diff --git a/.cvsignore b/.cvsignore index 332097b..1ecab65 100644 --- a/.cvsignore +++ b/.cvsignore @@ -148,3 +148,4 @@ serefpolicy-3.5.3.tgz serefpolicy-3.5.4.tgz serefpolicy-3.5.5.tgz serefpolicy-3.5.6.tgz +serefpolicy-3.5.7.tgz diff --git a/modules-targeted.conf b/modules-targeted.conf index 29d0c88..c80fba3 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -278,13 +278,6 @@ cvs = base cyphesis = module # Layer: services -# Module: gamin -# -# FAM File Alteration Monitor API -# -gamin = module - -# Layer: services # Module: cyrus # # Cyrus is an IMAP service intended to be run on sealed servers diff --git a/policy-20080710.patch b/policy-20080710.patch index c0baf8c..5c2066d 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -1,6 +1,6 @@ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.5.6/Makefile +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.5.7/Makefile --- nsaserefpolicy/Makefile 2008-08-07 11:15:00.000000000 -0400 -+++ serefpolicy-3.5.6/Makefile 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/Makefile 2008-09-08 10:19:44.000000000 -0400 @@ -311,20 +311,22 @@ # parse-rolemap modulename,outputfile @@ -45,9 +45,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Mak $(appdir)/%: $(appconf)/% @mkdir -p $(appdir) $(verbose) $(INSTALL) -m 644 $< $@ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.5.6/Rules.modular +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.5.7/Rules.modular --- nsaserefpolicy/Rules.modular 2008-08-07 11:15:00.000000000 -0400 -+++ serefpolicy-3.5.6/Rules.modular 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/Rules.modular 2008-09-08 10:19:44.000000000 -0400 @@ -73,8 +73,8 @@ $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te @echo "Compliling $(NAME) $(@F) module" @@ -77,9 +77,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rul $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.5.6/config/appconfig-mcs/default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.5.7/config/appconfig-mcs/default_contexts --- nsaserefpolicy/config/appconfig-mcs/default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.6/config/appconfig-mcs/default_contexts 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/config/appconfig-mcs/default_contexts 2008-09-08 10:19:44.000000000 -0400 @@ -1,15 +0,0 @@ -system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0 -system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 @@ -96,15 +96,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con - -user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 -user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.5.6/config/appconfig-mcs/failsafe_context +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.5.7/config/appconfig-mcs/failsafe_context --- nsaserefpolicy/config/appconfig-mcs/failsafe_context 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.6/config/appconfig-mcs/failsafe_context 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/config/appconfig-mcs/failsafe_context 2008-09-08 10:19:44.000000000 -0400 @@ -1 +1 @@ -sysadm_r:sysadm_t:s0 +system_r:unconfined_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts serefpolicy-3.5.6/config/appconfig-mcs/guest_u_default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts serefpolicy-3.5.7/config/appconfig-mcs/guest_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/config/appconfig-mcs/guest_u_default_contexts 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/config/appconfig-mcs/guest_u_default_contexts 2008-09-08 10:19:44.000000000 -0400 @@ -0,0 +1,6 @@ +system_r:local_login_t:s0 guest_r:guest_t:s0 +system_r:remote_login_t:s0 guest_r:guest_t:s0 @@ -112,9 +112,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +system_r:crond_t:s0 guest_r:guest_crond_t:s0 +system_r:initrc_su_t:s0 guest_r:guest_t:s0 +guest_r:guest_t:s0 guest_r:guest_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.5.6/config/appconfig-mcs/root_default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.5.7/config/appconfig-mcs/root_default_contexts --- nsaserefpolicy/config/appconfig-mcs/root_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.6/config/appconfig-mcs/root_default_contexts 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/config/appconfig-mcs/root_default_contexts 2008-09-08 10:19:44.000000000 -0400 @@ -1,11 +1,7 @@ system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0 system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 @@ -128,9 +128,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con # -#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.5.6/config/appconfig-mcs/staff_u_default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.5.7/config/appconfig-mcs/staff_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.6/config/appconfig-mcs/staff_u_default_contexts 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/config/appconfig-mcs/staff_u_default_contexts 2008-09-08 10:19:44.000000000 -0400 @@ -5,6 +5,8 @@ system_r:xdm_t:s0 staff_r:staff_t:s0 staff_r:staff_su_t:s0 staff_r:staff_t:s0 @@ -140,9 +140,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.5.6/config/appconfig-mcs/unconfined_u_default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.5.7/config/appconfig-mcs/unconfined_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.6/config/appconfig-mcs/unconfined_u_default_contexts 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/config/appconfig-mcs/unconfined_u_default_contexts 2008-09-08 10:19:44.000000000 -0400 @@ -6,4 +6,6 @@ system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 system_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 @@ -150,9 +150,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +system_r:initrc_su_t:s0 unconfined_r:unconfined_t:s0 +unconfined_r:unconfined_t:s0 unconfined_r:unconfined_t:s0 system_r:xdm_t:s0 unconfined_r:unconfined_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.5.6/config/appconfig-mcs/user_u_default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.5.7/config/appconfig-mcs/user_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.6/config/appconfig-mcs/user_u_default_contexts 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/config/appconfig-mcs/user_u_default_contexts 2008-09-08 10:19:44.000000000 -0400 @@ -5,4 +5,5 @@ system_r:xdm_t:s0 user_r:user_t:s0 user_r:user_su_t:s0 user_r:user_t:s0 @@ -160,15 +160,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con - +system_r:initrc_su_t:s0 user_r:user_t:s0 +user_r:user_t:s0 user_r:user_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.5.6/config/appconfig-mcs/userhelper_context +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.5.7/config/appconfig-mcs/userhelper_context --- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.6/config/appconfig-mcs/userhelper_context 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/config/appconfig-mcs/userhelper_context 2008-09-08 10:19:44.000000000 -0400 @@ -1 +1 @@ -system_u:sysadm_r:sysadm_t:s0 +system_u:system_r:unconfined_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.5.6/config/appconfig-mcs/xguest_u_default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.5.7/config/appconfig-mcs/xguest_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/config/appconfig-mcs/xguest_u_default_contexts 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/config/appconfig-mcs/xguest_u_default_contexts 2008-09-08 10:19:44.000000000 -0400 @@ -0,0 +1,7 @@ +system_r:local_login_t xguest_r:xguest_t:s0 +system_r:remote_login_t xguest_r:xguest_t:s0 @@ -177,25 +177,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +system_r:xdm_t xguest_r:xguest_t:s0 +system_r:initrc_su_t:s0 xguest_r:xguest_t:s0 +xguest_r:xguest_t:s0 xguest_r:xguest_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts serefpolicy-3.5.6/config/appconfig-mls/guest_u_default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts serefpolicy-3.5.7/config/appconfig-mls/guest_u_default_contexts --- nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/config/appconfig-mls/guest_u_default_contexts 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/config/appconfig-mls/guest_u_default_contexts 2008-09-08 10:19:44.000000000 -0400 @@ -0,0 +1,4 @@ +system_r:local_login_t:s0 guest_r:guest_t:s0 +system_r:remote_login_t:s0 guest_r:guest_t:s0 +system_r:sshd_t:s0 guest_r:guest_t:s0 +system_r:crond_t:s0 guest_r:guest_crond_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts serefpolicy-3.5.6/config/appconfig-standard/guest_u_default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts serefpolicy-3.5.7/config/appconfig-standard/guest_u_default_contexts --- nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/config/appconfig-standard/guest_u_default_contexts 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/config/appconfig-standard/guest_u_default_contexts 2008-09-08 10:19:44.000000000 -0400 @@ -0,0 +1,4 @@ +system_r:local_login_t guest_r:guest_t +system_r:remote_login_t guest_r:guest_t +system_r:sshd_t guest_r:guest_t +system_r:crond_t guest_r:guest_crond_t -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/root_default_contexts serefpolicy-3.5.6/config/appconfig-standard/root_default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/root_default_contexts serefpolicy-3.5.7/config/appconfig-standard/root_default_contexts --- nsaserefpolicy/config/appconfig-standard/root_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.6/config/appconfig-standard/root_default_contexts 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/config/appconfig-standard/root_default_contexts 2008-09-08 10:19:44.000000000 -0400 @@ -1,11 +1,7 @@ system_r:crond_t unconfined_r:unconfined_t sysadm_r:sysadm_crond_t staff_r:staff_crond_t user_r:user_crond_t system_r:local_login_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t @@ -209,18 +209,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con # -#system_r:sshd_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t +system_r:sshd_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts serefpolicy-3.5.6/config/appconfig-standard/xguest_u_default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts serefpolicy-3.5.7/config/appconfig-standard/xguest_u_default_contexts --- nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/config/appconfig-standard/xguest_u_default_contexts 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/config/appconfig-standard/xguest_u_default_contexts 2008-09-08 10:19:44.000000000 -0400 @@ -0,0 +1,5 @@ +system_r:local_login_t xguest_r:xguest_t +system_r:remote_login_t xguest_r:xguest_t +system_r:sshd_t xguest_r:xguest_t +system_r:crond_t xguest_r:xguest_crond_t +system_r:xdm_t xguest_r:xguest_t -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.5.6/policy/global_tunables +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.5.7/policy/global_tunables --- nsaserefpolicy/policy/global_tunables 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.6/policy/global_tunables 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/global_tunables 2008-09-08 10:19:44.000000000 -0400 @@ -34,7 +34,7 @@ ## @@ -259,9 +259,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +gen_tunable(allow_console_login,false) + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.5.6/policy/modules/admin/alsa.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.5.7/policy/modules/admin/alsa.te --- nsaserefpolicy/policy/modules/admin/alsa.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/admin/alsa.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/admin/alsa.te 2008-09-08 10:19:44.000000000 -0400 @@ -51,6 +51,8 @@ auth_use_nsswitch(alsa_t) @@ -271,9 +271,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_use_ld_so(alsa_t) libs_use_shared_libs(alsa_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.5.6/policy/modules/admin/anaconda.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.5.7/policy/modules/admin/anaconda.te --- nsaserefpolicy/policy/modules/admin/anaconda.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/admin/anaconda.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/admin/anaconda.te 2008-09-08 10:19:44.000000000 -0400 @@ -31,6 +31,7 @@ modutils_domtrans_insmod(anaconda_t) @@ -282,9 +282,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unprivuser_home_dir_filetrans_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file }) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.5.6/policy/modules/admin/certwatch.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.5.7/policy/modules/admin/certwatch.te --- nsaserefpolicy/policy/modules/admin/certwatch.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/admin/certwatch.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/admin/certwatch.te 2008-09-08 10:19:44.000000000 -0400 @@ -15,8 +15,19 @@ # # Local policy @@ -321,9 +321,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + pcscd_stream_connect(certwatch_t) + pcscd_read_pub_files(certwatch_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.5.6/policy/modules/admin/consoletype.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.5.7/policy/modules/admin/consoletype.te --- nsaserefpolicy/policy/modules/admin/consoletype.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/admin/consoletype.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/admin/consoletype.te 2008-09-08 10:19:44.000000000 -0400 @@ -8,9 +8,11 @@ type consoletype_t; @@ -347,9 +347,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_all_terms(consoletype_t) init_use_fds(consoletype_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.5.6/policy/modules/admin/firstboot.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.5.7/policy/modules/admin/firstboot.te --- nsaserefpolicy/policy/modules/admin/firstboot.te 2008-08-25 09:12:31.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/admin/firstboot.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/admin/firstboot.te 2008-09-08 10:19:44.000000000 -0400 @@ -118,15 +118,7 @@ usermanage_domtrans_admin_passwd(firstboot_t) ') @@ -369,9 +369,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_unconfined(firstboot_t) ') -') dnl end TODO -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.5.6/policy/modules/admin/kismet.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.5.7/policy/modules/admin/kismet.te --- nsaserefpolicy/policy/modules/admin/kismet.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/admin/kismet.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/admin/kismet.te 2008-09-08 10:19:44.000000000 -0400 @@ -26,7 +26,10 @@ # @@ -392,9 +392,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(kismet_t) files_read_etc_files(kismet_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.5.6/policy/modules/admin/kudzu.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.5.7/policy/modules/admin/kudzu.te --- nsaserefpolicy/policy/modules/admin/kudzu.te 2008-08-14 13:08:27.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/admin/kudzu.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/admin/kudzu.te 2008-09-08 10:19:44.000000000 -0400 @@ -21,8 +21,8 @@ # Local policy # @@ -423,9 +423,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # kudzu will telinit to make init re-read # the inittab after configuring serial consoles init_telinit(kudzu_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.5.6/policy/modules/admin/logrotate.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.5.7/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2008-09-03 10:17:00.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/admin/logrotate.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/admin/logrotate.te 2008-09-08 10:19:44.000000000 -0400 @@ -97,6 +97,7 @@ files_read_etc_files(logrotate_t) files_read_etc_runtime_files(logrotate_t) @@ -442,9 +442,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - squid_domtrans(logrotate_t) + squid_signal(logrotate_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.5.6/policy/modules/admin/logwatch.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.5.7/policy/modules/admin/logwatch.te --- nsaserefpolicy/policy/modules/admin/logwatch.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/admin/logwatch.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/admin/logwatch.te 2008-09-08 10:19:44.000000000 -0400 @@ -54,18 +54,19 @@ domain_read_all_domains_state(logwatch_t) @@ -474,9 +474,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol samba_read_log(logwatch_t) + samba_read_share_files(logwatch_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.5.6/policy/modules/admin/mrtg.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.5.7/policy/modules/admin/mrtg.te --- nsaserefpolicy/policy/modules/admin/mrtg.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/admin/mrtg.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/admin/mrtg.te 2008-09-08 10:19:44.000000000 -0400 @@ -78,6 +78,7 @@ dev_read_urand(mrtg_t) @@ -534,9 +534,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - dontaudit mrtg_t { boot_t device_t file_t lost_found_t }:dir getattr; - dontaudit mrtg_t root_t:lnk_file getattr; -') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.if serefpolicy-3.5.6/policy/modules/admin/netutils.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.if serefpolicy-3.5.7/policy/modules/admin/netutils.if --- nsaserefpolicy/policy/modules/admin/netutils.if 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/admin/netutils.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/admin/netutils.if 2008-09-08 10:19:44.000000000 -0400 @@ -70,7 +70,7 @@ ######################################## @@ -627,9 +627,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.5.6/policy/modules/admin/netutils.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.5.7/policy/modules/admin/netutils.te --- nsaserefpolicy/policy/modules/admin/netutils.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/admin/netutils.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/admin/netutils.te 2008-09-08 10:19:44.000000000 -0400 @@ -50,6 +50,7 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) @@ -749,9 +749,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -optional_policy(` - nscd_socket_use(traceroute_t) -') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.5.6/policy/modules/admin/prelink.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.5.7/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/admin/prelink.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/admin/prelink.te 2008-09-08 10:19:44.000000000 -0400 @@ -26,7 +26,7 @@ # Local policy # @@ -809,9 +809,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + unconfined_domain(prelink_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.5.6/policy/modules/admin/readahead.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.5.7/policy/modules/admin/readahead.te --- nsaserefpolicy/policy/modules/admin/readahead.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/admin/readahead.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/admin/readahead.te 2008-09-08 10:19:44.000000000 -0400 @@ -22,7 +22,7 @@ # Local policy # @@ -829,9 +829,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mls_file_read_all_levels(readahead_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.5.6/policy/modules/admin/rpm.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.5.7/policy/modules/admin/rpm.fc --- nsaserefpolicy/policy/modules/admin/rpm.fc 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/admin/rpm.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/admin/rpm.fc 2008-09-08 10:19:44.000000000 -0400 @@ -11,7 +11,8 @@ /usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -860,9 +860,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # SuSE ifdef(`distro_suse', ` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.5.6/policy/modules/admin/rpm.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.5.7/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/admin/rpm.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/admin/rpm.if 2008-09-08 10:19:44.000000000 -0400 @@ -152,6 +152,24 @@ ######################################## @@ -1168,9 +1168,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 rpm_t:process signull; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.5.6/policy/modules/admin/rpm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.5.7/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/admin/rpm.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/admin/rpm.te 2008-09-08 10:19:44.000000000 -0400 @@ -31,6 +31,9 @@ files_type(rpm_var_lib_t) typealias rpm_var_lib_t alias var_lib_rpm_t; @@ -1257,9 +1257,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` usermanage_domtrans_groupadd(rpm_script_t) usermanage_domtrans_useradd(rpm_script_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.5.6/policy/modules/admin/su.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.5.7/policy/modules/admin/su.if --- nsaserefpolicy/policy/modules/admin/su.if 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/admin/su.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/admin/su.if 2008-09-08 10:19:44.000000000 -0400 @@ -41,15 +41,13 @@ allow $2 $1_su_t:process signal; @@ -1415,9 +1415,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.5.6/policy/modules/admin/sudo.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.5.7/policy/modules/admin/sudo.if --- nsaserefpolicy/policy/modules/admin/sudo.if 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/admin/sudo.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/admin/sudo.if 2008-09-08 10:19:44.000000000 -0400 @@ -55,7 +55,7 @@ # @@ -1530,9 +1530,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + term_relabel_all_user_ttys($1_sudo_t) + term_relabel_all_user_ptys($1_sudo_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.5.6/policy/modules/admin/tmpreaper.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.5.7/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/admin/tmpreaper.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/admin/tmpreaper.te 2008-09-08 10:19:44.000000000 -0400 @@ -22,12 +22,16 @@ dev_read_urand(tmpreaper_t) @@ -1577,9 +1577,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + unconfined_domain(tmpreaper_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.5.6/policy/modules/admin/usermanage.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.5.7/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/admin/usermanage.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/admin/usermanage.te 2008-09-08 10:19:44.000000000 -0400 @@ -97,6 +97,7 @@ # allow checking if a shell is executable @@ -1650,9 +1650,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + unconfined_domain(useradd_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.if serefpolicy-3.5.6/policy/modules/admin/vbetool.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.if serefpolicy-3.5.7/policy/modules/admin/vbetool.if --- nsaserefpolicy/policy/modules/admin/vbetool.if 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/admin/vbetool.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/admin/vbetool.if 2008-09-08 10:19:44.000000000 -0400 @@ -18,3 +18,34 @@ corecmd_search_bin($1) domtrans_pattern($1, vbetool_exec_t, vbetool_t) @@ -1688,9 +1688,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + role $2 types vbetool_t; + allow vbetool_t $3:chr_file rw_term_perms; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.5.6/policy/modules/admin/vbetool.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.5.7/policy/modules/admin/vbetool.te --- nsaserefpolicy/policy/modules/admin/vbetool.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/admin/vbetool.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/admin/vbetool.te 2008-09-08 10:19:44.000000000 -0400 @@ -23,6 +23,9 @@ dev_rwx_zero(vbetool_t) dev_read_sysfs(vbetool_t) @@ -1710,9 +1710,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_exec_pid(vbetool_t) + xserver_write_pid(vbetool_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if serefpolicy-3.5.6/policy/modules/admin/vpn.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if serefpolicy-3.5.7/policy/modules/admin/vpn.if --- nsaserefpolicy/policy/modules/admin/vpn.if 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/admin/vpn.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/admin/vpn.if 2008-09-08 10:19:44.000000000 -0400 @@ -48,6 +48,7 @@ vpn_domtrans($1) role $2 types vpnc_t; @@ -1721,9 +1721,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.5.6/policy/modules/admin/vpn.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.5.7/policy/modules/admin/vpn.te --- nsaserefpolicy/policy/modules/admin/vpn.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/admin/vpn.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/admin/vpn.te 2008-09-08 10:19:44.000000000 -0400 @@ -22,9 +22,10 @@ # Local policy # @@ -1745,18 +1745,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol sysnet_etc_filetrans_config(vpnc_t) sysnet_manage_config(vpnc_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.fc serefpolicy-3.5.6/policy/modules/apps/ethereal.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.fc serefpolicy-3.5.7/policy/modules/apps/ethereal.fc --- nsaserefpolicy/policy/modules/apps/ethereal.fc 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/ethereal.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/ethereal.fc 2008-09-08 10:19:44.000000000 -0400 @@ -1,4 +1,4 @@ -HOME_DIR/\.ethereal(/.*)? gen_context(system_u:object_r:ROLE_ethereal_home_t,s0) +HOME_DIR/\.ethereal(/.*)? gen_context(system_u:object_r:ethereal_home_t,s0) /usr/sbin/ethereal.* -- gen_context(system_u:object_r:ethereal_exec_t,s0) /usr/sbin/tethereal.* -- gen_context(system_u:object_r:tethereal_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.if serefpolicy-3.5.6/policy/modules/apps/ethereal.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.if serefpolicy-3.5.7/policy/modules/apps/ethereal.if --- nsaserefpolicy/policy/modules/apps/ethereal.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/ethereal.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/ethereal.if 2008-09-08 10:19:44.000000000 -0400 @@ -35,6 +35,7 @@ template(`ethereal_per_role_template',` @@ -1860,9 +1860,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.te serefpolicy-3.5.6/policy/modules/apps/ethereal.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.te serefpolicy-3.5.7/policy/modules/apps/ethereal.te --- nsaserefpolicy/policy/modules/apps/ethereal.te 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/ethereal.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/ethereal.te 2008-09-08 10:19:44.000000000 -0400 @@ -16,6 +16,13 @@ type tethereal_tmp_t; files_tmp_file(tethereal_tmp_t) @@ -1877,9 +1877,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Tethereal policy -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/games.if serefpolicy-3.5.6/policy/modules/apps/games.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/games.if serefpolicy-3.5.7/policy/modules/apps/games.if --- nsaserefpolicy/policy/modules/apps/games.if 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/games.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/games.if 2008-09-08 10:19:44.000000000 -0400 @@ -130,10 +130,10 @@ sysnet_read_config($1_games_t) @@ -1919,9 +1919,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + rw_files_pattern($1, games_data_t, games_data_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.5.6/policy/modules/apps/gnome.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.5.7/policy/modules/apps/gnome.fc --- nsaserefpolicy/policy/modules/apps/gnome.fc 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/gnome.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/gnome.fc 2008-09-08 10:19:44.000000000 -0400 @@ -1,8 +1,10 @@ -HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:ROLE_gnome_home_t,s0) -HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:ROLE_gconf_home_t,s0) @@ -1939,9 +1939,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# Don't use because toolchain is broken +#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) +HOME_DIR/.pulse(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.5.6/policy/modules/apps/gnome.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.5.7/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/gnome.if 2008-09-04 13:23:42.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/gnome.if 2008-09-08 10:19:44.000000000 -0400 @@ -36,6 +36,7 @@ gen_require(` type gconfd_exec_t, gconf_etc_t; @@ -2188,9 +2188,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + # Connect to pulseaudit server + stream_connect_pattern($1, gnome_home_t, gnome_home_t, $2) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.5.6/policy/modules/apps/gnome.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.5.7/policy/modules/apps/gnome.te --- nsaserefpolicy/policy/modules/apps/gnome.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/gnome.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/gnome.te 2008-09-08 10:19:44.000000000 -0400 @@ -8,8 +8,34 @@ attribute gnomedomain; @@ -2229,9 +2229,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# Local Policy +# + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.5.6/policy/modules/apps/gpg.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.5.7/policy/modules/apps/gpg.fc --- nsaserefpolicy/policy/modules/apps/gpg.fc 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/gpg.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/gpg.fc 2008-09-08 10:19:44.000000000 -0400 @@ -1,9 +1,9 @@ -HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:ROLE_gpg_secret_t,s0) +HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) @@ -2246,9 +2246,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) +/usr/lib(64)?/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0) +/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.5.6/policy/modules/apps/gpg.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.5.7/policy/modules/apps/gpg.if --- nsaserefpolicy/policy/modules/apps/gpg.if 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/gpg.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/gpg.if 2008-09-08 10:19:44.000000000 -0400 @@ -37,6 +37,9 @@ template(`gpg_per_role_template',` gen_require(` @@ -2585,9 +2585,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.5.6/policy/modules/apps/gpg.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.5.7/policy/modules/apps/gpg.te --- nsaserefpolicy/policy/modules/apps/gpg.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/gpg.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/gpg.te 2008-09-08 10:19:44.000000000 -0400 @@ -15,15 +15,253 @@ gen_tunable(gpg_agent_env_file, false) @@ -2846,9 +2846,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + xserver_stream_connect_xdm_xserver(gpg_pinentry_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.5.6/policy/modules/apps/java.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.5.7/policy/modules/apps/java.fc --- nsaserefpolicy/policy/modules/apps/java.fc 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/java.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/java.fc 2008-09-08 10:19:44.000000000 -0400 @@ -3,14 +3,15 @@ # /opt/(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) @@ -2880,9 +2880,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib64/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) + +/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.5.6/policy/modules/apps/java.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.5.7/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/java.