diff --git a/policy-20090105.patch b/policy-20090105.patch index 318af16..e458816 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -120,14 +120,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +user_r:user_t:s0 user_r:user_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_domain_context serefpolicy-3.6.6/config/appconfig-mcs/virtual_domain_context --- nsaserefpolicy/config/appconfig-mcs/virtual_domain_context 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.6/config/appconfig-mcs/virtual_domain_context 2009-02-18 13:57:20.000000000 -0500 ++++ serefpolicy-3.6.6/config/appconfig-mcs/virtual_domain_context 2009-02-25 15:59:16.000000000 -0500 @@ -0,0 +1 @@ -+system_u:system_r:qemu_t:s0 ++system_u:system_r:qemu_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_image_context serefpolicy-3.6.6/config/appconfig-mcs/virtual_image_context --- nsaserefpolicy/config/appconfig-mcs/virtual_image_context 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.6/config/appconfig-mcs/virtual_image_context 2009-02-18 13:57:52.000000000 -0500 ++++ serefpolicy-3.6.6/config/appconfig-mcs/virtual_image_context 2009-02-25 15:59:31.000000000 -0500 @@ -0,0 +1 @@ -+system_u:object_r:virt_image_t:s0 ++system_u:object_r:virt_image_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.6.6/config/appconfig-mcs/xguest_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.6/config/appconfig-mcs/xguest_u_default_contexts 2009-02-16 13:18:06.000000000 -0500 @@ -194,14 +194,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_domain_context serefpolicy-3.6.6/config/appconfig-mls/virtual_domain_context --- nsaserefpolicy/config/appconfig-mls/virtual_domain_context 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.6/config/appconfig-mls/virtual_domain_context 2009-02-18 13:58:20.000000000 -0500 ++++ serefpolicy-3.6.6/config/appconfig-mls/virtual_domain_context 2009-02-25 15:59:44.000000000 -0500 @@ -0,0 +1 @@ -+system_u:system_r:qemu_t:s0 ++system_u:system_r:qemu_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_image_context serefpolicy-3.6.6/config/appconfig-mls/virtual_image_context --- nsaserefpolicy/config/appconfig-mls/virtual_image_context 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.6/config/appconfig-mls/virtual_image_context 2009-02-18 13:58:20.000000000 -0500 ++++ serefpolicy-3.6.6/config/appconfig-mls/virtual_image_context 2009-02-25 15:59:44.000000000 -0500 @@ -0,0 +1 @@ -+system_u:object_r:virt_image_t:s0 ++system_u:object_r:virt_image_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/xguest_u_default_contexts serefpolicy-3.6.6/config/appconfig-mls/xguest_u_default_contexts --- nsaserefpolicy/config/appconfig-mls/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.6/config/appconfig-mls/xguest_u_default_contexts 2009-02-16 13:18:06.000000000 -0500 @@ -1420,8 +1420,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol java_domtrans_unconfined(rpm_script_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.6/policy/modules/admin/sudo.if --- nsaserefpolicy/policy/modules/admin/sudo.if 2008-11-11 16:13:49.000000000 -0500 -+++ serefpolicy-3.6.6/policy/modules/admin/sudo.if 2009-02-16 13:18:06.000000000 -0500 -@@ -51,7 +51,7 @@ ++++ serefpolicy-3.6.6/policy/modules/admin/sudo.if 2009-02-23 10:23:38.000000000 -0500 +@@ -32,6 +32,7 @@ + + gen_require(` + type sudo_exec_t; ++ attribute sudodomain; + ') + + ############################## +@@ -39,7 +40,7 @@ + # Declarations + # + +- type $1_sudo_t; ++ type $1_sudo_t, sudodomain; + application_domain($1_sudo_t, sudo_exec_t) + domain_interactive_fd($1_sudo_t) + ubac_constrained($1_sudo_t) +@@ -51,7 +52,7 @@ # # Use capabilities. @@ -1430,7 +1447,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow $1_sudo_t self:process { setexec setrlimit }; allow $1_sudo_t self:fd use; -@@ -64,33 +64,37 @@ +@@ -64,33 +65,37 @@ allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; allow $1_sudo_t self:unix_dgram_socket sendto; allow $1_sudo_t self:unix_stream_socket connectto; @@ -1472,7 +1489,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds($1_sudo_t) domain_sigchld_interactive_fds($1_sudo_t) -@@ -102,9 +106,11 @@ +@@ -102,9 +107,11 @@ files_getattr_usr_files($1_sudo_t) # for some PAM modules and for cwd files_dontaudit_search_home($1_sudo_t) @@ -1484,7 +1501,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg($1_sudo_t) miscfiles_read_localization($1_sudo_t) -@@ -114,6 +120,35 @@ +@@ -114,6 +121,54 @@ userdom_manage_user_tmp_files($1_sudo_t) userdom_manage_user_tmp_symlinks($1_sudo_t) userdom_use_user_terminals($1_sudo_t) @@ -1520,6 +1537,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dbus_system_bus_client($1_sudo_t) + ') ') ++ ++######################################## ++## ++## Send a SIGCHLD signal to the sudo domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sudo_sigchld',` ++ gen_require(` ++ attribute sudodomain; ++ ') ++ ++ allow $1 sudodomain:process sigchld; ++') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.te serefpolicy-3.6.6/policy/modules/admin/sudo.te +--- nsaserefpolicy/policy/modules/admin/sudo.te 2009-01-05 15:39:44.000000000 -0500 ++++ serefpolicy-3.6.6/policy/modules/admin/sudo.te 2009-02-23 10:23:44.000000000 -0500 +@@ -4,6 +4,7 @@ + ######################################## + # + # Declarations ++attribute sudodomain; + + type sudo_exec_t; + application_executable_file(sudo_exec_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.6.6/policy/modules/admin/su.if --- nsaserefpolicy/policy/modules/admin/su.if 2009-01-19 11:07:34.000000000 -0500 +++ serefpolicy-3.6.6/policy/modules/admin/su.if 2009-02-16 13:18:06.000000000 -0500 @@ -3590,7 +3637,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.6.6/policy/modules/apps/qemu.if --- nsaserefpolicy/policy/modules/apps/qemu.if 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.6/policy/modules/apps/qemu.if 2009-02-17 17:18:08.000000000 -0500 ++++ serefpolicy-3.6.6/policy/modules/apps/qemu.if 2009-02-20 11:37:20.000000000 -0500 @@ -40,6 +40,93 @@ qemu_domtrans($1) @@ -3777,7 +3824,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -127,84 +290,85 @@ +@@ -127,84 +290,84 @@ # template(`qemu_domain_template',` @@ -3805,6 +3852,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + type $1_image_t; + virt_image($1_image_t) ++ ++ allow $1_t self:capability kill; ++ allow $1_t self:unix_dgram_socket { create_socket_perms sendto }; - allow $1_t self:capability { dac_read_search dac_override }; - allow $1_t self:process { execstack execmem signal getsched }; @@ -3812,9 +3862,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - allow $1_t self:shm create_shm_perms; - allow $1_t self:unix_stream_socket create_stream_socket_perms; - allow $1_t self:tcp_socket create_stream_socket_perms; -+ allow $1_t self:capability kill; -+ allow $1_t self:unix_dgram_socket { create_socket_perms sendto }; -+ + manage_dirs_pattern($1_t, $1_image_t, $1_image_t) + manage_files_pattern($1_t, $1_image_t, $1_image_t) + read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) @@ -3844,19 +3891,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - files_read_usr_files($1_t) - files_read_var_files($1_t) - files_search_all($1_t) -- -- fs_list_inotifyfs($1_t) -- fs_rw_anon_inodefs_files($1_t) -- fs_rw_tmpfs_files($1_t) + manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) + fs_getattr_tmpfs($1_t) -+ + +- fs_list_inotifyfs($1_t) +- fs_rw_anon_inodefs_files($1_t) +- fs_rw_tmpfs_files($1_t) + userdom_read_user_tmpfs_files($1_t) + userdom_signull_unpriv_users($1_t) -+ userdom_admin_home_dir_filetrans($1_t, $1_tmp_t, {file dir }) - storage_raw_write_removable_device($1_t) - storage_raw_read_removable_device($1_t) @@ -3927,7 +3972,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.6/policy/modules/apps/qemu.te --- nsaserefpolicy/policy/modules/apps/qemu.te 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.6/policy/modules/apps/qemu.te 2009-02-17 16:14:43.000000000 -0500 ++++ serefpolicy-3.6.6/policy/modules/apps/qemu.te 2009-02-23 16:13:38.000000000 -0500 @@ -6,6 +6,8 @@ # Declarations # @@ -3937,7 +3982,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ##

