diff --git a/nsadiff b/nsadiff index f5c3fa2..b5c1138 100755 --- a/nsadiff +++ b/nsadiff @@ -1 +1 @@ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.6.10 > /tmp/diff +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.6.11 > /tmp/diff diff --git a/policy-20090105.patch b/policy-20090105.patch index 8296478..3ffa392 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -1,6 +1,6 @@ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.6.10/config/appconfig-mcs/default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.6.11/config/appconfig-mcs/default_contexts --- nsaserefpolicy/config/appconfig-mcs/default_contexts 2008-11-11 16:13:50.000000000 -0500 -+++ serefpolicy-3.6.10/config/appconfig-mcs/default_contexts 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/config/appconfig-mcs/default_contexts 2009-04-06 12:59:54.000000000 -0400 @@ -1,15 +1,6 @@ -system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0 -system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 @@ -22,25 +22,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con -user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 -user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0 +system_r:xdm_t:s0 user_r:user_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.6.10/config/appconfig-mcs/failsafe_context +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.6.11/config/appconfig-mcs/failsafe_context --- nsaserefpolicy/config/appconfig-mcs/failsafe_context 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.6.10/config/appconfig-mcs/failsafe_context 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/config/appconfig-mcs/failsafe_context 2009-04-06 12:59:54.000000000 -0400 @@ -1 +1 @@ -sysadm_r:sysadm_t:s0 +system_r:unconfined_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts serefpolicy-3.6.10/config/appconfig-mcs/guest_u_default_contexts ---- nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/config/appconfig-mcs/guest_u_default_contexts 2009-03-30 10:09:41.000000000 -0400 -@@ -0,0 +1,6 @@ -+system_r:local_login_t:s0 guest_r:guest_t:s0 -+system_r:remote_login_t:s0 guest_r:guest_t:s0 -+system_r:sshd_t:s0 guest_r:guest_t:s0 -+system_r:crond_t:s0 guest_r:guest_t:s0 -+system_r:initrc_su_t:s0 guest_r:guest_t:s0 -+guest_r:guest_t:s0 guest_r:guest_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.6.10/config/appconfig-mcs/root_default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.6.11/config/appconfig-mcs/root_default_contexts --- nsaserefpolicy/config/appconfig-mcs/root_default_contexts 2008-11-11 16:13:50.000000000 -0500 -+++ serefpolicy-3.6.10/config/appconfig-mcs/root_default_contexts 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/config/appconfig-mcs/root_default_contexts 2009-04-06 12:59:54.000000000 -0400 @@ -1,11 +1,7 @@ -system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0 +system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 @@ -55,18 +45,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con # -#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.6.10/config/appconfig-mcs/seusers +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.6.11/config/appconfig-mcs/seusers --- nsaserefpolicy/config/appconfig-mcs/seusers 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.6.10/config/appconfig-mcs/seusers 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/config/appconfig-mcs/seusers 2009-04-06 12:59:54.000000000 -0400 @@ -1,3 +1,3 @@ system_u:system_u:s0-mcs_systemhigh -root:root:s0-mcs_systemhigh -__default__:user_u:s0 +root:unconfined_u:s0-mcs_systemhigh +__default__:unconfined_u:s0-mcs_systemhigh -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.6.10/config/appconfig-mcs/staff_u_default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.6.11/config/appconfig-mcs/staff_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts 2008-11-11 16:13:50.000000000 -0500 -+++ serefpolicy-3.6.10/config/appconfig-mcs/staff_u_default_contexts 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/config/appconfig-mcs/staff_u_default_contexts 2009-04-06 12:59:54.000000000 -0400 @@ -1,10 +1,12 @@ system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 system_r:remote_login_t:s0 staff_r:staff_t:s0 @@ -81,9 +71,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.6.10/config/appconfig-mcs/unconfined_u_default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.6.11/config/appconfig-mcs/unconfined_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts 2008-11-11 16:13:50.000000000 -0500 -+++ serefpolicy-3.6.10/config/appconfig-mcs/unconfined_u_default_contexts 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/config/appconfig-mcs/unconfined_u_default_contexts 2009-04-06 12:59:54.000000000 -0400 @@ -1,4 +1,4 @@ -system_r:crond_t:s0 unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0 +system_r:crond_t:s0 unconfined_r:unconfined_t:s0 @@ -97,15 +87,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +system_r:initrc_su_t:s0 unconfined_r:unconfined_t:s0 +unconfined_r:unconfined_t:s0 unconfined_r:unconfined_t:s0 system_r:xdm_t:s0 unconfined_r:unconfined_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.6.10/config/appconfig-mcs/userhelper_context +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.6.11/config/appconfig-mcs/userhelper_context --- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.6.10/config/appconfig-mcs/userhelper_context 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/config/appconfig-mcs/userhelper_context 2009-04-06 12:59:54.000000000 -0400 @@ -1 +1 @@ -system_u:sysadm_r:sysadm_t:s0 +system_u:system_r:unconfined_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.6.10/config/appconfig-mcs/user_u_default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.6.11/config/appconfig-mcs/user_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts 2008-11-11 16:13:50.000000000 -0500 -+++ serefpolicy-3.6.10/config/appconfig-mcs/user_u_default_contexts 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/config/appconfig-mcs/user_u_default_contexts 2009-04-06 12:59:54.000000000 -0400 @@ -1,8 +1,9 @@ system_r:local_login_t:s0 user_r:user_t:s0 system_r:remote_login_t:s0 user_r:user_t:s0 @@ -118,31 +108,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con - +system_r:initrc_su_t:s0 user_r:user_t:s0 +user_r:user_t:s0 user_r:user_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_domain_context serefpolicy-3.6.10/config/appconfig-mcs/virtual_domain_context +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_domain_context serefpolicy-3.6.11/config/appconfig-mcs/virtual_domain_context --- nsaserefpolicy/config/appconfig-mcs/virtual_domain_context 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/config/appconfig-mcs/virtual_domain_context 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/config/appconfig-mcs/virtual_domain_context 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1 @@ +system_u:system_r:svirt_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_image_context serefpolicy-3.6.10/config/appconfig-mcs/virtual_image_context +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_image_context serefpolicy-3.6.11/config/appconfig-mcs/virtual_image_context --- nsaserefpolicy/config/appconfig-mcs/virtual_image_context 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/config/appconfig-mcs/virtual_image_context 2009-04-03 14:55:45.000000000 -0400 ++++ serefpolicy-3.6.11/config/appconfig-mcs/virtual_image_context 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,2 @@ +system_u:object_r:svirt_image_t:s0 +system_u:object_r:virt_content_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.6.10/config/appconfig-mcs/xguest_u_default_contexts ---- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/config/appconfig-mcs/xguest_u_default_contexts 2009-03-30 10:09:41.000000000 -0400 -@@ -0,0 +1,7 @@ -+system_r:local_login_t xguest_r:xguest_t:s0 -+system_r:remote_login_t xguest_r:xguest_t:s0 -+system_r:sshd_t xguest_r:xguest_t:s0 -+system_r:crond_t xguest_r:xguest_t:s0 -+system_r:xdm_t xguest_r:xguest_t:s0 -+system_r:initrc_su_t:s0 xguest_r:xguest_t:s0 -+xguest_r:xguest_t:s0 xguest_r:xguest_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.6.10/config/appconfig-mls/default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.6.11/config/appconfig-mls/default_contexts --- nsaserefpolicy/config/appconfig-mls/default_contexts 2008-11-11 16:13:50.000000000 -0500 -+++ serefpolicy-3.6.10/config/appconfig-mls/default_contexts 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/config/appconfig-mls/default_contexts 2009-04-06 12:59:54.000000000 -0400 @@ -1,15 +1,6 @@ -system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0 -system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 @@ -164,17 +143,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con -user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 -user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0 +system_r:xdm_t:s0 user_r:user_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts serefpolicy-3.6.10/config/appconfig-mls/guest_u_default_contexts ---- nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/config/appconfig-mls/guest_u_default_contexts 2009-03-30 10:09:41.000000000 -0400 -@@ -0,0 +1,4 @@ -+system_r:local_login_t:s0 guest_r:guest_t:s0 -+system_r:remote_login_t:s0 guest_r:guest_t:s0 -+system_r:sshd_t:s0 guest_r:guest_t:s0 -+system_r:crond_t:s0 guest_r:guest_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/root_default_contexts serefpolicy-3.6.10/config/appconfig-mls/root_default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/root_default_contexts serefpolicy-3.6.11/config/appconfig-mls/root_default_contexts --- nsaserefpolicy/config/appconfig-mls/root_default_contexts 2008-11-11 16:13:50.000000000 -0500 -+++ serefpolicy-3.6.10/config/appconfig-mls/root_default_contexts 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/config/appconfig-mls/root_default_contexts 2009-04-06 12:59:54.000000000 -0400 @@ -1,11 +1,11 @@ -system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0 -system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 @@ -193,31 +164,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con # -#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_domain_context serefpolicy-3.6.10/config/appconfig-mls/virtual_domain_context +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_domain_context serefpolicy-3.6.11/config/appconfig-mls/virtual_domain_context --- nsaserefpolicy/config/appconfig-mls/virtual_domain_context 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/config/appconfig-mls/virtual_domain_context 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/config/appconfig-mls/virtual_domain_context 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1 @@ +system_u:system_r:qemu_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_image_context serefpolicy-3.6.10/config/appconfig-mls/virtual_image_context +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_image_context serefpolicy-3.6.11/config/appconfig-mls/virtual_image_context --- nsaserefpolicy/config/appconfig-mls/virtual_image_context 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/config/appconfig-mls/virtual_image_context 2009-04-03 14:56:16.000000000 -0400 ++++ serefpolicy-3.6.11/config/appconfig-mls/virtual_image_context 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,2 @@ +system_u:object_r:virt_image_t:s0 +system_u:object_r:virt_content_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/xguest_u_default_contexts serefpolicy-3.6.10/config/appconfig-mls/xguest_u_default_contexts ---- nsaserefpolicy/config/appconfig-mls/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/config/appconfig-mls/xguest_u_default_contexts 2009-03-30 10:09:41.000000000 -0400 -@@ -0,0 +1,7 @@ -+system_r:local_login_t xguest_r:xguest_t:s0 -+system_r:remote_login_t xguest_r:xguest_t:s0 -+system_r:sshd_t xguest_r:xguest_t:s0 -+system_r:crond_t xguest_r:xguest_t:s0 -+system_r:xdm_t xguest_r:xguest_t:s0 -+system_r:initrc_su_t:s0 xguest_r:xguest_t:s0 -+xguest_r:xguest_t:s0 xguest_r:xguest_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.6.10/Makefile +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.6.11/Makefile --- nsaserefpolicy/Makefile 2009-01-19 11:07:35.000000000 -0500 -+++ serefpolicy-3.6.10/Makefile 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/Makefile 2009-04-06 12:59:54.000000000 -0400 @@ -241,7 +241,7 @@ appdir := $(contextpath) user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts) @@ -280,9 +240,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Mak $(appdir)/%: $(appconf)/% @mkdir -p $(appdir) $(verbose) $(INSTALL) -m 644 $< $@ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.6.10/man/man8/httpd_selinux.8 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.6.11/man/man8/httpd_selinux.8 --- nsaserefpolicy/man/man8/httpd_selinux.8 2009-03-05 09:22:34.000000000 -0500 -+++ serefpolicy-3.6.10/man/man8/httpd_selinux.8 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/man/man8/httpd_selinux.8 2009-04-06 12:59:54.000000000 -0400 @@ -22,7 +22,7 @@ .EX httpd_sys_content_t @@ -306,9 +266,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man .EX httpd_unconfined_script_exec_t .EE -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.10/policy/global_tunables +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.11/policy/global_tunables --- nsaserefpolicy/policy/global_tunables 2008-11-11 16:13:50.000000000 -0500 -+++ serefpolicy-3.6.10/policy/global_tunables 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/global_tunables 2009-04-06 12:59:54.000000000 -0400 @@ -61,15 +61,6 @@ ## @@ -338,9 +298,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +gen_tunable(allow_console_login,false) + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.10/policy/mcs +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.11/policy/mcs --- nsaserefpolicy/policy/mcs 2009-02-03 22:50:50.000000000 -0500 -+++ serefpolicy-3.6.10/policy/mcs 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/mcs 2009-04-06 12:59:54.000000000 -0400 @@ -67,7 +67,7 @@ # Note that getattr on files is always permitted. # @@ -372,9 +332,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mlsconstrain process { transition dyntransition } (( h1 dom h2 ) or ( t1 == mcssetcats )); -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.6.10/policy/modules/admin/anaconda.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.6.11/policy/modules/admin/anaconda.te --- nsaserefpolicy/policy/modules/admin/anaconda.te 2009-01-05 15:39:44.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/admin/anaconda.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/admin/anaconda.te 2009-04-06 12:59:54.000000000 -0400 @@ -31,6 +31,7 @@ modutils_domtrans_insmod(anaconda_t) @@ -383,9 +343,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file }) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.6.10/policy/modules/admin/certwatch.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.6.11/policy/modules/admin/certwatch.te --- nsaserefpolicy/policy/modules/admin/certwatch.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/admin/certwatch.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/admin/certwatch.te 2009-04-06 12:59:54.000000000 -0400 @@ -27,15 +27,20 @@ fs_list_inotifyfs(certwatch_t) @@ -407,9 +367,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.6.10/policy/modules/admin/dmesg.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.6.11/policy/modules/admin/dmesg.te --- nsaserefpolicy/policy/modules/admin/dmesg.te 2009-01-05 15:39:44.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/admin/dmesg.te 2009-03-30 11:43:06.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/admin/dmesg.te 2009-04-06 12:59:54.000000000 -0400 @@ -35,7 +35,7 @@ domain_use_interactive_fds(dmesg_t) @@ -419,9 +379,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(dmesg_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.6.10/policy/modules/admin/kismet.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.6.11/policy/modules/admin/kismet.if --- nsaserefpolicy/policy/modules/admin/kismet.if 2008-11-11 16:13:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/admin/kismet.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/admin/kismet.if 2009-04-06 12:59:54.000000000 -0400 @@ -16,6 +16,7 @@ ') @@ -430,9 +390,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.10/policy/modules/admin/kismet.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.11/policy/modules/admin/kismet.te --- nsaserefpolicy/policy/modules/admin/kismet.te 2009-01-05 15:39:44.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/admin/kismet.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/admin/kismet.te 2009-04-06 12:59:54.000000000 -0400 @@ -14,27 +14,36 @@ type kismet_var_run_t; files_pid_file(kismet_var_run_t) @@ -498,9 +458,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_use_user_terminals(kismet_t) +userdom_read_user_tmpfs_files(kismet_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.10/policy/modules/admin/logrotate.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.11/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-01-05 15:39:44.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/admin/logrotate.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/admin/logrotate.te 2009-04-06 12:59:54.000000000 -0400 @@ -116,8 +116,9 @@ seutil_dontaudit_read_config(logrotate_t) @@ -530,9 +490,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - squid_signal(logrotate_t) + squid_domtrans(logrotate_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.10/policy/modules/admin/logwatch.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.11/policy/modules/admin/logwatch.te --- nsaserefpolicy/policy/modules/admin/logwatch.te 2009-03-20 12:39:40.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/admin/logwatch.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/admin/logwatch.te 2009-04-06 12:59:54.000000000 -0400 @@ -62,10 +62,9 @@ files_read_usr_files(logwatch_t) files_search_spool(logwatch_t) @@ -560,9 +520,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol samba_read_log(logwatch_t) + samba_read_share_files(logwatch_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.6.10/policy/modules/admin/mrtg.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.6.11/policy/modules/admin/mrtg.te --- nsaserefpolicy/policy/modules/admin/mrtg.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/admin/mrtg.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/admin/mrtg.te 2009-04-06 12:59:54.000000000 -0400 @@ -116,6 +116,7 @@ userdom_use_user_terminals(mrtg_t) userdom_dontaudit_read_user_home_content_files(mrtg_t) @@ -571,9 +531,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`enable_mls',` corenet_udp_sendrecv_lo_if(mrtg_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.6.10/policy/modules/admin/netutils.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.6.11/policy/modules/admin/netutils.te --- nsaserefpolicy/policy/modules/admin/netutils.te 2009-03-12 11:16:47.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/admin/netutils.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/admin/netutils.te 2009-04-06 12:59:54.000000000 -0400 @@ -152,6 +152,10 @@ ') @@ -585,18 +545,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol pcmcia_use_cardmgr_fds(ping_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.6.10/policy/modules/admin/prelink.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.6.11/policy/modules/admin/prelink.fc --- nsaserefpolicy/policy/modules/admin/prelink.fc 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/admin/prelink.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/admin/prelink.fc 2009-04-06 12:59:54.000000000 -0400 @@ -5,3 +5,5 @@ /var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0) /var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0) + +/var/lib/misc/prelink\* -- gen_context(system_u:object_r:prelink_var_lib_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.10/policy/modules/admin/prelink.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.11/policy/modules/admin/prelink.if --- nsaserefpolicy/policy/modules/admin/prelink.if 2008-11-11 16:13:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/admin/prelink.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/admin/prelink.if 2009-04-06 12:59:54.000000000 -0400 @@ -120,3 +120,23 @@ logging_search_logs($1) manage_files_pattern($1, prelink_log_t, prelink_log_t) @@ -621,9 +581,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_search_var_lib($1) + manage_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.10/policy/modules/admin/prelink.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.11/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2009-01-05 15:39:44.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/admin/prelink.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/admin/prelink.te 2009-04-06 12:59:54.000000000 -0400 @@ -21,12 +21,15 @@ type prelink_tmp_t; files_tmp_file(prelink_tmp_t) @@ -692,9 +652,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + unconfined_domain(prelink_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.10/policy/modules/admin/rpm.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.11/policy/modules/admin/rpm.fc --- nsaserefpolicy/policy/modules/admin/rpm.fc 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/admin/rpm.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/admin/rpm.fc 2009-04-06 12:59:54.000000000 -0400 @@ -3,6 +3,7 @@ /usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -734,9 +694,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # SuSE ifdef(`distro_suse', ` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.10/policy/modules/admin/rpm.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.11/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2008-11-11 16:13:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/admin/rpm.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/admin/rpm.if 2009-04-06 12:59:54.000000000 -0400 @@ -146,6 +146,24 @@ ######################################## @@ -1067,9 +1027,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 rpm_t:process signull; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.10/policy/modules/admin/rpm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.11/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/admin/rpm.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/admin/rpm.te 2009-04-06 12:59:54.000000000 -0400 @@ -31,6 +31,9 @@ files_type(rpm_var_lib_t) typealias rpm_var_lib_t alias var_lib_rpm_t; @@ -1285,9 +1245,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` java_domtrans_unconfined(rpm_script_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.10/policy/modules/admin/sudo.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.11/policy/modules/admin/sudo.if --- nsaserefpolicy/policy/modules/admin/sudo.if 2008-11-11 16:13:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/admin/sudo.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/admin/sudo.if 2009-04-06 12:59:54.000000000 -0400 @@ -32,6 +32,7 @@ gen_require(` @@ -1423,9 +1383,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 sudodomain:process sigchld; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.te serefpolicy-3.6.10/policy/modules/admin/sudo.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.te serefpolicy-3.6.11/policy/modules/admin/sudo.te --- nsaserefpolicy/policy/modules/admin/sudo.te 2009-01-05 15:39:44.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/admin/sudo.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/admin/sudo.te 2009-04-06 12:59:54.000000000 -0400 @@ -4,6 +4,7 @@ ######################################## # @@ -1434,9 +1394,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type sudo_exec_t; application_executable_file(sudo_exec_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.6.10/policy/modules/admin/su.