-07-28 13:42:18.000000000 -0400
 @@ -17,6 +17,9 @@
  type kismet_tmp_t;
  files_tmp_file(kismet_tmp_t)
@@ -457,9 +457,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +		networkmanager_dbus_chat(kismet_t)
 +	')
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.23/policy/modules/admin/logrotate.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.24/policy/modules/admin/logrotate.te
 --- nsaserefpolicy/policy/modules/admin/logrotate.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/admin/logrotate.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/admin/logrotate.te	2009-07-28 13:42:18.000000000 -0400
+@@ -32,7 +32,7 @@
+ # Change ownership on log files.
+ allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
+ # for mailx
+-dontaudit logrotate_t self:capability { setuid setgid };
++dontaudit logrotate_t self:capability { setuid setgid sys_ptrace };
+ 
+ allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ 
 @@ -116,8 +116,9 @@
  seutil_dontaudit_read_config(logrotate_t)
  
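Review bot: The logrotate.te section added to the patch puts `sys_ptrace` into `dontaudit logrotate_t self:capability { setuid setgid sys_ptrace };`, but the comment above the rule still reads `# for mailx`, which accounts for setuid/setgid and not for the ptrace capability. A dontaudit rule keeps the denial but drops the AVC record, so anyone investigating logrotate later will not see these events unless dontaudit rules are switched off (for example with `semodule -DB`). I would record the reason next to the rule, along the lines of `# for mailx (setuid setgid); sys_ptrace: <program that triggers the denial>`, with the trigger filled in from the original AVC. The capability stays denied, which matches the `~{ ptrace ... }` exclusion on the `self:process` rule below it.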
@@ -493,29 +502,31 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	slrnpull_manage_spool(logrotate_t)
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.23/policy/modules/admin/logwatch.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.24/policy/modules/admin/logwatch.te
 --- nsaserefpolicy/policy/modules/admin/logwatch.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/admin/logwatch.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/admin/logwatch.te	2009-07-28 13:42:18.000000000 -0400
 @@ -136,4 +136,5 @@
  
  optional_policy(`
  	samba_read_log(logwatch_t)
 +	samba_read_share_files(logwatch_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.6.23/policy/modules/admin/mrtg.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.6.24/policy/modules/admin/mrtg.te
 --- nsaserefpolicy/policy/modules/admin/mrtg.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/admin/mrtg.te	2009-07-23 16:39:09.000000000 -0400
-@@ -116,6 +116,7 @@
++++ serefpolicy-3.6.24/policy/modules/admin/mrtg.te	2009-07-28 13:42:18.000000000 -0400
+@@ -116,6 +116,9 @@
  userdom_use_user_terminals(mrtg_t)
  userdom_dontaudit_read_user_home_content_files(mrtg_t)
  userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
 +userdom_dontaudit_list_admin_dir(mrtg_t)
++
++netutils_domtrans_ping(mrtg_t)
  
  ifdef(`enable_mls',`
  	corenet_udp_sendrecv_lo_if(mrtg_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.23/policy/modules/admin/prelink.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.24/policy/modules/admin/prelink.if
 --- nsaserefpolicy/policy/modules/admin/prelink.if	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/admin/prelink.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/admin/prelink.if	2009-07-28 13:42:18.000000000 -0400
 @@ -140,3 +140,22 @@
  	files_search_var_lib($1)
  	manage_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
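Review bot: In the mrtg.te section, `netutils_domtrans_ping(mrtg_t)` is added as a bare call, whereas the cross-module call visible in the logwatch.te section just above (`samba_read_log(logwatch_t)`) sits inside an `optional_policy` block. If netutils can be built as a loadable module or left out of a build in this tree, the bare call makes mrtg depend on it unconditionally; wrapping the call in its own `optional_policy` block, as the samba calls are, would avoid that. The transition itself looks like the right choice, since ping then runs in its own domain instead of mrtg_t needing raw-socket access. A short comment saying which mrtg feature runs ping would also help, as the rest of mrtg.te lies outside this hunk.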
@@ -539,88 +550,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	files_search_var_lib($1)
 +	relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.fc serefpolicy-3.6.23/policy/modules/admin/readahead.fc
---- nsaserefpolicy/policy/modules/admin/readahead.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/admin/readahead.fc	2009-07-23 16:39:09.000000000 -0400
-@@ -1,3 +1,5 @@
--/etc/readahead.d(/.*)?		gen_context(system_u:object_r:readahead_etc_rw_t,s0)
-+/usr/sbin/readahead.*	--	gen_context(system_u:object_r:readahead_exec_t,s0)
-+/sbin/readahead.*	--	gen_context(system_u:object_r:readahead_exec_t,s0)
-+
-+/var/lib/readahead(/.*)?	gen_context(system_u:object_r:readahead_var_lib_t,s0)
- 
--/usr/sbin/readahead	--	gen_context(system_u:object_r:readahead_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.23/policy/modules/admin/readahead.te
---- nsaserefpolicy/policy/modules/admin/readahead.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/admin/readahead.te	2009-07-23 16:39:09.000000000 -0400
-@@ -11,8 +11,8 @@
- init_daemon_domain(readahead_t, readahead_exec_t)
- application_domain(readahead_t, readahead_exec_t)
- 
--type readahead_etc_rw_t;
--files_pid_file(readahead_etc_rw_t)
-+type readahead_var_lib_t;
-+files_type(readahead_var_lib_t)
- 
- type readahead_var_run_t;
- files_pid_file(readahead_var_run_t)
-@@ -23,15 +23,17 @@
- #
- 
- allow readahead_t self:capability { fowner dac_override dac_read_search };
--dontaudit readahead_t self:capability sys_tty_config;
--allow readahead_t self:process signal_perms;
-+dontaudit readahead_t self:capability { net_admin sys_tty_config };
-+allow readahead_t self:process { setsched signal_perms };
- 
--manage_files_pattern(readahead_t, readahead_etc_rw_t, readahead_etc_rw_t)
-+files_search_var_lib(readahead_t)
-+manage_dirs_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
-+manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
- 
- manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
- files_pid_filetrans(readahead_t, readahead_var_run_t, file)
- 
--kernel_read_kernel_sysctls(readahead_t)
-+kernel_read_all_sysctls(readahead_t)
- kernel_read_system_state(readahead_t)
- kernel_dontaudit_getattr_core_if(readahead_t)
- 
-@@ -46,10 +48,15 @@
- storage_raw_read_fixed_disk(readahead_t)
- 
- domain_use_interactive_fds(readahead_t)
-+domain_read_all_domains_state(readahead_t)
- 
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.24/policy/modules/admin/readahead.te
+--- nsaserefpolicy/policy/modules/admin/readahead.te	2009-07-28 13:28:33.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/admin/readahead.te	2009-07-28 13:42:18.000000000 -0400
+@@ -54,7 +54,10 @@
  files_dontaudit_getattr_all_sockets(readahead_t)
  files_list_non_security(readahead_t)
  files_read_non_security_files(readahead_t)
 +files_dontaudit_read_security_files(readahead_t)
 +files_dontaudit_getattr_non_security_blk_files(readahead_t)
-+files_create_boot_flag(readahead_t)
+ files_create_boot_flag(readahead_t)
 +files_getattr_all_pipes(readahead_t)
  
  fs_getattr_all_fs(readahead_t)
  fs_search_auto_mountpoints(readahead_t)
-@@ -58,6 +65,7 @@
- fs_dontaudit_search_ramfs(readahead_t)
- fs_dontaudit_read_ramfs_pipes(readahead_t)
- fs_dontaudit_read_ramfs_files(readahead_t)
-+fs_dontaudit_use_tmpfs_chr_dev(readahead_t)
- fs_read_tmpfs_symlinks(readahead_t)
- fs_list_inotifyfs(readahead_t)
- 
-@@ -72,6 +80,7 @@
- init_getattr_initctl(readahead_t)
- 
- logging_send_syslog_msg(readahead_t)
-+logging_set_audit_parameters(readahead_t)
- logging_dontaudit_search_audit_config(readahead_t)
- 
- miscfiles_read_localization(readahead_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.23/policy/modules/admin/rpm.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.24/policy/modules/admin/rpm.fc
 --- nsaserefpolicy/policy/modules/admin/rpm.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/admin/rpm.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/admin/rpm.fc	2009-07-28 13:42:18.000000000 -0400
 @@ -4,14 +4,12 @@
  
  /usr/bin/yum 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -662,9 +608,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # SuSE
  ifdef(`distro_suse', `
  /usr/bin/online_update		--	gen_context(system_u:object_r:rpm_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.23/policy/modules/admin/rpm.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.24/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/admin/rpm.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/admin/rpm.if	2009-07-28 13:42:18.000000000 -0400
 @@ -66,6 +66,11 @@
  	rpm_domtrans($1)
  	role $2 types rpm_t;
@@ -1023,9 +969,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	allow $1 rpm_t:process signull;
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.23/policy/modules/admin/rpm.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.24/policy/modules/admin/rpm.te
 --- nsaserefpolicy/policy/modules/admin/rpm.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/admin/rpm.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/admin/rpm.te	2009-07-28 13:42:18.000000000 -0400
 @@ -9,6 +9,8 @@
  type rpm_t;
  type rpm_exec_t;
@@ -1257,69 +1203,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	optional_policy(`
  		java_domtrans_unconfined(rpm_script_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.23/policy/modules/admin/sudo.if
---- nsaserefpolicy/policy/modules/admin/sudo.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/admin/sudo.if	2009-07-23 16:39:09.000000000 -0400
-@@ -32,6 +32,7 @@
- 
- 	gen_require(`
- 		type sudo_exec_t;
-+		attribute sudodomain;
- 	')
- 
- 	##############################
-@@ -39,7 +40,7 @@
- 	# Declarations
- 	#
- 
--	type $1_sudo_t; 
-+	type $1_sudo_t, sudodomain; 
- 	application_domain($1_sudo_t, sudo_exec_t)
- 	domain_interactive_fd($1_sudo_t)
- 	ubac_constrained($1_sudo_t)
-@@ -51,7 +52,7 @@
- 	#
- 
- 	# Use capabilities.
--	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource };
-+	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
- 	allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- 	allow $1_sudo_t self:process { setexec setrlimit };
- 	allow $1_sudo_t self:fd use;
-@@ -64,33 +65,37 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.24/policy/modules/admin/sudo.if
+--- nsaserefpolicy/policy/modules/admin/sudo.if	2009-07-28 13:28:33.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/admin/sudo.if	2009-07-28 13:52:41.000000000 -0400
+@@ -66,8 +66,8 @@
  	allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
  	allow $1_sudo_t self:unix_dgram_socket sendto;
  	allow $1_sudo_t self:unix_stream_socket connectto;
--	allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
+-
+ 	allow $1_sudo_t $3:key search;
 +	allow $1_sudo_t self:key manage_key_perms;
-+	allow $1_sudo_t $1_t:key search;
  
  	# Enter this derived domain from the user domain
  	domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
- 
- 	# By default, revert to the calling domain when a shell is executed.
- 	corecmd_shell_domtrans($1_sudo_t, $3)
-+	corecmd_bin_domtrans($1_sudo_t, $3)
- 	allow $3 $1_sudo_t:fd use;
- 	allow $3 $1_sudo_t:fifo_file rw_file_perms;
- 	allow $3 $1_sudo_t:process sigchld;
- 
- 	kernel_read_kernel_sysctls($1_sudo_t)
- 	kernel_read_system_state($1_sudo_t)
--	kernel_search_key($1_sudo_t)
-+	kernel_link_key($1_sudo_t)
- 
- 	dev_read_urand($1_sudo_t)
-+	dev_rw_generic_usb_dev($1_sudo_t)
-+	dev_read_sysfs($1_sudo_t)
- 
- 	fs_search_auto_mountpoints($1_sudo_t)
- 	fs_getattr_xattr_fs($1_sudo_t)
- 
--	auth_domtrans_chk_passwd($1_sudo_t)
-+	auth_run_chk_passwd($1_sudo_t, $2)
- 	# sudo stores a token in the pam_pid directory
- 	auth_manage_pam_pid($1_sudo_t)
+@@ -102,7 +102,7 @@
  	auth_use_nsswitch($1_sudo_t)
  
  	corecmd_read_bin_symlinks($1_sudo_t)
@@ -1328,127 +1225,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	domain_use_interactive_fds($1_sudo_t)
  	domain_sigchld_interactive_fds($1_sudo_t)
-@@ -102,9 +107,11 @@
- 	files_getattr_usr_files($1_sudo_t)
- 	# for some PAM modules and for cwd
- 	files_dontaudit_search_home($1_sudo_t)
-+	files_list_tmp($1_sudo_t)
- 
- 	init_rw_utmp($1_sudo_t)
- 
-+	logging_send_audit_msgs($1_sudo_t)
- 	logging_send_syslog_msg($1_sudo_t)
- 
- 	miscfiles_read_localization($1_sudo_t)
-@@ -114,6 +121,54 @@
+@@ -132,9 +132,11 @@
  	userdom_manage_user_tmp_files($1_sudo_t)
  	userdom_manage_user_tmp_symlinks($1_sudo_t)
  	userdom_use_user_terminals($1_sudo_t)
-+
-+	mta_role($2, $1_sudo_t)
-+
-+	tunable_policy(`use_nfs_home_dirs',`
-+		fs_manage_nfs_files($1_sudo_t)
-+	')
-+
-+	tunable_policy(`use_samba_home_dirs',`
-+		fs_manage_cifs_files($1_sudo_t)
-+	')
-+
+-	userdom_use_user_terminals($1_sudo_t)
  	# for some PAM modules and for cwd
  	userdom_dontaudit_search_user_home_content($1_sudo_t)
 +	userdom_manage_all_users_keys($1_sudo_t)
 +
-+	domain_role_change_exemption($1_sudo_t)
-+	userdom_spec_domtrans_all_users($1_sudo_t)
-+
-+	selinux_validate_context($1_sudo_t)
-+	selinux_compute_relabel_context($1_sudo_t)
-+	selinux_getattr_fs($1_sudo_t)
-+	seutil_read_config($1_sudo_t)
-+	seutil_search_default_contexts($1_sudo_t)
-+
-+	userdom_use_user_terminals($1_sudo_t)
-+	term_relabel_all_user_ttys($1_sudo_t)
-+	term_relabel_all_user_ptys($1_sudo_t)
-+	
-+	optional_policy(`
-+		dbus_system_bus_client($1_sudo_t)
-+	')
- ')
-+
-+########################################
-+## <summary>
-+##	Send a SIGCHLD signal to the sudo domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`sudo_sigchld',`
-+	gen_require(`
-+		attribute sudodomain;
-+	')
-+
-+	allow $1 sudodomain:process sigchld;
-+')
-+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.te serefpolicy-3.6.23/policy/modules/admin/sudo.te
---- nsaserefpolicy/policy/modules/admin/sudo.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/admin/sudo.te	2009-07-23 16:39:09.000000000 -0400
-@@ -4,6 +4,7 @@
- ########################################
- #
- # Declarations
-+attribute sudodomain;
- 
- type sudo_exec_t;
- application_executable_file(sudo_exec_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.6.23/policy/modules/admin/tmpreaper.te
---- nsaserefpolicy/policy/modules/admin/tmpreaper.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/admin/tmpreaper.te	2009-07-23 16:39:09.000000000 -0400
-@@ -28,6 +28,9 @@
- files_purge_tmp(tmpreaper_t)
- # why does it need setattr?
- files_setattr_all_tmp_dirs(tmpreaper_t)
-+files_getattr_lost_found_dirs(tmpreaper_t)
-+files_getattr_all_dirs(tmpreaper_t)
-+files_getattr_all_files(tmpreaper_t)
- 
- mls_file_read_all_levels(tmpreaper_t)
- mls_file_write_all_levels(tmpreaper_t)
-@@ -39,6 +42,26 @@
++	mta_role($2, $1_sudo_t)
  
- cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
+ 	tunable_policy(`use_nfs_home_dirs',`
+ 		fs_manage_nfs_files($1_sudo_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.6.24/policy/modules/admin/tmpreaper.te
+--- nsaserefpolicy/policy/modules/admin/tmpreaper.te	2009-07-28 13:28:33.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/admin/tmpreaper.te	2009-07-28 13:54:33.000000000 -0400
+@@ -52,6 +52,10 @@
+ ')
  
-+userdom_delete_user_home_content_dirs(tmpreaper_t)
-+userdom_delete_user_home_content_files(tmpreaper_t)
-+userdom_delete_user_home_content_symlinks(tmpreaper_t)
-+
-+optional_policy(`
-+	amavis_manage_spool_files(tmpreaper_t)
-+')
-+
-+optional_policy(`
+ optional_policy(`
 +	apache_delete_sys_content_rw(tmpreaper_t)
 +')
 +
 +optional_policy(`
-+	kismet_manage_log(tmpreaper_t)
-+')
-+
- optional_policy(`
- 	lpd_manage_spool(tmpreaper_t)
+ 	kismet_manage_log(tmpreaper_t)
  ')
-+
-+optional_policy(`
-+	unconfined_domain(tmpreaper_t)
-+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.23/policy/modules/admin/usermanage.te
+ 
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.24/policy/modules/admin/usermanage.te
 --- nsaserefpolicy/policy/modules/admin/usermanage.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/admin/usermanage.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/admin/usermanage.te	2009-07-28 13:42:18.000000000 -0400
 @@ -209,6 +209,7 @@
  files_manage_etc_files(groupadd_t)
  files_relabel_etc_files(groupadd_t)
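Review bot: The rebased sudo.if hunk at `@@ -132,9 +132,11 @@` keeps `userdom_manage_all_users_keys($1_sudo_t)` with no comment of its own; the `# for some PAM modules and for cwd` line above it describes the `userdom_dontaudit_search_user_home_content` call. Judging by the interface name, this lets every derived sudo domain manage the keys of all user domains, whereas the upstream context in the previous hunk grants only `allow $1_sudo_t $3:key search;` on the calling domain. Either state the reason next to the call, e.g. `# <component that needs this — placeholder>: manage keys of all user domains`, or check whether access limited to `$3` is enough. The template body starts and ends outside this hunk, so other key rules may exist that are not visible here.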
@@ -1486,9 +1292,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	rpm_use_fds(useradd_t)
  	rpm_rw_pipes(useradd_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.6.23/policy/modules/admin/vbetool.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.6.24/policy/modules/admin/vbetool.te
 --- nsaserefpolicy/policy/modules/admin/vbetool.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/admin/vbetool.te	2009-07-27 13:54:52.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/admin/vbetool.te	2009-07-28 13:42:18.000000000 -0400
 @@ -23,7 +23,11 @@
  dev_rwx_zero(vbetool_t)
  dev_read_sysfs(vbetool_t)
@@ -1511,9 +1317,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	xserver_write_pid(vbetool_t)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.6.23/policy/modules/apps/awstats.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.6.24/policy/modules/apps/awstats.te
 --- nsaserefpolicy/policy/modules/apps/awstats.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/apps/awstats.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/awstats.te	2009-07-28 13:42:18.000000000 -0400
 @@ -51,6 +51,8 @@
  
  libs_read_lib_files(awstats_t)
@@ -1523,75 +1329,38 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  miscfiles_read_localization(awstats_t)
  
  sysnet_dns_name_resolve(awstats_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.fc serefpolicy-3.6.23/policy/modules/apps/cpufreqselector.fc
---- nsaserefpolicy/policy/modules/apps/cpufreqselector.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/apps/cpufreqselector.fc	2009-07-23 16:39:09.000000000 -0400
-@@ -0,0 +1 @@
-+/usr/bin/cpufreq-selector       --      gen_context(system_u:object_r:cpufreqselector_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.if serefpolicy-3.6.23/policy/modules/apps/cpufreqselector.if
---- nsaserefpolicy/policy/modules/apps/cpufreqselector.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/apps/cpufreqselector.if	2009-07-23 16:39:09.000000000 -0400
-@@ -0,0 +1,2 @@
-+## <summary>cpufreq-selector policy</summary>
-+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.6.23/policy/modules/apps/cpufreqselector.te
---- nsaserefpolicy/policy/modules/apps/cpufreqselector.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/apps/cpufreqselector.te	2009-07-23 16:39:09.000000000 -0400
-@@ -0,0 +1,43 @@
-+policy_module(cpufreqselector,1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type cpufreqselector_t;
-+type cpufreqselector_exec_t;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.6.24/policy/modules/apps/cpufreqselector.te
+--- nsaserefpolicy/policy/modules/apps/cpufreqselector.te	2009-07-28 13:28:33.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/cpufreqselector.te	2009-07-28 13:57:37.000000000 -0400
+@@ -8,7 +8,8 @@
+ 
+ type cpufreqselector_t;
+ type cpufreqselector_exec_t;
+-application_domain(cpufreqselector_t, cpufreqselector_exec_t)
 +
 +dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
-+
-+########################################
-+#
-+# cpufreq-selector local policy
-+#
-+
-+allow cpufreqselector_t self:capability { sys_nice sys_ptrace };
-+allow cpufreqselector_t self:fifo_file rw_fifo_file_perms;
-+
-+files_read_etc_files(cpufreqselector_t)
-+files_read_usr_files(cpufreqselector_t)
-+
-+corecmd_search_bin(cpufreqselector_t)
-+
-+dev_rw_sysfs(cpufreqselector_t)
-+
-+userdom_read_all_users_state(cpufreqselector_t)
-+
-+nscd_dontaudit_search_pid(cpufreqselector_t)
-+
-+optional_policy(`
-+        consolekit_dbus_chat(cpufreqselector_t)
-+')
-+
-+optional_policy(`
+ 
+ ########################################
+ #
+@@ -36,6 +37,7 @@
+ ')
+ 
+ optional_policy(`
 +        policykit_dbus_chat(cpufreqselector_t)
-+	policykit_domtrans_auth(cpufreqselector_t)
-+	policykit_read_lib(cpufreqselector_t)
-+	policykit_read_reload(cpufreqselector_t)
-+')
-+
-+permissive cpufreqselector_t;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.fc serefpolicy-3.6.23/policy/modules/apps/gitosis.fc
+ 	policykit_domtrans_auth(cpufreqselector_t)
+ 	policykit_read_lib(cpufreqselector_t)
+ 	policykit_read_reload(cpufreqselector_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.fc serefpolicy-3.6.24/policy/modules/apps/gitosis.fc
 --- nsaserefpolicy/policy/modules/apps/gitosis.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/apps/gitosis.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/gitosis.fc	2009-07-28 13:42:18.000000000 -0400
 @@ -0,0 +1,4 @@
 +
 +/usr/bin/gitosis-serve			--        gen_context(system_u:object_r:gitosis_exec_t,s0)
 +
 +/var/lib/gitosis(/.*)?                            gen_context(system_u:object_r:gitosis_var_lib_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.6.23/policy/modules/apps/gitosis.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.6.24/policy/modules/apps/gitosis.if
 --- nsaserefpolicy/policy/modules/apps/gitosis.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/apps/gitosis.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/gitosis.if	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,96 @@
 +## <summary>gitosis interface</summary>
 +
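Review bot: The inner hunk at `@@ -8,7 +8,8 @@` replaces `application_domain(cpufreqselector_t, cpufreqselector_exec_t)` with `dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)` and gives no reason, so a reader cannot tell whether direct execution from user domains is meant to stop working. A one-line comment above the call would settle it, e.g. `# entered via the system bus; no longer a user application domain` (wording to be confirmed by the author). In the second inner hunk, `policykit_dbus_chat(cpufreqselector_t)` is indented with eight spaces while the three `policykit_*` calls after it use a tab; it should use a tab as well. The rest of cpufreqselector.te lies outside the hunk.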
@@ -1689,9 +1458,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +        manage_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
 +	manage_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.te serefpolicy-3.6.23/policy/modules/apps/gitosis.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.te serefpolicy-3.6.24/policy/modules/apps/gitosis.te
 --- nsaserefpolicy/policy/modules/apps/gitosis.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/apps/gitosis.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/gitosis.te	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,43 @@
 +policy_module(gitosis,1.0.0)
 +
@@ -1736,9 +1505,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
 +	ssh_rw_pipes(gitosis_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.23/policy/modules/apps/gnome.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.24/policy/modules/apps/gnome.fc
 --- nsaserefpolicy/policy/modules/apps/gnome.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/apps/gnome.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/gnome.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -1,8 +1,16 @@
 -HOME_DIR/\.config/gtk-.*	gen_context(system_u:object_r:gnome_home_t,s0)
 +HOME_DIR/\.config(/.*)?		gen_context(system_u:object_r:gnome_home_t,s0)
@@ -1758,9 +1527,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/libexec/gconf-defaults-mechanism	    	--      gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0)
 +
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.23/policy/modules/apps/gnome.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.24/policy/modules/apps/gnome.if
 --- nsaserefpolicy/policy/modules/apps/gnome.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/apps/gnome.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/gnome.if	2009-07-28 13:42:19.000000000 -0400
 @@ -89,5 +89,175 @@
  
  	allow $1 gnome_home_t:dir manage_dir_perms;
@@ -1937,9 +1706,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	# Connect to pulseaudit server
 +	stream_connect_pattern($1, gnome_home_t, gnome_home_t, $2)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.23/policy/modules/apps/gnome.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.24/policy/modules/apps/gnome.te
 --- nsaserefpolicy/policy/modules/apps/gnome.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/apps/gnome.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/gnome.te	2009-07-28 13:42:19.000000000 -0400
 @@ -9,16 +9,18 @@
  attribute gnomedomain;
  
@@ -2068,9 +1837,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +permissive gnomesystemmm_t;
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.23/policy/modules/apps/gpg.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.24/policy/modules/apps/gpg.te
 --- nsaserefpolicy/policy/modules/apps/gpg.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/apps/gpg.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/gpg.te	2009-07-28 13:42:19.000000000 -0400
 @@ -159,6 +159,19 @@
  	xserver_rw_xdm_pipes(gpg_t)
  ')
@@ -2098,9 +1867,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -	xserver_stream_connect(gpg_pinentry_t)
 +	xserver_common_app(gpg_pinentry_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.6.23/policy/modules/apps/java.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.6.24/policy/modules/apps/java.fc
 --- nsaserefpolicy/policy/modules/apps/java.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/apps/java.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/java.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -2,15 +2,16 @@
  # /opt
  #
@@ -2135,9 +1904,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +/usr/bin/octave-[^/]*  	--	gen_context(system_u:object_r:java_exec_t,s0)
 +/usr/lib/opera(/.*)?/opera	--	gen_context(system_u:object_r:java_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.23/policy/modules/apps/java.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.24/policy/modules/apps/java.if
 --- nsaserefpolicy/policy/modules/apps/java.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/apps/java.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/java.if	2009-07-28 13:42:19.000000000 -0400
 @@ -30,6 +30,7 @@
  
  	allow java_t $2:unix_stream_socket connectto;
@@ -2278,9 +2047,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +		xserver_role($1_r, $1_java_t)
 +	')
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.23/policy/modules/apps/java.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.24/policy/modules/apps/java.te
 --- nsaserefpolicy/policy/modules/apps/java.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/apps/java.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/java.te	2009-07-28 13:42:19.000000000 -0400
 @@ -20,6 +20,8 @@
  typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t };
  typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
@@ -2343,15 +2112,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	')
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.6.23/policy/modules/apps/livecd.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.6.24/policy/modules/apps/livecd.fc
 --- nsaserefpolicy/policy/modules/apps/livecd.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/apps/livecd.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/livecd.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,2 @@
 +
 +/usr/bin/livecd-creator	--	gen_context(system_u:object_r:livecd_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.6.23/policy/modules/apps/livecd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.6.24/policy/modules/apps/livecd.if
 --- nsaserefpolicy/policy/modules/apps/livecd.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/apps/livecd.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/livecd.if	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,50 @@
 +
 +## <summary>policy for livecd</summary>
@@ -2403,9 +2172,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	seutil_run_setfiles_mac(livecd_t, $2)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.6.23/policy/modules/apps/livecd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.6.24/policy/modules/apps/livecd.te
 --- nsaserefpolicy/policy/modules/apps/livecd.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/apps/livecd.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/livecd.te	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,26 @@
 +policy_module(livecd, 1.0.0)
 +
@@ -2433,9 +2202,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +seutil_domtrans_setfiles_mac(livecd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.23/policy/modules/apps/mono.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.24/policy/modules/apps/mono.if
 --- nsaserefpolicy/policy/modules/apps/mono.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/apps/mono.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/mono.if	2009-07-28 13:42:19.000000000 -0400
 @@ -21,6 +21,105 @@
  
  ########################################
@@ -2551,9 +2320,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  
  	corecmd_search_bin($1)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.6.23/policy/modules/apps/mono.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.6.24/policy/modules/apps/mono.te
 --- nsaserefpolicy/policy/modules/apps/mono.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/apps/mono.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/mono.te	2009-07-28 13:42:19.000000000 -0400
 @@ -15,7 +15,7 @@
  # Local policy
  #
@@ -2577,26 +2346,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
 +	xserver_rw_shm(mono_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.6.23/policy/modules/apps/mozilla.fc
---- nsaserefpolicy/policy/modules/apps/mozilla.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/apps/mozilla.fc	2009-07-23 16:39:09.000000000 -0400
-@@ -17,7 +17,6 @@
- #
- # /etc
- #
--/etc/mozpluggerrc 		--	gen_context(system_u:object_r:mozilla_conf_t,s0)
- 
- #
- # /lib
-@@ -29,3 +28,5 @@
- /usr/lib(64)?/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
- /usr/lib(64)?/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
- /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-+/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-+/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.23/policy/modules/apps/mozilla.if
---- nsaserefpolicy/policy/modules/apps/mozilla.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/apps/mozilla.if	2009-07-23 16:39:09.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.24/policy/modules/apps/mozilla.if
+--- nsaserefpolicy/policy/modules/apps/mozilla.if	2009-07-28 13:28:33.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/mozilla.if	2009-07-28 13:42:19.000000000 -0400
 @@ -45,6 +45,18 @@
  	relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
  	relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
@@ -2624,18 +2376,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	userdom_search_user_home_dirs($1)
  ')
  
-@@ -83,7 +96,7 @@
- 	')
- 
- 	allow $1 mozilla_home_t:dir list_dir_perms;
--	allow $1 mozilla_home_t:file write;
-+	allow $1 mozilla_home_t:file write_file_perms;
- 	userdom_search_user_home_dirs($1)
- ')
- 
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.23/policy/modules/apps/mozilla.te
---- nsaserefpolicy/policy/modules/apps/mozilla.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/apps/mozilla.te	2009-07-23 16:39:09.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.24/policy/modules/apps/mozilla.te
+--- nsaserefpolicy/policy/modules/apps/mozilla.te	2009-07-28 13:28:33.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/mozilla.te	2009-07-28 13:42:19.000000000 -0400
 @@ -59,6 +59,7 @@
  manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
  manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
@@ -2652,15 +2395,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  corenet_sendrecv_http_client_packets(mozilla_t)
  corenet_sendrecv_http_cache_client_packets(mozilla_t)
  corenet_sendrecv_ftp_client_packets(mozilla_t)
-@@ -105,6 +107,7 @@
- # Should not need other ports
- corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
- corenet_dontaudit_tcp_bind_generic_port(mozilla_t)
-+corenet_tcp_connect_speech_port(mozilla_t)
- 
- dev_read_urand(mozilla_t)
- dev_read_rand(mozilla_t)
-@@ -113,6 +116,8 @@
+@@ -114,6 +116,8 @@
  dev_dontaudit_rw_dri(mozilla_t)
  dev_getattr_sysfs_dirs(mozilla_t)
  
@@ -2669,7 +2404,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  files_read_etc_runtime_files(mozilla_t)
  files_read_usr_files(mozilla_t)
  files_read_etc_files(mozilla_t)
-@@ -128,6 +133,7 @@
+@@ -129,6 +133,7 @@
  fs_rw_tmpfs_files(mozilla_t)
  
  term_dontaudit_getattr_pty_dirs(mozilla_t)
@@ -2677,7 +2412,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  logging_send_syslog_msg(mozilla_t)
  
-@@ -137,12 +143,7 @@
+@@ -138,12 +143,7 @@
  # Browse the web, connect to printer
  sysnet_dns_name_resolve(mozilla_t)
  
@@ -2691,7 +2426,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
  xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
-@@ -230,10 +231,15 @@
+@@ -231,11 +231,15 @@
  optional_policy(`
  	dbus_system_bus_client(mozilla_t)
  	dbus_session_bus_client(mozilla_t)
@@ -2702,12 +2437,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  optional_policy(`
  	gnome_stream_connect_gconf(mozilla_t)
-+	gnome_manage_config(mozilla_t)
+ 	gnome_manage_config(mozilla_t)
 +	gnome_manage_gconf_home_files(mozilla_t)
  ')
  
  optional_policy(`
-@@ -254,5 +260,10 @@
+@@ -256,5 +260,10 @@
  ')
  
  optional_policy(`
@@ -2718,9 +2453,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
  	thunderbird_domtrans(mozilla_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.6.23/policy/modules/apps/nsplugin.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.6.24/policy/modules/apps/nsplugin.fc
 --- nsaserefpolicy/policy/modules/apps/nsplugin.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/apps/nsplugin.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/nsplugin.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,12 @@
 +HOME_DIR/\.adobe(/.*)?			gen_context(system_u:object_r:nsplugin_home_t,s0)
 +HOME_DIR/\.macromedia(/.*)?		gen_context(system_u:object_r:nsplugin_home_t,s0)
@@ -2734,9 +2469,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/lib(64)?/nspluginwrapper/npviewer.bin	--	gen_context(system_u:object_r:nsplugin_exec_t,s0)
 +/usr/lib(64)?/nspluginwrapper/plugin-config	--	gen_context(system_u:object_r:nsplugin_config_exec_t,s0)
 +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)?			gen_context(system_u:object_r:nsplugin_rw_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.23/policy/modules/apps/nsplugin.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.24/policy/modules/apps/nsplugin.if
 --- nsaserefpolicy/policy/modules/apps/nsplugin.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/apps/nsplugin.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/nsplugin.if	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,313 @@
 +
 +## <summary>policy for nsplugin</summary>
@@ -3051,9 +2786,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms; 
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.23/policy/modules/apps/nsplugin.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.24/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/apps/nsplugin.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/nsplugin.te	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,287 @@
 +
 +policy_module(nsplugin, 1.0.0)
@@ -3342,16 +3077,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.6.23/policy/modules/apps/openoffice.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.6.24/policy/modules/apps/openoffice.fc
 --- nsaserefpolicy/policy/modules/apps/openoffice.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/apps/openoffice.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/openoffice.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,3 @@
 +/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
 +/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.6.23/policy/modules/apps/openoffice.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.6.24/policy/modules/apps/openoffice.if
 --- nsaserefpolicy/policy/modules/apps/openoffice.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/apps/openoffice.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/openoffice.if	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,93 @@
 +## <summary>Openoffice</summary>
 +
@@ -3446,9 +3181,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +		xserver_common_x_domain_template($1, $1_openoffice_t)
 +	')
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.6.23/policy/modules/apps/openoffice.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.6.24/policy/modules/apps/openoffice.te
 --- nsaserefpolicy/policy/modules/apps/openoffice.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/apps/openoffice.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/openoffice.te	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,14 @@
 +
 +policy_module(openoffice, 1.0.0)
@@ -3464,18 +3199,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.23/policy/modules/apps/qemu.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.24/policy/modules/apps/qemu.fc
 --- nsaserefpolicy/policy/modules/apps/qemu.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/apps/qemu.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/qemu.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -1,2 +1,3 @@
 -/usr/bin/qemu	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 -/usr/bin/qemu-kvm --	gen_context(system_u:object_r:qemu_exec_t,s0)
 +/usr/bin/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 +/usr/libexec/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.6.23/policy/modules/apps/qemu.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.6.24/policy/modules/apps/qemu.if
 --- nsaserefpolicy/policy/modules/apps/qemu.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/apps/qemu.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/qemu.if	2009-07-28 13:42:19.000000000 -0400
 @@ -40,6 +40,93 @@
  
  	qemu_domtrans($1)
@@ -3782,9 +3517,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -	')
 +	manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.23/policy/modules/apps/qemu.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.24/policy/modules/apps/qemu.te
 --- nsaserefpolicy/policy/modules/apps/qemu.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/apps/qemu.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/qemu.te	2009-07-28 13:42:19.000000000 -0400
 @@ -13,28 +13,97 @@
  ## </desc>
  gen_tunable(qemu_full_network, false)
@@ -3901,23 +3636,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	role unconfined_r types qemu_unconfined_t;
  	allow qemu_unconfined_t self:process { execstack execmem };
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.6.23/policy/modules/apps/sambagui.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.6.24/policy/modules/apps/sambagui.fc
 --- nsaserefpolicy/policy/modules/apps/sambagui.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/apps/sambagui.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/sambagui.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,4 @@
 +/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0)
 +
 +
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.6.23/policy/modules/apps/sambagui.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.6.24/policy/modules/apps/sambagui.if
 --- nsaserefpolicy/policy/modules/apps/sambagui.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/apps/sambagui.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/sambagui.if	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,2 @@
 +## <summary>system-config-samba policy</summary>
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.23/policy/modules/apps/sambagui.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.24/policy/modules/apps/sambagui.te
 --- nsaserefpolicy/policy/modules/apps/sambagui.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/apps/sambagui.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/sambagui.te	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,57 @@
 +policy_module(sambagui,1.0.0)
 +
@@ -3976,14 +3711,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +permissive sambagui_t;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.6.23/policy/modules/apps/sandbox.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.6.24/policy/modules/apps/sandbox.fc
 --- nsaserefpolicy/policy/modules/apps/sandbox.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/apps/sandbox.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/sandbox.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1 @@
 +# No types are sandbox_exec_t
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.23/policy/modules/apps/sandbox.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.24/policy/modules/apps/sandbox.if
 --- nsaserefpolicy/policy/modules/apps/sandbox.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/apps/sandbox.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/sandbox.if	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,145 @@
 +
 +## <summary>policy for sandbox</summary>
@@ -4130,9 +3865,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.23/policy/modules/apps/sandbox.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.24/policy/modules/apps/sandbox.te
 --- nsaserefpolicy/policy/modules/apps/sandbox.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/apps/sandbox.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/sandbox.te	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,274 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
@@ -4408,9 +4143,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
 +	hal_dbus_chat(sandbox_net_client_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.23/policy/modules/apps/screen.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.24/policy/modules/apps/screen.if
 --- nsaserefpolicy/policy/modules/apps/screen.if	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/apps/screen.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/screen.if	2009-07-28 13:42:19.000000000 -0400
 @@ -157,3 +157,24 @@
  		nscd_socket_use($1_screen_t)
  	')
@@ -4436,9 +4171,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +         manage_lnk_files_pattern($1,screen_var_run_t,screen_var_run_t)
 +         manage_fifo_files_pattern($1,screen_var_run_t,screen_var_run_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.6.23/policy/modules/apps/vmware.fc
---- nsaserefpolicy/policy/modules/apps/vmware.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/apps/vmware.fc	2009-07-23 16:39:09.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.6.24/policy/modules/apps/vmware.fc
+--- nsaserefpolicy/policy/modules/apps/vmware.fc	2009-07-28 13:28:33.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/vmware.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -18,6 +18,7 @@
  /usr/bin/vmnet-natd		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
  /usr/bin/vmnet-netifup		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
@@ -4447,108 +4182,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /usr/bin/vmware-nmbd		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
  /usr/bin/vmware-ping		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
  /usr/bin/vmware-smbd		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
-@@ -63,6 +64,7 @@
- ')
- 
- /var/log/vmware.* 		--	gen_context(system_u:object_r:vmware_log_t,s0)
-+/var/log/vnetlib.*		--	gen_context(system_u:object_r:vmware_log_t,s0)
- 
- /var/run/vmnat.* 		-s	gen_context(system_u:object_r:vmware_var_run_t,s0)
- /var/run/vmware.* 			gen_context(system_u:object_r:vmware_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.23/policy/modules/apps/vmware.te
---- nsaserefpolicy/policy/modules/apps/vmware.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/apps/vmware.te	2009-07-23 16:39:09.000000000 -0400
-@@ -29,6 +29,10 @@
- type vmware_host_exec_t;
- init_daemon_domain(vmware_host_t, vmware_host_exec_t)
- 
-+ifdef(`enable_mcs',`
-+	init_ranged_daemon_domain(vmware_host_t,vmware_host_exec_t,s0 - mcs_systemhigh)
-+')
-+
- type vmware_host_pid_t alias vmware_var_run_t;
- files_pid_file(vmware_host_pid_t)
- 
-@@ -65,9 +69,9 @@
- # VMWare host local policy
- #
- 
--allow vmware_host_t self:capability { setgid setuid net_raw };
-+allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override };
- dontaudit vmware_host_t self:capability sys_tty_config;
--allow vmware_host_t self:process signal_perms;
-+allow vmware_host_t self:process { execstack execmem signal_perms };
- allow vmware_host_t self:fifo_file rw_fifo_file_perms;
- allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
- allow vmware_host_t self:rawip_socket create_socket_perms;
-@@ -84,8 +88,9 @@
- logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir })
- 
- kernel_read_kernel_sysctls(vmware_host_t)
--kernel_list_proc(vmware_host_t)
--kernel_read_proc_symlinks(vmware_host_t)
-+kernel_read_system_state(vmware_host_t)
-+
-+libs_exec_ld_so(vmware_host_t)
- 
- corenet_all_recvfrom_unlabeled(vmware_host_t)
- corenet_all_recvfrom_netlabel(vmware_host_t)
-@@ -104,13 +109,20 @@
- corenet_sendrecv_all_client_packets(vmware_host_t)
- corenet_sendrecv_all_server_packets(vmware_host_t)
- 
-+corecmd_exec_bin(vmware_host_t)
-+corecmd_exec_shell(vmware_host_t)
-+
-+dev_getattr_all_blk_files(vmware_host_t)
- dev_read_sysfs(vmware_host_t)
- dev_read_urand(vmware_host_t)
- dev_rw_vmware(vmware_host_t)
- 
- domain_use_interactive_fds(vmware_host_t)
-+domain_dontaudit_read_all_domains_state(vmware_host_t)
- 
-+files_list_tmp(vmware_host_t)
- files_read_etc_files(vmware_host_t)
-+files_read_etc_runtime_files(vmware_host_t)
- 
- fs_getattr_all_fs(vmware_host_t)
- fs_search_auto_mountpoints(vmware_host_t)
-@@ -126,6 +138,8 @@
- 
- sysnet_dns_name_resolve(vmware_host_t)
- 
-+storage_getattr_fixed_disk_dev(vmware_host_t)
-+
- userdom_dontaudit_use_unpriv_user_fds(vmware_host_t)
- userdom_dontaudit_search_user_home_dirs(vmware_host_t)
- 
-@@ -140,6 +154,13 @@
- 	udev_read_db(vmware_host_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.24/policy/modules/apps/vmware.te
+--- nsaserefpolicy/policy/modules/apps/vmware.te	2009-07-28 13:28:33.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/vmware.te	2009-07-28 13:42:19.000000000 -0400
+@@ -157,8 +157,10 @@
+ optional_policy(`
+ 	xserver_read_tmp_files(vmware_host_t)
+ 	xserver_read_xdm_pid(vmware_host_t)
++        xserver_common_app(vmware_host_t)
  ')
  
-+optional_policy(`
-+	xserver_read_tmp_files(vmware_host_t)
-+	xserver_read_xdm_pid(vmware_host_t)
-+        xserver_common_app(vmware_host_t)
-+')
-+
 +
  ifdef(`TODO',`
  # VMWare need access to pcmcia devices for network
  optional_policy(`
-@@ -226,7 +247,7 @@
- files_read_usr_files(vmware_t)
- files_list_home(vmware_t)
- 
--fs_getattr_xattr_fs(vmware_t)
-+fs_getattr_all_fs(vmware_t)
- fs_search_auto_mountpoints(vmware_t)
- 
- storage_raw_read_removable_device(vmware_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-3.6.23/policy/modules/apps/webalizer.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-3.6.24/policy/modules/apps/webalizer.te
 --- nsaserefpolicy/policy/modules/apps/webalizer.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/apps/webalizer.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/webalizer.te	2009-07-28 13:42:19.000000000 -0400
 @@ -69,7 +69,6 @@
  fs_search_auto_mountpoints(webalizer_t)
  fs_getattr_xattr_fs(webalizer_t)
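Review bot: The one rule this patch still carries for vmware.te, `xserver_common_app(vmware_host_t)` in the inner `@@ -157,8 +157,10 @@` hunk, is indented with eight spaces where the neighbouring `xserver_read_tmp_files` and `xserver_read_xdm_pid` lines use a tab, and nothing says why the host daemon domain needs it. The other vmware changes have left the patch, presumably because the base tree (now dated 2009-07-28) already contains them, so this is the only local widening of vmware_host_t that remains. I would re-indent it with a tab and put a comment above it such as `# <why vmware_host_t needs xserver_common_app; bug reference>`. The same hunk also adds a second blank line after the closing `')`, which can be dropped. What xserver_common_app grants is not visible on this page, so confirm it is no broader than the daemon requires.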
@@ -4557,9 +4207,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  files_read_etc_files(webalizer_t)
  files_read_etc_runtime_files(webalizer_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.6.23/policy/modules/apps/wine.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.6.24/policy/modules/apps/wine.fc
 --- nsaserefpolicy/policy/modules/apps/wine.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/apps/wine.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/wine.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -1,4 +1,21 @@
 -/usr/bin/wine			--	gen_context(system_u:object_r:wine_exec_t,s0)
 +/usr/bin/wine.*			--	gen_context(system_u:object_r:wine_exec_t,s0)
@@ -4585,9 +4235,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
 -/opt/cxoffice/bin/wine		--	gen_context(system_u:object_r:wine_exec_t,s0)
 -/opt/picasa/wine/bin/wine	--	gen_context(system_u:object_r:wine_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.23/policy/modules/apps/wine.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.24/policy/modules/apps/wine.if
 --- nsaserefpolicy/policy/modules/apps/wine.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/apps/wine.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/wine.if	2009-07-28 13:42:19.000000000 -0400
 @@ -43,3 +43,63 @@
  	wine_domtrans($1)
  	role $2 types wine_t;
@@ -4652,9 +4302,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	relabel_lnk_files_pattern($2, wine_home_t, wine_home_t)
 +
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.23/policy/modules/apps/wine.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.24/policy/modules/apps/wine.te
 --- nsaserefpolicy/policy/modules/apps/wine.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/apps/wine.te	2009-07-27 13:54:28.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/apps/wine.te	2009-07-28 13:42:19.000000000 -0400
 @@ -9,20 +9,35 @@
  type wine_t;
  type wine_exec_t;
@@ -4695,141 +4345,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +        xserver_common_app(wine_t)
 +	xserver_rw_shm(wine_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.fc serefpolicy-3.6.23/policy/modules/apps/wm.fc
---- nsaserefpolicy/policy/modules/apps/wm.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/apps/wm.fc	2009-07-23 16:39:09.000000000 -0400
-@@ -0,0 +1,3 @@
-+/usr/bin/twm		--	gen_context(system_u:object_r:wm_exec_t,s0)
-+/usr/bin/openbox	--	gen_context(system_u:object_r:wm_exec_t,s0)
-+/usr/bin/metacity	--	gen_context(system_u:object_r:wm_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.6.23/policy/modules/apps/wm.if
---- nsaserefpolicy/policy/modules/apps/wm.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/apps/wm.if	2009-07-23 16:39:09.000000000 -0400
-@@ -0,0 +1,108 @@
-+## <summary>Window Manager.</summary>
-+
-+########################################
-+## <summary>
-+##	Execute the wm program in the wm domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`wm_exec',`
-+	gen_require(`
-+		type wm_exec_t;
-+	')
-+
-+	can_exec($1, wm_exec_t)
-+')
-+
-+#######################################
-+## <summary>
-+##	The role template for the wm module.
-+## </summary>
-+## <desc>
-+##	<p>
-+##	This template creates a derived domains which are used
-+##	for wm applications.
-+##	</p>
-+## </desc>
-+## <param name="role_prefix">
-+##	<summary>
-+##	The prefix of the user domain (e.g., user
-+##	is the prefix for user_t).
-+##	</summary>
-+## </param>
-+## <param name="user_role">
-+##	<summary>
-+##	The role associated with the user domain.
-+##	</summary>
-+## </param>
-+## <param name="user_domain">
-+##	<summary>
-+##	The type of the user domain.
-+##	</summary>
-+## </param>
-+#
-+template(`wm_role_template',`
-+	gen_require(`
-+		type wm_exec_t;
-+	')
-+
-+	type $1_wm_t;
-+	domain_type($1_wm_t)
-+	domain_entry_file($1_wm_t, wm_exec_t)
-+	role $2 types $1_wm_t;
-+
-+	domtrans_pattern($3, wm_exec_t, $1_wm_t)
-+
-+	corecmd_bin_domtrans($1_wm_t, $1_t)
-+	corecmd_shell_domtrans($1_wm_t, $1_t)
-+
-+	ifdef(`enable_mls',`
-+		mls_file_read_all_levels($1_wm_t)
-+		mls_file_write_all_levels($1_wm_t)
-+		mls_xwin_read_all_levels($1_wm_t)
-+		mls_xwin_write_all_levels($1_wm_t)
-+		mls_fd_use_all_levels($1_wm_t)
-+	')
-+
-+	files_read_etc_files($1_wm_t)
-+	files_read_usr_files($1_wm_t)
-+
-+	miscfiles_read_fonts($1_wm_t)
-+	miscfiles_read_localization($1_wm_t)
-+
-+	optional_policy(`
-+		gnome_read_config($1_wm_t)
-+		gnome_read_gconf_config($1_wm_t)
-+	')
-+
-+	auth_use_nsswitch($1_wm_t)
-+
-+	kernel_read_system_state($1_wm_t)
-+
-+	allow $1_wm_t self:fifo_file rw_fifo_file_perms;
-+	allow $1_wm_t self:process getsched;
-+	allow $1_wm_t self:shm create_shm_perms;
-+
-+	allow $1_wm_t $1_t:unix_stream_socket connectto;
-+
-+	optional_policy(`
-+		dbus_system_bus_client($1_wm_t)
-+	')
-+
-+	userdom_unpriv_usertype($1, $1_wm_t)
-+
-+	userdom_manage_home_role($1_r, $1_wm_t)
-+	userdom_manage_tmpfs_role($1_r, $1_wm_t)
-+	userdom_manage_tmp_role($1_r, $1_wm_t)
-+
-+	dev_read_urand($1_wm_t)
-+
-+	optional_policy(`
-+		xserver_role($1_r, $1_wm_t)
-+		xserver_use_xdm($1_wm_t)
-+	')
-+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.te serefpolicy-3.6.23/policy/modules/apps/wm.te
---- nsaserefpolicy/policy/modules/apps/wm.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/apps/wm.te	2009-07-23 16:39:09.000000000 -0400
-@@ -0,0 +1,9 @@
-+policy_module(wm,0.0.4)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type wm_exec_t;
-+corecmd_executable_file(wm_exec_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.23/policy/modules/kernel/corecommands.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.24/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/kernel/corecommands.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/kernel/corecommands.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -139,6 +139,9 @@
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -4862,9 +4380,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/lib(64)?/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
 +
 +/usr/lib(64)?/gimp/.*/plug-ins(/.*)?  gen_context(system_u:object_r:bin_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.23/policy/modules/kernel/corecommands.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.24/policy/modules/kernel/corecommands.if
 --- nsaserefpolicy/policy/modules/kernel/corecommands.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/kernel/corecommands.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/kernel/corecommands.if	2009-07-28 13:42:19.000000000 -0400
 @@ -893,6 +893,7 @@
  
  	read_lnk_files_pattern($1, bin_t, bin_t)
@@ -4873,9 +4391,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.23/policy/modules/kernel/corenetwork.te.in
---- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/kernel/corenetwork.te.in	2009-07-23 16:39:09.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.24/policy/modules/kernel/corenetwork.te.in
+--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2009-07-28 13:28:33.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/kernel/corenetwork.te.in	2009-07-28 13:42:19.000000000 -0400
 @@ -65,6 +65,7 @@
  type server_packet_t, packet_type, server_packet_type;
  
@@ -4884,15 +4402,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
  network_port(afs_ka, udp,7004,s0)
  network_port(afs_pt, udp,7002,s0)
-@@ -87,16 +88,21 @@
+@@ -87,17 +88,21 @@
  network_port(comsat, udp,512,s0)
  network_port(cvs, tcp,2401,s0, udp,2401,s0)
  network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0)
 +portcon tcp 6780-6799 gen_context(system_u:object_r:cyphesis_port_t, s0)
  network_port(dbskkd, tcp,1178,s0)
  network_port(dcc, udp,6276,s0, udp,6277,s0)
+ network_port(dccm, tcp,5679,s0, udp,5679,s0)
 -network_port(dhcpc, udp,68,s0)
-+network_port(dccm, tcp,5679,s0, udp,5679,s0)
 +network_port(dhcpc, udp,68,s0, tcp,68,s0)
  network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
  network_port(dict, tcp,2628,s0)
@@ -4907,7 +4425,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
  network_port(giftd, tcp,1213,s0)
  network_port(gopher, tcp,70,s0, udp,70,s0)
-@@ -105,6 +111,7 @@
+@@ -106,6 +111,7 @@
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
  network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
  network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
@@ -4915,7 +4433,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  network_port(i18n_input, tcp,9010,s0)
  network_port(imaze, tcp,5323,s0, udp,5323,s0)
  network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
-@@ -127,7 +134,7 @@
+@@ -128,7 +134,7 @@
  network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
  network_port(lmtp, tcp,24,s0, udp,24,s0)
  type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
@@ -4924,7 +4442,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  network_port(memcache, tcp,11211,s0, udp,11211,s0)
  network_port(mmcc, tcp,5050,s0, udp,5050,s0)
  network_port(monopd, tcp,1234,s0)
-@@ -145,6 +152,12 @@
+@@ -146,6 +152,12 @@
  network_port(pegasus_https, tcp,5989,s0)
  network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
  network_port(pingd, tcp,9125,s0)
@@ -4937,7 +4455,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
  network_port(portmap, udp,111,s0, tcp,111,s0)
  network_port(postfix_policyd, tcp,10031,s0)
-@@ -171,26 +184,31 @@
+@@ -172,27 +184,31 @@
  network_port(sap, tcp,9875,s0, udp,9875,s0)
  network_port(smbd, tcp,137-139,s0, tcp,445,s0)
  network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
@@ -4946,7 +4464,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
  network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
  network_port(spamd, tcp,783,s0)
-+network_port(speech, tcp,8036,s0)
+ network_port(speech, tcp,8036,s0)
  network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
  network_port(ssh, tcp,22,s0)
 +network_port(streaming, tcp, 1755, s0, udp, 1755, s0)
@@ -4972,7 +4490,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  network_port(xdmcp, udp,177,s0, tcp,177,s0)
  network_port(xen, tcp,8002,s0)
  network_port(xfs, tcp,7100,s0)
-@@ -219,6 +237,8 @@
+@@ -221,6 +237,8 @@
  type node_t, node_type;
  sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh)
  
@@ -4981,9 +4499,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # network_node examples:
  #network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255)
  #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.23/policy/modules/kernel/devices.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.24/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/kernel/devices.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/kernel/devices.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -47,8 +47,10 @@
  /dev/kmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
  /dev/kmsg		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
@@ -4995,9 +4513,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /dev/lircm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/logibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.23/policy/modules/kernel/devices.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.24/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/kernel/devices.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/kernel/devices.if	2009-07-28 13:42:19.000000000 -0400
 @@ -1655,6 +1655,78 @@
  
  ########################################
@@ -5165,9 +4683,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Read and write to the null device (/dev/null).
  ## </summary>
  ## <param name="domain">
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.23/policy/modules/kernel/devices.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.24/policy/modules/kernel/devices.te
 --- nsaserefpolicy/policy/modules/kernel/devices.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/kernel/devices.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/kernel/devices.te	2009-07-28 13:42:19.000000000 -0400
 @@ -84,6 +84,13 @@
  dev_node(kmsg_device_t)
  
@@ -5195,9 +4713,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # Type for /dev/mapper/control
  #
  type lvm_control_t;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.23/policy/modules/kernel/domain.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.24/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/kernel/domain.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/kernel/domain.if	2009-07-28 13:42:19.000000000 -0400
 @@ -44,34 +44,6 @@
  interface(`domain_type',`
  	# start with basic domain
@@ -5378,9 +4896,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	allow $1 unconfined_domain_type:process signal;
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.23/policy/modules/kernel/domain.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.24/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/kernel/domain.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/kernel/domain.te	2009-07-28 13:42:19.000000000 -0400
 @@ -5,6 +5,13 @@
  #
  # Declarations
@@ -5528,9 +5046,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	userdom_relabelto_user_home_dirs(polydomain)
 +	userdom_relabelto_user_home_files(polydomain)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.23/policy/modules/kernel/files.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.24/policy/modules/kernel/files.fc
 --- nsaserefpolicy/policy/modules/kernel/files.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/kernel/files.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/kernel/files.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -5,10 +5,11 @@
  /.*				gen_context(system_u:object_r:default_t,s0)
  /			-d	gen_context(system_u:object_r:root_t,s0)
@@ -5561,9 +5079,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /var/lib(/.*)?			gen_context(system_u:object_r:var_lib_t,s0)
  
  /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.23/policy/modules/kernel/files.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.24/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/kernel/files.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/kernel/files.if	2009-07-28 13:42:19.000000000 -0400
 @@ -110,6 +110,11 @@
  ## </param>
  #
@@ -5936,9 +5454,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	')
 +	allow $1 file_type:file entrypoint;
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.23/policy/modules/kernel/files.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.24/policy/modules/kernel/files.te
 --- nsaserefpolicy/policy/modules/kernel/files.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/kernel/files.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/kernel/files.te	2009-07-28 13:42:19.000000000 -0400
 @@ -52,7 +52,9 @@
  #
  # etc_t is the type of the system etc directories.
@@ -5950,15 +5468,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  files_type(etc_t)
  # compatibility aliases for removed types:
  typealias etc_t alias automount_etc_t;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.6.23/policy/modules/kernel/filesystem.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.6.24/policy/modules/kernel/filesystem.fc
 --- nsaserefpolicy/policy/modules/kernel/filesystem.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/kernel/filesystem.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/kernel/filesystem.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -1 +1 @@
 -# This module currently does not have any file contexts.
 +/dev/shm		-d	gen_context(system_u:object_r:tmpfs_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.23/policy/modules/kernel/filesystem.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.24/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/kernel/filesystem.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/kernel/filesystem.if	2009-07-28 13:42:19.000000000 -0400
 @@ -3971,3 +3971,23 @@
  	relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
  	relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
@@ -5983,9 +5501,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	dontaudit $1 cifs_t:dir list_dir_perms;
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.23/policy/modules/kernel/kernel.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.24/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/kernel/kernel.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/kernel/kernel.if	2009-07-28 13:42:19.000000000 -0400
 @@ -1807,7 +1807,7 @@
  	')
  
@@ -6044,9 +5562,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	allow $1 kernel_t:unix_stream_socket connectto;
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.23/policy/modules/kernel/kernel.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.24/policy/modules/kernel/kernel.te
 --- nsaserefpolicy/policy/modules/kernel/kernel.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/kernel/kernel.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/kernel/kernel.te	2009-07-28 13:42:19.000000000 -0400
 @@ -63,6 +63,15 @@
  genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
  
@@ -6130,9 +5648,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +files_boot(kernel_t)
 +
 +permissive kernel_t;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.23/policy/modules/kernel/selinux.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.24/policy/modules/kernel/selinux.if
 --- nsaserefpolicy/policy/modules/kernel/selinux.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/kernel/selinux.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/kernel/selinux.if	2009-07-28 13:42:19.000000000 -0400
 @@ -40,7 +40,7 @@
  
  	# because of this statement, any module which
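Review bot: The kernel.te section carried into the 3.6.24 rebase still ends with `permissive kernel_t;` (the context line just above the selinux.if header), so denials for kernel_t are logged but not enforced. Nothing visible in this hunk says whether that is intentional; if it is a temporary aid while the kernel_t rules are reworked, the patched file should say so next to the statement, for example `# kernel_t left permissive for <reason>; remove before release`. Otherwise the line should be dropped from the patch so that kernel_t is enforced again. This hunk itself changes only the selinux.if path and timestamp, and the kernel.te section it closes starts outside the hunk.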
@@ -6190,9 +5708,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	fs_type($1)
 +	mls_trusted_object($1)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.6.23/policy/modules/kernel/storage.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.6.24/policy/modules/kernel/storage.fc
 --- nsaserefpolicy/policy/modules/kernel/storage.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/kernel/storage.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/kernel/storage.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -57,7 +57,7 @@
  
  /dev/cciss/[^/]*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@@ -6202,9 +5720,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /dev/floppy/[^/]*	-b	gen_context(system_u:object_r:removable_device_t,s0)
  
  /dev/i2o/hd[^/]*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.6.23/policy/modules/kernel/terminal.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.6.24/policy/modules/kernel/terminal.fc
 --- nsaserefpolicy/policy/modules/kernel/terminal.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/kernel/terminal.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/kernel/terminal.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -13,6 +13,7 @@
  /dev/ip2[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
  /dev/isdn.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
@@ -6213,9 +5731,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /dev/rfcomm[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
  /dev/slamr[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
  /dev/tty		-c	gen_context(system_u:object_r:devtty_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.23/policy/modules/kernel/terminal.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.24/policy/modules/kernel/terminal.if
 --- nsaserefpolicy/policy/modules/kernel/terminal.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/kernel/terminal.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/kernel/terminal.if	2009-07-28 13:42:19.000000000 -0400
 @@ -173,7 +173,7 @@
  
  	dev_list_all_dev_nodes($1)
@@ -6287,9 +5805,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
  ## <summary>
  ##	Read and write the controlling
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.23/policy/modules/roles/guest.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.24/policy/modules/roles/guest.te
 --- nsaserefpolicy/policy/modules/roles/guest.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/roles/guest.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/roles/guest.te	2009-07-28 13:42:19.000000000 -0400
 @@ -16,7 +16,11 @@
  #
  
@@ -6304,9 +5822,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +gen_user(guest_u, user, guest_r, s0, s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.23/policy/modules/roles/staff.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.24/policy/modules/roles/staff.te
 --- nsaserefpolicy/policy/modules/roles/staff.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/roles/staff.te	2009-07-23 17:28:40.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/roles/staff.te	2009-07-28 13:42:19.000000000 -0400
 @@ -15,156 +15,105 @@
  # Local policy
  #
@@ -6500,9 +6018,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -optional_policy(`
 -	xserver_role(staff_r, staff_t)
 -')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.23/policy/modules/roles/sysadm.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.24/policy/modules/roles/sysadm.te
 --- nsaserefpolicy/policy/modules/roles/sysadm.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/roles/sysadm.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/roles/sysadm.te	2009-07-28 13:42:19.000000000 -0400
 @@ -15,7 +15,7 @@
  
  role sysadm_r;
@@ -6800,9 +6318,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +init_script_role_transition(sysadm_r)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.23/policy/modules/roles/unconfineduser.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.24/policy/modules/roles/unconfineduser.fc
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/roles/unconfineduser.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/roles/unconfineduser.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,37 @@
 +# Add programs here which should not be confined by SELinux
 +# e.g.:
@@ -6841,9 +6359,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +/opt/real/(.*/)?realplay\.bin --	gen_context(system_u:object_r:execmem_exec_t,s0)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.6.23/policy/modules/roles/unconfineduser.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.6.24/policy/modules/roles/unconfineduser.if
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/roles/unconfineduser.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/roles/unconfineduser.if	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,638 @@
 +## <summary>Unconfiend user role</summary>
 +
@@ -7483,9 +7001,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	allow $1 unconfined_r;
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.23/policy/modules/roles/unconfineduser.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.24/policy/modules/roles/unconfineduser.te
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/roles/unconfineduser.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/roles/unconfineduser.te	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,410 @@
 +policy_module(unconfineduser, 1.0.0)
 +
@@ -7897,9 +7415,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.23/policy/modules/roles/unprivuser.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.24/policy/modules/roles/unprivuser.te
 --- nsaserefpolicy/policy/modules/roles/unprivuser.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/roles/unprivuser.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/roles/unprivuser.te	2009-07-28 13:42:19.000000000 -0400
 @@ -14,142 +14,21 @@
  userdom_unpriv_user_template(user)
  
@@ -8048,9 +7566,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -	xserver_role(user_r, user_t)
 +	setroubleshoot_dontaudit_stream_connect(user_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.te serefpolicy-3.6.23/policy/modules/roles/webadm.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.te serefpolicy-3.6.24/policy/modules/roles/webadm.te
 --- nsaserefpolicy/policy/modules/roles/webadm.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/roles/webadm.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/roles/webadm.te	2009-07-28 13:42:19.000000000 -0400
 @@ -42,7 +42,7 @@
  
  userdom_dontaudit_search_user_home_dirs(webadm_t)
@@ -8060,9 +7578,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  tunable_policy(`webadm_manage_user_files',`
  	userdom_manage_user_home_content_files(webadm_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.23/policy/modules/roles/xguest.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.24/policy/modules/roles/xguest.te
 --- nsaserefpolicy/policy/modules/roles/xguest.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/roles/xguest.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/roles/xguest.te	2009-07-28 13:42:19.000000000 -0400
 @@ -36,11 +36,17 @@
  # Local policy
  #
@@ -8109,9 +7627,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
 -#gen_user(xguest_u,, xguest_r, s0, s0)
 +gen_user(xguest_u, user, xguest_r, s0, s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.6.23/policy/modules/services/amavis.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.6.24/policy/modules/services/amavis.te
 --- nsaserefpolicy/policy/modules/services/amavis.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/amavis.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/amavis.te	2009-07-28 13:42:19.000000000 -0400
 @@ -103,6 +103,8 @@
  kernel_dontaudit_read_proc_symlinks(amavis_t)
  kernel_dontaudit_read_system_state(amavis_t)
@@ -8121,9 +7639,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # find perl
  corecmd_exec_bin(amavis_t)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.23/policy/modules/services/apache.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.24/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/apache.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/apache.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -1,12 +1,13 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
 +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -8217,9 +7735,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/www/svn(/.*)?			gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
 +/var/www/svn/hooks(/.*)?		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 +/var/www/svn/conf(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.23/policy/modules/services/apache.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.24/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/apache.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/apache.if	2009-07-28 13:42:19.000000000 -0400
 @@ -13,21 +13,16 @@
  #
  template(`apache_content_template',`
@@ -8758,9 +8276,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	')
 +	typeattribute $1  httpd_rw_content;
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.23/policy/modules/services/apache.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.24/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/apache.te	2009-07-27 14:13:27.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/apache.te	2009-07-28 13:42:19.000000000 -0400
 @@ -19,6 +19,8 @@
  # Declarations
  #
@@ -9492,9 +9010,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +typealias httpd_sys_script_t      alias httpd_fastcgi_script_t;
 +typealias httpd_var_run_t         alias httpd_fastcgi_var_run_t;
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.6.23/policy/modules/services/apm.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.6.24/policy/modules/services/apm.te
 --- nsaserefpolicy/policy/modules/services/apm.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/apm.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/apm.te	2009-07-28 13:42:19.000000000 -0400
 @@ -60,7 +60,7 @@
  # mknod: controlling an orderly resume of PCMCIA requires creating device
  # nodes 254,{0,1,2} for some reason.
@@ -9504,9 +9022,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow apmd_t self:process { signal_perms getsession };
  allow apmd_t self:fifo_file rw_fifo_file_perms;
  allow apmd_t self:unix_dgram_socket create_socket_perms;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.6.23/policy/modules/services/automount.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.6.24/policy/modules/services/automount.if
 --- nsaserefpolicy/policy/modules/services/automount.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/automount.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/automount.if	2009-07-28 13:42:19.000000000 -0400
 @@ -109,6 +109,25 @@
  
  ########################################
@@ -9533,9 +9051,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	All of the rules required to administrate 
  ##	an automount environment
  ## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.23/policy/modules/services/automount.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.24/policy/modules/services/automount.te
 --- nsaserefpolicy/policy/modules/services/automount.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/automount.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/automount.te	2009-07-28 13:42:19.000000000 -0400
 @@ -71,6 +71,7 @@
  files_mounton_all_mountpoints(automount_t)
  files_mount_all_file_type_fs(automount_t)
@@ -9577,28 +9095,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	kerberos_read_config(automount_t)
  	kerberos_dontaudit_write_config(automount_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.23/policy/modules/services/avahi.te
---- nsaserefpolicy/policy/modules/services/avahi.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/avahi.te	2009-07-23 16:39:09.000000000 -0400
-@@ -33,6 +33,7 @@
- allow avahi_t self:tcp_socket create_stream_socket_perms;
- allow avahi_t self:udp_socket create_socket_perms;
- 
-+files_search_var_lib(avahi_t)
- manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
- manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
- files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file })
-@@ -93,6 +94,7 @@
- 	dbus_connect_system_bus(avahi_t)
- 
- 	init_dbus_chat_script(avahi_t)
-+	dbus_system_domain(avahi_t, avahi_exec_t)
- ')
- 
- optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.23/policy/modules/services/bind.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.24/policy/modules/services/bind.if
 --- nsaserefpolicy/policy/modules/services/bind.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/bind.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/bind.if	2009-07-28 13:42:19.000000000 -0400
 @@ -287,6 +287,25 @@
  
  ########################################
@@ -9625,9 +9124,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	All of the rules required to administrate 
  ##	an bind environment
  ## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.23/policy/modules/services/bluetooth.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.24/policy/modules/services/bluetooth.te
 --- nsaserefpolicy/policy/modules/services/bluetooth.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/bluetooth.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/bluetooth.te	2009-07-28 13:42:19.000000000 -0400
 @@ -64,6 +64,7 @@
  allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms };
  allow bluetooth_t self:tcp_socket create_stream_socket_perms;
@@ -9636,9 +9135,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.23/policy/modules/services/certmaster.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.24/policy/modules/services/certmaster.te
 --- nsaserefpolicy/policy/modules/services/certmaster.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/certmaster.te	2009-07-27 14:06:05.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/certmaster.te	2009-07-28 13:42:19.000000000 -0400
 @@ -30,7 +30,7 @@
  # certmaster local policy 
  #
@@ -9648,9 +9147,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow certmaster_t self:tcp_socket create_stream_socket_perms;
  
  # config files
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.23/policy/modules/services/clamav.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.24/policy/modules/services/clamav.te
 --- nsaserefpolicy/policy/modules/services/clamav.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/clamav.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/clamav.te	2009-07-28 13:42:19.000000000 -0400
 @@ -117,9 +117,9 @@
  
  logging_send_syslog_msg(clamd_t)
@@ -9685,9 +9184,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
  	apache_read_sys_content(clamscan_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.6.23/policy/modules/services/consolekit.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.6.24/policy/modules/services/consolekit.if
 --- nsaserefpolicy/policy/modules/services/consolekit.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/consolekit.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/consolekit.if	2009-07-28 13:42:19.000000000 -0400
 @@ -57,3 +57,23 @@
  	read_files_pattern($1, consolekit_log_t, consolekit_log_t)
  	files_search_pids($1)
@@ -9712,9 +9211,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.23/policy/modules/services/consolekit.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.24/policy/modules/services/consolekit.te
 --- nsaserefpolicy/policy/modules/services/consolekit.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/consolekit.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/consolekit.te	2009-07-28 13:42:19.000000000 -0400
 @@ -11,7 +11,7 @@
  init_daemon_domain(consolekit_t, consolekit_exec_t)
  
@@ -9794,9 +9293,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	unconfined_stream_connect(consolekit_t)
  ')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.6.23/policy/modules/services/courier.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.6.24/policy/modules/services/courier.if
 --- nsaserefpolicy/policy/modules/services/courier.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/courier.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/courier.if	2009-07-28 13:42:19.000000000 -0400
 @@ -179,6 +179,24 @@
  
  ########################################
@@ -9822,9 +9321,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Read and write to courier spool pipes.
  ## </summary>
  ## <param name="domain">
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.6.23/policy/modules/services/courier.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.6.24/policy/modules/services/courier.te
 --- nsaserefpolicy/policy/modules/services/courier.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/courier.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/courier.te	2009-07-28 13:42:19.000000000 -0400
 @@ -10,6 +10,7 @@
  
  type courier_etc_t;
@@ -9833,9 +9332,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  courier_domain_template(pcp)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.23/policy/modules/services/cron.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.24/policy/modules/services/cron.fc
 --- nsaserefpolicy/policy/modules/services/cron.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/cron.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/cron.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -1,3 +1,4 @@
 +/etc/rc\.d/init\.d/atd		--	gen_context(system_u:object_r:crond_initrc_exec_t,s0)
  
@@ -9867,9 +9366,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/lib/glpi/files(/.*)?		gen_context(system_u:object_r:cron_var_lib_t,s0)
 +
 +/var/log/mcelog.*		--	gen_context(system_u:object_r:cron_log_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.23/policy/modules/services/cron.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.24/policy/modules/services/cron.if
 --- nsaserefpolicy/policy/modules/services/cron.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/cron.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/cron.if	2009-07-28 13:42:19.000000000 -0400
 @@ -12,6 +12,10 @@
  ## </param>
  #
@@ -10171,9 +9670,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	init_labeled_script_domtrans($1, crond_initrc_exec_t)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.23/policy/modules/services/cron.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.24/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/cron.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/cron.te	2009-07-28 13:42:19.000000000 -0400
 @@ -38,6 +38,10 @@
  type cron_var_lib_t;
  files_type(cron_var_lib_t)
@@ -10525,9 +10024,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  tunable_policy(`fcron_crond', `
  	allow crond_t user_cron_spool_t:file manage_file_perms;
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.23/policy/modules/services/cups.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.24/policy/modules/services/cups.fc
 --- nsaserefpolicy/policy/modules/services/cups.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/cups.fc	2009-07-27 13:42:47.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/cups.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -5,27 +5,38 @@
  /etc/cups/classes\.conf.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /etc/cups/cupsd\.conf.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -10601,9 +10100,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/local/linuxprinter/ppd(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 +
 +/usr/lib/cups/backend/cups-pdf	--	gen_context(system_u:object_r:cups_pdf_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.6.23/policy/modules/services/cups.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.6.24/policy/modules/services/cups.if
 --- nsaserefpolicy/policy/modules/services/cups.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/cups.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/cups.if	2009-07-28 13:42:19.000000000 -0400
 @@ -20,6 +20,30 @@
  
  ########################################
@@ -10728,9 +10227,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	admin_pattern($1, hplip_var_run_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.23/policy/modules/services/cups.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.24/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/cups.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/cups.te	2009-07-28 13:42:19.000000000 -0400
 @@ -20,9 +20,18 @@
  type cupsd_etc_t;
  files_config_file(cupsd_etc_t)
@@ -11171,31 +10670,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
 +miscfiles_read_fonts(cups_pdf_t)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.23/policy/modules/services/cvs.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.24/policy/modules/services/cvs.te
 --- nsaserefpolicy/policy/modules/services/cvs.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/cvs.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/cvs.te	2009-07-28 13:42:19.000000000 -0400
 @@ -112,4 +112,5 @@
  	read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
  	manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
  	manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
 +	files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.6.23/policy/modules/services/dbus.fc
---- nsaserefpolicy/policy/modules/services/dbus.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/dbus.fc	2009-07-23 16:39:09.000000000 -0400
-@@ -4,6 +4,9 @@
- /usr/bin/dbus-daemon(-1)? --	gen_context(system_u:object_r:dbusd_exec_t,s0)
- /bin/dbus-daemon 	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
- 
-+/lib/dbus-1/dbus-daemon-launch-helper 	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
-+/lib64/dbus-1/dbus-daemon-launch-helper 	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
-+
- /var/lib/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
- 
- /var/run/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.23/policy/modules/services/dbus.if
---- nsaserefpolicy/policy/modules/services/dbus.if	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/dbus.if	2009-07-23 16:39:09.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.24/policy/modules/services/dbus.if
+--- nsaserefpolicy/policy/modules/services/dbus.if	2009-07-28 13:28:33.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/dbus.if	2009-07-28 14:03:30.000000000 -0400
 @@ -42,8 +42,10 @@
  	gen_require(`
  		class dbus { send_msg acquire_svc };
@@ -11225,25 +10711,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	allow $1_dbusd_t $3:process sigkill;
  	allow $3 $1_dbusd_t:fd use;
  	allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
-@@ -117,6 +119,7 @@
- 	dev_read_urand($1_dbusd_t)
- 
-  	domain_use_interactive_fds($1_dbusd_t)
-+	domain_read_all_domains_state($1_dbusd_t)
- 
- 	files_read_etc_files($1_dbusd_t)
- 	files_list_home($1_dbusd_t)
-@@ -145,13 +148,20 @@
+@@ -146,6 +148,8 @@
  	seutil_read_config($1_dbusd_t)
  	seutil_read_default_contexts($1_dbusd_t)
  
 +	term_use_all_terms($1_dbusd_t)
 +
  	userdom_read_user_home_content_files($1_dbusd_t)
-+	userdom_dontaudit_search_admin_dir($1_dbusd_t)
  
  	ifdef(`hide_broken_symptoms', `
- 		dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
+@@ -153,6 +157,10 @@
  	')
  
  	optional_policy(`
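Review bot: `term_use_all_terms($1_dbusd_t)` is still carried as a downstream addition to the per-user bus daemon after this rebase, and nothing in the inner hunk at `@@ -146,6 +148,8 @@` says why it is needed. As far as I know, that interface covers the console and every tty and pty, not only the terminal the session was started from. That is broader than a session bus daemon would normally need. I would either narrow it to the user's own terminals or put a comment above the call such as `# <bug reference>: dbus-daemon needs <operation> on <terminal type>` so the grant can be re-evaluated later. The template body this line sits in starts and ends outside the hunk, so I cannot see whether a narrower terminal rule already exists next to it.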
@@ -11254,34 +10731,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  		hal_dbus_chat($1_dbusd_t)
  	')
  
-@@ -161,6 +171,26 @@
- 	')
- ')
- 
-+########################################
-+## <summary>
-+##	Connect to the the system DBUS
-+##	for service (acquire_svc).
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dbus_connect_session_bus',`
-+	gen_require(`
-+		attribute session_bus_type;
-+		class dbus acquire_svc;
-+	')
-+
-+	allow $1 session_bus_type:dbus acquire_svc;
-+')
-+
- #######################################
- ## <summary>
- ##	Template for creating connections to
-@@ -177,10 +207,12 @@
+@@ -178,10 +186,12 @@
  		type system_dbusd_t, system_dbusd_t;
  		type system_dbusd_var_run_t, system_dbusd_var_lib_t;
  		class dbus send_msg;
@@ -11295,7 +10745,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
  	files_search_var_lib($1)
-@@ -189,6 +221,10 @@
+@@ -190,6 +200,10 @@
  	files_search_pids($1)
  	stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
  	dbus_read_config($1)
@@ -11306,211 +10756,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  #######################################
-@@ -236,6 +272,35 @@
+@@ -256,7 +270,7 @@
  
  ########################################
  ## <summary>
-+##	Chat on user/application specific DBUS.
-+## </summary>
-+## <param name="domain_prefix">
-+##	<summary>
-+##	The prefix of the domain (e.g., user
-+##	is the prefix for user_t).
-+## </summary>
-+## </param>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+template(`dbus_chat_user_bus',`
-+	gen_require(`
-+		type $1_t;
-+		type $1_dbusd_t;
-+		class dbus send_msg;
-+	')
-+
-+	allow $2 $1_dbusd_t:dbus send_msg;
-+	allow $1_dbusd_t $2:dbus send_msg;
-+	allow $2 $1_t:dbus send_msg;
-+	allow $1_t $2:dbus send_msg;
-+')
-+
-+########################################
-+## <summary>
- ##	Read dbus configuration.
+-##	Connect to the the session DBUS
++##	Connect to the system DBUS
+ ##	for service (acquire_svc).
  ## </summary>
  ## <param name="domain">
-@@ -310,3 +375,79 @@
- 
- 	allow $1 system_dbusd_t:dbus *;
- ')
-+
-+########################################
-+## <summary>
-+##	Allow unconfined access to the system DBUS.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dbus_unconfined',`
-+	gen_require(`
-+		attribute dbusd_unconfined;
-+	')
-+
-+	typeattribute $1 dbusd_unconfined;
-+')
-+
-+########################################
-+## <summary>
-+##	Create a domain for processes
-+##	which can be started by the system dbus
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Type to be used as a domain.
-+##	</summary>
-+## </param>
-+## <param name="entry_point">
-+##	<summary>
-+##	Type of the program to be used as an entry point to this domain.
-+##	</summary>
-+## </param>
-+#
-+interface(`dbus_system_domain',`
-+	gen_require(`
-+		type system_dbusd_t;
-+		role system_r;
-+	')
-+
-+	domain_type($1)
-+	domain_entry_file($1, $2)
-+
-+	role system_r types $1;
-+
-+	domtrans_pattern(system_dbusd_t, $2, $1)
-+
-+	dbus_system_bus_client($1)
-+	dbus_connect_system_bus($1)
-+
-+	ifdef(`hide_broken_symptoms', `
-+		dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
-+	')
-+
-+	userdom_dontaudit_search_admin_dir($1)
-+')
-+
-+########################################
-+## <summary>
-+##	Dontaudit Read, and write system dbus TCP sockets.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
-+	gen_require(`
-+		type system_dbusd_t;
-+	')
-+
-+	allow $1 system_dbusd_t:tcp_socket { read write };
-+	allow $1 system_dbusd_t:fd use;
-+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.23/policy/modules/services/dbus.te
---- nsaserefpolicy/policy/modules/services/dbus.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/dbus.te	2009-07-23 16:39:09.000000000 -0400
-@@ -9,14 +9,15 @@
- #
- # Delcarations
- #
--
-+attribute dbusd_unconfined;
- attribute session_bus_type;
- 
- type dbusd_etc_t;
--files_type(dbusd_etc_t)
-+files_config_file(dbusd_etc_t)
- 
- type dbusd_exec_t;
- corecmd_executable_file(dbusd_exec_t)
-+typealias dbusd_exec_t alias system_dbusd_exec_t;
- 
- type session_dbusd_tmp_t;
- typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
-@@ -31,11 +32,25 @@
- files_tmp_file(system_dbusd_tmp_t)
- 
- type system_dbusd_var_lib_t;
--files_pid_file(system_dbusd_var_lib_t)
-+files_type(system_dbusd_var_lib_t)
- 
- type system_dbusd_var_run_t;
- files_pid_file(system_dbusd_var_run_t)
- 
-+ifdef(`enable_mcs',`
-+	init_ranged_daemon_domain(system_dbusd_t, dbusd_exec_t,s0 - mcs_systemhigh)
-+')
-+
-+ifdef(`enable_mls',`
-+	init_ranged_daemon_domain(system_dbusd_t, dbusd_exec_t,s0 - mls_systemhigh)
-+	mls_fd_use_all_levels(system_dbusd_t)
-+	mls_rangetrans_target(system_dbusd_t)
-+	mls_file_read_all_levels(system_dbusd_t)
-+	mls_socket_write_all_levels(system_dbusd_t)
-+	mls_socket_read_to_clearance(system_dbusd_t)
-+	mls_dbus_recv_all_levels(system_dbusd_t)
-+')
-+
- ##############################
- #
- # System bus local policy
-@@ -45,7 +60,7 @@
- # cjp: dac_override should probably go in a distro_debian
- allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
- dontaudit system_dbusd_t self:capability sys_tty_config;
--allow system_dbusd_t self:process { getattr signal_perms setcap };
-+allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
- allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
- allow system_dbusd_t self:dbus { send_msg acquire_svc };
- allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
-@@ -53,6 +68,8 @@
- # Receive notifications of policy reloads and enforcing status changes.
- allow system_dbusd_t self:netlink_selinux_socket { create bind read };
- 
-+can_exec(system_dbusd_t, dbusd_exec_t)
-+
- allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
- read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
- read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
-@@ -73,8 +90,10 @@
- dev_read_urand(system_dbusd_t)
- dev_read_sysfs(system_dbusd_t)
- 
-+fs_list_inotifyfs(system_dbusd_t)
- fs_getattr_all_fs(system_dbusd_t)
- fs_search_auto_mountpoints(system_dbusd_t)
-+fs_dontaudit_list_nfs(system_dbusd_t)
- 
- selinux_get_fs_mount(system_dbusd_t)
- selinux_validate_context(system_dbusd_t)
-@@ -91,9 +110,9 @@
- corecmd_list_bin(system_dbusd_t)
- corecmd_read_bin_pipes(system_dbusd_t)
- corecmd_read_bin_sockets(system_dbusd_t)
--corecmd_exec_bin(system_dbusd_t)
- 
- domain_use_interactive_fds(system_dbusd_t)
-+domain_read_all_domains_state(system_dbusd_t)
- 
- files_read_etc_files(system_dbusd_t)
- files_list_home(system_dbusd_t)
-@@ -101,6 +120,8 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.24/policy/modules/services/dbus.te
+--- nsaserefpolicy/policy/modules/services/dbus.te	2009-07-28 13:28:33.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/dbus.te	2009-07-28 14:06:19.000000000 -0400
+@@ -121,6 +121,8 @@
  
  init_use_fds(system_dbusd_t)
  init_use_script_ptys(system_dbusd_t)
@@ -11519,7 +10777,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  logging_send_audit_msgs(system_dbusd_t)
  logging_send_syslog_msg(system_dbusd_t)
-@@ -120,9 +141,39 @@
+@@ -140,6 +142,15 @@
  ')
  
  optional_policy(`
@@ -11532,18 +10790,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +optional_policy(`
 +        policykit_dbus_chat(system_dbusd_t)
-+	policykit_domtrans_auth(system_dbusd_t)
-+	policykit_search_lib(system_dbusd_t)
-+')
-+
-+optional_policy(`
- 	sysnet_domtrans_dhcpc(system_dbusd_t)
+ 	policykit_domtrans_auth(system_dbusd_t)
+ 	policykit_search_lib(system_dbusd_t)
  ')
- 
- optional_policy(`
- 	udev_read_db(system_dbusd_t)
- ')
-+
+@@ -156,5 +168,18 @@
+ #
+ # Unconfined access to this module
+ #
 +optional_policy(`
 +	gen_require(`
 +		type unconfined_dbusd_t;
@@ -11555,13 +10808,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +		xserver_rw_shm(unconfined_dbusd_t)
 +	')
 +')
-+
-+allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
+ 
+ allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
 +allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
 +allow session_bus_type dbusd_unconfined:dbus send_msg;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.23/policy/modules/services/dcc.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.24/policy/modules/services/dcc.te
 --- nsaserefpolicy/policy/modules/services/dcc.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/dcc.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/dcc.te	2009-07-28 13:42:19.000000000 -0400
 @@ -130,11 +130,13 @@
  
  # Access files in /var/dcc. The map file can be updated
@@ -11588,9 +10841,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	spamassassin_read_spamd_tmp_files(dcc_client_t)
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.if serefpolicy-3.6.23/policy/modules/services/ddclient.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.if serefpolicy-3.6.24/policy/modules/services/ddclient.if
 --- nsaserefpolicy/policy/modules/services/ddclient.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/ddclient.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/ddclient.if	2009-07-28 13:42:19.000000000 -0400
 @@ -21,6 +21,31 @@
  
  ########################################
@@ -11623,9 +10876,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	All of the rules required to administrate 
  ##	an ddclient environment
  ## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.23/policy/modules/services/devicekit.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.24/policy/modules/services/devicekit.fc
 --- nsaserefpolicy/policy/modules/services/devicekit.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/services/devicekit.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/devicekit.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,9 @@
 +
 +/usr/libexec/devkit-daemon	--	gen_context(system_u:object_r:devicekit_exec_t,s0)
@@ -11636,9 +10889,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +/var/run/devkit(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
 +/var/run/DeviceKit-disks(/.*)?		gen_context(system_u:object_r:devicekit_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.23/policy/modules/services/devicekit.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.24/policy/modules/services/devicekit.if
 --- nsaserefpolicy/policy/modules/services/devicekit.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/services/devicekit.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/devicekit.if	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,197 @@
 +
 +## <summary>policy for devicekit</summary>
@@ -11837,10 +11090,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	allow $1 devicekit_disk_t:dbus send_msg;
 +	allow devicekit_disk_t $1:dbus send_msg;
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.23/policy/modules/services/devicekit.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.24/policy/modules/services/devicekit.te
 --- nsaserefpolicy/policy/modules/services/devicekit.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/services/devicekit.te	2009-07-23 16:39:09.000000000 -0400
-@@ -0,0 +1,244 @@
++++ serefpolicy-3.6.24/policy/modules/services/devicekit.te	2009-07-28 14:13:14.000000000 -0400
+@@ -0,0 +1,248 @@
 +policy_module(devicekit,1.0.0)
 +
 +########################################
@@ -11940,7 +11193,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +optional_policy(`
 +	hal_domtrans_mac(devicekit_power_t)
-+	hal_create_log(devicekit_power_t)
++	hal_manage_log(devicekit_power_t)
 +	hal_manage_pid_dirs(devicekit_power_t)
 +	hal_manage_pid_files(devicekit_power_t)
 +	hal_dbus_chat(devicekit_power_t)
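Review bot: Replacing `hal_create_log(devicekit_power_t)` with `hal_manage_log(devicekit_power_t)` widens what devicekit_power_t may do to HAL's log files, and the hunk gives no reason for it. The definition of `hal_manage_log` is not visible here, but refpolicy `manage` interfaces normally add write, rename and unlink to create, which would let this domain alter or remove another daemon's log. I would add a comment above the call, for example `# <AVC / bug reference>: devicekit_power_t needs <operation> on the HAL log`. If the denial was only for writing or appending to an existing file, a narrower interface would be the better fit. The `optional_policy` block containing this call closes outside the hunk.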
@@ -11984,6 +11237,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +optional_policy(`
++	udev_read_db(devicekit_power_t)
++')
++
++optional_policy(`
 +	vbetool_domtrans(devicekit_power_t)
 +')
 +#
@@ -12085,9 +11342,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +#	unconfined_domain(devicekit_disk_t)
 +#')
 +#')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.23/policy/modules/services/dnsmasq.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.24/policy/modules/services/dnsmasq.te
 --- nsaserefpolicy/policy/modules/services/dnsmasq.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/dnsmasq.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/dnsmasq.te	2009-07-28 13:42:19.000000000 -0400
 @@ -83,6 +83,14 @@
  userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
  
@@ -12103,9 +11360,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	seutil_sigchld_newrole(dnsmasq_t)
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.23/policy/modules/services/dovecot.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.24/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/dovecot.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/dovecot.te	2009-07-28 13:42:19.000000000 -0400
 @@ -103,6 +103,7 @@
  dev_read_urand(dovecot_t)
  
@@ -12130,9 +11387,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
  #
  # dovecot deliver local policy
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.23/policy/modules/services/exim.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.24/policy/modules/services/exim.te
 --- nsaserefpolicy/policy/modules/services/exim.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/exim.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/exim.te	2009-07-28 13:42:19.000000000 -0400
 @@ -191,6 +191,10 @@
  ')
  
@@ -12144,9 +11401,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	spamassassin_exec(exim_t)
  	spamassassin_exec_client(exim_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.6.23/policy/modules/services/fetchmail.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.6.24/policy/modules/services/fetchmail.te
 --- nsaserefpolicy/policy/modules/services/fetchmail.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/fetchmail.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/fetchmail.te	2009-07-28 13:42:19.000000000 -0400
 @@ -47,6 +47,8 @@
  kernel_read_proc_symlinks(fetchmail_t)
  kernel_dontaudit_read_system_state(fetchmail_t)
@@ -12156,17 +11413,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  corenet_all_recvfrom_unlabeled(fetchmail_t)
  corenet_all_recvfrom_netlabel(fetchmail_t)
  corenet_tcp_sendrecv_generic_if(fetchmail_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.fc serefpolicy-3.6.23/policy/modules/services/fprintd.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.fc serefpolicy-3.6.24/policy/modules/services/fprintd.fc
 --- nsaserefpolicy/policy/modules/services/fprintd.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/services/fprintd.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/fprintd.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,4 @@
 +
 +/usr/libexec/fprintd	--	gen_context(system_u:object_r:fprintd_exec_t,s0)
 +
 +/var/lib/fprint(/.*)?		gen_context(system_u:object_r:fprintd_var_lib_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.if serefpolicy-3.6.23/policy/modules/services/fprintd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.if serefpolicy-3.6.24/policy/modules/services/fprintd.if
 --- nsaserefpolicy/policy/modules/services/fprintd.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/services/fprintd.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/fprintd.if	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,43 @@
 +
 +## <summary>policy for fprintd</summary>
@@ -12211,9 +11468,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	allow fprintd_t $1:dbus send_msg;
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.23/policy/modules/services/fprintd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.24/policy/modules/services/fprintd.te
 --- nsaserefpolicy/policy/modules/services/fprintd.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/services/fprintd.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/fprintd.te	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,55 @@
 +policy_module(fprintd,1.0.0)
 +
@@ -12270,9 +11527,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +permissive fprintd_t;
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.23/policy/modules/services/ftp.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.24/policy/modules/services/ftp.te
 --- nsaserefpolicy/policy/modules/services/ftp.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/ftp.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/ftp.te	2009-07-28 13:42:19.000000000 -0400
 @@ -41,6 +41,13 @@
  
  ## <desc>
@@ -12374,16 +11631,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	seutil_sigchld_newrole(ftpd_t)
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.6.23/policy/modules/services/gnomeclock.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.6.24/policy/modules/services/gnomeclock.fc
 --- nsaserefpolicy/policy/modules/services/gnomeclock.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/services/gnomeclock.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/gnomeclock.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,3 @@
 +
 +/usr/libexec/gnome-clock-applet-mechanism	--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.6.23/policy/modules/services/gnomeclock.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.6.24/policy/modules/services/gnomeclock.if
 --- nsaserefpolicy/policy/modules/services/gnomeclock.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/services/gnomeclock.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/gnomeclock.if	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,69 @@
 +
 +## <summary>policy for gnomeclock</summary>
@@ -12454,9 +11711,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	allow $1 gnomeclock_t:dbus send_msg;
 +	allow gnomeclock_t $1:dbus send_msg;
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.6.23/policy/modules/services/gnomeclock.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.6.24/policy/modules/services/gnomeclock.te
 --- nsaserefpolicy/policy/modules/services/gnomeclock.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/services/gnomeclock.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/gnomeclock.te	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,50 @@
 +policy_module(gnomeclock, 1.0.0)
 +########################################
@@ -12508,9 +11765,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	policykit_read_reload(gnomeclock_t)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.6.23/policy/modules/services/gpsd.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.6.24/policy/modules/services/gpsd.fc
 --- nsaserefpolicy/policy/modules/services/gpsd.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/gpsd.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/gpsd.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -1 +1,6 @@
 +/etc/rc\.d/init\.d/gpsd         --      gen_context(system_u:object_r:gpsd_initrc_exec_t,s0)
 +
@@ -12518,9 +11775,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +/var/run/gpsd\.pid               --      gen_context(system_u:object_r:gpsd_var_run_t,s0)
 +/var/run/gpsd\.sock              -s      gen_context(system_u:object_r:gpsd_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.if serefpolicy-3.6.23/policy/modules/services/gpsd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.if serefpolicy-3.6.24/policy/modules/services/gpsd.if
 --- nsaserefpolicy/policy/modules/services/gpsd.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/gpsd.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/gpsd.if	2009-07-28 13:42:19.000000000 -0400
 @@ -33,11 +33,6 @@
  ##	The role to be allowed the gpsd domain.
  ##	</summary>
@@ -12566,9 +11823,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +        rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
 +        read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.6.23/policy/modules/services/gpsd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.6.24/policy/modules/services/gpsd.te
 --- nsaserefpolicy/policy/modules/services/gpsd.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/gpsd.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/gpsd.te	2009-07-28 13:42:19.000000000 -0400
 @@ -11,9 +11,15 @@
  application_domain(gpsd_t, gpsd_exec_t)
  init_daemon_domain(gpsd_t, gpsd_exec_t)
@@ -12596,90 +11853,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  corenet_all_recvfrom_unlabeled(gpsd_t)
  corenet_all_recvfrom_netlabel(gpsd_t)
  corenet_tcp_sendrecv_generic_if(gpsd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.6.23/policy/modules/services/hal.fc
---- nsaserefpolicy/policy/modules/services/hal.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/hal.fc	2009-07-23 16:39:09.000000000 -0400
-@@ -5,6 +5,7 @@
- /usr/bin/hal-setup-keymap		--	gen_context(system_u:object_r:hald_keymap_exec_t,s0)
- 
- /usr/libexec/hal-acl-tool		--	gen_context(system_u:object_r:hald_acl_exec_t,s0)
-+/usr/libexec/hal-dccm			--	gen_context(system_u:object_r:hald_dccm_exec_t,s0)
- /usr/libexec/hal-hotplug-map 		--	gen_context(system_u:object_r:hald_exec_t,s0)
- /usr/libexec/hal-system-sonypic	 	--	gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
- /usr/libexec/hald-addon-macbookpro-backlight --	gen_context(system_u:object_r:hald_mac_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.23/policy/modules/services/hal.if
---- nsaserefpolicy/policy/modules/services/hal.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/hal.if	2009-07-23 16:39:09.000000000 -0400
-@@ -20,6 +20,24 @@
- 
- ########################################
- ## <summary>
-+##	Execute hal mac in the hal mac domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`hal_domtrans_mac',`
-+	gen_require(`
-+		type hald_mac_t, hald_mac_exec_t;
-+	')
-+
-+	domtrans_pattern($1, hald_mac_exec_t, hald_mac_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Get the attributes of a hal process.
- ## </summary>
- ## <param name="domain">
-@@ -51,10 +69,7 @@
- 		type hald_t;
- 	')
- 
--	allow $1 hald_t:dir list_dir_perms;
--	read_files_pattern($1, hald_t, hald_t)
--	read_lnk_files_pattern($1, hald_t, hald_t)
--	dontaudit $1 hald_t:process ptrace;
-+	ps_process_pattern($1, hald_t)
- ')
- 
- ########################################
-@@ -170,6 +185,24 @@
- 
- ########################################
- ## <summary>
-+##	Allo read/write	to a hal unix datagram socket.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`hal_rw_dgram_sockets',`
-+	gen_require(`
-+		type hald_t;
-+	')
-+
-+	dontaudit $1 hald_t:unix_dgram_socket { read write };
-+')
-+
-+########################################
-+## <summary>
- ##	Send to hal over a unix domain
- ##	stream socket.
- ## </summary>
-@@ -340,3 +373,62 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.24/policy/modules/services/hal.if
+--- nsaserefpolicy/policy/modules/services/hal.if	2009-07-28 13:28:33.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/hal.if	2009-07-28 14:14:19.000000000 -0400
+@@ -413,3 +414,21 @@
  	files_search_pids($1)
- 	allow $1 hald_var_run_t:file rw_file_perms;
+ 	manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
  ')
 +
 +########################################
 +## <summary>
-+##	Manage hald PID dirs.
++##	Dontaudit read/write to a hal unix datagram socket.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -12687,74 +11871,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +##	</summary>
 +## </param>
 +#
-+interface(`hal_manage_pid_dirs',`
++interface(`hal_dontaudit_rw_dgram_sockets',`
 +	gen_require(`
-+		type hald_var_run_t;
-+	')
-+
-+	files_search_pids($1)
-+	manage_dirs_pattern($1, hald_var_run_t, hald_var_run_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Manage hald PID files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`hal_manage_pid_files',`
-+	gen_require(`
-+		type hald_var_run_t;
-+	')
-+
-+	files_search_pids($1)
-+	manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Manage hald log files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`hal_create_log',`
-+	gen_require(`
-+		type hald_log_t;
++		type hald_t;
 +	')
 +
-+	# log files for hald
-+	manage_files_pattern($1, hald_log_t, hald_log_t)
-+	logging_log_filetrans($1, hald_log_t, file)
++	dontaudit $1 hald_t:unix_dgram_socket { read write };
 +')
-+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.23/policy/modules/services/hal.te
---- nsaserefpolicy/policy/modules/services/hal.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/hal.te	2009-07-23 16:39:09.000000000 -0400
-@@ -49,6 +49,15 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.24/policy/modules/services/hal.te
+--- nsaserefpolicy/policy/modules/services/hal.te	2009-07-28 13:28:33.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/hal.te	2009-07-28 14:20:01.000000000 -0400
+@@ -55,6 +55,9 @@
  type hald_var_lib_t;
  files_type(hald_var_lib_t)
  
 +typealias hald_log_t alias pmtools_log_t;
 +typealias hald_var_run_t alias pmtools_var_run_t;
 +
-+type hald_dccm_t;
-+type hald_dccm_exec_t;
-+domain_type(hald_dccm_t)
-+domain_entry_file(hald_dccm_t, hald_dccm_exec_t)
-+role system_r types hald_dccm_t;
-+
  ########################################
  #
  # Local policy
-@@ -94,6 +103,7 @@
+@@ -100,6 +103,7 @@
  kernel_rw_irq_sysctls(hald_t)
  kernel_rw_vm_sysctls(hald_t)
  kernel_write_proc_files(hald_t)
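Review bot: The renamed interface `hal_dontaudit_rw_dgram_sockets` emits only a `dontaudit` rule, but its `<param>` text appears to be left over from the interfaces it replaces. The description line itself falls in the gap between this hunk and the previous one, so this is inferred. If it still reads `Domain allowed access.`, change it to `Domain to not audit.` so the generated interface documentation does not suggest that access is granted. A dontaudit rule suppresses the AVC denial records for these socket operations, so the doc comment is where a later auditor learns that the denials are hidden on purpose.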
@@ -12762,16 +11899,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  kernel_setsched(hald_t)
  
  auth_read_pam_console_data(hald_t)
-@@ -141,13 +151,20 @@
- # hal is now execing pm-suspend
- files_create_boot_flag(hald_t)
- files_getattr_all_dirs(hald_t)
-+files_getattr_all_files(hald_t)
- files_read_kernel_img(hald_t)
- files_rw_lock_dirs(hald_t)
-+files_read_generic_pids(hald_t)
- 
- fs_getattr_all_fs(hald_t)
+@@ -156,6 +160,11 @@
  fs_search_all(hald_t)
  fs_list_inotifyfs(hald_t)
  fs_list_auto_mountpoints(hald_t)
@@ -12780,37 +11908,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +fs_manage_dos_files(hald_t)
 +fs_manage_fusefs_dirs(hald_t)
 +
- files_getattr_all_mountpoints(hald_t)
- 
- mls_file_read_all_levels(hald_t)
-@@ -195,6 +212,7 @@
- seutil_read_file_contexts(hald_t)
- 
- sysnet_read_config(hald_t)
-+sysnet_domtrans_dhcpc(hald_t)
- 
- userdom_dontaudit_use_unpriv_user_fds(hald_t)
- userdom_dontaudit_search_user_home_dirs(hald_t)
-@@ -277,6 +295,18 @@
- ')
- 
- optional_policy(`
-+	ppp_read_rw_config(hald_t)
-+')
-+
-+optional_policy(`
-+        policykit_dbus_chat(hald_t)
-+	policykit_domtrans_auth(hald_t)
-+	policykit_domtrans_resolve(hald_t)
-+	policykit_read_lib(hald_t)
-+	policykit_read_reload(hald_t)
-+')
-+
-+optional_policy(`
- 	rpc_search_nfs_state_data(hald_t)
+ files_getattr_all_mountpoints(hald_t)
+ 
+ mls_file_read_all_levels(hald_t)
+@@ -290,6 +299,7 @@
  ')
  
-@@ -298,7 +328,11 @@
+ optional_policy(`
++        policykit_dbus_chat(hald_t)
+ 	policykit_domtrans_auth(hald_t)
+ 	policykit_domtrans_resolve(hald_t)
+ 	policykit_read_lib(hald_t)
+@@ -318,7 +328,11 @@
  ')
  
  optional_policy(`
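Review bot: The added `policykit_dbus_chat(hald_t)` line is indented with eight spaces, while its siblings in the same `optional_policy` block (`policykit_domtrans_auth(hald_t)` and the calls after it) use a tab. Re-indent it with a single tab to match. The same applies to `policykit_dbus_chat(hald_acl_t)` in the later hunk for the hald_acl_t block. The closing of this `optional_policy` block lies outside the lines shown here.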
@@ -12823,16 +11932,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -306,7 +340,7 @@
- # Hal acl local policy
- #
- 
--allow hald_acl_t self:capability { dac_override fowner };
-+allow hald_acl_t self:capability { dac_override fowner sys_resource };
- allow hald_acl_t self:process { getattr signal };
- allow hald_acl_t self:fifo_file rw_fifo_file_perms;
- 
-@@ -321,6 +355,7 @@
+@@ -341,6 +355,7 @@
  manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
  manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
  files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
@@ -12840,111 +11940,61 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  corecmd_exec_bin(hald_acl_t)
  
-@@ -339,6 +374,8 @@
- 
- storage_getattr_removable_dev(hald_acl_t)
- storage_setattr_removable_dev(hald_acl_t)
-+storage_getattr_fixed_disk_dev(hald_acl_t)
-+storage_setattr_fixed_disk_dev(hald_acl_t)
- 
- auth_use_nsswitch(hald_acl_t)
- 
-@@ -346,12 +383,19 @@
- 
+@@ -369,6 +384,7 @@
  miscfiles_read_localization(hald_acl_t)
  
-+optional_policy(`
+ optional_policy(`
 +        policykit_dbus_chat(hald_acl_t)
-+	policykit_domtrans_auth(hald_acl_t)
-+	policykit_read_lib(hald_acl_t)
-+	policykit_read_reload(hald_acl_t)
-+')
-+
- ########################################
- #
- # Local hald mac policy
- #
- 
--allow hald_mac_t self:capability { setgid setuid };
-+allow hald_mac_t self:capability { setgid setuid sys_admin };
- 
- domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
- allow hald_t hald_mac_t:process signal;
-@@ -374,6 +418,8 @@
- 
- auth_use_nsswitch(hald_mac_t)
- 
-+logging_send_syslog_msg(hald_mac_t)
-+
- miscfiles_read_localization(hald_mac_t)
- 
- ########################################
-@@ -415,6 +461,62 @@
- 
- dev_rw_input_dev(hald_keymap_t)
- 
-+files_read_etc_files(hald_keymap_t)
- files_read_usr_files(hald_keymap_t)
+ 	policykit_domtrans_auth(hald_acl_t)
+ 	policykit_read_lib(hald_acl_t)
+ 	policykit_read_reload(hald_acl_t)
+@@ -450,11 +466,15 @@
  
  miscfiles_read_localization(hald_keymap_t)
-+
+ 
 +# This is caused by a bug in hald and PolicyKit.  
 +# Should be removed when this is fixed
 +cron_read_system_job_lib_files(hald_t)
 +
-+########################################
-+#
-+# Local hald dccm policy
-+#
+ ########################################
+ #
+ # Local hald dccm policy
+ #
+-
 +allow hald_dccm_t self:fifo_file rw_fifo_file_perms;
-+allow hald_dccm_t self:capability { net_bind_service };
-+allow hald_dccm_t self:process getsched;
-+allow hald_dccm_t self:tcp_socket create_stream_socket_perms;
-+allow hald_dccm_t self:udp_socket create_socket_perms;
-+allow hald_dccm_t self:netlink_route_socket rw_netlink_socket_perms;
-+
-+domtrans_pattern(hald_t, hald_dccm_exec_t, hald_dccm_t)
-+allow hald_t hald_dccm_t:process signal;
-+allow hald_dccm_t hald_t:unix_stream_socket connectto;
-+
-+hal_rw_dgram_sockets(hald_dccm_t)
-+
-+corenet_all_recvfrom_unlabeled(hald_dccm_t)
-+corenet_all_recvfrom_netlabel(hald_dccm_t)
-+corenet_tcp_sendrecv_generic_if(hald_dccm_t)
-+corenet_udp_sendrecv_generic_if(hald_dccm_t)
-+corenet_tcp_sendrecv_generic_node(hald_dccm_t)
-+corenet_udp_sendrecv_generic_node(hald_dccm_t)
-+corenet_tcp_sendrecv_all_ports(hald_dccm_t)
-+corenet_udp_sendrecv_all_ports(hald_dccm_t)
-+corenet_tcp_bind_generic_node(hald_dccm_t)
-+corenet_udp_bind_generic_node(hald_dccm_t)
-+corenet_udp_bind_dhcpc_port(hald_dccm_t)
+ allow hald_dccm_t self:capability { net_bind_service };
+ allow hald_dccm_t self:process getsched;
+ allow hald_dccm_t self:tcp_socket create_stream_socket_perms;
+@@ -473,6 +493,8 @@
+ 
+ kernel_search_network_sysctl(hald_dccm_t)
+ 
++hal_dontaudit_rw_dgram_sockets(hald_dccm_t)
++
+ corenet_all_recvfrom_unlabeled(hald_dccm_t)
+ corenet_all_recvfrom_netlabel(hald_dccm_t)
+ corenet_tcp_sendrecv_generic_if(hald_dccm_t)
+@@ -484,6 +506,7 @@
+ corenet_tcp_bind_generic_node(hald_dccm_t)
+ corenet_udp_bind_generic_node(hald_dccm_t)
+ corenet_udp_bind_dhcpc_port(hald_dccm_t)
 +corenet_tcp_bind_ftps_port(hald_dccm_t)
-+corenet_tcp_bind_dccm_port(hald_dccm_t)
-+
-+kernel_search_network_sysctl(hald_dccm_t)
-+
-+logging_send_syslog_msg(hald_dccm_t)
-+
-+manage_dirs_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t)
-+manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t)
-+files_search_var_lib(hald_dccm_t)
-+
-+write_files_pattern(hald_dccm_t, hald_log_t, hald_log_t)
-+
-+files_read_usr_files(hald_dccm_t)
-+
-+miscfiles_read_localization(hald_dccm_t)
+ corenet_tcp_bind_dccm_port(hald_dccm_t)
+ 
+ logging_send_syslog_msg(hald_dccm_t)
+@@ -491,3 +514,9 @@
+ files_read_usr_files(hald_dccm_t)
+ 
+ miscfiles_read_localization(hald_dccm_t)
 +
 +optional_policy(`
 +	dbus_system_bus_client(hald_dccm_t)
 +')
 +
 +permissive hald_dccm_t;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.23/policy/modules/services/kerberos.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.24/policy/modules/services/kerberos.te
 --- nsaserefpolicy/policy/modules/services/kerberos.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/kerberos.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/kerberos.te	2009-07-28 13:42:19.000000000 -0400
 @@ -277,6 +277,8 @@
  #
  
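Review bot: `permissive hald_dccm_t;` at the end of the hal.te section is carried into this release unchanged, even though the same section gives hald_dccm_t `net_bind_service` and the patch adds `corenet_tcp_bind_ftps_port(hald_dccm_t)`. In a permissive domain denials are logged but not enforced, so the allow rules listed here do not actually confine a domain that binds TCP ports. Add a comment above the line recording why it is permissive and when it can be removed, for example `# hald_dccm_t: permissive while AVCs are collected; remove once policy is complete (tracking: <bug id placeholder>)`. The workaround comment before `cron_read_system_job_lib_files(hald_t)` would benefit from the same kind of tracking reference.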
@@ -12984,20 +12034,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  sysnet_dns_name_resolve(kpropd_t)
  
  kerberos_use(kpropd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.6.23/policy/modules/services/kerneloops.te
---- nsaserefpolicy/policy/modules/services/kerneloops.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/kerneloops.te	2009-07-23 16:39:09.000000000 -0400
-@@ -51,6 +51,5 @@
- miscfiles_read_localization(kerneloops_t)
- 
- optional_policy(`
--	dbus_system_bus_client(kerneloops_t)
--	dbus_connect_system_bus(kerneloops_t)
-+	dbus_system_domain(kerneloops_t, kerneloops_exec_t)
- ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.6.23/policy/modules/services/ktalk.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.6.24/policy/modules/services/ktalk.te
 --- nsaserefpolicy/policy/modules/services/ktalk.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/ktalk.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/ktalk.te	2009-07-28 13:42:19.000000000 -0400
 @@ -69,6 +69,7 @@
  files_read_etc_files(ktalkd_t)
  
@@ -13006,9 +12045,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  auth_use_nsswitch(ktalkd_t)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.23/policy/modules/services/lircd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.24/policy/modules/services/lircd.te
 --- nsaserefpolicy/policy/modules/services/lircd.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/lircd.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/lircd.te	2009-07-28 13:42:19.000000000 -0400
 @@ -42,7 +42,17 @@
  # /dev/lircd socket
  manage_sock_files_pattern(lircd_t, lircd_sock_t, lircd_sock_t)
@@ -13027,9 +12066,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
  miscfiles_read_localization(lircd_t)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.23/policy/modules/services/mailman.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.24/policy/modules/services/mailman.te
 --- nsaserefpolicy/policy/modules/services/mailman.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/mailman.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/mailman.te	2009-07-28 13:42:19.000000000 -0400
 @@ -78,6 +78,10 @@
  mta_dontaudit_rw_queue(mailman_mail_t)
  
@@ -13041,9 +12080,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	cron_read_pipes(mailman_mail_t)
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.6.23/policy/modules/services/memcached.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.6.24/policy/modules/services/memcached.te
 --- nsaserefpolicy/policy/modules/services/memcached.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/memcached.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/memcached.te	2009-07-28 13:42:19.000000000 -0400
 @@ -44,6 +44,8 @@
  
  files_read_etc_files(memcached_t)
@@ -13053,9 +12092,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  miscfiles_read_localization(memcached_t)
  
  sysnet_dns_name_resolve(memcached_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.23/policy/modules/services/mta.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.24/policy/modules/services/mta.fc
 --- nsaserefpolicy/policy/modules/services/mta.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/mta.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/mta.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -1,4 +1,4 @@
 -/bin/mail		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 +/bin/mail(x)?		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
@@ -13086,9 +12125,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -#')
 +HOME_DIR/\.forward	--	gen_context(system_u:object_r:mail_forward_t,s0)
 +/root/\.forward		--	gen_context(system_u:object_r:mail_forward_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.23/policy/modules/services/mta.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.24/policy/modules/services/mta.if
 --- nsaserefpolicy/policy/modules/services/mta.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/mta.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/mta.if	2009-07-28 13:42:19.000000000 -0400
 @@ -130,6 +130,15 @@
  		sendmail_create_log($1_mail_t)
  	')
@@ -13191,9 +12230,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.23/policy/modules/services/mta.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.24/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/mta.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/mta.te	2009-07-28 13:42:19.000000000 -0400
 @@ -27,6 +27,9 @@
  type mail_spool_t;
  files_mountpoint(mail_spool_t)
@@ -13338,9 +12377,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
  #
  # User send mail local policy
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.6.23/policy/modules/services/munin.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.6.24/policy/modules/services/munin.fc
 --- nsaserefpolicy/policy/modules/services/munin.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/munin.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/munin.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -9,3 +9,6 @@
  /var/lib/munin(/.*)?			gen_context(system_u:object_r:munin_var_lib_t,s0)
  /var/log/munin.*			gen_context(system_u:object_r:munin_log_t,s0)
@@ -13348,9 +12387,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/www/html/munin(/.*)?		gen_context(system_u:object_r:httpd_munin_content_t,s0)
 +/var/www/html/munin/cgi(/.*)?		gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.23/policy/modules/services/munin.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.24/policy/modules/services/munin.te
 --- nsaserefpolicy/policy/modules/services/munin.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/munin.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/munin.te	2009-07-28 13:42:19.000000000 -0400
 @@ -33,7 +33,7 @@
  # Local policy
  #
@@ -13430,9 +12469,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
 +manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.23/policy/modules/services/mysql.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.24/policy/modules/services/mysql.te
 --- nsaserefpolicy/policy/modules/services/mysql.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/mysql.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/mysql.te	2009-07-28 13:42:19.000000000 -0400
 @@ -136,6 +136,8 @@
  
  domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
@@ -13451,9 +12490,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  mysql_read_config(mysqld_safe_t)
  mysql_search_pid_files(mysqld_safe_t)
  mysql_write_log(mysqld_safe_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.23/policy/modules/services/nagios.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.24/policy/modules/services/nagios.fc
 --- nsaserefpolicy/policy/modules/services/nagios.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/nagios.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/nagios.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -1,16 +1,21 @@
  /etc/nagios(/.*)?			gen_context(system_u:object_r:nagios_etc_t,s0)
  /etc/nagios/nrpe\.cfg		--	gen_context(system_u:object_r:nrpe_etc_t,s0)
@@ -13479,9 +12518,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
 +/usr/lib(64)?/cgi-bin/nagios(/.+)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
 +/usr/lib(64)?/nagios/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.23/policy/modules/services/nagios.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.24/policy/modules/services/nagios.if
 --- nsaserefpolicy/policy/modules/services/nagios.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/nagios.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/nagios.if	2009-07-28 13:42:19.000000000 -0400
 @@ -64,7 +64,7 @@
  
  ########################################
@@ -13581,9 +12620,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	admin_pattern($1, nrpe_etc_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.23/policy/modules/services/nagios.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.24/policy/modules/services/nagios.te
 --- nsaserefpolicy/policy/modules/services/nagios.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/nagios.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/nagios.te	2009-07-28 13:42:19.000000000 -0400
 @@ -10,13 +10,12 @@
  type nagios_exec_t;
  init_daemon_domain(nagios_t, nagios_exec_t)
@@ -13679,9 +12718,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  ########################################
  #
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.23/policy/modules/services/networkmanager.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.24/policy/modules/services/networkmanager.fc
 --- nsaserefpolicy/policy/modules/services/networkmanager.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/networkmanager.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/networkmanager.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -1,12 +1,25 @@
 +/etc/rc\.d/init\.d/wicd		--	gen_context(system_u:object_r:NetworkManager_initrc_exec_t, s0)
 +/etc/NetworkManager/dispatcher\.d(/.*)	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
@@ -13708,9 +12747,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 +/var/run/nm-dhclient.*			gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.23/policy/modules/services/networkmanager.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.24/policy/modules/services/networkmanager.if
 --- nsaserefpolicy/policy/modules/services/networkmanager.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/networkmanager.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/networkmanager.if	2009-07-28 13:42:19.000000000 -0400
 @@ -118,6 +118,24 @@
  
  ########################################
@@ -13767,9 +12806,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	role $2 types NetworkManager_t;
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.23/policy/modules/services/networkmanager.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.24/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/networkmanager.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/networkmanager.te	2009-07-28 13:42:19.000000000 -0400
 @@ -19,6 +19,9 @@
  type NetworkManager_tmp_t;
  files_tmp_file(NetworkManager_tmp_t)
@@ -14001,9 +13040,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.6.23/policy/modules/services/nis.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.6.24/policy/modules/services/nis.fc
 --- nsaserefpolicy/policy/modules/services/nis.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/nis.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/nis.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -1,4 +1,7 @@
 -
 +/etc/rc\.d/init\.d/ypbind	--	gen_context(system_u:object_r:ypbind_initrc_exec_t,s0)
@@ -14013,9 +13052,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /etc/ypserv\.conf	--	gen_context(system_u:object_r:ypserv_conf_t,s0)
  
  /sbin/ypbind		--	gen_context(system_u:object_r:ypbind_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.6.23/policy/modules/services/nis.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.6.24/policy/modules/services/nis.if
 --- nsaserefpolicy/policy/modules/services/nis.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/nis.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/nis.if	2009-07-28 13:42:19.000000000 -0400
 @@ -28,7 +28,7 @@
  		type var_yp_t;
  	')
@@ -14157,9 +13196,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	role $2 types ypbind_t;
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.23/policy/modules/services/nis.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.24/policy/modules/services/nis.te
 --- nsaserefpolicy/policy/modules/services/nis.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/nis.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/nis.te	2009-07-28 13:42:19.000000000 -0400
 @@ -13,6 +13,9 @@
  type ypbind_exec_t;
  init_daemon_domain(ypbind_t, ypbind_exec_t)
@@ -14209,9 +13248,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  corenet_tcp_bind_all_rpc_ports(ypxfr_t)
  corenet_udp_bind_all_rpc_ports(ypxfr_t)
  corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.6.23/policy/modules/services/nscd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.6.24/policy/modules/services/nscd.if
 --- nsaserefpolicy/policy/modules/services/nscd.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/nscd.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/nscd.if	2009-07-28 13:42:19.000000000 -0400
 @@ -236,6 +236,24 @@
  
  ########################################
@@ -14237,9 +13276,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	All of the rules required to administrate 
  ##	an nscd environment
  ## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.6.23/policy/modules/services/nscd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.6.24/policy/modules/services/nscd.te
 --- nsaserefpolicy/policy/modules/services/nscd.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/nscd.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/nscd.te	2009-07-28 13:42:19.000000000 -0400
 @@ -90,6 +90,7 @@
  selinux_compute_relabel_context(nscd_t)
  selinux_compute_user_contexts(nscd_t)
@@ -14261,17 +13300,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	samba_read_config(nscd_t)
 +	samba_read_var_files(nscd_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.fc serefpolicy-3.6.23/policy/modules/services/nslcd.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.fc serefpolicy-3.6.24/policy/modules/services/nslcd.fc
 --- nsaserefpolicy/policy/modules/services/nslcd.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/services/nslcd.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/nslcd.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,4 @@
 +/usr/sbin/nslcd	--	gen_context(system_u:object_r:nslcd_exec_t,s0)
 +/etc/nss-ldapd.conf	--	gen_context(system_u:object_r:nslcd_conf_t,s0)
 +/etc/rc\.d/init\.d/nslcd	--	gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
 +/var/run/nslcd(/.*)?			gen_context(system_u:object_r:nslcd_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.if serefpolicy-3.6.23/policy/modules/services/nslcd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.if serefpolicy-3.6.24/policy/modules/services/nslcd.if
 --- nsaserefpolicy/policy/modules/services/nslcd.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/services/nslcd.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/nslcd.if	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,142 @@
 +
 +## <summary>policy for nslcd</summary>
@@ -14415,9 +13454,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	nslcd_manage_var_run($1)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.te serefpolicy-3.6.23/policy/modules/services/nslcd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.te serefpolicy-3.6.24/policy/modules/services/nslcd.te
 --- nsaserefpolicy/policy/modules/services/nslcd.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/services/nslcd.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/nslcd.te	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,50 @@
 +policy_module(nslcd,1.0.0)
 +
@@ -14469,9 +13508,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +auth_use_nsswitch(nslcd_t)
 +
 +logging_send_syslog_msg(nslcd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.6.23/policy/modules/services/ntp.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.6.24/policy/modules/services/ntp.if
 --- nsaserefpolicy/policy/modules/services/ntp.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/ntp.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/ntp.if	2009-07-28 13:42:19.000000000 -0400
 @@ -37,6 +37,32 @@
  
  ########################################
@@ -14570,9 +13609,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.6.23/policy/modules/services/ntp.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.6.24/policy/modules/services/ntp.te
 --- nsaserefpolicy/policy/modules/services/ntp.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/ntp.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/ntp.te	2009-07-28 13:42:19.000000000 -0400
 @@ -41,10 +41,11 @@
  
  # sys_resource and setrlimit is for locking memory
@@ -14611,9 +13650,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.6.23/policy/modules/services/nx.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.6.24/policy/modules/services/nx.te
 --- nsaserefpolicy/policy/modules/services/nx.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/nx.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/nx.te	2009-07-28 13:42:19.000000000 -0400
 @@ -25,6 +25,9 @@
  type nx_server_var_run_t;
  files_pid_file(nx_server_var_run_t)
@@ -14634,18 +13673,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  kernel_read_system_state(nx_server_t)
  kernel_read_kernel_sysctls(nx_server_t)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.6.23/policy/modules/services/oddjob.fc
---- nsaserefpolicy/policy/modules/services/oddjob.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/oddjob.fc	2009-07-23 16:39:09.000000000 -0400
-@@ -1,4 +1,4 @@
--/usr/lib/oddjob/mkhomedir	--	gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
-+/usr/lib(64)?/oddjob/mkhomedir	--	gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
- 
- /usr/sbin/oddjobd		--	gen_context(system_u:object_r:oddjob_exec_t,s0)
- 
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.6.23/policy/modules/services/oddjob.if
---- nsaserefpolicy/policy/modules/services/oddjob.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/oddjob.if	2009-07-23 16:39:09.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.6.24/policy/modules/services/oddjob.if
+--- nsaserefpolicy/policy/modules/services/oddjob.if	2009-07-28 13:28:33.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/oddjob.if	2009-07-28 13:42:19.000000000 -0400
 @@ -44,6 +44,7 @@
  	')
  
@@ -14654,97 +13684,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -84,3 +85,28 @@
- 
- 	domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t)
- ')
-+
-+########################################
-+## <summary>
-+##	Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <param name="role">
-+##	<summary>
-+##	The role to allow the oddjob_mkhomedir domain.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`oddjob_run_mkhomedir',`
-+	gen_require(`
-+		type oddjob_mkhomedir_t;
-+	')
-+
-+	oddjob_domtrans_mkhomedir($1)
-+	role $2 types oddjob_mkhomedir_t;
-+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.6.23/policy/modules/services/oddjob.te
---- nsaserefpolicy/policy/modules/services/oddjob.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/oddjob.te	2009-07-23 16:39:09.000000000 -0400
-@@ -10,14 +10,21 @@
- type oddjob_exec_t;
- domain_type(oddjob_t)
- init_daemon_domain(oddjob_t, oddjob_exec_t)
-+domain_obj_id_change_exemption(oddjob_t)
-+domain_role_change_exemption(oddjob_t)
- domain_subj_id_change_exemption(oddjob_t)
- 
- type oddjob_mkhomedir_t;
- type oddjob_mkhomedir_exec_t;
- domain_type(oddjob_mkhomedir_t)
--init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
-+domain_obj_id_change_exemption(oddjob_mkhomedir_t)
-+init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
- oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
- 
-+ifdef(`enable_mcs',`
-+	init_ranged_daemon_domain(oddjob_t, oddjob_exec_t,s0 - mcs_systemhigh)
-+')
-+
- # pid files
- type oddjob_var_run_t;
- files_pid_file(oddjob_var_run_t)
-@@ -65,13 +72,32 @@
- # oddjob_mkhomedir local policy
- #
- 
-+allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override };
-+allow oddjob_mkhomedir_t self:process setfscreate;
- allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms;
- allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
- 
- files_read_etc_files(oddjob_mkhomedir_t)
- 
-+kernel_read_system_state(oddjob_mkhomedir_t)
-+
-+auth_use_nsswitch(oddjob_mkhomedir_t)
-+
-+logging_send_syslog_msg(oddjob_mkhomedir_t)
-+
- miscfiles_read_localization(oddjob_mkhomedir_t)
- 
-+selinux_get_fs_mount(oddjob_mkhomedir_t)
-+selinux_validate_context(oddjob_mkhomedir_t)
-+selinux_compute_access_vector(oddjob_mkhomedir_t)
-+selinux_compute_create_context(oddjob_mkhomedir_t)
-+selinux_compute_relabel_context(oddjob_mkhomedir_t)
-+selinux_compute_user_contexts(oddjob_mkhomedir_t)
-+
-+seutil_read_config(oddjob_mkhomedir_t)
-+seutil_read_file_contexts(oddjob_mkhomedir_t)
-+seutil_read_default_contexts(oddjob_mkhomedir_t)
-+
- # Add/remove user home directories
- userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
- userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.23/policy/modules/services/openvpn.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.24/policy/modules/services/openvpn.te
 --- nsaserefpolicy/policy/modules/services/openvpn.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/openvpn.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/openvpn.te	2009-07-28 13:42:19.000000000 -0400
 @@ -86,6 +86,7 @@
  corenet_udp_bind_openvpn_port(openvpn_t)
  corenet_tcp_connect_openvpn_port(openvpn_t)
@@ -14753,9 +13695,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  corenet_rw_tun_tap_dev(openvpn_t)
  corenet_sendrecv_openvpn_server_packets(openvpn_t)
  corenet_sendrecv_openvpn_client_packets(openvpn_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.23/policy/modules/services/pcscd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.24/policy/modules/services/pcscd.te
 --- nsaserefpolicy/policy/modules/services/pcscd.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/pcscd.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/pcscd.te	2009-07-28 13:42:19.000000000 -0400
 @@ -29,6 +29,7 @@
  
  manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
@@ -14773,9 +13715,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  term_use_unallocated_ttys(pcscd_t)
  term_dontaudit_getattr_pty_dirs(pcscd_t)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.6.23/policy/modules/services/pegasus.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.6.24/policy/modules/services/pegasus.te
 --- nsaserefpolicy/policy/modules/services/pegasus.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/pegasus.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/pegasus.te	2009-07-28 13:42:19.000000000 -0400
 @@ -30,7 +30,7 @@
  # Local policy
  #
@@ -14847,9 +13789,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	xen_stream_connect(pegasus_t)
 +	xen_stream_connect_xenstore(pegasus_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.6.23/policy/modules/services/policykit.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.6.24/policy/modules/services/policykit.fc
 --- nsaserefpolicy/policy/modules/services/policykit.fc	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/policykit.fc	2009-07-27 09:04:55.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/policykit.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -1,7 +1,7 @@
  /usr/libexec/polkit-read-auth-helper	--	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
  /usr/libexec/polkit-grant-helper.*	--	gen_context(system_u:object_r:policykit_grant_exec_t,s0)
@@ -14859,9 +13801,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  /var/lib/misc/PolicyKit.reload			gen_context(system_u:object_r:policykit_reload_t,s0)
  /var/lib/PolicyKit(/.*)?			gen_context(system_u:object_r:policykit_var_lib_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.6.23/policy/modules/services/policykit.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.6.24/policy/modules/services/policykit.if
 --- nsaserefpolicy/policy/modules/services/policykit.if	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/policykit.if	2009-07-23 17:17:05.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/policykit.if	2009-07-28 13:42:19.000000000 -0400
 @@ -17,6 +17,8 @@
  		class dbus send_msg;
  	')
@@ -14911,9 +13853,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	policykit_read_reload($2)
 +	policykit_dbus_chat($2)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.23/policy/modules/services/policykit.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.24/policy/modules/services/policykit.te
 --- nsaserefpolicy/policy/modules/services/policykit.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/policykit.te	2009-07-27 11:48:01.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/policykit.te	2009-07-28 13:42:19.000000000 -0400
 @@ -38,9 +38,10 @@
  
  allow policykit_t self:capability { setgid setuid };
@@ -15009,9 +13951,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
  allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.6.23/policy/modules/services/postfix.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.6.24/policy/modules/services/postfix.fc
 --- nsaserefpolicy/policy/modules/services/postfix.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/postfix.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/postfix.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -29,12 +29,10 @@
  /usr/lib/postfix/smtpd	--	gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
  /usr/lib/postfix/bounce	--	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
@@ -15025,9 +13967,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /usr/sbin/postdrop	--	gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
  /usr/sbin/postfix	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
  /usr/sbin/postkick	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.23/policy/modules/services/postfix.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.24/policy/modules/services/postfix.if
 --- nsaserefpolicy/policy/modules/services/postfix.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/postfix.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/postfix.if	2009-07-28 13:42:19.000000000 -0400
 @@ -46,6 +46,7 @@
  
  	allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
@@ -15274,9 +14216,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	role $2 types postfix_postdrop_t;
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.23/policy/modules/services/postfix.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.24/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/postfix.te	2009-07-27 09:06:16.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/postfix.te	2009-07-28 13:42:19.000000000 -0400
 @@ -6,6 +6,15 @@
  # Declarations
  #
@@ -15656,9 +14598,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +userdom_manage_user_home_content(postfix_virtual_t)
 +userdom_home_filetrans_user_home_dir(postfix_virtual_t)
 +userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.6.23/policy/modules/services/postgresql.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.6.24/policy/modules/services/postgresql.fc
 --- nsaserefpolicy/policy/modules/services/postgresql.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/postgresql.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/postgresql.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -2,6 +2,7 @@
  # /etc
  #
@@ -15667,9 +14609,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  #
  # /usr
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.6.23/policy/modules/services/postgresql.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.6.24/policy/modules/services/postgresql.if
 --- nsaserefpolicy/policy/modules/services/postgresql.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/postgresql.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/postgresql.if	2009-07-28 13:42:19.000000000 -0400
 @@ -384,3 +384,46 @@
  
  	typeattribute $1 sepgsql_unconfined_type;
@@ -15717,9 +14659,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	admin_pattern($1, postgresql_tmp_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.23/policy/modules/services/postgresql.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.24/policy/modules/services/postgresql.te
 --- nsaserefpolicy/policy/modules/services/postgresql.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/postgresql.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/postgresql.te	2009-07-28 13:42:19.000000000 -0400
 @@ -32,6 +32,9 @@
  type postgresql_etc_t;
  files_config_file(postgresql_etc_t)
@@ -15758,9 +14700,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  miscfiles_read_localization(postgresql_t)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.23/policy/modules/services/ppp.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.24/policy/modules/services/ppp.if
 --- nsaserefpolicy/policy/modules/services/ppp.if	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/ppp.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/ppp.if	2009-07-28 13:42:19.000000000 -0400
 @@ -177,10 +177,16 @@
  interface(`ppp_run',`
  	gen_require(`
@@ -15778,9 +14720,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.23/policy/modules/services/ppp.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.24/policy/modules/services/ppp.te
 --- nsaserefpolicy/policy/modules/services/ppp.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/ppp.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/ppp.te	2009-07-28 13:42:19.000000000 -0400
 @@ -193,6 +193,8 @@
  
  optional_policy(`
@@ -15819,9 +14761,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	hostname_exec(pptp_t)
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.6.23/policy/modules/services/privoxy.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.6.24/policy/modules/services/privoxy.te
 --- nsaserefpolicy/policy/modules/services/privoxy.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/privoxy.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/privoxy.te	2009-07-28 13:42:19.000000000 -0400
 @@ -47,9 +47,8 @@
  manage_files_pattern(privoxy_t, privoxy_var_run_t, privoxy_var_run_t)
  files_pid_filetrans(privoxy_t, privoxy_var_run_t, file)
@@ -15833,9 +14775,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  corenet_all_recvfrom_unlabeled(privoxy_t)
  corenet_all_recvfrom_netlabel(privoxy_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.23/policy/modules/services/procmail.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.24/policy/modules/services/procmail.te
 --- nsaserefpolicy/policy/modules/services/procmail.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/procmail.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/procmail.te	2009-07-28 13:42:19.000000000 -0400
 @@ -22,7 +22,7 @@
  # Local policy
  #
@@ -15883,9 +14825,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.23/policy/modules/services/pyzor.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.24/policy/modules/services/pyzor.fc
 --- nsaserefpolicy/policy/modules/services/pyzor.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/pyzor.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/pyzor.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -1,6 +1,10 @@
  /etc/pyzor(/.*)?		gen_context(system_u:object_r:pyzor_etc_t, s0)
 +/etc/rc\.d/init\.d/pyzord	--	gen_context(system_u:object_r:pyzord_initrc_exec_t,s0)
@@ -15897,9 +14839,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  /usr/bin/pyzor		--	gen_context(system_u:object_r:pyzor_exec_t,s0)
  /usr/bin/pyzord		--	gen_context(system_u:object_r:pyzord_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.6.23/policy/modules/services/pyzor.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.6.24/policy/modules/services/pyzor.if
 --- nsaserefpolicy/policy/modules/services/pyzor.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/pyzor.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/pyzor.if	2009-07-28 13:42:19.000000000 -0400
 @@ -88,3 +88,50 @@
  	corecmd_search_bin($1)
  	can_exec($1, pyzor_exec_t)
@@ -15951,9 +14893,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.23/policy/modules/services/pyzor.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.24/policy/modules/services/pyzor.te
 --- nsaserefpolicy/policy/modules/services/pyzor.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/pyzor.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/pyzor.te	2009-07-28 13:42:19.000000000 -0400
 @@ -6,6 +6,38 @@
  # Declarations
  #
@@ -16018,17 +14960,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  userdom_dontaudit_search_user_home_dirs(pyzor_t)
  
  optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.6.23/policy/modules/services/razor.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.6.24/policy/modules/services/razor.fc
 --- nsaserefpolicy/policy/modules/services/razor.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/razor.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/razor.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -1,3 +1,4 @@
 +/root/\.razor(/.*)?		gen_context(system_u:object_r:razor_home_t,s0)
  HOME_DIR/\.razor(/.*)?		gen_context(system_u:object_r:razor_home_t,s0)
  
  /etc/razor(/.*)?		gen_context(system_u:object_r:razor_etc_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.23/policy/modules/services/razor.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.24/policy/modules/services/razor.if
 --- nsaserefpolicy/policy/modules/services/razor.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/razor.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/razor.if	2009-07-28 13:42:19.000000000 -0400
 @@ -157,3 +157,45 @@
  
  	domtrans_pattern($1, razor_exec_t, razor_t)
@@ -16075,9 +15017,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.6.23/policy/modules/services/razor.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.6.24/policy/modules/services/razor.te
 --- nsaserefpolicy/policy/modules/services/razor.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/razor.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/razor.te	2009-07-28 13:42:19.000000000 -0400
 @@ -6,6 +6,32 @@
  # Declarations
  #
@@ -16129,9 +15071,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.23/policy/modules/services/ricci.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.24/policy/modules/services/ricci.te
 --- nsaserefpolicy/policy/modules/services/ricci.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/ricci.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/ricci.te	2009-07-28 13:42:19.000000000 -0400
 @@ -440,6 +440,10 @@
  files_read_usr_files(ricci_modstorage_t)
  files_read_kernel_modules(ricci_modstorage_t)
@@ -16143,9 +15085,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  storage_raw_read_fixed_disk(ricci_modstorage_t)
  
  term_dontaudit_use_console(ricci_modstorage_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.6.23/policy/modules/services/rpcbind.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.6.24/policy/modules/services/rpcbind.if
 --- nsaserefpolicy/policy/modules/services/rpcbind.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/rpcbind.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/rpcbind.if	2009-07-28 13:42:19.000000000 -0400
 @@ -97,6 +97,26 @@
  
  ########################################
@@ -16173,9 +15115,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	All of the rules required to administrate 
  ##	an rpcbind environment
  ## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.23/policy/modules/services/rpc.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.24/policy/modules/services/rpc.if
 --- nsaserefpolicy/policy/modules/services/rpc.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/rpc.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/rpc.if	2009-07-28 13:42:19.000000000 -0400
 @@ -54,7 +54,7 @@
  	allow $1_t self:unix_dgram_socket create_socket_perms;
  	allow $1_t self:unix_stream_socket create_stream_socket_perms;
@@ -16196,9 +15138,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  		seutil_sigchld_newrole($1_t)
  	')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.23/policy/modules/services/rpc.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.24/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/rpc.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/rpc.te	2009-07-28 13:42:19.000000000 -0400
 @@ -23,7 +23,7 @@
  gen_tunable(allow_nfsd_anon_write, false)
  
@@ -16300,9 +15242,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	kerberos_keytab_template(gssd, gssd_t) 
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.23/policy/modules/services/rsync.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.24/policy/modules/services/rsync.te
 --- nsaserefpolicy/policy/modules/services/rsync.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/rsync.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/rsync.te	2009-07-28 13:42:19.000000000 -0400
 @@ -8,6 +8,13 @@
  
  ## <desc>
@@ -16337,15 +15279,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
  auth_can_read_shadow_passwords(rsync_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.fc serefpolicy-3.6.23/policy/modules/services/rtkit_daemon.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.fc serefpolicy-3.6.24/policy/modules/services/rtkit_daemon.fc
 --- nsaserefpolicy/policy/modules/services/rtkit_daemon.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/services/rtkit_daemon.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/rtkit_daemon.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,2 @@
 +
 +/usr/libexec/rtkit-daemon	--	gen_context(system_u:object_r:rtkit_daemon_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.if serefpolicy-3.6.23/policy/modules/services/rtkit_daemon.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.if serefpolicy-3.6.24/policy/modules/services/rtkit_daemon.if
 --- nsaserefpolicy/policy/modules/services/rtkit_daemon.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/services/rtkit_daemon.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/rtkit_daemon.if	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,64 @@
 +
 +## <summary>policy for rtkit_daemon</summary>
@@ -16411,9 +15353,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	allow rtkit_daemon_t $1:process { getsched setsched };
 +	rtkit_daemon_dbus_chat($1)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.te serefpolicy-3.6.23/policy/modules/services/rtkit_daemon.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.te serefpolicy-3.6.24/policy/modules/services/rtkit_daemon.te
 --- nsaserefpolicy/policy/modules/services/rtkit_daemon.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/services/rtkit_daemon.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/rtkit_daemon.te	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,36 @@
 +policy_module(rtkit_daemon,1.0.0)
 +
@@ -16451,9 +15393,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
 +        policykit_dbus_chat(rtkit_daemon_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.23/policy/modules/services/samba.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.24/policy/modules/services/samba.fc
 --- nsaserefpolicy/policy/modules/services/samba.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/samba.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/samba.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -2,6 +2,9 @@
  #
  # /etc
@@ -16480,9 +15422,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +ifndef(`enable_mls',`
 +/var/lib/samba/scripts(/.*)?		gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.6.23/policy/modules/services/samba.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.6.24/policy/modules/services/samba.if
 --- nsaserefpolicy/policy/modules/services/samba.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/samba.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/samba.if	2009-07-28 13:42:19.000000000 -0400
 @@ -4,6 +4,45 @@
  ##	from Windows NT servers.
  ## </summary>
@@ -16880,9 +15822,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	admin_pattern($1, samba_unconfined_script_exec_t)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.23/policy/modules/services/samba.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.24/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/samba.te	2009-07-27 11:16:18.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/samba.te	2009-07-28 13:42:19.000000000 -0400
 @@ -66,6 +66,13 @@
  ## </desc>
  gen_tunable(samba_share_nfs, false)
@@ -17043,9 +15985,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ifdef(`hide_broken_symptoms', `
  	files_dontaudit_getattr_default_dirs(smbd_t)
  	files_dontaudit_getattr_boot_dirs(smbd_t)
-@@ -333,25 +361,34 @@
+@@ -332,26 +360,39 @@
+ ') 
  
  tunable_policy(`samba_domain_controller',`
++	gen_require(`
++		class passwd passwd;
++	')
++
  	usermanage_domtrans_passwd(smbd_t)
 +	usermanage_kill_passwd(smbd_t)
  	usermanage_domtrans_useradd(smbd_t)
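Review bot: The `gen_require` for `class passwd passwd;` added at the top of the `samba_domain_controller` block in samba.te has no visible consumer; the lines of the block shown in this hunk are only `usermanage_*` interface calls on `smbd_t`, and none of them names the `passwd` class directly. The `tunable_policy` block continues past the end of this hunk, so a rule using the class may exist further down, but that cannot be confirmed from here. If such a rule exists, a one-line comment above the require would make the grant reviewable, for example `# passwd object class is needed by the smbd_t rule below when smbd acts as a domain controller`. If nothing uses it, the require should be dropped, so that the boolean does not carry an unexplained dependency on an account-management object class.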
@@ -17070,21 +16017,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	fs_manage_nfs_symlinks(smbd_t)
 +	fs_manage_nfs_named_pipes(smbd_t)
 +	fs_manage_nfs_named_sockets(smbd_t)
-+')
-+
+ ')
+ 
 +# Support Samba sharing of ntfs/fusefs mount points
 +tunable_policy(`samba_share_fusefs',`
 +	fs_manage_fusefs_dirs(smbd_t)
 +	fs_manage_fusefs_files(smbd_t)
 +',`
 +	fs_search_fusefs(smbd_t)
- ')
- 
++')
++
 +
  optional_policy(`
  	cups_read_rw_config(smbd_t)
  	cups_stream_connect(smbd_t)
-@@ -359,6 +396,16 @@
+@@ -359,6 +400,16 @@
  
  optional_policy(`
  	kerberos_use(smbd_t)
@@ -17101,7 +16048,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -376,13 +423,15 @@
+@@ -376,13 +427,15 @@
  tunable_policy(`samba_create_home_dirs',`
  	allow smbd_t self:capability chown;
  	userdom_create_user_home_dirs(smbd_t)
@@ -17118,7 +16065,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	auth_read_all_files_except_shadow(nmbd_t)
  ')
  
-@@ -391,8 +440,8 @@
+@@ -391,8 +444,8 @@
  	auth_manage_all_files_except_shadow(smbd_t)
  	fs_read_noxattr_fs_files(nmbd_t) 
  	auth_manage_all_files_except_shadow(nmbd_t)
@@ -17128,7 +16075,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  ########################################
  #
-@@ -417,14 +466,11 @@
+@@ -417,14 +470,11 @@
  files_pid_filetrans(nmbd_t, nmbd_var_run_t, file)
  
  read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
@@ -17144,7 +16091,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
  
  allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
-@@ -553,21 +599,36 @@
+@@ -553,21 +603,36 @@
  userdom_use_user_terminals(smbmount_t)
  userdom_use_all_users_fds(smbmount_t)
  
@@ -17184,7 +16131,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  append_files_pattern(swat_t, samba_log_t, samba_log_t)
  
-@@ -585,6 +646,9 @@
+@@ -585,6 +650,9 @@
  files_pid_filetrans(swat_t, swat_var_run_t, file)
  
  allow swat_t winbind_exec_t:file mmap_file_perms;
@@ -17194,7 +16141,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  kernel_read_kernel_sysctls(swat_t)
  kernel_read_system_state(swat_t)
-@@ -609,6 +673,7 @@
+@@ -609,6 +677,7 @@
  
  dev_read_urand(swat_t)
  
@@ -17202,7 +16149,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  files_read_etc_files(swat_t)
  files_search_home(swat_t)
  files_read_usr_files(swat_t)
-@@ -618,6 +683,7 @@
+@@ -618,6 +687,7 @@
  auth_use_nsswitch(swat_t)
  
  logging_send_syslog_msg(swat_t)
@@ -17210,7 +16157,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  logging_search_logs(swat_t)
  
  miscfiles_read_localization(swat_t)
-@@ -635,14 +701,25 @@
+@@ -635,14 +705,25 @@
  	kerberos_use(swat_t)
  ')
  
@@ -17238,7 +16185,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow winbind_t self:fifo_file rw_fifo_file_perms;
  allow winbind_t self:unix_dgram_socket create_socket_perms;
  allow winbind_t self:unix_stream_socket create_stream_socket_perms;
-@@ -683,9 +760,10 @@
+@@ -683,9 +764,10 @@
  manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
  files_pid_filetrans(winbind_t, winbind_var_run_t, file)
  
@@ -17251,7 +16198,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  corenet_all_recvfrom_unlabeled(winbind_t)
  corenet_all_recvfrom_netlabel(winbind_t)
-@@ -709,10 +787,12 @@
+@@ -709,10 +791,12 @@
  
  auth_domtrans_chk_passwd(winbind_t)
  auth_use_nsswitch(winbind_t)
@@ -17264,7 +16211,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  logging_send_syslog_msg(winbind_t)
  
-@@ -768,8 +848,13 @@
+@@ -768,8 +852,13 @@
  userdom_use_user_terminals(winbind_helper_t)
  
  optional_policy(`
@@ -17278,7 +16225,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -778,6 +863,16 @@
+@@ -778,6 +867,16 @@
  #
  
  optional_policy(`
@@ -17295,7 +16242,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	type samba_unconfined_script_t;
  	type samba_unconfined_script_exec_t;
  	domain_type(samba_unconfined_script_t)
-@@ -788,9 +883,43 @@
+@@ -788,9 +887,43 @@
  	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
  	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
  
@@ -17340,9 +16287,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +allow winbind_t smbcontrol_t:process signal;
 +
 +allow smbcontrol_t nmbd_var_run_t:file { read lock };
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.6.23/policy/modules/services/sasl.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.6.24/policy/modules/services/sasl.te
 --- nsaserefpolicy/policy/modules/services/sasl.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/sasl.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/sasl.te	2009-07-28 13:42:19.000000000 -0400
 @@ -31,7 +31,7 @@
  # Local policy
  #
@@ -17405,9 +16352,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	seutil_sigchld_newrole(saslauthd_t)
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.23/policy/modules/services/sendmail.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.24/policy/modules/services/sendmail.if
 --- nsaserefpolicy/policy/modules/services/sendmail.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/sendmail.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/sendmail.if	2009-07-28 13:42:19.000000000 -0400
 @@ -59,20 +59,20 @@
  
  ########################################
@@ -17580,9 +16527,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	allow $1 sendmail_t:fifo_file rw_fifo_file_perms; 
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.23/policy/modules/services/sendmail.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.24/policy/modules/services/sendmail.te
 --- nsaserefpolicy/policy/modules/services/sendmail.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/sendmail.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/sendmail.te	2009-07-28 13:42:19.000000000 -0400
 @@ -20,13 +20,17 @@
  mta_mailserver_delivery(sendmail_t)
  mta_mailserver_sender(sendmail_t)
@@ -17758,18 +16705,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
 -dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
 -') dnl end TODO
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.6.23/policy/modules/services/setroubleshoot.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.6.24/policy/modules/services/setroubleshoot.fc
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/setroubleshoot.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/setroubleshoot.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -5,3 +5,5 @@
  /var/log/setroubleshoot(/.*)?		gen_context(system_u:object_r:setroubleshoot_var_log_t,s0)
  
  /var/lib/setroubleshoot(/.*)?		gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0)
 +
 +/usr/share/setroubleshoot/SetroubleshootFixit\.py* 	--	gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.6.23/policy/modules/services/setroubleshoot.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.6.24/policy/modules/services/setroubleshoot.if
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/setroubleshoot.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/setroubleshoot.if	2009-07-28 13:42:19.000000000 -0400
 @@ -16,8 +16,8 @@
  	')
  
@@ -17846,9 +16793,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	files_list_pids($1)
 +	admin_pattern($1, setroubleshoot_var_run_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.23/policy/modules/services/setroubleshoot.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.24/policy/modules/services/setroubleshoot.te
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/setroubleshoot.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/setroubleshoot.te	2009-07-28 13:42:19.000000000 -0400
 @@ -22,13 +22,19 @@
  type setroubleshoot_var_run_t;
  files_pid_file(setroubleshoot_var_run_t)
@@ -17966,9 +16913,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +permissive setroubleshoot_fixit_t;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.fc serefpolicy-3.6.23/policy/modules/services/shorewall.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.fc serefpolicy-3.6.24/policy/modules/services/shorewall.fc
 --- nsaserefpolicy/policy/modules/services/shorewall.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/services/shorewall.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/shorewall.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,12 @@
 +
 +/etc/rc\.d/init\.d/shorewall        	--      gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
@@ -17982,9 +16929,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +/var/lib/shorewall(/.*)?			gen_context(system_u:object_r:shorewall_var_lib_t,s0)
 +/var/lib/shorewall-lite(/.*)?           	gen_context(system_u:object_r:shorewall_var_lib_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.if serefpolicy-3.6.23/policy/modules/services/shorewall.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.if serefpolicy-3.6.24/policy/modules/services/shorewall.if
 --- nsaserefpolicy/policy/modules/services/shorewall.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/services/shorewall.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/shorewall.if	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,166 @@
 +## <summary>policy for shorewall</summary>
 +
@@ -18152,9 +17099,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +        admin_pattern($1, shorewall_tmp_t)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.te serefpolicy-3.6.23/policy/modules/services/shorewall.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.te serefpolicy-3.6.24/policy/modules/services/shorewall.te
 --- nsaserefpolicy/policy/modules/services/shorewall.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/services/shorewall.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/shorewall.te	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,102 @@
 +policy_module(shorewall,1.0.0)
 +
@@ -18258,9 +17205,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +permissive shorewall_t;
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.23/policy/modules/services/smartmon.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.24/policy/modules/services/smartmon.te
 --- nsaserefpolicy/policy/modules/services/smartmon.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/smartmon.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/smartmon.te	2009-07-28 13:42:19.000000000 -0400
 @@ -19,6 +19,10 @@
  type fsdaemon_tmp_t;
  files_tmp_file(fsdaemon_tmp_t)
@@ -18318,53 +17265,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.if serefpolicy-3.6.23/policy/modules/services/snort.if
---- nsaserefpolicy/policy/modules/services/snort.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/snort.if	2009-07-23 16:39:09.000000000 -0400
-@@ -38,6 +38,7 @@
- interface(`snort_admin',`
- 	gen_require(`
- 		type snort_t, snort_var_run_t, snort_log_t;
-+		type snort_etc_t;
- 		type snort_initrc_exec_t;
- 	')
- 
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.6.23/policy/modules/services/snort.te
---- nsaserefpolicy/policy/modules/services/snort.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/snort.te	2009-07-23 16:39:09.000000000 -0400
-@@ -56,6 +56,7 @@
- files_pid_filetrans(snort_t, snort_var_run_t, file)
- 
- kernel_read_kernel_sysctls(snort_t)
-+kernel_read_sysctl(snort_t)
- kernel_list_proc(snort_t)
- kernel_read_proc_symlinks(snort_t)
- kernel_dontaudit_read_system_state(snort_t)
-@@ -70,6 +71,7 @@
- corenet_raw_sendrecv_generic_node(snort_t)
- corenet_tcp_sendrecv_all_ports(snort_t)
- corenet_udp_sendrecv_all_ports(snort_t)
-+corenet_tcp_connect_prelude_port(snort_t)
- 
- dev_read_sysfs(snort_t)
- dev_read_rand(snort_t)
-@@ -94,6 +96,13 @@
- userdom_dontaudit_use_unpriv_user_fds(snort_t)
- userdom_dontaudit_search_user_home_dirs(snort_t)
- 
-+# snorts must be able to resolve dns in case it wants to relay to a remote prelude-manager
-+sysnet_dns_name_resolve(snort_t)
-+
-+optional_policy(`
-+	prelude_manage_spool(snort_t)
-+')
-+
- optional_policy(`
- 	seutil_sigchld_newrole(snort_t)
- ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.23/policy/modules/services/spamassassin.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.24/policy/modules/services/spamassassin.fc
 --- nsaserefpolicy/policy/modules/services/spamassassin.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/spamassassin.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/spamassassin.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -1,15 +1,25 @@
 -HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamassassin_home_t,s0)
 +HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamc_home_t,s0)
@@ -18393,9 +17296,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /var/spool/spamd(/.*)?		gen_context(system_u:object_r:spamd_spool_t,s0)
 +/var/spool/MD-Quarantine(/.*)?	gen_context(system_u:object_r:spamd_spool_t,s0)
 +/var/spool/MIMEDefang(/.*)?	gen_context(system_u:object_r:spamd_spool_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.23/policy/modules/services/spamassassin.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.24/policy/modules/services/spamassassin.if
 --- nsaserefpolicy/policy/modules/services/spamassassin.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/spamassassin.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/spamassassin.if	2009-07-28 13:42:19.000000000 -0400
 @@ -111,6 +111,7 @@
  	')
  
@@ -18482,16 +17385,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	files_list_pids($1)
 +	admin_pattern($1, spamd_var_run_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.23/policy/modules/services/spamassassin.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.24/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/spamassassin.te	2009-07-23 16:39:09.000000000 -0400
-@@ -1,5 +1,5 @@
- 
--policy_module(spamassassin, 2.1.4)
-+policy_module(spamassassin, 2.1.3)
- 
- ########################################
- #
++++ serefpolicy-3.6.24/policy/modules/services/spamassassin.te	2009-07-28 13:42:19.000000000 -0400
 @@ -20,6 +20,35 @@
  ## </desc>
  gen_tunable(spamd_enable_home_dirs, true)
@@ -18784,9 +17680,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
  	udev_read_db(spamd_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.23/policy/modules/services/squid.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.24/policy/modules/services/squid.te
 --- nsaserefpolicy/policy/modules/services/squid.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/squid.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/squid.te	2009-07-28 13:42:19.000000000 -0400
 @@ -118,6 +118,8 @@
  
  fs_getattr_all_fs(squid_t)
@@ -18805,18 +17701,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -#squid requires the following when run in diskd mode, the recommended setting
 -allow squid_t tmpfs_t:file { read write };
 -') dnl end TODO
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.6.23/policy/modules/services/ssh.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.6.24/policy/modules/services/ssh.fc
 --- nsaserefpolicy/policy/modules/services/ssh.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/ssh.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/ssh.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -14,3 +14,5 @@
  /usr/sbin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
  
  /var/run/sshd\.init\.pid	--	gen_context(system_u:object_r:sshd_var_run_t,s0)
 +
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:home_ssh_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.23/policy/modules/services/ssh.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.24/policy/modules/services/ssh.if
 --- nsaserefpolicy/policy/modules/services/ssh.if	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/ssh.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/ssh.if	2009-07-28 13:42:19.000000000 -0400
 @@ -36,6 +36,7 @@
  	gen_require(`
  		attribute ssh_server;
@@ -19117,16 +18013,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	read_lnk_files_pattern($1, home_ssh_t, home_ssh_t)
 +	userdom_search_user_home_dirs($1)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.23/policy/modules/services/ssh.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.24/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/ssh.te	2009-07-23 16:39:09.000000000 -0400
-@@ -1,5 +1,5 @@
- 
--policy_module(ssh, 2.0.3)
-+policy_module(ssh, 2.0.2)
- 
- ########################################
- #
++++ serefpolicy-3.6.24/policy/modules/services/ssh.te	2009-07-28 13:42:19.000000000 -0400
 @@ -41,6 +41,9 @@
  files_tmp_file(sshd_tmp_t)
  files_poly_parent(sshd_tmp_t)
@@ -19298,18 +18187,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	seutil_sigchld_newrole(ssh_keygen_t)
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.23/policy/modules/services/sssd.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.24/policy/modules/services/sssd.fc
 --- nsaserefpolicy/policy/modules/services/sssd.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/sssd.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/sssd.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -1,4 +1,4 @@
 -/etc/rc.d/init.d/sssd	--	gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/sssd	--	gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
  
  /usr/sbin/sssd		--	gen_context(system_u:object_r:sssd_exec_t,s0)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.23/policy/modules/services/sssd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.24/policy/modules/services/sssd.if
 --- nsaserefpolicy/policy/modules/services/sssd.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/sssd.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/sssd.if	2009-07-28 13:42:19.000000000 -0400
 @@ -12,12 +12,32 @@
  #
  interface(`sssd_domtrans',`
@@ -19372,9 +18261,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Send and receive messages from
  ##	sssd over dbus.
  ## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.23/policy/modules/services/uucp.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.24/policy/modules/services/uucp.te
 --- nsaserefpolicy/policy/modules/services/uucp.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/uucp.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/uucp.te	2009-07-28 13:42:19.000000000 -0400
 @@ -95,6 +95,8 @@
  files_search_home(uucpd_t)
  files_search_spool(uucpd_t)
@@ -19392,9 +18281,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.23/policy/modules/services/virt.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.24/policy/modules/services/virt.fc
 --- nsaserefpolicy/policy/modules/services/virt.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/virt.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/virt.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -8,5 +8,16 @@
  
  /var/lib/libvirt(/.*)?		gen_context(system_u:object_r:virt_var_lib_t,s0)
@@ -19412,9 +18301,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/cache/libvirt(/.*)?	gen_context(system_u:object_r:svirt_cache_t,s0)
 +
 +/var/run/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:svirt_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.23/policy/modules/services/virt.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.24/policy/modules/services/virt.if
 --- nsaserefpolicy/policy/modules/services/virt.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/virt.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/virt.if	2009-07-28 13:42:19.000000000 -0400
 @@ -2,28 +2,6 @@
  
  ########################################
@@ -19576,9 +18465,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	')
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.23/policy/modules/services/virt.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.24/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/virt.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/virt.te	2009-07-28 13:42:19.000000000 -0400
 @@ -8,19 +8,38 @@
  
  ## <desc>
@@ -19908,9 +18797,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	xen_rw_image_files(svirt_t)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.6.23/policy/modules/services/w3c.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.6.24/policy/modules/services/w3c.te
 --- nsaserefpolicy/policy/modules/services/w3c.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/w3c.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/w3c.te	2009-07-28 13:42:19.000000000 -0400
 @@ -8,11 +8,18 @@
  
  apache_content_template(w3c_validator)
@@ -19930,9 +18819,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
  corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
  corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.23/policy/modules/services/xserver.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.24/policy/modules/services/xserver.fc
 --- nsaserefpolicy/policy/modules/services/xserver.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/xserver.fc	2009-07-27 13:50:30.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/xserver.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -3,12 +3,16 @@
  #
  HOME_DIR/\.fonts\.conf	--	gen_context(system_u:object_r:user_fonts_config_t,s0)
@@ -20003,9 +18892,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  ifdef(`distro_suse',`
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.23/policy/modules/services/xserver.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.24/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/xserver.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/xserver.if	2009-07-28 13:42:19.000000000 -0400
 @@ -90,7 +90,7 @@
  	allow $2 xauth_home_t:file manage_file_perms;
  	allow $2 xauth_home_t:file { relabelfrom relabelto };
@@ -20679,9 +19568,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	allow xdm_t $1:dbus send_msg;
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.23/policy/modules/services/xserver.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.24/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/xserver.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/services/xserver.te	2009-07-28 13:42:19.000000000 -0400
 @@ -34,6 +34,13 @@
  
  ## <desc>
@@ -21427,9 +20316,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -#
 -allow xdm_t user_home_type:file unlink;
 -') dnl end TODO
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.6.23/policy/modules/system/application.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.6.24/policy/modules/system/application.if
 --- nsaserefpolicy/policy/modules/system/application.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/application.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/application.if	2009-07-28 13:42:19.000000000 -0400
 @@ -2,7 +2,7 @@
  
  ########################################
@@ -21461,9 +20350,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	allow $1 application_domain_type:process signull;
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.23/policy/modules/system/application.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.24/policy/modules/system/application.te
 --- nsaserefpolicy/policy/modules/system/application.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/application.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/application.te	2009-07-28 13:42:19.000000000 -0400
 @@ -7,7 +7,18 @@
  # Executables to be run by user
  attribute application_exec_type;
@@ -21483,9 +20372,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	sudo_sigchld(application_domain_type)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.6.23/policy/modules/system/authlogin.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.6.24/policy/modules/system/authlogin.fc
 --- nsaserefpolicy/policy/modules/system/authlogin.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/authlogin.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/authlogin.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -7,12 +7,10 @@
  /etc/passwd\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
  /etc/shadow.*		--	gen_context(system_u:object_r:shadow_t,s0)
@@ -21511,9 +20400,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /var/run/sudo(/.*)?		gen_context(system_u:object_r:pam_var_run_t,s0)
 +/var/run/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.23/policy/modules/system/authlogin.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.24/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/authlogin.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/authlogin.if	2009-07-28 13:42:19.000000000 -0400
 @@ -40,17 +40,76 @@
  ##	</summary>
  ## </param>
@@ -21813,9 +20702,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.23/policy/modules/system/authlogin.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.24/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/authlogin.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/authlogin.te	2009-07-28 13:42:19.000000000 -0400
 @@ -125,9 +125,18 @@
  ')
  
@@ -21835,9 +20724,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
  #
  # PAM local policy
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.23/policy/modules/system/fstools.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.24/policy/modules/system/fstools.fc
 --- nsaserefpolicy/policy/modules/system/fstools.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/fstools.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/fstools.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -1,4 +1,3 @@
 -/sbin/badblocks		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/blkid		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -21851,9 +20740,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /sbin/parted		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/partprobe		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.6.23/policy/modules/system/fstools.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.6.24/policy/modules/system/fstools.te
 --- nsaserefpolicy/policy/modules/system/fstools.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/fstools.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/fstools.te	2009-07-28 13:42:19.000000000 -0400
 @@ -97,6 +97,10 @@
  fs_getattr_tmpfs_dirs(fsadm_t)
  fs_read_tmpfs_symlinks(fsadm_t)
@@ -21882,9 +20771,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	xen_rw_image_files(fsadm_t)
  ')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.6.23/policy/modules/system/hostname.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.6.24/policy/modules/system/hostname.te
 --- nsaserefpolicy/policy/modules/system/hostname.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/hostname.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/hostname.te	2009-07-28 13:42:19.000000000 -0400
 @@ -8,7 +8,9 @@
  
  type hostname_t;
@@ -21896,9 +20785,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  role system_r types hostname_t;
  
  ########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.23/policy/modules/system/init.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.24/policy/modules/system/init.fc
 --- nsaserefpolicy/policy/modules/system/init.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/init.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/init.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -4,10 +4,10 @@
  /etc/init\.d/.*		--	gen_context(system_u:object_r:initrc_exec_t,s0)
  
@@ -21921,9 +20810,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  #
  # /var
  #
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.23/policy/modules/system/init.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.24/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/init.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/init.if	2009-07-28 13:42:19.000000000 -0400
 @@ -174,6 +174,7 @@
  	role system_r types $1;
  
@@ -22132,9 +21021,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	allow $1 init_t:unix_dgram_socket sendto;
 +	allow init_t $1:unix_dgram_socket sendto;
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.23/policy/modules/system/init.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.24/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/init.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/init.te	2009-07-28 13:42:19.000000000 -0400
 @@ -17,6 +17,20 @@
  ## </desc>
  gen_tunable(init_upstart, false)
@@ -22528,18 +21417,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
 +	fail2ban_read_lib_files(daemon)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.6.23/policy/modules/system/ipsec.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.6.24/policy/modules/system/ipsec.fc
 --- nsaserefpolicy/policy/modules/system/ipsec.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/ipsec.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/ipsec.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -1,3 +1,5 @@
 +/etc/rc\.d/init\.d/ipsec	--	gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
 +
  /etc/ipsec\.secrets		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
  /etc/ipsec\.conf		--	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
  /etc/racoon/psk\.txt		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.6.23/policy/modules/system/ipsec.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.6.24/policy/modules/system/ipsec.if
 --- nsaserefpolicy/policy/modules/system/ipsec.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/ipsec.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/ipsec.if	2009-07-28 13:42:19.000000000 -0400
 @@ -229,3 +229,28 @@
  	ipsec_domtrans_setkey($1)
  	role $2 types setkey_t;
@@ -22569,9 +21458,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	ipsec_domtrans_racoon($1)
 +	role $2 types racoon_t;
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.23/policy/modules/system/ipsec.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.24/policy/modules/system/ipsec.te
 --- nsaserefpolicy/policy/modules/system/ipsec.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/ipsec.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/ipsec.te	2009-07-28 13:42:19.000000000 -0400
 @@ -15,6 +15,9 @@
  type ipsec_conf_file_t;
  files_type(ipsec_conf_file_t)
@@ -22672,9 +21561,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  # allow setkey to set the context for ipsec SAs and policy.
  ipsec_setcontext_default_spd(setkey_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.23/policy/modules/system/iptables.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.24/policy/modules/system/iptables.fc
 --- nsaserefpolicy/policy/modules/system/iptables.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/iptables.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/iptables.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -1,9 +1,10 @@
 -/sbin/ip6tables.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
  /sbin/ipchains.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
@@ -22691,9 +21580,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/sbin/iptables-multi 	--	gen_context(system_u:object_r:iptables_exec_t,s0)
  
 -/var/lib/shorewall(/.*)? --	gen_context(system_u:object_r:iptables_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.23/policy/modules/system/iptables.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.24/policy/modules/system/iptables.te
 --- nsaserefpolicy/policy/modules/system/iptables.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/iptables.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/iptables.te	2009-07-28 13:42:19.000000000 -0400
 @@ -53,6 +53,7 @@
  mls_file_read_all_levels(iptables_t)
  
@@ -22713,9 +21602,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	rhgb_dontaudit_use_ptys(iptables_t)
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-3.6.23/policy/modules/system/iscsi.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-3.6.24/policy/modules/system/iscsi.if
 --- nsaserefpolicy/policy/modules/system/iscsi.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/iscsi.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/iscsi.if	2009-07-28 13:42:19.000000000 -0400
 @@ -17,3 +17,43 @@
  
  	domtrans_pattern($1, iscsid_exec_t, iscsid_t)
@@ -22760,9 +21649,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	stream_connect_pattern($1,iscsi_var_lib_t,iscsi_var_lib_t,iscsid_t)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.23/policy/modules/system/iscsi.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.24/policy/modules/system/iscsi.te
 --- nsaserefpolicy/policy/modules/system/iscsi.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/iscsi.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/iscsi.te	2009-07-28 13:42:19.000000000 -0400
 @@ -55,6 +55,7 @@
  files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
  
@@ -22786,9 +21675,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
 -sysnet_dns_name_resolve(iscsid_t)
 +miscfiles_read_localization(iscsid_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.23/policy/modules/system/libraries.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.24/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/libraries.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/libraries.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -60,12 +60,15 @@
  #
  # /opt
@@ -22995,9 +21884,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/lib(64)?/ICAClient/.*\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/lib(64)?/midori/.*\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.6.23/policy/modules/system/libraries.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.6.24/policy/modules/system/libraries.if
 --- nsaserefpolicy/policy/modules/system/libraries.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/libraries.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/libraries.if	2009-07-28 13:42:19.000000000 -0400
 @@ -60,7 +60,7 @@
  		type lib_t, ld_so_t, ld_so_cache_t;
  	')
@@ -23025,9 +21914,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	allow $1 lib_t:dir list_dir_perms;
  	read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
  	mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.23/policy/modules/system/libraries.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.24/policy/modules/system/libraries.te
 --- nsaserefpolicy/policy/modules/system/libraries.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/libraries.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/libraries.te	2009-07-28 13:42:19.000000000 -0400
 @@ -52,11 +52,11 @@
  # ldconfig local policy
  #
@@ -23084,9 +21973,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
 +	unconfined_domain(ldconfig_t) 
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.23/policy/modules/system/locallogin.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.24/policy/modules/system/locallogin.te
 --- nsaserefpolicy/policy/modules/system/locallogin.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/locallogin.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/locallogin.te	2009-07-28 13:42:19.000000000 -0400
 @@ -67,6 +67,7 @@
  dev_setattr_power_mgmt_dev(local_login_t)
  dev_getattr_sound_dev(local_login_t)
@@ -23165,9 +22054,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -optional_policy(`
 -	nscd_socket_use(sulogin_t)
 -')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.23/policy/modules/system/logging.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.24/policy/modules/system/logging.fc
 --- nsaserefpolicy/policy/modules/system/logging.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/logging.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/logging.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -53,15 +53,18 @@
  /var/named/chroot/var/log -d	gen_context(system_u:object_r:var_log_t,s0)
  ')
@@ -23191,9 +22080,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  /var/tinydns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.23/policy/modules/system/logging.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.24/policy/modules/system/logging.if
 --- nsaserefpolicy/policy/modules/system/logging.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/logging.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/logging.if	2009-07-28 13:42:19.000000000 -0400
 @@ -623,7 +623,7 @@
  	')
  
@@ -23212,9 +22101,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.23/policy/modules/system/logging.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.24/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/logging.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/logging.te	2009-07-28 13:42:19.000000000 -0400
 @@ -126,7 +126,7 @@
  allow auditd_t self:process { signal_perms setpgid setsched };
  allow auditd_t self:file rw_file_perms;
@@ -23307,9 +22196,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow syslogd_t self:udp_socket create_socket_perms;
  allow syslogd_t self:tcp_socket create_stream_socket_perms;
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.23/policy/modules/system/lvm.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.24/policy/modules/system/lvm.te
 --- nsaserefpolicy/policy/modules/system/lvm.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/lvm.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/lvm.te	2009-07-28 13:42:19.000000000 -0400
 @@ -10,6 +10,9 @@
  type clvmd_exec_t;
  init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -23396,9 +22285,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  optional_policy(`
  	modutils_domtrans_insmod(lvm_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.23/policy/modules/system/miscfiles.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.24/policy/modules/system/miscfiles.if
 --- nsaserefpolicy/policy/modules/system/miscfiles.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/miscfiles.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/miscfiles.if	2009-07-28 13:42:19.000000000 -0400
 @@ -87,6 +87,25 @@
  
  ########################################
@@ -23425,9 +22314,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Do not audit attempts to write fonts.
  ## </summary>
  ## <param name="domain">
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.23/policy/modules/system/modutils.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.24/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/modutils.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/modutils.te	2009-07-28 13:42:19.000000000 -0400
 @@ -42,7 +42,7 @@
  # insmod local policy
  #
@@ -23540,9 +22429,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  #################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.6.23/policy/modules/system/mount.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.6.24/policy/modules/system/mount.fc
 --- nsaserefpolicy/policy/modules/system/mount.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/mount.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/mount.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -1,4 +1,9 @@
  /bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
  /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
@@ -23554,9 +22443,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +/var/cache/davfs2(/.*)?		gen_context(system_u:object_r:mount_var_run_t,s0)
 +/var/run/davfs2(/.*)?		gen_context(system_u:object_r:mount_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.23/policy/modules/system/mount.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.24/policy/modules/system/mount.if
 --- nsaserefpolicy/policy/modules/system/mount.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/mount.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/mount.if	2009-07-28 13:42:19.000000000 -0400
 @@ -43,9 +43,11 @@
  
  	mount_domtrans($1)
@@ -23592,9 +22481,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	allow $1 mount_t:process signal; 
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.23/policy/modules/system/mount.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.24/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/mount.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/mount.te	2009-07-28 14:16:41.000000000 -0400
 @@ -18,17 +18,22 @@
  init_system_domain(mount_t, mount_exec_t)
  role system_r types mount_t;
@@ -23790,7 +22679,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # for kernel package installation
  optional_policy(`
  	rpm_rw_pipes(mount_t)
-@@ -185,14 +227,24 @@
+@@ -185,14 +227,23 @@
  
  optional_policy(`
  	samba_domtrans_smbmount(mount_t)
@@ -23800,7 +22689,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
  #
 -# Unconfined mount local policy
-+# ntfs local policy
++#  ntfs local policy
  #
 +allow mount_t self:fifo_file rw_fifo_file_perms;
 +allow mount_t self:unix_stream_socket create_stream_socket_perms;
@@ -23815,12 +22704,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -	unconfined_domain(unconfined_mount_t)
 +	hal_write_log(mount_t)
 +	hal_use_fds(mount_t)
-+	hal_rw_pipes(mount_t)
++	hal_dontaudit_rw_pipes(mount_t)
  ')
-+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.6.23/policy/modules/system/selinuxutil.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.6.24/policy/modules/system/selinuxutil.fc
 --- nsaserefpolicy/policy/modules/system/selinuxutil.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/selinuxutil.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/selinuxutil.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -6,13 +6,13 @@
  /etc/selinux(/.*)?			gen_context(system_u:object_r:selinux_config_t,s0)
  /etc/selinux/([^/]*/)?contexts(/.*)?	gen_context(system_u:object_r:default_context_t,s0)
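Review bot: The replacement of `hal_rw_pipes(mount_t)` by `hal_dontaudit_rw_pipes(mount_t)` in the mount.te section has no comment saying why the access is silenced rather than granted or left to be denied visibly. A dontaudit rule removes the AVC record, so anyone later investigating mount/hal interaction will find nothing in the audit log. I would add a line above it such as `# descriptors inherited from hald are not needed by mount; silence the denial` (the reason is my inference, please confirm). The same applies to the `hal_dontaudit_rw_dgram_sockets` calls on dhcpc_t and udev_t in the later hunks.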
@@ -23859,9 +22747,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +/etc/share/selinux/targeted(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)
 +/etc/share/selinux/mls(/.*)?		gen_context(system_u:object_r:semanage_store_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.23/policy/modules/system/selinuxutil.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.24/policy/modules/system/selinuxutil.if
 --- nsaserefpolicy/policy/modules/system/selinuxutil.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/selinuxutil.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/selinuxutil.if	2009-07-28 13:42:19.000000000 -0400
 @@ -535,6 +535,53 @@
  
  ########################################
@@ -24250,9 +23138,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	hotplug_use_fds($1)
 +')
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.23/policy/modules/system/selinuxutil.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.24/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/selinuxutil.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/selinuxutil.te	2009-07-28 13:42:19.000000000 -0400
 @@ -23,6 +23,9 @@
  type selinux_config_t;
  files_type(selinux_config_t)
@@ -24616,9 +23504,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -	hotplug_use_fds(setfiles_t)
 +	unconfined_domain(setfiles_mac_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.6.23/policy/modules/system/setrans.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.6.24/policy/modules/system/setrans.if
 --- nsaserefpolicy/policy/modules/system/setrans.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/setrans.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/setrans.if	2009-07-28 13:42:19.000000000 -0400
 @@ -21,3 +21,23 @@
  	stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, setrans_t)
  	files_list_pids($1)
@@ -24643,9 +23531,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	init_labeled_script_domtrans($1, setrans_initrc_exec_t)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.6.23/policy/modules/system/sysnetwork.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.6.24/policy/modules/system/sysnetwork.fc
 --- nsaserefpolicy/policy/modules/system/sysnetwork.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/sysnetwork.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/sysnetwork.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -11,15 +11,20 @@
  /etc/dhclient-script	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
  /etc/dhcpc.*			gen_context(system_u:object_r:dhcp_etc_t,s0)
@@ -24674,9 +23562,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
 +
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.23/policy/modules/system/sysnetwork.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.24/policy/modules/system/sysnetwork.if
 --- nsaserefpolicy/policy/modules/system/sysnetwork.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/sysnetwork.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/sysnetwork.if	2009-07-28 13:42:19.000000000 -0400
 @@ -43,6 +43,39 @@
  
  	sysnet_domtrans_dhcpc($1)
@@ -24845,9 +23733,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	role_transition $1 dhcpc_exec_t system_r;
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.23/policy/modules/system/sysnetwork.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.24/policy/modules/system/sysnetwork.te
 --- nsaserefpolicy/policy/modules/system/sysnetwork.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/sysnetwork.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/sysnetwork.te	2009-07-28 14:15:06.000000000 -0400
 @@ -20,6 +20,9 @@
  init_daemon_domain(dhcpc_t, dhcpc_exec_t)
  role system_r types dhcpc_t;
@@ -25042,25 +23930,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
 +
 +optional_policy(`
-+	hal_rw_dgram_sockets(dhcpc_t)
++	hal_dontaudit_rw_dgram_sockets(dhcpc_t)
 +	hal_dontaudit_rw_pipes(ifconfig_t)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.6.23/policy/modules/system/udev.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.6.24/policy/modules/system/udev.fc
 --- nsaserefpolicy/policy/modules/system/udev.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/udev.fc	2009-07-23 16:39:09.000000000 -0400
-@@ -8,6 +8,8 @@
++++ serefpolicy-3.6.24/policy/modules/system/udev.fc	2009-07-28 13:42:19.000000000 -0400
+@@ -7,6 +7,9 @@
+ /etc/hotplug\.d/default/udev.* -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
  
  /etc/udev/scripts/.+ --	gen_context(system_u:object_r:udev_helper_exec_t,s0)
- 
-+/lib/udev/udev-acl   -- gen_context(system_u:object_r:udev_exec_t,s0)
++/etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
 +
++/lib/udev/udev-acl   -- gen_context(system_u:object_r:udev_exec_t,s0)
+ 
  /sbin/start_udev --	gen_context(system_u:object_r:udev_exec_t,s0)
  /sbin/udev	--	gen_context(system_u:object_r:udev_exec_t,s0)
- /sbin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.23/policy/modules/system/udev.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.24/policy/modules/system/udev.te
 --- nsaserefpolicy/policy/modules/system/udev.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/udev.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/udev.te	2009-07-28 14:15:17.000000000 -0400
 @@ -50,6 +50,7 @@
  allow udev_t self:unix_stream_socket connectto;
  allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
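Review bot: The new udev.fc entry labels `/etc/udev/rules.d` with `udev_var_run_t`, the type udev uses for its runtime state, so rule files that control what udev does become writable by any domain allowed to manage that runtime type. udev_t itself has `manage_dirs_pattern` and `manage_files_pattern` on `udev_var_run_t`, and the following hunk adds `manage_lnk_files_pattern`. A dedicated type would keep configuration apart from runtime data, for example `/etc/udev/rules\.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0)`, with the type declared in udev.te and udev_t given only the access it needs there. The escaped dot also matches how `hotplug\.d` is written a few lines above.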
@@ -25069,7 +23958,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  allow udev_t udev_exec_t:file write;
  can_exec(udev_t, udev_exec_t)
-@@ -111,6 +112,7 @@
+@@ -66,6 +67,7 @@
+ 
+ manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
+ manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
++manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
+ files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
+ 
+ kernel_read_system_state(udev_t)
+@@ -111,6 +113,7 @@
  
  fs_getattr_all_fs(udev_t)
  fs_list_inotifyfs(udev_t)
@@ -25077,7 +23974,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  mcs_ptrace_all(udev_t)
  
-@@ -140,6 +142,7 @@
+@@ -140,6 +143,7 @@
  logging_send_audit_msgs(udev_t)
  
  miscfiles_read_localization(udev_t)
@@ -25085,7 +23982,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  modutils_domtrans_insmod(udev_t)
  # read modules.inputmap:
-@@ -182,9 +185,11 @@
+@@ -182,9 +186,11 @@
  	# for arping used for static IP addresses on PCMCIA ethernet
  	netutils_domtrans(udev_t)
  
@@ -25100,7 +23997,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -194,6 +199,10 @@
+@@ -194,6 +200,10 @@
  ')
  
  optional_policy(`
@@ -25111,7 +24008,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	brctl_domtrans(udev_t)
  ')
  
-@@ -202,6 +211,10 @@
+@@ -202,6 +212,10 @@
  ')
  
  optional_policy(`
@@ -25122,7 +24019,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	consoletype_exec(udev_t)
  ')
  
-@@ -210,6 +223,11 @@
+@@ -210,6 +224,11 @@
  ')
  
  optional_policy(`
@@ -25134,15 +24031,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	lvm_domtrans(udev_t)
  ')
  
-@@ -219,6 +237,7 @@
+@@ -219,6 +238,7 @@
  
  optional_policy(`
  	hal_dgram_send(udev_t)
-+	hal_rw_dgram_sockets(udev_t)
++	hal_dontaudit_rw_dgram_sockets(udev_t)
  ')
  
  optional_policy(`
-@@ -228,6 +247,10 @@
+@@ -228,6 +248,10 @@
  ')
  
  optional_policy(`
@@ -25153,7 +24050,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	openct_read_pid_files(udev_t)
  	openct_domtrans(udev_t)
  ')
-@@ -242,6 +265,10 @@
+@@ -242,6 +266,10 @@
  ')
  
  optional_policy(`
@@ -25164,9 +24061,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	kernel_write_xen_state(udev_t)
  	kernel_read_xen_state(udev_t)
  	xen_manage_log(udev_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.6.23/policy/modules/system/unconfined.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.6.24/policy/modules/system/unconfined.fc
 --- nsaserefpolicy/policy/modules/system/unconfined.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/unconfined.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/unconfined.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -1,16 +1 @@
  # Add programs here which should not be confined by SELinux
 -# e.g.:
@@ -25184,9 +24081,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -ifdef(`distro_gentoo',`
 -/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 -')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.23/policy/modules/system/unconfined.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.24/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/unconfined.if	2009-07-27 13:54:34.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/unconfined.if	2009-07-28 13:42:19.000000000 -0400
 @@ -12,14 +12,13 @@
  #
  interface(`unconfined_domain_noaudit',`
@@ -25680,9 +24577,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -
 -	allow $1 unconfined_t:dbus acquire_svc;
 -')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.23/policy/modules/system/unconfined.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.24/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/unconfined.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/unconfined.te	2009-07-28 13:42:19.000000000 -0400
 @@ -1,231 +1,9 @@
  
 -policy_module(unconfined, 3.0.0)
@@ -25917,9 +24814,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -		hal_dbus_chat(unconfined_execmem_t)
 -	')
 -')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.23/policy/modules/system/userdomain.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.24/policy/modules/system/userdomain.fc
 --- nsaserefpolicy/policy/modules/system/userdomain.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/userdomain.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/userdomain.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -1,4 +1,7 @@
  HOME_DIR	-d	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 +HOME_DIR	-l	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
@@ -25929,9 +24826,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 +/dev/shm/pulse-shm.*	gen_context(system_u:object_r:user_tmpfs_t,s0)
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.23/policy/modules/system/userdomain.if
---- nsaserefpolicy/policy/modules/system/userdomain.if	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/userdomain.if	2009-07-27 14:11:20.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.24/policy/modules/system/userdomain.if
+--- nsaserefpolicy/policy/modules/system/userdomain.if	2009-07-28 13:28:33.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/userdomain.if	2009-07-28 14:32:30.000000000 -0400
 @@ -30,8 +30,9 @@
  	')
  
@@ -26888,7 +25785,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	optional_policy(`
 -		setroubleshoot_dontaudit_stream_connect($1_t)
-+		wm_role_template($1, $1_r, $1_usertype)
++		wm_role_template($1, $1_r, $1_t)
  	')
  ')
  
@@ -27149,7 +26046,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1635,6 +1752,7 @@
+@@ -1653,6 +1770,7 @@
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -27157,55 +26054,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
  	files_search_home($1)
  ')
-@@ -1733,30 +1851,80 @@
- 
- ########################################
- ## <summary>
--##	Execute user home files.
-+##	Delete user home subdirectory symbolic links.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <rolecap/>
+@@ -1780,19 +1898,32 @@
  #
--interface(`userdom_exec_user_home_content_files',`
-+interface(`userdom_delete_user_home_content_symlinks',`
+ interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
 -		type user_home_dir_t, user_home_t;
-+		type user_home_t;
++		type user_home_dir_t;
++		attribute user_home_type;
  	')
  
--	files_search_home($1)
+ 	files_search_home($1)
 -	exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-+	allow $1 user_home_t:lnk_file delete_lnk_file_perms;
-+')
- 
+-
 -	tunable_policy(`use_nfs_home_dirs',`
 -		fs_exec_nfs_files($1)
-+########################################
-+## <summary>
-+##	Delete files
-+##	in a user home subdirectory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_delete_user_home_content_files',`
-+	gen_require(`
-+		type user_home_t;
++	exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++	dontaudit $1 user_home_type:sock_file execute;
  	')
  
 -	tunable_policy(`use_samba_home_dirs',`
 -		fs_exec_cifs_files($1)
-+	allow $1 user_home_t:file delete_file_perms;
-+')
-+
 +########################################
 +## <summary>
 +##	Dontaudit Delete files
@@ -27220,82 +26088,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +interface(`userdom_dontaudit_delete_user_home_content_files',`
 +	gen_require(`
 +		type user_home_t;
-+	')
-+
-+	allow $1 user_home_t:dir delete_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Execute user home files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`userdom_exec_user_home_content_files',`
-+	gen_require(`
-+		type user_home_dir_t;
-+		attribute user_home_type;
  	')
 +
-+	files_search_home($1)
-+	exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+	dontaudit $1 user_home_type:sock_file execute;
++	allow $1 user_home_t:dir delete_file_perms;
  ')
  
  ########################################
-@@ -1779,6 +1947,46 @@
- 
- ########################################
- ## <summary>
-+##	Delete directories
-+##	in a user home subdirectory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_delete_user_home_content_dirs',`
-+	gen_require(`
-+		type user_home_t;
-+	')
-+
-+	allow $1 user_home_t:dir delete_dir_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Append files
-+##	in a user home subdirectory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_append_user_home_content_files',`
-+	gen_require(`
-+		type user_home_dir_t, user_home_t;
-+	')
-+
-+	append_files_pattern($1, user_home_t, user_home_t)
-+	allow $1 user_home_dir_t:dir search_dir_perms;
-+	files_search_home($1)
-+')
-+
-+########################################
-+## <summary>
- ##	Create, read, write, and delete files
- ##	in a user home subdirectory.
- ## </summary>
-@@ -1791,6 +1999,7 @@
+@@ -1827,6 +1958,7 @@
  interface(`userdom_manage_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
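Review bot: `userdom_dontaudit_delete_user_home_content_files` still ends in an `allow` rule after this reshuffle: `allow $1 user_home_t:dir delete_file_perms;` grants access where the interface name and its summary promise only to suppress audit messages. It also pairs the `dir` class with a file permission set. Every caller that meant to quiet a denial is instead granted permissions on `user_home_t` directories. The rule should read `dontaudit $1 user_home_t:file delete_file_perms;`. The interface's summary block starts above this hunk, so only its tail is visible here.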
@@ -27303,7 +26102,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  
  	manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2320,7 +2529,7 @@
+@@ -2374,7 +2506,7 @@
  
  ########################################
  ## <summary>
@@ -27312,17 +26111,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2674,11 +2883,32 @@
+@@ -2728,11 +2860,32 @@
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
 -		type user_home_dir_t, user_home_t;
 +		type user_home_dir_t;
 +		attribute user_home_type;
- 	')
- 
- 	files_list_home($1)
--	allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
++	')
++
++	files_list_home($1)
 +	allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
 +')
 +
@@ -27340,14 +26138,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	gen_require(`
 +		type user_home_dir_t;
 +		attribute user_home_type;
-+	')
-+
-+	files_list_home($1)
+ 	')
+ 
+ 	files_list_home($1)
+-	allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
 +	allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms;
  ')
  
  ########################################
-@@ -2806,7 +3036,25 @@
+@@ -2860,7 +3013,25 @@
  		type user_tmp_t;
  	')
  
@@ -27374,7 +26173,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2843,6 +3091,7 @@
+@@ -2897,6 +3068,7 @@
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -27382,7 +26181,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	kernel_search_proc($1)
  ')
  
-@@ -2973,3 +3222,481 @@
+@@ -3027,3 +3199,501 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -27864,9 +26663,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.23/policy/modules/system/userdomain.te
++########################################
++## <summary>
++##	Append files
++##	in a user home subdirectory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_append_user_home_content_files',`
++	gen_require(`
++		type user_home_dir_t, user_home_t;
++	')
++
++	append_files_pattern($1, user_home_t, user_home_t)
++	allow $1 user_home_dir_t:dir search_dir_perms;
++	files_search_home($1)
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.24/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/userdomain.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/userdomain.te	2009-07-28 13:42:19.000000000 -0400
 @@ -8,13 +8,6 @@
  
  ## <desc>
@@ -27952,14 +26771,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +allow userdomain userdomain:process signull;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.fc serefpolicy-3.6.23/policy/modules/system/virtual.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.fc serefpolicy-3.6.24/policy/modules/system/virtual.fc
 --- nsaserefpolicy/policy/modules/system/virtual.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/system/virtual.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/virtual.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1 @@
 +# No application file contexts.
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.if serefpolicy-3.6.23/policy/modules/system/virtual.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.if serefpolicy-3.6.24/policy/modules/system/virtual.if
 --- nsaserefpolicy/policy/modules/system/virtual.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/system/virtual.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/virtual.if	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,119 @@
 +## <summary>Virtual machine emulator and virtualizer</summary>
 +
@@ -28080,9 +26899,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	allow $1 virtualdomain:process { setsched transition signal signull sigkill };
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.23/policy/modules/system/virtual.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.24/policy/modules/system/virtual.te
 --- nsaserefpolicy/policy/modules/system/virtual.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.23/policy/modules/system/virtual.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/virtual.te	2009-07-28 13:42:19.000000000 -0400
 @@ -0,0 +1,75 @@
 +
 +policy_module(virtualization, 1.1.2)
@@ -28159,9 +26978,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	xserver_read_xdm_pid(virtualdomain)
 +	xserver_rw_shm(virtualdomain)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.6.23/policy/modules/system/xen.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.6.24/policy/modules/system/xen.fc
 --- nsaserefpolicy/policy/modules/system/xen.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/xen.fc	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/xen.fc	2009-07-28 13:42:19.000000000 -0400
 @@ -1,5 +1,7 @@
  /dev/xen/tapctrl.*	-p	gen_context(system_u:object_r:xenctl_t,s0)
  
@@ -28189,9 +27008,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /var/run/xenstore\.pid	--	gen_context(system_u:object_r:xenstored_var_run_t,s0)
  /var/run/xenstored(/.*)?	gen_context(system_u:object_r:xenstored_var_run_t,s0)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.6.23/policy/modules/system/xen.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.6.24/policy/modules/system/xen.if
 --- nsaserefpolicy/policy/modules/system/xen.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/xen.if	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/xen.if	2009-07-28 13:42:19.000000000 -0400
 @@ -71,6 +71,8 @@
  	')
  
@@ -28264,9 +27083,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +        files_search_pids($1)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.23/policy/modules/system/xen.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.24/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/xen.te	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/modules/system/xen.te	2009-07-28 13:42:19.000000000 -0400
 @@ -6,6 +6,13 @@
  # Declarations
  #
@@ -28561,9 +27380,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +libs_use_ld_so(evtchnd_t)
 +libs_use_shared_libs(evtchnd_t)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.23/policy/support/obj_perm_sets.spt
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.24/policy/support/obj_perm_sets.spt
 --- nsaserefpolicy/policy/support/obj_perm_sets.spt	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/support/obj_perm_sets.spt	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/support/obj_perm_sets.spt	2009-07-28 13:42:19.000000000 -0400
 @@ -201,7 +201,7 @@
  define(`setattr_file_perms',`{ setattr }')
  define(`read_file_perms',`{ getattr open read lock ioctl }')
@@ -28596,9 +27415,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
 +
 +define(`manage_key_perms', `{ create link read search setattr view write } ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.23/policy/users
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.24/policy/users
 --- nsaserefpolicy/policy/users	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/users	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/policy/users	2009-07-28 13:42:19.000000000 -0400
 @@ -25,11 +25,8 @@
  # permit any access to such users, then remove this entry.
  #
@@ -28623,9 +27442,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -	gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 -')
 +gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.6.23/Rules.modular
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.6.24/Rules.modular
 --- nsaserefpolicy/Rules.modular	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/Rules.modular	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/Rules.modular	2009-07-28 13:42:19.000000000 -0400
 @@ -73,8 +73,8 @@
  $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
  	@echo "Compliling $(NAME) $(@F) module"
@@ -28655,9 +27474,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rul
  
  $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
  $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.6.23/support/Makefile.devel
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.6.24/support/Makefile.devel
 --- nsaserefpolicy/support/Makefile.devel	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/support/Makefile.devel	2009-07-23 16:39:09.000000000 -0400
++++ serefpolicy-3.6.24/support/Makefile.devel	2009-07-28 13:42:19.000000000 -0400
 @@ -185,8 +185,7 @@
  tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te
  	@$(EINFO) "Compiling $(NAME) $(basename $(@F)) module"
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 48230ae..b0b0b2f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,8 +19,8 @@
 %define CHECKPOLICYVER 2.0.16-3
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 3.6.23
-Release: 2%{?dist}
+Version: 3.6.24
+Release: 1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -475,6 +475,9 @@ exit 0
 %endif
 
 %changelog
+* Tue Jul 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.24-1
+- Update to upstream
+
 * Mon Jul 27 2009 Dan Walsh <dwalsh@redhat.com> 3.6.23-2
 - Allow certmaster to override dac permissions
 
diff --git a/sources b/sources
index 6345c36..24a820d 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-f39558603d3d7d1500b93f9d4ce27311  serefpolicy-3.6.23.tgz
+4d74666892956fc2b2a50158e740174e  serefpolicy-3.6.24.tgz