diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index 1c43a96..ed1af2d 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -140,7 +140,11 @@ samba_enable_home_dirs = false
# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
#
-squid_connect_any = false
+squid_connect_any = true
+
+# Allow privoxy to connect to all ports, not justHTTP, FTP, and Gopher ports.
+#
+privoxy_connect_any = true
# Support NFS home directories
#
diff --git a/modules-minimum.conf b/modules-minimum.conf
index 99288a5..35181dc 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -633,6 +633,12 @@ hddtemp = module
#
policykit = module
+# Layer: services
+# Module: puppet
+#
+# A network tool for managing many disparate systems
+#
+puppet = module
# Layer: apps
# Module: ptchown
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 99288a5..35181dc 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -633,6 +633,12 @@ hddtemp = module
#
policykit = module
+# Layer: services
+# Module: puppet
+#
+# A network tool for managing many disparate systems
+#
+puppet = module
# Layer: apps
# Module: ptchown
diff --git a/policy-F13.patch b/policy-F13.patch
index 3c569cd..b3a36ce 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -7601,7 +7601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.7/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.7/policy/modules/kernel/filesystem.te 2010-01-11 09:53:58.000000000 -0500
++++ serefpolicy-3.7.7/policy/modules/kernel/filesystem.te 2010-01-14 15:44:55.000000000 -0500
@@ -29,6 +29,7 @@
fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
@@ -9798,7 +9798,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.7/policy/modules/roles/xguest.te
--- nsaserefpolicy/policy/modules/roles/xguest.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.7/policy/modules/roles/xguest.te 2010-01-11 09:53:58.000000000 -0500
++++ serefpolicy-3.7.7/policy/modules/roles/xguest.te 2010-01-14 13:49:32.000000000 -0500
+@@ -15,7 +15,7 @@
+
+ ## <desc>
+ ## <p>
+-## Allow xguest to configure Network Manager
++## Allow xguest to configure Network Manager and connect to apache ports
+ ## </p>
+ ## </desc>
+ gen_tunable(xguest_connect_network, true)
@@ -30,11 +30,29 @@
role xguest_r;
@@ -10092,7 +10101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
## All of the rules required to administrate
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.7/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.7/policy/modules/services/abrt.te 2010-01-11 09:53:58.000000000 -0500
++++ serefpolicy-3.7.7/policy/modules/services/abrt.te 2010-01-14 16:10:21.000000000 -0500
@@ -33,12 +33,24 @@
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)
@@ -14895,7 +14904,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.7/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2009-07-28 15:51:13.000000000 -0400
-+++ serefpolicy-3.7.7/policy/modules/services/cups.fc 2010-01-11 09:53:58.000000000 -0500
++++ serefpolicy-3.7.7/policy/modules/services/cups.fc 2010-01-14 09:44:37.000000000 -0500
@@ -13,10 +13,14 @@
/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
@@ -14944,7 +14953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.7/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.7/policy/modules/services/cups.te 2010-01-11 09:53:58.000000000 -0500
++++ serefpolicy-3.7.7/policy/modules/services/cups.te 2010-01-14 09:43:53.000000000 -0500
@@ -23,6 +23,9 @@
type cupsd_initrc_exec_t;
init_script_file(cupsd_initrc_exec_t)
@@ -16180,10 +16189,58 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fpri
+ policykit_dbus_chat_auth(fprintd_t)
')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.7.7/policy/modules/services/ftp.if
+--- nsaserefpolicy/policy/modules/services/ftp.if 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.7/policy/modules/services/ftp.if 2010-01-14 14:06:25.000000000 -0500
+@@ -115,6 +115,44 @@
+ role $2 types ftpdctl_t;
+ ')
+
++#######################################
++## <summary>
++## Allow domain dyntransition to sftpd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ftp_dyntransition_sftpd',`
++ gen_require(`
++ type sftpd_t;
++ ')
++
++ allow $1 sftpd_t:process dyntransition;
++ allow sftpd_t $1:process sigchld;
++')
++
++#######################################
++## <summary>
++## Allow domain dyntransition to sftpd_anon domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ftp_dyntransition_sftpd_anon',`
++ gen_require(`
++ type sftpd_anon_t;
++ ')
++
++ allow $1 sftpd_anon_t:process dyntransition;
++ allow sftpd_anon_t $1:process sigchld;
++')
++
+ ########################################
+ ## <summary>
+ ## All of the rules required to administrate
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.7.7/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.7/policy/modules/services/ftp.te 2010-01-11 09:53:58.000000000 -0500
-@@ -41,6 +41,13 @@
++++ serefpolicy-3.7.7/policy/modules/services/ftp.te 2010-01-14 16:27:16.000000000 -0500
+@@ -41,11 +41,51 @@
## <desc>
## <p>
@@ -16197,7 +16254,45 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
## Allow ftp to read and write files in the user home directories
## </p>
## </desc>
-@@ -78,12 +85,20 @@
+ gen_tunable(ftp_home_dir, false)
+
++## <desc>
++## <p>
++## Allow anon internal-sftp to upload files, used for
++## public file transfer services. Directories must be labeled
++## public_content_rw_t.
++## </p>
++## </desc>
++gen_tunable(sftpd_anon_write, false)
++
++## <desc>
++## <p>
++## Allow sftp-internal to login to local users and
++## read/write all files on the system, governed by DAC.
++## </p>
++## </desc>
++gen_tunable(sftpd_full_access, false)
++
++## <desc>
++## <p>
++## Allow interlnal-sftp to read and write files
++## in the user ssh home directories.
++## </p>
++## </desc>
++gen_tunable(sftpd_write_ssh_home, false)
++
++## <desc>
++## <p>
++## Allow sftp-internal to read and write files
++## in the user home directories
++## </p>
++## </desc>
++gen_tunable(sftpd_enable_homedirs, false)
++
+ type ftpd_t;
+ type ftpd_exec_t;
+ init_daemon_domain(ftpd_t, ftpd_exec_t)
+@@ -78,12 +118,28 @@
type xferlog_t;
logging_log_file(xferlog_t)
@@ -16209,6 +16304,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
+ init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh)
+')
+
++type sftpd_t;
++domain_type(sftpd_t)
++role system_r types sftpd_t;
++
++type sftpd_anon_t;
++domain_type(sftpd_anon_t)
++role system_r types sftpd_anon_t;
++
########################################
#
# ftpd local policy
@@ -16219,7 +16322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
dontaudit ftpd_t self:capability sys_tty_config;
allow ftpd_t self:process signal_perms;
allow ftpd_t self:process { getcap setcap setsched setrlimit };
-@@ -92,6 +107,8 @@
+@@ -92,6 +148,8 @@
allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
allow ftpd_t self:tcp_socket create_stream_socket_perms;
allow ftpd_t self:udp_socket create_socket_perms;
@@ -16228,7 +16331,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
allow ftpd_t ftpd_etc_t:file read_file_perms;