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.6.11/policy/modules/admin/su.if --- nsaserefpolicy/policy/modules/admin/su.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/admin/su.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/admin/su.if 2009-04-06 12:59:54.000000000 -0400 @@ -90,15 +90,6 @@ miscfiles_read_localization($1_su_t) @@ -1469,9 +1429,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_rhel4',` domain_role_change_exemption($1_su_t) domain_subj_id_change_exemption($1_su_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.6.10/policy/modules/admin/tmpreaper.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.6.11/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2008-11-11 16:13:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/admin/tmpreaper.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/admin/tmpreaper.te 2009-04-06 12:59:54.000000000 -0400 @@ -22,12 +22,16 @@ dev_read_urand(tmpreaper_t) @@ -1516,9 +1476,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + unconfined_domain(tmpreaper_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.10/policy/modules/admin/usermanage.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.11/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2009-03-20 12:39:40.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/admin/usermanage.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/admin/usermanage.te 2009-04-06 12:59:54.000000000 -0400 @@ -326,6 +326,7 @@ # user generally runs this from their home directory, so do not audit a search # on user home dir @@ -1540,9 +1500,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.6.10/policy/modules/admin/vbetool.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.6.11/policy/modules/admin/vbetool.te --- nsaserefpolicy/policy/modules/admin/vbetool.te 2009-03-12 11:16:47.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/admin/vbetool.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/admin/vbetool.te 2009-04-06 12:59:54.000000000 -0400 @@ -23,6 +23,7 @@ dev_rwx_zero(vbetool_t) dev_read_sysfs(vbetool_t) @@ -1561,9 +1521,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_write_pid(vbetool_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.6.10/policy/modules/apps/awstats.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.6.11/policy/modules/apps/awstats.te --- nsaserefpolicy/policy/modules/apps/awstats.te 2009-02-16 08:44:12.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/awstats.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/awstats.te 2009-04-06 12:59:54.000000000 -0400 @@ -51,6 +51,8 @@ libs_read_lib_files(awstats_t) @@ -1573,29 +1533,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(awstats_t) sysnet_dns_name_resolve(awstats_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.fc serefpolicy-3.6.10/policy/modules/apps/cdrecord.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.fc serefpolicy-3.6.11/policy/modules/apps/cdrecord.fc --- nsaserefpolicy/policy/modules/apps/cdrecord.fc 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/apps/cdrecord.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/cdrecord.fc 2009-04-06 12:59:54.000000000 -0400 @@ -2,4 +2,5 @@ # /usr # /usr/bin/cdrecord -- gen_context(system_u:object_r:cdrecord_exec_t,s0) +/usr/bin/growisoifs -- gen_context(system_u:object_r:cdrecord_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.fc serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.fc serefpolicy-3.6.11/policy/modules/apps/cpufreqselector.fc --- nsaserefpolicy/policy/modules/apps/cpufreqselector.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.fc 2009-04-02 10:05:45.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/cpufreqselector.fc 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1 @@ +/usr/bin/cpufreq-selector -- gen_context(system_u:object_r:cpufreqselector_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.if serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.if serefpolicy-3.6.11/policy/modules/apps/cpufreqselector.if --- nsaserefpolicy/policy/modules/apps/cpufreqselector.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.if 2009-04-02 10:05:45.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/cpufreqselector.if 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,2 @@ +## cpufreq-selector policy + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.6.11/policy/modules/apps/cpufreqselector.te --- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.te 2009-04-03 10:09:12.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/cpufreqselector.te 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,44 @@ +policy_module(cpufreqselector,1.0.0) + @@ -1641,29 +1601,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +permissive cpufreqselector_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/git.fc serefpolicy-3.6.10/policy/modules/apps/git.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/git.fc serefpolicy-3.6.11/policy/modules/apps/git.fc --- nsaserefpolicy/policy/modules/apps/git.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/git.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/git.fc 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,3 @@ +/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_content_rw_t,s0) +/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) +/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/git.if serefpolicy-3.6.10/policy/modules/apps/git.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/git.if serefpolicy-3.6.11/policy/modules/apps/git.if --- nsaserefpolicy/policy/modules/apps/git.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/git.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/git.if 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1 @@ +## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/git.te serefpolicy-3.6.10/policy/modules/apps/git.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/git.te serefpolicy-3.6.11/policy/modules/apps/git.te --- nsaserefpolicy/policy/modules/apps/git.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/git.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/git.te 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,4 @@ +policy_module(git, 1.0) + +apache_content_template(git) +permissive httpd_git_script_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.10/policy/modules/apps/gnome.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.11/policy/modules/apps/gnome.fc --- nsaserefpolicy/policy/modules/apps/gnome.fc 2008-11-11 16:13:42.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/gnome.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/gnome.fc 2009-04-06 12:59:54.000000000 -0400 @@ -1,8 +1,12 @@ HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0) HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) @@ -1678,9 +1638,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) +# Don't use because toolchain is broken +#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.10/policy/modules/apps/gnome.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.11/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2008-11-11 16:13:41.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/gnome.if 2009-04-03 17:09:33.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/gnome.if 2009-04-06 12:59:54.000000000 -0400 @@ -89,5 +89,154 @@ allow $1 gnome_home_t:dir manage_dir_perms; @@ -1836,9 +1796,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + # Connect to pulseaudit server + stream_connect_pattern($1, gnome_home_t, gnome_home_t, $2) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.10/policy/modules/apps/gnome.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.11/policy/modules/apps/gnome.te --- nsaserefpolicy/policy/modules/apps/gnome.te 2008-11-11 16:13:42.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/gnome.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/gnome.te 2009-04-06 12:59:54.000000000 -0400 @@ -9,16 +9,18 @@ attribute gnomedomain; @@ -1867,9 +1827,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_user_home_content(gnome_home_t) ############################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.6.10/policy/modules/apps/gpg.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.6.11/policy/modules/apps/gpg.fc --- nsaserefpolicy/policy/modules/apps/gpg.fc 2008-11-11 16:13:42.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/gpg.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/gpg.fc 2009-04-06 12:59:54.000000000 -0400 @@ -5,5 +5,5 @@ /usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0) @@ -1878,9 +1838,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) +/usr/lib(64)?/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0) +/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.6.10/policy/modules/apps/gpg.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.6.11/policy/modules/apps/gpg.if --- nsaserefpolicy/policy/modules/apps/gpg.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/gpg.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/gpg.if 2009-04-06 12:59:54.000000000 -0400 @@ -30,7 +30,7 @@ # allow ps to show gpg @@ -1908,9 +1868,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.10/policy/modules/apps/gpg.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.11/policy/modules/apps/gpg.te --- nsaserefpolicy/policy/modules/apps/gpg.te 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/gpg.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/gpg.te 2009-04-06 12:59:54.000000000 -0400 @@ -60,7 +60,7 @@ allow gpg_t self:capability { ipc_lock setuid }; @@ -2008,9 +1968,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # GPG agent local policy -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.6.10/policy/modules/apps/java.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.6.11/policy/modules/apps/java.fc --- nsaserefpolicy/policy/modules/apps/java.fc 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/java.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/java.fc 2009-04-06 12:59:54.000000000 -0400 @@ -2,15 +2,16 @@ # /opt # @@ -2045,9 +2005,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.10/policy/modules/apps/java.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.11/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2008-11-11 16:13:42.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/java.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/java.if 2009-04-06 12:59:54.000000000 -0400 @@ -30,6 +30,7 @@ allow java_t $2:unix_stream_socket connectto; @@ -2185,9 +2145,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_role($1_r, $1_java_t) + ') +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.10/policy/modules/apps/java.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.11/policy/modules/apps/java.te --- nsaserefpolicy/policy/modules/apps/java.te 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/java.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/java.te 2009-04-06 12:59:54.000000000 -0400 @@ -20,6 +20,8 @@ typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t }; typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t }; @@ -2241,15 +2201,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + rpm_domtrans(unconfined_java_t) + ') ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.6.10/policy/modules/apps/livecd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.6.11/policy/modules/apps/livecd.fc --- nsaserefpolicy/policy/modules/apps/livecd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/livecd.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/livecd.fc 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,2 @@ + +/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.6.10/policy/modules/apps/livecd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.6.11/policy/modules/apps/livecd.if --- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/livecd.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/livecd.if 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,50 @@ + +## policy for livecd @@ -2301,9 +2261,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + seutil_run_setfiles_mac(livecd_t, $2) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.6.10/policy/modules/apps/livecd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.6.11/policy/modules/apps/livecd.te --- nsaserefpolicy/policy/modules/apps/livecd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/livecd.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/livecd.te 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,26 @@ +policy_module(livecd, 1.0.0) + @@ -2331,9 +2291,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +seutil_domtrans_setfiles_mac(livecd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.10/policy/modules/apps/mono.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.11/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/apps/mono.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/mono.if 2009-04-06 12:59:54.000000000 -0400 @@ -21,6 +21,103 @@ ######################################## @@ -2447,9 +2407,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') corecmd_search_bin($1) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.6.10/policy/modules/apps/mono.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.6.11/policy/modules/apps/mono.te --- nsaserefpolicy/policy/modules/apps/mono.te 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/mono.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/mono.te 2009-04-06 12:59:54.000000000 -0400 @@ -15,7 +15,7 @@ # Local policy # @@ -2467,9 +2427,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + xserver_rw_shm(mono_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.6.10/policy/modules/apps/mozilla.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.6.11/policy/modules/apps/mozilla.fc --- nsaserefpolicy/policy/modules/apps/mozilla.fc 2008-11-11 16:13:42.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/mozilla.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/mozilla.fc 2009-04-06 12:59:54.000000000 -0400 @@ -17,7 +17,6 @@ # # /etc @@ -2484,9 +2444,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.10/policy/modules/apps/mozilla.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.11/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2008-11-11 16:13:41.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/mozilla.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/mozilla.if 2009-04-06 12:59:54.000000000 -0400 @@ -82,8 +82,7 @@ type mozilla_home_t; ') @@ -2497,9 +2457,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_search_user_home_dirs($1) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.10/policy/modules/apps/mozilla.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.11/policy/modules/apps/mozilla.te --- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/mozilla.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/mozilla.te 2009-04-06 12:59:54.000000000 -0400 @@ -105,6 +105,7 @@ # Should not need other ports corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t) @@ -2536,9 +2496,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` thunderbird_domtrans(mozilla_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.fc serefpolicy-3.6.10/policy/modules/apps/mplayer.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.fc serefpolicy-3.6.11/policy/modules/apps/mplayer.fc --- nsaserefpolicy/policy/modules/apps/mplayer.fc 2009-03-12 11:16:47.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/apps/mplayer.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/mplayer.fc 2009-04-06 12:59:54.000000000 -0400 @@ -1,9 +1,4 @@ # -# /etc @@ -2549,9 +2509,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # /usr # /usr/bin/mplayer -- gen_context(system_u:object_r:mplayer_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.6.10/policy/modules/apps/nsplugin.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.6.11/policy/modules/apps/nsplugin.fc --- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/nsplugin.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/nsplugin.fc 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,12 @@ +HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) @@ -2565,9 +2525,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0) +/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0) +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.10/policy/modules/apps/nsplugin.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.11/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/nsplugin.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/nsplugin.if 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,272 @@ + +## policy for nsplugin @@ -2841,9 +2801,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + manage_files_pattern($1, nsplugin_home_t, nsplugin_home_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.10/policy/modules/apps/nsplugin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.11/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/nsplugin.te 2009-04-03 17:12:08.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/nsplugin.te 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,292 @@ + +policy_module(nsplugin, 1.0.0) @@ -3137,16 +3097,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.6.10/policy/modules/apps/openoffice.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.6.11/policy/modules/apps/openoffice.fc --- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/openoffice.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/openoffice.fc 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,3 @@ +/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) +/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.6.10/policy/modules/apps/openoffice.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.6.11/policy/modules/apps/openoffice.if --- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/openoffice.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/openoffice.if 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,92 @@ +## Openoffice + @@ -3240,9 +3200,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_common_x_domain_template($1, $1_openoffice_t) + ') +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.6.10/policy/modules/apps/openoffice.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.6.11/policy/modules/apps/openoffice.te --- nsaserefpolicy/policy/modules/apps/openoffice.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/openoffice.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/openoffice.te 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,14 @@ + +policy_module(openoffice, 1.0.0) @@ -3258,17 +3218,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.fc serefpolicy-3.6.10/policy/modules/apps/podsleuth.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.fc serefpolicy-3.6.11/policy/modules/apps/podsleuth.fc --- nsaserefpolicy/policy/modules/apps/podsleuth.fc 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/apps/podsleuth.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/podsleuth.fc 2009-04-06 12:59:54.000000000 -0400 @@ -1,2 +1,4 @@ /usr/bin/podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0) +/usr/libexec/hal-podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0) +/var/cache/podsleuth(/.*)? gen_context(system_u:object_r:podsleuth_cache_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.if serefpolicy-3.6.10/policy/modules/apps/podsleuth.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.if serefpolicy-3.6.11/policy/modules/apps/podsleuth.if --- nsaserefpolicy/policy/modules/apps/podsleuth.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/apps/podsleuth.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/podsleuth.if 2009-04-06 12:59:54.000000000 -0400 @@ -16,4 +16,32 @@ ') @@ -3302,9 +3262,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + role $2 types podsleuth_t; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.6.10/policy/modules/apps/podsleuth.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.6.11/policy/modules/apps/podsleuth.te --- nsaserefpolicy/policy/modules/apps/podsleuth.te 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/podsleuth.te 2009-04-03 16:33:08.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/podsleuth.te 2009-04-06 12:59:54.000000000 -0400 @@ -11,21 +11,68 @@ application_domain(podsleuth_t, podsleuth_exec_t) role system_r types podsleuth_t; @@ -3376,15 +3336,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(podsleuth_t) dbus_system_bus_client(podsleuth_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.6.10/policy/modules/apps/pulseaudio.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.6.11/policy/modules/apps/pulseaudio.fc --- nsaserefpolicy/policy/modules/apps/pulseaudio.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/pulseaudio.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/pulseaudio.fc 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,2 @@ + +/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.10/policy/modules/apps/pulseaudio.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.11/policy/modules/apps/pulseaudio.if --- nsaserefpolicy/policy/modules/apps/pulseaudio.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/pulseaudio.if 2009-04-06 08:51:37.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/pulseaudio.if 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,148 @@ + +## policy for pulseaudio @@ -3534,9 +3494,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow nsplugin_t pulseaudio_t:process signull; + allow $1 pulseaudio_t:unix_stream_socket connectto; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.10/policy/modules/apps/pulseaudio.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.11/policy/modules/apps/pulseaudio.te --- nsaserefpolicy/policy/modules/apps/pulseaudio.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/pulseaudio.te 2009-04-03 17:26:42.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/pulseaudio.te 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,109 @@ +policy_module(pulseaudio,1.0.0) + @@ -3647,17 +3607,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.10/policy/modules/apps/qemu.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.11/policy/modules/apps/qemu.fc --- nsaserefpolicy/policy/modules/apps/qemu.fc 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/apps/qemu.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/qemu.fc 2009-04-06 12:59:54.000000000 -0400 @@ -1,2 +1,2 @@ -/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) -/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/bin/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.6.10/policy/modules/apps/qemu.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.6.11/policy/modules/apps/qemu.if --- nsaserefpolicy/policy/modules/apps/qemu.if 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/qemu.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/qemu.if 2009-04-06 12:59:54.000000000 -0400 @@ -40,6 +40,93 @@ qemu_domtrans($1) @@ -3964,10 +3924,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - ') + manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.10/policy/modules/apps/qemu.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.11/policy/modules/apps/qemu.te --- nsaserefpolicy/policy/modules/apps/qemu.te 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/qemu.te 2009-03-30 10:09:41.000000000 -0400 -@@ -13,28 +13,83 @@ ++++ serefpolicy-3.6.11/policy/modules/apps/qemu.te 2009-04-06 13:07:12.000000000 -0400 +@@ -13,28 +13,96 @@ ## gen_tunable(qemu_full_network, false) @@ -3992,6 +3952,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +gen_tunable(qemu_use_cifs, true) + ++## ++##

