diff --git a/policy-F12.patch b/policy-F12.patch
index 16cfcc8..95fdb51 100644
--- a/policy-F12.patch
+++ b/policy-F12.patch
@@ -1,6 +1,6 @@
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.6.24/config/appconfig-mcs/default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.6.25/config/appconfig-mcs/default_contexts
--- nsaserefpolicy/config/appconfig-mcs/default_contexts 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/config/appconfig-mcs/default_contexts 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/config/appconfig-mcs/default_contexts 2009-07-29 21:34:35.000000000 -0400
@@ -1,15 +1,6 @@
-system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
-system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
@@ -22,15 +22,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
-user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
+system_r:xdm_t:s0 user_r:user_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.6.24/config/appconfig-mcs/failsafe_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.6.25/config/appconfig-mcs/failsafe_context
--- nsaserefpolicy/config/appconfig-mcs/failsafe_context 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/config/appconfig-mcs/failsafe_context 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/config/appconfig-mcs/failsafe_context 2009-07-29 21:34:35.000000000 -0400
@@ -1 +1 @@
-sysadm_r:sysadm_t:s0
+system_r:unconfined_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.6.24/config/appconfig-mcs/root_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.6.25/config/appconfig-mcs/root_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/root_default_contexts 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/config/appconfig-mcs/root_default_contexts 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/config/appconfig-mcs/root_default_contexts 2009-07-29 21:34:35.000000000 -0400
@@ -1,11 +1,7 @@
-system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
@@ -45,9 +45,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
#
-#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/securetty_types serefpolicy-3.6.24/config/appconfig-mcs/securetty_types
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/securetty_types serefpolicy-3.6.25/config/appconfig-mcs/securetty_types
--- nsaserefpolicy/config/appconfig-mcs/securetty_types 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/config/appconfig-mcs/securetty_types 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/config/appconfig-mcs/securetty_types 2009-07-29 21:34:35.000000000 -0400
@@ -1 +1,6 @@
+auditadm_tty_device_t
+secadm_tty_device_t
@@ -55,18 +55,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
+sysadm_tty_device_t
+unconfined_tty_device_t
user_tty_device_t
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.6.24/config/appconfig-mcs/seusers
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.6.25/config/appconfig-mcs/seusers
--- nsaserefpolicy/config/appconfig-mcs/seusers 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/config/appconfig-mcs/seusers 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/config/appconfig-mcs/seusers 2009-07-29 21:34:35.000000000 -0400
@@ -1,3 +1,3 @@
system_u:system_u:s0-mcs_systemhigh
-root:root:s0-mcs_systemhigh
-__default__:user_u:s0
+root:unconfined_u:s0-mcs_systemhigh
+__default__:unconfined_u:s0-mcs_systemhigh
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.6.24/config/appconfig-mcs/staff_u_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.6.25/config/appconfig-mcs/staff_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/config/appconfig-mcs/staff_u_default_contexts 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/config/appconfig-mcs/staff_u_default_contexts 2009-07-29 21:34:35.000000000 -0400
@@ -1,10 +1,12 @@
system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:remote_login_t:s0 staff_r:staff_t:s0
@@ -81,9 +81,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.6.24/config/appconfig-mcs/unconfined_u_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.6.25/config/appconfig-mcs/unconfined_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/config/appconfig-mcs/unconfined_u_default_contexts 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/config/appconfig-mcs/unconfined_u_default_contexts 2009-07-29 21:34:35.000000000 -0400
@@ -1,4 +1,4 @@
-system_r:crond_t:s0 unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0
@@ -97,15 +97,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
+system_r:initrc_su_t:s0 unconfined_r:unconfined_t:s0
+unconfined_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
system_r:xdm_t:s0 unconfined_r:unconfined_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.6.24/config/appconfig-mcs/userhelper_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.6.25/config/appconfig-mcs/userhelper_context
--- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/config/appconfig-mcs/userhelper_context 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/config/appconfig-mcs/userhelper_context 2009-07-29 21:34:35.000000000 -0400
@@ -1 +1 @@
-system_u:sysadm_r:sysadm_t:s0
+system_u:system_r:unconfined_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.6.24/config/appconfig-mcs/user_u_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.6.25/config/appconfig-mcs/user_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/config/appconfig-mcs/user_u_default_contexts 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/config/appconfig-mcs/user_u_default_contexts 2009-07-29 21:34:35.000000000 -0400
@@ -1,8 +1,9 @@
system_r:local_login_t:s0 user_r:user_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
@@ -118,20 +118,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
-
+system_r:initrc_su_t:s0 user_r:user_t:s0
+user_r:user_t:s0 user_r:user_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_domain_context serefpolicy-3.6.24/config/appconfig-mcs/virtual_domain_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_domain_context serefpolicy-3.6.25/config/appconfig-mcs/virtual_domain_context
--- nsaserefpolicy/config/appconfig-mcs/virtual_domain_context 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/config/appconfig-mcs/virtual_domain_context 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/config/appconfig-mcs/virtual_domain_context 2009-07-29 21:34:35.000000000 -0400
@@ -0,0 +1 @@
+system_u:system_r:svirt_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_image_context serefpolicy-3.6.24/config/appconfig-mcs/virtual_image_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_image_context serefpolicy-3.6.25/config/appconfig-mcs/virtual_image_context
--- nsaserefpolicy/config/appconfig-mcs/virtual_image_context 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/config/appconfig-mcs/virtual_image_context 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/config/appconfig-mcs/virtual_image_context 2009-07-29 21:34:35.000000000 -0400
@@ -0,0 +1,2 @@
+system_u:object_r:svirt_image_t:s0
+system_u:object_r:virt_content_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.6.24/config/appconfig-mls/default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.6.25/config/appconfig-mls/default_contexts
--- nsaserefpolicy/config/appconfig-mls/default_contexts 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/config/appconfig-mls/default_contexts 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/config/appconfig-mls/default_contexts 2009-07-29 21:34:35.000000000 -0400
@@ -1,15 +1,6 @@
-system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
-system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
@@ -153,9 +153,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
-user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
+system_r:xdm_t:s0 user_r:user_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/root_default_contexts serefpolicy-3.6.24/config/appconfig-mls/root_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/root_default_contexts serefpolicy-3.6.25/config/appconfig-mls/root_default_contexts
--- nsaserefpolicy/config/appconfig-mls/root_default_contexts 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/config/appconfig-mls/root_default_contexts 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/config/appconfig-mls/root_default_contexts 2009-07-29 21:34:35.000000000 -0400
@@ -1,11 +1,11 @@
-system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
-system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
@@ -174,20 +174,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
#
-#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_domain_context serefpolicy-3.6.24/config/appconfig-mls/virtual_domain_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_domain_context serefpolicy-3.6.25/config/appconfig-mls/virtual_domain_context
--- nsaserefpolicy/config/appconfig-mls/virtual_domain_context 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/config/appconfig-mls/virtual_domain_context 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/config/appconfig-mls/virtual_domain_context 2009-07-29 21:34:35.000000000 -0400
@@ -0,0 +1 @@
+system_u:system_r:qemu_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_image_context serefpolicy-3.6.24/config/appconfig-mls/virtual_image_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_image_context serefpolicy-3.6.25/config/appconfig-mls/virtual_image_context
--- nsaserefpolicy/config/appconfig-mls/virtual_image_context 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/config/appconfig-mls/virtual_image_context 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/config/appconfig-mls/virtual_image_context 2009-07-29 21:34:35.000000000 -0400
@@ -0,0 +1,2 @@
+system_u:object_r:virt_image_t:s0
+system_u:object_r:virt_content_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/securetty_types serefpolicy-3.6.24/config/appconfig-standard/securetty_types
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/securetty_types serefpolicy-3.6.25/config/appconfig-standard/securetty_types
--- nsaserefpolicy/config/appconfig-standard/securetty_types 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/config/appconfig-standard/securetty_types 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/config/appconfig-standard/securetty_types 2009-07-29 21:34:35.000000000 -0400
@@ -1 +1,6 @@
+auditadm_tty_device_t
+secadm_tty_device_t
@@ -195,9 +195,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
+sysadm_tty_device_t
+unconfined_tty_device_t
user_tty_device_t
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.6.24/Makefile
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.6.25/Makefile
--- nsaserefpolicy/Makefile 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/Makefile 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/Makefile 2009-07-29 21:34:35.000000000 -0400
@@ -241,7 +241,7 @@
appdir := $(contextpath)
user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
@@ -260,9 +260,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Mak
$(appdir)/%: $(appconf)/%
@mkdir -p $(appdir)
$(verbose) $(INSTALL) -m 644 $< $@
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.24/policy/global_tunables
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.25/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/global_tunables 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/global_tunables 2009-07-29 21:34:35.000000000 -0400
@@ -61,15 +61,6 @@
## <desc>
@@ -298,9 +298,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+## </desc>
+gen_tunable(mmap_low_allowed, false)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.24/policy/mcs
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.25/policy/mcs
--- nsaserefpolicy/policy/mcs 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/mcs 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/mcs 2009-07-29 21:34:35.000000000 -0400
@@ -66,8 +66,8 @@
#
# Note that getattr on files is always permitted.
@@ -334,9 +334,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
mlsconstrain process { transition dyntransition }
(( h1 dom h2 ) or ( t1 == mcssetcats ));
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.6.24/policy/modules/admin/anaconda.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc serefpolicy-3.6.25/policy/modules/admin/alsa.fc
+--- nsaserefpolicy/policy/modules/admin/alsa.fc 2009-07-29 22:34:34.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/alsa.fc 2009-07-29 15:16:12.000000000 -0400
+@@ -10,9 +10,4 @@
+
+ /usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
+
+-ifdef(`distro_debian', `
+-/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+-/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+-')
+-
+ /var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.6.25/policy/modules/admin/alsa.te
+--- nsaserefpolicy/policy/modules/admin/alsa.te 2009-07-29 22:34:34.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/alsa.te 2009-07-29 15:16:12.000000000 -0400
+@@ -1,5 +1,5 @@
+
+-policy_module(alsa, 1.7.2)
++policy_module(alsa, 1.7.1)
+
+ ########################################
+ #
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.6.25/policy/modules/admin/anaconda.te
--- nsaserefpolicy/policy/modules/admin/anaconda.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/anaconda.te 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/anaconda.te 2009-07-29 21:34:35.000000000 -0400
@@ -31,6 +31,7 @@
modutils_domtrans_insmod(anaconda_t)
@@ -345,9 +368,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.6.24/policy/modules/admin/certwatch.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.6.25/policy/modules/admin/certwatch.te
--- nsaserefpolicy/policy/modules/admin/certwatch.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/certwatch.te 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/certwatch.te 2009-07-29 21:34:35.000000000 -0400
@@ -36,6 +36,7 @@
miscfiles_read_localization(certwatch_t)
@@ -356,17 +379,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
apache_exec_modules(certwatch_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.fc serefpolicy-3.6.24/policy/modules/admin/dmesg.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.fc serefpolicy-3.6.25/policy/modules/admin/dmesg.fc
--- nsaserefpolicy/policy/modules/admin/dmesg.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/dmesg.fc 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/dmesg.fc 2009-07-29 21:34:35.000000000 -0400
@@ -1,2 +1,4 @@
/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
+
+/usr/sbin/mcelog -- gen_context(system_u:object_r:dmesg_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.6.24/policy/modules/admin/dmesg.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.6.25/policy/modules/admin/dmesg.te
--- nsaserefpolicy/policy/modules/admin/dmesg.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/dmesg.te 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/dmesg.te 2009-07-29 21:34:35.000000000 -0400
@@ -9,6 +9,7 @@
type dmesg_t;
type dmesg_exec_t;
@@ -401,9 +424,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dirs(dmesg_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.6.24/policy/modules/admin/kismet.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.6.25/policy/modules/admin/kismet.if
--- nsaserefpolicy/policy/modules/admin/kismet.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/kismet.if 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/kismet.if 2009-07-29 21:34:35.000000000 -0400
@@ -16,6 +16,7 @@
')
@@ -412,9 +435,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.24/policy/modules/admin/kismet.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.25/policy/modules/admin/kismet.te
--- nsaserefpolicy/policy/modules/admin/kismet.te 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/kismet.te 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/kismet.te 2009-07-29 21:34:35.000000000 -0400
@@ -17,6 +17,9 @@
type kismet_tmp_t;
files_tmp_file(kismet_tmp_t)
@@ -457,9 +480,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ networkmanager_dbus_chat(kismet_t)
+ ')
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.24/policy/modules/admin/logrotate.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.25/policy/modules/admin/logrotate.te
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/logrotate.te 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/logrotate.te 2009-07-29 21:34:35.000000000 -0400
@@ -32,7 +32,7 @@
# Change ownership on log files.
allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
@@ -502,18 +525,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
slrnpull_manage_spool(logrotate_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.24/policy/modules/admin/logwatch.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.25/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/logwatch.te 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/logwatch.te 2009-07-29 21:34:35.000000000 -0400
@@ -136,4 +136,5 @@
optional_policy(`
samba_read_log(logwatch_t)
+ samba_read_share_files(logwatch_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.6.24/policy/modules/admin/mrtg.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.6.25/policy/modules/admin/mrtg.te
--- nsaserefpolicy/policy/modules/admin/mrtg.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/mrtg.te 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/mrtg.te 2009-07-29 21:34:35.000000000 -0400
@@ -116,6 +116,9 @@
userdom_use_user_terminals(mrtg_t)
userdom_dontaudit_read_user_home_content_files(mrtg_t)
@@ -524,9 +547,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`enable_mls',`
corenet_udp_sendrecv_lo_if(mrtg_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.24/policy/modules/admin/prelink.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.25/policy/modules/admin/prelink.if
--- nsaserefpolicy/policy/modules/admin/prelink.if 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/prelink.if 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/prelink.if 2009-07-29 21:34:35.000000000 -0400
@@ -140,3 +140,22 @@
files_search_var_lib($1)
manage_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
@@ -550,9 +573,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ files_search_var_lib($1)
+ relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.24/policy/modules/admin/readahead.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.25/policy/modules/admin/readahead.te
--- nsaserefpolicy/policy/modules/admin/readahead.te 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/readahead.te 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/readahead.te 2009-07-29 21:34:35.000000000 -0400
@@ -54,7 +54,10 @@
files_dontaudit_getattr_all_sockets(readahead_t)
files_list_non_security(readahead_t)
@@ -564,9 +587,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_getattr_all_fs(readahead_t)
fs_search_auto_mountpoints(readahead_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.24/policy/modules/admin/rpm.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.25/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/rpm.fc 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/rpm.fc 2009-07-29 21:34:35.000000000 -0400
@@ -4,14 +4,12 @@
/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -608,9 +631,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# SuSE
ifdef(`distro_suse', `
/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.24/policy/modules/admin/rpm.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.25/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/rpm.if 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/rpm.if 2009-07-29 21:34:35.000000000 -0400
@@ -66,6 +66,11 @@
rpm_domtrans($1)
role $2 types rpm_t;
@@ -623,11 +646,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_run_loadpolicy(rpm_script_t, $2)
seutil_run_semanage(rpm_script_t, $2)
seutil_run_setfiles(rpm_script_t, $2)
-@@ -146,6 +151,24 @@
+@@ -146,6 +151,34 @@
########################################
## <summary>
-+## dontaudit read and write an unnamed RPM pipe.
++## dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
@@ -635,12 +658,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+## </summary>
+## </param>
+#
-+interface(`rpm_dontaudit_rw_pipes',`
++interface(`rpm_dontaudit_leaks',`
+ gen_require(`
+ type rpm_t;
++ type rpm_script_t;
++ type rpm_var_run_t;
++ type rpm_tmp_t;
++ type rpm_tmpfs_t;
+ ')
+
+ dontaudit $1 rpm_t:fifo_file rw_fifo_file_perms;
++ dontaudit $1 rpm_script_t:fd use;
++ dontaudit $1 rpm_var_run_t:file write_file_perms;
++ dontaudit $1 rpm_tmp_t:file rw_file_perms;
++ dontaudit $1 rpm_t:shm rw_shm_perms;
++ dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
++ dontaudit $1 rpm_tmpfs_t:file write_file_perms;
+')
+
+########################################
@@ -648,7 +681,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Send and receive messages from
## rpm over dbus.
## </summary>
-@@ -167,6 +190,48 @@
+@@ -167,6 +200,48 @@
########################################
## <summary>
@@ -697,7 +730,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Create, read, write, and delete the RPM log.
## </summary>
## <param name="domain">
-@@ -186,6 +251,24 @@
+@@ -186,6 +261,24 @@
########################################
## <summary>
@@ -722,32 +755,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Inherit and use file descriptors from RPM scripts.
## </summary>
## <param name="domain">
-@@ -204,6 +287,24 @@
-
- ########################################
- ## <summary>
-+## dontaudit and use file descriptors from RPM scripts.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## The type of the process performing this action.
-+## </summary>
-+## </param>
-+#
-+interface(`rpm_dontaudit_use_script_fds',`
-+ gen_require(`
-+ type rpm_script_t;
-+ ')
-+
-+ dontaudit $1 rpm_script_t:fd use;
-+')
-+
-+########################################
-+## <summary>
- ## Create, read, write, and delete RPM
- ## script temporary files.
- ## </summary>
-@@ -219,7 +320,29 @@
+@@ -219,7 +312,29 @@
')
files_search_tmp($1)
@@ -777,7 +785,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -245,6 +368,24 @@
+@@ -245,6 +360,24 @@
########################################
## <summary>
@@ -802,7 +810,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Create, read, write, and delete the RPM package database.
## </summary>
## <param name="domain">
-@@ -283,3 +424,166 @@
+@@ -283,3 +416,46 @@
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
@@ -833,126 +841,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+########################################
+## <summary>
-+## allow domain to read,
-+## write RPM tmp files
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`rpm_rw_tmp_files',`
-+ gen_require(`
-+ type rpm_tmp_t;
-+ ')
-+
-+ allow $1 rpm_tmp_t:file rw_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Do not audit attempts to read,
-+## write RPM tmp files
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`rpm_dontaudit_rw_tmp_files',`
-+ gen_require(`
-+ type rpm_tmp_t;
-+ ')
-+
-+ dontaudit $1 rpm_tmp_t:file rw_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Manage RPM tmp files
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`rpm_manage_tmp_files',`
-+ gen_require(`
-+ type rpm_tmp_t;
-+ ')
-+
-+ manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
-+')
-+
-+########################################
-+## <summary>
-+## Do not audit attempts to read,
-+## write RPM shm
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`rpm_dontaudit_rw_shm',`
-+ gen_require(`
-+ type rpm_t;
-+ ')
-+
-+ dontaudit $1 rpm_t:shm rw_shm_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Read/write rpm tmpfs files.
-+## </summary>
-+## <desc>
-+## <p>
-+## Read/write rpm tmpfs files.
-+## </p>
-+## </desc>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`rpm_rw_tmpfs_files',`
-+ gen_require(`
-+ type rpm_tmpfs_t;
-+ ')
-+
-+ fs_search_tmpfs($1)
-+ allow $1 rpm_tmpfs_t:dir list_dir_perms;
-+ rw_files_pattern($1, rpm_tmpfs_t, rpm_tmpfs_t)
-+ read_lnk_files_pattern($1, rpm_tmpfs_t, rpm_tmpfs_t)
-+')
-+
-+########################################
-+## <summary>
-+## Do not audit attempts to write, and delete the
-+## RPM var run files
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`rpm_dontaudit_write_pid_files',`
-+ gen_require(`
-+ type rpm_var_run_t;
-+ ')
-+
-+ dontaudit $1 rpm_var_run_t:file write_file_perms;
-+')
-+
-+########################################
-+## <summary>
+## Send a null signal to rpm.
+## </summary>
+## <param name="domain">
@@ -969,19 +857,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow $1 rpm_t:process signull;
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.24/policy/modules/admin/rpm.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.25/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/rpm.te 2009-07-28 13:42:18.000000000 -0400
-@@ -9,6 +9,8 @@
- type rpm_t;
- type rpm_exec_t;
- init_system_domain(rpm_t, rpm_exec_t)
-+#application_domain(rpm_t, rpm_exec_t)
-+
- domain_obj_id_change_exemption(rpm_t)
- domain_role_change_exemption(rpm_t)
- domain_system_change_exemption(rpm_t)
-@@ -31,11 +33,15 @@
++++ serefpolicy-3.6.25/policy/modules/admin/rpm.te 2009-07-29 21:34:35.000000000 -0400
+@@ -31,11 +31,15 @@
files_type(rpm_var_lib_t)
typealias rpm_var_lib_t alias var_lib_rpm_t;
@@ -997,7 +876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_type(rpm_script_t)
domain_entry_file(rpm_t, rpm_script_exec_t)
domain_interactive_fd(rpm_script_t)
-@@ -52,8 +58,9 @@
+@@ -52,8 +56,9 @@
# rpm Local policy
#
@@ -1009,7 +888,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow rpm_t self:process { getattr setexec setfscreate setrlimit };
allow rpm_t self:fd use;
allow rpm_t self:fifo_file rw_fifo_file_perms;
-@@ -68,6 +75,8 @@
+@@ -68,6 +73,8 @@
allow rpm_t self:sem create_sem_perms;
allow rpm_t self:msgq create_msgq_perms;
allow rpm_t self:msg { send receive };
@@ -1018,7 +897,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow rpm_t rpm_log_t:file manage_file_perms;
logging_log_filetrans(rpm_t, rpm_log_t, file)
-@@ -87,8 +96,13 @@
+@@ -87,8 +94,13 @@
manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
@@ -1032,7 +911,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_exec_all_executables(rpm_t)
-@@ -108,12 +122,14 @@
+@@ -108,12 +120,14 @@
dev_list_sysfs(rpm_t)
dev_list_usbfs(rpm_t)
dev_read_urand(rpm_t)
@@ -1047,7 +926,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_search_auto_mountpoints(rpm_t)
mls_file_read_all_levels(rpm_t)
-@@ -132,6 +148,8 @@
+@@ -132,6 +146,8 @@
# for installing kernel packages
storage_raw_read_fixed_disk(rpm_t)
@@ -1056,7 +935,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_relabel_all_files_except_shadow(rpm_t)
auth_manage_all_files_except_shadow(rpm_t)
auth_dontaudit_read_shadow(rpm_t)
-@@ -155,6 +173,7 @@
+@@ -155,6 +171,7 @@
files_exec_etc_files(rpm_t)
init_domtrans_script(rpm_t)
@@ -1064,7 +943,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
libs_exec_ld_so(rpm_t)
libs_exec_lib_files(rpm_t)
-@@ -174,17 +193,28 @@
+@@ -174,17 +191,28 @@
')
optional_policy(`
@@ -1094,7 +973,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
ifdef(`TODO',`
-@@ -210,8 +240,8 @@
+@@ -210,8 +238,8 @@
# rpm-script Local policy
#
@@ -1105,7 +984,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow rpm_script_t self:fd use;
allow rpm_script_t self:fifo_file rw_fifo_file_perms;
allow rpm_script_t self:unix_dgram_socket create_socket_perms;
-@@ -222,12 +252,15 @@
+@@ -222,12 +250,15 @@
allow rpm_script_t self:sem create_sem_perms;
allow rpm_script_t self:msgq create_msgq_perms;
allow rpm_script_t self:msg { send receive };
@@ -1121,7 +1000,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
-@@ -239,6 +272,9 @@
+@@ -239,6 +270,9 @@
kernel_read_kernel_sysctls(rpm_script_t)
kernel_read_system_state(rpm_script_t)
@@ -1131,7 +1010,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_list_sysfs(rpm_script_t)
-@@ -255,6 +291,7 @@
+@@ -255,6 +289,7 @@
fs_mount_xattr_fs(rpm_script_t)
fs_unmount_xattr_fs(rpm_script_t)
fs_search_auto_mountpoints(rpm_script_t)
@@ -1139,7 +1018,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
mcs_killall(rpm_script_t)
mcs_ptrace_all(rpm_script_t)
-@@ -272,14 +309,19 @@
+@@ -272,14 +307,19 @@
storage_raw_read_fixed_disk(rpm_script_t)
storage_raw_write_fixed_disk(rpm_script_t)
@@ -1159,7 +1038,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_read_all_domains_state(rpm_script_t)
domain_getattr_all_domains(rpm_script_t)
-@@ -291,6 +333,7 @@
+@@ -291,6 +331,7 @@
files_exec_etc_files(rpm_script_t)
files_read_etc_runtime_files(rpm_script_t)
files_exec_usr_files(rpm_script_t)
@@ -1167,7 +1046,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
init_domtrans_script(rpm_script_t)
-@@ -308,12 +351,15 @@
+@@ -308,12 +349,15 @@
seutil_domtrans_loadpolicy(rpm_script_t)
seutil_domtrans_setfiles(rpm_script_t)
seutil_domtrans_semanage(rpm_script_t)
@@ -1183,7 +1062,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -326,13 +372,18 @@
+@@ -326,13 +370,18 @@
')
optional_policy(`
@@ -1203,9 +1082,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
java_domtrans_unconfined(rpm_script_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.24/policy/modules/admin/sudo.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.25/policy/modules/admin/sudo.if
--- nsaserefpolicy/policy/modules/admin/sudo.if 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/sudo.if 2009-07-28 13:52:41.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/sudo.if 2009-07-29 21:34:35.000000000 -0400
@@ -66,8 +66,8 @@
allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
allow $1_sudo_t self:unix_dgram_socket sendto;
@@ -1238,9 +1117,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_sudo_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.6.24/policy/modules/admin/tmpreaper.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.6.25/policy/modules/admin/tmpreaper.te
--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/tmpreaper.te 2009-07-28 13:54:33.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/tmpreaper.te 2009-07-29 21:34:35.000000000 -0400
@@ -52,6 +52,10 @@
')
@@ -1252,9 +1131,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kismet_manage_log(tmpreaper_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.24/policy/modules/admin/usermanage.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.25/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/usermanage.te 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/usermanage.te 2009-07-29 21:34:35.000000000 -0400
@@ -209,6 +209,7 @@
files_manage_etc_files(groupadd_t)
files_relabel_etc_files(groupadd_t)
@@ -1292,9 +1171,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.6.24/policy/modules/admin/vbetool.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.6.25/policy/modules/admin/vbetool.te
--- nsaserefpolicy/policy/modules/admin/vbetool.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/vbetool.te 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/vbetool.te 2009-07-29 21:34:35.000000000 -0400
@@ -23,7 +23,11 @@
dev_rwx_zero(vbetool_t)
dev_read_sysfs(vbetool_t)
@@ -1317,9 +1196,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ xserver_write_pid(vbetool_t)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.6.24/policy/modules/apps/awstats.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.6.25/policy/modules/apps/awstats.te
--- nsaserefpolicy/policy/modules/apps/awstats.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/awstats.te 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/awstats.te 2009-07-29 21:34:35.000000000 -0400
@@ -51,6 +51,8 @@
libs_read_lib_files(awstats_t)
@@ -1329,9 +1208,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
miscfiles_read_localization(awstats_t)
sysnet_dns_name_resolve(awstats_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.6.24/policy/modules/apps/cpufreqselector.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.6.25/policy/modules/apps/cpufreqselector.te
--- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/cpufreqselector.te 2009-07-28 13:57:37.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/cpufreqselector.te 2009-07-29 21:34:35.000000000 -0400
@@ -8,7 +8,8 @@
type cpufreqselector_t;
@@ -1350,17 +1229,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
policykit_domtrans_auth(cpufreqselector_t)
policykit_read_lib(cpufreqselector_t)
policykit_read_reload(cpufreqselector_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.fc serefpolicy-3.6.24/policy/modules/apps/gitosis.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.fc serefpolicy-3.6.25/policy/modules/apps/gitosis.fc
--- nsaserefpolicy/policy/modules/apps/gitosis.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/gitosis.fc 2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/gitosis.fc 2009-07-29 21:34:35.000000000 -0400
@@ -0,0 +1,4 @@
+
+/usr/bin/gitosis-serve -- gen_context(system_u:object_r:gitosis_exec_t,s0)
+
+/var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.6.24/policy/modules/apps/gitosis.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.6.25/policy/modules/apps/gitosis.if
--- nsaserefpolicy/policy/modules/apps/gitosis.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/gitosis.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/gitosis.if 2009-07-29 21:34:35.000000000 -0400
@@ -0,0 +1,96 @@
+## <summary>gitosis interface</summary>
+
@@ -1458,9 +1337,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ manage_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+ manage_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.te serefpolicy-3.6.24/policy/modules/apps/gitosis.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.te serefpolicy-3.6.25/policy/modules/apps/gitosis.te
--- nsaserefpolicy/policy/modules/apps/gitosis.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/gitosis.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/gitosis.te 2009-07-29 21:34:35.000000000 -0400
@@ -0,0 +1,43 @@
+policy_module(gitosis,1.0.0)
+
@@ -1505,9 +1384,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ ssh_rw_pipes(gitosis_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.24/policy/modules/apps/gnome.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.25/policy/modules/apps/gnome.fc
--- nsaserefpolicy/policy/modules/apps/gnome.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/gnome.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/gnome.fc 2009-07-29 21:34:35.000000000 -0400
@@ -1,8 +1,16 @@
-HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
@@ -1527,9 +1406,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/libexec/gconf-defaults-mechanism -- gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0)
+
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.24/policy/modules/apps/gnome.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.25/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/gnome.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/gnome.if 2009-07-29 21:34:35.000000000 -0400
@@ -89,5 +89,175 @@
allow $1 gnome_home_t:dir manage_dir_perms;
@@ -1706,9 +1585,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ # Connect to pulseaudit server
+ stream_connect_pattern($1, gnome_home_t, gnome_home_t, $2)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.24/policy/modules/apps/gnome.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.25/policy/modules/apps/gnome.te
--- nsaserefpolicy/policy/modules/apps/gnome.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/gnome.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/gnome.te 2009-07-29 21:34:35.000000000 -0400
@@ -9,16 +9,18 @@
attribute gnomedomain;
@@ -1837,9 +1716,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+permissive gnomesystemmm_t;
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.24/policy/modules/apps/gpg.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.25/policy/modules/apps/gpg.te
--- nsaserefpolicy/policy/modules/apps/gpg.te 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/gpg.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/gpg.te 2009-07-29 21:34:35.000000000 -0400
@@ -159,6 +159,19 @@
xserver_rw_xdm_pipes(gpg_t)
')
@@ -1867,9 +1746,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- xserver_stream_connect(gpg_pinentry_t)
+ xserver_common_app(gpg_pinentry_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.6.24/policy/modules/apps/java.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.6.25/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/java.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/java.fc 2009-07-29 21:34:35.000000000 -0400
@@ -2,15 +2,16 @@
# /opt
#
@@ -1904,9 +1783,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.24/policy/modules/apps/java.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.25/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/java.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/java.if 2009-07-29 21:34:35.000000000 -0400
@@ -30,6 +30,7 @@
allow java_t $2:unix_stream_socket connectto;
@@ -2047,9 +1926,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ xserver_role($1_r, $1_java_t)
+ ')
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.24/policy/modules/apps/java.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.25/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/java.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/java.te 2009-07-29 21:34:35.000000000 -0400
@@ -20,6 +20,8 @@
typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t };
typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
@@ -2112,15 +1991,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ')
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.6.24/policy/modules/apps/livecd.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.6.25/policy/modules/apps/livecd.fc
--- nsaserefpolicy/policy/modules/apps/livecd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/livecd.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/livecd.fc 2009-07-29 21:34:35.000000000 -0400
@@ -0,0 +1,2 @@
+
+/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.6.24/policy/modules/apps/livecd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.6.25/policy/modules/apps/livecd.if
--- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/livecd.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/livecd.if 2009-07-29 21:34:35.000000000 -0400
@@ -0,0 +1,50 @@
+
+## <summary>policy for livecd</summary>
