diff --git a/Changelog b/Changelog
index 89f9ae3..0d17563 100644
--- a/Changelog
+++ b/Changelog
@@ -67,6 +67,7 @@
Wed, 23 Aug 2006
Thu, 31 Aug 2006
Fri, 01 Sep 2006
+ Tue, 05 Sep 2006
- Added modules:
afs
amavis (Erich Schubert)
diff --git a/Makefile b/Makefile
index 9397d2b..2e2699e 100644
--- a/Makefile
+++ b/Makefile
@@ -47,19 +47,21 @@ endif
BINDIR ?= /usr/bin
SBINDIR ?= /usr/sbin
ifdef TEST_TOOLCHAIN
-tc_bindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(BINDIR)
-tc_sbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(SBINDIR)
+tc_usrbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(BINDIR)
+tc_usrsbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(SBINDIR)
+tc_sbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)/sbin
else
-tc_bindir := $(BINDIR)
-tc_sbindir := $(SBINDIR)
+tc_usrbindir := $(BINDIR)
+tc_usrsbindir := $(SBINDIR)
+tc_sbindir := /sbin
endif
-CHECKPOLICY ?= $(tc_bindir)/checkpolicy
-CHECKMODULE ?= $(tc_bindir)/checkmodule
-SEMODULE ?= $(tc_sbindir)/semodule
-SEMOD_PKG ?= $(tc_bindir)/semodule_package
-SEMOD_LNK ?= $(tc_bindir)/semodule_link
-SEMOD_EXP ?= $(tc_bindir)/semodule_expand
-LOADPOLICY ?= $(tc_sbindir)/load_policy
+CHECKPOLICY ?= $(tc_usrbindir)/checkpolicy
+CHECKMODULE ?= $(tc_usrbindir)/checkmodule
+SEMODULE ?= $(tc_usrsbindir)/semodule
+SEMOD_PKG ?= $(tc_usrbindir)/semodule_package
+SEMOD_LNK ?= $(tc_usrbindir)/semodule_link
+SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand
+LOADPOLICY ?= $(tc_usrsbindir)/load_policy
SETFILES ?= $(tc_sbindir)/setfiles
XMLLINT ?= $(BINDIR)/xmllint
SECHECK ?= $(BINDIR)/sechecker
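Review bot: The new `tc_sbindir` hard-codes `/sbin` in both branches (`$(TEST_TOOLCHAIN)/sbin` and `tc_sbindir := /sbin`) while every other tool directory in this block derives from an overridable `?=` variable, so a build whose setfiles lives elsewhere cannot redirect it without editing the Makefile. A variable in the style of the existing ones, e.g. `ROOTSBINDIR ?= /sbin` beside `SBINDIR ?= /usr/sbin`, then `tc_sbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(ROOTSBINDIR)` and `tc_sbindir := $(ROOTSBINDIR)`, keeps the behaviour and the convention. Since `tc_sbindir` keeps its old name but now means /sbin rather than $(SBINDIR), a one-line comment above `ifdef TEST_TOOLCHAIN` saying which tools are expected in /sbin versus /usr/sbin would spare the next reader the diff archaeology.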
diff --git a/policy/modules/admin/firstboot.if b/policy/modules/admin/firstboot.if
index ceb0580..4214456 100644
--- a/policy/modules/admin/firstboot.if
+++ b/policy/modules/admin/firstboot.if
@@ -111,20 +111,3 @@ interface(`firstboot_write_pipes',`
allow $1 firstboot_t:fifo_file write;
')
-########################################
-##
-## Read firstboot writable config files.
-##
-##
-##
-## The type of the process performing this action.
-##
-##
-#
-interface(`firstboot_read_rw_files',`
- gen_require(`
- type firstboot_rw_t;
- ')
-
- allow $1 firstboot_rw_t:file r_file_perms;
-')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 9a162b0..b00f0ee 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -125,6 +125,7 @@ ifdef(`distro_gentoo',`
/usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
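Review bot: The new entry `/usr/lib/vte/gnome-pty-helper` matches only the 32-bit library directory, whereas the neighbouring entries in this hunk are written `/usr/lib(64)?/...`; if the helper is installed under /usr/lib64 on 64-bit builds it will keep the default library label, and rhgb_t (which this commit gives `corecmd_exec_shell` on top of its existing `corecmd_exec_bin`) would be denied executing it there. Unless the lib-only path is deliberate, `/usr/lib(64)?/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)` placed among the other `lib(64)?` entries covers both layouts and keeps the file's ordering.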
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index 13945b9..513514e 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,5 +1,5 @@
-policy_module(corecommands,1.3.14)
+policy_module(corecommands,1.3.15)
########################################
#
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 526a375..169e582 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
-policy_module(corenetwork,1.1.14)
+policy_module(corenetwork,1.1.15)
########################################
#
@@ -126,7 +126,6 @@ network_port(rndc, tcp,953,s0)
network_port(router, udp,520,s0)
network_port(rsh, tcp,514,s0)
network_port(rsync, tcp,873,s0, udp,873,s0)
-network_port(setroubleshoot, tcp,3267,s0)
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 512192a..9f2ed2c 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -2045,6 +2045,25 @@ interface(`fs_dontaudit_search_ramfs',`
########################################
##
+## Create, read, write, and delete
+## directories on a ramfs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_manage_ramfs_dirs',`
+ gen_require(`
+ type ramfs_t;
+ ')
+
+ allow $1 ramfs_t:dir manage_dir_perms;
+')
+
+########################################
+##
## Dontaudit read on a ramfs files.
##
##
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index fab7a62..b9fa21b 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,5 +1,5 @@
-policy_module(filesystem,1.3.13)
+policy_module(filesystem,1.3.14)
########################################
#
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index ddc3042..ce3bc65 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -412,7 +412,7 @@ interface(`term_dontaudit_manage_pty_dirs',`
########################################
##
-## ioctl of generic pty types.
+## ioctl of generic pty devices.
##
##
##
@@ -433,6 +433,26 @@ interface(`term_ioctl_generic_ptys',`
########################################
##
+## Dontaudit setting the attributes of
+## generic pty devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+# dwalsh: added for rhgb
+interface(`term_dontaudit_setattr_generic_ptys',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ dontaudit $1 devpts_t:chr_file setattr;
+')
+
+########################################
+##
## Read and write the generic pty
## type. This is generally only used in
## the targeted policy.
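Review bot: The parameter description of the new `term_dontaudit_setattr_generic_ptys` reads `Domain allowed access.`, but the interface emits only `dontaudit $1 devpts_t:chr_file setattr;` and grants nothing, so the caller's denials are being silenced rather than permitted; `## Domain to not audit.` describes the parameter accurately. The `# dwalsh: added for rhgb` line records an author rather than a reason; a comment naming what rhgb does that triggers the setattr denial (its only use in this commit is in the non-strict branch of rhgb.te) would age better than an attribution. The rule itself matches the summary, so this is documentation only.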
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index 885f01c..fb4e1c2 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -1,5 +1,5 @@
-policy_module(terminal,1.1.7)
+policy_module(terminal,1.1.8)
########################################
#
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index 14dc4bd..d2794d4 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -1,5 +1,5 @@
-policy_module(dovecot,1.2.6)
+policy_module(dovecot,1.2.7)
########################################
#
@@ -46,7 +46,6 @@ allow dovecot_t self:fifo_file rw_file_perms;
allow dovecot_t self:tcp_socket create_stream_socket_perms;
allow dovecot_t self:unix_dgram_socket create_socket_perms;
allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow dovecot_t self:netlink_route_socket r_netlink_socket_perms;
domain_auto_trans(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
allow dovecot_t dovecot_auth_t:fd use;
diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te
index 7170171..958f90c 100644
--- a/policy/modules/services/rhgb.te
+++ b/policy/modules/services/rhgb.te
@@ -1,5 +1,5 @@
-policy_module(rhgb,1.0.1)
+policy_module(rhgb,1.0.2)
########################################
#
@@ -10,18 +10,20 @@ type rhgb_t;
type rhgb_exec_t;
init_daemon_domain(rhgb_t,rhgb_exec_t)
-type rhgb_devpts_t;
-term_pty(rhgb_devpts_t)
-
type rhgb_tmpfs_t;
files_tmpfs_file(rhgb_tmpfs_t)
+ifdef(`strict_policy',`
+ type rhgb_devpts_t;
+ term_pty(rhgb_devpts_t)
+')
+
########################################
#
# Local policy
#
-allow rhgb_t self:capability { sys_admin sys_tty_config };
+allow rhgb_t self:capability { fsetid setgid setuid sys_admin sys_tty_config };
dontaudit rhgb_t self:capability sys_tty_config;
allow rhgb_t self:process signal_perms;
allow rhgb_t self:shm create_shm_perms;
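Review bot: The capability set grows from `{ sys_admin sys_tty_config }` to `{ fsetid setgid setuid sys_admin sys_tty_config }` with no comment saying which rhgb operation needs to change uid/gid or preserve setuid bits, and the Changelog hunk in this commit records only a date; for a boot-splash daemon these are the permissions a reviewer most wants a rationale for, so a one-line `# <reason these capabilities are needed — placeholder>` above the allow should be filled in before merging. The context line directly below, `dontaudit rhgb_t self:capability sys_tty_config;`, is redundant with the allow of the same permission (a dontaudit has no effect on a granted permission) and could be dropped while this line is being touched. Moving `rhgb_devpts_t` under `ifdef(`strict_policy'` is consistent with the later hunk in this file that moves the rules using it under the same conditional.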
@@ -29,9 +31,7 @@ allow rhgb_t self:unix_stream_socket create_stream_socket_perms;
allow rhgb_t self:fifo_file rw_file_perms;
allow rhgb_t self:tcp_socket create_socket_perms;
allow rhgb_t self:udp_socket create_socket_perms;
-
-allow rhgb_t rhgb_devpts_t:chr_file { rw_file_perms setattr };
-term_create_pty(rhgb_t,rhgb_devpts_t)
+allow rhgb_t self:netlink_route_socket r_netlink_socket_perms;
allow rhgb_t rhgb_tmpfs_t:dir manage_dir_perms;
allow rhgb_t rhgb_tmpfs_t:file manage_file_perms;
@@ -45,6 +45,7 @@ kernel_read_system_state(rhgb_t)
corecmd_exec_bin(rhgb_t)
corecmd_exec_sbin(rhgb_t)
+corecmd_exec_shell(rhgb_t)
corenet_non_ipsec_sendrecv(rhgb_t)
corenet_tcp_sendrecv_generic_if(rhgb_t)
@@ -61,6 +62,7 @@ dev_read_sysfs(rhgb_t)
domain_use_interactive_fds(rhgb_t)
files_read_etc_files(rhgb_t)
+files_read_var_files(rhgb_t)
files_read_etc_runtime_files(rhgb_t)
files_search_tmp(rhgb_t)
files_read_usr_files(rhgb_t)
@@ -73,13 +75,17 @@ files_dontaudit_search_var(rhgb_t)
fs_search_auto_mountpoints(rhgb_t)
fs_mount_ramfs(rhgb_t)
fs_unmount_ramfs(rhgb_t)
+fs_getattr_tmpfs(rhgb_t)
# for ramfs file systems
+fs_manage_ramfs_dirs(rhgb_t)
fs_manage_ramfs_files(rhgb_t)
fs_manage_ramfs_pipes(rhgb_t)
fs_manage_ramfs_sockets(rhgb_t)
term_dontaudit_use_console(rhgb_t)
term_use_unallocated_ttys(rhgb_t)
+term_use_ptmx(rhgb_t)
+term_getattr_pty_fs(rhgb_t)
init_use_fds(rhgb_t)
init_use_script_ptys(rhgb_t)
@@ -96,22 +102,30 @@ miscfiles_read_localization(rhgb_t)
miscfiles_read_fonts(rhgb_t)
sysnet_read_config(rhgb_t)
+sysnet_domtrans_ifconfig(rhgb_t)
userdom_dontaudit_use_unpriv_user_fds(rhgb_t)
+userdom_dontaudit_search_sysadm_home_dirs(rhgb_t)
xserver_read_xdm_xserver_tmp_files(rhgb_t)
xserver_kill_xdm_xserver(rhgb_t)
# for running setxkbmap
xserver_read_xkb_libs(rhgb_t)
-ifdef(`targeted_policy',`
+ifdef(`strict_policy',`
+ allow rhgb_t rhgb_devpts_t:chr_file { rw_file_perms setattr };
+ term_create_pty(rhgb_t,rhgb_devpts_t)
+', `
+ files_dontaudit_read_root_files(rhgb_t)
+
+ term_dontaudit_use_generic_ptys(rhgb_t)
+ term_dontaudit_setattr_generic_ptys(rhgb_t)
term_dontaudit_use_unallocated_ttys(rhgb_t)
term_dontaudit_use_generic_ptys(rhgb_t)
- files_dontaudit_read_root_files(rhgb_t)
-')
-optional_policy(`
- firstboot_read_rw_files(rhgb_t)
+ xserver_domtrans_xdm_xserver(rhgb_t)
+ xserver_signal_xdm_xserver(rhgb_t)
+ xserver_read_xdm_tmp_files(rhgb_t)
')
optional_policy(`
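Review bot: In the non-strict branch of the new `ifdef(`strict_policy'`, `term_dontaudit_use_generic_ptys(rhgb_t)` is called twice — on the added line after `files_dontaudit_read_root_files(rhgb_t)` and again on the retained context line two lines below it; the added copy can be dropped. The branch also changes its condition from `ifdef(`targeted_policy'` to the else-arm of `strict_policy`, so any build variant that is neither strict nor targeted (if the tree supports one) now receives these xdm domtrans/signal rules and dontaudits; if only targeted is intended, an explicit `ifdef(`targeted_policy'` inside the else-arm would keep that clear. The `ifdef` opened in this hunk closes at the `')` shown, but the `optional_policy(` that follows continues outside the hunk.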
@@ -127,21 +141,7 @@ optional_policy(`
')
ifdef(`TODO',`
- #TODO
- ifdef(`hide_broken_symptoms', `
- # for a bug in the X server
- dontaudit mount_t rhgb_gph_t:fd use;
- ')
- #TODO this seems a bit much
+ #this seems a bit much
allow domain rhgb_devpts_t:chr_file { read write };
- #TODO this (ie files_dontaudit_read_default_files(rhgb_t))doesn't make sense with the following
- allow rhgb_t default_t:file { getattr read };
- #TODO
- # for gnome-pty-helper
- gph_domain(rhgb, system)
allow initrc_t rhgb_gph_t:fd use;
- ifdef(`hide_broken_symptoms', `
- # it should not do this
- dontaudit rhgb_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
- ')
')
diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
index 5286e4f..c3ced2a 100644
--- a/policy/modules/services/setroubleshoot.te
+++ b/policy/modules/services/setroubleshoot.te
@@ -1,5 +1,5 @@
-policy_module(setroubleshoot,1.0.0)
+policy_module(setroubleshoot,1.0.1)
########################################
#
@@ -64,9 +64,7 @@ corenet_tcp_sendrecv_generic_if(setroubleshootd_t)
corenet_tcp_sendrecv_all_nodes(setroubleshootd_t)
corenet_tcp_sendrecv_all_ports(setroubleshootd_t)
corenet_tcp_bind_all_nodes(setroubleshootd_t)
-corenet_tcp_bind_setroubleshoot_port(setroubleshootd_t)
corenet_tcp_connect_smtp_port(setroubleshootd_t)
-corenet_sendrecv_setroubleshoot_server_packets(setroubleshootd_t)
corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
dev_read_urand(setroubleshootd_t)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 289f530..232c005 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,5 +1,5 @@
-policy_module(ssh,1.3.9)
+policy_module(ssh,1.3.10)
########################################
#
@@ -12,8 +12,10 @@ attribute ssh_server;
type ssh_exec_t;
corecmd_executable_file(ssh_exec_t)
+type ssh_keygen_t;
type ssh_keygen_exec_t;
-corecmd_executable_file(ssh_keygen_exec_t)
+init_system_domain(ssh_keygen_t,ssh_keygen_exec_t)
+role system_r types ssh_keygen_t;
type ssh_keysign_exec_t;
corecmd_executable_file(ssh_keysign_exec_t)
@@ -39,10 +41,6 @@ ifdef(`targeted_policy',`
type ssh_agent_exec_t;
files_type(ssh_agent_exec_t)
- type ssh_keygen_t;
- init_system_domain(ssh_keygen_t,ssh_keygen_exec_t)
- role system_r types ssh_keygen_t;
-
ssh_server_template(sshd)
ssh_server_template(sshd_extern)
@@ -193,62 +191,64 @@ ifdef(`strict_policy',`
# ssh_keygen local policy
#
-ifdef(`targeted_policy',`',`
- # ssh_keygen_t is the type of the ssh-keygen program when run at install time
- # and by sysadm_t
+# ssh_keygen_t is the type of the ssh-keygen program when run at install time
+# and by sysadm_t
- dontaudit ssh_keygen_t self:capability sys_tty_config;
- allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
+dontaudit ssh_keygen_t self:capability sys_tty_config;
+allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
- allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
+allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
- allow ssh_keygen_t sshd_key_t:file create_file_perms;
- files_etc_filetrans(ssh_keygen_t,sshd_key_t,file)
+allow ssh_keygen_t sshd_key_t:file create_file_perms;
+files_etc_filetrans(ssh_keygen_t,sshd_key_t,file)
- kernel_read_kernel_sysctls(ssh_keygen_t)
+kernel_read_kernel_sysctls(ssh_keygen_t)
- fs_search_auto_mountpoints(ssh_keygen_t)
+fs_search_auto_mountpoints(ssh_keygen_t)
- dev_read_sysfs(ssh_keygen_t)
- dev_read_urand(ssh_keygen_t)
+dev_read_sysfs(ssh_keygen_t)
+dev_read_urand(ssh_keygen_t)
- term_dontaudit_use_console(ssh_keygen_t)
+term_dontaudit_use_console(ssh_keygen_t)
- domain_use_interactive_fds(ssh_keygen_t)
+domain_use_interactive_fds(ssh_keygen_t)
- files_read_etc_files(ssh_keygen_t)
+files_read_etc_files(ssh_keygen_t)
- init_use_fds(ssh_keygen_t)
- init_use_script_ptys(ssh_keygen_t)
+init_use_fds(ssh_keygen_t)
+init_use_script_ptys(ssh_keygen_t)
- libs_use_ld_so(ssh_keygen_t)
- libs_use_shared_libs(ssh_keygen_t)
+libs_use_ld_so(ssh_keygen_t)
+libs_use_shared_libs(ssh_keygen_t)
- logging_send_syslog_msg(ssh_keygen_t)
+logging_send_syslog_msg(ssh_keygen_t)
- allow ssh_keygen_t proc_t:dir r_dir_perms;
- allow ssh_keygen_t proc_t:lnk_file read;
+allow ssh_keygen_t proc_t:dir r_dir_perms;
+allow ssh_keygen_t proc_t:lnk_file read;
- userdom_use_sysadm_ttys(ssh_keygen_t)
- userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
+userdom_use_sysadm_ttys(ssh_keygen_t)
+userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
- # cjp: with the old daemon_(base_)domain being broken up into
- # a daemon and system interface, this probably is not needed:
- ifdef(`direct_sysadm_daemon',`
- userdom_dontaudit_use_sysadm_terms(ssh_keygen_t)
- ')
+# cjp: with the old daemon_(base_)domain being broken up into
+# a daemon and system interface, this probably is not needed:
+ifdef(`direct_sysadm_daemon',`
+ userdom_dontaudit_use_sysadm_terms(ssh_keygen_t)
+')
- ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(ssh_keygen_t)
- term_dontaudit_use_generic_ptys(ssh_keygen_t)
- files_dontaudit_read_root_files(ssh_keygen_t)
- ')
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_ttys(ssh_keygen_t)
+ term_dontaudit_use_generic_ptys(ssh_keygen_t)
+ files_dontaudit_read_root_files(ssh_keygen_t)
+')
- optional_policy(`
- seutil_sigchld_newrole(ssh_keygen_t)
- ')
+optional_policy(`
+ nscd_socket_use(ssh_keygen_t)
+')
- optional_policy(`
- udev_read_db(ssh_keygen_t)
- ')
+optional_policy(`
+ seutil_sigchld_newrole(ssh_keygen_t)
+')
+
+optional_policy(`
+ udev_read_db(ssh_keygen_t)
')
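Review bot: The now-unconditional lines `allow ssh_keygen_t proc_t:dir r_dir_perms;` and `allow ssh_keygen_t proc_t:lnk_file read;` reference `proc_t` directly instead of going through a `kernel_` interface like the `kernel_read_kernel_sysctls(ssh_keygen_t)` call above them; in a modular build that type belongs to the kernel module, so a kernel interface — `kernel_read_system_state(ssh_keygen_t)`, which rhgb.te in this commit already uses, if its permission set is acceptable, since it may grant more than dir search plus lnk_file read — would be the convention. These lines were previously under `ifdef(`targeted_policy',`',`, and the commit promotes the whole block by re-indenting it, which makes the hunk large while the only new rule is `nscd_socket_use(ssh_keygen_t)`; the Changelog line in this commit records only a date, so a note that the ssh_keygen_t domain now applies to the targeted policy as well would make the intent recoverable. The retained `ifdef(`targeted_policy'` dontaudit block inside the block now means targeted gets the full domain plus those dontaudits, which is presumably intended given the earlier hunk that makes the `ssh_keygen_t` declaration unconditional.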
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 7e33cf8..6c6ccf2 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -1072,11 +1072,30 @@ interface(`xserver_read_xdm_tmp_files',`
type xdm_tmp_t;
')
+ allow $1 xdm_tmp_t:dir search_dir_perms;
allow $1 xdm_tmp_t:file { getattr read };
')
########################################
##
+## Signal XDM X servers
+##
+##
+##
+## Domain to not audit
+##
+##
+#
+interface(`xserver_signal_xdm_xserver',`
+ gen_require(`
+ type xdm_xserver_t;
+ ')
+
+ allow $1 xdm_xserver_t:process signal;
+')
+
+########################################
+##
## Kill XDM X servers
##
##
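Review bot: The new `xserver_signal_xdm_xserver` documents its parameter as `Domain to not audit`, but the body is `allow $1 xdm_xserver_t:process signal;`, so the caller is being granted access rather than having denials suppressed; `## Domain allowed access.` is the correct text (the terminal.if hunk in this commit makes the opposite mistake on a dontaudit-only interface). Separately, `allow $1 xdm_tmp_t:dir search_dir_perms;` added to `xserver_read_xdm_tmp_files` widens an existing interface for every caller; that is reasonable for a read interface but the summary comment, which starts outside this hunk, should mention that the directory may now be searched. The `xserver_read_xdm_tmp_files` body begins before the first line shown.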
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 6099a00..9e92fc2 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,5 +1,5 @@
-policy_module(xserver,1.1.14)
+policy_module(xserver,1.1.15)
########################################
#
@@ -99,6 +99,11 @@ dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+allow xdm_t xdm_tmp_t:dir manage_dir_perms;
+allow xdm_t xdm_tmp_t:file manage_file_perms;
+allow xdm_t xdm_tmp_t:sock_file manage_file_perms;
+files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
+
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
@@ -218,11 +223,6 @@ ifdef(`strict_policy',`
allow xdm_t xdm_lock_t:file create_file_perms;
files_lock_filetrans(xdm_t,xdm_lock_t,file)
- allow xdm_t xdm_tmp_t:dir manage_dir_perms;
- allow xdm_t xdm_tmp_t:file manage_file_perms;
- allow xdm_t xdm_tmp_t:sock_file manage_file_perms;
- files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
-
allow xdm_t xdm_tmpfs_t:dir manage_dir_perms;
allow xdm_t xdm_tmpfs_t:file manage_file_perms;
allow xdm_t xdm_tmpfs_t:lnk_file create_lnk_perms;
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 769abdc..ca83c75 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,5 +1,5 @@
-policy_module(authlogin,1.3.13)
+policy_module(authlogin,1.3.14)
########################################
#
@@ -176,7 +176,7 @@ dev_getattr_xserver_misc_dev(pam_console_t)
dev_setattr_xserver_misc_dev(pam_console_t)
dev_read_urand(pam_console_t)
-fs_search_auto_mountpoints(pam_console_t)
+fs_list_auto_mountpoints(pam_console_t)
mls_file_read_up(pam_console_t)
mls_file_write_down(pam_console_t)
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index 4382e10..4954537 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -1,5 +1,5 @@
-policy_module(xen,1.0.9)
+policy_module(xen,1.0.10)
########################################
#
@@ -131,6 +131,7 @@ corenet_tcp_bind_all_nodes(xend_t)
corenet_tcp_bind_xen_port(xend_t)
corenet_tcp_bind_soundd_port(xend_t)
corenet_tcp_bind_generic_port(xend_t)
+corenet_tcp_bind_vnc_port(xend_t)
corenet_sendrecv_xen_server_packets(xend_t)
corenet_sendrecv_soundd_server_packets(xend_t)
corenet_rw_tun_tap_dev(xend_t)
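Review bot: The new `corenet_tcp_bind_vnc_port(xend_t)` has no matching packet rule, whereas the binds beside it are paired — `corenet_tcp_bind_xen_port` with `corenet_sendrecv_xen_server_packets` and `corenet_tcp_bind_soundd_port` with `corenet_sendrecv_soundd_server_packets`. If corenetwork generates the packet interfaces per declared port as it evidently does for those two, `corenet_sendrecv_vnc_server_packets(xend_t)` should be added below `corenet_sendrecv_soundd_server_packets(xend_t)`; otherwise the bind is only half effective on a policy that labels packets. A short comment on why xend listens on the VNC port (guest console access is the likely reason, but that is an inference) would also document the exposure.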
@@ -175,6 +176,8 @@ sysnet_dns_name_resolve(xend_t)
sysnet_delete_dhcpc_pid(xend_t)
sysnet_read_dhcpc_pid(xend_t)
+userdom_dontaudit_search_sysadm_home_dirs(xend_t)
+
xen_stream_connect_xenstore(xend_t)
netutils_domtrans(xend_t)