diff --git a/policy-F12.patch b/policy-F12.patch
index 96b3187..8f3d4db 100644
--- a/policy-F12.patch
+++ b/policy-F12.patch
@@ -1,6 +1,15 @@
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.6.27/config/appconfig-mcs/default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Changelog serefpolicy-3.6.28/Changelog
+--- nsaserefpolicy/Changelog 2009-08-18 11:41:14.000000000 -0400
++++ serefpolicy-3.6.28/Changelog 2009-08-18 13:23:29.000000000 -0400
+@@ -1,5 +1,3 @@
+-- Debian policykit fixes from Martin Orr.
+-- Fix unconfined_r use of unconfined_java_t.
+ - Add missing x_device rules for XI2 functions, from Eamon Walsh.
+ - Add missing rules to make unconfined_cronjob_t a valid cron job domain.
+ - Add btrfs and ext4 to labeling targets.
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.6.28/config/appconfig-mcs/default_contexts
--- nsaserefpolicy/config/appconfig-mcs/default_contexts 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/config/appconfig-mcs/default_contexts 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/config/appconfig-mcs/default_contexts 2009-08-18 13:23:29.000000000 -0400
@@ -1,15 +1,6 @@
-system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
-system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
@@ -22,15 +31,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
-user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
+system_r:xdm_t:s0 user_r:user_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.6.27/config/appconfig-mcs/failsafe_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.6.28/config/appconfig-mcs/failsafe_context
--- nsaserefpolicy/config/appconfig-mcs/failsafe_context 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/config/appconfig-mcs/failsafe_context 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/config/appconfig-mcs/failsafe_context 2009-08-18 13:23:29.000000000 -0400
@@ -1 +1 @@
-sysadm_r:sysadm_t:s0
+system_r:unconfined_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.6.27/config/appconfig-mcs/root_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.6.28/config/appconfig-mcs/root_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/root_default_contexts 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/config/appconfig-mcs/root_default_contexts 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/config/appconfig-mcs/root_default_contexts 2009-08-18 13:23:29.000000000 -0400
@@ -1,11 +1,7 @@
-system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
@@ -45,9 +54,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
#
-#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/securetty_types serefpolicy-3.6.27/config/appconfig-mcs/securetty_types
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/securetty_types serefpolicy-3.6.28/config/appconfig-mcs/securetty_types
--- nsaserefpolicy/config/appconfig-mcs/securetty_types 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/config/appconfig-mcs/securetty_types 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/config/appconfig-mcs/securetty_types 2009-08-18 13:23:29.000000000 -0400
@@ -1 +1,6 @@
+auditadm_tty_device_t
+secadm_tty_device_t
@@ -55,18 +64,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
+sysadm_tty_device_t
+unconfined_tty_device_t
user_tty_device_t
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.6.27/config/appconfig-mcs/seusers
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.6.28/config/appconfig-mcs/seusers
--- nsaserefpolicy/config/appconfig-mcs/seusers 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/config/appconfig-mcs/seusers 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/config/appconfig-mcs/seusers 2009-08-18 13:23:29.000000000 -0400
@@ -1,3 +1,3 @@
system_u:system_u:s0-mcs_systemhigh
-root:root:s0-mcs_systemhigh
-__default__:user_u:s0
+root:unconfined_u:s0-mcs_systemhigh
+__default__:unconfined_u:s0-mcs_systemhigh
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.6.27/config/appconfig-mcs/staff_u_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.6.28/config/appconfig-mcs/staff_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/config/appconfig-mcs/staff_u_default_contexts 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/config/appconfig-mcs/staff_u_default_contexts 2009-08-18 13:23:29.000000000 -0400
@@ -1,10 +1,12 @@
system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:remote_login_t:s0 staff_r:staff_t:s0
@@ -81,9 +90,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.6.27/config/appconfig-mcs/unconfined_u_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.6.28/config/appconfig-mcs/unconfined_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/config/appconfig-mcs/unconfined_u_default_contexts 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/config/appconfig-mcs/unconfined_u_default_contexts 2009-08-18 13:23:29.000000000 -0400
@@ -1,4 +1,4 @@
-system_r:crond_t:s0 unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0
@@ -97,15 +106,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
+system_r:initrc_su_t:s0 unconfined_r:unconfined_t:s0
+unconfined_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
system_r:xdm_t:s0 unconfined_r:unconfined_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.6.27/config/appconfig-mcs/userhelper_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.6.28/config/appconfig-mcs/userhelper_context
--- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/config/appconfig-mcs/userhelper_context 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/config/appconfig-mcs/userhelper_context 2009-08-18 13:23:29.000000000 -0400
@@ -1 +1 @@
-system_u:sysadm_r:sysadm_t:s0
+system_u:system_r:unconfined_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.6.27/config/appconfig-mcs/user_u_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.6.28/config/appconfig-mcs/user_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/config/appconfig-mcs/user_u_default_contexts 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/config/appconfig-mcs/user_u_default_contexts 2009-08-18 13:23:29.000000000 -0400
@@ -1,8 +1,9 @@
system_r:local_login_t:s0 user_r:user_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
@@ -118,20 +127,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
-
+system_r:initrc_su_t:s0 user_r:user_t:s0
+user_r:user_t:s0 user_r:user_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_domain_context serefpolicy-3.6.27/config/appconfig-mcs/virtual_domain_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_domain_context serefpolicy-3.6.28/config/appconfig-mcs/virtual_domain_context
--- nsaserefpolicy/config/appconfig-mcs/virtual_domain_context 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/config/appconfig-mcs/virtual_domain_context 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/config/appconfig-mcs/virtual_domain_context 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1 @@
+system_u:system_r:svirt_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_image_context serefpolicy-3.6.27/config/appconfig-mcs/virtual_image_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_image_context serefpolicy-3.6.28/config/appconfig-mcs/virtual_image_context
--- nsaserefpolicy/config/appconfig-mcs/virtual_image_context 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/config/appconfig-mcs/virtual_image_context 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/config/appconfig-mcs/virtual_image_context 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,2 @@
+system_u:object_r:svirt_image_t:s0
+system_u:object_r:virt_content_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.6.27/config/appconfig-mls/default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.6.28/config/appconfig-mls/default_contexts
--- nsaserefpolicy/config/appconfig-mls/default_contexts 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/config/appconfig-mls/default_contexts 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/config/appconfig-mls/default_contexts 2009-08-18 13:23:29.000000000 -0400
@@ -1,15 +1,6 @@
-system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
-system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
@@ -153,9 +162,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
-user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
+system_r:xdm_t:s0 user_r:user_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/root_default_contexts serefpolicy-3.6.27/config/appconfig-mls/root_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/root_default_contexts serefpolicy-3.6.28/config/appconfig-mls/root_default_contexts
--- nsaserefpolicy/config/appconfig-mls/root_default_contexts 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/config/appconfig-mls/root_default_contexts 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/config/appconfig-mls/root_default_contexts 2009-08-18 13:23:29.000000000 -0400
@@ -1,11 +1,11 @@
-system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
-system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
@@ -174,20 +183,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
#
-#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_domain_context serefpolicy-3.6.27/config/appconfig-mls/virtual_domain_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_domain_context serefpolicy-3.6.28/config/appconfig-mls/virtual_domain_context
--- nsaserefpolicy/config/appconfig-mls/virtual_domain_context 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/config/appconfig-mls/virtual_domain_context 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/config/appconfig-mls/virtual_domain_context 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1 @@
+system_u:system_r:qemu_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_image_context serefpolicy-3.6.27/config/appconfig-mls/virtual_image_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_image_context serefpolicy-3.6.28/config/appconfig-mls/virtual_image_context
--- nsaserefpolicy/config/appconfig-mls/virtual_image_context 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/config/appconfig-mls/virtual_image_context 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/config/appconfig-mls/virtual_image_context 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,2 @@
+system_u:object_r:virt_image_t:s0
+system_u:object_r:virt_content_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/securetty_types serefpolicy-3.6.27/config/appconfig-standard/securetty_types
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/securetty_types serefpolicy-3.6.28/config/appconfig-standard/securetty_types
--- nsaserefpolicy/config/appconfig-standard/securetty_types 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/config/appconfig-standard/securetty_types 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/config/appconfig-standard/securetty_types 2009-08-18 13:23:29.000000000 -0400
@@ -1 +1,6 @@
+auditadm_tty_device_t
+secadm_tty_device_t
@@ -195,9 +204,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
+sysadm_tty_device_t
+unconfined_tty_device_t
user_tty_device_t
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.6.27/Makefile
---- nsaserefpolicy/Makefile 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/Makefile 2009-08-14 16:51:06.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.6.28/Makefile
+--- nsaserefpolicy/Makefile 2009-08-18 11:41:14.000000000 -0400
++++ serefpolicy-3.6.28/Makefile 2009-08-18 13:23:29.000000000 -0400
@@ -102,8 +102,6 @@
comment_move_decl := $(SED) -r -f $(support)/comment_move_decl.sed
gennetfilter := $(PYTHON) -E $(support)/gennetfilter.py
@@ -247,6 +256,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Mak
########################################
#
+@@ -541,7 +537,7 @@
+ #
+ install-headers: $(layerxml) $(tunxml) $(boolxml)
+ @mkdir -p $(headerdir)
+- @echo "Installing $(NAME) policy headers."
++ @echo "Installing $(TYPE) policy headers."
+ $(verbose) $(INSTALL) -m 644 $^ $(headerdir)
+ $(verbose) $(M4) $(M4PARAM) $(rolemap) > $(headerdir)/$(notdir $(rolemap))
+ $(verbose) mkdir -p $(headerdir)/support
@@ -605,7 +601,7 @@
# Filesystem labeling
#
@@ -283,9 +301,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Mak
@if test -z "$(filesystems)"; then \
echo "No filesystems with extended attributes found!" ;\
false ;\
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/rsync_selinux.8 serefpolicy-3.6.27/man/man8/rsync_selinux.8
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/rsync_selinux.8 serefpolicy-3.6.28/man/man8/rsync_selinux.8
--- nsaserefpolicy/man/man8/rsync_selinux.8 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/man/man8/rsync_selinux.8 2009-08-18 08:30:56.000000000 -0400
++++ serefpolicy-3.6.28/man/man8/rsync_selinux.8 2009-08-18 13:23:29.000000000 -0400
@@ -21,10 +21,18 @@
.TP
chcon -t public_content_t /var/rsync
@@ -315,9 +333,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man
.SH "SEE ALSO"
-selinux(8), rsync(1), chcon(1), setsebool(8)
+selinux(8), rsync(1), chcon(1), setsebool(8), semanage(8)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/samba_selinux.8 serefpolicy-3.6.27/man/man8/samba_selinux.8
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/samba_selinux.8 serefpolicy-3.6.28/man/man8/samba_selinux.8
--- nsaserefpolicy/man/man8/samba_selinux.8 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/man/man8/samba_selinux.8 2009-08-18 08:31:04.000000000 -0400
++++ serefpolicy-3.6.28/man/man8/samba_selinux.8 2009-08-18 13:23:29.000000000 -0400
@@ -20,7 +20,7 @@
.TP
This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local:
@@ -333,9 +351,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man
.SH "SEE ALSO"
-selinux(8), samba(7), chcon(1), setsebool(8)
+selinux(8), samba(7), chcon(1), setsebool(8), semanage(8)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.6.27/policy/flask/access_vectors
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.6.28/policy/flask/access_vectors
--- nsaserefpolicy/policy/flask/access_vectors 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/flask/access_vectors 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/flask/access_vectors 2009-08-18 13:23:29.000000000 -0400
@@ -544,8 +544,6 @@
set_property
add
@@ -345,9 +363,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
}
class x_server
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.27/policy/global_tunables
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.28/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.27/policy/global_tunables 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/global_tunables 2009-08-18 13:23:29.000000000 -0400
@@ -61,15 +61,6 @@
## <desc>
@@ -383,9 +401,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+## </desc>
+gen_tunable(mmap_low_allowed, false)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.27/policy/mcs
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.28/policy/mcs
--- nsaserefpolicy/policy/mcs 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/mcs 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/mcs 2009-08-18 13:23:29.000000000 -0400
@@ -66,8 +66,8 @@
#
# Note that getattr on files is always permitted.
@@ -419,9 +437,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
mlsconstrain process { transition dyntransition }
(( h1 dom h2 ) or ( t1 == mcssetcats ));
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.6.27/policy/modules/admin/anaconda.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.6.28/policy/modules/admin/anaconda.te
--- nsaserefpolicy/policy/modules/admin/anaconda.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/anaconda.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/anaconda.te 2009-08-18 13:23:29.000000000 -0400
@@ -31,6 +31,7 @@
modutils_domtrans_insmod(anaconda_t)
@@ -430,9 +448,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.6.27/policy/modules/admin/certwatch.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.6.28/policy/modules/admin/certwatch.te
--- nsaserefpolicy/policy/modules/admin/certwatch.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/certwatch.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/certwatch.te 2009-08-18 13:23:29.000000000 -0400
@@ -36,6 +36,7 @@
miscfiles_read_localization(certwatch_t)
@@ -441,17 +459,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
apache_exec_modules(certwatch_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.fc serefpolicy-3.6.27/policy/modules/admin/dmesg.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.fc serefpolicy-3.6.28/policy/modules/admin/dmesg.fc
--- nsaserefpolicy/policy/modules/admin/dmesg.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/dmesg.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/dmesg.fc 2009-08-18 13:23:29.000000000 -0400
@@ -1,2 +1,4 @@
/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
+
+/usr/sbin/mcelog -- gen_context(system_u:object_r:dmesg_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.6.27/policy/modules/admin/dmesg.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.6.28/policy/modules/admin/dmesg.te
--- nsaserefpolicy/policy/modules/admin/dmesg.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/dmesg.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/dmesg.te 2009-08-18 13:23:29.000000000 -0400
@@ -9,6 +9,7 @@
type dmesg_t;
type dmesg_exec_t;
@@ -486,9 +504,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dirs(dmesg_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.6.27/policy/modules/admin/kismet.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.6.28/policy/modules/admin/kismet.if
--- nsaserefpolicy/policy/modules/admin/kismet.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/kismet.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/kismet.if 2009-08-18 13:23:29.000000000 -0400
@@ -16,6 +16,7 @@
')
@@ -497,9 +515,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.27/policy/modules/admin/kismet.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.28/policy/modules/admin/kismet.te
--- nsaserefpolicy/policy/modules/admin/kismet.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/kismet.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/kismet.te 2009-08-18 13:23:29.000000000 -0400
@@ -17,6 +17,9 @@
type kismet_tmp_t;
files_tmp_file(kismet_tmp_t)
@@ -542,9 +560,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ networkmanager_dbus_chat(kismet_t)
+ ')
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.27/policy/modules/admin/logrotate.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.28/policy/modules/admin/logrotate.te
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/logrotate.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/logrotate.te 2009-08-18 13:23:29.000000000 -0400