++## Allow qemu to user serial/parallell communication ports ++##

++##
++gen_tunable(qemu_use_comm, false) ++ ++ type qemu_exec_t; -qemu_domain_template(qemu) +virt_domain_template(qemu) @@ -4024,6 +3992,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_connect_all_ports(qemu_t) ') ++tunable_policy(`qemu_use_comm',` ++ term_use_unallocated_ttys(sqemu_t) ++ dev_rw_printer(sqemu_t) ++') ++ +tunable_policy(`qemu_use_nfs',` + fs_manage_nfs_dirs(qemu_t) + fs_manage_nfs_files(qemu_t) @@ -4059,23 +4032,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # qemu_unconfined local policy -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.6.10/policy/modules/apps/sambagui.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.6.11/policy/modules/apps/sambagui.fc --- nsaserefpolicy/policy/modules/apps/sambagui.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/sambagui.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/sambagui.fc 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,4 @@ +/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0) + + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.6.10/policy/modules/apps/sambagui.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.6.11/policy/modules/apps/sambagui.if --- nsaserefpolicy/policy/modules/apps/sambagui.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/sambagui.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/sambagui.if 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,2 @@ +## system-config-samba policy + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.10/policy/modules/apps/sambagui.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.11/policy/modules/apps/sambagui.te --- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/sambagui.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/sambagui.te 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,59 @@ +policy_module(sambagui,1.0.0) + @@ -4136,9 +4109,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +permissive sambagui_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.10/policy/modules/apps/vmware.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.11/policy/modules/apps/vmware.te --- nsaserefpolicy/policy/modules/apps/vmware.te 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/vmware.te 2009-03-30 11:15:35.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/vmware.te 2009-04-06 12:59:54.000000000 -0400 @@ -29,6 +29,10 @@ type vmware_host_exec_t; init_daemon_domain(vmware_host_t, vmware_host_exec_t) @@ -4227,9 +4200,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_search_auto_mountpoints(vmware_t) storage_raw_read_removable_device(vmware_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.6.10/policy/modules/apps/wine.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.6.11/policy/modules/apps/wine.fc --- nsaserefpolicy/policy/modules/apps/wine.fc 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/apps/wine.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/wine.fc 2009-04-06 12:59:54.000000000 -0400 @@ -1,4 +1,21 @@ -/usr/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) +/usr/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) @@ -4255,9 +4228,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/opt/cxoffice/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) -/opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.10/policy/modules/apps/wine.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.11/policy/modules/apps/wine.if --- nsaserefpolicy/policy/modules/apps/wine.if 2008-11-11 16:13:41.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/wine.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/wine.if 2009-04-06 12:59:54.000000000 -0400 @@ -43,3 +43,63 @@ wine_domtrans($1) role $2 types wine_t; @@ -4322,9 +4295,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + relabel_lnk_files_pattern($2, wine_home_t, wine_home_t) + +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.10/policy/modules/apps/wine.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.11/policy/modules/apps/wine.te --- nsaserefpolicy/policy/modules/apps/wine.te 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/wine.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/wine.te 2009-04-06 12:59:54.000000000 -0400 @@ -9,6 +9,7 @@ type wine_t; type wine_exec_t; @@ -4354,16 +4327,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_stream_connect(wine_t) + xserver_rw_shm(wine_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.fc serefpolicy-3.6.10/policy/modules/apps/wm.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.fc serefpolicy-3.6.11/policy/modules/apps/wm.fc --- nsaserefpolicy/policy/modules/apps/wm.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/wm.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/wm.fc 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,3 @@ +/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0) +/usr/bin/openbox -- gen_context(system_u:object_r:wm_exec_t,s0) +/usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.6.10/policy/modules/apps/wm.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.6.11/policy/modules/apps/wm.if --- nsaserefpolicy/policy/modules/apps/wm.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/wm.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/wm.if 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,108 @@ +## Window Manager. + @@ -4473,9 +4446,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_use_xdm($1_wm_t) + ') +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.te serefpolicy-3.6.10/policy/modules/apps/wm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.te serefpolicy-3.6.11/policy/modules/apps/wm.te --- nsaserefpolicy/policy/modules/apps/wm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/wm.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/apps/wm.te 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,9 @@ +policy_module(wm,0.0.4) + @@ -4486,9 +4459,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +type wm_exec_t; +corecmd_executable_file(wm_exec_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.10/policy/modules/kernel/corecommands.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.11/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-03-05 10:34:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/kernel/corecommands.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/kernel/corecommands.fc 2009-04-06 12:59:54.000000000 -0400 @@ -134,6 +134,8 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -4513,9 +4486,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib/wicd/monitor.py -- gen_context(system_u:object_r:bin_t, s0) + +/usr/lib(64)?/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.10/policy/modules/kernel/corecommands.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.11/policy/modules/kernel/corecommands.if --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/kernel/corecommands.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/kernel/corecommands.if 2009-04-06 12:59:54.000000000 -0400 @@ -893,6 +893,7 @@ read_lnk_files_pattern($1, bin_t, bin_t) @@ -4524,9 +4497,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.6.10/policy/modules/kernel/corenetwork.if.in +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.6.11/policy/modules/kernel/corenetwork.if.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2009-02-03 22:50:50.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/kernel/corenetwork.if.in 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/kernel/corenetwork.if.in 2009-04-06 12:59:54.000000000 -0400 @@ -1612,6 +1612,24 @@ ######################################## @@ -4577,9 +4550,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write the point-to-point device. ## ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.10/policy/modules/kernel/corenetwork.te.in +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.11/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-03-23 13:47:10.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/kernel/corenetwork.te.in 2009-04-03 17:02:58.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/kernel/corenetwork.te.in 2009-04-06 12:59:54.000000000 -0400 @@ -65,10 +65,12 @@ type server_packet_t, packet_type, server_packet_type; @@ -4712,9 +4685,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # network_node examples: #network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255) #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.10/policy/modules/kernel/devices.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.11/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-03-05 14:09:51.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/kernel/devices.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/kernel/devices.fc 2009-04-06 12:59:54.000000000 -0400 @@ -91,6 +91,7 @@ /dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0) /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) @@ -4723,9 +4696,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) /dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0) /dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.10/policy/modules/kernel/devices.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.11/policy/modules/kernel/devices.te --- nsaserefpolicy/policy/modules/kernel/devices.te 2009-03-05 12:28:57.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/kernel/devices.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/kernel/devices.te 2009-04-06 12:59:54.000000000 -0400 @@ -188,6 +188,12 @@ genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0) @@ -4739,9 +4712,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # urandom_device_t is the type of /dev/urandom # type urandom_device_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.10/policy/modules/kernel/domain.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.11/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/kernel/domain.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/kernel/domain.if 2009-04-06 12:59:54.000000000 -0400 @@ -629,6 +629,7 @@ dontaudit $1 unconfined_domain_type:dir search_dir_perms; @@ -4813,9 +4786,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Unconfined access to domains. ## ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.10/policy/modules/kernel/domain.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.11/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/kernel/domain.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/kernel/domain.te 2009-04-06 12:59:54.000000000 -0400 @@ -5,6 +5,13 @@ # # Declarations @@ -4930,9 +4903,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + userdom_relabelto_user_home_dirs(polydomain) + userdom_relabelto_user_home_files(polydomain) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.10/policy/modules/kernel/files.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.11/policy/modules/kernel/files.fc --- nsaserefpolicy/policy/modules/kernel/files.fc 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/kernel/files.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/kernel/files.fc 2009-04-06 12:59:54.000000000 -0400 @@ -8,6 +8,8 @@ /initrd\.img.* -l gen_context(system_u:object_r:boot_t,s0) /vmlinuz.* -l gen_context(system_u:object_r:boot_t,s0) @@ -4959,9 +4932,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) /var/lib/nfs/rpc_pipefs(/.*)? <> -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.10/policy/modules/kernel/files.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.11/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/kernel/files.if 2009-03-30 11:17:50.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/kernel/files.if 2009-04-06 12:59:54.000000000 -0400 @@ -110,6 +110,11 @@ ## # @@ -5302,9 +5275,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_lnk_files_pattern($1, root_t, root_t) + can_exec(kernel_t, root_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.10/policy/modules/kernel/files.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.11/policy/modules/kernel/files.te --- nsaserefpolicy/policy/modules/kernel/files.te 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/kernel/files.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/kernel/files.te 2009-04-06 12:59:54.000000000 -0400 @@ -52,7 +52,9 @@ # # etc_t is the type of the system etc directories. @@ -5328,15 +5301,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.6.10/policy/modules/kernel/filesystem.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.6.11/policy/modules/kernel/filesystem.fc --- nsaserefpolicy/policy/modules/kernel/filesystem.fc 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/kernel/filesystem.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/kernel/filesystem.fc 2009-04-06 12:59:54.000000000 -0400 @@ -1 +1 @@ -# This module currently does not have any file contexts. +/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.10/policy/modules/kernel/filesystem.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.11/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-03-04 16:49:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/kernel/filesystem.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/kernel/filesystem.if 2009-04-06 12:59:54.000000000 -0400 @@ -723,6 +723,24 @@ ######################################## @@ -5394,9 +5367,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.6.10/policy/modules/kernel/filesystem.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.6.11/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2009-03-04 15:43:10.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/kernel/filesystem.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/kernel/filesystem.te 2009-04-06 12:59:54.000000000 -0400 @@ -206,6 +206,10 @@ genfscon ntfs-3g / gen_context(system_u:object_r:dosfs_t,s0) genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0) @@ -5417,9 +5390,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol genfscon lustre / gen_context(system_u:object_r:nfs_t,s0) genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.10/policy/modules/kernel/kernel.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.11/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/kernel/kernel.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/kernel/kernel.if 2009-04-06 12:59:54.000000000 -0400 @@ -1197,6 +1197,26 @@ ') @@ -5543,9 +5516,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 kernel_t:unix_stream_socket connectto; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.10/policy/modules/kernel/kernel.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.11/policy/modules/kernel/kernel.te --- nsaserefpolicy/policy/modules/kernel/kernel.te 2009-02-03 22:50:50.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/kernel/kernel.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/kernel/kernel.te 2009-04-06 12:59:54.000000000 -0400 @@ -63,6 +63,15 @@ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) @@ -5645,9 +5618,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap }; + +files_boot(kernel_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.10/policy/modules/kernel/selinux.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.11/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/kernel/selinux.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/kernel/selinux.if 2009-04-06 12:59:54.000000000 -0400 @@ -40,7 +40,7 @@ # because of this statement, any module which @@ -5705,9 +5678,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_type($1) + mls_trusted_object($1) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.10/policy/modules/kernel/terminal.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.11/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2008-11-11 16:13:41.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/kernel/terminal.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/kernel/terminal.if 2009-04-06 12:59:54.000000000 -0400 @@ -173,7 +173,7 @@ dev_list_all_dev_nodes($1) @@ -5729,98 +5702,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.fc serefpolicy-3.6.10/policy/modules/roles/guest.fc ---- nsaserefpolicy/policy/modules/roles/guest.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/roles/guest.fc 2009-03-30 10:09:41.000000000 -0400 -@@ -0,0 +1 @@ -+# file contexts handled by userdomain and genhomedircon -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.if serefpolicy-3.6.10/policy/modules/roles/guest.if ---- nsaserefpolicy/policy/modules/roles/guest.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/roles/guest.if 2009-03-30 10:09:41.000000000 -0400 -@@ -0,0 +1,50 @@ -+## Least privledge terminal user role -+ -+######################################## -+## -+## Change to the guest role. -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`guest_role_change',` -+ gen_require(` -+ role guest_r; -+ ') -+ -+ allow $1 guest_r; -+') -+ -+######################################## -+## -+## Change from the guest role. -+## -+## -+##

-+## Change from the guest role to -+## the specified role. -+##

-+##

-+## This is an interface to support third party modules -+## and its use is not allowed in upstream reference -+## policy. -+##

-+##
-+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`guest_role_change_to',` -+ gen_require(` -+ role guest_r; -+ ') -+ -+ allow guest_r $1; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.10/policy/modules/roles/guest.te ---- nsaserefpolicy/policy/modules/roles/guest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/roles/guest.te 2009-03-30 10:09:41.000000000 -0400 -@@ -0,0 +1,26 @@ -+ -+policy_module(guest, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+role xguest_r; -+ -+userdom_restricted_user_template(guest) -+ -+######################################## -+# -+# Local policy -+# -+ -+optional_policy(` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.11/policy/modules/roles/guest.te +--- nsaserefpolicy/policy/modules/roles/guest.te 2009-04-06 12:42:08.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/roles/guest.te 2009-04-06 12:59:54.000000000 -0400 +@@ -16,7 +16,11 @@ + # + + optional_policy(` +- java_role(guest_r, guest_t) + java_role_template(guest, guest_r, guest_t) -+') -+ + ') + +-#gen_user(guest_u,, guest_r, s0, s0) +optional_policy(` + mono_role_template(guest, guest_r, guest_t) +') + +gen_user(guest_u, user, guest_r, s0, s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.10/policy/modules/roles/staff.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.11/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/roles/staff.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/roles/staff.te 2009-04-06 12:59:54.000000000 -0400 @@ -15,156 +15,90 @@ # Local policy # @@ -6011,9 +5912,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - xserver_role(staff_r, staff_t) + virt_stream_connect(staff_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.6.10/policy/modules/roles/sysadm.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.6.11/policy/modules/roles/sysadm.if --- nsaserefpolicy/policy/modules/roles/sysadm.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/roles/sysadm.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/roles/sysadm.if 2009-04-06 12:59:54.000000000 -0400 @@ -116,41 +116,6 @@ ######################################## @@ -6056,9 +5957,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Allow sysadm to execute a generic bin program in ## a specified domain. This is an explicit transition, ## requiring the caller to use setexeccon(). -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.10/policy/modules/roles/sysadm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.11/policy/modules/roles/sysadm.te --- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/roles/sysadm.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/roles/sysadm.te 2009-04-06 12:59:54.000000000 -0400 @@ -15,7 +15,7 @@ role sysadm_r; @@ -6345,9 +6246,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -optional_policy(` yam_run(sysadm_t, sysadm_r) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.10/policy/modules/roles/unprivuser.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.11/policy/modules/roles/unprivuser.te --- nsaserefpolicy/policy/modules/roles/unprivuser.te 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/roles/unprivuser.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/roles/unprivuser.te 2009-04-06 12:59:54.000000000 -0400 @@ -14,142 +14,13 @@ userdom_unpriv_user_template(user) @@ -6494,14 +6395,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - xserver_role(user_r, user_t) + setroubleshoot_dontaudit_stream_connect(user_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.fc serefpolicy-3.6.10/policy/modules/roles/webadm.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.fc serefpolicy-3.6.11/policy/modules/roles/webadm.fc --- nsaserefpolicy/policy/modules/roles/webadm.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/roles/webadm.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/roles/webadm.fc 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1 @@ +# No webadm file contexts. -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.if serefpolicy-3.6.10/policy/modules/roles/webadm.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.if serefpolicy-3.6.11/policy/modules/roles/webadm.if --- nsaserefpolicy/policy/modules/roles/webadm.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/roles/webadm.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/roles/webadm.if 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,50 @@ +## Web administrator role + @@ -6553,9 +6454,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow webadm_r $1; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.te serefpolicy-3.6.10/policy/modules/roles/webadm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.te serefpolicy-3.6.11/policy/modules/roles/webadm.te --- nsaserefpolicy/policy/modules/roles/webadm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/roles/webadm.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/roles/webadm.te 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,64 @@ + +policy_module(webadm, 1.0.0) @@ -6621,159 +6522,40 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + userdom_write_user_tmp_files(webadm_t) +') +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.fc serefpolicy-3.6.10/policy/modules/roles/xguest.fc ---- nsaserefpolicy/policy/modules/roles/xguest.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/roles/xguest.fc 2009-03-30 10:09:41.000000000 -0400 -@@ -0,0 +1 @@ -+# file contexts handled by userdomain and genhomedircon -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.if serefpolicy-3.6.10/policy/modules/roles/xguest.if ---- nsaserefpolicy/policy/modules/roles/xguest.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/roles/xguest.if 2009-03-30 10:09:41.000000000 -0400 -@@ -0,0 +1,50 @@ -+## Least privledge xwindows user role -+ -+######################################## -+## -+## Change to the xguest role. -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`xguest_role_change',` -+ gen_require(` -+ role xguest_r; -+ ') -+ -+ allow $1 xguest_r; -+') -+ -+######################################## -+## -+## Change from the xguest role. -+## -+## -+##

-+## Change from the xguest role to -+## the specified role. -+##

-+##

-+## This is an interface to support third party modules -+## and its use is not allowed in upstream reference -+## policy. -+##

-+##
-+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`xguest_role_change_to',` -+ gen_require(` -+ role xguest_r; -+ ') -+ -+ allow xguest_r $1; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.10/policy/modules/roles/xguest.te ---- nsaserefpolicy/policy/modules/roles/xguest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/roles/xguest.te 2009-03-30 10:09:41.000000000 -0400 -@@ -0,0 +1,87 @@ -+ -+policy_module(xguest, 1.0.0) -+ -+## -+##