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/java.if 2008-09-08 10:19:44.000000000 -0400 @@ -32,7 +32,7 @@ ## ## @@ -3156,9 +3156,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ca_exec($1, java_exec_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.5.6/policy/modules/apps/java.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.5.7/policy/modules/apps/java.te --- nsaserefpolicy/policy/modules/apps/java.te 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/java.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/java.te 2008-09-08 10:19:44.000000000 -0400 @@ -6,16 +6,10 @@ # Declarations # @@ -3208,15 +3208,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_xdm_rw_shm(java_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.5.6/policy/modules/apps/livecd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.5.7/policy/modules/apps/livecd.fc --- nsaserefpolicy/policy/modules/apps/livecd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/apps/livecd.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/livecd.fc 2008-09-08 10:19:44.000000000 -0400 @@ -0,0 +1,2 @@ + +/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.5.6/policy/modules/apps/livecd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.5.7/policy/modules/apps/livecd.if --- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/apps/livecd.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/livecd.if 2008-09-08 10:19:44.000000000 -0400 @@ -0,0 +1,56 @@ + +## policy for livecd @@ -3274,9 +3274,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + seutil_run_setfiles_mac(livecd_t, $2, $3) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.5.6/policy/modules/apps/livecd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.5.7/policy/modules/apps/livecd.te --- nsaserefpolicy/policy/modules/apps/livecd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/apps/livecd.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/livecd.te 2008-09-08 10:19:44.000000000 -0400 @@ -0,0 +1,26 @@ +policy_module(livecd, 1.0.0) + @@ -3304,9 +3304,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +seutil_domtrans_setfiles_mac(livecd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.5.6/policy/modules/apps/loadkeys.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.5.7/policy/modules/apps/loadkeys.te --- nsaserefpolicy/policy/modules/apps/loadkeys.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/loadkeys.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/loadkeys.te 2008-09-08 10:19:44.000000000 -0400 @@ -32,7 +32,6 @@ term_dontaudit_use_console(loadkeys_t) term_use_unallocated_ttys(loadkeys_t) @@ -3323,9 +3323,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +unprivuser_dontaudit_write_home_content_files(loadkeys_t) +unprivuser_dontaudit_list_home_dirs(loadkeys_t) +sysadm_dontaudit_list_home_dirs(loadkeys_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.5.6/policy/modules/apps/mono.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.5.7/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/mono.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/mono.if 2008-09-08 10:19:44.000000000 -0400 @@ -21,7 +21,106 @@ ######################################## @@ -3443,9 +3443,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') corecmd_search_bin($1) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.5.6/policy/modules/apps/mono.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.5.7/policy/modules/apps/mono.te --- nsaserefpolicy/policy/modules/apps/mono.te 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/mono.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/mono.te 2008-09-08 10:19:44.000000000 -0400 @@ -15,7 +15,7 @@ # Local policy # @@ -3463,9 +3463,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + xserver_xdm_rw_shm(mono_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.5.6/policy/modules/apps/mozilla.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.5.7/policy/modules/apps/mozilla.fc --- nsaserefpolicy/policy/modules/apps/mozilla.fc 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/mozilla.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/mozilla.fc 2008-09-08 10:19:44.000000000 -0400 @@ -1,8 +1,8 @@ -HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) -HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) @@ -3494,9 +3494,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.5.6/policy/modules/apps/mozilla.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.5.7/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/mozilla.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/mozilla.if 2008-09-08 10:19:44.000000000 -0400 @@ -35,7 +35,10 @@ template(`mozilla_per_role_template',` gen_require(` @@ -3966,9 +3966,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $2 $1_mozilla_t:unix_stream_socket connectto; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.5.6/policy/modules/apps/mozilla.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.5.7/policy/modules/apps/mozilla.te --- nsaserefpolicy/policy/modules/apps/mozilla.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/mozilla.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/mozilla.te 2008-09-08 10:19:44.000000000 -0400 @@ -6,15 +6,20 @@ # Declarations # @@ -3997,18 +3997,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +typealias mozilla_tmp_t alias unconfined_mozilla_tmp_t; +typealias mozilla_home_t alias user_mozilla_home_t; +typealias mozilla_tmp_t alias user_mozilla_tmp_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.fc serefpolicy-3.5.6/policy/modules/apps/mplayer.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.fc serefpolicy-3.5.7/policy/modules/apps/mplayer.fc --- nsaserefpolicy/policy/modules/apps/mplayer.fc 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/mplayer.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/mplayer.fc 2008-09-08 10:19:44.000000000 -0400 @@ -10,4 +10,4 @@ /usr/bin/mencoder -- gen_context(system_u:object_r:mencoder_exec_t,s0) /usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0) -HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:ROLE_mplayer_home_t,s0) +HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:mplayer_home_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.5.6/policy/modules/apps/mplayer.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.5.7/policy/modules/apps/mplayer.if --- nsaserefpolicy/policy/modules/apps/mplayer.if 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/mplayer.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/mplayer.if 2008-09-08 10:19:44.000000000 -0400 @@ -34,7 +34,8 @@ # template(`mplayer_per_role_template',` @@ -4151,9 +4151,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - read_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t) + read_files_pattern($2, mplayer_home_t, mplayer_home_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.te serefpolicy-3.5.6/policy/modules/apps/mplayer.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.te serefpolicy-3.5.7/policy/modules/apps/mplayer.te --- nsaserefpolicy/policy/modules/apps/mplayer.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/mplayer.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/mplayer.te 2008-09-08 10:19:44.000000000 -0400 @@ -22,3 +22,7 @@ type mplayer_exec_t; corecmd_executable_file(mplayer_exec_t) @@ -4162,9 +4162,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +type mplayer_home_t alias user_mplayer_rw_t; +userdom_user_home_content(user, mplayer_home_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.5.6/policy/modules/apps/nsplugin.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.5.7/policy/modules/apps/nsplugin.fc --- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/apps/nsplugin.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/nsplugin.fc 2008-09-08 10:19:44.000000000 -0400 @@ -0,0 +1,8 @@ + +/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0) @@ -4174,9 +4174,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:nsplugin_home_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.5.6/policy/modules/apps/nsplugin.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.5.7/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/apps/nsplugin.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/nsplugin.if 2008-09-08 10:19:44.000000000 -0400 @@ -0,0 +1,292 @@ + +## policy for nsplugin @@ -4470,9 +4470,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + can_exec($1, nsplugin_rw_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.6/policy/modules/apps/nsplugin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.7/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/apps/nsplugin.te 2008-09-04 08:53:56.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/nsplugin.te 2008-09-08 10:19:44.000000000 -0400 @@ -0,0 +1,226 @@ + +policy_module(nsplugin, 1.0.0) @@ -4700,16 +4700,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + mozilla_read_user_home_files(user, nsplugin_config_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.5.6/policy/modules/apps/openoffice.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.5.7/policy/modules/apps/openoffice.fc --- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/apps/openoffice.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/openoffice.fc 2008-09-08 10:19:44.000000000 -0400 @@ -0,0 +1,3 @@ +/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) +/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.5.6/policy/modules/apps/openoffice.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.5.7/policy/modules/apps/openoffice.if --- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/apps/openoffice.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/openoffice.if 2008-09-08 10:19:44.000000000 -0400 @@ -0,0 +1,102 @@ +## Openoffice + @@ -4813,9 +4813,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + fs_dontaudit_rw_tmpfs_files($1_openoffice_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.5.6/policy/modules/apps/openoffice.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.5.7/policy/modules/apps/openoffice.te --- nsaserefpolicy/policy/modules/apps/openoffice.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/apps/openoffice.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/openoffice.te 2008-09-08 10:19:44.000000000 -0400 @@ -0,0 +1,14 @@ + +policy_module(openoffice, 1.0.0) @@ -4831,17 +4831,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.fc serefpolicy-3.5.6/policy/modules/apps/podsleuth.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.fc serefpolicy-3.5.7/policy/modules/apps/podsleuth.fc --- nsaserefpolicy/policy/modules/apps/podsleuth.fc 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/podsleuth.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/podsleuth.fc 2008-09-08 10:19:44.000000000 -0400 @@ -1,2 +1,4 @@ /usr/bin/podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0) +/usr/libexec/hal-podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0) +/var/cache/podsleuth(/.*)? gen_context(system_u:object_r:podsleuth_cache_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.if serefpolicy-3.5.6/policy/modules/apps/podsleuth.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.if serefpolicy-3.5.7/policy/modules/apps/podsleuth.if --- nsaserefpolicy/policy/modules/apps/podsleuth.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/podsleuth.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/podsleuth.if 2008-09-08 10:19:44.000000000 -0400 @@ -16,4 +16,38 @@ ') @@ -4881,9 +4881,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dontaudit podsleuth_t $3:chr_file rw_term_perms; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.5.6/policy/modules/apps/podsleuth.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.5.7/policy/modules/apps/podsleuth.te --- nsaserefpolicy/policy/modules/apps/podsleuth.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/podsleuth.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/podsleuth.te 2008-09-08 10:19:44.000000000 -0400 @@ -11,24 +11,55 @@ application_domain(podsleuth_t, podsleuth_exec_t) role system_r types podsleuth_t; @@ -4942,9 +4942,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(podsleuth_t) dbus_system_bus_client_template(podsleuth, podsleuth_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.5.6/policy/modules/apps/qemu.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.5.7/policy/modules/apps/qemu.if --- nsaserefpolicy/policy/modules/apps/qemu.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/qemu.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/qemu.if 2008-09-08 10:19:44.000000000 -0400 @@ -48,6 +48,48 @@ allow qemu_t $3:chr_file rw_file_perms; ') @@ -5301,9 +5301,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -# xserver_xdm_rw_shm($1_t) - ') -') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.5.6/policy/modules/apps/qemu.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.5.7/policy/modules/apps/qemu.te --- nsaserefpolicy/policy/modules/apps/qemu.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/qemu.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/qemu.te 2008-09-08 10:19:44.000000000 -0400 @@ -6,6 +6,8 @@ # Declarations # @@ -5440,9 +5440,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # qemu_unconfined local policy -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.5.6/policy/modules/apps/screen.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.5.7/policy/modules/apps/screen.fc --- nsaserefpolicy/policy/modules/apps/screen.fc 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/screen.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/screen.fc 2008-09-08 10:19:44.000000000 -0400 @@ -1,7 +1,7 @@ # # /home @@ -5452,9 +5452,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /usr -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.5.6/policy/modules/apps/screen.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.5.7/policy/modules/apps/screen.if --- nsaserefpolicy/policy/modules/apps/screen.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/screen.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/screen.if 2008-09-08 10:19:44.000000000 -0400 @@ -35,6 +35,7 @@ template(`screen_per_role_template',` gen_require(` @@ -5507,9 +5507,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state($1_screen_t) kernel_read_kernel_sysctls($1_screen_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.te serefpolicy-3.5.6/policy/modules/apps/screen.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.te serefpolicy-3.5.7/policy/modules/apps/screen.te --- nsaserefpolicy/policy/modules/apps/screen.te 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/screen.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/screen.te 2008-09-08 10:19:44.000000000 -0400 @@ -11,3 +11,7 @@ type screen_exec_t; @@ -5518,18 +5518,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +type user_screen_ro_home_t; +userdom_user_home_content(user, user_screen_ro_home_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.fc serefpolicy-3.5.6/policy/modules/apps/thunderbird.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.fc serefpolicy-3.5.7/policy/modules/apps/thunderbird.fc --- nsaserefpolicy/policy/modules/apps/thunderbird.fc 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/thunderbird.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/thunderbird.fc 2008-09-08 10:19:44.000000000 -0400 @@ -3,4 +3,4 @@ # /usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0) -HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:ROLE_thunderbird_home_t,s0) +HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:user_thunderbird_home_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.if serefpolicy-3.5.6/policy/modules/apps/thunderbird.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.if serefpolicy-3.5.7/policy/modules/apps/thunderbird.if --- nsaserefpolicy/policy/modules/apps/thunderbird.if 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/thunderbird.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/thunderbird.if 2008-09-08 10:19:44.000000000 -0400 @@ -43,9 +43,9 @@ application_domain($1_thunderbird_t, thunderbird_exec_t) role $3 types $1_thunderbird_t; @@ -5601,9 +5601,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_user_home_dir_filetrans($1, $1_thunderbird_t, $1_untrusted_content_tmp_t, { file dir }) userdom_user_home_content_filetrans($1, $1_thunderbird_t, $1_untrusted_content_tmp_t, { file dir }) ',` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.te serefpolicy-3.5.6/policy/modules/apps/thunderbird.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.te serefpolicy-3.5.7/policy/modules/apps/thunderbird.te --- nsaserefpolicy/policy/modules/apps/thunderbird.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/thunderbird.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/thunderbird.te 2008-09-08 10:19:44.000000000 -0400 @@ -8,3 +8,7 @@ type thunderbird_exec_t; @@ -5612,9 +5612,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +type user_thunderbird_home_t alias user_thunderbird_rw_t; +userdom_user_home_content(user, user_thunderbird_home_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.if serefpolicy-3.5.6/policy/modules/apps/tvtime.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.if serefpolicy-3.5.7/policy/modules/apps/tvtime.if --- nsaserefpolicy/policy/modules/apps/tvtime.if 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/tvtime.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/tvtime.if 2008-09-08 10:19:44.000000000 -0400 @@ -35,6 +35,7 @@ template(`tvtime_per_role_template',` gen_require(` @@ -5682,9 +5682,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow the user domain to signal/ps. ps_process_pattern($2,$1_tvtime_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.te serefpolicy-3.5.6/policy/modules/apps/tvtime.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.te serefpolicy-3.5.7/policy/modules/apps/tvtime.te --- nsaserefpolicy/policy/modules/apps/tvtime.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/tvtime.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/tvtime.te 2008-09-08 10:19:44.000000000 -0400 @@ -11,3 +11,9 @@ type tvtime_dir_t; @@ -5695,9 +5695,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +type user_tvtime_tmp_t; +files_tmp_file(user_tvtime_tmp_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.fc serefpolicy-3.5.6/policy/modules/apps/uml.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.fc serefpolicy-3.5.7/policy/modules/apps/uml.fc --- nsaserefpolicy/policy/modules/apps/uml.fc 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/uml.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/uml.fc 2008-09-08 10:19:44.000000000 -0400 @@ -1,7 +1,7 @@ # # HOME_DIR/ @@ -5707,9 +5707,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /usr -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.5.6/policy/modules/apps/vmware.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.5.7/policy/modules/apps/vmware.fc --- nsaserefpolicy/policy/modules/apps/vmware.fc 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/vmware.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/vmware.fc 2008-09-08 10:19:44.000000000 -0400 @@ -1,9 +1,9 @@ # # HOME_DIR/ @@ -5768,9 +5768,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0) +/usr/lib/vmware-tools/sbin32/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +/usr/lib/vmware-tools/sbin64/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.5.6/policy/modules/apps/vmware.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.5.7/policy/modules/apps/vmware.if --- nsaserefpolicy/policy/modules/apps/vmware.if 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/vmware.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/vmware.if 2008-09-08 10:19:44.000000000 -0400 @@ -47,11 +47,8 @@ domain_entry_file($1_vmware_t, vmware_exec_t) role $3 types $1_vmware_t; @@ -5800,9 +5800,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1_vmware_t $1_vmware_tmp_t:file execute; manage_dirs_pattern($1_vmware_t, $1_vmware_tmp_t, $1_vmware_tmp_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.5.6/policy/modules/apps/vmware.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.5.7/policy/modules/apps/vmware.te --- nsaserefpolicy/policy/modules/apps/vmware.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/vmware.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/vmware.te 2008-09-08 10:19:44.000000000 -0400 @@ -10,14 +10,14 @@ type vmware_exec_t; corecmd_executable_file(vmware_exec_t) @@ -5873,9 +5873,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.5.6/policy/modules/apps/wine.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.5.7/policy/modules/apps/wine.if --- nsaserefpolicy/policy/modules/apps/wine.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/wine.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/wine.if 2008-09-08 10:19:44.000000000 -0400 @@ -49,3 +49,53 @@ role $2 types wine_t; allow wine_t $3:chr_file rw_term_perms; @@ -5930,9 +5930,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_xdm_rw_shm($1_wine_t) + ') +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.5.6/policy/modules/apps/wine.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.5.7/policy/modules/apps/wine.te --- nsaserefpolicy/policy/modules/apps/wine.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/wine.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/wine.te 2008-09-08 10:19:44.000000000 -0400 @@ -9,6 +9,7 @@ type wine_t; type wine_exec_t; @@ -5959,9 +5959,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + xserver_xdm_rw_shm(wine_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wireshark.if serefpolicy-3.5.6/policy/modules/apps/wireshark.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wireshark.if serefpolicy-3.5.7/policy/modules/apps/wireshark.if --- nsaserefpolicy/policy/modules/apps/wireshark.if 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/apps/wireshark.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/apps/wireshark.if 2008-09-08 10:19:44.000000000 -0400 @@ -134,7 +134,7 @@ sysnet_read_config($1_wireshark_t) @@ -5971,9 +5971,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs($1_wireshark_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.5.6/policy/modules/kernel/corecommands.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.5.7/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/kernel/corecommands.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/kernel/corecommands.fc 2008-09-08 10:19:44.000000000 -0400 @@ -129,6 +129,8 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -6010,9 +6010,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) +/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.5.6/policy/modules/kernel/corecommands.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.5.7/policy/modules/kernel/corecommands.if --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/kernel/corecommands.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/kernel/corecommands.if 2008-09-08 10:19:44.000000000 -0400 @@ -894,6 +894,7 @@ read_lnk_files_pattern($1, bin_t, bin_t) @@ -6021,9 +6021,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.6/policy/modules/kernel/corenetwork.te.in ---- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-09-03 11:05:02.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/kernel/corenetwork.te.in 2008-09-03 15:55:22.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.7/policy/modules/kernel/corenetwork.te.in +--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-09-05 10:28:20.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/kernel/corenetwork.te.in 2008-09-08 10:19:44.000000000 -0400 @@ -75,6 +75,7 @@ network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0) network_port(apcupsd, tcp,3551,s0, udp,3551,s0) @@ -6081,7 +6081,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(spamd, tcp,783,s0) network_port(ssh, tcp,22,s0) network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0) -@@ -167,12 +175,17 @@ +@@ -167,14 +175,18 @@ network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) @@ -6094,15 +6094,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) + network_port(vnc, tcp,5900,s0) +-network_port(wccp, udp,2048,s0) +# Reserve 100 ports for vnc/virt machines +portcon tcp 5901-5999 gen_context(system_u:object_r:vnc_port_t,s0) -+network_port(whois, tcp,43,s0, udp,43,s0) - network_port(wccp, udp,2048,s0) + network_port(whois, tcp,43,s0, udp,43,s0) ++network_port(wccp, udp,2048,s0) network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.5.6/policy/modules/kernel/devices.fc + network_port(xfs, tcp,7100,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.5.7/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/kernel/devices.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/kernel/devices.fc 2008-09-08 10:19:44.000000000 -0400 @@ -1,7 +1,7 @@ /dev -d gen_context(system_u:object_r:device_t,s0) @@ -6222,9 +6224,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/pts(/.*)? <> -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.5.6/policy/modules/kernel/devices.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.5.7/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/kernel/devices.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/kernel/devices.if 2008-09-08 10:19:44.000000000 -0400 @@ -65,7 +65,7 @@ relabelfrom_dirs_pattern($1, device_t, device_node) @@ -6692,9 +6694,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + rw_chr_files_pattern($1, device_t, qemu_device_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.5.6/policy/modules/kernel/devices.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.5.7/policy/modules/kernel/devices.te --- nsaserefpolicy/policy/modules/kernel/devices.te 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/kernel/devices.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/kernel/devices.te 2008-09-08 10:19:44.000000000 -0400 @@ -32,6 +32,12 @@ type apm_bios_t; dev_node(apm_bios_t) @@ -6760,9 +6762,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Type for /dev/pmu # type power_device_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.5.6/policy/modules/kernel/domain.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.5.7/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/kernel/domain.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/kernel/domain.if 2008-09-08 10:19:44.000000000 -0400 @@ -1247,18 +1247,34 @@ ## ## @@ -6801,9 +6803,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Allow specified type to receive labeled ## networking packets from all domains, over ## all protocols (TCP, UDP, etc) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.5.6/policy/modules/kernel/domain.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.5.7/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/kernel/domain.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/kernel/domain.te 2008-09-08 10:19:44.000000000 -0400 @@ -5,6 +5,13 @@ # # Declarations @@ -6884,9 +6886,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +# broken kernel +dontaudit can_change_object_identity can_change_object_identity:key link; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.5.6/policy/modules/kernel/files.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.5.7/policy/modules/kernel/files.fc --- nsaserefpolicy/policy/modules/kernel/files.fc 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/kernel/files.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/kernel/files.fc 2008-09-08 10:19:44.000000000 -0400 @@ -32,6 +32,7 @@ /boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /boot/lost\+found/.* <> @@ -6895,9 +6897,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /emul -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.5.6/policy/modules/kernel/files.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.5.7/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/kernel/files.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/kernel/files.if 2008-09-08 10:19:44.000000000 -0400 @@ -110,6 +110,11 @@ ## # @@ -7135,7 +7137,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -4787,3 +4954,53 @@ +@@ -4787,3 +4954,71 @@ typeattribute $1 files_unconfined_type; ') @@ -7189,9 +7191,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + filetrans_pattern($1, root_t, default_t, dir) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.5.6/policy/modules/kernel/files.te ++######################################## ++## ++## manage generic symbolic links ++## in the /var/run directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_generic_pids_symlinks',` ++ gen_require(` ++ type var_run_t; ++ ') ++ ++ manage_lnk_files_pattern($1,var_run_t,var_run_t) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.5.7/policy/modules/kernel/files.te --- nsaserefpolicy/policy/modules/kernel/files.te 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/kernel/files.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/kernel/files.te 2008-09-08 10:19:44.000000000 -0400 @@ -52,11 +52,14 @@ # # etc_t is the type of the system etc directories. @@ -7228,9 +7248,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.5.6/policy/modules/kernel/filesystem.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.5.7/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2008-08-14 13:08:27.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/kernel/filesystem.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/kernel/filesystem.if 2008-09-08 10:19:44.000000000 -0400 @@ -535,6 +535,24 @@ ######################################## @@ -7663,9 +7683,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + dontaudit $1 fusefs_t:file manage_file_perms; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.5.6/policy/modules/kernel/filesystem.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.5.7/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2008-08-14 13:08:27.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/kernel/filesystem.te 2008-09-04 09:20:07.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/kernel/filesystem.te 2008-09-08 10:19:44.000000000 -0400 @@ -21,7 +21,6 @@ # Use xattrs for the following filesystem types. @@ -7694,9 +7714,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.5.6/policy/modules/kernel/kernel.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.5.7/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/kernel/kernel.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/kernel/kernel.if 2008-09-08 10:19:44.000000000 -0400 @@ -1198,6 +1198,7 @@ ') @@ -7738,9 +7758,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Unconfined access to kernel module resources. ## ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.5.6/policy/modules/kernel/kernel.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.5.7/policy/modules/kernel/kernel.te --- nsaserefpolicy/policy/modules/kernel/kernel.te 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/kernel/kernel.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/kernel/kernel.te 2008-09-08 10:19:44.000000000 -0400 @@ -63,6 +63,15 @@ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) @@ -7774,9 +7794,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`read_default_t',` files_list_default(kernel_t) files_read_default_files(kernel_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.5.6/policy/modules/kernel/selinux.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.5.7/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/kernel/selinux.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/kernel/selinux.if 2008-09-08 10:19:44.000000000 -0400 @@ -164,6 +164,7 @@ type security_t; ') @@ -7895,9 +7915,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_type($1) + mls_trusted_object($1) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.te serefpolicy-3.5.6/policy/modules/kernel/selinux.