@@ -32,7 +32,7 @@
# Change ownership on log files.
allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
@@ -587,18 +605,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
slrnpull_manage_spool(logrotate_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.27/policy/modules/admin/logwatch.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.28/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/logwatch.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/logwatch.te 2009-08-18 13:23:29.000000000 -0400
@@ -136,4 +136,5 @@
optional_policy(`
samba_read_log(logwatch_t)
+ samba_read_share_files(logwatch_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.6.27/policy/modules/admin/mrtg.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.6.28/policy/modules/admin/mrtg.te
--- nsaserefpolicy/policy/modules/admin/mrtg.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/mrtg.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/mrtg.te 2009-08-18 13:23:29.000000000 -0400
@@ -116,6 +116,9 @@
userdom_use_user_terminals(mrtg_t)
userdom_dontaudit_read_user_home_content_files(mrtg_t)
@@ -620,9 +638,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole(mrtg_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.27/policy/modules/admin/prelink.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage.te serefpolicy-3.6.28/policy/modules/admin/portage.te
+--- nsaserefpolicy/policy/modules/admin/portage.te 2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/portage.te 2009-08-18 13:23:29.000000000 -0400
+@@ -195,7 +195,7 @@
+ # - for rsync and distfile fetching
+ #
+
+-allow portage_fetch_t self:capability { dac_override fowner fsetid };
++allow portage_fetch_t self:capability { dac_override fowner fsetid sys_nice };
+ allow portage_fetch_t self:process signal;
+ allow portage_fetch_t self:unix_stream_socket create_socket_perms;
+ allow portage_fetch_t self:tcp_socket create_stream_socket_perms;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.28/policy/modules/admin/prelink.if
--- nsaserefpolicy/policy/modules/admin/prelink.if 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/prelink.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/prelink.if 2009-08-18 13:23:29.000000000 -0400
@@ -140,3 +140,22 @@
files_search_var_lib($1)
manage_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
@@ -646,9 +676,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ files_search_var_lib($1)
+ relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.27/policy/modules/admin/readahead.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.28/policy/modules/admin/readahead.te
--- nsaserefpolicy/policy/modules/admin/readahead.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/readahead.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/readahead.te 2009-08-18 13:23:29.000000000 -0400
@@ -54,7 +54,10 @@
files_dontaudit_getattr_all_sockets(readahead_t)
files_list_non_security(readahead_t)
@@ -660,9 +690,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_getattr_all_fs(readahead_t)
fs_search_auto_mountpoints(readahead_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.27/policy/modules/admin/rpm.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.28/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/rpm.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/rpm.fc 2009-08-18 13:23:29.000000000 -0400
@@ -4,14 +4,12 @@
/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -704,9 +734,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# SuSE
ifdef(`distro_suse', `
/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.27/policy/modules/admin/rpm.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.28/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/rpm.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/rpm.if 2009-08-18 13:23:29.000000000 -0400
@@ -66,6 +66,11 @@
rpm_domtrans($1)
role $2 types rpm_t;
@@ -930,9 +960,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow $1 rpm_t:process signull;
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.27/policy/modules/admin/rpm.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.28/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/rpm.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/rpm.te 2009-08-18 13:23:29.000000000 -0400
@@ -31,11 +31,15 @@
files_type(rpm_var_lib_t)
typealias rpm_var_lib_t alias var_lib_rpm_t;
@@ -1159,9 +1189,92 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
java_domtrans_unconfined(rpm_script_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.27/policy/modules/admin/sudo.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.fc serefpolicy-3.6.28/policy/modules/admin/smoltclient.fc
+--- nsaserefpolicy/policy/modules/admin/smoltclient.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.28/policy/modules/admin/smoltclient.fc 2009-08-18 13:23:29.000000000 -0400
+@@ -0,0 +1,4 @@
++
++/usr/share/smolt/client/sendProfile.py -- gen_context(system_u:object_r:smoltclient_exec_t,s0)
++
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.if serefpolicy-3.6.28/policy/modules/admin/smoltclient.if
+--- nsaserefpolicy/policy/modules/admin/smoltclient.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.28/policy/modules/admin/smoltclient.if 2009-08-18 13:23:29.000000000 -0400
+@@ -0,0 +1 @@
++## <summary>The Fedora hardware profiler client</summary>
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.6.28/policy/modules/admin/smoltclient.te
+--- nsaserefpolicy/policy/modules/admin/smoltclient.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.28/policy/modules/admin/smoltclient.te 2009-08-18 13:23:29.000000000 -0400
+@@ -0,0 +1,66 @@
++policy_module(smoltclient,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type smoltclient_t;
++type smoltclient_exec_t;
++application_domain(smoltclient_t, smoltclient_exec_t)
++cron_system_entry(smoltclient_t, smoltclient_exec_t)
++
++type smoltclient_tmp_t;
++files_tmp_file(smoltclient_tmp_t)
++
++########################################
++#
++# Local policy
++#
++allow smoltclient_t self:process { setsched getsched };
++
++allow smoltclient_t self:fifo_file rw_fifo_file_perms;
++allow smoltclient_t self:tcp_socket create_socket_perms;
++allow smoltclient_t self:udp_socket create_socket_perms;
++allow smoltclient_t self:netlink_route_socket r_netlink_socket_perms;
++
++can_exec(smoltclient_t, smoltclient_tmp_t)
++manage_dirs_pattern(smoltclient_t, smoltclient_tmp_t, smoltclient_tmp_t)
++manage_files_pattern(smoltclient_t, smoltclient_tmp_t, smoltclient_tmp_t)
++files_tmp_filetrans(smoltclient_t, smoltclient_tmp_t, { dir file })
++
++kernel_read_system_state(smoltclient_t)
++kernel_read_network_state(smoltclient_t)
++kernel_read_kernel_sysctls(smoltclient_t)
++
++corecmd_exec_shell(smoltclient_t)
++
++corenet_tcp_connect_http_port(smoltclient_t)
++
++dev_read_urand(smoltclient_t)
++dev_read_sysfs(smoltclient_t)
++
++fs_getattr_all_fs(smoltclient_t)
++
++files_getattr_generic_locks(smoltclient_t)
++files_read_etc_files(smoltclient_t)
++files_read_usr_files(smoltclient_t)
++
++miscfiles_read_localization(smoltclient_t)
++
++sysnet_read_config(smoltclient_t)
++
++optional_policy(`
++ dbus_system_bus_client(smoltclient_t)
++')
++
++optional_policy(`
++ hal_dbus_chat(smoltclient_t)
++')
++
++optional_policy(`
++ rpm_exec(smoltclient_t)
++ rpm_read_db(smoltclient_t)
++')
++
++permissive smoltclient_t;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.28/policy/modules/admin/sudo.if
--- nsaserefpolicy/policy/modules/admin/sudo.if 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/sudo.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/sudo.if 2009-08-18 13:23:29.000000000 -0400
@@ -66,8 +66,8 @@
allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
allow $1_sudo_t self:unix_dgram_socket sendto;
@@ -1245,9 +1358,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.6.27/policy/modules/admin/tmpreaper.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.6.28/policy/modules/admin/tmpreaper.te
--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/tmpreaper.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/tmpreaper.te 2009-08-18 13:23:29.000000000 -0400
@@ -52,6 +52,10 @@
')
@@ -1259,9 +1372,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kismet_manage_log(tmpreaper_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.27/policy/modules/admin/usermanage.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.28/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/usermanage.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/usermanage.te 2009-08-18 13:23:29.000000000 -0400
@@ -209,6 +209,7 @@
files_manage_etc_files(groupadd_t)
files_relabel_etc_files(groupadd_t)
@@ -1335,9 +1448,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.6.27/policy/modules/admin/vbetool.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.6.28/policy/modules/admin/vbetool.te
--- nsaserefpolicy/policy/modules/admin/vbetool.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/vbetool.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/vbetool.te 2009-08-18 13:23:29.000000000 -0400
@@ -15,15 +15,20 @@
# Local policy
#
@@ -1370,9 +1483,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ xserver_exec_pid(vbetool_t)
+ xserver_write_pid(vbetool_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.6.27/policy/modules/apps/awstats.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.6.28/policy/modules/apps/awstats.te
--- nsaserefpolicy/policy/modules/apps/awstats.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/awstats.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/awstats.te 2009-08-18 13:23:29.000000000 -0400
@@ -51,6 +51,8 @@
libs_read_lib_files(awstats_t)
@@ -1382,9 +1495,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
miscfiles_read_localization(awstats_t)
sysnet_dns_name_resolve(awstats_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/calamaris.te serefpolicy-3.6.27/policy/modules/apps/calamaris.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/calamaris.te serefpolicy-3.6.28/policy/modules/apps/calamaris.te
--- nsaserefpolicy/policy/modules/apps/calamaris.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/calamaris.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/calamaris.te 2009-08-18 13:23:29.000000000 -0400
@@ -84,3 +84,7 @@
optional_policy(`
nis_use_ypbind(calamaris_t)
@@ -1393,9 +1506,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ nscd_socket_use(calamaris_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.6.27/policy/modules/apps/cpufreqselector.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.6.28/policy/modules/apps/cpufreqselector.te
--- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/cpufreqselector.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/cpufreqselector.te 2009-08-18 13:23:29.000000000 -0400
@@ -8,7 +8,8 @@
type cpufreqselector_t;
@@ -1414,17 +1527,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
policykit_domtrans_auth(cpufreqselector_t)
policykit_read_lib(cpufreqselector_t)
policykit_read_reload(cpufreqselector_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.fc serefpolicy-3.6.27/policy/modules/apps/gitosis.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.fc serefpolicy-3.6.28/policy/modules/apps/gitosis.fc
--- nsaserefpolicy/policy/modules/apps/gitosis.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/gitosis.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/gitosis.fc 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,4 @@
+
+/usr/bin/gitosis-serve -- gen_context(system_u:object_r:gitosis_exec_t,s0)
+
+/var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.6.27/policy/modules/apps/gitosis.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.6.28/policy/modules/apps/gitosis.if
--- nsaserefpolicy/policy/modules/apps/gitosis.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/gitosis.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/gitosis.if 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,96 @@
+## <summary>gitosis interface</summary>
+
@@ -1522,9 +1635,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ manage_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+ manage_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.te serefpolicy-3.6.27/policy/modules/apps/gitosis.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.te serefpolicy-3.6.28/policy/modules/apps/gitosis.te
--- nsaserefpolicy/policy/modules/apps/gitosis.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/gitosis.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/gitosis.te 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,36 @@
+policy_module(gitosis,1.0.0)
+
@@ -1562,9 +1675,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+files_search_var_lib(gitosis_t)
+
+miscfiles_read_localization(gitosis_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.27/policy/modules/apps/gnome.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.28/policy/modules/apps/gnome.fc
--- nsaserefpolicy/policy/modules/apps/gnome.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/gnome.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/gnome.fc 2009-08-18 13:23:29.000000000 -0400
@@ -1,8 +1,16 @@
-HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
@@ -1584,9 +1697,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/libexec/gconf-defaults-mechanism -- gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0)
+
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.27/policy/modules/apps/gnome.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.28/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/gnome.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/gnome.if 2009-08-18 13:23:29.000000000 -0400
@@ -89,5 +89,175 @@
allow $1 gnome_home_t:dir manage_dir_perms;
@@ -1763,9 +1876,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ # Connect to pulseaudit server
+ stream_connect_pattern($1, gnome_home_t, gnome_home_t, $2)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.27/policy/modules/apps/gnome.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.28/policy/modules/apps/gnome.te
--- nsaserefpolicy/policy/modules/apps/gnome.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/gnome.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/gnome.te 2009-08-18 13:23:29.000000000 -0400
@@ -9,16 +9,18 @@
attribute gnomedomain;
@@ -1887,10 +2000,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+permissive gnomesystemmm_t;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.27/policy/modules/apps/gpg.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.6.28/policy/modules/apps/gpg.if
+--- nsaserefpolicy/policy/modules/apps/gpg.if 2009-07-23 14:11:04.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/gpg.if 2009-08-18 13:23:29.000000000 -0400
+@@ -30,7 +30,7 @@
+
+ # allow ps to show gpg
+ ps_process_pattern($2, gpg_t)
+- allow $2 gpg_t:process { signal sigkill };
++ allow $2 gpg_t:process { signull sigstop signal sigkill };
+
+ # communicate with the user
+ allow gpg_helper_t $2:fd use;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.28/policy/modules/apps/gpg.te
--- nsaserefpolicy/policy/modules/apps/gpg.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/gpg.te 2009-08-14 16:51:06.000000000 -0400
-@@ -159,6 +159,19 @@
++++ serefpolicy-3.6.28/policy/modules/apps/gpg.te 2009-08-18 13:23:29.000000000 -0400
+@@ -92,6 +92,7 @@
+
+ dev_read_rand(gpg_t)
+ dev_read_urand(gpg_t)
++dev_read_generic_usb_dev(gpg_t)
+
+ fs_getattr_xattr_fs(gpg_t)
+
+@@ -159,6 +160,19 @@
xserver_rw_xdm_pipes(gpg_t)
')
@@ -1910,16 +2043,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# GPG agent local policy
-@@ -250,5 +263,5 @@
+@@ -250,5 +264,5 @@
')
optional_policy(`
- xserver_stream_connect(gpg_pinentry_t)
+ xserver_common_app(gpg_pinentry_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.6.27/policy/modules/apps/java.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.6.28/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/java.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/java.fc 2009-08-18 13:23:29.000000000 -0400
@@ -2,15 +2,16 @@
# /opt
#
@@ -1954,9 +2087,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.27/policy/modules/apps/java.if
---- nsaserefpolicy/policy/modules/apps/java.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/java.if 2009-08-14 16:51:06.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.28/policy/modules/apps/java.if
+--- nsaserefpolicy/policy/modules/apps/java.if 2009-08-18 11:41:14.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/java.if 2009-08-18 13:23:29.000000000 -0400
@@ -30,6 +30,7 @@
allow java_t $2:unix_stream_socket connectto;
@@ -1965,23 +2098,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -68,3 +69,131 @@
- domtrans_pattern($1, java_exec_t, unconfined_java_t)
- corecmd_search_bin($1)
- ')
-+
-+########################################
-+## <summary>
+@@ -71,24 +72,128 @@
+
+ ########################################
+ ## <summary>
+-## Execute the java program in the unconfined java domain.
+## Execute java in the java domain, and
+## allow the specified role the java domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## The type of the process performing this action.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
+ ## </summary>
+ ## </param>
+ ## <param name="role">
+ ## <summary>
+-## Role allowed access.
+## The role to be allowed the java domain.
+## </summary>
+## </param>
@@ -2008,17 +2141,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+## <param name="role">
+## <summary>
+## The role to be allowed the java domain.