-+## Allow xguest users to mount removable media -+##

-+##
-+gen_tunable(xguest_mount_media, true) -+ -+## -+##

-+## Allow xguest to configure Network Manager -+##

-+##
-+gen_tunable(xguest_connect_network, true) -+ -+## -+##

-+## Allow xguest to use blue tooth devices -+##

-+##
-+gen_tunable(xguest_use_bluetooth, true) -+ -+######################################## -+# -+# Declarations -+# -+ -+role xguest_r; -+ -+userdom_restricted_xwindows_user_template(xguest) -+ -+######################################## -+# -+# Local policy -+# -+ -+optional_policy(` -+ mozilla_role(xguest_r, xguest_t) -+') -+ -+optional_policy(` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.11/policy/modules/roles/xguest.te +--- nsaserefpolicy/policy/modules/roles/xguest.te 2009-04-06 12:42:08.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/roles/xguest.te 2009-04-06 12:59:54.000000000 -0400 +@@ -67,7 +67,11 @@ + ') + + optional_policy(` +- java_role(xguest_r, xguest_t) + java_role_template(xguest, xguest_r, xguest_t) +') + +optional_policy(` + mono_role_template(xguest, xguest_r, xguest_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +@@ -75,9 +79,13 @@ + ') + + optional_policy(` + nsplugin_role(xguest_r, xguest_t) +') + -+# Allow mounting of file systems +optional_policy(` -+ tunable_policy(`xguest_mount_media',` -+ hal_dbus_chat(xguest_t) -+ init_read_utmp(xguest_t) -+ auth_list_pam_console_data(xguest_t) -+ kernel_read_fs_sysctls(xguest_t) -+ files_dontaudit_getattr_boot_dirs(xguest_t) -+ files_search_mnt(xguest_t) -+ fs_manage_noxattr_fs_files(xguest_t) -+ fs_manage_noxattr_fs_dirs(xguest_t) -+ fs_manage_noxattr_fs_dirs(xguest_t) -+ fs_getattr_noxattr_fs(xguest_t) -+ fs_read_noxattr_fs_symlinks(xguest_t) -+ ') -+') -+ -+optional_policy(` -+ hal_dbus_chat(xguest_t) -+') -+ -+optional_policy(` -+ tunable_policy(`xguest_connect_network',` -+ networkmanager_dbus_chat(xguest_t) -+ ') -+') -+ -+optional_policy(` -+ tunable_policy(`xguest_use_bluetooth',` -+ bluetooth_dbus_chat(xguest_t) -+ ') -+') + tunable_policy(`xguest_connect_network',` + networkmanager_dbus_chat(xguest_t) + ') + ') + +-#gen_user(xguest_u,, xguest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.fc serefpolicy-3.6.10/policy/modules/services/afs.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.fc serefpolicy-3.6.11/policy/modules/services/afs.fc --- nsaserefpolicy/policy/modules/services/afs.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/afs.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/afs.fc 2009-04-06 12:59:54.000000000 -0400 @@ -1,3 +1,6 @@ +/etc/rc\.d/init\.d/openafs-client -- gen_context(system_u:object_r:afs_initrc_exec_t,s0) +/etc/rc\.d/init\.d/afs -- gen_context(system_u:object_r:afs_initrc_exec_t,s0) @@ -6795,9 +6577,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/vice/etc/afsd -- gen_context(system_u:object_r:afs_exec_t,s0) + +/var/cache/afs(/.*)? gen_context(system_u:object_r:afs_cache_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.if serefpolicy-3.6.10/policy/modules/services/afs.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.if serefpolicy-3.6.11/policy/modules/services/afs.if --- nsaserefpolicy/policy/modules/services/afs.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/afs.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/afs.if 2009-04-06 12:59:54.000000000 -0400 @@ -1 +1,110 @@ ## Andrew Filesystem server + @@ -6909,9 +6691,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $2 system_r; + +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.6.10/policy/modules/services/afs.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.6.11/policy/modules/services/afs.te --- nsaserefpolicy/policy/modules/services/afs.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/afs.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/afs.te 2009-04-06 12:59:54.000000000 -0400 @@ -6,6 +6,16 @@ # Declarations # @@ -6976,9 +6758,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +logging_send_syslog_msg(afs_t) + +permissive afs_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.10/policy/modules/services/apache.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.11/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/apache.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/apache.fc 2009-04-06 12:59:54.000000000 -0400 @@ -1,12 +1,13 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) @@ -7070,9 +6852,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) + +/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.10/policy/modules/services/apache.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.11/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/apache.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/apache.if 2009-04-06 12:59:54.000000000 -0400 @@ -13,21 +13,16 @@ # template(`apache_content_template',` @@ -7605,9 +7387,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + typeattribute $1 httpd_rw_content; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.10/policy/modules/services/apache.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.11/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/apache.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/apache.te 2009-04-06 12:59:54.000000000 -0400 @@ -19,6 +19,8 @@ # Declarations # @@ -8313,9 +8095,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t; +typealias httpd_sys_script_t alias httpd_fastcgi_script_t; +typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.10/policy/modules/services/automount.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.11/policy/modules/services/automount.te --- nsaserefpolicy/policy/modules/services/automount.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/automount.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/automount.te 2009-04-06 12:59:54.000000000 -0400 @@ -71,6 +71,7 @@ files_mounton_all_mountpoints(automount_t) files_mount_all_file_type_fs(automount_t) @@ -8357,9 +8139,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kerberos_read_config(automount_t) kerberos_dontaudit_write_config(automount_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.10/policy/modules/services/avahi.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.11/policy/modules/services/avahi.te --- nsaserefpolicy/policy/modules/services/avahi.te 2009-03-23 13:47:11.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/avahi.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/avahi.te 2009-04-06 12:59:54.000000000 -0400 @@ -33,6 +33,7 @@ allow avahi_t self:tcp_socket create_stream_socket_perms; allow avahi_t self:udp_socket create_socket_perms; @@ -8376,9 +8158,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.6.10/policy/modules/services/bind.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.6.11/policy/modules/services/bind.fc --- nsaserefpolicy/policy/modules/services/bind.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/bind.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/bind.fc 2009-04-06 12:59:54.000000000 -0400 @@ -1,17 +1,22 @@ /etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) +/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) @@ -8412,9 +8194,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0) /var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0) /var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.10/policy/modules/services/bind.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.11/policy/modules/services/bind.if --- nsaserefpolicy/policy/modules/services/bind.if 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/bind.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/bind.if 2009-04-06 12:59:54.000000000 -0400 @@ -38,6 +38,42 @@ ######################################## @@ -8511,10 +8293,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_list_pids($1) admin_pattern($1, named_var_run_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.6.10/policy/modules/services/bind.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.6.11/policy/modules/services/bind.te --- nsaserefpolicy/policy/modules/services/bind.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/bind.te 2009-03-30 10:09:41.000000000 -0400 -@@ -169,7 +169,7 @@ ++++ serefpolicy-3.6.11/policy/modules/services/bind.te 2009-04-06 12:59:54.000000000 -0400 +@@ -123,6 +123,7 @@ + corenet_sendrecv_dns_client_packets(named_t) + corenet_sendrecv_rndc_server_packets(named_t) + corenet_sendrecv_rndc_client_packets(named_t) ++corenet_udp_dontaudit_bind_all_reserved_ports(named_t) + corenet_udp_bind_all_unreserved_ports(named_t) + + dev_read_sysfs(named_t) +@@ -169,7 +170,7 @@ ') optional_policy(` @@ -8523,7 +8313,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -229,6 +229,7 @@ +@@ -229,6 +230,7 @@ files_search_pids(ndc_t) fs_getattr_xattr_fs(ndc_t) @@ -8531,9 +8321,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol init_use_fds(ndc_t) init_use_script_ptys(ndc_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.6.10/policy/modules/services/bitlbee.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.6.11/policy/modules/services/bitlbee.te --- nsaserefpolicy/policy/modules/services/bitlbee.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/bitlbee.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/bitlbee.te 2009-04-06 12:59:54.000000000 -0400 @@ -75,6 +75,8 @@ # grant read-only access to the user help files files_read_usr_files(bitlbee_t) @@ -8543,9 +8333,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_legacy_use_shared_libs(bitlbee_t) miscfiles_read_localization(bitlbee_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.6.10/policy/modules/services/certmaster.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.6.11/policy/modules/services/certmaster.fc --- nsaserefpolicy/policy/modules/services/certmaster.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/certmaster.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/certmaster.fc 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,9 @@ + +/etc/rc\.d/init\.d/certmaster -- gen_context(system_u:object_r:certmaster_initrc_exec_t,s0) @@ -8556,9 +8346,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0) + +/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.if serefpolicy-3.6.10/policy/modules/services/certmaster.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.if serefpolicy-3.6.11/policy/modules/services/certmaster.if --- nsaserefpolicy/policy/modules/services/certmaster.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/certmaster.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/certmaster.if 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,123 @@ +## policy for certmaster + @@ -8683,9 +8473,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_list_var_lib($1) + admin_pattern($1, certmaster_var_lib_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.10/policy/modules/services/certmaster.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.11/policy/modules/services/certmaster.te --- nsaserefpolicy/policy/modules/services/certmaster.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/certmaster.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/certmaster.te 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,79 @@ +policy_module(certmaster,1.0.0) + @@ -8766,9 +8556,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +miscfiles_manage_cert_files(certmaster_t) + +permissive certmaster_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.6.10/policy/modules/services/clamav.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.6.11/policy/modules/services/clamav.fc --- nsaserefpolicy/policy/modules/services/clamav.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/clamav.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/clamav.fc 2009-04-06 12:59:54.000000000 -0400 @@ -1,20 +1,23 @@ /etc/clamav(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0) +/etc/rc\.d/init\.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0) @@ -8798,9 +8588,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0) +/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.6.10/policy/modules/services/clamav.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.6.11/policy/modules/services/clamav.if --- nsaserefpolicy/policy/modules/services/clamav.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/clamav.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/clamav.if 2009-04-06 12:59:54.000000000 -0400 @@ -38,6 +38,27 @@ ######################################## @@ -8917,9 +8707,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, freshclam_var_log_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.10/policy/modules/services/clamav.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.11/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/clamav.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/clamav.te 2009-04-06 12:59:54.000000000 -0400 @@ -13,7 +13,10 @@ # configuration files @@ -9005,9 +8795,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` apache_read_sys_content(clamscan_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.6.10/policy/modules/services/consolekit.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.6.11/policy/modules/services/consolekit.fc --- nsaserefpolicy/policy/modules/services/consolekit.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/consolekit.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/consolekit.fc 2009-04-06 12:59:54.000000000 -0400 @@ -1,3 +1,6 @@ /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) @@ -9015,9 +8805,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/ConsoleKit(/.*)? -- gen_context(system_u:object_r:consolekit_var_run_t,s0) + +/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.6.10/policy/modules/services/consolekit.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.6.11/policy/modules/services/consolekit.if --- nsaserefpolicy/policy/modules/services/consolekit.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/consolekit.if 2009-04-03 16:41:51.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/consolekit.if 2009-04-06 12:59:54.000000000 -0400 @@ -38,3 +38,24 @@ allow $1 consolekit_t:dbus send_msg; allow consolekit_t $1:dbus send_msg; @@ -9043,9 +8833,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.10/policy/modules/services/consolekit.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.11/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/consolekit.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/consolekit.te 2009-04-06 12:59:54.000000000 -0400 @@ -13,6 +13,9 @@ type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) @@ -9155,9 +8945,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_dontaudit_rw_cifs_files(consolekit_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.6.10/policy/modules/services/courier.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.6.11/policy/modules/services/courier.if --- nsaserefpolicy/policy/modules/services/courier.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/courier.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/courier.if 2009-04-06 12:59:54.000000000 -0400 @@ -179,6 +179,24 @@ ######################################## @@ -9183,9 +8973,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write to courier spool pipes. ## ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.6.10/policy/modules/services/courier.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.6.11/policy/modules/services/courier.te --- nsaserefpolicy/policy/modules/services/courier.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/courier.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/courier.te 2009-04-06 12:59:54.000000000 -0400 @@ -10,6 +10,7 @@ type courier_etc_t; @@ -9194,9 +8984,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol courier_domain_template(pcp) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.10/policy/modules/services/cron.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.11/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/cron.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/cron.fc 2009-04-06 12:59:54.000000000 -0400 @@ -1,3 +1,4 @@ +/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) @@ -9228,9 +9018,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) + +/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.10/policy/modules/services/cron.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.11/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/cron.if 2009-04-02 11:21:32.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/cron.if 2009-04-06 12:59:54.000000000 -0400 @@ -12,6 +12,10 @@ ## # @@ -9536,9 +9326,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + init_labeled_script_domtrans($1, crond_initrc_exec_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.10/policy/modules/services/cron.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.11/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/cron.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/cron.te 2009-04-06 12:59:54.000000000 -0400 @@ -38,6 +38,10 @@ type cron_var_lib_t; files_type(cron_var_lib_t) @@ -9866,9 +9656,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`fcron_crond', ` allow crond_t user_cron_spool_t:file manage_file_perms; ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.10/policy/modules/services/cups.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.11/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/cups.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/cups.fc 2009-04-06 12:59:54.000000000 -0400 @@ -5,27 +5,38 @@ /etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) @@ -9942,9 +9732,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + +/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.6.10/policy/modules/services/cups.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.6.11/policy/modules/services/cups.if --- nsaserefpolicy/policy/modules/services/cups.if 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/cups.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/cups.if 2009-04-06 12:59:54.000000000 -0400 @@ -20,6 +20,30 @@ ######################################## @@ -10069,9 +9859,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + admin_pattern($1, hplip_var_run_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.10/policy/modules/services/cups.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.11/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/cups.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/cups.te 2009-04-06 12:59:54.000000000 -0400 @@ -20,9 +20,18 @@ type cupsd_etc_t; files_config_file(cupsd_etc_t) @@ -10489,18 +10279,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) +miscfiles_read_fonts(cups_pdf_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.10/policy/modules/services/cvs.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.11/policy/modules/services/cvs.te --- nsaserefpolicy/policy/modules/services/cvs.te 2009-03-23 13:47:11.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/cvs.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/cvs.te 2009-04-06 12:59:54.000000000 -0400 @@ -112,4 +112,5 @@ read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) + files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.6.10/policy/modules/services/dbus.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.6.11/policy/modules/services/dbus.fc --- nsaserefpolicy/policy/modules/services/dbus.fc 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/dbus.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/dbus.fc 2009-04-06 12:59:54.000000000 -0400 @@ -4,6 +4,9 @@ /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) /bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0) @@ -10511,9 +10301,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.10/policy/modules/services/dbus.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.11/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/dbus.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/dbus.if 2009-04-06 12:59:54.000000000 -0400 @@ -44,6 +44,7 @@ attribute session_bus_type; @@ -10707,9 +10497,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 system_dbusd_t:tcp_socket { read write }; + allow $1 system_dbusd_t:fd use; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.10/policy/modules/services/dbus.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.11/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/dbus.te 2009-04-06 08:40:45.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/dbus.te 2009-04-06 12:59:54.000000000 -0400 @@ -9,14 +9,15 @@ # # Delcarations @@ -10841,9 +10631,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow dbusd_unconfined session_bus_type:dbus all_dbus_perms; +allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms; +allow session_bus_type dbusd_unconfined:dbus send_msg; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.fc serefpolicy-3.6.10/policy/modules/services/dcc.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.fc serefpolicy-3.6.11/policy/modules/services/dcc.fc --- nsaserefpolicy/policy/modules/services/dcc.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/dcc.fc 2009-04-03 11:39:16.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/dcc.fc 2009-04-06 12:59:54.000000000 -0400 @@ -12,6 +12,8 @@ /var/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0) @@ -10853,9 +10643,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0) /var/run/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.10/policy/modules/services/dcc.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.11/policy/modules/services/dcc.te --- nsaserefpolicy/policy/modules/services/dcc.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/dcc.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/dcc.te 2009-04-06 12:59:54.000000000 -0400 @@ -137,6 +137,7 @@ corenet_all_recvfrom_unlabeled(dcc_client_t) @@ -10864,9 +10654,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_udp_sendrecv_generic_if(dcc_client_t) corenet_udp_sendrecv_generic_node(dcc_client_t) corenet_udp_sendrecv_all_ports(dcc_client_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.10/policy/modules/services/devicekit.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.11/policy/modules/services/devicekit.fc --- nsaserefpolicy/policy/modules/services/devicekit.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/devicekit.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/devicekit.fc 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,8 @@ + +/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0) @@ -10876,9 +10666,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0) + +/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.10/policy/modules/services/devicekit.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.11/policy/modules/services/devicekit.if --- nsaserefpolicy/policy/modules/services/devicekit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/devicekit.if 2009-04-03 16:46:10.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/devicekit.if 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,197 @@ + +## policy for devicekit @@ -11077,9 +10867,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 devicekit_disk_t:dbus send_msg; + allow devicekit_disk_t $1:dbus send_msg; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.10/policy/modules/services/devicekit.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.11/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/devicekit.te 2009-04-03 08:12:27.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/devicekit.te 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,211 @@ +policy_module(devicekit,1.0.0) + @@ -11292,9 +11082,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + consolekit_dbus_chat(devicekit_disk_t) + ') +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.6.10/policy/modules/services/dhcp.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.6.11/policy/modules/services/dhcp.if --- nsaserefpolicy/policy/modules/services/dhcp.if 2008-11-18 18:57:20.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/dhcp.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/dhcp.if 2009-04-06 12:59:54.000000000 -0400 @@ -22,6 +22,25 @@ ######################################## @@ -11321,9 +11111,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate ## an dhcp environment ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.6.10/policy/modules/services/dnsmasq.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.6.11/policy/modules/services/dnsmasq.if --- nsaserefpolicy/policy/modules/services/dnsmasq.if 2009-03-23 13:47:11.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/dnsmasq.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/dnsmasq.if 2009-04-06 12:59:54.000000000 -0400 @@ -22,6 +22,25 @@ ######################################## @@ -11350,9 +11140,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send dnsmasq a signal ## ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.10/policy/modules/services/dnsmasq.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.11/policy/modules/services/dnsmasq.te --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2009-03-23 13:47:11.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/dnsmasq.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/dnsmasq.te 2009-04-06 12:59:54.000000000 -0400 @@ -42,8 +42,7 @@ files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file) @@ -11378,9 +11168,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(dnsmasq_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.6.10/policy/modules/services/dovecot.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.6.11/policy/modules/services/dovecot.fc --- nsaserefpolicy/policy/modules/services/dovecot.fc 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/dovecot.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/dovecot.fc 2009-04-06 12:59:54.000000000 -0400 @@ -6,6 +6,7 @@ /etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) @@ -11414,9 +11204,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0) + /var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.6.10/policy/modules/services/dovecot.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.6.11/policy/modules/services/dovecot.if --- nsaserefpolicy/policy/modules/services/dovecot.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/dovecot.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/dovecot.if 2009-04-06 12:59:54.000000000 -0400 @@ -21,7 +21,46 @@ ######################################## @@ -11526,9 +11316,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.10/policy/modules/services/dovecot.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.11/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/dovecot.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/dovecot.te 2009-04-06 12:59:54.000000000 -0400 @@ -15,12 +15,21 @@ domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t) role system_r types dovecot_auth_t; @@ -11711,9 +11501,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + mta_manage_spool(dovecot_deliver_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.6.10/policy/modules/services/exim.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.6.11/policy/modules/services/exim.if --- nsaserefpolicy/policy/modules/services/exim.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/exim.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/exim.if 2009-04-06 12:59:54.000000000 -0400 @@ -97,6 +97,26 @@ ######################################## @@ -11765,9 +11555,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_dirs_pattern($1, exim_spool_t, exim_spool_t) + files_search_spool($1) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.10/policy/modules/services/exim.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.11/policy/modules/services/exim.te --- nsaserefpolicy/policy/modules/services/exim.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/exim.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/exim.te 2009-04-06 12:59:54.000000000 -0400 @@ -21,9 +21,20 @@ ## gen_tunable(exim_manage_user_files, false) @@ -11922,9 +11712,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + spamassassin_exec(exim_t) + spamassassin_exec_client(exim_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.6.10/policy/modules/services/fail2ban.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.6.11/policy/modules/services/fail2ban.te --- nsaserefpolicy/policy/modules/services/fail2ban.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/fail2ban.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/fail2ban.te 2009-04-06 12:59:54.000000000 -0400 @@ -26,6 +26,7 @@ # fail2ban local policy # @@ -11933,9 +11723,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow fail2ban_t self:process signal; allow fail2ban_t self:fifo_file rw_fifo_file_perms; allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms }; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.10/policy/modules/services/ftp.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.11/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/ftp.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/ftp.te 2009-04-06 12:59:54.000000000 -0400 @@ -26,7 +26,7 @@ ## ##