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.te serefpolicy-3.5.7/policy/modules/kernel/selinux.te --- nsaserefpolicy/policy/modules/kernel/selinux.te 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/kernel/selinux.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/kernel/selinux.te 2008-09-08 10:19:44.000000000 -0400 @@ -10,6 +10,7 @@ attribute can_setenforce; attribute can_setsecparam; @@ -7918,14 +7938,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy; neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce; neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.fc serefpolicy-3.5.6/policy/modules/roles/guest.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.fc serefpolicy-3.5.7/policy/modules/roles/guest.fc --- nsaserefpolicy/policy/modules/roles/guest.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/roles/guest.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/roles/guest.fc 2008-09-08 10:19:44.000000000 -0400 @@ -0,0 +1 @@ +# file contexts handled by userdomain and genhomedircon -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.if serefpolicy-3.5.6/policy/modules/roles/guest.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.if serefpolicy-3.5.7/policy/modules/roles/guest.if --- nsaserefpolicy/policy/modules/roles/guest.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/roles/guest.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/roles/guest.if 2008-09-08 10:19:44.000000000 -0400 @@ -0,0 +1,161 @@ +## Least privledge terminal user role + @@ -8088,9 +8108,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + read_files_pattern($1, { guest_home_dir_t guest_home_t }, guest_home_t) + read_lnk_files_pattern($1, { guest_home_dir_t guest_home_t }, guest_home_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.5.6/policy/modules/roles/guest.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.5.7/policy/modules/roles/guest.te --- nsaserefpolicy/policy/modules/roles/guest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/roles/guest.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/roles/guest.te 2008-09-08 10:19:44.000000000 -0400 @@ -0,0 +1,44 @@ + +policy_module(guest, 1.0.0) @@ -8136,14 +8156,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + domtrans_pattern(xguest_mozilla_t, openoffice_exec_t, xguest_openoffice_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.fc serefpolicy-3.5.6/policy/modules/roles/logadm.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.fc serefpolicy-3.5.7/policy/modules/roles/logadm.fc --- nsaserefpolicy/policy/modules/roles/logadm.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/roles/logadm.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/roles/logadm.fc 2008-09-08 10:19:44.000000000 -0400 @@ -0,0 +1 @@ +# file contexts handled by userdomain and genhomedircon -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.if serefpolicy-3.5.6/policy/modules/roles/logadm.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.if serefpolicy-3.5.7/policy/modules/roles/logadm.if --- nsaserefpolicy/policy/modules/roles/logadm.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/roles/logadm.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/roles/logadm.if 2008-09-08 10:19:44.000000000 -0400 @@ -0,0 +1,44 @@ +## Audit administrator role + @@ -8189,9 +8209,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +template(`logadm_role_change_to_template',` + userdom_role_change_template(logadm, $1) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.te serefpolicy-3.5.6/policy/modules/roles/logadm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.te serefpolicy-3.5.7/policy/modules/roles/logadm.te --- nsaserefpolicy/policy/modules/roles/logadm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/roles/logadm.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/roles/logadm.te 2008-09-08 10:19:44.000000000 -0400 @@ -0,0 +1,20 @@ + +policy_module(logadm, 1.0.0) @@ -8213,9 +8233,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; + +logging_admin(logadm_t, logadm_r, { logadm_devpts_t logadm_tty_device_t }) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.5.6/policy/modules/roles/staff.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.5.7/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/roles/staff.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/roles/staff.te 2008-09-08 10:19:44.000000000 -0400 @@ -8,23 +8,52 @@ role staff_r; @@ -8270,9 +8290,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + webadm_role_change_template(staff) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.5.6/policy/modules/roles/sysadm.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.5.7/policy/modules/roles/sysadm.if --- nsaserefpolicy/policy/modules/roles/sysadm.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/roles/sysadm.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/roles/sysadm.if 2008-09-08 10:19:44.000000000 -0400 @@ -334,10 +334,10 @@ # interface(`sysadm_getattr_home_dirs',` @@ -8432,9 +8452,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.if serefpolicy-3.5.6/policy/modules/roles/unprivuser.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.5.7/policy/modules/roles/sysadm.te +--- nsaserefpolicy/policy/modules/roles/sysadm.te 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/roles/sysadm.te 2008-09-08 11:37:16.000000000 -0400 +@@ -171,6 +171,10 @@ + ') + + optional_policy(` ++ kerberos_exec_kadmind(sysadm_t) ++') ++ ++optional_policy(` + kudzu_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + ') + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.if serefpolicy-3.5.7/policy/modules/roles/unprivuser.if --- nsaserefpolicy/policy/modules/roles/unprivuser.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/roles/unprivuser.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/roles/unprivuser.if 2008-09-08 10:19:44.000000000 -0400 @@ -62,6 +62,26 @@ files_home_filetrans($1, user_home_dir_t, dir) ') @@ -9078,9 +9112,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.5.6/policy/modules/roles/unprivuser.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.5.7/policy/modules/roles/unprivuser.te --- nsaserefpolicy/policy/modules/roles/unprivuser.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/roles/unprivuser.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/roles/unprivuser.te 2008-09-08 10:19:44.000000000 -0400 @@ -13,3 +13,23 @@ userdom_unpriv_user_template(user) @@ -9105,14 +9139,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + setroubleshoot_dontaudit_stream_connect(user_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.fc serefpolicy-3.5.6/policy/modules/roles/webadm.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.fc serefpolicy-3.5.7/policy/modules/roles/webadm.fc --- nsaserefpolicy/policy/modules/roles/webadm.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/roles/webadm.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/roles/webadm.fc 2008-09-08 10:19:44.000000000 -0400 @@ -0,0 +1 @@ +# No webadm file contexts. -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.if serefpolicy-3.5.6/policy/modules/roles/webadm.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.if serefpolicy-3.5.7/policy/modules/roles/webadm.if --- nsaserefpolicy/policy/modules/roles/webadm.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/roles/webadm.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/roles/webadm.if 2008-09-08 10:19:44.000000000 -0400 @@ -0,0 +1,44 @@ +## Policy for webadm role + @@ -9158,9 +9192,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +template(`webadm_role_change_to_template',` + userdom_role_change_template(webadm, $1) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.te serefpolicy-3.5.6/policy/modules/roles/webadm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.te serefpolicy-3.5.7/policy/modules/roles/webadm.te --- nsaserefpolicy/policy/modules/roles/webadm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/roles/webadm.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/roles/webadm.te 2008-09-08 10:19:44.000000000 -0400 @@ -0,0 +1,65 @@ + +policy_module(webadm, 1.0.0) @@ -9227,14 +9261,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + unprivuser_write_tmp_files(webadm_t) +') +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.fc serefpolicy-3.5.6/policy/modules/roles/xguest.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.fc serefpolicy-3.5.7/policy/modules/roles/xguest.fc --- nsaserefpolicy/policy/modules/roles/xguest.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/roles/xguest.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/roles/xguest.fc 2008-09-08 10:19:44.000000000 -0400 @@ -0,0 +1 @@ +# file contexts handled by userdomain and genhomedircon -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.if serefpolicy-3.5.6/policy/modules/roles/xguest.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.if serefpolicy-3.5.7/policy/modules/roles/xguest.if --- nsaserefpolicy/policy/modules/roles/xguest.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/roles/xguest.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/roles/xguest.if 2008-09-08 10:19:44.000000000 -0400 @@ -0,0 +1,161 @@ +## Least privledge X Windows user role + @@ -9397,9 +9431,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + read_files_pattern($1, { xguest_home_dir_t xguest_home_t }, xguest_home_t) + read_lnk_files_pattern($1, { xguest_home_dir_t xguest_home_t }, xguest_home_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.5.6/policy/modules/roles/xguest.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.5.7/policy/modules/roles/xguest.te --- nsaserefpolicy/policy/modules/roles/xguest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/roles/xguest.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/roles/xguest.te 2008-09-08 10:19:44.000000000 -0400 @@ -0,0 +1,83 @@ + +policy_module(xguest, 1.0.0) @@ -9484,9 +9518,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aide.if serefpolicy-3.5.6/policy/modules/services/aide.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aide.if serefpolicy-3.5.7/policy/modules/services/aide.if --- nsaserefpolicy/policy/modules/services/aide.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/aide.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/aide.if 2008-09-08 10:19:44.000000000 -0400 @@ -70,9 +70,11 @@ allow $1 aide_t:process { ptrace signal_perms }; ps_process_pattern($1, aide_t) @@ -9501,11 +9535,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - manage_files_pattern($1, aide_log_t, aide_log_t) + admin_pattern($1, aide_log_t, aide_log_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.fc serefpolicy-3.5.6/policy/modules/services/amavis.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.fc serefpolicy-3.5.7/policy/modules/services/amavis.fc --- nsaserefpolicy/policy/modules/services/amavis.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/amavis.fc 2008-09-03 15:55:22.000000000 -0400 -@@ -3,6 +3,7 @@ - /etc/amavisd(/.*)? -- gen_context(system_u:object_r:amavis_etc_t,s0) ++++ serefpolicy-3.5.7/policy/modules/services/amavis.fc 2008-09-08 16:03:15.000000000 -0400 +@@ -1,8 +1,9 @@ + + /etc/amavis\.conf -- gen_context(system_u:object_r:amavis_etc_t,s0) +-/etc/amavisd(/.*)? -- gen_context(system_u:object_r:amavis_etc_t,s0) ++/etc/amavisd(/.*)? gen_context(system_u:object_r:amavis_etc_t,s0) /usr/sbin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0) +/usr/lib(64)?/AntiVir/antivir -- gen_context(system_u:object_r:amavis_exec_t,s0) @@ -9518,9 +9555,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/virusmails(/.*)? gen_context(system_u:object_r:amavis_quarantine_t,s0) + +/etc/rc\.d/init\.d/amavis -- gen_context(system_u:object_r:amavis_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.if serefpolicy-3.5.6/policy/modules/services/amavis.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.if serefpolicy-3.5.7/policy/modules/services/amavis.if --- nsaserefpolicy/policy/modules/services/amavis.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/amavis.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/amavis.if 2008-09-08 10:19:44.000000000 -0400 @@ -189,6 +189,25 @@ ######################################## @@ -9590,9 +9627,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - manage_files_pattern($1, amavis_var_run_t, amavis_var_run_t) + admin_pattern($1, amavis_var_run_t, amavis_var_run_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.5.6/policy/modules/services/amavis.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.5.7/policy/modules/services/amavis.te --- nsaserefpolicy/policy/modules/services/amavis.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/amavis.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/amavis.te 2008-09-08 10:19:44.000000000 -0400 @@ -13,7 +13,7 @@ # configuration files @@ -9621,9 +9658,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # configuration files allow amavis_t amavis_etc_t:dir list_dir_perms; read_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.5.6/policy/modules/services/apache.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.5.7/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/apache.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/apache.fc 2008-09-08 10:19:44.000000000 -0400 @@ -1,10 +1,10 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0) +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) @@ -9712,9 +9749,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) + +/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.5.6/policy/modules/services/apache.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.5.7/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/apache.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/apache.if 2008-09-08 10:19:44.000000000 -0400 @@ -13,21 +13,16 @@ # template(`apache_content_template',` @@ -10383,9 +10420,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + typeattribute $1 httpd_rw_content; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.6/policy/modules/services/apache.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.7/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/apache.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/apache.te 2008-09-08 10:19:44.000000000 -0400 @@ -20,6 +20,8 @@ # Declarations # @@ -10583,8 +10620,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +gen_tunable(allow_httpd_mod_auth_pam, false) + - tunable_policy(`allow_httpd_mod_auth_pam',` -- auth_domtrans_chk_passwd(httpd_t) ++tunable_policy(`allow_httpd_mod_auth_pam',` + auth_domtrans_chkpwd(httpd_t) +') + @@ -10595,12 +10631,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false) +optional_policy(` -+tunable_policy(`allow_httpd_mod_auth_pam',` + tunable_policy(`allow_httpd_mod_auth_pam',` +- auth_domtrans_chk_passwd(httpd_t) + samba_domtrans_winbind_helper(httpd_t) ') ') -@@ -370,35 +437,57 @@ +@@ -370,20 +437,45 @@ corenet_tcp_connect_all_ports(httpd_t) ') @@ -10627,30 +10664,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_sendrecv_http_cache_client_packets(httpd_t) ') --tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` -- domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) +tunable_policy(`httpd_enable_cgi && httpd_unified',` + allow httpd_sys_script_t httpd_sys_content_t:file entrypoint; + filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file }) + can_exec(httpd_sys_script_t, httpd_sys_content_t) +') - -- manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) -- manage_files_pattern(httpd_t, httpdcontent, httpdcontent) -- manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent) ++ +tunable_policy(`allow_httpd_sys_script_anon_write',` + miscfiles_manage_public_files(httpd_sys_script_t) +') + -+tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` + tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` +- domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) + domtrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_script_t) + filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file }) + manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t) + manage_files_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t) + manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t) - ') - tunable_policy(`httpd_enable_ftp_server',` + manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) + manage_files_pattern(httpd_t, httpdcontent, httpdcontent) +@@ -394,11 +486,12 @@ corenet_tcp_bind_ftp_port(httpd_t) ') @@ -10666,7 +10700,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_read_nfs_files(httpd_t) fs_read_nfs_symlinks(httpd_t) ') -@@ -408,6 +497,11 @@ +@@ -408,6 +501,11 @@ fs_read_cifs_symlinks(httpd_t) ') @@ -10678,7 +10712,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -441,8 +535,13 @@ +@@ -441,8 +539,13 @@ ') optional_policy(` @@ -10694,7 +10728,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -454,18 +553,13 @@ +@@ -454,18 +557,13 @@ ') optional_policy(` @@ -10714,7 +10748,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -475,6 +569,12 @@ +@@ -475,6 +573,12 @@ openca_kill(httpd_t) ') @@ -10727,7 +10761,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) -@@ -482,6 +582,7 @@ +@@ -482,6 +586,7 @@ tunable_policy(`httpd_can_network_connect_db',` postgresql_tcp_connect(httpd_t) @@ -10735,7 +10769,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -490,6 +591,7 @@ +@@ -490,6 +595,7 @@ ') optional_policy(` @@ -10743,7 +10777,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -519,9 +621,28 @@ +@@ -519,9 +625,28 @@ logging_send_syslog_msg(httpd_helper_t) tunable_policy(`httpd_tty_comm',` @@ -10772,7 +10806,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Apache PHP script local policy -@@ -551,22 +672,27 @@ +@@ -551,22 +676,27 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -10806,7 +10840,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -590,6 +716,8 @@ +@@ -590,6 +720,8 @@ manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -10815,7 +10849,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -598,9 +726,7 @@ +@@ -598,9 +730,7 @@ fs_search_auto_mountpoints(httpd_suexec_t) @@ -10826,7 +10860,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -633,12 +759,21 @@ +@@ -633,12 +763,25 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -10842,6 +10876,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + domtrans_pattern(httpd_suexec_t, httpd_user_script_ro_t, httpd_user_script_t) + domtrans_pattern(httpd_suexec_t, httpd_user_script_ra_t, httpd_user_script_t) + domtrans_pattern(httpd_suexec_t, httpd_user_script_rw_t, httpd_user_script_t) ++ ++ manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) ++ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) ++ manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) ') - -tunable_policy(`httpd_enable_homedirs',` @@ -10851,7 +10889,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -647,6 +782,12 @@ +@@ -647,6 +790,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -10864,7 +10902,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -664,10 +805,6 @@ +@@ -664,10 +813,6 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -10875,7 +10913,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Apache system script local policy -@@ -677,7 +814,8 @@ +@@ -677,7 +822,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -10885,7 +10923,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) -@@ -691,12 +829,15 @@ +@@ -691,12 +837,15 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -10903,7 +10941,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -704,6 +845,28 @@ +@@ -704,6 +853,28 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -10932,7 +10970,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -716,10 +879,10 @@ +@@ -716,10 +887,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -10947,7 +10985,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -727,6 +890,8 @@ +@@ -727,6 +898,8 @@ # httpd_rotatelogs local policy # @@ -10956,7 +10994,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -741,3 +906,56 @@ +@@ -741,3 +914,56 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) @@ -11013,18 +11051,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_dirs_pattern(httpd_t,httpdcontent,httpd_rw_content) +manage_files_pattern(httpd_t,httpdcontent,httpd_rw_content) +manage_lnk_files_pattern(httpd_t,httpdcontent,httpd_rw_content) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-3.5.6/policy/modules/services/apcupsd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-3.5.7/policy/modules/services/apcupsd.fc --- nsaserefpolicy/policy/modules/services/apcupsd.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/apcupsd.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/apcupsd.fc 2008-09-08 10:19:44.000000000 -0400 @@ -13,3 +13,5 @@ /var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) /var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) /var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) + +/etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.if serefpolicy-3.5.6/policy/modules/services/apcupsd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.if serefpolicy-3.5.7/policy/modules/services/apcupsd.if --- nsaserefpolicy/policy/modules/services/apcupsd.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/apcupsd.if 2008-09-04 16:00:46.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/apcupsd.if 2008-09-08 10:19:44.000000000 -0400 @@ -90,10 +90,81 @@ ## ## @@ -11108,9 +11146,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_list_pids($1) + admin_pattern($1, apcupsd_var_run_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.5.6/policy/modules/services/apcupsd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.5.7/policy/modules/services/apcupsd.te --- nsaserefpolicy/policy/modules/services/apcupsd.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/apcupsd.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/apcupsd.te 2008-09-08 10:19:44.000000000 -0400 @@ -22,6 +22,9 @@ type apcupsd_var_run_t; files_pid_file(apcupsd_var_run_t) @@ -11140,18 +11178,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.fc serefpolicy-3.5.6/policy/modules/services/arpwatch.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.fc serefpolicy-3.5.7/policy/modules/services/arpwatch.fc --- nsaserefpolicy/policy/modules/services/arpwatch.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/arpwatch.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/arpwatch.fc 2008-09-08 10:19:44.000000000 -0400 @@ -9,3 +9,5 @@ # /var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0) /var/lib/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0) + +/etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.if serefpolicy-3.5.6/policy/modules/services/arpwatch.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.if serefpolicy-3.5.7/policy/modules/services/arpwatch.if --- nsaserefpolicy/policy/modules/services/arpwatch.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/arpwatch.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/arpwatch.if 2008-09-08 10:19:44.000000000 -0400 @@ -90,3 +90,73 @@ dontaudit $1 arpwatch_t:packet_socket { read write }; @@ -11226,9 +11264,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, arpwatch_var_run_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.5.6/policy/modules/services/arpwatch.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.5.7/policy/modules/services/arpwatch.te --- nsaserefpolicy/policy/modules/services/arpwatch.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/arpwatch.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/arpwatch.te 2008-09-08 10:19:44.000000000 -0400 @@ -19,6 +19,9 @@ type arpwatch_var_run_t; files_pid_file(arpwatch_var_run_t) @@ -11239,17 +11277,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Local policy -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.fc serefpolicy-3.5.6/policy/modules/services/asterisk.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.fc serefpolicy-3.5.7/policy/modules/services/asterisk.fc --- nsaserefpolicy/policy/modules/services/asterisk.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/asterisk.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/asterisk.fc 2008-09-08 10:19:44.000000000 -0400 @@ -6,3 +6,4 @@ /var/log/asterisk(/.*)? gen_context(system_u:object_r:asterisk_log_t,s0) /var/run/asterisk(/.*)? gen_context(system_u:object_r:asterisk_var_run_t,s0) /var/spool/asterisk(/.*)? gen_context(system_u:object_r:asterisk_spool_t,s0) +/etc/rc\.d/init\.d/asterisk -- gen_context(system_u:object_r:asterisk_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.5.6/policy/modules/services/asterisk.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.5.7/policy/modules/services/asterisk.if --- nsaserefpolicy/policy/modules/services/asterisk.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/asterisk.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/asterisk.if 2008-09-08 10:19:44.000000000 -0400 @@ -1 +1,83 @@ ## Asterisk IP telephony server + @@ -11334,9 +11372,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, asterisk_var_run_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.5.6/policy/modules/services/asterisk.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.5.7/policy/modules/services/asterisk.te --- nsaserefpolicy/policy/modules/services/asterisk.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/asterisk.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/asterisk.te 2008-09-08 10:19:44.000000000 -0400 @@ -31,6 +31,9 @@ type asterisk_var_run_t; files_pid_file(asterisk_var_run_t) @@ -11347,18 +11385,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Local policy -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audioentropy.fc serefpolicy-3.5.6/policy/modules/services/audioentropy.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audioentropy.fc serefpolicy-3.5.7/policy/modules/services/audioentropy.fc --- nsaserefpolicy/policy/modules/services/audioentropy.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/audioentropy.fc 2008-09-04 08:51:02.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/audioentropy.fc 2008-09-08 10:19:44.000000000 -0400 @@ -2,3 +2,5 @@ # /usr # /usr/sbin/audio-entropyd -- gen_context(system_u:object_r:entropyd_exec_t,s0) + +/var/run/audio-entropyd\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audioentropy.te serefpolicy-3.5.6/policy/modules/services/audioentropy.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audioentropy.te serefpolicy-3.5.7/policy/modules/services/audioentropy.te --- nsaserefpolicy/policy/modules/services/audioentropy.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/audioentropy.te 2008-09-04 08:51:20.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/audioentropy.te 2008-09-08 10:19:44.000000000 -0400 @@ -35,6 +35,7 @@ dev_read_rand(entropyd_t) dev_write_rand(entropyd_t) @@ -11367,9 +11405,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(entropyd_t) fs_search_auto_mountpoints(entropyd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.fc serefpolicy-3.5.6/policy/modules/services/automount.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.fc serefpolicy-3.5.7/policy/modules/services/automount.fc --- nsaserefpolicy/policy/modules/services/automount.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/automount.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/automount.fc 2008-09-08 10:19:44.000000000 -0400 @@ -12,4 +12,7 @@ # /var # @@ -11379,9 +11417,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/etc/rc\.d/init\.d/autofs -- gen_context(system_u:object_r:automount_script_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.5.6/policy/modules/services/automount.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.5.7/policy/modules/services/automount.if --- nsaserefpolicy/policy/modules/services/automount.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/automount.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/automount.if 2008-09-08 10:19:44.000000000 -0400 @@ -74,3 +74,109 @@ dontaudit $1 automount_tmp_t:dir getattr; @@ -11492,9 +11530,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_list_pids($1) + admin_pattern($1, automount_var_run_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.5.6/policy/modules/services/automount.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.5.7/policy/modules/services/automount.te --- nsaserefpolicy/policy/modules/services/automount.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/automount.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/automount.te 2008-09-08 10:19:44.000000000 -0400 @@ -20,6 +20,9 @@ files_tmp_file(automount_tmp_t) files_mountpoint(automount_tmp_t) @@ -11588,9 +11626,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.5.6/policy/modules/services/avahi.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.5.7/policy/modules/services/avahi.fc --- nsaserefpolicy/policy/modules/services/avahi.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/avahi.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/avahi.fc 2008-09-08 10:19:44.000000000 -0400 @@ -3,3 +3,7 @@ /usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0) @@ -11599,9 +11637,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/etc/rc\.d/init\.d/avahi -- gen_context(system_u:object_r:avahi_script_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.5.6/policy/modules/services/avahi.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.5.7/policy/modules/services/avahi.if --- nsaserefpolicy/policy/modules/services/avahi.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/avahi.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/avahi.if 2008-09-08 10:19:44.000000000 -0400 @@ -57,3 +57,64 @@ dontaudit $1 avahi_var_run_t:dir search_dir_perms; @@ -11667,9 +11705,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_list_pids($1) + admin_pattern($1, avahi_var_run_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.5.6/policy/modules/services/avahi.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.5.7/policy/modules/services/avahi.te --- nsaserefpolicy/policy/modules/services/avahi.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/avahi.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/avahi.te 2008-09-08 10:19:44.000000000 -0400 @@ -13,6 +13,9 @@ type avahi_var_run_t; files_pid_file(avahi_var_run_t) @@ -11697,18 +11735,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.5.6/policy/modules/services/bind.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.5.7/policy/modules/services/bind.fc --- nsaserefpolicy/policy/modules/services/bind.fc 2008-09-03 10:17:00.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/bind.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/bind.fc 2008-09-08 10:19:44.000000000 -0400 @@ -51,3 +51,5 @@ /var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) /var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0) ') + +/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.5.6/policy/modules/services/bind.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.5.7/policy/modules/services/bind.if --- nsaserefpolicy/policy/modules/services/bind.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/bind.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/bind.if 2008-09-08 10:19:44.000000000 -0400 @@ -254,3 +254,86 @@ interface(`bind_udp_chat_named',` refpolicywarn(`$0($*) has been deprecated.') @@ -11796,9 +11834,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_list_pids($1) + admin_pattern($1, named_var_run_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.5.6/policy/modules/services/bind.