-+## </summary>
-+## </param>
-+#
-+interface(`java_run_unconfined',`
-+ gen_require(`
-+ type unconfined_java_t;
+ ## </summary>
+ ## </param>
+ #
+ interface(`java_run_unconfined',`
+ gen_require(`
+ type unconfined_java_t;
+ type java_t;
-+ ')
-+
-+ java_domtrans_unconfined($1)
-+ role $2 types unconfined_java_t;
+ ')
+
+ java_domtrans_unconfined($1)
+ role $2 types unconfined_java_t;
+ role $2 types java_t;
+ nsplugin_role_notrans($2, unconfined_java_t)
+')
@@ -2096,10 +2229,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ xserver_common_app($1_java_t)
+ xserver_role($1_r, $1_java_t)
+ ')
-+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.27/policy/modules/apps/java.te
---- nsaserefpolicy/policy/modules/apps/java.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/java.te 2009-08-14 16:51:06.000000000 -0400
+ ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.28/policy/modules/apps/java.te
+--- nsaserefpolicy/policy/modules/apps/java.te 2009-08-18 11:41:14.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/java.te 2009-08-18 13:23:29.000000000 -0400
@@ -20,6 +20,8 @@
typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t };
typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
@@ -2109,15 +2242,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type java_tmp_t;
files_tmp_file(java_tmp_t)
ubac_constrained(java_tmp_t)
-@@ -40,7 +42,7 @@
- # Local policy
- #
-
--allow java_t self:process { signal_perms getsched setsched execmem };
-+allow java_t self:process { signal_perms getsched execmem };
- allow java_t self:fifo_file rw_fifo_file_perms;
- allow java_t self:tcp_socket create_socket_perms;
- allow java_t self:udp_socket create_socket_perms;
@@ -80,6 +82,7 @@
dev_write_sound(java_t)
dev_read_urand(java_t)
@@ -2126,22 +2250,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files(java_t)
files_read_usr_files(java_t)
-@@ -116,12 +119,13 @@
-
- allow java_t java_tmp_t:file execute;
-
-- libs_legacy_use_shared_libs(java_t)
- libs_legacy_use_ld_so(java_t)
-
- miscfiles_legacy_read_localization(java_t)
- ')
-
-+libs_legacy_use_shared_libs(java_t)
-+
- optional_policy(`
- nis_use_ypbind(java_t)
- ')
-@@ -131,6 +135,7 @@
+@@ -131,6 +134,7 @@
')
optional_policy(`
@@ -2149,7 +2258,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
')
-@@ -147,4 +152,12 @@
+@@ -147,4 +151,12 @@
unconfined_domain_noaudit(unconfined_java_t)
unconfined_dbus_chat(unconfined_java_t)
@@ -2162,21 +2271,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ')
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.6.27/policy/modules/apps/kdumpgui.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.6.28/policy/modules/apps/kdumpgui.fc
--- nsaserefpolicy/policy/modules/apps/kdumpgui.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/kdumpgui.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/kdumpgui.fc 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,2 @@
+
+/usr/share/system-config-kdump/system-config-kdump-backend.py -- gen_context(system_u:object_r:kdumpgui_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.6.27/policy/modules/apps/kdumpgui.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.6.28/policy/modules/apps/kdumpgui.if
--- nsaserefpolicy/policy/modules/apps/kdumpgui.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/kdumpgui.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/kdumpgui.if 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,2 @@
+## <summary>system-config-kdump policy</summary>
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.6.27/policy/modules/apps/kdumpgui.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.6.28/policy/modules/apps/kdumpgui.te
--- nsaserefpolicy/policy/modules/apps/kdumpgui.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/kdumpgui.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/kdumpgui.te 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,64 @@
+policy_module(kdumpgui,1.0.0)
+
@@ -2242,15 +2351,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+permissive kdumpgui_t;
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.6.27/policy/modules/apps/livecd.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.6.28/policy/modules/apps/livecd.fc
--- nsaserefpolicy/policy/modules/apps/livecd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/livecd.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/livecd.fc 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,2 @@
+
+/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.6.27/policy/modules/apps/livecd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.6.28/policy/modules/apps/livecd.if
--- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/livecd.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/livecd.if 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,50 @@
+
+## <summary>policy for livecd</summary>
@@ -2302,9 +2411,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ seutil_run_setfiles_mac(livecd_t, $2)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.6.27/policy/modules/apps/livecd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.6.28/policy/modules/apps/livecd.te
--- nsaserefpolicy/policy/modules/apps/livecd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/livecd.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/livecd.te 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,26 @@
+policy_module(livecd, 1.0.0)
+
@@ -2332,9 +2441,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+seutil_domtrans_setfiles_mac(livecd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.27/policy/modules/apps/mono.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.28/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/mono.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/mono.if 2009-08-18 13:23:29.000000000 -0400
@@ -21,6 +21,105 @@
########################################
@@ -2450,9 +2559,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
corecmd_search_bin($1)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.6.27/policy/modules/apps/mono.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.6.28/policy/modules/apps/mono.te
--- nsaserefpolicy/policy/modules/apps/mono.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/mono.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/mono.te 2009-08-18 13:23:29.000000000 -0400
@@ -15,7 +15,7 @@
# Local policy
#
@@ -2476,9 +2585,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ xserver_rw_shm(mono_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.6.27/policy/modules/apps/mozilla.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.6.28/policy/modules/apps/mozilla.fc
--- nsaserefpolicy/policy/modules/apps/mozilla.fc 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/mozilla.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/mozilla.fc 2009-08-18 13:23:29.000000000 -0400
@@ -1,6 +1,7 @@
HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -2487,9 +2596,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.27/policy/modules/apps/mozilla.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.28/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/mozilla.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/mozilla.if 2009-08-18 13:23:29.000000000 -0400
@@ -45,6 +45,18 @@
relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
@@ -2517,9 +2626,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_search_user_home_dirs($1)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.27/policy/modules/apps/mozilla.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.28/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/mozilla.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/mozilla.te 2009-08-18 13:23:29.000000000 -0400
@@ -59,6 +59,7 @@
manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
@@ -2594,9 +2703,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
thunderbird_domtrans(mozilla_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.6.27/policy/modules/apps/nsplugin.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.6.28/policy/modules/apps/nsplugin.fc
--- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/nsplugin.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/nsplugin.fc 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,12 @@
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
@@ -2610,9 +2719,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0)
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.27/policy/modules/apps/nsplugin.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.28/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/nsplugin.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/nsplugin.if 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,313 @@
+
+## <summary>policy for nsplugin</summary>
@@ -2927,9 +3036,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.27/policy/modules/apps/nsplugin.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.28/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/nsplugin.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/nsplugin.te 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,286 @@
+
+policy_module(nsplugin, 1.0.0)
@@ -3217,16 +3326,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.6.27/policy/modules/apps/openoffice.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.6.28/policy/modules/apps/openoffice.fc
--- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/openoffice.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/openoffice.fc 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,3 @@
+/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
+/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.6.27/policy/modules/apps/openoffice.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.6.28/policy/modules/apps/openoffice.if
--- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/openoffice.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/openoffice.if 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,93 @@
+## <summary>Openoffice</summary>
+
@@ -3321,9 +3430,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ xserver_common_x_domain_template($1, $1_openoffice_t)
+ ')
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.6.27/policy/modules/apps/openoffice.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.6.28/policy/modules/apps/openoffice.te
--- nsaserefpolicy/policy/modules/apps/openoffice.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/openoffice.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/openoffice.te 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,14 @@
+
+policy_module(openoffice, 1.0.0)
@@ -3339,15 +3448,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.fc serefpolicy-3.6.27/policy/modules/apps/ptchown.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.fc serefpolicy-3.6.28/policy/modules/apps/ptchown.fc
--- nsaserefpolicy/policy/modules/apps/ptchown.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/ptchown.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/ptchown.fc 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,2 @@
+
+/usr/libexec/pt_chown -- gen_context(system_u:object_r:ptchown_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.6.27/policy/modules/apps/ptchown.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.6.28/policy/modules/apps/ptchown.if
--- nsaserefpolicy/policy/modules/apps/ptchown.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/ptchown.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/ptchown.if 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,22 @@
+
+## <summary>helper function for grantpt(3), changes ownship and permissions of pseudotty</summary>
@@ -3371,9 +3480,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ domtrans_pattern($1,ptchown_exec_t,ptchown_t)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.te serefpolicy-3.6.27/policy/modules/apps/ptchown.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.te serefpolicy-3.6.28/policy/modules/apps/ptchown.te
--- nsaserefpolicy/policy/modules/apps/ptchown.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/ptchown.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/ptchown.te 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,38 @@
+policy_module(ptchown,1.0.0)
+
@@ -3413,9 +3522,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+term_setattr_all_user_ptys(ptchown_t)
+
+miscfiles_read_localization(ptchown_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.27/policy/modules/apps/pulseaudio.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.28/policy/modules/apps/pulseaudio.te
--- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/pulseaudio.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/pulseaudio.te 2009-08-18 13:23:29.000000000 -0400
@@ -22,6 +22,7 @@
allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms };
allow pulseaudio_t self:tcp_socket create_stream_socket_perms;
@@ -3450,17 +3559,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ xserver_common_app(pulseaudio_t)
')
-
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.27/policy/modules/apps/qemu.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.28/policy/modules/apps/qemu.fc
--- nsaserefpolicy/policy/modules/apps/qemu.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/qemu.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/qemu.fc 2009-08-18 13:23:29.000000000 -0400
@@ -1,2 +1,2 @@
-/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
-/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.6.27/policy/modules/apps/qemu.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.6.28/policy/modules/apps/qemu.if
--- nsaserefpolicy/policy/modules/apps/qemu.if 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/qemu.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/qemu.if 2009-08-18 13:23:29.000000000 -0400
@@ -40,6 +40,93 @@
qemu_domtrans($1)
@@ -3767,9 +3876,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.27/policy/modules/apps/qemu.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.28/policy/modules/apps/qemu.te
--- nsaserefpolicy/policy/modules/apps/qemu.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/qemu.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/qemu.te 2009-08-18 13:23:29.000000000 -0400
@@ -13,15 +13,46 @@
## </desc>
gen_tunable(qemu_full_network, false)
@@ -3877,20 +3986,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ role unconfined_r types qemu_unconfined_t;
allow qemu_unconfined_t self:process { execstack execmem };
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.6.27/policy/modules/apps/sambagui.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.6.28/policy/modules/apps/sambagui.fc
--- nsaserefpolicy/policy/modules/apps/sambagui.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/sambagui.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/sambagui.fc 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1 @@
+/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.6.27/policy/modules/apps/sambagui.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.6.28/policy/modules/apps/sambagui.if
--- nsaserefpolicy/policy/modules/apps/sambagui.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/sambagui.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/sambagui.if 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,2 @@
+## <summary>system-config-samba policy</summary>
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.27/policy/modules/apps/sambagui.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.28/policy/modules/apps/sambagui.te
--- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/sambagui.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/sambagui.te 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,55 @@
+policy_module(sambagui,1.0.0)
+
@@ -3947,14 +4056,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ policykit_dbus_chat(sambagui_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.6.27/policy/modules/apps/sandbox.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.6.28/policy/modules/apps/sandbox.fc
--- nsaserefpolicy/policy/modules/apps/sandbox.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/sandbox.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/sandbox.fc 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1 @@
+# No types are sandbox_exec_t
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.27/policy/modules/apps/sandbox.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.28/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/sandbox.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/sandbox.if 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,143 @@
+
+## <summary>policy for sandbox</summary>
@@ -4099,9 +4208,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.27/policy/modules/apps/sandbox.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.28/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/sandbox.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/sandbox.te 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,274 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
@@ -4377,9 +4486,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ hal_dbus_chat(sandbox_net_client_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.27/policy/modules/apps/screen.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.28/policy/modules/apps/screen.if
--- nsaserefpolicy/policy/modules/apps/screen.if 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/screen.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/screen.if 2009-08-18 13:23:29.000000000 -0400
@@ -61,6 +61,8 @@
manage_fifo_files_pattern($1_screen_t, screen_dir_t, screen_var_run_t)
manage_dirs_pattern($1_screen_t, screen_dir_t, screen_dir_t)
@@ -4422,9 +4531,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ manage_lnk_files_pattern($1,screen_var_run_t,screen_var_run_t)
+ manage_fifo_files_pattern($1,screen_var_run_t,screen_var_run_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.6.27/policy/modules/apps/vmware.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.6.28/policy/modules/apps/vmware.fc
--- nsaserefpolicy/policy/modules/apps/vmware.fc 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/vmware.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/vmware.fc 2009-08-18 13:23:29.000000000 -0400
@@ -18,6 +18,7 @@
/usr/bin/vmnet-natd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmnet-netifup -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
@@ -4433,9 +4542,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-ping -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
/usr/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.27/policy/modules/apps/vmware.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.28/policy/modules/apps/vmware.te
--- nsaserefpolicy/policy/modules/apps/vmware.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/vmware.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/vmware.te 2009-08-18 13:23:29.000000000 -0400
@@ -157,6 +157,7 @@
optional_policy(`
xserver_read_tmp_files(vmware_host_t)
@@ -4444,9 +4553,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
ifdef(`TODO',`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-3.6.27/policy/modules/apps/webalizer.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-3.6.28/policy/modules/apps/webalizer.te
--- nsaserefpolicy/policy/modules/apps/webalizer.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/webalizer.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/webalizer.te 2009-08-18 13:23:29.000000000 -0400
@@ -69,7 +69,6 @@
fs_search_auto_mountpoints(webalizer_t)
fs_getattr_xattr_fs(webalizer_t)
@@ -4455,9 +4564,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files(webalizer_t)
files_read_etc_runtime_files(webalizer_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.6.27/policy/modules/apps/wine.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.6.28/policy/modules/apps/wine.fc
--- nsaserefpolicy/policy/modules/apps/wine.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/wine.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/wine.fc 2009-08-18 13:23:29.000000000 -0400
@@ -1,4 +1,21 @@
-/usr/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
@@ -4483,9 +4592,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-/opt/cxoffice/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
-/opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.27/policy/modules/apps/wine.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.28/policy/modules/apps/wine.if
--- nsaserefpolicy/policy/modules/apps/wine.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/wine.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/wine.if 2009-08-18 13:23:29.000000000 -0400
@@ -43,3 +43,63 @@
wine_domtrans($1)
role $2 types wine_t;
@@ -4550,9 +4659,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ relabel_lnk_files_pattern($2, wine_home_t, wine_home_t)
+
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.27/policy/modules/apps/wine.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.28/policy/modules/apps/wine.te
--- nsaserefpolicy/policy/modules/apps/wine.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/wine.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/wine.te 2009-08-18 13:23:29.000000000 -0400
@@ -9,20 +9,35 @@
type wine_t;
type wine_exec_t;
@@ -4593,9 +4702,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ xserver_common_app(wine_t)
+ xserver_rw_shm(wine_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.27/policy/modules/kernel/corecommands.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.28/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-07-30 13:09:10.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/corecommands.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/corecommands.fc 2009-08-18 13:23:29.000000000 -0400
@@ -125,6 +125,7 @@
/sbin/.* gen_context(system_u:object_r:bin_t,s0)
/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
@@ -4636,9 +4745,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.27/policy/modules/kernel/corecommands.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.28/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/corecommands.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/corecommands.if 2009-08-18 13:23:29.000000000 -0400
@@ -893,6 +893,7 @@
read_lnk_files_pattern($1, bin_t, bin_t)
@@ -4647,9 +4756,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.27/policy/modules/kernel/corenetwork.te.in
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.28/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/corenetwork.te.in 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/corenetwork.te.in 2009-08-18 13:23:29.000000000 -0400
@@ -65,6 +65,7 @@
type server_packet_t, packet_type, server_packet_type;
@@ -4757,9 +4866,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# network_node examples:
#network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255)
#network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.27/policy/modules/kernel/devices.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.28/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/devices.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/devices.fc 2009-08-18 13:23:29.000000000 -0400
@@ -47,8 +47,10 @@
/dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
@@ -4788,9 +4897,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0)
/dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.27/policy/modules/kernel/devices.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.28/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/devices.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/devices.if 2009-08-18 13:23:29.000000000 -0400
@@ -1655,6 +1655,78 @@
########################################
@@ -4983,9 +5092,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read and write Xen devices.
## </summary>
## <param name="domain">
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.27/policy/modules/kernel/devices.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.28/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/devices.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/devices.te 2009-08-18 13:23:29.000000000 -0400
@@ -84,6 +84,13 @@
dev_node(kmsg_device_t)
@@ -5026,9 +5135,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type xen_device_t;
dev_node(xen_device_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.27/policy/modules/kernel/domain.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.28/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/domain.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/domain.if 2009-08-18 13:23:29.000000000 -0400
@@ -44,34 +44,6 @@
interface(`domain_type',`
# start with basic domain
@@ -5209,9 +5318,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1 unconfined_domain_type:process signal;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.27/policy/modules/kernel/domain.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.28/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/domain.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/domain.te 2009-08-18 13:39:39.000000000 -0400
@@ -1,10 +1,17 @@
-policy_module(domain, 1.7.0)
@@ -5287,7 +5396,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
-@@ -153,3 +174,67 @@
+@@ -153,3 +174,69 @@
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -5302,6 +5411,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+init_signull(domain)
+
+ifdef(`distro_redhat',`
++ files_search_mnt(domain)
++ files_search_default(domain)
+ optional_policy(`
+ unconfined_use_fds(domain)
+ ')
@@ -5355,9 +5466,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ userdom_relabelto_user_home_dirs(polydomain)
+ userdom_relabelto_user_home_files(polydomain)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.27/policy/modules/kernel/files.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.28/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/files.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/files.fc 2009-08-18 13:23:29.000000000 -0400
@@ -18,6 +18,7 @@
/fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
/halt -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -5375,9 +5486,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.27/policy/modules/kernel/files.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.28/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/files.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/files.if 2009-08-18 13:38:01.000000000 -0400
@@ -110,6 +110,11 @@
## </param>
#
@@ -5750,9 +5861,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ')
+ allow $1 file_type:file entrypoint;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.27/policy/modules/kernel/files.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.28/policy/modules/kernel/files.te
--- nsaserefpolicy/policy/modules/kernel/files.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/files.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/files.te 2009-08-18 13:23:29.000000000 -0400
@@ -42,6 +42,7 @@
#
type boot_t;
@@ -5780,15 +5891,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.6.27/policy/modules/kernel/filesystem.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.6.28/policy/modules/kernel/filesystem.fc
--- nsaserefpolicy/policy/modules/kernel/filesystem.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/filesystem.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/filesystem.fc 2009-08-18 13:23:29.000000000 -0400
@@ -1 +1 @@
-# This module currently does not have any file contexts.
+/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.27/policy/modules/kernel/filesystem.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.28/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/filesystem.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/filesystem.if 2009-08-18 18:27:42.000000000 -0400
@@ -1537,6 +1537,24 @@
########################################
@@ -5839,7 +5950,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read and write NFS server files.
