diff --git a/modules-targeted.conf b/modules-targeted.conf
index 474c0b5..f2fc695 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -479,6 +479,13 @@ gnome = module
 # 
 hal = module
 
+# Layer: services
+# Module: polkit
+#
+# Hardware abstraction layer
+# 
+polkit = module
+
 # Layer: system
 # Module: hostname
 #
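Review bot: The description comment in the added polkit stanza, `# Hardware abstraction layer`, does not describe polkit and appears to be copied from the `hal = module` entry just above (that entry's own comment lies outside the hunk). A line such as `# PolicyKit authorization framework` would keep the module list accurate for anyone auditing which policy modules are enabled.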
diff --git a/policy-20071130.patch b/policy-20071130.patch
index 03f871f..03e1063 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -1,6 +1,6 @@
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.2.3/config/appconfig-mcs/default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/default_contexts	2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.3/config/appconfig-mcs/default_contexts	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/config/appconfig-mcs/default_contexts	2007-12-06 16:37:24.000000000 -0500
 @@ -1,15 +1,9 @@
 -system_r:crond_t:s0		user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0
 -system_r:local_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
@@ -28,13 +28,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default
 +system_r:xdm_t:s0		system_r:unconfined_t:s0
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.2.3/config/appconfig-mcs/failsafe_context
 --- nsaserefpolicy/config/appconfig-mcs/failsafe_context	2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.3/config/appconfig-mcs/failsafe_context	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/config/appconfig-mcs/failsafe_context	2007-12-06 16:37:24.000000000 -0500
 @@ -1 +1 @@
 -sysadm_r:sysadm_t:s0
 +system_r:unconfined_t:s0
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts serefpolicy-3.2.3/config/appconfig-mcs/guest_u_default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/config/appconfig-mcs/guest_u_default_contexts	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/config/appconfig-mcs/guest_u_default_contexts	2007-12-06 16:37:24.000000000 -0500
 @@ -0,0 +1,4 @@
 +system_r:local_login_t:s0	guest_r:guest_t:s0
 +system_r:remote_login_t:s0	guest_r:guest_t:s0
@@ -42,7 +42,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u
 +system_r:crond_t:s0		guest_r:guest_crond_t:s0
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.2.3/config/appconfig-mcs/root_default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/root_default_contexts	2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.3/config/appconfig-mcs/root_default_contexts	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/config/appconfig-mcs/root_default_contexts	2007-12-06 16:37:24.000000000 -0500
 @@ -1,11 +1,10 @@
 -system_r:crond_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
 -system_r:local_login_t:s0	unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
@@ -64,7 +64,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_de
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.2.3/config/appconfig-mcs/seusers
 --- nsaserefpolicy/config/appconfig-mcs/seusers	2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.3/config/appconfig-mcs/seusers	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/config/appconfig-mcs/seusers	2007-12-06 16:37:24.000000000 -0500
 @@ -1,3 +1,2 @@
 -system_u:system_u:s0-mcs_systemhigh
  root:root:s0-mcs_systemhigh
@@ -72,13 +72,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers
 +__default__:system_u:s0
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.2.3/config/appconfig-mcs/userhelper_context
 --- nsaserefpolicy/config/appconfig-mcs/userhelper_context	2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.3/config/appconfig-mcs/userhelper_context	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/config/appconfig-mcs/userhelper_context	2007-12-06 16:37:24.000000000 -0500
 @@ -1 +1 @@
 -system_u:sysadm_r:sysadm_t:s0
 +system_u:system_r:unconfined_t:s0	
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.2.3/config/appconfig-mcs/user_u_default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts	2007-11-05 10:28:59.000000000 -0500
-+++ serefpolicy-3.2.3/config/appconfig-mcs/user_u_default_contexts	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/config/appconfig-mcs/user_u_default_contexts	2007-12-06 16:37:24.000000000 -0500
 @@ -1,8 +1,7 @@
 -system_r:local_login_t:s0	user_r:user_t:s0
 -system_r:remote_login_t:s0	user_r:user_t:s0
@@ -97,7 +97,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_
 +user_r:user_sudo_t:s0		system_r:unconfined_t:s0 user_r:user_t:s0
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.2.3/config/appconfig-mcs/xguest_u_default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/config/appconfig-mcs/xguest_u_default_contexts	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/config/appconfig-mcs/xguest_u_default_contexts	2007-12-06 16:37:24.000000000 -0500
 @@ -0,0 +1,5 @@
 +system_r:local_login_t	xguest_r:xguest_t:s0
 +system_r:remote_login_t	xguest_r:xguest_t:s0
@@ -106,7 +106,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_
 +system_r:xdm_t		xguest_r:xguest_t:s0
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.2.3/config/appconfig-mls/default_contexts
 --- nsaserefpolicy/config/appconfig-mls/default_contexts	2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.3/config/appconfig-mls/default_contexts	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/config/appconfig-mls/default_contexts	2007-12-06 16:37:24.000000000 -0500
 @@ -1,15 +1,12 @@
 -system_r:crond_t:s0		user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0
 -system_r:local_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
@@ -136,7 +136,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default
 +user_r:user_sudo_t:s0	sysadm_r:sysadm_t:s0 user_r:user_t:s0
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts serefpolicy-3.2.3/config/appconfig-mls/guest_u_default_contexts
 --- nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/config/appconfig-mls/guest_u_default_contexts	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/config/appconfig-mls/guest_u_default_contexts	2007-12-06 16:37:24.000000000 -0500
 @@ -0,0 +1,4 @@
 +system_r:local_login_t:s0	guest_r:guest_t:s0
 +system_r:remote_login_t:s0	guest_r:guest_t:s0
@@ -144,7 +144,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u
 +system_r:crond_t:s0		guest_r:guest_crond_t:s0
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts serefpolicy-3.2.3/config/appconfig-standard/guest_u_default_contexts
 --- nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/config/appconfig-standard/guest_u_default_contexts	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/config/appconfig-standard/guest_u_default_contexts	2007-12-06 16:37:24.000000000 -0500
 @@ -0,0 +1,4 @@
 +system_r:local_login_t	guest_r:guest_t
 +system_r:remote_login_t	guest_r:guest_t
@@ -152,16 +152,52 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/gu
 +system_r:crond_t	guest_r:guest_crond_t
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts serefpolicy-3.2.3/config/appconfig-standard/xguest_u_default_contexts
 --- nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/config/appconfig-standard/xguest_u_default_contexts	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/config/appconfig-standard/xguest_u_default_contexts	2007-12-06 16:37:24.000000000 -0500
 @@ -0,0 +1,5 @@
 +system_r:local_login_t	xguest_r:xguest_t
 +system_r:remote_login_t	xguest_r:xguest_t
 +system_r:sshd_t		xguest_r:xguest_t
 +system_r:crond_t	xguest_r:xguest_crond_t
 +system_r:xdm_t		xguest_r:xguest_t
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.2.3/Makefile
+--- nsaserefpolicy/Makefile	2007-10-12 08:56:10.000000000 -0400
++++ serefpolicy-3.2.3/Makefile	2007-12-11 00:02:37.000000000 -0500
+@@ -305,20 +305,22 @@
+ 
+ # parse-rolemap modulename,outputfile
+ define parse-rolemap
+-	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+-		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
++	echo "" >> $2
++#	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
++#		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+ endef
+ 
+ # perrole-expansion modulename,outputfile
+ define perrole-expansion
+-	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
+-	$(call parse-rolemap,$1,$2)
+-	$(verbose) echo "')" >> $2
+-
+-	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
+-	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
+-	$(call parse-rolemap-compat,$1,$2)
+-	$(verbose) echo "')" >> $2
++	echo "No longer doing perrole-expansion"
++#	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
++#	$(call parse-rolemap,$1,$2)
++#	$(verbose) echo "')" >> $2
++
++#	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
++#	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
++#	$(call parse-rolemap-compat,$1,$2)
++#	$(verbose) echo "')" >> $2
+ endef
+ 
+ # create-base-per-role-tmpl modulenames,outputfile
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.2.3/policy/flask/access_vectors
 --- nsaserefpolicy/policy/flask/access_vectors	2007-08-11 06:22:29.000000000 -0400
-+++ serefpolicy-3.2.3/policy/flask/access_vectors	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/flask/access_vectors	2007-12-06 16:37:24.000000000 -0500
 @@ -639,6 +639,8 @@
  	send
  	recv
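Review bot: The added Makefile section turns `perrole-expansion` into an `echo` that never writes `$2`, whereas the old first line created that file with `>`; the callers are outside this hunk, so confirm nothing later reads a missing or stale output. If a no-op is intended, keeping the file creation with `$(verbose) : > $2` would be safer. The old recipe lines should be deleted rather than prefixed with `#`: inside `define`, make keeps `#` lines as text, so `$(call parse-rolemap,$1,$2)` and `$(call parse-rolemap-compat,$1,$2)` are still expanded and the result is handed to the shell when the macro runs in a recipe. Modules that still define a `_per_role_template` would presumably build without their per-role rules and with only this message as a hint, which is worth a comment above the macro, e.g. `# per-role expansion disabled: <reason>`. Both new `echo` lines also omit the `$(verbose)` prefix used on the lines they replace.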
@@ -173,7 +209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors 
  class key
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.2.3/policy/global_tunables
 --- nsaserefpolicy/policy/global_tunables	2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.3/policy/global_tunables	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/global_tunables	2007-12-06 16:37:24.000000000 -0500
 @@ -6,38 +6,35 @@
  
  ## <desc>
@@ -259,7 +295,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc serefpolicy-3.2.3/policy/modules/admin/alsa.fc
 --- nsaserefpolicy/policy/modules/admin/alsa.fc	2007-10-29 18:02:32.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/admin/alsa.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/admin/alsa.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -1,8 +1,11 @@
  
 +/etc/alsa/asound\.state --	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
@@ -276,7 +312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc
 +/bin/alsaunmute		--	gen_context(system_u:object_r:alsa_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.2.3/policy/modules/admin/alsa.if
 --- nsaserefpolicy/policy/modules/admin/alsa.if	2007-01-02 12:57:51.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/admin/alsa.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/admin/alsa.if	2007-12-06 16:37:24.000000000 -0500
 @@ -74,3 +74,21 @@
  	read_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)
  	read_lnk_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)
@@ -301,7 +337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.2.3/policy/modules/admin/alsa.te
 --- nsaserefpolicy/policy/modules/admin/alsa.te	2007-10-29 18:02:32.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/admin/alsa.te	2007-12-06 14:18:59.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/admin/alsa.te	2007-12-06 16:37:24.000000000 -0500
 @@ -8,12 +8,15 @@
  
  type alsa_t;
@@ -352,7 +388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
  	hal_use_fds(alsa_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.2.3/policy/modules/admin/anaconda.te
 --- nsaserefpolicy/policy/modules/admin/anaconda.te	2007-01-02 12:57:51.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/admin/anaconda.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/admin/anaconda.te	2007-12-06 16:37:24.000000000 -0500
 @@ -31,16 +31,13 @@
  modutils_domtrans_insmod(anaconda_t)
  
@@ -373,7 +409,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anacond
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.2.3/policy/modules/admin/brctl.te
 --- nsaserefpolicy/policy/modules/admin/brctl.te	2007-10-23 07:37:52.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/admin/brctl.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/admin/brctl.te	2007-12-06 16:37:24.000000000 -0500
 @@ -40,4 +40,5 @@
  
  optional_policy(`
@@ -382,7 +418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.t
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.2.3/policy/modules/admin/consoletype.te
 --- nsaserefpolicy/policy/modules/admin/consoletype.te	2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/admin/consoletype.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/admin/consoletype.te	2007-12-06 16:37:24.000000000 -0500
 @@ -8,9 +8,11 @@
  
  type consoletype_t;
@@ -431,7 +467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.2.3/policy/modules/admin/firstboot.te
 --- nsaserefpolicy/policy/modules/admin/firstboot.te	2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/admin/firstboot.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/admin/firstboot.te	2007-12-06 16:37:24.000000000 -0500
 @@ -120,6 +120,10 @@
  	usermanage_domtrans_admin_passwd(firstboot_t)
  ')
@@ -453,7 +489,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstbo
  ') dnl end TODO
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.fc serefpolicy-3.2.3/policy/modules/admin/kismet.fc
 --- nsaserefpolicy/policy/modules/admin/kismet.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/admin/kismet.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/admin/kismet.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -0,0 +1,5 @@
 +
 +/usr/bin/kismet	--	gen_context(system_u:object_r:kismet_exec_t,s0)
@@ -462,7 +498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
 +/var/log/kismet(/.*)?			gen_context(system_u:object_r:kismet_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.2.3/policy/modules/admin/kismet.if
 --- nsaserefpolicy/policy/modules/admin/kismet.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/admin/kismet.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/admin/kismet.if	2007-12-06 16:37:24.000000000 -0500
 @@ -0,0 +1,275 @@
 +
 +## <summary>policy for kismet</summary>
@@ -741,7 +777,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.2.3/policy/modules/admin/kismet.te
 --- nsaserefpolicy/policy/modules/admin/kismet.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/admin/kismet.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/admin/kismet.te	2007-12-06 16:37:24.000000000 -0500
 @@ -0,0 +1,58 @@
 +policy_module(kismet,1.0.0)
 +
@@ -803,7 +839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.2.3/policy/modules/admin/kudzu.te
 --- nsaserefpolicy/policy/modules/admin/kudzu.te	2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/admin/kudzu.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/admin/kudzu.te	2007-12-06 16:37:24.000000000 -0500
 @@ -21,8 +21,8 @@
  # Local policy
  #
@@ -865,7 +901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.t
 -')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.2.3/policy/modules/admin/logrotate.te
 --- nsaserefpolicy/policy/modules/admin/logrotate.te	2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/admin/logrotate.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/admin/logrotate.te	2007-12-06 16:37:24.000000000 -0500
 @@ -96,6 +96,7 @@
  files_read_etc_files(logrotate_t)
  files_read_etc_runtime_files(logrotate_t)
@@ -876,7 +912,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
  files_manage_generic_spool_dirs(logrotate_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.2.3/policy/modules/admin/logwatch.te
 --- nsaserefpolicy/policy/modules/admin/logwatch.te	2007-10-23 07:37:52.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/admin/logwatch.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/admin/logwatch.te	2007-12-06 16:37:24.000000000 -0500
 @@ -59,10 +59,8 @@
  files_read_usr_files(logwatch_t)
  files_search_spool(logwatch_t)
@@ -907,7 +943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.2.3/policy/modules/admin/netutils.te
 --- nsaserefpolicy/policy/modules/admin/netutils.te	2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/admin/netutils.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/admin/netutils.te	2007-12-06 16:37:24.000000000 -0500
 @@ -94,6 +94,10 @@
  ')
  
@@ -936,7 +972,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.2.3/policy/modules/admin/prelink.te
 --- nsaserefpolicy/policy/modules/admin/prelink.te	2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/admin/prelink.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/admin/prelink.te	2007-12-06 16:37:24.000000000 -0500
 @@ -26,7 +26,7 @@
  # Local policy
  #
@@ -996,7 +1032,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.2.3/policy/modules/admin/rpm.fc
 --- nsaserefpolicy/policy/modules/admin/rpm.fc	2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/admin/rpm.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/admin/rpm.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -11,6 +11,7 @@
  
  /usr/sbin/system-install-packages --	gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -1017,7 +1053,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc 
  /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.2.3/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2007-05-18 11:12:44.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/admin/rpm.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/admin/rpm.if	2007-12-06 16:37:24.000000000 -0500
 @@ -152,6 +152,24 @@
  
  ########################################
@@ -1213,7 +1249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if 
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.2.3/policy/modules/admin/rpm.te
 --- nsaserefpolicy/policy/modules/admin/rpm.te	2007-12-04 11:02:51.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/admin/rpm.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/admin/rpm.te	2007-12-06 16:37:24.000000000 -0500
 @@ -179,7 +179,17 @@
  ')
  
@@ -1268,7 +1304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te 
  		java_domtrans(rpm_script_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.2.3/policy/modules/admin/sudo.if
 --- nsaserefpolicy/policy/modules/admin/sudo.if	2007-12-04 11:02:51.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/admin/sudo.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/admin/sudo.if	2007-12-06 16:37:24.000000000 -0500
 @@ -55,7 +55,7 @@
  	#
  
@@ -1340,7 +1376,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.2.3/policy/modules/admin/su.if
 --- nsaserefpolicy/policy/modules/admin/su.if	2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/admin/su.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/admin/su.if	2007-12-06 16:37:24.000000000 -0500
 @@ -41,12 +41,11 @@
  
  	allow $2 $1_su_t:process signal;
@@ -1442,7 +1478,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
  #######################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.2.3/policy/modules/admin/tmpreaper.te
 --- nsaserefpolicy/policy/modules/admin/tmpreaper.te	2007-10-02 09:54:52.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/admin/tmpreaper.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/admin/tmpreaper.te	2007-12-06 16:37:24.000000000 -0500
 @@ -28,6 +28,7 @@
  files_purge_tmp(tmpreaper_t)
  # why does it need setattr?
@@ -1464,7 +1500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.2.3/policy/modules/admin/usermanage.te
 --- nsaserefpolicy/policy/modules/admin/usermanage.te	2007-12-04 11:02:51.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/admin/usermanage.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/admin/usermanage.te	2007-12-06 16:37:24.000000000 -0500
 @@ -92,6 +92,7 @@
  dev_read_urand(chfn_t)
  
@@ -1504,7 +1540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.fc serefpolicy-3.2.3/policy/modules/admin/vpn.fc
 --- nsaserefpolicy/policy/modules/admin/vpn.fc	2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/admin/vpn.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/admin/vpn.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -7,3 +7,5 @@
  # sbin
  #
@@ -1513,7 +1549,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.fc 
 +/var/run/vpnc(/.*)?		gen_context(system_u:object_r:vpnc_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if serefpolicy-3.2.3/policy/modules/admin/vpn.if
 --- nsaserefpolicy/policy/modules/admin/vpn.if	2007-01-02 12:57:51.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/admin/vpn.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/admin/vpn.if	2007-12-06 16:37:24.000000000 -0500
 @@ -67,3 +67,25 @@
  
  	allow $1 vpnc_t:process signal;
@@ -1542,7 +1578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if 
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.2.3/policy/modules/admin/vpn.te
 --- nsaserefpolicy/policy/modules/admin/vpn.te	2007-12-06 13:12:04.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/admin/vpn.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/admin/vpn.te	2007-12-06 16:37:24.000000000 -0500
 @@ -22,10 +22,9 @@
  # Local policy
  #
@@ -1597,7 +1633,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te 
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.fc serefpolicy-3.2.3/policy/modules/apps/ethereal.fc
 --- nsaserefpolicy/policy/modules/apps/ethereal.fc	2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/ethereal.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/ethereal.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -1,4 +1,4 @@
 -HOME_DIR/\.ethereal(/.*)? 		gen_context(system_u:object_r:ROLE_ethereal_home_t,s0)
 +HOME_DIR/\.ethereal(/.*)? 		gen_context(system_u:object_r:user_ethereal_home_t,s0)
@@ -1606,7 +1642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal
  /usr/sbin/tethereal.*		--	gen_context(system_u:object_r:tethereal_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.if serefpolicy-3.2.3/policy/modules/apps/ethereal.if
 --- nsaserefpolicy/policy/modules/apps/ethereal.if	2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/ethereal.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/ethereal.if	2007-12-06 16:37:24.000000000 -0500
 @@ -48,12 +48,10 @@
  	application_domain($1_ethereal_t,ethereal_exec_t)
  	role $3 types $1_ethereal_t;
@@ -1644,7 +1680,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal
  #######################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.te serefpolicy-3.2.3/policy/modules/apps/ethereal.te
 --- nsaserefpolicy/policy/modules/apps/ethereal.te	2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/ethereal.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/ethereal.te	2007-12-06 16:37:24.000000000 -0500
 @@ -16,6 +16,13 @@
  type tethereal_tmp_t;
  files_tmp_file(tethereal_tmp_t)
@@ -1661,7 +1697,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal
  # Tethereal policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/evolution.fc serefpolicy-3.2.3/policy/modules/apps/evolution.fc
 --- nsaserefpolicy/policy/modules/apps/evolution.fc	2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/evolution.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/evolution.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -2,13 +2,13 @@
  # HOME_DIR/
  #
@@ -1681,7 +1717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/evolutio
  # /usr
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.fc serefpolicy-3.2.3/policy/modules/apps/gift.fc
 --- nsaserefpolicy/policy/modules/apps/gift.fc	2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/gift.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/gift.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -1,4 +1,4 @@
 -HOME_DIR/\.giFT(/.*)?			gen_context(system_u:object_r:ROLE_gift_home_t,s0)
 +HOME_DIR/\.giFT(/.*)?			gen_context(system_u:object_r:user_gift_home_t,s0)
@@ -1690,7 +1726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.fc 
  /usr/(local/)?bin/giftd		--	gen_context(system_u:object_r:giftd_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.if serefpolicy-3.2.3/policy/modules/apps/gift.if
 --- nsaserefpolicy/policy/modules/apps/gift.if	2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/gift.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/gift.if	2007-12-06 16:37:24.000000000 -0500
 @@ -43,9 +43,9 @@
  	application_domain($1_gift_t,gift_exec_t)
  	role $3 types $1_gift_t;
@@ -1755,7 +1791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.if 
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.te serefpolicy-3.2.3/policy/modules/apps/gift.te
 --- nsaserefpolicy/policy/modules/apps/gift.te	2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/gift.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/gift.te	2007-12-06 16:37:24.000000000 -0500
 @@ -11,3 +11,7 @@
  
  type giftd_exec_t;
@@ -1766,7 +1802,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.te 
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.2.3/policy/modules/apps/gnome.fc
 --- nsaserefpolicy/policy/modules/apps/gnome.fc	2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/gnome.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/gnome.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -1,8 +1,7 @@
 -HOME_DIR/\.config/gtk-.*	gen_context(system_u:object_r:ROLE_gnome_home_t,s0)
 -HOME_DIR/\.gconf(d)?(/.*)?	gen_context(system_u:object_r:ROLE_gconf_home_t,s0)
@@ -1782,7 +1818,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc
  /usr/libexec/gconfd-2 	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.2.3/policy/modules/apps/gnome.if
 --- nsaserefpolicy/policy/modules/apps/gnome.if	2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/gnome.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/gnome.if	2007-12-06 16:37:24.000000000 -0500
 @@ -33,9 +33,60 @@
  ## </param>
  #
@@ -2015,7 +2051,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.2.3/policy/modules/apps/gnome.te
 --- nsaserefpolicy/policy/modules/apps/gnome.te	2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/gnome.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/gnome.te	2007-12-06 16:37:24.000000000 -0500
 @@ -8,8 +8,15 @@
  
  attribute gnomedomain;
@@ -2037,7 +2073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te
 +files_tmp_file(user_gconf_tmp_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.2.3/policy/modules/apps/gpg.fc
 --- nsaserefpolicy/policy/modules/apps/gpg.fc	2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/gpg.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/gpg.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -1,4 +1,4 @@
 -HOME_DIR/\.gnupg(/.+)?		gen_context(system_u:object_r:ROLE_gpg_secret_t,s0)
 +HOME_DIR/\.gnupg(/.+)?		gen_context(system_u:object_r:user_gpg_secret_t,s0)
@@ -2046,7 +2082,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc s
  /usr/bin/gpg-agent	--	gen_context(system_u:object_r:gpg_agent_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.fc serefpolicy-3.2.3/policy/modules/apps/irc.fc
 --- nsaserefpolicy/policy/modules/apps/irc.fc	2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/irc.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/irc.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -1,7 +1,7 @@
  #
  # /home
@@ -2058,7 +2094,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.fc s
  # /usr
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.if serefpolicy-3.2.3/policy/modules/apps/irc.if
 --- nsaserefpolicy/policy/modules/apps/irc.if	2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/irc.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/irc.if	2007-12-06 16:37:24.000000000 -0500
 @@ -50,12 +50,11 @@
  	userdom_user_home_content($1,$1_irc_exec_t)
  	application_domain($1_irc_t,$1_irc_exec_t)
@@ -2107,7 +2143,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.if s
  	domtrans_pattern($2,irc_exec_t,$1_irc_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.te serefpolicy-3.2.3/policy/modules/apps/irc.te
 --- nsaserefpolicy/policy/modules/apps/irc.te	2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/irc.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/irc.te	2007-12-06 16:37:24.000000000 -0500
 @@ -8,3 +8,10 @@
  
  type irc_exec_t;
@@ -2121,7 +2157,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.te s
 +	
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.2.3/policy/modules/apps/java.fc
 --- nsaserefpolicy/policy/modules/apps/java.fc	2007-03-01 10:01:48.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/apps/java.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/java.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -11,6 +11,7 @@
  #
  /usr/(.*/)?bin/java.* 	--	gen_context(system_u:object_r:java_exec_t,s0)
@@ -2144,7 +2180,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc 
 +/usr/bin/octave-[^/]*  	--	gen_context(system_u:object_r:java_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.2.3/policy/modules/apps/java.if
 --- nsaserefpolicy/policy/modules/apps/java.if	2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/java.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/java.if	2007-12-06 16:37:24.000000000 -0500
 @@ -32,7 +32,7 @@
  ##	</summary>
  ## </param>
@@ -2302,7 +2338,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if 
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.2.3/policy/modules/apps/java.te
 --- nsaserefpolicy/policy/modules/apps/java.te	2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/java.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/java.te	2007-12-06 16:37:24.000000000 -0500
 @@ -6,13 +6,6 @@
  # Declarations
  #
@@ -2346,7 +2382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te 
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.2.3/policy/modules/apps/loadkeys.te
 --- nsaserefpolicy/policy/modules/apps/loadkeys.te	2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/loadkeys.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/loadkeys.te	2007-12-06 16:37:24.000000000 -0500
 @@ -44,3 +44,5 @@
  optional_policy(`
  	nscd_dontaudit_search_pid(loadkeys_t)
@@ -2355,7 +2391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys
 +userdom_dontaudit_write_unpriv_user_home_content_files(loadkeys_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.2.3/policy/modules/apps/mono.if
 --- nsaserefpolicy/policy/modules/apps/mono.if	2007-01-02 12:57:22.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/apps/mono.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/mono.if	2007-12-06 16:37:24.000000000 -0500
 @@ -18,3 +18,105 @@
  	corecmd_search_bin($1)
  	domtrans_pattern($1, mono_exec_t, mono_t)
@@ -2464,7 +2500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if 
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.2.3/policy/modules/apps/mono.te
 --- nsaserefpolicy/policy/modules/apps/mono.te	2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/mono.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/mono.te	2007-12-06 16:37:24.000000000 -0500
 @@ -15,7 +15,7 @@
  # Local policy
  #
@@ -2484,7 +2520,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te 
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.2.3/policy/modules/apps/mozilla.fc
 --- nsaserefpolicy/policy/modules/apps/mozilla.fc	2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/mozilla.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/mozilla.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -1,8 +1,8 @@
 -HOME_DIR/\.galeon(/.*)?			gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
 -HOME_DIR/\.java(/.*)?			gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
@@ -2501,7 +2537,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  # /bin
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.2.3/policy/modules/apps/mozilla.if
 --- nsaserefpolicy/policy/modules/apps/mozilla.if	2007-10-29 07:52:48.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/mozilla.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/mozilla.if	2007-12-11 00:24:49.000000000 -0500
 @@ -35,7 +35,10 @@
  template(`mozilla_per_role_template',`
  	gen_require(`
@@ -2628,7 +2664,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  
  	# Look for plugins 
  	corecmd_list_bin($1_mozilla_t)
-@@ -165,11 +197,21 @@
+@@ -165,11 +197,23 @@
  	files_read_var_files($1_mozilla_t)
  	files_read_var_symlinks($1_mozilla_t)
   	files_dontaudit_getattr_boot_dirs($1_mozilla_t)
@@ -2643,6 +2679,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  
  	fs_search_auto_mountpoints($1_mozilla_t)
  	fs_list_inotifyfs($1_mozilla_t)
++	fs_manage_dos_dirs($1_mozilla_t)
++	fs_manage_dos_files($1_mozilla_t)
  	fs_rw_tmpfs_files($1_mozilla_t)
  
 +	selinux_dontaudit_getattr_fs($1_mozilla_t)
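Review bot: The added `fs_manage_dos_dirs($1_mozilla_t)` and `fs_manage_dos_files($1_mozilla_t)` calls give every per-role browser domain unconditional create, write and delete access to anything labelled dosfs_t. If DOS filesystems are labelled per mount, as is usual for filesystems without xattr support, a compromised browser could modify or delete every file on a mounted FAT volume, not only what the user saved there. The CIFS access further down in this template appears to sit inside a conditional block, so I would gate these two calls the same way, in a `tunable_policy` block behind a boolean that defaults to off. If only reading and saving downloads is needed, check whether the files interface alone is enough. The template body starts and ends outside this hunk.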
@@ -2650,7 +2688,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  	term_dontaudit_getattr_pty_dirs($1_mozilla_t)
  	
  	libs_use_ld_so($1_mozilla_t)
-@@ -184,12 +226,9 @@
+@@ -184,12 +228,9 @@
  	sysnet_dns_name_resolve($1_mozilla_t)
  	sysnet_read_config($1_mozilla_t)
  	
@@ -2666,7 +2704,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  	
  	xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t)
  	xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t)
-@@ -211,131 +250,8 @@
+@@ -211,131 +252,8 @@
  		fs_manage_cifs_symlinks($1_mozilla_t)
  	')
  
@@ -2800,7 +2838,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  	')
  
  	optional_policy(`
-@@ -350,19 +266,25 @@
+@@ -350,19 +268,26 @@
  	optional_policy(`
  		cups_read_rw_config($1_mozilla_t)
  		cups_dbus_chat($1_mozilla_t)
@@ -2810,6 +2848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  	optional_policy(`
  		dbus_system_bus_client_template($1_mozilla,$1_mozilla_t)
 -		dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t)
++#		dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t)
  	')
  
  	optional_policy(`
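Review bot: The policy patch now carries `dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t)` as a commented-out line with no reason given, so a later maintainer cannot tell whether the session-bus access was dropped on purpose or disabled temporarily. Either delete the line from the policy patch, or put a one-line reason directly above it, for example `# user bus client disabled: <reason>; re-enable when <condition>`. The enclosing template continues outside this hunk, so confirm nothing later in it still depends on the types this call would have declared.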
@@ -2828,7 +2867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  	')
  
  	optional_policy(`
-@@ -382,25 +304,6 @@
+@@ -382,25 +307,6 @@
  		thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t)
  	')
  
@@ -2854,7 +2893,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  ')
  
  ########################################
-@@ -430,11 +333,11 @@
+@@ -430,11 +336,11 @@
  #
  template(`mozilla_read_user_home_files',`
  	gen_require(`
@@ -2869,7 +2908,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  ')
  
  ########################################
-@@ -464,11 +367,11 @@
+@@ -464,11 +370,11 @@
  #
  template(`mozilla_write_user_home_files',`
  	gen_require(`
@@ -2884,7 +2923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  ')
  
  ########################################
-@@ -573,3 +476,27 @@
+@@ -573,3 +479,27 @@
  
  	allow $2 $1_mozilla_t:tcp_socket rw_socket_perms;
  ')
@@ -2914,7 +2953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.2.3/policy/modules/apps/mozilla.te
 --- nsaserefpolicy/policy/modules/apps/mozilla.te	2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/mozilla.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/mozilla.te	2007-12-06 16:37:24.000000000 -0500
 @@ -6,15 +6,15 @@
  # Declarations
  #
@@ -2940,7 +2979,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
 +files_tmp_file(user_mozilla_tmp_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.fc serefpolicy-3.2.3/policy/modules/apps/mplayer.fc
 --- nsaserefpolicy/policy/modules/apps/mplayer.fc	2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/mplayer.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/mplayer.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -10,4 +10,4 @@
  /usr/bin/mencoder	--	gen_context(system_u:object_r:mencoder_exec_t,s0)
  /usr/bin/xine		--	gen_context(system_u:object_r:mplayer_exec_t,s0)
@@ -2949,7 +2988,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.
 +HOME_DIR/\.mplayer(/.*)?        gen_context(system_u:object_r:user_mplayer_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.2.3/policy/modules/apps/mplayer.if
 --- nsaserefpolicy/policy/modules/apps/mplayer.if	2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/mplayer.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/mplayer.if	2007-12-06 16:37:24.000000000 -0500
 @@ -35,6 +35,7 @@
  template(`mplayer_per_role_template',`
  	gen_require(`
@@ -3029,7 +3068,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.te serefpolicy-3.2.3/policy/modules/apps/mplayer.te
 --- nsaserefpolicy/policy/modules/apps/mplayer.te	2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/mplayer.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/mplayer.te	2007-12-06 16:37:24.000000000 -0500
 @@ -22,3 +22,7 @@
  type mplayer_exec_t;
  corecmd_executable_file(mplayer_exec_t)
@@ -3040,7 +3079,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.2.3/policy/modules/apps/screen.fc
 --- nsaserefpolicy/policy/modules/apps/screen.fc	2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/screen.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/screen.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -1,7 +1,7 @@
  #
  # /home
@@ -3052,7 +3091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.f
  # /usr
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.2.3/policy/modules/apps/screen.if
 --- nsaserefpolicy/policy/modules/apps/screen.if	2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/screen.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/screen.if	2007-12-06 16:37:24.000000000 -0500
 @@ -50,8 +50,9 @@
  	type $1_screen_tmp_t;
  	files_tmp_file($1_screen_tmp_t)
@@ -3099,7 +3138,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.i
  	kernel_read_kernel_sysctls($1_screen_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.te serefpolicy-3.2.3/policy/modules/apps/screen.te
 --- nsaserefpolicy/policy/modules/apps/screen.te	2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/screen.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/screen.te	2007-12-06 16:37:24.000000000 -0500
 @@ -11,3 +11,7 @@
  
  type screen_exec_t;
@@ -3110,7 +3149,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.t
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.fc serefpolicy-3.2.3/policy/modules/apps/thunderbird.fc
 --- nsaserefpolicy/policy/modules/apps/thunderbird.fc	2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/thunderbird.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/thunderbird.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -3,4 +3,4 @@
  #
  /usr/bin/thunderbird.*			--	gen_context(system_u:object_r:thunderbird_exec_t,s0)
@@ -3119,7 +3158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderb
 +HOME_DIR/\.thunderbird(/.*)?			gen_context(system_u:object_r:user_thunderbird_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.if serefpolicy-3.2.3/policy/modules/apps/thunderbird.if
 --- nsaserefpolicy/policy/modules/apps/thunderbird.if	2007-12-06 13:12:03.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/apps/thunderbird.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/thunderbird.if	2007-12-06 16:37:24.000000000 -0500
 @@ -43,9 +43,9 @@
  	application_domain($1_thunderbird_t,thunderbird_exec_t)
  	role $3 types $1_thunderbird_t;
@@ -3169,7 +3208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderb
  	kernel_read_network_state($1_thunderbird_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.te serefpolicy-3.2.3/policy/modules/apps/thunderbird.te
 --- nsaserefpolicy/policy/modules/apps/thunderbird.te	2007-12-06 13:12:03.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/apps/thunderbird.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/thunderbird.te	2007-12-06 16:37:24.000000000 -0500
 @@ -8,3 +8,7 @@
  
  type thunderbird_exec_t;
@@ -3180,7 +3219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderb
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.if serefpolicy-3.2.3/policy/modules/apps/tvtime.if
 --- nsaserefpolicy/policy/modules/apps/tvtime.if	2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/tvtime.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/tvtime.if	2007-12-06 16:37:24.000000000 -0500
 @@ -46,12 +46,10 @@
  	application_domain($1_tvtime_t,tvtime_exec_t)
  	role $3 types $1_tvtime_t;
@@ -3242,7 +3281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.i
  	ps_process_pattern($2,$1_tvtime_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.te serefpolicy-3.2.3/policy/modules/apps/tvtime.te
 --- nsaserefpolicy/policy/modules/apps/tvtime.te	2007-10-02 09:54:50.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/tvtime.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/tvtime.te	2007-12-06 16:37:24.000000000 -0500
 @@ -11,3 +11,9 @@
  
  type tvtime_dir_t;
@@ -3255,7 +3294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.t
 +files_tmp_file(user_tvtime_tmp_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.fc serefpolicy-3.2.3/policy/modules/apps/uml.fc
 --- nsaserefpolicy/policy/modules/apps/uml.fc	2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/uml.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/uml.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -1,7 +1,7 @@
  #
  # HOME_DIR/
@@ -3267,7 +3306,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.fc s
  # /usr
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.if serefpolicy-3.2.3/policy/modules/apps/userhelper.if
 --- nsaserefpolicy/policy/modules/apps/userhelper.if	2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/userhelper.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/userhelper.if	2007-12-06 16:37:24.000000000 -0500
 @@ -130,6 +130,7 @@
  	term_use_all_user_ptys($1_userhelper_t)
  
@@ -3303,7 +3342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.2.3/policy/modules/apps/vmware.fc
 --- nsaserefpolicy/policy/modules/apps/vmware.fc	2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/vmware.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/vmware.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -1,9 +1,9 @@
  #
  # HOME_DIR/
@@ -3350,7 +3389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.f
 +/var/log/vmware.* 	--	gen_context(system_u:object_r:vmware_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.2.3/policy/modules/apps/vmware.if
 --- nsaserefpolicy/policy/modules/apps/vmware.if	2007-02-19 11:32:52.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/apps/vmware.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/vmware.if	2007-12-06 16:37:24.000000000 -0500
 @@ -202,3 +202,22 @@
  
  	allow $1 vmware_sys_conf_t:file append;
@@ -3376,7 +3415,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.i
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.2.3/policy/modules/apps/vmware.te
 --- nsaserefpolicy/policy/modules/apps/vmware.te	2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/vmware.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/vmware.te	2007-12-06 16:37:24.000000000 -0500
 @@ -22,17 +22,21 @@
  type vmware_var_run_t;
  files_pid_file(vmware_var_run_t)
@@ -3423,7 +3462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t
  domain_use_interactive_fds(vmware_host_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.2.3/policy/modules/apps/wine.if
 --- nsaserefpolicy/policy/modules/apps/wine.if	2007-09-12 10:34:17.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/wine.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/wine.if	2007-12-06 16:37:24.000000000 -0500
 @@ -49,3 +49,53 @@
  	role $2 types wine_t;
  	allow wine_t $3:chr_file rw_term_perms;
@@ -3480,7 +3519,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if 
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.2.3/policy/modules/apps/wine.te
 --- nsaserefpolicy/policy/modules/apps/wine.te	2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/apps/wine.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/apps/wine.te	2007-12-06 16:37:24.000000000 -0500
 @@ -9,6 +9,7 @@
  type wine_t;
  type wine_exec_t;
@@ -3507,7 +3546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te 
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.3/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/kernel/corecommands.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/kernel/corecommands.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -168,8 +168,10 @@
  /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
  
@@ -3539,7 +3578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 +/etc/apcupsd/onbattery  --    gen_context(system_u:object_r:bin_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.2.3/policy/modules/kernel/corecommands.if
 --- nsaserefpolicy/policy/modules/kernel/corecommands.if	2007-11-14 08:17:58.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/kernel/corecommands.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/kernel/corecommands.if	2007-12-06 16:37:24.000000000 -0500
 @@ -875,6 +875,7 @@
  
  	read_lnk_files_pattern($1,bin_t,bin_t)
@@ -3550,7 +3589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.3/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2007-11-29 13:29:34.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/kernel/corenetwork.te.in	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/kernel/corenetwork.te.in	2007-12-06 16:37:24.000000000 -0500
 @@ -133,6 +133,7 @@
  network_port(pegasus_http, tcp,5988,s0)
  network_port(pegasus_https, tcp,5989,s0)
@@ -3561,7 +3600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
  network_port(postgresql, tcp,5432,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.2.3/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2007-11-14 16:20:13.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/kernel/devices.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/kernel/devices.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -4,6 +4,7 @@
  
  /dev/.*mouse.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
@@ -3611,7 +3650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  # used by init scripts to initally populate udev /dev
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.2.3/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/kernel/devices.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/kernel/devices.if	2007-12-06 16:37:24.000000000 -0500
 @@ -65,7 +65,7 @@
  
  	relabelfrom_dirs_pattern($1,device_t,device_node)
@@ -3768,7 +3807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.2.3/policy/modules/kernel/devices.te
 --- nsaserefpolicy/policy/modules/kernel/devices.te	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/kernel/devices.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/kernel/devices.te	2007-12-06 16:37:24.000000000 -0500
 @@ -72,6 +72,13 @@
  dev_node(kmsg_device_t)
  
@@ -3785,7 +3824,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  type lvm_control_t;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.2.3/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2007-11-29 13:29:34.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/kernel/domain.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/kernel/domain.te	2007-12-06 16:37:24.000000000 -0500
 @@ -148,3 +148,15 @@
  
  # receive from all domains over labeled networking
@@ -3804,7 +3843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.2.3/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/kernel/files.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/kernel/files.if	2007-12-06 16:37:24.000000000 -0500
 @@ -1266,6 +1266,24 @@
  
  ########################################
@@ -3895,7 +3934,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.2.3/policy/modules/kernel/files.te
 --- nsaserefpolicy/policy/modules/kernel/files.te	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/kernel/files.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/kernel/files.te	2007-12-06 16:37:24.000000000 -0500
 @@ -55,6 +55,9 @@
  # compatibility aliases for removed types:
  typealias etc_t alias automount_etc_t;
@@ -3906,9 +3945,38 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  
  #
  # etc_runtime_t is the type of various
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.2.3/policy/modules/kernel/filesystem.if
+--- nsaserefpolicy/policy/modules/kernel/filesystem.if	2007-10-24 15:00:24.000000000 -0400
++++ serefpolicy-3.2.3/policy/modules/kernel/filesystem.if	2007-12-07 15:02:45.000000000 -0500
+@@ -1171,6 +1171,25 @@
+ 
+ ########################################
+ ## <summary>
++##	Create, read, write, and delete dirs
++##	on a DOS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_manage_dos_dirs',`
++	gen_require(`
++		type dosfs_t;
++	')
++
++	manage_dirs_pattern($1,dosfs_t,dosfs_t)
++')
++
++########################################
++## <summary>
+ ##	Create, read, write, and delete files
+ ##	on a DOS filesystem.
+ ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.2.3/policy/modules/kernel/filesystem.te
 --- nsaserefpolicy/policy/modules/kernel/filesystem.te	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/kernel/filesystem.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/kernel/filesystem.te	2007-12-07 13:27:59.000000000 -0500
 @@ -25,6 +25,8 @@
  fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
  fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
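Review bot: The doc header of the new `fs_manage_dos_dirs` interface gives only the one-line summary and does not say how wide the grant is. `manage_dirs_pattern($1,dosfs_t,dosfs_t)` applies to every directory labelled dosfs_t, which presumably means whole mounted volumes rather than per-user content. I would add a `## <desc>` paragraph under the summary stating this, and noting that domains handling untrusted input should call the interface only inside a conditional block. The neighbouring files interface, whose header is the trailing context of this section, would benefit from the same sentence.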
@@ -3932,8 +4000,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  files_mountpoint(vxfs_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.2.3/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/kernel/kernel.if	2007-12-06 14:13:13.000000000 -0500
-@@ -1194,6 +1194,7 @@
++++ serefpolicy-3.2.3/policy/modules/kernel/kernel.if	2007-12-10 10:59:00.000000000 -0500
+@@ -851,9 +851,8 @@
+ 		type proc_t, proc_afs_t;
+ 	')
+ 
+-	read_files_pattern($1,proc_t,proc_afs_t)
+-
+ 	list_dirs_pattern($1,proc_t,proc_t)
++	rw_files_pattern($1,proc_afs_t,proc_afs_t)
+ ')
+ 
+ #######################################
+@@ -1194,6 +1193,7 @@
  	')
  
  	dontaudit $1 proc_type:dir list_dir_perms;
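Review bot: Replacing `read_files_pattern($1,proc_t,proc_afs_t)` with `rw_files_pattern($1,proc_afs_t,proc_afs_t)` adds write access on proc_afs_t files for every existing caller of this interface. Its name and summary are outside the hunk; if it is documented as a read interface, callers that only needed to read AFS state are silently widened. I would keep the read line here and put the write grant in a separate interface with its own summary, so domains that need to write opt in explicitly. The directory argument also changes from proc_t to proc_afs_t, so the files pattern no longer grants search on proc_t. Check that the remaining `list_dirs_pattern($1,proc_t,proc_t)` still lets callers reach the proc_afs_t entries.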
@@ -3941,7 +4020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
  ')
  
  ########################################
-@@ -1764,6 +1765,7 @@
+@@ -1764,6 +1764,7 @@
  	')
  
  	dontaudit $1 sysctl_type:dir list_dir_perms;
@@ -3951,7 +4030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.2.3/policy/modules/kernel/selinux.if
 --- nsaserefpolicy/policy/modules/kernel/selinux.if	2007-11-16 13:45:14.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/kernel/selinux.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/kernel/selinux.if	2007-12-06 16:37:24.000000000 -0500
 @@ -164,6 +164,7 @@
  		type security_t;
  	')
@@ -4044,7 +4123,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.te serefpolicy-3.2.3/policy/modules/kernel/selinux.te
 --- nsaserefpolicy/policy/modules/kernel/selinux.te	2007-11-16 13:45:14.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/kernel/selinux.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/kernel/selinux.te	2007-12-06 16:37:24.000000000 -0500
 @@ -10,6 +10,7 @@
  attribute can_setenforce;
  attribute can_setsecparam;
@@ -4067,7 +4146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu
  neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.2.3/policy/modules/kernel/terminal.fc
 --- nsaserefpolicy/policy/modules/kernel/terminal.fc	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/kernel/terminal.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/kernel/terminal.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -14,6 +14,7 @@
  /dev/isdn.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
  /dev/ptmx		-c	gen_context(system_u:object_r:ptmx_t,s0)
@@ -4076,9 +4155,38 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin
  /dev/tty			-c	gen_context(system_u:object_r:devtty_t,s0)
  /dev/ttySG.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
  /dev/xvc[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.2.3/policy/modules/kernel/terminal.if
+--- nsaserefpolicy/policy/modules/kernel/terminal.if	2007-09-12 10:34:17.000000000 -0400
++++ serefpolicy-3.2.3/policy/modules/kernel/terminal.if	2007-12-10 09:31:12.000000000 -0500
+@@ -525,11 +525,13 @@
+ interface(`term_use_generic_ptys',`
+ 	gen_require(`
+ 		type devpts_t;
++		attribute server_ptynode;
+ 	')
+ 
+ 	dev_list_all_dev_nodes($1)
+ 	allow $1 devpts_t:dir list_dir_perms;
+ 	allow $1 devpts_t:chr_file { rw_term_perms lock append };
++	allow $1 server_ptynode:chr_file { getattr read write ioctl };
+ ')
+ 
+ ########################################
+@@ -547,9 +549,11 @@
+ interface(`term_dontaudit_use_generic_ptys',`
+ 	gen_require(`
+ 		type devpts_t;
++		attribute server_ptynode;
+ 	')
+ 
+ 	dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
++	dontaudit $1 server_ptynode:chr_file { getattr read write ioctl };
+ ')
+ 
+ ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.2.3/policy/modules/services/amavis.te
 --- nsaserefpolicy/policy/modules/services/amavis.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/amavis.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/amavis.te	2007-12-06 16:37:24.000000000 -0500
 @@ -65,6 +65,7 @@
  # Spool Files
  manage_dirs_pattern(amavis_t,amavis_spool_t,amavis_spool_t)
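Review bot: The new `allow $1 server_ptynode:chr_file { getattr read write ioctl };` line in `term_use_generic_ptys` widens an interface whose name and existing rules cover only `devpts_t`. Every current caller would gain read/write/ioctl on all pty nodes carrying the `server_ptynode` attribute, without any change on the caller's side. The callers are not visible in this hunk, so it is worth checking whether all of them need that access; if only a few do, the rule belongs in a separate interface that those domains call explicitly. If the broadening is intended, say so next to the rule, e.g. `# also covers ptys typed with server_ptynode, not just devpts_t`, and update the interface's `## <summary>` block, which sits outside the hunk. The matching `dontaudit` added to `term_dontaudit_use_generic_ptys` will hide denials on the same set of ptys, which makes unexpected access attempts harder to spot in the audit log.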
@@ -4097,7 +4205,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav
  dev_read_rand(amavis_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.2.3/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/apache.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/apache.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -16,7 +16,6 @@
  
  /usr/lib/apache-ssl/.+		--	gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -4125,7 +4233,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +/etc/rc\.d/init\.d/httpd	--	gen_context(system_u:object_r:httpd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.2.3/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2007-10-23 17:17:42.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/apache.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/apache.if	2007-12-06 16:37:24.000000000 -0500
 @@ -18,10 +18,6 @@
  		attribute httpd_script_exec_type;
  		type httpd_t, httpd_suexec_t, httpd_log_t;
@@ -4434,7 +4542,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.2.3/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/apache.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/apache.te	2007-12-06 16:37:24.000000000 -0500
 @@ -20,20 +20,22 @@
  # Declarations
  #
@@ -4917,7 +5025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.if serefpolicy-3.2.3/policy/modules/services/apcupsd.if
 --- nsaserefpolicy/policy/modules/services/apcupsd.if	2007-09-12 10:34:18.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/apcupsd.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/apcupsd.if	2007-12-06 16:37:24.000000000 -0500
 @@ -90,10 +90,29 @@
  ## </summary>
  ## </param>
@@ -4951,7 +5059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.2.3/policy/modules/services/apcupsd.te
 --- nsaserefpolicy/policy/modules/services/apcupsd.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/apcupsd.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/apcupsd.te	2007-12-06 16:37:24.000000000 -0500
 @@ -86,6 +86,11 @@
  
  miscfiles_read_localization(apcupsd_t)
@@ -4966,7 +5074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.fc serefpolicy-3.2.3/policy/modules/services/automount.fc
 --- nsaserefpolicy/policy/modules/services/automount.fc	2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/automount.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/automount.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -12,4 +12,4 @@
  # /var
  #
@@ -4975,7 +5083,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto
 +/var/run/autofs.*		gen_context(system_u:object_r:automount_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.2.3/policy/modules/services/automount.if
 --- nsaserefpolicy/policy/modules/services/automount.if	2007-03-26 10:39:04.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/automount.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/automount.if	2007-12-06 16:37:24.000000000 -0500
 @@ -74,3 +74,21 @@
  
  	dontaudit $1 automount_tmp_t:dir getattr;
@@ -5000,7 +5108,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.2.3/policy/modules/services/automount.te
 --- nsaserefpolicy/policy/modules/services/automount.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/automount.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/automount.te	2007-12-06 16:37:24.000000000 -0500
 @@ -52,7 +52,8 @@
  files_root_filetrans(automount_t,automount_tmp_t,dir)
  
@@ -5042,7 +5150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.2.3/policy/modules/services/avahi.te
 --- nsaserefpolicy/policy/modules/services/avahi.te	2007-10-29 07:52:49.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/avahi.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/avahi.te	2007-12-06 16:37:24.000000000 -0500
 @@ -85,6 +85,7 @@
  	dbus_connect_system_bus(avahi_t)
  
@@ -5053,7 +5161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.2.3/policy/modules/services/bind.te
 --- nsaserefpolicy/policy/modules/services/bind.te	2007-10-29 07:52:49.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/bind.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/bind.te	2007-12-06 16:37:24.000000000 -0500
 @@ -9,7 +9,7 @@
  ## <desc>
  ## <p>
@@ -5065,7 +5173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
  gen_tunable(named_write_master_zones,false)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.fc serefpolicy-3.2.3/policy/modules/services/bluetooth.fc
 --- nsaserefpolicy/policy/modules/services/bluetooth.fc	2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/bluetooth.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/bluetooth.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -22,3 +22,4 @@
  #
  /var/lib/bluetooth(/.*)?	gen_context(system_u:object_r:bluetooth_var_lib_t,s0)
@@ -5073,7 +5181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue
 +/var/run/bluetoothd_address	gen_context(system_u:object_r:bluetooth_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.2.3/policy/modules/services/bluetooth.te
 --- nsaserefpolicy/policy/modules/services/bluetooth.te	2007-10-29 07:52:49.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/bluetooth.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/bluetooth.te	2007-12-06 16:37:24.000000000 -0500
 @@ -44,7 +44,7 @@
  allow bluetooth_t self:shm create_shm_perms;
  allow bluetooth_t self:socket create_stream_socket_perms;
@@ -5093,7 +5201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.2.3/policy/modules/services/clamav.fc
 --- nsaserefpolicy/policy/modules/services/clamav.fc	2007-09-05 15:24:44.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/clamav.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/clamav.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -5,16 +5,18 @@
  /usr/bin/freshclam		--	gen_context(system_u:object_r:freshclam_exec_t,s0)
  
@@ -5117,7 +5225,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
  /var/spool/amavisd/clamd\.sock	-s	gen_context(system_u:object_r:clamd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.2.3/policy/modules/services/clamav.te
 --- nsaserefpolicy/policy/modules/services/clamav.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/clamav.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/clamav.te	2007-12-06 16:37:24.000000000 -0500
 @@ -87,6 +87,7 @@
  kernel_dontaudit_list_proc(clamd_t)
  kernel_read_sysctl(clamd_t)
@@ -5156,7 +5264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.2.3/policy/modules/services/consolekit.te
 --- nsaserefpolicy/policy/modules/services/consolekit.te	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/consolekit.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/consolekit.te	2007-12-06 16:37:24.000000000 -0500
 @@ -36,6 +36,7 @@
  
  domain_read_all_domains_state(consolekit_t)
@@ -5193,7 +5301,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.2.3/policy/modules/services/courier.te
 --- nsaserefpolicy/policy/modules/services/courier.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/courier.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/courier.te	2007-12-06 16:37:24.000000000 -0500
 @@ -58,6 +58,7 @@
  files_getattr_tmp_dirs(courier_authdaemon_t)
  
@@ -5204,7 +5312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cour
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.2.3/policy/modules/services/cron.fc
 --- nsaserefpolicy/policy/modules/services/cron.fc	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/cron.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/cron.fc	2007-12-11 00:59:24.000000000 -0500
 @@ -17,6 +17,8 @@
  /var/run/fcron\.fifo		-s	gen_context(system_u:object_r:crond_var_run_t,s0)
  /var/run/fcron\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
@@ -5221,7 +5329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 +/var/lib/misc(/.*)?			gen_context(system_u:object_r:system_crond_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.2.3/policy/modules/services/cron.if
 --- nsaserefpolicy/policy/modules/services/cron.if	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/cron.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/cron.if	2007-12-06 16:37:24.000000000 -0500
 @@ -35,38 +35,23 @@
  #
  template(`cron_per_role_template',`
@@ -5473,7 +5581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.2.3/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2007-12-06 13:12:03.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/cron.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/cron.te	2007-12-06 16:37:24.000000000 -0500
 @@ -50,6 +50,7 @@
  
  type crond_tmp_t;
@@ -5668,7 +5776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  ifdef(`TODO',`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.2.3/policy/modules/services/cups.fc
 --- nsaserefpolicy/policy/modules/services/cups.fc	2007-11-16 15:30:49.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/cups.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/cups.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -8,17 +8,15 @@
  /etc/cups/ppd/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /etc/cups/ppds\.dat	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -5719,7 +5827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 +/usr/local/Printer/[^/]*/inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.2.3/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/cups.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/cups.te	2007-12-11 00:11:19.000000000 -0500
 @@ -43,14 +43,12 @@
  
  type cupsd_var_run_t;
@@ -5746,9 +5854,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  ')
  
  ########################################
-@@ -81,11 +81,12 @@
+@@ -79,13 +79,14 @@
+ #
+ 
  # /usr/lib/cups/backend/serial needs sys_admin(?!)
- allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
+-allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
++allow cupsd_t self:capability { dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_admin sys_rawio sys_resource sys_tty_config };
  dontaudit cupsd_t self:capability { sys_tty_config net_admin };
 -allow cupsd_t self:process { setsched signal_perms };
 -allow cupsd_t self:fifo_file rw_file_perms;
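Review bot: `sys_rawio` is added to the `cupsd_t` capability set with no comment naming what needs it; the comment above the rule only explains `sys_admin` for the serial backend. `sys_rawio` is a broad capability for a network-facing daemon, so the rule should record the reason, e.g. `# sys_rawio: required by <component that triggered the denial>`. It is also worth checking whether the capability can be granted to a narrower helper domain instead of `cupsd_t` itself. The set also lists `dac_override` twice, which is harmless but can be cleaned up in the same line. The dcc.te hunk further down, which adds `setgid` to `dcc_client_t`, likewise gives no rationale.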
@@ -5792,7 +5903,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  allow cupsd_t hplip_var_run_t:file { read getattr };
  
  stream_connect_pattern(cupsd_t,ptal_var_run_t,ptal_var_run_t,ptal_t)
-@@ -149,31 +156,39 @@
+@@ -149,32 +156,35 @@
  corenet_tcp_bind_reserved_port(cupsd_t)
  corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
  corenet_tcp_connect_all_ports(cupsd_t)
@@ -5818,24 +5929,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  
 +mls_fd_use_all_levels(cupsd_t)
  mls_file_downgrade(cupsd_t)
--mls_file_write_all_levels(cupsd_t)
--mls_file_read_all_levels(cupsd_t)
-+mls_file_write_down(cupsd_t)
-+mls_file_read_up(cupsd_t)
+ mls_file_write_all_levels(cupsd_t)
+ mls_file_read_all_levels(cupsd_t)
 +mls_rangetrans_target(cupsd_t)
  mls_socket_write_all_levels(cupsd_t)
  
  term_use_unallocated_ttys(cupsd_t)
  term_search_ptys(cupsd_t)
  
- auth_domtrans_chk_passwd(cupsd_t)
-+auth_domtrans_upd_passwd_chk(cupsd_t)
- auth_dontaudit_read_pam_pid(cupsd_t)
-+auth_rw_faillog(cupsd_t)
- 
+-auth_domtrans_chk_passwd(cupsd_t)
+-auth_dontaudit_read_pam_pid(cupsd_t)
+-
  # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
  corecmd_exec_shell(cupsd_t)
-@@ -186,7 +201,7 @@
+ corecmd_exec_bin(cupsd_t)
+@@ -186,7 +196,7 @@
  # read python modules
  files_read_usr_files(cupsd_t)
  # for /var/lib/defoma
@@ -5844,7 +5952,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  files_list_world_readable(cupsd_t)
  files_read_world_readable_files(cupsd_t)
  files_read_world_readable_symlinks(cupsd_t)
-@@ -195,12 +210,9 @@
+@@ -195,15 +205,16 @@
  files_read_var_symlinks(cupsd_t)
  # for /etc/printcap
  files_dontaudit_write_etc_files(cupsd_t)
@@ -5858,7 +5966,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  
  init_exec_script_files(cupsd_t)
  
-@@ -220,16 +232,37 @@
++auth_domtrans_chk_passwd(cupsd_t)
++auth_domtrans_upd_passwd_chk(cupsd_t)
++auth_dontaudit_read_pam_pid(cupsd_t)
++auth_rw_faillog(cupsd_t)
+ auth_use_nsswitch(cupsd_t)
+ 
+ libs_use_ld_so(cupsd_t)
+@@ -220,16 +231,37 @@
  
  seutil_read_config(cupsd_t)
  
@@ -5898,7 +6013,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  ')
  
  optional_policy(`
-@@ -242,6 +275,7 @@
+@@ -242,6 +274,7 @@
  
  optional_policy(`
  	dbus_system_bus_client_template(cupsd,cupsd_t)
@@ -5906,7 +6021,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  
  	userdom_dbus_send_all_users(cupsd_t)
  
-@@ -263,6 +297,10 @@
+@@ -263,6 +296,10 @@
  ')
  
  optional_policy(`
@@ -5917,7 +6032,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  	# cups execs smbtool which reads samba_etc_t files
  	samba_read_config(cupsd_t)
  	samba_rw_var_files(cupsd_t)
-@@ -326,11 +364,13 @@
+@@ -326,6 +363,7 @@
  dev_read_sysfs(cupsd_config_t)
  dev_read_urand(cupsd_config_t)
  dev_read_rand(cupsd_config_t)
@@ -5925,13 +6040,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  
  fs_getattr_all_fs(cupsd_config_t)
  fs_search_auto_mountpoints(cupsd_config_t)
- 
- corecmd_exec_bin(cupsd_config_t)
-+corecmd_exec_sbin(cupsd_config_t)
- corecmd_exec_shell(cupsd_config_t)
- 
- domain_use_interactive_fds(cupsd_config_t)
-@@ -372,12 +412,17 @@
+@@ -372,12 +410,17 @@
  ')
  
  optional_policy(`
@@ -5949,7 +6058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  
  	optional_policy(`
  		hal_dbus_chat(cupsd_config_t)
-@@ -387,6 +432,7 @@
+@@ -387,6 +430,7 @@
  optional_policy(`
  	hal_domtrans(cupsd_config_t)
  	hal_read_tmp_files(cupsd_config_t)
@@ -5957,7 +6066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  ')
  
  optional_policy(`
-@@ -499,14 +545,12 @@
+@@ -499,14 +543,12 @@
  allow hplip_t self:udp_socket create_socket_perms;
  allow hplip_t self:rawip_socket create_socket_perms;
  
@@ -5976,7 +6085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  
  manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
  files_pid_filetrans(hplip_t,hplip_var_run_t,file)
-@@ -537,13 +581,15 @@
+@@ -537,14 +579,14 @@
  dev_read_urand(hplip_t)
  dev_read_rand(hplip_t)
  dev_rw_generic_usb_dev(hplip_t)
@@ -5989,11 +6098,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  
  # for python
  corecmd_exec_bin(hplip_t)
-+corecmd_search_sbin(hplip_t)
- 
+-
  domain_use_interactive_fds(hplip_t)
  
-@@ -565,6 +611,7 @@
+ files_read_etc_files(hplip_t)
+@@ -565,6 +607,7 @@
  userdom_dontaudit_search_all_users_home_content(hplip_t)
  
  lpd_read_config(cupsd_t)
@@ -6003,7 +6112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  	seutil_sigchld_newrole(hplip_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.2.3/policy/modules/services/cvs.te
 --- nsaserefpolicy/policy/modules/services/cvs.te	2007-11-15 13:40:14.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/cvs.te	2007-12-06 14:18:05.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/cvs.te	2007-12-06 16:37:24.000000000 -0500
 @@ -69,6 +69,8 @@
  fs_getattr_xattr_fs(cvs_t)
  
@@ -6036,7 +6145,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
 -')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.3/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/dbus.if	2007-12-06 14:22:51.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/dbus.if	2007-12-06 16:37:24.000000000 -0500
 @@ -91,7 +91,7 @@
  	# SE-DBus specific permissions
  	allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
@@ -6101,9 +6210,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 +
 +')
 +
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.2.3/policy/modules/services/dcc.te
+--- nsaserefpolicy/policy/modules/services/dcc.te	2007-10-12 08:56:07.000000000 -0400
++++ serefpolicy-3.2.3/policy/modules/services/dcc.te	2007-12-10 16:49:33.000000000 -0500
+@@ -124,7 +124,7 @@
+ # dcc procmail interface local policy
+ #
+ 
+-allow dcc_client_t self:capability setuid;
++allow dcc_client_t self:capability { setgid setuid };
+ allow dcc_client_t self:unix_dgram_socket create_socket_perms;
+ allow dcc_client_t self:udp_socket create_socket_perms;
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.fc serefpolicy-3.2.3/policy/modules/services/dictd.fc
 --- nsaserefpolicy/policy/modules/services/dictd.fc	2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/dictd.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/dictd.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -4,3 +4,4 @@
  /usr/sbin/dictd		--	gen_context(system_u:object_r:dictd_exec_t,s0)
  
@@ -6111,7 +6232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dict
 +/var/run/dictd\.pid	--	gen_context(system_u:object_r:dictd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.te serefpolicy-3.2.3/policy/modules/services/dictd.te
 --- nsaserefpolicy/policy/modules/services/dictd.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/dictd.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/dictd.te	2007-12-06 16:37:24.000000000 -0500
 @@ -16,6 +16,9 @@
  type dictd_var_lib_t alias var_lib_dictd_t;
  files_type(dictd_var_lib_t)
@@ -6134,7 +6255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dict
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.2.3/policy/modules/services/dnsmasq.te
 --- nsaserefpolicy/policy/modules/services/dnsmasq.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/dnsmasq.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/dnsmasq.te	2007-12-06 16:37:24.000000000 -0500
 @@ -94,3 +94,7 @@
  optional_policy(`
  	udev_read_db(dnsmasq_t)
@@ -6145,7 +6266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.2.3/policy/modules/services/dovecot.fc
 --- nsaserefpolicy/policy/modules/services/dovecot.fc	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/dovecot.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/dovecot.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -17,19 +17,24 @@
  
  ifdef(`distro_debian', `
@@ -6173,7 +6294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.2.3/policy/modules/services/dovecot.if
 --- nsaserefpolicy/policy/modules/services/dovecot.if	2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/dovecot.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/dovecot.if	2007-12-06 16:37:24.000000000 -0500
 @@ -18,3 +18,43 @@
  	manage_files_pattern($1,dovecot_spool_t,dovecot_spool_t)
  	manage_lnk_files_pattern($1,dovecot_spool_t,dovecot_spool_t)
@@ -6220,7 +6341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.2.3/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/dovecot.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/dovecot.te	2007-12-06 20:31:31.000000000 -0500
 @@ -15,6 +15,12 @@
  domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
  role system_r types dovecot_auth_t;
@@ -6308,14 +6429,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  files_read_usr_symlinks(dovecot_auth_t)
  files_search_tmp(dovecot_auth_t)
  files_read_var_lib_files(dovecot_t)
-@@ -184,5 +203,45 @@
+@@ -184,5 +203,49 @@
  ')
  
  optional_policy(`
 -	logging_send_syslog_msg(dovecot_auth_t)
 +	mysql_search_db(dovecot_auth_t)
 +	mysql_stream_connect(dovecot_auth_t)
- ')
++')
 +
 +optional_policy(`
 +	nis_authenticate(dovecot_auth_t)
@@ -6324,7 +6445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
 +optional_policy(`
 +	postfix_manage_pivate_sockets(dovecot_auth_t)
 +	postfix_search_spool(dovecot_auth_t)
-+')
+ ')
 +
 +# for gssapi (kerberos)
 +userdom_list_unpriv_users_tmp(dovecot_auth_t) 
@@ -6335,29 +6456,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
 +#
 +# dovecot deliver local policy
 +#
++allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
++
 +allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
 +allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
 +
 +kernel_read_all_sysctls(dovecot_deliver_t)
 +kernel_read_system_state(dovecot_deliver_t)
 +
-+dovecot_auth_stream_connect(dovecot_deliver_t)
-+
 +files_read_etc_files(dovecot_deliver_t)
 +files_read_etc_runtime_files(dovecot_deliver_t)
 +
 +libs_use_ld_so(dovecot_deliver_t)
 +libs_use_shared_libs(dovecot_deliver_t)
 +
++logging_send_syslog_msg(dovecot_deliver_t)
++
 +miscfiles_read_localization(dovecot_deliver_t)
 +
++dovecot_auth_stream_connect(dovecot_deliver_t)
++
 +optional_policy(`
 +	mta_manage_spool(dovecot_deliver_t)
 +')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.2.3/policy/modules/services/exim.if
 --- nsaserefpolicy/policy/modules/services/exim.if	2007-10-24 15:00:24.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/exim.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/exim.if	2007-12-06 16:37:24.000000000 -0500
 @@ -117,6 +117,27 @@
  
  ########################################
@@ -6388,7 +6513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.2.3/policy/modules/services/exim.te
 --- nsaserefpolicy/policy/modules/services/exim.te	2007-10-24 15:17:31.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/exim.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/exim.te	2007-12-06 16:37:24.000000000 -0500
 @@ -21,9 +21,20 @@
  ## </desc>
  gen_tunable(exim_manage_user_files,false)
@@ -6567,7 +6692,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.2.3/policy/modules/services/ftp.if
 --- nsaserefpolicy/policy/modules/services/ftp.if	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/ftp.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/ftp.if	2007-12-06 16:37:24.000000000 -0500
 @@ -28,11 +28,13 @@
  		type ftpd_t;
  	')
@@ -6589,7 +6714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.2.3/policy/modules/services/ftp.te
 --- nsaserefpolicy/policy/modules/services/ftp.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/ftp.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/ftp.te	2007-12-06 16:37:24.000000000 -0500
 @@ -8,8 +8,8 @@
  
  ## <desc>
@@ -6672,8 +6797,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.2.3/policy/modules/services/hal.fc
 --- nsaserefpolicy/policy/modules/services/hal.fc	2007-11-14 08:17:58.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/hal.fc	2007-12-06 14:13:13.000000000 -0500
-@@ -8,18 +8,21 @@
++++ serefpolicy-3.2.3/policy/modules/services/hal.fc	2007-12-10 23:43:33.000000000 -0500
+@@ -8,6 +8,7 @@
  /usr/libexec/hal-hotplug-map 		--	gen_context(system_u:object_r:hald_exec_t,s0)
  /usr/libexec/hal-system-sonypic	 	--	gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
  /usr/libexec/hald-addon-macbookpro-backlight --	gen_context(system_u:object_r:hald_mac_exec_t,s0)
@@ -6681,9 +6806,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
  
  /usr/sbin/hald		--			gen_context(system_u:object_r:hald_exec_t,s0)
  
- /var/cache/hald(/.*)?				gen_context(system_u:object_r:hald_cache_t,s0)
- 
-+/var/lib/PolicyKit(/.*)?				gen_context(system_u:object_r:hald_var_lib_t,s0)
+@@ -16,10 +17,11 @@
  /var/lib/hal(/.*)?				gen_context(system_u:object_r:hald_var_lib_t,s0)
  
  /var/log/pm-suspend\.log			gen_context(system_u:object_r:hald_log_t,s0)
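Review bot: Dropping the `/var/lib/PolicyKit(/.*)?` entry typed hald_var_lib_t here, while polkit.fc later in this patch labels the same path polkit_var_lib_t, changes the type of a directory that may already exist on installed systems. Files created under the earlier policy keep hald_var_lib_t until they are relabelled. The package update therefore presumably needs a `restorecon -R /var/lib/PolicyKit` (or a full relabel) before the new polkit rules apply, and nothing in this hunk shows that step. It is also worth checking in permissive mode whether any hal domain still touches that directory directly, since the hal.te hunks only add `polkit_domtrans_auth` and, for hald_acl_t, `polkit_search_lib`.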
@@ -6697,9 +6820,55 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
  ifdef(`distro_gentoo',`
  /var/lib/cache/hald(/.*)?			gen_context(system_u:object_r:hald_cache_t,s0)
  ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.2.3/policy/modules/services/hal.if
+--- nsaserefpolicy/policy/modules/services/hal.if	2007-09-05 15:24:44.000000000 -0400
++++ serefpolicy-3.2.3/policy/modules/services/hal.if	2007-12-11 00:20:28.000000000 -0500
+@@ -302,3 +302,42 @@
+ 	files_search_pids($1)
+ 	allow $1 hald_var_run_t:file rw_file_perms;
+ ')
++
++########################################
++## <summary>
++##	Send a SIGCHLD signal to hal.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`hal_getattr',`
++	gen_require(`
++		type hald_t;
++	')
++
++	allow $1 hald_t:process getattr;
++')
++
++########################################
++## <summary>
++##f	Read hal system state
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`hal_read_state',`
++	gen_require(`
++		type hald_t;
++	')
++	kernel_search_proc($1)
++	allow $1 hald_t:dir list_dir_perms;
++	read_files_pattern($1,hald_t,hald_t)
++	read_lnk_files_pattern($1,hald_t,hald_t)
++	dontaudit $1 hald_t:process ptrace;
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.2.3/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2007-11-14 08:17:58.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/hal.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/hal.te	2007-12-11 00:56:25.000000000 -0500
 @@ -49,6 +49,9 @@
  type hald_var_lib_t;
  files_type(hald_var_lib_t)
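Review bot: The summary on `hal_getattr` says "Send a SIGCHLD signal to hal." but the body only grants `allow $1 hald_t:process getattr;`, so the generated interface documentation describes a permission that is not given. The summary should read `##	Get the attributes of the hal process.` In `hal_read_state` the summary line has a stray character (`##f`), and the parameter text says "Domain to not audit." although the interface allows directory listing and file reads on hald_t. `##	Read hal system state.` and `##	Domain allowed access.` would match the rules. Callers choose interfaces by their summaries, so wrong text here leads to grants that nobody intended.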
@@ -6736,7 +6905,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
  storage_raw_read_removable_device(hald_t)
  storage_raw_write_removable_device(hald_t)
  storage_raw_read_fixed_disk(hald_t)
-@@ -291,6 +297,7 @@
+@@ -265,6 +271,10 @@
+ ')
+ 
+ optional_policy(`
++	polkit_domtrans_auth(hald_t)
++')
++
++optional_policy(`
+ 	rpc_search_nfs_state_data(hald_t)
+ ')
+ 
+@@ -291,6 +301,7 @@
  #
  
  allow hald_acl_t self:capability { dac_override fowner };
@@ -6744,7 +6924,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
  allow hald_acl_t self:fifo_file read_fifo_file_perms;
  
  domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
-@@ -338,10 +345,14 @@
+@@ -325,6 +336,11 @@
+ 
+ miscfiles_read_localization(hald_acl_t)
+ 
++optional_policy(`
++	polkit_domtrans_auth(hald_acl_t)
++	polkit_search_lib(hald_acl_t)
++')
++
+ ########################################
+ #
+ # Local hald mac policy
+@@ -338,10 +354,14 @@
  manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t)
  files_search_var_lib(hald_mac_t)
  
@@ -6759,9 +6951,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
  libs_use_ld_so(hald_mac_t)
  libs_use_shared_libs(hald_mac_t)
  
+@@ -391,3 +411,4 @@
+ libs_use_shared_libs(hald_keymap_t)
+ 
+ miscfiles_read_localization(hald_keymap_t)
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.2.3/policy/modules/services/inetd.te
 --- nsaserefpolicy/policy/modules/services/inetd.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/inetd.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/inetd.te	2007-12-06 16:37:24.000000000 -0500
 @@ -30,6 +30,10 @@
  type inetd_child_var_run_t;
  files_pid_file(inetd_child_var_run_t)
@@ -6817,7 +7014,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.2.3/policy/modules/services/kerberos.fc
 --- nsaserefpolicy/policy/modules/services/kerberos.fc	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/kerberos.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/kerberos.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -16,3 +16,4 @@
  
  /var/log/krb5kdc\.log			gen_context(system_u:object_r:krb5kdc_log_t,s0)
@@ -6825,7 +7022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
 +/var/tmp/host_0			-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.2.3/policy/modules/services/kerberos.if
 --- nsaserefpolicy/policy/modules/services/kerberos.if	2007-07-16 14:09:46.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/kerberos.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/kerberos.if	2007-12-06 16:37:24.000000000 -0500
 @@ -43,7 +43,13 @@
  	dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
  	dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
@@ -6906,7 +7103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.2.3/policy/modules/services/kerberos.te
 --- nsaserefpolicy/policy/modules/services/kerberos.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/kerberos.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/kerberos.te	2007-12-06 16:37:24.000000000 -0500
 @@ -8,7 +8,7 @@
  
  ## <desc>
@@ -6996,7 +7193,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.2.3/policy/modules/services/mailman.te
 --- nsaserefpolicy/policy/modules/services/mailman.te	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/mailman.te	2007-12-06 14:20:26.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/mailman.te	2007-12-06 16:37:24.000000000 -0500
 @@ -53,10 +53,9 @@
  	apache_use_fds(mailman_cgi_t)
  	apache_dontaudit_append_log(mailman_cgi_t)
@@ -7031,13 +7228,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.fc serefpolicy-3.2.3/policy/modules/services/mailscanner.fc
 --- nsaserefpolicy/policy/modules/services/mailscanner.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/mailscanner.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/mailscanner.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -0,0 +1,2 @@
 +/var/spool/MailScanner(/.*)?	gen_context(system_u:object_r:mailscanner_spool_t,s0)
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.if serefpolicy-3.2.3/policy/modules/services/mailscanner.if
 --- nsaserefpolicy/policy/modules/services/mailscanner.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/mailscanner.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/mailscanner.if	2007-12-06 16:37:24.000000000 -0500
 @@ -0,0 +1,59 @@
 +## <summary>Anti-Virus and Anti-Spam Filter</summary>
 +
@@ -7100,7 +7297,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.te serefpolicy-3.2.3/policy/modules/services/mailscanner.te
 --- nsaserefpolicy/policy/modules/services/mailscanner.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/mailscanner.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/mailscanner.te	2007-12-06 16:37:24.000000000 -0500
 @@ -0,0 +1,5 @@
 +
 +policy_module(mailscanner,1.0.0)
@@ -7109,7 +7306,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
 +files_type(mailscanner_spool_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.2.3/policy/modules/services/mta.if
 --- nsaserefpolicy/policy/modules/services/mta.if	2007-12-06 13:12:03.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/mta.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/mta.if	2007-12-06 16:48:23.000000000 -0500
 @@ -133,6 +133,12 @@
  		sendmail_create_log($1_mail_t)
  	')
@@ -7182,7 +7379,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  ##	Modified mailserver interface for
  ##	sendmail daemon use.
  ## </summary>
-@@ -383,6 +434,7 @@
+@@ -383,11 +434,13 @@
  	allow $1 mail_spool_t:dir list_dir_perms;
  	create_files_pattern($1,mail_spool_t,mail_spool_t)
  	read_files_pattern($1,mail_spool_t,mail_spool_t)
@@ -7190,7 +7387,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  	create_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
  	read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
  
-@@ -438,20 +490,18 @@
+ 	optional_policy(`
+ 		dovecot_manage_spool($1)
++		dovecot_domtrans_deliver($1)
+ 	')
+ 
+ 	optional_policy(`
+@@ -438,20 +491,18 @@
  interface(`mta_send_mail',`
  	gen_require(`
  		attribute mta_user_agent;
@@ -7217,7 +7420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  ')
  
  ########################################
-@@ -586,6 +636,25 @@
+@@ -586,6 +637,25 @@
  	files_search_etc($1)
  	allow $1 etc_aliases_t:file { rw_file_perms setattr };
  ')
@@ -7245,7 +7448,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  ## <summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.3/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2007-12-06 13:12:03.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/mta.te	2007-12-06 14:16:01.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/mta.te	2007-12-06 16:37:24.000000000 -0500
 @@ -6,6 +6,8 @@
  # Declarations
  #
@@ -7341,7 +7544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.2.3/policy/modules/services/mysql.fc
 --- nsaserefpolicy/policy/modules/services/mysql.fc	2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/mysql.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/mysql.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -22,3 +22,5 @@
  /var/log/mysql.*	--	gen_context(system_u:object_r:mysqld_log_t,s0)
  
@@ -7350,7 +7553,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
 +/etc/rc\.d/init\.d/mysqld	--	gen_context(system_u:object_r:mysqld_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.2.3/policy/modules/services/mysql.if
 --- nsaserefpolicy/policy/modules/services/mysql.if	2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/mysql.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/mysql.if	2007-12-06 16:37:24.000000000 -0500
 @@ -157,3 +157,79 @@
  	logging_search_logs($1)
  	allow $1 mysqld_log_t:file { write append setattr ioctl };
@@ -7433,7 +7636,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.2.3/policy/modules/services/mysql.te
 --- nsaserefpolicy/policy/modules/services/mysql.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/mysql.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/mysql.te	2007-12-06 16:37:24.000000000 -0500
 @@ -25,6 +25,9 @@
  type mysqld_tmp_t;
  files_tmp_file(mysqld_tmp_t)
@@ -7446,7 +7649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
  # Local policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.2.3/policy/modules/services/nagios.fc
 --- nsaserefpolicy/policy/modules/services/nagios.fc	2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/nagios.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/nagios.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -4,13 +4,15 @@
  /usr/bin/nagios			--	gen_context(system_u:object_r:nagios_exec_t,s0)
  /usr/bin/nrpe			--	gen_context(system_u:object_r:nrpe_exec_t,s0)
@@ -7468,7 +7671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
 +/usr/lib(64)?/cgi-bin/nagios(/.+)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.2.3/policy/modules/services/nagios.if
 --- nsaserefpolicy/policy/modules/services/nagios.if	2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/nagios.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/nagios.if	2007-12-06 16:37:24.000000000 -0500
 @@ -44,25 +44,6 @@
  
  ########################################
@@ -7497,7 +7700,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
  ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.2.3/policy/modules/services/nagios.te
 --- nsaserefpolicy/policy/modules/services/nagios.te	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/nagios.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/nagios.te	2007-12-06 16:37:24.000000000 -0500
 @@ -8,11 +8,7 @@
  
  type nagios_t;
@@ -7596,7 +7799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.2.3/policy/modules/services/networkmanager.fc
 --- nsaserefpolicy/policy/modules/services/networkmanager.fc	2007-09-12 10:34:18.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/networkmanager.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/networkmanager.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -5,3 +5,4 @@
  /var/run/NetworkManager(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
@@ -7604,7 +7807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
 +/var/log/wpa_supplicant\.log	--	gen_context(system_u:object_r:NetworkManager_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.2.3/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2007-10-29 07:52:49.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/networkmanager.te	2007-12-06 14:23:39.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/networkmanager.te	2007-12-06 16:37:24.000000000 -0500
 @@ -13,6 +13,9 @@
  type NetworkManager_var_run_t;
  files_pid_file(NetworkManager_var_run_t)
@@ -7691,7 +7894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.2.3/policy/modules/services/nis.fc
 --- nsaserefpolicy/policy/modules/services/nis.fc	2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/nis.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/nis.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -4,6 +4,7 @@
  /sbin/ypbind		--	gen_context(system_u:object_r:ypbind_exec_t,s0)
  
@@ -7702,7 +7905,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
  /usr/sbin/rpc\.ypxfrd	--	gen_context(system_u:object_r:ypxfr_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.2.3/policy/modules/services/nis.if
 --- nsaserefpolicy/policy/modules/services/nis.if	2007-07-16 14:09:46.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/nis.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/nis.if	2007-12-06 16:37:24.000000000 -0500
 @@ -49,8 +49,8 @@
  	corenet_udp_bind_all_nodes($1)
  	corenet_tcp_bind_generic_port($1)
@@ -7742,7 +7945,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.2.3/policy/modules/services/nis.te
 --- nsaserefpolicy/policy/modules/services/nis.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/nis.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/nis.te	2007-12-06 16:37:24.000000000 -0500
 @@ -113,6 +113,17 @@
  userdom_dontaudit_use_unpriv_user_fds(ypbind_t)
  userdom_dontaudit_search_sysadm_home_dirs(ypbind_t)
@@ -7800,7 +8003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
  corenet_tcp_connect_all_ports(ypxfr_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.2.3/policy/modules/services/nscd.fc
 --- nsaserefpolicy/policy/modules/services/nscd.fc	2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/nscd.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/nscd.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -9,3 +9,5 @@
  /var/run/\.nscd_socket	-s	gen_context(system_u:object_r:nscd_var_run_t,s0)
  
@@ -7809,7 +8012,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd
 +/etc/rc\.d/init\.d/nscd	--	gen_context(system_u:object_r:httpd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.2.3/policy/modules/services/nscd.if
 --- nsaserefpolicy/policy/modules/services/nscd.if	2007-03-26 10:39:04.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/nscd.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/nscd.if	2007-12-06 16:37:24.000000000 -0500
 @@ -70,15 +70,14 @@
  interface(`nscd_socket_use',`
  	gen_require(`
@@ -7853,7 +8056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.2.3/policy/modules/services/nscd.te
 --- nsaserefpolicy/policy/modules/services/nscd.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/nscd.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/nscd.te	2007-12-06 16:37:24.000000000 -0500
 @@ -23,19 +23,22 @@
  type nscd_log_t;
  logging_log_file(nscd_log_t)
@@ -7921,7 +8124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.fc serefpolicy-3.2.3/policy/modules/services/ntp.fc
 --- nsaserefpolicy/policy/modules/services/ntp.fc	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/ntp.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/ntp.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -17,3 +17,8 @@
  /var/log/xntpd.*		--	gen_context(system_u:object_r:ntpd_log_t,s0)
  
@@ -7933,7 +8136,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
 +/etc/rc\.d/init\.d/ntpd	--	gen_context(system_u:object_r:ntpd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.2.3/policy/modules/services/ntp.if
 --- nsaserefpolicy/policy/modules/services/ntp.if	2007-03-26 10:39:05.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/ntp.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/ntp.if	2007-12-06 16:37:24.000000000 -0500
 @@ -53,3 +53,22 @@
  	corecmd_search_bin($1)
  	domtrans_pattern($1,ntpdate_exec_t,ntpd_t)
@@ -7959,7 +8162,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.2.3/policy/modules/services/ntp.te
 --- nsaserefpolicy/policy/modules/services/ntp.te	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/ntp.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/ntp.te	2007-12-06 16:37:24.000000000 -0500
 @@ -25,6 +25,12 @@
  type ntpdate_exec_t;
  init_system_domain(ntpd_t,ntpdate_exec_t)
@@ -8023,7 +8226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openct.te serefpolicy-3.2.3/policy/modules/services/openct.te
 --- nsaserefpolicy/policy/modules/services/openct.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/openct.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/openct.te	2007-12-06 16:37:24.000000000 -0500
 @@ -22,6 +22,7 @@
  allow openct_t self:process signal_perms;
  
@@ -8034,7 +8237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
  kernel_read_kernel_sysctls(openct_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.fc serefpolicy-3.2.3/policy/modules/services/openvpn.fc
 --- nsaserefpolicy/policy/modules/services/openvpn.fc	2007-06-11 16:05:22.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/openvpn.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/openvpn.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -11,5 +11,5 @@
  #
  # /var
@@ -8044,7 +8247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
  /var/run/openvpn(/.*)?		gen_context(system_u:object_r:openvpn_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.2.3/policy/modules/services/openvpn.te
 --- nsaserefpolicy/policy/modules/services/openvpn.te	2007-10-29 07:52:49.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/openvpn.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/openvpn.te	2007-12-10 09:37:01.000000000 -0500
 @@ -8,7 +8,7 @@
  
  ## <desc>
@@ -8054,6 +8257,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
  ## </p>
  ## </desc>
  gen_tunable(openvpn_enable_homedirs,false)
+@@ -35,7 +35,7 @@
+ # openvpn local policy
+ #
+ 
+-allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_tty_config };
++allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
+ allow openvpn_t self:process { signal getsched };
+ 
+ allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
 @@ -110,3 +110,12 @@
  
  	networkmanager_dbus_chat(openvpn_t)
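Review bot: The `allow openvpn_t self:capability` line now includes `sys_chroot` with no comment saying which feature needs it, on a domain that already holds dac_override, setuid and setgid. A one-line comment above the rule, for example `# sys_chroot: presumably for the chroot option in the openvpn configuration`, would let a later reviewer tell an intended grant from an accumulated one. If chroot use is uncommon on the targeted systems, gating the capability behind a tunable in the style of the existing `openvpn_enable_homedirs` would keep the default set smaller.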
@@ -8069,7 +8281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.2.3/policy/modules/services/pcscd.te
 --- nsaserefpolicy/policy/modules/services/pcscd.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/pcscd.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/pcscd.te	2007-12-06 16:37:24.000000000 -0500
 @@ -45,6 +45,7 @@
  files_read_etc_files(pcscd_t)
  files_read_etc_runtime_files(pcscd_t)
@@ -8080,7 +8292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcsc
  libs_use_ld_so(pcscd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.2.3/policy/modules/services/pegasus.te
 --- nsaserefpolicy/policy/modules/services/pegasus.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/pegasus.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/pegasus.te	2007-12-06 16:37:24.000000000 -0500
 @@ -42,6 +42,7 @@
  allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink };
  allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
@@ -8128,9 +8340,122 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega
  	rpm_exec(pegasus_t)
  ')
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.2.3/policy/modules/services/polkit.fc
+--- nsaserefpolicy/policy/modules/services/polkit.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/polkit.fc	2007-12-11 00:42:20.000000000 -0500
+@@ -0,0 +1,5 @@
++
++/usr/libexec/polkit-read-auth-helper	--	gen_context(system_u:object_r:polkit_auth_exec_t,s0)
++
++/var/lib/PolicyKit(/.*)?			gen_context(system_u:object_r:polkit_var_lib_t,s0)
++/var/lib/PolicyKit-public(/.*)?			gen_context(system_u:object_r:polkit_var_lib_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.2.3/policy/modules/services/polkit.if
+--- nsaserefpolicy/policy/modules/services/polkit.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/polkit.if	2007-12-11 00:56:05.000000000 -0500
+@@ -0,0 +1,41 @@
++
++## <summary>policy for polkit_auth</summary>
++
++########################################
++## <summary>
++##	Execute a domain transition to run polkit_auth.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`polkit_domtrans_auth',`
++	gen_require(`
++		type polkit_auth_t;
++                type polkit_auth_exec_t;
++	')
++
++	domtrans_pattern($1,polkit_auth_exec_t,polkit_auth_t)
++')
++
++########################################
++## <summary>
++##	Search polkit lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`polkit_search_lib',`
++	gen_require(`
++		type polkit_var_lib_t;
++	')
++
++	allow $1 polkit_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.2.3/policy/modules/services/polkit.te
+--- nsaserefpolicy/policy/modules/services/polkit.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/polkit.te	2007-12-11 00:18:16.000000000 -0500
+@@ -0,0 +1,55 @@
++policy_module(polkit_auth,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type polkit_auth_t;
++type polkit_auth_exec_t;
++domain_type(polkit_auth_t)
++init_daemon_domain(polkit_auth_t, polkit_auth_exec_t)
++
++type polkit_var_lib_t;
++files_type(polkit_var_lib_t)
++
++########################################
++#
++# polkit_auth local policy
++#
++
++allow polkit_auth_t self:process getattr;
++
++allow polkit_auth_t self:unix_dgram_socket create_socket_perms;
++allow polkit_auth_t self:fifo_file rw_file_perms;
++allow polkit_auth_t self:unix_stream_socket create_stream_socket_perms;
++
++can_exec(polkit_auth_t, polkit_auth_exec_t)
++corecmd_search_bin(polkit_auth_t)
++
++domain_use_interactive_fds(polkit_auth_t)
++
++files_read_etc_files(polkit_auth_t)
++files_read_usr_files(polkit_auth_t)
++
++auth_use_nsswitch(polkit_auth_t)
++
++libs_use_ld_so(polkit_auth_t)
++libs_use_shared_libs(polkit_auth_t)
++
++miscfiles_read_localization(polkit_auth_t)
++
++logging_send_syslog_msg(polkit_auth_t)
++
++manage_files_pattern(polkit_auth_t, polkit_var_lib_t, polkit_var_lib_t)
++
++optional_policy(`
++	dbus_system_bus_client_template(polkit_auth, polkit_auth_t)
++	consolekit_dbus_chat(polkit_auth_t)
++')
++
++optional_policy(`
++	hal_getattr(polkit_auth_t)
++	hal_read_state(polkit_auth_t)
++')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portslave.te serefpolicy-3.2.3/policy/modules/services/portslave.te
 --- nsaserefpolicy/policy/modules/services/portslave.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/portslave.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/portslave.te	2007-12-06 16:37:24.000000000 -0500
 @@ -85,6 +85,7 @@
  
  auth_rw_login_records(portslave_t)
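Review bot: In the new polkit.te, `manage_files_pattern(polkit_auth_t, polkit_var_lib_t, polkit_var_lib_t)` gives the helper create, write and unlink on the authorization store, yet the only executable labelled polkit_auth_exec_t in polkit.fc is `polkit-read-auth-helper`. If that helper only reads, `read_files_pattern(polkit_auth_t, polkit_var_lib_t, polkit_var_lib_t)` is the narrower grant. polkit.fc also gives `/var/lib/PolicyKit` and `/var/lib/PolicyKit-public` the same type, so any domain later allowed to read one can read the other; a separate type for the public directory would keep them apart. Separately, the file is polkit.te but declares `policy_module(polkit_auth,1.0.0)`, whereas mailscanner.te in this patch uses its own file name, so `policy_module(polkit,1.0.0)` looks intended.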
@@ -8141,7 +8466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.2.3/policy/modules/services/postfix.fc
 --- nsaserefpolicy/policy/modules/services/postfix.fc	2007-09-12 10:34:18.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/postfix.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/postfix.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -29,12 +29,10 @@
  /usr/lib/postfix/smtpd	--	gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
  /usr/lib/postfix/bounce	--	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
@@ -8157,7 +8482,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  /usr/sbin/postkick	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.2.3/policy/modules/services/postfix.if
 --- nsaserefpolicy/policy/modules/services/postfix.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/postfix.if	2007-12-06 14:21:28.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/postfix.if	2007-12-06 16:37:24.000000000 -0500
 @@ -427,6 +427,26 @@
  
  ########################################
@@ -8187,7 +8512,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.2.3/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/postfix.te	2007-12-06 14:16:10.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/postfix.te	2007-12-06 16:37:24.000000000 -0500
 @@ -6,6 +6,14 @@
  # Declarations
  #
@@ -8309,7 +8634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  # Postfix virtual local policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.2.3/policy/modules/services/postgresql.fc
 --- nsaserefpolicy/policy/modules/services/postgresql.fc	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/postgresql.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/postgresql.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -38,3 +38,5 @@
  ')
  
@@ -8318,7 +8643,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 +/etc/rc\.d/init\.d/postgresql	--	gen_context(system_u:object_r:postgresql_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.2.3/policy/modules/services/postgresql.if
 --- nsaserefpolicy/policy/modules/services/postgresql.if	2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/postgresql.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/postgresql.if	2007-12-06 16:37:24.000000000 -0500
 @@ -120,3 +120,77 @@
          # Some versions of postgresql put the sock file in /tmp
  	allow $1 postgresql_tmp_t:sock_file write;
@@ -8399,7 +8724,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.2.3/policy/modules/services/postgresql.te
 --- nsaserefpolicy/policy/modules/services/postgresql.te	2007-12-06 13:12:03.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/postgresql.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/postgresql.te	2007-12-06 16:37:24.000000000 -0500
 @@ -27,6 +27,9 @@
  type postgresql_var_run_t;
  files_pid_file(postgresql_var_run_t)
@@ -8412,7 +8737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  # postgresql Local policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.2.3/policy/modules/services/ppp.fc
 --- nsaserefpolicy/policy/modules/services/ppp.fc	2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/ppp.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/ppp.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -25,7 +25,7 @@
  #
  # /var
@@ -8424,7 +8749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
  # Fix pptp sockets
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.2.3/policy/modules/services/ppp.te
 --- nsaserefpolicy/policy/modules/services/ppp.te	2007-11-16 13:45:14.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/ppp.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/ppp.te	2007-12-06 16:37:24.000000000 -0500
 @@ -194,6 +194,8 @@
  
  optional_policy(`
@@ -8436,7 +8761,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.2.3/policy/modules/services/procmail.te
 --- nsaserefpolicy/policy/modules/services/procmail.te	2007-11-16 13:45:14.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/procmail.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/procmail.te	2007-12-06 16:37:24.000000000 -0500
 @@ -133,3 +133,7 @@
  	spamassassin_exec_client(procmail_t)
  	spamassassin_read_lib_files(procmail_t)
@@ -8447,7 +8772,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.2.3/policy/modules/services/pyzor.fc
 --- nsaserefpolicy/policy/modules/services/pyzor.fc	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/pyzor.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/pyzor.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -1,6 +1,6 @@
  /etc/pyzor(/.*)?		gen_context(system_u:object_r:pyzor_etc_t, s0)
  
@@ -8458,7 +8783,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
  /usr/bin/pyzord		--	gen_context(system_u:object_r:pyzord_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.2.3/policy/modules/services/pyzor.if
 --- nsaserefpolicy/policy/modules/services/pyzor.if	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/pyzor.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/pyzor.if	2007-12-06 16:37:24.000000000 -0500
 @@ -25,16 +25,18 @@
  #
  template(`pyzor_per_role_template',`
@@ -8487,7 +8812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.2.3/policy/modules/services/pyzor.te
 --- nsaserefpolicy/policy/modules/services/pyzor.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/pyzor.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/pyzor.te	2007-12-10 16:52:47.000000000 -0500
 @@ -28,6 +28,9 @@
  type pyzor_var_lib_t;
  files_type(pyzor_var_lib_t)
@@ -8500,7 +8825,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
  # Pyzor local policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.2.3/policy/modules/services/radius.te
 --- nsaserefpolicy/policy/modules/services/radius.te	2007-11-16 13:45:14.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/radius.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/radius.te	2007-12-06 16:37:24.000000000 -0500
 @@ -88,6 +88,7 @@
  
  auth_read_shadow(radiusd_t)
@@ -8511,7 +8836,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi
  corecmd_exec_shell(radiusd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.2.3/policy/modules/services/razor.fc
 --- nsaserefpolicy/policy/modules/services/razor.fc	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/razor.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/razor.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -1,4 +1,4 @@
 -HOME_DIR/\.razor(/.*)?		gen_context(system_u:object_r:ROLE_razor_home_t,s0)
 +HOME_DIR/\.razor(/.*)?		gen_context(system_u:object_r:user_razor_home_t,s0)
@@ -8520,7 +8845,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.2.3/policy/modules/services/razor.if
 --- nsaserefpolicy/policy/modules/services/razor.if	2007-07-16 14:09:46.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/razor.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/razor.if	2007-12-06 16:37:24.000000000 -0500
 @@ -137,6 +137,7 @@
  template(`razor_per_role_template',`
  	gen_require(`
@@ -8548,7 +8873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
  	#
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.2.3/policy/modules/services/razor.te
 --- nsaserefpolicy/policy/modules/services/razor.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/razor.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/razor.te	2007-12-06 16:37:24.000000000 -0500
 @@ -23,6 +23,12 @@
  
  razor_common_domain_template(razor)
@@ -8564,7 +8889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
  # Local policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.if serefpolicy-3.2.3/policy/modules/services/remotelogin.if
 --- nsaserefpolicy/policy/modules/services/remotelogin.if	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/remotelogin.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/remotelogin.if	2007-12-06 16:37:24.000000000 -0500
 @@ -18,3 +18,20 @@
  	auth_domtrans_login_program($1,remote_login_t)
  ')
@@ -8588,7 +8913,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remo
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-3.2.3/policy/modules/services/remotelogin.te
 --- nsaserefpolicy/policy/modules/services/remotelogin.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/remotelogin.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/remotelogin.te	2007-12-06 16:37:24.000000000 -0500
 @@ -85,6 +85,7 @@
  
  miscfiles_read_localization(remote_login_t)
@@ -8599,7 +8924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remo
  # Only permit unprivileged user domains to be entered via rlogin,
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.2.3/policy/modules/services/ricci.te
 --- nsaserefpolicy/policy/modules/services/ricci.te	2007-11-16 13:45:14.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/ricci.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/ricci.te	2007-12-06 16:37:24.000000000 -0500
 @@ -138,6 +138,7 @@
  files_create_boot_flag(ricci_t)
  
@@ -8621,7 +8946,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.2.3/policy/modules/services/rlogin.te
 --- nsaserefpolicy/policy/modules/services/rlogin.te	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/rlogin.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/rlogin.te	2007-12-06 16:37:24.000000000 -0500
 @@ -36,6 +36,8 @@
  allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr };
  term_create_pty(rlogind_t,rlogind_devpts_t)
@@ -8669,7 +8994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog
 -')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.2.3/policy/modules/services/rpcbind.te
 --- nsaserefpolicy/policy/modules/services/rpcbind.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/rpcbind.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/rpcbind.te	2007-12-10 14:43:15.000000000 -0500
 @@ -21,11 +21,13 @@
  # rpcbind local policy
  #
@@ -8687,7 +9012,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcb
  manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.2.3/policy/modules/services/rpc.if
 --- nsaserefpolicy/policy/modules/services/rpc.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/rpc.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/rpc.if	2007-12-06 16:37:24.000000000 -0500
 @@ -88,8 +88,11 @@
  	# bind to arbitary unused ports
  	corenet_tcp_bind_generic_port($1_t)
@@ -8728,7 +9053,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.2.3/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/rpc.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/rpc.te	2007-12-10 14:41:10.000000000 -0500
 @@ -8,7 +8,7 @@
  
  ## <desc>
@@ -8827,7 +9152,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  	userdom_read_unpriv_users_tmp_files(gssd_t) 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.2.3/policy/modules/services/rshd.te
 --- nsaserefpolicy/policy/modules/services/rshd.te	2007-12-06 13:12:03.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/rshd.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/rshd.te	2007-12-06 16:37:24.000000000 -0500
 @@ -16,7 +16,7 @@
  #
  # Local policy
@@ -8890,7 +9215,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.fc serefpolicy-3.2.3/policy/modules/services/rsync.fc
 --- nsaserefpolicy/policy/modules/services/rsync.fc	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/rsync.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/rsync.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -1,2 +1,4 @@
  
  /usr/bin/rsync		--	gen_context(system_u:object_r:rsync_exec_t,s0)
@@ -8898,7 +9223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
 +/var/log/rsync.log      --	gen_context(system_u:object_r:rsync_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.2.3/policy/modules/services/rsync.te
 --- nsaserefpolicy/policy/modules/services/rsync.te	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/rsync.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/rsync.te	2007-12-06 16:37:24.000000000 -0500
 @@ -8,7 +8,7 @@
  
  ## <desc>
@@ -8964,7 +9289,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.2.3/policy/modules/services/samba.fc
 --- nsaserefpolicy/policy/modules/services/samba.fc	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/samba.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/samba.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -15,6 +15,7 @@
  /usr/bin/ntlm_auth		--	gen_context(system_u:object_r:winbind_helper_exec_t,s0)
  /usr/bin/smbmount		--	gen_context(system_u:object_r:smbmount_exec_t,s0)
@@ -8984,7 +9309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  /var/run/samba/brlock\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.2.3/policy/modules/services/samba.if
 --- nsaserefpolicy/policy/modules/services/samba.if	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/samba.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/samba.if	2007-12-06 16:37:24.000000000 -0500
 @@ -331,6 +331,25 @@
  
  ########################################
@@ -9124,7 +9449,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.2.3/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2007-12-06 13:12:03.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/samba.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/samba.te	2007-12-06 16:37:24.000000000 -0500
 @@ -9,14 +9,14 @@
  ## <desc>
  ## <p>
@@ -9449,7 +9774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 +allow smbcontrol_t nmbd_var_run_t:file { read lock };
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.2.3/policy/modules/services/sasl.te
 --- nsaserefpolicy/policy/modules/services/sasl.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/sasl.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/sasl.te	2007-12-06 16:37:24.000000000 -0500
 @@ -64,6 +64,7 @@
  selinux_compute_access_vector(saslauthd_t)
  
@@ -9471,7 +9796,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.2.3/policy/modules/services/sendmail.if
 --- nsaserefpolicy/policy/modules/services/sendmail.if	2007-08-27 13:57:20.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/sendmail.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/sendmail.if	2007-12-06 16:37:24.000000000 -0500
 @@ -149,3 +149,85 @@
  
  	logging_log_filetrans($1,sendmail_log_t,file)
@@ -9560,7 +9885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.2.3/policy/modules/services/sendmail.te
 --- nsaserefpolicy/policy/modules/services/sendmail.te	2007-12-06 13:12:03.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/sendmail.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/sendmail.te	2007-12-06 16:37:24.000000000 -0500
 @@ -20,12 +20,16 @@
  mta_mailserver_delivery(sendmail_t)
  mta_mailserver_sender(sendmail_t)
@@ -9660,7 +9985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
 -') dnl end TODO
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.2.3/policy/modules/services/setroubleshoot.te
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2007-10-29 07:52:49.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/setroubleshoot.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/setroubleshoot.te	2007-12-06 16:37:24.000000000 -0500
 @@ -27,8 +27,8 @@
  # setroubleshootd local policy
  #
@@ -9701,7 +10026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.2.3/policy/modules/services/snmp.te
 --- nsaserefpolicy/policy/modules/services/snmp.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/snmp.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/snmp.te	2007-12-06 16:37:24.000000000 -0500
 @@ -81,8 +81,7 @@
  files_read_usr_files(snmpd_t)
  files_read_etc_runtime_files(snmpd_t)
@@ -9714,7 +10039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp
  fs_getattr_all_fs(snmpd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.fc serefpolicy-3.2.3/policy/modules/services/soundserver.fc
 --- nsaserefpolicy/policy/modules/services/soundserver.fc	2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/soundserver.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/soundserver.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -1,5 +1,3 @@
 -/etc/nas(/.*)?			gen_context(system_u:object_r:soundd_etc_t,s0)
 -/etc/yiff(/.*)?			gen_context(system_u:object_r:soundd_etc_t,s0)
@@ -9730,7 +10055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
  /var/state/yiff(/.*)?		gen_context(system_u:object_r:soundd_state_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.te serefpolicy-3.2.3/policy/modules/services/soundserver.te
 --- nsaserefpolicy/policy/modules/services/soundserver.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/soundserver.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/soundserver.te	2007-12-06 16:37:24.000000000 -0500
 @@ -10,9 +10,6 @@
  type soundd_exec_t;
  init_daemon_domain(soundd_t,soundd_exec_t)
@@ -9793,7 +10118,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.2.3/policy/modules/services/spamassassin.fc
 --- nsaserefpolicy/policy/modules/services/spamassassin.fc	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/spamassassin.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/spamassassin.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -1,4 +1,4 @@
 -HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)
 +HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:user_spamassassin_home_t,s0)
@@ -9802,7 +10127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
  /usr/bin/spamassassin	--	gen_context(system_u:object_r:spamassassin_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.2.3/policy/modules/services/spamassassin.if
 --- nsaserefpolicy/policy/modules/services/spamassassin.if	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/spamassassin.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/spamassassin.if	2007-12-06 16:37:24.000000000 -0500
 @@ -38,6 +38,8 @@
  	gen_require(`
  		type spamc_exec_t, spamassassin_exec_t;
@@ -9930,7 +10255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.2.3/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/spamassassin.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/spamassassin.te	2007-12-06 16:37:24.000000000 -0500
 @@ -44,6 +44,15 @@
  type spamassassin_exec_t;
  application_executable_file(spamassassin_exec_t)
@@ -9975,7 +10300,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.2.3/policy/modules/services/squid.fc
 --- nsaserefpolicy/policy/modules/services/squid.fc	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/squid.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/squid.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -12,3 +12,5 @@
  /var/run/squid\.pid	--	gen_context(system_u:object_r:squid_var_run_t,s0)
  
@@ -9984,7 +10309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
 +/usr/lib64/squid/cachemgr\.cgi	--	gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.2.3/policy/modules/services/squid.if
 --- nsaserefpolicy/policy/modules/services/squid.if	2007-05-07 10:32:44.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/squid.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/squid.if	2007-12-06 16:37:24.000000000 -0500
 @@ -131,3 +131,22 @@
  interface(`squid_use',`
  	refpolicywarn(`$0($*) has been deprecated.')
@@ -10010,7 +10335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.2.3/policy/modules/services/squid.te
 --- nsaserefpolicy/policy/modules/services/squid.te	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/squid.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/squid.te	2007-12-06 16:37:24.000000000 -0500
 @@ -36,7 +36,7 @@
  # Local policy
  #
@@ -10069,7 +10394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.2.3/policy/modules/services/ssh.fc
 --- nsaserefpolicy/policy/modules/services/ssh.fc	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/ssh.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/ssh.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -1,4 +1,4 @@
 -HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ROLE_home_ssh_t,s0)
 +HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:user_ssh_home_t,s0)
@@ -10078,7 +10403,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  /etc/ssh/ssh_host_key 		--	gen_context(system_u:object_r:sshd_key_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.2.3/policy/modules/services/ssh.if
 --- nsaserefpolicy/policy/modules/services/ssh.if	2007-07-23 10:20:13.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/ssh.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/ssh.if	2007-12-06 16:37:24.000000000 -0500
 @@ -36,6 +36,7 @@
  	gen_require(`
  		attribute ssh_server;
@@ -10240,7 +10565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.2.3/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/ssh.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/ssh.te	2007-12-06 16:37:24.000000000 -0500
 @@ -24,7 +24,7 @@
  
  # Type for the ssh-agent executable.
@@ -10299,7 +10624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.2.3/policy/modules/services/telnet.te
 --- nsaserefpolicy/policy/modules/services/telnet.te	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/telnet.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/telnet.te	2007-12-06 16:37:24.000000000 -0500
 @@ -37,6 +37,8 @@
  allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr };
  term_create_pty(telnetd_t,telnetd_devpts_t)
@@ -10350,7 +10675,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.fc serefpolicy-3.2.3/policy/modules/services/tftp.fc
 --- nsaserefpolicy/policy/modules/services/tftp.fc	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/tftp.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/tftp.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -4,3 +4,4 @@
  
  /tftpboot		-d	gen_context(system_u:object_r:tftpdir_t,s0)
@@ -10358,7 +10683,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp
 +/var/lib/tftp(/.*)?		gen_context(system_u:object_r:tftpdir_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uwimap.te serefpolicy-3.2.3/policy/modules/services/uwimap.te
 --- nsaserefpolicy/policy/modules/services/uwimap.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/uwimap.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/uwimap.te	2007-12-06 16:37:24.000000000 -0500
 @@ -64,6 +64,7 @@
  fs_search_auto_mountpoints(imapd_t)
  
@@ -10369,18 +10694,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uwim
  libs_use_shared_libs(imapd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.fc serefpolicy-3.2.3/policy/modules/services/w3c.fc
 --- nsaserefpolicy/policy/modules/services/w3c.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/w3c.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/w3c.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -0,0 +1,2 @@
 +/usr/share/w3c-markup-validator(/.*)?		gen_context(system_u:object_r:httpd_w3c_validator_content_t,s0)
 +/usr/share/w3c-markup-validator/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.if serefpolicy-3.2.3/policy/modules/services/w3c.if
 --- nsaserefpolicy/policy/modules/services/w3c.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/w3c.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/w3c.if	2007-12-06 16:37:24.000000000 -0500
 @@ -0,0 +1 @@
 +## <summary>W3C</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.2.3/policy/modules/services/w3c.te
 --- nsaserefpolicy/policy/modules/services/w3c.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/w3c.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/w3c.te	2007-12-06 16:37:24.000000000 -0500
 @@ -0,0 +1,14 @@
 +policy_module(w3c,1.2.1)
 +
@@ -10398,7 +10723,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.
 +miscfiles_read_certs(httpd_w3c_validator_script_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.2.3/policy/modules/services/xserver.fc
 --- nsaserefpolicy/policy/modules/services/xserver.fc	2007-10-15 16:11:05.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/xserver.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/xserver.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -1,13 +1,13 @@
  #
  # HOME_DIR
@@ -10467,7 +10792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.3/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/xserver.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/xserver.if	2007-12-06 16:37:24.000000000 -0500
 @@ -115,8 +115,7 @@
  	dev_rw_agp($1_xserver_t)
  	dev_rw_framebuffer($1_xserver_t)
@@ -10988,7 +11313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.2.3/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-12-06 13:12:03.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/xserver.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/xserver.te	2007-12-06 20:54:40.000000000 -0500
 @@ -16,6 +16,13 @@
  
  ## <desc>
@@ -11153,9 +11478,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
  
-@@ -305,6 +354,11 @@
+@@ -304,7 +353,16 @@
+ ')
  
  optional_policy(`
++	bootloader_domtrans(xdm_t)
++')
++
++optional_policy(`
  	consolekit_dbus_chat(xdm_t)
 +	dbus_system_bus_client_template(xdm, xdm_t)
 +	dbus_per_role_template(xdm, xdm_t, system_r)
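Review bot: The new `optional_policy` block calling `bootloader_domtrans(xdm_t)` in xserver.te has no comment saying what the display manager runs in the bootloader domain. This is a notable grant, because xdm_t sits in front of unauthenticated local users and the bootloader domain is normally reserved for tools that change boot configuration. I would put `# xdm_t enters the bootloader domain for: <feature, to be filled in by the author>` above the call and check whether a narrower interface than a full domain transition covers the need. The xdm local policy continues outside this hunk, so an existing justification elsewhere in the file cannot be ruled out.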
@@ -11165,7 +11495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  optional_policy(`
-@@ -322,6 +376,10 @@
+@@ -322,6 +380,10 @@
  ')
  
  optional_policy(`
@@ -11176,7 +11506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	loadkeys_exec(xdm_t)
  ')
  
-@@ -343,8 +401,8 @@
+@@ -343,8 +405,8 @@
  ')
  
  optional_policy(`
@@ -11186,7 +11516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -380,7 +438,7 @@
+@@ -380,7 +442,7 @@
  allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
  
@@ -11195,7 +11525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -392,6 +450,15 @@
+@@ -392,6 +454,15 @@
  can_exec(xdm_xserver_t, xkb_var_lib_t)
  files_search_var_lib(xdm_xserver_t)
  
@@ -11211,7 +11541,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  # VNC v4 module in X server
  corenet_tcp_bind_vnc_port(xdm_xserver_t)
  
-@@ -404,6 +471,7 @@
+@@ -404,6 +475,7 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
@@ -11219,7 +11549,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  xserver_use_all_users_fonts(xdm_xserver_t)
  
-@@ -420,6 +488,14 @@
+@@ -420,6 +492,14 @@
  ')
  
  optional_policy(`
@@ -11234,7 +11564,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	resmgr_stream_connect(xdm_t)
  ')
  
-@@ -429,47 +505,30 @@
+@@ -429,47 +509,30 @@
  ')
  
  optional_policy(`
@@ -11305,17 +11635,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 -') dnl end TODO
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.2.3/policy/modules/system/authlogin.fc
 --- nsaserefpolicy/policy/modules/system/authlogin.fc	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/system/authlogin.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/authlogin.fc	2007-12-11 00:57:25.000000000 -0500
 @@ -41,3 +41,6 @@
  /var/run/console(/.*)?	 	gen_context(system_u:object_r:pam_var_console_t,s0)
  
  /var/run/sudo(/.*)?		gen_context(system_u:object_r:pam_var_run_t,s0)
-+/var/lib/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
++/var/run/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
 +
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.2.3/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/system/authlogin.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/authlogin.if	2007-12-06 16:37:24.000000000 -0500
 @@ -169,6 +169,7 @@
  interface(`auth_login_pgm_domain',`
  	gen_require(`
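Review bot: The relabelled entry `/var/run/pam_ssh(/.*)?` in authlogin.fc only takes effect when a relabel is run, and content under /var/run is normally created at runtime. Unless a type transition to var_auth_t for that directory exists elsewhere (none is visible in this hunk), the directory will come up with its parent's type instead. The change also drops the `/var/lib/pam_ssh(/.*)?` entry outright, so files left at the old path lose their var_auth_t label on the next relabel. A short comment on why this path is var_auth_t while the neighbouring `/var/run/sudo(/.*)?` is pam_var_run_t would help, for example `# pam_ssh keeps authentication state here, hence var_auth_t` if that is the reason.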
@@ -11496,7 +11826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.2.3/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2007-12-06 13:12:03.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/system/authlogin.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/authlogin.te	2007-12-10 14:49:03.000000000 -0500
 @@ -59,6 +59,9 @@
  type utempter_exec_t;
  application_domain(utempter_t,utempter_exec_t)
@@ -11517,17 +11847,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  ########################################
  #
  # PAM local policy
-@@ -121,6 +127,9 @@
+@@ -121,6 +127,10 @@
  logging_send_syslog_msg(pam_t)
  
  userdom_use_unpriv_users_fds(pam_t)
 +userdom_write_unpriv_users_tmp_files(pam_t)
-+userdom_dontaudit_read_unpriv_users_home_content_files(pam_t)
 +userdom_unlink_unpriv_users_tmp_files(pam_t)
++userdom_read_unpriv_users_home_content_files(pam_t)
++userdom_append_unpriv_users_home_content_files(pam_t)
  
  optional_policy(`
  	locallogin_use_fds(pam_t)
-@@ -279,8 +288,10 @@
+@@ -279,8 +289,10 @@
  files_manage_etc_files(updpwd_t)
  
  term_dontaudit_use_console(updpwd_t)
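Review bot: In the PAM local policy, replacing `userdom_dontaudit_read_unpriv_users_home_content_files(pam_t)` with `userdom_read_unpriv_users_home_content_files(pam_t)` and `userdom_append_unpriv_users_home_content_files(pam_t)` turns a silenced denial into real read and append access to unprivileged users' home content. No comment names the PAM module that needs it. pam_t processes authentication input, so access this broad deserves a stated reason and, if the consumer only touches one directory, a dedicated type for that directory rather than all home content. At minimum I would add `# read/append on user home content needed by <PAM module> - <bug reference>` above the two new lines.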
@@ -11539,7 +11870,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  
  auth_manage_shadow(updpwd_t)
  auth_use_nsswitch(updpwd_t)
-@@ -329,11 +340,6 @@
+@@ -329,11 +341,6 @@
  ')
  
  optional_policy(`
@@ -11553,7 +11884,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.2.3/policy/modules/system/fstools.fc
 --- nsaserefpolicy/policy/modules/system/fstools.fc	2007-09-26 12:15:01.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/system/fstools.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/fstools.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -1,4 +1,3 @@
 -/sbin/badblocks		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/blkid		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -11569,7 +11900,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
  /sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-3.2.3/policy/modules/system/fstools.if
 --- nsaserefpolicy/policy/modules/system/fstools.if	2007-08-22 17:33:53.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/system/fstools.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/fstools.if	2007-12-06 16:37:24.000000000 -0500
 @@ -142,3 +142,20 @@
  
  	allow $1 swapfile_t:file getattr;
@@ -11593,7 +11924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.2.3/policy/modules/system/fstools.te
 --- nsaserefpolicy/policy/modules/system/fstools.te	2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/system/fstools.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/fstools.te	2007-12-06 16:37:24.000000000 -0500
 @@ -109,8 +109,7 @@
  
  term_use_console(fsadm_t)
@@ -11612,7 +11943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.2.3/policy/modules/system/getty.te
 --- nsaserefpolicy/policy/modules/system/getty.te	2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/system/getty.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/getty.te	2007-12-06 16:37:24.000000000 -0500
 @@ -33,7 +33,8 @@
  #
  
@@ -11625,7 +11956,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.
  allow getty_t self:fifo_file rw_fifo_file_perms;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.2.3/policy/modules/system/hostname.te
 --- nsaserefpolicy/policy/modules/system/hostname.te	2007-01-02 12:57:49.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/system/hostname.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/hostname.te	2007-12-06 16:37:24.000000000 -0500
 @@ -8,7 +8,9 @@
  
  type hostname_t;
@@ -11651,7 +11982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.2.3/policy/modules/system/hotplug.te
 --- nsaserefpolicy/policy/modules/system/hotplug.te	2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/system/hotplug.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/hotplug.te	2007-12-06 16:37:24.000000000 -0500
 @@ -179,6 +179,7 @@
  	sysnet_read_dhcpc_pid(hotplug_t)
  	sysnet_rw_dhcp_config(hotplug_t)
@@ -11662,7 +11993,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.2.3/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/system/init.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/init.if	2007-12-06 16:37:24.000000000 -0500
 @@ -211,6 +211,13 @@
  			kernel_dontaudit_use_fds($1)
  		')
@@ -11906,7 +12237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.2.3/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/system/init.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/init.te	2007-12-06 16:37:24.000000000 -0500
 @@ -10,6 +10,20 @@
  # Declarations
  #
@@ -12073,7 +12404,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.2.3/policy/modules/system/ipsec.fc
 --- nsaserefpolicy/policy/modules/system/ipsec.fc	2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/system/ipsec.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/ipsec.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -32,3 +32,4 @@
  /var/racoon(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
  
@@ -12081,7 +12412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
 +/var/run/racoon.pid		--	gen_context(system_u:object_r:ipsec_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.2.3/policy/modules/system/ipsec.te
 --- nsaserefpolicy/policy/modules/system/ipsec.te	2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/system/ipsec.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/ipsec.te	2007-12-06 16:37:24.000000000 -0500
 @@ -302,6 +302,7 @@
  corenet_all_recvfrom_unlabeled(racoon_t)
  corenet_tcp_bind_all_nodes(racoon_t)
@@ -12092,7 +12423,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.2.3/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/system/libraries.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/libraries.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -65,11 +65,15 @@
  /opt/(.*/)?java/.+\.jar			--	gen_context(system_u:object_r:lib_t,s0)
  /opt/(.*/)?jre.*/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -12171,7 +12502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.2.3/policy/modules/system/libraries.te
 --- nsaserefpolicy/policy/modules/system/libraries.te	2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/system/libraries.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/libraries.te	2007-12-06 16:37:24.000000000 -0500
 @@ -23,6 +23,9 @@
  init_system_domain(ldconfig_t,ldconfig_exec_t)
  role system_r types ldconfig_t;
@@ -12226,7 +12557,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.2.3/policy/modules/system/locallogin.te
 --- nsaserefpolicy/policy/modules/system/locallogin.te	2007-10-29 07:52:50.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/system/locallogin.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/locallogin.te	2007-12-06 16:37:24.000000000 -0500
 @@ -25,7 +25,6 @@
  domain_role_change_exemption(sulogin_t)
  domain_interactive_fd(sulogin_t)
@@ -12266,7 +12597,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.2.3/policy/modules/system/logging.fc
 --- nsaserefpolicy/policy/modules/system/logging.fc	2007-11-06 09:18:37.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/system/logging.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/logging.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -29,6 +29,11 @@
  
  /var/log		-d	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
@@ -12297,7 +12628,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 +/etc/rc\.d/init\.d/auditd	--	gen_context(system_u:object_r:auditd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.2.3/policy/modules/system/logging.if
 --- nsaserefpolicy/policy/modules/system/logging.if	2007-11-06 09:51:43.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/system/logging.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/logging.if	2007-12-06 16:37:24.000000000 -0500
 @@ -577,6 +577,8 @@
  	files_search_var($1)
  	manage_files_pattern($1,logfile,logfile)
@@ -12396,7 +12727,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.2.3/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2007-11-06 09:18:37.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/system/logging.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/logging.te	2007-12-06 16:37:24.000000000 -0500
 @@ -61,6 +61,12 @@
  logging_log_file(var_log_t)
  files_mountpoint(var_log_t)
@@ -12420,7 +12751,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.2.3/policy/modules/system/lvm.fc
 --- nsaserefpolicy/policy/modules/system/lvm.fc	2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/system/lvm.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/lvm.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -15,6 +15,7 @@
  #
  /etc/lvm(/.*)?			gen_context(system_u:object_r:lvm_etc_t,s0)
@@ -12431,7 +12762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc
  /etc/lvm/lock(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.2.3/policy/modules/system/lvm.te
 --- nsaserefpolicy/policy/modules/system/lvm.te	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/system/lvm.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/lvm.te	2007-12-06 16:37:24.000000000 -0500
 @@ -44,9 +44,9 @@
  # Cluster LVM daemon local policy
  #
@@ -12579,7 +12910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.2.3/policy/modules/system/modutils.if
 --- nsaserefpolicy/policy/modules/system/modutils.if	2007-03-26 10:39:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/system/modutils.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/modutils.if	2007-12-06 16:37:24.000000000 -0500
 @@ -66,6 +66,25 @@
  
  ########################################
@@ -12608,7 +12939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.2.3/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te	2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/system/modutils.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/modutils.te	2007-12-06 16:37:24.000000000 -0500
 @@ -42,7 +42,7 @@
  # insmod local policy
  #
@@ -12713,7 +13044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.2.3/policy/modules/system/mount.fc
 --- nsaserefpolicy/policy/modules/system/mount.fc	2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/system/mount.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/mount.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -1,4 +1,2 @@
  /bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
  /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
@@ -12721,7 +13052,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 -/usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.2.3/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2007-12-06 13:12:03.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/system/mount.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/mount.te	2007-12-06 16:37:24.000000000 -0500
 @@ -8,7 +8,7 @@
  
  ## <desc>
@@ -12834,7 +13165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.2.3/policy/modules/system/raid.te
 --- nsaserefpolicy/policy/modules/system/raid.te	2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/system/raid.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/raid.te	2007-12-06 16:37:24.000000000 -0500
 @@ -19,7 +19,7 @@
  # Local policy
  #
@@ -12862,7 +13193,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.2.3/policy/modules/system/selinuxutil.fc
 --- nsaserefpolicy/policy/modules/system/selinuxutil.fc	2007-05-18 11:12:44.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/system/selinuxutil.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/selinuxutil.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -38,7 +38,7 @@
  /usr/sbin/restorecond		--	gen_context(system_u:object_r:restorecond_exec_t,s0)
  /usr/sbin/run_init		--	gen_context(system_u:object_r:run_init_exec_t,s0)
@@ -12874,7 +13205,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.2.3/policy/modules/system/selinuxutil.if
 --- nsaserefpolicy/policy/modules/system/selinuxutil.if	2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/system/selinuxutil.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/selinuxutil.if	2007-12-06 16:37:24.000000000 -0500
 @@ -215,8 +215,6 @@
  	seutil_domtrans_newrole($1)
  	role $2 types newrole_t;
@@ -13158,7 +13489,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.2.3/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/system/selinuxutil.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/selinuxutil.te	2007-12-06 16:37:24.000000000 -0500
 @@ -75,7 +75,6 @@
  type restorecond_exec_t;
  init_daemon_domain(restorecond_t,restorecond_exec_t)
@@ -13440,7 +13771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.2.3/policy/modules/system/sysnetwork.fc
 --- nsaserefpolicy/policy/modules/system/sysnetwork.fc	2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/system/sysnetwork.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/sysnetwork.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -52,8 +52,7 @@
  /var/lib/dhcpcd(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
  /var/lib/dhclient(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
@@ -13453,7 +13784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
  /var/lib/dhcpc(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.2.3/policy/modules/system/sysnetwork.if
 --- nsaserefpolicy/policy/modules/system/sysnetwork.if	2007-07-16 14:09:49.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/system/sysnetwork.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/sysnetwork.if	2007-12-06 16:37:24.000000000 -0500
 @@ -145,6 +145,25 @@
  
  ########################################
@@ -13526,7 +13857,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.2.3/policy/modules/system/sysnetwork.te
 --- nsaserefpolicy/policy/modules/system/sysnetwork.te	2007-10-29 07:52:50.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/system/sysnetwork.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/sysnetwork.te	2007-12-06 16:37:24.000000000 -0500
 @@ -45,7 +45,7 @@
  dontaudit dhcpc_t self:capability sys_tty_config;
  # for access("/etc/bashrc", X_OK) on Red Hat
@@ -13659,7 +13990,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
  	xen_append_log(ifconfig_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.2.3/policy/modules/system/udev.te
 --- nsaserefpolicy/policy/modules/system/udev.te	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/system/udev.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/udev.te	2007-12-06 16:37:24.000000000 -0500
 @@ -96,9 +96,6 @@
  dev_delete_generic_files(udev_t)
  dev_search_usbfs(udev_t)
@@ -13680,8 +14011,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.2.3/policy/modules/system/unconfined.fc
 --- nsaserefpolicy/policy/modules/system/unconfined.fc	2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/system/unconfined.fc	2007-12-06 14:13:13.000000000 -0500
-@@ -10,3 +10,7 @@
++++ serefpolicy-3.2.3/policy/modules/system/unconfined.fc	2007-12-10 14:53:22.000000000 -0500
+@@ -10,3 +10,8 @@
  /usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
  
  /usr/local/RealPlayer/realplay\.bin --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
@@ -13689,9 +14020,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +/usr/bin/sbcl			    --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 +/usr/bin/mock			    --	gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
 +/usr/bin/livecd-creator		    --	gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
++/usr/sbin/sysreport	 	    --	gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.2.3/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2007-11-16 15:30:49.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/system/unconfined.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/unconfined.if	2007-12-06 16:37:24.000000000 -0500
 @@ -12,14 +12,13 @@
  #
  interface(`unconfined_domain_noaudit',`
@@ -13941,7 +14273,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.3/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-11-16 15:30:49.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/system/unconfined.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/unconfined.te	2007-12-11 00:36:12.000000000 -0500
 @@ -9,32 +9,46 @@
  # usage in this module of types created by these
  # calls is not correct, however we dont currently
@@ -14042,21 +14374,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  ')
  
  optional_policy(`
-@@ -118,11 +139,11 @@
+@@ -118,11 +139,7 @@
  ')
  
  optional_policy(`
 -	inn_domtrans(unconfined_t)
-+	iptables_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
- ')
- 
- optional_policy(`
+-')
+-
+-optional_policy(`
 -	java_domtrans(unconfined_t)
-+	java_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++	iptables_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  ')
  
  optional_policy(`
-@@ -134,11 +155,7 @@
+@@ -134,14 +151,6 @@
  ')
  
  optional_policy(`
@@ -14065,11 +14396,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 -
 -optional_policy(`
 -	mta_per_role_template(unconfined, unconfined_t, unconfined_r)
-+	mono_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+-')
+-
+-optional_policy(`
+ 	oddjob_domtrans_mkhomedir(unconfined_t)
  ')
  
- optional_policy(`
-@@ -154,33 +171,20 @@
+@@ -154,33 +163,20 @@
  ')
  
  optional_policy(`
@@ -14107,22 +14440,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  ')
  
  optional_policy(`
-@@ -205,11 +209,22 @@
+@@ -205,11 +201,22 @@
  ')
  
  optional_policy(`
 -	wine_domtrans(unconfined_t)
 +	wine_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++')
++
++optional_policy(`
++	mozilla_per_role_template(unconfined, unconfined_t, unconfined_r)
++	unconfined_domain(unconfined_mozilla_t)
++	allow unconfined_mozilla_t self:process { execstack execmem };
  ')
  
  optional_policy(`
 -	xserver_domtrans_xdm_xserver(unconfined_t)
-+	mozilla_per_role_template(unconfined, unconfined_t, unconfined_r)
-+	unconfined_domain(unconfined_mozilla_t)
-+	allow unconfined_mozilla_t self:process { execstack execmem };
-+')
-+
-+optional_policy(`
 +	kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
 +')
 +
@@ -14132,7 +14465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  ')
  
  ########################################
-@@ -219,14 +234,35 @@
+@@ -219,14 +226,35 @@
  
  allow unconfined_execmem_t self:process { execstack execmem };
  unconfined_domain_noaudit(unconfined_execmem_t)
@@ -14162,15 +14495,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +
 +########################################
 +#
-+# Unconfined Execmem Local policy
++# Unconfined notrans Local policy
 +#
 +
 +allow unconfined_notrans_t self:process { execstack execmem };
 +unconfined_domain_noaudit(unconfined_notrans_t)
-+
++domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.2.3/policy/modules/system/userdomain.fc
 --- nsaserefpolicy/policy/modules/system/userdomain.fc	2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/system/userdomain.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/userdomain.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -1,4 +1,5 @@
 -HOME_DIR	-d	gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh)
 -HOME_DIR/.+		gen_context(system_u:object_r:ROLE_home_t,s0)
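Review bot: The added `domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t)` sends every file labelled unconfined_notrans_exec_t into a domain that this section grants `execstack execmem` unconditionally, alongside `unconfined_domain_noaudit`. The unconfined.fc hunks label `/usr/bin/mock`, `/usr/bin/livecd-creator` and now `/usr/sbin/sysreport` that way, and nothing visible suggests these tools need an executable stack or heap. The line `allow unconfined_notrans_t self:process { execstack execmem };` looks carried over from the execmem section above it, whose header comment this hunk only now corrects. I would drop that allow line unless a specific tool is known to need it, and otherwise add a comment naming the tool.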
@@ -14183,7 +14516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +/root(/.*)	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.3/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/system/userdomain.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/userdomain.if	2007-12-10 23:50:13.000000000 -0500
 @@ -29,8 +29,9 @@
  	')
  
@@ -14868,7 +15201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	typeattribute $1_tty_device_t user_ttynode;
  
  	##############################
-@@ -1025,12 +991,12 @@
+@@ -1025,16 +991,37 @@
  	#
  
  	# privileged home directory writers
@@ -14884,10 +15217,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +	manage_sock_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
 +	manage_fifo_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
 +	filetrans_pattern(privhome,user_home_dir_t,user_home_t,{ dir file lnk_file sock_file fifo_file })
++
++	optional_policy(`
++		dbus_per_role_template($1, $1_usertype, $1_r)
++		dbus_system_bus_client_template($1, $1_usertype)
++
++		optional_policy(`
++			consolekit_dbus_chat($1_usertype)
++		')
++		optional_policy(`
++			cups_dbus_chat($1_usertype)
++		')
++	')
++
++	optional_policy(`
++		java_per_role_template($1, $1_t, $1_r)
++	')
  
  	optional_policy(`
  		loadkeys_run($1_t,$1_r,$1_tty_device_t)
-@@ -1062,6 +1028,13 @@
+ 	')
++
++	optional_policy(`
++		mono_per_role_template($1, $1_t, $1_r)
++	')
++
+ ')
+ 
+ #######################################
+@@ -1062,6 +1049,13 @@
  
  	userdom_restricted_user_template($1)
  
@@ -14901,7 +15259,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	userdom_xwindows_client_template($1)
  
  	##############################
-@@ -1070,14 +1043,14 @@
+@@ -1070,14 +1064,14 @@
  	#
  
  	authlogin_per_role_template($1, $1_t, $1_r)
@@ -14921,33 +15279,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	logging_dontaudit_send_audit_msgs($1_t)
  
  	# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -1085,19 +1058,18 @@
+@@ -1085,33 +1079,14 @@
  	selinux_get_enforce_mode($1_t)
  
  	optional_policy(`
 -		alsa_read_rw_config($1_t)
-+		alsa_read_rw_config($1_usertype)
- 	')
- 
- 	optional_policy(`
+-	')
+-
+-	optional_policy(`
 -		dbus_per_role_template($1, $1_t, $1_r)
 -		dbus_system_bus_client_template($1, $1_t)
-+		dbus_per_role_template($1, $1_usertype, $1_r)
-+		dbus_system_bus_client_template($1, $1_usertype)
- 
- 		optional_policy(`
+-
+-		optional_policy(`
 -			consolekit_dbus_chat($1_t)
-+			consolekit_dbus_chat($1_usertype)
- 		')
+-		')
 -
- 		optional_policy(`
+-		optional_policy(`
 -			cups_dbus_chat($1_t)
-+			cups_dbus_chat($1_usertype)
- 		')
- 	')
- 
-@@ -1109,9 +1081,11 @@
- 		mono_per_role_template($1, $1_t, $1_r)
+-		')
+-	')
+-
+-	optional_policy(`
+-		java_per_role_template($1, $1_t, $1_r)
+-	')
+-
+-	optional_policy(`
+-		mono_per_role_template($1, $1_t, $1_r)
++		alsa_read_rw_config($1_usertype)
  	')
  
 -	optional_policy(`
@@ -14961,7 +15319,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  #######################################
-@@ -1121,10 +1095,10 @@
+@@ -1121,10 +1096,10 @@
  ## </summary>
  ## <desc>
  ##	<p>
@@ -14976,7 +15334,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	This template creates a user domain, types, and
  ##	rules for the user's tty, pty, home directories,
  ##	tmp, and tmpfs files.
-@@ -1187,12 +1161,11 @@
+@@ -1187,12 +1162,11 @@
  	# and may change other protocols
  	tunable_policy(`user_tcp_server',`
  		corenet_tcp_bind_all_nodes($1_t)
@@ -14991,7 +15349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1278,8 +1251,6 @@
+@@ -1278,8 +1252,6 @@
  	# Manipulate other users crontab.
  	allow $1_t self:passwd crontab;
  
@@ -15000,7 +15358,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1416,6 +1387,7 @@
+@@ -1416,6 +1388,7 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -15008,7 +15366,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1781,10 +1753,14 @@
+@@ -1781,10 +1754,14 @@
  template(`userdom_user_home_content',`
  	gen_require(`
  		attribute $1_file_type;
@@ -15024,7 +15382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1880,11 +1856,11 @@
+@@ -1880,11 +1857,11 @@
  #
  template(`userdom_search_user_home_dirs',`
  	gen_require(`
@@ -15038,7 +15396,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1914,11 +1890,11 @@
+@@ -1914,11 +1891,11 @@
  #
  template(`userdom_list_user_home_dirs',`
  	gen_require(`
@@ -15052,7 +15410,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1962,12 +1938,12 @@
+@@ -1962,12 +1939,12 @@
  #
  template(`userdom_user_home_domtrans',`
  	gen_require(`
@@ -15068,7 +15426,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1997,10 +1973,10 @@
+@@ -1997,10 +1974,10 @@
  #
  template(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
@@ -15081,7 +15439,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2032,11 +2008,47 @@
+@@ -2032,11 +2009,47 @@
  #
  template(`userdom_manage_user_home_content_dirs',`
  	gen_require(`
@@ -15131,7 +15489,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2068,10 +2080,10 @@
+@@ -2068,10 +2081,10 @@
  #
  template(`userdom_dontaudit_setattr_user_home_content_files',`
  	gen_require(`
@@ -15144,7 +15502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2101,11 +2113,11 @@
+@@ -2101,11 +2114,11 @@
  #
  template(`userdom_read_user_home_content_files',`
  	gen_require(`
@@ -15158,7 +15516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2135,11 +2147,11 @@
+@@ -2135,11 +2148,11 @@
  #
  template(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -15173,7 +15531,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2169,10 +2181,10 @@
+@@ -2169,10 +2182,10 @@
  #
  template(`userdom_dontaudit_write_user_home_content_files',`
  	gen_require(`
@@ -15186,7 +15544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2202,11 +2214,11 @@
+@@ -2202,11 +2215,11 @@
  #
  template(`userdom_read_user_home_content_symlinks',`
  	gen_require(`
@@ -15200,7 +15558,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2236,11 +2248,11 @@
+@@ -2236,11 +2249,11 @@
  #
  template(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -15214,7 +15572,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2270,10 +2282,10 @@
+@@ -2270,10 +2283,10 @@
  #
  template(`userdom_dontaudit_exec_user_home_content_files',`
  	gen_require(`
@@ -15227,7 +15585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2305,12 +2317,12 @@
+@@ -2305,12 +2318,12 @@
  #
  template(`userdom_manage_user_home_content_files',`
  	gen_require(`
@@ -15243,7 +15601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2342,10 +2354,10 @@
+@@ -2342,10 +2355,10 @@
  #
  template(`userdom_dontaudit_manage_user_home_content_dirs',`
  	gen_require(`
@@ -15256,7 +15614,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2377,12 +2389,12 @@
+@@ -2377,12 +2390,12 @@
  #
  template(`userdom_manage_user_home_content_symlinks',`
  	gen_require(`
@@ -15272,7 +15630,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2414,12 +2426,12 @@
+@@ -2414,12 +2427,12 @@
  #
  template(`userdom_manage_user_home_content_pipes',`
  	gen_require(`
@@ -15288,7 +15646,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2451,12 +2463,12 @@
+@@ -2451,12 +2464,12 @@
  #
  template(`userdom_manage_user_home_content_sockets',`
  	gen_require(`
@@ -15304,7 +15662,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2501,11 +2513,11 @@
+@@ -2501,11 +2514,11 @@
  #
  template(`userdom_user_home_dir_filetrans',`
  	gen_require(`
@@ -15318,7 +15676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2550,11 +2562,11 @@
+@@ -2550,11 +2563,11 @@
  #
  template(`userdom_user_home_content_filetrans',`
  	gen_require(`
@@ -15332,7 +15690,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2594,11 +2606,11 @@
+@@ -2594,11 +2607,11 @@
  #
  template(`userdom_user_home_dir_filetrans_user_home_content',`
  	gen_require(`
@@ -15346,7 +15704,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2628,11 +2640,11 @@
+@@ -2628,11 +2641,11 @@
  #
  template(`userdom_write_user_tmp_sockets',`
  	gen_require(`
@@ -15360,7 +15718,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2662,11 +2674,11 @@
+@@ -2662,11 +2675,11 @@
  #
  template(`userdom_list_user_tmp',`
  	gen_require(`
@@ -15374,7 +15732,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2698,10 +2710,10 @@
+@@ -2698,10 +2711,10 @@
  #
  template(`userdom_dontaudit_list_user_tmp',`
  	gen_require(`
@@ -15387,7 +15745,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2733,10 +2745,10 @@
+@@ -2733,10 +2746,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_dirs',`
  	gen_require(`
@@ -15400,7 +15758,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2766,12 +2778,12 @@
+@@ -2766,12 +2779,12 @@
  #
  template(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -15416,7 +15774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2803,10 +2815,10 @@
+@@ -2803,10 +2816,10 @@
  #
  template(`userdom_dontaudit_read_user_tmp_files',`
  	gen_require(`
@@ -15429,15 +15787,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2838,10 +2850,48 @@
+@@ -2838,10 +2851,48 @@
  #
  template(`userdom_dontaudit_append_user_tmp_files',`
  	gen_require(`
 -		type $1_tmp_t;
 +		type user_tmp_t;
- 	')
- 
--	dontaudit $2 $1_tmp_t:file append;
++	')
++
 +	dontaudit $2 user_tmp_t:file append;
 +')
 +
@@ -15474,13 +15831,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +	gen_require(`
 +		attribute user_tmpfile;
 +		attribute userdomain;
-+	')
-+
+ 	')
+ 
+-	dontaudit $2 $1_tmp_t:file append;
 +	stream_connect_pattern($1, user_tmpfile, user_tmpfile, userdomain)
  ')
  
  ########################################
-@@ -2871,12 +2921,12 @@
+@@ -2871,12 +2922,12 @@
  #
  template(`userdom_rw_user_tmp_files',`
  	gen_require(`
@@ -15496,7 +15854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2908,10 +2958,10 @@
+@@ -2908,10 +2959,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_files',`
  	gen_require(`
@@ -15509,7 +15867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2943,12 +2993,12 @@
+@@ -2943,12 +2994,12 @@
  #
  template(`userdom_read_user_tmp_symlinks',`
  	gen_require(`
@@ -15525,7 +15883,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2980,11 +3030,11 @@
+@@ -2980,11 +3031,11 @@
  #
  template(`userdom_manage_user_tmp_dirs',`
  	gen_require(`
@@ -15539,7 +15897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3016,11 +3066,11 @@
+@@ -3016,11 +3067,11 @@
  #
  template(`userdom_manage_user_tmp_files',`
  	gen_require(`
@@ -15553,7 +15911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3052,11 +3102,11 @@
+@@ -3052,11 +3103,11 @@
  #
  template(`userdom_manage_user_tmp_symlinks',`
  	gen_require(`
@@ -15567,7 +15925,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3088,11 +3138,11 @@
+@@ -3088,11 +3139,11 @@
  #
  template(`userdom_manage_user_tmp_pipes',`
  	gen_require(`
@@ -15581,7 +15939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3124,11 +3174,11 @@
+@@ -3124,11 +3175,11 @@
  #
  template(`userdom_manage_user_tmp_sockets',`
  	gen_require(`
@@ -15595,7 +15953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3173,10 +3223,10 @@
+@@ -3173,10 +3224,10 @@
  #
  template(`userdom_user_tmp_filetrans',`
  	gen_require(`
@@ -15608,7 +15966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	files_search_tmp($2)
  ')
  
-@@ -3217,10 +3267,10 @@
+@@ -3217,10 +3268,10 @@
  #
  template(`userdom_tmp_filetrans_user_tmp',`
  	gen_require(`
@@ -15621,7 +15979,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4225,11 +4275,11 @@
+@@ -4225,11 +4276,11 @@
  #
  interface(`userdom_search_staff_home_dirs',`
  	gen_require(`
@@ -15635,7 +15993,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4245,10 +4295,10 @@
+@@ -4245,10 +4296,10 @@
  #
  interface(`userdom_dontaudit_search_staff_home_dirs',`
  	gen_require(`
@@ -15648,7 +16006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4264,11 +4314,11 @@
+@@ -4264,11 +4315,11 @@
  #
  interface(`userdom_manage_staff_home_dirs',`
  	gen_require(`
@@ -15662,7 +16020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4283,11 +4333,11 @@
+@@ -4283,11 +4334,11 @@
  #
  interface(`userdom_relabelto_staff_home_dirs',`
  	gen_require(`
@@ -15676,7 +16034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4303,10 +4353,10 @@
+@@ -4303,10 +4354,10 @@
  #
  interface(`userdom_dontaudit_append_staff_home_content_files',`
  	gen_require(`
@@ -15689,7 +16047,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4321,13 +4371,13 @@
+@@ -4321,13 +4372,13 @@
  #
  interface(`userdom_read_staff_home_content_files',`
  	gen_require(`
@@ -15707,7 +16065,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4525,10 +4575,10 @@
+@@ -4525,10 +4576,10 @@
  #
  interface(`userdom_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -15720,7 +16078,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4545,10 +4595,10 @@
+@@ -4545,10 +4596,10 @@
  #
  interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -15733,7 +16091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4563,10 +4613,10 @@
+@@ -4563,10 +4614,10 @@
  #
  interface(`userdom_search_sysadm_home_dirs',`
  	gen_require(`
@@ -15746,7 +16104,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4582,10 +4632,10 @@
+@@ -4582,10 +4633,10 @@
  #
  interface(`userdom_dontaudit_search_sysadm_home_dirs',`
  	gen_require(`
@@ -15759,7 +16117,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4600,10 +4650,10 @@
+@@ -4600,10 +4651,10 @@
  #
  interface(`userdom_list_sysadm_home_dirs',`
  	gen_require(`
@@ -15772,7 +16130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4619,10 +4669,10 @@
+@@ -4619,10 +4670,10 @@
  #
  interface(`userdom_dontaudit_list_sysadm_home_dirs',`
  	gen_require(`
@@ -15785,7 +16143,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4638,12 +4688,11 @@
+@@ -4638,12 +4689,11 @@
  #
  interface(`userdom_dontaudit_read_sysadm_home_content_files',`
  	gen_require(`
@@ -15801,7 +16159,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4670,10 +4719,10 @@
+@@ -4670,10 +4720,10 @@
  #
  interface(`userdom_sysadm_home_dir_filetrans',`
  	gen_require(`
@@ -15814,7 +16172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4688,10 +4737,10 @@
+@@ -4688,10 +4738,10 @@
  #
  interface(`userdom_search_sysadm_home_content_dirs',`
  	gen_require(`
@@ -15827,7 +16185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4706,13 +4755,13 @@
+@@ -4706,13 +4756,13 @@
  #
  interface(`userdom_read_sysadm_home_content_files',`
  	gen_require(`
@@ -15845,7 +16203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4748,11 +4797,29 @@
+@@ -4748,11 +4798,29 @@
  #
  interface(`userdom_search_all_users_home_dirs',`
  	gen_require(`
@@ -15876,7 +16234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4772,6 +4839,14 @@
+@@ -4772,6 +4840,14 @@
  
  	files_list_home($1)
  	allow $1 home_dir_type:dir list_dir_perms;
@@ -15891,7 +16249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -5109,7 +5184,7 @@
+@@ -5109,7 +5185,7 @@
  #
  interface(`userdom_relabelto_generic_user_home_dirs',`
  	gen_require(`
@@ -15900,10 +16258,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	files_search_home($1)
-@@ -5298,6 +5373,28 @@
+@@ -5298,8 +5374,8 @@
  
  ########################################
  ## <summary>
+-##	Create, read, write, and delete directories in
+-##	unprivileged users home directories.
++##	append all unprivileged users home directory
++##	files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5307,13 +5383,56 @@
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_manage_unpriv_users_home_content_dirs',`
++interface(`userdom_append_unpriv_users_home_content_files',`
+ 	gen_require(`
+ 		attribute user_home_dir_type, user_home_type;
+ 	')
+ 
+ 	files_search_home($1)
+-	manage_dirs_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
++	allow $1 user_home_type:dir list_dir_perms;
++	append_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
++')
++
++########################################
++## <summary>
 +##	dontaudit Read all unprivileged users home directory
 +##	files.
 +## </summary>
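Review bot: The new `userdom_append_unpriv_users_home_content_files` interface grants `allow $1 user_home_type:dir list_dir_perms;` on top of `append_files_pattern(...)`, so a caller that only needs to append can also enumerate every unprivileged user's home content directories. If callers only append to known paths, drop that line; the pattern macro presumably supplies the directory search it needs, which should be confirmed in the support macros. If listing is required, document it in the summary, e.g. `##	List directories and append to all unprivileged users home directory files.` The summary also starts in lower case (`append all ...`), unlike the neighbouring interfaces.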
@@ -15926,10 +16309,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +
 +########################################
 +## <summary>
- ##	Create, read, write, and delete directories in
- ##	unprivileged users home directories.
- ## </summary>
-@@ -5503,6 +5600,24 @@
++##	Create, read, write, and delete directories in
++##	unprivileged users home directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_manage_unpriv_users_home_content_dirs',`
++	gen_require(`
++		attribute user_home_dir_type, user_home_type;
++	')
++
++	files_search_home($1)
++	manage_dirs_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
+ ')
+ 
+ ########################################
+@@ -5503,6 +5622,24 @@
  
  ########################################
  ## <summary>
@@ -15954,7 +16353,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Read and write unprivileged user ttys.
  ## </summary>
  ## <param name="domain">
-@@ -5668,6 +5783,24 @@
+@@ -5668,6 +5805,24 @@
  
  ########################################
  ## <summary>
@@ -15979,7 +16378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -5698,3 +5831,277 @@
+@@ -5698,3 +5853,277 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
@@ -16259,7 +16658,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.2.3/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/system/userdomain.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/userdomain.te	2007-12-06 16:37:24.000000000 -0500
 @@ -17,20 +17,13 @@
  
  ## <desc>
@@ -16435,12 +16834,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.fc serefpolicy-3.2.3/policy/modules/system/virt.fc
 --- nsaserefpolicy/policy/modules/system/virt.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/system/virt.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/virt.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -0,0 +1 @@
 +/var/lib/libvirt(/.*)?		gen_context(system_u:object_r:virt_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.if serefpolicy-3.2.3/policy/modules/system/virt.if
 --- nsaserefpolicy/policy/modules/system/virt.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/system/virt.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/virt.if	2007-12-06 16:37:24.000000000 -0500
 @@ -0,0 +1,78 @@
 +## <summary>Virtualization </summary>
 +
@@ -16522,14 +16921,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.2.3/policy/modules/system/virt.te
 --- nsaserefpolicy/policy/modules/system/virt.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/system/virt.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/virt.te	2007-12-06 16:37:24.000000000 -0500
 @@ -0,0 +1,3 @@
 +# var/lib files
 +type virt_var_lib_t;
 +files_type(virt_var_lib_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.2.3/policy/modules/system/xen.if
 --- nsaserefpolicy/policy/modules/system/xen.if	2007-06-21 09:32:04.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/system/xen.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/xen.if	2007-12-06 16:37:24.000000000 -0500
 @@ -191,3 +191,24 @@
  
  	domtrans_pattern($1,xm_exec_t,xm_t)
@@ -16557,7 +16956,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.2.3/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/system/xen.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/system/xen.te	2007-12-06 16:37:24.000000000 -0500
 @@ -6,6 +6,13 @@
  # Declarations
  #
@@ -16744,17 +17143,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.fc serefpolicy-3.2.3/policy/modules/users/guest.fc
 --- nsaserefpolicy/policy/modules/users/guest.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/users/guest.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/users/guest.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -0,0 +1 @@
 +# No guest file contexts.
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.if serefpolicy-3.2.3/policy/modules/users/guest.if
 --- nsaserefpolicy/policy/modules/users/guest.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/users/guest.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/users/guest.if	2007-12-06 16:37:24.000000000 -0500
 @@ -0,0 +1 @@
 +## <summary>Policy for guest user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.2.3/policy/modules/users/guest.te
 --- nsaserefpolicy/policy/modules/users/guest.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/users/guest.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/users/guest.te	2007-12-06 16:37:24.000000000 -0500
 @@ -0,0 +1,4 @@
 +policy_module(guest,1.0.1)
 +userdom_restricted_user_template(guest)
@@ -16762,17 +17161,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.t
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.2.3/policy/modules/users/logadm.fc
 --- nsaserefpolicy/policy/modules/users/logadm.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/users/logadm.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/users/logadm.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -0,0 +1 @@
 +# No logadm file contexts.
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.if serefpolicy-3.2.3/policy/modules/users/logadm.if
 --- nsaserefpolicy/policy/modules/users/logadm.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/users/logadm.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/users/logadm.if	2007-12-06 16:37:24.000000000 -0500
 @@ -0,0 +1 @@
 +## <summary>Policy for logadm user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.te serefpolicy-3.2.3/policy/modules/users/logadm.te
 --- nsaserefpolicy/policy/modules/users/logadm.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/users/logadm.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/users/logadm.te	2007-12-06 16:37:24.000000000 -0500
 @@ -0,0 +1,11 @@
 +policy_module(logadm,1.0.0)
 +
@@ -16787,22 +17186,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.
 +logging_admin(logadm_t, logadm_r, { logadm_devpts_t logadm_tty_device_t })
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/metadata.xml serefpolicy-3.2.3/policy/modules/users/metadata.xml
 --- nsaserefpolicy/policy/modules/users/metadata.xml	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/users/metadata.xml	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/users/metadata.xml	2007-12-06 16:37:24.000000000 -0500
 @@ -0,0 +1 @@
 +<summary>Policy modules for users</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.fc serefpolicy-3.2.3/policy/modules/users/webadm.fc
 --- nsaserefpolicy/policy/modules/users/webadm.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/users/webadm.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/users/webadm.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -0,0 +1 @@
 +# No webadm file contexts.
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.if serefpolicy-3.2.3/policy/modules/users/webadm.if
 --- nsaserefpolicy/policy/modules/users/webadm.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/users/webadm.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/users/webadm.if	2007-12-06 16:37:24.000000000 -0500
 @@ -0,0 +1 @@
 +## <summary>Policy for webadm user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.2.3/policy/modules/users/webadm.te
 --- nsaserefpolicy/policy/modules/users/webadm.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/users/webadm.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/users/webadm.te	2007-12-06 16:37:24.000000000 -0500
 @@ -0,0 +1,42 @@
 +policy_module(webadm,1.0.0)
 +
@@ -16848,17 +17247,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.
 +allow webadm_t gadmin_t:dir getattr;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.fc serefpolicy-3.2.3/policy/modules/users/xguest.fc
 --- nsaserefpolicy/policy/modules/users/xguest.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/users/xguest.fc	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/users/xguest.fc	2007-12-06 16:37:24.000000000 -0500
 @@ -0,0 +1 @@
 +# No xguest file contexts.
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.if serefpolicy-3.2.3/policy/modules/users/xguest.if
 --- nsaserefpolicy/policy/modules/users/xguest.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/users/xguest.if	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/users/xguest.if	2007-12-06 16:37:24.000000000 -0500
 @@ -0,0 +1 @@
 +## <summary>Policy for xguest user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.te serefpolicy-3.2.3/policy/modules/users/xguest.te
 --- nsaserefpolicy/policy/modules/users/xguest.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/users/xguest.te	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/users/xguest.te	2007-12-06 16:37:24.000000000 -0500
 @@ -0,0 +1,55 @@
 +policy_module(xguest,1.0.1)
 +
@@ -16917,7 +17316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.2.3/policy/support/obj_perm_sets.spt
 --- nsaserefpolicy/policy/support/obj_perm_sets.spt	2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.3/policy/support/obj_perm_sets.spt	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/support/obj_perm_sets.spt	2007-12-06 16:37:24.000000000 -0500
 @@ -204,7 +204,7 @@
  define(`getattr_file_perms',`{ getattr }')
  define(`setattr_file_perms',`{ setattr }')
@@ -16943,7 +17342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets
 +define(`manage_key_perms', `{ create link read search setattr view write } ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.2.3/policy/users
 --- nsaserefpolicy/policy/users	2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.3/policy/users	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/users	2007-12-06 16:37:24.000000000 -0500
 @@ -16,7 +16,7 @@
  # and a user process should never be assigned the system user
  # identity.
@@ -16978,9 +17377,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.2
 -	gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 -')
 +gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.2.3/Rules.modular
+--- nsaserefpolicy/Rules.modular	2007-10-02 09:54:53.000000000 -0400
++++ serefpolicy-3.2.3/Rules.modular	2007-12-11 00:14:37.000000000 -0500
+@@ -74,8 +74,8 @@
+ $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
+ 	@echo "Compliling $(NAME) $(@F) module"
+ 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
+-	$(call perrole-expansion,$(basename $(@F)),$@.role)
+-	$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
++#	$(call perrole-expansion,$(basename $(@F)),$@.role)
++	$(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
+ 	$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
+ 
+ $(tmpdir)/%.mod.fc: $(m4support) %.fc
+@@ -130,7 +130,7 @@
+ 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
+ # define all available object classes
+ 	$(verbose) $(genperm) $(avs) $(secclass) > $@
+-	$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
++#	$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
+ 	$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
+ 
+ $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
+@@ -148,7 +148,7 @@
+ $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
+ $(tmpdir)/rolemap.conf: $(rolemap)
+ 	$(verbose) echo "" > $@
+-	$(call parse-rolemap,base,$@)
++#	$(call parse-rolemap,base,$@)
+ 
+ $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
+ $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.2.3/Rules.monolithic
 --- nsaserefpolicy/Rules.monolithic	2007-11-20 06:55:20.000000000 -0500
-+++ serefpolicy-3.2.3/Rules.monolithic	2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/Rules.monolithic	2007-12-06 16:37:24.000000000 -0500
 @@ -96,7 +96,7 @@
  #
  # Load the binary policy
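Review bot: The three recipe lines disabled in the added Rules.modular section (`perrole-expansion`, `create-base-per-role-tmpl`, `parse-rolemap`) are commented out with no stated reason. Judging by their names they expand the per-role templates and the rolemap into the compiled policy, so the set of generated rules can change without anyone reading the build noticing. Delete the lines rather than leaving dead recipe text, and record the rationale above each rule, e.g. `# per-role template expansion disabled: <reason>`. The `$(tmpdir)/rolemap.conf` rule now only runs `echo "" > $@`, yet it still lists `$(rolemap)` as a prerequisite and still feeds `$(tmpdir)/all_te_files.conf`, so either drop that dependency or note that the file is intentionally empty. It is also worth comparing the built policy against the previous build to confirm only the intended per-role rules disappeared; the rule around the `create-base-per-role-tmpl` line starts outside the hunk.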