## Allow qemu to connect fully to the network -@@ -13,28 +15,160 @@ +@@ -13,28 +15,162 @@ ## gen_tunable(qemu_full_network, false) @@ -3989,8 +4034,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_files_pattern(qemu_t, qemu_cache_t, qemu_cache_t) +files_var_filetrans(qemu_t, qemu_cache_t, { file dir }) + ++manage_dirs_pattern(qemu_t, qemu_var_run_t, qemu_var_run_t) +manage_files_pattern(qemu_t, qemu_var_run_t, qemu_var_run_t) -+files_pid_filetrans(qemu_t, qemu_var_run_t, file) ++manage_lnk_files_pattern(qemu_t, qemu_var_run_t, qemu_var_run_t) ++files_pid_filetrans(qemu_t, qemu_var_run_t, { dir file }) + +kernel_read_system_state(qemutype) + @@ -4453,7 +4500,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +corecmd_executable_file(wm_exec_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.6/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.6/policy/modules/kernel/corecommands.fc 2009-02-16 17:52:43.000000000 -0500 ++++ serefpolicy-3.6.6/policy/modules/kernel/corecommands.fc 2009-02-23 10:54:44.000000000 -0500 @@ -58,6 +58,8 @@ /etc/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) @@ -4479,7 +4526,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0) /etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0) -@@ -130,6 +133,8 @@ +@@ -124,12 +127,15 @@ + + /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) + ++/opt/real/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0) + ifdef(`distro_gentoo',` + /opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0) + /opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0) /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -4488,7 +4542,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /usr # -@@ -203,6 +208,7 @@ +@@ -203,6 +209,7 @@ /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/mc/extfs/.* -- gen_context(system_u:object_r:bin_t,s0) @@ -4496,7 +4550,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) -@@ -223,14 +229,15 @@ +@@ -223,14 +230,15 @@ /usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) @@ -4514,7 +4568,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0) -@@ -293,3 +300,14 @@ +@@ -293,3 +301,14 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -8468,7 +8522,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +permissive afs_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.6/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.6/policy/modules/services/apache.fc 2009-02-16 13:18:06.000000000 -0500 ++++ serefpolicy-3.6.6/policy/modules/services/apache.fc 2009-02-23 11:47:03.000000000 -0500 @@ -1,12 +1,13 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) @@ -8528,7 +8582,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -@@ -64,11 +71,24 @@ +@@ -64,11 +71,26 @@ /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) @@ -8552,7 +8606,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) +/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) + -+/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) ++/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) ++ ++/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.6/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.6/policy/modules/services/apache.if 2009-02-16 13:18:06.000000000 -0500 @@ -10825,7 +10881,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.6/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.6/policy/modules/services/cron.if 2009-02-16 13:18:06.000000000 -0500 ++++ serefpolicy-3.6.6/policy/modules/services/cron.if 2009-02-23 10:28:03.000000000 -0500 @@ -12,6 +12,10 @@ ## # @@ -10837,7 +10893,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # # Declarations -@@ -31,13 +35,18 @@ +@@ -31,16 +35,21 @@ # dac_override is to create the file in the directory under /tmp allow $1_t self:capability { fowner setuid setgid chown dac_override }; @@ -10856,8 +10912,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_files_pattern($1_t, user_cron_spool_t, user_cron_spool_t) manage_files_pattern($1_t, cron_spool_t, user_cron_spool_t) filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file) - files_search_spool($1_t) -@@ -58,6 +67,12 @@ +- files_search_spool($1_t) ++ files_list_spool($1_t) + + # crontab signals crond by updating the mtime on the spooldir + allow $1_t cron_spool_t:dir setattr; +@@ -55,9 +64,16 @@ + domain_use_interactive_fds($1_t) + + files_read_etc_files($1_t) ++ files_read_usr_files($1_t) files_dontaudit_search_pids($1_t) logging_send_syslog_msg($1_t) @@ -10870,7 +10934,43 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization($1_t) -@@ -261,6 +276,7 @@ +@@ -147,26 +163,26 @@ + # + interface(`cron_unconfined_role',` + gen_require(` +- type