-@@ -121,8 +138,7 @@
+@@ -121,8 +179,7 @@
allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
# Create and modify /var/log/xferlog.
@@ -16238,7 +16341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
logging_log_filetrans(ftpd_t, xferlog_t, file)
kernel_read_kernel_sysctls(ftpd_t)
-@@ -160,6 +176,7 @@
+@@ -160,6 +217,7 @@
fs_search_auto_mountpoints(ftpd_t)
fs_getattr_all_fs(ftpd_t)
@@ -16246,7 +16349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
auth_use_nsswitch(ftpd_t)
auth_domtrans_chk_passwd(ftpd_t)
-@@ -219,10 +236,14 @@
+@@ -219,10 +277,14 @@
# allow access to /home
files_list_home(ftpd_t)
userdom_read_user_home_content_files(ftpd_t)
@@ -16265,7 +16368,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
')
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
-@@ -258,7 +279,26 @@
+@@ -258,7 +320,26 @@
')
optional_policy(`
@@ -16293,7 +16396,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
')
optional_policy(`
-@@ -270,6 +310,14 @@
+@@ -270,6 +351,14 @@
')
optional_policy(`
@@ -16308,26 +16411,106 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
seutil_sigchld_newrole(ftpd_t)
')
+@@ -294,3 +383,74 @@
+ files_read_etc_files(ftpdctl_t)
+
+ userdom_use_user_terminals(ftpdctl_t)
++
++########################################
++#
++# sftpd-anon local policy
++#
++files_read_etc_files(sftpd_anon_t)
++
++miscfiles_read_public_files(sftpd_anon_t)
++
++tunable_policy(`sftpd_anon_write',`
++ miscfiles_manage_public_files(sftpd_anon_t)
++')
++
++########################################
++#
++# sftpd local policy
++#
++files_read_etc_files(sftpd_t)
++
++# allow read access to /home by default
++userdom_read_user_home_content_files(sftpd_t)
++userdom_read_user_home_content_symlinks(sftpd_t)
++userdom_dontaudit_list_admin_dir(sftpd_t)
++
++tunable_policy(`sftpd_full_access',`
++ allow sftpd_t self:capability { dac_override dac_read_search };
++ fs_read_noxattr_fs_files(sftpd_t)
++ auth_manage_all_files_except_shadow(sftpd_t)
++')
++
++tunable_policy(`sftpd_write_ssh_home',`
++ ssh_manage_user_home_files(sftpd_t)
++')
++
++tunable_policy(`sftpd_enable_homedirs',`
++ allow sftpd_t self:capability { dac_override dac_read_search };
++
++ # allow access to /home
++ files_list_home(sftpd_t)
++ userdom_read_user_home_content_files(sftpd_t)
++ userdom_manage_user_home_content(sftpd_t)
++
++ auth_read_all_dirs_except_shadow(sftpd_t)
++ auth_read_all_files_except_shadow(sftpd_t)
++ auth_read_all_symlinks_except_shadow(sftpd_t)
++', `
++ # Needed for permissive mode, to make sure everything gets labeled correctly
++ userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
++')
++
++tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
++ fs_manage_nfs_dirs(sftpd_t)
++ fs_manage_nfs_files(sftpd_t)
++ fs_manage_nfs_symlinks(sftpd_t)
++')
++
++tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
++ fs_manage_cifs_dirs(sftpd_t)
++ fs_manage_cifs_files(sftpd_t)
++ fs_manage_cifs_symlinks(sftpd_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_read_cifs_files(sftpd_t)
++ fs_read_cifs_symlinks(sftpd_t)
++')
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_read_nfs_files(sftpd_t)
++ fs_read_nfs_symlinks(ftpd_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.7.7/policy/modules/services/git.fc
--- nsaserefpolicy/policy/modules/services/git.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.7/policy/modules/services/git.fc 2010-01-11 09:53:58.000000000 -0500
-@@ -1,3 +1,9 @@
- /var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0)
++++ serefpolicy-3.7.7/policy/modules/services/git.fc 2010-01-14 15:37:45.000000000 -0500
+@@ -1,3 +1,12 @@
+-/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0)
-/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
- /var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+-/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
++HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:gitd_session_content_t, s0)
++HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:gitd_session_content_t, s0)
+
-+/srv/git(/.*)? gen_context(system_u:object_r:git_data_t, s0)
++/srv/git(/.*)? gen_context(system_u:object_r:gitd_system_content_t, s0)
+
+/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t, s0)
+
-+# Conflict with Fedora cgit fc spec.
-+/var/lib/git(/.*)? gen_context(system_u:object_r:git_data_t, s0)
++/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0)
++/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
++
++/var/lib/git(/.*)? gen_context(system_u:object_r:gitd_system_content_t, s0)
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.7.7/policy/modules/services/git.if
--- nsaserefpolicy/policy/modules/services/git.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.7/policy/modules/services/git.if 2010-01-11 09:53:58.000000000 -0500
-@@ -1 +1,285 @@
++++ serefpolicy-3.7.7/policy/modules/services/git.if 2010-01-14 16:07:07.000000000 -0500
+@@ -1 +1,535 @@
-## <summary>GIT revision control system</summary>
-+## <summary>Git daemon is a really simple server for Git repositories.</summary>
++## <summary>Git - Fast Version Control System.</summary>
+## <desc>
+## <p>
+## A really simple TCP git daemon that normally listens on
@@ -16335,27 +16518,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+## connection asking for a service, and will serve that
+## service if it is enabled.
+## </p>
-+## <p>
-+## It verifies that the directory has the magic file
-+## git-daemon-export-ok, and it will refuse to export any
-+## git directory that has not explicitly been marked for
-+## export this way (unless the --export-all parameter is
-+## specified). If you pass some directory paths as
-+## git-daemon arguments, you can further restrict the
-+## offers to a whitelist comprising of those.
-+## </p>
-+## <p>
-+## By default, only upload-pack service is enabled, which
-+## serves git-fetch-pack and git-ls-remote clients, which
-+## are invoked from git-fetch, git-pull, and git-clone.
-+## </p>
-+## <p>
-+## This is ideally suited for read-only updates, i.e.,
-+## pulling from git repositories.
-+## </p>
-+## <p>
-+## An upload-archive also exists to serve git-archive.
-+## </p>
+## </desc>
+
+#######################################
@@ -16373,73 +16535,174 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+## </summary>
+## </param>
+#
-+interface(`git_session_role', `
++interface(`git_session_role',`
+ gen_require(`
-+ type gitd_session_t, gitd_exec_t, git_home_t;
++ type gitd_session_t, gitd_exec_t;
+ ')
+
+ ########################################
+ #
-+ # Git daemon session data declarations.
++ # Git daemon session shared declarations.
+ #
+
-+ ## <desc>
-+ ## <p>
-+ ## Allow transitions to the Git daemon
-+ ## session domain.
-+ ## </p>
-+ ## </desc>
-+ gen_tunable(gitd_session_transition, false)
-+
+ role $1 types gitd_session_t;
+
+ ########################################
+ #
-+ # Git daemon session data policy.
++ # Git daemon session shared policy.
+ #
+
-+ tunable_policy(`gitd_session_transition', `
-+ domtrans_pattern($2, gitd_exec_t, gitd_session_t)
-+ ', `
-+ can_exec($2, gitd_exec_t)
-+ ')
++ domtrans_pattern($2, gitd_exec_t, gitd_session_t)
+
+ allow $2 gitd_session_t:process { ptrace signal_perms };
+ ps_process_pattern($2, gitd_session_t)
++')
+
-+ exec_files_pattern($2, git_home_t, git_home_t)
-+ manage_dirs_pattern($2, git_home_t, git_home_t)
-+ manage_files_pattern($2, git_home_t, git_home_t)
++########################################
++## <summary>
++## Create a set of derived types for Git
++## daemon shared repository content.
++## </summary>
++## <param name="prefix">
++## <summary>
++## The prefix to be used for deriving type names.
++## </summary>
++## </param>
++#
++template(`git_content_template',`
+
-+ relabel_dirs_pattern($2, git_home_t, git_home_t)
-+ relabel_files_pattern($2, git_home_t, git_home_t)
++ gen_require(`
++ attribute gitd_system_content;
++ attribute gitd_content;
++ ')
++
++ ########################################
++ #
++ # Git daemon content shared declarations.
++ #
++
++ type gitd_$1_content_t, gitd_system_content, gitd_content;
++ files_type(gitd_$1_content_t)
+')
+
+########################################
+## <summary>
-+## Allow the specified domain to execute
-+## Git daemon data files.
++## Create a set of derived types for Git
++## daemon shared repository roles.
++## </summary>
++## <param name="prefix">
++## <summary>
++## The prefix to be used for deriving type names.
++## </summary>
++## </param>
++#
++template(`git_role_template',`
++
++ gen_require(`
++ class context contains;
++ role system_r;
++ ')
++
++ ########################################
++ #
++ # Git daemon role shared declarations.
++ #
++
++ attribute $1_usertype;
++
++ type $1_t;
++ userdom_unpriv_usertype($1, $1_t)
++ domain_type($1_t)
++
++ role $1_r types $1_t;
++ allow system_r $1_r;
++
++ ########################################
++ #
++ # Git daemon role shared policy.
