diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index e42b66c..df05051 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -8,7 +8,7 @@ allow_execmod = false
# Allow making the stack executable via mprotect.Also requires allow_execmem.
#
-allow_execstack = true
+allow_execstack = false
# Allow ftpd to read cifs directories.
#
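Review bot: The flipped default `allow_execstack = false` carries no rationale, and the context comment above it only says what the boolean permits, so a reader cannot tell whether this is a deliberate hardening default or an accident. A line such as `# Default off: an executable stack weakens NX protection; enable per host only for legacy binaries that require it.` placed above the setting would record it. Only booleans-targeted.conf is touched here; if the minimum or MLS boolean files define the same boolean they presumably need the same change, but they are not in this diff.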
diff --git a/modules-minimum.conf b/modules-minimum.conf
index 6a94e6b..806f614 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -671,6 +671,20 @@ jabber = module
#
java = module
+# Layer: system
+# Module: kdump
+#
+# kdump is kernel crash dumping mechanism
+#
+kdump = module
+
+# Layer: apps
+# Module: kdumpgui
+#
+# system-config-kdump policy
+#
+kdumpgui = module
+
# Layer: services
# Module: kerberos
#
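Review bot: The comment `# kdump is kernel crash dumping mechanism` is missing an article; `# kdump is the kernel crash dumping mechanism` matches the register of the surrounding entries. The same block is added verbatim in the modules-mls.conf and modules-targeted.conf hunks, so the fix applies to all three. Because the kdumpgui policy elsewhere in this diff calls `kdump_manage_etc`, `kdump_domtrans` and `kdump_initrc_domtrans` outside any optional_policy block, the two entries have to stay in step: setting kdump to off while kdumpgui remains `module` would presumably break the policy build.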
diff --git a/modules-mls.conf b/modules-mls.conf
index d45f04a..0d7ee17 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -650,6 +650,20 @@ jabber = module
#
java = module
+# Layer: system
+# Module: kdump
+#
+# kdump is kernel crash dumping mechanism
+#
+kdump = module
+
+# Layer: apps
+# Module: kdumpgui
+#
+# system-config-kdump policy
+#
+kdumpgui = module
+
# Layer: services
# Module: kerberos
#
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 6a94e6b..806f614 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -671,6 +671,20 @@ jabber = module
#
java = module
+# Layer: system
+# Module: kdump
+#
+# kdump is kernel crash dumping mechanism
+#
+kdump = module
+
+# Layer: apps
+# Module: kdumpgui
+#
+# system-config-kdump policy
+#
+kdumpgui = module
+
# Layer: services
# Module: kerberos
#
diff --git a/policy-F12.patch b/policy-F12.patch
index bf1183c..bc49842 100644
--- a/policy-F12.patch
+++ b/policy-F12.patch
@@ -1922,6 +1922,86 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ')
+')
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.6.26/policy/modules/apps/kdumpgui.fc
+--- nsaserefpolicy/policy/modules/apps/kdumpgui.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.26/policy/modules/apps/kdumpgui.fc 2009-08-10 09:44:30.000000000 -0400
+@@ -0,0 +1,2 @@
++
++/usr/share/system-config-kdump/system-config-kdump-backend.py -- gen_context(system_u:object_r:kdumpgui_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.6.26/policy/modules/apps/kdumpgui.if
+--- nsaserefpolicy/policy/modules/apps/kdumpgui.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.26/policy/modules/apps/kdumpgui.if 2009-08-10 09:44:30.000000000 -0400
+@@ -0,0 +1,2 @@
++## system-config-kdump policy
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.6.26/policy/modules/apps/kdumpgui.te
+--- nsaserefpolicy/policy/modules/apps/kdumpgui.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.26/policy/modules/apps/kdumpgui.te 2009-08-10 09:44:30.000000000 -0400
+@@ -0,0 +1,64 @@
++policy_module(kdumpgui,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type kdumpgui_t;
++type kdumpgui_exec_t;
++
++dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
++
++######################################
++#
++# system-config-kdump local policy
++#
++
++allow kdumpgui_t self:capability { net_admin sys_rawio };
++allow kdumpgui_t self:fifo_file rw_fifo_file_perms;
++
++allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms;
++
++kdump_manage_etc(kdumpgui_t)
++kdump_domtrans(kdumpgui_t)
++kdump_initrc_domtrans(kdumpgui_t)
++
++corecmd_exec_bin(kdumpgui_t)
++corecmd_exec_shell(kdumpgui_t)
++consoletype_exec(kdumpgui_t)
++
++kernel_read_system_state(kdumpgui_t)
++kernel_read_network_state(kdumpgui_t)
++
++storage_raw_read_fixed_disk(kdumpgui_t)
++storage_raw_write_fixed_disk(kdumpgui_t)
++
++dev_dontaudit_getattr_all_chr_files(kdumpgui_t)
++dev_read_sysfs(kdumpgui_t)
++
++# for blkid.tab
++files_manage_etc_runtime_files(kdumpgui_t)
++files_etc_filetrans_etc_runtime(kdumpgui_t, file)
++
++files_manage_boot_files(kdumpgui_t)
++files_manage_boot_symlinks(kdumpgui_t)
++# Needed for running chkconfig
++files_manage_etc_symlinks(kdumpgui_t)
++
++auth_use_nsswitch(kdumpgui_t)
++
++miscfiles_read_localization(kdumpgui_t)
++
++dontaudit_init_read_all_script_files(kdumpgui_t)
++
++optional_policy(`
++ dev_rw_lvm_control(kdumpgui_t)
++')
++
++optional_policy(`
++ policykit_dbus_chat(kdumpgui_t)
++')
++
++permissive kdumpgui_t;
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.6.26/policy/modules/apps/livecd.fc
--- nsaserefpolicy/policy/modules/apps/livecd.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.26/policy/modules/apps/livecd.fc 2009-07-30 15:33:08.000000000 -0400
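Review bot: kdumpgui.te closes with `permissive kdumpgui_t;`, so every rule above it is advisory: the domain is granted `net_admin sys_rawio`, raw read and write of fixed disks and management of boot and etc files, and anything beyond that is logged rather than denied. That is a reasonable bring-up step, but it should be flagged for removal, e.g. `# TODO: drop once the domain has been exercised in enforcing mode` next to the `permissive` line. `net_admin` is unusual for a configuration backend; if it only mirrors an AVC seen while permissive, it is worth confirming that it is actually needed. The `dontaudit_init_read_all_script_files(kdumpgui_t)` call also sits uneasily with the `# Needed for running chkconfig` comment a few lines above it: if chkconfig has to parse the init scripts it manages, that read will fail silently once the domain is enforcing.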
@@ -4362,7 +4442,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.26/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/kernel/devices.if 2009-08-03 06:30:19.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/kernel/devices.if 2009-08-10 10:05:44.000000000 -0400
@@ -1655,6 +1655,78 @@
########################################
@@ -4944,7 +5024,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/nfs/rpc_pipefs(/.*)? <>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.26/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/kernel/files.if 2009-08-05 17:20:50.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/kernel/files.if 2009-08-10 11:51:27.000000000 -0400
@@ -110,6 +110,11 @@
##
#
@@ -5374,7 +5454,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.26/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/kernel/kernel.if 2009-08-07 07:36:43.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/kernel/kernel.if 2009-08-10 11:43:18.000000000 -0400
@@ -1807,7 +1807,7 @@
')
@@ -5880,7 +5960,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.26/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/roles/sysadm.te 2009-08-06 07:59:15.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/roles/sysadm.te 2009-08-10 10:28:13.000000000 -0400
@@ -15,7 +15,7 @@
role sysadm_r;
@@ -5890,7 +5970,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifndef(`enable_mls',`
userdom_security_admin_template(sysadm_t, sysadm_r)
-@@ -70,7 +70,6 @@
+@@ -35,6 +35,7 @@
+ ubac_fd_exempt(sysadm_t)
+
+ init_exec(sysadm_t)
++init_exec_script_files(sysadm_t)
+
+ # Add/remove user home directories
+ userdom_manage_user_home_dirs(sysadm_t)
+@@ -70,7 +71,6 @@
apache_run_helper(sysadm_t, sysadm_r)
#apache_run_all_scripts(sysadm_t, sysadm_r)
#apache_domtrans_sys_script(sysadm_t)
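Review bot: The new `init_exec_script_files(sysadm_t)` is added without a comment, and by the refpolicy naming convention an `_exec_` interface runs the file in the caller's domain, so, if I read it correctly, this lets sysadm_t run init scripts itself rather than through the initrc_t transition that `init_domtrans_script` provides. A line such as `# run init scripts directly in sysadm_t (no initrc_t transition)` above the call would record the intent. The interface itself is not defined anywhere in this diff, so its presence in init.if is assumed.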
@@ -5898,7 +5986,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -87,10 +86,6 @@
+@@ -87,10 +87,6 @@
')
optional_policy(`
@@ -5909,7 +5997,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
backup_run(sysadm_t, sysadm_r)
')
-@@ -99,18 +94,10 @@
+@@ -99,18 +95,10 @@
')
optional_policy(`
@@ -5928,7 +6016,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
certwatch_run(sysadm_t, sysadm_r)
')
-@@ -127,7 +114,7 @@
+@@ -127,7 +115,7 @@
')
optional_policy(`
@@ -5937,7 +6025,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -135,10 +122,6 @@
+@@ -135,10 +123,6 @@
')
optional_policy(`
@@ -5948,7 +6036,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dcc_run_cdcc(sysadm_t, sysadm_r)
dcc_run_client(sysadm_t, sysadm_r)
dcc_run_dbclean(sysadm_t, sysadm_r)
-@@ -166,10 +149,6 @@
+@@ -166,10 +150,6 @@
')
optional_policy(`
@@ -5959,7 +6047,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
firstboot_run(sysadm_t, sysadm_r)
')
-@@ -178,22 +157,6 @@
+@@ -178,22 +158,6 @@
')
optional_policy(`
@@ -5982,7 +6070,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
hostname_run(sysadm_t, sysadm_r)
')
-@@ -205,6 +168,8 @@
+@@ -205,6 +169,8 @@
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@@ -5991,7 +6079,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -212,11 +177,7 @@
+@@ -212,11 +178,7 @@
')
optional_policy(`
@@ -6004,7 +6092,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -228,10 +189,6 @@
+@@ -228,10 +190,6 @@
')
optional_policy(`
@@ -6015,7 +6103,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logrotate_run(sysadm_t, sysadm_r)
')
-@@ -255,14 +212,6 @@
+@@ -255,14 +213,6 @@
')
optional_policy(`
@@ -6030,7 +6118,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
mta_role(sysadm_r, sysadm_t)
')
-@@ -290,11 +239,6 @@
+@@ -290,11 +240,6 @@
')
optional_policy(`
@@ -6042,7 +6130,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
pcmcia_run_cardctl(sysadm_t, sysadm_r)
')
-@@ -308,7 +252,7 @@
+@@ -308,7 +253,7 @@
')
optional_policy(`
@@ -6051,7 +6139,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -320,10 +264,6 @@
+@@ -320,10 +265,6 @@
')
optional_policy(`
@@ -6062,7 +6150,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rpc_domtrans_nfsd(sysadm_t)
')
-@@ -332,10 +272,6 @@
+@@ -332,10 +273,6 @@
')
optional_policy(`
@@ -6073,7 +6161,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rsync_exec(sysadm_t)
')
-@@ -345,10 +281,6 @@
+@@ -345,10 +282,6 @@
')
optional_policy(`
@@ -6084,7 +6172,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
secadm_role_change(sysadm_r)
')
-@@ -358,35 +290,15 @@
+@@ -358,35 +291,15 @@
')
optional_policy(`
@@ -6120,7 +6208,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tripwire_run_siggen(sysadm_t, sysadm_r)
tripwire_run_tripwire(sysadm_t, sysadm_r)
tripwire_run_twadmin(sysadm_t, sysadm_r)
-@@ -394,18 +306,10 @@
+@@ -394,18 +307,10 @@
')
optional_policy(`
@@ -6139,7 +6227,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
unconfined_domtrans(sysadm_t)
')
-@@ -418,17 +322,13 @@
+@@ -418,17 +323,13 @@
')
optional_policy(`
@@ -6158,7 +6246,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -440,13 +340,12 @@
+@@ -440,13 +341,12 @@
')
optional_policy(`
@@ -7578,7 +7666,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.26/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2009-07-28 15:51:13.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/apache.if 2009-07-30 15:33:08.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/services/apache.if 2009-08-10 10:52:44.000000000 -0400
@@ -13,21 +13,16 @@
#
template(`apache_content_template',`
@@ -8967,7 +9055,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.6.26/policy/modules/services/consolekit.if
--- nsaserefpolicy/policy/modules/services/consolekit.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/consolekit.if 2009-07-30 15:33:08.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/services/consolekit.if 2009-08-10 13:11:45.000000000 -0400
@@ -57,3 +57,23 @@
read_files_pattern($1, consolekit_log_t, consolekit_log_t)
files_search_pids($1)
@@ -9786,19 +9874,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.26/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2009-07-28 15:51:13.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/cups.fc 2009-08-07 07:43:48.000000000 -0400
-@@ -13,7 +13,9 @@
++++ serefpolicy-3.6.26/policy/modules/services/cups.fc 2009-08-10 13:19:57.000000000 -0400
+@@ -13,10 +13,14 @@
/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
--/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0)
+/etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0)
+
-+/etc/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
+ /etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0)
/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-@@ -52,6 +54,8 @@
++/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
++
+ /opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+ /usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+@@ -52,6 +56,8 @@
/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
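Review bot: The fc hunk reverts `/etc/hp` to `hplip_etc_t` but adds no path labelled `hplip_var_lib_t`, so the `hplip_var_lib_t` type declared in cups.te and the manage rules hplip_t gets on it have nothing to attach to unless an entry such as a `/var/lib/hp(/.*)?` line exists elsewhere in the patch; that should be confirmed, and if absent the type is dead. The added `/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)` only takes effect if the udev domain has a transition to cupsd_config_t on that exec type; I do not see one in this diff, and without it the helper keeps running in udev's own domain.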
@@ -9807,7 +9899,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
-@@ -62,3 +67,8 @@
+@@ -62,3 +69,8 @@
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
@@ -9818,7 +9910,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.26/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2009-07-28 15:51:13.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/cups.te 2009-08-07 07:43:13.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/services/cups.te 2009-08-10 13:25:05.000000000 -0400
@@ -23,6 +23,9 @@
type cupsd_initrc_exec_t;
init_script_file(cupsd_initrc_exec_t)
@@ -9829,23 +9921,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type cupsd_rw_etc_t;
files_config_file(cupsd_rw_etc_t)
-@@ -64,12 +67,12 @@
+@@ -64,11 +67,14 @@
# For CUPS to run as a backend
cups_backend(hplip_t, hplip_exec_t)
--type hplip_etc_t;
--files_config_file(hplip_etc_t)
--
- type hplip_tmp_t;
- files_tmp_file(hplip_tmp_t)
++type hplip_tmp_t;
++files_tmp_file(hplip_tmp_t)
++
+ type hplip_etc_t;
+ files_config_file(hplip_etc_t)
-+type hplip_var_lib_t alias hplip_etc_t;
+-type hplip_tmp_t;
+-files_tmp_file(hplip_tmp_t)
++type hplip_var_lib_t;
+files_type(hplip_var_lib_t)
-+
+
type hplip_var_run_t;
files_pid_file(hplip_var_run_t)
-
-@@ -116,6 +119,9 @@
+@@ -116,6 +122,9 @@
read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
files_search_etc(cupsd_t)
@@ -9855,16 +9948,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
-@@ -146,7 +152,7 @@
-
- allow cupsd_t hplip_t:process { signal sigkill };
-
--read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
-+read_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t)
-
- allow cupsd_t hplip_var_run_t:file read_file_perms;
-
-@@ -250,6 +256,7 @@
+@@ -250,6 +259,7 @@
miscfiles_read_localization(cupsd_t)
# invoking ghostscript needs to read fonts
miscfiles_read_fonts(cupsd_t)
@@ -9872,16 +9956,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_read_config(cupsd_t)
sysnet_exec_ifconfig(cupsd_t)
-@@ -360,7 +367,7 @@
-
- domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
-
--read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
-+read_files_pattern(cupsd_config_t, hplip_var_lib_t, hplip_var_lib_t)
-
- kernel_read_system_state(cupsd_config_t)
- kernel_read_all_sysctls(cupsd_config_t)
-@@ -419,6 +426,10 @@
+@@ -419,6 +429,10 @@
')
optional_policy(`
@@ -9892,7 +9967,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
')
-@@ -542,6 +553,8 @@
+@@ -542,6 +556,8 @@
manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir })
@@ -9901,19 +9976,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_system_state(cups_pdf_t)
files_read_etc_files(cups_pdf_t)
-@@ -596,9 +609,9 @@
-
- cups_stream_connect(hplip_t)
-
--allow hplip_t hplip_etc_t:dir list_dir_perms;
--read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
--read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
-+allow hplip_t hplip_var_lib_t:dir list_dir_perms;
-+read_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
-+read_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+@@ -601,6 +617,9 @@
+ read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
files_search_etc(hplip_t)
++manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
++manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
++
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
+ files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.26/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/services/cvs.te 2009-07-30 15:33:08.000000000 -0400
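Review bot: The new `manage_files_pattern` and `manage_lnk_files_pattern` on `hplip_var_lib_t` are not paired with `manage_dirs_pattern`, so hplip_t can create and delete files under that type but not directories; if hplip creates subdirectories there, that will surface as a denial. There is also no `files_search_var_lib(hplip_t)` visible, which hplip_t would need to reach a /var/lib path at all unless it is already granted earlier in cups.te, which this hunk does not show. A short comment naming what hplip keeps under that type would make the rule reviewable later.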
@@ -10185,7 +10257,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow $1 devicekit_t:process { ptrace signal_perms getattr };
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.26/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/devicekit.te 2009-08-07 07:49:12.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/services/devicekit.te 2009-08-10 11:51:36.000000000 -0400
@@ -36,12 +36,15 @@
manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
@@ -10215,20 +10287,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
-@@ -72,6 +78,7 @@
+@@ -71,7 +77,9 @@
+ manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
++kernel_read_fs_sysctls(devicekit_disk_t)
kernel_read_software_raid_state(devicekit_disk_t)
+kernel_read_system_state(devicekit_disk_t)
kernel_setsched(devicekit_disk_t)
corecmd_exec_bin(devicekit_disk_t)
-@@ -79,21 +86,26 @@
+@@ -79,21 +87,30 @@
dev_rw_sysfs(devicekit_disk_t)
dev_read_urand(devicekit_disk_t)
dev_getattr_usbfs_dirs(devicekit_disk_t)
+dev_manage_generic_files(devicekit_disk_t)
++domain_read_all_domains_state(devicekit_disk_t)
++
++files_getattr_all_mountpoints(devicekit_disk_t)
++files_getattr_all_files(devicekit_disk_t)
files_manage_mnt_dirs(devicekit_disk_t)
files_read_etc_files(devicekit_disk_t)
files_read_etc_runtime_files(devicekit_disk_t)
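Review bot: `files_getattr_all_files(devicekit_disk_t)` and `domain_read_all_domains_state(devicekit_disk_t)` are broad grants, stat on every file type and /proc state of every domain, added without a comment naming the denial that motivated them, which makes them hard to narrow later. A why-comment on each, e.g. `# getattr on arbitrary files: <observed access - fill in>`, or a narrower interface if the access is really limited to mountpoints (which `files_getattr_all_mountpoints` on the line above already covers), would keep the domain's footprint explainable.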
@@ -10251,7 +10329,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_use_nsswitch(devicekit_disk_t)
miscfiles_read_localization(devicekit_disk_t)
-@@ -110,6 +122,7 @@
+@@ -110,6 +127,7 @@
')
optional_policy(`
@@ -10259,7 +10337,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
policykit_domtrans_auth(devicekit_disk_t)
policykit_read_lib(devicekit_disk_t)
policykit_read_reload(devicekit_disk_t)
-@@ -134,14 +147,28 @@
+@@ -134,14 +152,28 @@
udev_read_db(devicekit_disk_t)
')
@@ -10289,7 +10367,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
-@@ -151,6 +178,7 @@
+@@ -151,6 +183,7 @@
kernel_read_system_state(devicekit_power_t)
kernel_rw_hotplug_sysctls(devicekit_power_t)
kernel_rw_kernel_sysctl(devicekit_power_t)
@@ -10297,7 +10375,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_exec_bin(devicekit_power_t)
corecmd_exec_shell(devicekit_power_t)
-@@ -159,6 +187,7 @@
+@@ -159,6 +192,7 @@
domain_read_all_domains_state(devicekit_power_t)
@@ -10305,7 +10383,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_rw_generic_usb_dev(devicekit_power_t)
dev_rw_netcontrol(devicekit_power_t)
dev_rw_sysfs(devicekit_power_t)
-@@ -167,6 +196,8 @@
+@@ -167,6 +201,8 @@
files_read_etc_files(devicekit_power_t)
files_read_usr_files(devicekit_power_t)
@@ -10314,7 +10392,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
term_use_all_terms(devicekit_power_t)
auth_use_nsswitch(devicekit_power_t)
-@@ -180,8 +211,11 @@
+@@ -180,8 +216,11 @@
')
optional_policy(`
@@ -10327,7 +10405,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow devicekit_power_t devicekit_t:dbus send_msg;
optional_policy(`
-@@ -203,17 +237,23 @@
+@@ -203,17 +242,23 @@
optional_policy(`
hal_domtrans_mac(devicekit_power_t)
@@ -11677,7 +11755,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.26/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/networkmanager.te 2009-08-05 08:04:33.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/services/networkmanager.te 2009-08-10 11:32:36.000000000 -0400
@@ -19,6 +19,9 @@
type NetworkManager_tmp_t;
files_tmp_file(NetworkManager_tmp_t)
@@ -12734,7 +12812,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.26/policy/modules/services/policykit.te
--- nsaserefpolicy/policy/modules/services/policykit.te 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/policykit.te 2009-08-07 06:11:40.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/services/policykit.te 2009-08-10 10:24:17.000000000 -0400
@@ -38,9 +38,10 @@
allow policykit_t self:capability { setgid setuid };
@@ -12748,7 +12826,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
policykit_domtrans_auth(policykit_t)
-@@ -62,14 +63,25 @@
+@@ -62,13 +63,25 @@
files_read_etc_files(policykit_t)
files_read_usr_files(policykit_t)
@@ -12762,7 +12840,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+userdom_getattr_all_users(policykit_t)
userdom_read_all_users_state(policykit_t)
-
++userdom_dontaudit_search_admin_dir(policykit_t)
++
+optional_policy(`
+ dbus_system_domain(policykit_t, policykit_exec_t)
+
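Review bot: `userdom_dontaudit_search_admin_dir(policykit_t)` silences a denial instead of granting or removing the access, so if polkitd ever genuinely needs something under the admin home the failure becomes invisible; a one-line comment stating what triggers the search (presumably a path lookup polkitd does not actually need) would justify the dontaudit. Something like `# polkitd looks up paths under the admin home it does not need; silence rather than allow` is enough.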
@@ -12770,11 +12849,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ consolekit_dbus_chat(policykit_t)
+ ')
+')
-+
+
########################################
#
- # polkit_auth local policy
-@@ -77,12 +89,15 @@
+@@ -77,12 +90,15 @@
allow policykit_auth_t self:capability setgid;
allow policykit_auth_t self:process getattr;
@@ -12792,7 +12870,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
-@@ -95,7 +110,10 @@
+@@ -95,7 +111,10 @@
files_read_etc_files(policykit_auth_t)
files_read_usr_files(policykit_auth_t)
@@ -12803,7 +12881,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(policykit_auth_t)
-@@ -104,6 +122,7 @@
+@@ -104,6 +123,7 @@
userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
optional_policy(`
@@ -12811,7 +12889,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dbus_session_bus_client(policykit_auth_t)
optional_policy(`
-@@ -116,6 +135,13 @@
+@@ -116,6 +136,13 @@
hal_read_state(policykit_auth_t)
')
@@ -12825,7 +12903,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# polkit_grant local policy
-@@ -123,7 +149,8 @@
+@@ -123,7 +150,8 @@
allow policykit_grant_t self:capability setuid;
allow policykit_grant_t self:process getattr;
@@ -12835,7 +12913,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
-@@ -153,9 +180,12 @@
+@@ -153,9 +181,12 @@
userdom_read_all_users_state(policykit_grant_t)
optional_policy(`
@@ -12849,7 +12927,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
consolekit_dbus_chat(policykit_grant_t)
')
')
-@@ -167,7 +197,8 @@
+@@ -167,7 +198,8 @@
allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
allow policykit_resolve_t self:process getattr;
@@ -19231,7 +19309,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.26/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/system/init.if 2009-07-30 15:33:09.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/system/init.if 2009-08-10 10:27:53.000000000 -0400
@@ -174,6 +174,7 @@
role system_r types $1;
@@ -19318,7 +19396,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -646,19 +679,39 @@
+@@ -646,23 +679,43 @@
#
interface(`init_domtrans_script',`
gen_require(`
@@ -19339,11 +19417,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`enable_mls',`
- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
-+ ')
-+')
-+
-+########################################
-+##
+ ')
+ ')
+
+ ########################################
+ ##
+## Execute a file in a bin directory
+## in the initrc_t domain
+##
@@ -19356,13 +19434,42 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+interface(`init_bin_domtrans_spec',`
+ gen_require(`
+ type initrc_t;
- ')
++ ')
+
+ corecmd_bin_domtrans($1, initrc_t)
++')
++
++########################################
++##
+ ## Execute a init script in a specified domain.
+ ##
+ ##
+@@ -904,6 +957,24 @@
+ allow $1 init_script_file_type:file read_file_perms;
')
++#######################################
++##
++## Dontaudit read all init script files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dontaudit_init_read_all_script_files',`
++ gen_require(`
++ attribute init_script_file_type;
++ ')
++
++ dontaudit $1 init_script_file_type:file read_file_perms;
++')
++
########################################
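Review bot: The new interface `dontaudit_init_read_all_script_files` breaks the module-prefix naming convention every other interface in init.if follows (`init_domtrans_script`, `init_bin_domtrans_spec`, `init_domtrans_script`); the `interface(` line should declare `init_dontaudit_read_all_script_files`, with the caller in kdumpgui.te changed to `init_dontaudit_read_all_script_files(kdumpgui_t)` in the same commit. Without the prefix the interface is also invisible to anyone grepping `init_` to audit what the init module exports. The enclosing file section continues past this hunk.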
-@@ -1291,6 +1344,25 @@
+ ##
+ ## Execute all init scripts in the caller domain.
+@@ -1291,6 +1362,25 @@
########################################
##
@@ -19388,7 +19495,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Create files in a init script
## temporary data directory.
##
-@@ -1521,3 +1593,51 @@
+@@ -1521,3 +1611,51 @@
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -19442,7 +19549,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.26/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2009-07-30 09:44:08.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/system/init.te 2009-08-05 07:18:15.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/system/init.te 2009-08-10 13:12:20.000000000 -0400
@@ -17,6 +17,20 @@
##
gen_tunable(init_upstart, false)
@@ -19490,7 +19597,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# For /var/run/shutdown.pid.
allow init_t init_var_run_t:file manage_file_perms;
-@@ -167,6 +182,8 @@
+@@ -140,6 +155,7 @@
+ files_dontaudit_rw_root_files(init_t)
+ files_dontaudit_rw_root_chr_files(init_t)
+
++fs_list_inotifyfs(init_t)
+ # cjp: this may be related to /dev/log
+ fs_write_ramfs_sockets(init_t)
+
+@@ -167,6 +183,8 @@
miscfiles_read_localization(init_t)
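Review bot: `fs_list_inotifyfs(init_t)` is added without a why-comment, unlike the neighbouring `# cjp: this may be related to /dev/log` line; presumably upstart's inotify watches on its job directory need it, but that is an inference, so a comment such as `# init watches its configuration directory via inotify` should state the actual reason. The following hunk's `consolekit_read_log(init_t)` has the same gap, whereas the dovecot block right after it explains itself in three lines; each new allow rule for init_t, the parent of every service, deserves one sentence.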
@@ -19499,10 +19614,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
')
-@@ -189,6 +206,14 @@
+@@ -189,6 +207,18 @@
')
optional_policy(`
++ consolekit_read_log(init_t)
++')
++
++optional_policy(`
+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
+ # the directory. But we do not want to allow this.
@@ -19514,7 +19633,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
nscd_socket_use(init_t)
')
-@@ -202,9 +227,10 @@
+@@ -202,9 +232,10 @@
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -19526,7 +19645,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Allow IPC with self
allow initrc_t self:unix_dgram_socket create_socket_perms;
-@@ -217,7 +243,8 @@
+@@ -217,7 +248,8 @@
term_create_pty(initrc_t, initrc_devpts_t)
# Going to single user mode
@@ -19536,7 +19655,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
can_exec(initrc_t, init_script_file_type)
-@@ -230,10 +257,16 @@
+@@ -230,10 +262,16 @@
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -19555,7 +19674,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
init_write_initctl(initrc_t)
-@@ -249,8 +282,12 @@
+@@ -249,8 +287,12 @@
kernel_rw_all_sysctls(initrc_t)
# for lsof which is used by alsa shutdown:
kernel_dontaudit_getattr_message_if(initrc_t)
@@ -19568,7 +19687,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(initrc_t)
corenet_all_recvfrom_netlabel(initrc_t)
-@@ -270,17 +307,22 @@
+@@ -270,17 +312,22 @@
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
@@ -19592,7 +19711,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
fs_write_ramfs_pipes(initrc_t)
-@@ -328,7 +370,7 @@
+@@ -328,7 +375,7 @@
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -19601,7 +19720,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -343,14 +385,15 @@
+@@ -343,14 +390,15 @@
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -19619,7 +19738,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_exec_etc_files(initrc_t)
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
-@@ -366,7 +409,9 @@
+@@ -366,7 +414,9 @@
libs_rw_ld_so_cache(initrc_t)
libs_exec_lib_files(initrc_t)
@@ -19629,7 +19748,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(initrc_t)
logging_manage_generic_logs(initrc_t)
logging_read_all_logs(initrc_t)
-@@ -423,8 +468,6 @@
+@@ -423,8 +473,6 @@
# init scripts touch this
clock_dontaudit_write_adjtime(initrc_t)
@@ -19638,7 +19757,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# for integrated run_init to read run_init_type.
# happens during boot (/sbin/rc execs init scripts)
seutil_read_default_contexts(initrc_t)
-@@ -451,11 +494,9 @@
+@@ -451,11 +499,9 @@
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -19651,7 +19770,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# These seem to be from the initrd
# during device initialization:
dev_create_generic_dirs(initrc_t)
-@@ -465,6 +506,7 @@
+@@ -465,6 +511,7 @@
storage_raw_read_fixed_disk(initrc_t)
storage_raw_write_fixed_disk(initrc_t)
@@ -19659,7 +19778,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
# wants to read /.fonts directory
-@@ -498,6 +540,7 @@
+@@ -498,6 +545,7 @@
optional_policy(`
#for /etc/rc.d/init.d/nfs to create /etc/exports
rpc_write_exports(initrc_t)
@@ -19667,7 +19786,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -516,6 +559,33 @@
+@@ -516,6 +564,33 @@
')
')
@@ -19701,7 +19820,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -570,6 +640,10 @@
+@@ -570,6 +645,10 @@
dbus_read_config(initrc_t)
optional_policy(`
@@ -19712,7 +19831,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
networkmanager_dbus_chat(initrc_t)
')
')
-@@ -591,6 +665,10 @@
+@@ -591,6 +670,10 @@
')
optional_policy(`
@@ -19723,7 +19842,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_read_usbfs(initrc_t)
# init scripts run /etc/hotplug/usb.rc
-@@ -647,20 +725,20 @@
+@@ -647,20 +730,20 @@
')
optional_policy(`
@@ -19750,7 +19869,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
ifdef(`distro_redhat',`
-@@ -669,6 +747,7 @@
+@@ -669,6 +752,7 @@
mysql_stream_connect(initrc_t)
mysql_write_log(initrc_t)
@@ -19758,7 +19877,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -697,7 +776,6 @@
+@@ -697,7 +781,6 @@
')
optional_policy(`
@@ -19766,7 +19885,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -719,8 +797,6 @@
+@@ -719,8 +802,6 @@
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -19775,7 +19894,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -733,10 +809,12 @@
+@@ -733,10 +814,12 @@
squid_manage_logs(initrc_t)
')
@@ -19788,7 +19907,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -754,6 +832,11 @@
+@@ -754,6 +837,11 @@
uml_setattr_util_sockets(initrc_t)
')
@@ -19800,7 +19919,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
unconfined_domain(initrc_t)
-@@ -765,6 +848,13 @@
+@@ -765,6 +853,13 @@
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -19814,7 +19933,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -790,3 +880,31 @@
+@@ -790,3 +885,31 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -20104,9 +20223,178 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-sysnet_dns_name_resolve(iscsid_t)
+miscfiles_read_localization(iscsid_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.fc serefpolicy-3.6.26/policy/modules/system/kdump.fc
+--- nsaserefpolicy/policy/modules/system/kdump.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.26/policy/modules/system/kdump.fc 2009-08-10 09:44:25.000000000 -0400
+@@ -0,0 +1,8 @@
++
++/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
++
++/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
++/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
++
++/etc/kdump\.conf -- gen_context(system_u:object_r:kdump_etc_t,s0)
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.if serefpolicy-3.6.26/policy/modules/system/kdump.if
+--- nsaserefpolicy/policy/modules/system/kdump.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.26/policy/modules/system/kdump.if 2009-08-10 09:47:15.000000000 -0400
+@@ -0,0 +1,111 @@
++## kdump is kernel crash dumping mechanism
++
++######################################
++##
++## Execute kdump in the kdump domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`kdump_domtrans',`
++ gen_require(`
++ type kdump_t, kdump_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, kdump_exec_t, kdump_t)
++')
++
++#######################################
++##
++## Execute kdump in the kdump domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`kdump_initrc_domtrans',`
++ gen_require(`
++ type kdump_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, kdump_initrc_exec_t)
++')
++
++#####################################
++##
++## Read kdump configuration file.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kdump_read_etc',`
++ gen_require(`
++ type kdump_etc_t;
++ ')
++
++ files_search_etc($1)
++ read_files_pattern($1, kdump_etc_t, kdump_etc_t)
++')
++
++####################################
++##
++## Manage kdump configuration file.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kdump_manage_etc',`
++ gen_require(`
++ type kdump_etc_t;
++ ')
++
++ files_search_etc($1)
++ manage_files_pattern($1, kdump_etc_t, kdump_etc_t)
++')
++
++######################################
++##
++## All of the rules required to administrate
++## an kdump environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed to manage the kdump domain.
++##
++##
++##
++#
++interface(`kdump_admin',`
++ gen_require(`
++ type kdump_t,kdump_etc_t;
++ type kdump_initrc_exec_t;
++ ')
++
++ allow $1 kdump_t:process { ptrace signal_perms };
++ ps_process_pattern($1, kdump_t)
++
++ init_labeled_script_domtrans($1, kdump_initrc_exec_t)
++ domain_system_change_exemption($1)
++ role_transition $2 kdump_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_search_etc($1)
++ admin_pattern($1, kdump_etc_t)
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.te serefpolicy-3.6.26/policy/modules/system/kdump.te
+--- nsaserefpolicy/policy/modules/system/kdump.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.26/policy/modules/system/kdump.te 2009-08-10 09:44:25.000000000 -0400
+@@ -0,0 +1,38 @@
++policy_module(kdump,1.0.0)
++
++#######################################
++#
++# Declarations
++#
++
++type kdump_t;
++type kdump_exec_t;
++init_system_domain(kdump_t, kdump_exec_t)
++
++type kdump_etc_t;
++files_config_file(kdump_etc_t)
++
++type kdump_initrc_exec_t;
++init_script_file(kdump_initrc_exec_t)
++
++#####################################
++#
++# kdump local policy
++#
++
++allow kdump_t self:capability { sys_boot dac_override };
++
++read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)
++
++files_read_etc_runtime_files(kdump_t)
++files_read_kernel_img(kdump_t)
++
++kernel_read_system_state(kdump_t)
++
++dev_read_framebuffer(kdump_t)
++dev_read_sysfs(kdump_t)
++
++term_use_console(kdump_t)
++
++permissive kdump_t;
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.26/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/system/libraries.fc 2009-08-03 07:56:50.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/system/libraries.fc 2009-08-10 11:54:48.000000000 -0400
@@ -60,12 +60,15 @@
#
# /opt
@@ -20156,7 +20444,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/(.*/)?java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
-@@ -115,27 +120,29 @@
+@@ -115,27 +120,30 @@
/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -20168,6 +20456,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib64/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib64/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib64/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
/usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -20194,7 +20483,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
/usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -143,11 +150,8 @@
+@@ -143,11 +151,8 @@
/usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -20206,7 +20495,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/lib(64)?/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/drivers/nvidia_drv\.o -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -168,12 +172,12 @@
+@@ -168,12 +173,12 @@
# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
@@ -20221,7 +20510,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -185,15 +189,10 @@
+@@ -185,15 +190,10 @@
/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -20238,7 +20527,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/lib(64)?/libHermes\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/valgrind/hp2ps -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/valgrind/stage2 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -228,31 +227,17 @@
+@@ -228,31 +228,17 @@
/usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -20274,7 +20563,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Jai, Sun Microsystems (Jpackage SPRM)
/usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -268,6 +253,9 @@
+@@ -268,6 +254,9 @@
/usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -20284,7 +20573,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Java, Sun Microsystems (JPackage SRPM)
/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -292,6 +280,8 @@
+@@ -292,6 +281,8 @@
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -20293,7 +20582,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') dnl end distro_redhat
#
-@@ -304,10 +294,92 @@
+@@ -304,10 +295,91 @@
/var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0)
@@ -20330,6 +20619,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+/opt/(.*/)?oracle/(.*/)?libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libnnz11.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
+
+/opt/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -20344,8 +20635,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+/usr/lib(64)?/midori/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+
-+
-+
+ifdef(`fixed',`
+/usr/lib(64)?/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -20367,7 +20656,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+HOME_DIR/\.gstreamer-.*/plugins/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
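Review bot: `permissive kdump_t;` at the end of kdump.te ships the new domain unenforced while it is granted `sys_boot` (needed for kexec_load) and `dac_override`, so until that line is removed the policy only logs denials, and the changelog entry "Add kdump policy" does not say so. I would put a tracking comment directly above it, `# TODO: permissive while kdump/kexec access patterns are collected from AVC logs; drop before enforcing`, and re-examine `dac_override` at that point, because kdump is started as root from its init script and the objects it reads here (`kdump_etc_t`, the kernel image, sysfs, the framebuffer) should be accessible without a DAC bypass — worth confirming from audit output rather than keeping it by default. The same hunk also labels `/usr/lib(64)?/libGL\.so*` as `textrel_shlib_t` and moves `libxvidcore` out of the `ifdef(fixed)` guard, which permits execmod on those mappings for every domain that loads them; a comment citing the build or bug that still carries text relocations would let those exceptions be retired once the libraries are fixed.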
@@ -20927,7 +21215,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.26/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/system/mount.te 2009-07-30 15:33:09.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/system/mount.te 2009-08-10 10:06:05.000000000 -0400
@@ -18,8 +18,12 @@
init_system_domain(mount_t, mount_exec_t)
role system_r types mount_t;
@@ -20965,7 +21253,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow mount_t mount_loopback_t:file read_file_perms;
-@@ -47,12 +59,25 @@
+@@ -47,12 +59,26 @@
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
@@ -20988,10 +21276,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_list_all_dev_nodes(mount_t)
+dev_read_usbfs(mount_t)
+dev_read_rand(mount_t)
++dev_read_sysfs(mount_t)
dev_rw_lvm_control(mount_t)
dev_dontaudit_getattr_all_chr_files(mount_t)
dev_dontaudit_getattr_memory_dev(mount_t)
-@@ -62,16 +87,19 @@
+@@ -62,16 +88,19 @@
storage_raw_write_fixed_disk(mount_t)
storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)
@@ -21014,7 +21303,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
term_use_all_terms(mount_t)
-@@ -79,6 +107,7 @@
+@@ -79,6 +108,7 @@
corecmd_exec_bin(mount_t)
domain_use_interactive_fds(mount_t)
@@ -21022,7 +21311,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_search_all(mount_t)
files_read_etc_files(mount_t)
-@@ -87,7 +116,7 @@
+@@ -87,7 +117,7 @@
files_mounton_all_mountpoints(mount_t)
files_unmount_rootfs(mount_t)
# These rules need to be generalized. Only admin, initrc should have it:
@@ -21031,7 +21320,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_mount_all_file_type_fs(mount_t)
files_unmount_all_file_type_fs(mount_t)
# for when /etc/mtab loses its type
-@@ -100,6 +129,8 @@
+@@ -100,6 +130,8 @@
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@@ -21040,7 +21329,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_use_nsswitch(mount_t)
-@@ -116,6 +147,7 @@
+@@ -116,6 +148,7 @@
seutil_read_config(mount_t)
userdom_use_all_users_fds(mount_t)
@@ -21048,7 +21337,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`distro_redhat',`
optional_policy(`
-@@ -131,9 +163,13 @@
+@@ -131,9 +164,13 @@
')
')
@@ -21063,7 +21352,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_mounton_non_security(mount_t)
')
-@@ -164,6 +200,8 @@
+@@ -164,6 +201,8 @@
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -21072,7 +21361,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -171,6 +209,21 @@
+@@ -171,6 +210,21 @@
')
optional_policy(`
@@ -21094,7 +21383,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -178,6 +231,11 @@
+@@ -178,6 +232,11 @@
')
')
@@ -21106,7 +21395,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# for kernel package installation
optional_policy(`
rpm_rw_pipes(mount_t)
-@@ -185,6 +243,7 @@
+@@ -185,6 +244,7 @@
optional_policy(`
samba_domtrans_smbmount(mount_t)
@@ -21114,7 +21403,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -194,5 +253,8 @@
+@@ -194,5 +254,8 @@
optional_policy(`
files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
@@ -22302,7 +22591,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.26/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/system/udev.te 2009-07-30 15:33:09.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/system/udev.te 2009-08-10 10:36:14.000000000 -0400
@@ -50,6 +50,7 @@
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -22361,7 +22650,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
brctl_domtrans(udev_t)
')
-@@ -202,6 +212,10 @@
+@@ -202,14 +212,27 @@
')
optional_policy(`
@@ -22372,7 +22661,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
consoletype_exec(udev_t)
')
-@@ -210,6 +224,11 @@
+ optional_policy(`
++ cups_domtrans_config(udev_t)
++')
++
++optional_policy(`
+ dbus_system_bus_client(udev_t)
')
optional_policy(`
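Review bot: `cups_domtrans_config(udev_t)` lets udev execute the CUPS configuration helper in its own domain on a device event, but the new block has no comment naming the udev rule that triggers it (presumably a printer hotplug rule), unlike the other udev transitions that are at least grouped by subsystem. A short comment such as `# udev rules invoke the cups configuration helper when a printer is attached` above the call would document the trigger, and it is worth checking that the helper does not act on untrusted input from the event environment udev passes to it, since the transition now makes that path reachable from any hotplug event. The enclosing optional_policy block in udev.te continues outside the hunk.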
@@ -22384,7 +22678,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
lvm_domtrans(udev_t)
')
-@@ -219,6 +238,7 @@
+@@ -219,6 +242,7 @@
optional_policy(`
hal_dgram_send(udev_t)
@@ -22392,7 +22686,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -228,6 +248,10 @@
+@@ -228,6 +252,10 @@
')
optional_policy(`
@@ -22403,7 +22697,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
-@@ -242,6 +266,10 @@
+@@ -242,6 +270,10 @@
')
optional_policy(`
@@ -23181,7 +23475,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.26/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/system/userdomain.if 2009-08-07 06:43:58.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/system/userdomain.if 2009-08-10 11:36:42.000000000 -0400
@@ -30,8 +30,9 @@
')
@@ -23619,9 +23913,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##############################
#
-@@ -512,181 +519,192 @@
+@@ -511,182 +518,194 @@
+ # evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
++ allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
- allow $1_t unpriv_userdomain:fd use;
+ allow $1_usertype unpriv_userdomain:fd use;
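Review bot: `allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;` is an allow placed directly under two dontaudit rules for netlink sockets, so every user domain built from this common template can now open a kernel uevent socket and observe device add/remove events, yet the neighbouring comment only explains the dontaudits. Add a line stating what needs it, e.g. `# desktop components (udev clients) listen for device uevents`, and if only graphical sessions need it, consider placing the rule in the X/desktop user template rather than the common one so restricted and network-only users do not inherit it. The template body continues outside the hunk.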
@@ -23888,7 +24184,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
#######################################
-@@ -714,13 +732,26 @@
+@@ -714,13 +733,26 @@
userdom_base_user_template($1)
@@ -23920,7 +24216,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_change_password_template($1)
-@@ -738,70 +769,71 @@
+@@ -738,70 +770,71 @@
allow $1_t self:context contains;
@@ -24025,7 +24321,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -838,6 +870,28 @@
+@@ -838,6 +871,28 @@
# Local policy
#
@@ -24054,7 +24350,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
loadkeys_run($1_t,$1_r)
')
-@@ -868,7 +922,10 @@
+@@ -868,7 +923,10 @@
userdom_restricted_user_template($1)
@@ -24066,7 +24362,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##############################
#
-@@ -876,14 +933,19 @@
+@@ -876,14 +934,19 @@
#
auth_role($1_r, $1_t)
@@ -24091,7 +24387,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_dontaudit_send_audit_msgs($1_t)
# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -891,28 +953,47 @@
+@@ -891,28 +954,47 @@
selinux_get_enforce_mode($1_t)
optional_policy(`
@@ -24146,7 +24442,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -946,8 +1027,8 @@
+@@ -946,8 +1028,8 @@
# Declarations
#
@@ -24156,7 +24452,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_common_user_template($1)
##############################
-@@ -956,11 +1037,12 @@
+@@ -956,11 +1038,12 @@
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -24171,7 +24467,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# cjp: why?
files_read_kernel_symbol_table($1_t)
-@@ -978,36 +1060,53 @@
+@@ -978,36 +1061,53 @@
')
')
@@ -24239,7 +24535,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -1042,7 +1141,7 @@
+@@ -1042,7 +1142,7 @@
#
template(`userdom_admin_user_template',`
gen_require(`
@@ -24248,7 +24544,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
##############################
-@@ -1051,8 +1150,7 @@
+@@ -1051,8 +1151,7 @@
#
# Inherit rules for ordinary users.
@@ -24258,7 +24554,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_obj_id_change_exemption($1_t)
role system_r types $1_t;
-@@ -1075,7 +1173,8 @@
+@@ -1075,7 +1174,8 @@
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -24268,7 +24564,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
-@@ -1091,6 +1190,7 @@
+@@ -1091,6 +1191,7 @@
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -24276,7 +24572,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1098,8 +1198,6 @@
+@@ -1098,8 +1199,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
@@ -24285,7 +24581,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
-@@ -1154,20 +1252,6 @@
+@@ -1154,20 +1253,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -24306,7 +24602,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1213,6 +1297,7 @@
+@@ -1213,6 +1298,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -24314,7 +24610,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1278,11 +1363,15 @@
+@@ -1278,11 +1364,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -24330,7 +24626,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1374,12 +1463,13 @@
+@@ -1374,12 +1464,13 @@
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -24345,7 +24641,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
##
##
-@@ -1412,6 +1502,14 @@
+@@ -1412,6 +1503,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -24360,7 +24656,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1427,9 +1525,11 @@
+@@ -1427,9 +1526,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -24372,7 +24668,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1486,6 +1586,25 @@
+@@ -1486,6 +1587,25 @@
allow $1 user_home_dir_t:dir relabelto;
')
@@ -24398,7 +24694,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
##
## Create directories in the home dir root with
-@@ -1560,6 +1679,8 @@
+@@ -1560,6 +1680,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -24407,7 +24703,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1653,6 +1774,7 @@
+@@ -1653,6 +1775,7 @@
type user_home_dir_t, user_home_t;
')
@@ -24415,7 +24711,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
-@@ -1780,19 +1902,32 @@
+@@ -1780,19 +1903,32 @@
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -24455,7 +24751,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1827,6 +1962,7 @@
+@@ -1827,6 +1963,7 @@
interface(`userdom_manage_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -24463,7 +24759,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2374,7 +2510,7 @@
+@@ -2374,7 +2511,7 @@
########################################
##
@@ -24472,7 +24768,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
##
##
-@@ -2728,11 +2864,32 @@
+@@ -2728,11 +2865,32 @@
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -24507,7 +24803,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -2860,7 +3017,25 @@
+@@ -2860,7 +3018,25 @@
type user_tmp_t;
')
@@ -24534,7 +24830,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -2897,6 +3072,7 @@
+@@ -2897,6 +3073,7 @@
')
read_files_pattern($1, userdomain, userdomain)
@@ -24542,7 +24838,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_search_proc($1)
')
-@@ -3027,3 +3203,501 @@
+@@ -3027,3 +3204,501 @@
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 40aed6d..ef29733 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.26
-Release: 8%{?dist}
+Release: 9%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -475,6 +475,10 @@ exit 0
%endif
%changelog
+* Mon Aug 10 2009 Dan Walsh 3.6.26-9
+- Add kdump policy for Miroslav Grepl
+- Turn off execstack boolean
+
* Fri Aug 7 2009 Bill Nottingham 3.6.26-8
- Turn on execstack on a temporary basis (#512845)