diff --git a/.cvsignore b/.cvsignore index 7775ff2..faafbf4 100644 --- a/.cvsignore +++ b/.cvsignore @@ -179,3 +179,4 @@ serefpolicy-3.6.21.tgz setroubleshoot-2.2.11.tar.gz serefpolicy-3.6.22.tgz serefpolicy-3.6.23.tgz +serefpolicy-3.6.24.tgz diff --git a/nsadiff b/nsadiff index 60f70ef..c8f2765 100755 --- a/nsadiff +++ b/nsadiff @@ -1 +1 @@ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.6.23 > /tmp/diff +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.6.24 > /tmp/diff diff --git a/policy-F12.patch b/policy-F12.patch index 188bdfa..16cfcc8 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -1,6 +1,6 @@ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.6.23/config/appconfig-mcs/default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.6.24/config/appconfig-mcs/default_contexts --- nsaserefpolicy/config/appconfig-mcs/default_contexts 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/config/appconfig-mcs/default_contexts 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/config/appconfig-mcs/default_contexts 2009-07-28 13:42:18.000000000 -0400 @@ -1,15 +1,6 @@ -system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0 -system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 @@ -22,15 +22,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con -user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 -user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0 +system_r:xdm_t:s0 user_r:user_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.6.23/config/appconfig-mcs/failsafe_context +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.6.24/config/appconfig-mcs/failsafe_context --- nsaserefpolicy/config/appconfig-mcs/failsafe_context 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/config/appconfig-mcs/failsafe_context 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/config/appconfig-mcs/failsafe_context 2009-07-28 13:42:18.000000000 -0400 @@ -1 +1 @@ -sysadm_r:sysadm_t:s0 +system_r:unconfined_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.6.23/config/appconfig-mcs/root_default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.6.24/config/appconfig-mcs/root_default_contexts --- nsaserefpolicy/config/appconfig-mcs/root_default_contexts 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/config/appconfig-mcs/root_default_contexts 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/config/appconfig-mcs/root_default_contexts 2009-07-28 13:42:18.000000000 -0400 @@ -1,11 +1,7 @@ -system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0 +system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 @@ -45,9 +45,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con # -#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/securetty_types serefpolicy-3.6.23/config/appconfig-mcs/securetty_types +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/securetty_types serefpolicy-3.6.24/config/appconfig-mcs/securetty_types --- nsaserefpolicy/config/appconfig-mcs/securetty_types 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/config/appconfig-mcs/securetty_types 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/config/appconfig-mcs/securetty_types 2009-07-28 13:42:18.000000000 -0400 @@ -1 +1,6 @@ +auditadm_tty_device_t +secadm_tty_device_t @@ -55,18 +55,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +sysadm_tty_device_t +unconfined_tty_device_t user_tty_device_t -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.6.23/config/appconfig-mcs/seusers +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.6.24/config/appconfig-mcs/seusers --- nsaserefpolicy/config/appconfig-mcs/seusers 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/config/appconfig-mcs/seusers 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/config/appconfig-mcs/seusers 2009-07-28 13:42:18.000000000 -0400 @@ -1,3 +1,3 @@ system_u:system_u:s0-mcs_systemhigh -root:root:s0-mcs_systemhigh -__default__:user_u:s0 +root:unconfined_u:s0-mcs_systemhigh +__default__:unconfined_u:s0-mcs_systemhigh -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.6.23/config/appconfig-mcs/staff_u_default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.6.24/config/appconfig-mcs/staff_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/config/appconfig-mcs/staff_u_default_contexts 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/config/appconfig-mcs/staff_u_default_contexts 2009-07-28 13:42:18.000000000 -0400 @@ -1,10 +1,12 @@ system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 system_r:remote_login_t:s0 staff_r:staff_t:s0 @@ -81,9 +81,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.6.23/config/appconfig-mcs/unconfined_u_default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.6.24/config/appconfig-mcs/unconfined_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/config/appconfig-mcs/unconfined_u_default_contexts 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/config/appconfig-mcs/unconfined_u_default_contexts 2009-07-28 13:42:18.000000000 -0400 @@ -1,4 +1,4 @@ -system_r:crond_t:s0 unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0 +system_r:crond_t:s0 unconfined_r:unconfined_t:s0 @@ -97,15 +97,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +system_r:initrc_su_t:s0 unconfined_r:unconfined_t:s0 +unconfined_r:unconfined_t:s0 unconfined_r:unconfined_t:s0 system_r:xdm_t:s0 unconfined_r:unconfined_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.6.23/config/appconfig-mcs/userhelper_context +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.6.24/config/appconfig-mcs/userhelper_context --- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/config/appconfig-mcs/userhelper_context 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/config/appconfig-mcs/userhelper_context 2009-07-28 13:42:18.000000000 -0400 @@ -1 +1 @@ -system_u:sysadm_r:sysadm_t:s0 +system_u:system_r:unconfined_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.6.23/config/appconfig-mcs/user_u_default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.6.24/config/appconfig-mcs/user_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/config/appconfig-mcs/user_u_default_contexts 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/config/appconfig-mcs/user_u_default_contexts 2009-07-28 13:42:18.000000000 -0400 @@ -1,8 +1,9 @@ system_r:local_login_t:s0 user_r:user_t:s0 system_r:remote_login_t:s0 user_r:user_t:s0 @@ -118,20 +118,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con - +system_r:initrc_su_t:s0 user_r:user_t:s0 +user_r:user_t:s0 user_r:user_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_domain_context serefpolicy-3.6.23/config/appconfig-mcs/virtual_domain_context +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_domain_context serefpolicy-3.6.24/config/appconfig-mcs/virtual_domain_context --- nsaserefpolicy/config/appconfig-mcs/virtual_domain_context 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/config/appconfig-mcs/virtual_domain_context 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/config/appconfig-mcs/virtual_domain_context 2009-07-28 13:42:18.000000000 -0400 @@ -0,0 +1 @@ +system_u:system_r:svirt_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_image_context serefpolicy-3.6.23/config/appconfig-mcs/virtual_image_context +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_image_context serefpolicy-3.6.24/config/appconfig-mcs/virtual_image_context --- nsaserefpolicy/config/appconfig-mcs/virtual_image_context 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/config/appconfig-mcs/virtual_image_context 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/config/appconfig-mcs/virtual_image_context 2009-07-28 13:42:18.000000000 -0400 @@ -0,0 +1,2 @@ +system_u:object_r:svirt_image_t:s0 +system_u:object_r:virt_content_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.6.23/config/appconfig-mls/default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.6.24/config/appconfig-mls/default_contexts --- nsaserefpolicy/config/appconfig-mls/default_contexts 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/config/appconfig-mls/default_contexts 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/config/appconfig-mls/default_contexts 2009-07-28 13:42:18.000000000 -0400 @@ -1,15 +1,6 @@ -system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0 -system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 @@ -153,9 +153,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con -user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 -user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0 +system_r:xdm_t:s0 user_r:user_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/root_default_contexts serefpolicy-3.6.23/config/appconfig-mls/root_default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/root_default_contexts serefpolicy-3.6.24/config/appconfig-mls/root_default_contexts --- nsaserefpolicy/config/appconfig-mls/root_default_contexts 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/config/appconfig-mls/root_default_contexts 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/config/appconfig-mls/root_default_contexts 2009-07-28 13:42:18.000000000 -0400 @@ -1,11 +1,11 @@ -system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0 -system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 @@ -174,20 +174,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con # -#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_domain_context serefpolicy-3.6.23/config/appconfig-mls/virtual_domain_context +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_domain_context serefpolicy-3.6.24/config/appconfig-mls/virtual_domain_context --- nsaserefpolicy/config/appconfig-mls/virtual_domain_context 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/config/appconfig-mls/virtual_domain_context 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/config/appconfig-mls/virtual_domain_context 2009-07-28 13:42:18.000000000 -0400 @@ -0,0 +1 @@ +system_u:system_r:qemu_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_image_context serefpolicy-3.6.23/config/appconfig-mls/virtual_image_context +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_image_context serefpolicy-3.6.24/config/appconfig-mls/virtual_image_context --- nsaserefpolicy/config/appconfig-mls/virtual_image_context 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/config/appconfig-mls/virtual_image_context 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/config/appconfig-mls/virtual_image_context 2009-07-28 13:42:18.000000000 -0400 @@ -0,0 +1,2 @@ +system_u:object_r:virt_image_t:s0 +system_u:object_r:virt_content_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/securetty_types serefpolicy-3.6.23/config/appconfig-standard/securetty_types +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/securetty_types serefpolicy-3.6.24/config/appconfig-standard/securetty_types --- nsaserefpolicy/config/appconfig-standard/securetty_types 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/config/appconfig-standard/securetty_types 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/config/appconfig-standard/securetty_types 2009-07-28 13:42:18.000000000 -0400 @@ -1 +1,6 @@ +auditadm_tty_device_t +secadm_tty_device_t @@ -195,9 +195,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +sysadm_tty_device_t +unconfined_tty_device_t user_tty_device_t -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.6.23/Makefile +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.6.24/Makefile --- nsaserefpolicy/Makefile 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/Makefile 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/Makefile 2009-07-28 13:42:18.000000000 -0400 @@ -241,7 +241,7 @@ appdir := $(contextpath) user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts) @@ -260,9 +260,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Mak $(appdir)/%: $(appconf)/% @mkdir -p $(appdir) $(verbose) $(INSTALL) -m 644 $< $@ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.23/policy/global_tunables +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.24/policy/global_tunables --- nsaserefpolicy/policy/global_tunables 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.23/policy/global_tunables 2009-07-27 13:55:41.000000000 -0400 ++++ serefpolicy-3.6.24/policy/global_tunables 2009-07-28 13:42:18.000000000 -0400 @@ -61,15 +61,6 @@ ## @@ -298,9 +298,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +gen_tunable(mmap_low_allowed, false) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.23/policy/mcs +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.24/policy/mcs --- nsaserefpolicy/policy/mcs 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/mcs 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/mcs 2009-07-28 13:42:18.000000000 -0400 @@ -66,8 +66,8 @@ # # Note that getattr on files is always permitted. @@ -334,9 +334,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mlsconstrain process { transition dyntransition } (( h1 dom h2 ) or ( t1 == mcssetcats )); -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.6.23/policy/modules/admin/anaconda.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.6.24/policy/modules/admin/anaconda.te --- nsaserefpolicy/policy/modules/admin/anaconda.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/admin/anaconda.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/admin/anaconda.te 2009-07-28 13:42:18.000000000 -0400 @@ -31,6 +31,7 @@ modutils_domtrans_insmod(anaconda_t) @@ -345,9 +345,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file }) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.6.23/policy/modules/admin/certwatch.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.6.24/policy/modules/admin/certwatch.te --- nsaserefpolicy/policy/modules/admin/certwatch.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/admin/certwatch.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/admin/certwatch.te 2009-07-28 13:42:18.000000000 -0400 @@ -36,6 +36,7 @@ miscfiles_read_localization(certwatch_t) @@ -356,17 +356,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` apache_exec_modules(certwatch_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.fc serefpolicy-3.6.23/policy/modules/admin/dmesg.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.fc serefpolicy-3.6.24/policy/modules/admin/dmesg.fc --- nsaserefpolicy/policy/modules/admin/dmesg.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/admin/dmesg.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/admin/dmesg.fc 2009-07-28 13:42:18.000000000 -0400 @@ -1,2 +1,4 @@ /bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) + +/usr/sbin/mcelog -- gen_context(system_u:object_r:dmesg_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.6.23/policy/modules/admin/dmesg.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.6.24/policy/modules/admin/dmesg.te --- nsaserefpolicy/policy/modules/admin/dmesg.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/admin/dmesg.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/admin/dmesg.te 2009-07-28 13:42:18.000000000 -0400 @@ -9,6 +9,7 @@ type dmesg_t; type dmesg_exec_t; @@ -401,9 +401,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(dmesg_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.6.23/policy/modules/admin/kismet.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.6.24/policy/modules/admin/kismet.if --- nsaserefpolicy/policy/modules/admin/kismet.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/admin/kismet.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/admin/kismet.if 2009-07-28 13:42:18.000000000 -0400 @@ -16,6 +16,7 @@ ') @@ -412,9 +412,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.23/policy/modules/admin/kismet.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.24/policy/modules/admin/kismet.te --- nsaserefpolicy/policy/modules/admin/kismet.te 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/admin/kismet.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/admin/kismet.te 2009-07-28 13:42:18.000000000 -0400 @@ -17,6 +17,9 @@ type kismet_tmp_t; files_tmp_file(kismet_tmp_t) @@ -457,9 +457,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + networkmanager_dbus_chat(kismet_t) + ') +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.23/policy/modules/admin/logrotate.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.24/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/admin/logrotate.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/admin/logrotate.te 2009-07-28 13:42:18.000000000 -0400 +@@ -32,7 +32,7 @@ + # Change ownership on log files. + allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice }; + # for mailx +-dontaudit logrotate_t self:capability { setuid setgid }; ++dontaudit logrotate_t self:capability { setuid setgid sys_ptrace }; + + allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + @@ -116,8 +116,9 @@ seutil_dontaudit_read_config(logrotate_t) @@ -493,29 +502,31 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol slrnpull_manage_spool(logrotate_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.23/policy/modules/admin/logwatch.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.24/policy/modules/admin/logwatch.te --- nsaserefpolicy/policy/modules/admin/logwatch.te 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/admin/logwatch.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/admin/logwatch.te 2009-07-28 13:42:18.000000000 -0400 @@ -136,4 +136,5 @@ optional_policy(` samba_read_log(logwatch_t) + samba_read_share_files(logwatch_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.6.23/policy/modules/admin/mrtg.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.6.24/policy/modules/admin/mrtg.te --- nsaserefpolicy/policy/modules/admin/mrtg.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/admin/mrtg.te 2009-07-23 16:39:09.000000000 -0400 -@@ -116,6 +116,7 @@ ++++ serefpolicy-3.6.24/policy/modules/admin/mrtg.te 2009-07-28 13:42:18.000000000 -0400 +@@ -116,6 +116,9 @@ userdom_use_user_terminals(mrtg_t) userdom_dontaudit_read_user_home_content_files(mrtg_t) userdom_dontaudit_use_unpriv_user_fds(mrtg_t) +userdom_dontaudit_list_admin_dir(mrtg_t) ++ ++netutils_domtrans_ping(mrtg_t) ifdef(`enable_mls',` corenet_udp_sendrecv_lo_if(mrtg_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.23/policy/modules/admin/prelink.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.24/policy/modules/admin/prelink.if --- nsaserefpolicy/policy/modules/admin/prelink.if 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/admin/prelink.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/admin/prelink.if 2009-07-28 13:42:18.000000000 -0400 @@ -140,3 +140,22 @@ files_search_var_lib($1) manage_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) @@ -539,88 +550,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_search_var_lib($1) + relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.fc serefpolicy-3.6.23/policy/modules/admin/readahead.fc ---- nsaserefpolicy/policy/modules/admin/readahead.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/admin/readahead.fc 2009-07-23 16:39:09.000000000 -0400 -@@ -1,3 +1,5 @@ --/etc/readahead.d(/.*)? gen_context(system_u:object_r:readahead_etc_rw_t,s0) -+/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) -+/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) -+ -+/var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0) - --/usr/sbin/readahead -- gen_context(system_u:object_r:readahead_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.23/policy/modules/admin/readahead.te ---- nsaserefpolicy/policy/modules/admin/readahead.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/admin/readahead.te 2009-07-23 16:39:09.000000000 -0400 -@@ -11,8 +11,8 @@ - init_daemon_domain(readahead_t, readahead_exec_t) - application_domain(readahead_t, readahead_exec_t) - --type readahead_etc_rw_t; --files_pid_file(readahead_etc_rw_t) -+type readahead_var_lib_t; -+files_type(readahead_var_lib_t) - - type readahead_var_run_t; - files_pid_file(readahead_var_run_t) -@@ -23,15 +23,17 @@ - # - - allow readahead_t self:capability { fowner dac_override dac_read_search }; --dontaudit readahead_t self:capability sys_tty_config; --allow readahead_t self:process signal_perms; -+dontaudit readahead_t self:capability { net_admin sys_tty_config }; -+allow readahead_t self:process { setsched signal_perms }; - --manage_files_pattern(readahead_t, readahead_etc_rw_t, readahead_etc_rw_t) -+files_search_var_lib(readahead_t) -+manage_dirs_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t) -+manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t) - - manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t) - files_pid_filetrans(readahead_t, readahead_var_run_t, file) - --kernel_read_kernel_sysctls(readahead_t) -+kernel_read_all_sysctls(readahead_t) - kernel_read_system_state(readahead_t) - kernel_dontaudit_getattr_core_if(readahead_t) - -@@ -46,10 +48,15 @@ - storage_raw_read_fixed_disk(readahead_t) - - domain_use_interactive_fds(readahead_t) -+domain_read_all_domains_state(readahead_t) - +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.24/policy/modules/admin/readahead.te +--- nsaserefpolicy/policy/modules/admin/readahead.te 2009-07-28 13:28:33.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/admin/readahead.te 2009-07-28 13:42:18.000000000 -0400 +@@ -54,7 +54,10 @@ files_dontaudit_getattr_all_sockets(readahead_t) files_list_non_security(readahead_t) files_read_non_security_files(readahead_t) +files_dontaudit_read_security_files(readahead_t) +files_dontaudit_getattr_non_security_blk_files(readahead_t) -+files_create_boot_flag(readahead_t) + files_create_boot_flag(readahead_t) +files_getattr_all_pipes(readahead_t) fs_getattr_all_fs(readahead_t) fs_search_auto_mountpoints(readahead_t) -@@ -58,6 +65,7 @@ - fs_dontaudit_search_ramfs(readahead_t) - fs_dontaudit_read_ramfs_pipes(readahead_t) - fs_dontaudit_read_ramfs_files(readahead_t) -+fs_dontaudit_use_tmpfs_chr_dev(readahead_t) - fs_read_tmpfs_symlinks(readahead_t) - fs_list_inotifyfs(readahead_t) - -@@ -72,6 +80,7 @@ - init_getattr_initctl(readahead_t) - - logging_send_syslog_msg(readahead_t) -+logging_set_audit_parameters(readahead_t) - logging_dontaudit_search_audit_config(readahead_t) - - miscfiles_read_localization(readahead_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.23/policy/modules/admin/rpm.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.24/policy/modules/admin/rpm.fc --- nsaserefpolicy/policy/modules/admin/rpm.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/admin/rpm.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/admin/rpm.fc 2009-07-28 13:42:18.000000000 -0400 @@ -4,14 +4,12 @@ /usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -662,9 +608,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # SuSE ifdef(`distro_suse', ` /usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.23/policy/modules/admin/rpm.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.24/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/admin/rpm.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/admin/rpm.if 2009-07-28 13:42:18.000000000 -0400 @@ -66,6 +66,11 @@ rpm_domtrans($1) role $2 types rpm_t; @@ -1023,9 +969,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 rpm_t:process signull; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.23/policy/modules/admin/rpm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.24/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/admin/rpm.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/admin/rpm.te 2009-07-28 13:42:18.000000000 -0400 @@ -9,6 +9,8 @@ type rpm_t; type rpm_exec_t; @@ -1257,69 +1203,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` java_domtrans_unconfined(rpm_script_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.23/policy/modules/admin/sudo.if ---- nsaserefpolicy/policy/modules/admin/sudo.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/admin/sudo.if 2009-07-23 16:39:09.000000000 -0400 -@@ -32,6 +32,7 @@ - - gen_require(` - type sudo_exec_t; -+ attribute sudodomain; - ') - - ############################## -@@ -39,7 +40,7 @@ - # Declarations - # - -- type $1_sudo_t; -+ type $1_sudo_t, sudodomain; - application_domain($1_sudo_t, sudo_exec_t) - domain_interactive_fd($1_sudo_t) - ubac_constrained($1_sudo_t) -@@ -51,7 +52,7 @@ - # - - # Use capabilities. -- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource }; -+ allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource }; - allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow $1_sudo_t self:process { setexec setrlimit }; - allow $1_sudo_t self:fd use; -@@ -64,33 +65,37 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.24/policy/modules/admin/sudo.if +--- nsaserefpolicy/policy/modules/admin/sudo.if 2009-07-28 13:28:33.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/admin/sudo.if 2009-07-28 13:52:41.000000000 -0400 +@@ -66,8 +66,8 @@ allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; allow $1_sudo_t self:unix_dgram_socket sendto; allow $1_sudo_t self:unix_stream_socket connectto; -- allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read }; +- + allow $1_sudo_t $3:key search; + allow $1_sudo_t self:key manage_key_perms; -+ allow $1_sudo_t $1_t:key search; # Enter this derived domain from the user domain domtrans_pattern($3, sudo_exec_t, $1_sudo_t) - - # By default, revert to the calling domain when a shell is executed. - corecmd_shell_domtrans($1_sudo_t, $3) -+ corecmd_bin_domtrans($1_sudo_t, $3) - allow $3 $1_sudo_t:fd use; - allow $3 $1_sudo_t:fifo_file rw_file_perms; - allow $3 $1_sudo_t:process sigchld; - - kernel_read_kernel_sysctls($1_sudo_t) - kernel_read_system_state($1_sudo_t) -- kernel_search_key($1_sudo_t) -+ kernel_link_key($1_sudo_t) - - dev_read_urand($1_sudo_t) -+ dev_rw_generic_usb_dev($1_sudo_t) -+ dev_read_sysfs($1_sudo_t) - - fs_search_auto_mountpoints($1_sudo_t) - fs_getattr_xattr_fs($1_sudo_t) - -- auth_domtrans_chk_passwd($1_sudo_t) -+ auth_run_chk_passwd($1_sudo_t, $2) - # sudo stores a token in the pam_pid directory - auth_manage_pam_pid($1_sudo_t) +@@ -102,7 +102,7 @@ auth_use_nsswitch($1_sudo_t) corecmd_read_bin_symlinks($1_sudo_t) @@ -1328,127 +1225,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds($1_sudo_t) domain_sigchld_interactive_fds($1_sudo_t) -@@ -102,9 +107,11 @@ - files_getattr_usr_files($1_sudo_t) - # for some PAM modules and for cwd - files_dontaudit_search_home($1_sudo_t) -+ files_list_tmp($1_sudo_t) - - init_rw_utmp($1_sudo_t) - -+ logging_send_audit_msgs($1_sudo_t) - logging_send_syslog_msg($1_sudo_t) - - miscfiles_read_localization($1_sudo_t) -@@ -114,6 +121,54 @@ +@@ -132,9 +132,11 @@ userdom_manage_user_tmp_files($1_sudo_t) userdom_manage_user_tmp_symlinks($1_sudo_t) userdom_use_user_terminals($1_sudo_t) -+ -+ mta_role($2, $1_sudo_t) -+ -+ tunable_policy(`use_nfs_home_dirs',` -+ fs_manage_nfs_files($1_sudo_t) -+ ') -+ -+ tunable_policy(`use_samba_home_dirs',` -+ fs_manage_cifs_files($1_sudo_t) -+ ') -+ +- userdom_use_user_terminals($1_sudo_t) # for some PAM modules and for cwd userdom_dontaudit_search_user_home_content($1_sudo_t) + userdom_manage_all_users_keys($1_sudo_t) + -+ domain_role_change_exemption($1_sudo_t) -+ userdom_spec_domtrans_all_users($1_sudo_t) -+ -+ selinux_validate_context($1_sudo_t) -+ selinux_compute_relabel_context($1_sudo_t) -+ selinux_getattr_fs($1_sudo_t) -+ seutil_read_config($1_sudo_t) -+ seutil_search_default_contexts($1_sudo_t) -+ -+ userdom_use_user_terminals($1_sudo_t) -+ term_relabel_all_user_ttys($1_sudo_t) -+ term_relabel_all_user_ptys($1_sudo_t) -+ -+ optional_policy(` -+ dbus_system_bus_client($1_sudo_t) -+ ') - ') -+ -+######################################## -+## -+## Send a SIGCHLD signal to the sudo domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`sudo_sigchld',` -+ gen_require(` -+ attribute sudodomain; -+ ') -+ -+ allow $1 sudodomain:process sigchld; -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.te serefpolicy-3.6.23/policy/modules/admin/sudo.te ---- nsaserefpolicy/policy/modules/admin/sudo.