++ #
++
++ allow $1_t self:context contains;
++ allow $1_t self:fifo_file rw_fifo_file_perms;
++
++ corecmd_exec_bin($1_t)
++ corecmd_bin_entry_type($1_t)
++ corecmd_shell_entry_type($1_t)
++
++ domain_interactive_fd($1_t)
++ domain_user_exemption_target($1_t)
++
++ kernel_read_system_state($1_t)
++
++ files_read_etc_files($1_t)
++ files_dontaudit_search_home($1_t)
++
++ miscfiles_read_localization($1_t)
++
++ git_rwx_generic_system_content($1_t)
++
++ ssh_rw_stream_sockets($1_t)
++
++ tunable_policy(`gitd_system_use_cifs',`
++ fs_exec_cifs_files($1_t)
++ fs_manage_cifs_dirs($1_t)
++ fs_manage_cifs_files($1_t)
++ ')
++
++ tunable_policy(`gitd_system_use_nfs',`
++ fs_exec_nfs_files($1_t)
++ fs_manage_nfs_dirs($1_t)
++ fs_manage_nfs_files($1_t)
++ ')
++
++ optional_policy(`
++ nscd_read_pid($1_t)
++ ')
++')
++
++#######################################
++## <summary>
++## Allow specified domain access to the
++## specified Git daemon content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
-+## <rolecap/>
++## <param name="object">
++## <summary>
++## Type of the object that access is allowed to.
++## </summary>
++## </param>
+#
-+interface(`git_execute_data_files', `
++interface(`git_content_delegation',`
+ gen_require(`
-+ type git_data_t;
++ type $1, $2;
+ ')
+
-+ exec_files_pattern($1, git_data_t, git_data_t)
++ exec_files_pattern($1, $2, $2)
++ manage_dirs_pattern($1, $2, $2)
++ manage_files_pattern($1, $2, $2)
+ files_search_var($1)
++
++ tunable_policy(`gitd_system_use_cifs',`
++ fs_exec_cifs_files($1)
++ fs_manage_cifs_dirs($1)
++ fs_manage_cifs_files($1)
++ ')
++
++ tunable_policy(`gitd_system_use_nfs',`
++ fs_exec_nfs_files($1)
++ fs_manage_nfs_dirs($1)
++ fs_manage_nfs_files($1)
++ ')
+')
+
+########################################
+## <summary>
+## Allow the specified domain to manage
-+## Git daemon data content.
++## and execute all Git daemon content.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -16448,20 +16711,46 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+## </param>
+## <rolecap/>
+#
-+interface(`git_manage_data_content', `
++interface(`git_rwx_all_content',`
+ gen_require(`
-+ type git_data_t;
++ attribute gitd_content;
+ ')
+
-+ manage_dirs_pattern($1, git_data_t, git_data_t)
-+ manage_files_pattern($1, git_data_t, git_data_t)
++ exec_files_pattern($1, gitd_content, gitd_content)
++ manage_dirs_pattern($1, gitd_content, gitd_content)
++ manage_files_pattern($1, gitd_content, gitd_content)
++ userdom_search_user_home_dirs($1)
+ files_search_var($1)
++
++ tunable_policy(`use_nfs_home_dirs',`
++ fs_exec_nfs_files($1)
++ fs_manage_nfs_dirs($1)
++ fs_manage_nfs_files($1)
++ ')
++
++ tunable_policy(`use_samba_home_dirs',`
++ fs_exec_cifs_files($1)
++ fs_manage_cifs_dirs($1)
++ fs_manage_cifs_files($1)
++ ')
++
++ tunable_policy(`gitd_system_use_cifs',`
++ fs_exec_cifs_files($1)
++ fs_manage_cifs_dirs($1)
++ fs_manage_cifs_files($1)
++ ')
++
++ tunable_policy(`gitd_system_use_nfs',`
++ fs_exec_nfs_files($1)
++ fs_manage_nfs_dirs($1)
++ fs_manage_nfs_files($1)
++ ')
+')
+
+########################################
+## <summary>
+## Allow the specified domain to manage
-+## Git daemon home content.
++## and execute all Git daemon system content.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -16470,20 +16759,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+## </param>
+## <rolecap/>
+#
-+interface(`git_manage_home_content', `
++interface(`git_rwx_all_system_content',`
+ gen_require(`
-+ type git_home_t;
++ attribute gitd_system_content;
+ ')
+
-+ manage_dirs_pattern($1, git_home_t, git_home_t)
-+ manage_files_pattern($1, git_home_t, git_home_t)
-+ files_search_home($1)
++ exec_files_pattern($1, gitd_system_content, gitd_system_content)
++ manage_dirs_pattern($1, gitd_system_content, gitd_system_content)
++ manage_files_pattern($1, gitd_system_content, gitd_system_content)
++ files_search_var($1)
++
++ tunable_policy(`gitd_system_use_cifs',`
++ fs_exec_cifs_files($1)
++ fs_manage_cifs_dirs($1)
++ fs_manage_cifs_files($1)
++ ')
++
++ tunable_policy(`gitd_system_use_nfs',`
++ fs_exec_nfs_files($1)
++ fs_manage_nfs_dirs($1)
++ fs_manage_nfs_files($1)
++ ')
+')
+
+########################################
+## <summary>
-+## Allow the specified domain to read
-+## Git daemon home content.
++## Allow the specified domain to manage
++## and execute Git daemon generic system content.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -16492,20 +16794,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+## </param>
+## <rolecap/>
+#
-+interface(`git_read_home_content', `
++interface(`git_rwx_generic_system_content',`
+ gen_require(`
-+ type git_home_t;
++ type gitd_system_content_t;
+ ')
+
-+ list_dirs_pattern($1, git_home_t, git_home_t)
-+ read_files_pattern($1, git_home_t, git_home_t)
-+ files_search_home($1)
++ exec_files_pattern($1, gitd_system_content_t, gitd_system_content_t)
++ manage_dirs_pattern($1, gitd_system_content_t, gitd_system_content_t)
++ manage_files_pattern($1, gitd_system_content_t, gitd_system_content_t)
++ files_search_var($1)
++
++ tunable_policy(`gitd_system_use_cifs',`
++ fs_exec_cifs_files($1)
++ fs_manage_cifs_dirs($1)
++ fs_manage_cifs_files($1)
++ ')
++
++ tunable_policy(`gitd_system_use_nfs',`
++ fs_exec_nfs_files($1)
++ fs_manage_nfs_dirs($1)
++ fs_manage_nfs_files($1)
++ ')
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
-+## Git daemon data content.
++## all Git daemon content files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -16514,20 +16829,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+## </param>
+## <rolecap/>
+#
-+interface(`git_read_data_content', `
++interface(`git_read_all_content_files',`
+ gen_require(`
-+ type git_data_t;
++ attribute gitd_content;
+ ')
+
-+ list_dirs_pattern($1, git_data_t, git_data_t)
-+ read_files_pattern($1, git_data_t, git_data_t)
++ list_dirs_pattern($1, gitd_content, gitd_content)
++ read_files_pattern($1, gitd_content, gitd_content)
++ userdom_search_user_home_dirs($1)
+ files_search_var($1)
++
++ tunable_policy(`use_nfs_home_dirs',`
++ fs_list_nfs($1)
++ fs_read_nfs_files($1)
++ ')
++
++ tunable_policy(`use_samba_home_dirs',`
++ fs_list_cifs($1)
++ fs_read_cifs_files($1)
++ ')
++
++ tunable_policy(`gitd_system_use_cifs',`
++ fs_list_cifs($1)
++ fs_read_cifs_files($1)
++ ')
++
++ tunable_policy(`gitd_system_use_nfs',`
++ fs_list_nfs($1)
++ fs_read_nfs_files($1)
++ ')
+')
+
+########################################
+## <summary>
-+## Allow the specified domain to relabel
-+## Git daemon data content.
++## Allow the specified domain to read
++## Git daemon session content files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -16536,20 +16872,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+## </param>
+## <rolecap/>
+#
-+interface(`git_relabel_data_content', `
++interface(`git_read_session_content_files',`
+ gen_require(`
-+ type git_data_t;
++ type gitd_session_content_t;
+ ')
+
-+ relabel_dirs_pattern($1, git_data_t, git_data_t)
-+ relabel_files_pattern($1, git_data_t, git_data_t)
-+ files_search_var($1)
++ list_dirs_pattern($1, gitd_session_content_t, gitd_session_content_t)
++ read_files_pattern($1, gitd_session_content_t, gitd_session_content_t)
++ userdom_search_user_home_dirs($1)
++
++ tunable_policy(`use_nfs_home_dirs',`
++ fs_list_nfs($1)
++ fs_read_nfs_files($1)
++ ')
++
++ tunable_policy(`use_samba_home_dirs',`
++ fs_list_cifs($1)
++ fs_read_cifs_files($1)
++ ')
+')
+
+########################################
+## <summary>
-+## Allow the specified domain to relabel
-+## Git daemon home content.