@@ -12051,16 +11841,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(ftpd_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.6.10/policy/modules/services/gnomeclock.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.6.11/policy/modules/services/gnomeclock.fc --- nsaserefpolicy/policy/modules/services/gnomeclock.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/gnomeclock.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/gnomeclock.fc 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,3 @@ + +/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.6.10/policy/modules/services/gnomeclock.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.6.11/policy/modules/services/gnomeclock.if --- nsaserefpolicy/policy/modules/services/gnomeclock.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/gnomeclock.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/gnomeclock.if 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,69 @@ + +##

policy for gnomeclock @@ -12131,9 +11921,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 gnomeclock_t:dbus send_msg; + allow gnomeclock_t $1:dbus send_msg; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.6.10/policy/modules/services/gnomeclock.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.6.11/policy/modules/services/gnomeclock.te --- nsaserefpolicy/policy/modules/services/gnomeclock.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/gnomeclock.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/gnomeclock.te 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,51 @@ +policy_module(gnomeclock, 1.0.0) +######################################## @@ -12186,9 +11976,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + polkit_read_reload(gnomeclock_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.te serefpolicy-3.6.10/policy/modules/services/gpm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.te serefpolicy-3.6.11/policy/modules/services/gpm.te --- nsaserefpolicy/policy/modules/services/gpm.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/gpm.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/gpm.te 2009-04-06 12:59:54.000000000 -0400 @@ -54,6 +54,8 @@ dev_rw_input_dev(gpm_t) dev_rw_mouse(gpm_t) @@ -12198,16 +11988,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(gpm_t) fs_search_auto_mountpoints(gpm_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.6.10/policy/modules/services/gpsd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.6.11/policy/modules/services/gpsd.fc --- nsaserefpolicy/policy/modules/services/gpsd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/gpsd.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/gpsd.fc 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,3 @@ + +/usr/sbin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.if serefpolicy-3.6.10/policy/modules/services/gpsd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.if serefpolicy-3.6.11/policy/modules/services/gpsd.if --- nsaserefpolicy/policy/modules/services/gpsd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/gpsd.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/gpsd.if 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,83 @@ +## gpsd monitor daemon + @@ -12292,9 +12082,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) + read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.6.10/policy/modules/services/gpsd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.6.11/policy/modules/services/gpsd.te --- nsaserefpolicy/policy/modules/services/gpsd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/gpsd.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/gpsd.te 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,52 @@ +policy_module(gpsd,1.0.0) + @@ -12348,9 +12138,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.6.10/policy/modules/services/hal.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.6.11/policy/modules/services/hal.fc --- nsaserefpolicy/policy/modules/services/hal.fc 2008-11-19 11:51:44.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/hal.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/hal.fc 2009-04-06 12:59:54.000000000 -0400 @@ -5,6 +5,7 @@ /usr/bin/hal-setup-keymap -- gen_context(system_u:object_r:hald_keymap_exec_t,s0) @@ -12359,9 +12149,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0) /usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0) /usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.10/policy/modules/services/hal.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.11/policy/modules/services/hal.if --- nsaserefpolicy/policy/modules/services/hal.if 2008-11-19 11:51:44.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/hal.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/hal.if 2009-04-06 12:59:54.000000000 -0400 @@ -20,6 +20,24 @@ ######################################## @@ -12462,9 +12252,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + logging_log_filetrans($1, hald_log_t, file) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.10/policy/modules/services/hal.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.11/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/hal.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/hal.te 2009-04-06 12:59:54.000000000 -0400 @@ -49,6 +49,15 @@ type hald_var_lib_t; files_type(hald_var_lib_t) @@ -12642,9 +12432,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +miscfiles_read_localization(hald_dccm_t) + +permissive hald_dccm_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ifplugd.fc serefpolicy-3.6.10/policy/modules/services/ifplugd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ifplugd.fc serefpolicy-3.6.11/policy/modules/services/ifplugd.fc --- nsaserefpolicy/policy/modules/services/ifplugd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/ifplugd.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/ifplugd.fc 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,9 @@ + +/etc/ifplugd(/.*)? gen_context(system_u:object_r:ifplugd_etc_t,s0) @@ -12655,9 +12445,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/var/run/ifplugd.* gen_context(system_u:object_r:ifplugd_var_run_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ifplugd.if serefpolicy-3.6.10/policy/modules/services/ifplugd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ifplugd.if serefpolicy-3.6.11/policy/modules/services/ifplugd.if --- nsaserefpolicy/policy/modules/services/ifplugd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/ifplugd.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/ifplugd.if 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,194 @@ +## policy for ifplugd + @@ -12853,9 +12643,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, ifplugd_var_run_t) + +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ifplugd.te serefpolicy-3.6.10/policy/modules/services/ifplugd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ifplugd.te serefpolicy-3.6.11/policy/modules/services/ifplugd.te --- nsaserefpolicy/policy/modules/services/ifplugd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/ifplugd.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/ifplugd.te 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,89 @@ +policy_module(ifplugd,1.0.0) + @@ -12946,9 +12736,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +permissive ifplugd_t; + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.6.10/policy/modules/services/kerneloops.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.6.11/policy/modules/services/kerneloops.if --- nsaserefpolicy/policy/modules/services/kerneloops.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/kerneloops.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/kerneloops.if 2009-04-06 12:59:54.000000000 -0400 @@ -63,6 +63,25 @@ ######################################## @@ -12991,9 +12781,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, kerneloops_tmp_t) ') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.6.10/policy/modules/services/kerneloops.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.6.11/policy/modules/services/kerneloops.te --- nsaserefpolicy/policy/modules/services/kerneloops.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/kerneloops.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/kerneloops.te 2009-04-06 12:59:54.000000000 -0400 @@ -13,6 +13,9 @@ type kerneloops_initrc_exec_t; init_script_file(kerneloops_initrc_exec_t) @@ -13026,9 +12816,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - dbus_connect_system_bus(kerneloops_t) + dbus_system_domain(kerneloops_t, kerneloops_exec_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.6.10/policy/modules/services/ktalk.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.6.11/policy/modules/services/ktalk.te --- nsaserefpolicy/policy/modules/services/ktalk.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/ktalk.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/ktalk.te 2009-04-06 12:59:54.000000000 -0400 @@ -69,6 +69,7 @@ files_read_etc_files(ktalkd_t) @@ -13037,9 +12827,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(ktalkd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.fc serefpolicy-3.6.10/policy/modules/services/lircd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.fc serefpolicy-3.6.11/policy/modules/services/lircd.fc --- nsaserefpolicy/policy/modules/services/lircd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/lircd.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/lircd.fc 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,9 @@ + +/dev/lircd -s gen_context(system_u:object_r:lircd_sock_t,s0) @@ -13050,9 +12840,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0) + +/var/run/lircd\.pid gen_context(system_u:object_r:lircd_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.if serefpolicy-3.6.10/policy/modules/services/lircd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.if serefpolicy-3.6.11/policy/modules/services/lircd.if --- nsaserefpolicy/policy/modules/services/lircd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/lircd.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/lircd.if 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,100 @@ +## Lirc daemon + @@ -13154,9 +12944,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, lircd_sock_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.10/policy/modules/services/lircd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.11/policy/modules/services/lircd.te --- nsaserefpolicy/policy/modules/services/lircd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/lircd.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/lircd.te 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,55 @@ +policy_module(lircd,1.0.0) + @@ -13213,17 +13003,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +miscfiles_read_localization(lircd_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.6.10/policy/modules/services/mailman.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.6.11/policy/modules/services/mailman.fc --- nsaserefpolicy/policy/modules/services/mailman.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/mailman.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/mailman.fc 2009-04-06 12:59:54.000000000 -0400 @@ -31,3 +31,4 @@ /var/lock/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0) /var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) ') +/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.6.10/policy/modules/services/mailman.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.6.11/policy/modules/services/mailman.if --- nsaserefpolicy/policy/modules/services/mailman.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/mailman.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/mailman.if 2009-04-06 12:59:54.000000000 -0400 @@ -31,6 +31,12 @@ allow mailman_$1_t self:tcp_socket create_stream_socket_perms; allow mailman_$1_t self:udp_socket create_socket_perms; @@ -13287,9 +13077,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Append to mailman logs. ## ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.10/policy/modules/services/mailman.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.11/policy/modules/services/mailman.te --- nsaserefpolicy/policy/modules/services/mailman.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/mailman.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/mailman.te 2009-04-06 12:59:54.000000000 -0400 @@ -53,10 +53,8 @@ apache_use_fds(mailman_cgi_t) apache_dontaudit_append_log(mailman_cgi_t) @@ -13356,9 +13146,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` cron_system_entry(mailman_queue_t, mailman_queue_exec_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.10/policy/modules/services/mta.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.11/policy/modules/services/mta.fc --- nsaserefpolicy/policy/modules/services/mta.fc 2008-09-12 10:48:05.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/mta.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/mta.fc 2009-04-06 12:59:54.000000000 -0400 @@ -1,4 +1,4 @@ -/bin/mail -- gen_context(system_u:object_r:sendmail_exec_t,s0) +/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) @@ -13389,9 +13179,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -#') +HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0) +/root/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.10/policy/modules/services/mta.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.11/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/mta.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/mta.if 2009-04-06 12:59:54.000000000 -0400 @@ -130,6 +130,15 @@ sendmail_create_log($1_mail_t) ') @@ -13467,9 +13257,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.10/policy/modules/services/mta.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.11/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/mta.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/mta.te 2009-04-06 12:59:54.000000000 -0400 @@ -27,6 +27,9 @@ type mail_spool_t; files_mountpoint(mail_spool_t) @@ -13624,9 +13414,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # User send mail local policy -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.6.10/policy/modules/services/munin.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.6.11/policy/modules/services/munin.fc --- nsaserefpolicy/policy/modules/services/munin.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/munin.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/munin.fc 2009-04-06 12:59:54.000000000 -0400 @@ -1,4 +1,5 @@ /etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0) +/etc/rc\.d/init\.d/munin-node -- gen_context(system_u:object_r:munin_initrc_exec_t,s0) @@ -13644,9 +13434,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) +/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.6.10/policy/modules/services/munin.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.6.11/policy/modules/services/munin.if --- nsaserefpolicy/policy/modules/services/munin.if 2009-03-12 11:16:47.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/munin.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/munin.if 2009-04-06 12:59:54.000000000 -0400 @@ -59,8 +59,9 @@ type munin_log_t; ') @@ -13714,9 +13504,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, httpd_munin_content_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.10/policy/modules/services/munin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.11/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2009-03-12 11:16:47.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/munin.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/munin.te 2009-04-06 12:59:54.000000000 -0400 @@ -13,6 +13,9 @@ type munin_etc_t alias lrrd_etc_t; files_config_file(munin_etc_t) @@ -13851,9 +13641,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) +manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.6.10/policy/modules/services/mysql.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.6.11/policy/modules/services/mysql.fc --- nsaserefpolicy/policy/modules/services/mysql.fc 2008-11-18 18:57:20.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/mysql.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/mysql.fc 2009-04-06 12:59:54.000000000 -0400 @@ -12,6 +12,8 @@ # /usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0) @@ -13863,9 +13653,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0) # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.6.10/policy/modules/services/mysql.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.6.11/policy/modules/services/mysql.if --- nsaserefpolicy/policy/modules/services/mysql.if 2008-11-18 18:57:20.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/mysql.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/mysql.if 2009-04-06 12:59:54.000000000 -0400 @@ -121,6 +121,44 @@ allow $1 mysqld_db_t:dir rw_dir_perms; ') @@ -13972,9 +13762,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.10/policy/modules/services/mysql.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.11/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2009-03-12 11:16:47.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/mysql.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/mysql.te 2009-04-06 12:59:54.000000000 -0400 @@ -10,6 +10,10 @@ type mysqld_exec_t; init_daemon_domain(mysqld_t, mysqld_exec_t) @@ -14023,9 +13813,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +hostname_exec(mysqld_safe_t) + +permissive mysqld_safe_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.10/policy/modules/services/nagios.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.11/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/nagios.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/nagios.fc 2009-04-06 12:59:54.000000000 -0400 @@ -1,16 +1,19 @@ /etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) /etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) @@ -14050,9 +13840,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') +/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.10/policy/modules/services/nagios.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.11/policy/modules/services/nagios.if --- nsaserefpolicy/policy/modules/services/nagios.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/nagios.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/nagios.if 2009-04-06 12:59:54.000000000 -0400 @@ -44,7 +44,7 @@ ######################################## @@ -14172,9 +13962,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + admin_pattern($1, nrpe_etc_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.10/policy/modules/services/nagios.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.11/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/nagios.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/nagios.te 2009-04-06 12:59:54.000000000 -0400 @@ -10,13 +10,12 @@ type nagios_exec_t; init_daemon_domain(nagios_t, nagios_exec_t) @@ -14270,9 +14060,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.10/policy/modules/services/networkmanager.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.11/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/networkmanager.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/networkmanager.fc 2009-04-06 12:59:54.000000000 -0400 @@ -1,12 +1,25 @@ +/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t, s0) +/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) @@ -14299,9 +14089,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.10/policy/modules/services/networkmanager.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.11/policy/modules/services/networkmanager.if --- nsaserefpolicy/policy/modules/services/networkmanager.if 2008-09-11 11:28:34.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/networkmanager.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/networkmanager.if 2009-04-06 12:59:54.000000000 -0400 @@ -118,6 +118,24 @@ ######################################## @@ -14358,9 +14148,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + role $2 types NetworkManager_t; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.10/policy/modules/services/networkmanager.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.11/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/networkmanager.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/networkmanager.te 2009-04-06 12:59:54.000000000 -0400 @@ -19,6 +19,9 @@ type NetworkManager_tmp_t; files_tmp_file(NetworkManager_tmp_t) @@ -14590,9 +14380,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.6.10/policy/modules/services/nis.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.6.11/policy/modules/services/nis.fc --- nsaserefpolicy/policy/modules/services/nis.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/nis.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/nis.fc 2009-04-06 12:59:54.000000000 -0400 @@ -1,9 +1,13 @@ - +/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0) @@ -14608,9 +14398,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) /usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.6.10/policy/modules/services/nis.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.6.11/policy/modules/services/nis.if --- nsaserefpolicy/policy/modules/services/nis.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/nis.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/nis.if 2009-04-06 12:59:54.000000000 -0400 @@ -28,7 +28,7 @@ type var_yp_t; ') @@ -14788,9 +14578,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + role $2 types ypbind_t; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.10/policy/modules/services/nis.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.11/policy/modules/services/nis.te --- nsaserefpolicy/policy/modules/services/nis.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/nis.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/nis.te 2009-04-06 12:59:54.000000000 -0400 @@ -13,6 +13,9 @@ type ypbind_exec_t; init_daemon_domain(ypbind_t, ypbind_exec_t) @@ -14865,17 +14655,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t) corenet_tcp_connect_all_ports(ypxfr_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.6.10/policy/modules/services/nscd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.6.11/policy/modules/services/nscd.fc --- nsaserefpolicy/policy/modules/services/nscd.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/nscd.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/nscd.fc 2009-04-06 12:59:54.000000000 -0400 @@ -1,3 +1,4 @@ +/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0) /usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.6.10/policy/modules/services/nscd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.6.11/policy/modules/services/nscd.if --- nsaserefpolicy/policy/modules/services/nscd.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/nscd.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/nscd.if 2009-04-06 12:59:54.000000000 -0400 @@ -58,6 +58,42 @@ ######################################## @@ -14998,9 +14788,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, nscd_var_run_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.6.10/policy/modules/services/nscd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.6.11/policy/modules/services/nscd.te --- nsaserefpolicy/policy/modules/services/nscd.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/nscd.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/nscd.te 2009-04-06 12:59:54.000000000 -0400 @@ -20,6 +20,9 @@ type nscd_exec_t; init_daemon_domain(nscd_t, nscd_exec_t) @@ -15098,9 +14888,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + samba_read_config(nscd_t) + samba_read_var_files(nscd_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.6.10/policy/modules/services/ntp.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.6.11/policy/modules/services/ntp.if --- nsaserefpolicy/policy/modules/services/ntp.if 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/ntp.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/ntp.if 2009-04-06 12:59:54.000000000 -0400 @@ -37,6 +37,32 @@ ######################################## @@ -15198,9 +14988,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate ## an ntp environment ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.6.10/policy/modules/services/ntp.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.6.11/policy/modules/services/ntp.te --- nsaserefpolicy/policy/modules/services/ntp.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/ntp.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/ntp.te 2009-04-06 12:59:54.000000000 -0400 @@ -25,6 +25,9 @@ type ntpd_tmp_t; files_tmp_file(ntpd_tmp_t) @@ -15265,9 +15055,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol firstboot_dontaudit_use_fds(ntpd_t) firstboot_dontaudit_rw_pipes(ntpd_t) firstboot_dontaudit_rw_stream_sockets(ntpd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.6.10/policy/modules/services/nx.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.6.11/policy/modules/services/nx.te --- nsaserefpolicy/policy/modules/services/nx.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/nx.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/nx.te 2009-04-06 12:59:54.000000000 -0400 @@ -25,6 +25,9 @@ type nx_server_var_run_t; files_pid_file(nx_server_var_run_t) @@ -15288,18 +15078,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(nx_server_t) kernel_read_kernel_sysctls(nx_server_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.6.10/policy/modules/services/oddjob.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.6.11/policy/modules/services/oddjob.fc --- nsaserefpolicy/policy/modules/services/oddjob.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/oddjob.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/oddjob.fc 2009-04-06 12:59:54.000000000 -0400 @@ -1,4 +1,4 @@ -/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) +/usr/lib(64)?/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) /usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.6.10/policy/modules/services/oddjob.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.6.11/policy/modules/services/oddjob.if --- nsaserefpolicy/policy/modules/services/oddjob.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/oddjob.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/oddjob.if 2009-04-06 12:59:54.000000000 -0400 @@ -44,6 +44,7 @@ ') @@ -15337,9 +15127,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + oddjob_domtrans_mkhomedir($1) + role $2 types oddjob_mkhomedir_t; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.6.10/policy/modules/services/oddjob.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.6.11/policy/modules/services/oddjob.te --- nsaserefpolicy/policy/modules/services/oddjob.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/oddjob.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/oddjob.te 2009-04-06 12:59:54.000000000 -0400 @@ -10,14 +10,21 @@ type oddjob_exec_t; domain_type(oddjob_t) @@ -15396,9 +15186,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Add/remove user home directories userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t) userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.fc serefpolicy-3.6.10/policy/modules/services/pads.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.fc serefpolicy-3.6.11/policy/modules/services/pads.fc --- nsaserefpolicy/policy/modules/services/pads.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/pads.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/pads.fc 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,12 @@ + +/etc/pads-ether-codes -- gen_context(system_u:object_r:pads_config_t, s0) @@ -15412,9 +15202,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/var/run/pads.pid -- gen_context(system_u:object_r:pads_var_run_t, s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.if serefpolicy-3.6.10/policy/modules/services/pads.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.if serefpolicy-3.6.11/policy/modules/services/pads.if --- nsaserefpolicy/policy/modules/services/pads.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/pads.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/pads.if 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,10 @@ +## SELinux policy for PADS daemon. +## @@ -15426,9 +15216,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +##