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.5.7/policy/modules/services/bind.te --- nsaserefpolicy/policy/modules/services/bind.te 2008-09-03 10:17:00.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/bind.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/bind.te 2008-09-08 10:19:45.000000000 -0400 @@ -53,6 +53,9 @@ init_system_domain(ndc_t, ndc_exec_t) role system_r types ndc_t; @@ -11826,9 +11864,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_sendrecv_rndc_client_packets(ndc_t) domain_use_interactive_fds(ndc_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.fc serefpolicy-3.5.6/policy/modules/services/bitlbee.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.fc serefpolicy-3.5.7/policy/modules/services/bitlbee.fc --- nsaserefpolicy/policy/modules/services/bitlbee.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/bitlbee.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/bitlbee.fc 2008-09-08 10:19:45.000000000 -0400 @@ -1,3 +1,6 @@ /usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0) /etc/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_conf_t,s0) @@ -11836,9 +11874,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + +/etc/rc\.d/init\.d/bitlbee -- gen_context(system_u:object_r:bitlbee_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.if serefpolicy-3.5.6/policy/modules/services/bitlbee.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.if serefpolicy-3.5.7/policy/modules/services/bitlbee.if --- nsaserefpolicy/policy/modules/services/bitlbee.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/bitlbee.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/bitlbee.if 2008-09-08 10:19:45.000000000 -0400 @@ -20,3 +20,70 @@ allow $1 bitlbee_conf_t:file { read getattr }; ') @@ -11910,9 +11948,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.5.6/policy/modules/services/bitlbee.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.5.7/policy/modules/services/bitlbee.te --- nsaserefpolicy/policy/modules/services/bitlbee.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/bitlbee.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/bitlbee.te 2008-09-08 10:19:45.000000000 -0400 @@ -17,6 +17,12 @@ type bitlbee_var_t; files_type(bitlbee_var_t) @@ -11964,9 +12002,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol sysnet_dns_name_resolve(bitlbee_t) optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.fc serefpolicy-3.5.6/policy/modules/services/bluetooth.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.fc serefpolicy-3.5.7/policy/modules/services/bluetooth.fc --- nsaserefpolicy/policy/modules/services/bluetooth.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/bluetooth.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/bluetooth.fc 2008-09-08 10:19:45.000000000 -0400 @@ -22,3 +22,8 @@ # /var/lib/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_var_lib_t,s0) @@ -11976,9 +12014,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/rc\.d/init\.d/bluetooth -- gen_context(system_u:object_r:bluetooth_script_exec_t,s0) +/etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_script_exec_t,s0) +/etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.5.6/policy/modules/services/bluetooth.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.5.7/policy/modules/services/bluetooth.if --- nsaserefpolicy/policy/modules/services/bluetooth.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/bluetooth.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/bluetooth.if 2008-09-08 10:19:45.000000000 -0400 @@ -226,3 +226,88 @@ dontaudit $1 bluetooth_helper_domain:dir search; dontaudit $1 bluetooth_helper_domain:file { read getattr }; @@ -12068,9 +12106,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, bluetooth_var_run_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.5.6/policy/modules/services/bluetooth.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.5.7/policy/modules/services/bluetooth.te --- nsaserefpolicy/policy/modules/services/bluetooth.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/bluetooth.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/bluetooth.te 2008-09-08 10:19:45.000000000 -0400 @@ -32,19 +32,22 @@ type bluetooth_var_run_t; files_pid_file(bluetooth_var_run_t) @@ -12143,18 +12181,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/canna.fc serefpolicy-3.5.6/policy/modules/services/canna.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/canna.fc serefpolicy-3.5.7/policy/modules/services/canna.fc --- nsaserefpolicy/policy/modules/services/canna.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/canna.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/canna.fc 2008-09-08 10:19:45.000000000 -0400 @@ -20,3 +20,5 @@ /var/run/\.iroha_unix -d gen_context(system_u:object_r:canna_var_run_t,s0) /var/run/\.iroha_unix/.* -s gen_context(system_u:object_r:canna_var_run_t,s0) /var/run/wnn-unix(/.*) gen_context(system_u:object_r:canna_var_run_t,s0) + +/etc/rc\.d/init\.d/canna -- gen_context(system_u:object_r:canna_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/canna.if serefpolicy-3.5.6/policy/modules/services/canna.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/canna.if serefpolicy-3.5.7/policy/modules/services/canna.if --- nsaserefpolicy/policy/modules/services/canna.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/canna.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/canna.if 2008-09-08 10:19:45.000000000 -0400 @@ -18,3 +18,74 @@ files_search_pids($1) stream_connect_pattern($1, canna_var_run_t, canna_var_run_t,canna_t) @@ -12230,9 +12268,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/canna.te serefpolicy-3.5.6/policy/modules/services/canna.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/canna.te serefpolicy-3.5.7/policy/modules/services/canna.te --- nsaserefpolicy/policy/modules/services/canna.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/canna.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/canna.te 2008-09-08 10:19:45.000000000 -0400 @@ -19,6 +19,9 @@ type canna_var_run_t; files_pid_file(canna_var_run_t) @@ -12243,9 +12281,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Local policy -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.5.6/policy/modules/services/clamav.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.5.7/policy/modules/services/clamav.fc --- nsaserefpolicy/policy/modules/services/clamav.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/clamav.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/clamav.fc 2008-09-08 10:19:45.000000000 -0400 @@ -5,16 +5,18 @@ /usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0) @@ -12270,9 +12308,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0) + +/etc/rc\.d/init\.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.5.6/policy/modules/services/clamav.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.5.7/policy/modules/services/clamav.if --- nsaserefpolicy/policy/modules/services/clamav.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/clamav.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/clamav.if 2008-09-08 10:19:45.000000000 -0400 @@ -38,6 +38,27 @@ ######################################## @@ -12418,9 +12456,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, freshclam_var_log_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.5.6/policy/modules/services/clamav.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.5.7/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/clamav.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/clamav.te 2008-09-08 10:19:45.000000000 -0400 @@ -13,7 +13,7 @@ # configuration files @@ -12517,9 +12555,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + mailscanner_manage_spool(clamscan_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.5.6/policy/modules/services/consolekit.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.5.7/policy/modules/services/consolekit.fc --- nsaserefpolicy/policy/modules/services/consolekit.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/consolekit.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/consolekit.fc 2008-09-08 10:19:45.000000000 -0400 @@ -1,3 +1,6 @@ /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) @@ -12527,9 +12565,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/ConsoleKit(/.*)? -- gen_context(system_u:object_r:consolekit_var_run_t,s0) + +/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.5.6/policy/modules/services/consolekit.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.5.7/policy/modules/services/consolekit.if --- nsaserefpolicy/policy/modules/services/consolekit.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/consolekit.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/consolekit.if 2008-09-08 10:19:45.000000000 -0400 @@ -38,3 +38,24 @@ allow $1 consolekit_t:dbus send_msg; allow consolekit_t $1:dbus send_msg; @@ -12555,9 +12593,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.5.6/policy/modules/services/consolekit.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.5.7/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/consolekit.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/consolekit.te 2008-09-08 10:19:45.000000000 -0400 @@ -13,6 +13,9 @@ type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) @@ -12672,17 +12710,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_dontaudit_rw_cifs_files(consolekit_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.fc serefpolicy-3.5.6/policy/modules/services/courier.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.fc serefpolicy-3.5.7/policy/modules/services/courier.fc --- nsaserefpolicy/policy/modules/services/courier.fc 2008-08-14 13:08:27.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/courier.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/courier.fc 2008-09-08 10:19:45.000000000 -0400 @@ -21,3 +21,4 @@ /var/run/courier(/.*)? -- gen_context(system_u:object_r:courier_var_run_t,s0) /var/spool/courier(/.*)? gen_context(system_u:object_r:courier_spool_t,s0) +/var/spool/authdaemon(/.*)? gen_context(system_u:object_r:courier_spool_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.5.6/policy/modules/services/courier.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.5.7/policy/modules/services/courier.te --- nsaserefpolicy/policy/modules/services/courier.te 2008-08-14 13:08:27.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/courier.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/courier.te 2008-09-08 10:19:45.000000000 -0400 @@ -28,6 +28,7 @@ type courier_exec_t; @@ -12701,9 +12739,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Calendar (PCP) local policy -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.5.6/policy/modules/services/cron.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.5.7/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/cron.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/cron.fc 2008-09-08 10:19:45.000000000 -0400 @@ -17,6 +17,8 @@ /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) @@ -12718,9 +12756,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) +/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.5.6/policy/modules/services/cron.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.5.7/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/cron.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/cron.if 2008-09-08 10:19:45.000000000 -0400 @@ -35,39 +35,24 @@ # template(`cron_per_role_template',` @@ -13088,9 +13126,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + read_files_pattern($1, system_crond_var_lib_t, system_crond_var_lib_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.5.6/policy/modules/services/cron.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.5.7/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/cron.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/cron.te 2008-09-08 10:19:45.000000000 -0400 @@ -12,14 +12,6 @@ ## @@ -13361,9 +13399,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + userdom_priveleged_home_dir_manager(system_crond_t) ') -') dnl end TODO -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.5.6/policy/modules/services/cups.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.5.7/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/cups.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/cups.fc 2008-09-08 11:56:29.000000000 -0400 @@ -8,6 +8,7 @@ /etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) @@ -13406,7 +13444,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -@@ -43,10 +49,21 @@ +@@ -43,10 +49,22 @@ /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) @@ -13414,6 +13452,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0) /var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) ++/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) /var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0) /var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0) /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) @@ -13429,9 +13468,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0) + +/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cups_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.5.6/policy/modules/services/cups.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.5.7/policy/modules/services/cups.if --- nsaserefpolicy/policy/modules/services/cups.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/cups.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/cups.if 2008-09-08 10:19:45.000000000 -0400 @@ -20,6 +20,30 @@ ######################################## @@ -13589,9 +13628,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, hplip_var_run_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.5.6/policy/modules/services/cups.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.5.7/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2008-09-03 07:59:15.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/cups.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/cups.te 2008-09-08 11:56:12.000000000 -0400 @@ -48,6 +48,10 @@ type hplip_t; type hplip_exec_t; @@ -13650,7 +13689,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow cupsd_t cupsd_exec_t:lnk_file read; manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) -@@ -116,13 +134,19 @@ +@@ -116,13 +134,20 @@ manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) @@ -13664,6 +13703,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow cupsd_t cupsd_var_run_t:dir setattr; manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) ++manage_fifo_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t) files_pid_filetrans(cupsd_t, cupsd_var_run_t, file) -read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) @@ -13672,7 +13712,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow cupsd_t hplip_var_run_t:file { read getattr }; stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) -@@ -149,32 +173,35 @@ +@@ -149,32 +174,35 @@ corenet_tcp_bind_reserved_port(cupsd_t) corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) @@ -13712,7 +13752,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp corecmd_exec_shell(cupsd_t) corecmd_exec_bin(cupsd_t) -@@ -186,7 +213,7 @@ +@@ -186,7 +214,7 @@ # read python modules files_read_usr_files(cupsd_t) # for /var/lib/defoma @@ -13721,7 +13761,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_list_world_readable(cupsd_t) files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) -@@ -195,15 +222,16 @@ +@@ -195,15 +223,16 @@ files_read_var_symlinks(cupsd_t) # for /etc/printcap files_dontaudit_write_etc_files(cupsd_t) @@ -13742,7 +13782,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(cupsd_t) libs_use_ld_so(cupsd_t) -@@ -219,17 +247,22 @@ +@@ -219,17 +248,22 @@ miscfiles_read_fonts(cupsd_t) seutil_read_config(cupsd_t) @@ -13767,7 +13807,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -246,8 +279,16 @@ +@@ -246,8 +280,16 @@ userdom_dbus_send_all_users(cupsd_t) optional_policy(` @@ -13784,7 +13824,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -263,6 +304,10 @@ +@@ -263,6 +305,10 @@ ') optional_policy(` @@ -13795,7 +13835,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cups execs smbtool which reads samba_etc_t files samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) -@@ -281,7 +326,7 @@ +@@ -281,7 +327,7 @@ # Cups configuration daemon local policy # @@ -13804,7 +13844,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit cupsd_config_t self:capability sys_tty_config; allow cupsd_config_t self:process signal_perms; allow cupsd_config_t self:fifo_file rw_fifo_file_perms; -@@ -326,6 +371,7 @@ +@@ -326,6 +372,7 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) dev_read_rand(cupsd_config_t) @@ -13812,7 +13852,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(cupsd_config_t) fs_search_auto_mountpoints(cupsd_config_t) -@@ -343,7 +389,7 @@ +@@ -343,7 +390,7 @@ files_read_var_symlinks(cupsd_config_t) # Alternatives asks for this @@ -13821,7 +13861,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(cupsd_config_t) -@@ -353,6 +399,7 @@ +@@ -353,6 +400,7 @@ logging_send_syslog_msg(cupsd_config_t) miscfiles_read_localization(cupsd_config_t) @@ -13829,7 +13869,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_dontaudit_search_config(cupsd_config_t) -@@ -365,14 +412,16 @@ +@@ -365,14 +413,16 @@ sysadm_dontaudit_search_home_dirs(cupsd_config_t) ifdef(`distro_redhat',` @@ -13848,7 +13888,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cron_system_entry(cupsd_config_t, cupsd_config_exec_t) ') -@@ -388,6 +437,7 @@ +@@ -388,6 +438,7 @@ optional_policy(` hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) @@ -13856,7 +13896,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -500,7 +550,7 @@ +@@ -500,7 +551,7 @@ allow hplip_t self:udp_socket create_socket_perms; allow hplip_t self:rawip_socket create_socket_perms; @@ -13865,7 +13905,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cups_stream_connect(hplip_t) -@@ -509,6 +559,8 @@ +@@ -509,6 +560,8 @@ read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) files_search_etc(hplip_t) @@ -13874,7 +13914,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) files_pid_filetrans(hplip_t, hplip_var_run_t, file) -@@ -538,7 +590,8 @@ +@@ -538,7 +591,8 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) @@ -13884,7 +13924,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(hplip_t) fs_search_auto_mountpoints(hplip_t) -@@ -564,12 +617,14 @@ +@@ -564,12 +618,14 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) userdom_dontaudit_search_all_users_home_content(hplip_t) @@ -13900,7 +13940,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -651,3 +706,45 @@ +@@ -651,3 +707,45 @@ optional_policy(` udev_read_db(ptal_t) ') @@ -13946,9 +13986,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +sysadm_dontaudit_read_home_content_files(cups_pdf_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.fc serefpolicy-3.5.6/policy/modules/services/cvs.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.fc serefpolicy-3.5.7/policy/modules/services/cvs.fc --- nsaserefpolicy/policy/modules/services/cvs.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/cvs.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/cvs.fc 2008-09-08 10:19:45.000000000 -0400 @@ -5,3 +5,6 @@ /var/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0) @@ -13956,9 +13996,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +#CVSWeb file context +/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0) +/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-3.5.6/policy/modules/services/cvs.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-3.5.7/policy/modules/services/cvs.if --- nsaserefpolicy/policy/modules/services/cvs.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/cvs.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/cvs.if 2008-09-08 10:19:45.000000000 -0400 @@ -36,3 +36,70 @@ can_exec($1, cvs_exec_t) @@ -14030,9 +14070,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, cvs_var_run_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.5.6/policy/modules/services/cvs.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.5.7/policy/modules/services/cvs.te --- nsaserefpolicy/policy/modules/services/cvs.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/cvs.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/cvs.te 2008-09-08 10:19:45.000000000 -0400 @@ -28,6 +28,9 @@ type cvs_var_run_t; files_pid_file(cvs_var_run_t) @@ -14087,18 +14127,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -optional_policy(` - nscd_socket_use(cvs_t) -') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.fc serefpolicy-3.5.6/policy/modules/services/cyrus.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.fc serefpolicy-3.5.7/policy/modules/services/cyrus.fc --- nsaserefpolicy/policy/modules/services/cyrus.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/cyrus.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/cyrus.fc 2008-09-08 10:19:45.000000000 -0400 @@ -2,3 +2,5 @@ /usr/lib(64)?/cyrus-imapd/cyrus-master -- gen_context(system_u:object_r:cyrus_exec_t,s0) /var/lib/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0) + +/etc/rc\.d/init\.d/cyrus -- gen_context(system_u:object_r:cyrus_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.if serefpolicy-3.5.6/policy/modules/services/cyrus.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.if serefpolicy-3.5.7/policy/modules/services/cyrus.if --- nsaserefpolicy/policy/modules/services/cyrus.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/cyrus.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/cyrus.if 2008-09-08 10:19:45.000000000 -0400 @@ -39,3 +39,74 @@ files_search_var_lib($1) stream_connect_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t, cyrus_t) @@ -14174,9 +14214,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.5.6/policy/modules/services/cyrus.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.5.7/policy/modules/services/cyrus.te --- nsaserefpolicy/policy/modules/services/cyrus.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/cyrus.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/cyrus.te 2008-09-08 10:19:45.000000000 -0400 @@ -19,6 +19,9 @@ type cyrus_var_run_t; files_pid_file(cyrus_var_run_t) @@ -14196,9 +14236,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.5.6/policy/modules/services/dbus.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.5.7/policy/modules/services/dbus.fc --- nsaserefpolicy/policy/modules/services/dbus.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/dbus.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/dbus.fc 2008-09-08 10:19:45.000000000 -0400 @@ -4,6 +4,9 @@ /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:system_dbusd_exec_t,s0) /bin/dbus-daemon -- gen_context(system_u:object_r:system_dbusd_exec_t,s0) @@ -14209,9 +14249,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.5.6/policy/modules/services/dbus.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.5.7/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/dbus.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/dbus.if 2008-09-08 10:19:45.000000000 -0400 @@ -53,6 +53,7 @@ gen_require(` type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t; @@ -14507,9 +14547,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 system_dbusd_t:tcp_socket { read write }; + allow $1 system_dbusd_t:fd use; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.5.6/policy/modules/services/dbus.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.5.7/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/dbus.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/dbus.te 2008-09-08 10:19:45.000000000 -0400 @@ -9,9 +9,10 @@ # # Delcarations @@ -14631,9 +14671,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_xdm_rw_shm(unconfined_dbusd_t) + ') +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.if serefpolicy-3.5.6/policy/modules/services/dcc.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.if serefpolicy-3.5.7/policy/modules/services/dcc.if --- nsaserefpolicy/policy/modules/services/dcc.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/dcc.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/dcc.if 2008-09-08 10:19:45.000000000 -0400 @@ -72,6 +72,24 @@ ######################################## @@ -14659,9 +14699,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute dcc_client in the dcc_client domain, and ## allow the specified role the dcc_client domain. ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.5.6/policy/modules/services/dcc.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.5.7/policy/modules/services/dcc.te --- nsaserefpolicy/policy/modules/services/dcc.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/dcc.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/dcc.te 2008-09-08 10:19:45.000000000 -0400 @@ -105,6 +105,8 @@ files_read_etc_files(cdcc_t) files_read_etc_runtime_files(cdcc_t) @@ -14831,18 +14871,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(dccm_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.fc serefpolicy-3.5.6/policy/modules/services/ddclient.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.fc serefpolicy-3.5.7/policy/modules/services/ddclient.fc --- nsaserefpolicy/policy/modules/services/ddclient.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/ddclient.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/ddclient.fc 2008-09-08 10:19:45.000000000 -0400 @@ -9,3 +9,5 @@ /var/log/ddtcd\.log.* -- gen_context(system_u:object_r:ddclient_log_t,s0) /var/run/ddclient\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0) /var/run/ddtcd\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0) +/etc/rc\.d/init\.d/ddclient -- gen_context(system_u:object_r:ddclient_script_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.if serefpolicy-3.5.6/policy/modules/services/ddclient.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.if serefpolicy-3.5.7/policy/modules/services/ddclient.if --- nsaserefpolicy/policy/modules/services/ddclient.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/ddclient.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/ddclient.if 2008-09-08 10:19:45.000000000 -0400 @@ -18,3 +18,81 @@ corecmd_search_bin($1) domtrans_pattern($1, ddclient_exec_t, ddclient_t) @@ -14925,9 +14965,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, ddclient_var_run_t) + +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.te serefpolicy-3.5.6/policy/modules/services/ddclient.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.te serefpolicy-3.5.7/policy/modules/services/ddclient.te --- nsaserefpolicy/policy/modules/services/ddclient.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/ddclient.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/ddclient.te 2008-09-08 10:19:45.000000000 -0400 @@ -11,7 +11,7 @@ init_daemon_domain(ddclient_t, ddclient_exec_t) @@ -14947,9 +14987,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Declarations -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.fc serefpolicy-3.5.6/policy/modules/services/dhcp.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.fc serefpolicy-3.5.7/policy/modules/services/dhcp.fc --- nsaserefpolicy/policy/modules/services/dhcp.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/dhcp.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/dhcp.fc 2008-09-08 10:19:45.000000000 -0400 @@ -5,3 +5,6 @@ /var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0) @@ -14957,9 +14997,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/etc/rc\.d/init\.d/dhcpd -- gen_context(system_u:object_r:dhcpd_script_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.5.6/policy/modules/services/dhcp.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.5.7/policy/modules/services/dhcp.if --- nsaserefpolicy/policy/modules/services/dhcp.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/dhcp.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/dhcp.if 2008-09-08 10:19:45.000000000 -0400 @@ -19,3 +19,71 @@ sysnet_search_dhcp_state($1) allow $1 dhcpd_state_t:file setattr; @@ -15032,9 +15072,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_list_pids($1) + admin_pattern($1, dhcpd_var_run_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.5.6/policy/modules/services/dhcp.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.5.7/policy/modules/services/dhcp.te --- nsaserefpolicy/policy/modules/services/dhcp.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/dhcp.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/dhcp.te 2008-09-08 10:19:45.000000000 -0400 @@ -19,18 +19,20 @@ type dhcpd_var_run_t; files_pid_file(dhcpd_var_run_t) @@ -15098,9 +15138,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(dhcpd_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.fc serefpolicy-3.5.6/policy/modules/services/dictd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.fc serefpolicy-3.5.7/policy/modules/services/dictd.fc --- nsaserefpolicy/policy/modules/services/dictd.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/dictd.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/dictd.fc 2008-09-08 10:19:45.000000000 -0400 @@ -4,3 +4,6 @@ /usr/sbin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0) @@ -15108,9 +15148,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/dictd\.pid -- gen_context(system_u:object_r:dictd_var_run_t,s0) + +/etc/rc\.d/init\.d/dictd -- gen_context(system_u:object_r:dictd_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.if serefpolicy-3.5.6/policy/modules/services/dictd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.if serefpolicy-3.5.7/policy/modules/services/dictd.if --- nsaserefpolicy/policy/modules/services/dictd.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/dictd.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/dictd.if 2008-09-08 10:19:45.000000000 -0400 @@ -14,3 +14,73 @@ interface(`dictd_tcp_connect',` refpolicywarn(`$0($*) has been deprecated.') @@ -15185,9 +15225,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, dictd_var_run_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.te serefpolicy-3.5.6/policy/modules/services/dictd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.te serefpolicy-3.5.7/policy/modules/services/dictd.te --- nsaserefpolicy/policy/modules/services/dictd.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/dictd.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/dictd.te 2008-09-08 10:19:45.000000000 -0400 @@ -16,6 +16,12 @@ type dictd_var_lib_t alias var_lib_dictd_t; files_type(dictd_var_lib_t) @@ -15211,9 +15251,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(dictd_t) kernel_read_kernel_sysctls(dictd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.5.6/policy/modules/services/dnsmasq.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.5.7/policy/modules/services/dnsmasq.fc --- nsaserefpolicy/policy/modules/services/dnsmasq.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/dnsmasq.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/dnsmasq.fc 2008-09-08 10:19:45.000000000 -0400 @@ -1,4 +1,7 @@ /usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0) @@ -15222,9 +15262,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) + +/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.5.6/policy/modules/services/dnsmasq.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.5.7/policy/modules/services/dnsmasq.if --- nsaserefpolicy/policy/modules/services/dnsmasq.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/dnsmasq.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/dnsmasq.if 2008-09-08 10:19:45.000000000 -0400 @@ -1 +1,125 @@ ## dnsmasq DNS forwarder and DHCP server + @@ -15351,9 +15391,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_list_pids($1) + admin_pattern($1, dnsmasq_var_run_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.5.6/policy/modules/services/dnsmasq.