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/admin/sudo.te 2009-07-23 16:39:09.000000000 -0400 -@@ -4,6 +4,7 @@ - ######################################## - # - # Declarations -+attribute sudodomain; - - type sudo_exec_t; - application_executable_file(sudo_exec_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.6.23/policy/modules/admin/tmpreaper.te ---- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/admin/tmpreaper.te 2009-07-23 16:39:09.000000000 -0400 -@@ -28,6 +28,9 @@ - files_purge_tmp(tmpreaper_t) - # why does it need setattr? - files_setattr_all_tmp_dirs(tmpreaper_t) -+files_getattr_lost_found_dirs(tmpreaper_t) -+files_getattr_all_dirs(tmpreaper_t) -+files_getattr_all_files(tmpreaper_t) - - mls_file_read_all_levels(tmpreaper_t) - mls_file_write_all_levels(tmpreaper_t) -@@ -39,6 +42,26 @@ ++ mta_role($2, $1_sudo_t) - cron_system_entry(tmpreaper_t, tmpreaper_exec_t) + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_files($1_sudo_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.6.24/policy/modules/admin/tmpreaper.te +--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2009-07-28 13:28:33.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/admin/tmpreaper.te 2009-07-28 13:54:33.000000000 -0400 +@@ -52,6 +52,10 @@ + ') -+userdom_delete_user_home_content_dirs(tmpreaper_t) -+userdom_delete_user_home_content_files(tmpreaper_t) -+userdom_delete_user_home_content_symlinks(tmpreaper_t) -+ -+optional_policy(` -+ amavis_manage_spool_files(tmpreaper_t) -+') -+ -+optional_policy(` + optional_policy(` + apache_delete_sys_content_rw(tmpreaper_t) +') + +optional_policy(` -+ kismet_manage_log(tmpreaper_t) -+') -+ - optional_policy(` - lpd_manage_spool(tmpreaper_t) + kismet_manage_log(tmpreaper_t) ') -+ -+optional_policy(` -+ unconfined_domain(tmpreaper_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.23/policy/modules/admin/usermanage.te + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.24/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/admin/usermanage.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/admin/usermanage.te 2009-07-28 13:42:18.000000000 -0400 @@ -209,6 +209,7 @@ files_manage_etc_files(groupadd_t) files_relabel_etc_files(groupadd_t) @@ -1486,9 +1292,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.6.23/policy/modules/admin/vbetool.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.6.24/policy/modules/admin/vbetool.te --- nsaserefpolicy/policy/modules/admin/vbetool.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/admin/vbetool.te 2009-07-27 13:54:52.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/admin/vbetool.te 2009-07-28 13:42:18.000000000 -0400 @@ -23,7 +23,11 @@ dev_rwx_zero(vbetool_t) dev_read_sysfs(vbetool_t) @@ -1511,9 +1317,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_write_pid(vbetool_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.6.23/policy/modules/apps/awstats.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.6.24/policy/modules/apps/awstats.te --- nsaserefpolicy/policy/modules/apps/awstats.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/apps/awstats.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/awstats.te 2009-07-28 13:42:18.000000000 -0400 @@ -51,6 +51,8 @@ libs_read_lib_files(awstats_t) @@ -1523,75 +1329,38 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(awstats_t) sysnet_dns_name_resolve(awstats_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.fc serefpolicy-3.6.23/policy/modules/apps/cpufreqselector.fc ---- nsaserefpolicy/policy/modules/apps/cpufreqselector.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/apps/cpufreqselector.fc 2009-07-23 16:39:09.000000000 -0400 -@@ -0,0 +1 @@ -+/usr/bin/cpufreq-selector -- gen_context(system_u:object_r:cpufreqselector_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.if serefpolicy-3.6.23/policy/modules/apps/cpufreqselector.if ---- nsaserefpolicy/policy/modules/apps/cpufreqselector.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/apps/cpufreqselector.if 2009-07-23 16:39:09.000000000 -0400 -@@ -0,0 +1,2 @@ -+## cpufreq-selector policy -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.6.23/policy/modules/apps/cpufreqselector.te ---- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/apps/cpufreqselector.te 2009-07-23 16:39:09.000000000 -0400 -@@ -0,0 +1,43 @@ -+policy_module(cpufreqselector,1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type cpufreqselector_t; -+type cpufreqselector_exec_t; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.6.24/policy/modules/apps/cpufreqselector.te +--- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 2009-07-28 13:28:33.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/cpufreqselector.te 2009-07-28 13:57:37.000000000 -0400 +@@ -8,7 +8,8 @@ + + type cpufreqselector_t; + type cpufreqselector_exec_t; +-application_domain(cpufreqselector_t, cpufreqselector_exec_t) + +dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) -+ -+######################################## -+# -+# cpufreq-selector local policy -+# -+ -+allow cpufreqselector_t self:capability { sys_nice sys_ptrace }; -+allow cpufreqselector_t self:fifo_file rw_fifo_file_perms; -+ -+files_read_etc_files(cpufreqselector_t) -+files_read_usr_files(cpufreqselector_t) -+ -+corecmd_search_bin(cpufreqselector_t) -+ -+dev_rw_sysfs(cpufreqselector_t) -+ -+userdom_read_all_users_state(cpufreqselector_t) -+ -+nscd_dontaudit_search_pid(cpufreqselector_t) -+ -+optional_policy(` -+ consolekit_dbus_chat(cpufreqselector_t) -+') -+ -+optional_policy(` + + ######################################## + # +@@ -36,6 +37,7 @@ + ') + + optional_policy(` + policykit_dbus_chat(cpufreqselector_t) -+ policykit_domtrans_auth(cpufreqselector_t) -+ policykit_read_lib(cpufreqselector_t) -+ policykit_read_reload(cpufreqselector_t) -+') -+ -+permissive cpufreqselector_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.fc serefpolicy-3.6.23/policy/modules/apps/gitosis.fc + policykit_domtrans_auth(cpufreqselector_t) + policykit_read_lib(cpufreqselector_t) + policykit_read_reload(cpufreqselector_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.fc serefpolicy-3.6.24/policy/modules/apps/gitosis.fc --- nsaserefpolicy/policy/modules/apps/gitosis.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/apps/gitosis.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/gitosis.fc 2009-07-28 13:42:18.000000000 -0400 @@ -0,0 +1,4 @@ + +/usr/bin/gitosis-serve -- gen_context(system_u:object_r:gitosis_exec_t,s0) + +/var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.6.23/policy/modules/apps/gitosis.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.6.24/policy/modules/apps/gitosis.if --- nsaserefpolicy/policy/modules/apps/gitosis.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/apps/gitosis.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/gitosis.if 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,96 @@ +## gitosis interface + @@ -1689,9 +1458,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) + manage_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.te serefpolicy-3.6.23/policy/modules/apps/gitosis.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.te serefpolicy-3.6.24/policy/modules/apps/gitosis.te --- nsaserefpolicy/policy/modules/apps/gitosis.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/apps/gitosis.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/gitosis.te 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,43 @@ +policy_module(gitosis,1.0.0) + @@ -1736,9 +1505,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + ssh_rw_pipes(gitosis_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.23/policy/modules/apps/gnome.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.24/policy/modules/apps/gnome.fc --- nsaserefpolicy/policy/modules/apps/gnome.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/apps/gnome.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/gnome.fc 2009-07-28 13:42:19.000000000 -0400 @@ -1,8 +1,16 @@ -HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) @@ -1758,9 +1527,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/libexec/gconf-defaults-mechanism -- gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0) + +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.23/policy/modules/apps/gnome.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.24/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/apps/gnome.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/gnome.if 2009-07-28 13:42:19.000000000 -0400 @@ -89,5 +89,175 @@ allow $1 gnome_home_t:dir manage_dir_perms; @@ -1937,9 +1706,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + # Connect to pulseaudit server + stream_connect_pattern($1, gnome_home_t, gnome_home_t, $2) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.23/policy/modules/apps/gnome.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.24/policy/modules/apps/gnome.te --- nsaserefpolicy/policy/modules/apps/gnome.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/apps/gnome.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/gnome.te 2009-07-28 13:42:19.000000000 -0400 @@ -9,16 +9,18 @@ attribute gnomedomain; @@ -2068,9 +1837,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +permissive gnomesystemmm_t; + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.23/policy/modules/apps/gpg.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.24/policy/modules/apps/gpg.te --- nsaserefpolicy/policy/modules/apps/gpg.te 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/apps/gpg.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/gpg.te 2009-07-28 13:42:19.000000000 -0400 @@ -159,6 +159,19 @@ xserver_rw_xdm_pipes(gpg_t) ') @@ -2098,9 +1867,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - xserver_stream_connect(gpg_pinentry_t) + xserver_common_app(gpg_pinentry_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.6.23/policy/modules/apps/java.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.6.24/policy/modules/apps/java.fc --- nsaserefpolicy/policy/modules/apps/java.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/apps/java.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/java.fc 2009-07-28 13:42:19.000000000 -0400 @@ -2,15 +2,16 @@ # /opt # @@ -2135,9 +1904,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.23/policy/modules/apps/java.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.24/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/apps/java.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/java.if 2009-07-28 13:42:19.000000000 -0400 @@ -30,6 +30,7 @@ allow java_t $2:unix_stream_socket connectto; @@ -2278,9 +2047,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_role($1_r, $1_java_t) + ') +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.23/policy/modules/apps/java.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.24/policy/modules/apps/java.te --- nsaserefpolicy/policy/modules/apps/java.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/apps/java.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/java.te 2009-07-28 13:42:19.000000000 -0400 @@ -20,6 +20,8 @@ typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t }; typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t }; @@ -2343,15 +2112,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.6.23/policy/modules/apps/livecd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.6.24/policy/modules/apps/livecd.fc --- nsaserefpolicy/policy/modules/apps/livecd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/apps/livecd.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/livecd.fc 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,2 @@ + +/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.6.23/policy/modules/apps/livecd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.6.24/policy/modules/apps/livecd.if --- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/apps/livecd.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/livecd.if 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,50 @@ + +## policy for livecd @@ -2403,9 +2172,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + seutil_run_setfiles_mac(livecd_t, $2) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.6.23/policy/modules/apps/livecd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.6.24/policy/modules/apps/livecd.te --- nsaserefpolicy/policy/modules/apps/livecd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/apps/livecd.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/livecd.te 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,26 @@ +policy_module(livecd, 1.0.0) + @@ -2433,9 +2202,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +seutil_domtrans_setfiles_mac(livecd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.23/policy/modules/apps/mono.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.24/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/apps/mono.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/mono.if 2009-07-28 13:42:19.000000000 -0400 @@ -21,6 +21,105 @@ ######################################## @@ -2551,9 +2320,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') corecmd_search_bin($1) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.6.23/policy/modules/apps/mono.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.6.24/policy/modules/apps/mono.te --- nsaserefpolicy/policy/modules/apps/mono.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/apps/mono.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/mono.te 2009-07-28 13:42:19.000000000 -0400 @@ -15,7 +15,7 @@ # Local policy # @@ -2577,26 +2346,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + xserver_rw_shm(mono_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.6.23/policy/modules/apps/mozilla.fc ---- nsaserefpolicy/policy/modules/apps/mozilla.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/apps/mozilla.fc 2009-07-23 16:39:09.000000000 -0400 -@@ -17,7 +17,6 @@ - # - # /etc - # --/etc/mozpluggerrc -- gen_context(system_u:object_r:mozilla_conf_t,s0) - - # - # /lib -@@ -29,3 +28,5 @@ - /usr/lib(64)?/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) - /usr/lib(64)?/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) - /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) -+/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) -+/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.23/policy/modules/apps/mozilla.if ---- nsaserefpolicy/policy/modules/apps/mozilla.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/apps/mozilla.if 2009-07-23 16:39:09.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.24/policy/modules/apps/mozilla.if +--- nsaserefpolicy/policy/modules/apps/mozilla.if 2009-07-28 13:28:33.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/mozilla.if 2009-07-28 13:42:19.000000000 -0400 @@ -45,6 +45,18 @@ relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t) relabel_files_pattern($2, mozilla_home_t, mozilla_home_t) @@ -2624,18 +2376,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_search_user_home_dirs($1) ') -@@ -83,7 +96,7 @@ - ') - - allow $1 mozilla_home_t:dir list_dir_perms; -- allow $1 mozilla_home_t:file write; -+ allow $1 mozilla_home_t:file write_file_perms; - userdom_search_user_home_dirs($1) - ') - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.23/policy/modules/apps/mozilla.te ---- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/apps/mozilla.te 2009-07-23 16:39:09.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.24/policy/modules/apps/mozilla.te +--- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-07-28 13:28:33.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/mozilla.te 2009-07-28 13:42:19.000000000 -0400 @@ -59,6 +59,7 @@ manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) @@ -2652,15 +2395,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_sendrecv_http_client_packets(mozilla_t) corenet_sendrecv_http_cache_client_packets(mozilla_t) corenet_sendrecv_ftp_client_packets(mozilla_t) -@@ -105,6 +107,7 @@ - # Should not need other ports - corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t) - corenet_dontaudit_tcp_bind_generic_port(mozilla_t) -+corenet_tcp_connect_speech_port(mozilla_t) - - dev_read_urand(mozilla_t) - dev_read_rand(mozilla_t) -@@ -113,6 +116,8 @@ +@@ -114,6 +116,8 @@ dev_dontaudit_rw_dri(mozilla_t) dev_getattr_sysfs_dirs(mozilla_t) @@ -2669,7 +2404,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_runtime_files(mozilla_t) files_read_usr_files(mozilla_t) files_read_etc_files(mozilla_t) -@@ -128,6 +133,7 @@ +@@ -129,6 +133,7 @@ fs_rw_tmpfs_files(mozilla_t) term_dontaudit_getattr_pty_dirs(mozilla_t) @@ -2677,7 +2412,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(mozilla_t) -@@ -137,12 +143,7 @@ +@@ -138,12 +143,7 @@ # Browse the web, connect to printer sysnet_dns_name_resolve(mozilla_t) @@ -2691,7 +2426,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t) xserver_dontaudit_read_xdm_tmp_files(mozilla_t) -@@ -230,10 +231,15 @@ +@@ -231,11 +231,15 @@ optional_policy(` dbus_system_bus_client(mozilla_t) dbus_session_bus_client(mozilla_t) @@ -2702,12 +2437,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` gnome_stream_connect_gconf(mozilla_t) -+ gnome_manage_config(mozilla_t) + gnome_manage_config(mozilla_t) + gnome_manage_gconf_home_files(mozilla_t) ') optional_policy(` -@@ -254,5 +260,10 @@ +@@ -256,5 +260,10 @@ ') optional_policy(` @@ -2718,9 +2453,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` thunderbird_domtrans(mozilla_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.6.23/policy/modules/apps/nsplugin.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.6.24/policy/modules/apps/nsplugin.fc --- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/apps/nsplugin.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/nsplugin.fc 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,12 @@ +HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) @@ -2734,9 +2469,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0) +/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0) +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.23/policy/modules/apps/nsplugin.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.24/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/apps/nsplugin.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/nsplugin.if 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,313 @@ + +## policy for nsplugin @@ -3051,9 +2786,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.23/policy/modules/apps/nsplugin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.24/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/apps/nsplugin.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/nsplugin.te 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,287 @@ + +policy_module(nsplugin, 1.0.0) @@ -3342,16 +3077,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.6.23/policy/modules/apps/openoffice.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.6.24/policy/modules/apps/openoffice.fc --- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/apps/openoffice.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/openoffice.fc 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,3 @@ +/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) +/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.6.23/policy/modules/apps/openoffice.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.6.24/policy/modules/apps/openoffice.if --- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/apps/openoffice.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/openoffice.if 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,93 @@ +## Openoffice + @@ -3446,9 +3181,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_common_x_domain_template($1, $1_openoffice_t) + ') +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.6.23/policy/modules/apps/openoffice.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.6.24/policy/modules/apps/openoffice.te --- nsaserefpolicy/policy/modules/apps/openoffice.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/apps/openoffice.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/openoffice.te 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,14 @@ + +policy_module(openoffice, 1.0.0) @@ -3464,18 +3199,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.23/policy/modules/apps/qemu.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.24/policy/modules/apps/qemu.fc --- nsaserefpolicy/policy/modules/apps/qemu.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/apps/qemu.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/qemu.fc 2009-07-28 13:42:19.000000000 -0400 @@ -1,2 +1,3 @@ -/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) -/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/bin/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.6.23/policy/modules/apps/qemu.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.6.24/policy/modules/apps/qemu.if --- nsaserefpolicy/policy/modules/apps/qemu.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/apps/qemu.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/qemu.if 2009-07-28 13:42:19.000000000 -0400 @@ -40,6 +40,93 @@ qemu_domtrans($1) @@ -3782,9 +3517,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - ') + manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.23/policy/modules/apps/qemu.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.24/policy/modules/apps/qemu.te --- nsaserefpolicy/policy/modules/apps/qemu.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/apps/qemu.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/qemu.te 2009-07-28 13:42:19.000000000 -0400 @@ -13,28 +13,97 @@ ## gen_tunable(qemu_full_network, false) @@ -3901,23 +3636,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + role unconfined_r types qemu_unconfined_t; allow qemu_unconfined_t self:process { execstack execmem }; ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.6.23/policy/modules/apps/sambagui.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.6.24/policy/modules/apps/sambagui.fc --- nsaserefpolicy/policy/modules/apps/sambagui.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/apps/sambagui.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/sambagui.fc 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,4 @@ +/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0) + + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.6.23/policy/modules/apps/sambagui.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.6.24/policy/modules/apps/sambagui.if --- nsaserefpolicy/policy/modules/apps/sambagui.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/apps/sambagui.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/sambagui.if 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,2 @@ +## system-config-samba policy + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.23/policy/modules/apps/sambagui.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.24/policy/modules/apps/sambagui.te --- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/apps/sambagui.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/sambagui.te 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,57 @@ +policy_module(sambagui,1.0.0) + @@ -3976,14 +3711,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +permissive sambagui_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.6.23/policy/modules/apps/sandbox.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.6.24/policy/modules/apps/sandbox.fc --- nsaserefpolicy/policy/modules/apps/sandbox.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/apps/sandbox.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/sandbox.fc 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1 @@ +# No types are sandbox_exec_t -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.23/policy/modules/apps/sandbox.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.24/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/apps/sandbox.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/sandbox.if 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,145 @@ + +## policy for sandbox @@ -4130,9 +3865,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.23/policy/modules/apps/sandbox.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.24/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/apps/sandbox.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/sandbox.te 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,274 @@ +policy_module(sandbox,1.0.0) +dbus_stub() @@ -4408,9 +4143,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + hal_dbus_chat(sandbox_net_client_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.23/policy/modules/apps/screen.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.24/policy/modules/apps/screen.if --- nsaserefpolicy/policy/modules/apps/screen.if 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/apps/screen.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/screen.if 2009-07-28 13:42:19.000000000 -0400 @@ -157,3 +157,24 @@ nscd_socket_use($1_screen_t) ') @@ -4436,9 +4171,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_lnk_files_pattern($1,screen_var_run_t,screen_var_run_t) + manage_fifo_files_pattern($1,screen_var_run_t,screen_var_run_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.6.23/policy/modules/apps/vmware.fc ---- nsaserefpolicy/policy/modules/apps/vmware.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/apps/vmware.fc 2009-07-23 16:39:09.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.6.24/policy/modules/apps/vmware.fc +--- nsaserefpolicy/policy/modules/apps/vmware.fc 2009-07-28 13:28:33.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/vmware.fc 2009-07-28 13:42:19.000000000 -0400 @@ -18,6 +18,7 @@ /usr/bin/vmnet-natd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) /usr/bin/vmnet-netifup -- gen_context(system_u:object_r:vmware_host_exec_t,s0) @@ -4447,108 +4182,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) /usr/bin/vmware-ping -- gen_context(system_u:object_r:vmware_host_exec_t,s0) /usr/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -@@ -63,6 +64,7 @@ - ') - - /var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0) -+/var/log/vnetlib.* -- gen_context(system_u:object_r:vmware_log_t,s0) - - /var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0) - /var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.23/policy/modules/apps/vmware.te ---- nsaserefpolicy/policy/modules/apps/vmware.