+##
+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.te serefpolicy-3.6.10/policy/modules/services/pads.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.te serefpolicy-3.6.11/policy/modules/services/pads.te --- nsaserefpolicy/policy/modules/services/pads.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/pads.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/pads.te 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,65 @@ + +policy_module(pads, 0.0.1) @@ -15495,9 +15285,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + prelude_manage_spool(pads_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.6.10/policy/modules/services/pegasus.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.6.11/policy/modules/services/pegasus.te --- nsaserefpolicy/policy/modules/services/pegasus.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/pegasus.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/pegasus.te 2009-04-06 12:59:54.000000000 -0400 @@ -30,7 +30,7 @@ # Local policy # @@ -15569,9 +15359,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xen_stream_connect(pegasus_t) + xen_stream_connect_xenstore(pegasus_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.fc serefpolicy-3.6.10/policy/modules/services/pingd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.fc serefpolicy-3.6.11/policy/modules/services/pingd.fc --- nsaserefpolicy/policy/modules/services/pingd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/pingd.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/pingd.fc 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,11 @@ + +/etc/pingd.conf -- gen_context(system_u:object_r:pingd_etc_t,s0) @@ -15584,9 +15374,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.if serefpolicy-3.6.10/policy/modules/services/pingd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.if serefpolicy-3.6.11/policy/modules/services/pingd.if --- nsaserefpolicy/policy/modules/services/pingd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/pingd.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/pingd.if 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,99 @@ +## policy for pingd + @@ -15687,9 +15477,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.te serefpolicy-3.6.10/policy/modules/services/pingd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.te serefpolicy-3.6.11/policy/modules/services/pingd.te --- nsaserefpolicy/policy/modules/services/pingd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/pingd.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/pingd.te 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,54 @@ +policy_module(pingd,1.0.0) + @@ -15745,9 +15535,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.6.10/policy/modules/services/polkit.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.6.11/policy/modules/services/polkit.fc --- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/polkit.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/polkit.fc 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,11 @@ + +/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0) @@ -15760,9 +15550,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) + +/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:polkit_reload_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.10/policy/modules/services/polkit.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.11/policy/modules/services/polkit.if --- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/polkit.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/polkit.if 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,241 @@ + +## policy for polkit_auth @@ -16005,9 +15795,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 polkit_t:dbus send_msg; + allow polkit_t $1:dbus send_msg; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.6.10/policy/modules/services/polkit.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.6.11/policy/modules/services/polkit.te --- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/polkit.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/polkit.te 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,237 @@ +policy_module(polkit_auth, 1.0.0) + @@ -16246,9 +16036,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + unconfined_ptrace(polkit_resolve_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.fc serefpolicy-3.6.10/policy/modules/services/portreserve.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.fc serefpolicy-3.6.11/policy/modules/services/portreserve.fc --- nsaserefpolicy/policy/modules/services/portreserve.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/portreserve.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/portreserve.fc 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,12 @@ +# portreserve executable will have: +# label: system_u:object_r:portreserve_exec_t @@ -16262,9 +16052,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.if serefpolicy-3.6.10/policy/modules/services/portreserve.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.if serefpolicy-3.6.11/policy/modules/services/portreserve.if --- nsaserefpolicy/policy/modules/services/portreserve.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/portreserve.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/portreserve.if 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,66 @@ +## policy for portreserve + @@ -16332,9 +16122,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_files_pattern($1, portreserve_etc_t, portreserve_etc_t) + read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.6.10/policy/modules/services/portreserve.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.6.11/policy/modules/services/portreserve.te --- nsaserefpolicy/policy/modules/services/portreserve.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/portreserve.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/portreserve.te 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,51 @@ +policy_module(portreserve,1.0.0) + @@ -16387,9 +16177,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +#init_use_fds(portreserve_t) +#init_use_script_ptys(portreserve_t) +#domain_use_interactive_fds(portreserve_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.6.10/policy/modules/services/postfix.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.6.11/policy/modules/services/postfix.fc --- nsaserefpolicy/policy/modules/services/postfix.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/postfix.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/postfix.fc 2009-04-06 12:59:54.000000000 -0400 @@ -29,12 +29,10 @@ /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) @@ -16403,9 +16193,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0) /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.10/policy/modules/services/postfix.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.11/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/postfix.if 2009-04-06 08:26:28.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/postfix.if 2009-04-06 12:59:54.000000000 -0400 @@ -46,6 +46,7 @@ allow postfix_$1_t postfix_etc_t:dir list_dir_perms; @@ -16599,9 +16389,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.10/policy/modules/services/postfix.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.11/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/postfix.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/postfix.te 2009-04-06 12:59:54.000000000 -0400 @@ -6,6 +6,15 @@ # Declarations # @@ -16949,9 +16739,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +userdom_manage_user_home_content(postfix_virtual_t) +userdom_home_filetrans_user_home_dir(postfix_virtual_t) +userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir }) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.6.10/policy/modules/services/postgresql.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.6.11/policy/modules/services/postgresql.fc --- nsaserefpolicy/policy/modules/services/postgresql.fc 2008-08-14 13:08:27.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/postgresql.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/postgresql.fc 2009-04-06 12:59:54.000000000 -0400 @@ -2,6 +2,7 @@ # /etc # @@ -16960,9 +16750,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /usr -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.6.10/policy/modules/services/postgresql.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.6.11/policy/modules/services/postgresql.if --- nsaserefpolicy/policy/modules/services/postgresql.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/postgresql.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/postgresql.if 2009-04-06 12:59:54.000000000 -0400 @@ -351,3 +351,46 @@ typeattribute $1 sepgsql_unconfined_type; @@ -17010,9 +16800,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + admin_pattern($1, postgresql_tmp_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.10/policy/modules/services/postgresql.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.11/policy/modules/services/postgresql.te --- nsaserefpolicy/policy/modules/services/postgresql.te 2009-02-03 22:50:50.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/postgresql.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/postgresql.te 2009-04-06 12:59:54.000000000 -0400 @@ -32,6 +32,9 @@ type postgresql_etc_t; files_config_file(postgresql_etc_t) @@ -17066,9 +16856,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto }; allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.6.10/policy/modules/services/ppp.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.6.11/policy/modules/services/ppp.fc --- nsaserefpolicy/policy/modules/services/ppp.fc 2008-09-11 11:28:34.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/ppp.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/ppp.fc 2009-04-06 12:59:54.000000000 -0400 @@ -1,7 +1,7 @@ # # /etc @@ -17089,9 +16879,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /sbin -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.10/policy/modules/services/ppp.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.11/policy/modules/services/ppp.if --- nsaserefpolicy/policy/modules/services/ppp.if 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/ppp.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/ppp.if 2009-04-06 12:59:54.000000000 -0400 @@ -58,6 +58,25 @@ ######################################## @@ -17192,9 +16982,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - manage_files_pattern($1, pptp_var_run_t, pptp_var_run_t) + admin_pattern($1, pptp_var_run_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.10/policy/modules/services/ppp.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.11/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/ppp.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/ppp.te 2009-04-06 12:59:54.000000000 -0400 @@ -37,8 +37,8 @@ type pppd_etc_rw_t; files_type(pppd_etc_rw_t) @@ -17330,9 +17120,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - -# FIXME: -domtrans_pattern(pppd_t, pppd_script_exec_t, initrc_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.fc serefpolicy-3.6.10/policy/modules/services/prelude.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.fc serefpolicy-3.6.11/policy/modules/services/prelude.fc --- nsaserefpolicy/policy/modules/services/prelude.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/prelude.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/prelude.fc 2009-04-06 12:59:54.000000000 -0400 @@ -1,3 +1,9 @@ +/etc/prelude-correlator(/.*)? gen_context(system_u:object_r:prelude_correlator_config_t, s0) + @@ -17359,9 +17149,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/usr/bin/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_exec_t, s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.6.10/policy/modules/services/prelude.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.6.11/policy/modules/services/prelude.if --- nsaserefpolicy/policy/modules/services/prelude.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/prelude.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/prelude.if 2009-04-06 12:59:54.000000000 -0400 @@ -6,7 +6,7 @@ ## ## @@ -17474,9 +17264,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, prelude_lml_tmp_t) + admin_pattern($1, prelude_lml_var_run_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.6.10/policy/modules/services/prelude.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.6.11/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/prelude.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/prelude.te 2009-04-06 12:59:54.000000000 -0400 @@ -13,25 +13,57 @@ type prelude_spool_t; files_type(prelude_spool_t) @@ -17746,9 +17536,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` mysql_search_db(httpd_prewikka_script_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.10/policy/modules/services/procmail.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.11/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/procmail.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/procmail.te 2009-04-06 12:59:54.000000000 -0400 @@ -77,6 +77,7 @@ files_read_usr_files(procmail_t) @@ -17776,9 +17566,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol pyzor_domtrans(procmail_t) pyzor_signal(procmail_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.fc serefpolicy-3.6.10/policy/modules/services/psad.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.fc serefpolicy-3.6.11/policy/modules/services/psad.fc --- nsaserefpolicy/policy/modules/services/psad.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/psad.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/psad.fc 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,17 @@ + + @@ -17797,9 +17587,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/psad(/.*)? gen_context(system_u:object_r:psad_var_lib_t,s0) + +/var/log/psad(/.*)? gen_context(system_u:object_r:psad_var_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.if serefpolicy-3.6.10/policy/modules/services/psad.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.if serefpolicy-3.6.11/policy/modules/services/psad.if --- nsaserefpolicy/policy/modules/services/psad.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/psad.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/psad.if 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,304 @@ +## Psad SELinux policy + @@ -18105,9 +17895,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_search_tmp($1) + admin_pattern($1, psad_tmp_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.te serefpolicy-3.6.10/policy/modules/services/psad.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.te serefpolicy-3.6.11/policy/modules/services/psad.te --- nsaserefpolicy/policy/modules/services/psad.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/psad.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/psad.te 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,107 @@ +policy_module(psad,1.0.0) + @@ -18216,9 +18006,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +permissive psad_t; + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.10/policy/modules/services/pyzor.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.11/policy/modules/services/pyzor.fc --- nsaserefpolicy/policy/modules/services/pyzor.fc 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/pyzor.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/pyzor.fc 2009-04-06 12:59:54.000000000 -0400 @@ -1,6 +1,8 @@ /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) +/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0) @@ -18228,9 +18018,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.6.10/policy/modules/services/pyzor.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.6.11/policy/modules/services/pyzor.if --- nsaserefpolicy/policy/modules/services/pyzor.if 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/pyzor.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/pyzor.if 2009-04-06 12:59:54.000000000 -0400 @@ -88,3 +88,50 @@ corecmd_search_bin($1) can_exec($1, pyzor_exec_t) @@ -18282,9 +18072,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.10/policy/modules/services/pyzor.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.11/policy/modules/services/pyzor.te --- nsaserefpolicy/policy/modules/services/pyzor.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/pyzor.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/pyzor.te 2009-04-06 12:59:54.000000000 -0400 @@ -6,6 +6,38 @@ # Declarations # @@ -18341,9 +18131,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_search_user_home_dirs(pyzor_t) optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.10/policy/modules/services/razor.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.11/policy/modules/services/razor.if --- nsaserefpolicy/policy/modules/services/razor.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/razor.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/razor.if 2009-04-06 12:59:54.000000000 -0400 @@ -157,3 +157,45 @@ domtrans_pattern($1, razor_exec_t, razor_t) @@ -18390,9 +18180,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + read_files_pattern($1, razor_var_lib_t, razor_var_lib_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.6.10/policy/modules/services/razor.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.6.11/policy/modules/services/razor.te --- nsaserefpolicy/policy/modules/services/razor.te 2009-01-19 11:07:32.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/razor.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/razor.te 2009-04-06 12:59:54.000000000 -0400 @@ -6,6 +6,32 @@ # Declarations # @@ -18432,9 +18222,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') + +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.10/policy/modules/services/ricci.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.11/policy/modules/services/ricci.te --- nsaserefpolicy/policy/modules/services/ricci.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/ricci.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/ricci.te 2009-04-06 12:59:54.000000000 -0400 @@ -133,6 +133,8 @@ dev_read_urand(ricci_t) @@ -18539,9 +18329,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ccs_stream_connect(ricci_modstorage_t) ccs_read_config(ricci_modstorage_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.10/policy/modules/services/rpc.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.11/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2009-03-20 12:39:39.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/rpc.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/rpc.te 2009-04-06 12:59:54.000000000 -0400 @@ -23,7 +23,7 @@ gen_tunable(allow_nfsd_anon_write, false) @@ -18567,9 +18357,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_certs(gssd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.6.10/policy/modules/services/rshd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.6.11/policy/modules/services/rshd.te --- nsaserefpolicy/policy/modules/services/rshd.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/rshd.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/rshd.te 2009-04-06 12:59:54.000000000 -0400 @@ -51,7 +51,7 @@ files_list_home(rshd_t) @@ -18579,9 +18369,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_login_pgm_domain(rshd_t) auth_write_login_records(rshd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.10/policy/modules/services/samba.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.11/policy/modules/services/samba.fc --- nsaserefpolicy/policy/modules/services/samba.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/samba.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/samba.fc 2009-04-06 12:59:54.000000000 -0400 @@ -2,6 +2,9 @@ # # /etc @@ -18608,9 +18398,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +ifndef(`enable_mls',` +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.6.10/policy/modules/services/samba.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.6.11/policy/modules/services/samba.if --- nsaserefpolicy/policy/modules/services/samba.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/samba.if 2009-04-01 15:42:15.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/samba.if 2009-04-06 12:59:54.000000000 -0400 @@ -4,6 +4,45 @@ ## from Windows NT servers. ## @@ -19008,9 +18798,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, samba_unconfined_script_exec_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.10/policy/modules/services/samba.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.11/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/samba.te 2009-04-01 15:20:37.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/samba.te 2009-04-06 12:59:54.000000000 -0400 @@ -66,6 +66,13 @@ ##
gen_tunable(samba_share_nfs, false) @@ -19470,9 +19260,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow winbind_t smbcontrol_t:process signal; + +allow smbcontrol_t nmbd_var_run_t:file { read lock }; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.6.10/policy/modules/services/sasl.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.6.11/policy/modules/services/sasl.te --- nsaserefpolicy/policy/modules/services/sasl.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/sasl.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/sasl.te 2009-04-06 12:59:54.000000000 -0400 @@ -99,6 +99,7 @@ optional_policy(` @@ -19492,9 +19282,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(saslauthd_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.10/policy/modules/services/sendmail.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.11/policy/modules/services/sendmail.if --- nsaserefpolicy/policy/modules/services/sendmail.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/sendmail.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/sendmail.if 2009-04-06 12:59:54.000000000 -0400 @@ -149,3 +149,92 @@ logging_log_filetrans($1, sendmail_log_t, file) @@ -19588,9 +19378,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 sendmail_t:fifo_file rw_fifo_file_perms; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.10/policy/modules/services/sendmail.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.11/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/sendmail.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/sendmail.te 2009-04-06 12:59:54.000000000 -0400 @@ -20,13 +20,17 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -19758,18 +19548,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl }; -') dnl end TODO -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.6.10/policy/modules/services/setroubleshoot.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.6.11/policy/modules/services/setroubleshoot.fc --- nsaserefpolicy/policy/modules/services/setroubleshoot.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/setroubleshoot.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/setroubleshoot.fc 2009-04-06 12:59:54.000000000 -0400 @@ -1,3 +1,5 @@ +/etc/rc\.d/init\.d/setroubleshoot -- gen_context(system_u:object_r:setroubleshoot_initrc_exec_t,s0) + /usr/sbin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0) /var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.6.10/policy/modules/services/setroubleshoot.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.6.11/policy/modules/services/setroubleshoot.if --- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/setroubleshoot.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/setroubleshoot.if 2009-04-06 12:59:54.000000000 -0400 @@ -16,8 +16,8 @@ ') @@ -19852,9 +19642,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_list_pids($1) + admin_pattern($1, setroubleshoot_var_run_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.10/policy/modules/services/setroubleshoot.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.11/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/setroubleshoot.te 2009-04-03 10:25:52.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/setroubleshoot.te 2009-04-06 12:59:54.000000000 -0400 @@ -11,6 +11,9 @@ domain_type(setroubleshootd_t) init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) @@ -19942,9 +19732,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpm_read_db(setroubleshootd_t) rpm_dontaudit_manage_db(setroubleshootd_t) rpm_use_script_fds(setroubleshootd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.10/policy/modules/services/smartmon.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.11/policy/modules/services/smartmon.te --- nsaserefpolicy/policy/modules/services/smartmon.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/smartmon.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/smartmon.te 2009-04-06 12:59:54.000000000 -0400 @@ -19,6 +19,10 @@ type fsdaemon_tmp_t; files_tmp_file(fsdaemon_tmp_t) @@ -20002,9 +19792,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.6.10/policy/modules/services/snmp.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.6.11/policy/modules/services/snmp.fc --- nsaserefpolicy/policy/modules/services/snmp.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/snmp.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/snmp.fc 2009-04-06 12:59:54.000000000 -0400 @@ -20,5 +20,5 @@ /var/net-snmp(/.*) gen_context(system_u:object_r:snmpd_var_lib_t,s0) @@ -20012,9 +19802,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/var/run/snmpd -d gen_context(system_u:object_r:snmpd_var_run_t,s0) +/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.10/policy/modules/services/snmp.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.11/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/snmp.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/snmp.te 2009-04-06 12:59:54.000000000 -0400 @@ -71,6 +71,7 @@ corenet_tcp_bind_snmp_port(snmpd_t) corenet_udp_bind_snmp_port(snmpd_t) @@ -20023,9 +19813,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_list_sysfs(snmpd_t) dev_read_sysfs(snmpd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.6.10/policy/modules/services/snort.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.6.11/policy/modules/services/snort.te --- nsaserefpolicy/policy/modules/services/snort.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/snort.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/snort.te 2009-04-06 12:59:54.000000000 -0400 @@ -56,6 +56,7 @@ files_pid_filetrans(snort_t, snort_var_run_t, file) @@ -20056,9 +19846,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` seutil_sigchld_newrole(snort_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.10/policy/modules/services/spamassassin.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.11/policy/modules/services/spamassassin.fc --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2008-11-25 09:01:08.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/spamassassin.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/spamassassin.fc 2009-04-06 12:59:54.000000000 -0400 @@ -1,15 +1,24 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) @@ -20087,9 +19877,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) +/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) +/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.10/policy/modules/services/spamassassin.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.11/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/spamassassin.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/spamassassin.if 2009-04-06 12:59:54.000000000 -0400 @@ -111,6 +111,7 @@ ') @@ -20176,9 +19966,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_list_pids($1) + admin_pattern($1, spamd_var_run_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.10/policy/modules/services/spamassassin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.11/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/spamassassin.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/spamassassin.te 2009-04-06 12:59:54.000000000 -0400 @@ -20,6 +20,35 @@ ## gen_tunable(spamd_enable_home_dirs, true) @@ -20437,9 +20227,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.6.10/policy/modules/services/squid.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.6.11/policy/modules/services/squid.fc --- nsaserefpolicy/policy/modules/services/squid.fc 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/squid.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/squid.fc 2009-04-06 12:59:54.000000000 -0400 @@ -6,7 +6,11 @@ /usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0) /usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) @@ -20452,9 +20242,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + /var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0) /var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.6.10/policy/modules/services/squid.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.6.11/policy/modules/services/squid.if --- nsaserefpolicy/policy/modules/services/squid.if 2008-11-11 16:13:45.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/squid.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/squid.if 2009-04-06 12:59:54.000000000 -0400 @@ -21,6 +21,25 @@ ######################################## @@ -20481,9 +20271,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send generic signals to squid. ## ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.10/policy/modules/services/squid.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.11/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/squid.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/squid.te 2009-04-06 12:59:54.000000000 -0400 @@ -118,6 +118,9 @@ fs_getattr_all_fs(squid_t) @@ -20503,18 +20293,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -#squid requires the following when run in diskd mode, the recommended setting -allow squid_t tmpfs_t:file { read write }; -') dnl end TODO -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.6.10/policy/modules/services/ssh.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.6.11/policy/modules/services/ssh.fc --- nsaserefpolicy/policy/modules/services/ssh.fc 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/ssh.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/ssh.fc 2009-04-06 12:59:54.000000000 -0400 @@ -14,3 +14,5 @@ /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) /var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) + +/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.10/policy/modules/services/ssh.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.11/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/ssh.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/ssh.if 2009-04-06 12:59:54.000000000 -0400 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -20743,9 +20533,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + can_exec($1, ssh_agent_exec_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.10/policy/modules/services/ssh.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.11/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/ssh.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/ssh.te 2009-04-06 12:59:54.000000000 -0400 @@ -41,6 +41,9 @@ files_tmp_file(sshd_tmp_t) files_poly_parent(sshd_tmp_t) @@ -20913,9 +20703,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.10/policy/modules/services/sssd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.11/policy/modules/services/sssd.fc --- nsaserefpolicy/policy/modules/services/sssd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/sssd.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/sssd.fc 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,6 @@ + +/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0) @@ -20923,9 +20713,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/rc.d/init.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0) +/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) +/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.10/policy/modules/services/sssd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.11/policy/modules/services/sssd.if --- nsaserefpolicy/policy/modules/services/sssd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/sssd.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/sssd.if 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,249 @@ + +## policy for sssd @@ -21176,9 +20966,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.10/policy/modules/services/sssd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.11/policy/modules/services/sssd.te --- nsaserefpolicy/policy/modules/services/sssd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/sssd.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/sssd.te 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,68 @@ +policy_module(sssd,1.0.0) + @@ -21248,9 +21038,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dbus_system_bus_client(sssd_t) + dbus_connect_system_bus(sssd_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.if serefpolicy-3.6.10/policy/modules/services/tftp.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.if serefpolicy-3.6.11/policy/modules/services/tftp.if --- nsaserefpolicy/policy/modules/services/tftp.if 2008-11-11 16:13:45.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/tftp.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/tftp.if 2009-04-06 12:59:54.000000000 -0400 @@ -2,6 +2,24 @@ ######################################## @@ -21276,9 +21066,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate ## an tftp environment ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.6.10/policy/modules/services/tor.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.6.11/policy/modules/services/tor.te --- nsaserefpolicy/policy/modules/services/tor.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/tor.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/tor.te 2009-04-06 12:59:54.000000000 -0400 @@ -34,7 +34,7 @@ # tor local policy # @@ -21288,9 +21078,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow tor_t self:fifo_file rw_fifo_file_perms; allow tor_t self:unix_stream_socket create_stream_socket_perms; allow tor_t self:netlink_route_socket r_netlink_socket_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.fc serefpolicy-3.6.10/policy/modules/services/ulogd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.fc serefpolicy-3.6.11/policy/modules/services/ulogd.fc --- nsaserefpolicy/policy/modules/services/ulogd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/ulogd.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/ulogd.fc 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,10 @@ + +/etc/rc\.d/init\.d/ulogd -- gen_context(system_u:object_r:ulogd_initrc_exec_t,s0) @@ -21302,9 +21092,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/sbin/ulogd -- gen_context(system_u:object_r:ulogd_exec_t,s0) + +/var/log/ulogd(/.*)? gen_context(system_u:object_r:ulogd_var_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.if serefpolicy-3.6.10/policy/modules/services/ulogd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.if serefpolicy-3.6.11/policy/modules/services/ulogd.if --- nsaserefpolicy/policy/modules/services/ulogd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/ulogd.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/ulogd.if 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,127 @@ +## policy for ulogd + @@ -21433,9 +21223,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_search_usr($1) + admin_pattern($1, ulogd_modules_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.te serefpolicy-3.6.10/policy/modules/services/ulogd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.te serefpolicy-3.6.11/policy/modules/services/ulogd.te --- nsaserefpolicy/policy/modules/services/ulogd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/ulogd.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/ulogd.te 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,51 @@ +policy_module(ulogd,1.0.0) + @@ -21488,9 +21278,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +miscfiles_read_localization(ulogd_t) + +permissive ulogd_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.10/policy/modules/services/uucp.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.11/policy/modules/services/uucp.te --- nsaserefpolicy/policy/modules/services/uucp.te 2009-03-23 13:47:11.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/uucp.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/uucp.te 2009-04-06 12:59:54.000000000 -0400 @@ -129,6 +129,7 @@ optional_policy(` mta_send_mail(uux_t) @@ -21499,9 +21289,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.10/policy/modules/services/virt.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.11/policy/modules/services/virt.fc --- nsaserefpolicy/policy/modules/services/virt.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/virt.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/virt.fc 2009-04-06 12:59:54.000000000 -0400 @@ -8,5 +8,16 @@ /var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) @@ -21519,9 +21309,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0) + +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.10/policy/modules/services/virt.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.11/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/virt.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/virt.if 2009-04-06 12:59:54.000000000 -0400 @@ -2,28 +2,6 @@ ######################################## @@ -21670,10 +21460,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.10/policy/modules/services/virt.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.11/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/virt.te 2009-04-03 16:51:32.000000000 -0400 -@@ -8,20 +8,18 @@ ++++ serefpolicy-3.6.11/policy/modules/services/virt.te 2009-04-06 12:59:54.000000000 -0400 +@@ -8,19 +8,38 @@ ## ##

