diff --git a/modules-minimum.conf b/modules-minimum.conf
index 35181dc..6543a87 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -1589,6 +1589,13 @@ tgtd = module
#
udev = base
+# Layer: services
+# Module: usbmuxd
+#
+# Daemon for communicating with Apple's iPod Touch and iPhone
+#
+usbmuxd = module
+
# Layer: system
# Module: userdomain
#
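Review bot: `usbmuxd = module` is switched on here, and again in the identical modules-targeted.conf hunk below, but the services-layer usbmuxd policy sources are not visible in this part of the commit. Please confirm that the updated policy-F13.patch actually adds that module, otherwise the entry names a module the build cannot find. The daemon parses data from attached USB devices, so it is also worth checking after install that it runs in its own domain rather than an init or unconfined one. If an MLS module list exists alongside these two files, say in the commit message whether leaving it out was deliberate.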
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 35181dc..6543a87 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -1589,6 +1589,13 @@ tgtd = module
#
udev = base
+# Layer: services
+# Module: usbmuxd
+#
+# Daemon for communicating with Apple's iPod Touch and iPhone
+#
+usbmuxd = module
+
# Layer: system
# Module: userdomain
#
diff --git a/policy-F13.patch b/policy-F13.patch
index 732e5cf..2c8fb1d 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -1,6 +1,6 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.8/Makefile
--- nsaserefpolicy/Makefile 2009-08-18 11:41:14.000000000 -0400
-+++ serefpolicy-3.7.8/Makefile 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/Makefile 2010-02-02 10:31:03.000000000 -0500
@@ -244,7 +244,7 @@
appdir := $(contextpath)
user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
@@ -12,7 +12,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.8/M
all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.7.8/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.8/policy/global_tunables 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/global_tunables 2010-02-02 10:31:03.000000000 -0500
@@ -61,15 +61,6 @@
##
@@ -50,7 +50,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.7.8/policy/modules/admin/alsa.te
--- nsaserefpolicy/policy/modules/admin/alsa.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/admin/alsa.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/alsa.te 2010-02-02 10:31:03.000000000 -0500
@@ -51,6 +51,8 @@
files_read_etc_files(alsa_t)
files_read_usr_files(alsa_t)
@@ -62,7 +62,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
init_use_fds(alsa_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.7.8/policy/modules/admin/anaconda.te
--- nsaserefpolicy/policy/modules/admin/anaconda.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/admin/anaconda.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/anaconda.te 2010-02-02 10:31:03.000000000 -0500
@@ -31,6 +31,7 @@
modutils_domtrans_insmod(anaconda_t)
@@ -82,7 +82,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anacond
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.7.8/policy/modules/admin/brctl.te
--- nsaserefpolicy/policy/modules/admin/brctl.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/admin/brctl.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/brctl.te 2010-02-02 10:31:03.000000000 -0500
@@ -21,7 +21,7 @@
allow brctl_t self:unix_dgram_socket create_socket_perms;
allow brctl_t self:tcp_socket create_socket_perms;
@@ -94,7 +94,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.7.8/policy/modules/admin/certwatch.te
--- nsaserefpolicy/policy/modules/admin/certwatch.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/admin/certwatch.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/certwatch.te 2010-02-02 10:31:03.000000000 -0500
@@ -36,7 +36,7 @@
miscfiles_read_localization(certwatch_t)
@@ -106,7 +106,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwat
apache_exec_modules(certwatch_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.7.8/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/admin/consoletype.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/consoletype.te 2010-02-02 10:31:03.000000000 -0500
@@ -10,7 +10,6 @@
type consoletype_exec_t;
application_executable_file(consoletype_exec_t)
@@ -125,7 +125,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.fc serefpolicy-3.7.8/policy/modules/admin/dmesg.fc
--- nsaserefpolicy/policy/modules/admin/dmesg.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/admin/dmesg.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/dmesg.fc 2010-02-02 10:31:03.000000000 -0500
@@ -1,2 +1,4 @@
/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
@@ -133,7 +133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.f
+/usr/sbin/mcelog -- gen_context(system_u:object_r:dmesg_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.7.8/policy/modules/admin/dmesg.te
--- nsaserefpolicy/policy/modules/admin/dmesg.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/admin/dmesg.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/dmesg.te 2010-02-02 10:31:03.000000000 -0500
@@ -9,6 +9,7 @@
type dmesg_t;
type dmesg_exec_t;
@@ -177,7 +177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.t
+dev_read_raw_memory(dmesg_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.7.8/policy/modules/admin/firstboot.te
--- nsaserefpolicy/policy/modules/admin/firstboot.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/admin/firstboot.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/firstboot.te 2010-02-02 10:31:03.000000000 -0500
@@ -91,8 +91,12 @@
userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
@@ -202,7 +202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstbo
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.7.8/policy/modules/admin/kismet.te
--- nsaserefpolicy/policy/modules/admin/kismet.te 2009-11-25 15:15:48.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/admin/kismet.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/kismet.te 2010-02-02 10:31:03.000000000 -0500
@@ -45,6 +45,7 @@
manage_dirs_pattern(kismet_t, kismet_home_t, kismet_home_t)
manage_files_pattern(kismet_t, kismet_home_t, kismet_home_t)
@@ -231,7 +231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.7.8/policy/modules/admin/logrotate.te
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/admin/logrotate.te 2010-01-21 14:59:24.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/logrotate.te 2010-02-02 10:31:03.000000000 -0500
@@ -32,7 +32,7 @@
# Change ownership on log files.
allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
@@ -312,7 +312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.7.8/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/admin/logwatch.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/logwatch.te 2010-02-02 10:31:03.000000000 -0500
@@ -93,6 +93,13 @@
sysnet_exec_ifconfig(logwatch_t)
@@ -335,7 +335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.7.8/policy/modules/admin/mrtg.te
--- nsaserefpolicy/policy/modules/admin/mrtg.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/admin/mrtg.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/mrtg.te 2010-02-02 10:31:03.000000000 -0500
@@ -116,6 +116,7 @@
userdom_use_user_terminals(mrtg_t)
userdom_dontaudit_read_user_home_content_files(mrtg_t)
@@ -346,7 +346,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.7.8/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/admin/netutils.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/netutils.te 2010-02-02 10:31:03.000000000 -0500
@@ -44,6 +44,7 @@
allow netutils_t self:packet_socket create_socket_perms;
allow netutils_t self:udp_socket create_socket_perms;
@@ -374,7 +374,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
term_use_all_user_ptys(traceroute_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage.te serefpolicy-3.7.8/policy/modules/admin/portage.te
--- nsaserefpolicy/policy/modules/admin/portage.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/admin/portage.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/portage.te 2010-02-02 10:31:03.000000000 -0500
@@ -196,7 +196,7 @@
# - for rsync and distfile fetching
#
@@ -386,7 +386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage
allow portage_fetch_t self:tcp_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.7.8/policy/modules/admin/prelink.fc
--- nsaserefpolicy/policy/modules/admin/prelink.fc 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/admin/prelink.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/prelink.fc 2010-02-02 10:31:03.000000000 -0500
@@ -1,3 +1,4 @@
+/etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0)
@@ -394,7 +394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.7.8/policy/modules/admin/prelink.if
--- nsaserefpolicy/policy/modules/admin/prelink.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/admin/prelink.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/prelink.if 2010-02-02 10:31:03.000000000 -0500
@@ -21,6 +21,25 @@
########################################
@@ -437,7 +437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.8/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/admin/prelink.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/prelink.te 2010-02-02 10:31:03.000000000 -0500
@@ -21,8 +21,21 @@
type prelink_tmp_t;
files_tmp_file(prelink_tmp_t)
@@ -493,15 +493,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
libs_manage_ld_so(prelink_t)
libs_relabel_ld_so(prelink_t)
libs_manage_shared_libs(prelink_t)
-@@ -89,6 +106,7 @@
+@@ -89,6 +106,8 @@
miscfiles_read_localization(prelink_t)
userdom_use_user_terminals(prelink_t)
+userdom_manage_user_home_content(prelink_t)
++userdom_execmod_user_home_files(prelink_t)
optional_policy(`
amanda_manage_lib(prelink_t)
-@@ -99,5 +117,58 @@
+@@ -99,5 +118,58 @@
')
optional_policy(`
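Review bot: The added `userdom_execmod_user_home_files(prelink_t)` line (inner hunk `@@ -89,6 +106,8 @@` of prelink.te) has no comment explaining why prelink needs execmod on user home files. It sits directly after `userdom_manage_user_home_content(prelink_t)`, so prelink_t may both rewrite files of a user-writable type and map them executable after modification. execmod is a memory-protection check, so the grant should carry its reason, for example `# prelink touches libraries under home directories that need text relocation; see <bug-or-AVC-reference>`, with the actual cause confirmed by the author. If the denial only appeared because prelink scans home directories, a dontaudit rule would be the narrower choice. The rest of prelink.te's rules lie outside this hunk.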
@@ -562,7 +563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.7.8/policy/modules/admin/readahead.te
--- nsaserefpolicy/policy/modules/admin/readahead.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/admin/readahead.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/readahead.te 2010-02-02 10:31:03.000000000 -0500
@@ -52,6 +52,7 @@
files_list_non_security(readahead_t)
@@ -573,7 +574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahe
files_dontaudit_getattr_all_sockets(readahead_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.7.8/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/admin/rpm.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/rpm.fc 2010-02-02 10:31:03.000000000 -0500
@@ -1,18 +1,19 @@
/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -626,7 +627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc
/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.7.8/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/admin/rpm.if 2010-01-28 10:15:39.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/rpm.if 2010-02-02 10:31:03.000000000 -0500
@@ -13,11 +13,34 @@
interface(`rpm_domtrans',`
gen_require(`
@@ -1039,7 +1040,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.7.8/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/admin/rpm.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/rpm.te 2010-02-02 10:31:03.000000000 -0500
@@ -15,6 +15,9 @@
domain_interactive_fd(rpm_t)
role system_r types rpm_t;
@@ -1316,7 +1317,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
java_domtrans_unconfined(rpm_script_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.fc serefpolicy-3.7.8/policy/modules/admin/shorewall.fc
--- nsaserefpolicy/policy/modules/admin/shorewall.fc 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/admin/shorewall.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/shorewall.fc 2010-02-02 10:31:03.000000000 -0500
@@ -4,8 +4,11 @@
/etc/shorewall(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
/etc/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
@@ -1332,7 +1333,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa
+/var/log/shorewall.* gen_context(system_u:object_r:shorewall_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.if serefpolicy-3.7.8/policy/modules/admin/shorewall.if
--- nsaserefpolicy/policy/modules/admin/shorewall.if 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/admin/shorewall.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/shorewall.if 2010-02-02 10:31:03.000000000 -0500
@@ -75,6 +75,46 @@
rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
')
@@ -1382,7 +1383,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa
## All of the rules required to administrate
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.7.8/policy/modules/admin/shorewall.te
--- nsaserefpolicy/policy/modules/admin/shorewall.te 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/admin/shorewall.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/shorewall.te 2010-02-02 10:31:03.000000000 -0500
@@ -29,6 +29,9 @@
type shorewall_var_lib_t;
files_type(shorewall_var_lib_t)
@@ -1415,7 +1416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.fc serefpolicy-3.7.8/policy/modules/admin/smoltclient.fc
--- nsaserefpolicy/policy/modules/admin/smoltclient.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/admin/smoltclient.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/smoltclient.fc 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,4 @@
+
+/usr/share/smolt/client/sendProfile.py -- gen_context(system_u:object_r:smoltclient_exec_t,s0)
@@ -1423,12 +1424,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltcl
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.if serefpolicy-3.7.8/policy/modules/admin/smoltclient.if
--- nsaserefpolicy/policy/modules/admin/smoltclient.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/admin/smoltclient.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/smoltclient.if 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1 @@
+## The Fedora hardware profiler client
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.7.8/policy/modules/admin/smoltclient.te
--- nsaserefpolicy/policy/modules/admin/smoltclient.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/admin/smoltclient.te 2010-01-27 09:39:20.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/smoltclient.te 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,66 @@
+policy_module(smoltclient,1.0.0)
+
@@ -1498,7 +1499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltcl
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.7.8/policy/modules/admin/sudo.if
--- nsaserefpolicy/policy/modules/admin/sudo.if 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/admin/sudo.if 2010-01-21 15:18:30.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/sudo.if 2010-02-02 10:31:03.000000000 -0500
@@ -66,8 +66,8 @@
allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
allow $1_sudo_t self:unix_dgram_socket sendto;
@@ -1545,7 +1546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.7.8/policy/modules/admin/tmpreaper.te
--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/admin/tmpreaper.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/tmpreaper.te 2010-02-02 10:31:03.000000000 -0500
@@ -42,6 +42,7 @@
cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
@@ -1580,7 +1581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.7.8/policy/modules/admin/usermanage.if
--- nsaserefpolicy/policy/modules/admin/usermanage.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/admin/usermanage.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/usermanage.if 2010-02-02 10:31:03.000000000 -0500
@@ -113,6 +113,12 @@
files_search_usr($1)
corecmd_search_bin($1)
@@ -1608,7 +1609,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.8/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/admin/usermanage.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/usermanage.te 2010-02-02 10:31:03.000000000 -0500
@@ -82,6 +82,7 @@
selinux_compute_relabel_context(chfn_t)
selinux_compute_user_contexts(chfn_t)
@@ -1740,7 +1741,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.7.8/policy/modules/admin/vbetool.te
--- nsaserefpolicy/policy/modules/admin/vbetool.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/admin/vbetool.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/vbetool.te 2010-02-02 10:31:03.000000000 -0500
@@ -15,15 +15,20 @@
# Local policy
#
@@ -1775,7 +1776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.7.8/policy/modules/admin/vpn.te
--- nsaserefpolicy/policy/modules/admin/vpn.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/admin/vpn.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/admin/vpn.te 2010-02-02 10:31:03.000000000 -0500
@@ -46,6 +46,7 @@
kernel_read_system_state(vpnc_t)
kernel_read_network_state(vpnc_t)
@@ -1797,13 +1798,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te
dbus_system_bus_client(vpnc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.fc serefpolicy-3.7.8/policy/modules/apps/chrome.fc
--- nsaserefpolicy/policy/modules/apps/chrome.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/chrome.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/chrome.fc 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,2 @@
+
+/usr/lib(64)?/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.7.8/policy/modules/apps/chrome.if
--- nsaserefpolicy/policy/modules/apps/chrome.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/chrome.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/chrome.if 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,86 @@
+
+## policy for chrome
@@ -1893,7 +1894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.i
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.8/policy/modules/apps/chrome.te
--- nsaserefpolicy/policy/modules/apps/chrome.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/chrome.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/chrome.te 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,82 @@
+policy_module(chrome,1.0.0)
+
@@ -1979,7 +1980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.t
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.7.8/policy/modules/apps/cpufreqselector.te
--- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/cpufreqselector.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/cpufreqselector.te 2010-02-02 10:31:03.000000000 -0500
@@ -26,7 +26,7 @@
dev_rw_sysfs(cpufreqselector_t)
@@ -1991,12 +1992,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqs
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.7.8/policy/modules/apps/execmem.fc
--- nsaserefpolicy/policy/modules/apps/execmem.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/execmem.fc 2010-01-18 15:18:03.000000000 -0500
-@@ -0,0 +1,42 @@
++++ serefpolicy-3.7.8/policy/modules/apps/execmem.fc 2010-02-02 10:31:03.000000000 -0500
+@@ -0,0 +1,43 @@
+/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/mutter -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/runghc -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0)
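Review bot: The new `/usr/bin/mutter` entry in the execmem.fc hunk labels the window manager `execmem_exec_t` with no record of what requires it. Judging by the type name, this presumably runs mutter in a domain that is allowed writable-and-executable memory, which relaxes a memory protection for a long-running process in the desktop session. File-context files accept `#` comments, so a line such as `# mutter: needs execmem because of <component>; see <bug-reference>` above the entry would let a later maintainer drop the label once the underlying cause is fixed. The remainder of the execmem.fc list is outside this hunk.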
@@ -2037,7 +2039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.
+/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.7.8/policy/modules/apps/execmem.if
--- nsaserefpolicy/policy/modules/apps/execmem.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/execmem.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/execmem.if 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,103 @@
+## execmem domain
+
@@ -2144,7 +2146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.te serefpolicy-3.7.8/policy/modules/apps/execmem.te
--- nsaserefpolicy/policy/modules/apps/execmem.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/execmem.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/execmem.te 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,11 @@
+
+policy_module(execmem, 1.0.0)
@@ -2159,14 +2161,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.fc serefpolicy-3.7.8/policy/modules/apps/firewallgui.fc
--- nsaserefpolicy/policy/modules/apps/firewallgui.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/firewallgui.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/firewallgui.fc 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,3 @@
+
+/usr/share/system-config-firewall/system-config-firewall-mechanism.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.if serefpolicy-3.7.8/policy/modules/apps/firewallgui.if
--- nsaserefpolicy/policy/modules/apps/firewallgui.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/firewallgui.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/firewallgui.if 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,23 @@
+
+## policy for firewallgui
@@ -2193,8 +2195,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.7.8/policy/modules/apps/firewallgui.te
--- nsaserefpolicy/policy/modules/apps/firewallgui.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/firewallgui.te 2010-01-18 15:18:03.000000000 -0500
-@@ -0,0 +1,62 @@
++++ serefpolicy-3.7.8/policy/modules/apps/firewallgui.te 2010-02-02 10:31:03.000000000 -0500
+@@ -0,0 +1,66 @@
+
+policy_module(firewallgui,1.0.0)
+
@@ -2254,12 +2256,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall
+iptables_initrc_domtrans(firewallgui_t)
+
+optional_policy(`
++ gnome_read_gconf_home_files(firewallgui_t)
++')
++
++optional_policy(`
+ policykit_dbus_chat(firewallgui_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.7.8/policy/modules/apps/gitosis.if
--- nsaserefpolicy/policy/modules/apps/gitosis.if 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/apps/gitosis.if 2010-01-26 09:29:35.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/gitosis.if 2010-02-02 10:31:03.000000000 -0500
@@ -43,3 +43,47 @@
role $2 types gitosis_t;
')
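Review bot: The added `optional_policy` block calling `gnome_read_gconf_home_files(firewallgui_t)` gives no reason why the firewall mechanism needs to read gconf files under user home directories. The same file already lets firewallgui_t call `iptables_initrc_domtrans`, so this is a domain that can change firewall state now reading user-controlled configuration. A comment inside the block, for example `# <what the mechanism reads from gconf>; see <bug-reference>`, would make that trust decision reviewable. If the access is only incidental toolkit start-up, a dontaudit rule would keep the domain narrower. Most of firewallgui.te lies outside this hunk, so the mechanism's other inputs cannot be checked from here.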
@@ -2310,7 +2316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.7.8/policy/modules/apps/gnome.fc
--- nsaserefpolicy/policy/modules/apps/gnome.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/apps/gnome.fc 2010-01-21 11:03:33.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/gnome.fc 2010-02-02 10:31:03.000000000 -0500
@@ -1,8 +1,25 @@
-HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
@@ -2341,7 +2347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.7.8/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/apps/gnome.if 2010-01-25 12:24:02.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/gnome.if 2010-02-02 10:31:03.000000000 -0500
@@ -74,6 +74,24 @@
########################################
@@ -2580,7 +2586,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.7.8/policy/modules/apps/gnome.te
--- nsaserefpolicy/policy/modules/apps/gnome.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/apps/gnome.te 2010-01-21 11:01:47.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/gnome.te 2010-02-02 10:31:03.000000000 -0500
@@ -7,18 +7,33 @@
#
@@ -2731,7 +2737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.7.8/policy/modules/apps/gpg.fc
--- nsaserefpolicy/policy/modules/apps/gpg.fc 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/apps/gpg.fc 2010-01-18 15:36:53.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/gpg.fc 2010-02-02 10:31:03.000000000 -0500
@@ -1,4 +1,5 @@
HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
+/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
@@ -2740,7 +2746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc s
/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.7.8/policy/modules/apps/gpg.te
--- nsaserefpolicy/policy/modules/apps/gpg.te 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/gpg.te 2010-01-18 15:47:52.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/gpg.te 2010-02-02 10:31:03.000000000 -0500
@@ -130,10 +130,10 @@
xserver_rw_xdm_pipes(gpg_t)
')
@@ -2758,7 +2764,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.7.8/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/apps/java.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/java.fc 2010-02-02 10:31:03.000000000 -0500
@@ -2,15 +2,17 @@
# /opt
#
@@ -2801,7 +2807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc
+/usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.7.8/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2009-08-18 11:41:14.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/apps/java.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/java.if 2010-02-02 10:31:03.000000000 -0500
@@ -30,6 +30,7 @@
allow java_t $2:unix_stream_socket connectto;
@@ -2946,7 +2952,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.7.8/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/java.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/java.te 2010-02-02 10:31:03.000000000 -0500
@@ -20,6 +20,8 @@
typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t };
typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
@@ -2994,19 +3000,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.7.8/policy/modules/apps/kdumpgui.fc
--- nsaserefpolicy/policy/modules/apps/kdumpgui.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/kdumpgui.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/kdumpgui.fc 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,2 @@
+
+/usr/share/system-config-kdump/system-config-kdump-backend.py -- gen_context(system_u:object_r:kdumpgui_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.7.8/policy/modules/apps/kdumpgui.if
--- nsaserefpolicy/policy/modules/apps/kdumpgui.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/kdumpgui.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/kdumpgui.if 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,2 @@
+## system-config-kdump policy
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.7.8/policy/modules/apps/kdumpgui.te
--- nsaserefpolicy/policy/modules/apps/kdumpgui.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/kdumpgui.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/kdumpgui.te 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,64 @@
+policy_module(kdumpgui,1.0.0)
+
@@ -3074,13 +3080,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.7.8/policy/modules/apps/livecd.fc
--- nsaserefpolicy/policy/modules/apps/livecd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/livecd.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/livecd.fc 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,2 @@
+
+/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.7.8/policy/modules/apps/livecd.if
--- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/livecd.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/livecd.if 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,52 @@
+
+## policy for livecd
@@ -3136,7 +3142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.i
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.7.8/policy/modules/apps/livecd.te
--- nsaserefpolicy/policy/modules/apps/livecd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/livecd.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/livecd.te 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,27 @@
+policy_module(livecd, 1.0.0)
+
@@ -3167,7 +3173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.t
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.7.8/policy/modules/apps/loadkeys.te
--- nsaserefpolicy/policy/modules/apps/loadkeys.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/apps/loadkeys.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/loadkeys.te 2010-02-02 10:31:03.000000000 -0500
@@ -40,8 +40,12 @@
miscfiles_read_localization(loadkeys_t)
@@ -3184,13 +3190,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.fc serefpolicy-3.7.8/policy/modules/apps/mono.fc
--- nsaserefpolicy/policy/modules/apps/mono.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/apps/mono.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/mono.fc 2010-02-02 10:31:03.000000000 -0500
@@ -1 +1 @@
-/usr/bin/mono -- gen_context(system_u:object_r:mono_exec_t,s0)
+/usr/bin/mono.* -- gen_context(system_u:object_r:mono_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.7.8/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/apps/mono.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/mono.if 2010-02-02 10:31:03.000000000 -0500
@@ -21,6 +21,105 @@
########################################
@@ -3308,7 +3314,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if
corecmd_search_bin($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.7.8/policy/modules/apps/mono.te
--- nsaserefpolicy/policy/modules/apps/mono.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/apps/mono.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/mono.te 2010-02-02 10:31:03.000000000 -0500
@@ -15,7 +15,7 @@
# Local policy
#
@@ -3334,7 +3340,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.7.8/policy/modules/apps/mozilla.fc
--- nsaserefpolicy/policy/modules/apps/mozilla.fc 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/apps/mozilla.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/mozilla.fc 2010-02-02 10:31:03.000000000 -0500
@@ -1,6 +1,7 @@
HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -3353,7 +3359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.7.8/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/mozilla.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/mozilla.if 2010-02-02 10:31:03.000000000 -0500
@@ -48,6 +48,12 @@
mozilla_dbus_chat($2)
@@ -3401,7 +3407,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.7.8/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/mozilla.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/mozilla.te 2010-02-02 10:31:03.000000000 -0500
@@ -91,6 +91,7 @@
corenet_raw_sendrecv_generic_node(mozilla_t)
corenet_tcp_sendrecv_http_port(mozilla_t)
@@ -3462,7 +3468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.7.8/policy/modules/apps/nsplugin.fc
--- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/nsplugin.fc 2010-01-21 11:02:11.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/nsplugin.fc 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,10 @@
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
@@ -3476,7 +3482,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.7.8/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/nsplugin.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/nsplugin.if 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,321 @@
+
+## policy for nsplugin
@@ -3801,7 +3807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.8/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/nsplugin.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/nsplugin.te 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,296 @@
+
+policy_module(nsplugin, 1.0.0)
@@ -4101,14 +4107,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.7.8/policy/modules/apps/openoffice.fc
--- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/openoffice.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/openoffice.fc 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,3 @@
+/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
+/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.7.8/policy/modules/apps/openoffice.if
--- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/openoffice.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/openoffice.if 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,92 @@
+## Openoffice
+
@@ -4204,7 +4210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.7.8/policy/modules/apps/openoffice.te
--- nsaserefpolicy/policy/modules/apps/openoffice.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/openoffice.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/openoffice.te 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,11 @@
+
+policy_module(openoffice, 1.0.0)
@@ -4219,7 +4225,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi
+application_domain(openoffice_t, openoffice_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.7.8/policy/modules/apps/podsleuth.te
--- nsaserefpolicy/policy/modules/apps/podsleuth.te 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/podsleuth.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/podsleuth.te 2010-02-02 10:31:03.000000000 -0500
@@ -50,6 +50,7 @@
fs_tmpfs_filetrans(podsleuth_t, podsleuth_tmpfs_t, { dir file lnk_file })
@@ -4245,7 +4251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleut
dbus_system_bus_client(podsleuth_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.7.8/policy/modules/apps/ptchown.if
--- nsaserefpolicy/policy/modules/apps/ptchown.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/apps/ptchown.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/ptchown.if 2010-02-02 10:31:03.000000000 -0500
@@ -18,3 +18,27 @@
domtrans_pattern($1, ptchown_exec_t, ptchown_t)
')
@@ -4276,15 +4282,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.7.8/policy/modules/apps/pulseaudio.fc
--- nsaserefpolicy/policy/modules/apps/pulseaudio.fc 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/apps/pulseaudio.fc 2010-01-18 15:18:03.000000000 -0500
-@@ -1 +1,4 @@
- /usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
-+
++++ serefpolicy-3.7.8/policy/modules/apps/pulseaudio.fc 2010-02-02 10:31:03.000000000 -0500
+@@ -1 +1,7 @@
+HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.pulse-cookie gen_context(system_u:object_r:pulseaudio_home_t,s0)
++
++/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
++
+ /usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.8/policy/modules/apps/pulseaudio.if
--- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/apps/pulseaudio.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/pulseaudio.if 2010-02-02 10:31:03.000000000 -0500
@@ -40,7 +40,7 @@
userdom_manage_tmpfs_role($1, pulseaudio_t)
@@ -4294,23 +4303,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
')
########################################
-@@ -144,3 +144,61 @@
- allow pulseaudio_t $1:process signull;
- allow $1 pulseaudio_t:unix_stream_socket connectto;
- ')
-+
-+########################################
-+##
+@@ -127,7 +127,7 @@
+
+ ########################################
+ ##
+-## pulsaudio connection template.
+## read pulseaudio homedir content
-+##
-+##
-+##
-+## The type of the user domain.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -135,12 +135,72 @@
+ ##
+ ##
+ #
+-interface(`pulseaudio_stream_connect',`
+template(`pulseaudio_read_home',`
-+ gen_require(`
+ gen_require(`
+- type pulseaudio_t;
+ type pulseaudio_home_t;
+ ')
+
@@ -4332,8 +4341,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
+template(`pulseaudio_manage_home',`
+ gen_require(`
+ type pulseaudio_home_t;
-+ ')
-+
+ ')
+
+ manage_dirs_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ manage_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
@@ -4356,20 +4365,46 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
+
+ allow $1 pulseaudio_home_t:dir setattr;
+')
++
++#####################################
++##
++## Connect to pulseaudio over a unix domain
++## stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pulseaudio_stream_connect',`
++ gen_require(`
++ type pulseaudio_t, pulseaudio_var_run_t;
++ ')
++
++ files_search_pids($1)
+ allow $1 pulseaudio_t:process signull;
+ allow pulseaudio_t $1:process signull;
+- allow $1 pulseaudio_t:unix_stream_socket connectto;
++ stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.8/policy/modules/apps/pulseaudio.te
--- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/pulseaudio.te 2010-01-18 15:18:03.000000000 -0500
-@@ -11,6 +11,9 @@
++++ serefpolicy-3.7.8/policy/modules/apps/pulseaudio.te 2010-02-02 10:31:03.000000000 -0500
+@@ -11,6 +11,12 @@
application_domain(pulseaudio_t, pulseaudio_exec_t)
role system_r types pulseaudio_t;
++type pulseaudio_var_run_t;
++files_pid_file(pulseaudio_var_run_t)
++
+type pulseaudio_home_t;
+userdom_user_home_content(pulseaudio_home_t)
+
########################################
#
# pulseaudio local policy
-@@ -18,7 +21,7 @@
+@@ -18,7 +24,7 @@
allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull };
allow pulseaudio_t self:fifo_file rw_file_perms;
@@ -4378,7 +4413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms };
allow pulseaudio_t self:tcp_socket create_stream_socket_perms;
allow pulseaudio_t self:udp_socket create_socket_perms;
-@@ -26,6 +29,7 @@
+@@ -26,6 +32,7 @@
can_exec(pulseaudio_t, pulseaudio_exec_t)
@@ -4386,7 +4421,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
kernel_read_system_state(pulseaudio_t)
kernel_read_kernel_sysctls(pulseaudio_t)
-@@ -63,12 +67,17 @@
+@@ -63,12 +70,22 @@
miscfiles_read_localization(pulseaudio_t)
optional_policy(`
@@ -4394,6 +4429,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
+ bluetooth_stream_connect(pulseaudio_t)
')
++manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
++manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
++manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
++files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file })
++
+userdom_search_user_home_dirs(pulseaudio_t)
+manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
+manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
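Review bot: `files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file })` leaves out `sock_file`, although the line above it grants `manage_sock_files_pattern` on the same type and the reworked `pulseaudio_stream_connect` routes clients through `pulseaudio_var_run_t`. A socket created inside `/var/run/pulse` inherits the directory's label, but one created directly in the pid directory would presumably keep the generic label, so `stream_connect_pattern` would not cover it; `{ dir file sock_file }` closes that gap. The vmware.te hunk further down has the same shape in `files_tmp_filetrans(vmware_host_t, vmware_host_tmp_t, { file dir })`, next to its own `manage_sock_files_pattern` line. The surrounding pulseaudio.te policy lies outside this hunk, so confirm where the daemon actually creates its socket.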
@@ -4405,7 +4445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
optional_policy(`
consolekit_dbus_chat(pulseaudio_t)
-@@ -88,6 +97,10 @@
+@@ -88,6 +105,10 @@
')
optional_policy(`
@@ -4416,7 +4456,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
policykit_domtrans_auth(pulseaudio_t)
policykit_read_lib(pulseaudio_t)
policykit_read_reload(pulseaudio_t)
-@@ -98,6 +111,8 @@
+@@ -98,6 +119,8 @@
')
optional_policy(`
@@ -4427,7 +4467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.7.8/policy/modules/apps/qemu.fc
--- nsaserefpolicy/policy/modules/apps/qemu.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/apps/qemu.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/qemu.fc 2010-02-02 10:31:03.000000000 -0500
@@ -1,2 +1,2 @@
-/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
-/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
@@ -4435,7 +4475,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc
+/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.7.8/policy/modules/apps/qemu.if
--- nsaserefpolicy/policy/modules/apps/qemu.if 2009-08-31 13:44:40.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/apps/qemu.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/qemu.if 2010-02-02 10:31:03.000000000 -0500
@@ -40,6 +40,10 @@
qemu_domtrans($1)
@@ -4638,7 +4678,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.7.8/policy/modules/apps/qemu.te
--- nsaserefpolicy/policy/modules/apps/qemu.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/qemu.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/qemu.te 2010-02-02 10:31:03.000000000 -0500
@@ -13,15 +13,46 @@
##
gen_tunable(qemu_full_network, false)
@@ -4749,18 +4789,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.7.8/policy/modules/apps/sambagui.fc
--- nsaserefpolicy/policy/modules/apps/sambagui.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/sambagui.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/sambagui.fc 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1 @@
+/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.7.8/policy/modules/apps/sambagui.if
--- nsaserefpolicy/policy/modules/apps/sambagui.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/sambagui.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/sambagui.if 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,2 @@
+## system-config-samba policy
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.7.8/policy/modules/apps/sambagui.te
--- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/sambagui.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/sambagui.te 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,61 @@
+policy_module(sambagui,1.0.0)
+
@@ -4825,12 +4865,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.7.8/policy/modules/apps/sandbox.fc
--- nsaserefpolicy/policy/modules/apps/sandbox.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/sandbox.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/sandbox.fc 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1 @@
+# No types are sandbox_exec_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.8/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/sandbox.if 2010-01-18 17:36:16.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/sandbox.if 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,225 @@
+
+## policy for sandbox
@@ -5059,8 +5099,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.8/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/sandbox.te 2010-01-22 08:46:11.000000000 -0500
-@@ -0,0 +1,345 @@
++++ serefpolicy-3.7.8/policy/modules/apps/sandbox.te 2010-02-02 10:31:03.000000000 -0500
+@@ -0,0 +1,349 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -5309,6 +5349,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+kernel_dontaudit_search_kernel_sysctl(sandbox_web_client_t)
+
+dev_read_rand(sandbox_web_client_t)
++dev_write_sound(sandbox_web_client_t)
++dev_read_sound(sandbox_web_client_t)
+
+# Browse the web, connect to printer
+corenet_all_recvfrom_unlabeled(sandbox_web_client_t)
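Review bot: `dev_read_sound(sandbox_web_client_t)` gives the sandboxed web client read access to the sound devices, which generally means capture rather than playback, and nothing in the hunk says why it is needed. If the aim is only audio output from the sandboxed browser, `dev_write_sound(sandbox_web_client_t)` alone may be enough. Otherwise add a why-comment such as `# sound for sandboxed browsers; read permits capture - confirm this is intended`, so the widening of the sandbox is explicit. Only a small window of the new 349-line sandbox.te is visible here.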
@@ -5349,6 +5391,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+selinux_compute_user_contexts(sandbox_web_client_t)
+seutil_read_default_contexts(sandbox_web_client_t)
+
++userdom_rw_user_tmpfs_files(sandbox_web_client_t)
++
+optional_policy(`
+ nsplugin_read_rw_files(sandbox_web_client_t)
+ nsplugin_rw_exec(sandbox_web_client_t)
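Review bot: `userdom_rw_user_tmpfs_files(sandbox_web_client_t)` lets the sandboxed web client read and write the user's tmpfs files, which the user's unsandboxed processes can presumably reach as well, so it opens a data channel across the sandbox boundary. It is added unconditionally and without a stated consumer; it may be for shared-memory audio or display traffic, but that is inferred, not shown. A comment naming the consumer, for example `# rw user tmpfs: shared memory for <consumer> - confirm`, would make the grant reviewable. If a narrower interface for that consumer exists, it would be preferable to blanket read/write on user tmpfs files.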
@@ -5408,7 +5452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.7.8/policy/modules/apps/screen.if
--- nsaserefpolicy/policy/modules/apps/screen.if 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/screen.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/screen.if 2010-02-02 10:31:03.000000000 -0500
@@ -141,6 +141,7 @@
userdom_create_user_pty($1_screen_t)
userdom_user_home_domtrans($1_screen_t, $3)
@@ -5419,7 +5463,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.i
fs_cifs_domtrans($1_screen_t, $3)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.fc serefpolicy-3.7.8/policy/modules/apps/sectoolm.fc
--- nsaserefpolicy/policy/modules/apps/sectoolm.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/sectoolm.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/sectoolm.fc 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,6 @@
+
+/usr/libexec/sectool-mechanism\.py -- gen_context(system_u:object_r:sectoolm_exec_t,s0)
@@ -5429,14 +5473,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm
+/var/log/sectool\.log -- gen_context(system_u:object_r:sectool_var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.if serefpolicy-3.7.8/policy/modules/apps/sectoolm.if
--- nsaserefpolicy/policy/modules/apps/sectoolm.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/sectoolm.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/sectoolm.if 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,3 @@
+
+## policy for sectool-mechanism
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.te serefpolicy-3.7.8/policy/modules/apps/sectoolm.te
--- nsaserefpolicy/policy/modules/apps/sectoolm.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/sectoolm.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/sectoolm.te 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,118 @@
+
+policy_module(sectoolm,1.0.0)
@@ -5558,7 +5602,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.8/policy/modules/apps/seunshare.if
--- nsaserefpolicy/policy/modules/apps/seunshare.if 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/seunshare.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/seunshare.if 2010-02-02 10:31:03.000000000 -0500
@@ -44,6 +44,8 @@
allow $1 seunshare_t:process signal_perms;
@@ -5570,7 +5614,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
dontaudit seunshare_t $1:udp_socket rw_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.8/policy/modules/apps/seunshare.te
--- nsaserefpolicy/policy/modules/apps/seunshare.te 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/seunshare.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/seunshare.te 2010-02-02 10:31:03.000000000 -0500
@@ -15,9 +15,8 @@
#
# seunshare local policy
@@ -5584,7 +5628,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
allow seunshare_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.7.8/policy/modules/apps/slocate.te
--- nsaserefpolicy/policy/modules/apps/slocate.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/apps/slocate.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/slocate.te 2010-02-02 10:31:03.000000000 -0500
@@ -50,6 +50,7 @@
fs_getattr_all_symlinks(locate_t)
fs_list_all(locate_t)
@@ -5595,7 +5639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.
auth_use_nsswitch(locate_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.7.8/policy/modules/apps/vmware.if
--- nsaserefpolicy/policy/modules/apps/vmware.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/apps/vmware.if 2010-01-25 10:36:28.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/vmware.if 2010-02-02 10:31:03.000000000 -0500
@@ -84,3 +84,22 @@
logging_search_logs($1)
append_files_pattern($1, vmware_log_t, vmware_log_t)
@@ -5619,9 +5663,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.i
+ can_exec($1, vmware_host_exec_t)
+')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.7.8/policy/modules/apps/vmware.te
+--- nsaserefpolicy/policy/modules/apps/vmware.te 2009-11-17 10:54:26.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/vmware.te 2010-02-02 10:31:03.000000000 -0500
+@@ -29,6 +29,10 @@
+ type vmware_host_exec_t;
+ init_daemon_domain(vmware_host_t, vmware_host_exec_t)
+
++type vmware_host_tmp_t;
++files_tmp_file(vmware_host_tmp_t)
++ubac_constrained(vmware_host_tmp_t)
++
+ type vmware_host_pid_t alias vmware_var_run_t;
+ files_pid_file(vmware_host_pid_t)
+
+@@ -80,6 +84,11 @@
+ # cjp: the ro and rw files should be split up
+ manage_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t)
+
++manage_dirs_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
++manage_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
++manage_sock_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
++files_tmp_filetrans(vmware_host_t, vmware_host_tmp_t, { file dir })
++
+ manage_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
+ manage_sock_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
+ files_pid_filetrans(vmware_host_t, vmware_var_run_t, { file sock_file })
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.7.8/policy/modules/apps/wine.fc
--- nsaserefpolicy/policy/modules/apps/wine.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/apps/wine.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/wine.fc 2010-02-02 10:31:03.000000000 -0500
@@ -1,4 +1,22 @@
-/usr/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
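Review bot: In the added vmware.te lines, `manage_sock_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)` grants socket management on the new tmp type, but `files_tmp_filetrans(vmware_host_t, vmware_host_tmp_t, { file dir })` defines no type transition for `sock_file`. A socket that vmware_host_t creates directly in the tmp directory would keep the generic tmp label, and as far as this hunk shows nothing allows that; only sockets inside an already-labelled subdirectory would get the new type. Either make the transition match, `files_tmp_filetrans(vmware_host_t, vmware_host_tmp_t, { file dir sock_file })`, or drop the sock_file rule if no socket is needed. The pid-file rules just below already pair `sock_file` in both the manage pattern and the transition.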
@@ -5650,7 +5720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc
-/opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.7.8/policy/modules/apps/wine.if
--- nsaserefpolicy/policy/modules/apps/wine.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/apps/wine.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/wine.if 2010-02-02 10:31:03.000000000 -0500
@@ -43,3 +43,121 @@
wine_domtrans($1)
role $2 types wine_t;
@@ -5775,7 +5845,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.7.8/policy/modules/apps/wine.te
--- nsaserefpolicy/policy/modules/apps/wine.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/apps/wine.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/wine.te 2010-02-02 10:31:03.000000000 -0500
@@ -1,6 +1,14 @@
policy_module(wine, 1.6.0)
@@ -5849,7 +5919,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.8/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/kernel/corecommands.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/kernel/corecommands.fc 2010-02-02 10:31:03.000000000 -0500
@@ -44,15 +44,17 @@
/etc/apcupsd/offbattery -- gen_context(system_u:object_r:bin_t,s0)
/etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0)
@@ -5922,7 +5992,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
+/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.8/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/kernel/corecommands.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/kernel/corecommands.if 2010-02-02 10:31:03.000000000 -0500
@@ -893,6 +893,7 @@
read_lnk_files_pattern($1, bin_t, bin_t)
@@ -5965,9 +6035,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
manage_files_pattern($1, bin_t, exec_type)
manage_lnk_files_pattern($1, bin_t, bin_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.7.8/policy/modules/kernel/corenetwork.if.in
+--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.8/policy/modules/kernel/corenetwork.if.in 2010-02-02 10:31:03.000000000 -0500
+@@ -1705,6 +1705,24 @@
+
+ ########################################
+ ##
++## dontaudit Read and write the TUN/TAP virtual network device.
++##
++##
++##
++## The domain allowed access.
++##
++##
++#
++interface(`corenet_dontaudit_rw_tun_tap_dev',`
++ gen_require(`
++ type tun_tap_device_t;
++ ')
++
++ dontaudit $1 tun_tap_device_t:chr_file { read write };
++')
++
++########################################
++##
+ ## Getattr the point-to-point device.
+ ##
+ ##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.8/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-01-11 09:40:36.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/kernel/corenetwork.te.in 2010-01-21 14:22:12.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/kernel/corenetwork.te.in 2010-02-02 10:31:03.000000000 -0500
@@ -65,6 +65,7 @@
type server_packet_t, packet_type, server_packet_type;
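Review bot: The parameter description of the new `corenet_dontaudit_rw_tun_tap_dev` interface reads `## The domain allowed access.`, but the body only emits `dontaudit $1 tun_tap_device_t:chr_file { read write };` and allows nothing. I would change that line to `## Domain to not audit.` and begin the summary with `Do not audit attempts to read and write the TUN/TAP virtual network device.` so callers do not mistake it for a grant. The same `## Domain allowed access.` wording appears on `files_dontaudit_leaks` and `fs_dontaudit_leaks` later in this patch. Because a dontaudit rule removes the denial from the audit log, each caller should also carry a short comment saying which inherited descriptor it is silencing.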
@@ -6121,7 +6219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
#network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.8/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-11-20 10:51:41.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/kernel/devices.fc 2010-01-27 11:30:22.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/kernel/devices.fc 2010-02-02 10:31:03.000000000 -0500
@@ -16,13 +16,16 @@
/dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0)
@@ -6139,7 +6237,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
/dev/event.* -c gen_context(system_u:object_r:event_device_t,s0)
/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
-@@ -101,6 +104,7 @@
+@@ -80,6 +83,7 @@
+ /dev/pcfclock.* -c gen_context(system_u:object_r:clock_device_t,s0)
+ /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
+ /dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
++/dev/pps.* -c gen_context(system_u:object_r:clock_device_t,s0)
+ /dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0)
+@@ -101,6 +105,7 @@
/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
/dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0)
@@ -6147,7 +6253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
/dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
ifdef(`distro_suse', `
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -159,6 +163,8 @@
+@@ -159,6 +164,8 @@
/dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
/dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0)
@@ -6158,7 +6264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.8/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/kernel/devices.if 2010-01-27 11:29:35.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/kernel/devices.if 2010-02-02 10:31:03.000000000 -0500
@@ -801,6 +801,24 @@
########################################
@@ -6286,7 +6392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Do not audit attempts to get the attributes
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.8/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/kernel/devices.te 2010-01-27 11:29:16.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/kernel/devices.te 2010-02-02 10:31:03.000000000 -0500
@@ -232,6 +232,18 @@
type usb_device_t;
dev_node(usb_device_t)
@@ -6308,7 +6414,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.8/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/kernel/domain.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/kernel/domain.if 2010-02-02 10:31:03.000000000 -0500
@@ -44,34 +44,6 @@
interface(`domain_type',`
# start with basic domain
@@ -6540,7 +6646,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.8/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/kernel/domain.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/kernel/domain.te 2010-02-02 10:31:03.000000000 -0500
@@ -5,6 +5,21 @@
#
# Declarations
@@ -6699,7 +6805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.7.8/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/kernel/files.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/kernel/files.fc 2010-02-02 10:31:03.000000000 -0500
@@ -18,6 +18,7 @@
/fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
/halt -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -6744,7 +6850,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
/var/lib/nfs/rpc_pipefs(/.*)? <>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.8/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/kernel/files.if 2010-01-28 08:42:36.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/kernel/files.if 2010-02-02 10:31:03.000000000 -0500
@@ -932,10 +932,8 @@
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -7184,7 +7290,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
')
-@@ -5215,3 +5497,192 @@
+@@ -5215,3 +5497,212 @@
typeattribute $1 files_unconfined_type;
')
@@ -7377,9 +7483,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
+
+ dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
+')
++
++########################################
++##
++## Do not audit attempts to read or write
++## all leaked files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_dontaudit_leaks',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ dontaudit $1 file_type:file rw_inherited_file_perms;
++ dontaudit $1 file_type:lnk_file { read };
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.7.8/policy/modules/kernel/files.te
--- nsaserefpolicy/policy/modules/kernel/files.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/kernel/files.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/kernel/files.te 2010-02-02 10:31:03.000000000 -0500
@@ -12,6 +12,7 @@
attribute mountpoint;
attribute pidfile;
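Review bot: `files_dontaudit_leaks` silences `rw_inherited_file_perms` on every `file_type`, whereas the interface whose tail is visible just above it limits the equivalent rule to `non_security_file_type`. With the wider attribute, a denied read or write on an inherited descriptor for a security-sensitive file type no longer reaches the audit log for any domain that calls this interface, which removes a signal that is useful for detection. Unless the wider scope is intended, I would use `dontaudit $1 non_security_file_type:file rw_inherited_file_perms;` with the matching `gen_require`, or state in the summary that security file types are included. `fs_dontaudit_leaks` in filesystem.if follows the same pattern over `filesystem_type` and deserves the same look.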
@@ -7422,7 +7548,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.8/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/kernel/filesystem.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/kernel/filesystem.if 2010-02-02 10:31:03.000000000 -0500
@@ -906,7 +906,7 @@
type cifs_t;
')
@@ -7518,7 +7644,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Mount a XENFS filesystem.
##
##
-@@ -4181,3 +4237,175 @@
+@@ -4181,3 +4237,194 @@
relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
')
@@ -7694,9 +7820,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+ write_files_pattern($1, cgroup_t, cgroup_t)
+')
+
++########################################
++##
++## Do not audit attempts to read or write
++## all leaked filesystems files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_dontaudit_leaks',`
++ gen_require(`
++ attribute filesystem_type;
++ ')
++
++ dontaudit $1 filesystem_type:file rw_inherited_file_perms;
++ dontaudit $1 filesystem_type:lnk_file { read };
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.8/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/kernel/filesystem.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/kernel/filesystem.te 2010-02-02 10:31:03.000000000 -0500
@@ -29,6 +29,7 @@
fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
@@ -7756,7 +7901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
# nfs_t is the default type for NFS file systems
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.8/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/kernel/kernel.if 2010-01-27 11:28:51.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/kernel/kernel.if 2010-02-02 10:31:03.000000000 -0500
@@ -1849,7 +1849,7 @@
')
@@ -7842,7 +7987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.8/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/kernel/kernel.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/kernel/kernel.te 2010-02-02 10:31:03.000000000 -0500
@@ -64,6 +64,15 @@
genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
@@ -7924,7 +8069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
+files_boot(kernel_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.7.8/policy/modules/kernel/selinux.if
--- nsaserefpolicy/policy/modules/kernel/selinux.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/kernel/selinux.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/kernel/selinux.if 2010-02-02 10:31:03.000000000 -0500
@@ -40,7 +40,7 @@
# because of this statement, any module which
@@ -7984,7 +8129,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.7.8/policy/modules/kernel/storage.fc
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2009-11-20 10:51:41.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/kernel/storage.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/kernel/storage.fc 2010-02-02 10:31:03.000000000 -0500
@@ -14,6 +14,7 @@
/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@@ -7995,7 +8140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
/dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.7.8/policy/modules/kernel/storage.if
--- nsaserefpolicy/policy/modules/kernel/storage.if 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/kernel/storage.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/kernel/storage.if 2010-02-02 10:31:03.000000000 -0500
@@ -304,6 +304,7 @@
dev_list_all_dev_nodes($1)
@@ -8006,7 +8151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.8/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/kernel/terminal.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/kernel/terminal.if 2010-02-02 10:31:03.000000000 -0500
@@ -273,9 +273,11 @@
interface(`term_dontaudit_use_console',`
gen_require(`
@@ -8073,7 +8218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.7.8/policy/modules/roles/guest.te
--- nsaserefpolicy/policy/modules/roles/guest.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/roles/guest.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/roles/guest.te 2010-02-02 10:31:03.000000000 -0500
@@ -16,7 +16,11 @@
#
@@ -8090,7 +8235,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.t
+gen_user(guest_u, user, guest_r, s0, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.8/policy/modules/roles/staff.te
--- nsaserefpolicy/policy/modules/roles/staff.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/roles/staff.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/roles/staff.te 2010-02-02 10:31:03.000000000 -0500
@@ -10,161 +10,121 @@
userdom_unpriv_user_template(staff)
@@ -8297,7 +8442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.8/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/roles/sysadm.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/roles/sysadm.te 2010-02-02 10:31:03.000000000 -0500
@@ -15,7 +15,7 @@
role sysadm_r;
@@ -8610,8 +8755,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.7.8/policy/modules/roles/unconfineduser.fc
--- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/roles/unconfineduser.fc 2010-01-18 15:18:03.000000000 -0500
-@@ -0,0 +1,8 @@
++++ serefpolicy-3.7.8/policy/modules/roles/unconfineduser.fc 2010-02-02 10:31:03.000000000 -0500
+@@ -0,0 +1,10 @@
+# Add programs here which should not be confined by SELinux
+# e.g.:
+# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
@@ -8620,9 +8765,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+/usr/sbin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+
++/usr/sbin/xrdp -- gen_context(system_u:object_r:unconfined_exec_t,s0)
++/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.7.8/policy/modules/roles/unconfineduser.if
--- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/roles/unconfineduser.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/roles/unconfineduser.if 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,667 @@
+## Unconfiend user role
+
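Review bot: The two added entries label `/usr/sbin/xrdp` and `/usr/sbin/xrdp-sesman` as `unconfined_exec_t`, which puts a network-facing remote-desktop service in the file whose header says it is for programs that should not be confined by SELinux, and nothing records why. If this is a stop-gap until a dedicated xrdp module exists, say so next to the entries, for example `# xrdp: no policy module yet, runs unconfined; replace with a confined domain`. The neighbouring entries use `unconfined_notrans_exec_t` while these use `unconfined_exec_t`; if the difference is deliberate it is worth a word in the same comment.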
@@ -9293,7 +9440,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.8/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/roles/unconfineduser.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/roles/unconfineduser.te 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,445 @@
+policy_module(unconfineduser, 1.0.0)
+
@@ -9742,7 +9889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.7.8/policy/modules/roles/unprivuser.te
--- nsaserefpolicy/policy/modules/roles/unprivuser.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/roles/unprivuser.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/roles/unprivuser.te 2010-02-02 10:31:03.000000000 -0500
@@ -14,96 +14,19 @@
userdom_unpriv_user_template(user)
@@ -9893,7 +10040,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.8/policy/modules/roles/xguest.te
--- nsaserefpolicy/policy/modules/roles/xguest.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/roles/xguest.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/roles/xguest.te 2010-02-02 10:31:03.000000000 -0500
@@ -15,7 +15,7 @@
##
@@ -10011,7 +10158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.7.8/policy/modules/services/abrt.fc
--- nsaserefpolicy/policy/modules/services/abrt.fc 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/abrt.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/abrt.fc 2010-02-02 10:31:03.000000000 -0500
@@ -1,11 +1,17 @@
/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
@@ -10033,8 +10180,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
+/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.7.8/policy/modules/services/abrt.if
--- nsaserefpolicy/policy/modules/services/abrt.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/abrt.if 2010-01-18 15:18:03.000000000 -0500
-@@ -19,6 +19,24 @@
++++ serefpolicy-3.7.8/policy/modules/services/abrt.if 2010-02-02 10:31:03.000000000 -0500
+@@ -19,6 +19,29 @@
domtrans_pattern($1, abrt_exec_t, abrt_t)
')
@@ -10054,12 +10201,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
+ ')
+
+ domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)
++
++ifdef(`hide_broken_symptoms', `
++ dontaudit abrt_helper_t $1:socket_class_set { read write };
++ fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
++')
+')
+
######################################
##
## Execute abrt
-@@ -56,6 +74,32 @@
+@@ -56,6 +79,32 @@
read_files_pattern($1, abrt_etc_t, abrt_etc_t)
')
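Review bot: The hide_broken_symptoms block added to `abrt_domtrans_helper` suppresses audit of `{ read write }` on `$1:socket_class_set`, which is every socket class of whichever domain calls the interface, and it carries no comment naming the leak it hides. A line such as `# callers leak open sockets to abrt-helper; remove once they set close-on-exec` would tell a later reader when the rule can go; the actual cause is not visible in this hunk, so that wording needs confirming. The block also appears to start at column 0 inside the interface, unlike the indented statements around it. The interface opens above this hunk.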
@@ -10092,7 +10244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
######################################
##
## Read abrt logs.
-@@ -75,6 +119,101 @@
+@@ -75,6 +124,101 @@
read_files_pattern($1, abrt_var_log_t, abrt_var_log_t)
')
@@ -10196,7 +10348,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
## All of the rules required to administrate
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.8/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/abrt.te 2010-01-26 14:15:44.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/abrt.te 2010-02-02 10:31:03.000000000 -0500
@@ -33,12 +33,24 @@
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)
@@ -10388,7 +10540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.fc serefpolicy-3.7.8/policy/modules/services/afs.fc
--- nsaserefpolicy/policy/modules/services/afs.fc 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/afs.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/afs.fc 2010-02-02 10:31:03.000000000 -0500
@@ -22,10 +22,10 @@
/usr/sbin/afsd -- gen_context(system_u:object_r:afs_exec_t,s0)
@@ -10403,7 +10555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.
/vicepb gen_context(system_u:object_r:afs_files_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.7.8/policy/modules/services/afs.te
--- nsaserefpolicy/policy/modules/services/afs.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/afs.te 2010-01-19 16:52:29.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/afs.te 2010-02-02 10:31:03.000000000 -0500
@@ -71,8 +71,8 @@
# afs client local policy
#
@@ -10426,7 +10578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.
# AFS bossserver local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.fc serefpolicy-3.7.8/policy/modules/services/aiccu.fc
--- nsaserefpolicy/policy/modules/services/aiccu.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/aiccu.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/aiccu.fc 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,5 @@
+
+/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0)
@@ -10435,7 +10587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
+/var/run/aiccu.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.if serefpolicy-3.7.8/policy/modules/services/aiccu.if
--- nsaserefpolicy/policy/modules/services/aiccu.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/aiccu.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/aiccu.if 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,119 @@
+
+## policy for aiccu
@@ -10558,7 +10710,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.te serefpolicy-3.7.8/policy/modules/services/aiccu.te
--- nsaserefpolicy/policy/modules/services/aiccu.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/aiccu.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/aiccu.te 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,41 @@
+policy_module(aiccu,1.0.0)
+
@@ -10603,7 +10755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
+files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir })
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.fc serefpolicy-3.7.8/policy/modules/services/aisexec.fc
--- nsaserefpolicy/policy/modules/services/aisexec.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/aisexec.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/aisexec.fc 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,12 @@
+
+/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:aisexec_initrc_exec_t,s0)
@@ -10619,7 +10771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise
+/var/run/cman_.* -s gen_context(system_u:object_r:aisexec_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.if serefpolicy-3.7.8/policy/modules/services/aisexec.if
--- nsaserefpolicy/policy/modules/services/aisexec.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/aisexec.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/aisexec.if 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,106 @@
+## SELinux policy for Aisexec Cluster Engine
+
@@ -10729,7 +10881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.7.8/policy/modules/services/aisexec.te
--- nsaserefpolicy/policy/modules/services/aisexec.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/aisexec.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/aisexec.te 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,112 @@
+
+policy_module(aisexec,1.0.0)
@@ -10845,8 +10997,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.7.8/policy/modules/services/amavis.te
--- nsaserefpolicy/policy/modules/services/amavis.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/amavis.te 2010-01-18 15:18:03.000000000 -0500
-@@ -143,6 +143,7 @@
++++ serefpolicy-3.7.8/policy/modules/services/amavis.te 2010-02-02 10:31:03.000000000 -0500
+@@ -138,11 +138,13 @@
+
+ auth_dontaudit_read_shadow(amavis_t)
+
++init_read_utmp(amavis_t)
+ init_stream_connect_script(amavis_t)
+
logging_send_syslog_msg(amavis_t)
miscfiles_read_localization(amavis_t)
@@ -10856,8 +11014,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav
sysnet_use_ldap(amavis_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.8/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/apache.fc 2010-01-27 15:19:37.000000000 -0500
-@@ -2,12 +2,17 @@
++++ serefpolicy-3.7.8/policy/modules/services/apache.fc 2010-02-02 10:31:03.000000000 -0500
+@@ -2,12 +2,19 @@
/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
@@ -10872,20 +11030,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
++/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
++
/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -21,10 +26,16 @@
+@@ -21,10 +28,16 @@
/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
/usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/lib(64)?/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-
++
+/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+
+
+/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
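Review bot: The added `/etc/mock/koji(/.*)?` entry labels a directory under /etc as `httpd_sys_content_rw_t`, the read-write web content type, so the web server (and, as I understand the apache module, its system CGI scripts) can modify everything beneath it. If those files are build configuration that another tool reads later (inferred from the path, not shown here), a dedicated type with a narrower write rule would limit what a compromised web application can change; at minimum add a comment such as `# koji web front end rewrites mock configs` above the entry. The later apache.fc hunk that adds `/var/lib/koji(/.*)?` with the same type raises the same question for the whole data tree.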
@@ -10894,7 +11054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-@@ -32,14 +43,28 @@
+@@ -32,14 +45,28 @@
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
')
@@ -10923,7 +11083,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
/var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -47,16 +72,21 @@
+@@ -47,16 +74,21 @@
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -10945,7 +11105,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
ifdef(`distro_debian', `
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
')
-@@ -64,11 +94,33 @@
+@@ -64,11 +96,34 @@
/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -10974,6 +11134,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+
+/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
+
++/var/lib/koji(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
+/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+
+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
@@ -10982,7 +11143,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.8/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2009-07-28 15:51:13.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/apache.if 2010-01-22 10:26:09.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/apache.if 2010-02-02 10:31:03.000000000 -0500
@@ -13,21 +13,17 @@
#
template(`apache_content_template',`
@@ -11144,7 +11305,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_cgi',`
-@@ -149,9 +133,13 @@
+@@ -149,14 +133,19 @@
# privileged users run the script:
domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
@@ -11158,7 +11319,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
-@@ -173,50 +161,7 @@
+ allow httpd_$1_script_t self:process { setsched signal_perms };
+ allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
++ allow httpd_$1_script_t self:unix_dgram_socket create_socket_perms;
+
+ allow httpd_$1_script_t httpd_t:fd use;
+ allow httpd_$1_script_t httpd_t:process sigchld;
+@@ -173,50 +162,7 @@
libs_read_lib_files(httpd_$1_script_t)
miscfiles_read_localization(httpd_$1_script_t)
@@ -11210,7 +11377,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -227,15 +172,13 @@
+@@ -227,15 +173,13 @@
optional_policy(`
postgresql_unpriv_client(httpd_$1_script_t)
@@ -11228,7 +11395,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -258,8 +201,8 @@
+@@ -258,8 +202,8 @@
attribute httpdcontent;
type httpd_user_content_t, httpd_user_htaccess_t;
type httpd_user_script_t, httpd_user_script_exec_t;
@@ -11239,7 +11406,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
role $1 types httpd_user_script_t;
-@@ -268,26 +211,26 @@
+@@ -268,26 +212,26 @@
allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
@@ -11286,7 +11453,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
-@@ -365,6 +308,24 @@
+@@ -365,6 +309,24 @@
domtrans_pattern($1, httpd_exec_t, httpd_t)
')
@@ -11311,7 +11478,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
##
## Send a null signal to apache.
-@@ -441,6 +402,25 @@
+@@ -441,6 +403,25 @@
########################################
##
## Do not audit attempts to read and write Apache
@@ -11337,7 +11504,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
## TCP sockets.
##
##
-@@ -503,6 +483,105 @@
+@@ -503,6 +484,105 @@
########################################
##
@@ -11443,7 +11610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
## Allow the specified domain to read
## apache configuration files.
##
-@@ -579,7 +658,7 @@
+@@ -579,7 +659,7 @@
##
##
##
@@ -11452,7 +11619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
##
##
##
-@@ -715,6 +794,7 @@
+@@ -715,6 +795,7 @@
')
allow $1 httpd_modules_t:dir list_dir_perms;
@@ -11460,7 +11627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -758,6 +838,27 @@
+@@ -758,6 +839,27 @@
########################################
##
@@ -11488,7 +11655,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
## Allow the specified domain to manage
## apache system content files.
##
-@@ -782,6 +883,32 @@
+@@ -782,6 +884,32 @@
########################################
##
@@ -11521,7 +11688,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
## Execute all web scripts in the system
## script domain.
##
-@@ -791,16 +918,18 @@
+@@ -791,16 +919,18 @@
##
##
#
@@ -11544,7 +11711,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
-@@ -859,6 +988,8 @@
+@@ -859,6 +989,8 @@
##
##
#
@@ -11553,7 +11720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
interface(`apache_run_all_scripts',`
gen_require(`
attribute httpd_exec_scripts, httpd_script_domains;
-@@ -884,7 +1015,7 @@
+@@ -884,7 +1016,7 @@
type httpd_squirrelmail_t;
')
@@ -11562,7 +11729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -1043,6 +1174,44 @@
+@@ -1043,6 +1175,44 @@
########################################
##
@@ -11607,7 +11774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
## All of the rules required to administrate an apache environment
##
##
-@@ -1072,11 +1241,17 @@
+@@ -1072,11 +1242,17 @@
type httpd_modules_t, httpd_lock_t;
type httpd_var_run_t, httpd_php_tmp_t;
type httpd_suexec_tmp_t, httpd_tmp_t;
@@ -11625,7 +11792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
-@@ -1096,12 +1271,78 @@
+@@ -1096,12 +1272,78 @@
kernel_search_proc($1)
allow $1 httpd_t:dir list_dir_perms;
@@ -11707,7 +11874,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.8/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/apache.te 2010-01-27 08:23:39.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/apache.te 2010-02-02 10:31:03.000000000 -0500
@@ -19,6 +19,8 @@
# Declarations
#
@@ -12559,7 +12726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.7.8/policy/modules/services/apm.te
--- nsaserefpolicy/policy/modules/services/apm.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/apm.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/apm.te 2010-02-02 10:31:03.000000000 -0500
@@ -223,6 +223,10 @@
unconfined_domain(apmd_t)
')
@@ -12573,7 +12740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.
xserver_domtrans(apmd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.7.8/policy/modules/services/arpwatch.te
--- nsaserefpolicy/policy/modules/services/arpwatch.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/arpwatch.te 2010-01-27 11:31:50.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/arpwatch.te 2010-02-02 10:31:03.000000000 -0500
@@ -34,6 +34,7 @@
allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms };
allow arpwatch_t self:udp_socket create_socket_perms;
@@ -12600,7 +12767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpw
fs_search_auto_mountpoints(arpwatch_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.7.8/policy/modules/services/asterisk.if
--- nsaserefpolicy/policy/modules/services/asterisk.if 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/asterisk.if 2010-01-21 14:59:59.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/asterisk.if 2010-02-02 10:31:03.000000000 -0500
@@ -2,8 +2,28 @@
#####################################
@@ -12681,7 +12848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.7.8/policy/modules/services/asterisk.te
--- nsaserefpolicy/policy/modules/services/asterisk.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/asterisk.te 2010-01-21 14:23:14.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/asterisk.te 2010-02-02 10:31:03.000000000 -0500
@@ -40,12 +40,13 @@
#
@@ -12782,7 +12949,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.7.8/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/automount.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/automount.te 2010-02-02 10:31:03.000000000 -0500
@@ -75,6 +75,7 @@
fs_mount_all_fs(automount_t)
@@ -12801,7 +12968,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.7.8/policy/modules/services/avahi.fc
--- nsaserefpolicy/policy/modules/services/avahi.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/avahi.fc 2010-01-18 17:04:50.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/avahi.fc 2010-02-02 10:31:03.000000000 -0500
@@ -6,4 +6,4 @@
/var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0)
@@ -12810,7 +12977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah
+/var/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.7.8/policy/modules/services/avahi.te
--- nsaserefpolicy/policy/modules/services/avahi.te 2010-01-11 09:40:36.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/avahi.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/avahi.te 2010-02-02 10:31:03.000000000 -0500
@@ -24,7 +24,7 @@
# Local policy
#
@@ -12857,7 +13024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.7.8/policy/modules/services/bind.if
--- nsaserefpolicy/policy/modules/services/bind.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/bind.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/bind.if 2010-02-02 10:31:03.000000000 -0500
@@ -2,6 +2,25 @@
########################################
@@ -12956,7 +13123,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
allow $2 system_r;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.7.8/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/bluetooth.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/bluetooth.te 2010-02-02 10:31:03.000000000 -0500
@@ -96,6 +96,7 @@
kernel_read_system_state(bluetooth_t)
kernel_read_network_state(bluetooth_t)
@@ -12967,7 +13134,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue
corenet_all_recvfrom_netlabel(bluetooth_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.fc serefpolicy-3.7.8/policy/modules/services/ccs.fc
--- nsaserefpolicy/policy/modules/services/ccs.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/ccs.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/ccs.fc 2010-02-02 10:31:03.000000000 -0500
@@ -2,9 +2,5 @@
/sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0)
@@ -12982,7 +13149,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.
+/var/run/cluster/ccsd\.sock -s gen_context(system_u:object_r:ccs_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.7.8/policy/modules/services/ccs.te
--- nsaserefpolicy/policy/modules/services/ccs.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/ccs.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/ccs.te 2010-02-02 10:31:03.000000000 -0500
@@ -10,23 +10,21 @@
type ccs_exec_t;
init_daemon_domain(ccs_t, ccs_exec_t)
@@ -13068,7 +13235,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.
files_manage_isid_type_files(ccs_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.7.8/policy/modules/services/certmaster.fc
--- nsaserefpolicy/policy/modules/services/certmaster.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/certmaster.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/certmaster.fc 2010-02-02 10:31:03.000000000 -0500
@@ -3,5 +3,6 @@
/usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0)
@@ -13078,7 +13245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
/var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.fc serefpolicy-3.7.8/policy/modules/services/certmonger.fc
--- nsaserefpolicy/policy/modules/services/certmonger.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/certmonger.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/certmonger.fc 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,6 @@
+/etc/rc\.d/init\.d/certmonger -- gen_context(system_u:object_r:certmonger_initrc_exec_t,s0)
+
@@ -13088,7 +13255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
+/var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.if serefpolicy-3.7.8/policy/modules/services/certmonger.if
--- nsaserefpolicy/policy/modules/services/certmonger.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/certmonger.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/certmonger.if 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,217 @@
+
+## Certificate status monitor and PKI enrollment client
@@ -13309,7 +13476,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.8/policy/modules/services/certmonger.te
--- nsaserefpolicy/policy/modules/services/certmonger.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/certmonger.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/certmonger.te 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,74 @@
+policy_module(certmonger,1.0.0)
+
@@ -13387,7 +13554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.fc serefpolicy-3.7.8/policy/modules/services/cgroup.fc
--- nsaserefpolicy/policy/modules/services/cgroup.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/cgroup.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/cgroup.fc 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t, s0)
+/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t, s0)
@@ -13398,7 +13565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.if serefpolicy-3.7.8/policy/modules/services/cgroup.if
--- nsaserefpolicy/policy/modules/services/cgroup.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/cgroup.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/cgroup.if 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,35 @@
+## Control group rules engine daemon.
+##
@@ -13437,7 +13604,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.7.8/policy/modules/services/cgroup.te
--- nsaserefpolicy/policy/modules/services/cgroup.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/cgroup.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/cgroup.te 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,87 @@
+policy_module(cgroup, 1.0.0)
+
@@ -13528,8 +13695,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+kernel_read_system_state(cgconfigparser_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.7.8/policy/modules/services/chronyd.fc
--- nsaserefpolicy/policy/modules/services/chronyd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/chronyd.fc 2010-01-18 15:18:03.000000000 -0500
-@@ -0,0 +1,11 @@
++++ serefpolicy-3.7.8/policy/modules/services/chronyd.fc 2010-02-02 10:31:03.000000000 -0500
+@@ -0,0 +1,13 @@
++/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0)
++
+
+/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
+
@@ -13543,8 +13712,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.7.8/policy/modules/services/chronyd.if
--- nsaserefpolicy/policy/modules/services/chronyd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/chronyd.if 2010-01-18 15:18:03.000000000 -0500
-@@ -0,0 +1,105 @@
++++ serefpolicy-3.7.8/policy/modules/services/chronyd.if 2010-02-02 10:31:03.000000000 -0500
+@@ -0,0 +1,106 @@
+## chrony background daemon
+
+#####################################
@@ -13624,7 +13793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
+ gen_require(`
+ type chronyd_t, chronyd_var_log_t;
+ type chronyd_var_run_t, chronyd_var_lib_t;
-+ type chronyd_initrc_exec_t;
++ type chronyd_initrc_exec_t, chronyd_keys_t;
+ ')
+
+ allow $1 chronyd_t:process { ptrace signal_perms };
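Review bot: The `gen_require` block gains `chronyd_keys_t` but still does not list `chronyd_tmp_t`, which `admin_pattern($1, chronyd_tmp_t)` in the next hunk uses. Assuming both hunks belong to the same interface (the lines between them are not shown), the require line should read `type chronyd_initrc_exec_t, chronyd_keys_t, chronyd_tmp_t;`. The chronyd.te declarations visible on this page do not include `chronyd_tmp_t` either, so it is worth checking that the type is declared at all. The interface starts and ends outside this hunk.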
@@ -13647,13 +13816,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
+ files_search_tmp($1)
+ admin_pattern($1, chronyd_tmp_t)
+
++ admin_pattern($1, chronyd_keys_t)
+')
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.7.8/policy/modules/services/chronyd.te
--- nsaserefpolicy/policy/modules/services/chronyd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/chronyd.te 2010-01-18 15:18:03.000000000 -0500
-@@ -0,0 +1,67 @@
++++ serefpolicy-3.7.8/policy/modules/services/chronyd.te 2010-02-02 10:31:03.000000000 -0500
+@@ -0,0 +1,76 @@
+policy_module(chronyd,1.0.0)
+
+########################################
@@ -13668,6 +13838,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
+type chronyd_initrc_exec_t;
+init_script_file(chronyd_initrc_exec_t)
+
++type chronyd_keys_t;
++files_type(chronyd_keys_t)
++
+# var/lib files
+type chronyd_var_lib_t;
+files_type(chronyd_var_lib_t)
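Review bot: `chronyd_keys_t` is declared with plain `files_type()`, so generic file-type interfaces treat the key file like any ordinary data file. Since chronyd.fc assigns this type to `/etc/chrony\.keys`, consider `files_security_file(chronyd_keys_t)` if that interface is available in this policy version. Interfaces that exclude security files would then no longer cover it. The declaration is also the only one in this hunk without a comment; something like `# key file` above it would match the `# var/lib files` line that follows.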
@@ -13686,13 +13859,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
+# chronyd local policy
+#
+
-+allow chronyd_t self:capability { setuid setgid sys_time };
-+allow chronyd_t self:process { getcap setcap };
++allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
++allow chronyd_t self:process { getcap setcap setrlimit };
+
+allow chronyd_t self:udp_socket create_socket_perms;
+allow chronyd_t self:unix_dgram_socket create_socket_perms;
++allow chronyd_t self:shm create_shm_perms;
++
++allow chronyd_t chronyd_keys_t:file read_file_perms;
+
+# chronyd var/lib files
++manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
+manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
+manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
+files_var_lib_filetrans(chronyd_t,chronyd_var_lib_t, { file dir })
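Review bot: The capability line now grants `dac_override`, `ipc_lock` and `sys_resource` to `chronyd_t` with no comment on why each is needed, and the next hunk drops `permissive chronyd_t;`, so this becomes the enforced set. `dac_override` is the broad one: it lets the daemon bypass ordinary file permission checks. Needing it usually points to an ownership or mode mismatch on a file the daemon opens (here possibly the key file or the new var/lib socket, though the page does not say), which is better fixed on the file itself. I would either drop it once the mismatch is fixed or record the reason above the `allow`, e.g. `# dac_override: <path and reason>`. The local policy for this domain continues outside the hunk.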
@@ -13720,10 +13897,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
+
+miscfiles_read_localization(chronyd_t)
+
-+permissive chronyd_t;
++optional_policy(`
++ gpsd_rw_shm(chronyd_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.8/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/clamav.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/clamav.te 2010-02-02 10:31:03.000000000 -0500
@@ -57,6 +57,7 @@
#
@@ -13749,7 +13928,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.fc serefpolicy-3.7.8/policy/modules/services/clogd.fc
--- nsaserefpolicy/policy/modules/services/clogd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/clogd.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/clogd.fc 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,4 @@
+
+/usr/sbin/clogd -- gen_context(system_u:object_r:clogd_exec_t,s0)
@@ -13757,7 +13936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clog
+/var/run/clogd\.pid -- gen_context(system_u:object_r:clogd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.7.8/policy/modules/services/clogd.if
--- nsaserefpolicy/policy/modules/services/clogd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/clogd.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/clogd.if 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,98 @@
+## clogd - clustered mirror log server
+
@@ -13859,7 +14038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clog
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.te serefpolicy-3.7.8/policy/modules/services/clogd.te
--- nsaserefpolicy/policy/modules/services/clogd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/clogd.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/clogd.te 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,62 @@
+
+policy_module(clogd,1.0.0)
@@ -13925,7 +14104,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clog
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.fc serefpolicy-3.7.8/policy/modules/services/cobbler.fc
--- nsaserefpolicy/policy/modules/services/cobbler.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/cobbler.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/cobbler.fc 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,9 @@
+/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0)
+/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
@@ -13938,7 +14117,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
+/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:httpd_cobbler_content_rw_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.7.8/policy/modules/services/cobbler.if
--- nsaserefpolicy/policy/modules/services/cobbler.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/cobbler.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/cobbler.if 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,186 @@
+## Cobbler installation server.
+##
@@ -14128,7 +14307,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.7.8/policy/modules/services/cobbler.te
--- nsaserefpolicy/policy/modules/services/cobbler.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/cobbler.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/cobbler.te 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,127 @@
+
+policy_module(cobbler, 1.0.0)
@@ -14259,7 +14438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
+manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.7.8/policy/modules/services/consolekit.fc
--- nsaserefpolicy/policy/modules/services/consolekit.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/consolekit.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/consolekit.fc 2010-02-02 10:31:03.000000000 -0500
@@ -2,4 +2,5 @@
/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
@@ -14269,7 +14448,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
+/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.7.8/policy/modules/services/consolekit.if
--- nsaserefpolicy/policy/modules/services/consolekit.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/consolekit.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/consolekit.if 2010-02-02 10:31:03.000000000 -0500
@@ -57,3 +57,42 @@
read_files_pattern($1, consolekit_log_t, consolekit_log_t)
files_search_pids($1)
@@ -14315,7 +14494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.7.8/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/consolekit.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/consolekit.te 2010-02-02 10:31:03.000000000 -0500
@@ -21,7 +21,7 @@
# consolekit local policy
#
@@ -14391,7 +14570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.7.8/policy/modules/services/corosync.fc
--- nsaserefpolicy/policy/modules/services/corosync.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/corosync.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/corosync.fc 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,13 @@
+
+/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
@@ -14408,7 +14587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.if serefpolicy-3.7.8/policy/modules/services/corosync.if
--- nsaserefpolicy/policy/modules/services/corosync.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/corosync.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/corosync.if 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,108 @@
+## SELinux policy for Corosync Cluster Engine
+
@@ -14520,7 +14699,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.8/policy/modules/services/corosync.te
--- nsaserefpolicy/policy/modules/services/corosync.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/corosync.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/corosync.te 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,108 @@
+
+policy_module(corosync,1.0.0)
@@ -14632,7 +14811,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.7.8/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/cron.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/cron.fc 2010-02-02 10:31:03.000000000 -0500
@@ -14,7 +14,7 @@
/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
@@ -14652,7 +14831,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
+/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.7.8/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/cron.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/cron.if 2010-02-02 10:31:03.000000000 -0500
@@ -12,6 +12,10 @@
##
#
@@ -14796,16 +14975,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.8/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/cron.te 2010-01-18 15:18:03.000000000 -0500
-@@ -38,6 +38,7 @@
++++ serefpolicy-3.7.8/policy/modules/services/cron.te 2010-02-02 10:31:03.000000000 -0500
+@@ -38,8 +38,10 @@
type cron_var_lib_t;
files_type(cron_var_lib_t)
+# var/lib files
type cron_var_run_t;
files_type(cron_var_run_t)
++mta_system_content(crond_var_run_t)
-@@ -64,6 +65,8 @@
+ # var/log files
+ type cron_log_t;
+@@ -64,9 +66,12 @@
type crond_tmp_t;
files_tmp_file(crond_tmp_t)
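Review bot: The first added `mta_system_content(crond_var_run_t)` sits directly under `type cron_var_run_t;` / `files_type(cron_var_run_t)` but names `crond_var_run_t`, whose declaration only appears in the later inner hunk `@@ -64,9 +66,12 @@`. The same call is added again there, in the next hunk of this patch. This looks like either a typo for `mta_system_content(cron_var_run_t)` or an accidental duplicate; as written one type is tagged twice and `cron_var_run_t` not at all. If only the crond pid file is meant, keep the call after `files_pid_file(crond_var_run_t)` and drop this one. Either way, a one-line comment on why mail domains need this content would help, since the interface name suggests it widens what they can read.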
@@ -14814,7 +14996,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
type crond_var_run_t;
files_pid_file(crond_var_run_t)
-@@ -80,6 +83,7 @@
++mta_system_content(crond_var_run_t)
+
+ type crontab_exec_t;
+ application_executable_file(crontab_exec_t)
+@@ -80,6 +85,7 @@
typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
@@ -14822,7 +15008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
type system_cron_spool_t, cron_spool_type;
files_type(system_cron_spool_t)
-@@ -88,6 +92,7 @@
+@@ -88,6 +94,7 @@
init_daemon_domain(system_cronjob_t, anacron_exec_t)
corecmd_shell_entry_type(system_cronjob_t)
role system_r types system_cronjob_t;
@@ -14830,7 +15016,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
type system_cronjob_lock_t alias system_crond_lock_t;
files_lock_file(system_cronjob_lock_t)
-@@ -110,6 +115,13 @@
+@@ -110,6 +117,13 @@
files_type(user_cron_spool_t)
ubac_constrained(user_cron_spool_t)
@@ -14844,7 +15030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
########################################
#
# Admin crontab local policy
-@@ -139,7 +151,7 @@
+@@ -139,7 +153,7 @@
allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
dontaudit crond_t self:capability { sys_resource sys_tty_config };
@@ -14853,7 +15039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
allow crond_t self:process { setexec setfscreate };
allow crond_t self:fd use;
allow crond_t self:fifo_file rw_fifo_file_perms;
-@@ -194,6 +206,8 @@
+@@ -194,6 +208,8 @@
corecmd_read_bin_symlinks(crond_t)
domain_use_interactive_fds(crond_t)
@@ -14862,7 +15048,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
files_read_usr_files(crond_t)
files_read_etc_runtime_files(crond_t)
-@@ -209,7 +223,9 @@
+@@ -209,7 +225,9 @@
auth_use_nsswitch(crond_t)
@@ -14872,7 +15058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
-@@ -220,8 +236,10 @@
+@@ -220,8 +238,10 @@
userdom_use_unpriv_users_fds(crond_t)
# Not sure why this is needed
userdom_list_user_home_dirs(crond_t)
@@ -14883,7 +15069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
ifdef(`distro_debian',`
# pam_limits is used
-@@ -241,8 +259,12 @@
+@@ -241,8 +261,12 @@
')
')
@@ -14898,7 +15084,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
optional_policy(`
-@@ -251,6 +273,20 @@
+@@ -251,6 +275,20 @@
')
optional_policy(`
@@ -14919,7 +15105,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
amanda_search_var_lib(crond_t)
')
-@@ -260,6 +296,8 @@
+@@ -260,6 +298,8 @@
optional_policy(`
hal_dbus_chat(crond_t)
@@ -14928,7 +15114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
optional_policy(`
-@@ -302,10 +340,17 @@
+@@ -302,10 +342,17 @@
# This is to handle /var/lib/misc directory. Used currently
# by prelink var/lib files for cron
@@ -14947,7 +15133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
-@@ -325,6 +370,7 @@
+@@ -325,6 +372,7 @@
allow system_cronjob_t crond_t:fd use;
allow system_cronjob_t crond_t:fifo_file rw_file_perms;
allow system_cronjob_t crond_t:process sigchld;
@@ -14955,7 +15141,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
# Write /var/lock/makewhatis.lock.
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-@@ -336,9 +382,13 @@
+@@ -336,9 +384,13 @@
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
@@ -14970,7 +15156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
-@@ -361,6 +411,7 @@
+@@ -361,6 +413,7 @@
dev_getattr_all_blk_files(system_cronjob_t)
dev_getattr_all_chr_files(system_cronjob_t)
dev_read_urand(system_cronjob_t)
@@ -14978,7 +15164,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
fs_getattr_all_fs(system_cronjob_t)
fs_getattr_all_files(system_cronjob_t)
-@@ -387,6 +438,7 @@
+@@ -387,6 +440,7 @@
# Access other spool directories like
# /var/spool/anacron and /var/spool/slrnpull.
files_manage_generic_spool(system_cronjob_t)
@@ -14986,7 +15172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
init_use_script_fds(system_cronjob_t)
init_read_utmp(system_cronjob_t)
-@@ -411,6 +463,8 @@
+@@ -411,6 +465,8 @@
ifdef(`distro_redhat', `
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
@@ -14995,7 +15181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
# via redirection of standard out.
optional_policy(`
rpm_manage_log(system_cronjob_t)
-@@ -435,6 +489,7 @@
+@@ -435,6 +491,7 @@
apache_read_config(system_cronjob_t)
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
@@ -15003,7 +15189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
optional_policy(`
-@@ -442,6 +497,14 @@
+@@ -442,6 +499,14 @@
')
optional_policy(`
@@ -15018,7 +15204,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
ftp_read_log(system_cronjob_t)
')
-@@ -456,11 +519,16 @@
+@@ -456,11 +521,16 @@
')
optional_policy(`
@@ -15035,7 +15221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
optional_policy(`
-@@ -476,7 +544,7 @@
+@@ -476,7 +546,7 @@
prelink_manage_lib(system_cronjob_t)
prelink_manage_log(system_cronjob_t)
prelink_read_cache(system_cronjob_t)
@@ -15044,7 +15230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
optional_policy(`
-@@ -491,6 +559,7 @@
+@@ -491,6 +561,7 @@
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
@@ -15052,7 +15238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
optional_policy(`
-@@ -498,6 +567,9 @@
+@@ -498,6 +569,9 @@
')
optional_policy(`
@@ -15064,7 +15250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.8/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2009-07-28 15:51:13.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/cups.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/cups.fc 2010-02-02 10:31:03.000000000 -0500
@@ -13,10 +13,14 @@
/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
@@ -15113,7 +15299,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.8/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/cups.te 2010-01-18 17:30:30.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/cups.te 2010-02-02 10:31:03.000000000 -0500
@@ -23,6 +23,9 @@
type cupsd_initrc_exec_t;
init_script_file(cupsd_initrc_exec_t)
@@ -15266,18 +15452,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
optional_policy(`
hal_dbus_chat(cupsd_config_t)
-@@ -446,6 +472,10 @@
+@@ -432,6 +458,10 @@
+ ')
+
+ optional_policy(`
++ gnome_dontaudit_search_config(cupsd_config_t)
++')
++
++optional_policy(`
+ hal_domtrans(cupsd_config_t)
+ hal_read_tmp_files(cupsd_config_t)
+ hal_dontaudit_use_fds(hplip_t)
+@@ -446,6 +476,11 @@
')
optional_policy(`
+ policykit_dbus_chat(cupsd_config_t)
++ userdom_read_all_users_state(cupsd_config_t)
+')
+
+optional_policy(`
rpm_read_db(cupsd_config_t)
')
-@@ -457,6 +487,10 @@
+@@ -457,6 +492,10 @@
udev_read_db(cupsd_config_t)
')
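Review bot: The added `userdom_read_all_users_state(cupsd_config_t)` has no comment saying why the CUPS configuration helper needs it, and by its name it exposes the process state of every user domain rather than only the requesting one. It sits inside the `policykit_dbus_chat(cupsd_config_t)` optional block, so it presumably supports PolicyKit's check of the calling process; if so, a comment such as `# polkit authorization looks up the caller's process state` would record that and justify the breadth. The new `gnome_dontaudit_search_config(cupsd_config_t)` block likewise hides a denial without naming the access that triggered it.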
@@ -15288,7 +15486,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
########################################
#
# Cups lpd support
-@@ -520,6 +554,7 @@
+@@ -520,6 +559,7 @@
logging_send_syslog_msg(cupsd_lpd_t)
miscfiles_read_localization(cupsd_lpd_t)
@@ -15296,7 +15494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
cups_stream_connect(cupsd_lpd_t)
-@@ -542,6 +577,8 @@
+@@ -542,6 +582,8 @@
manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir })
@@ -15305,7 +15503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
kernel_read_system_state(cups_pdf_t)
files_read_etc_files(cups_pdf_t)
-@@ -556,11 +593,15 @@
+@@ -556,11 +598,15 @@
miscfiles_read_fonts(cups_pdf_t)
userdom_home_filetrans_user_home_dir(cups_pdf_t)
@@ -15321,7 +15519,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(cups_pdf_t)
-@@ -601,6 +642,9 @@
+@@ -601,6 +647,9 @@
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
files_search_etc(hplip_t)
@@ -15331,7 +15529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
-@@ -627,6 +671,7 @@
+@@ -627,6 +676,7 @@
corenet_tcp_connect_ipp_port(hplip_t)
corenet_sendrecv_hplip_client_packets(hplip_t)
corenet_receive_hplip_server_packets(hplip_t)
@@ -15341,7 +15539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
dev_rw_printer(hplip_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.7.8/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/cvs.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/cvs.te 2010-02-02 10:31:03.000000000 -0500
@@ -112,4 +112,5 @@
read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
@@ -15350,7 +15548,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.7.8/policy/modules/services/cyrus.te
--- nsaserefpolicy/policy/modules/services/cyrus.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/cyrus.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/cyrus.te 2010-02-02 10:31:03.000000000 -0500
@@ -75,6 +75,7 @@
corenet_tcp_bind_mail_port(cyrus_t)
corenet_tcp_bind_lmtp_port(cyrus_t)
@@ -15369,7 +15567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru
snmp_stream_connect(cyrus_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.7.8/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/dbus.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/dbus.if 2010-02-02 10:31:03.000000000 -0500
@@ -42,8 +42,10 @@
gen_require(`
class dbus { send_msg acquire_svc };
@@ -15504,7 +15702,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.7.8/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/dbus.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/dbus.te 2010-02-02 10:31:03.000000000 -0500
@@ -86,6 +86,7 @@
dev_read_sysfs(system_dbusd_t)
@@ -15565,7 +15763,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.fc serefpolicy-3.7.8/policy/modules/services/denyhosts.fc
--- nsaserefpolicy/policy/modules/services/denyhosts.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/denyhosts.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/denyhosts.fc 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/denyhosts -- gen_context(system_u:object_r:denyhosts_initrc_exec_t, s0)
+
@@ -15576,7 +15774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
+/var/log/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_log_t, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.7.8/policy/modules/services/denyhosts.if
--- nsaserefpolicy/policy/modules/services/denyhosts.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/denyhosts.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/denyhosts.if 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,90 @@
+## Deny Hosts.
+##
@@ -15670,7 +15868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.7.8/policy/modules/services/denyhosts.te
--- nsaserefpolicy/policy/modules/services/denyhosts.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/denyhosts.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/denyhosts.te 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,72 @@
+
+policy_module(denyhosts, 1.0.0)
@@ -15746,7 +15944,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.7.8/policy/modules/services/devicekit.fc
--- nsaserefpolicy/policy/modules/services/devicekit.fc 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/devicekit.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/devicekit.fc 2010-02-02 10:31:03.000000000 -0500
@@ -1,8 +1,11 @@
/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0)
/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
@@ -15761,7 +15959,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
+/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.7.8/policy/modules/services/devicekit.if
--- nsaserefpolicy/policy/modules/services/devicekit.if 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/devicekit.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/devicekit.if 2010-02-02 10:31:03.000000000 -0500
@@ -139,6 +139,26 @@
########################################
@@ -15791,7 +15989,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.8/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/devicekit.te 2010-01-27 08:37:23.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/devicekit.te 2010-02-02 10:44:35.000000000 -0500
@@ -42,6 +42,8 @@
files_read_etc_files(devicekit_t)
@@ -15813,7 +16011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
-@@ -71,29 +75,55 @@
+@@ -71,29 +75,58 @@
manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
@@ -15824,6 +16022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
+
+kernel_getattr_message_if(devicekit_disk_t)
+kernel_read_fs_sysctls(devicekit_disk_t)
++kernel_read_network_state(devicekit_disk_t)
kernel_read_software_raid_state(devicekit_disk_t)
+kernel_read_system_state(devicekit_disk_t)
+kernel_request_load_module(devicekit_disk_t)
@@ -15836,14 +16035,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
dev_rw_sysfs(devicekit_disk_t)
dev_read_urand(devicekit_disk_t)
dev_getattr_usbfs_dirs(devicekit_disk_t)
+-
+dev_manage_generic_files(devicekit_disk_t)
+dev_getattr_all_chr_files(devicekit_disk_t)
-
++dev_getattr_mtrr_dev(devicekit_disk_t)
++
+domain_getattr_all_pipes(devicekit_disk_t)
+domain_getattr_all_sockets(devicekit_disk_t)
+domain_getattr_all_stream_sockets(devicekit_disk_t)
+domain_read_all_domains_state(devicekit_disk_t)
+
++files_dontaudit_read_all_symlinks(devicekit_disk_t)
+files_getattr_all_sockets(devicekit_disk_t)
+files_getattr_all_mountpoints(devicekit_disk_t)
+files_getattr_all_files(devicekit_disk_t)
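Review bot: `files_dontaudit_read_all_symlinks(devicekit_disk_t)` silences read denials on symlinks of every type, and nothing in the hunk records which accesses prompted it. Blanket dontaudit rules remove the AVC records that would show a confined daemon reaching outside its expected paths, so the rule should either be narrowed to the types actually hit or carry a comment naming them. The preceding hunk's `kernel_read_network_state(devicekit_disk_t)` needs the same treatment, as a disk daemon reading network state is not self-explanatory. When tracing what these rules hide, `semodule -DB` rebuilds the policy with dontaudit rules disabled.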
@@ -15870,7 +16072,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
auth_use_nsswitch(devicekit_disk_t)
miscfiles_read_localization(devicekit_disk_t)
-@@ -102,6 +132,16 @@
+@@ -102,6 +135,16 @@
userdom_search_user_home_dirs(devicekit_disk_t)
optional_policy(`
@@ -15887,7 +16089,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
fstools_domtrans(devicekit_disk_t)
')
-@@ -110,6 +150,7 @@
+@@ -110,6 +153,7 @@
')
optional_policy(`
@@ -15895,7 +16097,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
policykit_domtrans_auth(devicekit_disk_t)
policykit_read_lib(devicekit_disk_t)
policykit_read_reload(devicekit_disk_t)
-@@ -120,18 +161,12 @@
+@@ -120,18 +164,12 @@
')
optional_policy(`
@@ -15917,7 +16119,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
')
########################################
-@@ -139,9 +174,11 @@
+@@ -139,9 +177,11 @@
# DeviceKit-Power local policy
#
@@ -15930,7 +16132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
-@@ -151,6 +188,7 @@
+@@ -151,6 +191,7 @@
kernel_read_system_state(devicekit_power_t)
kernel_rw_hotplug_sysctls(devicekit_power_t)
kernel_rw_kernel_sysctl(devicekit_power_t)
@@ -15938,7 +16140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
corecmd_exec_bin(devicekit_power_t)
corecmd_exec_shell(devicekit_power_t)
-@@ -159,6 +197,7 @@
+@@ -159,6 +200,7 @@
domain_read_all_domains_state(devicekit_power_t)
@@ -15946,7 +16148,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
dev_rw_generic_usb_dev(devicekit_power_t)
dev_rw_netcontrol(devicekit_power_t)
dev_rw_sysfs(devicekit_power_t)
-@@ -167,12 +206,17 @@
+@@ -167,12 +209,17 @@
files_read_etc_files(devicekit_power_t)
files_read_usr_files(devicekit_power_t)
@@ -15964,7 +16166,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
userdom_read_all_users_state(devicekit_power_t)
optional_policy(`
-@@ -180,6 +224,10 @@
+@@ -180,6 +227,10 @@
')
optional_policy(`
@@ -15975,7 +16177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
dbus_system_bus_client(devicekit_power_t)
allow devicekit_power_t devicekit_t:dbus send_msg;
-@@ -203,17 +251,23 @@
+@@ -203,17 +254,23 @@
optional_policy(`
hal_domtrans_mac(devicekit_power_t)
@@ -16001,7 +16203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.7.8/policy/modules/services/dhcp.if
--- nsaserefpolicy/policy/modules/services/dhcp.if 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/dhcp.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/dhcp.if 2010-02-02 10:31:03.000000000 -0500
@@ -2,6 +2,25 @@
########################################
@@ -16030,7 +16232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.7.8/policy/modules/services/dnsmasq.fc
--- nsaserefpolicy/policy/modules/services/dnsmasq.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/dnsmasq.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/dnsmasq.fc 2010-02-02 10:31:03.000000000 -0500
@@ -1,3 +1,4 @@
+/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0)
/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
@@ -16038,7 +16240,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
/usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.7.8/policy/modules/services/dnsmasq.if
--- nsaserefpolicy/policy/modules/services/dnsmasq.if 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/dnsmasq.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/dnsmasq.if 2010-02-02 10:31:03.000000000 -0500
@@ -136,6 +136,44 @@
########################################
@@ -16086,7 +16288,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.7.8/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/dnsmasq.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/dnsmasq.te 2010-02-02 10:31:03.000000000 -0500
@@ -13,6 +13,9 @@
type dnsmasq_initrc_exec_t;
init_script_file(dnsmasq_initrc_exec_t)
@@ -16136,7 +16338,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.7.8/policy/modules/services/dovecot.fc
--- nsaserefpolicy/policy/modules/services/dovecot.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/dovecot.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/dovecot.fc 2010-02-02 10:31:03.000000000 -0500
@@ -34,6 +34,7 @@
/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
@@ -16147,7 +16349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.8/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/dovecot.te 2010-01-27 10:51:08.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/dovecot.te 2010-02-02 10:31:03.000000000 -0500
@@ -73,14 +73,21 @@
can_exec(dovecot_t, dovecot_exec_t)
@@ -16252,7 +16454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.7.8/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/exim.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/exim.te 2010-02-02 10:31:03.000000000 -0500
@@ -192,6 +192,10 @@
')
@@ -16266,7 +16468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.7.8/policy/modules/services/fail2ban.if
--- nsaserefpolicy/policy/modules/services/fail2ban.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/fail2ban.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/fail2ban.if 2010-02-02 10:31:03.000000000 -0500
@@ -98,6 +98,46 @@
allow $1 fail2ban_var_run_t:file read_file_perms;
')
@@ -16338,7 +16540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.7.8/policy/modules/services/fetchmail.te
--- nsaserefpolicy/policy/modules/services/fetchmail.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/fetchmail.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/fetchmail.te 2010-02-02 10:31:03.000000000 -0500
@@ -48,6 +48,7 @@
kernel_dontaudit_read_system_state(fetchmail_t)
@@ -16349,7 +16551,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetc
corenet_all_recvfrom_netlabel(fetchmail_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.7.8/policy/modules/services/fprintd.te
--- nsaserefpolicy/policy/modules/services/fprintd.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/fprintd.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/fprintd.te 2010-02-02 10:31:03.000000000 -0500
@@ -55,4 +55,6 @@
policykit_read_lib(fprintd_t)
policykit_dbus_chat(fprintd_t)
@@ -16359,7 +16561,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fpri
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.7.8/policy/modules/services/ftp.if
--- nsaserefpolicy/policy/modules/services/ftp.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/ftp.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/ftp.if 2010-02-02 10:31:03.000000000 -0500
@@ -115,6 +115,44 @@
role $2 types ftpdctl_t;
')
@@ -16407,7 +16609,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
## All of the rules required to administrate
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.7.8/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/ftp.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/ftp.te 2010-02-02 10:31:03.000000000 -0500
@@ -41,11 +41,51 @@
##
@@ -16656,7 +16858,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.7.8/policy/modules/services/git.fc
--- nsaserefpolicy/policy/modules/services/git.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/git.fc 2010-01-21 08:33:33.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/git.fc 2010-02-02 10:31:03.000000000 -0500
@@ -1,3 +1,16 @@
-/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0)
-/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
@@ -16679,7 +16881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.7.8/policy/modules/services/git.if
--- nsaserefpolicy/policy/modules/services/git.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/git.if 2010-01-21 14:00:18.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/git.if 2010-02-02 10:31:03.000000000 -0500
@@ -1 +1,535 @@
-## GIT revision control system
+## Git - Fast Version Control System.
@@ -17219,7 +17421,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.7.8/policy/modules/services/git.te
--- nsaserefpolicy/policy/modules/services/git.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/git.te 2010-01-21 13:49:27.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/git.te 2010-02-02 10:31:03.000000000 -0500
@@ -1,9 +1,182 @@
-policy_module(git, 1.0)
@@ -17408,7 +17610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+#gen_user(git_shell_u, user, git_shell_r, s0, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.7.8/policy/modules/services/gpsd.te
--- nsaserefpolicy/policy/modules/services/gpsd.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/gpsd.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/gpsd.te 2010-02-02 10:31:03.000000000 -0500
@@ -25,7 +25,7 @@
# gpsd local policy
#
@@ -17420,7 +17622,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd
allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.7.8/policy/modules/services/hal.fc
--- nsaserefpolicy/policy/modules/services/hal.fc 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/hal.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/hal.fc 2010-02-02 10:31:03.000000000 -0500
@@ -26,6 +26,7 @@
/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
/var/run/pm-utils(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
@@ -17431,7 +17633,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
/var/lib/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.7.8/policy/modules/services/hal.if
--- nsaserefpolicy/policy/modules/services/hal.if 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/hal.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/hal.if 2010-02-02 10:31:03.000000000 -0500
@@ -413,3 +413,21 @@
files_search_pids($1)
manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
@@ -17456,7 +17658,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.7.8/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/hal.te 2010-01-27 13:13:18.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/hal.te 2010-02-02 10:31:03.000000000 -0500
@@ -55,6 +55,9 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@@ -17626,7 +17828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/howl.te serefpolicy-3.7.8/policy/modules/services/howl.te
--- nsaserefpolicy/policy/modules/services/howl.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/howl.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/howl.te 2010-02-02 10:31:03.000000000 -0500
@@ -30,7 +30,7 @@
kernel_read_network_state(howl_t)
@@ -17638,7 +17840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/howl
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.8/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/kerberos.if 2010-01-22 09:59:42.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/kerberos.if 2010-02-02 10:31:03.000000000 -0500
@@ -74,7 +74,7 @@
')
@@ -17661,7 +17863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
allow $1 self:udp_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.7.8/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/kerberos.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/kerberos.te 2010-02-02 10:31:03.000000000 -0500
@@ -112,6 +112,7 @@
kernel_read_kernel_sysctls(kadmind_t)
@@ -17681,7 +17883,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.7.8/policy/modules/services/ksmtuned.fc
--- nsaserefpolicy/policy/modules/services/ksmtuned.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/ksmtuned.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/ksmtuned.fc 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,5 @@
+/etc/rc\.d/init\.d/ksmtuned -- gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0)
+
@@ -17690,7 +17892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt
+/var/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.if serefpolicy-3.7.8/policy/modules/services/ksmtuned.if
--- nsaserefpolicy/policy/modules/services/ksmtuned.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/ksmtuned.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/ksmtuned.if 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,76 @@
+
+## policy for Kernel Samepage Merging (KSM) Tuning Daemon
@@ -17770,7 +17972,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.7.8/policy/modules/services/ksmtuned.te
--- nsaserefpolicy/policy/modules/services/ksmtuned.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/ksmtuned.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/ksmtuned.te 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,44 @@
+policy_module(ksmtuned,1.0.0)
+
@@ -17818,7 +18020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt
+miscfiles_read_localization(ksmtuned_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.7.8/policy/modules/services/ktalk.te
--- nsaserefpolicy/policy/modules/services/ktalk.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/ktalk.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/ktalk.te 2010-02-02 10:31:03.000000000 -0500
@@ -69,6 +69,7 @@
files_read_etc_files(ktalkd_t)
@@ -17829,7 +18031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktal
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.7.8/policy/modules/services/ldap.fc
--- nsaserefpolicy/policy/modules/services/ldap.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/ldap.fc 2010-01-27 15:28:08.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/ldap.fc 2010-02-02 10:31:03.000000000 -0500
@@ -1,8 +1,12 @@
/etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
@@ -17858,7 +18060,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap
+/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.7.8/policy/modules/services/ldap.if
--- nsaserefpolicy/policy/modules/services/ldap.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/ldap.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/ldap.if 2010-02-02 10:31:03.000000000 -0500
@@ -1,5 +1,43 @@
## OpenLDAP directory server
@@ -17905,7 +18107,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap
## Read the contents of the OpenLDAP
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.7.8/policy/modules/services/ldap.te
--- nsaserefpolicy/policy/modules/services/ldap.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/ldap.te 2010-01-28 08:13:48.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/ldap.te 2010-02-02 10:31:03.000000000 -0500
@@ -28,6 +28,9 @@
type slapd_replog_t;
files_type(slapd_replog_t)
@@ -17929,17 +18131,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap
files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.7.8/policy/modules/services/lircd.te
--- nsaserefpolicy/policy/modules/services/lircd.te 2010-01-11 09:40:36.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/lircd.te 2010-01-18 15:18:03.000000000 -0500
-@@ -26,6 +26,8 @@
++++ serefpolicy-3.7.8/policy/modules/services/lircd.te 2010-02-02 10:31:03.000000000 -0500
+@@ -24,8 +24,11 @@
+ # lircd local policy
+ #
- allow lircd_t self:process signal;
+-allow lircd_t self:process signal;
++allow lircd_t self:capability { chown kill sys_admin };
++allow lircd_t self:process { fork signal };
allow lircd_t self:unix_dgram_socket create_socket_perms;
-+allow lircd_t self:fifo_file rw_file_perms;
++allow lircd_t self:fifo_file rw_fifo_file_perms;
+allow lircd_t self:tcp_socket create_stream_socket_perms;
# etc file
read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t)
-@@ -34,21 +36,31 @@
+@@ -34,21 +37,31 @@
manage_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
manage_sock_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file })
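Review bot: The new `allow lircd_t self:capability { chown kill sys_admin };` in the lircd.te section grants `sys_admin`, one of the broadest capabilities a domain can hold, and nothing in the hunk records which operation required it. I would put a comment above the rule tying each capability to the denial that motivated it, e.g. `# sys_admin: <denied operation, bug reference>`, so a later audit can tell whether it can be dropped. The added `allow lircd_t self:tcp_socket create_stream_socket_perms;` deserves the same one-line justification, since it presumably exists for an optional network-listening mode. The lircd local policy block continues outside the hunk.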
@@ -17976,7 +18182,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.7.8/policy/modules/services/mailman.fc
--- nsaserefpolicy/policy/modules/services/mailman.fc 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/mailman.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/mailman.fc 2010-02-02 11:12:02.000000000 -0500
+@@ -1,4 +1,4 @@
+-/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
++/usr/lib(64)?/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+ /usr/lib/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+
+ /var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
@@ -25,10 +25,10 @@
ifdef(`distro_redhat', `
/etc/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
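Review bot: The `(64)?` alternation is added only to the mailmanctl entry, while the next line, `/usr/lib/mailman/cron/.*`, still matches `/usr/lib` alone. If the package installs both directories under the same libdir, the cron scripts on a lib64 system would presumably not receive `mailman_queue_exec_t`. The cron entry should then get the same treatment: `/usr/lib(64)?/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)`. Only part of mailman.fc is visible here, so any other `/usr/lib/mailman` entries, including those in the `distro_redhat` block, should be checked as well.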
@@ -17994,7 +18206,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.7.8/policy/modules/services/memcached.te
--- nsaserefpolicy/policy/modules/services/memcached.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/memcached.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/memcached.te 2010-02-02 10:31:03.000000000 -0500
@@ -22,9 +22,12 @@
#
@@ -18027,7 +18239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memc
+term_dontaudit_use_console(memcached_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.7.8/policy/modules/services/modemmanager.te
--- nsaserefpolicy/policy/modules/services/modemmanager.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/modemmanager.te 2010-01-27 08:38:46.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/modemmanager.te 2010-02-02 10:31:03.000000000 -0500
@@ -16,8 +16,8 @@
#
# ModemManager local policy
@@ -18049,7 +18261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mode
miscfiles_read_localization(modemmanager_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.7.8/policy/modules/services/mta.fc
--- nsaserefpolicy/policy/modules/services/mta.fc 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/mta.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/mta.fc 2010-02-02 10:31:03.000000000 -0500
@@ -13,6 +13,8 @@
/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
@@ -18061,7 +18273,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.7.8/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/mta.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/mta.if 2010-02-02 10:31:03.000000000 -0500
@@ -335,6 +335,7 @@
# apache should set close-on-exec
apache_dontaudit_rw_stream_sockets($1)
@@ -18117,7 +18329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.8/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/mta.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/mta.te 2010-02-02 10:31:03.000000000 -0500
@@ -63,6 +63,8 @@
can_exec(system_mail_t, mta_exec_type)
@@ -18163,7 +18375,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
optional_policy(`
-@@ -185,6 +195,10 @@
+@@ -126,6 +136,7 @@
+
+ optional_policy(`
+ fail2ban_append_log(system_mail_t)
++ fail2ban_dontaudit_leaks(system_mail_t)
+ ')
+
+ optional_policy(`
+@@ -185,6 +196,10 @@
')
optional_policy(`
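Review bot: `fail2ban_dontaudit_leaks(system_mail_t)` hides the denials caused by descriptors that fail2ban leaves open across exec rather than fixing the leak, and the rule has no comment saying so. The mta.if section of this patch marks the same kind of workaround with `# apache should set close-on-exec`. A matching line above this call, `# fail2ban should set close-on-exec`, would record that the rule is temporary and can go once the daemon is fixed. Because a dontaudit rule also removes these events from the audit log, it is worth confirming that the interface covers only the leaked descriptors; its definition is not in this hunk.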
@@ -18174,7 +18394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
smartmon_read_tmp_files(system_mail_t)
')
-@@ -216,6 +230,7 @@
+@@ -216,6 +231,7 @@
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -18184,7 +18404,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.7.8/policy/modules/services/munin.fc
--- nsaserefpolicy/policy/modules/services/munin.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/munin.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/munin.fc 2010-02-02 10:31:03.000000000 -0500
@@ -9,3 +9,6 @@
/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
@@ -18194,7 +18414,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.8/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/munin.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/munin.te 2010-02-02 10:31:03.000000000 -0500
@@ -33,7 +33,7 @@
# Local policy
#
@@ -18224,7 +18444,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.7.8/policy/modules/services/mysql.if
--- nsaserefpolicy/policy/modules/services/mysql.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/mysql.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/mysql.if 2010-02-02 10:31:03.000000000 -0500
@@ -1,5 +1,43 @@
## Policy for MySQL
@@ -18271,7 +18491,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
## Send a generic signal to MySQL.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.8/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/mysql.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/mysql.te 2010-02-02 10:31:03.000000000 -0500
@@ -1,6 +1,13 @@
policy_module(mysql, 1.11.1)
@@ -18336,7 +18556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
mysql_write_log(mysqld_safe_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.7.8/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/nagios.fc 2010-01-27 08:48:15.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/nagios.fc 2010-02-02 10:31:03.000000000 -0500
@@ -1,16 +1,85 @@
/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
@@ -18430,7 +18650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
+/usr/lib(64)?/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.7.8/policy/modules/services/nagios.if
--- nsaserefpolicy/policy/modules/services/nagios.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/nagios.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/nagios.if 2010-02-02 10:31:03.000000000 -0500
@@ -64,7 +64,7 @@
########################################
@@ -18588,7 +18808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.8/policy/modules/services/nagios.te
--- nsaserefpolicy/policy/modules/services/nagios.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/nagios.te 2010-01-27 08:54:01.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/nagios.te 2010-02-02 10:31:03.000000000 -0500
@@ -6,17 +6,23 @@
# Declarations
#
@@ -18904,7 +19124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.7.8/policy/modules/services/networkmanager.fc
--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/networkmanager.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/networkmanager.fc 2010-02-02 10:31:03.000000000 -0500
@@ -1,12 +1,28 @@
+/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t, s0)
+/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
@@ -18936,7 +19156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.7.8/policy/modules/services/networkmanager.if
--- nsaserefpolicy/policy/modules/services/networkmanager.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/networkmanager.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/networkmanager.if 2010-02-02 10:31:03.000000000 -0500
@@ -118,6 +118,24 @@
########################################
@@ -19015,7 +19235,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.8/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/networkmanager.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/networkmanager.te 2010-02-02 10:31:03.000000000 -0500
@@ -19,6 +19,9 @@
type NetworkManager_tmp_t;
files_tmp_file(NetworkManager_tmp_t)
@@ -19043,12 +19263,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
allow NetworkManager_t self:udp_socket create_socket_perms;
allow NetworkManager_t self:packet_socket create_socket_perms;
-@@ -51,8 +55,13 @@
+@@ -51,8 +55,14 @@
manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
-rw_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
-files_search_tmp(NetworkManager_t)
++can_exec(NetworkManager_t, NetworkManager_tmp_t)
+manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
+manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
+files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
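Review bot: The added `can_exec(NetworkManager_t, NetworkManager_tmp_t)` lets NetworkManager execute, in its own domain, files of a type it can also create and modify (see the `manage_files_pattern` and `files_tmp_filetrans` rules on the following lines). A temporary-file type that is both writable and executable weakens the confinement of a network-facing daemon, and the hunk does not say which helper needs it. I would add a comment naming the consumer, e.g. `# <helper> generates a script in tmp and runs it, see <bug reference>`. A dedicated type for that generated file would also keep the exec permission from covering every NetworkManager temp file. The surrounding policy block starts and ends outside the hunk.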
@@ -19059,7 +19280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
-@@ -62,7 +71,9 @@
+@@ -62,7 +72,9 @@
kernel_read_system_state(NetworkManager_t)
kernel_read_network_state(NetworkManager_t)
kernel_read_kernel_sysctls(NetworkManager_t)
@@ -19070,7 +19291,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
corenet_all_recvfrom_unlabeled(NetworkManager_t)
corenet_all_recvfrom_netlabel(NetworkManager_t)
-@@ -81,13 +92,18 @@
+@@ -81,13 +93,18 @@
corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
corenet_sendrecv_all_client_packets(NetworkManager_t)
@@ -19089,7 +19310,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
mls_file_read_all_levels(NetworkManager_t)
-@@ -98,15 +114,20 @@
+@@ -98,15 +115,20 @@
domain_use_interactive_fds(NetworkManager_t)
domain_read_confined_domains_state(NetworkManager_t)
@@ -19111,7 +19332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
logging_send_syslog_msg(NetworkManager_t)
miscfiles_read_localization(NetworkManager_t)
-@@ -116,25 +137,40 @@
+@@ -116,25 +138,40 @@
seutil_read_config(NetworkManager_t)
@@ -19159,7 +19380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
')
optional_policy(`
-@@ -146,8 +182,25 @@
+@@ -146,8 +183,25 @@
')
optional_policy(`
@@ -19187,7 +19408,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
')
optional_policy(`
-@@ -155,23 +208,51 @@
+@@ -155,23 +209,51 @@
')
optional_policy(`
@@ -19242,7 +19463,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
')
optional_policy(`
-@@ -179,12 +260,15 @@
+@@ -179,12 +261,15 @@
')
optional_policy(`
@@ -19260,7 +19481,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.7.8/policy/modules/services/nis.fc
--- nsaserefpolicy/policy/modules/services/nis.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/nis.fc 2010-01-28 10:40:55.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/nis.fc 2010-02-02 10:31:03.000000000 -0500
@@ -1,4 +1,7 @@
-
+/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0)
@@ -19281,7 +19502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
+/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.7.8/policy/modules/services/nis.if
--- nsaserefpolicy/policy/modules/services/nis.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/nis.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/nis.if 2010-02-02 10:31:03.000000000 -0500
@@ -28,7 +28,7 @@
type var_yp_t;
')
@@ -19425,7 +19646,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.7.8/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/nis.te 2010-01-28 10:38:39.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/nis.te 2010-02-02 10:31:03.000000000 -0500
@@ -13,6 +13,9 @@
type ypbind_exec_t;
init_daemon_domain(ypbind_t, ypbind_exec_t)
@@ -19490,7 +19711,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.7.8/policy/modules/services/nscd.if
--- nsaserefpolicy/policy/modules/services/nscd.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/nscd.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/nscd.if 2010-02-02 10:31:03.000000000 -0500
@@ -121,6 +121,24 @@
########################################
@@ -19527,7 +19748,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.7.8/policy/modules/services/nscd.te
--- nsaserefpolicy/policy/modules/services/nscd.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/nscd.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/nscd.te 2010-02-02 10:31:03.000000000 -0500
@@ -1,10 +1,17 @@
-policy_module(nscd, 1.10.0)
@@ -19574,7 +19795,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.fc serefpolicy-3.7.8/policy/modules/services/ntop.fc
--- nsaserefpolicy/policy/modules/services/ntop.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/ntop.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/ntop.fc 2010-02-02 10:31:03.000000000 -0500
@@ -1,7 +1,6 @@
/etc/ntop(/.*)? gen_context(system_u:object_r:ntop_etc_t,s0)
@@ -19585,7 +19806,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop
/var/run/ntop\.pid -- gen_context(system_u:object_r:ntop_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.te serefpolicy-3.7.8/policy/modules/services/ntop.te
--- nsaserefpolicy/policy/modules/services/ntop.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/ntop.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/ntop.te 2010-02-02 10:31:03.000000000 -0500
@@ -11,12 +11,12 @@
init_daemon_domain(ntop_t, ntop_exec_t)
application_domain(ntop_t, ntop_exec_t)
@@ -19678,7 +19899,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.7.8/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/ntp.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/ntp.te 2010-02-02 10:31:03.000000000 -0500
@@ -100,6 +100,8 @@
fs_getattr_all_fs(ntpd_t)
@@ -19690,7 +19911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.fc serefpolicy-3.7.8/policy/modules/services/nut.fc
--- nsaserefpolicy/policy/modules/services/nut.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/nut.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/nut.fc 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,16 @@
+
+/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)
@@ -19710,7 +19931,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.if serefpolicy-3.7.8/policy/modules/services/nut.if
--- nsaserefpolicy/policy/modules/services/nut.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/nut.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/nut.if 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,58 @@
+## SELinux policy for NUT - Network UPS Tools
+
@@ -19772,7 +19993,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.7.8/policy/modules/services/nut.te
--- nsaserefpolicy/policy/modules/services/nut.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/nut.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/nut.te 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,188 @@
+
+policy_module(nut, 1.0.0)
@@ -19964,7 +20185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.7.8/policy/modules/services/nx.fc
--- nsaserefpolicy/policy/modules/services/nx.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/nx.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/nx.fc 2010-02-02 10:31:03.000000000 -0500
@@ -1,7 +1,15 @@
/opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
@@ -19984,7 +20205,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.f
/usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.7.8/policy/modules/services/nx.if
--- nsaserefpolicy/policy/modules/services/nx.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/nx.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/nx.if 2010-02-02 10:31:03.000000000 -0500
@@ -17,3 +17,70 @@
spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t)
@@ -20058,7 +20279,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.i
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.7.8/policy/modules/services/nx.te
--- nsaserefpolicy/policy/modules/services/nx.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/nx.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/nx.te 2010-02-02 10:31:03.000000000 -0500
@@ -25,6 +25,12 @@
type nx_server_var_run_t;
files_pid_file(nx_server_var_run_t)
@@ -20095,7 +20316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.7.8/policy/modules/services/oddjob.if
--- nsaserefpolicy/policy/modules/services/oddjob.if 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/oddjob.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/oddjob.if 2010-02-02 10:31:03.000000000 -0500
@@ -44,6 +44,7 @@
')
@@ -20106,7 +20327,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.7.8/policy/modules/services/oddjob.te
--- nsaserefpolicy/policy/modules/services/oddjob.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/oddjob.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/oddjob.te 2010-02-02 10:31:03.000000000 -0500
@@ -100,8 +100,7 @@
# Add/remove user home directories
@@ -20120,7 +20341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.7.8/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/openvpn.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/openvpn.te 2010-02-02 10:31:03.000000000 -0500
@@ -41,7 +41,7 @@
# openvpn local policy
#
@@ -20158,7 +20379,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
userdom_use_user_terminals(openvpn_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.if serefpolicy-3.7.8/policy/modules/services/pcscd.if
--- nsaserefpolicy/policy/modules/services/pcscd.if 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/pcscd.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/pcscd.if 2010-02-02 10:31:03.000000000 -0500
@@ -39,6 +39,44 @@
########################################
@@ -20206,7 +20427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcsc
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.7.8/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/pegasus.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/pegasus.te 2010-02-02 10:31:03.000000000 -0500
@@ -30,7 +30,7 @@
# Local policy
#
@@ -20280,7 +20501,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.fc serefpolicy-3.7.8/policy/modules/services/plymouth.fc
--- nsaserefpolicy/policy/modules/services/plymouth.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/plymouth.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/plymouth.fc 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,5 @@
+/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t, s0)
+/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t, s0)
@@ -20289,7 +20510,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym
+/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.if serefpolicy-3.7.8/policy/modules/services/plymouth.if
--- nsaserefpolicy/policy/modules/services/plymouth.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/plymouth.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/plymouth.if 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,322 @@
+## policy for plymouthd
+
@@ -20615,7 +20836,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.7.8/policy/modules/services/plymouth.te
--- nsaserefpolicy/policy/modules/services/plymouth.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/plymouth.te 2010-01-27 10:37:10.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/plymouth.te 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,101 @@
+policy_module(plymouthd, 1.0.0)
+
@@ -20720,7 +20941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.7.8/policy/modules/services/policykit.fc
--- nsaserefpolicy/policy/modules/services/policykit.fc 2009-08-18 11:41:14.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/policykit.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/policykit.fc 2010-02-02 10:31:03.000000000 -0500
@@ -6,10 +6,13 @@
/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
@@ -20738,7 +20959,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.7.8/policy/modules/services/policykit.if
--- nsaserefpolicy/policy/modules/services/policykit.if 2009-08-18 18:39:50.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/policykit.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/policykit.if 2010-02-02 10:31:03.000000000 -0500
@@ -17,12 +17,37 @@
class dbus send_msg;
')
@@ -20837,7 +21058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.8/policy/modules/services/policykit.te
--- nsaserefpolicy/policy/modules/services/policykit.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/policykit.te 2010-01-28 09:30:05.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/policykit.te 2010-02-02 10:31:03.000000000 -0500
@@ -36,11 +36,12 @@
# policykit local policy
#
@@ -20917,12 +21138,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
-@@ -92,21 +118,25 @@
+@@ -92,21 +118,29 @@
manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
-kernel_read_system_state(policykit_auth_t)
--
++dev_read_video_dev(policykit_auth_t)
+
files_read_etc_files(policykit_auth_t)
files_read_usr_files(policykit_auth_t)
+files_search_home(policykit_auth_t)
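Review bot: The added `dev_read_video_dev(policykit_auth_t)` line gives the PolicyKit authentication helper what is, going by the interface name, read access to video devices, with no comment saying which authentication path needs it. The next hunk adds `userdom_read_admin_home_files(policykit_auth_t)` and `miscfiles_setattr_fonts_cache_dirs(policykit_auth_t)` in the same way. Each of these widens what a credential-handling domain can touch, so I would put a one-line reason above each, for example `# NOTE(review): required by <feature or bug reference>; confirm before merge`. The admin-home read sits directly after `userdom_dontaudit_read_user_home_content_files(policykit_auth_t)`, which suggests home-directory reads were meant to be denied quietly; if only one file under the admin home is needed, a narrower type would presumably serve better. The policykit_auth_t block starts and ends outside these hunks.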
@@ -20937,8 +21159,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
miscfiles_read_localization(policykit_auth_t)
+miscfiles_read_fonts(policykit_auth_t)
++miscfiles_setattr_fonts_cache_dirs(policykit_auth_t)
userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
++userdom_read_admin_home_files(policykit_auth_t)
optional_policy(`
- dbus_system_bus_client(policykit_auth_t)
@@ -20946,7 +21170,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
dbus_session_bus_client(policykit_auth_t)
optional_policy(`
-@@ -119,6 +149,14 @@
+@@ -119,6 +153,14 @@
hal_read_state(policykit_auth_t)
')
@@ -20961,7 +21185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
########################################
#
# polkit_grant local policy
-@@ -126,7 +164,8 @@
+@@ -126,7 +168,8 @@
allow policykit_grant_t self:capability setuid;
allow policykit_grant_t self:process getattr;
@@ -20971,7 +21195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
-@@ -156,9 +195,12 @@
+@@ -156,9 +199,12 @@
userdom_read_all_users_state(policykit_grant_t)
optional_policy(`
@@ -20985,7 +21209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
consolekit_dbus_chat(policykit_grant_t)
')
')
-@@ -170,7 +212,8 @@
+@@ -170,7 +216,8 @@
allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
allow policykit_resolve_t self:process getattr;
@@ -20997,7 +21221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.7.8/policy/modules/services/portreserve.te
--- nsaserefpolicy/policy/modules/services/portreserve.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/portreserve.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/portreserve.te 2010-02-02 10:31:03.000000000 -0500
@@ -21,6 +21,7 @@
# Portreserve local policy
#
@@ -21017,7 +21241,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port
corenet_tcp_bind_generic_node(portreserve_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.7.8/policy/modules/services/postfix.fc
--- nsaserefpolicy/policy/modules/services/postfix.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/postfix.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/postfix.fc 2010-02-02 10:31:03.000000000 -0500
@@ -29,12 +29,10 @@
/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
@@ -21033,7 +21257,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.8/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/postfix.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/postfix.if 2010-02-02 10:31:03.000000000 -0500
@@ -46,6 +46,7 @@
allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
@@ -21282,7 +21506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.8/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/postfix.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/postfix.te 2010-02-02 10:31:03.000000000 -0500
@@ -6,6 +6,15 @@
# Declarations
#
@@ -21685,7 +21909,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.7.8/policy/modules/services/postgresql.fc
--- nsaserefpolicy/policy/modules/services/postgresql.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/postgresql.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/postgresql.fc 2010-02-02 10:31:03.000000000 -0500
@@ -2,6 +2,8 @@
# /etc
#
@@ -21725,7 +21949,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.7.8/policy/modules/services/postgresql.if
--- nsaserefpolicy/policy/modules/services/postgresql.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/postgresql.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/postgresql.if 2010-02-02 10:31:03.000000000 -0500
@@ -125,6 +125,23 @@
typeattribute $1 sepgsql_table_type;
')
@@ -21799,7 +22023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.7.8/policy/modules/services/postgresql.te
--- nsaserefpolicy/policy/modules/services/postgresql.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/postgresql.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/postgresql.te 2010-02-02 10:31:03.000000000 -0500
@@ -32,6 +32,9 @@
type postgresql_etc_t;
files_config_file(postgresql_etc_t)
@@ -21844,9 +22068,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
miscfiles_read_localization(postgresql_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.7.8/policy/modules/services/ppp.fc
+--- nsaserefpolicy/policy/modules/services/ppp.fc 2009-07-23 14:11:04.000000000 -0400
++++ serefpolicy-3.7.8/policy/modules/services/ppp.fc 2010-02-02 10:31:03.000000000 -0500
+@@ -3,6 +3,7 @@
+ #
+ /etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+
++/root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0)
+ /etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0)
+ /etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+ /etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0)
+@@ -34,3 +35,4 @@
+
+ /var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0)
+ /var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0)
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.7.8/policy/modules/services/ppp.if
--- nsaserefpolicy/policy/modules/services/ppp.if 2010-01-18 15:04:31.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/ppp.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/ppp.if 2010-02-02 10:31:03.000000000 -0500
@@ -182,6 +182,10 @@
ppp_domtrans($1)
role $2 types pppd_t;
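Review bot: The new ppp.fc entry `/root/.ppprc` leaves its dot unescaped, so the pattern matches any character in that position, whereas the neighbouring entry `/etc/rc\.d/init\.d/ppp` escapes its dots. I would write it as `/root/\.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0)`. The ppp.te change in the next hunk declares `pppd_home_t`, yet this entry labels the file `pppd_etc_t`; if the new type was meant for root's per-user configuration, the label here presumably needs to follow it.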
@@ -21860,8 +22100,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.7.8/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te 2010-01-18 15:04:31.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/ppp.te 2010-01-18 15:18:03.000000000 -0500
-@@ -193,6 +193,8 @@
++++ serefpolicy-3.7.8/policy/modules/services/ppp.te 2010-02-02 10:31:03.000000000 -0500
+@@ -66,14 +66,17 @@
+ type pptp_var_run_t;
+ files_pid_file(pptp_var_run_t)
+
++type pppd_home_t;
++files_type(pppd_secret_t)
++
+ ########################################
+ #
+ # PPPD Local policy
+ #
+
+-allow pppd_t self:capability { kill net_admin setuid setgid fsetid fowner net_raw dac_override };
++allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override };
+ dontaudit pppd_t self:capability sys_tty_config;
+-allow pppd_t self:process signal;
++allow pppd_t self:process { getsched signal };
+ allow pppd_t self:fifo_file rw_fifo_file_perms;
+ allow pppd_t self:socket create_socket_perms;
+ allow pppd_t self:unix_dgram_socket create_socket_perms;
+@@ -193,6 +196,8 @@
optional_policy(`
mta_send_mail(pppd_t)
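Review bot: In the added ppp.te declarations, `type pppd_home_t;` is followed by `files_type(pppd_secret_t)`, so the new type is declared without being marked as a file type and the macro is applied to a different type. If the intent was to set up the new type, the line would be `files_type(pppd_home_t)`; whether `pppd_secret_t` already has its own `files_type` call cannot be seen from this hunk. The same hunk adds `sys_admin` to the `pppd_t` capability set, which is a broad capability, and there is no comment saying what operation needs it. A one-line reason above that `allow` rule would let a later audit decide whether it can be dropped.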
@@ -21870,7 +22130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
')
optional_policy(`
-@@ -289,6 +291,7 @@
+@@ -289,6 +294,7 @@
userdom_dontaudit_use_unpriv_user_fds(pptp_t)
userdom_dontaudit_search_user_home_dirs(pptp_t)
@@ -21880,7 +22140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
consoletype_exec(pppd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.7.8/policy/modules/services/prelude.te
--- nsaserefpolicy/policy/modules/services/prelude.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/prelude.te 2010-01-26 09:32:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/prelude.te 2010-02-02 10:31:03.000000000 -0500
@@ -90,6 +90,7 @@
corenet_tcp_bind_prelude_port(prelude_t)
corenet_tcp_connect_prelude_port(prelude_t)
@@ -21900,7 +22160,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
auth_use_nsswitch(prelude_lml_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.7.8/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/procmail.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/procmail.te 2010-02-02 10:31:03.000000000 -0500
@@ -22,7 +22,7 @@
# Local policy
#
@@ -21950,7 +22210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/puppet.te serefpolicy-3.7.8/policy/modules/services/puppet.te
--- nsaserefpolicy/policy/modules/services/puppet.te 2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/puppet.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/puppet.te 2010-02-02 10:31:03.000000000 -0500
@@ -17,6 +17,7 @@
type puppet_t;
type puppet_exec_t;
@@ -21969,7 +22229,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp
init_script_file(puppetmaster_initrc_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.7.8/policy/modules/services/pyzor.fc
--- nsaserefpolicy/policy/modules/services/pyzor.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/pyzor.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/pyzor.fc 2010-02-02 10:31:03.000000000 -0500
@@ -1,6 +1,10 @@
/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
+/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0)
@@ -21983,7 +22243,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.7.8/policy/modules/services/pyzor.if
--- nsaserefpolicy/policy/modules/services/pyzor.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/pyzor.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/pyzor.if 2010-02-02 10:31:03.000000000 -0500
@@ -88,3 +88,50 @@
corecmd_search_bin($1)
can_exec($1, pyzor_exec_t)
@@ -22037,7 +22297,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.7.8/policy/modules/services/pyzor.te
--- nsaserefpolicy/policy/modules/services/pyzor.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/pyzor.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/pyzor.te 2010-02-02 10:31:03.000000000 -0500
@@ -6,6 +6,38 @@
# Declarations
#
@@ -22104,7 +22364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.7.8/policy/modules/services/razor.fc
--- nsaserefpolicy/policy/modules/services/razor.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/razor.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/razor.fc 2010-02-02 10:31:03.000000000 -0500
@@ -1,3 +1,4 @@
+/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
@@ -22112,7 +22372,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.7.8/policy/modules/services/razor.if
--- nsaserefpolicy/policy/modules/services/razor.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/razor.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/razor.if 2010-02-02 10:31:03.000000000 -0500
@@ -157,3 +157,45 @@
domtrans_pattern($1, razor_exec_t, razor_t)
@@ -22161,7 +22421,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.7.8/policy/modules/services/razor.te
--- nsaserefpolicy/policy/modules/services/razor.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/razor.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/razor.te 2010-02-02 10:31:03.000000000 -0500
@@ -6,6 +6,32 @@
# Declarations
#
@@ -22215,7 +22475,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdisc.if serefpolicy-3.7.8/policy/modules/services/rdisc.if
--- nsaserefpolicy/policy/modules/services/rdisc.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/rdisc.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/rdisc.if 2010-02-02 10:31:03.000000000 -0500
@@ -1 +1,20 @@
## Network router discovery daemon
+
@@ -22239,7 +22499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdis
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.7.8/policy/modules/services/rgmanager.fc
--- nsaserefpolicy/policy/modules/services/rgmanager.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/rgmanager.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/rgmanager.fc 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,8 @@
+
+/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
@@ -22251,7 +22511,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
+/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.7.8/policy/modules/services/rgmanager.if
--- nsaserefpolicy/policy/modules/services/rgmanager.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/rgmanager.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/rgmanager.if 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,59 @@
+## SELinux policy for rgmanager
+
@@ -22271,7 +22531,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
+ ')
+
+ corecmd_search_bin($1)
-+ domrans_pattern($1,rgmanager_exec_t,rgmanager_t)
++ domtrans_pattern($1,rgmanager_exec_t,rgmanager_t)
+
+')
+
@@ -22314,7 +22574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.8/policy/modules/services/rgmanager.te
--- nsaserefpolicy/policy/modules/services/rgmanager.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/rgmanager.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/rgmanager.te 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,186 @@
+
+policy_module(rgmanager,1.0.0)
@@ -22504,8 +22764,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.7.8/policy/modules/services/rhcs.fc
--- nsaserefpolicy/policy/modules/services/rhcs.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/rhcs.fc 2010-01-18 15:18:03.000000000 -0500
-@@ -0,0 +1,22 @@
++++ serefpolicy-3.7.8/policy/modules/services/rhcs.fc 2010-02-02 10:31:03.000000000 -0500
+@@ -0,0 +1,24 @@
++/dev/misc/dlm.* -- gen_context(system_u:object_r:dlm_control_dev_t,s0)
+
+/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
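Review bot: The added rhcs.fc line `/dev/misc/dlm.* -- gen_context(system_u:object_r:dlm_control_dev_t,s0)` uses the `--` specifier, which restricts the entry to regular files. The rhcs.te hunks further down declare the type with `dev_node(dlm_control_dev_t)` and grant `dlm_controld_t` access on class `chr_file`. A character device under /dev/misc would then not pick up this label from the entry, and the new allow rule would presumably never apply. I would use the character-device specifier instead: `/dev/misc/dlm.* -c gen_context(system_u:object_r:dlm_control_dev_t,s0)`.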
@@ -22528,9 +22789,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
+/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
+/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.7.8/policy/modules/services/rhcs.if
--- nsaserefpolicy/policy/modules/services/rhcs.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/rhcs.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/rhcs.if 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,367 @@
+## SELinux policy for RHCS - Red Hat Cluster Suite
+
@@ -22901,8 +23163,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.8/policy/modules/services/rhcs.te
--- nsaserefpolicy/policy/modules/services/rhcs.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/rhcs.te 2010-01-18 15:18:03.000000000 -0500
-@@ -0,0 +1,410 @@
++++ serefpolicy-3.7.8/policy/modules/services/rhcs.te 2010-02-02 10:31:26.000000000 -0500
+@@ -0,0 +1,422 @@
+
+policy_module(rhcs,1.0.0)
+
@@ -22933,6 +23195,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+type dlm_controld_tmpfs_t;
+files_tmpfs_file(dlm_controld_tmpfs_t)
+
++type dlm_control_dev_t;
++dev_node(dlm_control_dev_t)
+
+type fenced_t;
+type fenced_exec_t;
@@ -23017,6 +23281,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+allow dlm_controld_t self:unix_dgram_socket { create_socket_perms };
+allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
+
++allow dlm_controld_t dlm_control_dev_t:chr_file rw_chr_file_perms;
++
+manage_dirs_pattern(dlm_controld_t, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
+manage_files_pattern(dlm_controld_t, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
+fs_tmpfs_filetrans(dlm_controld_t, dlm_controld_tmpfs_t,{ dir file })
@@ -23051,6 +23317,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+
+miscfiles_read_localization(dlm_controld_t)
+
++optional_policy(`
++ corosync_stream_connect(dlm_controld_t)
++')
++
+#######################################
+#
+# fenced local policy
@@ -23183,6 +23453,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+miscfiles_read_localization(gfs_controld_t)
+
+optional_policy(`
++ corosync_stream_connect(gfs_controld_t)
++')
++
++optional_policy(`
+ lvm_exec(gfs_controld_t)
+ dev_rw_lvm_control(gfs_controld_t)
+')
@@ -23315,7 +23589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.7.8/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/ricci.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/ricci.te 2010-02-02 10:31:03.000000000 -0500
@@ -194,10 +194,13 @@
# ricci_modcluster local policy
#
@@ -23407,7 +23681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.fc serefpolicy-3.7.8/policy/modules/services/rpc.fc
--- nsaserefpolicy/policy/modules/services/rpc.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/rpc.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/rpc.fc 2010-02-02 10:31:03.000000000 -0500
@@ -1,6 +1,10 @@
#
# /etc
@@ -23421,7 +23695,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.7.8/policy/modules/services/rpc.if
--- nsaserefpolicy/policy/modules/services/rpc.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/rpc.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/rpc.if 2010-02-02 10:31:03.000000000 -0500
@@ -54,7 +54,7 @@
allow $1_t self:unix_dgram_socket create_socket_perms;
allow $1_t self:unix_stream_socket create_stream_socket_perms;
@@ -23511,7 +23785,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
## Read NFS exported content.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.7.8/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/rpc.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/rpc.te 2010-02-02 10:31:03.000000000 -0500
@@ -37,8 +37,14 @@
# rpc_exec_t is the type of rpc daemon programs.
rpc_domain_template(rpcd)
@@ -23627,7 +23901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.fc serefpolicy-3.7.8/policy/modules/services/rsync.fc
--- nsaserefpolicy/policy/modules/services/rsync.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/rsync.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/rsync.fc 2010-02-02 10:31:03.000000000 -0500
@@ -1,3 +1,4 @@
+/etc/rsyncd\.conf -- gen_context(system_u:object_r:rsync_etc_t, s0)
@@ -23635,7 +23909,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.if serefpolicy-3.7.8/policy/modules/services/rsync.if
--- nsaserefpolicy/policy/modules/services/rsync.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/rsync.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/rsync.if 2010-02-02 10:31:03.000000000 -0500
@@ -103,3 +103,41 @@
can_exec($1, rsync_exec_t)
@@ -23680,7 +23954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.7.8/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/rsync.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/rsync.te 2010-02-02 10:31:03.000000000 -0500
@@ -8,6 +8,13 @@
##
@@ -23740,7 +24014,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
auth_can_read_shadow_passwords(rsync_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.7.8/policy/modules/services/rtkit.if
--- nsaserefpolicy/policy/modules/services/rtkit.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/rtkit.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/rtkit.if 2010-02-02 10:31:03.000000000 -0500
@@ -38,3 +38,23 @@
allow $1 rtkit_daemon_t:dbus send_msg;
allow rtkit_daemon_t $1:dbus send_msg;
@@ -23767,7 +24041,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtki
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.7.8/policy/modules/services/rtkit.te
--- nsaserefpolicy/policy/modules/services/rtkit.te 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/rtkit.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/rtkit.te 2010-02-02 10:31:03.000000000 -0500
@@ -17,9 +17,11 @@
allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace };
@@ -23791,7 +24065,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtki
policykit_dbus_chat(rtkit_daemon_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.7.8/policy/modules/services/samba.fc
--- nsaserefpolicy/policy/modules/services/samba.fc 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/samba.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/samba.fc 2010-02-02 10:31:03.000000000 -0500
@@ -51,3 +51,7 @@
/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
@@ -23802,7 +24076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.7.8/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/samba.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/samba.if 2010-02-02 10:31:03.000000000 -0500
@@ -62,6 +62,25 @@
########################################
@@ -24018,7 +24292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.8/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/samba.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/samba.te 2010-02-02 10:31:03.000000000 -0500
@@ -66,6 +66,13 @@
##
gen_tunable(samba_share_nfs, false)
@@ -24070,10 +24344,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
# Allow samba to list mnt_t for potential mounted dirs
files_list_mnt(smbd_t)
-@@ -338,9 +351,12 @@
+@@ -337,10 +350,13 @@
+ miscfiles_read_public_files(smbd_t)
userdom_use_unpriv_users_fds(smbd_t)
- userdom_dontaudit_search_user_home_dirs(smbd_t)
+-userdom_dontaudit_search_user_home_dirs(smbd_t)
++userdom_search_user_home_content(smbd_t)
+userdom_signal_all_users(smbd_t)
usermanage_read_crack_db(smbd_t)
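Review bot: Replacing `userdom_dontaudit_search_user_home_dirs(smbd_t)` with `userdom_search_user_home_content(smbd_t)` turns a silenced denial into a grant. From the neighbouring context lines it appears to sit at top level rather than inside a tunable block, so smbd would be able to traverse user home directories even when home-directory sharing is disabled. If the access is only needed for home shares, place the call inside the existing samba_enable_home_dirs conditional; otherwise add a why-comment above it such as `# smbd must search home dirs to reach <share path>`, with the placeholder filled in. The surrounding samba.te section starts and ends outside this hunk, so the conditional context cannot be confirmed from here.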
@@ -24301,7 +24577,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.7.8/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/sasl.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/sasl.te 2010-02-02 10:31:03.000000000 -0500
@@ -31,7 +31,7 @@
# Local policy
#
@@ -24366,7 +24642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.8/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if 2010-01-11 09:40:36.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/sendmail.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/sendmail.if 2010-02-02 10:31:03.000000000 -0500
@@ -277,3 +277,22 @@
sendmail_domtrans_unconfined($1)
role $2 types unconfined_sendmail_t;
@@ -24392,7 +24668,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.8/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2010-01-11 09:40:36.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/sendmail.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/sendmail.te 2010-02-02 10:31:03.000000000 -0500
@@ -30,7 +30,7 @@
#
@@ -24473,7 +24749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.7.8/policy/modules/services/setroubleshoot.fc
--- nsaserefpolicy/policy/modules/services/setroubleshoot.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/setroubleshoot.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/setroubleshoot.fc 2010-02-02 10:31:03.000000000 -0500
@@ -5,3 +5,5 @@
/var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0)
@@ -24482,7 +24758,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
+/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.7.8/policy/modules/services/setroubleshoot.if
--- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/setroubleshoot.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/setroubleshoot.if 2010-02-02 10:31:03.000000000 -0500
@@ -16,8 +16,8 @@
')
@@ -24622,7 +24898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.7.8/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/setroubleshoot.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/setroubleshoot.te 2010-02-02 10:31:03.000000000 -0500
@@ -22,13 +22,19 @@
type setroubleshoot_var_run_t;
files_pid_file(setroubleshoot_var_run_t)
@@ -24684,7 +24960,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
selinux_get_enforce_mode(setroubleshootd_t)
selinux_validate_context(setroubleshootd_t)
-@@ -94,23 +113,77 @@
+@@ -94,23 +113,75 @@
locallogin_dontaudit_use_fds(setroubleshootd_t)
@@ -24701,16 +24977,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
optional_policy(`
-+ locate_read_lib_files(setroubleshootd_t)
-+ ')
-+
-+ optional_policy(`
- dbus_system_bus_client(setroubleshootd_t)
- dbus_connect_system_bus(setroubleshootd_t)
-+ dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
+- dbus_system_bus_client(setroubleshootd_t)
+- dbus_connect_system_bus(setroubleshootd_t)
++ locate_read_lib_files(setroubleshootd_t)
')
optional_policy(`
++ dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
++')
++
++optional_policy(`
+ rpm_signull(setroubleshootd_t)
rpm_read_db(setroubleshootd_t)
rpm_dontaudit_manage_db(setroubleshootd_t)
@@ -24766,7 +25042,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.7.8/policy/modules/services/snmp.if
--- nsaserefpolicy/policy/modules/services/snmp.if 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/snmp.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/snmp.if 2010-02-02 10:31:03.000000000 -0500
@@ -69,6 +69,24 @@
########################################
@@ -24794,7 +25070,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.7.8/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/snmp.te 2010-01-19 08:13:42.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/snmp.te 2010-02-02 10:31:03.000000000 -0500
@@ -25,7 +25,7 @@
#
# Local policy
@@ -24806,7 +25082,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp
allow snmpd_t self:fifo_file rw_fifo_file_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.7.8/policy/modules/services/snort.te
--- nsaserefpolicy/policy/modules/services/snort.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/snort.te 2010-01-27 11:31:24.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/snort.te 2010-02-02 10:31:03.000000000 -0500
@@ -37,6 +37,7 @@
allow snort_t self:tcp_socket create_stream_socket_perms;
allow snort_t self:udp_socket create_socket_perms;
@@ -24841,7 +25117,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snor
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.7.8/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/spamassassin.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/spamassassin.fc 2010-02-02 10:31:03.000000000 -0500
@@ -1,15 +1,26 @@
-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
@@ -24873,7 +25149,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
+/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.7.8/policy/modules/services/spamassassin.if
--- nsaserefpolicy/policy/modules/services/spamassassin.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/spamassassin.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/spamassassin.if 2010-02-02 10:31:03.000000000 -0500
@@ -111,6 +111,45 @@
')
@@ -25002,7 +25278,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.7.8/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/spamassassin.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/spamassassin.te 2010-02-02 10:31:03.000000000 -0500
@@ -20,6 +20,35 @@
##
gen_tunable(spamd_enable_home_dirs, true)
@@ -25307,7 +25583,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.7.8/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/squid.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/squid.te 2010-02-02 10:31:03.000000000 -0500
@@ -67,7 +67,9 @@
can_exec(squid_t, squid_exec_t)
@@ -25338,7 +25614,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.7.8/policy/modules/services/ssh.fc
--- nsaserefpolicy/policy/modules/services/ssh.fc 2010-01-18 15:04:31.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/ssh.fc 2010-01-18 15:27:58.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/ssh.fc 2010-02-02 10:31:03.000000000 -0500
@@ -14,3 +14,5 @@
/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
@@ -25347,7 +25623,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
+/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.8/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2010-01-18 15:04:31.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/ssh.if 2010-01-18 15:23:05.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/ssh.if 2010-02-02 10:31:03.000000000 -0500
@@ -36,6 +36,7 @@
gen_require(`
attribute ssh_server;
@@ -25496,7 +25772,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
## Delete from the ssh temp files.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.8/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2010-01-18 15:04:31.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/ssh.te 2010-01-18 15:26:09.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/ssh.te 2010-02-02 10:31:03.000000000 -0500
@@ -111,9 +111,10 @@
manage_sock_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
@@ -25632,7 +25908,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
# Relabel and access ptys created by sshd
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.7.8/policy/modules/services/sssd.fc
--- nsaserefpolicy/policy/modules/services/sssd.fc 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/sssd.fc 2010-01-19 10:48:54.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/sssd.fc 2010-02-02 10:31:03.000000000 -0500
@@ -4,6 +4,8 @@
/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
@@ -25644,7 +25920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.7.8/policy/modules/services/sssd.if
--- nsaserefpolicy/policy/modules/services/sssd.if 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/sssd.if 2010-01-22 09:59:38.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/sssd.if 2010-02-02 10:31:03.000000000 -0500
@@ -38,6 +38,25 @@
########################################
@@ -25725,7 +26001,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.8/policy/modules/services/sssd.te
--- nsaserefpolicy/policy/modules/services/sssd.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/sssd.te 2010-01-19 10:48:27.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/sssd.te 2010-02-02 10:31:03.000000000 -0500
@@ -13,6 +13,9 @@
type sssd_initrc_exec_t;
init_script_file(sssd_initrc_exec_t)
@@ -25774,7 +26050,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
dbus_connect_system_bus(sssd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.7.8/policy/modules/services/sysstat.te
--- nsaserefpolicy/policy/modules/services/sysstat.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/sysstat.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/sysstat.te 2010-02-02 10:31:03.000000000 -0500
@@ -19,14 +19,15 @@
# Local policy
#
@@ -25795,7 +26071,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/syss
# get info from /proc
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.7.8/policy/modules/services/telnet.te
--- nsaserefpolicy/policy/modules/services/telnet.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/telnet.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/telnet.te 2010-02-02 10:31:03.000000000 -0500
@@ -85,6 +85,7 @@
remotelogin_domtrans(telnetd_t)
@@ -25806,7 +26082,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln
kerberos_keytab_template(telnetd, telnetd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.if serefpolicy-3.7.8/policy/modules/services/tftp.if
--- nsaserefpolicy/policy/modules/services/tftp.if 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/tftp.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/tftp.if 2010-02-02 10:31:03.000000000 -0500
@@ -2,6 +2,44 @@
########################################
@@ -25854,7 +26130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.7.8/policy/modules/services/tftp.te
--- nsaserefpolicy/policy/modules/services/tftp.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/tftp.te 2010-01-18 18:12:28.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/tftp.te 2010-02-02 10:31:03.000000000 -0500
@@ -50,9 +50,8 @@
manage_files_pattern(tftpd_t, tftpd_var_run_t, tftpd_var_run_t)
files_pid_filetrans(tftpd_t, tftpd_var_run_t, file)
@@ -25868,7 +26144,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp
corenet_all_recvfrom_netlabel(tftpd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.if serefpolicy-3.7.8/policy/modules/services/tgtd.if
--- nsaserefpolicy/policy/modules/services/tgtd.if 2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/tgtd.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/tgtd.if 2010-02-02 10:31:03.000000000 -0500
@@ -9,3 +9,20 @@
##
##
@@ -25892,7 +26168,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.te serefpolicy-3.7.8/policy/modules/services/tgtd.te
--- nsaserefpolicy/policy/modules/services/tgtd.te 2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/tgtd.te 2010-01-26 08:47:40.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/tgtd.te 2010-02-02 10:31:03.000000000 -0500
@@ -60,7 +60,7 @@
files_read_etc_files(tgtd_t)
@@ -25904,7 +26180,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.7.8/policy/modules/services/tor.te
--- nsaserefpolicy/policy/modules/services/tor.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/tor.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/tor.te 2010-02-02 10:31:03.000000000 -0500
@@ -6,6 +6,14 @@
# Declarations
#
@@ -25938,7 +26214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.7.8/policy/modules/services/tuned.te
--- nsaserefpolicy/policy/modules/services/tuned.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/tuned.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/tuned.te 2010-02-02 10:31:03.000000000 -0500
@@ -27,6 +27,7 @@
files_pid_filetrans(tuned_t, tuned_var_run_t, file)
@@ -25947,9 +26223,108 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tune
kernel_read_system_state(tuned_t)
kernel_read_network_state(tuned_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.7.8/policy/modules/services/usbmuxd.fc
+--- nsaserefpolicy/policy/modules/services/usbmuxd.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/usbmuxd.fc 2010-02-02 10:31:03.000000000 -0500
+@@ -0,0 +1,4 @@
++
++/usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0)
++
++/var/run/usbmuxd -s gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
+\ No newline at end of file
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.if serefpolicy-3.7.8/policy/modules/services/usbmuxd.if
+--- nsaserefpolicy/policy/modules/services/usbmuxd.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/usbmuxd.if 2010-02-02 10:31:03.000000000 -0500
+@@ -0,0 +1,39 @@
++## Daemon for communicating with Apple's iPod Touch and iPhone
++
++########################################
++##
++## Execute a domain transition to run usbmuxd.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`usbmuxd_domtrans',`
++ gen_require(`
++ type usbmuxd_t, usbmuxd_exec_t;
++ ')
++
++ domtrans_pattern($1, usbmuxd_exec_t, usbmuxd_t)
++')
++
++#####################################
++##
++## Connect to usbmuxd over a unix domain
++## stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`usbmuxd_stream_connect',`
++ gen_require(`
++ type usbmuxd_t, usbmuxd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.te serefpolicy-3.7.8/policy/modules/services/usbmuxd.te
+--- nsaserefpolicy/policy/modules/services/usbmuxd.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/usbmuxd.te 2010-02-02 10:31:03.000000000 -0500
+@@ -0,0 +1,43 @@
++policy_module(usbmuxd,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type usbmuxd_t;
++type usbmuxd_exec_t;
++application_domain(usbmuxd_t, usbmuxd_exec_t)
++
++type usbmuxd_var_run_t;
++files_pid_file(usbmuxd_var_run_t)
++
++permissive usbmuxd_t;
++
++########################################
++#
++# usbmuxd local policy
++#
++
++allow usbmuxd_t self:capability { kill setgid setuid };
++allow usbmuxd_t self:process { fork };
++
++# Init script handling
++domain_use_interactive_fds(usbmuxd_t)
++
++# internal communication is often done using fifo and unix sockets.
++allow usbmuxd_t self:fifo_file rw_fifo_file_perms;
++allow usbmuxd_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
++manage_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
++manage_sock_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
++files_pid_filetrans(usbmuxd_t, usbmuxd_var_run_t, { file dir sock_file })
++
++files_read_etc_files(usbmuxd_t)
++
++miscfiles_read_localization(usbmuxd_t)
++
++auth_use_nsswitch(usbmuxd_t)
++
++logging_send_syslog_msg(usbmuxd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.7.8/policy/modules/services/uucp.te
--- nsaserefpolicy/policy/modules/services/uucp.te 2010-01-11 09:40:36.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/uucp.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/uucp.te 2010-02-02 10:31:03.000000000 -0500
@@ -1,5 +1,5 @@
-policy_module(uucp, 1.10.1)
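Review bot: `permissive usbmuxd_t;` in the new usbmuxd.te leaves the whole domain unenforced, so the `allow` rules after it only affect what is logged and the daemon is not confined by this module. The rule set also looks incomplete for enforcing mode (no USB device access is visible in the added lines), and the permissive flag will hide that until someone reads the AVC log. I would add a comment above the statement, `# TODO: drop permissive once usbmuxd AVC denials are reviewed and the missing rules added`, and track its removal. The type is declared with `application_domain(...)` although the comments describe a daemon, and no caller of `usbmuxd_domtrans` appears in this hunk, so it is worth confirming how a process is expected to enter usbmuxd_t.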
@@ -25976,7 +26351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.fc serefpolicy-3.7.8/policy/modules/services/vhostmd.fc
--- nsaserefpolicy/policy/modules/services/vhostmd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/vhostmd.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/vhostmd.fc 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,6 @@
+
+/usr/sbin/vhostmd -- gen_context(system_u:object_r:vhostmd_exec_t,s0)
@@ -25986,7 +26361,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.7.8/policy/modules/services/vhostmd.if
--- nsaserefpolicy/policy/modules/services/vhostmd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/vhostmd.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/vhostmd.if 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,228 @@
+
+## policy for vhostmd
@@ -26218,7 +26593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.7.8/policy/modules/services/vhostmd.te
--- nsaserefpolicy/policy/modules/services/vhostmd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/vhostmd.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/vhostmd.te 2010-02-02 10:31:03.000000000 -0500
@@ -0,0 +1,84 @@
+
+policy_module(vhostmd,1.0.0)
@@ -26306,7 +26681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.8/policy/modules/services/virt.fc
--- nsaserefpolicy/policy/modules/services/virt.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/virt.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/virt.fc 2010-02-02 10:31:03.000000000 -0500
@@ -4,9 +4,26 @@
/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
@@ -26336,7 +26711,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.8/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/virt.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/virt.if 2010-02-02 10:31:03.000000000 -0500
@@ -136,7 +136,7 @@
')
@@ -26592,7 +26967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.8/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/virt.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/virt.te 2010-02-02 10:31:03.000000000 -0500
@@ -8,6 +8,13 @@
##
@@ -27017,7 +27392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.7.8/policy/modules/services/w3c.te
--- nsaserefpolicy/policy/modules/services/w3c.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/w3c.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/w3c.te 2010-02-02 10:31:03.000000000 -0500
@@ -8,11 +8,18 @@
apache_content_template(w3c_validator)
@@ -27039,7 +27414,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.
corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.8/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/xserver.fc 2010-01-28 08:44:25.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/xserver.fc 2010-02-02 10:31:03.000000000 -0500
@@ -3,12 +3,21 @@
#
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
@@ -27101,7 +27476,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
ifdef(`distro_debian', `
-@@ -89,17 +94,40 @@
+@@ -89,17 +94,42 @@
/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
@@ -27132,6 +27507,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/slim\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/lxdm(/*.)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+
+/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
+/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0)
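Review bot: The added entry `/var/run/lxdm(/*.)?` has its regex characters transposed. `/*.` matches any number of slashes followed by exactly one character, so a path such as `/var/run/lxdm/<name>` with a name longer than one character is not labelled xdm_var_run_t by this line and presumably falls back to a broader /var/run context. Every sibling entry in the hunk uses `(/.*)?`, so the line should read `/var/run/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)`. Systems that already created the directory need a `restorecon -R /var/run/lxdm` after the corrected policy is installed.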
@@ -27147,7 +27524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.8/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/xserver.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/xserver.if 2010-02-02 10:31:03.000000000 -0500
@@ -19,7 +19,7 @@
interface(`xserver_restricted_role',`
gen_require(`
@@ -27611,7 +27988,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.8/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/xserver.te 2010-01-28 08:43:20.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/xserver.te 2010-02-02 10:31:03.000000000 -0500
@@ -36,6 +36,13 @@
##
@@ -27774,7 +28151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(iceauth_t)
-@@ -250,30 +274,49 @@
+@@ -250,30 +274,52 @@
fs_manage_cifs_files(iceauth_t)
')
@@ -27816,19 +28193,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
-userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
-
domain_use_interactive_fds(xauth_t)
++domain_dontaudit_leaks(xauth_t)
files_read_etc_files(xauth_t)
+files_read_usr_files(xauth_t)
files_search_pids(xauth_t)
+files_dontaudit_getattr_all_dirs(xauth_t)
++files_dontaudit_leaks(xauth_t)
+files_var_lib_filetrans(xauth_t, xauth_home_t, file)
-fs_getattr_xattr_fs(xauth_t)
++fs_dontaudit_leaks(xauth_t)
+fs_getattr_all_fs(xauth_t)
fs_search_auto_mountpoints(xauth_t)
# cjp: why?
-@@ -283,6 +326,14 @@
+@@ -283,6 +329,14 @@
userdom_use_user_terminals(xauth_t)
userdom_read_user_tmp_files(xauth_t)
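Review bot: The three `*_dontaudit_leaks(xauth_t)` calls added here silence denials without a comment saying which parent leaks descriptors into xauth_t, and the same trio is added for hostname_t in the hostname.te section further down. Their definitions are outside this hunk, so the classes they cover cannot be checked here, but dontaudit rules in general remove the AVC records that would reveal an unexpected inherited descriptor. I would add a one-line comment above each group, for example `# leaked fds from <parent domain>; drop once the parent sets close-on-exec`, and reference the bug report that motivated it. The xauth_t rule block starts before and continues after this hunk.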
@@ -27843,7 +28223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_rw_xdm_tmp_files(xauth_t)
-@@ -294,6 +345,15 @@
+@@ -294,6 +348,15 @@
fs_manage_cifs_files(xauth_t)
')
@@ -27859,7 +28239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
optional_policy(`
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
-@@ -305,20 +365,31 @@
+@@ -305,20 +368,31 @@
# XDM Local policy
#
@@ -27894,7 +28274,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
-@@ -334,22 +405,40 @@
+@@ -334,22 +408,40 @@
manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
@@ -27938,7 +28318,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xdm_t xserver_t:process signal;
allow xdm_t xserver_t:unix_stream_socket connectto;
-@@ -363,6 +452,7 @@
+@@ -363,6 +455,7 @@
allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
allow xdm_t xserver_t:shm rw_shm_perms;
@@ -27946,7 +28326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -371,10 +461,14 @@
+@@ -371,10 +464,14 @@
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -27962,7 +28342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
kernel_read_system_state(xdm_t)
kernel_read_kernel_sysctls(xdm_t)
-@@ -394,11 +488,13 @@
+@@ -394,11 +491,13 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -27976,7 +28356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_read_rand(xdm_t)
dev_read_sysfs(xdm_t)
dev_getattr_framebuffer_dev(xdm_t)
-@@ -406,6 +502,7 @@
+@@ -406,6 +505,7 @@
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
@@ -27984,7 +28364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
-@@ -414,18 +511,21 @@
+@@ -414,18 +514,21 @@
dev_getattr_misc_dev(xdm_t)
dev_setattr_misc_dev(xdm_t)
dev_dontaudit_rw_misc(xdm_t)
@@ -28009,7 +28389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -436,9 +536,15 @@
+@@ -436,9 +539,15 @@
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -28025,7 +28405,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -447,6 +553,7 @@
+@@ -447,6 +556,7 @@
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -28033,7 +28413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
term_setattr_console(xdm_t)
term_use_unallocated_ttys(xdm_t)
-@@ -455,6 +562,7 @@
+@@ -455,6 +565,7 @@
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t)
@@ -28041,7 +28421,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
-@@ -465,10 +573,12 @@
+@@ -465,10 +576,12 @@
logging_read_generic_logs(xdm_t)
@@ -28056,7 +28436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -477,6 +587,11 @@
+@@ -477,6 +590,11 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -28068,7 +28448,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_rw_session(xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t)
-@@ -509,10 +624,12 @@
+@@ -509,10 +627,12 @@
optional_policy(`
alsa_domtrans(xdm_t)
@@ -28081,7 +28461,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -520,12 +637,49 @@
+@@ -520,12 +640,49 @@
')
optional_policy(`
@@ -28131,7 +28511,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
hostname_exec(xdm_t)
')
-@@ -543,9 +697,42 @@
+@@ -543,9 +700,43 @@
')
optional_policy(`
@@ -28154,6 +28534,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+optional_policy(`
+ pulseaudio_exec(xdm_t)
+ pulseaudio_dbus_chat(xdm_t)
++ pulseaudio_stream_connect(xdm_t)
+')
+
+optional_policy(`
@@ -28174,7 +28555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
optional_policy(`
seutil_sigchld_newrole(xdm_t)
')
-@@ -555,8 +742,9 @@
+@@ -555,8 +746,9 @@
')
optional_policy(`
@@ -28186,7 +28567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -565,7 +753,6 @@
+@@ -565,7 +757,6 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
@@ -28194,7 +28575,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
-@@ -576,6 +763,10 @@
+@@ -576,6 +767,10 @@
')
optional_policy(`
@@ -28205,7 +28586,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xfs_stream_connect(xdm_t)
')
-@@ -600,10 +791,9 @@
+@@ -600,10 +795,9 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -28217,7 +28598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
allow xserver_t self:sock_file read_sock_file_perms;
-@@ -615,6 +805,18 @@
+@@ -615,6 +809,18 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -28236,7 +28617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -634,12 +836,19 @@
+@@ -634,12 +840,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -28258,7 +28639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -673,7 +882,6 @@
+@@ -673,7 +886,6 @@
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -28266,7 +28647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -683,9 +891,12 @@
+@@ -683,9 +895,12 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -28280,7 +28661,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
-@@ -700,8 +911,12 @@
+@@ -700,8 +915,12 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -28293,7 +28674,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -723,6 +938,7 @@
+@@ -723,6 +942,7 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -28301,7 +28682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
modutils_domtrans_insmod(xserver_t)
-@@ -779,12 +995,20 @@
+@@ -779,12 +999,20 @@
')
optional_policy(`
@@ -28323,7 +28704,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
unconfined_domtrans(xserver_t)
')
-@@ -811,7 +1035,7 @@
+@@ -811,7 +1039,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@@ -28332,7 +28713,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -832,9 +1056,14 @@
+@@ -832,9 +1060,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -28347,7 +28728,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
-@@ -849,11 +1078,14 @@
+@@ -849,11 +1082,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -28364,7 +28745,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -1000,17 +1232,32 @@
+@@ -1000,17 +1236,32 @@
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -28411,7 +28792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.if serefpolicy-3.7.8/policy/modules/services/zebra.if
--- nsaserefpolicy/policy/modules/services/zebra.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/zebra.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/zebra.if 2010-02-02 10:31:03.000000000 -0500
@@ -24,6 +24,26 @@
########################################
@@ -28441,7 +28822,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebr
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.7.8/policy/modules/system/application.te
--- nsaserefpolicy/policy/modules/system/application.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/application.te 2010-01-21 15:16:58.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/application.te 2010-02-02 10:31:03.000000000 -0500
@@ -7,6 +7,13 @@
# Executables to be run by user
attribute application_exec_type;
@@ -28458,7 +28839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic
ssh_rw_stream_sockets(application_domain_type)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.7.8/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/authlogin.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/authlogin.fc 2010-02-02 10:31:03.000000000 -0500
@@ -7,12 +7,10 @@
/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
@@ -28486,7 +28867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.8/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/authlogin.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/authlogin.if 2010-02-02 10:31:03.000000000 -0500
@@ -40,17 +40,76 @@
##
##
@@ -28804,7 +29185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.7.8/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/authlogin.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/authlogin.te 2010-02-02 10:31:03.000000000 -0500
@@ -103,8 +103,10 @@
fs_dontaudit_getattr_xattr_fs(chkpwd_t)
@@ -28837,7 +29218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
# PAM local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.7.8/policy/modules/system/fstools.fc
--- nsaserefpolicy/policy/modules/system/fstools.fc 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/fstools.fc 2010-01-27 09:25:00.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/fstools.fc 2010-02-02 10:31:03.000000000 -0500
@@ -1,4 +1,3 @@
-/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -28857,7 +29238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.7.8/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/fstools.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/fstools.te 2010-02-02 10:31:03.000000000 -0500
@@ -118,6 +118,8 @@
fs_search_tmpfs(fsadm_t)
fs_getattr_tmpfs_dirs(fsadm_t)
@@ -28879,7 +29260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.7.8/policy/modules/system/getty.te
--- nsaserefpolicy/policy/modules/system/getty.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/getty.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/getty.te 2010-02-02 10:31:03.000000000 -0500
@@ -56,11 +56,10 @@
manage_files_pattern(getty_t, getty_var_run_t, getty_var_run_t)
files_pid_filetrans(getty_t, getty_var_run_t, file)
@@ -28895,9 +29276,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.
dev_read_sysfs(getty_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.7.8/policy/modules/system/hostname.te
+--- nsaserefpolicy/policy/modules/system/hostname.te 2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.7.8/policy/modules/system/hostname.te 2010-02-02 10:31:03.000000000 -0500
+@@ -27,15 +27,18 @@
+
+ dev_read_sysfs(hostname_t)
+
++domain_dontaudit_leaks(hostname_t)
+ domain_use_interactive_fds(hostname_t)
+
+ files_read_etc_files(hostname_t)
++files_dontaudit_leaks(hostname_t)
+ files_dontaudit_search_var(hostname_t)
+ # for when /usr is not mounted:
+ files_dontaudit_search_isid_type_dirs(hostname_t)
+
+ fs_getattr_xattr_fs(hostname_t)
+ fs_search_auto_mountpoints(hostname_t)
++fs_dontaudit_leaks(hostname_t)
+ fs_dontaudit_use_tmpfs_chr_dev(hostname_t)
+
+ term_dontaudit_use_console(hostname_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.7.8/policy/modules/system/hotplug.te
--- nsaserefpolicy/policy/modules/system/hotplug.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/hotplug.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/hotplug.te 2010-02-02 10:31:03.000000000 -0500
@@ -125,6 +125,10 @@
')
@@ -28911,7 +29314,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.7.8/policy/modules/system/init.fc
--- nsaserefpolicy/policy/modules/system/init.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/init.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/init.fc 2010-02-02 10:31:03.000000000 -0500
@@ -4,10 +4,10 @@
/etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
@@ -28937,7 +29340,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
# /var
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.8/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/init.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/init.if 2010-02-02 10:45:19.000000000 -0500
@@ -162,6 +162,7 @@
gen_require(`
attribute direct_run_init, direct_init, direct_init_entry;
@@ -29037,7 +29440,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
')
-@@ -646,19 +685,39 @@
+@@ -646,23 +685,43 @@
#
interface(`init_domtrans_script',`
gen_require(`
@@ -29058,11 +29461,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
ifdef(`enable_mls',`
- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
-+ ')
-+')
-+
-+########################################
-+##
+ ')
+ ')
+
+ ########################################
+ ##
+## Execute a file in a bin directory
+## in the initrc_t domain
+##
@@ -29075,12 +29478,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+interface(`init_bin_domtrans_spec',`
+ gen_require(`
+ type initrc_t;
- ')
++ ')
+
+ corecmd_bin_domtrans($1, initrc_t)
- ')
-
- ########################################
++')
++
++########################################
++##
+ ## Execute a init script in a specified domain.
+ ##
+ ##
@@ -923,6 +982,24 @@
allow $1 init_script_file_type:file read_file_perms;
')
@@ -29141,7 +29548,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
## Create files in a init script
## temporary data directory.
##
-@@ -1540,3 +1636,51 @@
+@@ -1540,3 +1636,75 @@
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -29193,9 +29600,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+ allow $1 init_t:unix_dgram_socket sendto;
+ allow init_t $1:unix_dgram_socket sendto;
+')
++
++########################################
++##
++## dontaudit read and write an leaked init scrip file descriptors
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`init_dontaudit_script_leaks',`
++ gen_require(`
++ type initrc_t;
++ ')
++
++ dontaudit $1 initrc_t:tcp_socket { read write };
++ dontaudit $1 initrc_t:unix_dgram_socket { read write };
++ dontaudit $1 initrc_t:unix_stream_socket { read write };
++ dontaudit $1 initrc_t:shm rw_shm_perms;
++ init_dontaudit_use_script_ptys($1)
++ init_dontaudit_use_script_fds($1)
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.8/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/init.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/init.te 2010-02-02 10:31:03.000000000 -0500
@@ -17,6 +17,20 @@
##
gen_tunable(init_upstart, false)
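Review bot: The summary line of the new `init_dontaudit_script_leaks` interface is garbled (`dontaudit read and write an leaked init scrip file descriptors`) and understates what the interface covers. Besides the fd and pty helpers, the body also silences read/write on initrc_t tcp, unix_dgram and unix_stream sockets and `rw_shm_perms` on its shm. I would reword it to `Do not audit attempts to read and write leaked init script file descriptors, sockets and shared memory.` Callers lose the AVC records for all of those classes, so the description should let a policy author see that scope without reading the body.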
@@ -29801,7 +30232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.7.8/policy/modules/system/ipsec.fc
--- nsaserefpolicy/policy/modules/system/ipsec.fc 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/ipsec.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/ipsec.fc 2010-02-02 10:31:03.000000000 -0500
@@ -37,6 +37,8 @@
/var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
@@ -29814,7 +30245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
-/var/run/racoon.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.7.8/policy/modules/system/ipsec.if
--- nsaserefpolicy/policy/modules/system/ipsec.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/ipsec.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/ipsec.if 2010-02-02 10:31:03.000000000 -0500
@@ -39,6 +39,25 @@
########################################
@@ -29934,7 +30365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.8/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/ipsec.te 2010-01-27 11:40:13.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/ipsec.te 2010-02-02 10:31:03.000000000 -0500
@@ -29,9 +29,15 @@
type ipsec_key_file_t;
files_type(ipsec_key_file_t)
@@ -30059,7 +30490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
+userdom_read_user_tmp_files(setkey_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.7.8/policy/modules/system/iptables.fc
--- nsaserefpolicy/policy/modules/system/iptables.fc 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/iptables.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/iptables.fc 2010-02-02 10:31:03.000000000 -0500
@@ -1,13 +1,16 @@
/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
@@ -30082,7 +30513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.8/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/iptables.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/iptables.te 2010-02-02 10:31:03.000000000 -0500
@@ -14,9 +14,6 @@
type iptables_initrc_exec_t;
init_script_file(iptables_initrc_exec_t)
@@ -30108,7 +30539,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
files_pid_filetrans(iptables_t, iptables_var_run_t, file)
-@@ -63,6 +61,7 @@
+@@ -53,6 +51,7 @@
+ kernel_use_fds(iptables_t)
+
+ corenet_relabelto_all_packets(iptables_t)
++corenet_dontaudit_rw_tun_tap_dev(iptables_t)
+
+ dev_read_sysfs(iptables_t)
+
+@@ -63,6 +62,7 @@
mls_file_read_all_levels(iptables_t)
term_dontaudit_use_console(iptables_t)
@@ -30116,7 +30555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
domain_use_interactive_fds(iptables_t)
-@@ -89,6 +88,7 @@
+@@ -89,6 +89,7 @@
optional_policy(`
fail2ban_append_log(iptables_t)
@@ -30124,7 +30563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
')
optional_policy(`
-@@ -122,5 +122,10 @@
+@@ -122,5 +123,10 @@
')
optional_policy(`
@@ -30137,19 +30576,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.7.8/policy/modules/system/iscsi.fc
--- nsaserefpolicy/policy/modules/system/iscsi.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/iscsi.fc 2010-01-18 15:18:03.000000000 -0500
-@@ -1,4 +1,6 @@
++++ serefpolicy-3.7.8/policy/modules/system/iscsi.fc 2010-02-02 10:31:03.000000000 -0500
+@@ -1,5 +1,10 @@
-/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
-+
+
+-/var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0)
+/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
-
- /var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0)
++
++/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_lock_t,s0)
/var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0)
++
++/var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0)
++
+ /var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.7.8/policy/modules/system/iscsi.te
--- nsaserefpolicy/policy/modules/system/iscsi.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/iscsi.te 2010-01-18 15:18:03.000000000 -0500
-@@ -35,10 +35,13 @@
++++ serefpolicy-3.7.8/policy/modules/system/iscsi.te 2010-02-02 10:31:03.000000000 -0500
+@@ -14,6 +14,9 @@
+ type iscsi_lock_t;
+ files_lock_file(iscsi_lock_t)
+
++type iscsid_log_t;
++logging_log_file(iscsid_log_t)
++
+ type iscsi_tmp_t;
+ files_tmp_file(iscsi_tmp_t)
+
+@@ -35,16 +38,22 @@
allow iscsid_t self:unix_dgram_socket create_socket_perms;
allow iscsid_t self:sem create_sem_perms;
allow iscsid_t self:shm create_shm_perms;
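Review bot: The new file-context entry `/var/log/brcm-iscsi\.log` is labelled `iscsi_lock_t`, although this same hunk declares `iscsid_log_t` with `logging_log_file()` and the following hunk adds `manage_files_pattern` and `logging_log_filetrans` rules for that type. As written, a relabel would give the log the lock-file type while a file created at runtime would presumably get iscsid_log_t, so the two disagree and the log is not treated as a log file by domains that read logs. The entry should be `/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsid_log_t,s0)`. The new type name also departs from the `iscsi_*_t` naming of the other types visible in this module; `iscsi_log_t` would be consistent if nothing else depends on the name.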
@@ -30164,7 +30618,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t)
files_lock_filetrans(iscsid_t, iscsi_lock_t, file)
-@@ -54,6 +57,7 @@
+-allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
+-allow iscsid_t iscsi_tmp_t:file manage_file_perms;
+-fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, file )
++manage_files_pattern(iscsid_t, iscsid_log_t, iscsid_log_t)
++logging_log_filetrans(iscsid_t, iscsid_log_t, file)
++
++manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
++manage_files_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
++fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, { dir file } )
+
+ allow iscsid_t iscsi_var_lib_t:dir list_dir_perms;
+ read_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
+@@ -54,6 +63,7 @@
manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t)
files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
@@ -30172,7 +30638,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
kernel_read_system_state(iscsid_t)
kernel_search_debugfs(iscsid_t)
-@@ -67,13 +71,21 @@
+@@ -67,13 +77,21 @@
corenet_tcp_connect_isns_port(iscsid_t)
dev_rw_sysfs(iscsid_t)
@@ -30196,7 +30662,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.8/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/libraries.fc 2010-01-26 15:36:44.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/libraries.fc 2010-02-02 10:31:03.000000000 -0500
@@ -60,12 +60,15 @@
#
# /opt
@@ -30550,10 +31016,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
+
+/opt/Unify/SQLBase/libgptsblmsui11\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
-+/opt/real/RealPlayer/plugins/oggfformat\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/real/RealPlayer/plugins(/.*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.8/policy/modules/system/libraries.if
--- nsaserefpolicy/policy/modules/system/libraries.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/libraries.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/libraries.if 2010-02-02 10:31:03.000000000 -0500
@@ -17,6 +17,7 @@
corecmd_search_bin($1)
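Review bot: Replacing the single `oggfformat\.so` entry with `/opt/real/RealPlayer/plugins(/.*)? --` labels every regular file under that directory `textrel_shlib_t`, not only shared objects. That type exists to permit text relocations, so the wider pattern extends the relaxation to any file that ends up in the directory. A narrower pattern such as `/opt/real/RealPlayer/plugins/.*\.so(\.[^/]*)* --` would cover the plugins without including non-library files, provided all plugins there follow the `.so` naming.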
@@ -30582,7 +31048,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.7.8/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/libraries.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/libraries.te 2010-02-02 10:31:03.000000000 -0500
@@ -58,11 +58,11 @@
# ldconfig local policy
#
@@ -30646,7 +31112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.7.8/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/locallogin.te 2010-01-21 08:29:33.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/locallogin.te 2010-02-02 10:31:03.000000000 -0500
@@ -33,7 +33,7 @@
# Local login local policy
#
@@ -30744,8 +31210,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.7.8/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/logging.fc 2010-01-18 15:18:03.000000000 -0500
-@@ -51,17 +51,21 @@
++++ serefpolicy-3.7.8/policy/modules/system/logging.fc 2010-02-02 10:31:03.000000000 -0500
+@@ -51,17 +51,22 @@
ifdef(`distro_redhat',`
/var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0)
@@ -30771,9 +31237,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
++/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.7.8/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2009-08-28 14:58:20.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/logging.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/logging.if 2010-02-02 10:31:03.000000000 -0500
@@ -69,6 +69,20 @@
########################################
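Review bot: The added `/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)` entry in logging.fc has no file-type specifier and matches the whole tree, so every object under /var/webmin is labelled var_log_t, not only the log files. Any domain allowed to read or manage generic logs would then reach whatever else is stored there. If the directory holds non-log state (not visible from this hunk), restrict the pattern to the log files, for example `/var/webmin/[^/]*\.log.* -- gen_context(system_u:object_r:var_log_t,s0)`, adjusted to the real file names. If it is log-only, say so in a comment such as `# /var/webmin is used by Webmin for logs only`.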
@@ -30817,7 +31284,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.8/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/logging.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/logging.te 2010-02-02 10:31:03.000000000 -0500
@@ -123,10 +123,10 @@
allow auditd_t self:capability { chown fsetid sys_nice sys_resource };
@@ -30914,7 +31381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
-@@ -461,6 +481,10 @@
+@@ -461,10 +481,18 @@
')
optional_policy(`
@@ -30925,9 +31392,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
inn_manage_log(syslogd_t)
')
+ optional_policy(`
++ mysql_stream_connect(syslogd_t)
++')
++
++optional_policy(`
+ postgresql_stream_connect(syslogd_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.8/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/lvm.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/lvm.te 2010-02-02 10:31:03.000000000 -0500
@@ -142,6 +142,10 @@
')
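Review bot: The new `optional_policy` block with `mysql_stream_connect(syslogd_t)` in logging.te lets the syslog daemon connect to the MySQL socket whenever the mysql module is installed, with no boolean and no comment giving the reason. The context lines show syslogd_t also holds UDP and TCP sockets, so a domain that parses network input gains a path to the database server. The reason is presumably a database output plugin; if so, add a comment such as `# syslog database output writes to the local mysql socket`. Consider placing this block and the existing `postgresql_stream_connect(syslogd_t)` block behind a tunable that is off by default.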
@@ -30968,7 +31443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.7.8/policy/modules/system/miscfiles.fc
--- nsaserefpolicy/policy/modules/system/miscfiles.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/miscfiles.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/miscfiles.fc 2010-02-02 10:31:03.000000000 -0500
@@ -42,6 +42,7 @@
/usr/man(/.*)? gen_context(system_u:object_r:man_t,s0)
@@ -30988,7 +31463,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.7.8/policy/modules/system/miscfiles.if
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/miscfiles.if 2010-01-18 17:31:02.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/miscfiles.if 2010-02-02 10:31:03.000000000 -0500
@@ -73,7 +73,8 @@
#
interface(`miscfiles_read_fonts',`
@@ -31083,7 +31558,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.7.8/policy/modules/system/miscfiles.te
--- nsaserefpolicy/policy/modules/system/miscfiles.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/miscfiles.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/miscfiles.te 2010-02-02 10:31:03.000000000 -0500
@@ -19,6 +19,9 @@
type fonts_t;
files_type(fonts_t)
@@ -31096,7 +31571,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.8/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/modutils.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/modutils.te 2010-02-02 10:31:03.000000000 -0500
@@ -19,6 +19,7 @@
type insmod_exec_t;
application_domain(insmod_t, insmod_exec_t)
@@ -31188,7 +31663,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.7.8/policy/modules/system/mount.fc
--- nsaserefpolicy/policy/modules/system/mount.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/mount.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/mount.fc 2010-02-02 10:31:03.000000000 -0500
@@ -1,4 +1,9 @@
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
@@ -31202,7 +31677,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.7.8/policy/modules/system/mount.if
--- nsaserefpolicy/policy/modules/system/mount.if 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/mount.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/mount.if 2010-02-02 10:31:03.000000000 -0500
@@ -16,6 +16,7 @@
')
@@ -31292,7 +31767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.8/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/mount.te 2010-01-25 10:51:48.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/mount.te 2010-02-02 10:31:03.000000000 -0500
@@ -18,8 +18,15 @@
init_system_domain(mount_t, mount_exec_t)
role system_r types mount_t;
@@ -31421,15 +31896,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
logging_send_syslog_msg(mount_t)
-@@ -117,6 +155,7 @@
+@@ -117,6 +155,8 @@
seutil_read_config(mount_t)
userdom_use_all_users_fds(mount_t)
+userdom_manage_user_home_content_dirs(mount_t)
++userdom_read_user_home_content_symlinks(mount_t)
ifdef(`distro_redhat',`
optional_policy(`
-@@ -132,10 +171,17 @@
+@@ -132,10 +172,17 @@
')
')
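Review bot: The added `userdom_read_user_home_content_symlinks(mount_t)` in mount.te gives mount_t read access to symlinks that users create in their own home directories, on top of the existing `userdom_manage_user_home_content_dirs(mount_t)`. mount normally runs with more privilege than the calling user, so a path that resolves through a user-controlled link is worth a stated justification. Add a comment naming the case that needs it, for example `# mount points under $HOME may be reached through a symlink`. If the rule only quiets denials, a dontaudit rule would be the narrower choice. The surrounding block of mount.te continues outside this hunk.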
@@ -31447,7 +31923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
optional_policy(`
-@@ -165,6 +211,8 @@
+@@ -165,6 +212,8 @@
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -31456,7 +31932,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
optional_policy(`
-@@ -172,6 +220,25 @@
+@@ -172,6 +221,25 @@
')
optional_policy(`
@@ -31482,7 +31958,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -179,6 +246,11 @@
+@@ -179,6 +247,11 @@
')
')
@@ -31494,7 +31970,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
# for kernel package installation
optional_policy(`
rpm_rw_pipes(mount_t)
-@@ -186,6 +258,11 @@
+@@ -186,6 +259,15 @@
optional_policy(`
samba_domtrans_smbmount(mount_t)
@@ -31502,11 +31978,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+')
+
+optional_policy(`
++ usbmuxd_stream_connect(mount_t)
++')
++
++optional_policy(`
+ vmware_exec_host(mount_t)
')
########################################
-@@ -195,5 +272,9 @@
+@@ -195,5 +277,9 @@
optional_policy(`
files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
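Review bot: Nothing in the added `optional_policy` block with `usbmuxd_stream_connect(mount_t)` says why mount needs the usbmuxd socket. Going by the module description added in the same commit ("Daemon for communicating with Apple's iPod Touch and iPhone"), this is presumably for a mount helper that reaches the device through the daemon. A one-line comment such as `# mount helper for Apple devices talks to usbmuxd` would record that. The interface definition is not visible in this part of the patch, so confirm that it grants only the stream connect on the daemon's socket and nothing on its other files.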
@@ -31519,7 +31999,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.7.8/policy/modules/system/raid.te
--- nsaserefpolicy/policy/modules/system/raid.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/raid.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/raid.te 2010-02-02 10:31:03.000000000 -0500
@@ -51,11 +51,13 @@
dev_dontaudit_getattr_generic_chr_files(mdadm_t)
dev_dontaudit_getattr_generic_blk_files(mdadm_t)
@@ -31536,7 +32016,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t
fs_dontaudit_list_tmpfs(mdadm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.7.8/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/selinuxutil.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/selinuxutil.fc 2010-02-02 10:31:03.000000000 -0500
@@ -6,13 +6,13 @@
/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
@@ -31578,7 +32058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.7.8/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/selinuxutil.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/selinuxutil.if 2010-02-02 10:31:03.000000000 -0500
@@ -351,6 +351,27 @@
########################################
@@ -31936,7 +32416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.8/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/selinuxutil.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/selinuxutil.te 2010-02-02 10:31:03.000000000 -0500
@@ -23,6 +23,9 @@
type selinux_config_t;
files_type(selinux_config_t)
@@ -32322,7 +32802,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.7.8/policy/modules/system/sysnetwork.fc
--- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/sysnetwork.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/sysnetwork.fc 2010-02-02 10:31:03.000000000 -0500
@@ -11,15 +11,24 @@
/etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
@@ -32364,7 +32844,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.8/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/sysnetwork.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/sysnetwork.if 2010-02-02 10:31:03.000000000 -0500
@@ -43,6 +43,36 @@
sysnet_domtrans_dhcpc($1)
@@ -32543,7 +33023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.8/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/sysnetwork.te 2010-01-27 11:22:49.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/sysnetwork.te 2010-02-02 10:31:03.000000000 -0500
@@ -20,6 +20,9 @@
init_daemon_domain(dhcpc_t, dhcpc_exec_t)
role system_r types dhcpc_t;
@@ -32769,7 +33249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.7.8/policy/modules/system/udev.if
--- nsaserefpolicy/policy/modules/system/udev.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/udev.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/udev.if 2010-02-02 10:31:03.000000000 -0500
@@ -186,6 +186,7 @@
dev_list_all_dev_nodes($1)
@@ -32780,7 +33260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.8/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/udev.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/udev.te 2010-02-02 10:31:03.000000000 -0500
@@ -50,6 +50,7 @@
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -32830,7 +33310,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
xen_manage_log(udev_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.7.8/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/unconfined.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/unconfined.fc 2010-02-02 10:31:03.000000000 -0500
@@ -1,16 +1 @@
# Add programs here which should not be confined by SELinux
-# e.g.:
@@ -32850,7 +33330,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.7.8/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/unconfined.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/unconfined.if 2010-02-02 10:31:03.000000000 -0500
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@@ -33357,7 +33837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.7.8/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/unconfined.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/unconfined.te 2010-02-02 10:31:03.000000000 -0500
@@ -5,227 +5,5 @@
#
# Declarations
@@ -33589,7 +34069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.8/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/userdomain.fc 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/userdomain.fc 2010-02-02 10:31:03.000000000 -0500
@@ -1,4 +1,11 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
@@ -33605,7 +34085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+HOME_DIR/\.gvfs(/.*)? <>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/userdomain.if 2010-01-27 11:14:58.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/userdomain.if 2010-02-02 10:31:03.000000000 -0500
@@ -30,8 +30,9 @@
')
@@ -35988,7 +36468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.8/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/userdomain.te 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/userdomain.te 2010-02-02 10:31:03.000000000 -0500
@@ -8,13 +8,6 @@
##
@@ -36079,7 +36559,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+allow userdomain userdomain:process signull;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.7.8/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/xen.if 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/xen.if 2010-02-02 10:31:03.000000000 -0500
@@ -180,6 +180,25 @@
########################################
@@ -36108,7 +36588,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.8/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/xen.te 2010-01-25 11:49:09.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/xen.te 2010-02-02 10:31:03.000000000 -0500
@@ -85,6 +85,7 @@
type xenconsoled_t;
type xenconsoled_exec_t;
@@ -36188,13 +36668,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
files_search_mnt(xend_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.8/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/support/obj_perm_sets.spt 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/support/obj_perm_sets.spt 2010-02-02 10:31:03.000000000 -0500
@@ -28,7 +28,7 @@
#
# All socket classes.
#
-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }')
-+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
++define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
#
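Review bot: Adding the generic `socket` class to `socket_class_set` in obj_perm_sets.spt changes every rule in the policy that expands this macro, not just one domain. The generic class covers sockets of address families that have no dedicated class, so each allow rule written over the set now also grants its permissions on those sockets. That is consistent with the "All socket classes." header, but the allow rules that use the set should be listed and checked before this lands. A comment above the define would make the scope explicit, for example `# includes the generic socket class (families without their own class)`.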
@@ -36252,7 +36732,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets
+define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.7.8/policy/users
--- nsaserefpolicy/policy/users 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.8/policy/users 2010-01-18 15:18:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/users 2010-02-02 10:31:03.000000000 -0500
@@ -6,7 +6,7 @@
#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 947f49e..c0c05c8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.8
-Release: 5%{?dist}
+Release: 6%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -284,8 +284,6 @@ else
# if first time update booleans.local needs to be copied to sandbox
[ -f /etc/selinux/${SELINUXTYPE}/booleans.local ] && mv /etc/selinux/${SELINUXTYPE}/booleans.local /etc/selinux/targeted/modules/active/
[ -f /etc/selinux/${SELINUXTYPE}/seusers ] && cp -f /etc/selinux/${SELINUXTYPE}/seusers /etc/selinux/${SELINUXTYPE}/modules/active/seusers
- grep -q "^SETLOCALDEFS" /etc/selinux/config || echo -n "
-">> /etc/selinux/config
fi
exit 0
@@ -459,6 +457,9 @@ exit 0
%endif
%changelog
+* Mon Feb 1 2010 Dan Walsh 3.7.8-6
+- Lots of fixes found in F12
+
* Thu Jan 27 2010 Dan Walsh 3.7.8-5
- Fix rpm_dontaudit_leaks
diff --git a/sources b/sources
index d1a2e3f..3b5d2a7 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-3651679c4b12a31d2ba5f4305bba5540 config.tgz
6ed233bfd5c6a20877d98e74f967ce0f serefpolicy-3.7.8.tgz
+4c7d323036f1662a06a7a4f2a7da57a5 config.tgz