++## Allow the specified domain to read
++## all Git daemon system content files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -16558,114 +16904,203 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+## </param>
+## <rolecap/>
+#
-+interface(`git_relabel_home_content', `
++interface(`git_read_all_system_content_files',`
+ gen_require(`
-+ type git_home_t;
++ attribute gitd_system_content;
+ ')
+
-+ relabel_dirs_pattern($1, git_home_t, git_home_t)
-+ relabel_files_pattern($1, git_home_t, git_home_t)
-+ files_search_home($1)
++ list_dirs_pattern($1, gitd_system_content, gitd_system_content)
++ read_files_pattern($1, gitd_system_content, gitd_system_content)
++ files_search_var($1)
++
++ tunable_policy(`gitd_system_use_cifs',`
++ fs_list_cifs($1)
++ fs_read_cifs_files($1)
++ ')
++
++ tunable_policy(`gitd_system_use_nfs',`
++ fs_list_nfs($1)
++ fs_read_nfs_files($1)
++ ')
+')
+
+########################################
+## <summary>
-+## All of the rules required to administrate an
-+## Git daemon system environment
++## Allow the specified domain to read
++## Git daemon generic system content files.
+## </summary>
-+## <param name="userdomain_prefix">
++## <param name="domain">
+## <summary>
-+## Prefix of the domain. Example, user would be
-+## the prefix for the user_t domain.
++## Domain allowed access.
+## </summary>
+## </param>
++## <rolecap/>
++#
++interface(`git_read_generic_system_content_files',`
++ gen_require(`
++ type gitd_system_content_t;
++ ')
++
++ list_dirs_pattern($1, gitd_system_content_t, gitd_system_content_t)
++ read_files_pattern($1, gitd_system_content_t, gitd_system_content_t)
++ files_search_var($1)
++
++ tunable_policy(`gitd_system_use_cifs',`
++ fs_list_cifs($1)
++ fs_read_cifs_files($1)
++ ')
++
++ tunable_policy(`gitd_system_use_nfs',`
++ fs_list_nfs($1)
++ fs_read_nfs_files($1)
++ ')
++')
++
++########################################
++## <summary>
++## Allow the specified domain to relabel
++## all Git daemon content.
++## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
-+## <param name="role">
++## <rolecap/>
++#
++interface(`git_relabel_all_content',`
++ gen_require(`
++ attribute gitd_content;
++ ')
++
++ relabel_dirs_pattern($1, gitd_content, gitd_content)
++ relabel_files_pattern($1, gitd_content, gitd_content)
++ userdom_search_user_home_dirs($1)
++ files_search_var($1)
++')
++
++########################################
++## <summary>
++## Allow the specified domain to relabel
++## all Git daemon system content.
++## </summary>
++## <param name="domain">
+## <summary>
-+## The role to be allowed to manage the Git daemon domain.
++## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
-+interface(`git_system_admin', `
++interface(`git_relabel_all_system_content',`
+ gen_require(`
-+ type gitd_t, gitd_exec_t;
++ attribute gitd_system_content;
+ ')
+
-+ allow $1 gitd_t:process { getattr ptrace signal_perms };
-+ ps_process_pattern($1, gitd_t)
-+
-+ kernel_search_proc($1)
++ relabel_dirs_pattern($1, gitd_system_content, gitd_system_content)
++ relabel_files_pattern($1, gitd_system_content, gitd_system_content)
++ files_search_var($1)
++')
+
-+ manage_files_pattern($1, gitd_exec_t, gitd_exec_t)
++########################################
++## <summary>
++## Allow the specified domain to relabel
++## Git daemon generic system content.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`git_relabel_generic_system_content',`
++ gen_require(`
++ type gitd_system_content_t;
++ ')
+
-+ # This will not work since git-shell needs to execute gitd content thus public content files.
-+ # There is currently no clean way to execute public content files.
-+ # miscfiles_manage_public_files($1)
++ relabel_dirs_pattern($1, gitd_system_content_t, gitd_system_content_t)
++ relabel_files_pattern($1, gitd_system_content_t, gitd_system_content_t)
++ files_search_var($1)
++')
+
-+ git_manage_data_content($1)
-+ git_relabel_data_content($1)
++########################################
++## <summary>
++## Allow the specified domain to relabel
++## Git daemon session content.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`git_relabel_session_content',`
++ gen_require(`
++ type gitd_session_content_t;
++ ')
+
-+ seutil_domtrans_setfiles($1)
++ relabel_dirs_pattern($1, gitd_session_content_t, gitd_session_content_t)
++ relabel_files_pattern($1, gitd_session_content_t, gitd_session_content_t)
++ userdom_search_user_home_dirs($1)
+')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.7.7/policy/modules/services/git.te
--- nsaserefpolicy/policy/modules/services/git.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.7/policy/modules/services/git.te 2010-01-11 09:53:58.000000000 -0500
-@@ -1,9 +1,173 @@
++++ serefpolicy-3.7.7/policy/modules/services/git.te 2010-01-14 16:12:14.000000000 -0500
+@@ -1,9 +1,181 @@
- policy_module(git, 1.0)
-
-+attribute gitd_type;
-+attribute git_content_type;
-+
-+########################################
-+#
-+# Git daemon system private declarations.
-+#
+-policy_module(git, 1.0)
++policy_module(gitd, 1.0.3)
+
+## <desc>
+## <p>
+## Allow Git daemon system to search home directories.
+## </p>
+## </desc>
-+gen_tunable(git_system_enable_homedirs, false)
++gen_tunable(gitd_system_enable_homedirs, false)
+
+## <desc>
+## <p>
+## Allow Git daemon system to access cifs file systems.
+## </p>
+## </desc>
-+gen_tunable(git_system_use_cifs, false)
++gen_tunable(gitd_system_use_cifs, false)
+
+## <desc>
+## <p>
+## Allow Git daemon system to access nfs file systems.
+## </p>
+## </desc>
-+gen_tunable(git_system_use_nfs, false)
++gen_tunable(gitd_system_use_nfs, false)
+
+########################################
+#
+# Git daemon global private declarations.
+#
++
++attribute gitd_domains;
++attribute gitd_system_content;
++attribute gitd_content;
++
+type gitd_exec_t;
+
-+type gitd_t, gitd_type;
-+inetd_service_domain(gitd_t, gitd_exec_t)
-+role system_r types gitd_t;
++########################################
++#
++# Git daemon system private declarations.
++#
+
-+type git_data_t, git_content_type;
-+files_type(git_data_t)
++type gitd_system_t, gitd_domains;
++inetd_service_domain(gitd_system_t, gitd_exec_t)
++role system_r types gitd_system_t;
+
-+permissive gitd_t;
++type gitd_system_content_t, gitd_system_content, gitd_content;
++files_type(gitd_system_content_t)
++typealias gitd_system_content_t alias git_data_t;
+
+########################################
+#
-+# Git daemon session session private declarations.
++# Git daemon session private declarations.
+#
+
+## <desc>
@@ -16674,87 +17109,84 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+## tcp sockets to all unreserved ports.
+## </p>
+## </desc>
-+gen_tunable(git_session_bind_all_unreserved_ports, false)
++gen_tunable(gitd_session_bind_all_unreserved_ports, false)
+
-+type gitd_session_t, gitd_type;
++type gitd_session_t, gitd_domains;
+application_domain(gitd_session_t, gitd_exec_t)
+ubac_constrained(gitd_session_t)
+
-+type git_home_t, git_content_type;
-+userdom_user_home_content(git_home_t)
-+
-+permissive gitd_session_t;
++type gitd_session_content_t, gitd_content;
++userdom_user_home_content(gitd_session_content_t)
+
+########################################
+#
+# Git daemon global private policy.