@@ -21686,17 +21476,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ##

-## Allow virt to manage cifs files ++## Allow svirt to manage nfs files ++##

++##
++gen_tunable(virt_use_nfs, false) ++ ++## ++##

+## Allow svirt to manage cifs files ##

##
gen_tunable(virt_use_samba, false) -attribute virt_image_type; -- ++## ++##

++## Allow svirt to manage nfs files ++##

++##
++gen_tunable(virt_use_nfs, false) ++ ++## ++##

++## Allow svirt to user serial/parallell communication ports ++##

++##
++gen_tunable(virt_use_comm, false) + type virt_etc_t; files_config_file(virt_etc_t) - -@@ -29,8 +27,12 @@ +@@ -29,8 +48,12 @@ files_type(virt_etc_rw_t) # virt Image files @@ -21711,7 +21520,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type virt_log_t; logging_log_file(virt_log_t) -@@ -48,17 +50,39 @@ +@@ -48,17 +71,39 @@ type virtd_initrc_exec_t; init_script_file(virtd_initrc_exec_t) @@ -21753,7 +21562,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -67,7 +91,11 @@ +@@ -67,7 +112,11 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) @@ -21766,7 +21575,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -86,6 +114,7 @@ +@@ -86,6 +135,7 @@ kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) kernel_load_module(virtd_t) @@ -21774,7 +21583,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -96,7 +125,7 @@ +@@ -96,7 +146,7 @@ corenet_tcp_sendrecv_generic_node(virtd_t) corenet_tcp_sendrecv_all_ports(virtd_t) corenet_tcp_bind_generic_node(virtd_t) @@ -21783,7 +21592,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_vnc_port(virtd_t) corenet_tcp_connect_vnc_port(virtd_t) corenet_tcp_connect_soundd_port(virtd_t) -@@ -104,21 +133,39 @@ +@@ -104,21 +154,39 @@ dev_read_sysfs(virtd_t) dev_read_rand(virtd_t) @@ -21824,7 +21633,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_getattr_pty_fs(virtd_t) term_use_ptmx(virtd_t) -@@ -129,6 +176,13 @@ +@@ -129,6 +197,13 @@ logging_send_syslog_msg(virtd_t) @@ -21838,7 +21647,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_read_all_users_state(virtd_t) tunable_policy(`virt_use_nfs',` -@@ -167,22 +221,34 @@ +@@ -167,22 +242,34 @@ dnsmasq_domtrans(virtd_t) dnsmasq_signal(virtd_t) dnsmasq_kill(virtd_t) @@ -21878,7 +21687,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -198,5 +264,73 @@ +@@ -198,5 +285,78 @@ ') optional_policy(` @@ -21932,6 +21741,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +corenet_udp_bind_all_ports(svirt_t) +corenet_tcp_bind_all_ports(svirt_t) + ++tunable_policy(`virt_use_comm',` ++ term_use_unallocated_ttys(svirt_t) ++ dev_rw_printer(svirt_t) ++') ++ +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(svirt_t) + fs_manage_nfs_files(svirt_t) @@ -21953,9 +21767,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + xen_rw_image_files(svirt_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.6.10/policy/modules/services/w3c.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.6.11/policy/modules/services/w3c.te --- nsaserefpolicy/policy/modules/services/w3c.te 2008-08-25 09:12:31.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/w3c.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/w3c.te 2009-04-06 12:59:54.000000000 -0400 @@ -8,11 +8,18 @@ apache_content_template(w3c_validator) @@ -21975,9 +21789,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t) corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t) corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.10/policy/modules/services/xserver.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.11/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/xserver.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/xserver.fc 2009-04-06 12:59:54.000000000 -0400 @@ -3,12 +3,16 @@ # HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) @@ -22045,9 +21859,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_suse',` /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.10/policy/modules/services/xserver.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.11/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/xserver.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/xserver.if 2009-04-06 12:59:54.000000000 -0400 @@ -90,7 +90,7 @@ allow $2 xauth_home_t:file manage_file_perms; allow $2 xauth_home_t:file { relabelfrom relabelto }; @@ -22694,9 +22508,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow xdm_t $1:dbus send_msg; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.10/policy/modules/services/xserver.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.11/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/xserver.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/xserver.te 2009-04-06 12:59:54.000000000 -0400 @@ -34,6 +34,13 @@ ## @@ -23408,9 +23222,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -# -allow xdm_t user_home_type:file unlink; -') dnl end TODO -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.if serefpolicy-3.6.10/policy/modules/services/zosremote.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.if serefpolicy-3.6.11/policy/modules/services/zosremote.if --- nsaserefpolicy/policy/modules/services/zosremote.if 2009-03-20 12:39:39.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/zosremote.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/zosremote.if 2009-04-06 12:59:54.000000000 -0400 @@ -12,7 +12,7 @@ # interface(`zosremote_domtrans',` @@ -23420,9 +23234,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') domtrans_pattern($1, zos_remote_exec_t, zos_remote_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.10/policy/modules/system/application.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.11/policy/modules/system/application.te --- nsaserefpolicy/policy/modules/system/application.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/system/application.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/application.te 2009-04-06 12:59:54.000000000 -0400 @@ -7,8 +7,18 @@ # Executables to be run by user attribute application_exec_type; @@ -23442,9 +23256,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + sudo_sigchld(application_domain_type) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.6.10/policy/modules/system/authlogin.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.6.11/policy/modules/system/authlogin.fc --- nsaserefpolicy/policy/modules/system/authlogin.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/system/authlogin.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/authlogin.fc 2009-04-06 12:59:54.000000000 -0400 @@ -7,12 +7,10 @@ /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) @@ -23471,9 +23285,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) + +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.10/policy/modules/system/authlogin.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.11/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/authlogin.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/authlogin.if 2009-04-06 12:59:54.000000000 -0400 @@ -43,20 +43,38 @@ interface(`auth_login_pgm_domain',` gen_require(` @@ -23810,9 +23624,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_var_filetrans($1,auth_cache_t,{ file dir } ) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.10/policy/modules/system/authlogin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.11/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/authlogin.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/authlogin.te 2009-04-06 12:59:54.000000000 -0400 @@ -12,7 +12,7 @@ type chkpwd_t, can_read_shadow_passwords; @@ -23892,9 +23706,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_urand(pam_console_t) mls_file_read_all_levels(pam_console_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.10/policy/modules/system/fstools.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.11/policy/modules/system/fstools.fc --- nsaserefpolicy/policy/modules/system/fstools.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/system/fstools.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/fstools.fc 2009-04-06 12:59:54.000000000 -0400 @@ -1,4 +1,3 @@ -/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) @@ -23908,9 +23722,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.6.10/policy/modules/system/fstools.te ---- nsaserefpolicy/policy/modules/system/fstools.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/fstools.te 2009-03-30 10:09:41.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.6.11/policy/modules/system/fstools.te +--- nsaserefpolicy/policy/modules/system/fstools.te 2009-04-06 12:42:08.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/fstools.te 2009-04-06 12:59:54.000000000 -0400 @@ -97,6 +97,10 @@ fs_getattr_tmpfs_dirs(fsadm_t) fs_read_tmpfs_symlinks(fsadm_t) @@ -23930,21 +23744,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -userdom_use_unpriv_users_fds(fsadm_t) +term_use_all_terms(fsadm_t) - tunable_policy(`read_default_t',` - files_list_default(fsadm_t) -@@ -182,4 +185,9 @@ + ifdef(`distro_redhat',` + optional_policy(` +@@ -188,4 +191,6 @@ optional_policy(` xen_append_log(fsadm_t) + xen_rw_image_files(fsadm_t) -+') -+ -+optional_policy(` -+ unconfined_domain(fsadm_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.6.10/policy/modules/system/hostname.te ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.6.11/policy/modules/system/hostname.te --- nsaserefpolicy/policy/modules/system/hostname.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/hostname.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/hostname.te 2009-04-06 12:59:54.000000000 -0400 @@ -8,7 +8,9 @@ type hostname_t; @@ -23956,9 +23767,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol role system_r types hostname_t; ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.10/policy/modules/system/init.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.11/policy/modules/system/init.fc --- nsaserefpolicy/policy/modules/system/init.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/init.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/init.fc 2009-04-06 12:59:54.000000000 -0400 @@ -4,8 +4,7 @@ /etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) @@ -23978,9 +23789,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /var # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.10/policy/modules/system/init.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.11/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/init.if 2009-04-01 15:00:12.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/init.if 2009-04-06 12:59:54.000000000 -0400 @@ -280,6 +280,28 @@ kernel_dontaudit_use_fds($1) ') @@ -24169,9 +23980,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 init_t:unix_dgram_socket sendto; + allow init_t $1:unix_dgram_socket sendto; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.10/policy/modules/system/init.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.11/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/init.te 2009-04-01 15:00:25.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/init.te 2009-04-06 12:59:54.000000000 -0400 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart,false) @@ -24474,93 +24285,31 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_dontaudit_rw_cifs_files(daemon) + ') +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.6.10/policy/modules/system/ipsec.fc ---- nsaserefpolicy/policy/modules/system/ipsec.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/system/ipsec.fc 2009-03-30 10:09:41.000000000 -0400 -@@ -16,6 +16,8 @@ - /usr/lib(64)?/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) - /usr/lib(64)?/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) - -+/usr/libexec/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) -+/usr/libexec/ipsec/_plutorun -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) - /usr/libexec/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0) - /usr/libexec/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) - /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) -@@ -26,6 +28,7 @@ - /usr/local/lib(64)?/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) - /usr/local/lib(64)?/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) - -+/usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) - /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0) - /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.10/policy/modules/system/ipsec.te ---- nsaserefpolicy/policy/modules/system/ipsec.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/ipsec.te 2009-03-30 10:09:41.000000000 -0400 -@@ -55,11 +55,12 @@ - - allow ipsec_t self:capability { net_admin dac_override dac_read_search }; - dontaudit ipsec_t self:capability sys_tty_config; --allow ipsec_t self:process signal; --allow ipsec_t self:netlink_route_socket r_netlink_socket_perms; -+allow ipsec_t self:process { signal setsched }; - allow ipsec_t self:tcp_socket create_stream_socket_perms; --allow ipsec_t self:key_socket { create write read setopt }; --allow ipsec_t self:fifo_file read_file_perms; -+allow ipsec_t self:udp_socket create_socket_perms; -+allow ipsec_t self:key_socket create_socket_perms; -+allow ipsec_t self:fifo_file read_fifo_file_perms; -+allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write }; - - allow ipsec_t ipsec_conf_file_t:dir list_dir_perms; - read_files_pattern(ipsec_t,ipsec_conf_file_t,ipsec_conf_file_t) -@@ -104,6 +105,11 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.11/policy/modules/system/ipsec.te +--- nsaserefpolicy/policy/modules/system/ipsec.te 2009-04-06 12:42:08.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/ipsec.te 2009-04-06 12:59:54.000000000 -0400 +@@ -1,5 +1,5 @@ + +-policy_module(ipsec, 1.9.1) ++policy_module(ipsec, 1.9.0) + + ######################################## + # +@@ -103,11 +103,13 @@ + corenet_raw_sendrecv_all_nodes(ipsec_t) + corenet_tcp_sendrecv_all_ports(ipsec_t) corenet_tcp_bind_all_nodes(ipsec_t) +-corenet_udp_bind_all_nodes(ipsec_t) corenet_tcp_bind_reserved_port(ipsec_t) corenet_tcp_bind_isakmp_port(ipsec_t) + +corenet_udp_bind_all_nodes(ipsec_t) -+corenet_udp_bind_isakmp_port(ipsec_t) -+corenet_udp_bind_ipsecnat_port(ipsec_t) + corenet_udp_bind_isakmp_port(ipsec_t) + corenet_udp_bind_ipsecnat_port(ipsec_t) + corenet_sendrecv_generic_server_packets(ipsec_t) corenet_sendrecv_isakmp_server_packets(ipsec_t) -@@ -127,20 +133,16 @@ - init_use_fds(ipsec_t) - init_use_script_ptys(ipsec_t) - -+auth_use_nsswitch(ipsec_t) -+ - logging_send_syslog_msg(ipsec_t) - - miscfiles_read_localization(ipsec_t) - --sysnet_read_config(ipsec_t) -- - userdom_dontaudit_use_unpriv_user_fds(ipsec_t) - userdom_dontaudit_search_user_home_dirs(ipsec_t) - - optional_policy(` -- nis_use_ypbind(ipsec_t) --') -- --optional_policy(` - seutil_sigchld_newrole(ipsec_t) - ') - -@@ -156,9 +158,9 @@ - allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search }; - allow ipsec_mgmt_t self:process { signal setrlimit }; - allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; --allow ipsec_mgmt_t self:tcp_socket create_socket_perms; -+allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; - allow ipsec_mgmt_t self:udp_socket create_socket_perms; --allow ipsec_mgmt_t self:key_socket { create setopt }; -+allow ipsec_mgmt_t self:key_socket create_socket_perms; - allow ipsec_mgmt_t self:fifo_file rw_file_perms; - - allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; @@ -167,6 +169,8 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t,file) @@ -24570,24 +24319,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t) manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t) -@@ -222,6 +226,7 @@ - # the ipsec wrapper wants to run /usr/bin/logger (should we put - # it in its own domain?) - corecmd_exec_bin(ipsec_mgmt_t) -+corecmd_exec_shell(ipsec_mgmt_t) - - domain_use_interactive_fds(ipsec_mgmt_t) - # denials when ps tries to search /proc. Do not audit these denials. -@@ -276,7 +281,7 @@ - allow racoon_t self:unix_dgram_socket { connect create ioctl write }; - allow racoon_t self:netlink_selinux_socket { bind create read }; - allow racoon_t self:udp_socket create_socket_perms; --allow racoon_t self:key_socket { create read setopt write }; -+allow racoon_t self:key_socket create_socket_perms; - - # manage pid file - manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t) -@@ -298,6 +303,7 @@ +@@ -242,8 +246,6 @@ + init_exec_script_files(ipsec_mgmt_t) + init_use_fds(ipsec_mgmt_t) + +-logging_send_syslog_msg(ipsec_mgmt_t) +- + miscfiles_read_localization(ipsec_mgmt_t) + + modutils_domtrans_insmod(ipsec_mgmt_t) +@@ -298,13 +300,10 @@ + kernel_read_network_state(racoon_t) + + corenet_all_recvfrom_unlabeled(racoon_t) +-corenet_tcp_sendrecv_all_if(racoon_t) +-corenet_udp_sendrecv_all_if(racoon_t) +-corenet_tcp_sendrecv_all_nodes(racoon_t) +-corenet_udp_sendrecv_all_nodes(racoon_t) corenet_tcp_bind_all_nodes(racoon_t) corenet_udp_bind_all_nodes(racoon_t) corenet_udp_bind_isakmp_port(racoon_t) @@ -24595,50 +24343,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_udp_bind_ipsecnat_port(racoon_t) dev_read_urand(racoon_t) -@@ -312,6 +318,8 @@ - - ipsec_setcontext_default_spd(racoon_t) - -+auth_use_nsswitch(racoon_t) -+ - locallogin_use_fds(racoon_t) - - logging_send_syslog_msg(racoon_t) -@@ -325,7 +333,7 @@ - # - - allow setkey_t self:capability net_admin; --allow setkey_t self:key_socket { create read setopt write }; -+allow setkey_t self:key_socket create_socket_perms; - allow setkey_t self:netlink_route_socket create_netlink_socket_perms; - - allow setkey_t ipsec_conf_file_t:dir list_dir_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.10/policy/modules/system/iptables.fc ---- nsaserefpolicy/policy/modules/system/iptables.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/system/iptables.fc 2009-03-30 10:09:41.000000000 -0400 -@@ -6,3 +6,4 @@ - /usr/sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/iptables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) -+/var/lib/shorewall(/.*)? -- gen_context(system_u:object_r:iptables_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.10/policy/modules/system/iptables.te ---- nsaserefpolicy/policy/modules/system/iptables.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/iptables.te 2009-03-30 10:09:41.000000000 -0400 -@@ -22,12 +22,12 @@ - # Iptables local policy - # - --allow iptables_t self:capability { net_admin net_raw }; -+allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw }; - dontaudit iptables_t self:capability sys_tty_config; - allow iptables_t self:process { sigchld sigkill sigstop signull signal }; - allow iptables_t self:rawip_socket create_socket_perms; - --allow iptables_t iptables_var_run_t:dir rw_dir_perms; -+manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t) - files_pid_filetrans(iptables_t,iptables_var_run_t,file) - - can_exec(iptables_t,iptables_exec_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.11/policy/modules/system/iptables.te +--- nsaserefpolicy/policy/modules/system/iptables.te 2009-04-06 12:42:08.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/iptables.te 2009-04-06 12:59:54.000000000 -0400 @@ -53,6 +53,7 @@ mls_file_read_all_levels(iptables_t) @@ -24647,9 +24354,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(iptables_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.10/policy/modules/system/iscsi.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.11/policy/modules/system/iscsi.te --- nsaserefpolicy/policy/modules/system/iscsi.te 2009-03-20 12:39:39.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/system/iscsi.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/iscsi.te 2009-04-06 12:59:54.000000000 -0400 @@ -55,6 +55,7 @@ files_pid_filetrans(iscsid_t,iscsi_var_run_t,file) @@ -24667,9 +24374,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -sysnet_dns_name_resolve(iscsid_t) +miscfiles_read_localization(iscsid_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.10/policy/modules/system/libraries.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.11/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/libraries.fc 2009-03-30 12:04:51.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/libraries.fc 2009-04-06 12:59:54.000000000 -0400 @@ -60,12 +60,15 @@ # # /opt @@ -24864,9 +24571,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/ICAClient/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.10/policy/modules/system/libraries.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.11/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/libraries.