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/apps/vmware.te 2009-07-23 16:39:09.000000000 -0400 -@@ -29,6 +29,10 @@ - type vmware_host_exec_t; - init_daemon_domain(vmware_host_t, vmware_host_exec_t) - -+ifdef(`enable_mcs',` -+ init_ranged_daemon_domain(vmware_host_t,vmware_host_exec_t,s0 - mcs_systemhigh) -+') -+ - type vmware_host_pid_t alias vmware_var_run_t; - files_pid_file(vmware_host_pid_t) - -@@ -65,9 +69,9 @@ - # VMWare host local policy - # - --allow vmware_host_t self:capability { setgid setuid net_raw }; -+allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override }; - dontaudit vmware_host_t self:capability sys_tty_config; --allow vmware_host_t self:process signal_perms; -+allow vmware_host_t self:process { execstack execmem signal_perms }; - allow vmware_host_t self:fifo_file rw_fifo_file_perms; - allow vmware_host_t self:unix_stream_socket create_stream_socket_perms; - allow vmware_host_t self:rawip_socket create_socket_perms; -@@ -84,8 +88,9 @@ - logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir }) - - kernel_read_kernel_sysctls(vmware_host_t) --kernel_list_proc(vmware_host_t) --kernel_read_proc_symlinks(vmware_host_t) -+kernel_read_system_state(vmware_host_t) -+ -+libs_exec_ld_so(vmware_host_t) - - corenet_all_recvfrom_unlabeled(vmware_host_t) - corenet_all_recvfrom_netlabel(vmware_host_t) -@@ -104,13 +109,20 @@ - corenet_sendrecv_all_client_packets(vmware_host_t) - corenet_sendrecv_all_server_packets(vmware_host_t) - -+corecmd_exec_bin(vmware_host_t) -+corecmd_exec_shell(vmware_host_t) -+ -+dev_getattr_all_blk_files(vmware_host_t) - dev_read_sysfs(vmware_host_t) - dev_read_urand(vmware_host_t) - dev_rw_vmware(vmware_host_t) - - domain_use_interactive_fds(vmware_host_t) -+domain_dontaudit_read_all_domains_state(vmware_host_t) - -+files_list_tmp(vmware_host_t) - files_read_etc_files(vmware_host_t) -+files_read_etc_runtime_files(vmware_host_t) - - fs_getattr_all_fs(vmware_host_t) - fs_search_auto_mountpoints(vmware_host_t) -@@ -126,6 +138,8 @@ - - sysnet_dns_name_resolve(vmware_host_t) - -+storage_getattr_fixed_disk_dev(vmware_host_t) -+ - userdom_dontaudit_use_unpriv_user_fds(vmware_host_t) - userdom_dontaudit_search_user_home_dirs(vmware_host_t) - -@@ -140,6 +154,13 @@ - udev_read_db(vmware_host_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.24/policy/modules/apps/vmware.te +--- nsaserefpolicy/policy/modules/apps/vmware.te 2009-07-28 13:28:33.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/vmware.te 2009-07-28 13:42:19.000000000 -0400 +@@ -157,8 +157,10 @@ + optional_policy(` + xserver_read_tmp_files(vmware_host_t) + xserver_read_xdm_pid(vmware_host_t) ++ xserver_common_app(vmware_host_t) ') -+optional_policy(` -+ xserver_read_tmp_files(vmware_host_t) -+ xserver_read_xdm_pid(vmware_host_t) -+ xserver_common_app(vmware_host_t) -+') -+ + ifdef(`TODO',` # VMWare need access to pcmcia devices for network optional_policy(` -@@ -226,7 +247,7 @@ - files_read_usr_files(vmware_t) - files_list_home(vmware_t) - --fs_getattr_xattr_fs(vmware_t) -+fs_getattr_all_fs(vmware_t) - fs_search_auto_mountpoints(vmware_t) - - storage_raw_read_removable_device(vmware_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-3.6.23/policy/modules/apps/webalizer.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-3.6.24/policy/modules/apps/webalizer.te --- nsaserefpolicy/policy/modules/apps/webalizer.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/apps/webalizer.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/webalizer.te 2009-07-28 13:42:19.000000000 -0400 @@ -69,7 +69,6 @@ fs_search_auto_mountpoints(webalizer_t) fs_getattr_xattr_fs(webalizer_t) @@ -4557,9 +4207,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(webalizer_t) files_read_etc_runtime_files(webalizer_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.6.23/policy/modules/apps/wine.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.6.24/policy/modules/apps/wine.fc --- nsaserefpolicy/policy/modules/apps/wine.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/apps/wine.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/wine.fc 2009-07-28 13:42:19.000000000 -0400 @@ -1,4 +1,21 @@ -/usr/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) +/usr/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) @@ -4585,9 +4235,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/opt/cxoffice/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) -/opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.23/policy/modules/apps/wine.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.24/policy/modules/apps/wine.if --- nsaserefpolicy/policy/modules/apps/wine.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/apps/wine.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/wine.if 2009-07-28 13:42:19.000000000 -0400 @@ -43,3 +43,63 @@ wine_domtrans($1) role $2 types wine_t; @@ -4652,9 +4302,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + relabel_lnk_files_pattern($2, wine_home_t, wine_home_t) + +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.23/policy/modules/apps/wine.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.24/policy/modules/apps/wine.te --- nsaserefpolicy/policy/modules/apps/wine.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/apps/wine.te 2009-07-27 13:54:28.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/apps/wine.te 2009-07-28 13:42:19.000000000 -0400 @@ -9,20 +9,35 @@ type wine_t; type wine_exec_t; @@ -4695,141 +4345,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_common_app(wine_t) + xserver_rw_shm(wine_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.fc serefpolicy-3.6.23/policy/modules/apps/wm.fc ---- nsaserefpolicy/policy/modules/apps/wm.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/apps/wm.fc 2009-07-23 16:39:09.000000000 -0400 -@@ -0,0 +1,3 @@ -+/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0) -+/usr/bin/openbox -- gen_context(system_u:object_r:wm_exec_t,s0) -+/usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.6.23/policy/modules/apps/wm.if ---- nsaserefpolicy/policy/modules/apps/wm.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/apps/wm.if 2009-07-23 16:39:09.000000000 -0400 -@@ -0,0 +1,108 @@ -+## Window Manager. -+ -+######################################## -+## -+## Execute the wm program in the wm domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`wm_exec',` -+ gen_require(` -+ type wm_exec_t; -+ ') -+ -+ can_exec($1, wm_exec_t) -+') -+ -+####################################### -+## -+## The role template for the wm module. -+## -+## -+##

-+## This template creates a derived domains which are used -+## for wm applications. -+##

-+##
-+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## The role associated with the user domain. -+## -+## -+## -+## -+## The type of the user domain. -+## -+## -+# -+template(`wm_role_template',` -+ gen_require(` -+ type wm_exec_t; -+ ') -+ -+ type $1_wm_t; -+ domain_type($1_wm_t) -+ domain_entry_file($1_wm_t, wm_exec_t) -+ role $2 types $1_wm_t; -+ -+ domtrans_pattern($3, wm_exec_t, $1_wm_t) -+ -+ corecmd_bin_domtrans($1_wm_t, $1_t) -+ corecmd_shell_domtrans($1_wm_t, $1_t) -+ -+ ifdef(`enable_mls',` -+ mls_file_read_all_levels($1_wm_t) -+ mls_file_write_all_levels($1_wm_t) -+ mls_xwin_read_all_levels($1_wm_t) -+ mls_xwin_write_all_levels($1_wm_t) -+ mls_fd_use_all_levels($1_wm_t) -+ ') -+ -+ files_read_etc_files($1_wm_t) -+ files_read_usr_files($1_wm_t) -+ -+ miscfiles_read_fonts($1_wm_t) -+ miscfiles_read_localization($1_wm_t) -+ -+ optional_policy(` -+ gnome_read_config($1_wm_t) -+ gnome_read_gconf_config($1_wm_t) -+ ') -+ -+ auth_use_nsswitch($1_wm_t) -+ -+ kernel_read_system_state($1_wm_t) -+ -+ allow $1_wm_t self:fifo_file rw_fifo_file_perms; -+ allow $1_wm_t self:process getsched; -+ allow $1_wm_t self:shm create_shm_perms; -+ -+ allow $1_wm_t $1_t:unix_stream_socket connectto; -+ -+ optional_policy(` -+ dbus_system_bus_client($1_wm_t) -+ ') -+ -+ userdom_unpriv_usertype($1, $1_wm_t) -+ -+ userdom_manage_home_role($1_r, $1_wm_t) -+ userdom_manage_tmpfs_role($1_r, $1_wm_t) -+ userdom_manage_tmp_role($1_r, $1_wm_t) -+ -+ dev_read_urand($1_wm_t) -+ -+ optional_policy(` -+ xserver_role($1_r, $1_wm_t) -+ xserver_use_xdm($1_wm_t) -+ ') -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.te serefpolicy-3.6.23/policy/modules/apps/wm.te ---- nsaserefpolicy/policy/modules/apps/wm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/apps/wm.te 2009-07-23 16:39:09.000000000 -0400 -@@ -0,0 +1,9 @@ -+policy_module(wm,0.0.4) -+ -+######################################## -+# -+# Declarations -+# -+ -+type wm_exec_t; -+corecmd_executable_file(wm_exec_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.23/policy/modules/kernel/corecommands.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.24/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/kernel/corecommands.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/kernel/corecommands.fc 2009-07-28 13:42:19.000000000 -0400 @@ -139,6 +139,9 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -4862,9 +4380,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0) + +/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.23/policy/modules/kernel/corecommands.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.24/policy/modules/kernel/corecommands.if --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/kernel/corecommands.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/kernel/corecommands.if 2009-07-28 13:42:19.000000000 -0400 @@ -893,6 +893,7 @@ read_lnk_files_pattern($1, bin_t, bin_t) @@ -4873,9 +4391,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.23/policy/modules/kernel/corenetwork.te.in ---- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/kernel/corenetwork.te.in 2009-07-23 16:39:09.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.24/policy/modules/kernel/corenetwork.te.in +--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-07-28 13:28:33.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/kernel/corenetwork.te.in 2009-07-28 13:42:19.000000000 -0400 @@ -65,6 +65,7 @@ type server_packet_t, packet_type, server_packet_type; @@ -4884,15 +4402,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0) network_port(afs_ka, udp,7004,s0) network_port(afs_pt, udp,7002,s0) -@@ -87,16 +88,21 @@ +@@ -87,17 +88,21 @@ network_port(comsat, udp,512,s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0) +portcon tcp 6780-6799 gen_context(system_u:object_r:cyphesis_port_t, s0) network_port(dbskkd, tcp,1178,s0) network_port(dcc, udp,6276,s0, udp,6277,s0) + network_port(dccm, tcp,5679,s0, udp,5679,s0) -network_port(dhcpc, udp,68,s0) -+network_port(dccm, tcp,5679,s0, udp,5679,s0) +network_port(dhcpc, udp,68,s0, tcp,68,s0) network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) network_port(dict, tcp,2628,s0) @@ -4907,7 +4425,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) network_port(giftd, tcp,1213,s0) network_port(gopher, tcp,70,s0, udp,70,s0) -@@ -105,6 +111,7 @@ +@@ -106,6 +111,7 @@ network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy @@ -4915,7 +4433,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) -@@ -127,7 +134,7 @@ +@@ -128,7 +134,7 @@ network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) network_port(lmtp, tcp,24,s0, udp,24,s0) type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon @@ -4924,7 +4442,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(memcache, tcp,11211,s0, udp,11211,s0) network_port(mmcc, tcp,5050,s0, udp,5050,s0) network_port(monopd, tcp,1234,s0) -@@ -145,6 +152,12 @@ +@@ -146,6 +152,12 @@ network_port(pegasus_https, tcp,5989,s0) network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) network_port(pingd, tcp,9125,s0) @@ -4937,7 +4455,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postfix_policyd, tcp,10031,s0) -@@ -171,26 +184,31 @@ +@@ -172,27 +184,31 @@ network_port(sap, tcp,9875,s0, udp,9875,s0) network_port(smbd, tcp,137-139,s0, tcp,445,s0) network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) @@ -4946,7 +4464,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type socks_port_t, port_type; dnl network_port(socks) # no defined portcon network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0) network_port(spamd, tcp,783,s0) -+network_port(speech, tcp,8036,s0) + network_port(speech, tcp,8036,s0) network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp network_port(ssh, tcp,22,s0) +network_port(streaming, tcp, 1755, s0, udp, 1755, s0) @@ -4972,7 +4490,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) network_port(xfs, tcp,7100,s0) -@@ -219,6 +237,8 @@ +@@ -221,6 +237,8 @@ type node_t, node_type; sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh) @@ -4981,9 +4499,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # network_node examples: #network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255) #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.23/policy/modules/kernel/devices.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.24/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/kernel/devices.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/kernel/devices.fc 2009-07-28 13:42:19.000000000 -0400 @@ -47,8 +47,10 @@ /dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) @@ -4995,9 +4513,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.23/policy/modules/kernel/devices.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.24/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/kernel/devices.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/kernel/devices.if 2009-07-28 13:42:19.000000000 -0400 @@ -1655,6 +1655,78 @@ ######################################## @@ -5165,9 +4683,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write to the null device (/dev/null). ## ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.23/policy/modules/kernel/devices.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.24/policy/modules/kernel/devices.te --- nsaserefpolicy/policy/modules/kernel/devices.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/kernel/devices.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/kernel/devices.te 2009-07-28 13:42:19.000000000 -0400 @@ -84,6 +84,13 @@ dev_node(kmsg_device_t) @@ -5195,9 +4713,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Type for /dev/mapper/control # type lvm_control_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.23/policy/modules/kernel/domain.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.24/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/kernel/domain.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/kernel/domain.if 2009-07-28 13:42:19.000000000 -0400 @@ -44,34 +44,6 @@ interface(`domain_type',` # start with basic domain @@ -5378,9 +4896,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 unconfined_domain_type:process signal; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.23/policy/modules/kernel/domain.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.24/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/kernel/domain.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/kernel/domain.te 2009-07-28 13:42:19.000000000 -0400 @@ -5,6 +5,13 @@ # # Declarations @@ -5528,9 +5046,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + userdom_relabelto_user_home_dirs(polydomain) + userdom_relabelto_user_home_files(polydomain) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.23/policy/modules/kernel/files.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.24/policy/modules/kernel/files.fc --- nsaserefpolicy/policy/modules/kernel/files.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/kernel/files.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/kernel/files.fc 2009-07-28 13:42:19.000000000 -0400 @@ -5,10 +5,11 @@ /.* gen_context(system_u:object_r:default_t,s0) / -d gen_context(system_u:object_r:root_t,s0) @@ -5561,9 +5079,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) /var/lib/nfs/rpc_pipefs(/.*)? <> -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.23/policy/modules/kernel/files.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.24/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/kernel/files.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/kernel/files.if 2009-07-28 13:42:19.000000000 -0400 @@ -110,6 +110,11 @@ ## # @@ -5936,9 +5454,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + allow $1 file_type:file entrypoint; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.23/policy/modules/kernel/files.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.24/policy/modules/kernel/files.te --- nsaserefpolicy/policy/modules/kernel/files.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/kernel/files.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/kernel/files.te 2009-07-28 13:42:19.000000000 -0400 @@ -52,7 +52,9 @@ # # etc_t is the type of the system etc directories. @@ -5950,15 +5468,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_type(etc_t) # compatibility aliases for removed types: typealias etc_t alias automount_etc_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.6.23/policy/modules/kernel/filesystem.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.6.24/policy/modules/kernel/filesystem.fc --- nsaserefpolicy/policy/modules/kernel/filesystem.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/kernel/filesystem.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/kernel/filesystem.fc 2009-07-28 13:42:19.000000000 -0400 @@ -1 +1 @@ -# This module currently does not have any file contexts. +/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.23/policy/modules/kernel/filesystem.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.24/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/kernel/filesystem.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/kernel/filesystem.if 2009-07-28 13:42:19.000000000 -0400 @@ -3971,3 +3971,23 @@ relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs) relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs) @@ -5983,9 +5501,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dontaudit $1 cifs_t:dir list_dir_perms; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.23/policy/modules/kernel/kernel.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.24/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/kernel/kernel.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/kernel/kernel.if 2009-07-28 13:42:19.000000000 -0400 @@ -1807,7 +1807,7 @@ ') @@ -6044,9 +5562,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 kernel_t:unix_stream_socket connectto; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.23/policy/modules/kernel/kernel.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.24/policy/modules/kernel/kernel.te --- nsaserefpolicy/policy/modules/kernel/kernel.te 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/kernel/kernel.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/kernel/kernel.te 2009-07-28 13:42:19.000000000 -0400 @@ -63,6 +63,15 @@ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) @@ -6130,9 +5648,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +files_boot(kernel_t) + +permissive kernel_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.23/policy/modules/kernel/selinux.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.24/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/kernel/selinux.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/kernel/selinux.if 2009-07-28 13:42:19.000000000 -0400 @@ -40,7 +40,7 @@ # because of this statement, any module which @@ -6190,9 +5708,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_type($1) + mls_trusted_object($1) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.6.23/policy/modules/kernel/storage.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.6.24/policy/modules/kernel/storage.fc --- nsaserefpolicy/policy/modules/kernel/storage.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/kernel/storage.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/kernel/storage.fc 2009-07-28 13:42:19.000000000 -0400 @@ -57,7 +57,7 @@ /dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) @@ -6202,9 +5720,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/floppy/[^/]* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/i2o/hd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.6.23/policy/modules/kernel/terminal.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.6.24/policy/modules/kernel/terminal.fc --- nsaserefpolicy/policy/modules/kernel/terminal.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/kernel/terminal.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/kernel/terminal.fc 2009-07-28 13:42:19.000000000 -0400 @@ -13,6 +13,7 @@ /dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0) @@ -6213,9 +5731,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) /dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.23/policy/modules/kernel/terminal.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.24/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/kernel/terminal.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/kernel/terminal.if 2009-07-28 13:42:19.000000000 -0400 @@ -173,7 +173,7 @@ dev_list_all_dev_nodes($1) @@ -6287,9 +5805,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Read and write the controlling -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.23/policy/modules/roles/guest.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.24/policy/modules/roles/guest.te --- nsaserefpolicy/policy/modules/roles/guest.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/roles/guest.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/roles/guest.te 2009-07-28 13:42:19.000000000 -0400 @@ -16,7 +16,11 @@ # @@ -6304,9 +5822,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +gen_user(guest_u, user, guest_r, s0, s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.23/policy/modules/roles/staff.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.24/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/roles/staff.te 2009-07-23 17:28:40.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/roles/staff.te 2009-07-28 13:42:19.000000000 -0400 @@ -15,156 +15,105 @@ # Local policy # @@ -6500,9 +6018,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -optional_policy(` - xserver_role(staff_r, staff_t) -') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.23/policy/modules/roles/sysadm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.24/policy/modules/roles/sysadm.te --- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/roles/sysadm.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/roles/sysadm.te 2009-07-28 13:42:19.000000000 -0400 @@ -15,7 +15,7 @@ role sysadm_r; @@ -6800,9 +6318,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +init_script_role_transition(sysadm_r) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.23/policy/modules/roles/unconfineduser.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.24/policy/modules/roles/unconfineduser.fc --- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/roles/unconfineduser.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/roles/unconfineduser.fc 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,37 @@ +# Add programs here which should not be confined by SELinux +# e.g.: @@ -6841,9 +6359,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.6.23/policy/modules/roles/unconfineduser.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.6.24/policy/modules/roles/unconfineduser.if --- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/roles/unconfineduser.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/roles/unconfineduser.if 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,638 @@ +## Unconfiend user role + @@ -7483,9 +7001,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 unconfined_r; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.23/policy/modules/roles/unconfineduser.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.24/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/roles/unconfineduser.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/roles/unconfineduser.te 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,410 @@ +policy_module(unconfineduser, 1.0.0) + @@ -7897,9 +7415,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.23/policy/modules/roles/unprivuser.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.24/policy/modules/roles/unprivuser.te --- nsaserefpolicy/policy/modules/roles/unprivuser.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/roles/unprivuser.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/roles/unprivuser.te 2009-07-28 13:42:19.000000000 -0400 @@ -14,142 +14,21 @@ userdom_unpriv_user_template(user) @@ -8048,9 +7566,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - xserver_role(user_r, user_t) + setroubleshoot_dontaudit_stream_connect(user_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.te serefpolicy-3.6.23/policy/modules/roles/webadm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.te serefpolicy-3.6.24/policy/modules/roles/webadm.te --- nsaserefpolicy/policy/modules/roles/webadm.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/roles/webadm.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/roles/webadm.te 2009-07-28 13:42:19.000000000 -0400 @@ -42,7 +42,7 @@ userdom_dontaudit_search_user_home_dirs(webadm_t) @@ -8060,9 +7578,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`webadm_manage_user_files',` userdom_manage_user_home_content_files(webadm_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.23/policy/modules/roles/xguest.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.24/policy/modules/roles/xguest.te --- nsaserefpolicy/policy/modules/roles/xguest.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/roles/xguest.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/roles/xguest.te 2009-07-28 13:42:19.000000000 -0400 @@ -36,11 +36,17 @@ # Local policy # @@ -8109,9 +7627,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -#gen_user(xguest_u,, xguest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.6.23/policy/modules/services/amavis.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.6.24/policy/modules/services/amavis.te --- nsaserefpolicy/policy/modules/services/amavis.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/amavis.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/amavis.te 2009-07-28 13:42:19.000000000 -0400 @@ -103,6 +103,8 @@ kernel_dontaudit_read_proc_symlinks(amavis_t) kernel_dontaudit_read_system_state(amavis_t) @@ -8121,9 +7639,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # find perl corecmd_exec_bin(amavis_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.23/policy/modules/services/apache.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.24/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/apache.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/apache.fc 2009-07-28 13:42:19.000000000 -0400 @@ -1,12 +1,13 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) @@ -8217,9 +7735,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0) +/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.23/policy/modules/services/apache.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.24/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/apache.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/apache.if 2009-07-28 13:42:19.000000000 -0400 @@ -13,21 +13,16 @@ # template(`apache_content_template',` @@ -8758,9 +8276,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + typeattribute $1 httpd_rw_content; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.23/policy/modules/services/apache.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.24/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/apache.te 2009-07-27 14:13:27.