+#
+
-+allow gitd_type self:fifo_file rw_fifo_file_perms;
-+allow gitd_type self:tcp_socket create_socket_perms;
-+allow gitd_type self:udp_socket create_socket_perms;
-+allow gitd_type self:unix_dgram_socket create_socket_perms;
++allow gitd_domains self:fifo_file rw_fifo_file_perms;
++allow gitd_domains self:netlink_route_socket create_netlink_socket_perms;
++allow gitd_domains self:tcp_socket { create_socket_perms listen };
++allow gitd_domains self:udp_socket create_socket_perms;
++allow gitd_domains self:unix_dgram_socket create_socket_perms;
++
++corenet_all_recvfrom_netlabel(gitd_domains)
++corenet_all_recvfrom_unlabeled(gitd_domains)
+
-+corenet_all_recvfrom_netlabel(gitd_type)
-+corenet_all_recvfrom_unlabeled(gitd_type)
++corenet_tcp_bind_generic_node(gitd_domains)
+
-+corenet_tcp_sendrecv_all_if(gitd_type)
-+corenet_tcp_sendrecv_all_nodes(gitd_type)
-+corenet_tcp_sendrecv_all_ports(gitd_type)
++corenet_tcp_sendrecv_generic_if(gitd_domains)
++corenet_tcp_sendrecv_generic_node(gitd_domains)
++corenet_tcp_sendrecv_generic_port(gitd_domains)
+
-+corenet_tcp_bind_all_nodes(gitd_type)
-+corenet_tcp_bind_git_port(gitd_type)
++corenet_tcp_bind_git_port(gitd_domains)
++corenet_sendrecv_git_server_packets(gitd_domains)
+
-+corecmd_exec_bin(gitd_type)
++corecmd_exec_bin(gitd_domains)
+
-+files_read_etc_files(gitd_type)
-+files_read_usr_files(gitd_type)
++files_read_etc_files(gitd_domains)
++files_read_usr_files(gitd_domains)
+
-+fs_search_auto_mountpoints(gitd_type)
++fs_search_auto_mountpoints(gitd_domains)
+
-+kernel_read_system_state(gitd_type)
++kernel_read_system_state(gitd_domains)
+
-+logging_send_syslog_msg(gitd_type)
++auth_use_nsswitch(gitd_domains)
+
-+auth_use_nsswitch(gitd_type)
++logging_send_syslog_msg(gitd_domains)
+
-+miscfiles_read_localization(gitd_type)
++miscfiles_read_localization(gitd_domains)
+
+########################################
+#
+# Git daemon system repository private policy.
+#
+
-+list_dirs_pattern(gitd_t, git_content_type, git_content_type)
-+read_files_pattern(gitd_t, git_content_type, git_content_type)
-+files_search_var(gitd_t)
++list_dirs_pattern(gitd_system_t, gitd_content, gitd_content)
++read_files_pattern(gitd_system_t, gitd_content, gitd_content)
++files_search_var(gitd_system_t)
+
-+# This will not work since git-shell needs to execute gitd content thus public content files.
-+# There is currently no clean way to execute public content files.
-+# miscfiles_read_public_files(gitd_t)
-+
-+tunable_policy(`git_system_enable_homedirs', `
-+ userdom_search_user_home_dirs(gitd_t)
++tunable_policy(`gitd_system_enable_homedirs', `
++ userdom_search_user_home_dirs(gitd_system_t)
+')
+
-+tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs', `
-+ fs_list_nfs(gitd_t)
-+ fs_read_nfs_files(gitd_t)
++tunable_policy(`gitd_system_enable_homedirs && use_nfs_home_dirs', `
++ fs_list_nfs(gitd_system_t)
++ fs_read_nfs_files(gitd_system_t)
+')
+
-+tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs', `
-+ fs_list_cifs(gitd_t)
-+ fs_read_cifs_files(gitd_t)
++tunable_policy(`gitd_system_enable_homedirs && use_samba_home_dirs', `
++ fs_list_cifs(gitd_system_t)
++ fs_read_cifs_files(gitd_system_t)
+')
+
-+tunable_policy(`git_system_use_cifs', `
-+ fs_list_cifs(gitd_t)
-+ fs_read_cifs_files(gitd_t)
++tunable_policy(`gitd_system_use_cifs', `
++ fs_list_cifs(gitd_system_t)
++ fs_read_cifs_files(gitd_system_t)
+')
+
-+tunable_policy(`git_system_use_nfs', `
-+ fs_list_nfs(gitd_t)
-+ fs_read_nfs_files(gitd_t)
++tunable_policy(`gitd_system_use_nfs', `
++ fs_list_nfs(gitd_system_t)
++ fs_read_nfs_files(gitd_system_t)
+')
+
+########################################
@@ -16762,13 +17194,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+# Git daemon session repository private policy.
+#
+
-+list_dirs_pattern(gitd_session_t, git_home_t, git_home_t)
-+read_files_pattern(gitd_session_t, git_home_t, git_home_t)
++list_dirs_pattern(gitd_session_t, gitd_session_content_t, gitd_session_content_t)
++read_files_pattern(gitd_session_t, gitd_session_content_t, gitd_session_content_t)
+userdom_search_user_home_dirs(gitd_session_t)
+
+userdom_use_user_terminals(gitd_session_t)
+
-+tunable_policy(`git_session_bind_all_unreserved_ports', `
++tunable_policy(`gitd_session_bind_all_unreserved_ports', `
+ corenet_tcp_bind_all_unreserved_ports(gitd_session_t)
+')
+
@@ -16782,14 +17214,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+ fs_read_cifs_files(gitd_session_t)
+')
+
++########################################
++#
++# cgi git Declarations
++#
++
++optional_policy(`
++ apache_content_template(git)
++ git_read_session_content_files(httpd_git_script_t)
++')
+
########################################
#
-# Declarations
-+# cgi git Declarations
++# Git-shell private policy.
#
- apache_content_template(git)
-+git_read_data_content(httpd_git_script_t)
+-apache_content_template(git)
++git_role_template(git_shell)
++gen_user(git_shell_u, user, git_shell_r, s0, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.7.7/policy/modules/services/gpsd.te
--- nsaserefpolicy/policy/modules/services/gpsd.te 2010-01-07 14:53:53.000000000 -0500
+++ serefpolicy-3.7.7/policy/modules/services/gpsd.te 2010-01-11 09:53:58.000000000 -0500
@@ -21251,6 +21694,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc
')
optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/puppet.te serefpolicy-3.7.7/policy/modules/services/puppet.te
+--- nsaserefpolicy/policy/modules/services/puppet.te 2009-11-12 12:51:51.000000000 -0500
++++ serefpolicy-3.7.7/policy/modules/services/puppet.te 2010-01-14 10:36:57.000000000 -0500
+@@ -17,6 +17,7 @@
+ type puppet_t;
+ type puppet_exec_t;
+ init_daemon_domain(puppet_t, puppet_exec_t)
++permissive puppet_t;
+
+ type puppet_etc_t;
+ files_config_file(puppet_etc_t)
+@@ -39,6 +40,7 @@
+ type puppetmaster_t;
+ type puppetmaster_exec_t;
+ init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)
++permissive puppetmaster_t;
+
+ type puppetmaster_initrc_exec_t;
+ init_script_file(puppetmaster_initrc_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.7.7/policy/modules/services/pyzor.fc
--- nsaserefpolicy/policy/modules/services/pyzor.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.7/policy/modules/services/pyzor.fc 2010-01-11 09:53:58.000000000 -0500
@@ -24969,54 +25431,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.7/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.7/policy/modules/services/ssh.te 2010-01-11 09:53:58.000000000 -0500
-@@ -8,6 +8,31 @@
-
- ## <desc>
- ## <p>
-+## Allow sftp to upload files, used for public file
-+## transfer services. Directories must be labeled
-+## public_content_rw_t.
-+## </p>
-+## </desc>
-+gen_tunable(allow_sftpd_anon_write, false)
-+
-+## <desc>
-+## <p>
-+## Allow sftp to login to local users and
-+## read/write all files on the system, governed by DAC.
-+## </p>
-+## </desc>
-+gen_tunable(allow_sftpd_full_access, false)
-+
-+## <desc>
-+## <p>
-+## Allow interlnal-sftp to read and write files
-+## in the user ssh home directories.