unconfined_cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t; ++ type unconfined_cronjob_t, admin_crontab_t, crontab_tmp_t, crontab_exec_t; + ') + +- role $1 types { unconfined_cronjob_t crontab_t }; ++ role $1 types { unconfined_cronjob_t admin_crontab_t }; + + # cronjob shows up in user ps + ps_process_pattern($2, unconfined_cronjob_t) + + # Transition from the user domain to the derived domain. +- domtrans_pattern($2, crontab_exec_t, crontab_t) ++ domtrans_pattern($2, crontab_exec_t, admin_crontab_t) + + # crontab shows up in user ps +- ps_process_pattern($2, crontab_t) +- allow $2 crontab_t:process signal; ++ ps_process_pattern($2, admin_crontab_t) ++ allow $2 admin_crontab_t:process signal; + + # Run helper programs as the user domain +- #corecmd_bin_domtrans(crontab_t, $2) +- #corecmd_shell_domtrans(crontab_t, $2) +- corecmd_exec_bin(crontab_t) +- corecmd_exec_shell(crontab_t) ++ #corecmd_bin_domtrans(admin_crontab_t, $2) ++ #corecmd_shell_domtrans(admin_crontab_t, $2) ++ corecmd_exec_bin(admin_crontab_t) ++ corecmd_exec_shell(admin_crontab_t) + + optional_policy(` + gen_require(` +@@ -261,6 +277,7 @@ allow $1 system_cronjob_t:fifo_file rw_file_perms; allow $1 system_cronjob_t:process sigchld; @@ -10878,7 +10978,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1 crond_t:fifo_file rw_file_perms; allow $1 crond_t:fd use; allow $1 crond_t:process sigchld; -@@ -343,6 +359,24 @@ +@@ -343,6 +360,24 @@ ######################################## ##

@@ -10903,7 +11003,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write a cron daemon unnamed pipe. ## ## -@@ -361,7 +395,7 @@ +@@ -361,7 +396,7 @@ ######################################## ## @@ -10912,7 +11012,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -369,7 +403,7 @@ +@@ -369,7 +404,7 @@ ## ## # @@ -10921,7 +11021,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol gen_require(` type crond_t; ') -@@ -416,6 +450,42 @@ +@@ -416,6 +451,42 @@ ######################################## ## @@ -10964,7 +11064,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Inherit and use a file descriptor ## from system cron jobs. ## -@@ -481,11 +551,14 @@ +@@ -481,11 +552,14 @@ # interface(`cron_read_system_job_tmp_files',` gen_require(` @@ -10980,7 +11080,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -506,3 +579,101 @@ +@@ -506,3 +580,101 @@ dontaudit $1 system_cronjob_tmp_t:file append; ') @@ -11084,7 +11184,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.6/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.6/policy/modules/services/cron.te 2009-02-16 13:18:06.000000000 -0500 ++++ serefpolicy-3.6.6/policy/modules/services/cron.te 2009-02-20 12:00:11.000000000 -0500 @@ -38,6 +38,10 @@ type cron_var_lib_t; files_type(cron_var_lib_t) @@ -13043,7 +13143,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.6/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.6/policy/modules/services/dovecot.te 2009-02-16 13:18:06.000000000 -0500 ++++ serefpolicy-3.6.6/policy/modules/services/dovecot.te 2009-02-23 15:07:16.000000000 -0500 @@ -15,12 +15,21 @@ domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t) role system_r types dovecot_auth_t; @@ -13166,14 +13266,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_usr_symlinks(dovecot_auth_t) files_search_tmp(dovecot_auth_t) files_read_var_lib_files(dovecot_t) -@@ -182,5 +213,55 @@ +@@ -182,5 +213,58 @@ ') optional_policy(` - logging_send_syslog_msg(dovecot_auth_t) + mysql_search_db(dovecot_auth_t) + mysql_stream_connect(dovecot_auth_t) -+') + ') + +optional_policy(` + nis_authenticate(dovecot_auth_t) @@ -13212,16 +13312,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +dovecot_auth_stream_connect(dovecot_deliver_t) + -+userdom_manage_user_home_content_dirs(dovecot_t) -+userdom_manage_user_home_content_files(dovecot_t) -+userdom_manage_user_home_content_symlinks(dovecot_t) -+userdom_manage_user_home_content_pipes(dovecot_t) -+userdom_manage_user_home_content_sockets(dovecot_t) -+userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file }) ++files_search_tmp(dovecot_deliver_t) ++fs_getattr_all_fs(dovecot_deliver_t) ++ ++userdom_manage_user_home_content_dirs(dovecot_deliver_t) ++userdom_manage_user_home_content_files(dovecot_deliver_t) ++userdom_manage_user_home_content_symlinks(dovecot_deliver_t) ++userdom_manage_user_home_content_pipes(dovecot_deliver_t) ++userdom_manage_user_home_content_sockets(dovecot_deliver_t) ++userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) + +optional_policy(` + mta_manage_spool(dovecot_deliver_t) - ') ++') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.6.6/policy/modules/services/exim.if --- nsaserefpolicy/policy/modules/services/exim.if 2008-08-07 11:15:11.000000000 -0400 @@ -14335,6 +14438,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_ring_buffer(kerneloops_t) # Init script handling +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.6.6/policy/modules/services/ktalk.te +--- nsaserefpolicy/policy/modules/services/ktalk.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.6/policy/modules/services/ktalk.te 2009-02-23 10:01:40.000000000 -0500 +@@ -69,6 +69,7 @@ + files_read_etc_files(ktalkd_t) + + term_search_ptys(ktalkd_t) ++term_use_all_terms(ktalkd_t) + + auth_use_nsswitch(ktalkd_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.6.6/policy/modules/services/ldap.te --- nsaserefpolicy/policy/modules/services/ldap.te 2009-02-16 08:44:12.000000000 -0500 +++ serefpolicy-3.6.6/policy/modules/services/ldap.te 2009-02-16 13:18:06.000000000 -0500 @@ -15063,7 +15177,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.6.6/policy/modules/services/mysql.if --- nsaserefpolicy/policy/modules/services/mysql.if 2008-11-18 18:57:20.000000000 -0500 -+++ serefpolicy-3.6.6/policy/modules/services/mysql.if 2009-02-16 13:18:06.000000000 -0500 ++++ serefpolicy-3.6.6/policy/modules/services/mysql.if 2009-02-24 07:19:21.000000000 -0500 @@ -161,6 +161,25 @@ allow $1 mysqld_db_t:sock_file rw_sock_file_perms; ') @@ -15090,9 +15204,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Write to the MySQL log. +@@ -177,7 +196,7 @@ + ') + + logging_search_logs($1) +- allow $1 mysqld_log_t:file { write_file_perms setattr }; ++ allow $1 mysqld_log_t:file { write_file_perms setattr getattr }; + ') + + ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.6/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.6/policy/modules/services/mysql.te 2009-02-16 13:18:06.000000000 -0500 ++++ serefpolicy-3.6.6/policy/modules/services/mysql.te 2009-02-24 07:41:51.000000000 -0500 @@ -10,6 +10,10 @@ type mysqld_exec_t; init_daemon_domain(mysqld_t, mysqld_exec_t) @@ -15113,7 +15236,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service }; -@@ -121,3 +125,32 @@ +@@ -121,3 +125,36 @@ optional_policy(` udev_read_db(mysqld_t) ') @@ -15128,14 +15251,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow mysqld_safe_t self:capability { dac_override fowner chown }; +allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; + ++append_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) ++ +mysql_read_config(mysqld_safe_t) -+mysql_search_db(mysqld_safe_t) +mysql_search_pid_files(mysqld_safe_t) +mysql_write_log(mysqld_safe_t) + +kernel_read_system_state(mysqld_safe_t) + +files_read_etc_files(mysqld_safe_t) ++files_read_usr_files(mysqld_safe_t) ++ ++dev_list_sysfs(mysqld_safe_t) + +corecmd_exec_bin(mysqld_safe_t) + @@ -21114,7 +21241,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.6/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.6/policy/modules/services/samba.te 2009-02-16 13:18:06.000000000 -0500 ++++ serefpolicy-3.6.6/policy/modules/services/samba.te 2009-02-23 14:27:45.000000000 -0500 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) @@ -21294,16 +21421,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_manage_nfs_symlinks(smbd_t) + fs_manage_nfs_named_pipes(smbd_t) + fs_manage_nfs_named_sockets(smbd_t) - ') - ++') ++ +# Support Samba sharing of ntfs/fusefs mount points +tunable_policy(`samba_share_fusefs',` + fs_manage_fusefs_dirs(smbd_t) + fs_manage_fusefs_files(smbd_t) +',` + fs_search_fusefs_dirs(smbd_t) -+') -+ + ') + + optional_policy(` cups_read_rw_config(smbd_t) @@ -21352,7 +21479,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # -@@ -454,6 +501,7 @@ +@@ -417,14 +464,11 @@ + files_pid_filetrans(nmbd_t, nmbd_var_run_t, file) + + read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) ++read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) + + manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) + manage_files_pattern(nmbd_t, samba_log_t, samba_log_t) + +-read_files_pattern(nmbd_t, samba_log_t, samba_log_t) +-create_files_pattern(nmbd_t, samba_log_t, samba_log_t) +-allow