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/apache.te 2009-07-28 13:42:19.000000000 -0400 @@ -19,6 +19,8 @@ # Declarations # @@ -9492,9 +9010,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +typealias httpd_sys_script_t alias httpd_fastcgi_script_t; +typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.6.23/policy/modules/services/apm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.6.24/policy/modules/services/apm.te --- nsaserefpolicy/policy/modules/services/apm.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/apm.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/apm.te 2009-07-28 13:42:19.000000000 -0400 @@ -60,7 +60,7 @@ # mknod: controlling an orderly resume of PCMCIA requires creating device # nodes 254,{0,1,2} for some reason. @@ -9504,9 +9022,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow apmd_t self:process { signal_perms getsession }; allow apmd_t self:fifo_file rw_fifo_file_perms; allow apmd_t self:unix_dgram_socket create_socket_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.6.23/policy/modules/services/automount.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.6.24/policy/modules/services/automount.if --- nsaserefpolicy/policy/modules/services/automount.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/automount.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/automount.if 2009-07-28 13:42:19.000000000 -0400 @@ -109,6 +109,25 @@ ######################################## @@ -9533,9 +9051,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate ## an automount environment ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.23/policy/modules/services/automount.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.24/policy/modules/services/automount.te --- nsaserefpolicy/policy/modules/services/automount.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/automount.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/automount.te 2009-07-28 13:42:19.000000000 -0400 @@ -71,6 +71,7 @@ files_mounton_all_mountpoints(automount_t) files_mount_all_file_type_fs(automount_t) @@ -9577,28 +9095,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kerberos_read_config(automount_t) kerberos_dontaudit_write_config(automount_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.23/policy/modules/services/avahi.te ---- nsaserefpolicy/policy/modules/services/avahi.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/avahi.te 2009-07-23 16:39:09.000000000 -0400 -@@ -33,6 +33,7 @@ - allow avahi_t self:tcp_socket create_stream_socket_perms; - allow avahi_t self:udp_socket create_socket_perms; - -+files_search_var_lib(avahi_t) - manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t) - manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t) - files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file }) -@@ -93,6 +94,7 @@ - dbus_connect_system_bus(avahi_t) - - init_dbus_chat_script(avahi_t) -+ dbus_system_domain(avahi_t, avahi_exec_t) - ') - - optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.23/policy/modules/services/bind.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.24/policy/modules/services/bind.if --- nsaserefpolicy/policy/modules/services/bind.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/bind.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/bind.if 2009-07-28 13:42:19.000000000 -0400 @@ -287,6 +287,25 @@ ######################################## @@ -9625,9 +9124,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate ## an bind environment ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.23/policy/modules/services/bluetooth.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.24/policy/modules/services/bluetooth.te --- nsaserefpolicy/policy/modules/services/bluetooth.te 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/bluetooth.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/bluetooth.te 2009-07-28 13:42:19.000000000 -0400 @@ -64,6 +64,7 @@ allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow bluetooth_t self:tcp_socket create_stream_socket_perms; @@ -9636,9 +9135,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.23/policy/modules/services/certmaster.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.24/policy/modules/services/certmaster.te --- nsaserefpolicy/policy/modules/services/certmaster.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/certmaster.te 2009-07-27 14:06:05.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/certmaster.te 2009-07-28 13:42:19.000000000 -0400 @@ -30,7 +30,7 @@ # certmaster local policy # @@ -9648,9 +9147,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow certmaster_t self:tcp_socket create_stream_socket_perms; # config files -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.23/policy/modules/services/clamav.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.24/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/clamav.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/clamav.te 2009-07-28 13:42:19.000000000 -0400 @@ -117,9 +117,9 @@ logging_send_syslog_msg(clamd_t) @@ -9685,9 +9184,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` apache_read_sys_content(clamscan_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.6.23/policy/modules/services/consolekit.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.6.24/policy/modules/services/consolekit.if --- nsaserefpolicy/policy/modules/services/consolekit.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/consolekit.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/consolekit.if 2009-07-28 13:42:19.000000000 -0400 @@ -57,3 +57,23 @@ read_files_pattern($1, consolekit_log_t, consolekit_log_t) files_search_pids($1) @@ -9712,9 +9211,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.23/policy/modules/services/consolekit.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.24/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/consolekit.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/consolekit.te 2009-07-28 13:42:19.000000000 -0400 @@ -11,7 +11,7 @@ init_daemon_domain(consolekit_t, consolekit_exec_t) @@ -9794,9 +9293,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_stream_connect(consolekit_t) ') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.6.23/policy/modules/services/courier.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.6.24/policy/modules/services/courier.if --- nsaserefpolicy/policy/modules/services/courier.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/courier.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/courier.if 2009-07-28 13:42:19.000000000 -0400 @@ -179,6 +179,24 @@ ######################################## @@ -9822,9 +9321,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write to courier spool pipes. ## ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.6.23/policy/modules/services/courier.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.6.24/policy/modules/services/courier.te --- nsaserefpolicy/policy/modules/services/courier.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/courier.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/courier.te 2009-07-28 13:42:19.000000000 -0400 @@ -10,6 +10,7 @@ type courier_etc_t; @@ -9833,9 +9332,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol courier_domain_template(pcp) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.23/policy/modules/services/cron.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.24/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/cron.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/cron.fc 2009-07-28 13:42:19.000000000 -0400 @@ -1,3 +1,4 @@ +/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) @@ -9867,9 +9366,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) + +/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.23/policy/modules/services/cron.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.24/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/cron.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/cron.if 2009-07-28 13:42:19.000000000 -0400 @@ -12,6 +12,10 @@ ## # @@ -10171,9 +9670,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + init_labeled_script_domtrans($1, crond_initrc_exec_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.23/policy/modules/services/cron.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.24/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/cron.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/cron.te 2009-07-28 13:42:19.000000000 -0400 @@ -38,6 +38,10 @@ type cron_var_lib_t; files_type(cron_var_lib_t) @@ -10525,9 +10024,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`fcron_crond', ` allow crond_t user_cron_spool_t:file manage_file_perms; ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.23/policy/modules/services/cups.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.24/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/cups.fc 2009-07-27 13:42:47.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/cups.fc 2009-07-28 13:42:19.000000000 -0400 @@ -5,27 +5,38 @@ /etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) @@ -10601,9 +10100,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + +/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.6.23/policy/modules/services/cups.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.6.24/policy/modules/services/cups.if --- nsaserefpolicy/policy/modules/services/cups.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/cups.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/cups.if 2009-07-28 13:42:19.000000000 -0400 @@ -20,6 +20,30 @@ ######################################## @@ -10728,9 +10227,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + admin_pattern($1, hplip_var_run_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.23/policy/modules/services/cups.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.24/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/cups.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/cups.te 2009-07-28 13:42:19.000000000 -0400 @@ -20,9 +20,18 @@ type cupsd_etc_t; files_config_file(cupsd_etc_t) @@ -11171,31 +10670,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) +miscfiles_read_fonts(cups_pdf_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.23/policy/modules/services/cvs.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.24/policy/modules/services/cvs.te --- nsaserefpolicy/policy/modules/services/cvs.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/cvs.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/cvs.te 2009-07-28 13:42:19.000000000 -0400 @@ -112,4 +112,5 @@ read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) + files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.6.23/policy/modules/services/dbus.fc ---- nsaserefpolicy/policy/modules/services/dbus.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/dbus.fc 2009-07-23 16:39:09.000000000 -0400 -@@ -4,6 +4,9 @@ - /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) - /bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0) - -+/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) -+/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) -+ - /var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) - - /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.23/policy/modules/services/dbus.if ---- nsaserefpolicy/policy/modules/services/dbus.if 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/dbus.if 2009-07-23 16:39:09.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.24/policy/modules/services/dbus.if +--- nsaserefpolicy/policy/modules/services/dbus.if 2009-07-28 13:28:33.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/dbus.if 2009-07-28 14:03:30.000000000 -0400 @@ -42,8 +42,10 @@ gen_require(` class dbus { send_msg acquire_svc }; @@ -11225,25 +10711,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1_dbusd_t $3:process sigkill; allow $3 $1_dbusd_t:fd use; allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms; -@@ -117,6 +119,7 @@ - dev_read_urand($1_dbusd_t) - - domain_use_interactive_fds($1_dbusd_t) -+ domain_read_all_domains_state($1_dbusd_t) - - files_read_etc_files($1_dbusd_t) - files_list_home($1_dbusd_t) -@@ -145,13 +148,20 @@ +@@ -146,6 +148,8 @@ seutil_read_config($1_dbusd_t) seutil_read_default_contexts($1_dbusd_t) + term_use_all_terms($1_dbusd_t) + userdom_read_user_home_content_files($1_dbusd_t) -+ userdom_dontaudit_search_admin_dir($1_dbusd_t) ifdef(`hide_broken_symptoms', ` - dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write }; +@@ -153,6 +157,10 @@ ') optional_policy(` @@ -11254,34 +10731,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hal_dbus_chat($1_dbusd_t) ') -@@ -161,6 +171,26 @@ - ') - ') - -+######################################## -+## -+## Connect to the the system DBUS -+## for service (acquire_svc). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dbus_connect_session_bus',` -+ gen_require(` -+ attribute session_bus_type; -+ class dbus acquire_svc; -+ ') -+ -+ allow $1 session_bus_type:dbus acquire_svc; -+') -+ - ####################################### - ## - ## Template for creating connections to -@@ -177,10 +207,12 @@ +@@ -178,10 +186,12 @@ type system_dbusd_t, system_dbusd_t; type system_dbusd_var_run_t, system_dbusd_var_lib_t; class dbus send_msg; @@ -11295,7 +10745,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_var_lib($1) -@@ -189,6 +221,10 @@ +@@ -190,6 +200,10 @@ files_search_pids($1) stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) dbus_read_config($1) @@ -11306,211 +10756,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -236,6 +272,35 @@ +@@ -256,7 +270,7 @@ ######################################## ## -+## Chat on user/application specific DBUS. -+## -+## -+## -+## The prefix of the domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+template(`dbus_chat_user_bus',` -+ gen_require(` -+ type $1_t; -+ type $1_dbusd_t; -+ class dbus send_msg; -+ ') -+ -+ allow $2 $1_dbusd_t:dbus send_msg; -+ allow $1_dbusd_t $2:dbus send_msg; -+ allow $2 $1_t:dbus send_msg; -+ allow $1_t $2:dbus send_msg; -+') -+ -+######################################## -+## - ## Read dbus configuration. +-## Connect to the the session DBUS ++## Connect to the system DBUS + ## for service (acquire_svc). ## ## -@@ -310,3 +375,79 @@ - - allow $1 system_dbusd_t:dbus *; - ') -+ -+######################################## -+## -+## Allow unconfined access to the system DBUS. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dbus_unconfined',` -+ gen_require(` -+ attribute dbusd_unconfined; -+ ') -+ -+ typeattribute $1 dbusd_unconfined; -+') -+ -+######################################## -+## -+## Create a domain for processes -+## which can be started by the system dbus -+## -+## -+## -+## Type to be used as a domain. -+## -+## -+## -+## -+## Type of the program to be used as an entry point to this domain. -+## -+## -+# -+interface(`dbus_system_domain',` -+ gen_require(` -+ type system_dbusd_t; -+ role system_r; -+ ') -+ -+ domain_type($1) -+ domain_entry_file($1, $2) -+ -+ role system_r types $1; -+ -+ domtrans_pattern(system_dbusd_t, $2, $1) -+ -+ dbus_system_bus_client($1) -+ dbus_connect_system_bus($1) -+ -+ ifdef(`hide_broken_symptoms', ` -+ dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; -+ ') -+ -+ userdom_dontaudit_search_admin_dir($1) -+') -+ -+######################################## -+## -+## Dontaudit Read, and write system dbus TCP sockets. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` -+ gen_require(` -+ type system_dbusd_t; -+ ') -+ -+ allow $1 system_dbusd_t:tcp_socket { read write }; -+ allow $1 system_dbusd_t:fd use; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.23/policy/modules/services/dbus.te ---- nsaserefpolicy/policy/modules/services/dbus.te 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/dbus.te 2009-07-23 16:39:09.000000000 -0400 -@@ -9,14 +9,15 @@ - # - # Delcarations - # -- -+attribute dbusd_unconfined; - attribute session_bus_type; - - type dbusd_etc_t; --files_type(dbusd_etc_t) -+files_config_file(dbusd_etc_t) - - type dbusd_exec_t; - corecmd_executable_file(dbusd_exec_t) -+typealias dbusd_exec_t alias system_dbusd_exec_t; - - type session_dbusd_tmp_t; - typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t }; -@@ -31,11 +32,25 @@ - files_tmp_file(system_dbusd_tmp_t) - - type system_dbusd_var_lib_t; --files_pid_file(system_dbusd_var_lib_t) -+files_type(system_dbusd_var_lib_t) - - type system_dbusd_var_run_t; - files_pid_file(system_dbusd_var_run_t) - -+ifdef(`enable_mcs',` -+ init_ranged_daemon_domain(system_dbusd_t, dbusd_exec_t,s0 - mcs_systemhigh) -+') -+ -+ifdef(`enable_mls',` -+ init_ranged_daemon_domain(system_dbusd_t, dbusd_exec_t,s0 - mls_systemhigh) -+ mls_fd_use_all_levels(system_dbusd_t) -+ mls_rangetrans_target(system_dbusd_t) -+ mls_file_read_all_levels(system_dbusd_t) -+ mls_socket_write_all_levels(system_dbusd_t) -+ mls_socket_read_to_clearance(system_dbusd_t) -+ mls_dbus_recv_all_levels(system_dbusd_t) -+') -+ - ############################## - # - # System bus local policy -@@ -45,7 +60,7 @@ - # cjp: dac_override should probably go in a distro_debian - allow system_dbusd_t self:capability { dac_override setgid setpcap setuid }; - dontaudit system_dbusd_t self:capability sys_tty_config; --allow system_dbusd_t self:process { getattr signal_perms setcap }; -+allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap }; - allow system_dbusd_t self:fifo_file rw_fifo_file_perms; - allow system_dbusd_t self:dbus { send_msg acquire_svc }; - allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto }; -@@ -53,6 +68,8 @@ - # Receive notifications of policy reloads and enforcing status changes. - allow system_dbusd_t self:netlink_selinux_socket { create bind read }; - -+can_exec(system_dbusd_t, dbusd_exec_t) -+ - allow system_dbusd_t dbusd_etc_t:dir list_dir_perms; - read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) - read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) -@@ -73,8 +90,10 @@ - dev_read_urand(system_dbusd_t) - dev_read_sysfs(system_dbusd_t) - -+fs_list_inotifyfs(system_dbusd_t) - fs_getattr_all_fs(system_dbusd_t) - fs_search_auto_mountpoints(system_dbusd_t) -+fs_dontaudit_list_nfs(system_dbusd_t) - - selinux_get_fs_mount(system_dbusd_t) - selinux_validate_context(system_dbusd_t) -@@ -91,9 +110,9 @@ - corecmd_list_bin(system_dbusd_t) - corecmd_read_bin_pipes(system_dbusd_t) - corecmd_read_bin_sockets(system_dbusd_t) --corecmd_exec_bin(system_dbusd_t) - - domain_use_interactive_fds(system_dbusd_t) -+domain_read_all_domains_state(system_dbusd_t) - - files_read_etc_files(system_dbusd_t) - files_list_home(system_dbusd_t) -@@ -101,6 +120,8 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.24/policy/modules/services/dbus.te +--- nsaserefpolicy/policy/modules/services/dbus.te 2009-07-28 13:28:33.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/dbus.te 2009-07-28 14:06:19.000000000 -0400 +@@ -121,6 +121,8 @@ init_use_fds(system_dbusd_t) init_use_script_ptys(system_dbusd_t) @@ -11519,7 +10777,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_audit_msgs(system_dbusd_t) logging_send_syslog_msg(system_dbusd_t) -@@ -120,9 +141,39 @@ +@@ -140,6 +142,15 @@ ') optional_policy(` @@ -11532,18 +10790,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +optional_policy(` + policykit_dbus_chat(system_dbusd_t) -+ policykit_domtrans_auth(system_dbusd_t) -+ policykit_search_lib(system_dbusd_t) -+') -+ -+optional_policy(` - sysnet_domtrans_dhcpc(system_dbusd_t) + policykit_domtrans_auth(system_dbusd_t) + policykit_search_lib(system_dbusd_t) ') - - optional_policy(` - udev_read_db(system_dbusd_t) - ') -+ +@@ -156,5 +168,18 @@ + # + # Unconfined access to this module + # +optional_policy(` + gen_require(` + type unconfined_dbusd_t; @@ -11555,13 +10808,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_rw_shm(unconfined_dbusd_t) + ') +') -+ -+allow dbusd_unconfined session_bus_type:dbus all_dbus_perms; + + allow dbusd_unconfined session_bus_type:dbus all_dbus_perms; +allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms; +allow session_bus_type dbusd_unconfined:dbus send_msg; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.23/policy/modules/services/dcc.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.24/policy/modules/services/dcc.te --- nsaserefpolicy/policy/modules/services/dcc.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/dcc.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/dcc.te 2009-07-28 13:42:19.000000000 -0400 @@ -130,11 +130,13 @@ # Access files in /var/dcc. The map file can be updated @@ -11588,9 +10841,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol spamassassin_read_spamd_tmp_files(dcc_client_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.if serefpolicy-3.6.23/policy/modules/services/ddclient.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.if serefpolicy-3.6.24/policy/modules/services/ddclient.if --- nsaserefpolicy/policy/modules/services/ddclient.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/ddclient.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/ddclient.if 2009-07-28 13:42:19.000000000 -0400 @@ -21,6 +21,31 @@ ######################################## @@ -11623,9 +10876,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate ## an ddclient environment ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.23/policy/modules/services/devicekit.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.24/policy/modules/services/devicekit.fc --- nsaserefpolicy/policy/modules/services/devicekit.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/services/devicekit.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/devicekit.fc 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,9 @@ + +/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0) @@ -11636,9 +10889,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.23/policy/modules/services/devicekit.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.24/policy/modules/services/devicekit.if --- nsaserefpolicy/policy/modules/services/devicekit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/services/devicekit.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/devicekit.if 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,197 @@ + +## policy for devicekit @@ -11837,10 +11090,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 devicekit_disk_t:dbus send_msg; + allow devicekit_disk_t $1:dbus send_msg; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.23/policy/modules/services/devicekit.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.24/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/services/devicekit.te 2009-07-23 16:39:09.000000000 -0400 -@@ -0,0 +1,244 @@ ++++ serefpolicy-3.6.24/policy/modules/services/devicekit.te 2009-07-28 14:13:14.000000000 -0400 +@@ -0,0 +1,248 @@ +policy_module(devicekit,1.0.0) + +######################################## @@ -11940,7 +11193,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +optional_policy(` + hal_domtrans_mac(devicekit_power_t) -+ hal_create_log(devicekit_power_t) ++ hal_manage_log(devicekit_power_t) + hal_manage_pid_dirs(devicekit_power_t) + hal_manage_pid_files(devicekit_power_t) + hal_dbus_chat(devicekit_power_t) @@ -11984,6 +11237,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` ++ udev_read_db(devicekit_power_t) ++') ++ ++optional_policy(` + vbetool_domtrans(devicekit_power_t) +') +# @@ -12085,9 +11342,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# unconfined_domain(devicekit_disk_t) +#') +#') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.23/policy/modules/services/dnsmasq.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.24/policy/modules/services/dnsmasq.te --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/dnsmasq.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/dnsmasq.te 2009-07-28 13:42:19.000000000 -0400 @@ -83,6 +83,14 @@ userdom_dontaudit_search_user_home_dirs(dnsmasq_t) @@ -12103,9 +11360,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(dnsmasq_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.23/policy/modules/services/dovecot.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.24/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/dovecot.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/dovecot.te 2009-07-28 13:42:19.000000000 -0400 @@ -103,6 +103,7 @@ dev_read_urand(dovecot_t) @@ -12130,9 +11387,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # dovecot deliver local policy -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.23/policy/modules/services/exim.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.24/policy/modules/services/exim.te --- nsaserefpolicy/policy/modules/services/exim.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/exim.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/exim.te 2009-07-28 13:42:19.000000000 -0400 @@ -191,6 +191,10 @@ ') @@ -12144,9 +11401,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol spamassassin_exec(exim_t) spamassassin_exec_client(exim_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.6.23/policy/modules/services/fetchmail.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.6.24/policy/modules/services/fetchmail.te --- nsaserefpolicy/policy/modules/services/fetchmail.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/fetchmail.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/fetchmail.te 2009-07-28 13:42:19.000000000 -0400 @@ -47,6 +47,8 @@ kernel_read_proc_symlinks(fetchmail_t) kernel_dontaudit_read_system_state(fetchmail_t) @@ -12156,17 +11413,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(fetchmail_t) corenet_all_recvfrom_netlabel(fetchmail_t) corenet_tcp_sendrecv_generic_if(fetchmail_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.fc serefpolicy-3.6.23/policy/modules/services/fprintd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.fc serefpolicy-3.6.24/policy/modules/services/fprintd.fc --- nsaserefpolicy/policy/modules/services/fprintd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/services/fprintd.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/fprintd.fc 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,4 @@ + +/usr/libexec/fprintd -- gen_context(system_u:object_r:fprintd_exec_t,s0) + +/var/lib/fprint(/.*)? gen_context(system_u:object_r:fprintd_var_lib_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.if serefpolicy-3.6.23/policy/modules/services/fprintd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.if serefpolicy-3.6.24/policy/modules/services/fprintd.if --- nsaserefpolicy/policy/modules/services/fprintd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/services/fprintd.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/fprintd.if 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,43 @@ + +## policy for fprintd @@ -12211,9 +11468,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow fprintd_t $1:dbus send_msg; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.23/policy/modules/services/fprintd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.24/policy/modules/services/fprintd.te --- nsaserefpolicy/policy/modules/services/fprintd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/services/fprintd.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/fprintd.te 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,55 @@ +policy_module(fprintd,1.0.0) + @@ -12270,9 +11527,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +permissive fprintd_t; + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.23/policy/modules/services/ftp.