-+## </p>
-+## </desc>
-+gen_tunable(sftpd_ssh_home_dir, false)
-+
-+## <desc>
-+## <p>
- ## allow host key based authentication
- ## </p>
- ## </desc>
-@@ -41,6 +66,13 @@
++++ serefpolicy-3.7.7/policy/modules/services/ssh.te 2010-01-14 14:12:19.000000000 -0500
+@@ -41,6 +41,9 @@
files_tmp_file(sshd_tmp_t)
files_poly_parent(sshd_tmp_t)
+type sshd_tmpfs_t;
+files_tmpfs_file(sshd_tmpfs_t)
+
-+type sftpd_t;
-+domain_type(sftpd_t)
-+role system_r types sftpd_t;
-+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
')
-@@ -75,7 +107,7 @@
+@@ -75,7 +78,7 @@
ubac_constrained(ssh_tmpfs_t)
type home_ssh_t;
@@ -25025,7 +25451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
typealias home_ssh_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
files_type(home_ssh_t)
userdom_user_home_content(home_ssh_t)
-@@ -95,8 +127,7 @@
+@@ -95,8 +98,7 @@
allow ssh_t self:sem create_sem_perms;
allow ssh_t self:msgq create_msgq_perms;
allow ssh_t self:msg { send receive };
@@ -25035,7 +25461,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
# Read the ssh key file.
allow ssh_t sshd_key_t:file read_file_perms;
-@@ -115,6 +146,7 @@
+@@ -115,6 +117,7 @@
manage_dirs_pattern(ssh_t, home_ssh_t, home_ssh_t)
manage_sock_files_pattern(ssh_t, home_ssh_t, home_ssh_t)
userdom_user_home_dir_filetrans(ssh_t, home_ssh_t, { dir sock_file })
@@ -25043,7 +25469,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
# Allow the ssh program to communicate with ssh-agent.
stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
-@@ -126,11 +158,13 @@
+@@ -126,11 +129,13 @@
read_lnk_files_pattern(ssh_t, home_ssh_t, home_ssh_t)
# ssh servers can read the user keys and config
@@ -25060,7 +25486,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
corenet_all_recvfrom_unlabeled(ssh_t)
corenet_all_recvfrom_netlabel(ssh_t)
-@@ -139,6 +173,8 @@
+@@ -139,6 +144,8 @@
corenet_tcp_sendrecv_all_ports(ssh_t)
corenet_tcp_connect_ssh_port(ssh_t)
corenet_sendrecv_ssh_client_packets(ssh_t)
@@ -25069,7 +25495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
dev_read_urand(ssh_t)
-@@ -160,19 +196,19 @@
+@@ -160,19 +167,19 @@
logging_send_syslog_msg(ssh_t)
logging_read_generic_logs(ssh_t)
@@ -25092,7 +25518,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
tunable_policy(`allow_ssh_keysign',`
domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
-@@ -194,18 +230,7 @@
+@@ -194,18 +201,7 @@
# for port forwarding
tunable_policy(`user_tcp_server',`
corenet_tcp_bind_ssh_port(ssh_t)
@@ -25112,7 +25538,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
')
optional_policy(`
-@@ -294,6 +319,8 @@
+@@ -294,6 +290,8 @@
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
@@ -25121,7 +25547,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
-@@ -310,16 +337,30 @@
+@@ -310,27 +308,50 @@
corenet_tcp_bind_xserver_port(sshd_t)
corenet_sendrecv_xserver_server_packets(sshd_t)
@@ -25140,21 +25566,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
- userdom_spec_domtrans_all_users(sshd_t)
userdom_signal_all_users(sshd_t)
-',`
-+')
+- userdom_spec_domtrans_unpriv_users(sshd_t)
+- userdom_signal_unpriv_users(sshd_t)
+ ')
+
++userdom_spec_domtrans_unpriv_users(sshd_t)
++userdom_signal_unpriv_users(sshd_t)
+
- userdom_spec_domtrans_unpriv_users(sshd_t)
- userdom_signal_unpriv_users(sshd_t)
+ optional_policy(`
+ daemontools_service_domain(sshd_t, sshd_exec_t)
+ ')
+
+ optional_policy(`
++ kerberos_keytab_template(sshd, sshd_t)
++')
+
+optional_policy(`
-+ kerberos_keytab_template(sshd, sshd_t)
++ ftp_dyntransition_sftpd(sshd_t)
++ ftp_dyntransition_sftpd_anon(sshd_t)
+')
+
+optional_policy(`
+ gitosis_manage_var_lib(sshd_t)
- ')
-
- optional_policy(`
-@@ -331,6 +372,10 @@
++')
++
++optional_policy(`
+ inetd_tcp_service_domain(sshd_t, sshd_exec_t)
')
optional_policy(`
@@ -25165,7 +25602,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
rpm_use_script_fds(sshd_t)
')
-@@ -341,10 +386,18 @@
+@@ -341,10 +362,18 @@
')
optional_policy(`
@@ -25185,7 +25622,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
ifdef(`TODO',`
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
-@@ -400,18 +453,63 @@
+@@ -400,15 +429,13 @@
init_use_fds(ssh_keygen_t)
init_use_script_ptys(ssh_keygen_t)
@@ -25203,56 +25640,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
seutil_sigchld_newrole(ssh_keygen_t)
')
- optional_policy(`
- udev_read_db(ssh_keygen_t)
- ')
-+
-+#######################################
-+#
-+# sftp Local policy
-+#
-+
-+allow ssh_server sftpd_t:process dyntransition;
-+
-+ssh_sigchld(sftpd_t)
-+
-+files_read_all_files(sftpd_t)
-+files_read_all_symlinks(sftpd_t)
-+
-+fs_read_noxattr_fs_files(sftpd_t)
-+fs_read_nfs_files(sftpd_t)
-+fs_read_cifs_files(sftpd_t)
-+
-+# allow access to /home by default
-+userdom_manage_user_home_content_dirs(sftpd_t)
-+userdom_manage_user_home_content_files(sftpd_t)
-+userdom_manage_user_home_content_symlinks(sftpd_t)
-+
-+userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
-+
-+tunable_policy(`allow_sftpd_anon_write',`
-+ miscfiles_manage_public_files(sftpd_t)
-+')
-+
-+tunable_policy(`allow_sftpd_full_access',`
-+ allow sftpd_t self:capability { dac_override dac_read_search };
-+ fs_read_noxattr_fs_files(sftpd_t)
-+ auth_manage_all_files_except_shadow(sftpd_t)
-+')
-+
-+tunable_policy(`sftpd_ssh_home_dir',`
-+ ssh_manage_user_home_files(sftpd_t)
-+')
-+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_manage_nfs_dirs(sftpd_t)
-+ fs_manage_nfs_files(sftpd_t)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_manage_cifs_dirs(sftpd_t)
-+ fs_manage_cifs_files(sftpd_t)
-+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.7.7/policy/modules/services/sssd.if
--- nsaserefpolicy/policy/modules/services/sssd.if 2010-01-07 14:53:53.000000000 -0500
+++ serefpolicy-3.7.7/policy/modules/services/sssd.if 2010-01-11 09:53:58.000000000 -0500
@@ -25849,8 +26236,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.7/policy/modules/services/virt.fc
--- nsaserefpolicy/policy/modules/services/virt.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.7/policy/modules/services/virt.fc 2010-01-11 09:53:58.000000000 -0500
-@@ -8,5 +8,18 @@
++++ serefpolicy-3.7.7/policy/modules/services/virt.fc 2010-01-12 10:28:03.000000000 -0500
+@@ -4,9 +4,26 @@
+ /etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
+ /etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
+
++/etc/xen -d gen_context(system_u:object_r:virt_etc_t,s0)
++/etc/xen/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0)
++/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
++/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
+ /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
@@ -26574,7 +26969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.
corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.7/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.7/policy/modules/services/xserver.fc 2010-01-11 09:53:58.000000000 -0500
++++ serefpolicy-3.7.7/policy/modules/services/xserver.fc 2010-01-14 09:21:39.000000000 -0500
@@ -3,12 +3,21 @@
#
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
@@ -26609,16 +27004,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
#
# /opt
#
-@@ -47,8 +51,6 @@
+@@ -47,21 +51,22 @@
# /tmp
#
-/tmp/\.ICE-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
-/tmp/\.ICE-unix/.* -s <<none>>
/tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0)
- /tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
- /tmp/\.X11-unix/.* -s <<none>>
-@@ -58,10 +60,14 @@
+-/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
+-/tmp/\.X11-unix/.* -s <<none>>
++/tmp/\.X11-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0)
+
+ #
+ # /usr
#
/usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
@@ -26633,7 +27031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
ifdef(`distro_debian', `
-@@ -89,17 +95,37 @@
+@@ -89,17 +94,37 @@
/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
@@ -26676,7 +27074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+/var/lib/nxserver/home/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.7/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.7/policy/modules/services/xserver.if 2010-01-11 09:53:58.000000000 -0500
++++ serefpolicy-3.7.7/policy/modules/services/xserver.if 2010-01-14 14:21:14.000000000 -0500
@@ -19,7 +19,7 @@
interface(`xserver_restricted_role',`
gen_require(`
@@ -26686,7 +27084,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
type iceauth_t, iceauth_exec_t, iceauth_home_t;
type xauth_t, xauth_exec_t, xauth_home_t;
')
-@@ -56,6 +56,13 @@
+@@ -45,6 +45,7 @@
+ manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+
+ stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
++ allow $2 xserver_tmp_t:sock_file unlink;
+ files_search_tmp($2)
+
+ # Communicate via System V shared memory.