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.5.7/policy/modules/services/dnsmasq.te --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/dnsmasq.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/dnsmasq.te 2008-09-08 10:19:45.000000000 -0400 @@ -16,6 +16,9 @@ type dnsmasq_var_run_t; files_pid_file(dnsmasq_var_run_t) @@ -15399,9 +15439,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + virt_manage_lib_files(dnsmasq_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.5.6/policy/modules/services/dovecot.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.5.7/policy/modules/services/dovecot.fc --- nsaserefpolicy/policy/modules/services/dovecot.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/dovecot.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/dovecot.fc 2008-09-08 10:19:45.000000000 -0400 @@ -17,23 +17,24 @@ ifdef(`distro_debian', ` @@ -15432,9 +15472,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) +/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.5.6/policy/modules/services/dovecot.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.5.7/policy/modules/services/dovecot.if --- nsaserefpolicy/policy/modules/services/dovecot.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/dovecot.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/dovecot.if 2008-09-08 10:19:45.000000000 -0400 @@ -21,7 +21,46 @@ ######################################## @@ -15573,9 +15613,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.5.6/policy/modules/services/dovecot.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.5.7/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/dovecot.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/dovecot.te 2008-09-08 10:19:45.000000000 -0400 @@ -15,6 +15,12 @@ domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t) role system_r types dovecot_auth_t; @@ -15739,9 +15779,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + mta_manage_spool(dovecot_deliver_t) ') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.5.6/policy/modules/services/exim.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.5.7/policy/modules/services/exim.if --- nsaserefpolicy/policy/modules/services/exim.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/exim.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/exim.if 2008-09-08 10:19:45.000000000 -0400 @@ -97,6 +97,26 @@ ######################################## @@ -15793,9 +15833,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_dirs_pattern($1, exim_spool_t, exim_spool_t) + files_search_spool($1) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.5.6/policy/modules/services/exim.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.5.7/policy/modules/services/exim.te --- nsaserefpolicy/policy/modules/services/exim.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/exim.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/exim.te 2008-09-08 10:19:45.000000000 -0400 @@ -21,9 +21,20 @@ ## gen_tunable(exim_manage_user_files, false) @@ -15969,20 +16009,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + spamassassin_exec(exim_t) + spamassassin_exec_client(exim_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.fc serefpolicy-3.5.6/policy/modules/services/fail2ban.fc ---- nsaserefpolicy/policy/modules/services/fail2ban.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/fail2ban.fc 2008-09-03 15:55:22.000000000 -0400 -@@ -1,3 +1,7 @@ - /usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0) -+/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0) - /var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0) - /var/run/fail2ban\.pid -- gen_context(system_u:object_r:fail2ban_var_run_t,s0) -+/var/run/fail2ban\.sock -s gen_context(system_u:object_r:fail2ban_var_run_t,s0) -+/etc/rc\.d/init\.d/fail2ban -- gen_context(system_u:object_r:fail2ban_script_exec_t,s0) -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.5.6/policy/modules/services/fail2ban.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.5.7/policy/modules/services/fail2ban.if --- nsaserefpolicy/policy/modules/services/fail2ban.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/fail2ban.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/fail2ban.if 2008-09-08 10:19:45.000000000 -0400 @@ -78,3 +78,67 @@ files_search_pids($1) allow $1 fail2ban_var_run_t:file read_file_perms; @@ -16051,87 +16080,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_list_pids($1) + admin_pattern($1, fail2ban_var_run_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.5.6/policy/modules/services/fail2ban.te ---- nsaserefpolicy/policy/modules/services/fail2ban.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/fail2ban.te 2008-09-03 15:55:22.000000000 -0400 -@@ -18,6 +18,9 @@ - type fail2ban_var_run_t; - files_pid_file(fail2ban_var_run_t) - -+type fail2ban_script_exec_t; -+init_script_file(fail2ban_script_exec_t) -+ - ######################################## - # - # fail2ban local policy -@@ -25,7 +28,8 @@ - - allow fail2ban_t self:process signal; - allow fail2ban_t self:fifo_file rw_fifo_file_perms; --allow fail2ban_t self:unix_stream_socket create_stream_socket_perms; -+allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms }; -+allow fail2ban_t self:tcp_socket create_stream_socket_perms; - - # log files - allow fail2ban_t fail2ban_log_t:dir setattr; -@@ -33,8 +37,9 @@ - logging_log_filetrans(fail2ban_t, fail2ban_log_t, file) - - # pid file -+manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) - manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) --files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, file) -+files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { file sock_file }) - - kernel_read_system_state(fail2ban_t) - -@@ -46,15 +51,32 @@ - domain_use_interactive_fds(fail2ban_t) - - files_read_etc_files(fail2ban_t) -+files_read_etc_runtime_files(fail2ban_t) - files_read_usr_files(fail2ban_t) -+files_list_var(fail2ban_t) -+files_search_var_lib(fail2ban_t) -+ -+fs_list_inotifyfs(fail2ban_t) -+fs_getattr_all_fs(fail2ban_t) -+ -+corenet_all_recvfrom_unlabeled(fail2ban_t) -+corenet_all_recvfrom_netlabel(fail2ban_t) -+corenet_tcp_sendrecv_generic_if(fail2ban_t) -+corenet_tcp_sendrecv_all_nodes(fail2ban_t) -+corenet_tcp_sendrecv_all_ports(fail2ban_t) -+corenet_tcp_connect_whois_port(fail2ban_t) -+ -+auth_use_nsswitch(fail2ban_t) - - libs_use_ld_so(fail2ban_t) - libs_use_shared_libs(fail2ban_t) - --logging_read_generic_logs(fail2ban_t) -+logging_read_all_logs(fail2ban_t) - - miscfiles_read_localization(fail2ban_t) - -+mta_send_mail(fail2ban_t) -+ - optional_policy(` - apache_read_log(fail2ban_t) - ') -@@ -64,5 +86,9 @@ - ') - - optional_policy(` -+ gamin_exec(fail2ban_t) -+') -+ -+optional_policy(` - iptables_domtrans(fail2ban_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.if serefpolicy-3.5.6/policy/modules/services/fetchmail.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.if serefpolicy-3.5.7/policy/modules/services/fetchmail.if --- nsaserefpolicy/policy/modules/services/fetchmail.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/fetchmail.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/fetchmail.if 2008-09-08 10:19:45.000000000 -0400 @@ -21,10 +21,10 @@ ps_process_pattern($1, fetchmail_t) @@ -16146,9 +16097,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - manage_files_pattern($1, fetchmail_var_run_t, fetchmail_var_run_t) + admin_pattern($1, fetchmail_var_run_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.5.6/policy/modules/services/fetchmail.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.5.7/policy/modules/services/fetchmail.te --- nsaserefpolicy/policy/modules/services/fetchmail.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/fetchmail.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/fetchmail.te 2008-09-08 10:19:45.000000000 -0400 @@ -91,6 +91,10 @@ ') @@ -16160,9 +16111,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(fetchmail_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-3.5.6/policy/modules/services/ftp.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-3.5.7/policy/modules/services/ftp.fc --- nsaserefpolicy/policy/modules/services/ftp.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/ftp.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/ftp.fc 2008-09-08 10:19:45.000000000 -0400 @@ -27,3 +27,6 @@ /var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0) @@ -16170,9 +16121,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftp_script_exec_t,s0) +/etc/rc\.d/init\.d/proftpd -- gen_context(system_u:object_r:ftp_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.5.6/policy/modules/services/ftp.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.5.7/policy/modules/services/ftp.if --- nsaserefpolicy/policy/modules/services/ftp.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/ftp.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/ftp.if 2008-09-08 10:19:45.000000000 -0400 @@ -28,11 +28,13 @@ type ftpd_t; ') @@ -16287,9 +16238,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_list_pids($1) + admin_pattern($1, ftp_var_run_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.5.6/policy/modules/services/ftp.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.5.7/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/ftp.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/ftp.te 2008-09-08 10:19:45.000000000 -0400 @@ -75,6 +75,9 @@ type xferlog_t; logging_log_file(xferlog_t) @@ -16368,15 +16319,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(ftpd_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.fc serefpolicy-3.5.6/policy/modules/services/gamin.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.fc serefpolicy-3.5.7/policy/modules/services/gamin.fc --- nsaserefpolicy/policy/modules/services/gamin.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/services/gamin.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/gamin.fc 2008-09-08 10:19:45.000000000 -0400 @@ -0,0 +1,2 @@ + +/usr/libexec/gam_server -- gen_context(system_u:object_r:gamin_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.if serefpolicy-3.5.6/policy/modules/services/gamin.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.if serefpolicy-3.5.7/policy/modules/services/gamin.if --- nsaserefpolicy/policy/modules/services/gamin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/services/gamin.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/gamin.if 2008-09-08 10:19:45.000000000 -0400 @@ -0,0 +1,57 @@ + +## policy for gamin @@ -16435,9 +16386,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 gamin_t:unix_stream_socket connectto; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.te serefpolicy-3.5.6/policy/modules/services/gamin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.te serefpolicy-3.5.7/policy/modules/services/gamin.te --- nsaserefpolicy/policy/modules/services/gamin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/services/gamin.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/gamin.te 2008-09-08 10:19:45.000000000 -0400 @@ -0,0 +1,39 @@ +policy_module(gamin, 1.0.0) + @@ -16478,16 +16429,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +miscfiles_read_localization(gamin_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.5.6/policy/modules/services/gnomeclock.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.5.7/policy/modules/services/gnomeclock.fc --- nsaserefpolicy/policy/modules/services/gnomeclock.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/services/gnomeclock.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/gnomeclock.fc 2008-09-08 10:19:45.000000000 -0400 @@ -0,0 +1,3 @@ + +/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.5.6/policy/modules/services/gnomeclock.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.5.7/policy/modules/services/gnomeclock.if --- nsaserefpolicy/policy/modules/services/gnomeclock.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/services/gnomeclock.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/gnomeclock.if 2008-09-08 10:19:45.000000000 -0400 @@ -0,0 +1,75 @@ + +## policy for gnomeclock @@ -16564,9 +16515,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 gnomeclock_t:dbus send_msg; + allow gnomeclock_t $1:dbus send_msg; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.5.6/policy/modules/services/gnomeclock.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.5.7/policy/modules/services/gnomeclock.te --- nsaserefpolicy/policy/modules/services/gnomeclock.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/services/gnomeclock.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/gnomeclock.te 2008-09-08 10:19:45.000000000 -0400 @@ -0,0 +1,55 @@ +policy_module(gnomeclock, 1.0.0) +######################################## @@ -16623,9 +16574,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + polkit_read_lib(gnomeclock_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.5.6/policy/modules/services/hal.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.5.7/policy/modules/services/hal.fc --- nsaserefpolicy/policy/modules/services/hal.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/hal.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/hal.fc 2008-09-08 10:19:45.000000000 -0400 @@ -9,6 +9,7 @@ /usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0) /usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) @@ -16634,9 +16585,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/hald -- gen_context(system_u:object_r:hald_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.5.6/policy/modules/services/hal.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.5.7/policy/modules/services/hal.if --- nsaserefpolicy/policy/modules/services/hal.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/hal.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/hal.if 2008-09-08 10:19:45.000000000 -0400 @@ -302,3 +302,42 @@ files_search_pids($1) allow $1 hald_var_run_t:file rw_file_perms; @@ -16680,9 +16631,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + read_lnk_files_pattern($1, hald_t, hald_t) + dontaudit $1 hald_t:process ptrace; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.5.6/policy/modules/services/hal.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.5.7/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/hal.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/hal.te 2008-09-08 10:19:45.000000000 -0400 @@ -49,6 +49,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) @@ -16794,9 +16745,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Should be removed when this is fixed -#cron_read_system_job_lib_files(hald_t) +cron_read_system_job_lib_files(hald_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.fc serefpolicy-3.5.6/policy/modules/services/inetd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.fc serefpolicy-3.5.7/policy/modules/services/inetd.fc --- nsaserefpolicy/policy/modules/services/inetd.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/inetd.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/inetd.fc 2008-09-08 10:19:45.000000000 -0400 @@ -1,6 +1,8 @@ /usr/sbin/identd -- gen_context(system_u:object_r:inetd_child_exec_t,s0) @@ -16806,18 +16757,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/inetd -- gen_context(system_u:object_r:inetd_exec_t,s0) /usr/sbin/rlinetd -- gen_context(system_u:object_r:inetd_exec_t,s0) /usr/sbin/xinetd -- gen_context(system_u:object_r:inetd_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.fc serefpolicy-3.5.6/policy/modules/services/inn.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.fc serefpolicy-3.5.7/policy/modules/services/inn.fc --- nsaserefpolicy/policy/modules/services/inn.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/inn.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/inn.fc 2008-09-08 10:19:45.000000000 -0400 @@ -64,3 +64,5 @@ /var/run/news(/.*)? gen_context(system_u:object_r:innd_var_run_t,s0) /var/spool/news(/.*)? gen_context(system_u:object_r:news_spool_t,s0) + +/etc/rc\.d/init\.d/innd -- gen_context(system_u:object_r:innd_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.if serefpolicy-3.5.6/policy/modules/services/inn.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.if serefpolicy-3.5.7/policy/modules/services/inn.if --- nsaserefpolicy/policy/modules/services/inn.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/inn.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/inn.if 2008-09-08 10:19:45.000000000 -0400 @@ -54,8 +54,7 @@ ') @@ -16909,9 +16860,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_list_pids($1) + admin_pattern($1, innd_var_run_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.5.6/policy/modules/services/inn.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.5.7/policy/modules/services/inn.te --- nsaserefpolicy/policy/modules/services/inn.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/inn.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/inn.te 2008-09-08 10:19:45.000000000 -0400 @@ -22,7 +22,10 @@ files_pid_file(innd_var_run_t) @@ -16924,17 +16875,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabber.fc serefpolicy-3.5.6/policy/modules/services/jabber.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabber.fc serefpolicy-3.5.7/policy/modules/services/jabber.fc --- nsaserefpolicy/policy/modules/services/jabber.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/jabber.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/jabber.fc 2008-09-08 10:19:45.000000000 -0400 @@ -2,3 +2,4 @@ /var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) /var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) +/etc/rc\.d/init\.d/jabber -- gen_context(system_u:object_r:jabber_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabber.if serefpolicy-3.5.6/policy/modules/services/jabber.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabber.if serefpolicy-3.5.7/policy/modules/services/jabber.if --- nsaserefpolicy/policy/modules/services/jabber.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/jabber.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/jabber.if 2008-09-08 10:19:45.000000000 -0400 @@ -13,3 +13,73 @@ interface(`jabber_tcp_connect',` refpolicywarn(`$0($*) has been deprecated.') @@ -17009,9 +16960,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, jabber_var_run_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabber.te serefpolicy-3.5.6/policy/modules/services/jabber.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabber.te serefpolicy-3.5.7/policy/modules/services/jabber.te --- nsaserefpolicy/policy/modules/services/jabber.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/jabber.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/jabber.te 2008-09-08 10:19:45.000000000 -0400 @@ -19,6 +19,9 @@ type jabberd_var_run_t; files_pid_file(jabberd_var_run_t) @@ -17022,10 +16973,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Local policy -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.5.6/policy/modules/services/kerberos.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.5.7/policy/modules/services/kerberos.fc --- nsaserefpolicy/policy/modules/services/kerberos.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/kerberos.fc 2008-09-03 15:55:22.000000000 -0400 -@@ -13,6 +13,14 @@ ++++ serefpolicy-3.5.7/policy/modules/services/kerberos.fc 2008-09-08 11:37:57.000000000 -0400 +@@ -7,12 +7,21 @@ + + /usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) + /usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) ++/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0) + + /usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) + /usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) /var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) /var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) @@ -17040,9 +16998,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_script_exec_t,s0) +/etc/rc\.d/init\.d/kpropd -- gen_context(system_u:object_r:kerberos_script_exec_t,s0) +/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.5.6/policy/modules/services/kerberos.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.5.7/policy/modules/services/kerberos.if --- nsaserefpolicy/policy/modules/services/kerberos.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/kerberos.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/kerberos.if 2008-09-08 11:37:38.000000000 -0400 @@ -23,6 +23,25 @@ ######################################## @@ -17129,7 +17087,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). ## ## -@@ -168,6 +216,175 @@ +@@ -168,6 +216,193 @@ ') files_search_etc($1) @@ -17303,12 +17261,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, krb5kdc_tmp_t) + + admin_pattern($1, krb5kdc_var_run_t) - ++ + admin_pattern($1, krb5_host_rcache_t) ++') ++ ++######################################## ++## ++## Execute a kadmind_exec_t in the current domain ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`kerberos_exec_kadmind',` ++ gen_require(` ++ type kpropd_exec_t; ++ ') + ++ can_exec($1,kadmind_exec_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.5.6/policy/modules/services/kerberos.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.5.7/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/kerberos.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/kerberos.te 2008-09-08 10:19:45.000000000 -0400 @@ -16,6 +16,7 @@ type kadmind_t; type kadmind_exec_t; @@ -17504,16 +17480,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +sysnet_dns_name_resolve(kpropd_t) + +kerberos_use(kpropd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.fc serefpolicy-3.5.6/policy/modules/services/kerneloops.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.fc serefpolicy-3.5.7/policy/modules/services/kerneloops.fc --- nsaserefpolicy/policy/modules/services/kerneloops.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/kerneloops.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/kerneloops.fc 2008-09-08 10:19:45.000000000 -0400 @@ -1 +1,3 @@ /usr/sbin/kerneloops -- gen_context(system_u:object_r:kerneloops_exec_t,s0) + +/etc/rc\.d/init\.d/kerneloops -- gen_context(system_u:object_r:kerneloops_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.5.6/policy/modules/services/kerneloops.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.5.7/policy/modules/services/kerneloops.if --- nsaserefpolicy/policy/modules/services/kerneloops.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/kerneloops.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/kerneloops.if 2008-09-08 10:19:45.000000000 -0400 @@ -21,6 +21,24 @@ ######################################## @@ -17571,10 +17547,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $2 system_r; + ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.5.6/policy/modules/services/kerneloops.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.5.7/policy/modules/services/kerneloops.te --- nsaserefpolicy/policy/modules/services/kerneloops.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/kerneloops.te 2008-09-03 15:55:22.000000000 -0400 -@@ -10,6 +10,9 @@ ++++ serefpolicy-3.5.7/policy/modules/services/kerneloops.te 2008-09-08 10:19:45.000000000 -0400 +@@ -10,13 +10,16 @@ type kerneloops_exec_t; init_daemon_domain(kerneloops_t, kerneloops_exec_t) @@ -17584,6 +17560,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # kerneloops local policy + # + + allow kerneloops_t self:capability sys_nice; +-allow kerneloops_t self:process { setsched getsched }; ++allow kerneloops_t self:process { setsched getsched signal }; + allow kerneloops_t self:fifo_file rw_file_perms; + + kernel_read_ring_buffer(kerneloops_t) @@ -24,6 +27,8 @@ # Init script handling domain_use_interactive_fds(kerneloops_t) @@ -17593,18 +17577,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(kerneloops_t) corenet_all_recvfrom_netlabel(kerneloops_t) corenet_tcp_sendrecv_all_if(kerneloops_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.5.6/policy/modules/services/ldap.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.5.7/policy/modules/services/ldap.fc --- nsaserefpolicy/policy/modules/services/ldap.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/ldap.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/ldap.fc 2008-09-08 10:19:45.000000000 -0400 @@ -14,3 +14,5 @@ /var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) + +/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:ldap_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.5.6/policy/modules/services/ldap.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.5.7/policy/modules/services/ldap.if --- nsaserefpolicy/policy/modules/services/ldap.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/ldap.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/ldap.if 2008-09-08 10:19:45.000000000 -0400 @@ -73,3 +73,80 @@ allow $1 slapd_var_run_t:sock_file write; allow $1 slapd_t:unix_stream_socket connectto; @@ -17686,9 +17670,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.5.6/policy/modules/services/ldap.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.5.7/policy/modules/services/ldap.te --- nsaserefpolicy/policy/modules/services/ldap.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/ldap.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/ldap.te 2008-09-08 10:19:45.000000000 -0400 @@ -31,6 +31,9 @@ type slapd_var_run_t; files_pid_file(slapd_var_run_t) @@ -17708,9 +17692,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.fc serefpolicy-3.5.6/policy/modules/services/lpd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.fc serefpolicy-3.5.7/policy/modules/services/lpd.fc --- nsaserefpolicy/policy/modules/services/lpd.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/lpd.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/lpd.fc 2008-09-08 10:19:45.000000000 -0400 @@ -22,11 +22,14 @@ /usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0) /usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0) @@ -17726,17 +17710,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/spool/cups-pdf(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh) /var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0) /var/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.5.6/policy/modules/services/mailman.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.5.7/policy/modules/services/mailman.fc --- nsaserefpolicy/policy/modules/services/mailman.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/mailman.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/mailman.fc 2008-09-08 10:35:20.000000000 -0400 @@ -31,3 +31,4 @@ /var/lock/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0) /var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) ') +/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.5.6/policy/modules/services/mailman.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.5.7/policy/modules/services/mailman.if --- nsaserefpolicy/policy/modules/services/mailman.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/mailman.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/mailman.if 2008-09-08 10:19:45.000000000 -0400 @@ -211,6 +211,7 @@ type mailman_data_t; ') @@ -17771,9 +17755,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Append to mailman logs. ## ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.5.6/policy/modules/services/mailman.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.5.7/policy/modules/services/mailman.te --- nsaserefpolicy/policy/modules/services/mailman.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/mailman.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/mailman.te 2008-09-08 10:19:45.000000000 -0400 @@ -53,10 +53,9 @@ apache_use_fds(mailman_cgi_t) apache_dontaudit_append_log(mailman_cgi_t) @@ -17821,15 +17805,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` cron_system_entry(mailman_queue_t, mailman_queue_exec_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.fc serefpolicy-3.5.6/policy/modules/services/mailscanner.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.fc serefpolicy-3.5.7/policy/modules/services/mailscanner.fc --- nsaserefpolicy/policy/modules/services/mailscanner.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/services/mailscanner.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/mailscanner.fc 2008-09-08 10:19:45.000000000 -0400 @@ -0,0 +1,2 @@ +/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:mailscanner_spool_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.if serefpolicy-3.5.6/policy/modules/services/mailscanner.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.if serefpolicy-3.5.7/policy/modules/services/mailscanner.if --- nsaserefpolicy/policy/modules/services/mailscanner.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/services/mailscanner.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/mailscanner.if 2008-09-08 10:19:45.000000000 -0400 @@ -0,0 +1,59 @@ +## Anti-Virus and Anti-Spam Filter + @@ -17890,27 +17874,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_search_spool($1) + manage_files_pattern($1, mailscanner_spool_t, mailscanner_spool_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.te serefpolicy-3.5.6/policy/modules/services/mailscanner.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.te serefpolicy-3.5.7/policy/modules/services/mailscanner.te --- nsaserefpolicy/policy/modules/services/mailscanner.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/services/mailscanner.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/mailscanner.te 2008-09-08 10:19:45.000000000 -0400 @@ -0,0 +1,5 @@ + +policy_module(mailscanner, 1.0.0) + +type mailscanner_spool_t; +files_type(mailscanner_spool_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.fc serefpolicy-3.5.6/policy/modules/services/memcached.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.fc serefpolicy-3.5.7/policy/modules/services/memcached.fc --- nsaserefpolicy/policy/modules/services/memcached.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/services/memcached.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/memcached.fc 2008-09-08 10:19:45.000000000 -0400 @@ -0,0 +1,5 @@ + +/usr/bin/memcached -- gen_context(system_u:object_r:memcached_exec_t,s0) + +/etc/rc\.d/init\.d/memcached -- gen_context(system_u:object_r:memcached_script_exec_t,s0) +/var/run/memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.if serefpolicy-3.5.6/policy/modules/services/memcached.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.if serefpolicy-3.5.7/policy/modules/services/memcached.if --- nsaserefpolicy/policy/modules/services/memcached.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/services/memcached.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/memcached.if 2008-09-08 10:19:45.000000000 -0400 @@ -0,0 +1,125 @@ + +## high-performance memory object caching system @@ -18037,9 +18021,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + memcached_manage_var_run($1) + +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.5.6/policy/modules/services/memcached.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.5.7/policy/modules/services/memcached.te --- nsaserefpolicy/policy/modules/services/memcached.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/services/memcached.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/memcached.te 2008-09-08 10:19:45.000000000 -0400 @@ -0,0 +1,52 @@ +policy_module(memcached,1.0.0) + @@ -18093,9 +18077,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +sysnet_dns_name_resolve(memcached_t) + +permissive memcached_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.5.6/policy/modules/services/mta.