## </summary>
## <param name="domain">
-@@ -3971,3 +4007,23 @@
+@@ -3971,3 +4007,122 @@
relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
')
@@ -5863,9 +5974,108 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ dontaudit $1 cifs_t:dir list_dir_perms;
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.6.27/policy/modules/kernel/filesystem.te
++
++########################################
++## <summary>
++## Mount a XENFS filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_mount_xenfs',`
++ gen_require(`
++ type xenfs_t;
++ ')
++
++ allow $1 xenfs_t:filesystem mount;
++')
++
++########################################
++## <summary>
++## Create, read, write, and delete directories
++## on a XENFS filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`fs_manage_xenfs_dirs',`
++ gen_require(`
++ type xenfs_t;
++ ')
++
++ allow $1 xenfs_t:dir manage_dir_perms;
++')
++
++########################################
++## <summary>
++## Do not audit attempts to create, read,
++## write, and delete directories
++## on a XENFS filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`fs_dontaudit_manage_xenfs_dirs',`
++ gen_require(`
++ type xenfs_t;
++ ')
++
++ dontaudit $1 xenfs_t:dir manage_dir_perms;
++')
++
++########################################
++## <summary>
++## Create, read, write, and delete files
++## on a XENFS filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`fs_manage_xenfs_files',`
++ gen_require(`
++ type xenfs_t;
++ ')
++
++ manage_files_pattern($1, xenfs_t, xenfs_t)
++')
++
++########################################
++## <summary>
++## Do not audit attempts to create,
++## read, write, and delete files
++## on a XENFS filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`fs_dontaudit_manage_xenfs_files',`
++ gen_require(`
++ type xenfs_t;
++ ')
++
++ dontaudit $1 xenfs_t:file manage_file_perms;
++')
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.6.28/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/filesystem.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/filesystem.te 2009-08-18 18:24:23.000000000 -0400
@@ -93,7 +93,7 @@
type hugetlbfs_t;
fs_type(hugetlbfs_t)
@@ -5875,9 +6085,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type ibmasmfs_t;
fs_type(ibmasmfs_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.27/policy/modules/kernel/kernel.if
+@@ -250,9 +250,13 @@
+ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+ genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
+ genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
+-genfscon xenfs / gen_context(system_u:object_r:nfs_t,s0)
+ genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
+
++type xenfs_t;
++fs_noxattr_type(xenfs_t)
++files_mountpoint(xenfs_t)
++genfscon xenfs / gen_context(system_u:object_r:xenfs_t,s0)
++
+ ########################################
+ #
+ # Rules for all filesystem types
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.28/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/kernel.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/kernel.if 2009-08-18 13:23:29.000000000 -0400
@@ -1807,7 +1807,7 @@
')
@@ -5935,9 +6160,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1 kernel_t:unix_stream_socket connectto;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.27/policy/modules/kernel/kernel.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.28/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/kernel.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/kernel.te 2009-08-18 13:23:29.000000000 -0400
@@ -63,6 +63,15 @@
genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
@@ -6019,9 +6244,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
+
+files_boot(kernel_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.27/policy/modules/kernel/selinux.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.28/policy/modules/kernel/selinux.if
--- nsaserefpolicy/policy/modules/kernel/selinux.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/selinux.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/selinux.if 2009-08-18 13:23:29.000000000 -0400
@@ -40,7 +40,7 @@
# because of this statement, any module which
@@ -6079,9 +6304,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ fs_type($1)
+ mls_trusted_object($1)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.6.27/policy/modules/kernel/terminal.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.6.28/policy/modules/kernel/terminal.fc
--- nsaserefpolicy/policy/modules/kernel/terminal.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/terminal.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/terminal.fc 2009-08-18 13:23:29.000000000 -0400
@@ -13,6 +13,7 @@
/dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0)
@@ -6090,9 +6315,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.27/policy/modules/kernel/terminal.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.28/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/terminal.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/terminal.if 2009-08-18 13:23:29.000000000 -0400
@@ -173,7 +173,7 @@
dev_list_all_dev_nodes($1)
@@ -6164,9 +6389,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
## <summary>
## Read and write the controlling
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-3.6.27/policy/modules/kernel/terminal.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-3.6.28/policy/modules/kernel/terminal.te
--- nsaserefpolicy/policy/modules/kernel/terminal.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/terminal.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/terminal.te 2009-08-18 13:23:29.000000000 -0400
@@ -44,6 +44,7 @@
type ptmx_t;
dev_node(ptmx_t)
@@ -6175,9 +6400,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#
# tty_device_t is the type of /dev/*tty*
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.27/policy/modules/roles/guest.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.28/policy/modules/roles/guest.te
--- nsaserefpolicy/policy/modules/roles/guest.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/roles/guest.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/roles/guest.te 2009-08-18 13:23:29.000000000 -0400
@@ -16,7 +16,11 @@
#
@@ -6192,9 +6417,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+gen_user(guest_u, user, guest_r, s0, s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.27/policy/modules/roles/staff.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.28/policy/modules/roles/staff.te
--- nsaserefpolicy/policy/modules/roles/staff.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/roles/staff.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/roles/staff.te 2009-08-18 13:23:29.000000000 -0400
@@ -15,156 +15,109 @@
# Local policy
#
@@ -6390,9 +6615,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- xserver_role(staff_r, staff_t)
+ virt_stream_connect(staff_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.27/policy/modules/roles/sysadm.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.28/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/roles/sysadm.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/roles/sysadm.te 2009-08-18 13:23:29.000000000 -0400
@@ -15,7 +15,7 @@
role sysadm_r;
@@ -6696,9 +6921,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+init_script_role_transition(sysadm_r)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.27/policy/modules/roles/unconfineduser.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.28/policy/modules/roles/unconfineduser.fc
--- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/roles/unconfineduser.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/roles/unconfineduser.fc 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,37 @@
+# Add programs here which should not be confined by SELinux
+# e.g.:
@@ -6737,9 +6962,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.6.27/policy/modules/roles/unconfineduser.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.6.28/policy/modules/roles/unconfineduser.if
--- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/roles/unconfineduser.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/roles/unconfineduser.if 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,638 @@
+## <summary>Unconfiend user role</summary>
+
@@ -7379,9 +7604,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1 unconfined_r;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.27/policy/modules/roles/unconfineduser.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.28/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/roles/unconfineduser.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/roles/unconfineduser.te 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,395 @@
+policy_module(unconfineduser, 1.0.0)
+
@@ -7778,9 +8003,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+#
+
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.27/policy/modules/roles/unprivuser.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.28/policy/modules/roles/unprivuser.te
--- nsaserefpolicy/policy/modules/roles/unprivuser.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/roles/unprivuser.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/roles/unprivuser.te 2009-08-18 13:23:29.000000000 -0400
@@ -14,142 +14,21 @@
userdom_unpriv_user_template(user)
@@ -7929,9 +8154,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- xserver_role(user_r, user_t)
+ setroubleshoot_dontaudit_stream_connect(user_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.27/policy/modules/roles/xguest.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.28/policy/modules/roles/xguest.te
--- nsaserefpolicy/policy/modules/roles/xguest.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/roles/xguest.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/roles/xguest.te 2009-08-18 13:23:29.000000000 -0400
@@ -36,11 +36,17 @@
# Local policy
#
@@ -7978,9 +8203,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-#gen_user(xguest_u,, xguest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.6.27/policy/modules/services/amavis.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.6.28/policy/modules/services/amavis.te
--- nsaserefpolicy/policy/modules/services/amavis.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/amavis.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/amavis.te 2009-08-18 13:23:29.000000000 -0400
@@ -103,6 +103,8 @@
kernel_dontaudit_read_proc_symlinks(amavis_t)
kernel_dontaudit_read_system_state(amavis_t)
@@ -7990,9 +8215,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# find perl
corecmd_exec_bin(amavis_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.27/policy/modules/services/apache.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.28/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/apache.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/apache.fc 2009-08-18 13:23:29.000000000 -0400
@@ -1,12 +1,13 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
+HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -8086,9 +8311,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.27/policy/modules/services/apache.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.28/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2009-07-28 15:51:13.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/apache.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/apache.if 2009-08-18 13:23:29.000000000 -0400
@@ -13,21 +13,16 @@
#
template(`apache_content_template',`
@@ -8588,9 +8813,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ')
+ typeattribute $1 httpd_rw_content;
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.27/policy/modules/services/apache.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.28/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/apache.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/apache.te 2009-08-18 13:23:29.000000000 -0400
@@ -19,6 +19,8 @@
# Declarations
#
@@ -9344,9 +9569,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.6.27/policy/modules/services/apm.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.6.28/policy/modules/services/apm.te
--- nsaserefpolicy/policy/modules/services/apm.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/apm.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/apm.te 2009-08-18 13:23:29.000000000 -0400
@@ -60,7 +60,7 @@
# mknod: controlling an orderly resume of PCMCIA requires creating device
# nodes 254,{0,1,2} for some reason.
@@ -9356,9 +9581,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow apmd_t self:process { signal_perms getsession };
allow apmd_t self:fifo_file rw_fifo_file_perms;
allow apmd_t self:unix_dgram_socket create_socket_perms;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.27/policy/modules/services/automount.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.28/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/automount.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/automount.te 2009-08-18 13:23:29.000000000 -0400
@@ -129,6 +129,7 @@
fs_unmount_autofs(automount_t)
fs_mount_autofs(automount_t)
@@ -9367,9 +9592,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
storage_rw_fuse(automount_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.27/policy/modules/services/bind.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.28/policy/modules/services/bind.if
--- nsaserefpolicy/policy/modules/services/bind.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/bind.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/bind.if 2009-08-18 13:23:29.000000000 -0400
@@ -287,6 +287,25 @@
########################################
@@ -9396,9 +9621,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## All of the rules required to administrate
## an bind environment
## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.27/policy/modules/services/bluetooth.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.28/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/bluetooth.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/bluetooth.te 2009-08-18 13:23:29.000000000 -0400
@@ -64,6 +64,7 @@
allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow bluetooth_t self:tcp_socket create_stream_socket_perms;
@@ -9426,9 +9651,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
pulseaudio_dbus_chat(bluetooth_t)
')
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.27/policy/modules/services/certmaster.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.28/policy/modules/services/certmaster.te
--- nsaserefpolicy/policy/modules/services/certmaster.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/certmaster.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/certmaster.te 2009-08-18 13:23:29.000000000 -0400
@@ -30,7 +30,7 @@
# certmaster local policy
#
@@ -9438,9 +9663,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow certmaster_t self:tcp_socket create_stream_socket_perms;
# config files
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.27/policy/modules/services/clamav.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.28/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/clamav.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/clamav.te 2009-08-18 13:23:29.000000000 -0400
@@ -117,9 +117,9 @@
logging_send_syslog_msg(clamd_t)
@@ -9475,9 +9700,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
apache_read_sys_content(clamscan_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.6.27/policy/modules/services/consolekit.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.6.28/policy/modules/services/consolekit.if
--- nsaserefpolicy/policy/modules/services/consolekit.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/consolekit.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/consolekit.if 2009-08-18 13:23:29.000000000 -0400
@@ -57,3 +57,42 @@
read_files_pattern($1, consolekit_log_t, consolekit_log_t)
files_search_pids($1)
@@ -9521,9 +9746,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.27/policy/modules/services/consolekit.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.28/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/consolekit.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/consolekit.te 2009-08-18 13:23:29.000000000 -0400
@@ -62,12 +62,15 @@
init_telinit(consolekit_t)
@@ -9582,9 +9807,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
unconfined_stream_connect(consolekit_t)
')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.6.27/policy/modules/services/courier.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.6.28/policy/modules/services/courier.if
--- nsaserefpolicy/policy/modules/services/courier.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/courier.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/courier.if 2009-08-18 13:23:29.000000000 -0400
@@ -179,6 +179,24 @@
########################################
@@ -9610,9 +9835,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read and write to courier spool pipes.
## </summary>
## <param name="domain">
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.6.27/policy/modules/services/courier.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.6.28/policy/modules/services/courier.te
--- nsaserefpolicy/policy/modules/services/courier.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/courier.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/courier.te 2009-08-18 13:23:29.000000000 -0400
@@ -10,6 +10,7 @@
type courier_etc_t;
@@ -9621,9 +9846,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
courier_domain_template(pcp)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.27/policy/modules/services/cron.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.28/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/cron.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/cron.fc 2009-08-18 13:23:29.000000000 -0400
@@ -1,3 +1,4 @@
+/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
@@ -9655,9 +9880,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
+
+/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.27/policy/modules/services/cron.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.28/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/cron.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/cron.if 2009-08-18 13:23:29.000000000 -0400
@@ -12,6 +12,10 @@
## </param>
#
@@ -9959,9 +10184,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ init_labeled_script_domtrans($1, crond_initrc_exec_t)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.27/policy/modules/services/cron.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.28/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/cron.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/cron.te 2009-08-18 13:23:29.000000000 -0400
@@ -38,6 +38,10 @@
type cron_var_lib_t;
files_type(cron_var_lib_t)
@@ -10167,8 +10392,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;
-@@ -284,7 +339,14 @@
- allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
+@@ -281,10 +336,17 @@
+
+ # This is to handle /var/lib/misc directory. Used currently
+ # by prelink var/lib files for cron
+-allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
++allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabelfrom relabelto };
files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
+allow system_cronjob_t cron_var_run_t:file manage_file_perms;
@@ -10177,7 +10406,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow system_cronjob_t system_cron_spool_t:file read_file_perms;
+
+# anacron forces the following
-+allow system_cronjob_t system_cron_spool_t:file { write setattr };
++manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
+
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
@@ -10331,9 +10560,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-
unconfined_domain(unconfined_cronjob_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.27/policy/modules/services/cups.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.28/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2009-07-28 15:51:13.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/cups.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/cups.fc 2009-08-18 13:23:29.000000000 -0400
@@ -13,10 +13,14 @@
/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
@@ -10349,7 +10578,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-@@ -52,6 +56,8 @@
+@@ -30,6 +34,7 @@
+ /usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+ /usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+
++/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+ /usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+
+ /usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0)
+@@ -52,6 +57,8 @@
/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -10358,7 +10595,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
-@@ -61,4 +67,10 @@
+@@ -61,4 +68,10 @@
/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
@@ -10369,9 +10606,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.27/policy/modules/services/cups.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.28/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/cups.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/cups.te 2009-08-18 13:23:29.000000000 -0400
@@ -23,6 +23,9 @@
type cupsd_initrc_exec_t;
init_script_file(cupsd_initrc_exec_t)
@@ -10417,7 +10654,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_read_config(cupsd_t)
sysnet_exec_ifconfig(cupsd_t)
-@@ -419,6 +429,10 @@
+@@ -327,7 +337,7 @@
+
+ allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
+ dontaudit cupsd_config_t self:capability sys_tty_config;
+-allow cupsd_config_t self:process signal_perms;
++allow cupsd_config_t self:process { getsched signal_perms };
+ allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
+ allow cupsd_config_t self:unix_stream_socket create_socket_perms;
+ allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
+@@ -419,12 +429,15 @@
')
optional_policy(`
@@ -10428,7 +10674,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
')
-@@ -542,6 +556,8 @@
+ optional_policy(`
+- dbus_system_bus_client(cupsd_config_t)
+- dbus_connect_system_bus(cupsd_config_t)
++ dbus_system_domain(cupsd_config_t, cupsd_config_exec_t)
+
+ optional_policy(`
+ hal_dbus_chat(cupsd_config_t)
+@@ -542,6 +555,8 @@
manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir })
@@ -10437,7 +10690,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_system_state(cups_pdf_t)
files_read_etc_files(cups_pdf_t)
-@@ -601,6 +617,9 @@
+@@ -601,6 +616,9 @@
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
files_search_etc(hplip_t)
@@ -10447,18 +10700,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.27/policy/modules/services/cvs.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.28/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/cvs.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/cvs.te 2009-08-18 13:23:29.000000000 -0400
@@ -112,4 +112,5 @@
read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.27/policy/modules/services/dbus.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.28/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/dbus.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/dbus.if 2009-08-18 13:23:29.000000000 -0400
@@ -42,8 +42,10 @@
gen_require(`
class dbus { send_msg acquire_svc };
@@ -10550,9 +10803,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## for service (acquire_svc).
## </summary>
## <param name="domain">
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.27/policy/modules/services/dbus.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.28/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/dbus.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/dbus.te 2009-08-18 13:23:29.000000000 -0400
@@ -86,6 +86,7 @@
dev_read_sysfs(system_dbusd_t)
@@ -10605,9 +10858,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
+allow session_bus_type dbusd_unconfined:dbus send_msg;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.27/policy/modules/services/dcc.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.28/policy/modules/services/dcc.te
--- nsaserefpolicy/policy/modules/services/dcc.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/dcc.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/dcc.te 2009-08-18 13:23:29.000000000 -0400
@@ -130,11 +130,13 @@
# Access files in /var/dcc. The map file can be updated
@@ -10634,9 +10887,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
spamassassin_read_spamd_tmp_files(dcc_client_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.if serefpolicy-3.6.27/policy/modules/services/ddclient.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.if serefpolicy-3.6.28/policy/modules/services/ddclient.if
--- nsaserefpolicy/policy/modules/services/ddclient.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/ddclient.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/ddclient.if 2009-08-18 13:23:29.000000000 -0400
@@ -21,6 +21,31 @@
########################################
@@ -10669,18 +10922,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## All of the rules required to administrate
## an ddclient environment
## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.27/policy/modules/services/devicekit.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.28/policy/modules/services/devicekit.fc
--- nsaserefpolicy/policy/modules/services/devicekit.fc 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/devicekit.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/devicekit.fc 2009-08-18 13:23:29.000000000 -0400
@@ -5,4 +5,4 @@
/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
-/var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.27/policy/modules/services/devicekit.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.28/policy/modules/services/devicekit.if
--- nsaserefpolicy/policy/modules/services/devicekit.if 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/devicekit.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/devicekit.if 2009-08-18 13:23:29.000000000 -0400
@@ -139,6 +139,26 @@
########################################
@@ -10717,9 +10970,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
allow $1 devicekit_t:process { ptrace signal_perms getattr };
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.27/policy/modules/services/devicekit.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.28/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/devicekit.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/devicekit.te 2009-08-18 13:23:29.000000000 -0400
@@ -36,12 +36,15 @@
manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
@@ -10893,9 +11146,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.27/policy/modules/services/dnsmasq.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.28/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/dnsmasq.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/dnsmasq.te 2009-08-18 13:23:29.000000000 -0400
@@ -83,6 +83,14 @@
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
@@ -10911,9 +11164,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole(dnsmasq_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.27/policy/modules/services/dovecot.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.28/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/dovecot.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/dovecot.te 2009-08-18 13:23:29.000000000 -0400
@@ -103,6 +103,7 @@
dev_read_urand(dovecot_t)
@@ -10938,9 +11191,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# dovecot deliver local policy
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.27/policy/modules/services/exim.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.28/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/exim.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/exim.te 2009-08-18 13:23:29.000000000 -0400
@@ -191,6 +191,10 @@
')
@@ -10952,9 +11205,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
spamassassin_exec(exim_t)
spamassassin_exec_client(exim_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.6.27/policy/modules/services/fetchmail.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.6.28/policy/modules/services/fetchmail.te
--- nsaserefpolicy/policy/modules/services/fetchmail.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/fetchmail.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/fetchmail.te 2009-08-18 13:23:29.000000000 -0400
@@ -47,6 +47,8 @@
kernel_read_proc_symlinks(fetchmail_t)
kernel_dontaudit_read_system_state(fetchmail_t)
@@ -10964,9 +11217,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(fetchmail_t)
corenet_all_recvfrom_netlabel(fetchmail_t)
corenet_tcp_sendrecv_generic_if(fetchmail_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.27/policy/modules/services/fprintd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.28/policy/modules/services/fprintd.te
--- nsaserefpolicy/policy/modules/services/fprintd.te 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/fprintd.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/fprintd.te 2009-08-18 13:23:29.000000000 -0400
@@ -37,6 +37,8 @@
files_read_etc_files(fprintd_t)
files_read_usr_files(fprintd_t)
@@ -10984,9 +11237,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
policykit_domtrans_auth(fprintd_t)
')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.27/policy/modules/services/ftp.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.28/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/ftp.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/ftp.te 2009-08-18 13:23:29.000000000 -0400
@@ -41,6 +41,13 @@
## <desc>
@@ -11088,16 +11341,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole(ftpd_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.6.27/policy/modules/services/gnomeclock.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.6.28/policy/modules/services/gnomeclock.fc
--- nsaserefpolicy/policy/modules/services/gnomeclock.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/gnomeclock.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/gnomeclock.fc 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,3 @@
+
+/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.6.27/policy/modules/services/gnomeclock.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.6.28/policy/modules/services/gnomeclock.if
--- nsaserefpolicy/policy/modules/services/gnomeclock.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/gnomeclock.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/gnomeclock.if 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,69 @@
+
+## <summary>policy for gnomeclock</summary>
@@ -11168,9 +11421,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow $1 gnomeclock_t:dbus send_msg;
+ allow gnomeclock_t $1:dbus send_msg;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.6.27/policy/modules/services/gnomeclock.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.6.28/policy/modules/services/gnomeclock.te
--- nsaserefpolicy/policy/modules/services/gnomeclock.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/gnomeclock.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/gnomeclock.te 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,50 @@
+policy_module(gnomeclock, 1.0.0)
+########################################
@@ -11222,9 +11475,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ policykit_read_reload(gnomeclock_t)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.6.27/policy/modules/services/gpsd.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.6.28/policy/modules/services/gpsd.fc
--- nsaserefpolicy/policy/modules/services/gpsd.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/gpsd.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/gpsd.fc 2009-08-18 13:23:29.000000000 -0400
@@ -1 +1,6 @@
+/etc/rc\.d/init\.d/gpsd -- gen_context(system_u:object_r:gpsd_initrc_exec_t,s0)
+
@@ -11232,9 +11485,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+/var/run/gpsd\.pid -- gen_context(system_u:object_r:gpsd_var_run_t,s0)
+/var/run/gpsd\.sock -s gen_context(system_u:object_r:gpsd_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.if serefpolicy-3.6.27/policy/modules/services/gpsd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.if serefpolicy-3.6.28/policy/modules/services/gpsd.if
--- nsaserefpolicy/policy/modules/services/gpsd.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/gpsd.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/gpsd.if 2009-08-18 13:23:29.000000000 -0400