@@ -2172,9 +2051,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ seutil_run_setfiles_mac(livecd_t, $2)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.6.24/policy/modules/apps/livecd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.6.25/policy/modules/apps/livecd.te
--- nsaserefpolicy/policy/modules/apps/livecd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/livecd.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/livecd.te 2009-07-29 21:34:35.000000000 -0400
@@ -0,0 +1,26 @@
+policy_module(livecd, 1.0.0)
+
@@ -2202,9 +2081,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+seutil_domtrans_setfiles_mac(livecd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.24/policy/modules/apps/mono.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.25/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/mono.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/mono.if 2009-07-29 21:34:35.000000000 -0400
@@ -21,6 +21,105 @@
########################################
@@ -2320,9 +2199,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
corecmd_search_bin($1)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.6.24/policy/modules/apps/mono.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.6.25/policy/modules/apps/mono.te
--- nsaserefpolicy/policy/modules/apps/mono.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/mono.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/mono.te 2009-07-29 21:34:35.000000000 -0400
@@ -15,7 +15,7 @@
# Local policy
#
@@ -2346,9 +2225,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ xserver_rw_shm(mono_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.24/policy/modules/apps/mozilla.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.25/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/mozilla.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/mozilla.if 2009-07-29 21:34:35.000000000 -0400
@@ -45,6 +45,18 @@
relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
@@ -2376,9 +2255,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_search_user_home_dirs($1)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.24/policy/modules/apps/mozilla.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.25/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/mozilla.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/mozilla.te 2009-07-29 21:34:35.000000000 -0400
@@ -59,6 +59,7 @@
manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
@@ -2453,9 +2332,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
thunderbird_domtrans(mozilla_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.6.24/policy/modules/apps/nsplugin.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.6.25/policy/modules/apps/nsplugin.fc
--- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/nsplugin.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/nsplugin.fc 2009-07-29 21:34:35.000000000 -0400
@@ -0,0 +1,12 @@
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
@@ -2469,9 +2348,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0)
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.24/policy/modules/apps/nsplugin.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.25/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/nsplugin.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/nsplugin.if 2009-07-29 21:34:35.000000000 -0400
@@ -0,0 +1,313 @@
+
+## <summary>policy for nsplugin</summary>
@@ -2786,9 +2665,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.24/policy/modules/apps/nsplugin.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.25/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/nsplugin.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/nsplugin.te 2009-07-29 21:34:35.000000000 -0400
@@ -0,0 +1,287 @@
+
+policy_module(nsplugin, 1.0.0)
@@ -3077,16 +2956,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.6.24/policy/modules/apps/openoffice.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.6.25/policy/modules/apps/openoffice.fc
--- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/openoffice.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/openoffice.fc 2009-07-29 21:34:35.000000000 -0400
@@ -0,0 +1,3 @@
+/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
+/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.6.24/policy/modules/apps/openoffice.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.6.25/policy/modules/apps/openoffice.if
--- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/openoffice.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/openoffice.if 2009-07-29 21:34:35.000000000 -0400
@@ -0,0 +1,93 @@
+## <summary>Openoffice</summary>
+
@@ -3181,9 +3060,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ xserver_common_x_domain_template($1, $1_openoffice_t)
+ ')
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.6.24/policy/modules/apps/openoffice.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.6.25/policy/modules/apps/openoffice.te
--- nsaserefpolicy/policy/modules/apps/openoffice.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/openoffice.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/openoffice.te 2009-07-29 21:34:35.000000000 -0400
@@ -0,0 +1,14 @@
+
+policy_module(openoffice, 1.0.0)
@@ -3199,18 +3078,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.24/policy/modules/apps/qemu.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.25/policy/modules/apps/qemu.fc
--- nsaserefpolicy/policy/modules/apps/qemu.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/qemu.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/qemu.fc 2009-07-29 21:34:35.000000000 -0400
@@ -1,2 +1,3 @@
-/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
-/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.6.24/policy/modules/apps/qemu.if
---- nsaserefpolicy/policy/modules/apps/qemu.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/qemu.if 2009-07-28 13:42:19.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.6.25/policy/modules/apps/qemu.if
+--- nsaserefpolicy/policy/modules/apps/qemu.if 2009-07-29 15:15:33.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/qemu.if 2009-07-29 21:34:35.000000000 -0400
@@ -40,6 +40,93 @@
qemu_domtrans($1)
@@ -3424,29 +3303,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-
- type $1_t;
- domain_type($1_t)
-+interface(`qemu_manage_tmp_dirs',`
-+ gen_require(`
-+ type qemu_tmp_t;
-+ ')
-
+-
- type $1_tmp_t;
- files_tmp_file($1_tmp_t)
-+ manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t)
-+ ')
-
+-
- ##############################
- #
- # Local Policy
-+########################################
-+## <summary>
-+## Manage qemu temporary files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
- #
+- #
-
- allow $1_t self:capability { dac_read_search dac_override };
- allow $1_t self:process { execstack execmem signal getsched };
@@ -3496,17 +3360,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-
- userdom_use_user_terminals($1_t)
-
--# optional_policy(`
--# samba_domtrans_smb($1_t)
--# ')
--
+- optional_policy(`
+- samba_domtrans_smbd($1_t)
++interface(`qemu_manage_tmp_dirs',`
++ gen_require(`
++ type qemu_tmp_t;
+ ')
+
- optional_policy(`
- virt_manage_images($1_t)
- virt_read_config($1_t)
- virt_read_lib_files($1_t)
-+interface(`qemu_manage_tmp_files',`
-+ gen_require(`
-+ type qemu_tmp_t;
++ manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t)
')
- optional_policy(`
@@ -3514,12 +3379,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- xserver_read_xdm_tmp_files($1_t)
- xserver_read_xdm_pid($1_t)
-# xserver_xdm_rw_shm($1_t)
-- ')
++########################################
++## <summary>
++## Manage qemu temporary files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++ #
++interface(`qemu_manage_tmp_files',`
++ gen_require(`
++ type qemu_tmp_t;
+ ')
++
+ manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.24/policy/modules/apps/qemu.te
---- nsaserefpolicy/policy/modules/apps/qemu.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/qemu.te 2009-07-28 13:42:19.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.25/policy/modules/apps/qemu.te
+--- nsaserefpolicy/policy/modules/apps/qemu.te 2009-07-29 15:15:33.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/qemu.te 2009-07-29 23:11:35.000000000 -0400
@@ -13,28 +13,97 @@
## </desc>
gen_tunable(qemu_full_network, false)
@@ -3607,7 +3486,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+optional_policy(`
-+ samba_domtrans_smb(qemu_t)
++ samba_domtrans_smbd(qemu_t)
+')
+
+optional_policy(`
@@ -3636,23 +3515,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ role unconfined_r types qemu_unconfined_t;
allow qemu_unconfined_t self:process { execstack execmem };
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.6.24/policy/modules/apps/sambagui.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.6.25/policy/modules/apps/sambagui.fc
--- nsaserefpolicy/policy/modules/apps/sambagui.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/sambagui.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/sambagui.fc 2009-07-29 21:34:35.000000000 -0400
@@ -0,0 +1,4 @@
+/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0)
+
+
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.6.24/policy/modules/apps/sambagui.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.6.25/policy/modules/apps/sambagui.if
--- nsaserefpolicy/policy/modules/apps/sambagui.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/sambagui.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/sambagui.if 2009-07-29 21:34:35.000000000 -0400
@@ -0,0 +1,2 @@
+## <summary>system-config-samba policy</summary>
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.24/policy/modules/apps/sambagui.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.25/policy/modules/apps/sambagui.te
--- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/sambagui.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/sambagui.te 2009-07-29 23:11:23.000000000 -0400
@@ -0,0 +1,57 @@
+policy_module(sambagui,1.0.0)
+
@@ -3678,8 +3557,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+samba_manage_config(sambagui_t)
+samba_manage_var_files(sambagui_t)
+samba_initrc_domtrans(sambagui_t)
-+samba_domtrans_smb(sambagui_t)
-+samba_domtrans_nmb(sambagui_t)
++samba_domtrans_smbd(sambagui_t)
++samba_domtrans_nmbd(sambagui_t)
+
+# execut apps of system-config-samba
+corecmd_exec_shell(sambagui_t)
@@ -3711,14 +3590,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+permissive sambagui_t;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.6.24/policy/modules/apps/sandbox.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.6.25/policy/modules/apps/sandbox.fc
--- nsaserefpolicy/policy/modules/apps/sandbox.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/sandbox.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/sandbox.fc 2009-07-29 21:34:35.000000000 -0400
@@ -0,0 +1 @@
+# No types are sandbox_exec_t
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.24/policy/modules/apps/sandbox.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.25/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/sandbox.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/sandbox.if 2009-07-29 21:34:35.000000000 -0400
@@ -0,0 +1,145 @@
+
+## <summary>policy for sandbox</summary>
@@ -3865,9 +3744,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.24/policy/modules/apps/sandbox.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.25/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/sandbox.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/sandbox.te 2009-07-29 21:34:35.000000000 -0400
@@ -0,0 +1,274 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
@@ -4143,9 +4022,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ hal_dbus_chat(sandbox_net_client_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.24/policy/modules/apps/screen.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.25/policy/modules/apps/screen.if
--- nsaserefpolicy/policy/modules/apps/screen.if 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/screen.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/screen.if 2009-07-29 21:34:35.000000000 -0400
@@ -157,3 +157,24 @@
nscd_socket_use($1_screen_t)
')
@@ -4171,9 +4050,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ manage_lnk_files_pattern($1,screen_var_run_t,screen_var_run_t)
+ manage_fifo_files_pattern($1,screen_var_run_t,screen_var_run_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.6.24/policy/modules/apps/vmware.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.6.25/policy/modules/apps/vmware.fc
--- nsaserefpolicy/policy/modules/apps/vmware.fc 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/vmware.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/vmware.fc 2009-07-29 21:34:35.000000000 -0400
@@ -18,6 +18,7 @@
/usr/bin/vmnet-natd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmnet-netifup -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
@@ -4182,9 +4061,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-ping -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.24/policy/modules/apps/vmware.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.25/policy/modules/apps/vmware.te
--- nsaserefpolicy/policy/modules/apps/vmware.te 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/vmware.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/vmware.te 2009-07-29 21:34:35.000000000 -0400
@@ -157,8 +157,10 @@
optional_policy(`
xserver_read_tmp_files(vmware_host_t)
@@ -4196,9 +4075,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`TODO',`
# VMWare need access to pcmcia devices for network
optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-3.6.24/policy/modules/apps/webalizer.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-3.6.25/policy/modules/apps/webalizer.te
--- nsaserefpolicy/policy/modules/apps/webalizer.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/webalizer.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/webalizer.te 2009-07-29 21:34:35.000000000 -0400
@@ -69,7 +69,6 @@
fs_search_auto_mountpoints(webalizer_t)
fs_getattr_xattr_fs(webalizer_t)
@@ -4207,9 +4086,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files(webalizer_t)
files_read_etc_runtime_files(webalizer_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.6.24/policy/modules/apps/wine.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.6.25/policy/modules/apps/wine.fc
--- nsaserefpolicy/policy/modules/apps/wine.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/wine.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/wine.fc 2009-07-29 21:34:35.000000000 -0400
@@ -1,4 +1,21 @@
-/usr/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
@@ -4235,9 +4114,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-/opt/cxoffice/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
-/opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.24/policy/modules/apps/wine.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.25/policy/modules/apps/wine.if
--- nsaserefpolicy/policy/modules/apps/wine.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/wine.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/wine.if 2009-07-29 21:34:35.000000000 -0400
@@ -43,3 +43,63 @@
wine_domtrans($1)
role $2 types wine_t;
@@ -4302,9 +4181,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ relabel_lnk_files_pattern($2, wine_home_t, wine_home_t)
+
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.24/policy/modules/apps/wine.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.25/policy/modules/apps/wine.te
--- nsaserefpolicy/policy/modules/apps/wine.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/wine.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/wine.te 2009-07-29 21:34:35.000000000 -0400
@@ -9,20 +9,35 @@
type wine_t;
type wine_exec_t;
@@ -4345,9 +4224,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ xserver_common_app(wine_t)
+ xserver_rw_shm(wine_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.24/policy/modules/kernel/corecommands.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.25/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/corecommands.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/kernel/corecommands.fc 2009-07-29 21:34:35.000000000 -0400
@@ -139,6 +139,9 @@
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -4380,9 +4259,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.24/policy/modules/kernel/corecommands.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.25/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/corecommands.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/kernel/corecommands.if 2009-07-29 21:34:35.000000000 -0400
@@ -893,6 +893,7 @@
read_lnk_files_pattern($1, bin_t, bin_t)
@@ -4391,9 +4270,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.24/policy/modules/kernel/corenetwork.te.in
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.25/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/corenetwork.te.in 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/kernel/corenetwork.te.in 2009-07-29 21:34:35.000000000 -0400
@@ -65,6 +65,7 @@
type server_packet_t, packet_type, server_packet_type;
@@ -4499,9 +4378,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# network_node examples:
#network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255)
#network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.24/policy/modules/kernel/devices.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.25/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/devices.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/kernel/devices.fc 2009-07-29 21:34:35.000000000 -0400
@@ -47,8 +47,10 @@
/dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
@@ -4513,9 +4392,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.24/policy/modules/kernel/devices.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.25/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/devices.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/kernel/devices.if 2009-07-29 21:34:35.000000000 -0400
@@ -1655,6 +1655,78 @@
########################################
@@ -4683,9 +4562,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read and write to the null device (/dev/null).
## </summary>
## <param name="domain">
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.24/policy/modules/kernel/devices.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.25/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/devices.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/kernel/devices.te 2009-07-29 21:34:35.000000000 -0400
@@ -84,6 +84,13 @@
dev_node(kmsg_device_t)
@@ -4713,9 +4592,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Type for /dev/mapper/control
#
type lvm_control_t;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.24/policy/modules/kernel/domain.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.25/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/domain.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/kernel/domain.if 2009-07-29 21:34:35.000000000 -0400
@@ -44,34 +44,6 @@
interface(`domain_type',`
# start with basic domain
@@ -4896,9 +4775,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1 unconfined_domain_type:process signal;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.24/policy/modules/kernel/domain.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.25/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/domain.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/kernel/domain.te 2009-07-29 21:34:35.000000000 -0400
@@ -5,6 +5,13 @@
#
# Declarations
@@ -4969,7 +4848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
-@@ -153,3 +174,76 @@
+@@ -153,3 +174,67 @@
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -5008,26 +4887,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ cron_rw_system_job_pipes(domain)
+
+ifdef(`hide_broken_symptoms',`
-+ fs_list_inotifyfs(domain)
+ dontaudit domain self:udp_socket listen;
+ allow domain domain:key { link search };
-+ dbus_dontaudit_system_bus_rw_tcp_sockets(domain)
-+ cron_dontaudit_rw_tcp_sockets(domain)
+')
+')
+
+optional_policy(`
-+ rpm_rw_pipes(domain)
-+ rpm_dontaudit_use_script_fds(domain)
-+ rpm_dontaudit_write_pid_files(domain)
++ rpm_dontaudit_leaks(domain)
+ rpm_read_script_tmp_files(domain)
+')
+
+optional_policy(`
-+ rhgb_dontaudit_use_ptys(domain)
-+')
-+
-+optional_policy(`
+ ssh_rw_pipes(domain)
+')
+
@@ -5046,9 +4916,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ userdom_relabelto_user_home_dirs(polydomain)
+ userdom_relabelto_user_home_files(polydomain)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.24/policy/modules/kernel/files.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.25/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/files.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/kernel/files.fc 2009-07-29 21:34:35.000000000 -0400
@@ -5,10 +5,11 @@
/.* gen_context(system_u:object_r:default_t,s0)
/ -d gen_context(system_u:object_r:root_t,s0)
@@ -5079,9 +4949,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.24/policy/modules/kernel/files.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.25/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/files.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/kernel/files.if 2009-07-29 21:34:35.000000000 -0400
@@ -110,6 +110,11 @@
## </param>
#
@@ -5454,10 +5324,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ')
+ allow $1 file_type:file entrypoint;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.24/policy/modules/kernel/files.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.25/policy/modules/kernel/files.te
--- nsaserefpolicy/policy/modules/kernel/files.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/files.te 2009-07-28 13:42:19.000000000 -0400
-@@ -52,7 +52,9 @@
++++ serefpolicy-3.6.25/policy/modules/kernel/files.te 2009-07-29 23:56:24.000000000 -0400
+@@ -42,6 +42,7 @@
+ #
+ type boot_t;
+ files_mountpoint(boot_t)
++dev_node(boot_t)
+
+ # default_t is the default type for files that do not
+ # match any specification in the file_contexts configuration
+@@ -52,7 +53,9 @@
#
# etc_t is the type of the system etc directories.
#
@@ -5468,15 +5346,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_type(etc_t)
# compatibility aliases for removed types:
typealias etc_t alias automount_etc_t;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.6.24/policy/modules/kernel/filesystem.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.6.25/policy/modules/kernel/filesystem.fc
--- nsaserefpolicy/policy/modules/kernel/filesystem.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/filesystem.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/kernel/filesystem.fc 2009-07-29 21:34:35.000000000 -0400
@@ -1 +1 @@
-# This module currently does not have any file contexts.
+/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.24/policy/modules/kernel/filesystem.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.25/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/filesystem.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/kernel/filesystem.if 2009-07-29 21:34:35.000000000 -0400
@@ -3971,3 +3971,23 @@
relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
@@ -5501,9 +5379,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ dontaudit $1 cifs_t:dir list_dir_perms;
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.24/policy/modules/kernel/kernel.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.25/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/kernel.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/kernel/kernel.if 2009-07-29 21:34:35.000000000 -0400
@@ -1807,7 +1807,7 @@
')
@@ -5562,9 +5440,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow $1 kernel_t:unix_stream_socket connectto;
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.24/policy/modules/kernel/kernel.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.25/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/kernel.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/kernel/kernel.te 2009-07-29 21:34:35.000000000 -0400
@@ -63,6 +63,15 @@
genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
@@ -5648,9 +5526,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+files_boot(kernel_t)
+
+permissive kernel_t;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.24/policy/modules/kernel/selinux.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.25/policy/modules/kernel/selinux.if
--- nsaserefpolicy/policy/modules/kernel/selinux.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/selinux.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/kernel/selinux.if 2009-07-29 21:34:35.000000000 -0400
@@ -40,7 +40,7 @@
# because of this statement, any module which
@@ -5708,21 +5586,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ fs_type($1)
+ mls_trusted_object($1)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.6.24/policy/modules/kernel/storage.fc
---- nsaserefpolicy/policy/modules/kernel/storage.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/storage.fc 2009-07-28 13:42:19.000000000 -0400
-@@ -57,7 +57,7 @@
-
- /dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-
--/dev/fuse -c gen_context(system_u:object_r:fuse_device_t,mls_systemhigh)
-+/dev/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
- /dev/floppy/[^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
-
- /dev/i2o/hd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.6.24/policy/modules/kernel/terminal.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.6.25/policy/modules/kernel/terminal.fc
--- nsaserefpolicy/policy/modules/kernel/terminal.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/terminal.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/kernel/terminal.fc 2009-07-29 21:34:35.000000000 -0400
@@ -13,6 +13,7 @@
/dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0)
@@ -5731,9 +5597,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.24/policy/modules/kernel/terminal.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.25/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/terminal.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/kernel/terminal.if 2009-07-29 21:34:35.000000000 -0400
@@ -173,7 +173,7 @@
dev_list_all_dev_nodes($1)
@@ -5805,9 +5671,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
## <summary>
## Read and write the controlling
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.24/policy/modules/roles/guest.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.25/policy/modules/roles/guest.te
--- nsaserefpolicy/policy/modules/roles/guest.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/roles/guest.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/roles/guest.te 2009-07-29 21:34:35.000000000 -0400
@@ -16,7 +16,11 @@
#
@@ -5822,9 +5688,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+gen_user(guest_u, user, guest_r, s0, s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.24/policy/modules/roles/staff.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.25/policy/modules/roles/staff.te
--- nsaserefpolicy/policy/modules/roles/staff.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/roles/staff.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/roles/staff.te 2009-07-29 21:34:35.000000000 -0400
@@ -15,156 +15,105 @@
# Local policy
#
@@ -6018,9 +5884,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-optional_policy(`
- xserver_role(staff_r, staff_t)
-')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.24/policy/modules/roles/sysadm.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.25/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/roles/sysadm.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/roles/sysadm.te 2009-07-29 21:34:35.000000000 -0400
@@ -15,7 +15,7 @@
role sysadm_r;
@@ -6318,9 +6184,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+init_script_role_transition(sysadm_r)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.24/policy/modules/roles/unconfineduser.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.25/policy/modules/roles/unconfineduser.fc
--- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/roles/unconfineduser.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/roles/unconfineduser.fc 2009-07-29 21:34:35.000000000 -0400
@@ -0,0 +1,37 @@
+# Add programs here which should not be confined by SELinux
+# e.g.:
@@ -6359,9 +6225,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.6.24/policy/modules/roles/unconfineduser.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.6.25/policy/modules/roles/unconfineduser.if
--- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/roles/unconfineduser.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/roles/unconfineduser.if 2009-07-29 21:34:35.000000000 -0400
@@ -0,0 +1,638 @@
+## <summary>Unconfiend user role</summary>
+
@@ -7001,10 +6867,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1 unconfined_r;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.24/policy/modules/roles/unconfineduser.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.25/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/roles/unconfineduser.te 2009-07-28 13:42:19.000000000 -0400
-@@ -0,0 +1,410 @@
++++ serefpolicy-3.6.25/policy/modules/roles/unconfineduser.te 2009-07-29 22:23:43.000000000 -0400
+@@ -0,0 +1,395 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -7399,25 +7265,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+# Unconfined mount local policy
+#
+
-+optional_policy(`
-+ gen_require(`
-+ type unconfined_mount_t;
-+ ')
-+
-+ files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
-+
-+ rpc_domtrans_rpcd(unconfined_mount_t)
-+
-+ unconfined_domain_noaudit(unconfined_mount_t)
-+ optional_policy(`
-+ hal_dbus_chat(unconfined_mount_t)
-+ ')
-+')
-+
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.24/policy/modules/roles/unprivuser.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.25/policy/modules/roles/unprivuser.te
--- nsaserefpolicy/policy/modules/roles/unprivuser.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/roles/unprivuser.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/roles/unprivuser.te 2009-07-29 21:34:35.000000000 -0400
@@ -14,142 +14,21 @@
userdom_unpriv_user_template(user)
@@ -7566,21 +7417,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- xserver_role(user_r, user_t)
+ setroubleshoot_dontaudit_stream_connect(user_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.te serefpolicy-3.6.24/policy/modules/roles/webadm.te
---- nsaserefpolicy/policy/modules/roles/webadm.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/roles/webadm.te 2009-07-28 13:42:19.000000000 -0400
-@@ -42,7 +42,7 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.te serefpolicy-3.6.25/policy/modules/roles/webadm.te
+--- nsaserefpolicy/policy/modules/roles/webadm.te 2009-07-28 15:51:13.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/roles/webadm.te 2009-07-29 21:34:35.000000000 -0400
+@@ -1,5 +1,5 @@
- userdom_dontaudit_search_user_home_dirs(webadm_t)
+-policy_module(webadm, 1.0.1)
++policy_module(webadm, 1.0.0)
--#apache_admin(webadm_t, webadm_r)
-+apache_admin(webadm_t, webadm_r)
-
- tunable_policy(`webadm_manage_user_files',`
- userdom_manage_user_home_content_files(webadm_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.24/policy/modules/roles/xguest.te
+ ########################################
+ #
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.25/policy/modules/roles/xguest.te
--- nsaserefpolicy/policy/modules/roles/xguest.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/roles/xguest.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/roles/xguest.te 2009-07-29 21:34:35.000000000 -0400
@@ -36,11 +36,17 @@
# Local policy
#
@@ -7627,9 +7476,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-#gen_user(xguest_u,, xguest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.6.24/policy/modules/services/amavis.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.6.25/policy/modules/services/amavis.te
--- nsaserefpolicy/policy/modules/services/amavis.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/amavis.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/amavis.te 2009-07-29 21:34:35.000000000 -0400
@@ -103,6 +103,8 @@
kernel_dontaudit_read_proc_symlinks(amavis_t)
kernel_dontaudit_read_system_state(amavis_t)
@@ -7639,9 +7488,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# find perl
corecmd_exec_bin(amavis_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.24/policy/modules/services/apache.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.25/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/apache.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/apache.fc 2009-07-29 21:34:35.000000000 -0400
@@ -1,12 +1,13 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
+HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -7735,9 +7584,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.24/policy/modules/services/apache.if
---- nsaserefpolicy/policy/modules/services/apache.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/apache.if 2009-07-28 13:42:19.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.25/policy/modules/services/apache.if
+--- nsaserefpolicy/policy/modules/services/apache.if 2009-07-28 15:51:13.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/apache.if 2009-07-29 23:18:25.000000000 -0400
@@ -13,21 +13,16 @@
#
template(`apache_content_template',`
@@ -8115,13 +7964,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1040,3 +1052,160 @@
+@@ -1043,6 +1055,44 @@
- allow httpd_t $1:process signal;
- ')
-+
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+## Allow the specified domain to search
+## apache bugzilla directories.
+## </summary>
@@ -8160,79 +8006,43 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+########################################
+## <summary>
-+## All of the rules required to administrate an apache environment
-+## </summary>
-+## <param name="prefix">
-+## <summary>
-+## Prefix of the domain. Example, user would be
-+## the prefix for the uder_t domain.
-+## </summary>
-+## </param>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## The role to be allowed to manage the apache domain.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`apache_admin',`
-+
-+ gen_require(`
-+ type httpd_t, httpd_initrc_exec_t, httpd_config_t;
-+ type httpd_log_t, httpd_modules_t, httpd_lock_t;
-+ type httpd_var_run_t;
-+ attribute httpdcontent;
-+ attribute httpd_script_exec_type;
-+ type httpd_bool_t;
-+ type httpd_php_tmp_t;
-+ type httpd_suexec_tmp_t;
-+ type httpd_tmp_t;
-+
-+ ')
-+
-+ allow $1 httpd_t:process { getattr ptrace signal_perms };
-+ ps_process_pattern($1, httpd_t)
-+
+ ## All of the rules required to administrate an apache environment
+ ## </summary>
+ ## <param name="prefix">
+@@ -1072,11 +1122,17 @@
+ type httpd_modules_t, httpd_lock_t;
+ type httpd_var_run_t, httpd_php_tmp_t;
+ type httpd_suexec_tmp_t, httpd_tmp_t;
++ type httpd_initrc_exec_t, httpd_bool_t;
+ ')
+
+ allow $1 httpd_t:process { getattr ptrace signal_perms };
+ ps_process_pattern($1, httpd_t)
+
+ init_labeled_script_domtrans($1, httpd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 httpd_initrc_exec_t system_r;
+ allow $2 system_r;
+
-+ apache_manage_all_content($1)
-+ miscfiles_manage_public_files($1)
-+
-+ files_search_etc($1)
-+ admin_pattern($1, httpd_config_t)
-+
-+ logging_search_logs($1)
-+ admin_pattern($1, httpd_log_t)
-+
-+ admin_pattern($1, httpd_modules_t)
-+
-+ admin_pattern($1, httpd_lock_t)
-+ files_lock_filetrans($1, httpd_lock_t, file)
-+
-+ admin_pattern($1, httpd_var_run_t)
-+ files_pid_filetrans($1, httpd_var_run_t, file)
-+
-+ kernel_search_proc($1)
-+ allow $1 httpd_t:dir list_dir_perms;
+ apache_manage_all_content($1)
+ miscfiles_manage_public_files($1)
+
+@@ -1096,12 +1152,57 @@
+
+ kernel_search_proc($1)
+ allow $1 httpd_t:dir list_dir_perms;
+-
+ ps_process_pattern($1, httpd_t)
-+ read_lnk_files_pattern($1, httpd_t, httpd_t)
-+
-+ admin_pattern($1, httpdcontent)
-+ admin_pattern($1, httpd_script_exec_type)
+ read_lnk_files_pattern($1, httpd_t, httpd_t)
+
+ admin_pattern($1, httpdcontent)
+ admin_pattern($1, httpd_script_exec_type)
+
+ seutil_domtrans_setfiles($1)
+
-+ admin_pattern($1, httpd_tmp_t)
-+ admin_pattern($1, httpd_php_tmp_t)
-+ admin_pattern($1, httpd_suexec_tmp_t)
+ admin_pattern($1, httpd_tmp_t)
+ admin_pattern($1, httpd_php_tmp_t)
+ admin_pattern($1, httpd_suexec_tmp_t)
+ files_tmp_filetrans($1, httpd_tmp_t, { file dir })
+
+ifdef(`TODO',`
@@ -8275,10 +8085,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ attribute httpd_rw_content;
+ ')
+ typeattribute $1 httpd_rw_content;
-+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.24/policy/modules/services/apache.te
---- nsaserefpolicy/policy/modules/services/apache.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/apache.te 2009-07-28 13:42:19.000000000 -0400
+ ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.25/policy/modules/services/apache.te
+--- nsaserefpolicy/policy/modules/services/apache.te 2009-07-28 15:51:13.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/apache.te 2009-07-29 21:34:35.000000000 -0400
@@ -19,6 +19,8 @@
# Declarations
#
@@ -9010,9 +8820,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.6.24/policy/modules/services/apm.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.6.25/policy/modules/services/apm.te
--- nsaserefpolicy/policy/modules/services/apm.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/apm.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/apm.te 2009-07-29 21:34:35.000000000 -0400
@@ -60,7 +60,7 @@
# mknod: controlling an orderly resume of PCMCIA requires creating device
# nodes 254,{0,1,2} for some reason.
@@ -9022,55 +8832,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow apmd_t self:process { signal_perms getsession };
allow apmd_t self:fifo_file rw_fifo_file_perms;
allow apmd_t self:unix_dgram_socket create_socket_perms;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.6.24/policy/modules/services/automount.if
---- nsaserefpolicy/policy/modules/services/automount.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/automount.if 2009-07-28 13:42:19.000000000 -0400
-@@ -109,6 +109,25 @@
-
- ########################################
- ## <summary>
-+## Send automount a signal
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## The type of the process performing this action.