nmbd_t samba_log_t:dir setattr; +- + manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) + + allow nmbd_t smbd_var_run_t:dir rw_dir_perms; +@@ -454,6 +498,7 @@ dev_getattr_mtrr_dev(nmbd_t) fs_getattr_all_fs(nmbd_t) @@ -21360,7 +21503,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_search_auto_mountpoints(nmbd_t) domain_use_interactive_fds(nmbd_t) -@@ -553,19 +601,33 @@ +@@ -553,21 +598,36 @@ userdom_use_user_terminals(smbmount_t) userdom_use_all_users_fds(smbmount_t) @@ -21396,8 +21539,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow swat_t nmbd_var_run_t:file { lock read unlink }; rw_files_pattern(swat_t, samba_etc_t, samba_etc_t) ++read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t) -@@ -585,6 +647,9 @@ + append_files_pattern(swat_t, samba_log_t, samba_log_t) + +@@ -585,6 +645,9 @@ files_pid_filetrans(swat_t, swat_var_run_t, file) allow swat_t winbind_exec_t:file mmap_file_perms; @@ -21407,7 +21553,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -609,15 +674,18 @@ +@@ -609,15 +672,18 @@ dev_read_urand(swat_t) @@ -21426,7 +21572,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_search_logs(swat_t) miscfiles_read_localization(swat_t) -@@ -635,6 +703,17 @@ +@@ -635,6 +701,17 @@ kerberos_use(swat_t) ') @@ -21444,7 +21590,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Winbind local policy -@@ -642,7 +721,7 @@ +@@ -642,7 +719,7 @@ allow winbind_t self:capability { dac_override ipc_lock setuid }; dontaudit winbind_t self:capability sys_tty_config; @@ -21453,7 +21599,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow winbind_t self:fifo_file rw_fifo_file_perms; allow winbind_t self:unix_dgram_socket create_socket_perms; allow winbind_t self:unix_stream_socket create_stream_socket_perms; -@@ -683,9 +762,10 @@ +@@ -683,9 +760,10 @@ manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) files_pid_filetrans(winbind_t, winbind_var_run_t, file) @@ -21466,7 +21612,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(winbind_t) corenet_all_recvfrom_netlabel(winbind_t) -@@ -709,10 +789,12 @@ +@@ -709,10 +787,12 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) @@ -21479,7 +21625,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(winbind_t) -@@ -768,8 +850,13 @@ +@@ -768,8 +848,13 @@ userdom_use_user_terminals(winbind_helper_t) optional_policy(` @@ -21493,7 +21639,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -778,6 +865,16 @@ +@@ -778,6 +863,16 @@ # optional_policy(` @@ -21510,7 +21656,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -788,9 +885,43 @@ +@@ -788,9 +883,43 @@ allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; @@ -23519,7 +23665,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.6/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.6/policy/modules/services/xserver.if 2009-02-16 13:18:06.000000000 -0500 ++++ serefpolicy-3.6.6/policy/modules/services/xserver.if 2009-02-20 14:25:25.000000000 -0500 @@ -90,7 +90,7 @@ allow $2 xauth_home_t:file manage_file_perms; allow $2 xauth_home_t:file { relabelfrom relabelto }; @@ -24946,8 +25092,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +logging_send_syslog_msg(zos_remote_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.6/policy/modules/system/application.te --- nsaserefpolicy/policy/modules/system/application.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.6/policy/modules/system/application.te 2009-02-16 13:18:06.000000000 -0500 -@@ -7,6 +7,12 @@ ++++ serefpolicy-3.6.6/policy/modules/system/application.te 2009-02-23 10:22:08.000000000 -0500 +@@ -7,8 +7,18 @@ # Executables to be run by user attribute application_exec_type; @@ -24960,6 +25106,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ssh_sigchld(application_domain_type) ssh_rw_stream_sockets(application_domain_type) + ') + ++optional_policy(` ++ sudo_sigchld(application_domain_type) ++') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.6.6/policy/modules/system/authlogin.fc --- nsaserefpolicy/policy/modules/system/authlogin.fc 2008-08-07 11:15:12.000000000 -0400 +++ serefpolicy-3.6.6/policy/modules/system/authlogin.fc 