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.24/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/ftp.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/ftp.te 2009-07-28 13:42:19.000000000 -0400 @@ -41,6 +41,13 @@ ## @@ -12374,16 +11631,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(ftpd_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.6.23/policy/modules/services/gnomeclock.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.6.24/policy/modules/services/gnomeclock.fc --- nsaserefpolicy/policy/modules/services/gnomeclock.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/services/gnomeclock.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/gnomeclock.fc 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,3 @@ + +/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.6.23/policy/modules/services/gnomeclock.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.6.24/policy/modules/services/gnomeclock.if --- nsaserefpolicy/policy/modules/services/gnomeclock.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/services/gnomeclock.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/gnomeclock.if 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,69 @@ + +## policy for gnomeclock @@ -12454,9 +11711,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 gnomeclock_t:dbus send_msg; + allow gnomeclock_t $1:dbus send_msg; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.6.23/policy/modules/services/gnomeclock.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.6.24/policy/modules/services/gnomeclock.te --- nsaserefpolicy/policy/modules/services/gnomeclock.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/services/gnomeclock.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/gnomeclock.te 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,50 @@ +policy_module(gnomeclock, 1.0.0) +######################################## @@ -12508,9 +11765,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + policykit_read_reload(gnomeclock_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.6.23/policy/modules/services/gpsd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.6.24/policy/modules/services/gpsd.fc --- nsaserefpolicy/policy/modules/services/gpsd.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/gpsd.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/gpsd.fc 2009-07-28 13:42:19.000000000 -0400 @@ -1 +1,6 @@ +/etc/rc\.d/init\.d/gpsd -- gen_context(system_u:object_r:gpsd_initrc_exec_t,s0) + @@ -12518,9 +11775,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/var/run/gpsd\.pid -- gen_context(system_u:object_r:gpsd_var_run_t,s0) +/var/run/gpsd\.sock -s gen_context(system_u:object_r:gpsd_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.if serefpolicy-3.6.23/policy/modules/services/gpsd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.if serefpolicy-3.6.24/policy/modules/services/gpsd.if --- nsaserefpolicy/policy/modules/services/gpsd.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/gpsd.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/gpsd.if 2009-07-28 13:42:19.000000000 -0400 @@ -33,11 +33,6 @@ ## The role to be allowed the gpsd domain. ## @@ -12566,9 +11823,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) + read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.6.23/policy/modules/services/gpsd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.6.24/policy/modules/services/gpsd.te --- nsaserefpolicy/policy/modules/services/gpsd.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/gpsd.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/gpsd.te 2009-07-28 13:42:19.000000000 -0400 @@ -11,9 +11,15 @@ application_domain(gpsd_t, gpsd_exec_t) init_daemon_domain(gpsd_t, gpsd_exec_t) @@ -12596,90 +11853,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(gpsd_t) corenet_all_recvfrom_netlabel(gpsd_t) corenet_tcp_sendrecv_generic_if(gpsd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.6.23/policy/modules/services/hal.fc ---- nsaserefpolicy/policy/modules/services/hal.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/hal.fc 2009-07-23 16:39:09.000000000 -0400 -@@ -5,6 +5,7 @@ - /usr/bin/hal-setup-keymap -- gen_context(system_u:object_r:hald_keymap_exec_t,s0) - - /usr/libexec/hal-acl-tool -- gen_context(system_u:object_r:hald_acl_exec_t,s0) -+/usr/libexec/hal-dccm -- gen_context(system_u:object_r:hald_dccm_exec_t,s0) - /usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0) - /usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0) - /usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.23/policy/modules/services/hal.if ---- nsaserefpolicy/policy/modules/services/hal.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/hal.if 2009-07-23 16:39:09.000000000 -0400 -@@ -20,6 +20,24 @@ - - ######################################## - ## -+## Execute hal mac in the hal mac domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`hal_domtrans_mac',` -+ gen_require(` -+ type hald_mac_t, hald_mac_exec_t; -+ ') -+ -+ domtrans_pattern($1, hald_mac_exec_t, hald_mac_t) -+') -+ -+######################################## -+## - ## Get the attributes of a hal process. - ## - ## -@@ -51,10 +69,7 @@ - type hald_t; - ') - -- allow $1 hald_t:dir list_dir_perms; -- read_files_pattern($1, hald_t, hald_t) -- read_lnk_files_pattern($1, hald_t, hald_t) -- dontaudit $1 hald_t:process ptrace; -+ ps_process_pattern($1, hald_t) - ') - - ######################################## -@@ -170,6 +185,24 @@ - - ######################################## - ## -+## Allo read/write to a hal unix datagram socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`hal_rw_dgram_sockets',` -+ gen_require(` -+ type hald_t; -+ ') -+ -+ dontaudit $1 hald_t:unix_dgram_socket { read write }; -+') -+ -+######################################## -+## - ## Send to hal over a unix domain - ## stream socket. - ## -@@ -340,3 +373,62 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.24/policy/modules/services/hal.if +--- nsaserefpolicy/policy/modules/services/hal.if 2009-07-28 13:28:33.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/hal.if 2009-07-28 14:14:19.000000000 -0400 +@@ -413,3 +414,21 @@ files_search_pids($1) - allow $1 hald_var_run_t:file rw_file_perms; + manage_files_pattern($1, hald_var_run_t, hald_var_run_t) ') + +######################################## +## -+## Manage hald PID dirs. ++## Dontaudit read/write to a hal unix datagram socket. +## +## +## @@ -12687,74 +11871,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`hal_manage_pid_dirs',` ++interface(`hal_dontaudit_rw_dgram_sockets',` + gen_require(` -+ type hald_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ manage_dirs_pattern($1, hald_var_run_t, hald_var_run_t) -+') -+ -+######################################## -+## -+## Manage hald PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`hal_manage_pid_files',` -+ gen_require(` -+ type hald_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ manage_files_pattern($1, hald_var_run_t, hald_var_run_t) -+') -+ -+######################################## -+## -+## Manage hald log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`hal_create_log',` -+ gen_require(` -+ type hald_log_t; ++ type hald_t; + ') + -+ # log files for hald -+ manage_files_pattern($1, hald_log_t, hald_log_t) -+ logging_log_filetrans($1, hald_log_t, file) ++ dontaudit $1 hald_t:unix_dgram_socket { read write }; +') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.23/policy/modules/services/hal.te ---- nsaserefpolicy/policy/modules/services/hal.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/hal.te 2009-07-23 16:39:09.000000000 -0400 -@@ -49,6 +49,15 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.24/policy/modules/services/hal.te +--- nsaserefpolicy/policy/modules/services/hal.te 2009-07-28 13:28:33.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/hal.te 2009-07-28 14:20:01.000000000 -0400 +@@ -55,6 +55,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) +typealias hald_log_t alias pmtools_log_t; +typealias hald_var_run_t alias pmtools_var_run_t; + -+type hald_dccm_t; -+type hald_dccm_exec_t; -+domain_type(hald_dccm_t) -+domain_entry_file(hald_dccm_t, hald_dccm_exec_t) -+role system_r types hald_dccm_t; -+ ######################################## # # Local policy -@@ -94,6 +103,7 @@ +@@ -100,6 +103,7 @@ kernel_rw_irq_sysctls(hald_t) kernel_rw_vm_sysctls(hald_t) kernel_write_proc_files(hald_t) @@ -12762,16 +11899,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_setsched(hald_t) auth_read_pam_console_data(hald_t) -@@ -141,13 +151,20 @@ - # hal is now execing pm-suspend - files_create_boot_flag(hald_t) - files_getattr_all_dirs(hald_t) -+files_getattr_all_files(hald_t) - files_read_kernel_img(hald_t) - files_rw_lock_dirs(hald_t) -+files_read_generic_pids(hald_t) - - fs_getattr_all_fs(hald_t) +@@ -156,6 +160,11 @@ fs_search_all(hald_t) fs_list_inotifyfs(hald_t) fs_list_auto_mountpoints(hald_t) @@ -12780,37 +11908,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +fs_manage_dos_files(hald_t) +fs_manage_fusefs_dirs(hald_t) + - files_getattr_all_mountpoints(hald_t) - - mls_file_read_all_levels(hald_t) -@@ -195,6 +212,7 @@ - seutil_read_file_contexts(hald_t) - - sysnet_read_config(hald_t) -+sysnet_domtrans_dhcpc(hald_t) - - userdom_dontaudit_use_unpriv_user_fds(hald_t) - userdom_dontaudit_search_user_home_dirs(hald_t) -@@ -277,6 +295,18 @@ - ') - - optional_policy(` -+ ppp_read_rw_config(hald_t) -+') -+ -+optional_policy(` -+ policykit_dbus_chat(hald_t) -+ policykit_domtrans_auth(hald_t) -+ policykit_domtrans_resolve(hald_t) -+ policykit_read_lib(hald_t) -+ policykit_read_reload(hald_t) -+') -+ -+optional_policy(` - rpc_search_nfs_state_data(hald_t) + files_getattr_all_mountpoints(hald_t) + + mls_file_read_all_levels(hald_t) +@@ -290,6 +299,7 @@ ') -@@ -298,7 +328,11 @@ + optional_policy(` ++ policykit_dbus_chat(hald_t) + policykit_domtrans_auth(hald_t) + policykit_domtrans_resolve(hald_t) + policykit_read_lib(hald_t) +@@ -318,7 +328,11 @@ ') optional_policy(` @@ -12823,16 +11932,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -306,7 +340,7 @@ - # Hal acl local policy - # - --allow hald_acl_t self:capability { dac_override fowner }; -+allow hald_acl_t self:capability { dac_override fowner sys_resource }; - allow hald_acl_t self:process { getattr signal }; - allow hald_acl_t self:fifo_file rw_fifo_file_perms; - -@@ -321,6 +355,7 @@ +@@ -341,6 +355,7 @@ manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file }) @@ -12840,111 +11940,61 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(hald_acl_t) -@@ -339,6 +374,8 @@ - - storage_getattr_removable_dev(hald_acl_t) - storage_setattr_removable_dev(hald_acl_t) -+storage_getattr_fixed_disk_dev(hald_acl_t) -+storage_setattr_fixed_disk_dev(hald_acl_t) - - auth_use_nsswitch(hald_acl_t) - -@@ -346,12 +383,19 @@ - +@@ -369,6 +384,7 @@ miscfiles_read_localization(hald_acl_t) -+optional_policy(` + optional_policy(` + policykit_dbus_chat(hald_acl_t) -+ policykit_domtrans_auth(hald_acl_t) -+ policykit_read_lib(hald_acl_t) -+ policykit_read_reload(hald_acl_t) -+') -+ - ######################################## - # - # Local hald mac policy - # - --allow hald_mac_t self:capability { setgid setuid }; -+allow hald_mac_t self:capability { setgid setuid sys_admin }; - - domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t) - allow hald_t hald_mac_t:process signal; -@@ -374,6 +418,8 @@ - - auth_use_nsswitch(hald_mac_t) - -+logging_send_syslog_msg(hald_mac_t) -+ - miscfiles_read_localization(hald_mac_t) - - ######################################## -@@ -415,6 +461,62 @@ - - dev_rw_input_dev(hald_keymap_t) - -+files_read_etc_files(hald_keymap_t) - files_read_usr_files(hald_keymap_t) + policykit_domtrans_auth(hald_acl_t) + policykit_read_lib(hald_acl_t) + policykit_read_reload(hald_acl_t) +@@ -450,11 +466,15 @@ miscfiles_read_localization(hald_keymap_t) -+ + +# This is caused by a bug in hald and PolicyKit. +# Should be removed when this is fixed +cron_read_system_job_lib_files(hald_t) + -+######################################## -+# -+# Local hald dccm policy -+# + ######################################## + # + # Local hald dccm policy + # +- +allow hald_dccm_t self:fifo_file rw_fifo_file_perms; -+allow hald_dccm_t self:capability { net_bind_service }; -+allow hald_dccm_t self:process getsched; -+allow hald_dccm_t self:tcp_socket create_stream_socket_perms; -+allow hald_dccm_t self:udp_socket create_socket_perms; -+allow hald_dccm_t self:netlink_route_socket rw_netlink_socket_perms; -+ -+domtrans_pattern(hald_t, hald_dccm_exec_t, hald_dccm_t) -+allow hald_t hald_dccm_t:process signal; -+allow hald_dccm_t hald_t:unix_stream_socket connectto; -+ -+hal_rw_dgram_sockets(hald_dccm_t) -+ -+corenet_all_recvfrom_unlabeled(hald_dccm_t) -+corenet_all_recvfrom_netlabel(hald_dccm_t) -+corenet_tcp_sendrecv_generic_if(hald_dccm_t) -+corenet_udp_sendrecv_generic_if(hald_dccm_t) -+corenet_tcp_sendrecv_generic_node(hald_dccm_t) -+corenet_udp_sendrecv_generic_node(hald_dccm_t) -+corenet_tcp_sendrecv_all_ports(hald_dccm_t) -+corenet_udp_sendrecv_all_ports(hald_dccm_t) -+corenet_tcp_bind_generic_node(hald_dccm_t) -+corenet_udp_bind_generic_node(hald_dccm_t) -+corenet_udp_bind_dhcpc_port(hald_dccm_t) + allow hald_dccm_t self:capability { net_bind_service }; + allow hald_dccm_t self:process getsched; + allow hald_dccm_t self:tcp_socket create_stream_socket_perms; +@@ -473,6 +493,8 @@ + + kernel_search_network_sysctl(hald_dccm_t) + ++hal_dontaudit_rw_dgram_sockets(hald_dccm_t) ++ + corenet_all_recvfrom_unlabeled(hald_dccm_t) + corenet_all_recvfrom_netlabel(hald_dccm_t) + corenet_tcp_sendrecv_generic_if(hald_dccm_t) +@@ -484,6 +506,7 @@ + corenet_tcp_bind_generic_node(hald_dccm_t) + corenet_udp_bind_generic_node(hald_dccm_t) + corenet_udp_bind_dhcpc_port(hald_dccm_t) +corenet_tcp_bind_ftps_port(hald_dccm_t) -+corenet_tcp_bind_dccm_port(hald_dccm_t) -+ -+kernel_search_network_sysctl(hald_dccm_t) -+ -+logging_send_syslog_msg(hald_dccm_t) -+ -+manage_dirs_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t) -+manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t) -+files_search_var_lib(hald_dccm_t) -+ -+write_files_pattern(hald_dccm_t, hald_log_t, hald_log_t) -+ -+files_read_usr_files(hald_dccm_t) -+ -+miscfiles_read_localization(hald_dccm_t) + corenet_tcp_bind_dccm_port(hald_dccm_t) + + logging_send_syslog_msg(hald_dccm_t) +@@ -491,3 +514,9 @@ + files_read_usr_files(hald_dccm_t) + + miscfiles_read_localization(hald_dccm_t) + +optional_policy(` + dbus_system_bus_client(hald_dccm_t) +') + +permissive hald_dccm_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.23/policy/modules/services/kerberos.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.24/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/kerberos.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/kerberos.te 2009-07-28 13:42:19.000000000 -0400 @@ -277,6 +277,8 @@ # @@ -12984,20 +12034,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol sysnet_dns_name_resolve(kpropd_t) kerberos_use(kpropd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.6.23/policy/modules/services/kerneloops.te ---- nsaserefpolicy/policy/modules/services/kerneloops.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/kerneloops.te 2009-07-23 16:39:09.000000000 -0400 -@@ -51,6 +51,5 @@ - miscfiles_read_localization(kerneloops_t) - - optional_policy(` -- dbus_system_bus_client(kerneloops_t) -- dbus_connect_system_bus(kerneloops_t) -+ dbus_system_domain(kerneloops_t, kerneloops_exec_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.6.23/policy/modules/services/ktalk.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.6.24/policy/modules/services/ktalk.te --- nsaserefpolicy/policy/modules/services/ktalk.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/ktalk.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/ktalk.te 2009-07-28 13:42:19.000000000 -0400 @@ -69,6 +69,7 @@ files_read_etc_files(ktalkd_t) @@ -13006,9 +12045,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(ktalkd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.23/policy/modules/services/lircd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.24/policy/modules/services/lircd.te --- nsaserefpolicy/policy/modules/services/lircd.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/lircd.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/lircd.te 2009-07-28 13:42:19.000000000 -0400 @@ -42,7 +42,17 @@ # /dev/lircd socket manage_sock_files_pattern(lircd_t, lircd_sock_t, lircd_sock_t) @@ -13027,9 +12066,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + miscfiles_read_localization(lircd_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.23/policy/modules/services/mailman.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.24/policy/modules/services/mailman.te --- nsaserefpolicy/policy/modules/services/mailman.te 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/mailman.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/mailman.te 2009-07-28 13:42:19.000000000 -0400 @@ -78,6 +78,10 @@ mta_dontaudit_rw_queue(mailman_mail_t) @@ -13041,9 +12080,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cron_read_pipes(mailman_mail_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.6.23/policy/modules/services/memcached.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.6.24/policy/modules/services/memcached.te --- nsaserefpolicy/policy/modules/services/memcached.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/memcached.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/memcached.te 2009-07-28 13:42:19.000000000 -0400 @@ -44,6 +44,8 @@ files_read_etc_files(memcached_t) @@ -13053,9 +12092,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(memcached_t) sysnet_dns_name_resolve(memcached_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.23/policy/modules/services/mta.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.24/policy/modules/services/mta.fc --- nsaserefpolicy/policy/modules/services/mta.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/mta.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/mta.fc 2009-07-28 13:42:19.000000000 -0400 @@ -1,4 +1,4 @@ -/bin/mail -- gen_context(system_u:object_r:sendmail_exec_t,s0) +/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) @@ -13086,9 +12125,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -#') +HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0) +/root/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.23/policy/modules/services/mta.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.24/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/mta.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/mta.if 2009-07-28 13:42:19.000000000 -0400 @@ -130,6 +130,15 @@ sendmail_create_log($1_mail_t) ') @@ -13191,9 +12230,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.23/policy/modules/services/mta.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.24/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/mta.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/mta.te 2009-07-28 13:42:19.000000000 -0400 @@ -27,6 +27,9 @@ type mail_spool_t; files_mountpoint(mail_spool_t) @@ -13338,9 +12377,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # User send mail local policy -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.6.23/policy/modules/services/munin.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.6.24/policy/modules/services/munin.fc --- nsaserefpolicy/policy/modules/services/munin.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/munin.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/munin.fc 2009-07-28 13:42:19.000000000 -0400 @@ -9,3 +9,6 @@ /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) /var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) @@ -13348,9 +12387,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) +/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.23/policy/modules/services/munin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.24/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/munin.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/munin.te 2009-07-28 13:42:19.000000000 -0400 @@ -33,7 +33,7 @@ # Local policy # @@ -13430,9 +12469,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) +manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.23/policy/modules/services/mysql.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.24/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/mysql.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/mysql.te 2009-07-28 13:42:19.000000000 -0400 @@ -136,6 +136,8 @@ domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) @@ -13451,9 +12490,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mysql_read_config(mysqld_safe_t) mysql_search_pid_files(mysqld_safe_t) mysql_write_log(mysqld_safe_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.23/policy/modules/services/nagios.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.24/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/nagios.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/nagios.fc 2009-07-28 13:42:19.000000000 -0400 @@ -1,16 +1,21 @@ /etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) /etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) @@ -13479,9 +12518,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') +/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) +/usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.23/policy/modules/services/nagios.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.24/policy/modules/services/nagios.if --- nsaserefpolicy/policy/modules/services/nagios.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/nagios.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/nagios.if 2009-07-28 13:42:19.000000000 -0400 @@ -64,7 +64,7 @@ ######################################## @@ -13581,9 +12620,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + admin_pattern($1, nrpe_etc_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.23/policy/modules/services/nagios.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.24/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/nagios.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/nagios.te 2009-07-28 13:42:19.000000000 -0400 @@ -10,13 +10,12 @@ type nagios_exec_t; init_daemon_domain(nagios_t, nagios_exec_t) @@ -13679,9 +12718,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.23/policy/modules/services/networkmanager.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.24/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/networkmanager.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/networkmanager.fc 2009-07-28 13:42:19.000000000 -0400 @@ -1,12 +1,25 @@ +/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t, s0) +/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) @@ -13708,9 +12747,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.23/policy/modules/services/networkmanager.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.24/policy/modules/services/networkmanager.if --- nsaserefpolicy/policy/modules/services/networkmanager.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/networkmanager.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/networkmanager.if 2009-07-28 13:42:19.000000000 -0400 @@ -118,6 +118,24 @@ ######################################## @@ -13767,9 +12806,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + role $2 types NetworkManager_t; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.23/policy/modules/services/networkmanager.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.24/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/networkmanager.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/networkmanager.te 2009-07-28 13:42:19.000000000 -0400 @@ -19,6 +19,9 @@ type NetworkManager_tmp_t; files_tmp_file(NetworkManager_tmp_t) @@ -14001,9 +13040,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.6.23/policy/modules/services/nis.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.6.24/policy/modules/services/nis.fc --- nsaserefpolicy/policy/modules/services/nis.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/nis.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/nis.fc 2009-07-28 13:42:19.000000000 -0400 @@ -1,4 +1,7 @@ - +/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0) @@ -14013,9 +13052,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0) /sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.6.23/policy/modules/services/nis.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.6.24/policy/modules/services/nis.if --- nsaserefpolicy/policy/modules/services/nis.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/nis.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/nis.if 2009-07-28 13:42:19.000000000 -0400 @@ -28,7 +28,7 @@ type var_yp_t; ') @@ -14157,9 +13196,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + role $2 types ypbind_t; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.23/policy/modules/services/nis.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.24/policy/modules/services/nis.te --- nsaserefpolicy/policy/modules/services/nis.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/nis.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/nis.te 2009-07-28 13:42:19.000000000 -0400 @@ -13,6 +13,9 @@ type ypbind_exec_t; init_daemon_domain(ypbind_t, ypbind_exec_t) @@ -14209,9 +13248,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_all_rpc_ports(ypxfr_t) corenet_udp_bind_all_rpc_ports(ypxfr_t) corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.6.23/policy/modules/services/nscd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.6.24/policy/modules/services/nscd.if --- nsaserefpolicy/policy/modules/services/nscd.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/nscd.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/nscd.if 2009-07-28 13:42:19.000000000 -0400 @@ -236,6 +236,24 @@ ######################################## @@ -14237,9 +13276,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate ## an nscd environment ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.6.23/policy/modules/services/nscd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.6.24/policy/modules/services/nscd.te --- nsaserefpolicy/policy/modules/services/nscd.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/nscd.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/nscd.te 2009-07-28 13:42:19.000000000 -0400 @@ -90,6 +90,7 @@ selinux_compute_relabel_context(nscd_t) selinux_compute_user_contexts(nscd_t) @@ -14261,17 +13300,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + samba_read_config(nscd_t) + samba_read_var_files(nscd_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.fc serefpolicy-3.6.23/policy/modules/services/nslcd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.fc serefpolicy-3.6.24/policy/modules/services/nslcd.fc --- nsaserefpolicy/policy/modules/services/nslcd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/services/nslcd.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/nslcd.fc 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,4 @@ +/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0) +/etc/nss-ldapd.