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.5.7/policy/modules/services/mta.fc --- nsaserefpolicy/policy/modules/services/mta.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/mta.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/mta.fc 2008-09-08 10:19:45.000000000 -0400 @@ -11,6 +11,7 @@ /usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) @@ -18112,9 +18096,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -#ifdef(`postfix.te', `', ` -#/var/spool/postfix(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) -#') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.5.6/policy/modules/services/mta.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.5.7/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/mta.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/mta.if 2008-09-08 10:19:45.000000000 -0400 @@ -133,6 +133,15 @@ sendmail_create_log($1_mail_t) ') @@ -18300,9 +18284,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete ## mail queue files. ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.5.6/policy/modules/services/mta.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.5.7/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/mta.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/mta.te 2008-09-08 10:19:45.000000000 -0400 @@ -6,6 +6,8 @@ # Declarations # @@ -18462,9 +18446,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` # why is mail delivered to a directory of type arpwatch_data_t? arpwatch_search_data(mailserver_delivery) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.5.6/policy/modules/services/munin.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.5.7/policy/modules/services/munin.fc --- nsaserefpolicy/policy/modules/services/munin.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/munin.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/munin.fc 2008-09-08 10:19:45.000000000 -0400 @@ -6,6 +6,9 @@ /usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0) @@ -18477,9 +18461,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) + +/etc/rc\.d/init\.d/munin-node -- gen_context(system_u:object_r:munin_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.5.6/policy/modules/services/munin.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.5.7/policy/modules/services/munin.if --- nsaserefpolicy/policy/modules/services/munin.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/munin.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/munin.if 2008-09-08 10:19:45.000000000 -0400 @@ -80,3 +80,105 @@ dontaudit $1 munin_var_lib_t:dir search_dir_perms; @@ -18586,9 +18570,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, httpd_munin_content_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.5.6/policy/modules/services/munin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.5.7/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/munin.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/munin.te 2008-09-08 10:19:45.000000000 -0400 @@ -25,26 +25,33 @@ type munin_var_run_t alias lrrd_var_run_t; files_pid_file(munin_var_run_t) @@ -18714,18 +18698,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) +manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.5.6/policy/modules/services/mysql.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.5.7/policy/modules/services/mysql.fc --- nsaserefpolicy/policy/modules/services/mysql.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/mysql.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/mysql.fc 2008-09-08 10:19:45.000000000 -0400 @@ -22,3 +22,5 @@ /var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0) /var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0) + +/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.5.6/policy/modules/services/mysql.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.5.7/policy/modules/services/mysql.if --- nsaserefpolicy/policy/modules/services/mysql.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/mysql.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/mysql.if 2008-09-08 10:19:45.000000000 -0400 @@ -53,9 +53,11 @@ interface(`mysql_stream_connect',` gen_require(` @@ -18810,9 +18794,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + admin_pattern($1, mysqld_tmp_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.5.6/policy/modules/services/mysql.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.5.7/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/mysql.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/mysql.te 2008-09-08 10:19:45.000000000 -0400 @@ -25,6 +25,9 @@ type mysqld_tmp_t; files_tmp_file(mysqld_tmp_t) @@ -18841,9 +18825,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(mysqld_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.5.6/policy/modules/services/nagios.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.5.7/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/nagios.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/nagios.fc 2008-09-08 10:19:45.000000000 -0400 @@ -4,13 +4,17 @@ /usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) /usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) @@ -18866,9 +18850,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_script_exec_t,s0) +/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_script_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.5.6/policy/modules/services/nagios.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.5.7/policy/modules/services/nagios.if --- nsaserefpolicy/policy/modules/services/nagios.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/nagios.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/nagios.if 2008-09-08 10:19:45.000000000 -0400 @@ -44,7 +44,7 @@ ######################################## @@ -18974,9 +18958,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + admin_pattern($1, nrpe_etc_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.5.6/policy/modules/services/nagios.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.5.7/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/nagios.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/nagios.te 2008-09-08 10:19:45.000000000 -0400 @@ -10,10 +10,6 @@ type nagios_exec_t; init_daemon_domain(nagios_t, nagios_exec_t) @@ -19079,9 +19063,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.5.6/policy/modules/services/networkmanager.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.5.7/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/networkmanager.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/networkmanager.fc 2008-09-08 10:19:45.000000000 -0400 @@ -1,7 +1,13 @@ /usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) /usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) @@ -19096,9 +19080,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/var/log/wpa_supplicant\.log.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) +/etc/NetworkManager/dispatcher.d(/.*) gen_context(system_u:object_r:NetworkManager_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.5.6/policy/modules/services/networkmanager.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.5.7/policy/modules/services/networkmanager.if --- nsaserefpolicy/policy/modules/services/networkmanager.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/networkmanager.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/networkmanager.if 2008-09-08 10:19:45.000000000 -0400 @@ -97,3 +97,58 @@ allow $1 NetworkManager_t:dbus send_msg; allow NetworkManager_t $1:dbus send_msg; @@ -19158,9 +19142,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_search_pids($1) + allow $1 NetworkManager_var_run_t:file read_file_perms; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.6/policy/modules/services/networkmanager.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.7/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/networkmanager.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/networkmanager.te 2008-09-08 10:19:45.000000000 -0400 @@ -10,9 +10,16 @@ type NetworkManager_exec_t; init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) @@ -19305,9 +19289,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.5.6/policy/modules/services/nis.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.5.7/policy/modules/services/nis.fc --- nsaserefpolicy/policy/modules/services/nis.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/nis.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/nis.fc 2008-09-08 10:19:45.000000000 -0400 @@ -4,9 +4,14 @@ /sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) @@ -19323,9 +19307,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/rc\.d/init\.d/yppasswd -- gen_context(system_u:object_r:nis_script_exec_t,s0) +/etc/rc\.d/init\.d/ypserv -- gen_context(system_u:object_r:nis_script_exec_t,s0) +/etc/rc\.d/init\.d/ypxfrd -- gen_context(system_u:object_r:nis_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.5.6/policy/modules/services/nis.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.5.7/policy/modules/services/nis.if --- nsaserefpolicy/policy/modules/services/nis.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/nis.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/nis.if 2008-09-08 10:19:45.000000000 -0400 @@ -28,7 +28,7 @@ type var_yp_t; ') @@ -19462,9 +19446,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.5.6/policy/modules/services/nis.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.5.7/policy/modules/services/nis.te --- nsaserefpolicy/policy/modules/services/nis.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/nis.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/nis.te 2008-09-08 10:19:45.000000000 -0400 @@ -44,6 +44,9 @@ type ypxfr_exec_t; init_daemon_domain(ypxfr_t, ypxfr_exec_t) @@ -19533,18 +19517,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t) corenet_tcp_connect_all_ports(ypxfr_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.5.6/policy/modules/services/nscd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.5.7/policy/modules/services/nscd.fc --- nsaserefpolicy/policy/modules/services/nscd.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/nscd.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/nscd.fc 2008-09-08 10:19:45.000000000 -0400 @@ -9,3 +9,5 @@ /var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0) /var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) + +/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.5.6/policy/modules/services/nscd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.5.7/policy/modules/services/nscd.if --- nsaserefpolicy/policy/modules/services/nscd.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/nscd.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/nscd.if 2008-09-08 10:19:45.000000000 -0400 @@ -70,15 +70,14 @@ interface(`nscd_socket_use',` gen_require(` @@ -19630,9 +19614,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, nscd_var_run_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.5.6/policy/modules/services/nscd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.5.7/policy/modules/services/nscd.te --- nsaserefpolicy/policy/modules/services/nscd.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/nscd.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/nscd.te 2008-09-08 10:19:45.000000000 -0400 @@ -23,19 +23,22 @@ type nscd_log_t; logging_log_file(nscd_log_t) @@ -19728,9 +19712,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + samba_read_config(nscd_t) + samba_read_var_files(nscd_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.fc serefpolicy-3.5.6/policy/modules/services/ntp.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.fc serefpolicy-3.5.7/policy/modules/services/ntp.fc --- nsaserefpolicy/policy/modules/services/ntp.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/ntp.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/ntp.fc 2008-09-08 10:19:45.000000000 -0400 @@ -17,3 +17,8 @@ /var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0) @@ -19740,9 +19724,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0) + +/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.5.6/policy/modules/services/ntp.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.5.7/policy/modules/services/ntp.if --- nsaserefpolicy/policy/modules/services/ntp.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/ntp.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/ntp.if 2008-09-08 10:19:45.000000000 -0400 @@ -53,3 +53,72 @@ corecmd_search_bin($1) domtrans_pattern($1, ntpdate_exec_t, ntpd_t) @@ -19816,9 +19800,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, ntp_var_run_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.5.6/policy/modules/services/ntp.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.5.7/policy/modules/services/ntp.te --- nsaserefpolicy/policy/modules/services/ntp.te 2008-08-25 09:12:31.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/ntp.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/ntp.te 2008-09-08 10:19:45.000000000 -0400 @@ -25,6 +25,12 @@ type ntpdate_exec_t; init_system_domain(ntpd_t, ntpdate_exec_t) @@ -19889,18 +19873,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logrotate_exec(ntpd_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.5.6/policy/modules/services/oddjob.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.5.7/policy/modules/services/oddjob.fc --- nsaserefpolicy/policy/modules/services/oddjob.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/oddjob.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/oddjob.fc 2008-09-08 10:19:45.000000000 -0400 @@ -1,4 +1,4 @@ -/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) +/usr/lib(64)?/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) /usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.5.6/policy/modules/services/oddjob.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.5.7/policy/modules/services/oddjob.if --- nsaserefpolicy/policy/modules/services/oddjob.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/oddjob.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/oddjob.if 2008-09-08 10:19:45.000000000 -0400 @@ -44,6 +44,7 @@ ') @@ -19944,9 +19928,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + role $2 types oddjob_mkhomedir_t; + dontaudit oddjob_mkhomedir_t $3:chr_file rw_term_perms; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.5.6/policy/modules/services/oddjob.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.5.7/policy/modules/services/oddjob.te --- nsaserefpolicy/policy/modules/services/oddjob.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/oddjob.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/oddjob.te 2008-09-08 10:19:45.000000000 -0400 @@ -10,14 +10,21 @@ type oddjob_exec_t; domain_type(oddjob_t) @@ -20006,9 +19990,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Add/remove user home directories unprivuser_home_filetrans_home_dir(oddjob_mkhomedir_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.fc serefpolicy-3.5.6/policy/modules/services/openvpn.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.fc serefpolicy-3.5.7/policy/modules/services/openvpn.fc --- nsaserefpolicy/policy/modules/services/openvpn.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/openvpn.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/openvpn.fc 2008-09-08 10:19:45.000000000 -0400 @@ -11,5 +11,7 @@ # # /var @@ -20018,9 +20002,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0) + +/etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.if serefpolicy-3.5.6/policy/modules/services/openvpn.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.if serefpolicy-3.5.7/policy/modules/services/openvpn.if --- nsaserefpolicy/policy/modules/services/openvpn.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/openvpn.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/openvpn.if 2008-09-08 10:19:45.000000000 -0400 @@ -90,3 +90,74 @@ read_files_pattern($1, openvpn_etc_t, openvpn_etc_t) read_lnk_files_pattern($1, openvpn_etc_t, openvpn_etc_t) @@ -20096,9 +20080,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.5.6/policy/modules/services/openvpn.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.5.7/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/openvpn.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/openvpn.te 2008-09-08 10:19:45.000000000 -0400 @@ -8,7 +8,7 @@ ## @@ -20163,9 +20147,109 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + unconfined_use_terminals(openvpn_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.5.6/policy/modules/services/pcscd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.fc serefpolicy-3.5.7/policy/modules/services/pads.fc +--- nsaserefpolicy/policy/modules/services/pads.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.7/policy/modules/services/pads.fc 2008-09-08 16:03:15.000000000 -0400 +@@ -0,0 +1,12 @@ ++ ++/etc/pads-ether-codes -- gen_context(system_u:object_r:pads_config_t, s0) ++/etc/pads-signature-list -- gen_context(system_u:object_r:pads_config_t, s0) ++/etc/pads.conf -- gen_context(system_u:object_r:pads_config_t, s0) ++/etc/pads-assets.csv -- gen_context(system_u:object_r:pads_config_t, s0) ++ ++/etc/rc\.d/init\.d/pads -- gen_context(system_u:object_r:pads_script_exec_t, s0) ++ ++/usr/bin/pads -- gen_context(system_u:object_r:pads_exec_t, s0) ++ ++/var/run/pads.pid -- gen_context(system_u:object_r:pads_var_run_t, s0) ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.if serefpolicy-3.5.7/policy/modules/services/pads.if +--- nsaserefpolicy/policy/modules/services/pads.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.7/policy/modules/services/pads.if 2008-09-08 16:03:15.000000000 -0400 +@@ -0,0 +1,10 @@ ++## SELinux policy for PADS daemon. ++## ++##

++## PADS is a libpcap based detection engine used to ++## passively detect network assets. It is designed to ++## complement IDS technology by providing context to IDS ++## alerts. ++##

++## ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.te serefpolicy-3.5.7/policy/modules/services/pads.te +--- nsaserefpolicy/policy/modules/services/pads.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.7/policy/modules/services/pads.te 2008-09-08 16:03:15.000000000 -0400 +@@ -0,0 +1,66 @@ ++ ++policy_module(pads, 0.0.1) ++ ++######################################## ++# ++# Declarations ++# ++ ++type pads_t; ++type pads_exec_t; ++init_daemon_domain(pads_t, pads_exec_t) ++role system_r types pads_t; ++ ++type pads_script_exec_t; ++init_script_type(pads_script_exec_t) ++ ++type pads_config_t; ++files_config_file(pads_config_t) ++ ++type pads_var_run_t; ++files_pid_file(pads_var_run_t) ++ ++######################################## ++# ++# Declarations ++# ++ ++allow pads_t self:capability net_raw; ++allow pads_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; ++allow pads_t self:packet_socket { ioctl setopt getopt read bind create }; ++allow pads_t self:udp_socket { create ioctl }; ++allow pads_t self:unix_dgram_socket { write create connect }; ++ ++allow pads_t pads_config_t:file manage_file_perms; ++files_etc_filetrans(pads_t, pads_config_t, file) ++ ++allow pads_t pads_var_run_t:file manage_file_perms; ++files_pid_filetrans(pads_t, pads_var_run_t, file) ++ ++corecmd_search_sbin(pads_t) ++ ++corenet_all_recvfrom_unlabeled(pads_t) ++corenet_all_recvfrom_netlabel(pads_t) ++corenet_tcp_sendrecv_all_if(pads_t) ++corenet_tcp_sendrecv_all_nodes(pads_t) ++ ++corenet_tcp_connect_prelude_port(pads_t) ++ ++dev_read_rand(pads_t) ++dev_read_urand(pads_t) ++ ++files_read_etc_files(pads_t) ++files_search_spool(pads_t) ++ ++libs_use_ld_so(pads_t) ++libs_use_shared_libs(pads_t) ++ ++miscfiles_read_localization(pads_t) ++ ++logging_send_syslog_msg(pads_t) ++ ++sysnet_dns_name_resolve(pads_t) ++ ++optional_policy(` ++ prelude_rw_spool(pads_t) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.5.7/policy/modules/services/pcscd.te --- nsaserefpolicy/policy/modules/services/pcscd.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/pcscd.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/pcscd.te 2008-09-08 10:19:45.000000000 -0400 @@ -10,6 +10,7 @@ type pcscd_exec_t; domain_type(pcscd_t) @@ -20185,9 +20269,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol openct_stream_connect(pcscd_t) openct_read_pid_files(pcscd_t) openct_signull(pcscd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.5.6/policy/modules/services/pegasus.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.5.7/policy/modules/services/pegasus.te --- nsaserefpolicy/policy/modules/services/pegasus.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/pegasus.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/pegasus.te 2008-09-08 10:19:45.000000000 -0400 @@ -96,13 +96,12 @@ auth_use_nsswitch(pegasus_t) @@ -20212,9 +20296,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol sysnet_domtrans_ifconfig(pegasus_t) userdom_dontaudit_use_unpriv_user_fds(pegasus_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.5.6/policy/modules/services/polkit.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.5.7/policy/modules/services/polkit.fc --- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/services/polkit.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/polkit.fc 2008-09-08 10:19:45.000000000 -0400 @@ -0,0 +1,9 @@ + +/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0) @@ -20225,9 +20309,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) +/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_run_t,s0) +/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.5.6/policy/modules/services/polkit.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.5.7/policy/modules/services/polkit.if --- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/services/polkit.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/polkit.if 2008-09-08 10:19:45.000000000 -0400 @@ -0,0 +1,212 @@ + +## policy for polkit_auth @@ -20441,9 +20525,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + polkit_read_lib($2) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.5.6/policy/modules/services/polkit.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.5.7/policy/modules/services/polkit.te --- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.6/policy/modules/services/polkit.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/polkit.te 2008-09-08 10:19:45.000000000 -0400 @@ -0,0 +1,231 @@ +policy_module(polkit_auth, 1.0.0) + @@ -20676,9 +20760,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + unconfined_ptrace(polkit_resolve_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.5.6/policy/modules/services/postfix.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portmap.te serefpolicy-3.5.7/policy/modules/services/portmap.te +--- nsaserefpolicy/policy/modules/services/portmap.te 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/portmap.te 2008-09-08 10:19:45.000000000 -0400 +@@ -41,6 +41,7 @@ + manage_files_pattern(portmap_t, portmap_var_run_t, portmap_var_run_t) + files_pid_filetrans(portmap_t, portmap_var_run_t, file) + ++kernel_read_system_state(portmap_t) + kernel_read_kernel_sysctls(portmap_t) + kernel_list_proc(portmap_t) + kernel_read_proc_symlinks(portmap_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.5.7/policy/modules/services/postfix.fc --- nsaserefpolicy/policy/modules/services/postfix.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/postfix.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/postfix.fc 2008-09-08 10:19:45.000000000 -0400 @@ -29,12 +29,10 @@ /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) @@ -20703,9 +20798,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/spool/postfix(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0) /var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) /var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.5.6/policy/modules/services/postfix.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.5.7/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/postfix.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/postfix.if 2008-09-08 10:19:45.000000000 -0400 @@ -211,9 +211,8 @@ type postfix_etc_t; ') @@ -20803,9 +20898,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.5.6/policy/modules/services/postfix.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.5.7/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/postfix.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/postfix.te 2008-09-08 10:19:45.000000000 -0400 @@ -6,6 +6,14 @@ # Declarations # @@ -21069,18 +21164,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_shell(postfix_virtual_t) corecmd_exec_bin(postfix_virtual_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.fc serefpolicy-3.5.6/policy/modules/services/postfixpolicyd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.fc serefpolicy-3.5.7/policy/modules/services/postfixpolicyd.fc --- nsaserefpolicy/policy/modules/services/postfixpolicyd.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/postfixpolicyd.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/postfixpolicyd.fc 2008-09-08 10:19:45.000000000 -0400 @@ -3,3 +3,5 @@ /usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t, s0) /var/run/policyd\.pid -- gen_context(system_u:object_r:postfix_policyd_var_run_t, s0) + +/etc/rc\.d/init\.d/postfixpolicyd -- gen_context(system_u:object_r:postfixpolicyd_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.if serefpolicy-3.5.6/policy/modules/services/postfixpolicyd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.if serefpolicy-3.5.7/policy/modules/services/postfixpolicyd.if --- nsaserefpolicy/policy/modules/services/postfixpolicyd.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/postfixpolicyd.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/postfixpolicyd.if 2008-09-08 10:19:45.000000000 -0400 @@ -1 +1,68 @@ ## Postfix policy server + @@ -21150,9 +21245,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.te serefpolicy-3.5.6/policy/modules/services/postfixpolicyd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.te serefpolicy-3.5.7/policy/modules/services/postfixpolicyd.te --- nsaserefpolicy/policy/modules/services/postfixpolicyd.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/postfixpolicyd.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/postfixpolicyd.te 2008-09-08 10:19:45.000000000 -0400 @@ -16,6 +16,9 @@ type postfix_policyd_var_run_t; files_pid_file(postfix_policyd_var_run_t) @@ -21163,9 +21258,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Local Policy -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.5.6/policy/modules/services/postgresql.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.5.7/policy/modules/services/postgresql.fc --- nsaserefpolicy/policy/modules/services/postgresql.fc 2008-08-14 13:08:27.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/postgresql.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/postgresql.fc 2008-09-08 10:19:45.000000000 -0400 @@ -28,13 +28,13 @@ /var/lib/postgres(ql)?(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) @@ -21187,9 +21282,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0) + +/etc/rc\.d/init\.d/postgresql -- gen_context(system_u:object_r:postgresql_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.5.6/policy/modules/services/postgresql.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.5.7/policy/modules/services/postgresql.if --- nsaserefpolicy/policy/modules/services/postgresql.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/postgresql.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/postgresql.if 2008-09-08 10:19:45.000000000 -0400 @@ -372,3 +372,70 @@ typeattribute $1 sepgsql_unconfined_type; @@ -21261,9 +21356,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + admin_pattern($1, postgresql_tmp_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.5.6/policy/modules/services/postgresql.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.5.7/policy/modules/services/postgresql.te --- nsaserefpolicy/policy/modules/services/postgresql.te 2008-08-14 13:08:27.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/postgresql.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/postgresql.te 2008-09-08 16:03:15.000000000 -0400 @@ -44,6 +44,9 @@ type postgresql_var_run_t; files_pid_file(postgresql_var_run_t) @@ -21274,6 +21369,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # database clients attribute attribute sepgsql_client_type; attribute sepgsql_unconfined_type; +@@ -159,7 +162,7 @@ + + manage_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) + manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) +-files_pid_filetrans(postgresql_t, postgresql_var_run_t, file) ++files_pid_filetrans(postgresql_t, postgresql_var_run_t, { file sock_file }) + + kernel_read_kernel_sysctls(postgresql_t) + kernel_read_system_state(postgresql_t) @@ -289,7 +292,7 @@ allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select }; @@ -21292,9 +21396,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto }; allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.fc serefpolicy-3.5.6/policy/modules/services/postgrey.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.fc serefpolicy-3.5.7/policy/modules/services/postgrey.fc --- nsaserefpolicy/policy/modules/services/postgrey.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/postgrey.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/postgrey.fc 2008-09-08 10:19:45.000000000 -0400 @@ -7,3 +7,7 @@ /var/run/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_run_t,s0) @@ -21303,9 +21407,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/rc\.d/init\.d/postgrey -- gen_context(system_u:object_r:postgrey_script_exec_t,s0) + +/var/spool/postfix/postgrey(/.*)? gen_context(system_u:object_r:postgrey_spool_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.if serefpolicy-3.5.6/policy/modules/services/postgrey.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.if serefpolicy-3.5.7/policy/modules/services/postgrey.if --- nsaserefpolicy/policy/modules/services/postgrey.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/postgrey.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/postgrey.if 2008-09-08 10:19:45.000000000 -0400 @@ -12,10 +12,80 @@ # interface(`postgrey_stream_connect',` @@ -21388,9 +21492,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.te serefpolicy-3.5.6/policy/modules/services/postgrey.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.te serefpolicy-3.5.7/policy/modules/services/postgrey.te --- nsaserefpolicy/policy/modules/services/postgrey.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/postgrey.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/postgrey.te 2008-09-08 10:19:45.000000000 -0400 @@ -13,26 +13,38 @@ type postgrey_etc_t; files_config_file(postgrey_etc_t) @@ -21443,18 +21547,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(postgrey_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.5.6/policy/modules/services/ppp.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.5.7/policy/modules/services/ppp.fc --- nsaserefpolicy/policy/modules/services/ppp.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/ppp.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/ppp.fc 2008-09-08 10:19:45.000000000 -0400 @@ -33,3 +33,5 @@ /var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0) /var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0) + +/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.5.6/policy/modules/services/ppp.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.5.7/policy/modules/services/ppp.if --- nsaserefpolicy/policy/modules/services/ppp.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/ppp.