@@ -33,11 +33,6 @@
## The role to be allowed the gpsd domain.
## </summary>
@@ -11280,9 +11533,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
+ read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.6.27/policy/modules/services/gpsd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.6.28/policy/modules/services/gpsd.te
--- nsaserefpolicy/policy/modules/services/gpsd.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/gpsd.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/gpsd.te 2009-08-18 13:23:29.000000000 -0400
@@ -11,9 +11,15 @@
application_domain(gpsd_t, gpsd_exec_t)
init_daemon_domain(gpsd_t, gpsd_exec_t)
@@ -11317,9 +11570,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- ntpd_rw_shm(gpsd_t)
+ ntp_rw_shm(gpsd_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.6.27/policy/modules/services/hal.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.6.28/policy/modules/services/hal.fc
--- nsaserefpolicy/policy/modules/services/hal.fc 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/hal.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/hal.fc 2009-08-18 13:23:29.000000000 -0400
@@ -26,6 +26,7 @@
/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
/var/run/pm-utils(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
@@ -11328,9 +11581,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`distro_gentoo',`
/var/lib/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.27/policy/modules/services/hal.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.28/policy/modules/services/hal.if
--- nsaserefpolicy/policy/modules/services/hal.if 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/hal.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/hal.if 2009-08-18 13:23:29.000000000 -0400
@@ -413,3 +413,21 @@
files_search_pids($1)
manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
@@ -11353,9 +11606,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ dontaudit $1 hald_t:unix_dgram_socket { read write };
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.27/policy/modules/services/hal.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.28/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/hal.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/hal.te 2009-08-18 13:23:29.000000000 -0400
@@ -55,6 +55,9 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@@ -11499,17 +11752,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ dbus_system_bus_client(hald_dccm_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddtemp.fc serefpolicy-3.6.27/policy/modules/services/hddtemp.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddtemp.fc serefpolicy-3.6.28/policy/modules/services/hddtemp.fc
--- nsaserefpolicy/policy/modules/services/hddtemp.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/hddtemp.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/hddtemp.fc 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,4 @@
+
+/etc/rc\.d/init\.d/hddtemp -- gen_context(system_u:object_r:hddtemp_initrc_exec_t,s0)
+
+/usr/sbin/hddtemp -- gen_context(system_u:object_r:hddtemp_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddtemp.if serefpolicy-3.6.27/policy/modules/services/hddtemp.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddtemp.if serefpolicy-3.6.28/policy/modules/services/hddtemp.if
--- nsaserefpolicy/policy/modules/services/hddtemp.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/hddtemp.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/hddtemp.if 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,38 @@
+## <summary>hddtemp hard disk temperature tool running as a daemon</summary>
+
@@ -11549,9 +11802,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ can_exec($1, hddtemp_exec_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddtemp.te serefpolicy-3.6.27/policy/modules/services/hddtemp.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddtemp.te serefpolicy-3.6.28/policy/modules/services/hddtemp.te
--- nsaserefpolicy/policy/modules/services/hddtemp.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/hddtemp.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/hddtemp.te 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,40 @@
+policy_module(hddtemp,1.0.0)
+
@@ -11593,9 +11846,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+permissive hddtemp_t;
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.27/policy/modules/services/kerberos.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.28/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/kerberos.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/kerberos.te 2009-08-18 13:23:29.000000000 -0400
@@ -277,6 +277,8 @@
#
@@ -11635,9 +11888,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
sysnet_dns_name_resolve(kpropd_t)
kerberos_use(kpropd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.6.27/policy/modules/services/ktalk.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.6.28/policy/modules/services/ktalk.te
--- nsaserefpolicy/policy/modules/services/ktalk.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/ktalk.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/ktalk.te 2009-08-18 13:23:29.000000000 -0400
@@ -69,6 +69,7 @@
files_read_etc_files(ktalkd_t)
@@ -11646,9 +11899,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_use_nsswitch(ktalkd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.27/policy/modules/services/lircd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.28/policy/modules/services/lircd.te
--- nsaserefpolicy/policy/modules/services/lircd.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/lircd.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/lircd.te 2009-08-18 13:23:29.000000000 -0400
@@ -42,7 +42,18 @@
# /dev/lircd socket
manage_sock_files_pattern(lircd_t, lircd_sock_t, lircd_sock_t)
@@ -11668,9 +11921,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
miscfiles_read_localization(lircd_t)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.27/policy/modules/services/mailman.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.28/policy/modules/services/mailman.te
--- nsaserefpolicy/policy/modules/services/mailman.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/mailman.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/mailman.te 2009-08-18 13:23:29.000000000 -0400
@@ -78,6 +78,10 @@
mta_dontaudit_rw_queue(mailman_mail_t)
@@ -11682,9 +11935,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
cron_read_pipes(mailman_mail_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.6.27/policy/modules/services/memcached.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.6.28/policy/modules/services/memcached.te
--- nsaserefpolicy/policy/modules/services/memcached.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/memcached.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/memcached.te 2009-08-18 13:23:29.000000000 -0400
@@ -44,6 +44,8 @@
files_read_etc_files(memcached_t)
@@ -11694,15 +11947,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
miscfiles_read_localization(memcached_t)
sysnet_dns_name_resolve(memcached_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.fc serefpolicy-3.6.27/policy/modules/services/modemmanager.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.fc serefpolicy-3.6.28/policy/modules/services/modemmanager.fc
--- nsaserefpolicy/policy/modules/services/modemmanager.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/modemmanager.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/modemmanager.fc 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,2 @@
+
+/usr/sbin/modem-manager -- gen_context(system_u:object_r:ModemManager_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.if serefpolicy-3.6.27/policy/modules/services/modemmanager.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.if serefpolicy-3.6.28/policy/modules/services/modemmanager.if
--- nsaserefpolicy/policy/modules/services/modemmanager.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/modemmanager.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/modemmanager.if 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,43 @@
+
+## <summary>policy for ModemManager</summary>
@@ -11747,9 +12000,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow $1 ModemManager_t:dbus send_msg;
+ allow ModemManager_t $1:dbus send_msg;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.6.27/policy/modules/services/modemmanager.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.6.28/policy/modules/services/modemmanager.te
--- nsaserefpolicy/policy/modules/services/modemmanager.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/modemmanager.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/modemmanager.te 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,46 @@
+policy_module(ModemManager,1.0.0)
+
@@ -11797,18 +12050,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+permissive ModemManager_t;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.27/policy/modules/services/mta.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.28/policy/modules/services/mta.fc
--- nsaserefpolicy/policy/modules/services/mta.fc 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/mta.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/mta.fc 2009-08-18 13:23:29.000000000 -0400
@@ -26,3 +26,5 @@
/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
+/root/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.27/policy/modules/services/mta.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.28/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/mta.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/mta.if 2009-08-18 13:23:29.000000000 -0400
@@ -311,6 +311,7 @@
allow $1 mail_spool_t:dir list_dir_perms;
create_files_pattern($1, mail_spool_t, mail_spool_t)
@@ -11842,9 +12095,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.27/policy/modules/services/mta.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.28/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/mta.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/mta.te 2009-08-18 13:23:29.000000000 -0400
@@ -27,6 +27,9 @@
type mail_spool_t;
files_mountpoint(mail_spool_t)
@@ -11958,9 +12211,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# User send mail local policy
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.6.27/policy/modules/services/munin.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.6.28/policy/modules/services/munin.fc
--- nsaserefpolicy/policy/modules/services/munin.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/munin.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/munin.fc 2009-08-18 13:23:29.000000000 -0400
@@ -9,3 +9,6 @@
/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
@@ -11968,9 +12221,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
+/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.27/policy/modules/services/munin.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.28/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/munin.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/munin.te 2009-08-18 13:23:29.000000000 -0400
@@ -33,7 +33,7 @@
# Local policy
#
@@ -11988,9 +12241,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.27/policy/modules/services/mysql.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.28/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/mysql.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/mysql.te 2009-08-18 13:23:29.000000000 -0400
@@ -136,7 +136,12 @@
domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
@@ -12013,9 +12266,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
mysql_read_config(mysqld_safe_t)
mysql_search_pid_files(mysqld_safe_t)
mysql_write_log(mysqld_safe_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.27/policy/modules/services/nagios.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.28/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/nagios.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/nagios.fc 2009-08-18 13:23:29.000000000 -0400
@@ -1,16 +1,21 @@
/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
@@ -12041,9 +12294,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
+/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.27/policy/modules/services/nagios.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.28/policy/modules/services/nagios.if
--- nsaserefpolicy/policy/modules/services/nagios.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/nagios.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/nagios.if 2009-08-18 13:23:29.000000000 -0400
@@ -64,7 +64,7 @@
########################################
@@ -12143,9 +12396,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ admin_pattern($1, nrpe_etc_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.27/policy/modules/services/nagios.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.28/policy/modules/services/nagios.te
--- nsaserefpolicy/policy/modules/services/nagios.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/nagios.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/nagios.te 2009-08-18 13:23:29.000000000 -0400
@@ -10,13 +10,12 @@
type nagios_exec_t;
init_daemon_domain(nagios_t, nagios_exec_t)
@@ -12241,9 +12494,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.27/policy/modules/services/networkmanager.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.28/policy/modules/services/networkmanager.fc
--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/networkmanager.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/networkmanager.fc 2009-08-18 13:23:29.000000000 -0400
@@ -1,12 +1,25 @@
+/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t, s0)
+/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
@@ -12270,9 +12523,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.27/policy/modules/services/networkmanager.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.28/policy/modules/services/networkmanager.if
--- nsaserefpolicy/policy/modules/services/networkmanager.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/networkmanager.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/networkmanager.if 2009-08-18 13:23:29.000000000 -0400
@@ -118,6 +118,24 @@
########################################
@@ -12329,9 +12582,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ role $2 types NetworkManager_t;
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.27/policy/modules/services/networkmanager.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.28/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/networkmanager.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/networkmanager.te 2009-08-18 13:23:29.000000000 -0400
@@ -19,6 +19,9 @@
type NetworkManager_tmp_t;
files_tmp_file(NetworkManager_tmp_t)
@@ -12569,9 +12822,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.6.27/policy/modules/services/nis.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.6.28/policy/modules/services/nis.fc
--- nsaserefpolicy/policy/modules/services/nis.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/nis.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/nis.fc 2009-08-18 13:23:29.000000000 -0400
@@ -1,4 +1,7 @@
-
+/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0)
@@ -12581,9 +12834,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0)
/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.6.27/policy/modules/services/nis.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.6.28/policy/modules/services/nis.if
--- nsaserefpolicy/policy/modules/services/nis.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/nis.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/nis.if 2009-08-18 13:23:29.000000000 -0400
@@ -28,7 +28,7 @@
type var_yp_t;
')
@@ -12725,9 +12978,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ role $2 types ypbind_t;
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.27/policy/modules/services/nis.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.28/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/nis.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/nis.te 2009-08-18 13:23:29.000000000 -0400
@@ -13,6 +13,9 @@
type ypbind_exec_t;
init_daemon_domain(ypbind_t, ypbind_exec_t)
@@ -12777,9 +13030,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_bind_all_rpc_ports(ypxfr_t)
corenet_udp_bind_all_rpc_ports(ypxfr_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.6.27/policy/modules/services/nscd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.6.28/policy/modules/services/nscd.if
--- nsaserefpolicy/policy/modules/services/nscd.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/nscd.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/nscd.if 2009-08-18 13:23:29.000000000 -0400
@@ -236,6 +236,24 @@
########################################
@@ -12805,9 +13058,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## All of the rules required to administrate
## an nscd environment
## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.6.27/policy/modules/services/nscd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.6.28/policy/modules/services/nscd.te
--- nsaserefpolicy/policy/modules/services/nscd.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/nscd.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/nscd.te 2009-08-18 13:23:29.000000000 -0400
@@ -65,6 +65,7 @@
fs_getattr_all_fs(nscd_t)
@@ -12837,17 +13090,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ samba_read_config(nscd_t)
+ samba_read_var_files(nscd_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.fc serefpolicy-3.6.27/policy/modules/services/nslcd.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.fc serefpolicy-3.6.28/policy/modules/services/nslcd.fc
--- nsaserefpolicy/policy/modules/services/nslcd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/nslcd.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/nslcd.fc 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,4 @@
+/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0)
+/etc/nss-ldapd.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0)
+/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
+/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.if serefpolicy-3.6.27/policy/modules/services/nslcd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.if serefpolicy-3.6.28/policy/modules/services/nslcd.if
--- nsaserefpolicy/policy/modules/services/nslcd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/nslcd.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/nslcd.if 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,142 @@
+
+## <summary>policy for nslcd</summary>
@@ -12991,9 +13244,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ nslcd_manage_var_run($1)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.te serefpolicy-3.6.27/policy/modules/services/nslcd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.te serefpolicy-3.6.28/policy/modules/services/nslcd.te
--- nsaserefpolicy/policy/modules/services/nslcd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/nslcd.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/nslcd.te 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,48 @@
+policy_module(nslcd,1.0.0)
+
@@ -13043,9 +13296,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+auth_use_nsswitch(nslcd_t)
+
+logging_send_syslog_msg(nslcd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.6.27/policy/modules/services/ntp.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.6.28/policy/modules/services/ntp.if
--- nsaserefpolicy/policy/modules/services/ntp.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/ntp.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/ntp.if 2009-08-18 13:23:29.000000000 -0400
@@ -37,6 +37,32 @@
########################################
@@ -13113,9 +13366,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## All of the rules required to administrate
## an ntp environment
## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.6.27/policy/modules/services/ntp.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.6.28/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/ntp.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/ntp.te 2009-08-18 13:23:29.000000000 -0400
@@ -41,10 +41,11 @@
# sys_resource and setrlimit is for locking memory
@@ -13154,9 +13407,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.6.27/policy/modules/services/nx.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.6.28/policy/modules/services/nx.te
--- nsaserefpolicy/policy/modules/services/nx.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/nx.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/nx.te 2009-08-18 13:23:29.000000000 -0400
@@ -25,6 +25,9 @@
type nx_server_var_run_t;
files_pid_file(nx_server_var_run_t)
@@ -13177,9 +13430,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_system_state(nx_server_t)
kernel_read_kernel_sysctls(nx_server_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.6.27/policy/modules/services/oddjob.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.6.28/policy/modules/services/oddjob.if
--- nsaserefpolicy/policy/modules/services/oddjob.if 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/oddjob.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/oddjob.if 2009-08-18 13:23:29.000000000 -0400
@@ -44,6 +44,7 @@
')
@@ -13188,9 +13441,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.27/policy/modules/services/openvpn.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.28/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/openvpn.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/openvpn.te 2009-08-18 13:23:29.000000000 -0400
@@ -86,6 +86,7 @@
corenet_udp_bind_openvpn_port(openvpn_t)
corenet_tcp_connect_openvpn_port(openvpn_t)
@@ -13216,9 +13469,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
daemontools_service_domain(openvpn_t, openvpn_exec_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.27/policy/modules/services/pcscd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.28/policy/modules/services/pcscd.te
--- nsaserefpolicy/policy/modules/services/pcscd.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/pcscd.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/pcscd.te 2009-08-18 13:23:29.000000000 -0400
@@ -29,6 +29,7 @@
manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
@@ -13236,9 +13489,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
term_use_unallocated_ttys(pcscd_t)
term_dontaudit_getattr_pty_dirs(pcscd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.6.27/policy/modules/services/pegasus.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.6.28/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/pegasus.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/pegasus.te 2009-08-18 13:23:29.000000000 -0400
@@ -30,7 +30,7 @@
# Local policy
#
@@ -13310,10 +13563,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ xen_stream_connect(pegasus_t)
+ xen_stream_connect_xenstore(pegasus_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.6.27/policy/modules/services/policykit.fc
---- nsaserefpolicy/policy/modules/services/policykit.fc 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/policykit.fc 2009-08-14 16:51:06.000000000 -0400
-@@ -1,10 +1,13 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.6.28/policy/modules/services/policykit.fc
+--- nsaserefpolicy/policy/modules/services/policykit.fc 2009-08-18 11:41:14.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/policykit.fc 2009-08-18 13:23:29.000000000 -0400
+@@ -1,15 +1,13 @@
+-/usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+-/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
+-/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
+-/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+-
/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
@@ -13328,9 +13586,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.6.27/policy/modules/services/policykit.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.6.28/policy/modules/services/policykit.if
--- nsaserefpolicy/policy/modules/services/policykit.if 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/policykit.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/policykit.if 2009-08-18 13:23:29.000000000 -0400
@@ -17,6 +17,8 @@
class dbus send_msg;
')
@@ -13405,9 +13663,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1 policykit_auth_t:process signal;
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.27/policy/modules/services/policykit.te
---- nsaserefpolicy/policy/modules/services/policykit.te 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/policykit.te 2009-08-14 16:51:06.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.28/policy/modules/services/policykit.te
+--- nsaserefpolicy/policy/modules/services/policykit.te 2009-08-18 11:41:14.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/policykit.te 2009-08-18 13:23:29.000000000 -0400
@@ -38,9 +38,10 @@
allow policykit_t self:capability { setgid setuid };
@@ -13467,7 +13725,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
-@@ -95,7 +111,10 @@
+@@ -92,12 +108,13 @@
+ manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
+ files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
+
+-kernel_read_system_state(policykit_auth_t)
+-
files_read_etc_files(policykit_auth_t)
files_read_usr_files(policykit_auth_t)
@@ -13478,15 +13741,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(policykit_auth_t)
-@@ -104,6 +123,7 @@
+@@ -106,7 +123,7 @@
userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
optional_policy(`
+- dbus_system_bus_client(policykit_auth_t)
+ dbus_system_domain( policykit_auth_t, policykit_auth_exec_t)
dbus_session_bus_client(policykit_auth_t)
optional_policy(`
-@@ -116,6 +136,14 @@
+@@ -119,6 +136,14 @@
hal_read_state(policykit_auth_t)
')
@@ -13501,7 +13765,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# polkit_grant local policy
-@@ -123,7 +151,8 @@
+@@ -126,7 +151,8 @@
allow policykit_grant_t self:capability setuid;
allow policykit_grant_t self:process getattr;
@@ -13511,7 +13775,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
-@@ -153,9 +182,12 @@
+@@ -156,9 +182,12 @@
userdom_read_all_users_state(policykit_grant_t)
optional_policy(`
@@ -13525,7 +13789,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
consolekit_dbus_chat(policykit_grant_t)
')
')
-@@ -167,7 +199,8 @@
+@@ -170,7 +199,8 @@
allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
allow policykit_resolve_t self:process getattr;
@@ -13535,9 +13799,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.6.27/policy/modules/services/postfix.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.6.28/policy/modules/services/postfix.fc
--- nsaserefpolicy/policy/modules/services/postfix.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/postfix.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/postfix.fc 2009-08-18 13:23:29.000000000 -0400
@@ -29,12 +29,10 @@
/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
@@ -13551,9 +13815,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
/usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.27/policy/modules/services/postfix.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.28/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/postfix.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/postfix.if 2009-08-18 13:23:29.000000000 -0400
@@ -46,6 +46,7 @@
allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
@@ -13800,9 +14064,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ role $2 types postfix_postdrop_t;
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.27/policy/modules/services/postfix.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.28/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/postfix.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/postfix.te 2009-08-18 13:23:29.000000000 -0400
@@ -1,11 +1,20 @@
-policy_module(postfix, 1.11.0)
@@ -14188,9 +14452,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+userdom_manage_user_home_content(postfix_virtual_t)
+userdom_home_filetrans_user_home_dir(postfix_virtual_t)
+userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.6.27/policy/modules/services/postgresql.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.6.28/policy/modules/services/postgresql.fc
--- nsaserefpolicy/policy/modules/services/postgresql.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/postgresql.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/postgresql.fc 2009-08-18 13:23:29.000000000 -0400
@@ -2,6 +2,7 @@
# /etc
#
@@ -14199,9 +14463,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#
# /usr
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.6.27/policy/modules/services/postgresql.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.6.28/policy/modules/services/postgresql.if
--- nsaserefpolicy/policy/modules/services/postgresql.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/postgresql.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/postgresql.if 2009-08-18 13:23:29.000000000 -0400
@@ -384,3 +384,46 @@
typeattribute $1 sepgsql_unconfined_type;
@@ -14249,9 +14513,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ admin_pattern($1, postgresql_tmp_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.27/policy/modules/services/postgresql.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.28/policy/modules/services/postgresql.te
--- nsaserefpolicy/policy/modules/services/postgresql.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/postgresql.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/postgresql.te 2009-08-18 13:23:29.000000000 -0400
@@ -32,6 +32,9 @@
type postgresql_etc_t;
files_config_file(postgresql_etc_t)
@@ -14290,9 +14554,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
miscfiles_read_localization(postgresql_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.27/policy/modules/services/ppp.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.28/policy/modules/services/ppp.if
--- nsaserefpolicy/policy/modules/services/ppp.if 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/ppp.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/ppp.if 2009-08-18 13:23:29.000000000 -0400
@@ -177,10 +177,16 @@
interface(`ppp_run',`
gen_require(`
@@ -14310,9 +14574,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.27/policy/modules/services/ppp.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.28/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/ppp.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/ppp.te 2009-08-18 13:23:29.000000000 -0400
@@ -193,6 +193,8 @@
optional_policy(`
@@ -14337,9 +14601,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
hostname_exec(pptp_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.6.27/policy/modules/services/privoxy.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.6.28/policy/modules/services/privoxy.te
--- nsaserefpolicy/policy/modules/services/privoxy.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/privoxy.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/privoxy.te 2009-08-18 13:23:29.000000000 -0400
@@ -47,9 +47,8 @@
manage_files_pattern(privoxy_t, privoxy_var_run_t, privoxy_var_run_t)
files_pid_filetrans(privoxy_t, privoxy_var_run_t, file)
@@ -14351,9 +14615,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(privoxy_t)
corenet_all_recvfrom_netlabel(privoxy_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.27/policy/modules/services/procmail.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.28/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/procmail.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/procmail.te 2009-08-18 13:23:29.000000000 -0400
@@ -22,7 +22,7 @@
# Local policy
#
@@ -14401,9 +14665,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.27/policy/modules/services/pyzor.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.28/policy/modules/services/pyzor.fc
--- nsaserefpolicy/policy/modules/services/pyzor.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/pyzor.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/pyzor.fc 2009-08-18 13:23:29.000000000 -0400
@@ -1,6 +1,10 @@
/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
+/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0)
@@ -14415,9 +14679,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.6.27/policy/modules/services/pyzor.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.6.28/policy/modules/services/pyzor.if
--- nsaserefpolicy/policy/modules/services/pyzor.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/pyzor.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/pyzor.if 2009-08-18 13:23:29.000000000 -0400
@@ -88,3 +88,50 @@
corecmd_search_bin($1)
can_exec($1, pyzor_exec_t)
@@ -14469,9 +14733,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.27/policy/modules/services/pyzor.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.28/policy/modules/services/pyzor.te
--- nsaserefpolicy/policy/modules/services/pyzor.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/pyzor.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/pyzor.te 2009-08-18 13:23:29.000000000 -0400
@@ -1,11 +1,43 @@
-policy_module(pyzor, 2.1.0)
@@ -14542,17 +14806,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_dontaudit_search_user_home_dirs(pyzor_t)
optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.6.27/policy/modules/services/razor.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.6.28/policy/modules/services/razor.fc
--- nsaserefpolicy/policy/modules/services/razor.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/razor.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/razor.fc 2009-08-18 13:23:29.000000000 -0400
@@ -1,3 +1,4 @@
+/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.27/policy/modules/services/razor.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.28/policy/modules/services/razor.if
--- nsaserefpolicy/policy/modules/services/razor.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/razor.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/razor.if 2009-08-18 13:23:29.000000000 -0400
@@ -157,3 +157,45 @@
domtrans_pattern($1, razor_exec_t, razor_t)
@@ -14599,9 +14863,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.6.27/policy/modules/services/razor.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.6.28/policy/modules/services/razor.te
--- nsaserefpolicy/policy/modules/services/razor.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/razor.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/razor.te 2009-08-18 13:23:29.000000000 -0400
@@ -1,11 +1,37 @@
-policy_module(razor, 2.1.0)
@@ -14659,9 +14923,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.27/policy/modules/services/ricci.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.28/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/ricci.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/ricci.te 2009-08-18 13:23:29.000000000 -0400
@@ -264,6 +264,7 @@
allow ricci_modclusterd_t self:socket create_socket_perms;
@@ -14681,9 +14945,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
storage_raw_read_fixed_disk(ricci_modstorage_t)
term_dontaudit_use_console(ricci_modstorage_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.6.27/policy/modules/services/rpcbind.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.6.28/policy/modules/services/rpcbind.if
--- nsaserefpolicy/policy/modules/services/rpcbind.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/rpcbind.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/rpcbind.if 2009-08-18 13:23:29.000000000 -0400
@@ -97,6 +97,26 @@
########################################
@@ -14711,9 +14975,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## All of the rules required to administrate
## an rpcbind environment
## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.27/policy/modules/services/rpc.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.28/policy/modules/services/rpc.if
--- nsaserefpolicy/policy/modules/services/rpc.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/rpc.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/rpc.if 2009-08-18 13:23:29.000000000 -0400
@@ -54,7 +54,7 @@
allow $1_t self:unix_dgram_socket create_socket_perms;
allow $1_t self:unix_stream_socket create_stream_socket_perms;
@@ -14734,9 +14998,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole($1_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.27/policy/modules/services/rpc.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.28/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/rpc.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/rpc.te 2009-08-18 13:23:29.000000000 -0400
@@ -91,6 +91,8 @@
seutil_dontaudit_search_config(rpcd_t)
@@ -14784,9 +15048,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_use_nsswitch(gssd_t)
auth_manage_cache(gssd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.27/policy/modules/services/rsync.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.28/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/rsync.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/rsync.te 2009-08-18 13:23:29.000000000 -0400
@@ -8,6 +8,13 @@
## <desc>
@@ -14829,15 +15093,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
auth_can_read_shadow_passwords(rsync_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.fc serefpolicy-3.6.27/policy/modules/services/rtkit_daemon.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.fc serefpolicy-3.6.28/policy/modules/services/rtkit_daemon.fc
--- nsaserefpolicy/policy/modules/services/rtkit_daemon.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/rtkit_daemon.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/rtkit_daemon.fc 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,2 @@
+
+/usr/libexec/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.if serefpolicy-3.6.27/policy/modules/services/rtkit_daemon.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.if serefpolicy-3.6.28/policy/modules/services/rtkit_daemon.if
--- nsaserefpolicy/policy/modules/services/rtkit_daemon.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/rtkit_daemon.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/rtkit_daemon.if 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,64 @@
+
+## <summary>policy for rtkit_daemon</summary>
@@ -14903,9 +15167,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow rtkit_daemon_t $1:process { getsched setsched };
+ rtkit_daemon_dbus_chat($1)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.te serefpolicy-3.6.27/policy/modules/services/rtkit_daemon.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.te serefpolicy-3.6.28/policy/modules/services/rtkit_daemon.te
--- nsaserefpolicy/policy/modules/services/rtkit_daemon.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/rtkit_daemon.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/rtkit_daemon.te 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,38 @@
+policy_module(rtkit_daemon,1.0.0)
+
@@ -14945,9 +15209,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ policykit_dbus_chat(rtkit_daemon_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.27/policy/modules/services/samba.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.28/policy/modules/services/samba.fc
--- nsaserefpolicy/policy/modules/services/samba.fc 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/samba.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/samba.fc 2009-08-18 13:23:29.000000000 -0400
@@ -51,3 +51,7 @@
/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
@@ -14956,9 +15220,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ifndef(`enable_mls',`
+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.6.27/policy/modules/services/samba.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.6.28/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/samba.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/samba.if 2009-08-18 13:23:29.000000000 -0400
@@ -62,6 +62,25 @@
########################################
@@ -15131,9 +15395,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
admin_pattern($1, winbind_var_run_t)
+ admin_pattern($1, samba_unconfined_script_exec_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.27/policy/modules/services/samba.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.28/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/samba.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/samba.te 2009-08-18 13:23:29.000000000 -0400
@@ -66,6 +66,13 @@
## </desc>
gen_tunable(samba_share_nfs, false)
@@ -15341,9 +15605,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+',`
+ can_exec(smbd_t, samba_unconfined_script_exec_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.6.27/policy/modules/services/sasl.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.6.28/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/sasl.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/sasl.te 2009-08-18 13:25:10.000000000 -0400
@@ -31,7 +31,7 @@
# Local policy
#
@@ -15406,9 +15670,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole(saslauthd_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.27/policy/modules/services/sendmail.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.28/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/sendmail.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/sendmail.if 2009-08-18 13:23:29.000000000 -0400
@@ -59,20 +59,20 @@
########################################
@@ -15581,9 +15845,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1 sendmail_t:fifo_file rw_fifo_file_perms;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.27/policy/modules/services/sendmail.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.28/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/sendmail.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/sendmail.te 2009-08-18 13:23:29.000000000 -0400
@@ -20,13 +20,17 @@
mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t)
@@ -15759,18 +16023,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
-') dnl end TODO
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.6.27/policy/modules/services/setroubleshoot.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.6.28/policy/modules/services/setroubleshoot.fc
--- nsaserefpolicy/policy/modules/services/setroubleshoot.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/setroubleshoot.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/setroubleshoot.fc 2009-08-18 13:23:29.000000000 -0400
@@ -5,3 +5,5 @@
/var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0)
/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0)
+
+/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.6.27/policy/modules/services/setroubleshoot.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.6.28/policy/modules/services/setroubleshoot.if
--- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/setroubleshoot.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/setroubleshoot.if 2009-08-18 13:23:29.000000000 -0400
@@ -16,8 +16,8 @@
')
@@ -15847,9 +16111,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ files_list_pids($1)
+ admin_pattern($1, setroubleshoot_var_run_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.27/policy/modules/services/setroubleshoot.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.28/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/setroubleshoot.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/setroubleshoot.te 2009-08-18 13:23:29.000000000 -0400
@@ -22,13 +22,19 @@
type setroubleshoot_var_run_t;
files_pid_file(setroubleshoot_var_run_t)
@@ -15968,9 +16232,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+permissive setroubleshoot_fixit_t;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.fc serefpolicy-3.6.27/policy/modules/services/shorewall.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.fc serefpolicy-3.6.28/policy/modules/services/shorewall.fc
--- nsaserefpolicy/policy/modules/services/shorewall.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/shorewall.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/shorewall.fc 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,12 @@
+
+/etc/rc\.d/init\.d/shorewall -- gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
@@ -15984,9 +16248,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+/var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+/var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.if serefpolicy-3.6.27/policy/modules/services/shorewall.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.if serefpolicy-3.6.28/policy/modules/services/shorewall.if
--- nsaserefpolicy/policy/modules/services/shorewall.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/shorewall.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/shorewall.if 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,166 @@
+## <summary>policy for shorewall</summary>
+
@@ -16154,9 +16418,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ admin_pattern($1, shorewall_tmp_t)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.te serefpolicy-3.6.27/policy/modules/services/shorewall.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.te serefpolicy-3.6.28/policy/modules/services/shorewall.te
--- nsaserefpolicy/policy/modules/services/shorewall.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/shorewall.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/shorewall.te 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,95 @@
+policy_module(shorewall,1.0.0)
+
@@ -16253,9 +16517,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ ulogd_search_log(shorewall_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.27/policy/modules/services/smartmon.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.28/policy/modules/services/smartmon.te
--- nsaserefpolicy/policy/modules/services/smartmon.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/smartmon.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/smartmon.te 2009-08-18 13:23:29.000000000 -0400
@@ -19,6 +19,10 @@
type fsdaemon_tmp_t;
files_tmp_file(fsdaemon_tmp_t)
@@ -16313,9 +16577,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.27/policy/modules/services/spamassassin.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.28/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/spamassassin.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/spamassassin.fc 2009-08-18 13:23:29.000000000 -0400
@@ -1,15 +1,25 @@
-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
@@ -16342,11 +16606,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
-+/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
-+/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.27/policy/modules/services/spamassassin.if
++/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
++/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.28/policy/modules/services/spamassassin.if
--- nsaserefpolicy/policy/modules/services/spamassassin.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/spamassassin.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/spamassassin.if 2009-08-18 13:23:29.000000000 -0400
@@ -111,6 +111,7 @@
')
@@ -16380,7 +16644,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+#
+interface(`spamd_stream_connect',`
+ gen_require(`
-+ type spamd_t, spamd_var_run_t;
++ type spamd_t, spamd_var_run_t, spamd_spool_t;
+ ')
+
+ stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
@@ -16433,9 +16697,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ files_list_pids($1)
+ admin_pattern($1, spamd_var_run_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.27/policy/modules/services/spamassassin.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.28/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/spamassassin.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/spamassassin.te 2009-08-18 13:23:29.000000000 -0400
@@ -20,6 +20,35 @@
## </desc>
gen_tunable(spamd_enable_home_dirs, true)
@@ -16728,9 +16992,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
udev_read_db(spamd_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.27/policy/modules/services/squid.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.28/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/squid.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/squid.te 2009-08-18 13:23:29.000000000 -0400
@@ -118,6 +118,8 @@
fs_getattr_all_fs(squid_t)
@@ -16749,18 +17013,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-#squid requires the following when run in diskd mode, the recommended setting
-allow squid_t tmpfs_t:file { read write };
-') dnl end TODO
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.6.27/policy/modules/services/ssh.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.6.28/policy/modules/services/ssh.fc
--- nsaserefpolicy/policy/modules/services/ssh.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/ssh.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/ssh.fc 2009-08-18 13:23:29.000000000 -0400
@@ -14,3 +14,5 @@
/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
+
+/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.27/policy/modules/services/ssh.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.28/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/ssh.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/ssh.if 2009-08-18 13:23:29.000000000 -0400
@@ -36,6 +36,7 @@
gen_require(`
attribute ssh_server;
@@ -17061,9 +17325,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ read_lnk_files_pattern($1, home_ssh_t, home_ssh_t)
+ userdom_search_user_home_dirs($1)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.27/policy/modules/services/ssh.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.28/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/ssh.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/ssh.te 2009-08-18 13:23:29.000000000 -0400
@@ -41,6 +41,9 @@
files_tmp_file(sshd_tmp_t)
files_poly_parent(sshd_tmp_t)
@@ -17235,18 +17499,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole(ssh_keygen_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.27/policy/modules/services/sssd.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.28/policy/modules/services/sssd.fc
--- nsaserefpolicy/policy/modules/services/sssd.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/sssd.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/sssd.fc 2009-08-18 13:23:29.000000000 -0400
@@ -1,4 +1,4 @@
-/etc/rc.d/init.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.27/policy/modules/services/sssd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.28/policy/modules/services/sssd.if
--- nsaserefpolicy/policy/modules/services/sssd.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/sssd.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/sssd.if 2009-08-18 13:23:29.000000000 -0400
@@ -12,12 +12,32 @@
#
interface(`sssd_domtrans',`
@@ -17309,9 +17573,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Send and receive messages from