-+## </summary>
-+## </param>
-+#
-+#
-+interface(`automount_signal',`
-+ gen_require(`
-+ type automount_t;
-+ ')
-+
-+ allow $1 automount_t:process signal;
-+')
-+
-+########################################
-+## <summary>
- ## All of the rules required to administrate
- ## an automount environment
- ## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.24/policy/modules/services/automount.te
---- nsaserefpolicy/policy/modules/services/automount.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/automount.te 2009-07-28 13:42:19.000000000 -0400
-@@ -71,6 +71,7 @@
- files_mounton_all_mountpoints(automount_t)
- files_mount_all_file_type_fs(automount_t)
- files_unmount_all_file_type_fs(automount_t)
-+files_manage_non_security_dirs(automount_t)
-
- fs_mount_all_fs(automount_t)
- fs_unmount_all_fs(automount_t)
-@@ -100,6 +101,7 @@
- corenet_udp_bind_all_rpc_ports(automount_t)
-
- dev_read_sysfs(automount_t)
-+dev_rw_autofs(automount_t)
- # for SSP
- dev_read_rand(automount_t)
- dev_read_urand(automount_t)
-@@ -127,6 +129,7 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.25/policy/modules/services/automount.te
+--- nsaserefpolicy/policy/modules/services/automount.te 2009-07-29 15:15:33.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/automount.te 2009-07-29 21:34:35.000000000 -0400
+@@ -129,6 +129,7 @@
fs_unmount_autofs(automount_t)
fs_mount_autofs(automount_t)
fs_manage_autofs_symlinks(automount_t)
@@ -9078,26 +8843,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
storage_rw_fuse(automount_t)
-@@ -142,6 +145,7 @@
-
- # Run mount in the mount_t domain.
- mount_domtrans(automount_t)
-+mount_signal(automount_t)
-
- userdom_dontaudit_use_unpriv_user_fds(automount_t)
- userdom_dontaudit_search_user_home_dirs(automount_t)
-@@ -155,7 +159,7 @@
- ')
-
- optional_policy(`
-- kerberos_read_keytab(automount_t)
-+ kerberos_keytab_template(automount, automount_t)
- kerberos_read_config(automount_t)
- kerberos_dontaudit_write_config(automount_t)
- ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.24/policy/modules/services/bind.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.25/policy/modules/services/bind.if
--- nsaserefpolicy/policy/modules/services/bind.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/bind.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/bind.if 2009-07-29 21:34:35.000000000 -0400
@@ -287,6 +287,25 @@
########################################
@@ -9124,9 +8872,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## All of the rules required to administrate
## an bind environment
## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.24/policy/modules/services/bluetooth.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.25/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/bluetooth.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/bluetooth.te 2009-07-29 21:34:35.000000000 -0400
@@ -64,6 +64,7 @@
allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow bluetooth_t self:tcp_socket create_stream_socket_perms;
@@ -9135,9 +8883,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.24/policy/modules/services/certmaster.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.25/policy/modules/services/certmaster.te
--- nsaserefpolicy/policy/modules/services/certmaster.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/certmaster.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/certmaster.te 2009-07-29 21:34:35.000000000 -0400
@@ -30,7 +30,7 @@
# certmaster local policy
#
@@ -9147,9 +8895,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow certmaster_t self:tcp_socket create_stream_socket_perms;
# config files
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.24/policy/modules/services/clamav.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.25/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/clamav.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/clamav.te 2009-07-29 21:34:35.000000000 -0400
@@ -117,9 +117,9 @@
logging_send_syslog_msg(clamd_t)
@@ -9184,9 +8932,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
apache_read_sys_content(clamscan_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.6.24/policy/modules/services/consolekit.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.6.25/policy/modules/services/consolekit.if
--- nsaserefpolicy/policy/modules/services/consolekit.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/consolekit.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/consolekit.if 2009-07-29 21:34:35.000000000 -0400
@@ -57,3 +57,23 @@
read_files_pattern($1, consolekit_log_t, consolekit_log_t)
files_search_pids($1)
@@ -9211,49 +8959,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.24/policy/modules/services/consolekit.te
---- nsaserefpolicy/policy/modules/services/consolekit.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/consolekit.te 2009-07-28 13:42:19.000000000 -0400
-@@ -11,7 +11,7 @@
- init_daemon_domain(consolekit_t, consolekit_exec_t)
-
- type consolekit_log_t;
--files_pid_file(consolekit_log_t)
-+logging_log_file(consolekit_log_t)
-
- type consolekit_var_run_t;
- files_pid_file(consolekit_var_run_t)
-@@ -50,6 +50,7 @@
- files_read_usr_files(consolekit_t)
- # needs to read /var/lib/dbus/machine-id
- files_read_var_lib_files(consolekit_t)
-+files_search_all_mountpoints(consolekit_t)
-
- fs_list_inotifyfs(consolekit_t)
-
-@@ -61,12 +62,17 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.25/policy/modules/services/consolekit.te
+--- nsaserefpolicy/policy/modules/services/consolekit.te 2009-07-29 15:15:33.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/consolekit.te 2009-07-29 21:34:35.000000000 -0400
+@@ -62,12 +62,15 @@
init_telinit(consolekit_t)
init_rw_utmp(consolekit_t)
+init_chat(consolekit_t)
logging_send_syslog_msg(consolekit_t)
-+logging_send_audit_msgs(consolekit_t)
+ logging_send_audit_msgs(consolekit_t)
miscfiles_read_localization(consolekit_t)
+# consolekit needs to be able to ptrace all logged in users
+userdom_ptrace_all_users(consolekit_t)
userdom_dontaudit_read_user_home_content_files(consolekit_t)
-+userdom_read_user_tmp_files(consolekit_t)
+ userdom_read_user_tmp_files(consolekit_t)
- hal_ptrace(consolekit_t)
-
-@@ -81,9 +87,12 @@
+@@ -84,9 +87,12 @@
')
optional_policy(`
-- dbus_system_bus_client(consolekit_t)
+- dbus_system_domain(consolekit_t, consolekit_exec_t)
+ cron_read_system_job_lib_files(consolekit_t)
+')
@@ -9263,39 +8992,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
hal_dbus_chat(consolekit_t)
')
-@@ -97,11 +106,28 @@
+@@ -100,6 +106,7 @@
')
optional_policy(`
+ policykit_dbus_chat(consolekit_t)
-+ policykit_domtrans_auth(consolekit_t)
-+ policykit_read_lib(consolekit_t)
-+ policykit_read_reload(consolekit_t)
-+')
-+
-+optional_policy(`
-+ xserver_read_xdm_pid(consolekit_t)
+ policykit_domtrans_auth(consolekit_t)
+ policykit_read_lib(consolekit_t)
+ policykit_read_reload(consolekit_t)
+@@ -108,10 +115,19 @@
+ optional_policy(`
+ xserver_read_xdm_pid(consolekit_t)
xserver_read_user_xauth(consolekit_t)
-- xserver_stream_connect(consolekit_t)
+ xserver_common_app(consolekit_t)
+ xserver_ptrace_xdm(consolekit_t)
+ xserver_common_app(consolekit_t)
-+ corenet_tcp_connect_xserver_port(consolekit_t)
-+')
-+
-+optional_policy(`
-+ udev_domtrans(consolekit_t)
+ corenet_tcp_connect_xserver_port(consolekit_t)
')
optional_policy(`
++ udev_domtrans(consolekit_t)
++')
++
++optional_policy(`
#reading .Xauthity
+ unconfined_ptrace(consolekit_t)
unconfined_stream_connect(consolekit_t)
')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.6.24/policy/modules/services/courier.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.6.25/policy/modules/services/courier.if
--- nsaserefpolicy/policy/modules/services/courier.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/courier.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/courier.if 2009-07-29 21:34:35.000000000 -0400
@@ -179,6 +179,24 @@
########################################
@@ -9321,9 +9048,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read and write to courier spool pipes.
## </summary>
## <param name="domain">
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.6.24/policy/modules/services/courier.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.6.25/policy/modules/services/courier.te
--- nsaserefpolicy/policy/modules/services/courier.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/courier.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/courier.te 2009-07-29 21:34:35.000000000 -0400
@@ -10,6 +10,7 @@
type courier_etc_t;
@@ -9332,9 +9059,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
courier_domain_template(pcp)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.24/policy/modules/services/cron.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.25/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/cron.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/cron.fc 2009-07-29 21:34:35.000000000 -0400
@@ -1,3 +1,4 @@
+/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
@@ -9366,9 +9093,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
+
+/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.24/policy/modules/services/cron.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.25/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/cron.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/cron.if 2009-07-29 21:34:35.000000000 -0400
@@ -12,6 +12,10 @@
## </param>
#
@@ -9670,9 +9397,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ init_labeled_script_domtrans($1, crond_initrc_exec_t)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.24/policy/modules/services/cron.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.25/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/cron.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/cron.te 2009-07-29 21:34:35.000000000 -0400
@@ -38,6 +38,10 @@
type cron_var_lib_t;
files_type(cron_var_lib_t)
@@ -9918,7 +9645,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# prelink tells init to restart it self, we either need to allow or dontaudit
-init_write_initctl(system_cronjob_t)
+init_telinit(system_cronjob_t)
-+init_spec_domtrans_script(system_cronjob_t)
++init_domtrans_script(system_cronjob_t)
auth_use_nsswitch(system_cronjob_t)
@@ -10024,288 +9751,41 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`fcron_crond', `
allow crond_t user_cron_spool_t:file manage_file_perms;
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.24/policy/modules/services/cups.fc
---- nsaserefpolicy/policy/modules/services/cups.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/cups.fc 2009-07-28 13:42:19.000000000 -0400
-@@ -5,27 +5,38 @@
- /etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
- /etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
- /etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
--/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
- /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
- /etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
- /etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.25/policy/modules/services/cups.fc
+--- nsaserefpolicy/policy/modules/services/cups.fc 2009-07-28 15:51:13.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/cups.fc 2009-07-29 21:34:35.000000000 -0400
+@@ -13,6 +13,8 @@
/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
-+
-+/etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0)
+ /etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
++/etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0)
++
/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0)
/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-
-+/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+
- /usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-+/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0)
-
--/usr/lib(64)?/cups/backend/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
--/usr/lib(64)?/cups/daemon/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
--/usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
-+/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
-+/usr/lib64/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
-
- /usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-
- /usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
- /usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
- /usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0)
-+/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0)
-+# keep as separate lines to ensure proper sorting
-+/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
-+/usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
-+
- /usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
- /usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0)
- /usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0)
-@@ -33,7 +44,7 @@
-
- /usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
- /usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
--/usr/share/hplip/hpssd\.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
-+/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
-
- /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
- /var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-@@ -43,10 +54,19 @@
- /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-
- /var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
--/var/log/turboprint_cups\.log.* -- gen_context(system_u:object_r:cupsd_log_t,s0)
-+/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
-
-+/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
- /var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
-+/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
- /var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
- /var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
+@@ -62,3 +64,8 @@
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
+ /var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+
+/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+
-+/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.6.24/policy/modules/services/cups.if
---- nsaserefpolicy/policy/modules/services/cups.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/cups.if 2009-07-28 13:42:19.000000000 -0400
-@@ -20,6 +20,30 @@
-
- ########################################
- ## <summary>
-+## Setup cups to transtion to the cups backend domain
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## The type of the process performing this action.
-+## </summary>
-+## </param>
-+#
-+interface(`cups_backend',`
-+ gen_require(`
-+ type cupsd_t;
-+ ')
-+
-+ domtrans_pattern(cupsd_t, $2, $1)
-+
-+ allow cupsd_t $1:process signal;
-+ allow $1 cupsd_t:unix_stream_socket connected_stream_socket_perms;
-+
-+ cups_read_config($1)
-+ cups_append_log($1)
-+')
-+
-+########################################
-+## <summary>
- ## Connect to cupsd over an unix domain stream socket.
- ## </summary>
- ## <param name="domain">
-@@ -212,6 +236,25 @@
-
- ########################################
- ## <summary>
-+## Append cups log files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`cups_append_log',`
-+ gen_require(`
-+ type cupsd_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ append_files_pattern($1, cupsd_log_t, cupsd_log_t)
-+')
-+
-+########################################
-+## <summary>
- ## Write cups log files.
- ## </summary>
- ## <param name="domain">
-@@ -247,3 +290,66 @@
- files_search_pids($1)
- stream_connect_pattern($1, ptal_var_run_t, ptal_var_run_t, ptal_t)
- ')
-+
-+########################################
-+## <summary>
-+## All of the rules required to administrate
-+## an cups environment
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## The role to be allowed to manage the cups domain.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`cups_admin',`
-+ gen_require(`
-+ type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
-+ type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
-+ type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
-+ type cupsd_var_run_t, ptal_etc_t;
-+ type ptal_var_run_t, hplip_var_run_t;
-+ type cupsd_initrc_exec_t;
-+ ')
-+
-+ allow $1 cupsd_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, cupsd_t)
-+
-+ init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
-+ domain_system_change_exemption($1)
-+ role_transition $2 cupsd_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ files_list_tmp($1)
-+ admin_pattern($1, cupsd_tmp_t)
-+
-+ admin_pattern($1, cupsd_lpd_tmp_t)
-+
-+ files_list_etc($1)
-+ admin_pattern($1, cupsd_etc_t)
-+
-+ admin_pattern($1, ptal_etc_t)
-+
-+ files_list_spool($1)
-+ admin_pattern($1, cupsd_spool_t)
-+
-+ logging_list_logs($1)
-+ admin_pattern($1, cupsd_log_t)
-+
-+ files_list_pids($1)
-+ admin_pattern($1, cupsd_var_run_t)
-+
-+ admin_pattern($1, ptal_var_run_t)
-+
-+ admin_pattern($1, cupsd_config_var_run_t)
-+
-+ admin_pattern($1, cupsd_lpd_var_run_t)
-+
-+ admin_pattern($1, hplip_var_run_t)
-+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.24/policy/modules/services/cups.te
---- nsaserefpolicy/policy/modules/services/cups.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/cups.te 2009-07-28 13:42:19.000000000 -0400
-@@ -20,9 +20,18 @@
- type cupsd_etc_t;
- files_config_file(cupsd_etc_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.25/policy/modules/services/cups.te
+--- nsaserefpolicy/policy/modules/services/cups.te 2009-07-28 15:51:13.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/cups.te 2009-07-29 21:34:35.000000000 -0400
+@@ -23,6 +23,9 @@
+ type cupsd_initrc_exec_t;
+ init_script_file(cupsd_initrc_exec_t)
-+type cupsd_initrc_exec_t;
-+init_script_file(cupsd_initrc_exec_t)
-+
+type cupsd_interface_t;
+files_type(cupsd_interface_t)
+
type cupsd_rw_etc_t;
files_config_file(cupsd_rw_etc_t)
-+type cupsd_lock_t;
-+files_lock_file(cupsd_lock_t)
-+
- type cupsd_log_t;
- logging_log_file(cupsd_log_t)
-
-@@ -48,6 +57,10 @@
- type hplip_t;
- type hplip_exec_t;
- init_daemon_domain(hplip_t, hplip_exec_t)
-+# For CUPS to run as a backend
-+cups_backend(hplip_t, hplip_exec_t)
-+domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
-+read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
-
- type hplip_etc_t;
- files_config_file(hplip_etc_t)
-@@ -55,6 +68,9 @@
- type hplip_var_run_t;
- files_pid_file(hplip_var_run_t)
-
-+type hplip_tmp_t;
-+files_tmp_file(hplip_tmp_t)
-+
- type ptal_t;
- type ptal_exec_t;
- init_daemon_domain(ptal_t, ptal_exec_t)
-@@ -65,6 +81,16 @@
- type ptal_var_run_t;
- files_pid_file(ptal_var_run_t)
-
-+type cups_pdf_t;
-+type cups_pdf_exec_t;
-+domain_type(cups_pdf_t)
-+domain_entry_file(cups_pdf_t, cups_pdf_exec_t)
-+cups_backend(cups_pdf_t, cups_pdf_exec_t)
-+role system_r types cups_pdf_t;
-+
-+type cups_pdf_tmp_t;
-+files_tmp_file(cups_pdf_tmp_t)
-+
- ifdef(`enable_mcs',`
- init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, s0 - mcs_systemhigh)
- ')
-@@ -79,13 +105,14 @@
- #
-
- # /usr/lib/cups/backend/serial needs sys_admin(?!)
--allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
-+allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_rawio sys_resource sys_tty_config };
- dontaudit cupsd_t self:capability { sys_tty_config net_admin };
--allow cupsd_t self:process { setsched signal_perms };
--allow cupsd_t self:fifo_file rw_file_perms;
-+allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
-+allow cupsd_t self:fifo_file rw_fifo_file_perms;
- allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
- allow cupsd_t self:unix_dgram_socket create_socket_perms;
- allow cupsd_t self:netlink_selinux_socket create_socket_perms;
-+allow cupsd_t self:shm create_shm_perms;
- allow cupsd_t self:tcp_socket create_stream_socket_perms;
- allow cupsd_t self:udp_socket create_socket_perms;
- allow cupsd_t self:appletalk_socket create_socket_perms;
-@@ -97,6 +124,9 @@
+@@ -116,6 +119,9 @@
read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
files_search_etc(cupsd_t)
@@ -10315,244 +9795,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
-@@ -104,8 +134,11 @@
-
- # allow cups to execute its backend scripts
- can_exec(cupsd_t, cupsd_exec_t)
--allow cupsd_t cupsd_exec_t:dir search;
--allow cupsd_t cupsd_exec_t:lnk_file read;
-+allow cupsd_t cupsd_exec_t:dir search_dir_perms;
-+allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
-+
-+allow cupsd_t cupsd_lock_t:file manage_file_perms;
-+files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
-
- manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
- allow cupsd_t cupsd_log_t:dir setattr;
-@@ -116,13 +149,20 @@
- manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
- files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
-
-+# This whole section needs to be moved to a smbspool policy
-+# smbspool seems to be iterating through all existing tmp files.
-+# Looking for kerberos files
-+files_getattr_all_tmp_files(cupsd_t)
-+userdom_read_user_tmp_files(cupsd_t)
-+files_dontaudit_getattr_all_tmp_sockets(cupsd_t)
-+
- allow cupsd_t cupsd_var_run_t:dir setattr;
- manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
- manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
-+manage_fifo_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t)
- files_pid_filetrans(cupsd_t, cupsd_var_run_t, file)
-
--read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
--
-+allow cupsd_t hplip_t:process {signal sigkill };
- allow cupsd_t hplip_var_run_t:file read_file_perms;
-
- stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
-@@ -149,44 +189,49 @@
- corenet_tcp_bind_reserved_port(cupsd_t)
- corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
- corenet_tcp_connect_all_ports(cupsd_t)
-+corenet_tcp_connect_smbd_port(cupsd_t)
- corenet_sendrecv_hplip_client_packets(cupsd_t)
- corenet_sendrecv_ipp_client_packets(cupsd_t)
- corenet_sendrecv_ipp_server_packets(cupsd_t)
-+corenet_tcp_bind_all_rpc_ports(cupsd_t)
-
- dev_rw_printer(cupsd_t)
- dev_read_urand(cupsd_t)
- dev_read_sysfs(cupsd_t)
--dev_read_usbfs(cupsd_t)
-+dev_rw_input_dev(cupsd_t) #447878
-+dev_rw_generic_usb_dev(cupsd_t)
-+dev_rw_usbfs(cupsd_t)
- dev_getattr_printer_dev(cupsd_t)
-
- domain_read_all_domains_state(cupsd_t)
-
- fs_getattr_all_fs(cupsd_t)
- fs_search_auto_mountpoints(cupsd_t)
-+fs_read_anon_inodefs_files(cupsd_t)
-
-+mls_fd_use_all_levels(cupsd_t)
- mls_file_downgrade(cupsd_t)
- mls_file_write_all_levels(cupsd_t)
- mls_file_read_all_levels(cupsd_t)
-+mls_rangetrans_target(cupsd_t)
- mls_socket_write_all_levels(cupsd_t)
-
- term_use_unallocated_ttys(cupsd_t)
- term_search_ptys(cupsd_t)
-
--auth_domtrans_chk_passwd(cupsd_t)
--auth_dontaudit_read_pam_pid(cupsd_t)
--
- # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
- corecmd_exec_shell(cupsd_t)
- corecmd_exec_bin(cupsd_t)
-
- domain_use_interactive_fds(cupsd_t)
-
-+files_list_spool(cupsd_t)
- files_read_etc_files(cupsd_t)
- files_read_etc_runtime_files(cupsd_t)
- # read python modules
- files_read_usr_files(cupsd_t)
- # for /var/lib/defoma
--files_search_var_lib(cupsd_t)
-+files_read_var_lib_files(cupsd_t)
- files_list_world_readable(cupsd_t)
- files_read_world_readable_files(cupsd_t)
- files_read_world_readable_symlinks(cupsd_t)
-@@ -195,19 +240,21 @@
- files_read_var_symlinks(cupsd_t)
- # for /etc/printcap
- files_dontaudit_write_etc_files(cupsd_t)
--# smbspool seems to be iterating through all existing tmp files.
--# redhat bug #214953
--# cjp: this might be a broken behavior
--files_dontaudit_getattr_all_tmp_files(cupsd_t)
-
- selinux_compute_access_vector(cupsd_t)
-+selinux_validate_context(cupsd_t)
-
- init_exec_script_files(cupsd_t)
-+init_read_utmp(cupsd_t)
-
-+auth_domtrans_chk_passwd(cupsd_t)
-+auth_dontaudit_read_pam_pid(cupsd_t)
-+auth_rw_faillog(cupsd_t)
- auth_use_nsswitch(cupsd_t)
-
- # Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
- libs_read_lib_files(cupsd_t)
-+libs_exec_lib_files(cupsd_t)
-
- logging_send_audit_msgs(cupsd_t)
- logging_send_syslog_msg(cupsd_t)
-@@ -215,19 +262,24 @@
+@@ -250,6 +256,7 @@
miscfiles_read_localization(cupsd_t)
# invoking ghostscript needs to read fonts
miscfiles_read_fonts(cupsd_t)
+miscfiles_setattr_fonts(cupsd_t)
seutil_read_config(cupsd_t)
-+sysnet_exec_ifconfig(cupsd_t)
-
--sysnet_read_config(cupsd_t)
--
-+files_dontaudit_list_home(cupsd_t)
- userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
- userdom_dontaudit_search_user_home_content(cupsd_t)
-
- # Write to /var/spool/cups.
- lpd_manage_spool(cupsd_t)
-+lpd_read_config(cupsd_t)
-+lpd_exec_lpr(cupsd_t)
-+lpd_relabel_spool(cupsd_t)
-
- ifdef(`enable_mls',`
-- lpd_relabel_spool(cupsd_t)
-+ mls_trusted_object(cupsd_var_run_t)
-+ init_ranged_daemon_domain(cupsd_t, cupsd_exec_t,mls_systemhigh)
- ')
-
- optional_policy(`
-@@ -244,8 +296,16 @@
- userdom_dbus_send_all_users(cupsd_t)
-
- optional_policy(`
-+ avahi_dbus_chat(cupsd_t)
-+ ')
-+
-+ optional_policy(`
- hal_dbus_chat(cupsd_t)
- ')
-+
-+ optional_policy(`
-+ unconfined_dbus_chat(cupsd_t)
-+ ')
- ')
-
- optional_policy(`
-@@ -261,6 +321,10 @@
- ')
-
- optional_policy(`
-+ mta_send_mail(cupsd_t)
-+')
-+
-+optional_policy(`
- # cups execs smbtool which reads samba_etc_t files
- samba_read_config(cupsd_t)
- samba_rw_var_files(cupsd_t)
-@@ -279,7 +343,7 @@
- # Cups configuration daemon local policy
- #
-
--allow cupsd_config_t self:capability { chown sys_tty_config };
-+allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
- dontaudit cupsd_config_t self:capability sys_tty_config;
- allow cupsd_config_t self:process signal_perms;
- allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
-@@ -302,8 +366,10 @@
-
- allow cupsd_config_t cupsd_log_t:file rw_file_perms;
-
--allow cupsd_config_t cupsd_tmp_t:file manage_file_perms;
--files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { file dir })
-+manage_lnk_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
-+manage_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
-+manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
-+files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
-
- allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
-
-@@ -311,7 +377,7 @@
- files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
-
- kernel_read_system_state(cupsd_config_t)
--kernel_read_kernel_sysctls(cupsd_config_t)
-+kernel_read_all_sysctls(cupsd_config_t)
-
- corenet_all_recvfrom_unlabeled(cupsd_config_t)
- corenet_all_recvfrom_netlabel(cupsd_config_t)
-@@ -324,6 +390,7 @@
- dev_read_sysfs(cupsd_config_t)
- dev_read_urand(cupsd_config_t)
- dev_read_rand(cupsd_config_t)
-+dev_rw_generic_usb_dev(cupsd_config_t)
-
- fs_getattr_all_fs(cupsd_config_t)
- fs_search_auto_mountpoints(cupsd_config_t)
-@@ -341,13 +408,14 @@
- files_read_var_symlinks(cupsd_config_t)
-
- # Alternatives asks for this
--init_getattr_script_files(cupsd_config_t)
-+init_getattr_all_script_files(cupsd_config_t)
-
- auth_use_nsswitch(cupsd_config_t)
-
- logging_send_syslog_msg(cupsd_config_t)
-
- miscfiles_read_localization(cupsd_config_t)
-+miscfiles_read_hwdata(cupsd_config_t)
-
- seutil_dontaudit_search_config(cupsd_config_t)
-
-@@ -359,14 +427,16 @@
- lpd_read_config(cupsd_config_t)
-
- ifdef(`distro_redhat',`
-- init_getattr_script_files(cupsd_config_t)
--
- optional_policy(`
- rpm_read_db(cupsd_config_t)
- ')
+ sysnet_exec_ifconfig(cupsd_t)
+@@ -419,6 +426,10 @@
')
optional_policy(`
@@ -10563,125 +9814,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
')
-@@ -382,6 +452,7 @@
- optional_policy(`
- hal_domtrans(cupsd_config_t)
- hal_read_tmp_files(cupsd_config_t)
-+ hal_dontaudit_use_fds(hplip_t)
- ')
-
- optional_policy(`
-@@ -491,7 +562,10 @@
- allow hplip_t self:udp_socket create_socket_perms;
- allow hplip_t self:rawip_socket create_socket_perms;
-
--allow hplip_t cupsd_etc_t:dir search;
-+allow hplip_t cupsd_etc_t:dir search_dir_perms;
-+manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
-+manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
-+files_tmp_filetrans(hplip_t, cupsd_tmp_t, { file dir })
-
- cups_stream_connect(hplip_t)
-
-@@ -500,6 +574,13 @@
- read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
- files_search_etc(hplip_t)
-
-+fs_rw_anon_inodefs_files(hplip_t)
-+
-+read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
-+
-+manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
-+files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
-+
- manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
- files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-
-@@ -529,7 +610,8 @@
- dev_read_urand(hplip_t)
- dev_read_rand(hplip_t)
- dev_rw_generic_usb_dev(hplip_t)
--dev_read_usbfs(hplip_t)
-+dev_rw_usbfs(hplip_t)
-+
-
- fs_getattr_all_fs(hplip_t)
- fs_search_auto_mountpoints(hplip_t)
-@@ -553,7 +635,9 @@
- userdom_dontaudit_search_user_home_dirs(hplip_t)
- userdom_dontaudit_search_user_home_content(hplip_t)
-
--lpd_read_config(cupsd_t)
-+
-+lpd_read_config(hplip_t)
-+lpd_manage_spool(hplip_t)
+@@ -542,6 +553,8 @@
+ manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
+ files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir })
- optional_policy(`
- dbus_system_bus_client(hplip_t)
-@@ -635,3 +719,51 @@
- optional_policy(`
- udev_read_db(ptal_t)
- ')
-+
-+########################################
-+#
-+# cups_pdf local policy
-+#
-+
-+allow cups_pdf_t self:capability { chown fsetid setuid setgid dac_override };
-+
-+allow cups_pdf_t self:fifo_file rw_file_perms;
-+allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
-+
-+files_read_etc_files(cups_pdf_t)
-+files_read_usr_files(cups_pdf_t)
-+
+fs_rw_anon_inodefs_files(cups_pdf_t)
+
-+kernel_read_system_state(cups_pdf_t)
-+
-+auth_use_nsswitch(cups_pdf_t)
-+
-+corecmd_exec_shell(cups_pdf_t)
-+corecmd_exec_bin(cups_pdf_t)
-+
-+miscfiles_read_localization(cups_pdf_t)
-+
-+manage_files_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
-+manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
-+files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir })
-+
-+userdom_home_filetrans_user_home_dir(cups_pdf_t)
-+userdom_manage_user_home_content_dirs(cups_pdf_t)
-+userdom_manage_user_home_content_files(cups_pdf_t)
-+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_manage_nfs_dirs(cups_pdf_t)
-+ fs_manage_nfs_files(cups_pdf_t)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_manage_cifs_dirs(cups_pdf_t)
-+ fs_manage_cifs_files(cups_pdf_t)
-+')
-+
-+lpd_manage_spool(cups_pdf_t)
-+
-+manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-+miscfiles_read_fonts(cups_pdf_t)
-+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.24/policy/modules/services/cvs.te
+ kernel_read_system_state(cups_pdf_t)
+
+ files_read_etc_files(cups_pdf_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.25/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/cvs.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/cvs.te 2009-07-29 21:34:35.000000000 -0400
@@ -112,4 +112,5 @@
read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.24/policy/modules/services/dbus.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.25/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/dbus.if 2009-07-28 14:03:30.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/dbus.if 2009-07-29 21:34:35.000000000 -0400
@@ -42,8 +42,10 @@
gen_require(`
class dbus { send_msg acquire_svc };
@@ -10765,9 +9918,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## for service (acquire_svc).
## </summary>
## <param name="domain">
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.24/policy/modules/services/dbus.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.25/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/dbus.te 2009-07-28 14:06:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/dbus.te 2009-07-29 21:34:35.000000000 -0400
@@ -121,6 +121,8 @@
init_use_fds(system_dbusd_t)
@@ -10793,7 +9946,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
')
-@@ -156,5 +168,18 @@
+@@ -156,5 +167,18 @@
#
# Unconfined access to this module
#
@@ -10812,9 +9965,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
+allow session_bus_type dbusd_unconfined:dbus send_msg;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.24/policy/modules/services/dcc.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.25/policy/modules/services/dcc.te
--- nsaserefpolicy/policy/modules/services/dcc.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/dcc.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/dcc.te 2009-07-29 21:34:35.000000000 -0400
@@ -130,11 +130,13 @@
# Access files in /var/dcc. The map file can be updated
@@ -10841,9 +9994,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
spamassassin_read_spamd_tmp_files(dcc_client_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.if serefpolicy-3.6.24/policy/modules/services/ddclient.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.if serefpolicy-3.6.25/policy/modules/services/ddclient.if
--- nsaserefpolicy/policy/modules/services/ddclient.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/ddclient.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/ddclient.if 2009-07-29 21:34:35.000000000 -0400
@@ -21,6 +21,31 @@
########################################
@@ -10876,49 +10029,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## All of the rules required to administrate
## an ddclient environment
## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.24/policy/modules/services/devicekit.fc
---- nsaserefpolicy/policy/modules/services/devicekit.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/devicekit.fc 2009-07-28 13:42:19.000000000 -0400
-@@ -0,0 +1,9 @@
-+
-+/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0)
-+/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
-+/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
-+
-+/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
-+
-+/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.25/policy/modules/services/devicekit.fc
+--- nsaserefpolicy/policy/modules/services/devicekit.fc 2009-07-29 15:15:33.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/devicekit.fc 2009-07-29 21:34:35.000000000 -0400
+@@ -5,4 +5,4 @@
+ /var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+
+ /var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+-/var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.24/policy/modules/services/devicekit.if
---- nsaserefpolicy/policy/modules/services/devicekit.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/devicekit.if 2009-07-28 13:42:19.000000000 -0400
-@@ -0,0 +1,197 @@
-+
-+## <summary>policy for devicekit</summary>
-+
-+########################################
-+## <summary>
-+## Execute a domain transition to run devicekit.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`devicekit_domtrans',`
-+ gen_require(`
-+ type devicekit_t;
-+ type devicekit_exec_t;
-+ ')
-+
-+ domtrans_pattern($1,devicekit_exec_t,devicekit_t)
-+')
-+
-+
-+########################################
-+## <summary>
-+## Read devicekit PID files.