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0) +/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0) +/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.if serefpolicy-3.6.23/policy/modules/services/nslcd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.if serefpolicy-3.6.24/policy/modules/services/nslcd.if --- nsaserefpolicy/policy/modules/services/nslcd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/services/nslcd.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/nslcd.if 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,142 @@ + +## policy for nslcd @@ -14415,9 +13454,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + nslcd_manage_var_run($1) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.te serefpolicy-3.6.23/policy/modules/services/nslcd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.te serefpolicy-3.6.24/policy/modules/services/nslcd.te --- nsaserefpolicy/policy/modules/services/nslcd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/services/nslcd.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/nslcd.te 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,50 @@ +policy_module(nslcd,1.0.0) + @@ -14469,9 +13508,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +auth_use_nsswitch(nslcd_t) + +logging_send_syslog_msg(nslcd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.6.23/policy/modules/services/ntp.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.6.24/policy/modules/services/ntp.if --- nsaserefpolicy/policy/modules/services/ntp.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/ntp.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/ntp.if 2009-07-28 13:42:19.000000000 -0400 @@ -37,6 +37,32 @@ ######################################## @@ -14570,9 +13609,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.6.23/policy/modules/services/ntp.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.6.24/policy/modules/services/ntp.te --- nsaserefpolicy/policy/modules/services/ntp.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/ntp.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/ntp.te 2009-07-28 13:42:19.000000000 -0400 @@ -41,10 +41,11 @@ # sys_resource and setrlimit is for locking memory @@ -14611,9 +13650,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.6.23/policy/modules/services/nx.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.6.24/policy/modules/services/nx.te --- nsaserefpolicy/policy/modules/services/nx.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/nx.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/nx.te 2009-07-28 13:42:19.000000000 -0400 @@ -25,6 +25,9 @@ type nx_server_var_run_t; files_pid_file(nx_server_var_run_t) @@ -14634,18 +13673,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(nx_server_t) kernel_read_kernel_sysctls(nx_server_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.6.23/policy/modules/services/oddjob.fc ---- nsaserefpolicy/policy/modules/services/oddjob.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/oddjob.fc 2009-07-23 16:39:09.000000000 -0400 -@@ -1,4 +1,4 @@ --/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) -+/usr/lib(64)?/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) - - /usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.6.23/policy/modules/services/oddjob.if ---- nsaserefpolicy/policy/modules/services/oddjob.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/oddjob.if 2009-07-23 16:39:09.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.6.24/policy/modules/services/oddjob.if +--- nsaserefpolicy/policy/modules/services/oddjob.if 2009-07-28 13:28:33.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/oddjob.if 2009-07-28 13:42:19.000000000 -0400 @@ -44,6 +44,7 @@ ') @@ -14654,97 +13684,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -84,3 +85,28 @@ - - domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t) - ') -+ -+######################################## -+## -+## Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to allow the oddjob_mkhomedir domain. -+## -+## -+## -+# -+interface(`oddjob_run_mkhomedir',` -+ gen_require(` -+ type oddjob_mkhomedir_t; -+ ') -+ -+ oddjob_domtrans_mkhomedir($1) -+ role $2 types oddjob_mkhomedir_t; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.6.23/policy/modules/services/oddjob.te ---- nsaserefpolicy/policy/modules/services/oddjob.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/oddjob.te 2009-07-23 16:39:09.000000000 -0400 -@@ -10,14 +10,21 @@ - type oddjob_exec_t; - domain_type(oddjob_t) - init_daemon_domain(oddjob_t, oddjob_exec_t) -+domain_obj_id_change_exemption(oddjob_t) -+domain_role_change_exemption(oddjob_t) - domain_subj_id_change_exemption(oddjob_t) - - type oddjob_mkhomedir_t; - type oddjob_mkhomedir_exec_t; - domain_type(oddjob_mkhomedir_t) --init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) -+domain_obj_id_change_exemption(oddjob_mkhomedir_t) -+init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) - oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) - -+ifdef(`enable_mcs',` -+ init_ranged_daemon_domain(oddjob_t, oddjob_exec_t,s0 - mcs_systemhigh) -+') -+ - # pid files - type oddjob_var_run_t; - files_pid_file(oddjob_var_run_t) -@@ -65,13 +72,32 @@ - # oddjob_mkhomedir local policy - # - -+allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override }; -+allow oddjob_mkhomedir_t self:process setfscreate; - allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms; - allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms; - - files_read_etc_files(oddjob_mkhomedir_t) - -+kernel_read_system_state(oddjob_mkhomedir_t) -+ -+auth_use_nsswitch(oddjob_mkhomedir_t) -+ -+logging_send_syslog_msg(oddjob_mkhomedir_t) -+ - miscfiles_read_localization(oddjob_mkhomedir_t) - -+selinux_get_fs_mount(oddjob_mkhomedir_t) -+selinux_validate_context(oddjob_mkhomedir_t) -+selinux_compute_access_vector(oddjob_mkhomedir_t) -+selinux_compute_create_context(oddjob_mkhomedir_t) -+selinux_compute_relabel_context(oddjob_mkhomedir_t) -+selinux_compute_user_contexts(oddjob_mkhomedir_t) -+ -+seutil_read_config(oddjob_mkhomedir_t) -+seutil_read_file_contexts(oddjob_mkhomedir_t) -+seutil_read_default_contexts(oddjob_mkhomedir_t) -+ - # Add/remove user home directories - userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t) - userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.23/policy/modules/services/openvpn.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.24/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/openvpn.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/openvpn.te 2009-07-28 13:42:19.000000000 -0400 @@ -86,6 +86,7 @@ corenet_udp_bind_openvpn_port(openvpn_t) corenet_tcp_connect_openvpn_port(openvpn_t) @@ -14753,9 +13695,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_rw_tun_tap_dev(openvpn_t) corenet_sendrecv_openvpn_server_packets(openvpn_t) corenet_sendrecv_openvpn_client_packets(openvpn_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.23/policy/modules/services/pcscd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.24/policy/modules/services/pcscd.te --- nsaserefpolicy/policy/modules/services/pcscd.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/pcscd.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/pcscd.te 2009-07-28 13:42:19.000000000 -0400 @@ -29,6 +29,7 @@ manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) @@ -14773,9 +13715,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_unallocated_ttys(pcscd_t) term_dontaudit_getattr_pty_dirs(pcscd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.6.23/policy/modules/services/pegasus.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.6.24/policy/modules/services/pegasus.te --- nsaserefpolicy/policy/modules/services/pegasus.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/pegasus.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/pegasus.te 2009-07-28 13:42:19.000000000 -0400 @@ -30,7 +30,7 @@ # Local policy # @@ -14847,9 +13789,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xen_stream_connect(pegasus_t) + xen_stream_connect_xenstore(pegasus_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.6.23/policy/modules/services/policykit.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.6.24/policy/modules/services/policykit.fc --- nsaserefpolicy/policy/modules/services/policykit.fc 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/policykit.fc 2009-07-27 09:04:55.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/policykit.fc 2009-07-28 13:42:19.000000000 -0400 @@ -1,7 +1,7 @@ /usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) /usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) @@ -14859,9 +13801,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0) /var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.6.23/policy/modules/services/policykit.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.6.24/policy/modules/services/policykit.if --- nsaserefpolicy/policy/modules/services/policykit.if 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/policykit.if 2009-07-23 17:17:05.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/policykit.if 2009-07-28 13:42:19.000000000 -0400 @@ -17,6 +17,8 @@ class dbus send_msg; ') @@ -14911,9 +13853,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + policykit_read_reload($2) + policykit_dbus_chat($2) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.23/policy/modules/services/policykit.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.24/policy/modules/services/policykit.te --- nsaserefpolicy/policy/modules/services/policykit.te 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/policykit.te 2009-07-27 11:48:01.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/policykit.te 2009-07-28 13:42:19.000000000 -0400 @@ -38,9 +38,10 @@ allow policykit_t self:capability { setgid setuid }; @@ -15009,9 +13951,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow policykit_resolve_t self:unix_dgram_socket create_socket_perms; allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.6.23/policy/modules/services/postfix.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.6.24/policy/modules/services/postfix.fc --- nsaserefpolicy/policy/modules/services/postfix.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/postfix.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/postfix.fc 2009-07-28 13:42:19.000000000 -0400 @@ -29,12 +29,10 @@ /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) @@ -15025,9 +13967,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0) /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.23/policy/modules/services/postfix.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.24/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/postfix.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/postfix.if 2009-07-28 13:42:19.000000000 -0400 @@ -46,6 +46,7 @@ allow postfix_$1_t postfix_etc_t:dir list_dir_perms; @@ -15274,9 +14216,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + role $2 types postfix_postdrop_t; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.23/policy/modules/services/postfix.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.24/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/postfix.te 2009-07-27 09:06:16.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/postfix.te 2009-07-28 13:42:19.000000000 -0400 @@ -6,6 +6,15 @@ # Declarations # @@ -15656,9 +14598,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +userdom_manage_user_home_content(postfix_virtual_t) +userdom_home_filetrans_user_home_dir(postfix_virtual_t) +userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir }) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.6.23/policy/modules/services/postgresql.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.6.24/policy/modules/services/postgresql.fc --- nsaserefpolicy/policy/modules/services/postgresql.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/postgresql.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/postgresql.fc 2009-07-28 13:42:19.000000000 -0400 @@ -2,6 +2,7 @@ # /etc # @@ -15667,9 +14609,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /usr -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.6.23/policy/modules/services/postgresql.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.6.24/policy/modules/services/postgresql.if --- nsaserefpolicy/policy/modules/services/postgresql.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/postgresql.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/postgresql.if 2009-07-28 13:42:19.000000000 -0400 @@ -384,3 +384,46 @@ typeattribute $1 sepgsql_unconfined_type; @@ -15717,9 +14659,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + admin_pattern($1, postgresql_tmp_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.23/policy/modules/services/postgresql.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.24/policy/modules/services/postgresql.te --- nsaserefpolicy/policy/modules/services/postgresql.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/postgresql.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/postgresql.te 2009-07-28 13:42:19.000000000 -0400 @@ -32,6 +32,9 @@ type postgresql_etc_t; files_config_file(postgresql_etc_t) @@ -15758,9 +14700,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(postgresql_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.23/policy/modules/services/ppp.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.24/policy/modules/services/ppp.if --- nsaserefpolicy/policy/modules/services/ppp.if 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/ppp.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/ppp.if 2009-07-28 13:42:19.000000000 -0400 @@ -177,10 +177,16 @@ interface(`ppp_run',` gen_require(` @@ -15778,9 +14720,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.23/policy/modules/services/ppp.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.24/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/ppp.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/ppp.te 2009-07-28 13:42:19.000000000 -0400 @@ -193,6 +193,8 @@ optional_policy(` @@ -15819,9 +14761,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hostname_exec(pptp_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.6.23/policy/modules/services/privoxy.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.6.24/policy/modules/services/privoxy.te --- nsaserefpolicy/policy/modules/services/privoxy.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/privoxy.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/privoxy.te 2009-07-28 13:42:19.000000000 -0400 @@ -47,9 +47,8 @@ manage_files_pattern(privoxy_t, privoxy_var_run_t, privoxy_var_run_t) files_pid_filetrans(privoxy_t, privoxy_var_run_t, file) @@ -15833,9 +14775,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(privoxy_t) corenet_all_recvfrom_netlabel(privoxy_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.23/policy/modules/services/procmail.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.24/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/procmail.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/procmail.te 2009-07-28 13:42:19.000000000 -0400 @@ -22,7 +22,7 @@ # Local policy # @@ -15883,9 +14825,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.23/policy/modules/services/pyzor.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.24/policy/modules/services/pyzor.fc --- nsaserefpolicy/policy/modules/services/pyzor.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/pyzor.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/pyzor.fc 2009-07-28 13:42:19.000000000 -0400 @@ -1,6 +1,10 @@ /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) +/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0) @@ -15897,9 +14839,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.6.23/policy/modules/services/pyzor.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.6.24/policy/modules/services/pyzor.if --- nsaserefpolicy/policy/modules/services/pyzor.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/pyzor.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/pyzor.if 2009-07-28 13:42:19.000000000 -0400 @@ -88,3 +88,50 @@ corecmd_search_bin($1) can_exec($1, pyzor_exec_t) @@ -15951,9 +14893,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.23/policy/modules/services/pyzor.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.24/policy/modules/services/pyzor.te --- nsaserefpolicy/policy/modules/services/pyzor.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/pyzor.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/pyzor.te 2009-07-28 13:42:19.000000000 -0400 @@ -6,6 +6,38 @@ # Declarations # @@ -16018,17 +14960,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_search_user_home_dirs(pyzor_t) optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.6.23/policy/modules/services/razor.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.6.24/policy/modules/services/razor.fc --- nsaserefpolicy/policy/modules/services/razor.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/razor.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/razor.fc 2009-07-28 13:42:19.000000000 -0400 @@ -1,3 +1,4 @@ +/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) /etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.23/policy/modules/services/razor.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.24/policy/modules/services/razor.if --- nsaserefpolicy/policy/modules/services/razor.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/razor.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/razor.if 2009-07-28 13:42:19.000000000 -0400 @@ -157,3 +157,45 @@ domtrans_pattern($1, razor_exec_t, razor_t) @@ -16075,9 +15017,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + read_files_pattern($1, razor_var_lib_t, razor_var_lib_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.6.23/policy/modules/services/razor.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.6.24/policy/modules/services/razor.te --- nsaserefpolicy/policy/modules/services/razor.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/razor.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/razor.te 2009-07-28 13:42:19.000000000 -0400 @@ -6,6 +6,32 @@ # Declarations # @@ -16129,9 +15071,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.23/policy/modules/services/ricci.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.24/policy/modules/services/ricci.te --- nsaserefpolicy/policy/modules/services/ricci.te 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/ricci.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/ricci.te 2009-07-28 13:42:19.000000000 -0400 @@ -440,6 +440,10 @@ files_read_usr_files(ricci_modstorage_t) files_read_kernel_modules(ricci_modstorage_t) @@ -16143,9 +15085,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol storage_raw_read_fixed_disk(ricci_modstorage_t) term_dontaudit_use_console(ricci_modstorage_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.6.23/policy/modules/services/rpcbind.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.6.24/policy/modules/services/rpcbind.if --- nsaserefpolicy/policy/modules/services/rpcbind.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/rpcbind.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/rpcbind.if 2009-07-28 13:42:19.000000000 -0400 @@ -97,6 +97,26 @@ ######################################## @@ -16173,9 +15115,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate ## an rpcbind environment ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.23/policy/modules/services/rpc.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.24/policy/modules/services/rpc.if --- nsaserefpolicy/policy/modules/services/rpc.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/rpc.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/rpc.if 2009-07-28 13:42:19.000000000 -0400 @@ -54,7 +54,7 @@ allow $1_t self:unix_dgram_socket create_socket_perms; allow $1_t self:unix_stream_socket create_stream_socket_perms; @@ -16196,9 +15138,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole($1_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.23/policy/modules/services/rpc.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.24/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/rpc.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/rpc.te 2009-07-28 13:42:19.000000000 -0400 @@ -23,7 +23,7 @@ gen_tunable(allow_nfsd_anon_write, false) @@ -16300,9 +15242,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kerberos_keytab_template(gssd, gssd_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.23/policy/modules/services/rsync.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.24/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/rsync.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/rsync.te 2009-07-28 13:42:19.000000000 -0400 @@ -8,6 +8,13 @@ ## @@ -16337,15 +15279,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + auth_can_read_shadow_passwords(rsync_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.fc serefpolicy-3.6.23/policy/modules/services/rtkit_daemon.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.fc serefpolicy-3.6.24/policy/modules/services/rtkit_daemon.fc --- nsaserefpolicy/policy/modules/services/rtkit_daemon.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/services/rtkit_daemon.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/rtkit_daemon.fc 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,2 @@ + +/usr/libexec/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.if serefpolicy-3.6.23/policy/modules/services/rtkit_daemon.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.if serefpolicy-3.6.24/policy/modules/services/rtkit_daemon.if --- nsaserefpolicy/policy/modules/services/rtkit_daemon.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/services/rtkit_daemon.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/rtkit_daemon.if 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,64 @@ + +## policy for rtkit_daemon @@ -16411,9 +15353,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow rtkit_daemon_t $1:process { getsched setsched }; + rtkit_daemon_dbus_chat($1) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.te serefpolicy-3.6.23/policy/modules/services/rtkit_daemon.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.te serefpolicy-3.6.24/policy/modules/services/rtkit_daemon.te --- nsaserefpolicy/policy/modules/services/rtkit_daemon.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/services/rtkit_daemon.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/rtkit_daemon.te 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,36 @@ +policy_module(rtkit_daemon,1.0.0) + @@ -16451,9 +15393,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + policykit_dbus_chat(rtkit_daemon_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.23/policy/modules/services/samba.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.24/policy/modules/services/samba.fc --- nsaserefpolicy/policy/modules/services/samba.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/samba.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/samba.fc 2009-07-28 13:42:19.000000000 -0400 @@ -2,6 +2,9 @@ # # /etc @@ -16480,9 +15422,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +ifndef(`enable_mls',` +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.6.23/policy/modules/services/samba.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.6.24/policy/modules/services/samba.if --- nsaserefpolicy/policy/modules/services/samba.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/samba.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/samba.if 2009-07-28 13:42:19.000000000 -0400 @@ -4,6 +4,45 @@ ## from Windows NT servers. ## @@ -16880,9 +15822,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, samba_unconfined_script_exec_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.23/policy/modules/services/samba.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.24/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/samba.te 2009-07-27 11:16:18.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/samba.te 2009-07-28 13:42:19.000000000 -0400 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) @@ -17043,9 +15985,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`hide_broken_symptoms', ` files_dontaudit_getattr_default_dirs(smbd_t) files_dontaudit_getattr_boot_dirs(smbd_t) -@@ -333,25 +361,34 @@ +@@ -332,26 +360,39 @@ + ') tunable_policy(`samba_domain_controller',` ++ gen_require(` ++ class passwd passwd; ++ ') ++ usermanage_domtrans_passwd(smbd_t) + usermanage_kill_passwd(smbd_t) usermanage_domtrans_useradd(smbd_t) @@ -17070,21 +16017,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_manage_nfs_symlinks(smbd_t) + fs_manage_nfs_named_pipes(smbd_t) + fs_manage_nfs_named_sockets(smbd_t) -+') -+ + ') + +# Support Samba sharing of ntfs/fusefs mount points +tunable_policy(`samba_share_fusefs',` + fs_manage_fusefs_dirs(smbd_t) + fs_manage_fusefs_files(smbd_t) +',` + fs_search_fusefs(smbd_t) - ') - ++') ++ + optional_policy(` cups_read_rw_config(smbd_t) cups_stream_connect(smbd_t) -@@ -359,6 +396,16 @@ +@@ -359,6 +400,16 @@ optional_policy(` kerberos_use(smbd_t) @@ -17101,7 +16048,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -376,13 +423,15 @@ +@@ -376,13 +427,15 @@ tunable_policy(`samba_create_home_dirs',` allow smbd_t self:capability chown; userdom_create_user_home_dirs(smbd_t) @@ -17118,7 +16065,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_read_all_files_except_shadow(nmbd_t) ') -@@ -391,8 +440,8 @@ +@@ -391,8 +444,8 @@ auth_manage_all_files_except_shadow(smbd_t) fs_read_noxattr_fs_files(nmbd_t) auth_manage_all_files_except_shadow(nmbd_t) @@ -17128,7 +16075,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # -@@ -417,14 +466,11 @@ +@@ -417,14 +470,11 @@ files_pid_filetrans(nmbd_t, nmbd_var_run_t, file) read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) @@ -17144,7 +16091,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) allow nmbd_t smbd_var_run_t:dir rw_dir_perms; -@@ -553,21 +599,36 @@ +@@ -553,21 +603,36 @@ userdom_use_user_terminals(smbmount_t) userdom_use_all_users_fds(smbmount_t) @@ -17184,7 +16131,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol append_files_pattern(swat_t, samba_log_t, samba_log_t) -@@ -585,6 +646,9 @@ +@@ -585,6 +650,9 @@ files_pid_filetrans(swat_t, swat_var_run_t, file) allow swat_t winbind_exec_t:file mmap_file_perms; @@ -17194,7 +16141,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -609,6 +673,7 @@ +@@ -609,6 +677,7 @@ dev_read_urand(swat_t) @@ -17202,7 +16149,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(swat_t) files_search_home(swat_t) files_read_usr_files(swat_t) -@@ -618,6 +683,7 @@ +@@ -618,6 +687,7 @@ auth_use_nsswitch(swat_t) logging_send_syslog_msg(swat_t) @@ -17210,7 +16157,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_search_logs(swat_t) miscfiles_read_localization(swat_t) -@@ -635,14 +701,25 @@ +@@ -635,14 +705,25 @@ kerberos_use(swat_t) ') @@ -17238,7 +16185,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow winbind_t self:fifo_file rw_fifo_file_perms; allow winbind_t self:unix_dgram_socket create_socket_perms; allow winbind_t self:unix_stream_socket create_stream_socket_perms; -@@ -683,9 +760,10 @@ +@@ -683,9 +764,10 @@ manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) files_pid_filetrans(winbind_t, winbind_var_run_t, file) @@ -17251,7 +16198,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(winbind_t) corenet_all_recvfrom_netlabel(winbind_t) -@@ -709,10 +787,12 @@ +@@ -709,10 +791,12 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) @@ -17264,7 +16211,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(winbind_t) -@@ -768,8 +848,13 @@ +@@ -768,8 +852,13 @@ userdom_use_user_terminals(winbind_helper_t) optional_policy(` @@ -17278,7 +16225,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -778,6 +863,16 @@ +@@ -778,6 +867,16 @@ # optional_policy(` @@ -17295,7 +16242,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -788,9 +883,43 @@ +@@ -788,9 +887,43 @@ allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; @@ -17340,9 +16287,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow winbind_t smbcontrol_t:process signal; + +allow smbcontrol_t nmbd_var_run_t:file { read lock }; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.6.23/policy/modules/services/sasl.