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/ppp.if 2008-09-08 10:19:45.000000000 -0400 @@ -76,6 +76,24 @@ ######################################## @@ -21526,9 +21630,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - manage_files_pattern($1, pptp_var_run_t, pptp_var_run_t) + admin_pattern($1, pptp_var_run_t, pptp_var_run_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.5.6/policy/modules/services/ppp.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.5.7/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/ppp.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/ppp.te 2008-09-08 10:19:45.000000000 -0400 @@ -71,7 +71,7 @@ # PPPD Local policy # @@ -21575,10 +21679,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hostname_exec(pptp_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.fc serefpolicy-3.5.6/policy/modules/services/prelude.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.fc serefpolicy-3.5.7/policy/modules/services/prelude.fc --- nsaserefpolicy/policy/modules/services/prelude.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/prelude.fc 2008-09-03 15:55:22.000000000 -0400 -@@ -5,7 +5,16 @@ ++++ serefpolicy-3.5.7/policy/modules/services/prelude.fc 2008-09-08 16:03:15.000000000 -0400 +@@ -5,7 +5,20 @@ /var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0) @@ -21592,12 +21696,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0) +/var/run/prelude-lml.pid -- gen_context(system_u:object_r:prelude_lml_var_run_t,s0) + ++/etc/rc\.d/init\.d/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_script_exec_t, s0) +/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_lml_script_exec_t,s0) +/etc/rc\.d/init\.d/prelude-manager -- gen_context(system_u:object_r:prelude_script_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.5.6/policy/modules/services/prelude.if ++/etc/prelude-correlator(/.*)? gen_context(system_u:object_r:prelude_correlator_config_t, s0) ++/usr/bin/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_exec_t, s0) ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.5.7/policy/modules/services/prelude.if --- nsaserefpolicy/policy/modules/services/prelude.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/prelude.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/prelude.if 2008-09-08 10:19:45.000000000 -0400 @@ -6,7 +6,7 @@ ## ## @@ -21757,10 +21865,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, prelude_lml_tmp_t) + admin_pattern($1, prelude_lml_var_run_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.5.6/policy/modules/services/prelude.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.5.7/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/prelude.te 2008-09-03 15:55:22.000000000 -0400 -@@ -13,18 +13,40 @@ ++++ serefpolicy-3.5.7/policy/modules/services/prelude.te 2008-09-08 16:37:38.000000000 -0400 +@@ -13,18 +13,56 @@ type prelude_spool_t; files_type(prelude_spool_t) @@ -21798,10 +21906,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +type prelude_lml_tmp_t; +files_tmp_file(prelude_lml_tmp_t) ++ ++######################################## ++# ++# prelude_correlator declarations ++# ++ ++type prelude_correlator_t; ++type prelude_correlator_exec_t; ++init_daemon_domain(prelude_correlator_t, prelude_correlator_exec_t) ++role system_r types prelude_correlator_t; ++ ++type prelude_correlator_script_exec_t; ++init_script_file(prelude_correlator_script_exec_t) ++ ++type prelude_correlator_config_t; ++files_config_file(prelude_correlator_config_t) ######################################## # -@@ -49,6 +71,9 @@ +@@ -49,6 +87,9 @@ manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) files_pid_filetrans(prelude_t, prelude_var_run_t, file) @@ -21811,7 +21935,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_search_bin(prelude_t) corenet_all_recvfrom_unlabeled(prelude_t) -@@ -56,6 +81,9 @@ +@@ -56,6 +97,9 @@ corenet_tcp_sendrecv_all_if(prelude_t) corenet_tcp_sendrecv_all_nodes(prelude_t) corenet_tcp_bind_all_nodes(prelude_t) @@ -21821,17 +21945,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_rand(prelude_t) dev_read_urand(prelude_t) -@@ -65,6 +93,9 @@ +@@ -65,6 +109,11 @@ files_read_etc_files(prelude_t) files_read_usr_files(prelude_t) +files_search_tmp(prelude_t) + ++files_search_tmp(prelude_t) ++ +fs_rw_anon_inodefs_files(prelude_t) auth_use_nsswitch(prelude_t) -@@ -110,6 +141,7 @@ +@@ -110,6 +159,7 @@ corenet_tcp_sendrecv_all_if(prelude_audisp_t) corenet_tcp_sendrecv_all_nodes(prelude_audisp_t) corenet_tcp_bind_all_nodes(prelude_audisp_t) @@ -21839,7 +21965,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_rand(prelude_audisp_t) dev_read_urand(prelude_audisp_t) -@@ -123,9 +155,84 @@ +@@ -123,9 +173,119 @@ libs_use_shared_libs(prelude_audisp_t) logging_send_syslog_msg(prelude_audisp_t) @@ -21851,11 +21977,47 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +# ++# prelude_correlator local policy ++# ++ ++allow prelude_correlator_t self:netlink_route_socket r_netlink_socket_perms; ++allow prelude_correlator_t self:tcp_socket create_stream_socket_perms; ++allow prelude_correlator_t self:unix_dgram_socket create_socket_perms; ++ ++read_files_pattern(prelude_correlator_t, prelude_correlator_config_t, prelude_correlator_config_t) ++ ++prelude_manage_spool(prelude_correlator_t) ++ ++corecmd_search_sbin(prelude_correlator_t) ++ ++corenet_all_recvfrom_unlabeled(prelude_correlator_t) ++corenet_all_recvfrom_netlabel(prelude_correlator_t) ++corenet_tcp_sendrecv_all_if(prelude_correlator_t) ++corenet_tcp_sendrecv_all_nodes(prelude_correlator_t) ++corenet_tcp_connect_prelude_port(prelude_correlator_t) ++ ++dev_read_rand(prelude_correlator_t) ++dev_read_urand(prelude_correlator_t) ++ ++files_read_etc_files(prelude_correlator_t) ++files_read_usr_files(prelude_correlator_t) ++files_search_spool(prelude_correlator_t) ++ ++libs_use_ld_so(prelude_correlator_t) ++libs_use_shared_libs(prelude_correlator_t) ++ ++logging_send_syslog_msg(prelude_correlator_t) ++ ++miscfiles_read_localization(prelude_correlator_t) ++ ++sysnet_dns_name_resolve(prelude_correlator_t) ++ ++######################################## ++# +# prelude_lml local declarations +# + +# Init script handling -+# Test me +domain_use_interactive_fds(prelude_lml_t) + +allow prelude_lml_t self:tcp_socket { write getattr setopt read create connect }; @@ -21913,9 +22075,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +miscfiles_read_localization(prelude_lml_t) + -+optional_policy(` -+ gamin_exec(prelude_lml_t) -+') ++# if prelude_lml wants to relay to a remote prelude-manager using dns ++sysnet_dns_name_resolve(prelude_lml_t) + +optional_policy(` + apache_read_log(prelude_lml_t) @@ -21924,7 +22085,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # prewikka_cgi Declarations -@@ -133,8 +240,19 @@ +@@ -133,8 +293,19 @@ optional_policy(` apache_content_template(prewikka) @@ -21944,9 +22105,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` mysql_search_db(httpd_prewikka_script_t) mysql_stream_connect(httpd_prewikka_script_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.fc serefpolicy-3.5.6/policy/modules/services/privoxy.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.fc serefpolicy-3.5.7/policy/modules/services/privoxy.fc --- nsaserefpolicy/policy/modules/services/privoxy.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/privoxy.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/privoxy.fc 2008-09-08 10:19:45.000000000 -0400 @@ -1,6 +1,10 @@ /etc/privoxy/user\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0) @@ -21958,9 +22119,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/etc/rc\.d/init\.d/privoxy -- gen_context(system_u:object_r:privoxy_script_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.if serefpolicy-3.5.6/policy/modules/services/privoxy.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.if serefpolicy-3.5.7/policy/modules/services/privoxy.if --- nsaserefpolicy/policy/modules/services/privoxy.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/privoxy.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/privoxy.if 2008-09-08 10:19:45.000000000 -0400 @@ -2,6 +2,25 @@ ######################################## @@ -22015,9 +22176,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - manage_files_pattern($1, privoxy_var_run_t, privoxy_var_run_t) + admin_pattern($1, privoxy_var_run_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.5.6/policy/modules/services/privoxy.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.5.7/policy/modules/services/privoxy.te --- nsaserefpolicy/policy/modules/services/privoxy.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/privoxy.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/privoxy.te 2008-09-08 10:19:45.000000000 -0400 @@ -19,6 +19,9 @@ type privoxy_var_run_t; files_pid_file(privoxy_var_run_t) @@ -22036,18 +22197,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_connect_tor_port(privoxy_t) corenet_sendrecv_http_cache_client_packets(privoxy_t) corenet_sendrecv_http_cache_server_packets(privoxy_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.fc serefpolicy-3.5.6/policy/modules/services/procmail.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.fc serefpolicy-3.5.7/policy/modules/services/procmail.fc --- nsaserefpolicy/policy/modules/services/procmail.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/procmail.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/procmail.fc 2008-09-08 10:19:45.000000000 -0400 @@ -1,2 +1,5 @@ /usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0) + +/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0) +/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.if serefpolicy-3.5.6/policy/modules/services/procmail.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.if serefpolicy-3.5.7/policy/modules/services/procmail.if --- nsaserefpolicy/policy/modules/services/procmail.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/procmail.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/procmail.if 2008-09-08 10:19:45.000000000 -0400 @@ -39,3 +39,41 @@ corecmd_search_bin($1) can_exec($1, procmail_exec_t) @@ -22090,9 +22251,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_search_tmp($1) + rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.5.6/policy/modules/services/procmail.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.5.7/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/procmail.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/procmail.te 2008-09-08 10:19:45.000000000 -0400 @@ -14,6 +14,10 @@ type procmail_tmp_t; files_tmp_file(procmail_tmp_t) @@ -22170,9 +22331,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + mailscanner_read_spool(procmail_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.5.6/policy/modules/services/pyzor.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.5.7/policy/modules/services/pyzor.fc --- nsaserefpolicy/policy/modules/services/pyzor.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/pyzor.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/pyzor.fc 2008-09-08 10:19:45.000000000 -0400 @@ -1,9 +1,12 @@ /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) @@ -22187,9 +22348,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/log/pyzord\.log -- gen_context(system_u:object_r:pyzord_log_t,s0) + +/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.5.6/policy/modules/services/pyzor.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.5.7/policy/modules/services/pyzor.if --- nsaserefpolicy/policy/modules/services/pyzor.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/pyzor.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/pyzor.if 2008-09-08 10:19:45.000000000 -0400 @@ -25,16 +25,16 @@ # template(`pyzor_per_role_template',` @@ -22293,9 +22454,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.5.6/policy/modules/services/pyzor.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.5.7/policy/modules/services/pyzor.te --- nsaserefpolicy/policy/modules/services/pyzor.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/pyzor.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/pyzor.te 2008-09-08 10:19:45.000000000 -0400 @@ -6,6 +6,37 @@ # Declarations # @@ -22381,9 +22542,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmail.te serefpolicy-3.5.6/policy/modules/services/qmail.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmail.te serefpolicy-3.5.7/policy/modules/services/qmail.te --- nsaserefpolicy/policy/modules/services/qmail.te 2008-08-11 11:23:34.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/qmail.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/qmail.te 2008-09-08 10:19:45.000000000 -0400 @@ -124,6 +124,10 @@ qmail_domtrans_queue(qmail_local_t) @@ -22406,18 +22567,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ucspitcp_service_domain(qmail_smtpd_t, qmail_smtpd_exec_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.fc serefpolicy-3.5.6/policy/modules/services/radius.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.fc serefpolicy-3.5.7/policy/modules/services/radius.fc --- nsaserefpolicy/policy/modules/services/radius.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/radius.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/radius.fc 2008-09-08 10:19:45.000000000 -0400 @@ -20,3 +20,5 @@ /var/run/radiusd(/.*)? gen_context(system_u:object_r:radiusd_var_run_t,s0) /var/run/radiusd\.pid -- gen_context(system_u:object_r:radiusd_var_run_t,s0) + +/etc/rc\.d/init\.d/radiusd -- gen_context(system_u:object_r:radius_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.if serefpolicy-3.5.6/policy/modules/services/radius.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.if serefpolicy-3.5.7/policy/modules/services/radius.if --- nsaserefpolicy/policy/modules/services/radius.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/radius.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/radius.if 2008-09-08 10:19:45.000000000 -0400 @@ -16,6 +16,25 @@ ######################################## @@ -22479,9 +22640,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - manage_files_pattern($1, radiusd_var_run_t, radiusd_var_run_t) + admin_pattern($1, radiusd_var_run_t, radiusd_var_run_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.5.6/policy/modules/services/radius.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.5.7/policy/modules/services/radius.te --- nsaserefpolicy/policy/modules/services/radius.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/radius.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/radius.te 2008-09-08 10:19:45.000000000 -0400 @@ -25,6 +25,9 @@ type radiusd_var_run_t; files_pid_file(radiusd_var_run_t) @@ -22554,17 +22715,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.fc serefpolicy-3.5.6/policy/modules/services/radvd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.fc serefpolicy-3.5.7/policy/modules/services/radvd.fc --- nsaserefpolicy/policy/modules/services/radvd.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/radvd.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/radvd.fc 2008-09-08 10:19:45.000000000 -0400 @@ -5,3 +5,4 @@ /var/run/radvd\.pid -- gen_context(system_u:object_r:radvd_var_run_t,s0) /var/run/radvd(/.*)? gen_context(system_u:object_r:radvd_var_run_t,s0) +/etc/rc\.d/init\.d/radvd -- gen_context(system_u:object_r:radvd_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.if serefpolicy-3.5.6/policy/modules/services/radvd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.if serefpolicy-3.5.7/policy/modules/services/radvd.if --- nsaserefpolicy/policy/modules/services/radvd.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/radvd.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/radvd.if 2008-09-08 10:19:45.000000000 -0400 @@ -2,6 +2,25 @@ ######################################## @@ -22615,9 +22776,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - manage_files_pattern($1, radvd_var_run_t, radvd_var_run_t) + admin_pattern($1, radvd_var_run_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.5.6/policy/modules/services/radvd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.5.7/policy/modules/services/radvd.te --- nsaserefpolicy/policy/modules/services/radvd.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/radvd.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/radvd.te 2008-09-08 10:19:45.000000000 -0400 @@ -15,6 +15,9 @@ type radvd_etc_t; files_config_file(radvd_etc_t) @@ -22636,18 +22797,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow radvd_t radvd_etc_t:file read_file_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.5.6/policy/modules/services/razor.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.5.7/policy/modules/services/razor.fc --- nsaserefpolicy/policy/modules/services/razor.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/razor.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/razor.fc 2008-09-08 10:19:45.000000000 -0400 @@ -1,4 +1,4 @@ -HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:ROLE_razor_home_t,s0) +HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) /etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.5.6/policy/modules/services/razor.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.5.7/policy/modules/services/razor.if --- nsaserefpolicy/policy/modules/services/razor.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/razor.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/razor.if 2008-09-08 10:19:45.000000000 -0400 @@ -137,6 +137,7 @@ template(`razor_per_role_template',` gen_require(` @@ -22767,9 +22928,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + read_files_pattern($1, razor_var_lib_t, razor_var_lib_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.5.6/policy/modules/services/razor.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.5.7/policy/modules/services/razor.te --- nsaserefpolicy/policy/modules/services/razor.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/razor.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/razor.te 2008-09-08 10:19:45.000000000 -0400 @@ -6,21 +6,51 @@ # Declarations # @@ -22825,9 +22986,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol razor_common_domain_template(razor) ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.5.6/policy/modules/services/ricci.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.5.7/policy/modules/services/ricci.te --- nsaserefpolicy/policy/modules/services/ricci.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/ricci.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/ricci.te 2008-09-08 10:19:45.000000000 -0400 @@ -205,7 +205,7 @@ corecmd_exec_shell(ricci_modcluster_t) corecmd_exec_bin(ricci_modcluster_t) @@ -22864,9 +23025,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol #Needed for editing /etc/fstab files_manage_etc_files(ricci_modstorage_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.5.6/policy/modules/services/rlogin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.5.7/policy/modules/services/rlogin.te --- nsaserefpolicy/policy/modules/services/rlogin.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/rlogin.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/rlogin.te 2008-09-08 10:19:45.000000000 -0400 @@ -94,8 +94,8 @@ remotelogin_signal(rlogind_t) @@ -22878,18 +23039,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roundup.fc serefpolicy-3.5.6/policy/modules/services/roundup.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roundup.fc serefpolicy-3.5.7/policy/modules/services/roundup.fc --- nsaserefpolicy/policy/modules/services/roundup.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/roundup.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/roundup.fc 2008-09-08 10:19:45.000000000 -0400 @@ -7,3 +7,5 @@ # /var # /var/lib/roundup(/.*)? -- gen_context(system_u:object_r:roundup_var_lib_t,s0) + +/etc/rc\.d/init\.d/roundup -- gen_context(system_u:object_r:roundup_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roundup.if serefpolicy-3.5.6/policy/modules/services/roundup.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roundup.if serefpolicy-3.5.7/policy/modules/services/roundup.if --- nsaserefpolicy/policy/modules/services/roundup.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/roundup.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/roundup.if 2008-09-08 10:19:45.000000000 -0400 @@ -1 +1,66 @@ ## Roundup Issue Tracking System policy + @@ -22957,9 +23118,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_list_pids($1) + admin_pattern($1, roundup_var_run_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roundup.te serefpolicy-3.5.6/policy/modules/services/roundup.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roundup.te serefpolicy-3.5.7/policy/modules/services/roundup.te --- nsaserefpolicy/policy/modules/services/roundup.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/roundup.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/roundup.te 2008-09-08 10:19:45.000000000 -0400 @@ -16,6 +16,9 @@ type roundup_var_lib_t; files_type(roundup_var_lib_t) @@ -22970,9 +23131,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Local policy -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.5.6/policy/modules/services/rpc.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.5.7/policy/modules/services/rpc.if --- nsaserefpolicy/policy/modules/services/rpc.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/rpc.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/rpc.if 2008-09-08 10:19:45.000000000 -0400 @@ -88,8 +88,11 @@ # bind to arbitary unused ports corenet_tcp_bind_generic_port($1_t) @@ -23011,9 +23172,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read NFS exported content. ## ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.5.6/policy/modules/services/rpc.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.5.7/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2008-08-14 13:08:27.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/rpc.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/rpc.te 2008-09-08 10:19:45.000000000 -0400 @@ -23,7 +23,7 @@ gen_tunable(allow_nfsd_anon_write, false) @@ -23071,18 +23232,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.5.6/policy/modules/services/rpcbind.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.5.7/policy/modules/services/rpcbind.fc --- nsaserefpolicy/policy/modules/services/rpcbind.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/rpcbind.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/rpcbind.fc 2008-09-08 10:19:45.000000000 -0400 @@ -5,3 +5,5 @@ /var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) /var/run/rpcbind\.lock -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) /var/run/rpcbind\.sock -s gen_context(system_u:object_r:rpcbind_var_run_t,s0) + +/etc/rc\.d/init\.d/rpcbind -- gen_context(system_u:object_r:rpcbind_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.5.6/policy/modules/services/rpcbind.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.5.7/policy/modules/services/rpcbind.if --- nsaserefpolicy/policy/modules/services/rpcbind.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/rpcbind.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/rpcbind.if 2008-09-08 10:19:45.000000000 -0400 @@ -95,3 +95,65 @@ manage_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t) files_search_var_lib($1) @@ -23149,9 +23310,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_list_pids($1) + admin_pattern($1, rpcbind_var_run_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.5.6/policy/modules/services/rpcbind.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.5.7/policy/modules/services/rpcbind.te --- nsaserefpolicy/policy/modules/services/rpcbind.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/rpcbind.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/rpcbind.te 2008-09-08 10:19:45.000000000 -0400 @@ -16,16 +16,21 @@ type rpcbind_var_lib_t; files_type(rpcbind_var_lib_t) @@ -23183,9 +23344,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_network_state(rpcbind_t) corenet_all_recvfrom_unlabeled(rpcbind_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.5.6/policy/modules/services/rshd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.5.7/policy/modules/services/rshd.te --- nsaserefpolicy/policy/modules/services/rshd.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/rshd.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/rshd.te 2008-09-08 10:19:45.000000000 -0400 @@ -16,7 +16,7 @@ # # Local policy @@ -23247,9 +23408,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_shell_domtrans(rshd_t) + unconfined_signal(rshd_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.5.6/policy/modules/services/rsync.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.5.7/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/rsync.te 2008-09-04 10:40:02.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/rsync.te 2008-09-08 10:19:45.000000000 -0400 @@ -45,7 +45,7 @@ # Local policy # @@ -23259,18 +23420,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow rsync_t self:process signal_perms; allow rsync_t self:fifo_file rw_fifo_file_perms; allow rsync_t self:tcp_socket create_stream_socket_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho.fc serefpolicy-3.5.6/policy/modules/services/rwho.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho.fc serefpolicy-3.5.7/policy/modules/services/rwho.fc --- nsaserefpolicy/policy/modules/services/rwho.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/rwho.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/rwho.fc 2008-09-08 10:19:45.000000000 -0400 @@ -3,3 +3,5 @@ /var/spool/rwho(/.*)? gen_context(system_u:object_r:rwho_spool_t,s0) /var/log/rwhod(/.*)? gen_context(system_u:object_r:rwho_log_t,s0) + +/etc/rc\.d/init\.d/rwhod -- gen_context(system_u:object_r:rwho_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho.if serefpolicy-3.5.6/policy/modules/services/rwho.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho.if serefpolicy-3.5.7/policy/modules/services/rwho.if --- nsaserefpolicy/policy/modules/services/rwho.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/rwho.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/rwho.if 2008-09-08 10:19:45.000000000 -0400 @@ -118,6 +118,25 @@ ######################################## @@ -23321,9 +23482,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - manage_files_pattern($1, rwho_spool_t, rwho_spool_t) + admin_pattern($1, rwho_spool_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho.te serefpolicy-3.5.6/policy/modules/services/rwho.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho.te serefpolicy-3.5.7/policy/modules/services/rwho.te --- nsaserefpolicy/policy/modules/services/rwho.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/rwho.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/rwho.te 2008-09-08 10:19:45.000000000 -0400 @@ -16,6 +16,9 @@ type rwho_spool_t; files_type(rwho_spool_t) @@ -23334,9 +23495,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # rwho local policy -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.5.6/policy/modules/services/samba.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.5.7/policy/modules/services/samba.fc --- nsaserefpolicy/policy/modules/services/samba.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/samba.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/samba.fc 2008-09-08 10:19:45.000000000 -0400 @@ -15,6 +15,7 @@ /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) /usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0) @@ -23357,9 +23518,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +ifndef(`enable_mls',` +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.5.6/policy/modules/services/samba.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.5.7/policy/modules/services/samba.if --- nsaserefpolicy/policy/modules/services/samba.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/samba.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/samba.if 2008-09-08 10:19:45.000000000 -0400 @@ -33,12 +33,12 @@ ') @@ -23727,9 +23888,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, samba_unconfined_script_exec_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.5.6/policy/modules/services/samba.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.5.7/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/samba.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/samba.te 2008-09-08 10:19:45.000000000 -0400 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) @@ -24082,18 +24243,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow winbind_t smbcontrol_t:process signal; + +allow smbcontrol_t nmbd_var_run_t:file { read lock }; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.fc serefpolicy-3.5.6/policy/modules/services/sasl.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.fc serefpolicy-3.5.7/policy/modules/services/sasl.fc --- nsaserefpolicy/policy/modules/services/sasl.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/sasl.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/sasl.fc 2008-09-08 10:19:45.000000000 -0400 @@ -8,3 +8,5 @@ # /var # /var/run/saslauthd(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0) + +/etc/rc\.d/init\.d/sasl -- gen_context(system_u:object_r:sasl_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.if serefpolicy-3.5.6/policy/modules/services/sasl.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.if serefpolicy-3.5.7/policy/modules/services/sasl.if --- nsaserefpolicy/policy/modules/services/sasl.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/sasl.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/sasl.if 2008-09-08 10:19:45.000000000 -0400 @@ -21,6 +21,25 @@ ######################################## @@ -24144,9 +24305,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - manage_files_pattern($1, saslauthd_var_run_t, saslauthd_var_run_t) + admin_pattern($1, saslauthd_var_run_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.5.6/policy/modules/services/sasl.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.5.7/policy/modules/services/sasl.te --- nsaserefpolicy/policy/modules/services/sasl.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/sasl.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/sasl.te 2008-09-08 10:19:45.000000000 -0400 @@ -23,6 +23,9 @@ type saslauthd_var_run_t; files_pid_file(saslauthd_var_run_t) @@ -24177,9 +24338,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(saslauthd_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.5.6/policy/modules/services/sendmail.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.5.7/policy/modules/services/sendmail.if --- nsaserefpolicy/policy/modules/services/sendmail.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/sendmail.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/sendmail.if 2008-09-08 10:19:45.000000000 -0400 @@ -149,3 +149,104 @@ logging_log_filetrans($1, sendmail_log_t, file) @@ -24285,9 +24446,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 sendmail_t:fifo_file rw_fifo_file_perms; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.5.6/policy/modules/services/sendmail.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.5.7/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/sendmail.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/sendmail.te 2008-09-08 10:19:45.000000000 -0400 @@ -20,13 +20,17 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -24447,18 +24608,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl }; -') dnl end TODO -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.5.6/policy/modules/services/setroubleshoot.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.5.7/policy/modules/services/setroubleshoot.fc --- nsaserefpolicy/policy/modules/services/setroubleshoot.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/setroubleshoot.