+@@ -56,6 +57,13 @@
domtrans_pattern($2, iceauth_exec_t, iceauth_t)
@@ -26700,7 +27106,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow $2 iceauth_home_t:file read_file_perms;
domtrans_pattern($2, xauth_exec_t, xauth_t)
-@@ -71,9 +78,10 @@
+@@ -71,9 +79,10 @@
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
allow $2 xdm_t:fifo_file { getattr read write ioctl };
@@ -26713,7 +27119,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Client read xserver shm
allow $2 xserver_t:fd use;
-@@ -96,7 +104,6 @@
+@@ -96,7 +105,6 @@
miscfiles_read_fonts($2)
xserver_common_x_domain_template(user, $2)
@@ -26721,7 +27127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_xsession_entry_type($2)
xserver_dontaudit_write_log($2)
xserver_stream_connect_xdm($2)
-@@ -104,6 +111,7 @@
+@@ -104,6 +112,7 @@
xserver_read_xdm_pid($2)
# gnome-session creates socket under /tmp/.ICE-unix/
xserver_create_xdm_tmp_sockets($2)
@@ -26729,7 +27135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Needed for escd, remove if we get escd policy
xserver_manage_xdm_tmp_files($2)
-@@ -162,7 +170,6 @@
+@@ -162,7 +171,6 @@
manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
@@ -26737,7 +27143,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
#######################################
-@@ -197,7 +204,7 @@
+@@ -197,7 +205,7 @@
allow $1 xserver_t:process signal;
# Read /tmp/.X0-lock
@@ -26746,7 +27152,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Client read xserver shm
allow $1 xserver_t:fd use;
-@@ -260,12 +267,12 @@
+@@ -260,12 +268,12 @@
allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
@@ -26762,7 +27168,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow $1 xdm_tmp_t:dir search;
allow $1 xdm_tmp_t:sock_file { read write };
dontaudit $1 xdm_t:tcp_socket { read write };
-@@ -445,6 +452,7 @@
+@@ -445,6 +453,7 @@
xserver_use_user_fonts($2)
xserver_read_xdm_tmp_files($2)
@@ -26770,7 +27176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# X object manager
xserver_object_types_template($1)
-@@ -514,6 +522,12 @@
+@@ -514,6 +523,12 @@
')
domtrans_pattern($1, xauth_exec_t, xauth_t)
@@ -26783,7 +27189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -567,6 +581,7 @@
+@@ -567,6 +582,7 @@
allow $1 xauth_home_t:file read_file_perms;
userdom_search_user_home_dirs($1)
@@ -26791,7 +27197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -774,7 +789,7 @@
+@@ -774,7 +790,7 @@
')
files_search_pids($1)
@@ -26800,7 +27206,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -1219,3 +1234,329 @@
+@@ -1219,3 +1235,329 @@
typeattribute $1 x_domain;
typeattribute $1 xserver_unconfined_type;
')
@@ -28404,6 +28810,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.
dev_read_sysfs(getty_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.7.7/policy/modules/system/hotplug.te
+--- nsaserefpolicy/policy/modules/system/hotplug.te 2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.7.7/policy/modules/system/hotplug.te 2010-01-14 09:14:35.000000000 -0500
+@@ -125,6 +125,10 @@
+ ')
+
+ optional_policy(`
++ brctl_domtrans(hotplug_t)
++')
++
++optional_policy(`
+ consoletype_exec(hotplug_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.7.7/policy/modules/system/init.fc
--- nsaserefpolicy/policy/modules/system/init.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.7/policy/modules/system/init.fc 2010-01-11 09:53:58.000000000 -0500
@@ -28432,7 +28852,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
# /var
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.7/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.7/policy/modules/system/init.if 2010-01-11 10:12:28.000000000 -0500
++++ serefpolicy-3.7.7/policy/modules/system/init.if 2010-01-14 10:25:44.000000000 -0500
@@ -162,6 +162,7 @@
gen_require(`
attribute direct_run_init, direct_init, direct_init_entry;
@@ -28690,7 +29110,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.7/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.7/policy/modules/system/init.te 2010-01-11 10:27:23.000000000 -0500
++++ serefpolicy-3.7.7/policy/modules/system/init.te 2010-01-14 15:15:41.000000000 -0500
@@ -17,6 +17,20 @@
## </desc>
gen_tunable(init_upstart, false)
@@ -28756,7 +29176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
')
-@@ -189,6 +208,18 @@
+@@ -189,6 +208,22 @@
')
optional_policy(`
@@ -28764,6 +29184,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
+')
+
+optional_policy(`
++ dbus_system_bus_client(init_t)
++')
++
++optional_policy(`
+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
+ # the directory. But we do not want to allow this.
@@ -28775,7 +29199,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
nscd_socket_use(init_t)
')
-@@ -202,9 +233,10 @@
+@@ -202,9 +237,10 @@
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -28787,7 +29211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
# Allow IPC with self
allow initrc_t self:unix_dgram_socket create_socket_perms;
-@@ -217,7 +249,8 @@
+@@ -217,7 +253,8 @@
term_create_pty(initrc_t, initrc_devpts_t)
# Going to single user mode
@@ -28797,7 +29221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
can_exec(initrc_t, init_script_file_type)
-@@ -230,10 +263,16 @@
+@@ -230,10 +267,16 @@
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -28816,7 +29240,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
init_write_initctl(initrc_t)
-@@ -246,13 +285,19 @@
+@@ -246,13 +289,19 @@
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -28838,7 +29262,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
corenet_all_recvfrom_unlabeled(initrc_t)
corenet_all_recvfrom_netlabel(initrc_t)
-@@ -272,16 +317,66 @@
+@@ -272,16 +321,66 @@
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
@@ -28906,7 +29330,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -291,7 +386,7 @@
+@@ -291,7 +390,7 @@
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -28915,7 +29339,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -306,14 +401,15 @@
+@@ -306,14 +405,15 @@
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -28933,7 +29357,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
files_exec_etc_files(initrc_t)
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
-@@ -324,48 +420,16 @@
+@@ -324,48 +424,16 @@
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -28986,7 +29410,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
logging_send_syslog_msg(initrc_t)
logging_manage_generic_logs(initrc_t)
logging_read_all_logs(initrc_t)
-@@ -374,19 +438,22 @@
+@@ -374,19 +442,22 @@
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -29010,7 +29434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -422,16 +489,12 @@
+@@ -422,16 +493,12 @@
# init scripts touch this
clock_dontaudit_write_adjtime(initrc_t)
@@ -29028,7 +29452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
arpwatch_manage_data_files(initrc_t)
-@@ -450,11 +513,9 @@
+@@ -450,11 +517,9 @@
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -29041,7 +29465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
# These seem to be from the initrd
# during device initialization:
dev_create_generic_dirs(initrc_t)
-@@ -464,6 +525,7 @@
+@@ -464,6 +529,7 @@
storage_raw_read_fixed_disk(initrc_t)
storage_raw_write_fixed_disk(initrc_t)
@@ -29049,7 +29473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
# wants to read /.fonts directory
-@@ -492,15 +554,26 @@
+@@ -492,15 +558,26 @@
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@@ -29076,7 +29500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -515,6 +588,33 @@
+@@ -515,6 +592,33 @@
')
')
@@ -29110,7 +29534,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -567,10 +667,19 @@
+@@ -567,10 +671,19 @@
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -29130,7 +29554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -590,6 +699,10 @@
+@@ -590,6 +703,10 @@
')
optional_policy(`
@@ -29141,7 +29565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
dev_read_usbfs(initrc_t)
# init scripts run /etc/hotplug/usb.rc
-@@ -646,20 +759,20 @@