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/libraries.te 2009-04-06 12:59:54.000000000 -0400 @@ -52,11 +52,11 @@ # ldconfig local policy # @@ -24923,9 +24630,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + unconfined_domain(ldconfig_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.10/policy/modules/system/locallogin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.11/policy/modules/system/locallogin.te --- nsaserefpolicy/policy/modules/system/locallogin.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/locallogin.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/locallogin.te 2009-04-06 12:59:54.000000000 -0400 @@ -67,6 +67,7 @@ dev_setattr_power_mgmt_dev(local_login_t) dev_getattr_sound_dev(local_login_t) @@ -25000,9 +24707,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -optional_policy(` - nscd_socket_use(sulogin_t) -') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.10/policy/modules/system/logging.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.11/policy/modules/system/logging.fc --- nsaserefpolicy/policy/modules/system/logging.fc 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/system/logging.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/logging.fc 2009-04-06 12:59:54.000000000 -0400 @@ -53,15 +53,18 @@ /var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0) ') @@ -25026,9 +24733,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.10/policy/modules/system/logging.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.11/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/logging.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/logging.if 2009-04-06 12:59:54.000000000 -0400 @@ -623,7 +623,7 @@ ') @@ -25047,9 +24754,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.10/policy/modules/system/logging.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.11/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/logging.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/logging.te 2009-04-06 12:59:54.000000000 -0400 @@ -126,7 +126,7 @@ allow auditd_t self:process { signal_perms setpgid setsched }; allow auditd_t self:file rw_file_perms; @@ -25142,9 +24849,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.6.10/policy/modules/system/lvm.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.6.11/policy/modules/system/lvm.fc --- nsaserefpolicy/policy/modules/system/lvm.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/system/lvm.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/lvm.fc 2009-04-06 12:59:54.000000000 -0400 @@ -55,6 +55,7 @@ /sbin/lvs -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvscan -- gen_context(system_u:object_r:lvm_exec_t,s0) @@ -25158,9 +24865,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0) /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0) +/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.10/policy/modules/system/lvm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.11/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/lvm.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/lvm.te 2009-04-06 12:59:54.000000000 -0400 @@ -10,6 +10,9 @@ type clvmd_exec_t; init_daemon_domain(clvmd_t,clvmd_exec_t) @@ -25367,9 +25074,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xen_append_log(lvm_t) + xen_dontaudit_rw_unix_stream_sockets(lvm_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.10/policy/modules/system/modutils.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.11/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/modutils.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/modutils.te 2009-04-06 12:59:54.000000000 -0400 @@ -42,7 +42,7 @@ # insmod local policy # @@ -25482,9 +25189,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ################################# -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.6.10/policy/modules/system/mount.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.6.11/policy/modules/system/mount.fc --- nsaserefpolicy/policy/modules/system/mount.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/system/mount.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/mount.fc 2009-04-06 12:59:54.000000000 -0400 @@ -1,4 +1,9 @@ /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) @@ -25496,9 +25203,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.10/policy/modules/system/mount.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.11/policy/modules/system/mount.if --- nsaserefpolicy/policy/modules/system/mount.if 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/mount.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/mount.if 2009-04-06 12:59:54.000000000 -0400 @@ -43,9 +43,11 @@ mount_domtrans($1) @@ -25534,9 +25241,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 mount_t:process signal; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.10/policy/modules/system/mount.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.11/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/mount.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/mount.te 2009-04-06 12:59:54.000000000 -0400 @@ -18,17 +18,21 @@ init_system_domain(mount_t,mount_exec_t) role system_r types mount_t; @@ -25765,9 +25472,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + hal_rw_pipes(mount_t) ') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.6.10/policy/modules/system/raid.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.6.11/policy/modules/system/raid.te --- nsaserefpolicy/policy/modules/system/raid.te 2009-03-20 12:39:39.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/system/raid.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/raid.te 2009-04-06 12:59:54.000000000 -0400 @@ -49,6 +49,9 @@ storage_dev_filetrans_fixed_disk(mdadm_t) storage_read_scsi_generic(mdadm_t) @@ -25778,9 +25485,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_dontaudit_list_ptys(mdadm_t) # Helper program access -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.6.10/policy/modules/system/selinuxutil.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.6.11/policy/modules/system/selinuxutil.fc --- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/system/selinuxutil.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/selinuxutil.fc 2009-04-06 12:59:54.000000000 -0400 @@ -6,13 +6,13 @@ /etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0) /etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0) @@ -25819,9 +25526,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.10/policy/modules/system/selinuxutil.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.11/policy/modules/system/selinuxutil.if --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/selinuxutil.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/selinuxutil.if 2009-04-06 12:59:54.000000000 -0400 @@ -535,6 +535,53 @@ ######################################## @@ -26210,9 +25917,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + hotplug_use_fds($1) +') +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.10/policy/modules/system/selinuxutil.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.11/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/selinuxutil.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/selinuxutil.te 2009-04-06 12:59:54.000000000 -0400 @@ -23,6 +23,9 @@ type selinux_config_t; files_type(selinux_config_t) @@ -26584,9 +26291,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - hotplug_use_fds(setfiles_t) + unconfined_domain(setfiles_mac_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.6.10/policy/modules/system/setrans.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.6.11/policy/modules/system/setrans.if --- nsaserefpolicy/policy/modules/system/setrans.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/system/setrans.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/setrans.if 2009-04-06 12:59:54.000000000 -0400 @@ -21,3 +21,23 @@ stream_connect_pattern($1,setrans_var_run_t,setrans_var_run_t,setrans_t) files_list_pids($1) @@ -26611,9 +26318,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + init_labeled_script_domtrans($1, setrans_initrc_exec_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.6.10/policy/modules/system/sysnetwork.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.6.11/policy/modules/system/sysnetwork.fc --- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/system/sysnetwork.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/sysnetwork.fc 2009-04-06 12:59:54.000000000 -0400 @@ -11,8 +11,12 @@ /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0) @@ -26642,9 +26349,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') + +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.10/policy/modules/system/sysnetwork.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.11/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/sysnetwork.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/sysnetwork.if 2009-04-06 12:59:54.000000000 -0400 @@ -43,6 +43,39 @@ sysnet_domtrans_dhcpc($1) @@ -26813,9 +26520,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + role_transition $1 dhcpc_exec_t system_r; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.10/policy/modules/system/sysnetwork.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.11/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/sysnetwork.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/sysnetwork.te 2009-04-06 12:59:54.000000000 -0400 @@ -20,6 +20,9 @@ init_daemon_domain(dhcpc_t,dhcpc_exec_t) role system_r types dhcpc_t; @@ -26999,9 +26706,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_xen_state(ifconfig_t) kernel_write_xen_state(ifconfig_t) xen_append_log(ifconfig_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.6.10/policy/modules/system/udev.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.6.11/policy/modules/system/udev.if --- nsaserefpolicy/policy/modules/system/udev.if 2009-03-20 12:39:40.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/system/udev.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/udev.if 2009-04-06 12:59:54.000000000 -0400 @@ -20,6 +20,24 @@ ######################################## @@ -27027,9 +26734,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute a udev helper in the udev domain. ## ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.10/policy/modules/system/udev.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.11/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2009-03-20 12:39:39.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/system/udev.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/udev.te 2009-04-06 12:59:54.000000000 -0400 @@ -206,6 +206,10 @@ ') @@ -27062,9 +26769,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` xserver_read_xdm_pid(udev_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.6.10/policy/modules/system/unconfined.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.6.11/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-09-11 16:42:49.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/system/unconfined.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/unconfined.fc 2009-04-06 12:59:54.000000000 -0400 @@ -2,15 +2,28 @@ # e.g.: # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) @@ -27103,9 +26810,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:execmem_exec_t,s0) + +/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.10/policy/modules/system/unconfined.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.11/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/unconfined.if 2009-04-03 10:28:13.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/unconfined.if 2009-04-06 12:59:54.000000000 -0400 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -27383,9 +27090,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 unconfined_r; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.10/policy/modules/system/unconfined.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.11/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/unconfined.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/unconfined.te 2009-04-06 12:59:54.000000000 -0400 @@ -5,6 +5,35 @@ # # Declarations @@ -27748,9 +27455,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.10/policy/modules/system/userdomain.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.11/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/userdomain.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/userdomain.fc 2009-04-06 12:59:54.000000000 -0400 @@ -1,4 +1,7 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) @@ -27760,9 +27467,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) +/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0) +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.10/policy/modules/system/userdomain.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.11/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/userdomain.if 2009-04-06 08:22:27.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/userdomain.if 2009-04-06 12:59:54.000000000 -0400 @@ -30,8 +30,9 @@ ') @@ -29642,9 +29349,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dontaudit $1 userdomain:unix_stream_socket rw_socket_perms; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.10/policy/modules/system/userdomain.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.11/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/userdomain.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/userdomain.te 2009-04-06 12:59:54.000000000 -0400 @@ -8,13 +8,6 @@ ## @@ -29728,14 +29435,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_read_cifs_named_sockets(userhomereader) + fs_read_cifs_named_pipes(userhomereader) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.fc serefpolicy-3.6.10/policy/modules/system/virtual.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.fc serefpolicy-3.6.11/policy/modules/system/virtual.fc --- nsaserefpolicy/policy/modules/system/virtual.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/virtual.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/virtual.fc 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1 @@ +# No application file contexts. -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.if serefpolicy-3.6.10/policy/modules/system/virtual.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.if serefpolicy-3.6.11/policy/modules/system/virtual.if --- nsaserefpolicy/policy/modules/system/virtual.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/virtual.if 2009-04-03 16:50:58.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/virtual.if 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,114 @@ +## Virtual machine emulator and virtualizer + @@ -29851,9 +29558,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 virtualdomain:process { setsched transition signal signull sigkill }; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.10/policy/modules/system/virtual.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.11/policy/modules/system/virtual.te --- nsaserefpolicy/policy/modules/system/virtual.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/virtual.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/virtual.te 2009-04-06 12:59:54.000000000 -0400 @@ -0,0 +1,80 @@ + +policy_module(virtualization, 1.1.2) @@ -29935,9 +29642,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_read_xdm_pid(virtualdomain) + xserver_rw_shm(virtualdomain) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.6.10/policy/modules/system/xen.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.6.11/policy/modules/system/xen.fc --- nsaserefpolicy/policy/modules/system/xen.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/xen.fc 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/xen.fc 2009-04-06 12:59:54.000000000 -0400 @@ -1,32 +1,31 @@ /dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0) @@ -29977,9 +29684,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0) /var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.6.10/policy/modules/system/xen.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.6.11/policy/modules/system/xen.if --- nsaserefpolicy/policy/modules/system/xen.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/xen.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/xen.if 2009-04-06 12:59:54.000000000 -0400 @@ -167,11 +167,14 @@ # interface(`xen_stream_connect',` @@ -30043,9 +29750,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_search_pids($1) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.10/policy/modules/system/xen.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.11/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/xen.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/xen.te 2009-04-06 12:59:54.000000000 -0400 @@ -6,6 +6,13 @@ # Declarations # @@ -30315,9 +30022,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +libs_use_ld_so(evtchnd_t) +libs_use_shared_libs(evtchnd_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/ipc_patterns.spt serefpolicy-3.6.10/policy/support/ipc_patterns.spt +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/ipc_patterns.spt serefpolicy-3.6.11/policy/support/ipc_patterns.spt --- nsaserefpolicy/policy/support/ipc_patterns.spt 2009-03-12 11:16:47.000000000 -0400 -+++ serefpolicy-3.6.10/policy/support/ipc_patterns.spt 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/support/ipc_patterns.spt 2009-04-06 12:59:54.000000000 -0400 @@ -3,12 +3,12 @@ # define(`stream_connect_pattern',` @@ -30333,9 +30040,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 $3:sock_file { getattr write }; allow $1 $4:unix_dgram_socket sendto; ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.10/policy/support/obj_perm_sets.spt +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.11/policy/support/obj_perm_sets.spt --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2009-03-12 11:16:47.000000000 -0400 -+++ serefpolicy-3.6.10/policy/support/obj_perm_sets.spt 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/support/obj_perm_sets.spt 2009-04-06 12:59:54.000000000 -0400 @@ -225,7 +225,7 @@ define(`create_lnk_file_perms',`{ create getattr }') define(`rename_lnk_file_perms',`{ getattr rename }') @@ -30359,9 +30066,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ') + +define(`manage_key_perms', `{ create link read search setattr view write } ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.10/policy/users +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.11/policy/users --- nsaserefpolicy/policy/users 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.6.10/policy/users 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/policy/users 2009-04-06 12:59:54.000000000 -0400 @@ -25,11 +25,8 @@ # permit any access to such users, then remove this entry. # @@ -30386,9 +30093,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) -') +gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.6.10/Rules.modular +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.6.11/Rules.modular --- nsaserefpolicy/Rules.modular 2008-11-11 16:13:50.000000000 -0500 -+++ serefpolicy-3.6.10/Rules.modular 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/Rules.modular 2009-04-06 12:59:54.000000000 -0400 @@ -73,8 +73,8 @@ $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te @echo "Compliling $(NAME) $(@F) module" @@ -30418,9 +30125,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rul $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.6.10/support/Makefile.devel +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.6.11/support/Makefile.devel --- nsaserefpolicy/support/Makefile.devel 2008-11-11 16:13:50.000000000 -0500 -+++ serefpolicy-3.6.10/support/Makefile.devel 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.11/support/Makefile.devel 2009-04-06 12:59:54.000000000 -0400 @@ -185,8 +185,7 @@ tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te @$(EINFO) "Compiling $(NAME) $(basename $(@F)) module" diff --git a/selinux-policy.spec b/selinux-policy.spec index 1803475..f9f3360 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,8 +19,8 @@ %define CHECKPOLICYVER 2.0.16-3 Summary: SELinux policy configuration Name: selinux-policy -Version: 3.6.10 -Release: 9%{?dist} +Version: 3.6.11 +Release: 1%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -187,7 +187,7 @@ fi; %description SELinux Reference Policy - modular. -Based off of reference policy: Checked out revision 2936. +Based off of reference policy: Checked out revision 2943. %build @@ -444,6 +444,10 @@ exit 0 %endif %changelog +* Mon Apr 6 2009 Dan Walsh 3.6.11-1 +- Dontaudit binds to ports < 1024 for named +- Upgrade to latest upstream + * Fri Apr 3 2009 Dan Walsh 3.6.10-9 - Allow podsleuth to use tmpfs files