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.6.24/policy/modules/services/sasl.te --- nsaserefpolicy/policy/modules/services/sasl.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/sasl.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/sasl.te 2009-07-28 13:42:19.000000000 -0400 @@ -31,7 +31,7 @@ # Local policy # @@ -17405,9 +16352,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(saslauthd_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.23/policy/modules/services/sendmail.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.24/policy/modules/services/sendmail.if --- nsaserefpolicy/policy/modules/services/sendmail.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/sendmail.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/sendmail.if 2009-07-28 13:42:19.000000000 -0400 @@ -59,20 +59,20 @@ ######################################## @@ -17580,9 +16527,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 sendmail_t:fifo_file rw_fifo_file_perms; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.23/policy/modules/services/sendmail.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.24/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/sendmail.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/sendmail.te 2009-07-28 13:42:19.000000000 -0400 @@ -20,13 +20,17 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -17758,18 +16705,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl }; -') dnl end TODO -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.6.23/policy/modules/services/setroubleshoot.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.6.24/policy/modules/services/setroubleshoot.fc --- nsaserefpolicy/policy/modules/services/setroubleshoot.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/setroubleshoot.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/setroubleshoot.fc 2009-07-28 13:42:19.000000000 -0400 @@ -5,3 +5,5 @@ /var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0) /var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0) + +/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.6.23/policy/modules/services/setroubleshoot.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.6.24/policy/modules/services/setroubleshoot.if --- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/setroubleshoot.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/setroubleshoot.if 2009-07-28 13:42:19.000000000 -0400 @@ -16,8 +16,8 @@ ') @@ -17846,9 +16793,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_list_pids($1) + admin_pattern($1, setroubleshoot_var_run_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.23/policy/modules/services/setroubleshoot.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.24/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/setroubleshoot.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/setroubleshoot.te 2009-07-28 13:42:19.000000000 -0400 @@ -22,13 +22,19 @@ type setroubleshoot_var_run_t; files_pid_file(setroubleshoot_var_run_t) @@ -17966,9 +16913,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +permissive setroubleshoot_fixit_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.fc serefpolicy-3.6.23/policy/modules/services/shorewall.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.fc serefpolicy-3.6.24/policy/modules/services/shorewall.fc --- nsaserefpolicy/policy/modules/services/shorewall.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/services/shorewall.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/shorewall.fc 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,12 @@ + +/etc/rc\.d/init\.d/shorewall -- gen_context(system_u:object_r:shorewall_initrc_exec_t,s0) @@ -17982,9 +16929,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) +/var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.if serefpolicy-3.6.23/policy/modules/services/shorewall.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.if serefpolicy-3.6.24/policy/modules/services/shorewall.if --- nsaserefpolicy/policy/modules/services/shorewall.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/services/shorewall.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/shorewall.if 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,166 @@ +## policy for shorewall + @@ -18152,9 +17099,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, shorewall_tmp_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.te serefpolicy-3.6.23/policy/modules/services/shorewall.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.te serefpolicy-3.6.24/policy/modules/services/shorewall.te --- nsaserefpolicy/policy/modules/services/shorewall.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/services/shorewall.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/shorewall.te 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,102 @@ +policy_module(shorewall,1.0.0) + @@ -18258,9 +17205,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +permissive shorewall_t; + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.23/policy/modules/services/smartmon.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.24/policy/modules/services/smartmon.te --- nsaserefpolicy/policy/modules/services/smartmon.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/smartmon.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/smartmon.te 2009-07-28 13:42:19.000000000 -0400 @@ -19,6 +19,10 @@ type fsdaemon_tmp_t; files_tmp_file(fsdaemon_tmp_t) @@ -18318,53 +17265,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.if serefpolicy-3.6.23/policy/modules/services/snort.if ---- nsaserefpolicy/policy/modules/services/snort.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/snort.if 2009-07-23 16:39:09.000000000 -0400 -@@ -38,6 +38,7 @@ - interface(`snort_admin',` - gen_require(` - type snort_t, snort_var_run_t, snort_log_t; -+ type snort_etc_t; - type snort_initrc_exec_t; - ') - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.6.23/policy/modules/services/snort.te ---- nsaserefpolicy/policy/modules/services/snort.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/snort.te 2009-07-23 16:39:09.000000000 -0400 -@@ -56,6 +56,7 @@ - files_pid_filetrans(snort_t, snort_var_run_t, file) - - kernel_read_kernel_sysctls(snort_t) -+kernel_read_sysctl(snort_t) - kernel_list_proc(snort_t) - kernel_read_proc_symlinks(snort_t) - kernel_dontaudit_read_system_state(snort_t) -@@ -70,6 +71,7 @@ - corenet_raw_sendrecv_generic_node(snort_t) - corenet_tcp_sendrecv_all_ports(snort_t) - corenet_udp_sendrecv_all_ports(snort_t) -+corenet_tcp_connect_prelude_port(snort_t) - - dev_read_sysfs(snort_t) - dev_read_rand(snort_t) -@@ -94,6 +96,13 @@ - userdom_dontaudit_use_unpriv_user_fds(snort_t) - userdom_dontaudit_search_user_home_dirs(snort_t) - -+# snorts must be able to resolve dns in case it wants to relay to a remote prelude-manager -+sysnet_dns_name_resolve(snort_t) -+ -+optional_policy(` -+ prelude_manage_spool(snort_t) -+') -+ - optional_policy(` - seutil_sigchld_newrole(snort_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.23/policy/modules/services/spamassassin.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.24/policy/modules/services/spamassassin.fc --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/spamassassin.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/spamassassin.fc 2009-07-28 13:42:19.000000000 -0400 @@ -1,15 +1,25 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) @@ -18393,9 +17296,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) +/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) +/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.23/policy/modules/services/spamassassin.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.24/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/spamassassin.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/spamassassin.if 2009-07-28 13:42:19.000000000 -0400 @@ -111,6 +111,7 @@ ') @@ -18482,16 +17385,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_list_pids($1) + admin_pattern($1, spamd_var_run_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.23/policy/modules/services/spamassassin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.24/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/spamassassin.te 2009-07-23 16:39:09.000000000 -0400 -@@ -1,5 +1,5 @@ - --policy_module(spamassassin, 2.1.4) -+policy_module(spamassassin, 2.1.3) - - ######################################## - # ++++ serefpolicy-3.6.24/policy/modules/services/spamassassin.te 2009-07-28 13:42:19.000000000 -0400 @@ -20,6 +20,35 @@ ## gen_tunable(spamd_enable_home_dirs, true) @@ -18784,9 +17680,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` udev_read_db(spamd_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.23/policy/modules/services/squid.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.24/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/squid.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/squid.te 2009-07-28 13:42:19.000000000 -0400 @@ -118,6 +118,8 @@ fs_getattr_all_fs(squid_t) @@ -18805,18 +17701,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -#squid requires the following when run in diskd mode, the recommended setting -allow squid_t tmpfs_t:file { read write }; -') dnl end TODO -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.6.23/policy/modules/services/ssh.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.6.24/policy/modules/services/ssh.fc --- nsaserefpolicy/policy/modules/services/ssh.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/ssh.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/ssh.fc 2009-07-28 13:42:19.000000000 -0400 @@ -14,3 +14,5 @@ /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) /var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) + +/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.23/policy/modules/services/ssh.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.24/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/ssh.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/ssh.if 2009-07-28 13:42:19.000000000 -0400 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -19117,16 +18013,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + read_lnk_files_pattern($1, home_ssh_t, home_ssh_t) + userdom_search_user_home_dirs($1) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.23/policy/modules/services/ssh.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.24/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/ssh.te 2009-07-23 16:39:09.000000000 -0400 -@@ -1,5 +1,5 @@ - --policy_module(ssh, 2.0.3) -+policy_module(ssh, 2.0.2) - - ######################################## - # ++++ serefpolicy-3.6.24/policy/modules/services/ssh.te 2009-07-28 13:42:19.000000000 -0400 @@ -41,6 +41,9 @@ files_tmp_file(sshd_tmp_t) files_poly_parent(sshd_tmp_t) @@ -19298,18 +18187,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(ssh_keygen_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.23/policy/modules/services/sssd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.24/policy/modules/services/sssd.fc --- nsaserefpolicy/policy/modules/services/sssd.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/sssd.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/sssd.fc 2009-07-28 13:42:19.000000000 -0400 @@ -1,4 +1,4 @@ -/etc/rc.d/init.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0) /usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.23/policy/modules/services/sssd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.24/policy/modules/services/sssd.if --- nsaserefpolicy/policy/modules/services/sssd.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/sssd.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/sssd.if 2009-07-28 13:42:19.000000000 -0400 @@ -12,12 +12,32 @@ # interface(`sssd_domtrans',` @@ -19372,9 +18261,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send and receive messages from ## sssd over dbus. ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.23/policy/modules/services/uucp.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.24/policy/modules/services/uucp.te --- nsaserefpolicy/policy/modules/services/uucp.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/uucp.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/uucp.te 2009-07-28 13:42:19.000000000 -0400 @@ -95,6 +95,8 @@ files_search_home(uucpd_t) files_search_spool(uucpd_t) @@ -19392,9 +18281,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.23/policy/modules/services/virt.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.24/policy/modules/services/virt.fc --- nsaserefpolicy/policy/modules/services/virt.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/virt.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/virt.fc 2009-07-28 13:42:19.000000000 -0400 @@ -8,5 +8,16 @@ /var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) @@ -19412,9 +18301,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0) + +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.23/policy/modules/services/virt.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.24/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/virt.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/virt.if 2009-07-28 13:42:19.000000000 -0400 @@ -2,28 +2,6 @@ ######################################## @@ -19576,9 +18465,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.23/policy/modules/services/virt.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.24/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/virt.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/virt.te 2009-07-28 13:42:19.000000000 -0400 @@ -8,19 +8,38 @@ ## @@ -19908,9 +18797,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xen_rw_image_files(svirt_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.6.23/policy/modules/services/w3c.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.6.24/policy/modules/services/w3c.te --- nsaserefpolicy/policy/modules/services/w3c.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/w3c.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/w3c.te 2009-07-28 13:42:19.000000000 -0400 @@ -8,11 +8,18 @@ apache_content_template(w3c_validator) @@ -19930,9 +18819,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t) corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t) corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.23/policy/modules/services/xserver.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.24/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/xserver.fc 2009-07-27 13:50:30.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/xserver.fc 2009-07-28 13:42:19.000000000 -0400 @@ -3,12 +3,16 @@ # HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) @@ -20003,9 +18892,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_suse',` /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.23/policy/modules/services/xserver.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.24/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/xserver.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/xserver.if 2009-07-28 13:42:19.000000000 -0400 @@ -90,7 +90,7 @@ allow $2 xauth_home_t:file manage_file_perms; allow $2 xauth_home_t:file { relabelfrom relabelto }; @@ -20679,9 +19568,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow xdm_t $1:dbus send_msg; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.23/policy/modules/services/xserver.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.24/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/services/xserver.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/services/xserver.te 2009-07-28 13:42:19.000000000 -0400 @@ -34,6 +34,13 @@ ## @@ -21427,9 +20316,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -# -allow xdm_t user_home_type:file unlink; -') dnl end TODO -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.6.23/policy/modules/system/application.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.6.24/policy/modules/system/application.if --- nsaserefpolicy/policy/modules/system/application.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/application.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/application.if 2009-07-28 13:42:19.000000000 -0400 @@ -2,7 +2,7 @@ ######################################## @@ -21461,9 +20350,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 application_domain_type:process signull; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.23/policy/modules/system/application.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.24/policy/modules/system/application.te --- nsaserefpolicy/policy/modules/system/application.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/application.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/application.te 2009-07-28 13:42:19.000000000 -0400 @@ -7,7 +7,18 @@ # Executables to be run by user attribute application_exec_type; @@ -21483,9 +20372,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + sudo_sigchld(application_domain_type) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.6.23/policy/modules/system/authlogin.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.6.24/policy/modules/system/authlogin.fc --- nsaserefpolicy/policy/modules/system/authlogin.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/authlogin.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/authlogin.fc 2009-07-28 13:42:19.000000000 -0400 @@ -7,12 +7,10 @@ /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) @@ -21511,9 +20400,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) +/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.23/policy/modules/system/authlogin.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.24/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/authlogin.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/authlogin.if 2009-07-28 13:42:19.000000000 -0400 @@ -40,17 +40,76 @@ ## ## @@ -21813,9 +20702,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.23/policy/modules/system/authlogin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.24/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/authlogin.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/authlogin.te 2009-07-28 13:42:19.000000000 -0400 @@ -125,9 +125,18 @@ ') @@ -21835,9 +20724,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # PAM local policy -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.23/policy/modules/system/fstools.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.24/policy/modules/system/fstools.fc --- nsaserefpolicy/policy/modules/system/fstools.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/fstools.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/fstools.fc 2009-07-28 13:42:19.000000000 -0400 @@ -1,4 +1,3 @@ -/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) @@ -21851,9 +20740,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.6.23/policy/modules/system/fstools.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.6.24/policy/modules/system/fstools.te --- nsaserefpolicy/policy/modules/system/fstools.te 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/fstools.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/fstools.te 2009-07-28 13:42:19.000000000 -0400 @@ -97,6 +97,10 @@ fs_getattr_tmpfs_dirs(fsadm_t) fs_read_tmpfs_symlinks(fsadm_t) @@ -21882,9 +20771,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xen_rw_image_files(fsadm_t) ') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.6.23/policy/modules/system/hostname.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.6.24/policy/modules/system/hostname.te --- nsaserefpolicy/policy/modules/system/hostname.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/hostname.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/hostname.te 2009-07-28 13:42:19.000000000 -0400 @@ -8,7 +8,9 @@ type hostname_t; @@ -21896,9 +20785,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol role system_r types hostname_t; ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.23/policy/modules/system/init.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.24/policy/modules/system/init.fc --- nsaserefpolicy/policy/modules/system/init.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/init.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/init.fc 2009-07-28 13:42:19.000000000 -0400 @@ -4,10 +4,10 @@ /etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) @@ -21921,9 +20810,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /var # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.23/policy/modules/system/init.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.24/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/init.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/init.if 2009-07-28 13:42:19.000000000 -0400 @@ -174,6 +174,7 @@ role system_r types $1; @@ -22132,9 +21021,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 init_t:unix_dgram_socket sendto; + allow init_t $1:unix_dgram_socket sendto; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.23/policy/modules/system/init.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.24/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/init.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/init.te 2009-07-28 13:42:19.000000000 -0400 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart, false) @@ -22528,18 +21417,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + fail2ban_read_lib_files(daemon) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.6.23/policy/modules/system/ipsec.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.6.24/policy/modules/system/ipsec.fc --- nsaserefpolicy/policy/modules/system/ipsec.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/ipsec.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/ipsec.fc 2009-07-28 13:42:19.000000000 -0400 @@ -1,3 +1,5 @@ +/etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) + /etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0) /etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) /etc/racoon/psk\.txt -- gen_context(system_u:object_r:ipsec_key_file_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.6.23/policy/modules/system/ipsec.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.6.24/policy/modules/system/ipsec.if --- nsaserefpolicy/policy/modules/system/ipsec.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/ipsec.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/ipsec.if 2009-07-28 13:42:19.000000000 -0400 @@ -229,3 +229,28 @@ ipsec_domtrans_setkey($1) role $2 types setkey_t; @@ -22569,9 +21458,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ipsec_domtrans_racoon($1) + role $2 types racoon_t; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.23/policy/modules/system/ipsec.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.24/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/ipsec.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/ipsec.te 2009-07-28 13:42:19.000000000 -0400 @@ -15,6 +15,9 @@ type ipsec_conf_file_t; files_type(ipsec_conf_file_t) @@ -22672,9 +21561,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # allow setkey to set the context for ipsec SAs and policy. ipsec_setcontext_default_spd(setkey_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.23/policy/modules/system/iptables.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.24/policy/modules/system/iptables.fc --- nsaserefpolicy/policy/modules/system/iptables.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/iptables.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/iptables.fc 2009-07-28 13:42:19.000000000 -0400 @@ -1,9 +1,10 @@ -/sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) @@ -22691,9 +21580,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) -/var/lib/shorewall(/.*)? -- gen_context(system_u:object_r:iptables_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.23/policy/modules/system/iptables.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.24/policy/modules/system/iptables.te --- nsaserefpolicy/policy/modules/system/iptables.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/iptables.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/iptables.te 2009-07-28 13:42:19.000000000 -0400 @@ -53,6 +53,7 @@ mls_file_read_all_levels(iptables_t) @@ -22713,9 +21602,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rhgb_dontaudit_use_ptys(iptables_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-3.6.23/policy/modules/system/iscsi.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-3.6.24/policy/modules/system/iscsi.if --- nsaserefpolicy/policy/modules/system/iscsi.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/iscsi.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/iscsi.if 2009-07-28 13:42:19.000000000 -0400 @@ -17,3 +17,43 @@ domtrans_pattern($1, iscsid_exec_t, iscsid_t) @@ -22760,9 +21649,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + stream_connect_pattern($1,iscsi_var_lib_t,iscsi_var_lib_t,iscsid_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.23/policy/modules/system/iscsi.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.24/policy/modules/system/iscsi.te --- nsaserefpolicy/policy/modules/system/iscsi.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/iscsi.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/iscsi.te 2009-07-28 13:42:19.000000000 -0400 @@ -55,6 +55,7 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file) @@ -22786,9 +21675,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -sysnet_dns_name_resolve(iscsid_t) +miscfiles_read_localization(iscsid_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.23/policy/modules/system/libraries.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.24/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/libraries.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/libraries.fc 2009-07-28 13:42:19.000000000 -0400 @@ -60,12 +60,15 @@ # # /opt @@ -22995,9 +21884,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/ICAClient/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/midori/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.6.23/policy/modules/system/libraries.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.6.24/policy/modules/system/libraries.if --- nsaserefpolicy/policy/modules/system/libraries.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/libraries.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/libraries.if 2009-07-28 13:42:19.000000000 -0400 @@ -60,7 +60,7 @@ type lib_t, ld_so_t, ld_so_cache_t; ') @@ -23025,9 +21914,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1 lib_t:dir list_dir_perms; read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.23/policy/modules/system/libraries.