+@@ -646,20 +763,20 @@
')
optional_policy(`
@@ -29168,7 +29592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
ifdef(`distro_redhat',`
-@@ -668,6 +781,7 @@
+@@ -668,6 +785,7 @@
mysql_stream_connect(initrc_t)
mysql_write_log(initrc_t)
@@ -29176,7 +29600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -700,7 +814,6 @@
+@@ -700,7 +818,6 @@
')
optional_policy(`
@@ -29184,7 +29608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -722,8 +835,6 @@
+@@ -722,8 +839,6 @@
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -29193,7 +29617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -736,13 +847,16 @@
+@@ -736,13 +851,16 @@
squid_manage_logs(initrc_t)
')
@@ -29210,7 +29634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -751,6 +865,7 @@
+@@ -751,6 +869,7 @@
optional_policy(`
udev_rw_db(initrc_t)
@@ -29218,7 +29642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -758,7 +873,17 @@
+@@ -758,7 +877,17 @@
')
optional_policy(`
@@ -29236,7 +29660,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -768,6 +893,21 @@
+@@ -768,6 +897,21 @@
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -29258,7 +29682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -793,3 +933,31 @@
+@@ -793,3 +937,31 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -31384,7 +31808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.7/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.7/policy/modules/system/selinuxutil.te 2010-01-11 09:53:58.000000000 -0500
++++ serefpolicy-3.7.7/policy/modules/system/selinuxutil.te 2010-01-14 10:26:10.000000000 -0500
@@ -23,6 +23,9 @@
type selinux_config_t;
files_type(selinux_config_t)
@@ -31442,7 +31866,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
########################################
#
# Checkpolicy local policy
-@@ -191,15 +204,6 @@
+@@ -177,6 +190,7 @@
+
+ init_use_script_fds(load_policy_t)
+ init_use_script_ptys(load_policy_t)
++init_write_script_pipes(load_policy_t)
+
+ miscfiles_read_localization(load_policy_t)
+
+@@ -191,15 +205,6 @@
')
')
@@ -31458,7 +31890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
########################################
#
# Newrole local policy
-@@ -217,7 +221,7 @@
+@@ -217,7 +222,7 @@
allow newrole_t self:msg { send receive };
allow newrole_t self:unix_dgram_socket sendto;
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -31467,7 +31899,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
read_files_pattern(newrole_t, default_context_t, default_context_t)
read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
-@@ -270,12 +274,14 @@
+@@ -270,12 +275,14 @@
init_rw_utmp(newrole_t)
init_use_fds(newrole_t)
@@ -31482,7 +31914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# for some PAM modules and for cwd
userdom_dontaudit_search_user_home_content(newrole_t)
userdom_search_user_home_dirs(newrole_t)
-@@ -313,6 +319,8 @@
+@@ -313,6 +320,8 @@
kernel_rw_pipes(restorecond_t)
kernel_read_system_state(restorecond_t)
@@ -31491,7 +31923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
fs_relabelfrom_noxattr_fs(restorecond_t)
fs_dontaudit_list_nfs(restorecond_t)
fs_getattr_xattr_fs(restorecond_t)
-@@ -336,6 +344,8 @@
+@@ -336,6 +345,8 @@
seutil_libselinux_linked(restorecond_t)
@@ -31500,7 +31932,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(restorecond_t)
-@@ -354,7 +364,7 @@
+@@ -354,7 +365,7 @@
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file rw_file_perms;
@@ -31509,7 +31941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
-@@ -383,7 +393,6 @@
+@@ -383,7 +394,6 @@
auth_use_nsswitch(run_init_t)
auth_domtrans_chk_passwd(run_init_t)
@@ -31517,7 +31949,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
auth_dontaudit_read_shadow(run_init_t)
init_spec_domtrans_script(run_init_t)
-@@ -406,6 +415,10 @@
+@@ -406,6 +416,10 @@
')
')
@@ -31528,7 +31960,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(run_init_t)
-@@ -421,61 +434,22 @@
+@@ -421,61 +435,22 @@
# semodule local policy
#
@@ -31598,7 +32030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)
-@@ -484,12 +458,23 @@
+@@ -484,12 +459,23 @@
files_read_var_lib_symlinks(semanage_t)
')
@@ -31622,7 +32054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
# read secadm tmp files
-@@ -499,111 +484,43 @@
+@@ -499,111 +485,43 @@
userdom_read_user_tmp_files(semanage_t)
')
@@ -32288,7 +32720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.7.7/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.7/policy/modules/system/unconfined.if 2010-01-11 09:53:58.000000000 -0500
++++ serefpolicy-3.7.7/policy/modules/system/unconfined.if 2010-01-13 14:39:35.000000000 -0500
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@@ -32360,7 +32792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
optional_policy(`
-@@ -111,16 +123,16 @@
+@@ -111,16 +123,15 @@
## </param>
#
interface(`unconfined_domain',`
@@ -32373,7 +32805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
tunable_policy(`allow_execheap',`
auditallow $1 self:process execheap;
')
-
+-
-# Turn off this audit for FC5
-# tunable_policy(`allow_execmem',`
-# auditallow $1 self:process execmem;
@@ -32381,7 +32813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
########################################
-@@ -173,411 +185,3 @@
+@@ -173,411 +184,3 @@
refpolicywarn(`$0($1) has been deprecated.')
')
@@ -33027,12 +33459,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.7/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.7/policy/modules/system/userdomain.fc 2010-01-11 09:53:58.000000000 -0500
-@@ -1,4 +1,10 @@
++++ serefpolicy-3.7.7/policy/modules/system/userdomain.fc 2010-01-14 09:22:34.000000000 -0500
+@@ -1,4 +1,11 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
-
++/tmp/\.ICE-unix(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
/tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0)
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
+/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0)
@@ -35549,7 +35982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.7/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.7/policy/modules/system/xen.te 2010-01-11 09:53:58.000000000 -0500
++++ serefpolicy-3.7.7/policy/modules/system/xen.te 2010-01-12 10:27:16.000000000 -0500
@@ -85,6 +85,7 @@
type xenconsoled_t;
type xenconsoled_exec_t;
@@ -35602,7 +36035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
storage_raw_read_fixed_disk(xenstored_t)
storage_raw_write_fixed_disk(xenstored_t)
storage_raw_read_removable_device(xenstored_t)
-@@ -421,6 +431,12 @@
+@@ -421,7 +431,14 @@
xen_stream_connect_xenstore(xm_t)
optional_policy(`
@@ -35613,9 +36046,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
+
+optional_policy(`
virt_manage_images(xm_t)
++ virt_manage_config(xm_t)
virt_stream_connect(xm_t)
')
-@@ -438,6 +454,8 @@
+
+@@ -438,6 +455,8 @@
fs_manage_xenfs_dirs(xm_ssh_t)
fs_manage_xenfs_files(xm_ssh_t)
@@ -35626,7 +36061,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
files_search_mnt(xend_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.7/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.7/policy/support/obj_perm_sets.spt 2010-01-11 09:53:58.000000000 -0500
++++ serefpolicy-3.7.7/policy/support/obj_perm_sets.spt 2010-01-14 09:16:41.000000000 -0500
+@@ -28,7 +28,7 @@
+ #
+ # All socket classes.
+ #
+-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }')
++define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
+
+
+ #
@@ -199,12 +199,14 @@
#
define(`getattr_file_perms',`{ getattr }')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 91386ed..0b0225e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.7
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -455,6 +455,10 @@ exit 0
%endif
%changelog
+* Thu Jan 7 2010 Dan Walsh <dwalsh@redhat.com> 3.7.7-2
+- Turn on puppet policy
+- Update to dgrift git policy
+
* Mon Jan 7 2010 Dan Walsh <dwalsh@redhat.com> 3.7.7-1
- Move users file to selection by spec file.
- Allow vncserver to run as unconfined_u:unconfined_r:unconfined_t