## sssd over dbus.
## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.6.27/policy/modules/services/sysstat.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.6.28/policy/modules/services/sysstat.te
--- nsaserefpolicy/policy/modules/services/sysstat.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/sysstat.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/sysstat.te 2009-08-18 13:23:29.000000000 -0400
@@ -19,7 +19,7 @@
# Local policy
#
@@ -17321,9 +17585,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dontaudit sysstat_t self:capability sys_admin;
allow sysstat_t self:fifo_file rw_fifo_file_perms;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.27/policy/modules/services/uucp.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.28/policy/modules/services/uucp.te
--- nsaserefpolicy/policy/modules/services/uucp.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/uucp.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/uucp.te 2009-08-18 13:23:29.000000000 -0400
@@ -95,6 +95,8 @@
files_search_home(uucpd_t)
files_search_spool(uucpd_t)
@@ -17341,9 +17605,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.27/policy/modules/services/virt.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.28/policy/modules/services/virt.fc
--- nsaserefpolicy/policy/modules/services/virt.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/virt.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/virt.fc 2009-08-18 13:23:29.000000000 -0400
@@ -8,5 +8,16 @@
/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
@@ -17361,9 +17625,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0)
+
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.27/policy/modules/services/virt.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.28/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/virt.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/virt.if 2009-08-18 13:23:29.000000000 -0400
@@ -103,7 +103,7 @@
########################################
@@ -17539,9 +17803,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ manage_files_pattern($1, svirt_cache_t, svirt_cache_t)
+ manage_lnk_files_pattern($1, svirt_cache_t, svirt_cache_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.27/policy/modules/services/virt.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.28/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/virt.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/virt.te 2009-08-18 13:23:29.000000000 -0400
@@ -20,6 +20,28 @@
## </desc>
gen_tunable(virt_use_samba, false)
@@ -17921,9 +18185,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ virt_read_content(virt_domain)
+ virt_stream_connect(virt_domain)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.6.27/policy/modules/services/w3c.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.6.28/policy/modules/services/w3c.te
--- nsaserefpolicy/policy/modules/services/w3c.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/w3c.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/w3c.te 2009-08-18 13:23:29.000000000 -0400
@@ -8,11 +8,18 @@
apache_content_template(w3c_validator)
@@ -17943,9 +18207,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.27/policy/modules/services/xserver.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.28/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/xserver.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/xserver.fc 2009-08-18 13:23:29.000000000 -0400
@@ -3,12 +3,17 @@
#
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
@@ -18017,9 +18281,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`distro_suse',`
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.27/policy/modules/services/xserver.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.28/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/xserver.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/xserver.if 2009-08-18 13:23:29.000000000 -0400
@@ -90,7 +90,7 @@
allow $2 xauth_home_t:file manage_file_perms;
allow $2 xauth_home_t:file { relabelfrom relabelto };
@@ -18713,9 +18977,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow xdm_t $1:dbus send_msg;
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.27/policy/modules/services/xserver.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.28/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/xserver.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/xserver.te 2009-08-18 13:23:29.000000000 -0400
@@ -34,6 +34,13 @@
## <desc>
@@ -19437,9 +19701,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-#
-allow xdm_t user_home_type:file unlink;
-') dnl end TODO
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.6.27/policy/modules/system/application.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.6.28/policy/modules/system/application.if
--- nsaserefpolicy/policy/modules/system/application.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/application.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/application.if 2009-08-18 13:23:29.000000000 -0400
@@ -2,7 +2,7 @@
########################################
@@ -19471,9 +19735,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1 application_domain_type:process signull;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.27/policy/modules/system/application.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.28/policy/modules/system/application.te
--- nsaserefpolicy/policy/modules/system/application.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/application.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/application.te 2009-08-18 13:23:29.000000000 -0400
@@ -7,7 +7,18 @@
# Executables to be run by user
attribute application_exec_type;
@@ -19493,9 +19757,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ sudo_sigchld(application_domain_type)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.6.27/policy/modules/system/authlogin.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.6.28/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/authlogin.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/authlogin.fc 2009-08-18 13:23:29.000000000 -0400
@@ -7,12 +7,10 @@
/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
@@ -19521,9 +19785,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.27/policy/modules/system/authlogin.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.28/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/authlogin.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/authlogin.if 2009-08-18 13:23:29.000000000 -0400
@@ -40,17 +40,76 @@
## </summary>
## </param>
@@ -19831,9 +20095,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.27/policy/modules/system/authlogin.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.28/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/authlogin.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/authlogin.te 2009-08-18 13:23:29.000000000 -0400
@@ -125,9 +125,18 @@
')
@@ -19925,9 +20189,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_use_interactive_fds(utempter_t)
logging_search_logs(utempter_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/clock.te serefpolicy-3.6.27/policy/modules/system/clock.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/clock.te serefpolicy-3.6.28/policy/modules/system/clock.te
--- nsaserefpolicy/policy/modules/system/clock.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/clock.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/clock.te 2009-08-18 13:23:29.000000000 -0400
@@ -38,10 +38,6 @@
dev_read_sysfs(hwclock_t)
dev_rw_realtime_clock(hwclock_t)
@@ -19950,9 +20214,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_audit_msgs(hwclock_t)
logging_send_syslog_msg(hwclock_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.27/policy/modules/system/fstools.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.28/policy/modules/system/fstools.fc
--- nsaserefpolicy/policy/modules/system/fstools.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/fstools.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/fstools.fc 2009-08-18 13:23:29.000000000 -0400
@@ -1,4 +1,3 @@
-/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -19966,9 +20230,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.6.27/policy/modules/system/fstools.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.6.28/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/fstools.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/fstools.te 2009-08-18 13:23:29.000000000 -0400
@@ -65,13 +65,7 @@
kernel_rw_unlabeled_dirs(fsadm_t)
kernel_rw_unlabeled_blk_files(fsadm_t)
@@ -20075,9 +20339,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ xen_rw_image_files(fsadm_t)
')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.6.27/policy/modules/system/getty.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.6.28/policy/modules/system/getty.te
--- nsaserefpolicy/policy/modules/system/getty.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/getty.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/getty.te 2009-08-18 13:23:29.000000000 -0400
@@ -59,16 +59,8 @@
kernel_list_proc(getty_t)
kernel_read_proc_symlinks(getty_t)
@@ -20110,9 +20374,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
init_rw_utmp(getty_t)
init_use_script_ptys(getty_t)
init_dontaudit_use_script_ptys(getty_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.6.27/policy/modules/system/hostname.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.6.28/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/hostname.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/hostname.te 2009-08-18 13:23:29.000000000 -0400
@@ -8,7 +8,9 @@
type hostname_t;
@@ -20162,9 +20426,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
unconfined_dontaudit_rw_pipes(hostname_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.27/policy/modules/system/init.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.28/policy/modules/system/init.fc
--- nsaserefpolicy/policy/modules/system/init.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/init.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/init.fc 2009-08-18 13:23:29.000000000 -0400
@@ -4,10 +4,10 @@
/etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
@@ -20187,9 +20451,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#
# /var
#
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.27/policy/modules/system/init.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.28/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/init.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/init.if 2009-08-18 13:23:29.000000000 -0400
@@ -174,6 +174,7 @@
role system_r types $1;
@@ -20427,9 +20691,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow $1 init_t:unix_dgram_socket sendto;
+ allow init_t $1:unix_dgram_socket sendto;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.27/policy/modules/system/init.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.28/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/init.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/init.te 2009-08-18 13:23:29.000000000 -0400
@@ -17,6 +17,20 @@
## </desc>
gen_tunable(init_upstart, false)
@@ -20931,18 +21195,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ fail2ban_read_lib_files(daemon)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.6.27/policy/modules/system/ipsec.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.6.28/policy/modules/system/ipsec.fc
--- nsaserefpolicy/policy/modules/system/ipsec.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/ipsec.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/ipsec.fc 2009-08-18 13:23:29.000000000 -0400
@@ -1,3 +1,5 @@
+/etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
+
/etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
/etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
/etc/racoon/psk\.txt -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.6.27/policy/modules/system/ipsec.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.6.28/policy/modules/system/ipsec.if
--- nsaserefpolicy/policy/modules/system/ipsec.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/ipsec.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/ipsec.if 2009-08-18 13:23:29.000000000 -0400
@@ -229,3 +229,28 @@
ipsec_domtrans_setkey($1)
role $2 types setkey_t;
@@ -20972,10 +21236,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ipsec_domtrans_racoon($1)
+ role $2 types racoon_t;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.27/policy/modules/system/ipsec.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.28/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/ipsec.te 2009-08-14 16:51:06.000000000 -0400
-@@ -15,6 +15,9 @@
++++ serefpolicy-3.6.28/policy/modules/system/ipsec.te 2009-08-18 13:42:27.000000000 -0400
+@@ -6,6 +6,13 @@
+ # Declarations
+ #
+
++## <desc>
++## <p>
++## Allow racoon to read shadow
++## </p>
++## </desc>
++gen_tunable(racoon_read_shadow, false)
++
+ type ipsec_t;
+ type ipsec_exec_t;
+ init_daemon_domain(ipsec_t, ipsec_exec_t)
+@@ -15,6 +22,9 @@
type ipsec_conf_file_t;
files_type(ipsec_conf_file_t)
@@ -20985,7 +21263,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# type for file(s) containing ipsec keys - RSA or preshared
type ipsec_key_file_t;
files_type(ipsec_key_file_t)
-@@ -53,21 +56,23 @@
+@@ -53,21 +63,23 @@
# ipsec Local policy
#
@@ -21012,7 +21290,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
-@@ -76,7 +81,7 @@
+@@ -76,7 +88,7 @@
can_exec(ipsec_t, ipsec_mgmt_exec_t)
@@ -21021,7 +21299,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# a shell script, we need to find a way to make things work without
# letting all sorts of stuff possibly be run...
# so try flipping back into the ipsec_mgmt_t domain
-@@ -95,9 +100,6 @@
+@@ -95,9 +107,6 @@
kernel_getattr_core_if(ipsec_t)
kernel_getattr_message_if(ipsec_t)
@@ -21031,7 +21309,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Pluto needs network access
corenet_all_recvfrom_unlabeled(ipsec_t)
corenet_tcp_sendrecv_all_if(ipsec_t)
-@@ -118,21 +120,26 @@
+@@ -118,21 +127,26 @@
dev_read_rand(ipsec_t)
dev_read_urand(ipsec_t)
@@ -21063,7 +21341,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(ipsec_t)
miscfiles_read_localization(ipsec_t)
-@@ -154,12 +161,12 @@
+@@ -154,12 +168,12 @@
#
allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
@@ -21078,7 +21356,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
-@@ -209,15 +216,21 @@
+@@ -209,15 +223,21 @@
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)
@@ -21103,7 +21381,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_use_interactive_fds(ipsec_mgmt_t)
# denials when ps tries to search /proc. Do not audit these denials.
domain_dontaudit_list_all_domains_state(ipsec_mgmt_t)
-@@ -232,12 +245,6 @@
+@@ -232,12 +252,6 @@
files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
files_dontaudit_getattr_default_files(ipsec_mgmt_t)
@@ -21116,15 +21394,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
init_use_script_ptys(ipsec_mgmt_t)
init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
-@@ -280,6 +287,7 @@
+@@ -280,6 +294,9 @@
allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms;
allow racoon_t self:key_socket create_socket_perms;
+allow racoon_t self:fifo_file rw_fifo_file_perms;
++
++can_exec(racoon_t, setkey_exec_t)
# manage pid file
manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
-@@ -297,6 +305,13 @@
+@@ -297,6 +314,13 @@
kernel_read_system_state(racoon_t)
kernel_read_network_state(racoon_t)
@@ -21138,7 +21418,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(racoon_t)
corenet_tcp_sendrecv_all_if(racoon_t)
corenet_udp_sendrecv_all_if(racoon_t)
-@@ -317,10 +332,10 @@
+@@ -314,13 +338,15 @@
+
+ files_read_etc_files(racoon_t)
+
++fs_dontaudit_getattr_xattr_fs(racoon_t)
++
# allow racoon to use avc_has_perm to check context on proposed SA
selinux_compute_access_vector(racoon_t)
@@ -21151,7 +21436,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
locallogin_use_fds(racoon_t)
logging_send_syslog_msg(racoon_t)
-@@ -347,6 +362,7 @@
+@@ -328,6 +354,11 @@
+
+ miscfiles_read_localization(racoon_t)
+
++auth_can_read_shadow_passwords(racoon_t)
++tunable_policy(`racoon_read_shadow',`
++ auth_tunable_read_shadow(racoon_t)
++')
++
+ ########################################
+ #
+ # Setkey local policy
+@@ -347,6 +378,7 @@
files_read_etc_files(setkey_t)
init_dontaudit_use_fds(setkey_t)
@@ -21159,9 +21456,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# allow setkey to set the context for ipsec SAs and policy.