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.25/policy/modules/services/devicekit.if
+--- nsaserefpolicy/policy/modules/services/devicekit.if 2009-07-29 15:15:33.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/devicekit.if 2009-07-29 21:34:35.000000000 -0400
+@@ -139,6 +139,26 @@
+
+ ########################################
+ ## <summary>
++## Manage devicekit var_run files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -10926,26 +10053,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+## </summary>
+## </param>
+#
-+interface(`devicekit_read_pid_files',`
-+ gen_require(`
-+ type devicekit_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ read_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
-+')
-+
-+########################################
-+## <summary>
-+## Manage devicekit var_run files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`devicekit_manage_var_run',`
++interface(`devicekit_manage_var_run',`
+ gen_require(`
+ type devicekit_var_run_t;
+ ')
@@ -10955,396 +10063,175 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ manage_lnk_files_pattern($1,devicekit_var_run_t,devicekit_var_run_t)
+')
+
-+
-+########################################
-+## <summary>
-+## Send and receive messages from
-+## devicekit over dbus.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`devicekit_dbus_chat',`
-+ gen_require(`
-+ type devicekit_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 devicekit_t:dbus send_msg;
-+ allow devicekit_t $1:dbus send_msg;
-+')
-+
+########################################
+## <summary>
-+## Send signal devicekit power
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`devicekit_power_signal',`
-+ gen_require(`
-+ type devicekit_power_t;
-+ ')
-+
-+ allow $1 devicekit_power_t:process signal;
-+')
-+
-+########################################
-+## <summary>
-+## Send and receive messages from
-+## devicekit power over dbus.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`devicekit_power_dbus_chat',`
-+ gen_require(`
-+ type devicekit_power_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 devicekit_power_t:dbus send_msg;
-+ allow devicekit_power_t $1:dbus send_msg;
-+')
-+
-+########################################
-+## <summary>
-+## All of the rules required to administrate
-+## an devicekit environment
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## The role to be allowed to manage the devicekit domain.
-+## </summary>
-+## </param>
-+## <param name="terminal">
-+## <summary>
-+## The type of the user terminal.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`devicekit_admin',`
-+ gen_require(`
-+ type devicekit_t;
-+ ')
-+
-+ allow $1 devicekit_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, devicekit_t, devicekit_t)
-+
-+
-+ devicekit_manage_var_run($1)
-+
-+')
-+
-+########################################
-+## <summary>
-+## Send to devicekit over a unix domain
-+## datagram socket.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`devicekit_dgram_send',`
-+ gen_require(`
-+ type devicekit_t;
-+ ')
-+
-+ allow $1 devicekit_t:unix_dgram_socket sendto;
-+')
-+
-+########################################
-+## <summary>
-+## Send and receive messages from
-+## devicekit disk over dbus.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`devicekit_disk_dbus_chat',`
-+ gen_require(`
-+ type devicekit_disk_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 devicekit_disk_t:dbus send_msg;
-+ allow devicekit_disk_t $1:dbus send_msg;
-+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.24/policy/modules/services/devicekit.te
---- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/devicekit.te 2009-07-28 14:13:14.000000000 -0400
-@@ -0,0 +1,248 @@
-+policy_module(devicekit,1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type devicekit_t;
-+type devicekit_exec_t;
-+dbus_system_domain(devicekit_t, devicekit_exec_t)
-+
-+type devicekit_power_t;
-+type devicekit_power_exec_t;
-+dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
-+
-+type devicekit_disk_t;
-+type devicekit_disk_exec_t;
-+dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
-+
-+type devicekit_tmp_t;
-+files_tmp_file(devicekit_tmp_t)
-+
-+type devicekit_var_run_t;
-+files_pid_file(devicekit_var_run_t)
-+
-+type devicekit_var_lib_t;
-+files_type(devicekit_var_lib_t)
-+
-+#
-+# DeviceKit local policy
-+#
-+allow devicekit_t self:unix_dgram_socket create_socket_perms;
-+
-+manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
-+manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
-+files_pid_filetrans(devicekit_t,devicekit_var_run_t, { file dir })
+ ## All of the rules required to administrate
+ ## an devicekit environment
+ ## </summary>
+@@ -162,7 +182,7 @@
+ interface(`devicekit_admin',`
+ gen_require(`
+ type devicekit_t, devicekit_disk_t, devicekit_power_t;
+- type devicekit_var_run_t;
++ type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
+ ')
+
+ allow $1 devicekit_t:process { ptrace signal_perms getattr };
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.25/policy/modules/services/devicekit.te
+--- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/devicekit.te 2009-07-29 21:34:35.000000000 -0400
+@@ -36,12 +36,15 @@
+ manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
+ manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
+ files_pid_filetrans(devicekit_t, devicekit_var_run_t, { file dir })
+allow devicekit_disk_t devicekit_var_run_t:dir mounton;
-+
-+dev_read_sysfs(devicekit_t)
-+dev_read_urand(devicekit_t)
-+
-+files_read_etc_files(devicekit_t)
-+
+
+ dev_read_sysfs(devicekit_t)
+ dev_read_urand(devicekit_t)
+
+ files_read_etc_files(devicekit_t)
+
+kernel_read_system_state(devicekit_t)
+
-+miscfiles_read_localization(devicekit_t)
-+
-+optional_policy(`
-+ dbus_system_bus_client(devicekit_t)
-+')
-+
-+optional_policy(`
-+ udev_read_db(devicekit_t)
-+')
-+
-+#
-+# DeviceKit-Power local policy
-+#
-+allow devicekit_power_t self:capability { dac_override sys_tty_config sys_nice sys_ptrace };
-+allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
-+allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
-+allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
-+
-+manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
-+manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
-+files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
-+files_read_kernel_img(devicekit_power_t)
-+
-+corecmd_exec_bin(devicekit_power_t)
-+corecmd_exec_shell(devicekit_power_t)
-+
-+consoletype_exec(devicekit_power_t)
-+
-+domain_read_all_domains_state(devicekit_power_t)
-+
-+kernel_read_network_state(devicekit_power_t)
-+kernel_read_system_state(devicekit_power_t)
-+kernel_rw_hotplug_sysctls(devicekit_power_t)
-+kernel_rw_kernel_sysctl(devicekit_power_t)
-+kernel_write_proc_files(devicekit_power_t)
-+
-+dev_read_input(devicekit_power_t)
-+dev_rw_generic_usb_dev(devicekit_power_t)
-+dev_rw_netcontrol(devicekit_power_t)
-+dev_rw_sysfs(devicekit_power_t)
-+
-+files_read_etc_files(devicekit_power_t)
-+files_read_usr_files(devicekit_power_t)
-+
-+term_use_all_terms(devicekit_power_t)
-+
-+auth_use_nsswitch(devicekit_power_t)
-+
-+miscfiles_read_localization(devicekit_power_t)
-+
-+userdom_read_all_users_state(devicekit_power_t)
-+
-+optional_policy(`
-+ hal_domtrans_mac(devicekit_power_t)
-+ hal_manage_log(devicekit_power_t)
-+ hal_manage_pid_dirs(devicekit_power_t)
-+ hal_manage_pid_files(devicekit_power_t)
-+ hal_dbus_chat(devicekit_power_t)
-+')
-+
-+optional_policy(`
-+ cron_initrc_domtrans(devicekit_power_t)
-+')
-+
-+optional_policy(`
-+ policykit_dbus_chat(devicekit_power_t)
-+ policykit_domtrans_auth(devicekit_power_t)
-+ policykit_read_lib(devicekit_power_t)
-+ policykit_read_reload(devicekit_power_t)
-+')
-+
-+optional_policy(`
-+ dbus_system_bus_client(devicekit_power_t)
-+ allow devicekit_power_t devicekit_t:dbus send_msg;
-+ allow devicekit_t devicekit_power_t:dbus send_msg;
-+
-+ optional_policy(`
-+ consolekit_dbus_chat(devicekit_power_t)
-+ ')
-+
-+ optional_policy(`
-+ networkmanager_dbus_chat(devicekit_power_t)
-+ ')
-+
-+ optional_policy(`
-+ rpm_dbus_chat(devicekit_power_t)
-+ ')
-+')
-+
-+optional_policy(`
-+ bootloader_domtrans(devicekit_power_t)
-+')
-+
-+optional_policy(`
-+ fstools_domtrans(devicekit_power_t)
-+')
-+
-+optional_policy(`
-+ udev_read_db(devicekit_power_t)
-+')
-+
-+optional_policy(`
-+ vbetool_domtrans(devicekit_power_t)
-+')
-+#
-+# DeviceKit disk local policy
-+#
-+
+ miscfiles_read_localization(devicekit_t)
+
+ optional_policy(`
+@@ -60,8 +63,11 @@
+ # DeviceKit disk local policy
+ #
+
+-allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio };
+allow devicekit_disk_t self:capability { chown dac_override fowner fsetid net_admin sys_nice sys_ptrace sys_rawio };
+allow devicekit_disk_t self:process signal_perms;
+
-+allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
+ allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
+allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
-+
-+manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
-+manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
-+files_tmp_filetrans(devicekit_disk_t, devicekit_tmp_t, { file dir })
-+
-+manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
-+manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
-+files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
-+
-+corecmd_exec_bin(devicekit_disk_t)
-+
-+dev_rw_sysfs(devicekit_disk_t)
-+dev_read_urand(devicekit_disk_t)
-+dev_getattr_usbfs_dirs(devicekit_disk_t)
-+dev_manage_generic_files(devicekit_disk_t)
-+
+
+ manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
+ manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
+@@ -72,6 +78,7 @@
+ files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
+
+ kernel_read_software_raid_state(devicekit_disk_t)
+kernel_read_system_state(devicekit_disk_t)
-+kernel_read_software_raid_state(devicekit_disk_t)
-+kernel_setsched(devicekit_disk_t)
-+
-+files_manage_mnt_dirs(devicekit_disk_t)
-+files_read_etc_files(devicekit_disk_t)
-+files_read_etc_runtime_files(devicekit_disk_t)
-+files_read_usr_files(devicekit_disk_t)
+ kernel_setsched(devicekit_disk_t)
+
+ corecmd_exec_bin(devicekit_disk_t)
+@@ -79,11 +86,13 @@
+ dev_rw_sysfs(devicekit_disk_t)
+ dev_read_urand(devicekit_disk_t)
+ dev_getattr_usbfs_dirs(devicekit_disk_t)
++dev_manage_generic_files(devicekit_disk_t)
+
+ files_manage_mnt_dirs(devicekit_disk_t)
+ files_read_etc_files(devicekit_disk_t)
+ files_read_etc_runtime_files(devicekit_disk_t)
+ files_read_usr_files(devicekit_disk_t)
+files_manage_isid_type_dirs(devicekit_disk_t)
-+
-+fs_mount_all_fs(devicekit_disk_t)
-+fs_unmount_all_fs(devicekit_disk_t)
-+fs_manage_fusefs_dirs(devicekit_disk_t)
-+
-+storage_raw_read_fixed_disk(devicekit_disk_t)
-+storage_raw_write_fixed_disk(devicekit_disk_t)
-+storage_raw_read_removable_device(devicekit_disk_t)
-+storage_raw_write_removable_device(devicekit_disk_t)
-+
+
+ fs_mount_all_fs(devicekit_disk_t)
+ fs_unmount_all_fs(devicekit_disk_t)
+@@ -94,6 +103,8 @@
+ storage_raw_read_removable_device(devicekit_disk_t)
+ storage_raw_write_removable_device(devicekit_disk_t)
+
+term_use_all_terms(devicekit_disk_t)
+
-+auth_use_nsswitch(devicekit_disk_t)
-+
-+miscfiles_read_localization(devicekit_disk_t)
-+
-+userdom_read_all_users_state(devicekit_disk_t)
-+userdom_search_user_home_dirs(devicekit_disk_t)
-+
-+optional_policy(`
-+ fstools_domtrans(devicekit_disk_t)
-+')
-+
-+optional_policy(`
-+ lvm_domtrans(devicekit_disk_t)
-+')
-+
-+optional_policy(`
+ auth_use_nsswitch(devicekit_disk_t)
+
+ miscfiles_read_localization(devicekit_disk_t)
+@@ -110,6 +121,7 @@
+ ')
+
+ optional_policy(`
+ policykit_dbus_chat(devicekit_disk_t)
-+ policykit_domtrans_auth(devicekit_disk_t)
-+ policykit_read_lib(devicekit_disk_t)
-+ policykit_read_reload(devicekit_disk_t)
-+')
+ policykit_domtrans_auth(devicekit_disk_t)
+ policykit_read_lib(devicekit_disk_t)
+ policykit_read_reload(devicekit_disk_t)
+@@ -134,6 +146,19 @@
+ udev_read_db(devicekit_disk_t)
+ ')
+
+
-+optional_policy(`
-+ mount_domtrans(devicekit_disk_t)
-+')
++#ifdef(`TESTING',`
++ permissive devicekit_t;
++ permissive devicekit_power_t;
++ permissive devicekit_disk_t;
++#',`
++#optional_policy(`
++# unconfined_domain(devicekit_t)
++# unconfined_domain(devicekit_power_t)
++# unconfined_domain(devicekit_disk_t)
++#')
++#')
+
+ ########################################
+ #
+ # DeviceKit-Power local policy
+@@ -142,6 +167,7 @@
+ allow devicekit_power_t self:capability { dac_override sys_tty_config sys_nice sys_ptrace };
+ allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
+ allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
++allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+ manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+@@ -151,6 +177,7 @@
+ kernel_read_system_state(devicekit_power_t)
+ kernel_rw_hotplug_sysctls(devicekit_power_t)
+ kernel_rw_kernel_sysctl(devicekit_power_t)
++kernel_write_proc_files(devicekit_power_t)
+
+ corecmd_exec_bin(devicekit_power_t)
+ corecmd_exec_shell(devicekit_power_t)
+@@ -159,6 +186,7 @@
+
+ domain_read_all_domains_state(devicekit_power_t)
+
++dev_read_input(devicekit_power_t)
+ dev_rw_generic_usb_dev(devicekit_power_t)
+ dev_rw_netcontrol(devicekit_power_t)
+ dev_rw_sysfs(devicekit_power_t)
+@@ -180,8 +208,11 @@
+ ')
+
+ optional_policy(`
+- dbus_system_bus_client(devicekit_power_t)
++ cron_initrc_domtrans(devicekit_power_t)
++')
+
+optional_policy(`
-+ dbus_system_bus_client(devicekit_disk_t)
-+ allow devicekit_disk_t devicekit_t:dbus send_msg;
-+ allow devicekit_t devicekit_disk_t:dbus send_msg;
-+
-+ optional_policy(`
-+ consolekit_dbus_chat(devicekit_disk_t)
-+ ')
++ dbus_system_bus_client(devicekit_power_t)
+ allow devicekit_power_t devicekit_t:dbus send_msg;
+
+ optional_policy(`
+@@ -203,17 +234,23 @@
+
+ optional_policy(`
+ hal_domtrans_mac(devicekit_power_t)
++ hal_manage_log(devicekit_power_t)
+ hal_manage_pid_dirs(devicekit_power_t)
+ hal_manage_pid_files(devicekit_power_t)
+ hal_dbus_chat(devicekit_power_t)
+ ')
+
+ optional_policy(`
++ policykit_dbus_chat(devicekit_power_t)
+ policykit_domtrans_auth(devicekit_power_t)
+ policykit_read_lib(devicekit_power_t)
+ policykit_read_reload(devicekit_power_t)
+ ')
+
+ optional_policy(`
++ udev_read_db(devicekit_power_t)
+')
+
+optional_policy(`
-+ udev_domtrans(devicekit_disk_t)
-+ udev_read_db(devicekit_disk_t)
-+')
-+
-+
-+#ifdef(`TESTING',`
-+ permissive devicekit_t;
-+ permissive devicekit_power_t;
-+ permissive devicekit_disk_t;
-+#',`
-+#optional_policy(`
-+# unconfined_domain(devicekit_t)
-+# unconfined_domain(devicekit_power_t)
-+# unconfined_domain(devicekit_disk_t)
-+#')
-+#')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.24/policy/modules/services/dnsmasq.te
+ vbetool_domtrans(devicekit_power_t)
+ ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.25/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/dnsmasq.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/dnsmasq.te 2009-07-29 21:34:35.000000000 -0400
@@ -83,6 +83,14 @@
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
@@ -11360,9 +10247,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole(dnsmasq_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.24/policy/modules/services/dovecot.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.25/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/dovecot.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/dovecot.te 2009-07-29 21:34:35.000000000 -0400
@@ -103,6 +103,7 @@
dev_read_urand(dovecot_t)
@@ -11387,9 +10274,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# dovecot deliver local policy
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.24/policy/modules/services/exim.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.25/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/exim.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/exim.te 2009-07-29 21:34:35.000000000 -0400
@@ -191,6 +191,10 @@
')
@@ -11401,9 +10288,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
spamassassin_exec(exim_t)
spamassassin_exec_client(exim_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.6.24/policy/modules/services/fetchmail.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.6.25/policy/modules/services/fetchmail.te
--- nsaserefpolicy/policy/modules/services/fetchmail.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/fetchmail.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/fetchmail.te 2009-07-29 21:34:35.000000000 -0400
@@ -47,6 +47,8 @@
kernel_read_proc_symlinks(fetchmail_t)
kernel_dontaudit_read_system_state(fetchmail_t)
@@ -11413,123 +10300,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(fetchmail_t)
corenet_all_recvfrom_netlabel(fetchmail_t)
corenet_tcp_sendrecv_generic_if(fetchmail_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.fc serefpolicy-3.6.24/policy/modules/services/fprintd.fc
---- nsaserefpolicy/policy/modules/services/fprintd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/fprintd.fc 2009-07-28 13:42:19.000000000 -0400
-@@ -0,0 +1,4 @@
-+
-+/usr/libexec/fprintd -- gen_context(system_u:object_r:fprintd_exec_t,s0)
-+
-+/var/lib/fprint(/.*)? gen_context(system_u:object_r:fprintd_var_lib_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.if serefpolicy-3.6.24/policy/modules/services/fprintd.if
---- nsaserefpolicy/policy/modules/services/fprintd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/fprintd.if 2009-07-28 13:42:19.000000000 -0400
-@@ -0,0 +1,43 @@
-+
-+## <summary>policy for fprintd</summary>
-+
-+########################################
-+## <summary>
-+## Execute a domain transition to run fprintd.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`fprintd_domtrans',`
-+ gen_require(`
-+ type fprintd_t;
-+ type fprintd_exec_t;
-+ ')
-+
-+ domtrans_pattern($1,fprintd_exec_t,fprintd_t)
-+')
-+
-+########################################
-+## <summary>
-+## Send and receive messages from
-+## fprintd over dbus.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`fprintd_dbus_chat',`
-+ gen_require(`
-+ type fprintd_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 fprintd_t:dbus send_msg;
-+ allow fprintd_t $1:dbus send_msg;
-+')
-+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.24/policy/modules/services/fprintd.te
---- nsaserefpolicy/policy/modules/services/fprintd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/fprintd.te 2009-07-28 13:42:19.000000000 -0400
-@@ -0,0 +1,55 @@
-+policy_module(fprintd,1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type fprintd_t;
-+type fprintd_exec_t;
-+dbus_system_domain(fprintd_t, fprintd_exec_t)
-+
-+type fprintd_var_lib_t;
-+files_type(fprintd_var_lib_t)
-+
-+allow fprintd_t self:capability sys_ptrace;
-+allow fprintd_t self:fifo_file rw_fifo_file_perms;
-+allow fprintd_t self:process { getsched signal };
-+
-+manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
-+manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
-+files_var_lib_filetrans(fprintd_t, fprintd_var_lib_t, { dir file })
-+
-+corecmd_search_bin(fprintd_t)
-+
-+dev_list_usbfs(fprintd_t)
-+dev_rw_generic_usb_dev(fprintd_t)
-+dev_read_sysfs(fprintd_t)
-+
-+files_read_etc_files(fprintd_t)
-+files_read_usr_files(fprintd_t)
-+
-+fs_list_inotifyfs(fprintd_t)
-+
-+kernel_read_system_state(fprintd_t)
-+
-+auth_use_nsswitch(fprintd_t)
-+
-+miscfiles_read_localization(fprintd_t)
-+
-+userdom_use_user_ptys(fprintd_t)
-+userdom_read_all_users_state(fprintd_t)
-+
-+optional_policy(`
-+ consolekit_dbus_chat(fprintd_t)
-+')
-+
-+optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.25/policy/modules/services/fprintd.te
+--- nsaserefpolicy/policy/modules/services/fprintd.te 2009-07-29 15:15:33.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/fprintd.te 2009-07-29 21:36:03.000000000 -0400
+@@ -51,5 +51,7 @@
+ optional_policy(`
+ policykit_read_reload(fprintd_t)
+ policykit_read_lib(fprintd_t)
+ policykit_dbus_chat(fprintd_t)
-+ policykit_domtrans_auth(fprintd_t)
-+ policykit_read_lib(fprintd_t)
-+ policykit_read_reload(fprintd_t)
-+')
-+
-+permissive fprintd_t;
+ policykit_domtrans_auth(fprintd_t)
+ ')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.24/policy/modules/services/ftp.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.25/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/ftp.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/ftp.te 2009-07-29 21:34:35.000000000 -0400
@@ -41,6 +41,13 @@
## <desc>
@@ -11631,16 +10415,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole(ftpd_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.6.24/policy/modules/services/gnomeclock.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.6.25/policy/modules/services/gnomeclock.fc
--- nsaserefpolicy/policy/modules/services/gnomeclock.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/gnomeclock.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/gnomeclock.fc 2009-07-29 21:34:35.000000000 -0400
@@ -0,0 +1,3 @@
+
+/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.6.24/policy/modules/services/gnomeclock.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.6.25/policy/modules/services/gnomeclock.if
--- nsaserefpolicy/policy/modules/services/gnomeclock.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/gnomeclock.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/gnomeclock.if 2009-07-29 21:34:35.000000000 -0400
@@ -0,0 +1,69 @@
+
+## <summary>policy for gnomeclock</summary>
@@ -11711,9 +10495,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow $1 gnomeclock_t:dbus send_msg;
+ allow gnomeclock_t $1:dbus send_msg;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.6.24/policy/modules/services/gnomeclock.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.6.25/policy/modules/services/gnomeclock.te
--- nsaserefpolicy/policy/modules/services/gnomeclock.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/gnomeclock.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/gnomeclock.te 2009-07-29 21:34:35.000000000 -0400
@@ -0,0 +1,50 @@
+policy_module(gnomeclock, 1.0.0)
+########################################
@@ -11765,9 +10549,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ policykit_read_reload(gnomeclock_t)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.6.24/policy/modules/services/gpsd.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.6.25/policy/modules/services/gpsd.fc
--- nsaserefpolicy/policy/modules/services/gpsd.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/gpsd.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/gpsd.fc 2009-07-29 21:34:35.000000000 -0400
@@ -1 +1,6 @@
+/etc/rc\.d/init\.d/gpsd -- gen_context(system_u:object_r:gpsd_initrc_exec_t,s0)
+
@@ -11775,9 +10559,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+/var/run/gpsd\.pid -- gen_context(system_u:object_r:gpsd_var_run_t,s0)
+/var/run/gpsd\.sock -s gen_context(system_u:object_r:gpsd_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.if serefpolicy-3.6.24/policy/modules/services/gpsd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.if serefpolicy-3.6.25/policy/modules/services/gpsd.if
--- nsaserefpolicy/policy/modules/services/gpsd.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/gpsd.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/gpsd.if 2009-07-29 21:34:35.000000000 -0400
@@ -33,11 +33,6 @@
## The role to be allowed the gpsd domain.
## </summary>
@@ -11823,9 +10607,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
+ read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.6.24/policy/modules/services/gpsd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.6.25/policy/modules/services/gpsd.te
--- nsaserefpolicy/policy/modules/services/gpsd.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/gpsd.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/gpsd.te 2009-07-29 22:45:43.000000000 -0400
@@ -11,9 +11,15 @@
application_domain(gpsd_t, gpsd_exec_t)
init_daemon_domain(gpsd_t, gpsd_exec_t)
@@ -11853,10 +10637,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(gpsd_t)
corenet_all_recvfrom_netlabel(gpsd_t)
corenet_tcp_sendrecv_generic_if(gpsd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.24/policy/modules/services/hal.if
+@@ -51,5 +61,5 @@
+ ')
+
+ optional_policy(`
+- ntpd_rw_shm(gpsd_t)
++ ntp_rw_shm(gpsd_t)
+ ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.25/policy/modules/services/hal.if
--- nsaserefpolicy/policy/modules/services/hal.if 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/hal.if 2009-07-28 14:14:19.000000000 -0400
-@@ -413,3 +414,21 @@
++++ serefpolicy-3.6.25/policy/modules/services/hal.if 2009-07-29 21:34:35.000000000 -0400
+@@ -413,3 +413,21 @@
files_search_pids($1)
manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
')
@@ -11878,9 +10669,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ dontaudit $1 hald_t:unix_dgram_socket { read write };
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.24/policy/modules/services/hal.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.25/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/hal.te 2009-07-28 14:20:01.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/hal.te 2009-07-29 23:08:37.000000000 -0400
@@ -55,6 +55,9 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@@ -11919,19 +10710,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
policykit_domtrans_auth(hald_t)
policykit_domtrans_resolve(hald_t)
policykit_read_lib(hald_t)
-@@ -318,7 +328,11 @@
+@@ -321,6 +331,10 @@
+ virt_manage_images(hald_t)
')
- optional_policy(`
-- virt_manage_images(hald_t)
-+ virtual_manage_image(hald_t)
-+')
-+
+optional_policy(`
+ xserver_read_pid(hald_t)
- ')
-
++')
++
########################################
+ #
+ # Hal acl local policy
@@ -341,6 +355,7 @@
manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
@@ -11992,9 +10781,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+permissive hald_dccm_t;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.24/policy/modules/services/kerberos.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.25/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/kerberos.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/kerberos.te 2009-07-29 21:34:35.000000000 -0400
@@ -277,6 +277,8 @@
#
@@ -12034,9 +10823,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
sysnet_dns_name_resolve(kpropd_t)
kerberos_use(kpropd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.6.24/policy/modules/services/ktalk.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.6.25/policy/modules/services/ktalk.te
--- nsaserefpolicy/policy/modules/services/ktalk.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/ktalk.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/ktalk.te 2009-07-29 21:34:35.000000000 -0400
@@ -69,6 +69,7 @@
files_read_etc_files(ktalkd_t)
@@ -12045,10 +10834,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_use_nsswitch(ktalkd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.24/policy/modules/services/lircd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.25/policy/modules/services/lircd.te
--- nsaserefpolicy/policy/modules/services/lircd.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/lircd.te 2009-07-28 13:42:19.000000000 -0400
-@@ -42,7 +42,17 @@
++++ serefpolicy-3.6.25/policy/modules/services/lircd.te 2009-07-29 21:34:35.000000000 -0400
+@@ -42,7 +42,18 @@
# /dev/lircd socket
manage_sock_files_pattern(lircd_t, lircd_sock_t, lircd_sock_t)
dev_filetrans(lircd_t, lircd_sock_t, sock_file )
@@ -12056,6 +10845,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+dev_filetrans_lirc(lircd_t)
+dev_rw_lirc(lircd_t)
++dev_rw_input_dev(lircd_t)
logging_send_syslog_msg(lircd_t)
@@ -12066,9 +10856,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
miscfiles_read_localization(lircd_t)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.24/policy/modules/services/mailman.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.25/policy/modules/services/mailman.te
--- nsaserefpolicy/policy/modules/services/mailman.te 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/mailman.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/mailman.te 2009-07-29 21:34:35.000000000 -0400
@@ -78,6 +78,10 @@
mta_dontaudit_rw_queue(mailman_mail_t)
@@ -12080,9 +10870,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
cron_read_pipes(mailman_mail_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.6.24/policy/modules/services/memcached.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.6.25/policy/modules/services/memcached.te
--- nsaserefpolicy/policy/modules/services/memcached.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/memcached.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/memcached.te 2009-07-29 21:34:35.000000000 -0400
@@ -44,6 +44,8 @@
files_read_etc_files(memcached_t)
@@ -12092,59 +10882,117 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
miscfiles_read_localization(memcached_t)
sysnet_dns_name_resolve(memcached_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.24/policy/modules/services/mta.fc
---- nsaserefpolicy/policy/modules/services/mta.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/mta.fc 2009-07-28 13:42:19.000000000 -0400
-@@ -1,4 +1,4 @@
--/bin/mail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-+/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-
- /etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
- /etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
-@@ -10,10 +10,13 @@
- ')
-
- /usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-+/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-
-+/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
- /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
- /usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
- /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-+/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-
- /var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
-
-@@ -22,7 +25,5 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.fc serefpolicy-3.6.25/policy/modules/services/modemmanager.fc
+--- nsaserefpolicy/policy/modules/services/modemmanager.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.25/policy/modules/services/modemmanager.fc 2009-07-29 23:31:22.000000000 -0400
+@@ -0,0 +1,2 @@
++
++/usr/sbin/modem-manager -- gen_context(system_u:object_r:ModemManager_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.if serefpolicy-3.6.25/policy/modules/services/modemmanager.if
+--- nsaserefpolicy/policy/modules/services/modemmanager.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.25/policy/modules/services/modemmanager.if 2009-07-29 23:31:22.000000000 -0400
+@@ -0,0 +1,43 @@
++
++## <summary>policy for ModemManager</summary>
++
++########################################
++## <summary>
++## Execute a domain transition to run ModemManager.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`ModemManager_domtrans',`
++ gen_require(`
++ type ModemManager_t;
++ type ModemManager_exec_t;
++ ')
++
++ domtrans_pattern($1,ModemManager_exec_t,ModemManager_t)
++')
++
++
++########################################
++## <summary>
++## Send and receive messages from
++## ModemManager over dbus.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ModemManager_dbus_chat',`
++ gen_require(`
++ type ModemManager_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 ModemManager_t:dbus send_msg;
++ allow ModemManager_t $1:dbus send_msg;
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.6.25/policy/modules/services/modemmanager.te
+--- nsaserefpolicy/policy/modules/services/modemmanager.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.25/policy/modules/services/modemmanager.te 2009-07-29 23:50:51.000000000 -0400
+@@ -0,0 +1,41 @@
++policy_module(ModemManager,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type ModemManager_t;
++type ModemManager_exec_t;
++dbus_system_domain(ModemManager_t, ModemManager_exec_t)
++
++########################################
++#
++# ModemManager local policy
++#
++
++
++# Init script handling
++domain_use_interactive_fds(ModemManager_t)
++
++# internal communication is often done using fifo and unix sockets.
