diff --git a/.cvsignore b/.cvsignore
index 4c1f1a7..b668565 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -127,3 +127,4 @@ serefpolicy-3.0.6.tgz
serefpolicy-3.0.7.tgz
serefpolicy-3.0.8.tgz
serefpolicy-3.1.0.tgz
+serefpolicy-3.1.1.tgz
diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index eb70247..d122def 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -1,6 +1,6 @@
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
#
-allow_execmem = true
+allow_execmem = false
# Allow making a modified private filemapping executable (text relocation).
#
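Review bot: The rationale for flipping `allow_execmem` to false here, and `allow_execstack` to false in the next hunk, is recorded nowhere in this diff, even though the boolean's own header says it gates runtime code generation, so any program in a domain that relies on it now needs an explicit exception. The `allow_execstack` comment states that it also requires `allow_execmem`, so the two defaults are coupled and should be explained together. I would add a comment above the assignment, e.g. `# Default changed true -> false; rationale: [CHANGELOG ENTRY]`, so the next regenerated copy of this file does not revert it by accident.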
@@ -8,7 +8,7 @@ allow_execmod = false
# Allow making the stack executable via mprotect.Also requires allow_execmem.
#
-allow_execstack = true
+allow_execstack = false
# Allow ftpd to read cifs directories.
#
@@ -148,7 +148,7 @@ stunnel_is_daemon = false
# Support NFS home directories
#
-use_nfs_home_dirs = false
+use_nfs_home_dirs = true
# Support SAMBA home directories
#
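Review bot: `use_nfs_home_dirs = true` widens the default on every install, including those with no NFS home directories, since each domain whose rules are conditioned on this boolean now gets access to NFS-mounted home content, and the `# Support NFS home directories` header says nothing about why it is on by default. The header of the Samba counterpart follows immediately below; if that one keeps its old value the asymmetry should be deliberate and documented. I would record it at the setting, e.g. `# Default on so NFS-homed logins work out of the box; set false on hosts without NFS homes`.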
diff --git a/modules-targeted.conf b/modules-targeted.conf
index ad634d3..bec5ec0 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -887,6 +887,13 @@ portmap = base
#
postfix = base
+o# Layer: services
+# Module: postgrey
+#
+# email scanner
+#
+postgrey = base
+
# Layer: services
# Module: ppp
#
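Review bot: The added line `+o# Layer: services` has a stray leading `o`, so it is not a comment line; depending on how the build reads modules-targeted.conf it is either silently skipped or a parse error, and either way the postgrey entry's header block is malformed. It should be `# Layer: services`. The description `# email scanner` also looks copied from a neighbouring entry: postgrey is a greylisting policy server for Postfix, so `# Postfix greylisting policy server` would be accurate. The xguest entry in the next hunk has a similar slip, `# Minimally privs guest account on X Windows logins`, presumably meant as `Minimally privileged`.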
@@ -1500,6 +1507,13 @@ vmware = module
guest = module
# Layer: users
+# Module: xguest
+#
+# Minimally privs guest account on X Windows logins
+#
+xguest = module
+
+# Layer: users
# Module: logadm
#
# Minimally prived root role for managing logging system
diff --git a/policy-20071023.patch b/policy-20071023.patch
index 3cac7b8..0e8afd2 100644
--- a/policy-20071023.patch
+++ b/policy-20071023.patch
@@ -1,3 +1,14 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Changelog serefpolicy-3.1.0/Changelog
+--- nsaserefpolicy/Changelog 2007-11-08 09:29:27.000000000 -0500
++++ serefpolicy-3.1.0/Changelog 2007-11-06 09:28:26.000000000 -0500
+@@ -12,7 +12,6 @@
+ of confined and unconfined users.
+ - Added modules:
+ exim (Dan Walsh)
+- postfixpolicyd (Jan-Frode Myklebust)
+
+ * Fri Sep 28 2007 Chris PeBenito - 20070928
+ - Add support for setting the unknown permissions handling.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.1.0/config/appconfig-mcs/default_contexts
--- nsaserefpolicy/config/appconfig-mcs/default_contexts 2007-10-12 08:56:09.000000000 -0400
+++ serefpolicy-3.1.0/config/appconfig-mcs/default_contexts 2007-11-06 09:28:35.000000000 -0500
@@ -283,7 +294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors
class key
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.1.0/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.1.0/policy/global_tunables 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/global_tunables 2007-11-07 15:32:58.000000000 -0500
@@ -6,38 +6,35 @@
##
@@ -328,7 +339,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref
##
##
gen_tunable(allow_polyinstantiation,false)
-@@ -132,3 +129,12 @@
+@@ -64,23 +61,14 @@
+
+ ##
+ ##
+@@ -44,14 +46,21 @@
##
##
+-## Allow http daemon to tcp connect
+## Allow http daemon to send mail
+##
+##
@@ -3586,23 +3731,54 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+
+##
+##
- ## Allow http daemon to tcp connect
++## Allow HTTPD scripts and modules to connect to the network
+ ##
+ ##
+ gen_tunable(httpd_can_network_connect,false)
+
+ ##
+ ##
+-## Allow httpd to connect to mysql/posgresql
++## Allow HTTPD scripts and modules to network connect to databases, mysql/posgresql
+ ##
+ ##
+ gen_tunable(httpd_can_network_connect_db, false)
+@@ -87,25 +96,46 @@
+
+ ##
+ ##
+-## Run SSI execs in system CGI script domain.
++## Allow HTTPD to run SSI executables in the same domain as system CGI scripts
+ ##
+ ##
+ gen_tunable(httpd_ssi_exec,false)
+
+ ##
+ ##
+-## Allow http daemon to communicate with the TTY
++## Unify HTTPD to communicate with the terminal. Needed for handling certificates
##
##
-@@ -106,6 +122,27 @@
+ gen_tunable(httpd_tty_comm,false)
+
+ ##
+ ##
+-## Run CGI in the main httpd domain
++## Unify HTTPD handling of all content files
+ ##
##
gen_tunable(httpd_unified,false)
+##
+##
-+## Allow httpd to read nfs files
++## Allow httpd to access nfs file systems
+##
+##
+gen_tunable(httpd_use_nfs,false)
+
+##
+##
-+## Allow httpd to read cifs files
++## Allow httpd to access cifs file systems
+##
+##
+gen_tunable(httpd_use_cifs,false)
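Review bot: The rewritten `httpd_tty_comm` description, `++## Unify HTTPD to communicate with the terminal. Needed for handling certificates`, looks like a copy of the `httpd_unified` wording further down; the boolean allows terminal access rather than unifying anything, so it should read `## Allow HTTPD to communicate with the terminal. Needed for handling certificates`. The new `httpd_can_network_connect_db` text also carries over the `posgresql` misspelling (`mysql/postgresql`). These summaries are what an administrator sees when listing booleans to decide whether to enable one, so the wording matters; the inner hunks this outer hunk edits continue beyond it.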
@@ -3617,7 +3793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
attribute httpdcontent;
attribute httpd_user_content_type;
-@@ -144,6 +181,9 @@
+@@ -144,6 +174,9 @@
type httpd_log_t;
logging_log_file(httpd_log_t)
@@ -3627,7 +3803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
# httpd_modules_t is the type given to module files (libraries)
# that come with Apache /etc/httpd/modules and /usr/lib/apache
type httpd_modules_t;
-@@ -204,7 +244,7 @@
+@@ -204,7 +237,7 @@
# Apache server local policy
#
@@ -3636,7 +3812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
dontaudit httpd_t self:capability { net_admin sys_tty_config };
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
-@@ -246,6 +286,7 @@
+@@ -246,6 +279,7 @@
allow httpd_t httpd_modules_t:dir list_dir_perms;
mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
@@ -3644,7 +3820,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
apache_domtrans_rotatelogs(httpd_t)
# Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -286,6 +327,7 @@
+@@ -286,6 +320,7 @@
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -3652,7 +3828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
-@@ -332,6 +374,10 @@
+@@ -332,6 +367,10 @@
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -3663,7 +3839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
libs_use_ld_so(httpd_t)
libs_use_shared_libs(httpd_t)
-@@ -346,12 +392,8 @@
+@@ -346,12 +385,8 @@
seutil_dontaudit_search_config(httpd_t)
@@ -3676,8 +3852,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`allow_httpd_anon_write',`
miscfiles_manage_public_files(httpd_t)
')
-@@ -362,6 +404,7 @@
+@@ -360,8 +395,16 @@
+ #
+ # We need optionals to be able to be within booleans to make this work
#
++##
++##
++## Allow Apache to use mod_auth_pam
++##
++##
++gen_tunable(allow_httpd_mod_auth_pam,false)
++
tunable_policy(`allow_httpd_mod_auth_pam',`
auth_domtrans_chk_passwd(httpd_t)
+ auth_domtrans_upd_passwd(httpd_t)
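Review bot: The new description for `allow_httpd_mod_auth_pam`, `++## Allow Apache to use mod_auth_pam`, does not mention that the `tunable_policy` block it gates carries `auth_domtrans_upd_passwd(httpd_t)` alongside `auth_domtrans_chk_passwd(httpd_t)`, so enabling it lets the web server transition to the password update helper as well as the checker. Someone reading the boolean text alone will not expect a password-changing path to be opened. I would say so in the summary, e.g. `## Allow Apache to use mod_auth_pam (also permits transition to the password update helper)`; the `tunable_policy` block continues outside this hunk.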
@@ -4111,7 +4296,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.1.0/policy/modules/services/bind.te
--- nsaserefpolicy/policy/modules/services/bind.te 2007-10-29 07:52:49.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/bind.te 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/bind.te 2007-11-07 15:41:34.000000000 -0500
+@@ -9,7 +9,7 @@
+ ##
+ ##
+ ## Allow BIND to write the master zone files.
+-## Generally this is used for dynamic DNS.
++## Generally this is used for dynamic DNS, or zone transfers
+ ##
+ ##
+ gen_tunable(named_write_master_zones,false)
@@ -156,6 +156,12 @@
')
@@ -4186,6 +4380,38 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
+optional_policy(`
+ mailscanner_manage_spool(clamscan_t)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/comsat.te serefpolicy-3.1.0/policy/modules/services/comsat.te
+--- nsaserefpolicy/policy/modules/services/comsat.te 2007-07-16 14:09:46.000000000 -0400
++++ serefpolicy-3.1.0/policy/modules/services/comsat.te 2007-11-08 13:31:46.000000000 -0500
+@@ -57,6 +57,8 @@
+ files_search_spool(comsat_t)
+ files_search_home(comsat_t)
+
++auth_use_nsswitch(comsat_t)
++
+ init_read_utmp(comsat_t)
+ init_dontaudit_write_utmp(comsat_t)
+
+@@ -67,8 +69,6 @@
+
+ miscfiles_read_localization(comsat_t)
+
+-sysnet_read_config(comsat_t)
+-
+ userdom_dontaudit_getattr_sysadm_ttys(comsat_t)
+
+ mta_getattr_spool(comsat_t)
+@@ -77,10 +77,3 @@
+ kerberos_use(comsat_t)
+ ')
+
+-optional_policy(`
+- nis_use_ypbind(comsat_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(comsat_t)
+-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.1.0/policy/modules/services/consolekit.if
--- nsaserefpolicy/policy/modules/services/consolekit.if 2007-03-20 09:23:13.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/services/consolekit.if 2007-11-06 09:28:35.000000000 -0500
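Review bot: `auth_use_nsswitch(comsat_t)` replaces three narrowly scoped calls, `sysnet_read_config`, `nis_use_ypbind` and `nscd_socket_use`, with one umbrella interface, and the same substitution appears later in this diff for cupsd, cyrus, dbskkd, slapd and postgresql. For cyrus, slapd and postgresql those hunks also drop `allow ... self:netlink_route_socket r_netlink_socket_perms;`, `ldap_stream_connect` and `sysnet_use_ldap`, so behaviour is preserved only if `auth_use_nsswitch` grants all of those; that should be checked against the interface definition rather than assumed, since a missing route-socket permission shows up only as failed lookups at runtime. The umbrella interface presumably grants more than the calls it replaces (LDAP reach, for instance), which is a widening worth a word in the changelog. cvs, by contrast, gets `sysnet_dns_name_resolve(cvs_t)` instead of the umbrella, which is inconsistent with the rest of the commit; a short comment at each substitution, e.g. `# nsswitch lookups: covers nis, nscd and ldap`, would make the intended scope explicit.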
@@ -4738,7 +4964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.1.0/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2007-10-29 07:52:49.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/cups.te 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/cups.te 2007-11-08 13:32:52.000000000 -0500
@@ -48,9 +48,7 @@
type hplip_t;
type hplip_exec_t;
@@ -4817,7 +5043,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
mls_file_downgrade(cupsd_t)
mls_file_write_all_levels(cupsd_t)
mls_file_read_all_levels(cupsd_t)
-@@ -187,7 +189,7 @@
+@@ -173,6 +175,8 @@
+ term_use_unallocated_ttys(cupsd_t)
+ term_search_ptys(cupsd_t)
+
++auth_use_nsswitch(cupsd_t)
++
+ auth_domtrans_chk_passwd(cupsd_t)
+ auth_dontaudit_read_pam_pid(cupsd_t)
+
+@@ -187,7 +191,7 @@
# read python modules
files_read_usr_files(cupsd_t)
# for /var/lib/defoma
@@ -4826,7 +5061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
files_list_world_readable(cupsd_t)
files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
-@@ -196,12 +198,9 @@
+@@ -196,12 +200,9 @@
files_read_var_symlinks(cupsd_t)
# for /etc/printcap
files_dontaudit_write_etc_files(cupsd_t)
@@ -4840,7 +5075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
init_exec_script_files(cupsd_t)
-@@ -221,17 +220,37 @@
+@@ -221,17 +222,37 @@
sysnet_read_config(cupsd_t)
@@ -4878,7 +5113,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
apm_domtrans_client(cupsd_t)
')
-@@ -262,16 +281,16 @@
+@@ -262,16 +283,16 @@
')
optional_policy(`
@@ -4899,7 +5134,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
seutil_sigchld_newrole(cupsd_t)
')
-@@ -291,7 +310,9 @@
+@@ -291,7 +312,9 @@
allow cupsd_config_t self:unix_stream_socket create_socket_perms;
allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
allow cupsd_config_t self:tcp_socket create_stream_socket_perms;
@@ -4910,7 +5145,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t,cupsd_t)
-@@ -330,6 +351,7 @@
+@@ -330,6 +353,7 @@
dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
dev_read_rand(cupsd_config_t)
@@ -4918,7 +5153,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
fs_getattr_all_fs(cupsd_config_t)
fs_search_auto_mountpoints(cupsd_config_t)
-@@ -354,6 +376,8 @@
+@@ -354,6 +378,8 @@
logging_send_syslog_msg(cupsd_config_t)
@@ -4927,7 +5162,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
miscfiles_read_localization(cupsd_config_t)
seutil_dontaudit_search_config(cupsd_config_t)
-@@ -376,6 +400,14 @@
+@@ -376,6 +402,14 @@
')
optional_policy(`
@@ -4942,7 +5177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
')
-@@ -391,6 +423,7 @@
+@@ -391,6 +425,7 @@
optional_policy(`
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
@@ -4950,7 +5185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
')
optional_policy(`
-@@ -402,14 +435,6 @@
+@@ -402,14 +437,6 @@
')
optional_policy(`
@@ -4965,7 +5200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
rpm_read_db(cupsd_config_t)
')
-@@ -430,7 +455,6 @@
+@@ -430,7 +457,6 @@
allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms;
allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms;
allow cupsd_lpd_t self:udp_socket create_socket_perms;
@@ -4973,7 +5208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
# for identd
# cjp: this should probably only be inetd_child rules?
-@@ -480,6 +504,8 @@
+@@ -480,6 +506,8 @@
files_read_etc_files(cupsd_lpd_t)
@@ -4982,7 +5217,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
libs_use_ld_so(cupsd_lpd_t)
libs_use_shared_libs(cupsd_lpd_t)
-@@ -495,14 +521,6 @@
+@@ -495,14 +523,6 @@
inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t)
')
@@ -4997,7 +5232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
########################################
#
# HPLIP local policy
-@@ -523,11 +541,9 @@
+@@ -523,11 +543,9 @@
allow hplip_t cupsd_etc_t:dir search;
cups_stream_connect(hplip_t)
@@ -5012,7 +5247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
files_pid_filetrans(hplip_t,hplip_var_run_t,file)
-@@ -558,7 +574,9 @@
+@@ -558,7 +576,9 @@
dev_read_urand(hplip_t)
dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
@@ -5023,7 +5258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
fs_getattr_all_fs(hplip_t)
fs_search_auto_mountpoints(hplip_t)
-@@ -585,8 +603,6 @@
+@@ -585,8 +605,6 @@
userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
userdom_dontaudit_search_all_users_home_content(hplip_t)
@@ -5032,7 +5267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
optional_policy(`
seutil_sigchld_newrole(hplip_t)
')
-@@ -666,3 +682,15 @@
+@@ -666,3 +684,15 @@
optional_policy(`
udev_read_db(ptal_t)
')
@@ -5050,7 +5285,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.1.0/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2007-07-10 13:21:26.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/cvs.te 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/cvs.te 2007-11-08 11:58:06.000000000 -0500
@@ -16,6 +16,7 @@
type cvs_t;
type cvs_exec_t;
@@ -5059,15 +5294,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
role system_r types cvs_t;
type cvs_data_t; # customizable
-@@ -68,6 +69,7 @@
+@@ -67,7 +68,9 @@
+
fs_getattr_xattr_fs(cvs_t)
++sysnet_dns_name_resolve(cvs_t)
auth_domtrans_chk_passwd(cvs_t)
+auth_domtrans_upd_passwd_chk(cvs_t)
corecmd_exec_bin(cvs_t)
corecmd_exec_shell(cvs_t)
-@@ -81,6 +83,7 @@
+@@ -81,6 +84,7 @@
libs_use_shared_libs(cvs_t)
logging_send_syslog_msg(cvs_t)
@@ -5075,6 +5312,66 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
miscfiles_read_localization(cvs_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.1.0/policy/modules/services/cyrus.te
+--- nsaserefpolicy/policy/modules/services/cyrus.te 2007-10-12 08:56:07.000000000 -0400
++++ serefpolicy-3.1.0/policy/modules/services/cyrus.te 2007-11-08 13:33:43.000000000 -0500
+@@ -41,7 +41,6 @@
+ allow cyrus_t self:unix_stream_socket connectto;
+ allow cyrus_t self:tcp_socket create_stream_socket_perms;
+ allow cyrus_t self:udp_socket create_socket_perms;
+-allow cyrus_t self:netlink_route_socket r_netlink_socket_perms;
+
+ manage_dirs_pattern(cyrus_t,cyrus_tmp_t,cyrus_tmp_t)
+ manage_files_pattern(cyrus_t,cyrus_tmp_t,cyrus_tmp_t)
+@@ -95,6 +94,8 @@
+ files_read_etc_runtime_files(cyrus_t)
+ files_read_usr_files(cyrus_t)
+
++auth_use_nsswitch(cyrus_t)
++
+ libs_use_ld_so(cyrus_t)
+ libs_use_shared_libs(cyrus_t)
+ libs_exec_lib_files(cyrus_t)
+@@ -122,14 +123,6 @@
+ ')
+
+ optional_policy(`
+- ldap_stream_connect(cyrus_t)
+-')
+-
+-optional_policy(`
+- nis_use_ypbind(cyrus_t)
+-')
+-
+-optional_policy(`
+ sasl_connect(cyrus_t)
+ ')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbskk.te serefpolicy-3.1.0/policy/modules/services/dbskk.te
+--- nsaserefpolicy/policy/modules/services/dbskk.te 2007-07-16 14:09:46.000000000 -0400
++++ serefpolicy-3.1.0/policy/modules/services/dbskk.te 2007-11-08 12:00:39.000000000 -0500
+@@ -63,6 +63,8 @@
+
+ files_read_etc_files(dbskkd_t)
+
++auth_use_nsswitch(dbskkd_t)
++
+ libs_use_ld_so(dbskkd_t)
+ libs_use_shared_libs(dbskkd_t)
+
+@@ -70,12 +72,3 @@
+
+ miscfiles_read_localization(dbskkd_t)
+
+-sysnet_read_config(dbskkd_t)
+-
+-optional_policy(`
+- nis_use_ypbind(dbskkd_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(dbskkd_t)
+-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.1.0/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-10-29 07:52:49.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/services/dbus.if 2007-11-06 09:28:35.000000000 -0500
@@ -5683,12 +5980,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.1.0/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/ftp.te 2007-11-06 09:28:35.000000000 -0500
-@@ -9,7 +9,7 @@
++++ serefpolicy-3.1.0/policy/modules/services/ftp.te 2007-11-07 15:45:09.000000000 -0500
+@@ -8,8 +8,8 @@
+
##
##
- ## Allow ftp servers to modify public files
+-## Allow ftp servers to modify public files
-## used for public file transfer services.
++## Allow ftp servers to upload files,
+## used for public file transfer services. Directories must be labeled public_content_rw_t
##
##
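Review bot: The new summary `++## Allow ftp servers to upload files,` is easy to misread: it is clients that upload, and what the boolean grants is the server writing into directories labeled `public_content_rw_t`, as the following line says. `## Allow ftp servers to accept uploads into directories labeled public_content_rw_t` would carry both facts on one line; the `gen_tunable` declaration this describes sits outside the hunk.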
@@ -5764,7 +6063,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.1.0/policy/modules/services/hal.fc
--- nsaserefpolicy/policy/modules/services/hal.fc 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/hal.fc 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/hal.fc 2007-11-10 08:16:03.000000000 -0500
@@ -8,14 +8,18 @@
/usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0)
/usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
@@ -5857,7 +6156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.1.0/policy/modules/services/inetd.te
--- nsaserefpolicy/policy/modules/services/inetd.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/inetd.te 2007-11-07 10:34:39.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/inetd.te 2007-11-08 13:24:56.000000000 -0500
@@ -84,6 +84,7 @@
corenet_udp_bind_ftp_port(inetd_t)
corenet_tcp_bind_inetd_child_port(inetd_t)
@@ -6074,6 +6373,46 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
')
optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.1.0/policy/modules/services/ldap.te
+--- nsaserefpolicy/policy/modules/services/ldap.te 2007-10-12 08:56:07.000000000 -0400
++++ serefpolicy-3.1.0/policy/modules/services/ldap.te 2007-11-08 13:18:08.000000000 -0500
+@@ -42,7 +42,6 @@
+ dontaudit slapd_t self:capability sys_tty_config;
+ allow slapd_t self:process setsched;
+ allow slapd_t self:fifo_file { read write };
+-allow slapd_t self:netlink_route_socket r_netlink_socket_perms;
+ allow slapd_t self:udp_socket create_socket_perms;
+ #slapd needs to listen and accept needed by ldapsearch (slapd needs to accept from ldapseach)
+ allow slapd_t self:tcp_socket create_stream_socket_perms;
+@@ -104,6 +103,8 @@
+ files_read_usr_files(slapd_t)
+ files_list_var_lib(slapd_t)
+
++auth_use_nsswitch(slapd_t)
++
+ libs_use_ld_so(slapd_t)
+ libs_use_shared_libs(slapd_t)
+
+@@ -112,8 +113,6 @@
+ miscfiles_read_certs(slapd_t)
+ miscfiles_read_localization(slapd_t)
+
+-sysnet_read_config(slapd_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(slapd_t)
+ userdom_dontaudit_search_sysadm_home_dirs(slapd_t)
+
+@@ -122,10 +121,6 @@
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(slapd_t)
+-')
+-
+-optional_policy(`
+ seutil_sigchld_newrole(slapd_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.fc serefpolicy-3.1.0/policy/modules/services/lpd.fc
--- nsaserefpolicy/policy/modules/services/lpd.fc 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/services/lpd.fc 2007-11-06 09:28:35.000000000 -0500
@@ -6387,7 +6726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.1.0/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/mta.te 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/mta.te 2007-11-08 08:57:27.000000000 -0500
@@ -6,6 +6,8 @@
# Declarations
#
@@ -7151,7 +7490,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.1.0/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2007-10-29 07:52:49.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/openvpn.te 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/openvpn.te 2007-11-07 15:47:03.000000000 -0500
+@@ -8,7 +8,7 @@
+
+ ##
+ ##
+-## Allow openvpn to read home directories
++## Allow openvpn service access to users home directories
+ ##
+ ##
+ gen_tunable(openvpn_enable_homedirs,false)
@@ -110,3 +110,12 @@
networkmanager_dbus_chat(openvpn_t)
@@ -7275,8 +7623,80 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
')
########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.fc serefpolicy-3.1.0/policy/modules/services/postfixpolicyd.fc
+--- nsaserefpolicy/policy/modules/services/postfixpolicyd.fc 2007-11-08 09:29:27.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/postfixpolicyd.fc 1969-12-31 19:00:00.000000000 -0500
+@@ -1,5 +0,0 @@
+-/etc/policyd.conf -- gen_context(system_u:object_r:postfix_policyd_conf_t, s0)
+-
+-/usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t, s0)
+-
+-/var/run/policyd\.pid -- gen_context(system_u:object_r:postfix_policyd_var_run_t, s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.if serefpolicy-3.1.0/policy/modules/services/postfixpolicyd.if
+--- nsaserefpolicy/policy/modules/services/postfixpolicyd.if 2007-11-08 09:29:27.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/postfixpolicyd.if 1969-12-31 19:00:00.000000000 -0500
+@@ -1 +0,0 @@
+-## Postfix policy server
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.te serefpolicy-3.1.0/policy/modules/services/postfixpolicyd.te
+--- nsaserefpolicy/policy/modules/services/postfixpolicyd.te 2007-11-08 09:29:27.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/postfixpolicyd.te 1969-12-31 19:00:00.000000000 -0500
+@@ -1,54 +0,0 @@
+-
+-policy_module(postfixpolicyd, 1.0.0)
+-
+-########################################
+-#
+-# Declarations
+-#
+-
+-type postfix_policyd_t;
+-type postfix_policyd_exec_t;
+-init_daemon_domain(postfix_policyd_t, postfix_policyd_exec_t)
+-
+-type postfix_policyd_conf_t;
+-files_config_file(postfix_policyd_conf_t)
+-
+-type postfix_policyd_var_run_t;
+-files_pid_file(postfix_policyd_var_run_t)
+-
+-########################################
+-#
+-# Local Policy
+-#
+-
+-allow postfix_policyd_t self:tcp_socket create_stream_socket_perms;
+-allow postfix_policyd_t self:capability { sys_resource sys_chroot setgid setuid };
+-allow postfix_policyd_t self:process setrlimit;
+-allow postfix_policyd_t self:unix_dgram_socket { connect create write};
+-
+-allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms;
+-allow postfix_policyd_t postfix_policyd_conf_t:file read_file_perms;
+-allow postfix_policyd_t postfix_policyd_conf_t:lnk_file { getattr read };
+-
+-manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
+-files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
+-
+-corenet_all_recvfrom_unlabeled(postfix_policyd_t)
+-corenet_tcp_sendrecv_generic_if(postfix_policyd_t)
+-corenet_tcp_sendrecv_all_nodes(postfix_policyd_t)
+-corenet_tcp_sendrecv_all_ports(postfix_policyd_t)
+-corenet_tcp_bind_all_nodes(postfix_policyd_t)
+-corenet_tcp_bind_postfix_policyd_port(postfix_policyd_t)
+-corenet_tcp_bind_mysqld_port(postfix_policyd_t)
+-
+-files_read_etc_files(postfix_policyd_t)
+-files_read_usr_files(postfix_policyd_t)
+-
+-libs_use_ld_so(postfix_policyd_t)
+-libs_use_shared_libs(postfix_policyd_t)
+-
+-logging_send_syslog_msg(postfix_policyd_t)
+-
+-miscfiles_read_localization(postfix_policyd_t)
+-
+-sysnet_dns_name_resolve(postfix_policyd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.1.0/policy/modules/services/postfix.te
---- nsaserefpolicy/policy/modules/services/postfix.te 2007-10-12 08:56:07.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/postfix.te 2007-11-08 09:29:27.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/services/postfix.te 2007-11-06 09:28:35.000000000 -0500
@@ -6,6 +6,14 @@
# Declarations
@@ -7404,7 +7824,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
#
# Postfix smtp delivery local policy
-@@ -569,6 +581,10 @@
+@@ -547,9 +559,6 @@
+ # connect to master process
+ stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
+
+-# Connect to policy server
+-corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
+-
+ # for prng_exch
+ allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
+ allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
+@@ -572,6 +581,10 @@
sasl_connect(postfix_smtpd_t)
')
@@ -7507,7 +7937,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.1.0/policy/modules/services/postgresql.te
--- nsaserefpolicy/policy/modules/services/postgresql.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/postgresql.te 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/postgresql.te 2007-11-08 13:36:00.000000000 -0500
@@ -27,6 +27,9 @@
type postgresql_var_run_t;
files_pid_file(postgresql_var_run_t)
@@ -7518,6 +7948,44 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
#
# postgresql Local policy
+@@ -42,7 +45,6 @@
+ allow postgresql_t self:udp_socket create_stream_socket_perms;
+ allow postgresql_t self:unix_dgram_socket create_socket_perms;
+ allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
+-allow postgresql_t self:netlink_route_socket r_netlink_socket_perms;
+
+ manage_dirs_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
+ manage_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
+@@ -118,6 +120,8 @@
+
+ init_read_utmp(postgresql_t)
+
++auth_use_nsswitch(postgresql_t)
++
+ libs_use_ld_so(postgresql_t)
+ libs_use_shared_libs(postgresql_t)
+
+@@ -127,9 +131,6 @@
+
+ seutil_dontaudit_search_config(postgresql_t)
+
+-sysnet_read_config(postgresql_t)
+-sysnet_use_ldap(postgresql_t)
+-
+ userdom_dontaudit_search_sysadm_home_dirs(postgresql_t)
+ userdom_dontaudit_use_sysadm_ttys(postgresql_t)
+ userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
+@@ -158,10 +159,6 @@
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(postgresql_t)
+-')
+-
+-optional_policy(`
+ seutil_sigchld_newrole(postgresql_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.1.0/policy/modules/services/ppp.fc
--- nsaserefpolicy/policy/modules/services/ppp.fc 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/services/ppp.fc 2007-11-06 09:28:35.000000000 -0500
@@ -7914,7 +8382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.1.0/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/rpc.te 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/rpc.te 2007-11-08 12:02:07.000000000 -0500
@@ -8,7 +8,7 @@
##
@@ -7987,18 +8455,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
')
tunable_policy(`nfs_export_all_ro',`
-@@ -143,6 +159,9 @@
+@@ -143,6 +159,7 @@
manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
-+auth_use_nsswitch(gssd_t)
-+
+kernel_read_system_state(gssd_t)
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_search_network_sysctl(gssd_t)
-@@ -158,6 +177,9 @@
+@@ -156,8 +173,14 @@
+ files_list_tmp(gssd_t)
+ files_read_usr_symlinks(gssd_t)
++auth_read_cache(gssd_t)
++auth_use_nsswitch(gssd_t)
++
miscfiles_read_certs(gssd_t)
+userdom_dontaudit_search_users_home_dirs(rpcd_t)
@@ -8083,12 +8554,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.1.0/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/rsync.te 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/rsync.te 2007-11-08 13:36:17.000000000 -0500
@@ -8,8 +8,15 @@
##
##
-+## Allow rsync export files read only
++## Allow rsync to export any files/directories read only
+##
+##
+gen_tunable(rsync_export_all_ro,false)
@@ -8101,15 +8572,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
##
##
gen_tunable(allow_rsync_anon_write,false)
-@@ -58,6 +65,8 @@
- manage_files_pattern(rsync_t,rsync_var_run_t,rsync_var_run_t)
- files_pid_filetrans(rsync_t,rsync_var_run_t,file)
+@@ -81,6 +88,8 @@
+ files_read_etc_files(rsync_t)
+ files_search_home(rsync_t)
+auth_use_nsswitch(rsync_t)
+
- kernel_read_kernel_sysctls(rsync_t)
- kernel_read_system_state(rsync_t)
- kernel_read_network_state(rsync_t)
+ libs_use_ld_so(rsync_t)
+ libs_use_shared_libs(rsync_t)
+
@@ -90,8 +99,6 @@
miscfiles_read_localization(rsync_t)
miscfiles_read_public_files(rsync_t)
@@ -8296,8 +8767,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.1.0/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/samba.te 2007-11-06 09:28:35.000000000 -0500
-@@ -9,7 +9,7 @@
++++ serefpolicy-3.1.0/policy/modules/services/samba.te 2007-11-07 16:11:34.000000000 -0500
+@@ -9,14 +9,14 @@
##