ipsec_setcontext_default_spd(setkey_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.27/policy/modules/system/iptables.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.28/policy/modules/system/iptables.fc
--- nsaserefpolicy/policy/modules/system/iptables.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/iptables.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/iptables.fc 2009-08-18 13:23:29.000000000 -0400
@@ -1,9 +1,10 @@
-/sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
@@ -21178,9 +21475,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/var/lib/shorewall(/.*)? -- gen_context(system_u:object_r:iptables_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.27/policy/modules/system/iptables.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.28/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/iptables.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/iptables.te 2009-08-18 13:23:29.000000000 -0400
@@ -53,6 +53,7 @@
mls_file_read_all_levels(iptables_t)
@@ -21200,9 +21497,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rhgb_dontaudit_use_ptys(iptables_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-3.6.27/policy/modules/system/iscsi.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-3.6.28/policy/modules/system/iscsi.if
--- nsaserefpolicy/policy/modules/system/iscsi.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/iscsi.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/iscsi.if 2009-08-18 13:23:29.000000000 -0400
@@ -17,3 +17,43 @@
domtrans_pattern($1, iscsid_exec_t, iscsid_t)
@@ -21247,9 +21544,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ stream_connect_pattern($1,iscsi_var_lib_t,iscsi_var_lib_t,iscsid_t)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.27/policy/modules/system/iscsi.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.28/policy/modules/system/iscsi.te
--- nsaserefpolicy/policy/modules/system/iscsi.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/iscsi.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/iscsi.te 2009-08-18 13:23:29.000000000 -0400
@@ -55,6 +55,7 @@
files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
@@ -21273,9 +21570,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-sysnet_dns_name_resolve(iscsid_t)
+miscfiles_read_localization(iscsid_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.fc serefpolicy-3.6.27/policy/modules/system/kdump.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.fc serefpolicy-3.6.28/policy/modules/system/kdump.fc
--- nsaserefpolicy/policy/modules/system/kdump.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/system/kdump.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/kdump.fc 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,8 @@
+
+/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
@@ -21285,9 +21582,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+/etc/kdump\.conf -- gen_context(system_u:object_r:kdump_etc_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.if serefpolicy-3.6.27/policy/modules/system/kdump.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.if serefpolicy-3.6.28/policy/modules/system/kdump.if
--- nsaserefpolicy/policy/modules/system/kdump.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/system/kdump.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/kdump.if 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,111 @@
+## <summary>kdump is kernel crash dumping mechanism</summary>
+
@@ -21400,9 +21697,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ files_search_etc($1)
+ admin_pattern($1, kdump_etc_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.te serefpolicy-3.6.27/policy/modules/system/kdump.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.te serefpolicy-3.6.28/policy/modules/system/kdump.te
--- nsaserefpolicy/policy/modules/system/kdump.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/system/kdump.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/kdump.te 2009-08-18 13:23:29.000000000 -0400
@@ -0,0 +1,38 @@
+policy_module(kdump,1.0.0)
+
@@ -21442,9 +21739,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+permissive kdump_t;
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.27/policy/modules/system/libraries.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.28/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/libraries.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/libraries.fc 2009-08-18 13:23:29.000000000 -0400
@@ -60,12 +60,15 @@
#
# /opt
@@ -21725,9 +22022,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.6.27/policy/modules/system/libraries.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.6.28/policy/modules/system/libraries.if
--- nsaserefpolicy/policy/modules/system/libraries.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/libraries.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/libraries.if 2009-08-18 13:23:29.000000000 -0400
@@ -247,7 +247,7 @@
type lib_t;
')
@@ -21746,9 +22043,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow $1 lib_t:dir list_dir_perms;
read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.27/policy/modules/system/libraries.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.28/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/libraries.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/libraries.te 2009-08-18 13:23:29.000000000 -0400
@@ -58,11 +58,11 @@
# ldconfig local policy
#
@@ -21802,9 +22099,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ unconfined_domain(ldconfig_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.27/policy/modules/system/locallogin.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.28/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/locallogin.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/locallogin.te 2009-08-18 13:23:29.000000000 -0400
@@ -61,19 +61,13 @@
kernel_search_key(local_login_t)
kernel_link_key(local_login_t)
@@ -21955,9 +22252,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-optional_policy(`
- nscd_socket_use(sulogin_t)
-')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.27/policy/modules/system/logging.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.28/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/logging.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/logging.fc 2009-08-18 13:23:29.000000000 -0400
@@ -53,15 +53,18 @@
/var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0)
')
@@ -21981,9 +22278,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.27/policy/modules/system/logging.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.28/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/logging.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/logging.if 2009-08-18 13:23:29.000000000 -0400
@@ -623,7 +623,7 @@
')
@@ -22002,9 +22299,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.27/policy/modules/system/logging.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.28/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/logging.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/logging.te 2009-08-18 13:23:29.000000000 -0400
@@ -126,7 +126,7 @@
allow auditd_t self:process { signal_perms setpgid setsched };
allow auditd_t self:file rw_file_perms;
@@ -22097,9 +22394,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.27/policy/modules/system/lvm.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.28/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/lvm.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/lvm.te 2009-08-18 13:23:29.000000000 -0400
@@ -10,6 +10,9 @@
type clvmd_exec_t;
init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -22216,9 +22513,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
modutils_domtrans_insmod(lvm_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.27/policy/modules/system/miscfiles.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.28/policy/modules/system/miscfiles.if
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/miscfiles.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/miscfiles.if 2009-08-18 13:23:29.000000000 -0400
@@ -87,6 +87,25 @@
########################################
@@ -22245,9 +22542,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to write fonts.
## </summary>
## <param name="domain">
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.27/policy/modules/system/modutils.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.28/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/modutils.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/modutils.te 2009-08-18 13:23:29.000000000 -0400
@@ -39,59 +39,10 @@
########################################
@@ -22503,9 +22800,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(update_modules_t)
miscfiles_read_localization(update_modules_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.6.27/policy/modules/system/mount.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.6.28/policy/modules/system/mount.fc
--- nsaserefpolicy/policy/modules/system/mount.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/mount.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/mount.fc 2009-08-18 13:23:29.000000000 -0400
@@ -1,4 +1,9 @@
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
@@ -22517,9 +22814,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.27/policy/modules/system/mount.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.28/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/mount.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/mount.te 2009-08-18 13:23:29.000000000 -0400
@@ -18,8 +18,12 @@
init_system_domain(mount_t, mount_exec_t)
role system_r types mount_t;
@@ -22755,9 +23052,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ rpc_domtrans_rpcd(unconfined_mount_t)
')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/pcmcia.te serefpolicy-3.6.27/policy/modules/system/pcmcia.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/pcmcia.te serefpolicy-3.6.28/policy/modules/system/pcmcia.te
--- nsaserefpolicy/policy/modules/system/pcmcia.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/pcmcia.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/pcmcia.te 2009-08-18 13:23:29.000000000 -0400
@@ -51,7 +51,7 @@
kernel_read_kernel_sysctls(cardmgr_t)
kernel_dontaudit_getattr_message_if(cardmgr_t)
@@ -22805,9 +23102,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
libs_exec_ld_so(cardmgr_t)
libs_exec_lib_files(cardmgr_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.6.27/policy/modules/system/raid.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.6.28/policy/modules/system/raid.te
--- nsaserefpolicy/policy/modules/system/raid.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/raid.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/raid.te 2009-08-18 13:23:29.000000000 -0400
@@ -32,10 +32,6 @@
kernel_rw_software_raid_state(mdadm_t)
kernel_getattr_core_if(mdadm_t)
@@ -22856,9 +23153,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
init_dontaudit_getattr_initctl(mdadm_t)
logging_send_syslog_msg(mdadm_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.6.27/policy/modules/system/selinuxutil.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.6.28/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/selinuxutil.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/selinuxutil.fc 2009-08-18 13:23:29.000000000 -0400
@@ -6,13 +6,13 @@
/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
@@ -22897,9 +23194,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.27/policy/modules/system/selinuxutil.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.28/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/selinuxutil.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/selinuxutil.if 2009-08-18 13:23:29.000000000 -0400
@@ -535,6 +535,53 @@
########################################
@@ -23227,9 +23524,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ hotplug_use_fds($1)
+')
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.27/policy/modules/system/selinuxutil.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.28/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/selinuxutil.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/selinuxutil.te 2009-08-18 13:23:29.000000000 -0400
@@ -23,6 +23,9 @@
type selinux_config_t;
files_type(selinux_config_t)
@@ -23589,9 +23886,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- hotplug_use_fds(setfiles_t)
+ unconfined_domain(setfiles_mac_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.6.27/policy/modules/system/setrans.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.6.28/policy/modules/system/setrans.if
--- nsaserefpolicy/policy/modules/system/setrans.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/setrans.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/setrans.if 2009-08-18 13:23:29.000000000 -0400
@@ -21,3 +21,23 @@
stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, setrans_t)
files_list_pids($1)
@@ -23616,9 +23913,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ init_labeled_script_domtrans($1, setrans_initrc_exec_t)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.6.27/policy/modules/system/sysnetwork.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.6.28/policy/modules/system/sysnetwork.fc
--- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/sysnetwork.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/sysnetwork.fc 2009-08-18 13:23:29.000000000 -0400
@@ -11,15 +11,20 @@
/etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
@@ -23647,9 +23944,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
+
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.27/policy/modules/system/sysnetwork.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.28/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/sysnetwork.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/sysnetwork.if 2009-08-18 13:23:29.000000000 -0400
@@ -43,6 +43,39 @@
sysnet_domtrans_dhcpc($1)
@@ -23827,9 +24124,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ role_transition $1 dhcpc_exec_t system_r;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.27/policy/modules/system/sysnetwork.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.28/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/sysnetwork.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/sysnetwork.te 2009-08-18 13:23:29.000000000 -0400
@@ -20,6 +20,9 @@
init_daemon_domain(dhcpc_t, dhcpc_exec_t)
role system_r types dhcpc_t;
@@ -24075,9 +24372,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ hal_dontaudit_rw_dgram_sockets(dhcpc_t)
+ hal_dontaudit_rw_pipes(ifconfig_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.6.27/policy/modules/system/udev.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.6.28/policy/modules/system/udev.fc
--- nsaserefpolicy/policy/modules/system/udev.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/udev.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/udev.fc 2009-08-18 13:23:29.000000000 -0400
@@ -7,6 +7,9 @@
/etc/hotplug\.d/default/udev.* -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
@@ -24088,9 +24385,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.27/policy/modules/system/udev.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.28/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/udev.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/udev.te 2009-08-18 13:23:29.000000000 -0400
@@ -50,6 +50,7 @@
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -24200,9 +24497,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_write_xen_state(udev_t)
kernel_read_xen_state(udev_t)
xen_manage_log(udev_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.6.27/policy/modules/system/unconfined.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.6.28/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/unconfined.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/unconfined.fc 2009-08-18 13:23:29.000000000 -0400
@@ -1,16 +1 @@
# Add programs here which should not be confined by SELinux
-# e.g.:
@@ -24220,9 +24517,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-ifdef(`distro_gentoo',`
-/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.27/policy/modules/system/unconfined.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.28/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/unconfined.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/unconfined.if 2009-08-18 13:23:29.000000000 -0400
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@@ -24728,15 +25025,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-
- allow $1 unconfined_t:dbus acquire_svc;
-')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.27/policy/modules/system/unconfined.te
---- nsaserefpolicy/policy/modules/system/unconfined.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/unconfined.te 2009-08-14 16:51:06.000000000 -0400
-@@ -1,231 +1,9 @@
-
--policy_module(unconfined, 3.0.0)
-+policy_module(unconfined, 3.0.1)
-
- ########################################
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.28/policy/modules/system/unconfined.te
+--- nsaserefpolicy/policy/modules/system/unconfined.te 2009-08-18 11:41:14.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/unconfined.te 2009-08-18 13:23:29.000000000 -0400
+@@ -5,227 +5,5 @@
#
# Declarations
#
@@ -24859,7 +25151,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-')
-
-optional_policy(`
-- java_domtrans_unconfined(unconfined_t)
+- java_run_unconfined(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
@@ -24965,9 +25257,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- hal_dbus_chat(unconfined_execmem_t)
- ')
-')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.27/policy/modules/system/userdomain.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.28/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/userdomain.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/userdomain.fc 2009-08-18 13:23:29.000000000 -0400
@@ -1,4 +1,7 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
@@ -24977,9 +25269,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
+/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0)
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.27/policy/modules/system/userdomain.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.28/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/userdomain.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/userdomain.if 2009-08-18 13:23:29.000000000 -0400
@@ -30,8 +30,9 @@
')
@@ -26845,9 +27137,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow $1 user_home_dir_t:dir search_dir_perms;
+ files_search_home($1)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.27/policy/modules/system/userdomain.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.28/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/userdomain.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/userdomain.te 2009-08-18 13:23:29.000000000 -0400
@@ -8,13 +8,6 @@
## <desc>
@@ -26933,9 +27225,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+allow userdomain userdomain:process signull;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.6.27/policy/modules/system/xen.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.6.28/policy/modules/system/xen.fc
--- nsaserefpolicy/policy/modules/system/xen.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/xen.fc 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/xen.fc 2009-08-18 13:23:29.000000000 -0400
@@ -1,5 +1,7 @@
/dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0)
@@ -26963,9 +27255,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
/var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.6.27/policy/modules/system/xen.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.6.28/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/xen.if 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/xen.if 2009-08-18 13:23:29.000000000 -0400
@@ -71,6 +71,8 @@
')
@@ -27016,9 +27308,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow $1 xend_var_lib_t:dir search_dir_perms;
+ rw_files_pattern($1, xen_image_t, xen_image_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.27/policy/modules/system/xen.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.28/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/xen.te 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/xen.te 2009-08-18 18:28:36.000000000 -0400
@@ -1,11 +1,18 @@
-policy_module(xen, 1.9.0)
@@ -27248,7 +27540,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_runtime_files(xm_t)
files_read_usr_files(xm_t)
-@@ -339,15 +389,62 @@
+@@ -339,15 +389,69 @@
storage_raw_read_fixed_disk(xm_t)
@@ -27312,9 +27604,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+manage_files_pattern(evtchnd_t,evtchnd_var_run_t,evtchnd_var_run_t)
+manage_sock_files_pattern(evtchnd_t,evtchnd_var_run_t,evtchnd_var_run_t)
+files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.27/policy/support/obj_perm_sets.spt
++
++fs_manage_xenfs_dirs(xend_t)
++fs_manage_xenfs_files(xend_t)
++fs_manage_xenfs_dirs(xenstored_t)
++fs_manage_xenfs_files(xenstored_t)
++fs_manage_xenfs_dirs(xm_t)
++fs_manage_xenfs_files(xm_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.28/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/support/obj_perm_sets.spt 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/support/obj_perm_sets.spt 2009-08-18 13:23:29.000000000 -0400
@@ -201,7 +201,7 @@
define(`setattr_file_perms',`{ setattr }')
define(`read_file_perms',`{ getattr open read lock ioctl }')
@@ -27347,9 +27646,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
+
+define(`manage_key_perms', `{ create link read search setattr view write } ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.27/policy/users
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.28/policy/users
--- nsaserefpolicy/policy/users 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/users 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/users 2009-08-18 13:23:29.000000000 -0400
@@ -25,11 +25,8 @@
# permit any access to such users, then remove this entry.
#
@@ -27374,9 +27673,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-')
+gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.6.27/Rules.modular
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.6.28/Rules.modular
--- nsaserefpolicy/Rules.modular 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/Rules.modular 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/Rules.modular 2009-08-18 13:23:29.000000000 -0400
@@ -73,8 +73,8 @@
$(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
@echo "Compliling $(NAME) $(@F) module"
@@ -27406,15 +27705,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rul
$(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/divert.m4 serefpolicy-3.6.27/support/divert.m4
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/divert.m4 serefpolicy-3.6.28/support/divert.m4
--- nsaserefpolicy/support/divert.m4 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/support/divert.m4 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.28/support/divert.m4 1969-12-31 19:00:00.000000000 -0500
@@ -1 +0,0 @@
-divert(`-1')
\ No newline at end of file
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.6.27/support/Makefile.devel
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.6.28/support/Makefile.devel
--- nsaserefpolicy/support/Makefile.devel 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/support/Makefile.devel 2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/support/Makefile.devel 2009-08-18 13:23:29.000000000 -0400
@@ -185,8 +185,7 @@
tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te
@$(EINFO) "Compiling $(NAME) $(basename $(@F)) module"
@@ -27425,9 +27724,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/sup
$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
tmp/%.mod.fc: $(m4support) %.fc
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/undivert.m4 serefpolicy-3.6.27/support/undivert.m4
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/undivert.m4 serefpolicy-3.6.28/support/undivert.m4
--- nsaserefpolicy/support/undivert.m4 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/support/undivert.m4 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.28/support/undivert.m4 1969-12-31 19:00:00.000000000 -0500
@@ -1 +0,0 @@
-divert
\ No newline at end of file