++allow ModemManager_t self:fifo_file rw_file_perms;
++allow ModemManager_t self:unix_stream_socket create_stream_socket_perms;
++allow ModemManager_t self:netlink_kobject_uevent_socket create_socket_perms;
++
++kernel_read_system_state(ModemManager_t)
++
++dev_read_sysfs(ModemManager_t)
++
++files_read_etc_files(ModemManager_t)
++
++miscfiles_read_localization(ModemManager_t)
++
++logging_send_syslog_msg(ModemManager_t)
++
++optional_policy(`
++ networkmanager_dbus_chat(ModemManager_t)
++')
++
++permissive ModemManager_t;
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.25/policy/modules/services/mta.fc
+--- nsaserefpolicy/policy/modules/services/mta.fc 2009-07-29 15:15:33.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/mta.fc 2009-07-29 21:34:35.000000000 -0400
+@@ -26,3 +26,5 @@
/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
--
--#ifdef(`postfix.te', `', `
--#/var/spool/postfix(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
--#')
+HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
+/root/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.24/policy/modules/services/mta.if
---- nsaserefpolicy/policy/modules/services/mta.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/mta.if 2009-07-28 13:42:19.000000000 -0400
-@@ -130,6 +130,15 @@
- sendmail_create_log($1_mail_t)
- ')
-
-+ optional_policy(`
-+ exim_read_log($1_mail_t)
-+ exim_append_log($1_mail_t)
-+ exim_manage_spool_files($1_mail_t)
-+ ')
-+
-+ optional_policy(`
-+ uucp_manage_spool($1_mail_t)
-+ ')
- ')
-
- ########################################
-@@ -302,11 +311,13 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.25/policy/modules/services/mta.if
+--- nsaserefpolicy/policy/modules/services/mta.if 2009-07-29 15:15:33.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/mta.if 2009-07-29 21:34:35.000000000 -0400
+@@ -311,6 +311,7 @@
allow $1 mail_spool_t:dir list_dir_perms;
create_files_pattern($1, mail_spool_t, mail_spool_t)
read_files_pattern($1, mail_spool_t, mail_spool_t)
@@ -12152,13 +11000,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
create_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
- optional_policy(`
- dovecot_manage_spool($1)
-+ dovecot_domtrans_deliver($1)
- ')
-
- optional_policy(`
-@@ -341,6 +352,7 @@
+@@ -351,6 +352,7 @@
# apache should set close-on-exec
apache_dontaudit_rw_stream_sockets($1)
apache_dontaudit_rw_sys_script_stream_sockets($1)
@@ -12166,54 +11008,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -446,6 +458,26 @@
+@@ -471,6 +473,7 @@
+ ')
- ########################################
- ## <summary>
-+## write mail server configuration.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`mta_write_config',`
-+ gen_require(`
-+ type etc_mail_t;
-+ ')
-+
-+ write_files_pattern($1, etc_mail_t, etc_mail_t)
+ write_files_pattern($1, etc_mail_t, etc_mail_t)
+ allow $1 etc_mail_t:file setattr;
-+')
-+
-+########################################
-+## <summary>
- ## Read mail address aliases.
- ## </summary>
- ## <param name="domain">
-@@ -591,8 +623,8 @@
-
- files_search_spool($1)
- allow $1 mail_spool_t:dir list_dir_perms;
-- allow $1 mail_spool_t:lnk_file read;
-- allow $1 mail_spool_t:file getattr;
-+ getattr_files_pattern($1, mail_spool_t, mail_spool_t)
-+ read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
########################################
-@@ -612,7 +644,7 @@
- ')
-
- files_dontaudit_search_spool($1)
-- dontaudit $1 mail_spool_t:dir search;
-+ dontaudit $1 mail_spool_t:dir search_dir_perms;
- dontaudit $1 mail_spool_t:lnk_file read;
- dontaudit $1 mail_spool_t:file getattr;
- ')
-@@ -665,7 +697,7 @@
+@@ -694,7 +697,7 @@
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
allow $1 mail_spool_t:file setattr;
@@ -12222,17 +11025,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
-@@ -806,6 +838,7 @@
- ')
-
- files_search_spool($1)
-+ manage_dirs_pattern($1, mqueue_spool_t, mqueue_spool_t)
- manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
- ')
-
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.24/policy/modules/services/mta.te
---- nsaserefpolicy/policy/modules/services/mta.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/mta.te 2009-07-28 13:42:19.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.25/policy/modules/services/mta.te
+--- nsaserefpolicy/policy/modules/services/mta.te 2009-07-29 15:15:33.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/mta.te 2009-07-29 21:34:35.000000000 -0400
@@ -27,6 +27,9 @@
type mail_spool_t;
files_mountpoint(mail_spool_t)
@@ -12243,36 +11038,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type sendmail_exec_t;
mta_agent_executable(sendmail_exec_t)
-@@ -47,34 +50,48 @@
- #
-
- # newalias required this, not sure if it is needed in 'if' file
--allow system_mail_t self:capability { dac_override };
-+allow system_mail_t self:capability { dac_override fowner };
-+allow system_mail_t self:fifo_file rw_fifo_file_perms;
-
- read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
-+read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
+@@ -57,6 +60,8 @@
- allow system_mail_t mta_exec_type:file entrypoint;
+ can_exec(system_mail_t, mta_exec_type)
--allow system_mail_t mailcontent_type:file read_file_perms;
-+can_exec(system_mail_t, mta_exec_type)
-+
+files_read_all_tmp_files(system_mail_t)
-
++
kernel_read_system_state(system_mail_t)
kernel_read_network_state(system_mail_t)
-+dev_read_sysfs(system_mail_t)
- dev_read_rand(system_mail_t)
- dev_read_urand(system_mail_t)
-
-+fs_rw_anon_inodefs_files(system_mail_t)
-+
-+selinux_getattr_fs(system_mail_t)
-+
- init_use_script_ptys(system_mail_t)
+@@ -72,16 +77,21 @@
userdom_use_user_terminals(system_mail_t)
userdom_dontaudit_search_user_home_dirs(system_mail_t)
@@ -12294,44 +11069,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -88,6 +105,13 @@
+@@ -93,13 +103,9 @@
+ ')
+
optional_policy(`
+- clamav_stream_connect(system_mail_t)
+- clamav_append_log(system_mail_t)
+-')
+-
+-optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
cron_dontaudit_write_pipes(system_mail_t)
+ cron_rw_system_stream_sockets(system_mail_t)
-+')
-+
-+optional_policy(`
-+ courier_manage_spool_dirs(system_mail_t)
-+ courier_manage_spool_files(system_mail_t)
-+ courier_rw_spool_pipes(system_mail_t)
')
optional_policy(`
-@@ -95,6 +119,11 @@
+@@ -118,10 +124,6 @@
')
optional_policy(`
-+ exim_domtrans(system_mail_t)
-+ exim_manage_log(system_mail_t)
-+')
-+
-+optional_policy(`
- logrotate_read_tmp_files(system_mail_t)
- ')
-
-@@ -132,10 +161,6 @@
- # compatability for old default main.cf
- postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
- ')
+- fail2ban_append_log(system_mail_t)
+-')
-
-- optional_policy(`
-- cron_rw_tcp_sockets(system_mail_t)
-- ')
+-optional_policy(`
+ logrotate_read_tmp_files(system_mail_t)
')
- optional_policy(`
-@@ -155,6 +180,19 @@
+@@ -178,6 +180,19 @@
')
optional_policy(`
@@ -12351,7 +11115,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
smartmon_read_tmp_files(system_mail_t)
')
-@@ -174,6 +212,25 @@
+@@ -197,6 +212,25 @@
')
')
@@ -12377,9 +11141,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# User send mail local policy
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.6.24/policy/modules/services/munin.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.6.25/policy/modules/services/munin.fc
--- nsaserefpolicy/policy/modules/services/munin.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/munin.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/munin.fc 2009-07-29 21:34:35.000000000 -0400
@@ -9,3 +9,6 @@
/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
@@ -12387,9 +11151,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
+/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.24/policy/modules/services/munin.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.25/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/munin.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/munin.te 2009-07-29 21:34:35.000000000 -0400
@@ -33,7 +33,7 @@
# Local policy
#
@@ -12469,9 +11233,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.24/policy/modules/services/mysql.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.25/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/mysql.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/mysql.te 2009-07-29 21:34:35.000000000 -0400
@@ -136,6 +136,8 @@
domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
@@ -12490,9 +11254,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
mysql_read_config(mysqld_safe_t)
mysql_search_pid_files(mysqld_safe_t)
mysql_write_log(mysqld_safe_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.24/policy/modules/services/nagios.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.25/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/nagios.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/nagios.fc 2009-07-29 21:34:35.000000000 -0400
@@ -1,16 +1,21 @@
/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
@@ -12518,9 +11282,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
+/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.24/policy/modules/services/nagios.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.25/policy/modules/services/nagios.if
--- nsaserefpolicy/policy/modules/services/nagios.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/nagios.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/nagios.if 2009-07-29 21:34:35.000000000 -0400
@@ -64,7 +64,7 @@
########################################
@@ -12620,9 +11384,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ admin_pattern($1, nrpe_etc_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.24/policy/modules/services/nagios.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.25/policy/modules/services/nagios.te
--- nsaserefpolicy/policy/modules/services/nagios.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/nagios.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/nagios.te 2009-07-29 21:34:35.000000000 -0400
@@ -10,13 +10,12 @@
type nagios_exec_t;
init_daemon_domain(nagios_t, nagios_exec_t)
@@ -12718,9 +11482,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.24/policy/modules/services/networkmanager.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.25/policy/modules/services/networkmanager.fc
--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/networkmanager.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/networkmanager.fc 2009-07-29 21:34:35.000000000 -0400
@@ -1,12 +1,25 @@
+/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t, s0)
+/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
@@ -12747,9 +11511,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.24/policy/modules/services/networkmanager.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.25/policy/modules/services/networkmanager.if
--- nsaserefpolicy/policy/modules/services/networkmanager.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/networkmanager.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/networkmanager.if 2009-07-29 21:34:35.000000000 -0400
@@ -118,6 +118,24 @@
########################################
@@ -12806,9 +11570,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ role $2 types NetworkManager_t;
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.24/policy/modules/services/networkmanager.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.25/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/networkmanager.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/networkmanager.te 2009-07-29 23:49:39.000000000 -0400
@@ -19,6 +19,9 @@
type NetworkManager_tmp_t;
files_tmp_file(NetworkManager_tmp_t)
@@ -12819,7 +11583,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type NetworkManager_var_run_t;
files_pid_file(NetworkManager_var_run_t)
-@@ -33,9 +36,9 @@
+@@ -33,13 +36,14 @@
# networkmanager will ptrace itself if gdb is installed
# and it receives a unexpected signal (rh bug #204161)
@@ -12831,7 +11595,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
-@@ -51,8 +54,10 @@
+ allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
++allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
+ allow NetworkManager_t self:udp_socket create_socket_perms;
+ allow NetworkManager_t self:packet_socket create_socket_perms;
+@@ -51,8 +55,10 @@
manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
@@ -12844,7 +11613,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
-@@ -63,6 +68,8 @@
+@@ -63,6 +69,8 @@
kernel_read_network_state(NetworkManager_t)
kernel_read_kernel_sysctls(NetworkManager_t)
kernel_load_module(NetworkManager_t)
@@ -12853,7 +11622,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(NetworkManager_t)
corenet_all_recvfrom_netlabel(NetworkManager_t)
-@@ -81,13 +88,18 @@
+@@ -81,13 +89,18 @@
corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
corenet_sendrecv_all_client_packets(NetworkManager_t)
@@ -12872,7 +11641,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
mls_file_read_all_levels(NetworkManager_t)
-@@ -98,15 +110,20 @@
+@@ -98,15 +111,20 @@
domain_use_interactive_fds(NetworkManager_t)
domain_read_confined_domains_state(NetworkManager_t)
@@ -12894,7 +11663,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(NetworkManager_t)
miscfiles_read_localization(NetworkManager_t)
-@@ -116,25 +133,40 @@
+@@ -116,25 +134,40 @@
seutil_read_config(NetworkManager_t)
@@ -12942,7 +11711,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -146,8 +178,25 @@
+@@ -146,8 +179,25 @@
')
optional_policy(`
@@ -12970,7 +11739,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -155,23 +204,51 @@
+@@ -155,23 +205,51 @@
')
optional_policy(`
@@ -13024,7 +11793,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -179,12 +256,15 @@
+@@ -179,12 +257,15 @@
')
optional_policy(`
@@ -13040,9 +11809,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.6.24/policy/modules/services/nis.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.6.25/policy/modules/services/nis.fc
--- nsaserefpolicy/policy/modules/services/nis.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/nis.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/nis.fc 2009-07-29 21:34:35.000000000 -0400
@@ -1,4 +1,7 @@
-
+/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0)
@@ -13052,9 +11821,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0)
/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.6.24/policy/modules/services/nis.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.6.25/policy/modules/services/nis.if
--- nsaserefpolicy/policy/modules/services/nis.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/nis.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/nis.if 2009-07-29 21:34:35.000000000 -0400
@@ -28,7 +28,7 @@
type var_yp_t;
')
@@ -13196,9 +11965,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ role $2 types ypbind_t;
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.24/policy/modules/services/nis.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.25/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/nis.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/nis.te 2009-07-29 21:34:35.000000000 -0400
@@ -13,6 +13,9 @@
type ypbind_exec_t;
init_daemon_domain(ypbind_t, ypbind_exec_t)
@@ -13248,9 +12017,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_bind_all_rpc_ports(ypxfr_t)
corenet_udp_bind_all_rpc_ports(ypxfr_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.6.24/policy/modules/services/nscd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.6.25/policy/modules/services/nscd.if
--- nsaserefpolicy/policy/modules/services/nscd.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/nscd.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/nscd.if 2009-07-29 21:34:35.000000000 -0400
@@ -236,6 +236,24 @@
########################################
@@ -13276,9 +12045,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## All of the rules required to administrate
## an nscd environment
## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.6.24/policy/modules/services/nscd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.6.25/policy/modules/services/nscd.te
--- nsaserefpolicy/policy/modules/services/nscd.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/nscd.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/nscd.te 2009-07-29 21:34:35.000000000 -0400
@@ -90,6 +90,7 @@
selinux_compute_relabel_context(nscd_t)
selinux_compute_user_contexts(nscd_t)
@@ -13300,17 +12069,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ samba_read_config(nscd_t)
+ samba_read_var_files(nscd_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.fc serefpolicy-3.6.24/policy/modules/services/nslcd.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.fc serefpolicy-3.6.25/policy/modules/services/nslcd.fc
--- nsaserefpolicy/policy/modules/services/nslcd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/nslcd.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/nslcd.fc 2009-07-29 21:34:35.000000000 -0400
@@ -0,0 +1,4 @@
+/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0)
+/etc/nss-ldapd.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0)
+/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
+/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.if serefpolicy-3.6.24/policy/modules/services/nslcd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.if serefpolicy-3.6.25/policy/modules/services/nslcd.if
--- nsaserefpolicy/policy/modules/services/nslcd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/nslcd.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/nslcd.if 2009-07-29 21:34:35.000000000 -0400
@@ -0,0 +1,142 @@
+
+## <summary>policy for nslcd</summary>
@@ -13454,9 +12223,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ nslcd_manage_var_run($1)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.te serefpolicy-3.6.24/policy/modules/services/nslcd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.te serefpolicy-3.6.25/policy/modules/services/nslcd.te
--- nsaserefpolicy/policy/modules/services/nslcd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/nslcd.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/nslcd.te 2009-07-29 21:34:35.000000000 -0400
@@ -0,0 +1,50 @@
+policy_module(nslcd,1.0.0)
+
@@ -13508,9 +12277,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+auth_use_nsswitch(nslcd_t)
+
+logging_send_syslog_msg(nslcd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.6.24/policy/modules/services/ntp.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.6.25/policy/modules/services/ntp.if
--- nsaserefpolicy/policy/modules/services/ntp.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/ntp.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/ntp.if 2009-07-29 21:43:08.000000000 -0400
@@ -37,6 +37,32 @@
########################################
@@ -13544,74 +12313,43 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Execute ntp server in the ntpd domain.
## </summary>
## <param name="domain">
-@@ -56,7 +82,7 @@
-
- ########################################
- ## <summary>
--## Read and write ntpd shared memory.
-+## Execute ntp server in the ntpd domain.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -64,16 +90,51 @@
+@@ -64,7 +90,7 @@
## </summary>
## </param>
#
-interface(`ntpd_rw_shm',`
-+interface(`ntp_initrc_domtrans',`
++interface(`ntp_rw_shm',`
gen_require(`
-- type ntpd_t, ntpd_tmpfs_t;
-+ type ntpd_initrc_exec_t;
+ type ntpd_t, ntpd_tmpfs_t;
')
+@@ -78,6 +104,24 @@
-- allow $1 ntpd_t:shm rw_shm_perms;
-+ init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
-+')
-+
-+#######################################
-+## <summary>
-+## Read/write ntpdd tmpfs files.
+ ########################################
+ ## <summary>
++## Execute ntp server in the ntpd domain.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## The type of the process performing this action.
-+## </summary>
++## <summary>
++## The type of the process performing this action.
++## </summary>
+## </param>
+#
-+interface(`ntpd_rw_tmpfs_files',`
-+ gen_require(`
-+ type ntpd_tmpfs_t;
-+ ')
++interface(`ntp_initrc_domtrans',`
++ gen_require(`
++ type ntpd_initrc_exec_t;
++ ')
+
-+ fs_search_tmpfs($1)
- list_dirs_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
- rw_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
- read_lnk_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
-- fs_search_tmpfs($1)
++ init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
+')
+
+########################################
-+## <summary>
-+## Read and write to ntpd shared memory.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## The type of the process performing this action.
-+## </summary>
-+## </param>
-+#
-+interface(`ntpd_rw_shm',`
-+ gen_require(`
-+ type ntpd_t;
-+ ')
-+
-+ allow $1 ntpd_t:shm rw_shm_perms;
- ')
-
- ########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.6.24/policy/modules/services/ntp.te
++## <summary>
+ ## All of the rules required to administrate
+ ## an ntp environment
+ ## </summary>
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.6.25/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/ntp.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/ntp.te 2009-07-29 21:34:35.000000000 -0400
@@ -41,10 +41,11 @@
# sys_resource and setrlimit is for locking memory
@@ -13650,9 +12388,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.6.24/policy/modules/services/nx.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.6.25/policy/modules/services/nx.te
--- nsaserefpolicy/policy/modules/services/nx.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/nx.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/nx.te 2009-07-29 21:34:35.000000000 -0400
@@ -25,6 +25,9 @@
type nx_server_var_run_t;
files_pid_file(nx_server_var_run_t)
@@ -13673,9 +12411,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_system_state(nx_server_t)
kernel_read_kernel_sysctls(nx_server_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.6.24/policy/modules/services/oddjob.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.6.25/policy/modules/services/oddjob.if
--- nsaserefpolicy/policy/modules/services/oddjob.if 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/oddjob.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/oddjob.if 2009-07-29 21:34:35.000000000 -0400
@@ -44,6 +44,7 @@
')
@@ -13684,9 +12422,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.24/policy/modules/services/openvpn.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.25/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/openvpn.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/openvpn.te 2009-07-29 21:34:35.000000000 -0400
@@ -86,6 +86,7 @@
corenet_udp_bind_openvpn_port(openvpn_t)
corenet_tcp_connect_openvpn_port(openvpn_t)
@@ -13695,9 +12433,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_rw_tun_tap_dev(openvpn_t)
corenet_sendrecv_openvpn_server_packets(openvpn_t)
corenet_sendrecv_openvpn_client_packets(openvpn_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.24/policy/modules/services/pcscd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.25/policy/modules/services/pcscd.te
--- nsaserefpolicy/policy/modules/services/pcscd.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/pcscd.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/pcscd.te 2009-07-29 21:34:35.000000000 -0400
@@ -29,6 +29,7 @@
manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
@@ -13715,9 +12453,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
term_use_unallocated_ttys(pcscd_t)
term_dontaudit_getattr_pty_dirs(pcscd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.6.24/policy/modules/services/pegasus.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.6.25/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/pegasus.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/pegasus.te 2009-07-29 21:34:35.000000000 -0400
@@ -30,7 +30,7 @@
# Local policy
#
@@ -13789,21 +12527,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ xen_stream_connect(pegasus_t)
+ xen_stream_connect_xenstore(pegasus_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.6.24/policy/modules/services/policykit.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.6.25/policy/modules/services/policykit.fc
--- nsaserefpolicy/policy/modules/services/policykit.fc 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/policykit.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/policykit.fc 2009-07-29 21:34:35.000000000 -0400
@@ -1,7 +1,7 @@
/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
-/usr/libexec/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
-+/usr/libexec/polkitd.* gen_context(system_u:object_r:policykit_exec_t,s0)
++/usr/libexec/polkit.* gen_context(system_u:object_r:policykit_exec_t,s0)
/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0)
/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.6.24/policy/modules/services/policykit.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.6.25/policy/modules/services/policykit.if
--- nsaserefpolicy/policy/modules/services/policykit.if 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/policykit.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/policykit.if 2009-07-29 21:34:35.000000000 -0400
@@ -17,6 +17,8 @@
class dbus send_msg;
')
@@ -13853,9 +12591,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ policykit_read_reload($2)
+ policykit_dbus_chat($2)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.24/policy/modules/services/policykit.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.25/policy/modules/services/policykit.te
--- nsaserefpolicy/policy/modules/services/policykit.te 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/policykit.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/policykit.te 2009-07-29 21:34:35.000000000 -0400
@@ -38,9 +38,10 @@
allow policykit_t self:capability { setgid setuid };
@@ -13951,9 +12689,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.6.24/policy/modules/services/postfix.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.6.25/policy/modules/services/postfix.fc
--- nsaserefpolicy/policy/modules/services/postfix.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/postfix.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/postfix.fc 2009-07-29 21:34:35.000000000 -0400
@@ -29,12 +29,10 @@
/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
@@ -13967,9 +12705,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
/usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.24/policy/modules/services/postfix.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.25/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/postfix.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/postfix.if 2009-07-29 21:34:35.000000000 -0400
@@ -46,6 +46,7 @@
allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
@@ -14216,9 +12954,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ role $2 types postfix_postdrop_t;
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.24/policy/modules/services/postfix.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.25/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/postfix.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/postfix.te 2009-07-29 21:34:35.000000000 -0400
@@ -6,6 +6,15 @@
# Declarations
#
@@ -14598,9 +13336,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+userdom_manage_user_home_content(postfix_virtual_t)
+userdom_home_filetrans_user_home_dir(postfix_virtual_t)
+userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.6.24/policy/modules/services/postgresql.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.6.25/policy/modules/services/postgresql.fc
--- nsaserefpolicy/policy/modules/services/postgresql.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/postgresql.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/postgresql.fc 2009-07-29 21:34:35.000000000 -0400
@@ -2,6 +2,7 @@
# /etc
#
@@ -14609,9 +13347,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#
# /usr
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.6.24/policy/modules/services/postgresql.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.6.25/policy/modules/services/postgresql.if
--- nsaserefpolicy/policy/modules/services/postgresql.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/postgresql.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/postgresql.if 2009-07-29 21:34:35.000000000 -0400
@@ -384,3 +384,46 @@
typeattribute $1 sepgsql_unconfined_type;
@@ -14659,9 +13397,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ admin_pattern($1, postgresql_tmp_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.24/policy/modules/services/postgresql.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.25/policy/modules/services/postgresql.te
--- nsaserefpolicy/policy/modules/services/postgresql.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/postgresql.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/postgresql.te 2009-07-29 21:34:35.000000000 -0400
@@ -32,6 +32,9 @@
type postgresql_etc_t;
files_config_file(postgresql_etc_t)
@@ -14700,9 +13438,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
miscfiles_read_localization(postgresql_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.24/policy/modules/services/ppp.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.25/policy/modules/services/ppp.if
--- nsaserefpolicy/policy/modules/services/ppp.if 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/ppp.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/ppp.if 2009-07-29 21:34:35.000000000 -0400
@@ -177,10 +177,16 @@
interface(`ppp_run',`
gen_require(`
@@ -14720,9 +13458,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.24/policy/modules/services/ppp.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.25/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/ppp.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/ppp.te 2009-07-29 21:34:35.000000000 -0400
@@ -193,6 +193,8 @@
optional_policy(`
@@ -14761,9 +13499,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
hostname_exec(pptp_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.6.24/policy/modules/services/privoxy.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.6.25/policy/modules/services/privoxy.te
--- nsaserefpolicy/policy/modules/services/privoxy.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/privoxy.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/privoxy.te 2009-07-29 21:34:35.000000000 -0400
@@ -47,9 +47,8 @@
manage_files_pattern(privoxy_t, privoxy_var_run_t, privoxy_var_run_t)
files_pid_filetrans(privoxy_t, privoxy_var_run_t, file)
@@ -14775,9 +13513,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(privoxy_t)
corenet_all_recvfrom_netlabel(privoxy_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.24/policy/modules/services/procmail.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.25/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/procmail.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/procmail.te 2009-07-29 21:34:35.000000000 -0400
@@ -22,7 +22,7 @@
# Local policy
#
@@ -14825,9 +13563,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.24/policy/modules/services/pyzor.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.25/policy/modules/services/pyzor.fc
--- nsaserefpolicy/policy/modules/services/pyzor.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/pyzor.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/pyzor.fc 2009-07-29 21:34:35.000000000 -0400
@@ -1,6 +1,10 @@
/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
+/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0)
@@ -14839,9 +13577,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.6.24/policy/modules/services/pyzor.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.6.25/policy/modules/services/pyzor.if
--- nsaserefpolicy/policy/modules/services/pyzor.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/pyzor.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/pyzor.if 2009-07-29 21:34:35.000000000 -0400
@@ -88,3 +88,50 @@
corecmd_search_bin($1)
can_exec($1, pyzor_exec_t)
@@ -14893,9 +13631,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.24/policy/modules/services/pyzor.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.25/policy/modules/services/pyzor.te
--- nsaserefpolicy/policy/modules/services/pyzor.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/pyzor.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/pyzor.te 2009-07-29 21:34:35.000000000 -0400
@@ -6,6 +6,38 @@
# Declarations
#
@@ -14960,17 +13698,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_dontaudit_search_user_home_dirs(pyzor_t)
optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.6.24/policy/modules/services/razor.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.6.25/policy/modules/services/razor.fc
--- nsaserefpolicy/policy/modules/services/razor.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/razor.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/razor.fc 2009-07-29 21:34:35.000000000 -0400
@@ -1,3 +1,4 @@
+/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.24/policy/modules/services/razor.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.25/policy/modules/services/razor.if
--- nsaserefpolicy/policy/modules/services/razor.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/razor.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/razor.if 2009-07-29 21:34:35.000000000 -0400
@@ -157,3 +157,45 @@
domtrans_pattern($1, razor_exec_t, razor_t)
@@ -15017,9 +13755,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.6.24/policy/modules/services/razor.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.6.25/policy/modules/services/razor.te
--- nsaserefpolicy/policy/modules/services/razor.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/razor.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/razor.te 2009-07-29 21:34:35.000000000 -0400
@@ -6,6 +6,32 @@
# Declarations
#
@@ -15071,9 +13809,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.24/policy/modules/services/ricci.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.25/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/ricci.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/ricci.te 2009-07-29 21:34:35.000000000 -0400
@@ -440,6 +440,10 @@
files_read_usr_files(ricci_modstorage_t)
files_read_kernel_modules(ricci_modstorage_t)
@@ -15085,9 +13823,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
storage_raw_read_fixed_disk(ricci_modstorage_t)
term_dontaudit_use_console(ricci_modstorage_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.6.24/policy/modules/services/rpcbind.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.6.25/policy/modules/services/rpcbind.if
--- nsaserefpolicy/policy/modules/services/rpcbind.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/rpcbind.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/rpcbind.if 2009-07-29 21:34:35.000000000 -0400
@@ -97,6 +97,26 @@
########################################
@@ -15115,9 +13853,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## All of the rules required to administrate
## an rpcbind environment
## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.24/policy/modules/services/rpc.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.25/policy/modules/services/rpc.if
--- nsaserefpolicy/policy/modules/services/rpc.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/rpc.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/rpc.if 2009-07-29 21:34:35.000000000 -0400
@@ -54,7 +54,7 @@
allow $1_t self:unix_dgram_socket create_socket_perms;
allow $1_t self:unix_stream_socket create_stream_socket_perms;
@@ -15138,51 +13876,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole($1_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.24/policy/modules/services/rpc.te
---- nsaserefpolicy/policy/modules/services/rpc.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/rpc.te 2009-07-28 13:42:19.000000000 -0400
-@@ -23,7 +23,7 @@
- gen_tunable(allow_nfsd_anon_write, false)
-
- type exports_t;
--files_type(exports_t)
-+files_config_file(exports_t)
-
- rpc_domain_template(gssd)
-
-@@ -69,15 +69,21 @@
- kernel_read_sysctl(rpcd_t)
- kernel_rw_fs_sysctls(rpcd_t)
- kernel_dontaudit_getattr_core_if(rpcd_t)
-+kernel_signal(rpcd_t)
-
- corecmd_exec_bin(rpcd_t)
-
- files_manage_mounttab(rpcd_t)
-+files_getattr_all_dirs(rpcd_t)
-
- fs_list_rpc(rpcd_t)
- fs_read_rpc_files(rpcd_t)
- fs_read_rpc_symlinks(rpcd_t)
- fs_rw_rpc_sockets(rpcd_t)
-+fs_get_all_fs_quotas(rpcd_t)
-+fs_getattr_all_fs(rpcd_t)
-+
-+storage_getattr_fixed_disk_dev(rpcd_t)
-
- selinux_dontaudit_read_fs(rpcd_t)
-
-@@ -85,10 +91,20 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.25/policy/modules/services/rpc.te
+--- nsaserefpolicy/policy/modules/services/rpc.te 2009-07-29 15:15:33.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/rpc.te 2009-07-29 21:34:35.000000000 -0400
+@@ -91,6 +91,8 @@
seutil_dontaudit_search_config(rpcd_t)
+userdom_signal_unpriv_users(rpcd_t)
+
-+optional_policy(`
-+ automount_signal(rpcd_t)
-+')
-+
optional_policy(`
+ automount_signal(rpcd_t)
+ ')
+@@ -99,6 +101,10 @@
nis_read_ypserv_config(rpcd_t)
')
@@ -15193,16 +13899,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# NFSD local policy
-@@ -116,7 +132,7 @@
- # for exportfs and rpc.mountd
- files_getattr_tmp_dirs(nfsd_t)
- # cjp: this should really have its own type
--files_manage_mounttab(rpcd_t)
-+files_manage_mounttab(nfsd_t)
-
- fs_mount_nfsd_fs(nfsd_t)
- fs_search_nfsd_fs(nfsd_t)
-@@ -125,6 +141,7 @@
+@@ -135,6 +141,7 @@
fs_rw_nfsd_fs(nfsd_t)
storage_dontaudit_read_fixed_disk(nfsd_t)
@@ -15210,7 +13907,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Read access to public_content_t and public_content_rw_t
miscfiles_read_public_files(nfsd_t)
-@@ -141,6 +158,7 @@
+@@ -151,6 +158,7 @@
fs_read_noxattr_fs_files(nfsd_t)
auth_manage_all_files_except_shadow(nfsd_t)
')
@@ -15218,33 +13915,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`nfs_export_all_ro',`
dev_getattr_all_blk_files(nfsd_t)
-@@ -183,9 +201,12 @@
- files_read_usr_symlinks(gssd_t)
-
- auth_use_nsswitch(gssd_t)
-+auth_manage_cache(gssd_t)
-
- miscfiles_read_certs(gssd_t)
-
-+mount_signal(gssd_t)
-+
- tunable_policy(`allow_gssd_read_tmp',`
- userdom_list_user_tmp(gssd_t)
- userdom_read_user_tmp_files(gssd_t)
-@@ -193,6 +214,10 @@
- ')
-
- optional_policy(`
-+ automount_signal(gssd_t)
-+')
-+
-+optional_policy(`
- kerberos_keytab_template(gssd, gssd_t)
- ')
-
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.24/policy/modules/services/rsync.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.25/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/rsync.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/rsync.te 2009-07-29 21:34:35.000000000 -0400
@@ -8,6 +8,13 @@
## <desc>
@@ -15279,15 +13952,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
auth_can_read_shadow_passwords(rsync_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.fc serefpolicy-3.6.24/policy/modules/services/rtkit_daemon.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.fc serefpolicy-3.6.25/policy/modules/services/rtkit_daemon.fc
--- nsaserefpolicy/policy/modules/services/rtkit_daemon.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/rtkit_daemon.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/rtkit_daemon.fc 2009-07-29 21:34:35.000000000 -0400
@@ -0,0 +1,2 @@
+
+/usr/libexec/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.if serefpolicy-3.6.24/policy/modules/services/rtkit_daemon.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.if serefpolicy-3.6.25/policy/modules/services/rtkit_daemon.if
--- nsaserefpolicy/policy/modules/services/rtkit_daemon.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/rtkit_daemon.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/rtkit_daemon.if 2009-07-29 21:34:35.000000000 -0400
@@ -0,0 +1,64 @@
+
+## <summary>policy for rtkit_daemon</summary>
@@ -15353,9 +14026,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow rtkit_daemon_t $1:process { getsched setsched };
+ rtkit_daemon_dbus_chat($1)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.te serefpolicy-3.6.24/policy/modules/services/rtkit_daemon.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.te serefpolicy-3.6.25/policy/modules/services/rtkit_daemon.te
--- nsaserefpolicy/policy/modules/services/rtkit_daemon.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/rtkit_daemon.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/rtkit_daemon.te 2009-07-29 21:34:35.000000000 -0400
@@ -0,0 +1,36 @@
+policy_module(rtkit_daemon,1.0.0)
+
@@ -15393,28 +14066,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ policykit_dbus_chat(rtkit_daemon_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.24/policy/modules/services/samba.fc
---- nsaserefpolicy/policy/modules/services/samba.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/samba.fc 2009-07-28 13:42:19.000000000 -0400
-@@ -2,6 +2,9 @@
- #
- # /etc
- #
-+/etc/rc\.d/init\.d/winbind -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/nmb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/smb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
- /etc/samba/MACHINE\.SID -- gen_context(system_u:object_r:samba_secrets_t,s0)
- /etc/samba/passdb\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0)
- /etc/samba/secrets\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0)
-@@ -15,6 +18,7 @@
- /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
- /usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0)
- /usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0)
-+/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
- /usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0)
-
- /usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0)
-@@ -47,3 +51,7 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.25/policy/modules/services/samba.fc
+--- nsaserefpolicy/policy/modules/services/samba.fc 2009-07-29 15:15:33.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/samba.fc 2009-07-29 21:34:35.000000000 -0400
+@@ -51,3 +51,7 @@
/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
@@ -15422,56 +14077,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ifndef(`enable_mls',`
+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.6.24/policy/modules/services/samba.if
---- nsaserefpolicy/policy/modules/services/samba.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/samba.if 2009-07-28 13:42:19.000000000 -0400
-@@ -4,6 +4,45 @@
- ## from Windows NT servers.