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.24/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/libraries.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/libraries.te 2009-07-28 13:42:19.000000000 -0400 @@ -52,11 +52,11 @@ # ldconfig local policy # @@ -23084,9 +21973,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + unconfined_domain(ldconfig_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.23/policy/modules/system/locallogin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.24/policy/modules/system/locallogin.te --- nsaserefpolicy/policy/modules/system/locallogin.te 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/locallogin.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/locallogin.te 2009-07-28 13:42:19.000000000 -0400 @@ -67,6 +67,7 @@ dev_setattr_power_mgmt_dev(local_login_t) dev_getattr_sound_dev(local_login_t) @@ -23165,9 +22054,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -optional_policy(` - nscd_socket_use(sulogin_t) -') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.23/policy/modules/system/logging.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.24/policy/modules/system/logging.fc --- nsaserefpolicy/policy/modules/system/logging.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/logging.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/logging.fc 2009-07-28 13:42:19.000000000 -0400 @@ -53,15 +53,18 @@ /var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0) ') @@ -23191,9 +22080,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.23/policy/modules/system/logging.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.24/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/logging.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/logging.if 2009-07-28 13:42:19.000000000 -0400 @@ -623,7 +623,7 @@ ') @@ -23212,9 +22101,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.23/policy/modules/system/logging.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.24/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/logging.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/logging.te 2009-07-28 13:42:19.000000000 -0400 @@ -126,7 +126,7 @@ allow auditd_t self:process { signal_perms setpgid setsched }; allow auditd_t self:file rw_file_perms; @@ -23307,9 +22196,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.23/policy/modules/system/lvm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.24/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/lvm.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/lvm.te 2009-07-28 13:42:19.000000000 -0400 @@ -10,6 +10,9 @@ type clvmd_exec_t; init_daemon_domain(clvmd_t, clvmd_exec_t) @@ -23396,9 +22285,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` modutils_domtrans_insmod(lvm_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.23/policy/modules/system/miscfiles.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.24/policy/modules/system/miscfiles.if --- nsaserefpolicy/policy/modules/system/miscfiles.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/miscfiles.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/miscfiles.if 2009-07-28 13:42:19.000000000 -0400 @@ -87,6 +87,25 @@ ######################################## @@ -23425,9 +22314,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to write fonts. ## ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.23/policy/modules/system/modutils.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.24/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/modutils.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/modutils.te 2009-07-28 13:42:19.000000000 -0400 @@ -42,7 +42,7 @@ # insmod local policy # @@ -23540,9 +22429,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ################################# -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.6.23/policy/modules/system/mount.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.6.24/policy/modules/system/mount.fc --- nsaserefpolicy/policy/modules/system/mount.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/mount.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/mount.fc 2009-07-28 13:42:19.000000000 -0400 @@ -1,4 +1,9 @@ /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) @@ -23554,9 +22443,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.23/policy/modules/system/mount.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.24/policy/modules/system/mount.if --- nsaserefpolicy/policy/modules/system/mount.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/mount.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/mount.if 2009-07-28 13:42:19.000000000 -0400 @@ -43,9 +43,11 @@ mount_domtrans($1) @@ -23592,9 +22481,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 mount_t:process signal; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.23/policy/modules/system/mount.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.24/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/mount.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/mount.te 2009-07-28 14:16:41.000000000 -0400 @@ -18,17 +18,22 @@ init_system_domain(mount_t, mount_exec_t) role system_r types mount_t; @@ -23790,7 +22679,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) -@@ -185,14 +227,24 @@ +@@ -185,14 +227,23 @@ optional_policy(` samba_domtrans_smbmount(mount_t) @@ -23800,7 +22689,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # -# Unconfined mount local policy -+# ntfs local policy ++# ntfs local policy # +allow mount_t self:fifo_file rw_fifo_file_perms; +allow mount_t self:unix_stream_socket create_stream_socket_perms; @@ -23815,12 +22704,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - unconfined_domain(unconfined_mount_t) + hal_write_log(mount_t) + hal_use_fds(mount_t) -+ hal_rw_pipes(mount_t) ++ hal_dontaudit_rw_pipes(mount_t) ') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.6.23/policy/modules/system/selinuxutil.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.6.24/policy/modules/system/selinuxutil.fc --- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/selinuxutil.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/selinuxutil.fc 2009-07-28 13:42:19.000000000 -0400 @@ -6,13 +6,13 @@ /etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0) /etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0) @@ -23859,9 +22747,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.23/policy/modules/system/selinuxutil.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.24/policy/modules/system/selinuxutil.if --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/selinuxutil.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/selinuxutil.if 2009-07-28 13:42:19.000000000 -0400 @@ -535,6 +535,53 @@ ######################################## @@ -24250,9 +23138,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + hotplug_use_fds($1) +') +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.23/policy/modules/system/selinuxutil.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.24/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/selinuxutil.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/selinuxutil.te 2009-07-28 13:42:19.000000000 -0400 @@ -23,6 +23,9 @@ type selinux_config_t; files_type(selinux_config_t) @@ -24616,9 +23504,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - hotplug_use_fds(setfiles_t) + unconfined_domain(setfiles_mac_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.6.23/policy/modules/system/setrans.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.6.24/policy/modules/system/setrans.if --- nsaserefpolicy/policy/modules/system/setrans.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/setrans.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/setrans.if 2009-07-28 13:42:19.000000000 -0400 @@ -21,3 +21,23 @@ stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, setrans_t) files_list_pids($1) @@ -24643,9 +23531,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + init_labeled_script_domtrans($1, setrans_initrc_exec_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.6.23/policy/modules/system/sysnetwork.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.6.24/policy/modules/system/sysnetwork.fc --- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/sysnetwork.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/sysnetwork.fc 2009-07-28 13:42:19.000000000 -0400 @@ -11,15 +11,20 @@ /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0) @@ -24674,9 +23562,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') + +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.23/policy/modules/system/sysnetwork.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.24/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/sysnetwork.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/sysnetwork.if 2009-07-28 13:42:19.000000000 -0400 @@ -43,6 +43,39 @@ sysnet_domtrans_dhcpc($1) @@ -24845,9 +23733,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + role_transition $1 dhcpc_exec_t system_r; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.23/policy/modules/system/sysnetwork.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.24/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/sysnetwork.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/sysnetwork.te 2009-07-28 14:15:06.000000000 -0400 @@ -20,6 +20,9 @@ init_daemon_domain(dhcpc_t, dhcpc_exec_t) role system_r types dhcpc_t; @@ -25042,25 +23930,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') + +optional_policy(` -+ hal_rw_dgram_sockets(dhcpc_t) ++ hal_dontaudit_rw_dgram_sockets(dhcpc_t) + hal_dontaudit_rw_pipes(ifconfig_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.6.23/policy/modules/system/udev.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.6.24/policy/modules/system/udev.fc --- nsaserefpolicy/policy/modules/system/udev.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/udev.fc 2009-07-23 16:39:09.000000000 -0400 -@@ -8,6 +8,8 @@ ++++ serefpolicy-3.6.24/policy/modules/system/udev.fc 2009-07-28 13:42:19.000000000 -0400 +@@ -7,6 +7,9 @@ + /etc/hotplug\.d/default/udev.* -- gen_context(system_u:object_r:udev_helper_exec_t,s0) /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0) - -+/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0) ++/etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) + ++/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0) + /sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) /sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) - /sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.23/policy/modules/system/udev.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.24/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/udev.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/udev.te 2009-07-28 14:15:17.000000000 -0400 @@ -50,6 +50,7 @@ allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -25069,7 +23958,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow udev_t udev_exec_t:file write; can_exec(udev_t, udev_exec_t) -@@ -111,6 +112,7 @@ +@@ -66,6 +67,7 @@ + + manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t) + manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) ++manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) + files_pid_filetrans(udev_t, udev_var_run_t, { dir file }) + + kernel_read_system_state(udev_t) +@@ -111,6 +113,7 @@ fs_getattr_all_fs(udev_t) fs_list_inotifyfs(udev_t) @@ -25077,7 +23974,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mcs_ptrace_all(udev_t) -@@ -140,6 +142,7 @@ +@@ -140,6 +143,7 @@ logging_send_audit_msgs(udev_t) miscfiles_read_localization(udev_t) @@ -25085,7 +23982,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol modutils_domtrans_insmod(udev_t) # read modules.inputmap: -@@ -182,9 +185,11 @@ +@@ -182,9 +186,11 @@ # for arping used for static IP addresses on PCMCIA ethernet netutils_domtrans(udev_t) @@ -25100,7 +23997,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -194,6 +199,10 @@ +@@ -194,6 +200,10 @@ ') optional_policy(` @@ -25111,7 +24008,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol brctl_domtrans(udev_t) ') -@@ -202,6 +211,10 @@ +@@ -202,6 +212,10 @@ ') optional_policy(` @@ -25122,7 +24019,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol consoletype_exec(udev_t) ') -@@ -210,6 +223,11 @@ +@@ -210,6 +224,11 @@ ') optional_policy(` @@ -25134,15 +24031,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol lvm_domtrans(udev_t) ') -@@ -219,6 +237,7 @@ +@@ -219,6 +238,7 @@ optional_policy(` hal_dgram_send(udev_t) -+ hal_rw_dgram_sockets(udev_t) ++ hal_dontaudit_rw_dgram_sockets(udev_t) ') optional_policy(` -@@ -228,6 +247,10 @@ +@@ -228,6 +248,10 @@ ') optional_policy(` @@ -25153,7 +24050,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -242,6 +265,10 @@ +@@ -242,6 +266,10 @@ ') optional_policy(` @@ -25164,9 +24061,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_write_xen_state(udev_t) kernel_read_xen_state(udev_t) xen_manage_log(udev_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.6.23/policy/modules/system/unconfined.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.6.24/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/unconfined.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/unconfined.fc 2009-07-28 13:42:19.000000000 -0400 @@ -1,16 +1 @@ # Add programs here which should not be confined by SELinux -# e.g.: @@ -25184,9 +24081,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -ifdef(`distro_gentoo',` -/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.23/policy/modules/system/unconfined.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.24/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/unconfined.if 2009-07-27 13:54:34.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/unconfined.if 2009-07-28 13:42:19.000000000 -0400 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -25680,9 +24577,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - - allow $1 unconfined_t:dbus acquire_svc; -') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.23/policy/modules/system/unconfined.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.24/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/unconfined.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/unconfined.te 2009-07-28 13:42:19.000000000 -0400 @@ -1,231 +1,9 @@ -policy_module(unconfined, 3.0.0) @@ -25917,9 +24814,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - hal_dbus_chat(unconfined_execmem_t) - ') -') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.23/policy/modules/system/userdomain.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.24/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/userdomain.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/userdomain.fc 2009-07-28 13:42:19.000000000 -0400 @@ -1,4 +1,7 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) @@ -25929,9 +24826,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) +/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0) +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.23/policy/modules/system/userdomain.if ---- nsaserefpolicy/policy/modules/system/userdomain.if 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/userdomain.if 2009-07-27 14:11:20.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.24/policy/modules/system/userdomain.if +--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-07-28 13:28:33.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/userdomain.if 2009-07-28 14:32:30.000000000 -0400 @@ -30,8 +30,9 @@ ') @@ -26888,7 +25785,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` - setroubleshoot_dontaudit_stream_connect($1_t) -+ wm_role_template($1, $1_r, $1_usertype) ++ wm_role_template($1, $1_r, $1_t) ') ') @@ -27149,7 +26046,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1635,6 +1752,7 @@ +@@ -1653,6 +1770,7 @@ type user_home_dir_t, user_home_t; ') @@ -27157,55 +26054,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1733,30 +1851,80 @@ - - ######################################## - ## --## Execute user home files. -+## Delete user home subdirectory symbolic links. - ## - ## - ## - ## Domain allowed access. - ## - ## --## +@@ -1780,19 +1898,32 @@ # --interface(`userdom_exec_user_home_content_files',` -+interface(`userdom_delete_user_home_content_symlinks',` + interface(`userdom_exec_user_home_content_files',` gen_require(` - type user_home_dir_t, user_home_t; -+ type user_home_t; ++ type user_home_dir_t; ++ attribute user_home_type; ') -- files_search_home($1) + files_search_home($1) - exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) -+ allow $1 user_home_t:lnk_file delete_lnk_file_perms; -+') - +- - tunable_policy(`use_nfs_home_dirs',` - fs_exec_nfs_files($1) -+######################################## -+## -+## Delete files -+## in a user home subdirectory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_delete_user_home_content_files',` -+ gen_require(` -+ type user_home_t; ++ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) ++ dontaudit $1 user_home_type:sock_file execute; ') - tunable_policy(`use_samba_home_dirs',` - fs_exec_cifs_files($1) -+ allow $1 user_home_t:file delete_file_perms; -+') -+ +######################################## +## +## Dontaudit Delete files @@ -27220,82 +26088,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +interface(`userdom_dontaudit_delete_user_home_content_files',` + gen_require(` + type user_home_t; -+ ') -+ -+ allow $1 user_home_t:dir delete_file_perms; -+') -+ -+######################################## -+## -+## Execute user home files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`userdom_exec_user_home_content_files',` -+ gen_require(` -+ type user_home_dir_t; -+ attribute user_home_type; ') + -+ files_search_home($1) -+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) -+ dontaudit $1 user_home_type:sock_file execute; ++ allow $1 user_home_t:dir delete_file_perms; ') ######################################## -@@ -1779,6 +1947,46 @@ - - ######################################## - ## -+## Delete directories -+## in a user home subdirectory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_delete_user_home_content_dirs',` -+ gen_require(` -+ type user_home_t; -+ ') -+ -+ allow $1 user_home_t:dir delete_dir_perms; -+') -+ -+######################################## -+## -+## Append files -+## in a user home subdirectory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_append_user_home_content_files',` -+ gen_require(` -+ type user_home_dir_t, user_home_t; -+ ') -+ -+ append_files_pattern($1, user_home_t, user_home_t) -+ allow $1 user_home_dir_t:dir search_dir_perms; -+ files_search_home($1) -+') -+ -+######################################## -+## - ## Create, read, write, and delete files - ## in a user home subdirectory. - ## -@@ -1791,6 +1999,7 @@ +@@ -1827,6 +1958,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -27303,7 +26102,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2320,7 +2529,7 @@ +@@ -2374,7 +2506,7 @@ ######################################## ## @@ -27312,17 +26111,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -2674,11 +2883,32 @@ +@@ -2728,11 +2860,32 @@ # interface(`userdom_search_user_home_content',` gen_require(` - type user_home_dir_t, user_home_t; + type user_home_dir_t; + attribute user_home_type; - ') - - files_list_home($1) -- allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms; ++ ') ++ ++ files_list_home($1) + allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms; +') + @@ -27340,14 +26138,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + gen_require(` + type user_home_dir_t; + attribute user_home_type; -+ ') -+ -+ files_list_home($1) + ') + + files_list_home($1) +- allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms; + allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms; ') ######################################## -@@ -2806,7 +3036,25 @@ +@@ -2860,7 +3013,25 @@ type user_tmp_t; ') @@ -27374,7 +26173,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2843,6 +3091,7 @@ +@@ -2897,6 +3068,7 @@ ') read_files_pattern($1, userdomain, userdomain) @@ -27382,7 +26181,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -2973,3 +3222,481 @@ +@@ -3027,3 +3199,501 @@ allow $1 userdomain:dbus send_msg; ') @@ -27864,9 +26663,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + dontaudit $1 userdomain:unix_stream_socket rw_socket_perms; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.23/policy/modules/system/userdomain.te ++######################################## ++## ++## Append files ++## in a user home subdirectory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_append_user_home_content_files',` ++ gen_require(` ++ type user_home_dir_t, user_home_t; ++ ') ++ ++ append_files_pattern($1, user_home_t, user_home_t) ++ allow $1 user_home_dir_t:dir search_dir_perms; ++ files_search_home($1) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.24/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/userdomain.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/userdomain.te 2009-07-28 13:42:19.000000000 -0400 @@ -8,13 +8,6 @@ ## @@ -27952,14 +26771,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +allow userdomain userdomain:process signull; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.fc serefpolicy-3.6.23/policy/modules/system/virtual.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.fc serefpolicy-3.6.24/policy/modules/system/virtual.fc --- nsaserefpolicy/policy/modules/system/virtual.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/system/virtual.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/virtual.fc 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1 @@ +# No application file contexts. -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.if serefpolicy-3.6.23/policy/modules/system/virtual.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.if serefpolicy-3.6.24/policy/modules/system/virtual.if --- nsaserefpolicy/policy/modules/system/virtual.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/system/virtual.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/virtual.if 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,119 @@ +## Virtual machine emulator and virtualizer + @@ -28080,9 +26899,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 virtualdomain:process { setsched transition signal signull sigkill }; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.23/policy/modules/system/virtual.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.24/policy/modules/system/virtual.te --- nsaserefpolicy/policy/modules/system/virtual.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.23/policy/modules/system/virtual.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/virtual.te 2009-07-28 13:42:19.000000000 -0400 @@ -0,0 +1,75 @@ + +policy_module(virtualization, 1.1.2) @@ -28159,9 +26978,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_read_xdm_pid(virtualdomain) + xserver_rw_shm(virtualdomain) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.6.23/policy/modules/system/xen.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.6.24/policy/modules/system/xen.fc --- nsaserefpolicy/policy/modules/system/xen.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/xen.fc 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/xen.fc 2009-07-28 13:42:19.000000000 -0400 @@ -1,5 +1,7 @@ /dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0) @@ -28189,9 +27008,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0) /var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.6.23/policy/modules/system/xen.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.6.24/policy/modules/system/xen.if --- nsaserefpolicy/policy/modules/system/xen.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/xen.if 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/xen.if 2009-07-28 13:42:19.000000000 -0400 @@ -71,6 +71,8 @@ ') @@ -28264,9 +27083,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_search_pids($1) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.23/policy/modules/system/xen.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.24/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/modules/system/xen.te 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/modules/system/xen.te 2009-07-28 13:42:19.000000000 -0400 @@ -6,6 +6,13 @@ # Declarations # @@ -28561,9 +27380,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +libs_use_ld_so(evtchnd_t) +libs_use_shared_libs(evtchnd_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.23/policy/support/obj_perm_sets.spt +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.24/policy/support/obj_perm_sets.spt --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/support/obj_perm_sets.spt 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/support/obj_perm_sets.spt 2009-07-28 13:42:19.000000000 -0400 @@ -201,7 +201,7 @@ define(`setattr_file_perms',`{ setattr }') define(`read_file_perms',`{ getattr open read lock ioctl }') @@ -28596,9 +27415,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ') + +define(`manage_key_perms', `{ create link read search setattr view write } ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.23/policy/users +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.24/policy/users --- nsaserefpolicy/policy/users 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/policy/users 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/policy/users 2009-07-28 13:42:19.000000000 -0400 @@ -25,11 +25,8 @@ # permit any access to such users, then remove this entry. # @@ -28623,9 +27442,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) -') +gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.6.23/Rules.modular +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.6.24/Rules.modular --- nsaserefpolicy/Rules.modular 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/Rules.modular 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/Rules.modular 2009-07-28 13:42:19.000000000 -0400 @@ -73,8 +73,8 @@ $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te @echo "Compliling $(NAME) $(@F) module" @@ -28655,9 +27474,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rul $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.6.23/support/Makefile.devel +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.6.24/support/Makefile.devel --- nsaserefpolicy/support/Makefile.devel 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.23/support/Makefile.devel 2009-07-23 16:39:09.000000000 -0400 ++++ serefpolicy-3.6.24/support/Makefile.devel 2009-07-28 13:42:19.000000000 -0400 @@ -185,8 +185,7 @@ tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te @$(EINFO) "Compiling $(NAME) $(basename $(@F)) module" diff --git a/selinux-policy.spec b/selinux-policy.spec index 48230ae..b0b0b2f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,8 +19,8 @@ %define CHECKPOLICYVER 2.0.16-3 Summary: SELinux policy configuration Name: selinux-policy -Version: 3.6.23 -Release: 2%{?dist} +Version: 3.6.24 +Release: 1%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -475,6 +475,9 @@ exit 0 %endif %changelog +* Tue Jul 28 2009 Dan Walsh 3.6.24-1 +- Update to upstream + * Mon Jul 27 2009 Dan Walsh 3.6.23-2 - Allow certmaster to override dac permissions diff --git a/sources b/sources index 6345c36..24a820d 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -f39558603d3d7d1500b93f9d4ce27311 serefpolicy-3.6.23.tgz +4d74666892956fc2b2a50158e740174e serefpolicy-3.6.24.tgz