diff --git a/modules-minimum.conf b/modules-minimum.conf
index 3aec438..65ab71f 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -521,6 +521,13 @@ finger = module
#
firstboot = base
+# Layer: apps
+# Module: firewallgui
+#
+# policy for system-config-firewall
+#
+firewallgui = module
+
# Layer: services
# Module: fprintd
#
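Review bot: The new `firewallgui = module` entry enables a domain whose policy (the firewallgui.te added later in this commit) carries a `permissive firewallgui_t;` line, so for this release enabling the module yields labels and audit records, not enforcement; the `# policy for system-config-firewall` description could say so, e.g. `# policy for system-config-firewall (permissive in this version)`, since an administrator reading modules-*.conf sees nothing else about it. The same entry and comment are added to modules-targeted.conf in the next file section.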
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 3aec438..65ab71f 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -521,6 +521,13 @@ finger = module
#
firstboot = base
+# Layer: apps
+# Module: firewallgui
+#
+# policy for system-config-firewall
+#
+firewallgui = module
+
# Layer: services
# Module: fprintd
#
diff --git a/policy-F12.patch b/policy-F12.patch
index f1501f4..1c88d9a 100644
--- a/policy-F12.patch
+++ b/policy-F12.patch
@@ -10,6 +10,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Mak
net_contexts := $(builddir)net_contexts
all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.6.31/policy/flask/access_vectors
+--- nsaserefpolicy/policy/flask/access_vectors 2009-08-31 13:30:04.000000000 -0400
++++ serefpolicy-3.6.31/policy/flask/access_vectors 2009-09-14 16:52:50.000000000 -0400
+@@ -349,6 +349,7 @@
+ syslog_read
+ syslog_mod
+ syslog_console
++ request_module
+ }
+
+ #
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.31/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2009-07-23 14:11:04.000000000 -0400
+++ serefpolicy-3.6.31/policy/global_tunables 2009-09-09 15:38:24.000000000 -0400
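Review bot: The permission added to the `system` class at `++ request_module` should be checked against the kernel's classmap before this ships: as far as I recall the kernel side of this hook names the permission `module_request` (the spelling reference policy also uses in `kernel_request_load_module`), and a policy that defines `request_module` instead leaves the kernel's permission unknown to the loaded policy, so the new rule never matches and the real checks fall under the unknown-permission handling. If the kernel in this build really spells it `request_module`, a one-line comment next to the line saying so would stop the next reader from "fixing" it. The enclosing `class system` declaration begins outside the hunk.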
@@ -251,6 +262,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
netutils_domtrans_ping(mrtg_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.6.31/policy/modules/admin/netutils.te
+--- nsaserefpolicy/policy/modules/admin/netutils.te 2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.6.31/policy/modules/admin/netutils.te 2009-09-14 11:29:19.000000000 -0400
+@@ -85,6 +85,7 @@
+
+ miscfiles_read_localization(netutils_t)
+
++term_dontaudit_use_console(netutils_t)
+ userdom_use_user_terminals(netutils_t)
+ userdom_use_all_users_fds(netutils_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage.te serefpolicy-3.6.31/policy/modules/admin/portage.te
--- nsaserefpolicy/policy/modules/admin/portage.te 2009-08-18 18:39:50.000000000 -0400
+++ serefpolicy-3.6.31/policy/modules/admin/portage.te 2009-09-09 15:38:24.000000000 -0400
@@ -302,7 +324,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
amanda_manage_lib(prelink_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.31/policy/modules/admin/readahead.te
--- nsaserefpolicy/policy/modules/admin/readahead.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/admin/readahead.te 2009-09-09 15:38:24.000000000 -0400
++++ serefpolicy-3.6.31/policy/modules/admin/readahead.te 2009-09-14 12:53:07.000000000 -0400
@@ -54,7 +54,10 @@
files_dontaudit_getattr_all_sockets(readahead_t)
files_list_non_security(readahead_t)
@@ -365,7 +387,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.31/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/admin/rpm.if 2009-09-09 15:38:24.000000000 -0400
++++ serefpolicy-3.6.31/policy/modules/admin/rpm.if 2009-09-14 12:43:24.000000000 -0400
@@ -66,6 +66,11 @@
rpm_domtrans($1)
role $2 types rpm_t;
@@ -488,7 +510,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Inherit and use file descriptors from RPM scripts.
##
##
-@@ -219,7 +313,29 @@
+@@ -219,7 +313,51 @@
')
files_search_tmp($1)
@@ -499,6 +521,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+########################################
+##
++## Create, read, write, and delete RPM
++## temporary files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rpm_manage_tmp_files',`
++ gen_require(`
++ type rpm_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ manage_dirs_pattern($1, rpm_tmp_t, rpm_tmp_t)
++ manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
++ manage_lnk_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
++')
++
++########################################
++##
+## read, RPM
+## script temporary files.
+##
@@ -518,7 +562,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -245,6 +361,24 @@
+@@ -245,6 +383,24 @@
########################################
##
@@ -543,7 +587,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Create, read, write, and delete the RPM package database.
##
##
-@@ -283,3 +417,46 @@
+@@ -283,3 +439,46 @@
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
@@ -1227,6 +1271,87 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.fc serefpolicy-3.6.31/policy/modules/apps/firewallgui.fc
+--- nsaserefpolicy/policy/modules/apps/firewallgui.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.31/policy/modules/apps/firewallgui.fc 2009-09-14 13:14:48.000000000 -0400
+@@ -0,0 +1,3 @@
++
++/usr/share/system-config-firewall/system-config-firewall-mechanism.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0)
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.if serefpolicy-3.6.31/policy/modules/apps/firewallgui.if
+--- nsaserefpolicy/policy/modules/apps/firewallgui.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.31/policy/modules/apps/firewallgui.if 2009-09-14 13:14:48.000000000 -0400
+@@ -0,0 +1,3 @@
++
++## policy for firewallgui
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.6.31/policy/modules/apps/firewallgui.te
+--- nsaserefpolicy/policy/modules/apps/firewallgui.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.31/policy/modules/apps/firewallgui.te 2009-09-14 13:14:49.000000000 -0400
+@@ -0,0 +1,63 @@
++
++policy_module(firewallgui,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type firewallgui_t;
++type firewallgui_exec_t;
++dbus_system_domain(firewallgui_t, firewallgui_exec_t)
++
++type firewallgui_tmp_t;
++files_tmp_file(firewallgui_tmp_t)
++
++permissive firewallgui_t;
++
++########################################
++#
++# firewallgui local policy
++#
++
++allow firewallgui_t self:capability net_admin;
++
++allow firewallgui_t self:fifo_file rw_fifo_file_perms;
++
++manage_files_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)
++manage_dirs_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)
++files_tmp_filetrans(firewallgui_t,firewallgui_tmp_t, { file dir })
++
++iptables_manage_config(firewallgui_t)
++iptables_etc_filetrans_config(firewallgui_t)
++
++corecmd_exec_shell(firewallgui_t)
++corecmd_exec_bin(firewallgui_t)
++consoletype_exec(firewallgui_t)
++
++kernel_read_system_state(firewallgui_t)
++kernel_read_network_state(firewallgui_t)
++kernel_rw_net_sysctls(firewallgui_t)
++kernel_rw_kernel_sysctl(firewallgui_t)
++
++files_read_etc_files(firewallgui_t)
++files_read_usr_files(firewallgui_t)
++files_search_kernel_modules(firewallgui_t)
++files_list_kernel_modules(firewallgui_t)
++
++modutils_getattr_module_deps(firewallgui_t)
++
++dev_read_urand(firewallgui_t)
++dev_read_sysfs(firewallgui_t)
++
++nscd_dontaudit_search_pid(firewallgui_t)
++
++miscfiles_read_localization(firewallgui_t)
++
++iptables_domtrans(firewallgui_t)
++iptables_initrc_domtrans(firewallgui_t)
++
++optional_policy(`
++ policykit_dbus_chat(firewallgui_t)
++')
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.6.31/policy/modules/apps/gitosis.if
--- nsaserefpolicy/policy/modules/apps/gitosis.if 2009-09-09 09:23:16.000000000 -0400
+++ serefpolicy-3.6.31/policy/modules/apps/gitosis.if 2009-09-09 15:38:24.000000000 -0400
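Review bot: Several calls in the new firewallgui.te reach into modules that are themselves optional in this tree (`nscd_dontaudit_search_pid`, `consoletype_exec`, `modutils_getattr_module_deps`, the four `iptables_*` calls, and `dbus_system_domain` unless dbus counts as always present here), yet only `policykit_dbus_chat` is wrapped in `optional_policy`, so disabling any of those modules in modules-*.conf makes firewallgui fail to link instead of degrading. The `permissive firewallgui_t;` line also deserves a comment such as `# TODO: drop once the domain has been exercised in enforcing mode`, because until it goes the `net_admin` capability and the write access to the iptables configuration below it are audit-only. Unrelated to enforcement, the `.if` file declares no interfaces, so no other module can name `firewallgui_t` yet; that is acceptable for a first version but worth a sentence in its `## policy for firewallgui` header.
```m4
# … unchanged: declarations, capability, fifo_file and tmp rules …
optional_policy(`
	consoletype_exec(firewallgui_t)
')

optional_policy(`
	iptables_manage_config(firewallgui_t)
	iptables_etc_filetrans_config(firewallgui_t)
	iptables_domtrans(firewallgui_t)
	iptables_initrc_domtrans(firewallgui_t)
')

optional_policy(`
	modutils_getattr_module_deps(firewallgui_t)
')

optional_policy(`
	nscd_dontaudit_search_pid(firewallgui_t)
')
# … unchanged: kernel_*, files_*, dev_*, miscfiles and policykit rules …
```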
@@ -1603,8 +1728,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.31/policy/modules/apps/gpg.te
--- nsaserefpolicy/policy/modules/apps/gpg.te 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/apps/gpg.te 2009-09-09 15:38:24.000000000 -0400
-@@ -151,6 +151,14 @@
++++ serefpolicy-3.6.31/policy/modules/apps/gpg.te 2009-09-14 12:12:53.000000000 -0400
+@@ -110,6 +110,10 @@
+
+ userdom_use_user_terminals(gpg_t)
+
++optional_policy(`
++ cron_system_entry(gpg_t, gpg_exec_t)
++')
++
+ ########################################
+ #
+ # GPG helper local policy
+@@ -151,6 +155,14 @@
userdom_manage_user_home_content_files(gpg_t)
tunable_policy(`use_nfs_home_dirs',`
@@ -1619,13 +1755,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_manage_nfs_dirs(gpg_t)
fs_manage_nfs_files(gpg_t)
')
-@@ -256,5 +264,5 @@
+@@ -256,5 +268,6 @@
')
optional_policy(`
- xserver_stream_connect(gpg_pinentry_t)
+ xserver_common_app(gpg_pinentry_t)
')
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.6.31/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.31/policy/modules/apps/java.fc 2009-09-09 15:38:24.000000000 -0400
@@ -2298,8 +2435,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.31/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.31/policy/modules/apps/nsplugin.if 2009-09-09 15:38:24.000000000 -0400
-@@ -0,0 +1,313 @@
++++ serefpolicy-3.6.31/policy/modules/apps/nsplugin.if 2009-09-14 12:44:05.000000000 -0400
+@@ -0,0 +1,317 @@
+
+## policy for nsplugin
+
@@ -2425,6 +2562,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ userdom_dontaudit_setattr_user_home_content_files(nsplugin_t)
+ userdom_manage_tmpfs_role($1, nsplugin_t)
+
++ optional_policy(`
++ pulseaudio_role($1, nsplugin_t)
++ ')
++
+ xserver_communicate(nsplugin_t, $2)
+')
+
@@ -4477,7 +4618,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.31/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/kernel/devices.fc 2009-09-09 15:38:24.000000000 -0400
++++ serefpolicy-3.6.31/policy/modules/kernel/devices.fc 2009-09-15 11:25:08.000000000 -0400
@@ -47,8 +47,10 @@
/dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
@@ -4497,6 +4638,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/dev/(misc/)?rtc[0-9]* -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0)
+@@ -101,7 +104,7 @@
+ /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
+ ')
+ /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+-/dev/vboxadd.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
++/dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+ /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0)
+ /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0)
+ /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0)
@@ -148,6 +151,8 @@
/dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0)
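Review bot: Widening `/dev/vboxadd.*` to `/dev/vbox.*` at `++/dev/vbox.*` labels every /dev node beginning with vbox as `xserver_misc_device_t`, which on a VirtualBox host plausibly includes the hypervisor control nodes (`/dev/vboxdrv`, `/dev/vboxnetctl`) and not only the guest-additions nodes the old pattern covered; if only guest-side nodes are intended, an alternation such as `/dev/vbox(add|guest|user).*` keeps the label where it was meant to go. Either way a one-line comment above the entry naming the nodes the pattern is meant to match (e.g. `# VirtualBox guest additions: vboxadd, vboxguest, vboxuser`) would document the widening. The alternation is a constructed example; check it against the node names the installed additions actually create.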
@@ -4508,7 +4658,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.31/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2009-08-28 14:58:20.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/kernel/devices.if 2009-09-09 15:38:24.000000000 -0400
++++ serefpolicy-3.6.31/policy/modules/kernel/devices.if 2009-09-15 08:13:32.000000000 -0400
@@ -1692,6 +1692,78 @@
########################################
@@ -4746,7 +4896,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.31/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/kernel/domain.if 2009-09-10 10:26:38.000000000 -0400
++++ serefpolicy-3.6.31/policy/modules/kernel/domain.if 2009-09-14 12:06:23.000000000 -0400
@@ -44,34 +44,6 @@
interface(`domain_type',`
# start with basic domain
@@ -4854,7 +5004,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ attribute domain;
+ ')
+
-+ dontaudit $1 domain:fifo_file getattr;
++ allow $1 domain:fifo_file getattr;
+')
+
+########################################
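Review bot: Changing `dontaudit $1 domain:fifo_file getattr;` to `allow $1 domain:fifo_file getattr;` turns a silence-the-denial interface into one that grants getattr on the fifo_files of every domain, and the interface's name and summary header are outside the hunk; if they still read as a dontaudit interface they now misdescribe what a caller receives, so either rename the interface to match (keeping the old name as a wrapper for existing callers) or update the summary to say the access is allowed. A short comment on the allow line recording which caller needed real access rather than silence would also help the next reviewer of this interface.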
@@ -5108,7 +5258,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/nfs/rpc_pipefs(/.*)? <>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.31/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/kernel/files.if 2009-09-09 15:38:24.000000000 -0400
++++ serefpolicy-3.6.31/policy/modules/kernel/files.if 2009-09-14 12:48:12.000000000 -0400
@@ -110,6 +110,11 @@
##
#
@@ -6049,7 +6199,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.31/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/kernel/terminal.if 2009-09-09 15:38:24.000000000 -0400
++++ serefpolicy-3.6.31/policy/modules/kernel/terminal.if 2009-09-14 11:29:12.000000000 -0400
@@ -196,7 +196,7 @@
dev_list_all_dev_nodes($1)
@@ -8081,8 +8231,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.31/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.31/policy/modules/services/abrt.te 2009-09-11 16:04:15.000000000 -0400
-@@ -0,0 +1,121 @@
++++ serefpolicy-3.6.31/policy/modules/services/abrt.te 2009-09-14 12:19:03.000000000 -0400
+@@ -0,0 +1,122 @@
+
+policy_module(abrt,1.0.0)
+
@@ -8195,6 +8345,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ rpm_manage_db(abrt_t)
+ rpm_domtrans(abrt_t)
++ rpm_signull(abrt_t)
+')
+
+# to run mailx plugin
@@ -8337,7 +8488,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.31/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2009-07-28 15:51:13.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/services/apache.if 2009-09-10 10:32:22.000000000 -0400
++++ serefpolicy-3.6.31/policy/modules/services/apache.if 2009-09-14 12:08:13.000000000 -0400
@@ -13,21 +13,16 @@
#
template(`apache_content_template',`
@@ -8634,12 +8785,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
-@@ -503,6 +443,66 @@
+@@ -503,6 +443,67 @@
########################################
##
+## Allow the specified domain to delete
-+## Apache cache files.
++## Apache cache.
+##
+##
+##
@@ -8647,11 +8798,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+##
+##
+#
-+interface(`apache_delete_cache_files',`
++interface(`apache_delete_cache',`
+ gen_require(`
+ type httpd_cache_t;
+ ')
+
++ delete_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
+ delete_files_pattern($1, httpd_cache_t, httpd_cache_t)
+')
+
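Review bot: `apache_delete_cache_files` is renamed to `apache_delete_cache` at the `interface(` line and the old name is dropped rather than kept; the in-tree caller in cron.te is updated further down in this patch, but any local or third-party module still calling `apache_delete_cache_files` will fail to build. Reference policy's convention is to keep the old interface as a deprecated wrapper that emits a `refpolicywarn` and forwards to the new one, as sketched below. The summary change in the preceding hunk ("Apache cache" instead of "Apache cache files") does match the added `delete_dirs_pattern` line.
```m4
interface(`apache_delete_cache_files',`
	refpolicywarn(`$0($*) has been deprecated, use apache_delete_cache() instead.')
	apache_delete_cache($1)
')
```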
@@ -8701,7 +8853,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Allow the specified domain to read
## apache configuration files.
##
-@@ -579,7 +579,7 @@
+@@ -579,7 +580,7 @@
##
##
##
@@ -8710,7 +8862,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
##
##
-@@ -715,6 +715,7 @@
+@@ -715,6 +716,7 @@
')
allow $1 httpd_modules_t:dir list_dir_perms;
@@ -8718,7 +8870,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -782,6 +783,32 @@
+@@ -782,6 +784,32 @@
########################################
##
@@ -8751,7 +8903,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Execute all web scripts in the system
## script domain.
##
-@@ -791,16 +818,18 @@
+@@ -791,16 +819,18 @@
##
##
#
@@ -8774,7 +8926,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -859,6 +888,8 @@
+@@ -859,6 +889,8 @@
##
##
#
@@ -8783,7 +8935,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
interface(`apache_run_all_scripts',`
gen_require(`
attribute httpd_exec_scripts, httpd_script_domains;
-@@ -884,7 +915,7 @@
+@@ -884,7 +916,7 @@
type httpd_squirrelmail_t;
')
@@ -8792,7 +8944,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1043,6 +1074,44 @@
+@@ -1043,6 +1075,44 @@
########################################
##
@@ -8837,7 +8989,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## All of the rules required to administrate an apache environment
##
##
-@@ -1072,11 +1141,17 @@
+@@ -1072,11 +1142,17 @@
type httpd_modules_t, httpd_lock_t;
type httpd_var_run_t, httpd_php_tmp_t;
type httpd_suexec_tmp_t, httpd_tmp_t;
@@ -8855,7 +9007,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
-@@ -1096,12 +1171,57 @@
+@@ -1096,12 +1172,57 @@
kernel_search_proc($1)
allow $1 httpd_t:dir list_dir_perms;
@@ -8916,7 +9068,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.31/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/services/apache.te 2009-09-11 09:48:03.000000000 -0400
++++ serefpolicy-3.6.31/policy/modules/services/apache.te 2009-09-14 11:32:56.000000000 -0400
@@ -19,6 +19,8 @@
# Declarations
#
@@ -9391,7 +9543,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -535,6 +684,22 @@
+@@ -535,6 +684,23 @@
userdom_use_user_terminals(httpd_helper_t)
@@ -9408,13 +9560,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ unconfined_domain(httpd_unconfined_script_t)
+
+ role system_r types httpd_unconfined_script_t;
++ allow httpd_t httpd_unconfined_script_t:process signal_perms;
+')
+
+
########################################
#
# Apache PHP script local policy
-@@ -564,20 +729,25 @@
+@@ -564,20 +730,25 @@
fs_search_auto_mountpoints(httpd_php_t)
@@ -9446,7 +9599,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -595,23 +765,24 @@
+@@ -595,23 +766,24 @@
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
@@ -9475,7 +9628,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -624,6 +795,7 @@
+@@ -624,6 +796,7 @@
logging_send_syslog_msg(httpd_suexec_t)
miscfiles_read_localization(httpd_suexec_t)
@@ -9483,7 +9636,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`httpd_can_network_connect',`
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
-@@ -631,22 +803,30 @@
+@@ -631,22 +804,30 @@
corenet_all_recvfrom_unlabeled(httpd_suexec_t)
corenet_all_recvfrom_netlabel(httpd_suexec_t)
@@ -9521,7 +9674,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -672,15 +852,14 @@
+@@ -672,15 +853,14 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -9540,7 +9693,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
dontaudit httpd_sys_script_t httpd_config_t:dir search;
-@@ -699,12 +878,24 @@
+@@ -699,12 +879,24 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@@ -9567,7 +9720,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -712,6 +903,35 @@
+@@ -712,6 +904,35 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@@ -9603,7 +9756,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -724,6 +944,10 @@
+@@ -724,6 +945,10 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -9614,7 +9767,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -735,6 +959,8 @@
+@@ -735,6 +960,8 @@
# httpd_rotatelogs local policy
#
@@ -9623,7 +9776,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-@@ -754,6 +980,12 @@
+@@ -754,6 +981,12 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -9636,7 +9789,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
# allow accessing files/dirs below the users home dir
-@@ -762,3 +994,74 @@
+@@ -762,3 +995,74 @@
userdom_search_user_home_dirs(httpd_suexec_t)
userdom_search_user_home_dirs(httpd_user_script_t)
')
@@ -10512,7 +10665,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.31/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/services/cron.if 2009-09-09 15:38:24.000000000 -0400
++++ serefpolicy-3.6.31/policy/modules/services/cron.if 2009-09-14 12:11:46.000000000 -0400
@@ -12,6 +12,10 @@
##
#
@@ -10816,7 +10969,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.31/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/services/cron.te 2009-09-09 18:02:56.000000000 -0400
++++ serefpolicy-3.6.31/policy/modules/services/cron.te 2009-09-14 12:53:22.000000000 -0400
@@ -38,6 +38,10 @@
type cron_var_lib_t;
files_type(cron_var_lib_t)
@@ -10956,15 +11109,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
-@@ -209,6 +239,7 @@
+@@ -207,8 +237,10 @@
+ userdom_use_unpriv_users_fds(crond_t)
+ # Not sure why this is needed
userdom_list_user_home_dirs(crond_t)
++userdom_create_all_users_keys(crond_t)
mta_send_mail(crond_t)
+mta_system_content(cron_spool_t)
ifdef(`distro_debian',`
# pam_limits is used
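Review bot: `++userdom_create_all_users_keys(crond_t)` lands directly under the pre-existing `# Not sure why this is needed` comment, which now reads as if it covered the new line too, and the new access (creating keyrings owned by every user) has no rationale of its own; a comment such as `# presumably pam_keyinit setting up the job's session keyring — confirm` above it would separate the two and record the reason. The enclosing crond_t section continues outside the hunk.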
-@@ -228,21 +259,45 @@
+@@ -228,21 +260,45 @@
')
')
@@ -11011,7 +11167,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -269,8 +324,8 @@
+@@ -269,8 +325,8 @@
# System cron process domain
#
@@ -11022,7 +11178,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;
-@@ -281,10 +336,17 @@
+@@ -281,10 +337,17 @@
# This is to handle /var/lib/misc directory. Used currently
# by prelink var/lib files for cron
@@ -11041,7 +11197,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
-@@ -304,6 +366,7 @@
+@@ -304,6 +367,7 @@
allow system_cronjob_t crond_t:fd use;
allow system_cronjob_t crond_t:fifo_file rw_file_perms;
allow system_cronjob_t crond_t:process sigchld;
@@ -11049,7 +11205,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Write /var/lock/makewhatis.lock.
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-@@ -315,9 +378,13 @@
+@@ -315,9 +379,13 @@
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
@@ -11064,7 +11220,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
-@@ -371,7 +438,8 @@
+@@ -340,6 +408,7 @@
+ dev_getattr_all_blk_files(system_cronjob_t)
+ dev_getattr_all_chr_files(system_cronjob_t)
+ dev_read_urand(system_cronjob_t)
++dev_read_sysfs(system_cronjob_t)
+
+ fs_getattr_all_fs(system_cronjob_t)
+ fs_getattr_all_files(system_cronjob_t)
+@@ -366,12 +435,14 @@
+ # Access other spool directories like
+ # /var/spool/anacron and /var/spool/slrnpull.
+ files_manage_generic_spool(system_cronjob_t)
++files_create_boot_flag(system_cronjob_t)
+
+ init_use_script_fds(system_cronjob_t)
init_read_utmp(system_cronjob_t)
init_dontaudit_rw_utmp(system_cronjob_t)
# prelink tells init to restart it self, we either need to allow or dontaudit
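Review bot: `++files_create_boot_flag(system_cronjob_t)` lets every system cron job create boot-flag files (such as /.autorelabel) in the root directory, and nothing in the hunk says which job needs it; the comment style used two lines above (`# Access other spool directories like ...`) should be followed, e.g. `# <job name> creates a boot flag on completion — confirm which job`, with the placeholder replaced by the actual job. Without that the next reviewer cannot tell whether the access is still needed once that job changes. The system_cronjob_t section continues outside the hunk.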
@@ -11074,7 +11244,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_use_nsswitch(system_cronjob_t)
-@@ -379,6 +447,7 @@
+@@ -379,6 +450,7 @@
libs_exec_ld_so(system_cronjob_t)
logging_read_generic_logs(system_cronjob_t)
@@ -11082,7 +11252,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(system_cronjob_t)
miscfiles_read_localization(system_cronjob_t)
-@@ -388,6 +457,8 @@
+@@ -388,6 +460,8 @@
ifdef(`distro_redhat', `
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
@@ -11091,15 +11261,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# via redirection of standard out.
optional_policy(`
rpm_manage_log(system_cronjob_t)
-@@ -412,6 +483,7 @@
+@@ -412,6 +486,7 @@
apache_read_config(system_cronjob_t)
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
-+ apache_delete_cache_files(system_cronjob_t)
++ apache_delete_cache(system_cronjob_t)
')
optional_policy(`
-@@ -419,6 +491,14 @@
+@@ -419,6 +494,14 @@
')
optional_policy(`
@@ -11114,7 +11284,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ftp_read_log(system_cronjob_t)
')
-@@ -429,11 +509,20 @@
+@@ -429,11 +512,20 @@
')
optional_policy(`
@@ -11135,7 +11305,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -445,9 +534,11 @@
+@@ -445,9 +537,11 @@
')
optional_policy(`
@@ -11149,7 +11319,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -461,8 +552,8 @@
+@@ -461,8 +555,8 @@
')
optional_policy(`
@@ -11160,7 +11330,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -470,24 +561,17 @@
+@@ -470,24 +564,17 @@
')
optional_policy(`
@@ -11188,7 +11358,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow cronjob_t self:process { signal_perms setsched };
allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
-@@ -571,6 +655,9 @@
+@@ -571,6 +658,9 @@
userdom_manage_user_home_content_sockets(cronjob_t)
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
@@ -11198,7 +11368,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`fcron_crond', `
allow crond_t user_cron_spool_t:file manage_file_perms;
')
-@@ -590,13 +677,5 @@
+@@ -590,13 +680,5 @@
#
optional_policy(`
@@ -11658,7 +11828,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow $1 devicekit_t:process { ptrace signal_perms getattr };
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.31/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/services/devicekit.te 2009-09-10 10:27:07.000000000 -0400
++++ serefpolicy-3.6.31/policy/modules/services/devicekit.te 2009-09-14 12:14:36.000000000 -0400
@@ -36,12 +36,15 @@
manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
@@ -11698,15 +11868,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_setsched(devicekit_disk_t)
corecmd_exec_bin(devicekit_disk_t)
-@@ -79,21 +87,31 @@
+@@ -79,21 +87,34 @@
dev_rw_sysfs(devicekit_disk_t)
dev_read_urand(devicekit_disk_t)
dev_getattr_usbfs_dirs(devicekit_disk_t)
+dev_manage_generic_files(devicekit_disk_t)
-+
-+domain_read_all_domains_state(devicekit_disk_t)
-+domain_getattr_all_stream_sockets(devicekit_disk_t)
++dev_getattr_all_chr_files(devicekit_disk_t)
++domain_read_all_domains_state(devicekit_disk_t)
++domain_getattr_all_sockets(devicekit_disk_t)
++domain_getattr_all_pipes(devicekit_disk_t)
++
++files_getattr_all_sockets(devicekit_disk_t)
+files_getattr_all_mountpoints(devicekit_disk_t)
+files_getattr_all_files(devicekit_disk_t)
files_manage_mnt_dirs(devicekit_disk_t)
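Review bot: The devicekit_disk_t block widens `domain_getattr_all_stream_sockets` to `domain_getattr_all_sockets` and adds `domain_getattr_all_pipes`, `files_getattr_all_sockets` and `dev_getattr_all_chr_files` without saying which operation of the daemon needs to stat every domain's sockets and pipes. Elsewhere this patch records such reasons inline (`# for lsof which is used by alsa shutdown:` in init.te), so a one-line why-comment above the block, e.g. `# stats open files of other processes -- TODO confirm which call needs this`, would keep the broadening reviewable and make it possible to narrow later. The enclosing devicekit_disk_t block continues outside the hunk.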
@@ -11731,7 +11904,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_use_nsswitch(devicekit_disk_t)
miscfiles_read_localization(devicekit_disk_t)
-@@ -110,6 +128,7 @@
+@@ -110,6 +131,7 @@
')
optional_policy(`
@@ -11739,7 +11912,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
policykit_domtrans_auth(devicekit_disk_t)
policykit_read_lib(devicekit_disk_t)
policykit_read_reload(devicekit_disk_t)
-@@ -134,14 +153,22 @@
+@@ -134,14 +156,22 @@
udev_read_db(devicekit_disk_t)
')
@@ -11756,14 +11929,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#
-allow devicekit_power_t self:capability { dac_override sys_tty_config sys_nice sys_ptrace };
-+allow devicekit_power_t self:capability { dac_override net_admin sys_tty_config sys_nice sys_ptrace };
++allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
+allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
-@@ -151,6 +178,7 @@
+@@ -151,6 +181,7 @@
kernel_read_system_state(devicekit_power_t)
kernel_rw_hotplug_sysctls(devicekit_power_t)
kernel_rw_kernel_sysctl(devicekit_power_t)
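Review bot: `sys_admin` is added to devicekit_power_t's `self:capability` set on the `++allow` line with no comment, and it is by far the broadest capability in that set (mount, hotplug control and many unrelated privileged operations), so a later reader cannot tell which single operation needed it or whether a narrower permission would do. Suggest a comment directly above the line naming the operation, e.g. `# sys_admin: needed for <operation -- TODO confirm>`, and confirming that the denial which motivated it was really a capability check rather than a different object class. The same comment is missing for `setpcap` added to irqbalance_t in the irqbalance.te hunk below. The devicekit_power_t block continues outside the hunk.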
@@ -11771,7 +11944,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_exec_bin(devicekit_power_t)
corecmd_exec_shell(devicekit_power_t)
-@@ -159,6 +187,7 @@
+@@ -159,6 +190,7 @@
domain_read_all_domains_state(devicekit_power_t)
@@ -11779,7 +11952,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_rw_generic_usb_dev(devicekit_power_t)
dev_rw_netcontrol(devicekit_power_t)
dev_rw_sysfs(devicekit_power_t)
-@@ -167,12 +196,17 @@
+@@ -167,12 +199,17 @@
files_read_etc_files(devicekit_power_t)
files_read_usr_files(devicekit_power_t)
@@ -11797,7 +11970,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_read_all_users_state(devicekit_power_t)
optional_policy(`
-@@ -180,8 +214,11 @@
+@@ -180,8 +217,11 @@
')
optional_policy(`
@@ -11810,7 +11983,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow devicekit_power_t devicekit_t:dbus send_msg;
optional_policy(`
-@@ -203,17 +240,23 @@
+@@ -203,17 +243,23 @@
optional_policy(`
hal_domtrans_mac(devicekit_power_t)
@@ -11901,6 +12074,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
spamassassin_exec(exim_t)
spamassassin_exec_client(exim_t)
')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.6.31/policy/modules/services/fail2ban.te
+--- nsaserefpolicy/policy/modules/services/fail2ban.te 2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.6.31/policy/modules/services/fail2ban.te 2009-09-15 11:24:45.000000000 -0400
+@@ -33,6 +33,7 @@
+ allow fail2ban_t self:process signal;
+ allow fail2ban_t self:fifo_file rw_fifo_file_perms;
+ allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms };
++allow fail2ban_t self:unix_dgram_socket create_socket_perms;
+ allow fail2ban_t self:tcp_socket create_stream_socket_perms;
+
+ # log files
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.6.31/policy/modules/services/fetchmail.te
--- nsaserefpolicy/policy/modules/services/fetchmail.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.6.31/policy/modules/services/fetchmail.te 2009-09-09 15:38:24.000000000 -0400
@@ -12498,8 +12682,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
miscfiles_read_localization(inetd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/irqbalance.te serefpolicy-3.6.31/policy/modules/services/irqbalance.te
--- nsaserefpolicy/policy/modules/services/irqbalance.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/services/irqbalance.te 2009-09-10 11:10:00.000000000 -0400
-@@ -22,7 +22,7 @@
++++ serefpolicy-3.6.31/policy/modules/services/irqbalance.te 2009-09-14 11:37:06.000000000 -0400
+@@ -18,11 +18,11 @@
+ # Local policy
+ #
+
+-allow irqbalance_t self:capability net_admin;
++allow irqbalance_t self:capability { setpcap net_admin };
allow irqbalance_t self:udp_socket create_socket_perms;
dontaudit irqbalance_t self:capability sys_tty_config;
@@ -13884,8 +14073,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.6.31/policy/modules/services/nx.if
--- nsaserefpolicy/policy/modules/services/nx.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/services/nx.if 2009-09-09 15:38:24.000000000 -0400
-@@ -17,3 +17,21 @@
++++ serefpolicy-3.6.31/policy/modules/services/nx.if 2009-09-14 13:19:13.000000000 -0400
+@@ -17,3 +17,22 @@
spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t)
')
@@ -13906,6 +14095,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ')
+
+ read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
++ read_lnk_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.6.31/policy/modules/services/nx.te
--- nsaserefpolicy/policy/modules/services/nx.te 2009-08-14 16:14:31.000000000 -0400
@@ -17256,7 +17446,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.6.31/policy/modules/services/setroubleshoot.if
--- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/services/setroubleshoot.if 2009-09-09 15:38:24.000000000 -0400
++++ serefpolicy-3.6.31/policy/modules/services/setroubleshoot.if 2009-09-14 12:25:32.000000000 -0400
@@ -16,8 +16,8 @@
')
@@ -17356,14 +17546,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.31/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/services/setroubleshoot.te 2009-09-09 15:38:24.000000000 -0400
++++ serefpolicy-3.6.31/policy/modules/services/setroubleshoot.te 2009-09-14 12:26:18.000000000 -0400
@@ -22,13 +22,19 @@
type setroubleshoot_var_run_t;
files_pid_file(setroubleshoot_var_run_t)
-+ type setroubleshoot_fixit_t;
-+ type setroubleshoot_fixit_exec_t;
-+ dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
++type setroubleshoot_fixit_t;
++type setroubleshoot_fixit_exec_t;
++dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
+
########################################
#
@@ -17372,10 +17562,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-allow setroubleshootd_t self:capability { dac_override sys_tty_config };
-allow setroubleshootd_t self:process { signull signal getattr getsched };
-+ allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config };
-+ allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal };
++allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config };
++allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal };
+# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run
-+ allow setroubleshootd_t self:process { execmem execstack };
++allow setroubleshootd_t self:process { execmem execstack };
allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -17418,7 +17608,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
selinux_get_enforce_mode(setroubleshootd_t)
selinux_validate_context(setroubleshootd_t)
-@@ -94,23 +113,73 @@
+@@ -94,23 +113,74 @@
locallogin_dontaudit_use_fds(setroubleshootd_t)
@@ -17455,35 +17645,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+#
+# setroubleshoot_fixit local policy
+#
-+ allow setroubleshoot_fixit_t self:capability sys_nice;
-+ allow setroubleshoot_fixit_t self:process { setsched getsched };
-+ allow setroubleshoot_fixit_t self:fifo_file rw_fifo_file_perms;
-+ allow setroubleshoot_fixit_t self:unix_dgram_socket create_socket_perms;
++allow setroubleshoot_fixit_t self:capability sys_nice;
++allow setroubleshoot_fixit_t self:process { setsched getsched };
++allow setroubleshoot_fixit_t self:fifo_file rw_fifo_file_perms;
++allow setroubleshoot_fixit_t self:unix_dgram_socket create_socket_perms;
+
-+ setroubleshoot_dbus_chat(setroubleshoot_fixit_t)
++setroubleshoot_dbus_chat(setroubleshoot_fixit_t)
++setroubleshoot_stream_connect(setroubleshoot_fixit_t)
+
-+ corecmd_exec_bin(setroubleshoot_fixit_t)
-+ corecmd_exec_shell(setroubleshoot_fixit_t)
++corecmd_exec_bin(setroubleshoot_fixit_t)
++corecmd_exec_shell(setroubleshoot_fixit_t)
+
-+ seutil_domtrans_restorecon(setroubleshoot_fixit_t)
++seutil_domtrans_restorecon(setroubleshoot_fixit_t)
+
-+ files_read_usr_files(setroubleshoot_fixit_t)
-+ files_read_etc_files(setroubleshoot_fixit_t)
-+ files_list_tmp(setroubleshoot_fixit_t)
++files_read_usr_files(setroubleshoot_fixit_t)
++files_read_etc_files(setroubleshoot_fixit_t)
++files_list_tmp(setroubleshoot_fixit_t)
+
-+ kernel_read_system_state(setroubleshoot_fixit_t)
++kernel_read_system_state(setroubleshoot_fixit_t)
+
-+ auth_use_nsswitch(setroubleshoot_fixit_t)
++auth_use_nsswitch(setroubleshoot_fixit_t)
+
-+ logging_send_audit_msgs(setroubleshoot_fixit_t)
-+ logging_send_syslog_msg(setroubleshoot_fixit_t)
++logging_send_audit_msgs(setroubleshoot_fixit_t)
++logging_send_syslog_msg(setroubleshoot_fixit_t)
+
-+ miscfiles_read_localization(setroubleshoot_fixit_t)
++miscfiles_read_localization(setroubleshoot_fixit_t)
+
-+ userdom_dontaudit_search_admin_dir(setroubleshoot_fixit_t)
++userdom_dontaudit_search_admin_dir(setroubleshoot_fixit_t)
+
-+ optional_policy(`
-+ rpm_signull(setroubleshoot_fixit_t)
++optional_policy(`
++ rpm_signull(setroubleshoot_fixit_t)
+ rpm_read_db(setroubleshoot_fixit_t)
+ rpm_dontaudit_manage_db(setroubleshoot_fixit_t)
+ rpm_use_script_fds(setroubleshoot_fixit_t)
@@ -17590,7 +17781,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.31/policy/modules/services/spamassassin.if
--- nsaserefpolicy/policy/modules/services/spamassassin.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/services/spamassassin.if 2009-09-09 15:38:24.000000000 -0400
++++ serefpolicy-3.6.31/policy/modules/services/spamassassin.if 2009-09-15 08:26:58.000000000 -0400
@@ -111,6 +111,27 @@
')
@@ -17619,15 +17810,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -166,6 +187,7 @@
+@@ -166,7 +187,9 @@
')
files_search_var_lib($1)
+ list_dirs_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
++ read_lnk_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
')
-@@ -225,3 +247,69 @@
+ ########################################
+@@ -225,3 +248,69 @@
dontaudit $1 spamd_tmp_t:sock_file getattr;
')
@@ -17699,7 +17892,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.31/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/services/spamassassin.te 2009-09-09 15:38:24.000000000 -0400
++++ serefpolicy-3.6.31/policy/modules/services/spamassassin.te 2009-09-15 08:27:19.000000000 -0400
@@ -20,6 +20,35 @@
##
gen_tunable(spamd_enable_home_dirs, true)
@@ -17901,12 +18094,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -316,10 +396,11 @@
+@@ -316,10 +396,12 @@
# var/lib files for spamd
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
-read_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
+manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
++manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
@@ -17914,7 +18108,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
kernel_read_all_sysctls(spamd_t)
-@@ -369,22 +450,27 @@
+@@ -369,22 +451,27 @@
init_dontaudit_rw_utmp(spamd_t)
@@ -17946,7 +18140,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_manage_cifs_files(spamd_t)
')
-@@ -402,23 +488,16 @@
+@@ -402,23 +489,16 @@
optional_policy(`
dcc_domtrans_client(spamd_t)
@@ -17971,7 +18165,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
postfix_read_config(spamd_t)
')
-@@ -433,6 +512,10 @@
+@@ -433,6 +513,10 @@
optional_policy(`
razor_domtrans(spamd_t)
@@ -17982,7 +18176,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -445,5 +528,9 @@
+@@ -445,5 +529,9 @@
')
optional_policy(`
@@ -18875,7 +19069,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.31/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/services/virt.te 2009-09-11 10:18:49.000000000 -0400
++++ serefpolicy-3.6.31/policy/modules/services/virt.te 2009-09-14 13:14:55.000000000 -0400
@@ -20,6 +20,28 @@
##
gen_tunable(virt_use_samba, false)
@@ -18990,7 +19184,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -97,30 +156,54 @@
+@@ -97,30 +156,55 @@
corenet_tcp_sendrecv_generic_node(virtd_t)
corenet_tcp_sendrecv_all_ports(virtd_t)
corenet_tcp_bind_generic_node(virtd_t)
@@ -19024,6 +19218,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+files_read_usr_src_files(virtd_t)
+
+# Manages /etc/sysconfig/system-config-firewall
++iptables_manage_config(virtd_t)
+files_manage_etc_files(virtd_t)
+
+modutils_read_module_deps(virtd_t)
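Review bot: `iptables_manage_config(virtd_t)` is added directly above `files_manage_etc_files(virtd_t)`, but the broad grant stays, so virtd_t still gets write access to every etc_t file and the new iptables_conf_t type brings no reduction in privilege here. The comment `# Manages /etc/sysconfig/system-config-firewall` reads as if that file was the only reason for the etc_t rule; if so, `files_manage_etc_files(virtd_t)` can be dropped now that the file is labeled iptables_conf_t in iptables.fc, otherwise the comment should name what else in /etc virtd writes. The enclosing virtd_t block continues outside the hunk.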
@@ -19048,7 +19243,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
-@@ -130,7 +213,14 @@
+@@ -130,7 +214,14 @@
logging_send_syslog_msg(virtd_t)
@@ -19063,7 +19258,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -168,22 +258,35 @@
+@@ -168,22 +259,35 @@
dnsmasq_domtrans(virtd_t)
dnsmasq_signal(virtd_t)
dnsmasq_kill(virtd_t)
@@ -19104,7 +19299,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -196,8 +299,159 @@
+@@ -196,8 +300,159 @@
xen_stream_connect(virtd_t)
xen_stream_connect_xenstore(virtd_t)
@@ -21521,7 +21716,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.31/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/system/init.te 2009-09-09 15:38:24.000000000 -0400
++++ serefpolicy-3.6.31/policy/modules/system/init.te 2009-09-15 08:13:39.000000000 -0400
@@ -17,6 +17,20 @@
##
gen_tunable(init_upstart, false)
@@ -21664,7 +21859,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(initrc_t)
corenet_all_recvfrom_netlabel(initrc_t)
-@@ -272,16 +315,62 @@
+@@ -272,16 +315,63 @@
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
@@ -21683,6 +21878,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_delete_generic_symlinks(initrc_t)
+dev_getattr_all_blk_files(initrc_t)
+dev_getattr_all_chr_files(initrc_t)
++dev_rw_xserver_misc(initrc_t)
+
+fs_list_inotifyfs(initrc_t)
+fs_register_binary_executable_type(initrc_t)
@@ -21728,7 +21924,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -291,7 +380,7 @@
+@@ -291,7 +381,7 @@
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -21737,7 +21933,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -306,14 +395,15 @@
+@@ -306,14 +396,15 @@
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -21755,7 +21951,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_exec_etc_files(initrc_t)
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
-@@ -324,48 +414,16 @@
+@@ -324,48 +415,16 @@
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -21808,7 +22004,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(initrc_t)
logging_manage_generic_logs(initrc_t)
logging_read_all_logs(initrc_t)
-@@ -374,19 +432,22 @@
+@@ -374,19 +433,22 @@
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -21832,7 +22028,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -422,8 +483,6 @@
+@@ -422,8 +484,6 @@
# init scripts touch this
clock_dontaudit_write_adjtime(initrc_t)
@@ -21841,7 +22037,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# for integrated run_init to read run_init_type.
# happens during boot (/sbin/rc execs init scripts)
seutil_read_default_contexts(initrc_t)
-@@ -450,11 +509,9 @@
+@@ -450,11 +510,9 @@
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -21854,7 +22050,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# These seem to be from the initrd
# during device initialization:
dev_create_generic_dirs(initrc_t)
-@@ -464,6 +521,7 @@
+@@ -464,6 +522,7 @@
storage_raw_read_fixed_disk(initrc_t)
storage_raw_write_fixed_disk(initrc_t)
@@ -21862,7 +22058,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
# wants to read /.fonts directory
-@@ -492,11 +550,17 @@
+@@ -492,11 +551,17 @@
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@@ -21880,7 +22076,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -515,6 +579,33 @@
+@@ -515,6 +580,33 @@
')
')
@@ -21914,7 +22110,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -567,10 +658,19 @@
+@@ -567,10 +659,19 @@
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -21934,7 +22130,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -590,6 +690,10 @@
+@@ -590,6 +691,10 @@
')
optional_policy(`
@@ -21945,7 +22141,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_read_usbfs(initrc_t)
# init scripts run /etc/hotplug/usb.rc
-@@ -646,20 +750,20 @@
+@@ -646,20 +751,20 @@
')
optional_policy(`
@@ -21972,7 +22168,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
ifdef(`distro_redhat',`
-@@ -668,6 +772,7 @@
+@@ -668,6 +773,7 @@
mysql_stream_connect(initrc_t)
mysql_write_log(initrc_t)
@@ -21980,7 +22176,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -696,7 +801,6 @@
+@@ -696,7 +802,6 @@
')
optional_policy(`
@@ -21988,7 +22184,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -718,8 +822,6 @@
+@@ -718,8 +823,6 @@
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -21997,7 +22193,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -732,13 +834,16 @@
+@@ -732,13 +835,16 @@
squid_manage_logs(initrc_t)
')
@@ -22014,7 +22210,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -747,6 +852,7 @@
+@@ -747,6 +853,7 @@
optional_policy(`
udev_rw_db(initrc_t)
@@ -22022,7 +22218,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -754,6 +860,15 @@
+@@ -754,6 +861,15 @@
')
optional_policy(`
@@ -22038,7 +22234,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
unconfined_domain(initrc_t)
ifdef(`distro_redhat',`
-@@ -764,6 +879,13 @@
+@@ -764,6 +880,13 @@
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -22052,7 +22248,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -789,3 +911,31 @@
+@@ -789,3 +912,31 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -22294,9 +22490,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ipsec_setcontext_default_spd(setkey_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.31/policy/modules/system/iptables.fc
--- nsaserefpolicy/policy/modules/system/iptables.fc 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/system/iptables.fc 2009-09-09 15:38:24.000000000 -0400
-@@ -1,7 +1,10 @@
++++ serefpolicy-3.6.31/policy/modules/system/iptables.fc 2009-09-14 13:14:55.000000000 -0400
+@@ -1,7 +1,16 @@
-/sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
++
++/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
++
++/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
++/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
++
/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/iptables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
@@ -22310,10 +22512,144 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.6.31/policy/modules/system/iptables.if
+--- nsaserefpolicy/policy/modules/system/iptables.if 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.31/policy/modules/system/iptables.if 2009-09-14 13:14:55.000000000 -0400
+@@ -19,6 +19,24 @@
+ domtrans_pattern($1, iptables_exec_t, iptables_t)
+ ')
+
++#####################################
++##
++## Execute iptables in the iptables domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`iptables_initrc_domtrans',`
++ gen_require(`
++ type iptables_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, iptables_initrc_exec_t)
++')
++
+ ########################################
+ ##
+ ## Execute iptables in the iptables domain, and
+@@ -69,3 +87,82 @@
+ corecmd_search_bin($1)
+ can_exec($1, iptables_exec_t)
+ ')
++
++#####################################
++##
++## Set the attributes of iptables config files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`iptables_setattr_config',`
++ gen_require(`
++ type iptables_conf_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 iptables_conf_t:file setattr;
++')
++
++#####################################
++##
++## Read iptables config files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`iptables_read_config',`
++ gen_require(`
++ type iptables_conf_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 iptables_conf_t:dir list_dir_perms;
++ read_files_pattern($1, iptables_conf_t, iptables_conf_t)
++')
++
++#####################################
++##
++## Create files in /etc with the type used for
++## the iptables config files.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`iptables_etc_filetrans_config',`
++ gen_require(`
++ type iptables_conf_t;
++ ')
++
++ files_etc_filetrans($1, iptables_conf_t, file)
++')
++
++###################################
++##
++## Manage iptables config files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`iptables_manage_config',`
++ gen_require(`
++ type iptables_conf_t;
++ type etc_t;
++ ')
++
++ files_search_etc($1)
++ manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
++')
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.31/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/system/iptables.te 2009-09-09 15:38:24.000000000 -0400
-@@ -53,6 +53,7 @@
++++ serefpolicy-3.6.31/policy/modules/system/iptables.te 2009-09-14 13:14:55.000000000 -0400
+@@ -11,6 +11,12 @@
+ init_system_domain(iptables_t, iptables_exec_t)
+ role system_r types iptables_t;
+
++type iptables_initrc_exec_t;
++init_script_file(iptables_initrc_exec_t)
++
++type iptables_conf_t;
++files_config_file(iptables_conf_t)
++
+ type iptables_tmp_t;
+ files_tmp_file(iptables_tmp_t)
+
+@@ -27,6 +33,9 @@
+ allow iptables_t self:process { sigchld sigkill sigstop signull signal };
+ allow iptables_t self:rawip_socket create_socket_perms;
+
++manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
++files_etc_filetrans(iptables_t, iptables_conf_t, file)
++
+ manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
+ files_pid_filetrans(iptables_t, iptables_var_run_t, file)
+
+@@ -53,6 +62,7 @@
mls_file_read_all_levels(iptables_t)
term_dontaudit_use_console(iptables_t)
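Review bot: `iptables_manage_config` lists `type etc_t;` in its gen_require block but never references etc_t, so that require line is dead and should be removed (`files_search_etc($1)` already covers the directory search). The summary of `iptables_initrc_domtrans` is copied from the domtrans interface, `## Execute iptables in the iptables domain.`, although it transitions on the init script via `init_labeled_script_domtrans`; `## Execute the iptables init script in the initrc domain.` describes what it does. In iptables.te, `files_etc_filetrans(iptables_t, iptables_conf_t, file)` labels every file iptables_t creates directly under /etc as iptables_conf_t, presumably for the saved rule set, but it applies to anything else the tools write there; a comment such as `# saved rule set written by iptables-save` would record that assumption for the next reader.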
@@ -22321,7 +22657,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_use_interactive_fds(iptables_t)
-@@ -100,6 +101,10 @@
+@@ -100,6 +110,10 @@
')
optional_policy(`
@@ -23129,8 +23465,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# gentoo init scripts still manage this file
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.6.31/policy/modules/system/modutils.if
--- nsaserefpolicy/policy/modules/system/modutils.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/system/modutils.if 2009-09-11 10:18:38.000000000 -0400
-@@ -41,8 +41,8 @@
++++ serefpolicy-3.6.31/policy/modules/system/modutils.if 2009-09-14 13:14:55.000000000 -0400
+@@ -1,5 +1,24 @@
+ ## Policy for kernel module utilities
+
++######################################
++##
++## Getattr the dependencies of kernel modules.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`modutils_getattr_module_deps',`
++ gen_require(`
++ type modules_dep_t;
++ ')
++
++
++ getattr_files_pattern($1,modules_object_t,modules_dep_t)
++')
++
+ ########################################
+ ##
+ ## Read the dependencies of kernel modules.
+@@ -41,8 +60,8 @@
files_search_etc($1)
files_search_boot($1)
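Review bot: `modutils_getattr_module_deps` uses `modules_object_t` as the directory type in `getattr_files_pattern($1,modules_object_t,modules_dep_t)` but only requires `type modules_dep_t;`; refpolicy interfaces list every type they reference in gen_require, so `type modules_object_t;` belongs there too (the type is presumably declared in files.te, which is why the build does not catch it). The call also lacks the file's spacing convention and is preceded by two blank lines; `getattr_files_pattern($1, modules_object_t, modules_dep_t)` with a single blank line matches the neighbouring interfaces.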
@@ -23141,7 +23502,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -61,7 +61,7 @@
+@@ -61,7 +80,7 @@
type modules_conf_t;
')
@@ -23150,7 +23511,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -80,7 +80,26 @@
+@@ -80,7 +99,26 @@
type modules_conf_t;
')
@@ -23180,7 +23541,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.31/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/system/modutils.te 2009-09-09 15:47:14.000000000 -0400
++++ serefpolicy-3.6.31/policy/modules/system/modutils.te 2009-09-14 13:14:55.000000000 -0400
@@ -19,6 +19,7 @@
type insmod_exec_t;
application_domain(insmod_t, insmod_exec_t)
@@ -23189,6 +23550,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
role system_r types insmod_t;
# module loading config
+@@ -45,7 +46,7 @@
+ can_exec(depmod_t, depmod_exec_t)
+
+ # Read conf.modules.
+-allow depmod_t modules_conf_t:file read_file_perms;
++read_files_pattern(depmod_t, modules_conf_t, modules_conf_t)
+
+ allow depmod_t modules_dep_t:file manage_file_perms;
+ files_kernel_modules_filetrans(depmod_t, modules_dep_t, file)
@@ -56,6 +57,7 @@
domain_use_interactive_fds(depmod_t)
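Review bot: `read_files_pattern(depmod_t, modules_conf_t, modules_conf_t)` grants more than the `allow depmod_t modules_conf_t:file read_file_perms;` it replaces: if the macro follows the reference-policy definition it also allows `modules_conf_t:dir search_dir_perms`, and the same widening applies to the insmod_t rewrites in the `@@ -23220,7 +23590,14 @@` hunk and to `manage_files_pattern(update_modules_t, modules_conf_t, modules_conf_t)` in the `@@ -23296,6 +23673,15 @@` hunk, where the directory half becomes `rw_dir_perms`. For `modules_dep_t`, passed as both the directory and the file type, the directory rule only matters if some directory actually carries that label; if it is a file-only type the extra rule is dead weight, and if it is not, that is a new grant the commit message should mention. A one-line comment at each rewrite would make the intent explicit, e.g. `# read_files_pattern also grants dir search on modules_conf_t-labelled config directories`. The inner hunks are complete, but the enclosing depmod_t/insmod_t/update_modules_t policy blocks extend beyond them.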
@@ -23211,7 +23581,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -91,7 +99,7 @@
+@@ -91,19 +99,21 @@
# insmod local policy
#
@@ -23220,7 +23590,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
allow insmod_t self:udp_socket create_socket_perms;
-@@ -104,6 +112,7 @@
+ allow insmod_t self:rawip_socket create_socket_perms;
+
+ # Read module config and dependency information
+-allow insmod_t { modules_conf_t modules_dep_t }:file read_file_perms;
++read_files_pattern(insmod_t, modules_conf_t, modules_conf_t)
++read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
+
+ can_exec(insmod_t, insmod_exec_t)
kernel_load_module(insmod_t)
kernel_read_system_state(insmod_t)
@@ -23228,7 +23605,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_write_proc_files(insmod_t)
kernel_mount_debugfs(insmod_t)
kernel_mount_kvmfs(insmod_t)
-@@ -112,6 +121,7 @@
+@@ -112,6 +122,7 @@
kernel_read_kernel_sysctls(insmod_t)
kernel_rw_kernel_sysctl(insmod_t)
kernel_read_hotplug_sysctls(insmod_t)
@@ -23236,7 +23613,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_exec_bin(insmod_t)
corecmd_exec_shell(insmod_t)
-@@ -124,9 +134,7 @@
+@@ -124,9 +135,7 @@
dev_read_sound(insmod_t)
dev_write_sound(insmod_t)
dev_rw_apm_bios(insmod_t)
@@ -23247,7 +23624,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_signal_all_domains(insmod_t)
domain_use_interactive_fds(insmod_t)
-@@ -144,11 +152,14 @@
+@@ -144,11 +153,14 @@
files_write_kernel_modules(insmod_t)
fs_getattr_xattr_fs(insmod_t)
@@ -23262,7 +23639,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(insmod_t)
logging_search_logs(insmod_t)
-@@ -157,19 +168,30 @@
+@@ -157,19 +169,30 @@
seutil_read_file_contexts(insmod_t)
@@ -23296,6 +23673,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
hotplug_search_config(insmod_t)
')
+@@ -228,7 +251,7 @@
+ can_exec(update_modules_t, update_modules_exec_t)
+
+ # manage module loading configuration
+-allow update_modules_t modules_conf_t:file manage_file_perms;
++manage_files_pattern(update_modules_t, modules_conf_t, modules_conf_t)
+ files_kernel_modules_filetrans(update_modules_t, modules_conf_t, file)
+ files_etc_filetrans(update_modules_t, modules_conf_t, file)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.6.31/policy/modules/system/mount.fc
--- nsaserefpolicy/policy/modules/system/mount.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.31/policy/modules/system/mount.fc 2009-09-09 15:38:24.000000000 -0400
@@ -24923,7 +25309,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.31/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/system/unconfined.if 2009-09-09 15:38:24.000000000 -0400
++++ serefpolicy-3.6.31/policy/modules/system/unconfined.if 2009-09-14 09:54:34.000000000 -0400
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@@ -24994,17 +25380,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -111,16 +122,17 @@
+@@ -111,16 +122,16 @@
##
#
interface(`unconfined_domain',`
-- unconfined_domain_noaudit($1)
+ gen_require(`
+ attribute unconfined_services;
+ ')
+
-+ # unconfined_domain_noaudit($1)
-+ permissive $1;
+ unconfined_domain_noaudit($1)
tunable_policy(`allow_execheap',`
auditallow $1 self:process execheap;
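Review bot: The `gen_require` block added at the top of `unconfined_domain` pulls in `attribute unconfined_services`, but nothing in the visible part of the interface references it, and the body continues past the hunk, so either a later line uses it or the require is dead. Reinstating `unconfined_domain_noaudit($1)` in place of the earlier `permissive $1;` is the right direction: a `permissive` statement disables enforcement for the domain but still emits AVC denials to the audit log, which is noise rather than policy, and it is not equivalent to the allow set the noaudit interface provides. If `unconfined_services` is consumed only beyond the hunk, a short comment at the require naming that use, e.g. `# required for the unconfined_services typeattribute below`, would keep the dependency readable at this point.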
@@ -25017,7 +25401,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -173,411 +185,3 @@
+@@ -173,411 +184,3 @@
refpolicywarn(`$0($1) has been deprecated.')
')
@@ -25676,7 +26060,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+HOME_DIR/\.gvfs(/.*)? <>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.31/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/system/userdomain.if 2009-09-09 17:50:51.000000000 -0400
++++ serefpolicy-3.6.31/policy/modules/system/userdomain.if 2009-09-14 12:43:18.000000000 -0400
@@ -30,8 +30,9 @@
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 77b2c4c..dddd78d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.31
-Release: 3%{?dist}
+Release: 4%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -304,6 +304,7 @@ Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
Conflicts: audispd-plugins <= 1.7.7-1
Obsoletes: mod_fcgid-selinux
+Conflicts: seedit
%description targeted
SELinux Reference policy targeted base module.
@@ -355,6 +356,7 @@ Group: System Environment/Base
Requires(pre): policycoreutils-python >= %{POLICYCOREUTILSVER}
Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
+Conflicts: seedit
%description minimum
SELinux Reference policy minimum base module.
@@ -388,6 +390,7 @@ Provides: selinux-policy-base
Requires(pre): policycoreutils-python >= %{POLICYCOREUTILSVER}
Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
+Conflicts: seedit
%description olpc
SELinux Reference policy olpc base module.
@@ -419,6 +422,7 @@ Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd
Requires(pre): policycoreutils-python >= %{POLICYCOREUTILSVER}
Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
+Conflicts: seedit
%description mls
SELinux Reference policy mls base module.
@@ -443,6 +447,11 @@ exit 0
%endif
%changelog
+* Mon Sep 14 2009 Dan Walsh 3.6.31-4
+- Fix devicekit_disk_t to getattr on all domains sockets and fifo_files
+- Conflicts seedit (You can not use selinux-policy-targeted and seedit at the same time.)
+
+
* Thu Sep 10 2009 Dan Walsh 3.6.31-3
- Add wordpress/wp-content/uploads label
- Fixes for sandbox when run from staff_t
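Review bot: The 3.6.31-4 changelog entry lists only the devicekit_disk_t fix and the seedit conflict, yet this same commit carries the modutils changes in policy-F12.patch (the new `modutils_getattr_module_deps` interface and the `read_files_pattern`/`manage_files_pattern` rewrites for depmod_t, insmod_t and update_modules_t), so the entry understates what the release changes. A line such as `- Add modutils_getattr_module_deps interface; use file patterns for modules_conf_t/modules_dep_t access` would close the gap. The two consecutive blank lines after the entry can also be reduced to the single separator the rest of the changelog uses.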