- ## </summary>
-
-+
-+########################################
-+## <summary>
-+## Execute smbd net in the smbd_t domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## The type of the process performing this action.
-+## </summary>
-+## </param>
-+#
-+interface(`samba_domtrans_smb',`
-+ gen_require(`
-+ type smbd_t, smbd_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, smbd_exec_t, smbd_t)
-+')
-+
-+########################################
-+## <summary>
-+## Execute nmbd net in the nmbd_t domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## The type of the process performing this action.
-+## </summary>
-+## </param>
-+#
-+interface(`samba_domtrans_nmb',`
-+ gen_require(`
-+ type nmbd_t, nmbd_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, nmbd_exec_t, nmbd_t)
-+')
-+
- ########################################
- ## <summary>
- ## Execute samba net in the samba_net domain.
-@@ -25,6 +64,25 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.6.25/policy/modules/services/samba.if
+--- nsaserefpolicy/policy/modules/services/samba.if 2009-07-29 15:15:33.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/samba.if 2009-07-29 21:56:08.000000000 -0400
+@@ -62,6 +62,25 @@
########################################
## <summary>
@@ -15479,352 +14088,173 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+## </summary>
+## <param name="domain">
+## <summary>
-+## The type of the process performing this action.
-+## </summary>
-+## </param>
-+#
-+interface(`samba_domtrans_unconfined_net',`
-+ gen_require(`
-+ type samba_unconfined_net_t, samba_net_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, samba_net_exec_t, samba_unconfined_net_t)
-+')
-+
-+########################################
-+## <summary>
- ## Execute samba net in the samba_net domain, and
- ## allow the specified role the samba_net domain.
- ## </summary>
-@@ -49,6 +107,50 @@
- role $2 types samba_net_t;
- ')
-
-+#######################################
-+## <summary>
-+## The role for the samba module.
-+## </summary>
-+## <param name="role">
-+## <summary>
-+## The role to be allowed the samba_net domain.
-+## </summary>
-+## </param>
-+#
-+template(`samba_role_notrans',`
-+ gen_require(`
-+ type smbd_t;
-+ ')
-+
-+ role $1 types smbd_t;
-+')
-+
-+########################################
-+## <summary>
-+## Execute samba net in the samba_unconfined_net domain, and
-+## allow the specified role the samba_unconfined_net domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## The type of the process performing this action.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## The role to be allowed the samba_unconfined_net domain.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`samba_run_unconfined_net',`
-+ gen_require(`
-+ type samba_unconfined_net_t;
-+ ')
-+
-+ samba_domtrans_unconfined_net($1)
-+ role $2 types samba_unconfined_net_t;
-+')
-+
- ########################################
- ## <summary>
- ## Execute smbmount in the smbmount domain.
-@@ -138,6 +240,28 @@
-
- ########################################
- ## <summary>
-+## Allow the specified domain to read
-+## and write samba configuration files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`samba_manage_config',`
-+ gen_require(`
-+ type samba_etc_t;
-+ ')
-+
-+ files_search_etc($1)
-+ manage_dirs_pattern($1, samba_etc_t, samba_etc_t)
-+ manage_files_pattern($1, samba_etc_t, samba_etc_t)
-+')
-+
-+########################################
-+## <summary>
- ## Allow the specified domain to read samba's log files.
- ## </summary>
- ## <param name="domain">
-@@ -281,6 +405,25 @@
-
- ########################################
- ## <summary>
-+## dontaudit the specified domain to
-+## write samba /var files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`samba_dontaudit_write_var_files',`
-+ gen_require(`
-+ type samba_var_t;
-+ ')
-+
-+ dontaudit $1 samba_var_t:file write;
-+')
-+
-+########################################
-+## <summary>
- ## Allow the specified domain to
- ## read and write samba /var files.
- ## </summary>
-@@ -298,6 +441,7 @@
- files_search_var($1)
- files_search_var_lib($1)
- manage_files_pattern($1, samba_var_t, samba_var_t)
-+ manage_lnk_files_pattern($1, samba_var_t, samba_var_t)
- ')
-
- ########################################
-@@ -370,6 +514,7 @@
- ')
-
- domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
-+ allow $1 winbind_helper_t:process signal;
- ')
-
- ########################################
-@@ -447,3 +592,202 @@
- stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t)
- ')
- ')
-+
-+########################################
-+## <summary>
-+## Create a set of derived types for apache
-+## web content.
-+## </summary>
-+## <param name="prefix">
-+## <summary>
-+## The prefix to be used for deriving type names.
-+## </summary>
-+## </param>
-+#
-+template(`samba_helper_template',`
-+ gen_require(`
-+ type smbd_t;
-+ ')
-+ #This type is for samba helper scripts
-+ type samba_$1_script_t;
-+ domain_type(samba_$1_script_t)
-+ role system_r types samba_$1_script_t;
-+
-+ # This type is used for executable scripts files
-+ type samba_$1_script_exec_t;
-+ corecmd_shell_entry_type(samba_$1_script_t)
-+ domain_entry_file(samba_$1_script_t, samba_$1_script_exec_t)
-+
-+ domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t)
-+ allow smbd_t samba_$1_script_exec_t:file ioctl;
-+
-+')
-+
-+########################################
-+## <summary>
-+## Allow the specified domain to read samba's shares
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
++## The type of the process performing this action.
+## </summary>
+## </param>
+#
-+interface(`samba_read_share_files',`
++interface(`samba_domtrans_unconfined_net',`
+ gen_require(`
-+ type samba_share_t;
++ type samba_unconfined_net_t, samba_net_exec_t;
+ ')
+
-+ allow $1 samba_share_t:filesystem getattr;
-+ read_files_pattern($1, samba_share_t, samba_share_t)
++ corecmd_search_bin($1)
++ domtrans_pattern($1, samba_net_exec_t, samba_unconfined_net_t)
+')
+
+########################################
+## <summary>
-+## Execute a domain transition to run smbcontrol.
-+## </summary>
-+## <param name="domain">
+ ## Execute samba net in the samba_net domain, and
+ ## allow the specified role the samba_net domain.
+ ## </summary>
+@@ -86,6 +105,50 @@
+ role $2 types samba_net_t;
+ ')
+
++#######################################
+## <summary>
-+## Domain allowed to transition.
++## The role for the samba module.
+## </summary>
++## <param name="role">
++## <summary>
++## The role to be allowed the samba_net domain.
++## </summary>
+## </param>
+#
-+interface(`samba_domtrans_smbcontrol',`
++template(`samba_role_notrans',`
+ gen_require(`
-+ type smbcontrol_t;
-+ type smbcontrol_exec_t;
++ type smbd_t;
+ ')
+
-+ domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t)
++ role $1 types smbd_t;
+')
+
-+
+########################################
+## <summary>
-+## Execute smbcontrol in the smbcontrol domain, and
-+## allow the specified role the smbcontrol domain.
++## Execute samba net in the samba_unconfined_net domain, and
++## allow the specified role the samba_unconfined_net domain.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access
++## The type of the process performing this action.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
-+## The role to be allowed the smbcontrol domain.
++## The role to be allowed the samba_unconfined_net domain.
+## </summary>
+## </param>
++## <rolecap/>
+#
-+interface(`samba_run_smbcontrol',`
++interface(`samba_run_unconfined_net',`
+ gen_require(`
-+ type smbcontrol_t;
++ type samba_unconfined_net_t;
+ ')
+
-+ samba_domtrans_smbcontrol($1)
-+ role $2 types smbcontrol_t;
++ samba_domtrans_unconfined_net($1)
++ role $2 types samba_unconfined_net_t;
+')
+
-+########################################
-+## <summary>
-+## Execute samba server in the samba domain.
+ ########################################
+ ## <summary>
+ ## Execute smbmount in the smbmount domain.
+@@ -395,6 +458,7 @@
+ files_search_var($1)
+ files_search_var_lib($1)
+ manage_files_pattern($1, samba_var_t, samba_var_t)
++ manage_lnk_files_pattern($1, samba_var_t, samba_var_t)
+ ')
+
+ ########################################
+@@ -530,6 +595,7 @@
+ ')
+
+ domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
++ allow $1 winbind_helper_t:process signal;
+ ')
+
+ ########################################
+@@ -610,6 +676,36 @@
+
+ ########################################
+ ## <summary>
++## Create a set of derived types for apache
++## web content.
+## </summary>
-+## <param name="domain">
++## <param name="prefix">
+## <summary>
-+## The type of the process performing this action.
++## The prefix to be used for deriving type names.
+## </summary>
+## </param>
+#
-+interface(`samba_initrc_domtrans',`
++template(`samba_helper_template',`
+ gen_require(`
-+ type samba_initrc_exec_t;
++ type smbd_t;
+ ')
++ #This type is for samba helper scripts
++ type samba_$1_script_t;
++ domain_type(samba_$1_script_t)
++ role system_r types samba_$1_script_t;
++
++ # This type is used for executable scripts files
++ type samba_$1_script_exec_t;
++ corecmd_shell_entry_type(samba_$1_script_t)
++ domain_entry_file(samba_$1_script_t, samba_$1_script_exec_t)
++
++ domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t)
++ allow smbd_t samba_$1_script_exec_t:file ioctl;
+
-+ init_labeled_script_domtrans($1, samba_initrc_exec_t)
+')
+
+########################################
+## <summary>
-+## All of the rules required to administrate
-+## an samba environment
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## The role to be allowed to manage the samba domain.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`samba_admin',`
-+ gen_require(`
-+ type nmbd_t, nmbd_var_run_t;
-+ type smbd_t, smbd_tmp_t;
-+ type smbd_initrc_exec_t;
-+ type smbd_spool_t, smbd_var_run_t;
-+
-+ type samba_log_t, samba_var_t;
-+ type samba_etc_t, samba_share_t;
-+ type samba_secrets_t;
-+
-+ type swat_var_run_t, swat_tmp_t;
-+
-+ type winbind_var_run_t, winbind_tmp_t;
-+ type winbind_log_t;
-+
+ ## All of the rules required to administrate
+ ## an samba environment
+ ## </summary>
+@@ -630,6 +726,7 @@
+ type nmbd_t, nmbd_var_run_t;
+ type smbd_t, smbd_tmp_t;
+ type smbd_var_run_t;
++ type smbd_initrc_exec_t, smbd_spool_t;
+
+ type samba_log_t, samba_var_t;
+ type samba_etc_t, samba_share_t;
+@@ -640,6 +737,7 @@
+ type winbind_var_run_t, winbind_tmp_t;
+ type winbind_log_t;
+
+ type samba_unconfined_script_t, samba_unconfined_script_exec_t;
-+ type samba_initrc_exec_t;
-+ ')
-+
-+ allow $1 smbd_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, smbd_t)
-+
-+ allow $1 nmbd_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, nmbd_t)
-+
+ type samba_initrc_exec_t;
+ ')
+
+@@ -649,6 +747,9 @@
+ allow $1 nmbd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, nmbd_t)
+
+ allow $1 samba_unconfined_script_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, samba_unconfined_script_t, samba_unconfined_script_t)
+
-+ samba_run_smbcontrol($1, $2, $3)
-+ samba_run_winbind_helper($1, $2, $3)
-+ samba_run_smbmount($1, $2, $3)
-+ samba_run_net($1, $2, $3)
-+
-+ init_labeled_script_domtrans($1, samba_initrc_exec_t)
-+ domain_system_change_exemption($1)
-+ role_transition $2 samba_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ files_list_tmp($1)
-+ admin_pattern($1, smbd_tmp_t)
-+ admin_pattern($1, swat_tmp_t)
-+ admin_pattern($1, winbind_tmp_t)
-+
-+ admin_pattern($1, samba_secrets_t)
-+
-+ files_list_etc($1)
-+ admin_pattern($1, samba_etc_t)
-+
-+ admin_pattern($1, samba_share_t)
-+
-+ logging_list_logs($1)
-+ admin_pattern($1, samba_log_t)
-+ admin_pattern($1, winbind_log_t)
-+
-+ files_list_spool($1)
+ samba_run_smbcontrol($1, $2, $3)
+ samba_run_winbind_helper($1, $2, $3)
+ samba_run_smbmount($1, $2, $3)
+@@ -674,6 +775,9 @@
+ admin_pattern($1, samba_var_t)
+ files_list_var($1)
+
+ admin_pattern($1, smbd_spool_t)
++ files_list_spool($1)
+
-+ files_list_var($1)
-+ admin_pattern($1, samba_var_t)
-+
-+ files_list_pids($1)
-+ admin_pattern($1, smbd_var_run_t)
-+ admin_pattern($1, nmbd_var_run_t)
-+ admin_pattern($1, swat_var_run_t)
-+ admin_pattern($1, winbind_var_run_t)
+ admin_pattern($1, smbd_var_run_t)
+ files_list_pids($1)
+
+@@ -689,4 +793,5 @@
+ admin_pattern($1, winbind_tmp_t)
+
+ admin_pattern($1, winbind_var_run_t)
+ admin_pattern($1, samba_unconfined_script_exec_t)
-+')
-+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.24/policy/modules/services/samba.te
---- nsaserefpolicy/policy/modules/services/samba.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/samba.te 2009-07-28 13:42:19.000000000 -0400
+ ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.25/policy/modules/services/samba.te
+--- nsaserefpolicy/policy/modules/services/samba.te 2009-07-29 15:15:33.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/samba.te 2009-07-29 22:06:25.000000000 -0400
@@ -66,6 +66,13 @@
## </desc>
gen_tunable(samba_share_nfs, false)
@@ -15839,73 +14269,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type nmbd_t;
type nmbd_exec_t;
init_daemon_domain(nmbd_t, nmbd_exec_t)
-@@ -73,6 +80,9 @@
- type nmbd_var_run_t;
- files_pid_file(nmbd_var_run_t)
-
-+type samba_initrc_exec_t;
-+init_script_file(samba_initrc_exec_t)
-+
- type samba_etc_t;
- files_config_file(samba_etc_t)
-
-@@ -80,11 +90,9 @@
- logging_log_file(samba_log_t)
-
- type samba_net_t;
--domain_type(samba_net_t)
--role system_r types samba_net_t;
--
- type samba_net_exec_t;
--domain_entry_file(samba_net_t, samba_net_exec_t)
-+role system_r types samba_net_t;
-+application_domain(samba_net_t, samba_net_exec_t)
-
- type samba_net_tmp_t;
- files_tmp_file(samba_net_tmp_t)
-@@ -146,11 +154,17 @@
- type winbind_var_run_t;
- files_pid_file(winbind_var_run_t)
-
-+type smbcontrol_t;
-+type smbcontrol_exec_t;
-+application_domain(smbcontrol_t, smbcontrol_exec_t)
-+role system_r types smbcontrol_t;
-+
- ########################################
- #
- # Samba net local policy
- #
--
-+allow samba_net_t self:capability { sys_nice dac_read_search dac_override };
-+allow samba_net_t self:process { getsched setsched };
- allow samba_net_t self:unix_dgram_socket create_socket_perms;
- allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
- allow samba_net_t self:udp_socket create_socket_perms;
-@@ -165,11 +179,12 @@
- manage_files_pattern(samba_net_t, samba_net_tmp_t, samba_net_tmp_t)
- files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
-
--allow samba_net_t samba_var_t:dir rw_dir_perms;
-+manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t)
- manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
- manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
-
- kernel_read_proc_symlinks(samba_net_t)
-+kernel_read_system_state(samba_net_t)
-
- corenet_all_recvfrom_unlabeled(samba_net_t)
- corenet_all_recvfrom_netlabel(samba_net_t)
-@@ -190,15 +205,23 @@
- domain_use_interactive_fds(samba_net_t)
-
- files_read_etc_files(samba_net_t)
-+files_read_usr_symlinks(samba_net_t)
-
- auth_use_nsswitch(samba_net_t)
-+auth_read_cache(samba_net_t)
-
- logging_send_syslog_msg(samba_net_t)
+@@ -207,8 +214,10 @@
miscfiles_read_localization(samba_net_t)
@@ -15914,78 +14278,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_use_user_terminals(samba_net_t)
-userdom_dontaudit_search_user_home_dirs(samba_net_t)
+userdom_list_user_home_dirs(samba_net_t)
-+
-+optional_policy(`
-+ pcscd_read_pub_files(samba_net_t)
-+')
optional_policy(`
- kerberos_use(samba_net_t)
-@@ -208,7 +231,7 @@
- #
- # smbd Local policy
- #
--allow smbd_t self:capability { fowner setgid setuid sys_resource lease dac_override dac_read_search };
-+allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search };
- dontaudit smbd_t self:capability sys_tty_config;
- allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow smbd_t self:process setrlimit;
-@@ -226,10 +249,8 @@
-
- allow smbd_t samba_etc_t:file { rw_file_perms setattr };
-
--create_dirs_pattern(smbd_t, samba_log_t, samba_log_t)
-+manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t)
- manage_files_pattern(smbd_t, samba_log_t, samba_log_t)
--allow smbd_t samba_log_t:dir setattr;
--dontaudit smbd_t samba_log_t:dir remove_name;
-
- allow smbd_t samba_net_tmp_t:file getattr;
-
-@@ -239,6 +260,7 @@
- manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
- manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
- manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
-+allow smbd_t samba_share_t:filesystem getattr;
-
- manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
- manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
-@@ -250,13 +272,14 @@
- files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
-
- allow smbd_t nmbd_var_run_t:file rw_file_perms;
-+allow smbd_t nmbd_t:process { signal signull };
-
- manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
- manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
- manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
- files_pid_filetrans(smbd_t, smbd_var_run_t, file)
-
--allow smbd_t winbind_var_run_t:sock_file { read write getattr };
-+allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms;
-
- kernel_getattr_core_if(smbd_t)
- kernel_getattr_message_if(smbd_t)
-@@ -298,6 +321,7 @@
+ pcscd_read_pub_files(samba_net_t)
+@@ -341,6 +350,8 @@
- auth_use_nsswitch(smbd_t)
- auth_domtrans_chk_passwd(smbd_t)
-+auth_domtrans_upd_passwd(smbd_t)
+ usermanage_read_crack_db(smbd_t)
- domain_use_interactive_fds(smbd_t)
- domain_dontaudit_list_all_domains_state(smbd_t)
-@@ -321,6 +345,10 @@
- userdom_use_unpriv_users_fds(smbd_t)
- userdom_dontaudit_search_user_home_dirs(smbd_t)
-
-+usermanage_read_crack_db(smbd_t)
-+
+term_use_ptmx(smbd_t)
+
ifdef(`hide_broken_symptoms', `
files_dontaudit_getattr_default_dirs(smbd_t)
files_dontaudit_getattr_boot_dirs(smbd_t)
-@@ -332,26 +360,39 @@
+@@ -352,19 +363,19 @@
')
tunable_policy(`samba_domain_controller',`
@@ -15994,7 +14299,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ')
+
usermanage_domtrans_passwd(smbd_t)
-+ usermanage_kill_passwd(smbd_t)
+ usermanage_kill_passwd(smbd_t)
usermanage_domtrans_useradd(smbd_t)
usermanage_domtrans_groupadd(smbd_t)
+ allow smbd_t self:passwd passwd;
@@ -16011,12 +14316,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
# Support Samba sharing of NFS mount points
- tunable_policy(`samba_share_nfs',`
- fs_manage_nfs_dirs(smbd_t)
- fs_manage_nfs_files(smbd_t)
-+ fs_manage_nfs_symlinks(smbd_t)
-+ fs_manage_nfs_named_pipes(smbd_t)
-+ fs_manage_nfs_named_sockets(smbd_t)
+@@ -376,6 +387,15 @@
+ fs_manage_nfs_named_sockets(smbd_t)
')
+# Support Samba sharing of ntfs/fusefs mount points
@@ -16031,24 +14332,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
cups_read_rw_config(smbd_t)
cups_stream_connect(smbd_t)
-@@ -359,6 +400,16 @@
+@@ -391,6 +411,11 @@
+ ')
optional_policy(`
- kerberos_use(smbd_t)
-+ kerberos_keytab_template(smbd, smbd_t)
-+')
-+
-+optional_policy(`
-+ lpd_exec_lpr(smbd_t)
++ qemu_manage_tmp_dirs(smbd_t)
++ qemu_manage_tmp_files(smbd_t)
+')
+
+optional_policy(`
-+ qemu_manage_tmp_dirs(smbd_t)
-+ qemu_manage_tmp_files(smbd_t)
+ rpc_search_nfs_state_data(smbd_t)
')
- optional_policy(`
-@@ -376,13 +427,15 @@
+@@ -405,13 +430,15 @@
tunable_policy(`samba_create_home_dirs',`
allow smbd_t self:capability chown;
userdom_create_user_home_dirs(smbd_t)
@@ -16065,7 +14361,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_read_all_files_except_shadow(nmbd_t)
')
-@@ -391,8 +444,8 @@
+@@ -420,8 +447,8 @@
auth_manage_all_files_except_shadow(smbd_t)
fs_read_noxattr_fs_files(nmbd_t)
auth_manage_all_files_except_shadow(nmbd_t)
@@ -16075,89 +14371,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
-@@ -417,14 +470,11 @@
- files_pid_filetrans(nmbd_t, nmbd_var_run_t, file)
-
- read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
-+read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -525,6 +553,7 @@
- manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
- manage_files_pattern(nmbd_t, samba_log_t, samba_log_t)
+ allow smbcontrol_t winbind_t:process { signal signull };
--read_files_pattern(nmbd_t, samba_log_t, samba_log_t)
--create_files_pattern(nmbd_t, samba_log_t, samba_log_t)
--allow nmbd_t samba_log_t:dir setattr;
--
- manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
-
- allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
-@@ -553,21 +603,36 @@
- userdom_use_user_terminals(smbmount_t)
- userdom_use_all_users_fds(smbmount_t)
++files_search_var_lib(smbcontrol_t)
+ samba_read_config(smbcontrol_t)
+ samba_rw_var_files(smbcontrol_t)
+ samba_search_var(smbcontrol_t)
+@@ -638,6 +667,10 @@
-+optional_policy(`
-+ cups_read_rw_config(smbmount_t)
-+')
-+
- ########################################
- #
- # SWAT Local policy
- #
+ allow swat_t smbd_var_run_t:file { lock unlink };
--allow swat_t self:capability { setuid setgid };
--allow swat_t self:process signal_perms;
--allow swat_t self:fifo_file rw_file_perms;
-+allow swat_t self:capability { setuid setgid sys_resource };
-+allow swat_t self:process { setrlimit signal_perms };
-+allow swat_t self:fifo_file rw_fifo_file_perms;
- allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
- allow swat_t self:tcp_socket create_stream_socket_perms;
- allow swat_t self:udp_socket create_socket_perms;
-
-+allow swat_t self:unix_stream_socket connectto;
-+samba_domtrans_smb(swat_t)
+allow swat_t smbd_port_t:tcp_socket name_bind;
-+allow swat_t smbd_t:process { signal signull };
-+allow swat_t smbd_var_run_t:file { lock unlink };
+
- allow swat_t nmbd_exec_t:file mmap_file_perms;
-+can_exec(swat_t, nmbd_exec_t)
+allow swat_t nmbd_port_t:udp_socket name_bind;
-+allow swat_t nmbd_t:process { signal signull };
-+allow swat_t nmbd_var_run_t:file { lock read unlink };
-
++
rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
-+read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t)
-
- append_files_pattern(swat_t, samba_log_t, samba_log_t)
+ read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t)
-@@ -585,6 +650,9 @@
- files_pid_filetrans(swat_t, swat_var_run_t, file)
-
- allow swat_t winbind_exec_t:file mmap_file_perms;
-+can_exec(swat_t, winbind_exec_t)
-+allow swat_t winbind_var_run_t:dir { write add_name remove_name };
-+allow swat_t winbind_var_run_t:sock_file { create unlink };
-
- kernel_read_kernel_sysctls(swat_t)
- kernel_read_system_state(swat_t)
-@@ -609,6 +677,7 @@
-
- dev_read_urand(swat_t)
-
-+files_list_var_lib(swat_t)
- files_read_etc_files(swat_t)
- files_search_home(swat_t)
- files_read_usr_files(swat_t)
-@@ -618,6 +687,7 @@
- auth_use_nsswitch(swat_t)
-
- logging_send_syslog_msg(swat_t)
-+logging_send_audit_msgs(swat_t)
- logging_search_logs(swat_t)
-
- miscfiles_read_localization(swat_t)
-@@ -635,14 +705,25 @@
+@@ -713,12 +746,23 @@
kerberos_use(swat_t)
')
@@ -16180,52 +14413,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-allow winbind_t self:capability { dac_override ipc_lock setuid };
+allow winbind_t self:capability { sys_nice dac_override ipc_lock setuid };
dontaudit winbind_t self:capability sys_tty_config;
--allow winbind_t self:process signal_perms;
-+allow winbind_t self:process { signal_perms getsched setsched };
+ allow winbind_t self:process { signal_perms getsched setsched };
allow winbind_t self:fifo_file rw_fifo_file_perms;
- allow winbind_t self:unix_dgram_socket create_socket_perms;
- allow winbind_t self:unix_stream_socket create_stream_socket_perms;
-@@ -683,9 +764,10 @@
- manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
- files_pid_filetrans(winbind_t, winbind_var_run_t, file)
-
-+corecmd_exec_bin(winbind_t)
-+
- kernel_read_kernel_sysctls(winbind_t)
--kernel_list_proc(winbind_t)
--kernel_read_proc_symlinks(winbind_t)
-+kernel_read_system_state(winbind_t)
-
- corenet_all_recvfrom_unlabeled(winbind_t)
- corenet_all_recvfrom_netlabel(winbind_t)
-@@ -709,10 +791,12 @@
-
- auth_domtrans_chk_passwd(winbind_t)
- auth_use_nsswitch(winbind_t)
-+auth_rw_cache(winbind_t)
-
- domain_use_interactive_fds(winbind_t)
-
- files_read_etc_files(winbind_t)
-+files_read_usr_symlinks(winbind_t)
-
- logging_send_syslog_msg(winbind_t)
-
-@@ -768,8 +852,13 @@
- userdom_use_user_terminals(winbind_helper_t)
-
- optional_policy(`
-+ apache_append_log(winbind_helper_t)
-+')
-+
-+optional_policy(`
- squid_read_log(winbind_helper_t)
- squid_append_log(winbind_helper_t)
-+ squid_rw_stream_sockets(winbind_helper_t)
- ')
-
- ########################################
-@@ -778,6 +867,16 @@
+@@ -866,6 +910,16 @@
#
optional_policy(`
@@ -16242,7 +14432,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
-@@ -788,9 +887,43 @@
+@@ -876,9 +930,12 @@
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@@ -16252,44 +14442,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`samba_run_unconfined',`
domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
+- ')
+',`
+ can_exec(smbd_t, samba_unconfined_script_exec_t)
- ')
--')
-+
-+########################################
-+#
-+# smbcontrol local policy
-+#
-+
-+# internal communication is often done using fifo and unix sockets.
