diff --git a/policy-F13.patch b/policy-F13.patch
index a2e0042..4a2d764 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -765,7 +765,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.7.1/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/admin/rpm.if 2009-11-18 16:19:24.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/admin/rpm.if 2009-11-24 07:35:57.000000000 -0500
@@ -13,11 +13,34 @@
interface(`rpm_domtrans',`
gen_require(`
@@ -813,7 +813,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_run_loadpolicy(rpm_script_t, $2)
seutil_run_semanage(rpm_script_t, $2)
seutil_run_setfiles(rpm_script_t, $2)
-@@ -146,6 +174,41 @@
+@@ -146,6 +174,42 @@
########################################
##
@@ -848,6 +848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
+ dontaudit $1 rpm_tmpfs_t:file write_file_perms;
+ dontaudit $1 rpm_script_tmp_t:file write_file_perms;
++ dontaudit $1 rpm_var_lib_t:file { read write };
+')
+
+########################################
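Review bot: The new `dontaudit $1 rpm_var_lib_t:file { read write };` extends an interface whose other rules only cover rpm_tmpfs_t and rpm_script_tmp_t, so the interface summary above the hunk presumably no longer describes what it silences. Write attempts on the RPM package database are a denial worth keeping visible, since a confined domain touching it is usually a misconfiguration or something worse; if the noise comes from a known caller, a comment such as `# rpm_var_lib_t: silences <caller>'s read/write of the package db, seen in <audit ref>` lets the next maintainer judge whether the dontaudit should stay. The enclosing interface starts outside the hunk.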
@@ -855,7 +856,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Send and receive messages from
## rpm over dbus.
##
-@@ -167,6 +230,68 @@
+@@ -167,6 +231,68 @@
########################################
##
@@ -924,7 +925,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Create, read, write, and delete the RPM log.
##
##
-@@ -186,6 +311,24 @@
+@@ -186,6 +312,24 @@
########################################
##
@@ -949,7 +950,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Inherit and use file descriptors from RPM scripts.
##
##
-@@ -219,7 +362,51 @@
+@@ -219,7 +363,51 @@
')
files_search_tmp($1)
@@ -1001,7 +1002,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -241,6 +428,25 @@
+@@ -241,6 +429,25 @@
allow $1 rpm_var_lib_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@@ -1027,7 +1028,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -265,6 +471,48 @@
+@@ -265,6 +472,48 @@
########################################
##
@@ -1076,7 +1077,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to create, read,
## write, and delete the RPM package database.
##
-@@ -283,3 +531,99 @@
+@@ -283,3 +532,99 @@
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
@@ -1733,7 +1734,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.1/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/admin/usermanage.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/admin/usermanage.te 2009-11-23 11:11:28.000000000 -0500
@@ -82,6 +82,7 @@
selinux_compute_relabel_context(chfn_t)
selinux_compute_user_contexts(chfn_t)
@@ -1783,7 +1784,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
term_use_all_user_ttys(passwd_t)
term_use_all_user_ptys(passwd_t)
-@@ -333,6 +334,7 @@
+@@ -303,6 +304,7 @@
+
+ # allow checking if a shell is executable
+ corecmd_check_exec_shell(passwd_t)
++corecmd_exec_bin(passwd_t)
+
+ domain_use_interactive_fds(passwd_t)
+
+@@ -333,6 +335,7 @@
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
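Review bot: `corecmd_exec_bin(passwd_t)` now sits directly under the comment `# allow checking if a shell is executable`, which only describes the `corecmd_check_exec_shell(passwd_t)` line above it; executing any bin_t program from a setuid domain that handles credentials is a broader grant than that comment suggests. Give the new line its own why-comment naming the program passwd actually runs, e.g. `# passwd execs <helper> from bin_t`, or narrow it to a domain transition for that helper if one exists. This run of passwd_t rules continues outside the hunk.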
@@ -1791,7 +1800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
nscd_domtrans(passwd_t)
-@@ -382,6 +384,7 @@
+@@ -382,6 +385,7 @@
fs_getattr_xattr_fs(sysadm_passwd_t)
fs_search_auto_mountpoints(sysadm_passwd_t)
@@ -1799,7 +1808,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
term_use_all_user_ttys(sysadm_passwd_t)
term_use_all_user_ptys(sysadm_passwd_t)
-@@ -450,6 +453,7 @@
+@@ -450,6 +454,7 @@
corecmd_exec_bin(useradd_t)
domain_use_interactive_fds(useradd_t)
@@ -1807,7 +1816,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_manage_etc_files(useradd_t)
files_search_var_lib(useradd_t)
-@@ -469,18 +473,16 @@
+@@ -469,18 +474,16 @@
selinux_compute_relabel_context(useradd_t)
selinux_compute_user_contexts(useradd_t)
@@ -1830,7 +1839,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
init_use_fds(useradd_t)
init_rw_utmp(useradd_t)
-@@ -498,10 +500,8 @@
+@@ -498,10 +501,8 @@
userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
@@ -1842,7 +1851,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
mta_manage_spool(useradd_t)
-@@ -525,6 +525,12 @@
+@@ -525,6 +526,12 @@
')
optional_policy(`
@@ -1942,8 +1951,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib(64)?/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.7.1/policy/modules/apps/chrome.if
--- nsaserefpolicy/policy/modules/apps/chrome.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/chrome.if 2009-11-17 11:06:58.000000000 -0500
-@@ -0,0 +1,85 @@
++++ serefpolicy-3.7.1/policy/modules/apps/chrome.if 2009-11-23 10:04:49.000000000 -0500
+@@ -0,0 +1,86 @@
+
+## policy for chrome
+
@@ -1963,6 +1972,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ')
+
+ domtrans_pattern($1,chrome_sandbox_exec_t,chrome_sandbox_t)
++ ps_process_pattern(chrome_sandbox_t, $1)
+')
+
+
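Review bot: `ps_process_pattern(chrome_sandbox_t, $1)` has chrome_sandbox_t as the source argument, so if the pattern follows its usual source/target order it grants the sandbox domain read access to the calling domain's process state rather than the other way round; for a domain whose purpose is containment that direction deserves a one-line justification such as `# sandbox reads the launching domain's /proc entries for <reason>`. The new line also uses spaces after the commas while the `domtrans_pattern($1,chrome_sandbox_exec_t,chrome_sandbox_t)` line above it does not; pick one style within the interface. The enclosing interface starts outside the hunk.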
@@ -2031,8 +2041,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.1/policy/modules/apps/chrome.te
--- nsaserefpolicy/policy/modules/apps/chrome.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/chrome.te 2009-11-18 07:50:28.000000000 -0500
-@@ -0,0 +1,74 @@
++++ serefpolicy-3.7.1/policy/modules/apps/chrome.te 2009-11-23 09:56:06.000000000 -0500
+@@ -0,0 +1,77 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -2072,10 +2082,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
+fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, file)
+
++kernel_read_system_state(chrome_sandbox_t)
+kernel_read_kernel_sysctls(chrome_sandbox_t)
+
+corecmd_exec_bin(chrome_sandbox_t)
+
++domain_dontaudit_read_all_domains_state(chrome_sandbox_t)
++
+dev_read_urand(chrome_sandbox_t)
+
+files_read_etc_files(chrome_sandbox_t)
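Review bot: `domain_dontaudit_read_all_domains_state(chrome_sandbox_t)` silences denials for reading every domain's process state, so attempts by the sandbox to inspect other processes stop appearing in the audit log, which removes a useful detection signal for a confinement domain. Record which access motivated it, e.g. `# dontaudit: sandbox scans /proc for <reason>; see <audit ref>`, and check whether the accompanying `kernel_read_system_state(chrome_sandbox_t)` already covers the legitimate need so the dontaudit can be narrower. This run of chrome_sandbox_t rules continues outside the hunk.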
@@ -2121,8 +2134,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.7.1/policy/modules/apps/execmem.fc
--- nsaserefpolicy/policy/modules/apps/execmem.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/execmem.fc 2009-11-17 11:06:58.000000000 -0500
-@@ -0,0 +1,40 @@
++++ serefpolicy-3.7.1/policy/modules/apps/execmem.fc 2009-11-23 08:54:39.000000000 -0500
+@@ -0,0 +1,41 @@
+/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
@@ -2163,6 +2176,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/opt/likewise/bin/domainjoin-cli -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/opt/google/chrome/chrome -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.7.1/policy/modules/apps/execmem.if
--- nsaserefpolicy/policy/modules/apps/execmem.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.1/policy/modules/apps/execmem.if 2009-11-17 11:06:58.000000000 -0500
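Review bot: `/opt/Komodo-Edit-5/lib/mozilla/komodo-bin` hard-codes one major version in the path, unlike regex entries elsewhere in this file such as `/usr/bin/haddock.*`, so a later Komodo release installed under a different directory silently loses the execmem_exec_t label and runs in the caller's domain instead. If other releases share the layout, a pattern like `/opt/Komodo-Edit-[0-9]+/lib/mozilla/komodo-bin` keeps the label following the install; confirm against the actual package layout before widening it.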
@@ -3080,8 +3094,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.7.1/policy/modules/apps/kdumpgui.te
--- nsaserefpolicy/policy/modules/apps/kdumpgui.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/kdumpgui.te 2009-11-17 11:06:58.000000000 -0500
-@@ -0,0 +1,65 @@
++++ serefpolicy-3.7.1/policy/modules/apps/kdumpgui.te 2009-11-23 09:53:25.000000000 -0500
+@@ -0,0 +1,67 @@
+policy_module(kdumpgui,1.0.0)
+
+########################################
@@ -3131,6 +3145,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+auth_use_nsswitch(kdumpgui_t)
+
++logging_send_syslog_msg(kdumpgui_t)
++
+miscfiles_read_localization(kdumpgui_t)
+
+dontaudit_init_read_all_script_files(kdumpgui_t)
@@ -4360,8 +4376,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+application_domain(openoffice_t, openoffice_exec_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.7.1/policy/modules/apps/podsleuth.te
--- nsaserefpolicy/policy/modules/apps/podsleuth.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/apps/podsleuth.te 2009-11-17 11:06:58.000000000 -0500
-@@ -71,6 +71,8 @@
++++ serefpolicy-3.7.1/policy/modules/apps/podsleuth.te 2009-11-24 18:08:28.000000000 -0500
+@@ -66,11 +66,14 @@
+ fs_search_dos(podsleuth_t)
+ fs_getattr_tmpfs(podsleuth_t)
+ fs_list_tmpfs(podsleuth_t)
++fs_rw_removable_blk_files(podsleuth_t)
+
+ miscfiles_read_localization(podsleuth_t)
sysnet_dns_name_resolve(podsleuth_t)
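Review bot: `fs_rw_removable_blk_files(podsleuth_t)`, by its name, grants read and write on block-device nodes of removable filesystems, which is a wider grant than the getattr/search/list rules around it and, unlike them, allows modifying device contents; the hunk gives no hint which operation needed it. A why-comment such as `# podsleuth writes <what> through device nodes on the mounted media; see <audit ref>` would let a reviewer confirm that the write half is really required rather than read alone. This run of podsleuth_t rules continues outside the hunk.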
@@ -4370,6 +4392,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
dbus_system_bus_client(podsleuth_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.7.1/policy/modules/apps/ptchown.if
+--- nsaserefpolicy/policy/modules/apps/ptchown.if 2009-08-31 13:30:04.000000000 -0400
++++ serefpolicy-3.7.1/policy/modules/apps/ptchown.if 2009-11-24 14:56:10.000000000 -0500
+@@ -18,3 +18,27 @@
+ domtrans_pattern($1, ptchown_exec_t, ptchown_t)
+ ')
+
++########################################
++##
++## Execute ptchown in the ptchown domain, and
++## allow the specified role the ptchown domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed the ptchown domain.
++##
++##
++#
++interface(`ptchown_run',`
++ gen_require(`
++ type ptchown_t;
++ ')
++
++ ptchown_domtrans($1)
++ role $2 types ptchown_t;
++')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.1/policy/modules/apps/pulseaudio.if
--- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2009-08-31 13:30:04.000000000 -0400
+++ serefpolicy-3.7.1/policy/modules/apps/pulseaudio.if 2009-11-17 11:06:58.000000000 -0500
@@ -4771,8 +4824,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.7.1/policy/modules/apps/sambagui.te
--- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/sambagui.te 2009-11-17 11:06:58.000000000 -0500
-@@ -0,0 +1,59 @@
++++ serefpolicy-3.7.1/policy/modules/apps/sambagui.te 2009-11-23 10:38:27.000000000 -0500
+@@ -0,0 +1,60 @@
+policy_module(sambagui,1.0.0)
+
+########################################
@@ -4796,6 +4849,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+samba_append_log(sambagui_t)
+samba_manage_config(sambagui_t)
+samba_manage_var_files(sambagui_t)
++samba_read_secrets(sambagui_t)
+samba_initrc_domtrans(sambagui_t)
+samba_domtrans_smbd(sambagui_t)
+samba_domtrans_nmbd(sambagui_t)
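Review bot: `samba_read_secrets(sambagui_t)` gives the configuration GUI read access to Samba's secrets store, which holds machine-account and similar credentials, and it lands between rules that otherwise cover config, logs and var files; that is a materially more sensitive grant than its neighbours and carries no comment. State the operation that needs it, e.g. `# reads the secrets database to display <feature>`, so the grant can be re-evaluated, and confirm that a getattr- or search-only interface would not suffice. This run of sambagui_t rules continues outside the hunk.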
@@ -6062,9 +6116,137 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# network_node examples:
#network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255)
#network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.1/policy/modules/kernel/devices.fc
+--- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-11-20 10:51:41.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/kernel/devices.fc 2009-11-17 11:06:58.000000000 -0500
+@@ -63,12 +63,10 @@
+ /dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0)
+-/dev/modem -c gen_context(system_u:object_r:modem_device_t,s0)
+ /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0)
+ /dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0)
+ /dev/network_throughput -c gen_context(system_u:object_r:netcontrol_device_t,s0)
+-/dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0)
+ /dev/null -c gen_context(system_u:object_r:null_device_t,s0)
+ /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+ /dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
+@@ -107,7 +105,6 @@
+ ')
+ /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+-/dev/vga_arbiter -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+ /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0)
+ /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0)
+ /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+@@ -145,8 +142,11 @@
+
+ /dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0)
+
++/dev/modem -c gen_context(system_u:object_r:modem_device_t,s0)
+ /dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+
++/dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0)
++
+ /dev/pts(/.*)? <>
+
+ /dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0)
+@@ -154,6 +154,8 @@
+ /dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0)
+
++/dev/vga_arbiter -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
++
+ /dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0)
+ /dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
+ /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.1/policy/modules/kernel/devices.if
+--- nsaserefpolicy/policy/modules/kernel/devices.if 2009-11-20 10:51:41.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/kernel/devices.if 2009-11-17 11:06:58.000000000 -0500
+@@ -1927,7 +1927,7 @@
+
+ ########################################
+ ##
+-## Do not audit attempts to read and write lvm control device.
++## Delete the lvm control device.
+ ##
+ ##
+ ##
+@@ -1935,17 +1935,17 @@
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_rw_lvm_control',`
++interface(`dev_delete_lvm_control_dev',`
+ gen_require(`
+- type lvm_control_t;
++ type device_t, lvm_control_t;
+ ')
+
+- dontaudit $1 lvm_control_t:chr_file rw_file_perms;
++ delete_chr_files_pattern($1, device_t, lvm_control_t)
+ ')
+
+ ########################################
+ ##
+-## Delete the lvm control device.
++## Do not audit attempts to read and write lvm control device.
+ ##
+ ##
+ ##
+@@ -1953,14 +1953,15 @@
+ ##
+ ##
+ #
+-interface(`dev_delete_lvm_control_dev',`
++interface(`dev_dontaudit_rw_lvm_control_dev',`
+ gen_require(`
+- type device_t, lvm_control_t;
++ type lvm_control_t;
+ ')
+
+- delete_chr_files_pattern($1, device_t, lvm_control_t)
++ dontaudit $1 lvm_control_t:chr_file rw_file_perms;
+ ')
+
++
+ ########################################
+ ##
+ ## dontaudit getattr raw memory devices (e.g. /dev/mem).
+@@ -2535,7 +2536,8 @@
+ type device_t, null_device_t;
+ ')
+
+- delete_chr_files_pattern($1, device_t, null_device_t)
++ allow $1 device_t:dir del_entry_dir_perms;
++ allow $1 null_device_t:chr_file unlink;
+ ')
+
+ ########################################
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.1/policy/modules/kernel/devices.te
+--- nsaserefpolicy/policy/modules/kernel/devices.te 2009-11-20 10:51:41.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/kernel/devices.te 2009-11-17 11:06:58.000000000 -0500
+@@ -1,5 +1,5 @@
+
+-policy_module(devices, 1.9.1)
++policy_module(devices, 1.9.0)
+
+ ########################################
+ #
+@@ -84,7 +84,8 @@
+ dev_node(kmsg_device_t)
+
+ #
+-# ksm_device_t is the type of /dev/ksm
++# ksm_device_t is the type of
++# /dev/ksm
+ #
+ type ksm_device_t;
+ dev_node(ksm_device_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.1/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/kernel/domain.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/kernel/domain.if 2009-11-23 17:52:48.000000000 -0500
@@ -44,34 +44,6 @@
interface(`domain_type',`
# start with basic domain
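Review bot: The devices.te hunk in this section lowers `policy_module(devices, 1.9.1)` to `1.9.0`, and the devices.if hunk renames `dev_dontaudit_rw_lvm_control` back to `dev_dontaudit_rw_lvm_control_dev` and swaps its position with `dev_delete_lvm_control_dev`, while the `+++` files are dated 2009-11-17 against `---` files dated 2009-11-20; this reads as the serefpolicy tree lagging an upstream refresh rather than an intended change. The same pattern appears in the kernel.if, kernel.te (`1.11.1` → `1.11.0`) and storage.te (`1.7.1` → `1.7.0`) additions later in this diff, and the kernel.if one also reintroduces the typos `th core` and `attibutes` and blanks a `Domain allowed access.` parameter description. Unless the downgrade is deliberate, rebase the Fedora tree onto the refreshed upstream so these hunks disappear; if it is deliberate, saying so in the commit message would spare the next reviewer the same question. The devices.fc moves in this hunk (modem, noz, vga_arbiter) look like part of the same reordering and are harmless either way.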
@@ -6100,7 +6282,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -791,6 +763,24 @@
+@@ -746,10 +718,6 @@
+ dontaudit $1 domain:dir list_dir_perms;
+ dontaudit $1 domain:lnk_file read_lnk_file_perms;
+ dontaudit $1 domain:file read_file_perms;
+-
+- # cjp: these should be removed:
+- dontaudit $1 domain:sock_file read_sock_file_perms;
+- dontaudit $1 domain:fifo_file read_fifo_file_perms;
+ ')
+
+ ########################################
+@@ -791,6 +759,24 @@
########################################
##
@@ -6125,7 +6318,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to get the
## session ID of all domains.
##
-@@ -1039,6 +1029,54 @@
+@@ -1039,6 +1025,54 @@
########################################
##
@@ -6180,7 +6373,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to get the attributes
## of all domains unnamed pipes.
##
-@@ -1248,18 +1286,34 @@
+@@ -1248,18 +1282,34 @@
##
##
#
@@ -6218,7 +6411,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Allow specified type to receive labeled
## networking packets from all domains, over
## all protocols (TCP, UDP, etc)
-@@ -1280,6 +1334,24 @@
+@@ -1280,6 +1330,24 @@
########################################
##
@@ -6243,7 +6436,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Unconfined access to domains.
##
##
-@@ -1304,3 +1376,20 @@
+@@ -1304,3 +1372,39 @@
typeattribute $1 process_uncond_exempt;
')
@@ -6264,6 +6457,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1 unconfined_domain_type:process signal;
+')
++
++########################################
++##
++## Do not audit attempts to read or write
++## all leaked sockets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`domain_dontaudit_leaks',`
++ gen_require(`
++ attribute domain;
++ ')
++
++ dontaudit $1 domain:socket_class_set { read write };
++')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.1/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.1/policy/modules/kernel/domain.te 2009-11-17 11:06:58.000000000 -0500
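Review bot: `dontaudit $1 domain:socket_class_set { read write };` in the new `domain_dontaudit_leaks` interface silences read and write denials on every socket class of every domain, not only on descriptors that were actually leaked, so a caller given this interface loses audit visibility for any socket access it should not have. The summary should say so plainly, e.g. `## Do not audit read/write on sockets of any domain (meant for descriptors leaked across exec); this also hides non-leak denials.`, and callers should be added sparingly. The interface is otherwise complete within the hunk.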
@@ -6431,7 +6643,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/nfs/rpc_pipefs(/.*)? <>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.1/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-11-12 13:24:12.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/kernel/files.if 2009-11-20 10:08:42.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/kernel/files.if 2009-11-23 11:26:11.000000000 -0500
@@ -932,10 +932,8 @@
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -6684,7 +6896,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -4906,6 +5057,24 @@
+@@ -4785,6 +4936,24 @@
+
+ ########################################
+ ##
++## Do not audit attempts to getattr daemon runtime data files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_dontaudit_getattr_all_pids',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ dontaudit $1 pidfile:file getattr;
++')
++
++########################################
++##
+ ## Do not audit attempts to write to daemon runtime data files.
+ ##
+ ##
+@@ -4906,6 +5075,24 @@
########################################
##
@@ -6709,7 +6946,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Search the contents of generic spool
## directories (/var/spool).
##
-@@ -5072,7 +5241,7 @@
+@@ -5072,7 +5259,7 @@
selinux_compute_member($1)
# Need sys_admin capability for mounting
@@ -6718,7 +6955,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Need to give access to the directories to be polyinstantiated
allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
-@@ -5094,12 +5263,15 @@
+@@ -5094,12 +5281,15 @@
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
@@ -6735,7 +6972,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -5120,3 +5292,173 @@
+@@ -5120,3 +5310,173 @@
typeattribute $1 files_unconfined_type;
')
@@ -7308,6 +7545,74 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.1/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-11-20 10:51:41.000000000 -0500
+++ serefpolicy-3.7.1/policy/modules/kernel/kernel.if 2009-11-19 14:06:58.000000000 -0500
+@@ -508,7 +508,7 @@
+ ##
+ ##
+ ##
+-## Domain allowed access.
++##
+ ##
+ ##
+ #
+@@ -941,43 +941,43 @@
+
+ ########################################
+ ##
+-## Do not audit attempts to get the attributes of
+-## core kernel interfaces.
++## Allows caller to read th core kernel interface.
+ ##
+ ##
+ ##
+-## The process type to not audit.
++## The process type getting the attibutes.
+ ##
+ ##
+ #
+-interface(`kernel_dontaudit_getattr_core_if',`
++interface(`kernel_read_core_if',`
+ gen_require(`
+- type proc_kcore_t;
++ type proc_t, proc_kcore_t;
++ attribute can_dump_kernel;
+ ')
+
+- dontaudit $1 proc_kcore_t:file getattr;
++ read_files_pattern($1, proc_t, proc_kcore_t)
++ list_dirs_pattern($1, proc_t, proc_t)
++
++ typeattribute $1 can_dump_kernel;
+ ')
+
+ ########################################
+ ##
+-## Allows caller to read the core kernel interface.
++## Do not audit attempts to get the attributes of
++## core kernel interfaces.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## The process type to not audit.
+ ##
+ ##
+ #
+-interface(`kernel_read_core_if',`
++interface(`kernel_dontaudit_getattr_core_if',`
+ gen_require(`
+- type proc_t, proc_kcore_t;
+- attribute can_dump_kernel;
++ type proc_kcore_t;
+ ')
+
+- read_files_pattern($1, proc_t, proc_kcore_t)
+- list_dirs_pattern($1, proc_t, proc_t)
+-
+- typeattribute $1 can_dump_kernel;
++ dontaudit $1 proc_kcore_t:file getattr;
+ ')
+
+ ########################################
@@ -1848,7 +1848,7 @@
')
@@ -7394,6 +7699,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.1/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2009-11-20 10:51:41.000000000 -0500
+++ serefpolicy-3.7.1/policy/modules/kernel/kernel.te 2009-11-17 11:06:58.000000000 -0500
+@@ -1,5 +1,5 @@
+
+-policy_module(kernel, 1.11.1)
++policy_module(kernel, 1.11.0)
+
+ ########################################
+ #
@@ -64,6 +64,15 @@
genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
@@ -7533,6 +7845,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ fs_type($1)
+ mls_trusted_object($1)
+')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.7.1/policy/modules/kernel/storage.fc
+--- nsaserefpolicy/policy/modules/kernel/storage.fc 2009-11-20 10:51:41.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/kernel/storage.fc 2009-11-24 09:55:13.000000000 -0500
+@@ -14,6 +14,7 @@
+ /dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/drbd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
++/dev/etherd/.+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/fd[^/]+ -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.7.1/policy/modules/kernel/storage.if
--- nsaserefpolicy/policy/modules/kernel/storage.if 2009-11-20 10:51:41.000000000 -0500
+++ serefpolicy-3.7.1/policy/modules/kernel/storage.if 2009-11-17 11:06:58.000000000 -0500
@@ -7544,6 +7867,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.te serefpolicy-3.7.1/policy/modules/kernel/storage.te
+--- nsaserefpolicy/policy/modules/kernel/storage.te 2009-11-20 10:51:41.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/kernel/storage.te 2009-11-17 10:55:11.000000000 -0500
+@@ -1,5 +1,5 @@
+
+-policy_module(storage, 1.7.1)
++policy_module(storage, 1.7.0)
+
+ ########################################
+ #
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.7.1/policy/modules/kernel/terminal.fc
--- nsaserefpolicy/policy/modules/kernel/terminal.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.1/policy/modules/kernel/terminal.fc 2009-11-17 11:06:58.000000000 -0500
@@ -7557,7 +7890,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.1/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/kernel/terminal.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/kernel/terminal.if 2009-11-23 11:38:32.000000000 -0500
@@ -196,7 +196,7 @@
dev_list_all_dev_nodes($1)
@@ -7642,6 +7975,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
+@@ -1011,8 +1051,10 @@
+ interface(`term_dontaudit_use_unallocated_ttys',`
+ gen_require(`
+ type tty_device_t;
++ type console_device_t;
+ ')
+
++ dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
+ dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
+ ')
+
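Review bot: Adding `dontaudit $1 console_device_t:chr_file rw_chr_file_perms;` to `term_dontaudit_use_unallocated_ttys` makes the interface silence console access as well, so its name and the summary above the hunk no longer match what it does, and every existing caller silently gains the console dontaudit. Either move the console rule into a separate console-specific interface or update the summary to mention the console, and merge the two `type` lines into `type tty_device_t, console_device_t;` as the rest of the policy does (compare `type device_t, lvm_control_t;` in devices.if). The interface's doc block is outside the hunk.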
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-3.7.1/policy/modules/kernel/terminal.te
--- nsaserefpolicy/policy/modules/kernel/terminal.te 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.1/policy/modules/kernel/terminal.te 2009-11-17 11:06:58.000000000 -0500
@@ -8844,8 +9188,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.1/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/roles/unconfineduser.te 2009-11-20 08:01:52.000000000 -0500
-@@ -0,0 +1,427 @@
++++ serefpolicy-3.7.1/policy/modules/roles/unconfineduser.te 2009-11-24 14:57:49.000000000 -0500
+@@ -0,0 +1,431 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -9180,6 +9524,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+optional_policy(`
++ virt_transition_svirt(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
+ vpn_run(unconfined_t, unconfined_r)
+')
+
@@ -9426,8 +9774,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.1/policy/modules/roles/xguest.te
--- nsaserefpolicy/policy/modules/roles/xguest.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/roles/xguest.te 2009-11-20 08:12:41.000000000 -0500
-@@ -31,16 +31,37 @@
++++ serefpolicy-3.7.1/policy/modules/roles/xguest.te 2009-11-24 18:10:12.000000000 -0500
+@@ -31,16 +31,38 @@
userdom_restricted_xwindows_user_template(xguest)
@@ -9453,6 +9801,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+# Dontaudit fusermount
+dontaudit xguest_t self:capability sys_admin;
++allow xguest_t self:process execmem;
+
# Allow mounting of file systems
optional_policy(`
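Review bot: `allow xguest_t self:process execmem;` is placed under the `# Dontaudit fusermount` comment, which explains only the sys_admin dontaudit, and it grants the restricted guest domain executable anonymous memory unconditionally, weakening a protection the xguest role exists to keep. Give it its own comment naming the application that needs it, and consider gating it behind a tunable the way the file already gates network access with `tunable_policy(\`xguest_connect_network',` so administrators can turn it off. This run of xguest_t rules continues outside the hunk.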
@@ -9465,42 +9814,78 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_dontaudit_getattr_boot_dirs(xguest_t)
files_search_mnt(xguest_t)
-@@ -49,6 +70,7 @@
+@@ -49,10 +71,9 @@
fs_manage_noxattr_fs_dirs(xguest_t)
fs_getattr_noxattr_fs(xguest_t)
fs_read_noxattr_fs_symlinks(xguest_t)
+ fs_mount_fusefs(xguest_t)
auth_list_pam_console_data(xguest_t)
+-
+- init_read_utmp(xguest_t)
+ ')
+ ')
-@@ -67,7 +89,11 @@
+@@ -67,17 +88,60 @@
')
optional_policy(`
- java_role(xguest_r, xguest_t)
+ java_role_template(xguest, xguest_r, xguest_t)
-+')
-+
-+optional_policy(`
-+ mono_role_template(xguest, xguest_r, xguest_t)
- ')
-
- optional_policy(`
-@@ -75,9 +101,17 @@
')
optional_policy(`
-+ nsplugin_role(xguest_r, xguest_t)
+- mozilla_role(xguest_r, xguest_t)
++ mono_role_template(xguest, xguest_r, xguest_t)
+')
+
+optional_policy(`
++ nsplugin_role(xguest_r, xguest_t)
+ ')
+
+ optional_policy(`
tunable_policy(`xguest_connect_network',`
networkmanager_dbus_chat(xguest_t)
+ networkmanager_read_var_lib_files(xguest_t)
-+ corenet_tcp_connect_pulseaudio_port(xguest_t)
-+ corenet_tcp_connect_ipp_port(xguest_t)
-+ corenet_tcp_connect_http_port(xguest_t)
++ corenet_tcp_connect_pulseaudio_port(xguest_usertype)
++ corenet_all_recvfrom_unlabeled(xguest_usertype)
++ corenet_all_recvfrom_netlabel(xguest_usertype)
++ corenet_tcp_sendrecv_generic_if(xguest_usertype)
++ corenet_raw_sendrecv_generic_if(xguest_usertype)
++ corenet_tcp_sendrecv_generic_node(xguest_usertype)
++ corenet_raw_sendrecv_generic_node(xguest_usertype)
++ corenet_tcp_sendrecv_http_port(xguest_usertype)
++ corenet_tcp_sendrecv_http_cache_port(xguest_usertype)
++ corenet_tcp_sendrecv_ftp_port(xguest_usertype)
++ corenet_tcp_sendrecv_ipp_port(xguest_usertype)
++ corenet_tcp_connect_http_port(xguest_usertype)
++ corenet_tcp_connect_http_cache_port(xguest_usertype)
++ corenet_tcp_connect_flash_port(xguest_usertype)
++ corenet_tcp_connect_ftp_port(xguest_usertype)
++ corenet_tcp_connect_ipp_port(xguest_usertype)
++ corenet_tcp_connect_generic_port(xguest_usertype)
++ corenet_tcp_connect_soundd_port(xguest_usertype)
++ corenet_sendrecv_http_client_packets(xguest_usertype)
++ corenet_sendrecv_http_cache_client_packets(xguest_usertype)
++ corenet_sendrecv_ftp_client_packets(xguest_usertype)
++ corenet_sendrecv_ipp_client_packets(xguest_usertype)
++ corenet_sendrecv_generic_client_packets(xguest_usertype)
++ # Should not need other ports
++ corenet_dontaudit_tcp_sendrecv_generic_port(xguest_usertype)
++ corenet_dontaudit_tcp_bind_generic_port(xguest_usertype)
++ corenet_tcp_connect_speech_port(xguest_usertype)
++ corenet_tcp_sendrecv_transproxy_port(xguest_usertype)
++ corenet_tcp_connect_transproxy_port(xguest_usertype)
++ ')
')
++
++optional_policy(`
++ gen_require(`
++ type mozilla_t;
++ ')
++
++ allow xguest_t mozilla_t:process transition;
++ role xguest_r types mozilla_t;
')
-#gen_user(xguest_u,, xguest_r, s0, s0)
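Review bot: `corenet_tcp_connect_generic_port(xguest_usertype)` inside the xguest_connect_network block grants connect to every unreserved port, which makes the enumeration of http, http_cache, ftp, ipp, flash and soundd ports around it largely redundant and widens what a guest session can reach; if only the listed services are intended, drop the generic line, otherwise add a comment naming the client that needs arbitrary ports. The `# Should not need other ports` comment two lines below reads as contradicting that rule and should say which ports it refers to. Separately, the new trailing block replaces the removed `mozilla_role(xguest_r, xguest_t)` with a bare `allow xguest_t mozilla_t:process transition;`, which by itself grants no execute or entrypoint permission, so a one-line comment stating how the transition is expected to be reached would help the next reader.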
@@ -9653,8 +10038,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.1/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/abrt.te 2009-11-19 14:06:09.000000000 -0500
-@@ -33,12 +33,23 @@
++++ serefpolicy-3.7.1/policy/modules/services/abrt.te 2009-11-24 10:12:04.000000000 -0500
+@@ -33,12 +33,25 @@
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)
@@ -9675,11 +10060,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#
-allow abrt_t self:capability { setuid setgid sys_nice dac_override };
-+allow abrt_t self:capability { chown setuid setgid sys_nice dac_override };
++allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override };
++dontaudit abrt_t self:capability { sys_rawio };
++
allow abrt_t self:process { signal signull setsched getsched };
allow abrt_t self:fifo_file rw_fifo_file_perms;
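Review bot: The `kill` capability added in `allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override };` has no comment recording which abrtd operation needs it. CAP_KILL lets the daemon signal processes owned by other uids, and another hunk of this file grants `domain_signull_all_domains(abrt_t)`, so the reason should be kept next to the rule, e.g. `# kill: <abrtd operation that signals another user's process - fill in>`. If it was only seen in an audit log without a functional need, a dontaudit like the neighbouring sys_rawio line would be the safer choice. The abrt_t block continues outside this hunk.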
-@@ -58,15 +69,18 @@
+@@ -58,15 +71,18 @@
manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@@ -9700,7 +10087,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
kernel_read_ring_buffer(abrt_t)
-@@ -75,10 +89,17 @@
+@@ -75,11 +91,20 @@
corecmd_exec_bin(abrt_t)
corecmd_exec_shell(abrt_t)
@@ -9716,9 +10103,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+domain_read_all_domains_state(abrt_t)
+domain_signull_all_domains(abrt_t)
++files_dontaudit_list_default(abrt_t)
++files_dontaudit_read_default_files(abrt_t)
files_getattr_all_files(abrt_t)
files_read_etc_files(abrt_t)
-@@ -87,6 +108,7 @@
+ files_read_usr_files(abrt_t)
+@@ -87,6 +112,7 @@
fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
fs_getattr_all_dirs(abrt_t)
@@ -9726,7 +10116,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
sysnet_read_config(abrt_t)
-@@ -96,22 +118,64 @@
+@@ -96,22 +122,72 @@
miscfiles_read_certs(abrt_t)
miscfiles_read_localization(abrt_t)
@@ -9734,8 +10124,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-# read ~/.abrt/Bugzilla.conf
-userdom_read_user_home_content_files(abrt_t)
+userdom_dontaudit_read_user_home_content_files(abrt_t)
-+
-+optional_policy(`
+
+ optional_policy(`
+- dbus_connect_system_bus(abrt_t)
+- dbus_system_bus_client(abrt_t)
+ dbus_system_domain(abrt_t, abrt_exec_t)
+')
+
@@ -9747,10 +10139,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ nsplugin_read_rw_files(abrt_t)
+ nsplugin_read_home(abrt_t)
+')
-
- optional_policy(`
-- dbus_connect_system_bus(abrt_t)
-- dbus_system_bus_client(abrt_t)
++
++optional_policy(`
+ policykit_dbus_chat(abrt_t)
+ policykit_domtrans_auth(abrt_t)
+ policykit_read_lib(abrt_t)
@@ -9793,8 +10183,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+
++ifdef(`hide_broken_symptoms', `
++domain_dontaudit_leaks(abrt_helper_t)
++userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
++userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
++')
++
+files_read_etc_files(abrt_helper_t)
+
++auth_use_nsswitch(abrt_helper_t)
++
+userdom_dontaudit_use_user_terminals(abrt_helper_t)
+
+permissive abrt_helper_t;
@@ -10809,7 +11207,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.1/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/apache.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/services/apache.te 2009-11-23 11:25:41.000000000 -0500
@@ -19,6 +19,8 @@
# Declarations
#
@@ -11036,7 +11434,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_bind_http_port(httpd_t)
corenet_tcp_bind_http_cache_port(httpd_t)
corenet_sendrecv_http_server_packets(httpd_t)
-@@ -335,12 +399,11 @@
+@@ -335,15 +399,15 @@
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
@@ -11051,7 +11449,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_use_interactive_fds(httpd_t)
-@@ -358,6 +421,10 @@
++files_dontaudit_getattr_all_pids(httpd_t)
+ files_read_usr_files(httpd_t)
+ files_list_mnt(httpd_t)
+ files_search_spool(httpd_t)
+@@ -358,6 +422,10 @@
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -11062,7 +11464,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
libs_read_lib_files(httpd_t)
-@@ -372,18 +439,33 @@
+@@ -372,18 +440,33 @@
userdom_use_unpriv_users_fds(httpd_t)
@@ -11100,7 +11502,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -391,32 +473,70 @@
+@@ -391,32 +474,70 @@
corenet_tcp_connect_all_ports(httpd_t)
')
@@ -11176,7 +11578,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -424,11 +544,23 @@
+@@ -424,11 +545,23 @@
fs_read_nfs_symlinks(httpd_t)
')
@@ -11200,7 +11602,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
-@@ -451,6 +583,14 @@
+@@ -451,6 +584,14 @@
')
optional_policy(`
@@ -11215,7 +11617,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
cron_system_entry(httpd_t, httpd_exec_t)
')
-@@ -459,8 +599,13 @@
+@@ -459,8 +600,13 @@
')
optional_policy(`
@@ -11231,7 +11633,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -468,22 +613,19 @@
+@@ -468,22 +614,19 @@
mailman_domtrans_cgi(httpd_t)
# should have separate types for public and private archives
mailman_search_data(httpd_t)
@@ -11257,7 +11659,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -494,12 +636,23 @@
+@@ -494,12 +637,23 @@
')
optional_policy(`
@@ -11281,7 +11683,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -508,6 +661,7 @@
+@@ -508,6 +662,7 @@
')
optional_policy(`
@@ -11289,7 +11691,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -535,6 +689,23 @@
+@@ -535,6 +690,23 @@
userdom_use_user_terminals(httpd_helper_t)
@@ -11313,7 +11715,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# Apache PHP script local policy
-@@ -564,20 +735,25 @@
+@@ -564,20 +736,25 @@
fs_search_auto_mountpoints(httpd_php_t)
@@ -11345,7 +11747,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -595,23 +771,24 @@
+@@ -595,23 +772,24 @@
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
@@ -11374,7 +11776,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -624,6 +801,7 @@
+@@ -624,6 +802,7 @@
logging_send_syslog_msg(httpd_suexec_t)
miscfiles_read_localization(httpd_suexec_t)
@@ -11382,7 +11784,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`httpd_can_network_connect',`
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
-@@ -631,22 +809,31 @@
+@@ -631,22 +810,31 @@
corenet_all_recvfrom_unlabeled(httpd_suexec_t)
corenet_all_recvfrom_netlabel(httpd_suexec_t)
@@ -11421,7 +11823,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -672,15 +859,14 @@
+@@ -672,15 +860,14 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -11440,7 +11842,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
dontaudit httpd_sys_script_t httpd_config_t:dir search;
-@@ -699,12 +885,24 @@
+@@ -699,12 +886,24 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@@ -11467,7 +11869,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -712,6 +910,35 @@
+@@ -712,6 +911,35 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@@ -11503,7 +11905,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -724,6 +951,10 @@
+@@ -724,6 +952,10 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -11514,7 +11916,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -735,6 +966,8 @@
+@@ -735,6 +967,8 @@
# httpd_rotatelogs local policy
#
@@ -11523,7 +11925,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-@@ -754,11 +987,88 @@
+@@ -754,11 +988,88 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -11640,7 +12042,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
xserver_domtrans(apmd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.7.1/policy/modules/services/arpwatch.te
--- nsaserefpolicy/policy/modules/services/arpwatch.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/arpwatch.te 2009-11-19 09:58:15.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/services/arpwatch.te 2009-11-23 18:39:44.000000000 -0500
@@ -34,6 +34,7 @@
allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms };
allow arpwatch_t self:udp_socket create_socket_perms;
@@ -11649,6 +12051,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
+@@ -46,6 +47,7 @@
+ manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
+ files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
+
++kernel_read_network_state(arpwatch_t)
+ kernel_read_kernel_sysctls(arpwatch_t)
+ kernel_list_proc(arpwatch_t)
+ kernel_read_proc_symlinks(arpwatch_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.7.1/policy/modules/services/asterisk.if
--- nsaserefpolicy/policy/modules/services/asterisk.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.1/policy/modules/services/asterisk.if 2009-11-17 11:06:58.000000000 -0500
@@ -11681,7 +12091,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.7.1/policy/modules/services/asterisk.te
--- nsaserefpolicy/policy/modules/services/asterisk.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/asterisk.te 2009-11-19 13:52:42.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/services/asterisk.te 2009-11-23 13:38:30.000000000 -0500
@@ -34,6 +34,8 @@
type asterisk_var_run_t;
files_pid_file(asterisk_var_run_t)
@@ -11699,6 +12109,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_sendrecv_asterisk_server_packets(asterisk_t)
# for VOIP voice channels.
corenet_tcp_bind_generic_port(asterisk_t)
+@@ -107,6 +110,7 @@
+ dev_read_sysfs(asterisk_t)
+ dev_read_sound(asterisk_t)
+ dev_write_sound(asterisk_t)
++dev_read_urand(asterisk_t)
+
+ domain_use_interactive_fds(asterisk_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.7.1/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.1/policy/modules/services/automount.te 2009-11-17 11:06:58.000000000 -0500
@@ -11912,7 +12330,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/run/cluster/ccsd\.sock -s gen_context(system_u:object_r:ccs_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.7.1/policy/modules/services/ccs.te
--- nsaserefpolicy/policy/modules/services/ccs.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/ccs.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/services/ccs.te 2009-11-20 16:30:47.000000000 -0500
@@ -10,23 +10,21 @@
type ccs_exec_t;
init_daemon_domain(ccs_t, ccs_exec_t)
@@ -12749,8 +13167,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.1/policy/modules/services/corosync.te
--- nsaserefpolicy/policy/modules/services/corosync.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/corosync.te 2009-11-17 11:06:58.000000000 -0500
-@@ -0,0 +1,107 @@
++++ serefpolicy-3.7.1/policy/modules/services/corosync.te 2009-11-23 13:51:04.000000000 -0500
+@@ -0,0 +1,109 @@
+
+policy_module(corosync,1.0.0)
+
@@ -12842,6 +13260,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+logging_send_syslog_msg(corosync_t)
+
++userdom_rw_user_tmpfs_files(corosync_t)
++
+# to communication with RHCS
+dlm_controld_manage_tmpfs_files(corosync_t)
+dlm_controld_rw_semaphores(corosync_t)
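Review bot: `userdom_rw_user_tmpfs_files(corosync_t)` gives a system daemon read/write access to tmpfs files created by any user domain, a wider grant than the dlm_controld-specific rules next to it, and it has no comment. Note which client IPC path requires it, e.g. `# rw user tmpfs: <client shm path - fill in>`, so it can be narrowed to a specific type later; if a single client domain is involved, an interface on that module would be tighter than the userdom-wide one. The corosync_t block starts and ends outside this hunk.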
@@ -13552,7 +13972,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.7.1/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/dbus.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/services/dbus.if 2009-11-24 18:53:39.000000000 -0500
@@ -42,8 +42,10 @@
gen_require(`
class dbus { send_msg acquire_svc };
@@ -13618,8 +14038,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
# SE-DBus specific permissions
-- allow $1 { system_dbusd_t self }:dbus send_msg;
-+ allow $1 { system_dbusd_t self dbusd_unconfined }:dbus send_msg;
+ allow $1 { system_dbusd_t self }:dbus send_msg;
+ allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg;
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
@@ -14877,7 +15296,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.7.1/policy/modules/services/gpsd.te
--- nsaserefpolicy/policy/modules/services/gpsd.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/gpsd.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/services/gpsd.te 2009-11-23 11:58:28.000000000 -0500
@@ -11,15 +11,21 @@
application_domain(gpsd_t, gpsd_exec_t)
init_daemon_domain(gpsd_t, gpsd_exec_t)
@@ -14897,7 +15316,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#
-allow gpsd_t self:capability { setuid sys_nice setgid fowner };
-+allow gpsd_t self:capability { fsetid setuid sys_nice setgid fowner };
++allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_tty_config };
allow gpsd_t self:process setsched;
allow gpsd_t self:shm create_shm_perms;
allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -15399,17 +15818,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg($1_milter_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.7.1/policy/modules/services/modemmanager.te
--- nsaserefpolicy/policy/modules/services/modemmanager.te 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/modemmanager.te 2009-11-17 11:06:58.000000000 -0500
-@@ -16,7 +16,7 @@
++++ serefpolicy-3.7.1/policy/modules/services/modemmanager.te 2009-11-24 07:19:22.000000000 -0500
+@@ -16,7 +16,8 @@
#
# ModemManager local policy
#
-
++allow modemmanager_t self:capability sys_admin;
+allow modemmanager_t self:process signal;
allow modemmanager_t self:fifo_file rw_file_perms;
allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -24,6 +24,7 @@
+@@ -24,6 +25,7 @@
kernel_read_system_state(modemmanager_t)
dev_read_sysfs(modemmanager_t)
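Review bot: `allow modemmanager_t self:capability sys_admin;` is added without a comment; CAP_SYS_ADMIN is the broadest capability and frequently appears in audit logs for probes that do not need to succeed, where a dontaudit is the correct response. If a concrete operation requires it, record it inline, e.g. `# sys_admin: <ioctl/operation - fill in>`, otherwise prefer `dontaudit modemmanager_t self:capability sys_admin;`. The ModemManager block continues beyond this hunk.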
@@ -15644,8 +16064,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
mysql_write_log(mysqld_safe_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.7.1/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/nagios.fc 2009-11-17 11:06:58.000000000 -0500
-@@ -1,16 +1,22 @@
++++ serefpolicy-3.7.1/policy/modules/services/nagios.fc 2009-11-23 14:12:37.000000000 -0500
+@@ -1,16 +1,26 @@
/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
+/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
@@ -15661,10 +16081,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib(64)?/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/usr/lib(64)?/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+#/usr/lib(64)?/nagios/plugins(/.*)? gen_context(system_u:object_r:nagios_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
++/var/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0)
++
+/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
+
ifdef(`distro_debian',`
@@ -15675,7 +16099,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.7.1/policy/modules/services/nagios.if
--- nsaserefpolicy/policy/modules/services/nagios.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/nagios.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/services/nagios.if 2009-11-23 14:12:16.000000000 -0500
@@ -64,7 +64,7 @@
########################################
@@ -15736,11 +16160,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+#
+interface(`nagios_read_log',`
+ gen_require(`
-+ type nagios_var_log_t;
++ type nagios_log_t;
+ ')
+
+ logging_search_logs($1)
-+ read_files_pattern($1, nagios_var_log_t, nagios_var_log_t)
++ read_files_pattern($1, nagios_log_t, nagios_log_t)
+')
+
+########################################
@@ -15796,7 +16220,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.1/policy/modules/services/nagios.te
--- nsaserefpolicy/policy/modules/services/nagios.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/nagios.te 2009-11-18 16:57:18.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/services/nagios.te 2009-11-23 14:23:43.000000000 -0500
@@ -10,13 +10,12 @@
type nagios_exec_t;
init_daemon_domain(nagios_t, nagios_exec_t)
@@ -15824,17 +16248,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type nrpe_t;
type nrpe_exec_t;
init_daemon_domain(nrpe_t, nrpe_exec_t)
-@@ -33,6 +35,9 @@
+@@ -33,6 +35,16 @@
type nrpe_etc_t;
files_config_file(nrpe_etc_t)
+type nrpe_var_run_t;
+files_pid_file(nrpe_var_run_t)
+
++type nagios_checkdisk_plugin_t;
++type nagios_checkdisk_plugin_exec_t;
++application_domain(nagios_checkdisk_plugin_t, nagios_checkdisk_plugin_exec_t)
++role system_r types nagios_checkdisk_plugin_t;
++
++permissive nagios_checkdisk_plugin_t;
++
########################################
#
# Nagios local policy
-@@ -60,6 +65,8 @@
+@@ -45,6 +57,9 @@
+ allow nagios_t self:tcp_socket create_stream_socket_perms;
+ allow nagios_t self:udp_socket create_socket_perms;
+
++# needed by command.cfg
++can_exec(nagios_t, nagios_checkdisk_plugin_exec_t)
++
+ read_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t)
+ read_lnk_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t)
+ allow nagios_t nagios_etc_t:dir list_dir_perms;
+@@ -60,6 +75,8 @@
manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
files_pid_filetrans(nagios_t, nagios_var_run_t, file)
@@ -15843,7 +16284,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_system_state(nagios_t)
kernel_read_kernel_sysctls(nagios_t)
-@@ -127,52 +134,57 @@
+@@ -86,6 +103,7 @@
+ files_read_etc_files(nagios_t)
+ files_read_etc_runtime_files(nagios_t)
+ files_read_kernel_symbol_table(nagios_t)
++files_search_spool(nagios_t)
+
+ fs_getattr_all_fs(nagios_t)
+ fs_search_auto_mountpoints(nagios_t)
+@@ -127,52 +145,59 @@
#
# Nagios CGI local policy
#
@@ -15912,6 +16361,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+allow nrpe_t self:tcp_socket create_stream_socket_perms;
-allow nrpe_t nrpe_etc_t:file read_file_perms;
++domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
++
+read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t)
files_search_etc(nrpe_t)
@@ -15926,7 +16377,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_system_state(nrpe_t)
kernel_read_kernel_sysctls(nrpe_t)
-@@ -183,15 +195,19 @@
+@@ -183,15 +208,19 @@
dev_read_urand(nrpe_t)
domain_use_interactive_fds(nrpe_t)
@@ -15946,6 +16397,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
optional_policy(`
+@@ -209,3 +238,22 @@
+ optional_policy(`
+ udev_read_db(nrpe_t)
+ ')
++
++#######################################
++#
++# nagios check_disk and check_ide_smart plugin local policy
++#
++
++# needed by ioctl()
++allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
++
++# leaked file descriptor
++dontaudit nagios_checkdisk_plugin_t nrpe_t:tcp_socket { read write };
++
++files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
++
++fs_getattr_all_fs(nagios_checkdisk_plugin_t)
++
++storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
++
++miscfiles_read_localization(nagios_checkdisk_plugin_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.7.1/policy/modules/services/networkmanager.fc
--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.1/policy/modules/services/networkmanager.fc 2009-11-17 11:06:58.000000000 -0500
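Review bot: The `# needed by ioctl()` comment above `allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };` does not say which ioctl, and the block serves two plugins that presumably differ: check_ide_smart is the one that would issue drive ioctls, whereas check_disk is a filesystem-usage check that may need neither capability nor `storage_raw_read_fixed_disk`. Name the ioctl in the comment, e.g. `# sys_admin/sys_rawio: <ioctl issued by check_ide_smart - fill in>`, and if check_disk needs none of this, a separate domain (or leaving it out of the shared label in nagios.fc) would keep raw block-device read away from a plugin that does not require it.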
@@ -16059,7 +16533,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.1/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/networkmanager.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/services/networkmanager.te 2009-11-24 07:18:48.000000000 -0500
@@ -19,6 +19,9 @@
type NetworkManager_tmp_t;
files_tmp_file(NetworkManager_tmp_t)
@@ -16821,8 +17295,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.7.1/policy/modules/services/nut.te
--- nsaserefpolicy/policy/modules/services/nut.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/nut.te 2009-11-17 11:06:58.000000000 -0500
-@@ -0,0 +1,128 @@
++++ serefpolicy-3.7.1/policy/modules/services/nut.te 2009-11-24 15:02:15.000000000 -0500
+@@ -0,0 +1,127 @@
+
+policy_module(nut,1.0.0)
+
@@ -16855,8 +17329,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+#
+# upsd local policy
+#
-+
-+allow upsd_t self:capability { setuid setgid };
++allow upsd_t self:capability { dac_override setuid setgid };
+
+allow upsd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow upsd_t self:tcp_socket create_stream_socket_perms;
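Review bot: `dac_override` is added to upsd_t's capability set without a comment; in most daemons that capability papers over files owned by the wrong user or with too-tight modes, and CAP_DAC_OVERRIDE bypasses permission bits on every file the policy lets upsd_t reach, so the ownership fix is usually the better one. Record what it is for, e.g. `# dac_override: <file or socket upsd opens as a different uid - fill in>`, or replace it with a dontaudit if upsd works without it. The upsd_t block continues past this hunk.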
@@ -16953,11 +17426,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+miscfiles_read_localization(upsdrvctl_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.7.1/policy/modules/services/nx.fc
--- nsaserefpolicy/policy/modules/services/nx.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/nx.fc 2009-11-20 10:11:27.000000000 -0500
-@@ -1,6 +1,8 @@
++++ serefpolicy-3.7.1/policy/modules/services/nx.fc 2009-11-23 10:16:14.000000000 -0500
+@@ -1,6 +1,9 @@
/opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
/opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
++/opt/NX/home/nx(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
+/var/lib/nxserver/home/.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
+/var/lib/nxserver(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0)
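Review bot: `/opt/NX/home/nx(/.*)? ... nx_server_home_ssh_t` labels the entire nx home directory with the type that the line above reserves for its `.ssh` subtree, so the distinction between key material and the rest of the home directory disappears for this path, while `/var/lib/nxserver` keeps a separate nx_server_var_lib_t. If the whole home needs a label, a non-key type (nx_server_var_lib_t as used for /var/lib/nxserver, or a dedicated home type) would keep write access to the key files narrower. If the merge is intentional, a comment on the line should say so.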
@@ -20333,7 +20807,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.7.1/policy/modules/services/rtkit.te
--- nsaserefpolicy/policy/modules/services/rtkit.te 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/rtkit.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/services/rtkit.te 2009-11-23 11:53:29.000000000 -0500
@@ -17,9 +17,11 @@
allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace };
@@ -20346,6 +20820,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_read_all_domains_state(rtkit_daemon_t)
fs_rw_anon_inodefs_files(rtkit_daemon_t)
+@@ -28,7 +30,7 @@
+
+ logging_send_syslog_msg(rtkit_daemon_t)
+
+-miscfiles_read_localization(locale_t)
++miscfiles_read_localization(rtkit_daemon_t)
+
+ optional_policy(`
+ policykit_dbus_chat(rtkit_daemon_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.7.1/policy/modules/services/samba.fc
--- nsaserefpolicy/policy/modules/services/samba.fc 2009-07-29 15:15:33.000000000 -0400
+++ serefpolicy-3.7.1/policy/modules/services/samba.fc 2009-11-17 11:06:58.000000000 -0500
@@ -20359,7 +20842,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.7.1/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/samba.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/services/samba.if 2009-11-23 10:38:07.000000000 -0500
@@ -62,6 +62,25 @@
########################################
@@ -21614,6 +22097,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_list_sysfs(snmpd_t)
dev_read_sysfs(snmpd_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.7.1/policy/modules/services/snort.te
+--- nsaserefpolicy/policy/modules/services/snort.te 2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.7.1/policy/modules/services/snort.te 2009-11-23 10:22:33.000000000 -0500
+@@ -37,6 +37,7 @@
+ allow snort_t self:tcp_socket create_stream_socket_perms;
+ allow snort_t self:udp_socket create_socket_perms;
+ allow snort_t self:packet_socket create_socket_perms;
++allow snort_t self:socket create_socket_perms;
+ # Snort IPS node. unverified.
+ allow snort_t self:netlink_firewall_socket { bind create getattr };
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.7.1/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.1/policy/modules/services/spamassassin.fc 2009-11-17 11:06:58.000000000 -0500
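Review bot: The new `allow snort_t self:socket create_socket_perms;` grants the generic `socket` class, which in this policy generation is the catch-all for every address family that has no dedicated object class, yet it carries no comment saying which family or AVC denial it satisfies. The rules directly above it are each a specific class (tcp, udp, packet) and the line below already marks the netlink_firewall rule as `unverified`, so the generic grant deserves the same traceability. I would put `# generic socket class: needed for <address family> (from AVC) — unverified` above it and narrow to a specific class once one exists for that family.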
@@ -21759,7 +22253,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.7.1/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/spamassassin.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/services/spamassassin.te 2009-11-24 18:16:01.000000000 -0500
@@ -20,6 +20,35 @@
##
gen_tunable(spamd_enable_home_dirs, true)
@@ -21826,15 +22320,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# this should probably be removed
corecmd_list_bin(spamassassin_t)
-@@ -150,6 +191,7 @@
+@@ -150,6 +191,8 @@
corenet_udp_sendrecv_all_ports(spamassassin_t)
corenet_tcp_connect_all_ports(spamassassin_t)
corenet_sendrecv_all_client_packets(spamassassin_t)
+ corenet_udp_bind_generic_node(spamassassin_t)
++ corenet_udp_bind_generic_port(spamassassin_t)
sysnet_read_config(spamassassin_t)
')
-@@ -186,6 +228,8 @@
+@@ -186,6 +229,8 @@
optional_policy(`
mta_read_config(spamassassin_t)
sendmail_stub(spamassassin_t)
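Review bot: `corenet_udp_bind_generic_port(spamassassin_t)` is added beside `corenet_udp_bind_generic_node` with no comment on which bind triggered it; the surrounding rules already allow sendrecv on all UDP ports and connect to all TCP ports, so this is presumably an explicitly bound local UDP socket for DNS or DNSBL lookups, but that should be confirmed from the AVC and recorded, e.g. `# explicit local UDP bind for DNS lookups (AVC) — confirm`. If a fixed non-zero port is being bound, a named port type would be tighter than the generic port type. The enclosing tunable or optional block starts outside the hunk.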
@@ -21843,7 +22338,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -207,16 +251,33 @@
+@@ -207,16 +252,33 @@
allow spamc_t self:unix_stream_socket connectto;
allow spamc_t self:tcp_socket create_stream_socket_perms;
allow spamc_t self:udp_socket create_socket_perms;
@@ -21877,7 +22372,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(spamc_t)
corenet_all_recvfrom_netlabel(spamc_t)
-@@ -246,9 +307,16 @@
+@@ -246,9 +308,16 @@
files_dontaudit_search_var(spamc_t)
# cjp: this may be removable:
files_list_home(spamc_t)
@@ -21894,7 +22389,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
miscfiles_read_localization(spamc_t)
# cjp: this should probably be removed:
-@@ -256,27 +324,40 @@
+@@ -256,27 +325,40 @@
sysnet_read_config(spamc_t)
@@ -21941,7 +22436,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -288,7 +369,7 @@
+@@ -288,7 +370,7 @@
# setuids to the user running spamc. Comment this if you are not
# using this ability.
@@ -21950,7 +22445,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dontaudit spamd_t self:capability sys_tty_config;
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamd_t self:fd use;
-@@ -304,10 +385,17 @@
+@@ -304,10 +386,17 @@
allow spamd_t self:unix_stream_socket connectto;
allow spamd_t self:tcp_socket create_stream_socket_perms;
allow spamd_t self:udp_socket create_socket_perms;
@@ -21969,7 +22464,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -316,10 +404,12 @@
+@@ -316,10 +405,12 @@
# var/lib files for spamd
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -21983,7 +22478,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
kernel_read_all_sysctls(spamd_t)
-@@ -369,22 +459,27 @@
+@@ -369,22 +460,27 @@
init_dontaudit_rw_utmp(spamd_t)
@@ -22015,7 +22510,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_manage_cifs_files(spamd_t)
')
-@@ -402,23 +497,16 @@
+@@ -402,23 +498,16 @@
optional_policy(`
dcc_domtrans_client(spamd_t)
@@ -22040,7 +22535,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
postfix_read_config(spamd_t)
')
-@@ -433,6 +521,10 @@
+@@ -433,6 +522,10 @@
optional_policy(`
razor_domtrans(spamd_t)
@@ -22051,7 +22546,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -445,5 +537,9 @@
+@@ -445,5 +538,9 @@
')
optional_policy(`
@@ -22846,7 +23341,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.1/policy/modules/services/sssd.te
--- nsaserefpolicy/policy/modules/services/sssd.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/sssd.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/services/sssd.te 2009-11-23 17:38:47.000000000 -0500
@@ -16,6 +16,9 @@
type sssd_var_lib_t;
files_type(sssd_var_lib_t)
@@ -22866,7 +23361,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow sssd_t self:process { setsched signal getsched };
allow sssd_t self:fifo_file rw_file_perms;
allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -33,10 +36,15 @@
+@@ -33,16 +36,23 @@
manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
@@ -22882,7 +23377,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_system_state(sssd_t)
corecmd_exec_bin(sssd_t)
-@@ -58,6 +66,8 @@
+
+ dev_read_urand(sssd_t)
+
++domain_read_all_domains_state(sssd_t)
++
+ files_list_tmp(sssd_t)
+ files_read_etc_files(sssd_t)
+ files_read_usr_files(sssd_t)
+@@ -58,6 +68,8 @@
miscfiles_read_localization(sssd_t)
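Review bot: `domain_read_all_domains_state(sssd_t)` lets sssd read the /proc/<pid> state of every domain on the system, not only its own clients, which is a broad information-disclosure grant (per-process command lines, environments, mappings) for a daemon that presumably only needs to identify the peer that connected to it. If the denial being fixed was a getattr or search on another process's proc entry, the narrower `domain_getattr_all_domains(sssd_t)` or a dontaudit would do; if the wide read really is required, it should carry a comment naming the access, e.g. `# sssd reads /proc/<pid>/<file> of clients (from AVC) — confirm`. The sssd_t rule set continues outside the hunk.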
@@ -23002,7 +23505,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.1/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/virt.if 2009-11-19 16:38:10.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/services/virt.if 2009-11-24 14:56:33.000000000 -0500
@@ -136,7 +136,7 @@
')
@@ -23043,19 +23546,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs($1)
-@@ -304,8 +306,79 @@
+@@ -304,7 +306,7 @@
')
tunable_policy(`virt_use_samba',`
- fs_manage_nfs_files($1)
- fs_manage_cifs_files($1)
+ fs_manage_cifs_files($1)
-+ fs_read_cifs_symlinks($1)
-+ ')
-+')
-+
-+########################################
-+##
+ fs_manage_cifs_files($1)
+ fs_read_cifs_symlinks($1)
+ ')
+@@ -312,6 +314,77 @@
+
+ ########################################
+ ##
+## Allow domain to read virt image files
+##
+##
@@ -23121,10 +23624,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ tunable_policy(`virt_use_samba',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
- fs_read_cifs_symlinks($1)
- ')
- ')
-@@ -346,3 +419,95 @@
++ fs_read_cifs_symlinks($1)
++ ')
++')
++
++########################################
++##
+ ## All of the rules required to administrate
+ ## an virt environment
+ ##
+@@ -346,3 +419,124 @@
virt_manage_log($1)
')
@@ -23220,6 +23729,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ manage_files_pattern($1, svirt_cache_t, svirt_cache_t)
+ manage_lnk_files_pattern($1, svirt_cache_t, svirt_cache_t)
+')
++
++########################################
++##
++## Execute qemu in the svirt domain, and
++## allow the specified role the svirt domain.
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The role to be allowed the sandbox domain.
++##
++##
++#
++interface(`virt_transition_svirt',`
++ gen_require(`
++ type svirt_t;
++ ')
++
++ allow $1 svirt_t:process transition;
++ role $2 types svirt_t;
++
++ optional_policy(`
++ ptchown_run(svirt_t, $2)
++ ')
++')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.1/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2009-11-17 10:54:26.000000000 -0500
+++ serefpolicy-3.7.1/policy/modules/services/virt.te 2009-11-17 11:06:58.000000000 -0500
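Review bot: `virt_transition_svirt` grants only `$1 svirt_t:process transition` plus the role, so it is a manual (setexeccon-style) transition rather than the automatic one its summary "Execute qemu in the svirt domain" suggests: there is no type_transition here, and the reverse permissions a forked child normally needs (`allow svirt_t $1:fd use;`, `allow svirt_t $1:process sigchld;`, `allow svirt_t $1:fifo_file rw_fifo_file_perms;`) are absent — presumably they and the `setexec` self-permission for the caller are provided in virt.te, which should be confirmed. The parameter doc `The role to be allowed the sandbox domain.` is copied from another module and should read `The role to be allowed the svirt domain.`, and the summary should say that the caller performs the transition explicitly. `ptchown_run(svirt_t, $2)` also lets the guest-facing svirt_t domain run the ptchown helper; a one-line comment on why qemu needs that would keep it from being trimmed later.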
@@ -24610,7 +25148,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.1/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/xserver.te 2009-11-20 10:12:02.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/services/xserver.te 2009-11-20 16:23:57.000000000 -0500
@@ -34,6 +34,13 @@
##
@@ -24749,7 +25287,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_tmpfs_file(xserver_tmpfs_t)
ubac_constrained(xserver_tmpfs_t)
-@@ -250,23 +269,28 @@
+@@ -250,25 +269,30 @@
# Xauth local policy
#
@@ -24779,8 +25317,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_search_pids(xauth_t)
+files_dontaudit_getattr_all_dirs(xauth_t)
- fs_getattr_xattr_fs(xauth_t)
+-fs_getattr_xattr_fs(xauth_t)
++fs_getattr_all_fs(xauth_t)
fs_search_auto_mountpoints(xauth_t)
+
+ # cjp: why?
@@ -279,6 +303,11 @@
userdom_use_user_terminals(xauth_t)
userdom_read_user_tmp_files(xauth_t)
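Review bot: Replacing `fs_getattr_xattr_fs(xauth_t)` with `fs_getattr_all_fs(xauth_t)` widens the filesystem-getattr grant to every filesystem type without saying which one xauth hit; home directories on NFS, CIFS or fuse would be the usual reason, but that is an inference. The permission is only statfs-level information, so the widening is low risk, yet the file already annotates rules like this with `# cjp: why?`, so the new rule should carry its own justification, e.g. `# statfs on non-xattr home dir filesystems (nfs/cifs/fuse) — confirm from AVC`. The xauth_t rule set starts outside the hunk.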
@@ -27317,7 +27858,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+permissive kdump_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.1/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/libraries.fc 2009-11-18 17:00:01.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/system/libraries.fc 2009-11-25 06:13:34.000000000 -0500
@@ -60,12 +60,15 @@
#
# /opt
@@ -27342,8 +27883,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/opt/netscape/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/RealPlayer/codecs(/.*)? gen_context(system_u:object_r:lib_t,s0)
/opt/RealPlayer/common(/.*)? gen_context(system_u:object_r:lib_t,s0)
-@@ -84,12 +86,14 @@
+@@ -82,14 +84,18 @@
+ /opt/RealPlayer/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0)
+ ')
++/opt/Komodo-Edit-5/lib/python/lib/python2.6/lib-dynload/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
ifdef(`distro_redhat',`
/opt/Adobe(/.*?)/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/opt/Adobe/Reader8/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -27359,7 +27904,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
')
-@@ -103,6 +107,7 @@
+@@ -103,6 +109,7 @@
#
/usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -27367,10 +27912,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/(.*/)?java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
-@@ -115,27 +120,38 @@
+@@ -115,27 +122,41 @@
/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -27386,6 +27932,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib(64)?/libADM5avcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib64/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/ADM_plugins/videoFilter/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -27414,7 +27962,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
/usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -143,11 +159,8 @@
+@@ -143,11 +164,8 @@
/usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -27426,7 +27974,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/lib(64)?/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/drivers/nvidia_drv\.o -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -168,12 +181,12 @@
+@@ -168,12 +186,13 @@
# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
@@ -27434,6 +27982,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-HOME_DIR/.*/\.gstreamer-.*/plugins/*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -27441,7 +27990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -185,15 +198,10 @@
+@@ -185,15 +204,10 @@
/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -27458,7 +28007,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/lib(64)?/libHermes\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/valgrind/hp2ps -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/valgrind/stage2 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -228,31 +236,17 @@
+@@ -228,31 +242,17 @@
/usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -27494,9 +28043,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Jai, Sun Microsystems (Jpackage SPRM)
/usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -268,8 +262,8 @@
+@@ -267,9 +267,10 @@
+ /usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/vmware/lib(/.*)?/libvmware-gksu.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-# RPM Fusion, refpolicy ticket #48
-/usr/lib(64)?/libavfilter.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -27505,7 +28056,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Java, Sun Microsystems (JPackage SRPM)
/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -295,6 +289,8 @@
+@@ -295,6 +296,8 @@
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -27514,7 +28065,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') dnl end distro_redhat
#
-@@ -307,10 +303,104 @@
+@@ -307,10 +310,107 @@
/var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0)
@@ -27547,6 +28098,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib(64)?/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/google/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/nspluginwrapper/np.*\.so -- gen_context(system_u:object_r:lib_t,s0)
+
@@ -27584,6 +28136,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib/libADM5avformat\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libADM_coreImage\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
++/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++HOME_DIR/\.gstreamer-.*/plugins/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
+ifdef(`fixed',`
+/usr/lib(64)?/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
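Review bot: Moving the gstreamer, `HOME_DIR/\.gstreamer-.*/plugins/.*\.so.*` and `libx264` entries from inside `ifdef(`fixed',` to above it changes their effect if `fixed` is not defined for this build, which the block's contents suggest: they go from disabled to active `textrel_shlib_t` labels. The `HOME_DIR` entry in particular maps user-writable files to a library type on which domains using shared libraries are typically allowed execmod, so after a relabel a user could supply the code that confined domains execmod; that may be the intended trade-off, but it deserves a comment such as `# gstreamer plugins carry text relocations; HOME_DIR entry only takes effect on relabel`. It is also worth confirming the pattern wanted, since the older `HOME_DIR/.*/\.gstreamer-.*/plugins/*\.so.*` form is removed elsewhere in this patch and this one has no intermediate-directory prefix.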
@@ -27600,9 +28157,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib(64)?/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+HOME_DIR/\.gstreamer-.*/plugins/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/netscape/plugins/libflashplayer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -31006,7 +31560,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+HOME_DIR/\.gvfs(/.*)? <>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.1/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/userdomain.if 2009-11-18 10:28:50.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/system/userdomain.if 2009-11-23 14:09:57.000000000 -0500
@@ -30,8 +30,9 @@
')
@@ -32705,7 +33259,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_search_proc($1)
')
-@@ -3064,3 +3395,578 @@
+@@ -3064,3 +3395,597 @@
allow $1 userdomain:dbus send_msg;
')
@@ -33249,6 +33803,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+########################################
+##
++## Read files inherited
++## in a user home subdirectory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_read_inherited_user_home_content_files',`
++ gen_require(`
++ attribute user_home_type;
++ ')
++
++ allow $1 user_home_type:file { getattr read };
++')
++
++########################################
++##
+## Append files inherited
+## in a user home subdirectory.
+##