2009-02-16 13:18:06.000000000 -0500 @@ -26162,7 +26314,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow iscsid_t iscsi_tmp_t:dir manage_dir_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.6/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.6/policy/modules/system/libraries.fc 2009-02-18 09:32:59.000000000 -0500 ++++ serefpolicy-3.6.6/policy/modules/system/libraries.fc 2009-02-23 11:26:27.000000000 -0500 @@ -60,12 +60,15 @@ # # /opt @@ -26179,7 +26331,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_gentoo',` # despite the extensions, they are actually libs /opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:lib_t,s0) -@@ -84,9 +87,10 @@ +@@ -84,12 +87,14 @@ ifdef(`distro_redhat',` /opt/Adobe(/.*?)/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -26192,7 +26344,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/ibm/java.*/jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) /opt/ibm/java.*/jre/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -103,6 +107,7 @@ ++/opt/ibm/java.*/jre/bin/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + ') + +@@ -103,6 +108,7 @@ # /usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -26200,7 +26356,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/(.*/)?java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) -@@ -115,24 +120,34 @@ +@@ -115,24 +121,34 @@ /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -26236,7 +26392,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -168,7 +183,8 @@ +@@ -168,7 +184,8 @@ # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php /usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -26246,7 +26402,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -187,6 +203,7 @@ +@@ -187,6 +204,7 @@ /usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -26254,7 +26410,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -233,7 +250,7 @@ +@@ -233,7 +251,7 @@ /usr/lib(64)?/php/modules/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame @@ -26263,7 +26419,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -246,12 +263,13 @@ +@@ -246,12 +264,13 @@ # Flash plugin, Macromedia HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -26279,7 +26435,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Jai, Sun Microsystems (Jpackage SPRM) /usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -267,6 +285,9 @@ +@@ -267,6 +286,9 @@ /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -26289,7 +26445,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Java, Sun Microsystems (JPackage SRPM) /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -291,6 +312,8 @@ +@@ -291,6 +313,8 @@ /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -26298,7 +26454,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') dnl end distro_redhat # -@@ -303,6 +326,8 @@ +@@ -303,6 +327,8 @@ /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) @@ -26307,7 +26463,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_suse',` /var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0) ') -@@ -310,3 +335,25 @@ +@@ -310,3 +336,30 @@ /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) @@ -26333,6 +26489,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib/oracle/.*/lib/libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/opt/(.*/)?oracle/(.*/)?libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/opt/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.6/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.6/policy/modules/system/libraries.te 2009-02-16 13:18:06.000000000 -0500 @@ -28164,7 +28325,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.6/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.6/policy/modules/system/sysnetwork.if 2009-02-17 11:02:02.000000000 -0500 ++++ serefpolicy-3.6.6/policy/modules/system/sysnetwork.if 2009-02-23 13:58:44.000000000 -0500 @@ -43,6 +43,39 @@ sysnet_domtrans_dhcpc($1) @@ -28714,7 +28875,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.6/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.6/policy/modules/system/unconfined.if 2009-02-16 13:18:06.000000000 -0500 ++++ serefpolicy-3.6.6/policy/modules/system/unconfined.if 2009-02-23 10:16:08.000000000 -0500 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',`