-+allow smbcontrol_t self:fifo_file rw_file_perms;
-+allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
-+
-+files_read_etc_files(smbcontrol_t)
-+
-+miscfiles_read_localization(smbcontrol_t)
-+
-+files_search_var_lib(smbcontrol_t)
-+samba_read_config(smbcontrol_t)
-+samba_rw_var_files(smbcontrol_t)
-+samba_search_var(smbcontrol_t)
-+samba_read_winbind_pid(smbcontrol_t)
-+
-+allow smbcontrol_t smbd_t:process signal;
-+domain_use_interactive_fds(smbcontrol_t)
-+allow smbd_t smbcontrol_t:process { signal signull };
-+
-+allow nmbd_t smbcontrol_t:process signal;
-+allow smbcontrol_t nmbd_t:process { signal signull };
-+
-+allow smbcontrol_t winbind_t:process { signal signull };
-+allow winbind_t smbcontrol_t:process signal;
-+
-+allow smbcontrol_t nmbd_var_run_t:file { read lock };
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.6.24/policy/modules/services/sasl.te
+ ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.6.25/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/sasl.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/sasl.te 2009-07-29 21:34:35.000000000 -0400
@@ -31,7 +31,7 @@
# Local policy
#
@@ -16352,9 +14511,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole(saslauthd_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.24/policy/modules/services/sendmail.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.25/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/sendmail.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/sendmail.if 2009-07-29 21:34:35.000000000 -0400
@@ -59,20 +59,20 @@
########################################
@@ -16527,9 +14686,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1 sendmail_t:fifo_file rw_fifo_file_perms;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.24/policy/modules/services/sendmail.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.25/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/sendmail.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/sendmail.te 2009-07-29 21:34:35.000000000 -0400
@@ -20,13 +20,17 @@
mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t)
@@ -16705,18 +14864,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
-') dnl end TODO
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.6.24/policy/modules/services/setroubleshoot.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.6.25/policy/modules/services/setroubleshoot.fc
--- nsaserefpolicy/policy/modules/services/setroubleshoot.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/setroubleshoot.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/setroubleshoot.fc 2009-07-29 21:34:35.000000000 -0400
@@ -5,3 +5,5 @@
/var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0)
/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0)
+
+/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.6.24/policy/modules/services/setroubleshoot.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.6.25/policy/modules/services/setroubleshoot.if
--- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/setroubleshoot.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/setroubleshoot.if 2009-07-29 21:34:35.000000000 -0400
@@ -16,8 +16,8 @@
')
@@ -16793,9 +14952,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ files_list_pids($1)
+ admin_pattern($1, setroubleshoot_var_run_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.24/policy/modules/services/setroubleshoot.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.25/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/setroubleshoot.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/setroubleshoot.te 2009-07-29 21:34:35.000000000 -0400
@@ -22,13 +22,19 @@
type setroubleshoot_var_run_t;
files_pid_file(setroubleshoot_var_run_t)
@@ -16913,9 +15072,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+permissive setroubleshoot_fixit_t;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.fc serefpolicy-3.6.24/policy/modules/services/shorewall.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.fc serefpolicy-3.6.25/policy/modules/services/shorewall.fc
--- nsaserefpolicy/policy/modules/services/shorewall.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/shorewall.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/shorewall.fc 2009-07-29 21:34:35.000000000 -0400
@@ -0,0 +1,12 @@
+
+/etc/rc\.d/init\.d/shorewall -- gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
@@ -16929,9 +15088,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+/var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+/var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.if serefpolicy-3.6.24/policy/modules/services/shorewall.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.if serefpolicy-3.6.25/policy/modules/services/shorewall.if
--- nsaserefpolicy/policy/modules/services/shorewall.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/shorewall.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/shorewall.if 2009-07-29 21:34:35.000000000 -0400
@@ -0,0 +1,166 @@
+## <summary>policy for shorewall</summary>
+
@@ -17099,9 +15258,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ admin_pattern($1, shorewall_tmp_t)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.te serefpolicy-3.6.24/policy/modules/services/shorewall.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.te serefpolicy-3.6.25/policy/modules/services/shorewall.te
--- nsaserefpolicy/policy/modules/services/shorewall.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/shorewall.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/shorewall.te 2009-07-29 21:34:35.000000000 -0400
@@ -0,0 +1,102 @@
+policy_module(shorewall,1.0.0)
+
@@ -17205,9 +15364,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+permissive shorewall_t;
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.24/policy/modules/services/smartmon.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.25/policy/modules/services/smartmon.te
--- nsaserefpolicy/policy/modules/services/smartmon.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/smartmon.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/smartmon.te 2009-07-29 21:34:35.000000000 -0400
@@ -19,6 +19,10 @@
type fsdaemon_tmp_t;
files_tmp_file(fsdaemon_tmp_t)
@@ -17265,9 +15424,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.24/policy/modules/services/spamassassin.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.25/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/spamassassin.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/spamassassin.fc 2009-07-29 21:34:35.000000000 -0400
@@ -1,15 +1,25 @@
-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
@@ -17296,9 +15455,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.24/policy/modules/services/spamassassin.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.25/policy/modules/services/spamassassin.if
--- nsaserefpolicy/policy/modules/services/spamassassin.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/spamassassin.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/spamassassin.if 2009-07-29 21:34:35.000000000 -0400
@@ -111,6 +111,7 @@
')
@@ -17385,9 +15544,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ files_list_pids($1)
+ admin_pattern($1, spamd_var_run_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.24/policy/modules/services/spamassassin.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.25/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/spamassassin.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/spamassassin.te 2009-07-29 21:34:35.000000000 -0400
@@ -20,6 +20,35 @@
## </desc>
gen_tunable(spamd_enable_home_dirs, true)
@@ -17680,9 +15839,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
udev_read_db(spamd_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.24/policy/modules/services/squid.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.25/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/squid.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/squid.te 2009-07-29 21:34:35.000000000 -0400
@@ -118,6 +118,8 @@
fs_getattr_all_fs(squid_t)
@@ -17701,18 +15860,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-#squid requires the following when run in diskd mode, the recommended setting
-allow squid_t tmpfs_t:file { read write };
-') dnl end TODO
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.6.24/policy/modules/services/ssh.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.6.25/policy/modules/services/ssh.fc
--- nsaserefpolicy/policy/modules/services/ssh.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/ssh.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/ssh.fc 2009-07-29 21:34:35.000000000 -0400
@@ -14,3 +14,5 @@
/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
+
+/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.24/policy/modules/services/ssh.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.25/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/ssh.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/ssh.if 2009-07-29 21:34:35.000000000 -0400
@@ -36,6 +36,7 @@
gen_require(`
attribute ssh_server;
@@ -18013,9 +16172,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ read_lnk_files_pattern($1, home_ssh_t, home_ssh_t)
+ userdom_search_user_home_dirs($1)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.24/policy/modules/services/ssh.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.25/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/ssh.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/ssh.te 2009-07-29 21:34:35.000000000 -0400
@@ -41,6 +41,9 @@
files_tmp_file(sshd_tmp_t)
files_poly_parent(sshd_tmp_t)
@@ -18187,18 +16346,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole(ssh_keygen_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.24/policy/modules/services/sssd.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.25/policy/modules/services/sssd.fc
--- nsaserefpolicy/policy/modules/services/sssd.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/sssd.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/sssd.fc 2009-07-29 21:34:35.000000000 -0400
@@ -1,4 +1,4 @@
-/etc/rc.d/init.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.24/policy/modules/services/sssd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.25/policy/modules/services/sssd.if
--- nsaserefpolicy/policy/modules/services/sssd.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/sssd.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/sssd.if 2009-07-29 21:34:35.000000000 -0400
@@ -12,12 +12,32 @@
#
interface(`sssd_domtrans',`
@@ -18261,9 +16420,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Send and receive messages from
## sssd over dbus.
## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.24/policy/modules/services/uucp.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.25/policy/modules/services/uucp.te
--- nsaserefpolicy/policy/modules/services/uucp.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/uucp.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/uucp.te 2009-07-29 21:34:35.000000000 -0400
@@ -95,6 +95,8 @@
files_search_home(uucpd_t)
files_search_spool(uucpd_t)
@@ -18281,9 +16440,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.24/policy/modules/services/virt.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.25/policy/modules/services/virt.fc
--- nsaserefpolicy/policy/modules/services/virt.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/virt.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/virt.fc 2009-07-29 21:34:35.000000000 -0400
@@ -8,5 +8,16 @@
/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
@@ -18301,39 +16460,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0)
+
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.24/policy/modules/services/virt.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.25/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/virt.if 2009-07-28 13:42:19.000000000 -0400
-@@ -2,28 +2,6 @@
++++ serefpolicy-3.6.25/policy/modules/services/virt.if 2009-07-29 23:18:44.000000000 -0400
+@@ -103,7 +103,7 @@
########################################
## <summary>
--## Make the specified type usable as a virt image
--## </summary>
--## <param name="type">
--## <summary>
--## Type to be used as a virtual image
--## </summary>
--## </param>
--#
--interface(`virt_image',`
-- gen_require(`
-- attribute virt_image_type;
-- ')
--
-- typeattribute $1 virt_image_type;
-- files_type($1)
--
-- # virt images can be assigned to blk devices
-- dev_node($1)
--')
--
--########################################
--## <summary>
- ## Execute a domain transition to run virt.
+-## Read virt PID files.
++## Read virt pid files.
## </summary>
## <param name="domain">
-@@ -117,12 +95,12 @@
+ ## <summary>
+@@ -117,12 +117,12 @@
')
files_search_pids($1)
@@ -18348,7 +16487,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary>
## <param name="domain">
## <summary>
-@@ -135,6 +113,7 @@
+@@ -135,6 +135,7 @@
type virt_var_run_t;
')
@@ -18356,7 +16495,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
')
-@@ -272,11 +251,7 @@
+@@ -268,15 +269,16 @@
+ #
+ interface(`virt_manage_images',`
+ gen_require(`
+- type virt_image_t, virt_var_lib_t;
++ type virt_var_lib_t;
++ attribute virt_image_type;
')
virt_search_lib($1)
@@ -18365,11 +16510,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- manage_files_pattern($1, virt_image_t, virt_image_t)
- read_lnk_files_pattern($1, virt_image_t, virt_image_t)
- rw_blk_files_pattern($1, virt_image_t, virt_image_t)
-+ virtual_manage_image($1)
++ allow $1 virt_image_type:dir list_dir_perms;
++ manage_dirs_pattern($1, virt_image_type, virt_image_type)
++ manage_files_pattern($1, virt_image_type, virt_image_type)
++ read_lnk_files_pattern($1, virt_image_type, virt_image_type)
++ rw_blk_files_pattern($1, virt_image_type, virt_image_type)
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs($1)
-@@ -293,6 +268,41 @@
+@@ -293,6 +295,41 @@
########################################
## <summary>
@@ -18411,7 +16560,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## All of the rules required to administrate
## an virt environment
## </summary>
-@@ -327,3 +337,53 @@
+@@ -327,3 +364,54 @@
virt_manage_log($1)
')
@@ -18428,9 +16577,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+## </param>
+#
+template(`virt_domain_template',`
++ gen_require(`
++ attribute virt_image_type;
++ attribute virt_domain;
++ ')
+
-+ type $1_t;
-+ virtual_domain($1_t)
++ type $1_t, virt_domain;
++ domain_type($1_t)
++ role system_r types $1_t;
+
+ type $1_tmp_t;
+ files_tmp_file($1_tmp_t)
@@ -18438,8 +16592,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ type $1_tmpfs_t;
+ files_tmpfs_file($1_tmpfs_t)
+
-+ type $1_image_t;
-+ virtual_image($1_image_t)
++ type $1_image_t, virt_image_type;
+
+ manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
+ manage_files_pattern($1_t, $1_image_t, $1_image_t)
@@ -18455,78 +16608,62 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
-+ fs_getattr_tmpfs($1_t)
-+
-+ fs_read_noxattr_fs_files($1_t)
-+ fs_dontaudit_write_noxattr_fs_files($1_t)
+
+ optional_policy(`
++ xserver_rw_shm($1_t)
+ xserver_common_app($1_t)
-+ ')
-+')
-+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.24/policy/modules/services/virt.te
---- nsaserefpolicy/policy/modules/services/virt.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/virt.te 2009-07-28 13:42:19.000000000 -0400
-@@ -8,19 +8,38 @@
-
- ## <desc>
- ## <p>
--## Allow virt to manage nfs files
-+## Allow svirt to manage nfs files
- ## </p>
- ## </desc>
- gen_tunable(virt_use_nfs, false)
-
- ## <desc>
- ## <p>
--## Allow virt to manage cifs files
-+## Allow svirt to manage cifs files
- ## </p>
++ ')
++')
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.25/policy/modules/services/virt.te
+--- nsaserefpolicy/policy/modules/services/virt.te 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/virt.te 2009-07-29 23:52:17.000000000 -0400
+@@ -20,6 +20,28 @@
## </desc>
gen_tunable(virt_use_samba, false)
--attribute virt_image_type;
+## <desc>
+## <p>
-+## Allow svirt to use usb devices
++## Allow virt to use usb devices
+## </p>
+## </desc>
+gen_tunable(virt_use_usb, true)
+
+## <desc>
+## <p>
-+## Allow svirt to manage device configuration, (pci)
++## Allow virt to manage device configuration, (pci)
+## </p>
+## </desc>
+gen_tunable(virt_manage_sysfs, false)
+
+## <desc>
+## <p>
-+## Allow svirt to use serial/parallell communication ports
++## Allow virt to use serial/parallell communication ports
+## </p>
+## </desc>
+gen_tunable(virt_use_comm, false)
++
++attribute virt_domain;
+ attribute virt_image_type;
type virt_etc_t;
- files_config_file(virt_etc_t)
-@@ -29,8 +48,13 @@
+@@ -29,9 +51,14 @@
files_type(virt_etc_rw_t)
# virt Image files
-type virt_image_t, virt_image_type; # customizable
--virt_image(virt_image_t)
+type virt_image_t; # customizable
-+virtual_image(virt_image_t)
-+
+ virt_image(virt_image_t)
+
+# virt Image files
-+type virt_content_t;
-+virtual_image(virt_content_t)
++type virt_content_t; # customizable
++virt_image(virt_content_t)
+userdom_user_home_content(virt_content_t)
-
++
type virt_log_t;
logging_log_file(virt_log_t)
-@@ -48,17 +72,40 @@
+
+@@ -48,17 +75,37 @@
type virtd_initrc_exec_t;
init_script_file(virtd_initrc_exec_t)
@@ -18561,28 +16698,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow virtd_t self:unix_stream_socket create_stream_socket_perms;
allow virtd_t self:tcp_socket create_stream_socket_perms;
-+manage_files_pattern(virtd_t, virt_image_t, virt_image_t)
-+manage_blk_files_pattern(virtd_t, virt_image_t, virt_image_t)
-+allow virtd_t virt_image_t:file { relabelfrom relabelto };
-+allow virtd_t virt_image_t:blk_file { relabelfrom relabelto };
++allow virtd_t virt_domain:process { setsched transition signal signull sigkill };
+
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -67,7 +114,11 @@
- manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -68,6 +115,12 @@
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
--manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
-+virtual_manage_image(virtd_t)
-+virtual_image_relabel(virtd_t)
+ manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
++manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
++allow virtd_t virt_image_type:file { relabelfrom relabelto };
++allow virtd_t virt_image_type:blk_file { relabelfrom relabelto };
+
+manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
+manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -86,6 +137,7 @@
+@@ -86,6 +139,7 @@
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
kernel_load_module(virtd_t)
@@ -18590,7 +16724,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -96,30 +148,51 @@
+@@ -96,30 +150,51 @@
corenet_tcp_sendrecv_generic_node(virtd_t)
corenet_tcp_sendrecv_all_ports(virtd_t)
corenet_tcp_bind_generic_node(virtd_t)
@@ -18645,13 +16779,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
-@@ -129,7 +202,15 @@
+@@ -129,7 +204,14 @@
logging_send_syslog_msg(virtd_t)
+sysnet_domtrans_ifconfig(virtd_t)
-+
-+virtual_transition(virtd_t)
++sysnet_read_config(virtd_t)
+
+userdom_dontaudit_list_admin_dir(virtd_t)
+userdom_getattr_all_users(virtd_t)
@@ -18661,7 +16794,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -167,22 +248,35 @@
+@@ -167,22 +249,35 @@
dnsmasq_domtrans(virtd_t)
dnsmasq_signal(virtd_t)
dnsmasq_kill(virtd_t)
@@ -18680,9 +16813,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ kerberos_keytab_template(virtd, virtd_t)
+')
-
- optional_policy(`
-- qemu_domtrans(virtd_t)
++
++optional_policy(`
+ lvm_domtrans(virtd_t)
+')
+
@@ -18692,8 +16824,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ policykit_domtrans_resolve(virtd_t)
+ policykit_read_lib(virtd_t)
+')
-+
-+optional_policy(`
+
+ optional_policy(`
+- qemu_domtrans(virtd_t)
+ qemu_spec_domtrans(virtd_t, svirt_t)
qemu_read_state(virtd_t)
qemu_signal(virtd_t)
@@ -18702,7 +16835,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -195,8 +289,94 @@
+@@ -195,8 +290,152 @@
xen_stream_connect(virtd_t)
xen_stream_connect_xenstore(virtd_t)
@@ -18797,9 +16930,67 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ xen_rw_image_files(svirt_t)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.6.24/policy/modules/services/w3c.te
++########################################
++#
++# virtual domains common policy
++#
++
++allow virt_domain self:capability { kill dac_read_search dac_override };
++allow virt_domain self:process { execstack execmem signal getsched signull };
++
++allow virt_domain self:fifo_file rw_file_perms;
++allow virt_domain self:shm create_shm_perms;
++allow virt_domain self:unix_stream_socket create_stream_socket_perms;
++allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
++allow virt_domain self:tcp_socket create_stream_socket_perms;
++
++kernel_read_system_state(virt_domain)
++
++corenet_all_recvfrom_unlabeled(virt_domain)
++corenet_all_recvfrom_netlabel(virt_domain)
++corenet_tcp_sendrecv_generic_if(virt_domain)
++corenet_tcp_sendrecv_generic_node(virt_domain)
++corenet_tcp_sendrecv_all_ports(virt_domain)
++corenet_tcp_bind_generic_node(virt_domain)
++corenet_tcp_bind_vnc_port(virt_domain)
++corenet_rw_tun_tap_dev(virt_domain)
++
++dev_read_sound(virt_domain)
++dev_write_sound(virt_domain)
++dev_rw_ksm(virt_domain)
++dev_rw_kvm(virt_domain)
++dev_rw_qemu(virt_domain)
++
++domain_use_interactive_fds(virt_domain)
++
++files_read_etc_files(virt_domain)
++files_read_usr_files(virt_domain)
++files_read_var_files(virt_domain)
++files_search_all(virt_domain)
++
++fs_getattr_tmpfs(virt_domain)
++fs_rw_anon_inodefs_files(virt_domain)
++fs_rw_tmpfs_files(virt_domain)
++
++term_use_all_terms(virt_domain)
++term_getattr_pty_fs(virt_domain)
++term_use_generic_ptys(virt_domain)
++term_use_ptmx(virt_domain)
++
++auth_use_nsswitch(virt_domain)
++
++logging_send_syslog_msg(virt_domain)
++
++miscfiles_read_localization(virt_domain)
++
++optional_policy(`
++ virt_read_config(virt_domain)
++ virt_read_lib_files(virt_domain)
++ virt_read_content(virt_domain)
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.6.25/policy/modules/services/w3c.te
--- nsaserefpolicy/policy/modules/services/w3c.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/w3c.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/w3c.te 2009-07-29 21:34:35.000000000 -0400
@@ -8,11 +8,18 @@
apache_content_template(w3c_validator)
@@ -18819,9 +17010,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.24/policy/modules/services/xserver.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.25/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/xserver.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/xserver.fc 2009-07-29 21:34:35.000000000 -0400
@@ -3,12 +3,16 @@
#
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
@@ -18892,9 +17083,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`distro_suse',`
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.24/policy/modules/services/xserver.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.25/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/xserver.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/xserver.if 2009-07-29 21:34:35.000000000 -0400
@@ -90,7 +90,7 @@
allow $2 xauth_home_t:file manage_file_perms;
allow $2 xauth_home_t:file { relabelfrom relabelto };
@@ -19568,9 +17759,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow xdm_t $1:dbus send_msg;
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.24/policy/modules/services/xserver.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.25/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/xserver.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/xserver.te 2009-07-29 22:43:31.000000000 -0400
@@ -34,6 +34,13 @@
## <desc>
@@ -19968,8 +18159,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ')
+
+ optional_policy(`
-+ devicekit_power_dbus_chat(xdm_t)
-+ devicekit_disk_dbus_chat(xdm_t)
++ devicekit_dbus_chat_disk(xdm_t)
++ devicekit_dbus_chat_power(xdm_t)
+ ')
+
+ optional_policy(`
@@ -20166,7 +18357,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-+ devicekit_power_signal(xserver_t)
++ devicekit_signal_power(xserver_t)
+')
+
+optional_policy(`
@@ -20224,19 +18415,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -856,6 +1027,11 @@
- rhgb_rw_tmpfs_files(xserver_t)
- ')
-
-+optional_policy(`
-+ rpm_dontaudit_rw_shm(xserver_t)
-+ rpm_rw_tmpfs_files(xserver_t)
-+')
-+
- ########################################
- #
- # Rules common to all X window domains
-@@ -881,6 +1057,8 @@
+@@ -881,6 +1052,8 @@
# X Server
# can read server-owned resources
allow x_domain xserver_t:x_resource read;
@@ -20245,7 +18424,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# can mess with own clients
allow x_domain self:x_client { manage destroy };
-@@ -905,6 +1083,8 @@
+@@ -905,6 +1078,8 @@
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -20254,7 +18433,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# X Colormaps
# can use the default colormap
allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -972,17 +1152,49 @@
+@@ -972,17 +1147,49 @@
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -20316,9 +18495,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-#
-allow xdm_t user_home_type:file unlink;
-') dnl end TODO
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.6.24/policy/modules/system/application.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.6.25/policy/modules/system/application.if
--- nsaserefpolicy/policy/modules/system/application.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/application.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/application.if 2009-07-29 21:34:35.000000000 -0400
@@ -2,7 +2,7 @@
########################################
@@ -20350,9 +18529,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1 application_domain_type:process signull;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.24/policy/modules/system/application.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.25/policy/modules/system/application.te
--- nsaserefpolicy/policy/modules/system/application.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/application.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/application.te 2009-07-29 21:34:35.000000000 -0400
@@ -7,7 +7,18 @@
# Executables to be run by user
attribute application_exec_type;
@@ -20372,9 +18551,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ sudo_sigchld(application_domain_type)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.6.24/policy/modules/system/authlogin.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.6.25/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/authlogin.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/authlogin.fc 2009-07-29 21:34:35.000000000 -0400
@@ -7,12 +7,10 @@
/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
@@ -20400,9 +18579,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.24/policy/modules/system/authlogin.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.25/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/authlogin.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/authlogin.if 2009-07-29 21:34:35.000000000 -0400
@@ -40,17 +40,76 @@
## </summary>
## </param>
@@ -20702,9 +18881,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.24/policy/modules/system/authlogin.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.25/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/authlogin.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/authlogin.te 2009-07-29 21:34:35.000000000 -0400
@@ -125,9 +125,18 @@
')
@@ -20724,9 +18903,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# PAM local policy
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.24/policy/modules/system/fstools.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.25/policy/modules/system/fstools.fc
--- nsaserefpolicy/policy/modules/system/fstools.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/fstools.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/fstools.fc 2009-07-29 21:34:35.000000000 -0400
@@ -1,4 +1,3 @@
-/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -20740,9 +18919,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.6.24/policy/modules/system/fstools.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.6.25/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/fstools.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/fstools.te 2009-07-29 21:34:35.000000000 -0400
@@ -97,6 +97,10 @@
fs_getattr_tmpfs_dirs(fsadm_t)
fs_read_tmpfs_symlinks(fsadm_t)
@@ -20771,9 +18950,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ xen_rw_image_files(fsadm_t)
')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.6.24/policy/modules/system/hostname.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.6.25/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/hostname.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/hostname.te 2009-07-29 21:34:35.000000000 -0400
@@ -8,7 +8,9 @@
type hostname_t;
@@ -20785,9 +18964,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
role system_r types hostname_t;
########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.24/policy/modules/system/init.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.25/policy/modules/system/init.fc
--- nsaserefpolicy/policy/modules/system/init.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/init.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/init.fc 2009-07-29 21:34:35.000000000 -0400
@@ -4,10 +4,10 @@
/etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
@@ -20810,9 +18989,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#
# /var
#
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.24/policy/modules/system/init.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.25/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/init.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/init.if 2009-07-29 21:34:35.000000000 -0400
@@ -174,6 +174,7 @@
role system_r types $1;
@@ -21021,9 +19200,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow $1 init_t:unix_dgram_socket sendto;
+ allow init_t $1:unix_dgram_socket sendto;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.24/policy/modules/system/init.te
---- nsaserefpolicy/policy/modules/system/init.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/init.te 2009-07-28 13:42:19.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.25/policy/modules/system/init.te
+--- nsaserefpolicy/policy/modules/system/init.te 2009-07-29 22:34:34.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/init.te 2009-07-29 21:34:35.000000000 -0400
+@@ -1,5 +1,5 @@
+
+-policy_module(init, 1.13.2)
++policy_module(init, 1.13.1)
+
+ gen_require(`
+ class passwd rootok;
@@ -17,6 +17,20 @@
## </desc>
gen_tunable(init_upstart, false)
@@ -21045,7 +19231,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# used for direct running of init scripts
# by admin domains
attribute direct_run_init;
-@@ -88,7 +102,7 @@
+@@ -64,6 +78,7 @@
+ # of the below init_upstart tunable
+ # but this has a typeattribute in it
+ corecmd_shell_entry_type(initrc_t)
++corecmd_bin_entry_type(initrc_t)
+
+ type initrc_devpts_t;
+ term_pty(initrc_devpts_t)
+@@ -88,7 +103,7 @@
#
# Use capabilities. old rule:
@@ -21054,7 +19248,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
-@@ -101,7 +115,7 @@
+@@ -101,7 +116,7 @@
# Re-exec itself
can_exec(init_t, init_exec_t)
@@ -21063,7 +19257,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# For /var/run/shutdown.pid.
allow init_t init_var_run_t:file manage_file_perms;
-@@ -167,6 +181,8 @@
+@@ -167,6 +182,8 @@
miscfiles_read_localization(init_t)
@@ -21072,7 +19266,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
')
-@@ -189,6 +205,14 @@
+@@ -189,6 +206,14 @@
')
optional_policy(`
@@ -21087,7 +19281,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
nscd_socket_use(init_t)
')
-@@ -202,9 +226,10 @@
+@@ -202,9 +227,10 @@
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -21095,11 +19289,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module };
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
-+allow initrc_t self:key { search };
++allow initrc_t self:key manage_key_perms;
# Allow IPC with self
allow initrc_t self:unix_dgram_socket create_socket_perms;
-@@ -217,7 +242,8 @@
+@@ -217,7 +243,8 @@
term_create_pty(initrc_t, initrc_devpts_t)
# Going to single user mode
@@ -21109,7 +19303,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
can_exec(initrc_t, init_script_file_type)
-@@ -230,10 +256,16 @@
+@@ -230,10 +257,16 @@
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -21128,7 +19322,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
init_write_initctl(initrc_t)
-@@ -249,15 +281,19 @@
+@@ -249,15 +282,19 @@
kernel_rw_all_sysctls(initrc_t)
# for lsof which is used by alsa shutdown:
kernel_dontaudit_getattr_message_if(initrc_t)
@@ -21152,7 +19346,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -270,17 +306,22 @@
+@@ -270,17 +307,22 @@
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
@@ -21176,7 +19370,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
fs_write_ramfs_pipes(initrc_t)
-@@ -328,7 +369,7 @@
+@@ -328,7 +370,7 @@
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -21185,7 +19379,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -343,14 +384,15 @@
+@@ -343,14 +385,15 @@
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -21203,7 +19397,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_exec_etc_files(initrc_t)
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
-@@ -366,7 +408,9 @@
+@@ -366,7 +409,9 @@
libs_rw_ld_so_cache(initrc_t)
libs_exec_lib_files(initrc_t)
@@ -21213,7 +19407,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(initrc_t)
logging_manage_generic_logs(initrc_t)
logging_read_all_logs(initrc_t)
-@@ -451,11 +495,9 @@
+@@ -425,8 +470,6 @@
+ # init scripts touch this
+ clock_dontaudit_write_adjtime(initrc_t)
+
+- logging_send_audit_msgs(initrc_t)
+-
+ # for integrated run_init to read run_init_type.
+ # happens during boot (/sbin/rc execs init scripts)
+ seutil_read_default_contexts(initrc_t)
+@@ -453,11 +496,9 @@
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -21226,7 +19429,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# These seem to be from the initrd
# during device initialization:
dev_create_generic_dirs(initrc_t)
-@@ -465,6 +507,7 @@
+@@ -467,6 +508,7 @@
storage_raw_read_fixed_disk(initrc_t)
storage_raw_write_fixed_disk(initrc_t)
@@ -21234,7 +19437,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
# wants to read /.fonts directory
-@@ -498,6 +541,7 @@
+@@ -500,6 +542,7 @@
optional_policy(`
#for /etc/rc.d/init.d/nfs to create /etc/exports
rpc_write_exports(initrc_t)
@@ -21242,7 +19445,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -516,6 +560,33 @@
+@@ -518,6 +561,33 @@
')
')
@@ -21276,7 +19479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -570,6 +641,10 @@
+@@ -572,6 +642,10 @@
dbus_read_config(initrc_t)
optional_policy(`
@@ -21287,7 +19490,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
networkmanager_dbus_chat(initrc_t)
')
')
-@@ -591,6 +666,10 @@
+@@ -593,6 +667,10 @@
')
optional_policy(`
@@ -21298,7 +19501,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_read_usbfs(initrc_t)
# init scripts run /etc/hotplug/usb.rc
-@@ -647,20 +726,20 @@
+@@ -649,20 +727,20 @@
')
optional_policy(`
@@ -21325,7 +19528,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
ifdef(`distro_redhat',`
-@@ -669,6 +748,7 @@
+@@ -671,6 +749,7 @@
mysql_stream_connect(initrc_t)
mysql_write_log(initrc_t)
@@ -21333,7 +19536,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -719,8 +799,6 @@
+@@ -699,7 +778,6 @@
+ ')
+
+ optional_policy(`
+- corecmd_shell_entry_type(initrc_t)
+ fs_write_ramfs_sockets(initrc_t)
+ fs_search_ramfs(initrc_t)
+
+@@ -721,8 +799,6 @@
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -21342,7 +19553,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -733,10 +811,12 @@
+@@ -735,10 +811,12 @@
squid_manage_logs(initrc_t)
')
@@ -21355,7 +19566,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -754,6 +834,11 @@
+@@ -756,6 +834,11 @@
uml_setattr_util_sockets(initrc_t)
')
@@ -21367,7 +19578,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
unconfined_domain(initrc_t)
-@@ -765,6 +850,13 @@
+@@ -767,6 +850,13 @@
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -21381,7 +19592,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -790,3 +882,35 @@
+@@ -792,3 +882,31 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -21399,10 +19610,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+
+optional_policy(`
-+ rpm_dontaudit_rw_pipes(daemon)
-+')
-+
-+optional_policy(`
+ xserver_rw_xdm_home_files(daemon)
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_dontaudit_rw_nfs_files(daemon)
@@ -21417,18 +19624,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ fail2ban_read_lib_files(daemon)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.6.24/policy/modules/system/ipsec.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.6.25/policy/modules/system/ipsec.fc
--- nsaserefpolicy/policy/modules/system/ipsec.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/ipsec.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/ipsec.fc 2009-07-29 21:34:35.000000000 -0400
@@ -1,3 +1,5 @@
+/etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
+
/etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
/etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
/etc/racoon/psk\.txt -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.6.24/policy/modules/system/ipsec.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.6.25/policy/modules/system/ipsec.if
--- nsaserefpolicy/policy/modules/system/ipsec.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/ipsec.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/ipsec.if 2009-07-29 21:34:35.000000000 -0400
@@ -229,3 +229,28 @@
ipsec_domtrans_setkey($1)
role $2 types setkey_t;
@@ -21458,9 +19665,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ipsec_domtrans_racoon($1)
+ role $2 types racoon_t;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.24/policy/modules/system/ipsec.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.25/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/ipsec.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/ipsec.te 2009-07-29 21:34:35.000000000 -0400
@@ -15,6 +15,9 @@
type ipsec_conf_file_t;
files_type(ipsec_conf_file_t)
@@ -21561,9 +19768,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# allow setkey to set the context for ipsec SAs and policy.
ipsec_setcontext_default_spd(setkey_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.24/policy/modules/system/iptables.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.25/policy/modules/system/iptables.fc
--- nsaserefpolicy/policy/modules/system/iptables.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/iptables.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/iptables.fc 2009-07-29 21:34:35.000000000 -0400
@@ -1,9 +1,10 @@
-/sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
@@ -21580,9 +19787,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/var/lib/shorewall(/.*)? -- gen_context(system_u:object_r:iptables_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.24/policy/modules/system/iptables.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.25/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/iptables.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/iptables.te 2009-07-29 21:34:35.000000000 -0400
@@ -53,6 +53,7 @@
mls_file_read_all_levels(iptables_t)
@@ -21602,9 +19809,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rhgb_dontaudit_use_ptys(iptables_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-3.6.24/policy/modules/system/iscsi.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-3.6.25/policy/modules/system/iscsi.if
--- nsaserefpolicy/policy/modules/system/iscsi.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/iscsi.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/iscsi.if 2009-07-29 21:34:35.000000000 -0400
@@ -17,3 +17,43 @@
domtrans_pattern($1, iscsid_exec_t, iscsid_t)
@@ -21649,9 +19856,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ stream_connect_pattern($1,iscsi_var_lib_t,iscsi_var_lib_t,iscsid_t)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.24/policy/modules/system/iscsi.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.25/policy/modules/system/iscsi.te
--- nsaserefpolicy/policy/modules/system/iscsi.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/iscsi.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/iscsi.te 2009-07-29 21:34:35.000000000 -0400
@@ -55,6 +55,7 @@
files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
@@ -21675,9 +19882,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-sysnet_dns_name_resolve(iscsid_t)
+miscfiles_read_localization(iscsid_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.24/policy/modules/system/libraries.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.25/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/libraries.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/libraries.fc 2009-07-29 23:41:18.000000000 -0400
@@ -60,12 +60,15 @@
#
# /opt
@@ -21719,7 +19926,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/(.*/)?java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
-@@ -115,25 +121,35 @@
+@@ -115,25 +121,29 @@
/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -21732,32 +19939,38 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib64/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib64/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
-+/usr/lib(64)?/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
/usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/fglrx/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -169,11 +185,13 @@
+@@ -143,7 +153,6 @@
+ /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+-/usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/X11R6/lib/libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ /usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -169,11 +178,13 @@
# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -21772,33 +19985,44 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -188,12 +206,15 @@
- /usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -185,15 +196,13 @@
+ /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/X11R6/lib/libOSMesa\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/X11R6/lib/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/X11R6/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libHermes\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/valgrind/hp2ps -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/valgrind/stage2 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -234,7 +255,7 @@
+@@ -228,31 +237,24 @@
+ /usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libImlib2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/ocaml/stublibs/dllnums\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/httpd/modules/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/php/modules/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
-/usr/lib(64)?.*/libmpg123\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -247,12 +268,13 @@
+-/usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libavcodec.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libavutil.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/xine/plugins/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# Flash plugin, Macromedia
HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -21814,7 +20038,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Jai, Sun Microsystems (Jpackage SPRM)
/usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -268,6 +290,9 @@
+@@ -268,6 +270,9 @@
/usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -21824,7 +20048,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Java, Sun Microsystems (JPackage SRPM)
/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -292,6 +317,8 @@
+@@ -292,6 +297,8 @@
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -21833,7 +20057,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') dnl end distro_redhat
#
-@@ -304,10 +331,50 @@
+@@ -304,10 +311,74 @@
/var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0)
@@ -21849,7 +20073,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
+
-+/usr/lib(64)?/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libmythavcodec-[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -21859,8 +20082,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+/opt/novell/groupwise/client/lib/libgwapijni\.so\.1 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
-+/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
+/usr/lib(64)?/sse2/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/i686/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -21871,6 +20092,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib/oracle/.*/lib/libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/opt/(.*/)?oracle/(.*/)?libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libnnz11.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/opt/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -21884,9 +20106,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib(64)?/ICAClient/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/midori/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.6.24/policy/modules/system/libraries.if
++
++
++
++ifdef(`fixed',`
++/usr/lib(64)?/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libavcodec.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libavutil.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libImlib2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/X11R6/lib/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.6.25/policy/modules/system/libraries.if
--- nsaserefpolicy/policy/modules/system/libraries.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/libraries.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/libraries.if 2009-07-29 21:34:35.000000000 -0400
@@ -60,7 +60,7 @@
type lib_t, ld_so_t, ld_so_cache_t;
')
@@ -21914,9 +20162,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow $1 lib_t:dir list_dir_perms;
read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.24/policy/modules/system/libraries.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.25/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/libraries.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/libraries.te 2009-07-29 21:34:35.000000000 -0400
@@ -52,11 +52,11 @@
# ldconfig local policy
#
@@ -21962,20 +20210,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`hide_broken_symptoms',`
optional_policy(`
unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
-@@ -116,4 +124,10 @@
- # and executes ldconfig on it. If you dont allow this kernel installs
+@@ -117,3 +125,7 @@
# blow up.
rpm_manage_script_tmp_files(ldconfig_t)
-+ # smart package manager needs the following for the same reason
-+ rpm_rw_tmp_files(ldconfig_t)
-+')
+ ')
+
+optional_policy(`
+ unconfined_domain(ldconfig_t)
- ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.24/policy/modules/system/locallogin.te
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.25/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/locallogin.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/locallogin.te 2009-07-29 21:34:35.000000000 -0400
@@ -67,6 +67,7 @@
dev_setattr_power_mgmt_dev(local_login_t)
dev_getattr_sound_dev(local_login_t)
@@ -22054,9 +20299,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-optional_policy(`
- nscd_socket_use(sulogin_t)
-')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.24/policy/modules/system/logging.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.25/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/logging.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/logging.fc 2009-07-29 21:34:35.000000000 -0400
@@ -53,15 +53,18 @@
/var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0)
')
@@ -22080,9 +20325,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.24/policy/modules/system/logging.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.25/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/logging.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/logging.if 2009-07-29 21:34:35.000000000 -0400
@@ -623,7 +623,7 @@
')
@@ -22101,9 +20346,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.24/policy/modules/system/logging.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.25/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/logging.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/logging.te 2009-07-29 21:34:35.000000000 -0400
@@ -126,7 +126,7 @@
allow auditd_t self:process { signal_perms setpgid setsched };
allow auditd_t self:file rw_file_perms;
@@ -22196,9 +20441,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.24/policy/modules/system/lvm.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.25/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/lvm.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/lvm.te 2009-07-29 21:34:35.000000000 -0400
@@ -10,6 +10,9 @@
type clvmd_exec_t;
init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -22285,9 +20530,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
modutils_domtrans_insmod(lvm_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.24/policy/modules/system/miscfiles.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.25/policy/modules/system/miscfiles.if
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/miscfiles.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/miscfiles.if 2009-07-29 21:34:35.000000000 -0400
@@ -87,6 +87,25 @@
########################################
@@ -22314,9 +20559,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to write fonts.
## </summary>
## <param name="domain">
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.24/policy/modules/system/modutils.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.25/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/modutils.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/modutils.te 2009-07-29 21:34:35.000000000 -0400
@@ -42,7 +42,7 @@
# insmod local policy
#
@@ -22399,15 +20644,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
hotplug_search_config(insmod_t)
')
-@@ -154,6 +168,7 @@
-
- optional_policy(`
- rpm_rw_pipes(insmod_t)
-+ rpm_read_script_tmp_files(insmod_t)
- ')
-
- optional_policy(`
-@@ -184,6 +199,7 @@
+@@ -184,6 +198,7 @@
files_read_kernel_symbol_table(depmod_t)
files_read_kernel_modules(depmod_t)
@@ -22415,7 +20652,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_getattr_xattr_fs(depmod_t)
-@@ -214,7 +230,13 @@
+@@ -214,7 +229,13 @@
')
optional_policy(`
@@ -22429,9 +20666,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
#################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.6.24/policy/modules/system/mount.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.6.25/policy/modules/system/mount.fc
--- nsaserefpolicy/policy/modules/system/mount.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/mount.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/mount.fc 2009-07-29 21:34:35.000000000 -0400
@@ -1,4 +1,9 @@
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
@@ -22443,66 +20680,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.24/policy/modules/system/mount.if
---- nsaserefpolicy/policy/modules/system/mount.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/mount.if 2009-07-28 13:42:19.000000000 -0400
-@@ -43,9 +43,11 @@
-
- mount_domtrans($1)
- role $2 types mount_t;
-+ #Leaked File Descriptors
-+ dontaudit mount_t $1:unix_stream_socket rw_socket_perms;
-
- optional_policy(`
-- samba_run_smbmount($1, $2)
-+ samba_run_smbmount($1, $2, $3)
- ')
- ')
-
-@@ -159,3 +161,21 @@
- mount_domtrans_unconfined($1)
- role $2 types unconfined_mount_t;
- ')
-+
-+########################################
-+## <summary>
-+## Send signal to mount process
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## The type of the process performing this action.
-+## </summary>
-+## </param>
-+#
-+interface(`mount_signal',`
-+ gen_require(`
-+ type mount_t;
-+ ')
-+
-+ allow $1 mount_t:process signal;
-+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.24/policy/modules/system/mount.te
---- nsaserefpolicy/policy/modules/system/mount.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/mount.te 2009-07-28 14:16:41.000000000 -0400
-@@ -18,17 +18,22 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.25/policy/modules/system/mount.te
+--- nsaserefpolicy/policy/modules/system/mount.te 2009-07-29 15:15:33.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/mount.te 2009-07-29 22:27:56.000000000 -0400
+@@ -18,8 +18,12 @@
init_system_domain(mount_t, mount_exec_t)
role system_r types mount_t;
--type mount_loopback_t; # customizable
--files_type(mount_loopback_t)
+typealias mount_t alias mount_ntfs_t;
+typealias mount_exec_t alias mount_ntfs_exec_t;
+
-+type mount_loop_t; # customizable
-+files_type(mount_loop_t)
-+typealias mount_loop_t alias mount_loopback_t;
+ type mount_loopback_t; # customizable
+ files_type(mount_loopback_t)
++typealias mount_loopback_t alias mount_loop_t;
type mount_tmp_t;
files_tmp_file(mount_tmp_t)
-
--# causes problems with interfaces when
--# this is optionally declared in monolithic
--# policy--duplicate type declaration
+@@ -29,6 +33,10 @@
+ # policy--duplicate type declaration
type unconfined_mount_t;
application_domain(unconfined_mount_t, mount_exec_t)
+role system_r types unconfined_mount_t;
@@ -22512,20 +20707,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
-@@ -36,9 +41,10 @@
+@@ -36,7 +44,11 @@
#
# setuid/setgid needed to mount cifs
-allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
+allow mount_t self:capability { fsetid ipc_lock sys_rawio sys_resource sys_admin dac_override chown sys_tty_config setuid setgid };
+allow mount_t self:process { ptrace signal };
++allow mount_t self:fifo_file rw_fifo_file_perms;
++allow mount_t self:unix_stream_socket create_stream_socket_perms;
++allow mount_t self:unix_dgram_socket create_socket_perms;
--allow mount_t mount_loopback_t:file read_file_perms;
-+allow mount_t mount_loop_t:file read_file_perms;
+ allow mount_t mount_loopback_t:file read_file_perms;
- allow mount_t mount_tmp_t:file manage_file_perms;
- allow mount_t mount_tmp_t:dir manage_dir_perms;
-@@ -47,12 +53,25 @@
+@@ -47,12 +59,25 @@
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
@@ -22551,7 +20746,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_rw_lvm_control(mount_t)
dev_dontaudit_getattr_all_chr_files(mount_t)
dev_dontaudit_getattr_memory_dev(mount_t)
-@@ -62,16 +81,19 @@
+@@ -62,16 +87,19 @@
storage_raw_write_fixed_disk(mount_t)
storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)
@@ -22574,7 +20769,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
term_use_all_terms(mount_t)
-@@ -79,6 +101,7 @@
+@@ -79,6 +107,7 @@
corecmd_exec_bin(mount_t)
domain_use_interactive_fds(mount_t)
@@ -22582,7 +20777,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_search_all(mount_t)
files_read_etc_files(mount_t)
-@@ -87,7 +110,7 @@
+@@ -87,7 +116,7 @@
files_mounton_all_mountpoints(mount_t)
files_unmount_rootfs(mount_t)
# These rules need to be generalized. Only admin, initrc should have it:
@@ -22591,7 +20786,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_mount_all_file_type_fs(mount_t)
files_unmount_all_file_type_fs(mount_t)
# for when /etc/mtab loses its type
-@@ -100,6 +123,8 @@
+@@ -100,6 +129,8 @@
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@@ -22600,7 +20795,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_use_nsswitch(mount_t)
-@@ -116,6 +141,7 @@
+@@ -116,6 +147,7 @@
seutil_read_config(mount_t)
userdom_use_all_users_fds(mount_t)
@@ -22608,8 +20803,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`distro_redhat',`
optional_policy(`
-@@ -133,7 +159,7 @@
+@@ -131,9 +163,13 @@
+ ')
+ ')
++corecmd_exec_shell(mount_t)
++
++modutils_domtrans_insmod(mount_t)
++
tunable_policy(`allow_mount_anyfile',`
auth_read_all_dirs_except_shadow(mount_t)
- auth_read_all_files_except_shadow(mount_t)
@@ -22617,32 +20818,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_mounton_non_security(mount_t)
')
-@@ -141,16 +167,16 @@
- # for nfs
- corenet_all_recvfrom_unlabeled(mount_t)
- corenet_all_recvfrom_netlabel(mount_t)
-- corenet_tcp_sendrecv_all_if(mount_t)
-- corenet_raw_sendrecv_all_if(mount_t)
-- corenet_udp_sendrecv_all_if(mount_t)
-- corenet_tcp_sendrecv_all_nodes(mount_t)
-- corenet_raw_sendrecv_all_nodes(mount_t)
-- corenet_udp_sendrecv_all_nodes(mount_t)
-+ corenet_tcp_sendrecv_generic_if(mount_t)
-+ corenet_raw_sendrecv_generic_if(mount_t)
-+ corenet_udp_sendrecv_generic_if(mount_t)
-+ corenet_tcp_sendrecv_generic_node(mount_t)
-+ corenet_raw_sendrecv_generic_node(mount_t)
-+ corenet_udp_sendrecv_generic_node(mount_t)
- corenet_tcp_sendrecv_all_ports(mount_t)
- corenet_udp_sendrecv_all_ports(mount_t)
-- corenet_tcp_bind_all_nodes(mount_t)
-- corenet_udp_bind_all_nodes(mount_t)
-+ corenet_tcp_bind_generic_node(mount_t)
-+ corenet_udp_bind_generic_node(mount_t)
- corenet_tcp_bind_generic_port(mount_t)
- corenet_udp_bind_generic_port(mount_t)
- corenet_tcp_bind_reserved_port(mount_t)
-@@ -164,6 +190,8 @@
+@@ -164,6 +200,8 @@
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -22651,7 +20827,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -171,6 +199,15 @@
+@@ -171,6 +209,21 @@
')
optional_policy(`
@@ -22664,10 +20840,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+
+optional_policy(`
++ hal_write_log(mount_t)
++ hal_use_fds(mount_t)
++ hal_dontaudit_rw_pipes(mount_t)
++')
++
++optional_policy(`
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -178,6 +215,11 @@
+@@ -178,6 +231,11 @@
')
')
@@ -22679,7 +20861,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# for kernel package installation
optional_policy(`
rpm_rw_pipes(mount_t)
-@@ -185,14 +227,23 @@
+@@ -185,6 +243,7 @@
optional_policy(`
samba_domtrans_smbmount(mount_t)
@@ -22687,28 +20869,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
- #
--# Unconfined mount local policy
-+# ntfs local policy
- #
-+allow mount_t self:fifo_file rw_fifo_file_perms;
-+allow mount_t self:unix_stream_socket create_stream_socket_perms;
-+allow mount_t self:unix_dgram_socket create_socket_perms;
-+
-+corecmd_exec_shell(mount_t)
-+
-+modutils_domtrans_insmod(mount_t)
+@@ -194,5 +253,8 @@
optional_policy(`
-- files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
+ files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
- unconfined_domain(unconfined_mount_t)
-+ hal_write_log(mount_t)
-+ hal_use_fds(mount_t)
-+ hal_dontaudit_rw_pipes(mount_t)
++ unconfined_domain_noaudit(unconfined_mount_t)
++
++ rpc_domtrans_rpcd(unconfined_mount_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.6.24/policy/modules/system/selinuxutil.fc
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.6.25/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/selinuxutil.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/selinuxutil.fc 2009-07-29 21:34:35.000000000 -0400
@@ -6,13 +6,13 @@
/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
@@ -22747,9 +20920,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.24/policy/modules/system/selinuxutil.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.25/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/selinuxutil.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/selinuxutil.if 2009-07-29 21:34:35.000000000 -0400
@@ -535,6 +535,53 @@
########################################
@@ -22882,7 +21055,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Full management of the semanage
## module store.
## </summary>
-@@ -1139,3 +1234,255 @@
+@@ -1139,3 +1234,251 @@
selinux_dontaudit_get_fs_mount($1)
seutil_dontaudit_read_config($1)
')
@@ -23018,10 +21191,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ userdom_dontaudit_write_user_home_content_files($1)
+
-+ optional_policy(`
-+ rpm_dontaudit_rw_tmp_files($1)
-+ rpm_dontaudit_rw_pipes($1)
-+ ')
+')
+
+
@@ -23138,9 +21307,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ hotplug_use_fds($1)
+')
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.24/policy/modules/system/selinuxutil.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.25/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/selinuxutil.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/selinuxutil.te 2009-07-29 21:34:35.000000000 -0400
@@ -23,6 +23,9 @@
type selinux_config_t;
files_type(selinux_config_t)
@@ -23504,9 +21673,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- hotplug_use_fds(setfiles_t)
+ unconfined_domain(setfiles_mac_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.6.24/policy/modules/system/setrans.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.6.25/policy/modules/system/setrans.if
--- nsaserefpolicy/policy/modules/system/setrans.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/setrans.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/setrans.if 2009-07-29 21:34:35.000000000 -0400
@@ -21,3 +21,23 @@
stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, setrans_t)
files_list_pids($1)
@@ -23531,9 +21700,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ init_labeled_script_domtrans($1, setrans_initrc_exec_t)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.6.24/policy/modules/system/sysnetwork.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.6.25/policy/modules/system/sysnetwork.fc
--- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/sysnetwork.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/sysnetwork.fc 2009-07-29 21:34:35.000000000 -0400
@@ -11,15 +11,20 @@
/etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
@@ -23562,9 +21731,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
+
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.24/policy/modules/system/sysnetwork.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.25/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/sysnetwork.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/sysnetwork.if 2009-07-29 21:34:35.000000000 -0400
@@ -43,6 +43,39 @@
sysnet_domtrans_dhcpc($1)
@@ -23733,9 +21902,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ role_transition $1 dhcpc_exec_t system_r;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.24/policy/modules/system/sysnetwork.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.25/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/sysnetwork.te 2009-07-28 14:15:06.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/sysnetwork.te 2009-07-29 21:34:35.000000000 -0400
@@ -20,6 +20,9 @@
init_daemon_domain(dhcpc_t, dhcpc_exec_t)
role system_r types dhcpc_t;
@@ -23934,9 +22103,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ hal_dontaudit_rw_pipes(ifconfig_t)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.6.24/policy/modules/system/udev.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.6.25/policy/modules/system/udev.fc
--- nsaserefpolicy/policy/modules/system/udev.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/udev.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/udev.fc 2009-07-29 21:34:35.000000000 -0400
@@ -7,6 +7,9 @@
/etc/hotplug\.d/default/udev.* -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
@@ -23947,9 +22116,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.24/policy/modules/system/udev.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.25/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/udev.te 2009-07-28 14:15:17.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/udev.te 2009-07-29 21:34:35.000000000 -0400
@@ -50,6 +50,7 @@
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -24061,9 +22230,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_write_xen_state(udev_t)
kernel_read_xen_state(udev_t)
xen_manage_log(udev_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.6.24/policy/modules/system/unconfined.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.6.25/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/unconfined.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/unconfined.fc 2009-07-29 21:34:35.000000000 -0400
@@ -1,16 +1 @@
# Add programs here which should not be confined by SELinux
-# e.g.:
@@ -24081,9 +22250,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-ifdef(`distro_gentoo',`
-/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.24/policy/modules/system/unconfined.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.25/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/unconfined.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/unconfined.if 2009-07-29 21:34:35.000000000 -0400
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@@ -24577,9 +22746,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-
- allow $1 unconfined_t:dbus acquire_svc;
-')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.24/policy/modules/system/unconfined.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.25/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/unconfined.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/unconfined.te 2009-07-29 21:34:35.000000000 -0400
@@ -1,231 +1,9 @@
-policy_module(unconfined, 3.0.0)
@@ -24814,9 +22983,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- hal_dbus_chat(unconfined_execmem_t)
- ')
-')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.24/policy/modules/system/userdomain.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.25/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/userdomain.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/userdomain.fc 2009-07-29 21:34:35.000000000 -0400
@@ -1,4 +1,7 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
@@ -24826,9 +22995,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
+/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0)
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.24/policy/modules/system/userdomain.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.25/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/userdomain.if 2009-07-28 14:32:30.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/userdomain.if 2009-07-29 22:34:20.000000000 -0400
@@ -30,8 +30,9 @@
')
@@ -25423,8 +23592,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
- hal_dbus_chat($1_t)
+ devicekit_dbus_chat($1_usertype)
-+ devicekit_power_dbus_chat($1_usertype)
-+ devicekit_disk_dbus_chat($1_usertype)
++ devicekit_dbus_chat_disk($1_usertype)
++ devicekit_dbus_chat_power($1_usertype)
')
optional_policy(`
@@ -25752,8 +23921,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ optional_policy(`
+ devicekit_dbus_chat($1_usertype)
-+ devicekit_power_dbus_chat($1_usertype)
-+ devicekit_disk_dbus_chat($1_usertype)
++ devicekit_dbus_chat_disk($1_usertype)
++ devicekit_dbus_chat_power($1_usertype)
')
optional_policy(`
@@ -26683,9 +24852,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow $1 user_home_dir_t:dir search_dir_perms;
+ files_search_home($1)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.24/policy/modules/system/userdomain.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.25/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/userdomain.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/userdomain.te 2009-07-29 21:34:35.000000000 -0400
@@ -8,13 +8,6 @@
## <desc>
@@ -26771,216 +24940,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+allow userdomain userdomain:process signull;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.fc serefpolicy-3.6.24/policy/modules/system/virtual.fc
---- nsaserefpolicy/policy/modules/system/virtual.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/system/virtual.fc 2009-07-28 13:42:19.000000000 -0400
-@@ -0,0 +1 @@
-+# No application file contexts.
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.if serefpolicy-3.6.24/policy/modules/system/virtual.if
---- nsaserefpolicy/policy/modules/system/virtual.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/system/virtual.if 2009-07-28 13:42:19.000000000 -0400
-@@ -0,0 +1,119 @@
-+## <summary>Virtual machine emulator and virtualizer</summary>
-+
-+########################################
-+## <summary>
-+## Make the specified type a virtual domain
-+## </summary>
-+## <desc>
-+## <p>
-+## Make the specified type a virtual domain
-+## </p>
-+## <p>
-+## Gives the basic access required for a virtual operatins system
-+## </p>
-+## </desc>
-+## <param name="type">
-+## <summary>
-+## Type granted access
-+## </summary>
-+## </param>
-+#
-+interface(`virtual_domain',`
-+ gen_require(`
-+ attribute virtualdomain;
-+ ')
-+
-+ typeattribute $1 virtualdomain;
-+
-+ # start with basic domain
-+ domain_type($1)
-+
-+ # could be started by libvirt
-+ domain_user_exemption_target($1)
-+
-+ optional_policy(`
-+ xserver_common_app($1)
-+ ')
-+
-+')
-+
-+########################################
-+## <summary>
-+## Make the specified type usable as a virtual os image
-+## </summary>
-+## <param name="type">
-+## <summary>
-+## Type to be used as a virtual image
-+## </summary>
-+## </param>
-+#
-+interface(`virtual_image',`
-+ gen_require(`
-+ attribute virtual_image_type;
-+ ')
-+
-+ typeattribute $1 virtual_image_type;
-+ files_type($1)
-+
-+ # virt images can be assigned to blk devices
-+ dev_node($1)
-+')
-+
-+########################################
-+## <summary>
-+## Allow domain to manage virt image files
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`virtual_manage_image',`
-+ gen_require(`
-+ attribute virtual_image_type;
-+ ')
-+
-+ manage_dirs_pattern($1, virtual_image_type, virtual_image_type)
-+ manage_files_pattern($1, virtual_image_type, virtual_image_type)
-+ manage_lnk_files_pattern($1, virtual_image_type, virtual_image_type)
-+ rw_blk_files_pattern($1, virtual_image_type, virtual_image_type)
-+')
-+
-+########################################
-+## <summary>
-+## Allow domain to relabel virt image files
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`virtual_image_relabel',`
-+ gen_require(`
-+ attribute virtual_image_type;
-+ ')
-+
-+ allow $1 virtual_image_type:file { relabelfrom relabelto };
-+ allow $1 virtual_image_type:blk_file { relabelfrom relabelto };
-+')
-+
-+########################################
-+## <summary>
-+## Allow domain to transition and control virtualdomain
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`virtual_transition',`
-+ gen_require(`
-+ attribute virtualdomain;
-+ ')
-+
-+ allow $1 virtualdomain:process { setsched transition signal signull sigkill };
-+')
-+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.24/policy/modules/system/virtual.te
---- nsaserefpolicy/policy/modules/system/virtual.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/system/virtual.te 2009-07-28 13:42:19.000000000 -0400
-@@ -0,0 +1,75 @@
-+
-+policy_module(virtualization, 1.1.2)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+attribute virtualseparateddomain;
-+attribute virtualdomain;
-+attribute virtual_image_type;
-+
-+########################################
-+#
-+# qemu common policy
-+#
-+
-+allow virtualdomain self:capability { kill dac_read_search dac_override };
-+allow virtualdomain self:process { execstack execmem signal getsched signull };
-+
-+allow virtualdomain self:fifo_file rw_file_perms;
-+allow virtualdomain self:shm create_shm_perms;
-+allow virtualdomain self:unix_stream_socket create_stream_socket_perms;
-+allow virtualdomain self:unix_dgram_socket { create_socket_perms sendto };
-+allow virtualdomain self:tcp_socket create_stream_socket_perms;
-+
-+kernel_read_system_state(virtualdomain)
-+
-+corenet_all_recvfrom_unlabeled(virtualdomain)
-+corenet_all_recvfrom_netlabel(virtualdomain)
-+corenet_tcp_sendrecv_generic_if(virtualdomain)
-+corenet_tcp_sendrecv_generic_node(virtualdomain)
-+corenet_tcp_sendrecv_all_ports(virtualdomain)
-+corenet_tcp_bind_generic_node(virtualdomain)
-+corenet_tcp_bind_vnc_port(virtualdomain)
-+corenet_rw_tun_tap_dev(virtualdomain)
-+
-+dev_read_sound(virtualdomain)
-+dev_write_sound(virtualdomain)
-+dev_rw_ksm(virtualdomain)
-+dev_rw_kvm(virtualdomain)
-+dev_rw_qemu(virtualdomain)
-+
-+domain_use_interactive_fds(virtualdomain)
-+
-+files_read_etc_files(virtualdomain)
-+files_read_usr_files(virtualdomain)
-+files_read_var_files(virtualdomain)
-+files_search_all(virtualdomain)
-+
-+fs_rw_anon_inodefs_files(virtualdomain)
-+fs_rw_tmpfs_files(virtualdomain)
-+
-+term_use_all_terms(virtualdomain)
-+term_getattr_pty_fs(virtualdomain)
-+term_use_generic_ptys(virtualdomain)
-+term_use_ptmx(virtualdomain)
-+
-+auth_use_nsswitch(virtualdomain)
-+
-+logging_send_syslog_msg(virtualdomain)
-+
-+miscfiles_read_localization(virtualdomain)
-+
-+optional_policy(`
-+ virt_read_config(virtualdomain)
-+ virt_read_lib_files(virtualdomain)
-+ virt_read_content(virtualdomain)
-+')
-+
-+optional_policy(`
-+ xserver_read_xdm_tmp_files(virtualdomain)
-+ xserver_read_xdm_pid(virtualdomain)
-+ xserver_rw_shm(virtualdomain)
-+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.6.24/policy/modules/system/xen.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.6.25/policy/modules/system/xen.fc
--- nsaserefpolicy/policy/modules/system/xen.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/xen.fc 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/xen.fc 2009-07-29 21:34:35.000000000 -0400
@@ -1,5 +1,7 @@
/dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0)
@@ -27008,9 +24970,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
/var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.6.24/policy/modules/system/xen.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.6.25/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/xen.if 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/xen.if 2009-07-29 21:34:35.000000000 -0400
@@ -71,6 +71,8 @@
')
@@ -27083,9 +25045,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ files_search_pids($1)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.24/policy/modules/system/xen.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.25/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/xen.te 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/xen.te 2009-07-29 21:34:35.000000000 -0400
@@ -6,6 +6,13 @@
# Declarations
#
@@ -27380,9 +25342,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+libs_use_ld_so(evtchnd_t)
+libs_use_shared_libs(evtchnd_t)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.24/policy/support/obj_perm_sets.spt
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.25/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/support/obj_perm_sets.spt 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/support/obj_perm_sets.spt 2009-07-29 21:34:35.000000000 -0400
@@ -201,7 +201,7 @@
define(`setattr_file_perms',`{ setattr }')
define(`read_file_perms',`{ getattr open read lock ioctl }')
@@ -27415,9 +25377,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
+
+define(`manage_key_perms', `{ create link read search setattr view write } ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.24/policy/users
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.25/policy/users
--- nsaserefpolicy/policy/users 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/users 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/users 2009-07-29 21:34:35.000000000 -0400
@@ -25,11 +25,8 @@
# permit any access to such users, then remove this entry.
#
@@ -27442,9 +25404,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-')
+gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.6.24/Rules.modular
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.6.25/Rules.modular
--- nsaserefpolicy/Rules.modular 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/Rules.modular 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/Rules.modular 2009-07-29 21:34:35.000000000 -0400
@@ -73,8 +73,8 @@
$(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
@echo "Compliling $(NAME) $(@F) module"
@@ -27474,9 +25436,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rul
$(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.6.24/support/Makefile.devel
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.6.25/support/Makefile.devel
--- nsaserefpolicy/support/Makefile.devel 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/support/Makefile.devel 2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/support/Makefile.devel 2009-07-29 21:34:35.000000000 -0400
@@ -185,8 +185,7 @@
tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te
@$(EINFO) "Compiling $(NAME) $(basename $(@F)) module"