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/setroubleshoot.fc 2008-09-08 10:19:45.000000000 -0400 @@ -5,3 +5,5 @@ /var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0) /var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0) + +/etc/rc\.d/init\.d/setroubleshoot -- gen_context(system_u:object_r:setroubleshoot_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.5.6/policy/modules/services/setroubleshoot.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.5.7/policy/modules/services/setroubleshoot.if --- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/setroubleshoot.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/setroubleshoot.if 2008-09-08 10:19:45.000000000 -0400 @@ -16,8 +16,8 @@ ') @@ -24547,9 +24708,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_list_pids($1) + admin_pattern($1, setroubleshoot_var_run_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.5.6/policy/modules/services/setroubleshoot.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.5.7/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2008-08-25 09:12:31.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/setroubleshoot.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/setroubleshoot.te 2008-09-08 10:19:45.000000000 -0400 @@ -22,13 +22,16 @@ type setroubleshoot_var_run_t; files_pid_file(setroubleshoot_var_run_t) @@ -24632,17 +24793,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpm_read_db(setroubleshootd_t) rpm_dontaudit_manage_db(setroubleshootd_t) rpm_use_script_fds(setroubleshootd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.fc serefpolicy-3.5.6/policy/modules/services/smartmon.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.fc serefpolicy-3.5.7/policy/modules/services/smartmon.fc --- nsaserefpolicy/policy/modules/services/smartmon.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/smartmon.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/smartmon.fc 2008-09-08 10:19:45.000000000 -0400 @@ -8,3 +8,4 @@ # /var/run/smartd\.pid -- gen_context(system_u:object_r:fsdaemon_var_run_t,s0) +/etc/rc\.d/init\.d/smartd -- gen_context(system_u:object_r:fsdaemon_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.if serefpolicy-3.5.6/policy/modules/services/smartmon.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.if serefpolicy-3.5.7/policy/modules/services/smartmon.if --- nsaserefpolicy/policy/modules/services/smartmon.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/smartmon.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/smartmon.if 2008-09-08 10:19:45.000000000 -0400 @@ -20,6 +20,25 @@ ######################################## @@ -24693,9 +24854,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - manage_files_pattern($1, fsdaemon_var_run_t, fsdaemon_var_run_t) + admin_pattern($1, fsdaemon_var_run_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.5.6/policy/modules/services/smartmon.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.5.7/policy/modules/services/smartmon.te --- nsaserefpolicy/policy/modules/services/smartmon.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/smartmon.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/smartmon.te 2008-09-08 10:19:45.000000000 -0400 @@ -16,6 +16,10 @@ type fsdaemon_tmp_t; files_tmp_file(fsdaemon_tmp_t) @@ -24735,9 +24896,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol sysadm_dontaudit_search_home_dirs(fsdaemon_t) optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.5.6/policy/modules/services/snmp.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.5.7/policy/modules/services/snmp.fc --- nsaserefpolicy/policy/modules/services/snmp.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/snmp.fc 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/snmp.fc 2008-09-08 10:19:45.000000000 -0400 @@ -17,3 +17,6 @@ /var/run/snmpd -d gen_context(system_u:object_r:snmpd_var_run_t,s0) @@ -24745,9 +24906,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/etc/rc\.d/init\.d/snmpd -- gen_context(system_u:object_r:snmp_script_exec_t,s0) +/etc/rc\.d/init\.d/snmptrapd -- gen_context(system_u:object_r:snmp_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.5.6/policy/modules/services/snmp.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.5.7/policy/modules/services/snmp.if --- nsaserefpolicy/policy/modules/services/snmp.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/snmp.if 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/snmp.if 2008-09-08 10:19:45.000000000 -0400 @@ -87,6 +87,25 @@ ######################################## @@ -24818,9 +24979,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - manage_files_pattern($1, snmpd_var_run_t, snmpd_var_run_t) + admin_pattern($1, snmpd_var_run_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.5.6/policy/modules/services/snmp.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.5.7/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/snmp.te 2008-09-03 15:55:22.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/snmp.te 2008-09-08 10:19:45.000000000 -0400 @@ -18,12 +18,16 @@ type snmpd_var_lib_t; files_type(snmpd_var_lib_t) @@ -24882,24 +25043,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.fc serefpolicy-3.5.6/policy/modules/services/snort.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.fc serefpolicy-3.5.7/policy/modules/services/snort.fc --- nsaserefpolicy/policy/modules/services/snort.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/snort.fc 2008-09-03 15:55:22.000000000 -0400 -@@ -1,6 +1,10 @@ -+/usr/s?bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0) -+/usr/sbin/snort-plain -- gen_context(system_u:object_r:snort_exec_t,s0) - ++++ serefpolicy-3.5.7/policy/modules/services/snort.fc 2008-09-08 16:11:51.000000000 -0400 +@@ -2,5 +1,10 @@ /etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0) --/usr/s?bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0) -+/var/run/snort.* -- gen_context(system_u:object_r:snort_var_run_t,s0) + /usr/s?bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0) ++/usr/sbin/snort-plain -- gen_context(system_u:object_r:snort_exec_t,s0) /var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0) + ++/var/run/snort.* -- gen_context(system_u:object_r:snort_var_run_t,s0) ++ +/etc/rc\.d/init\.d/snortd -- gen_context(system_u:object_r:snort_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.if serefpolicy-3.5.6/policy/modules/services/snort.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.if serefpolicy-3.5.7/policy/modules/services/snort.if --- nsaserefpolicy/policy/modules/services/snort.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/snort.if 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/snort.if 2008-09-08 10:19:45.000000000 -0400 @@ -1 +1,91 @@ ## Snort network intrusion detection system + @@ -24992,9 +25152,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 snort_t:process signal; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.5.6/policy/modules/services/snort.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.5.7/policy/modules/services/snort.te --- nsaserefpolicy/policy/modules/services/snort.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/snort.te 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/snort.te 2008-09-08 16:03:15.000000000 -0400 @@ -10,8 +10,11 @@ type snort_exec_t; init_daemon_domain(snort_t, snort_exec_t) @@ -25008,7 +25168,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type snort_log_t; logging_log_file(snort_log_t) -@@ -65,8 +68,11 @@ +@@ -30,6 +33,8 @@ + allow snort_t self:capability { setgid setuid net_admin net_raw dac_override }; + dontaudit snort_t self:capability sys_tty_config; + allow snort_t self:process signal_perms; ++# Snort IPS node. unverified. netlink_firewall_socket ++allow snort_t self:netlink_firewall_socket { bind create getattr }; + allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; + allow snort_t self:tcp_socket create_stream_socket_perms; + allow snort_t self:udp_socket create_socket_perms; +@@ -65,8 +70,11 @@ corenet_raw_sendrecv_all_nodes(snort_t) corenet_tcp_sendrecv_all_ports(snort_t) corenet_udp_sendrecv_all_ports(snort_t) @@ -25020,7 +25189,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(snort_t) -@@ -79,6 +85,8 @@ +@@ -79,6 +87,8 @@ libs_use_ld_so(snort_t) libs_use_shared_libs(snort_t) @@ -25029,20 +25198,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(snort_t) miscfiles_read_localization(snort_t) -@@ -90,6 +98,10 @@ +@@ -89,6 +99,13 @@ + sysadm_dontaudit_search_home_dirs(snort_t) - optional_policy(` ++# snorts must be able to resolve dns in case it wants to relay to a remote prelude-manager ++sysnet_dns_name_resolve(snort_t) ++ ++optional_policy(` + prelude_manage_spool(snort_t) +') + -+optional_policy(` + optional_policy(` seutil_sigchld_newrole(snort_t) ') - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.fc serefpolicy-3.5.6/policy/modules/services/soundserver.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.fc serefpolicy-3.5.7/policy/modules/services/soundserver.fc --- nsaserefpolicy/policy/modules/services/soundserver.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/soundserver.fc 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/soundserver.fc 2008-09-08 10:19:45.000000000 -0400 @@ -7,4 +7,8 @@ /usr/sbin/yiff -- gen_context(system_u:object_r:soundd_exec_t,s0) @@ -25052,9 +25224,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/state/yiff(/.*)? gen_context(system_u:object_r:soundd_state_t,s0) + +/etc/rc\.d/init\.d/nasd -- gen_context(system_u:object_r:soundd_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.if serefpolicy-3.5.6/policy/modules/services/soundserver.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.if serefpolicy-3.5.7/policy/modules/services/soundserver.if --- nsaserefpolicy/policy/modules/services/soundserver.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/soundserver.if 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/soundserver.if 2008-09-08 10:19:45.000000000 -0400 @@ -13,3 +13,70 @@ interface(`soundserver_tcp_connect',` refpolicywarn(`$0($*) has been deprecated.') @@ -25126,9 +25298,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_list_pids($1) + admin_pattern($1, soundd_var_run_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.te serefpolicy-3.5.6/policy/modules/services/soundserver.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.te serefpolicy-3.5.7/policy/modules/services/soundserver.te --- nsaserefpolicy/policy/modules/services/soundserver.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/soundserver.te 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/soundserver.te 2008-09-08 10:19:45.000000000 -0400 @@ -11,7 +11,7 @@ init_daemon_domain(soundd_t, soundd_exec_t) @@ -25193,10 +25365,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(soundd_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.5.6/policy/modules/services/spamassassin.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.5.7/policy/modules/services/spamassassin.fc --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/spamassassin.fc 2008-09-03 15:55:23.000000000 -0400 -@@ -1,16 +1,22 @@ ++++ serefpolicy-3.5.7/policy/modules/services/spamassassin.fc 2008-09-08 16:32:32.000000000 -0400 +@@ -1,16 +1,27 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0) +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) @@ -25208,10 +25380,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) +/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamd_exec_t,s0) ++/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0) /var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0) +/var/log/spamd\.log -- gen_context(system_u:object_r:spamd_log_t,s0) ++/var/log/mimedefang -- gen_context(system_u:object_r:spamd_log_t,s0) + /var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) -/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) @@ -25220,11 +25394,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) ++/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) ++/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) + +/etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.5.6/policy/modules/services/spamassassin.if ++/etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_script_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.5.7/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/spamassassin.if 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/spamassassin.if 2008-09-08 10:19:45.000000000 -0400 @@ -34,10 +34,10 @@ # cjp: when tunables are available, spamc stuff should be # toggled on activation of spamc, and similarly for spamd. @@ -25787,9 +25964,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_files_pattern($1, spamc_home_t, spamc_home_t) + razor_manage_user_home_files(user, $1) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.5.6/policy/modules/services/spamassassin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.5.7/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/spamassassin.te 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/spamassassin.te 2008-09-08 16:46:47.000000000 -0400 @@ -21,8 +21,10 @@ gen_tunable(spamd_enable_home_dirs, true) @@ -25847,7 +26024,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; -@@ -69,7 +89,9 @@ +@@ -69,10 +89,13 @@ allow spamd_t self:unix_stream_socket connectto; allow spamd_t self:tcp_socket create_stream_socket_perms; allow spamd_t self:udp_socket create_socket_perms; @@ -25858,7 +26035,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) -@@ -81,10 +103,11 @@ ++manage_sock_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) + files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) + + manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) +@@ -81,10 +104,11 @@ # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; @@ -25871,7 +26052,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file }) kernel_read_all_sysctls(spamd_t) -@@ -134,6 +157,8 @@ +@@ -134,6 +158,8 @@ init_dontaudit_rw_utmp(spamd_t) @@ -25880,7 +26061,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_use_ld_so(spamd_t) libs_use_shared_libs(spamd_t) -@@ -141,20 +166,40 @@ +@@ -141,20 +167,40 @@ miscfiles_read_localization(spamd_t) @@ -25926,7 +26107,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_manage_cifs_files(spamd_t) ') -@@ -172,6 +217,7 @@ +@@ -172,6 +218,7 @@ optional_policy(` dcc_domtrans_client(spamd_t) @@ -25934,7 +26115,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dcc_stream_connect_dccifd(spamd_t) ') -@@ -181,10 +227,6 @@ +@@ -181,10 +228,6 @@ ') optional_policy(` @@ -25945,7 +26126,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol postfix_read_config(spamd_t) ') -@@ -199,6 +241,10 @@ +@@ -199,6 +242,10 @@ optional_policy(` razor_domtrans(spamd_t) @@ -25956,7 +26137,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -213,3 +259,121 @@ +@@ -213,3 +260,121 @@ optional_policy(` udev_read_db(spamd_t) ') @@ -26078,9 +26259,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + sendmail_stub(spamc_t) + sendmail_rw_pipes(spamc_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.5.6/policy/modules/services/squid.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.5.7/policy/modules/services/squid.fc --- nsaserefpolicy/policy/modules/services/squid.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/squid.fc 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/squid.fc 2008-09-08 10:19:45.000000000 -0400 @@ -12,3 +12,8 @@ /var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0) @@ -26090,9 +26271,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_script_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.5.6/policy/modules/services/squid.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.5.7/policy/modules/services/squid.if --- nsaserefpolicy/policy/modules/services/squid.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/squid.if 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/squid.if 2008-09-08 10:19:45.000000000 -0400 @@ -131,3 +131,114 @@ interface(`squid_use',` refpolicywarn(`$0($*) has been deprecated.') @@ -26208,9 +26389,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 squid_t:process signal; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.5.6/policy/modules/services/squid.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.5.7/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/squid.te 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/squid.te 2008-09-08 10:19:45.000000000 -0400 @@ -31,12 +31,15 @@ type squid_var_run_t; files_pid_file(squid_var_run_t) @@ -26296,18 +26477,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + corenet_all_recvfrom_unlabeled(httpd_squid_script_t) + corenet_all_recvfrom_netlabel(httpd_squid_script_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.5.6/policy/modules/services/ssh.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.5.7/policy/modules/services/ssh.fc --- nsaserefpolicy/policy/modules/services/ssh.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/ssh.fc 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/ssh.fc 2008-09-08 10:19:45.000000000 -0400 @@ -1,4 +1,4 @@ -HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ROLE_home_ssh_t,s0) +HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) /etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) /etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.5.6/policy/modules/services/ssh.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.5.7/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/ssh.if 2008-09-04 13:51:46.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/ssh.if 2008-09-08 10:19:45.000000000 -0400 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -26544,9 +26725,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_search_tmp($1) + delete_files_pattern($1, ssh_tmp_t, ssh_tmp_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.5.6/policy/modules/services/ssh.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.5.7/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/ssh.te 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/ssh.te 2008-09-08 10:19:45.000000000 -0400 @@ -24,7 +24,7 @@ # Type for the ssh-agent executable. @@ -26607,9 +26788,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_shell_domtrans(sshd_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-3.5.6/policy/modules/services/stunnel.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-3.5.7/policy/modules/services/stunnel.te --- nsaserefpolicy/policy/modules/services/stunnel.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/stunnel.te 2008-09-04 10:48:02.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/stunnel.te 2008-09-08 10:19:45.000000000 -0400 @@ -54,6 +54,8 @@ kernel_read_system_state(stunnel_t) kernel_read_network_state(stunnel_t) @@ -26619,9 +26800,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(stunnel_t) corenet_all_recvfrom_netlabel(stunnel_t) corenet_tcp_sendrecv_all_if(stunnel_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.5.6/policy/modules/services/telnet.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.5.7/policy/modules/services/telnet.te --- nsaserefpolicy/policy/modules/services/telnet.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/telnet.te 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/telnet.te 2008-09-08 10:19:45.000000000 -0400 @@ -89,15 +89,19 @@ userdom_search_unpriv_users_home_dirs(telnetd_t) @@ -26646,9 +26827,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_manage_cifs_files(telnetd_t) ') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.if serefpolicy-3.5.6/policy/modules/services/tftp.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.if serefpolicy-3.5.7/policy/modules/services/tftp.if --- nsaserefpolicy/policy/modules/services/tftp.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/tftp.if 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/tftp.if 2008-09-08 10:19:45.000000000 -0400 @@ -20,10 +20,10 @@ allow $1 tftpd_t:process { ptrace signal_perms getattr }; ps_process_pattern($1, tftpd_t) @@ -26663,9 +26844,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - manage_files_pattern($1, tftpd_var_run_t, tftpd_var_run_t) + admin_pattern($1, tftpd_var_run_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.5.6/policy/modules/services/tftp.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.5.7/policy/modules/services/tftp.te --- nsaserefpolicy/policy/modules/services/tftp.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/tftp.te 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/tftp.te 2008-09-08 10:19:45.000000000 -0400 @@ -37,7 +37,6 @@ allow tftpd_t self:udp_socket create_socket_perms; allow tftpd_t self:unix_dgram_socket create_socket_perms; @@ -26710,18 +26891,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(tftpd_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.fc serefpolicy-3.5.6/policy/modules/services/tor.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.fc serefpolicy-3.5.7/policy/modules/services/tor.fc --- nsaserefpolicy/policy/modules/services/tor.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/tor.fc 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/tor.fc 2008-09-08 10:19:45.000000000 -0400 @@ -6,3 +6,5 @@ /var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) /var/log/tor(/.*)? gen_context(system_u:object_r:tor_var_log_t,s0) /var/run/tor(/.*)? gen_context(system_u:object_r:tor_var_run_t,s0) + +/etc/rc\.d/init\.d/tor -- gen_context(system_u:object_r:tor_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.if serefpolicy-3.5.6/policy/modules/services/tor.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.if serefpolicy-3.5.7/policy/modules/services/tor.if --- nsaserefpolicy/policy/modules/services/tor.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/tor.if 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/tor.if 2008-09-08 10:19:45.000000000 -0400 @@ -20,6 +20,25 @@ ######################################## @@ -26781,9 +26962,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, tor_var_run_t) ') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.5.6/policy/modules/services/tor.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.5.7/policy/modules/services/tor.te --- nsaserefpolicy/policy/modules/services/tor.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/tor.te 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/tor.te 2008-09-08 10:19:45.000000000 -0400 @@ -26,11 +26,15 @@ type tor_var_run_t; files_pid_file(tor_var_run_t) @@ -26816,9 +26997,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` seutil_sigchld_newrole(tor_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.if serefpolicy-3.5.6/policy/modules/services/uucp.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.if serefpolicy-3.5.7/policy/modules/services/uucp.if --- nsaserefpolicy/policy/modules/services/uucp.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/uucp.if 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/uucp.if 2008-09-08 10:19:45.000000000 -0400 @@ -84,18 +84,18 @@ ps_process_pattern($1, uucpd_t) @@ -26844,9 +27025,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - manage_files_pattern($1, uucpd_var_run_t, uucpd_var_run_t) + admin_pattern($1, uucpd_var_run_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.5.6/policy/modules/services/uucp.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.5.7/policy/modules/services/uucp.te --- nsaserefpolicy/policy/modules/services/uucp.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/uucp.te 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/uucp.te 2008-09-08 10:19:45.000000000 -0400 @@ -116,6 +116,8 @@ files_read_etc_files(uux_t) @@ -26856,9 +27037,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_use_ld_so(uux_t) libs_use_shared_libs(uux_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.5.6/policy/modules/services/virt.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.5.7/policy/modules/services/virt.fc --- nsaserefpolicy/policy/modules/services/virt.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/virt.fc 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/virt.fc 2008-09-08 10:19:45.000000000 -0400 @@ -9,3 +9,6 @@ /var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) /var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) @@ -26866,9 +27047,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_script_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.5.6/policy/modules/services/virt.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.5.7/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/virt.if 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/virt.if 2008-09-08 10:19:45.000000000 -0400 @@ -68,7 +68,7 @@ ## ## @@ -26966,9 +27147,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol virt_manage_pid_files($1) virt_manage_lib_files($1) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.5.6/policy/modules/services/virt.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.5.7/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/virt.te 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/virt.te 2008-09-08 10:19:45.000000000 -0400 @@ -1,6 +1,8 @@ policy_module(virt, 1.0.0) @@ -27099,9 +27280,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + unconfined_domain(virtd_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.5.6/policy/modules/services/xserver.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.5.7/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/xserver.fc 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/xserver.fc 2008-09-08 10:19:45.000000000 -0400 @@ -1,13 +1,15 @@ # # HOME_DIR @@ -27173,9 +27354,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_suse',` /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.6/policy/modules/services/xserver.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.7/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/xserver.if 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/xserver.if 2008-09-08 10:19:45.000000000 -0400 @@ -16,6 +16,7 @@ gen_require(` type xkb_var_lib_t, xserver_exec_t, xserver_log_t; @@ -28318,9 +28499,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - typeattribute $1 xserver_unconfined_type; + dontaudit $1 xdm_home_t:file rw_file_perms; ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.5.6/policy/modules/services/xserver.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.5.7/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/xserver.te 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/xserver.te 2008-09-08 10:19:45.000000000 -0400 @@ -8,6 +8,14 @@ ## @@ -28818,18 +28999,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabbix.fc serefpolicy-3.5.6/policy/modules/services/zabbix.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabbix.fc serefpolicy-3.5.7/policy/modules/services/zabbix.fc --- nsaserefpolicy/policy/modules/services/zabbix.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/zabbix.fc 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/zabbix.fc 2008-09-08 10:19:45.000000000 -0400 @@ -3,3 +3,5 @@ /var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0) /var/run/zabbix(/.*)? gen_context(system_u:object_r:zabbix_var_run_t,s0) + +/etc/rc\.d/init\.d/zabbix -- gen_context(system_u:object_r:zabbix_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabbix.if serefpolicy-3.5.6/policy/modules/services/zabbix.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabbix.if serefpolicy-3.5.7/policy/modules/services/zabbix.if --- nsaserefpolicy/policy/modules/services/zabbix.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/zabbix.if 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/zabbix.if 2008-09-08 10:19:45.000000000 -0400 @@ -79,6 +79,25 @@ ######################################## @@ -28882,9 +29063,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - manage_files_pattern($1, zabbix_var_run_t, zabbix_var_run_t) + admin_pattern($1, zabbix_var_run_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabbix.te serefpolicy-3.5.6/policy/modules/services/zabbix.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabbix.te serefpolicy-3.5.7/policy/modules/services/zabbix.te --- nsaserefpolicy/policy/modules/services/zabbix.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/zabbix.te 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/zabbix.te 2008-09-08 10:19:45.000000000 -0400 @@ -18,6 +18,9 @@ type zabbix_var_run_t; files_pid_file(zabbix_var_run_t) @@ -28895,9 +29076,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # zabbix local policy -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.fc serefpolicy-3.5.6/policy/modules/services/zebra.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.fc serefpolicy-3.5.7/policy/modules/services/zebra.fc --- nsaserefpolicy/policy/modules/services/zebra.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/zebra.fc 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/zebra.fc 2008-09-08 10:19:45.000000000 -0400 @@ -14,3 +14,10 @@ /var/run/\.zebra -s gen_context(system_u:object_r:zebra_var_run_t,s0) /var/run/\.zserv -s gen_context(system_u:object_r:zebra_var_run_t,s0) @@ -28909,9 +29090,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/rc\.d/init\.d/ripd -- gen_context(system_u:object_r:zebra_script_exec_t,s0) +/etc/rc\.d/init\.d/ripngd -- gen_context(system_u:object_r:zebra_script_exec_t,s0) +/etc/rc\.d/init\.d/zebra -- gen_context(system_u:object_r:zebra_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.if serefpolicy-3.5.6/policy/modules/services/zebra.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.if serefpolicy-3.5.7/policy/modules/services/zebra.if --- nsaserefpolicy/policy/modules/services/zebra.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/zebra.if 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/zebra.if 2008-09-08 10:19:45.000000000 -0400 @@ -24,6 +24,26 @@ ######################################## @@ -28973,9 +29154,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - manage_files_pattern($1, zebra_var_run_t, zebra_var_run_t) + admin_pattern($1, zebra_var_run_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.te serefpolicy-3.5.6/policy/modules/services/zebra.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.te serefpolicy-3.5.7/policy/modules/services/zebra.te --- nsaserefpolicy/policy/modules/services/zebra.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/services/zebra.te 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/services/zebra.te 2008-09-08 10:19:45.000000000 -0400 @@ -30,6 +30,9 @@ type zebra_var_run_t; files_pid_file(zebra_var_run_t) @@ -29003,9 +29184,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(zebra_t) kernel_rw_net_sysctls(zebra_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.5.6/policy/modules/system/application.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.5.7/policy/modules/system/application.te --- nsaserefpolicy/policy/modules/system/application.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/application.te 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/application.te 2008-09-08 10:19:45.000000000 -0400 @@ -7,6 +7,12 @@ # Executables to be run by user attribute application_exec_type; @@ -29019,9 +29200,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ssh_sigchld(application_domain_type) ssh_rw_stream_sockets(application_domain_type) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.5.6/policy/modules/system/authlogin.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.5.7/policy/modules/system/authlogin.fc --- nsaserefpolicy/policy/modules/system/authlogin.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/authlogin.fc 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/authlogin.fc 2008-09-08 10:19:45.000000000 -0400 @@ -7,12 +7,10 @@ /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) @@ -29048,9 +29229,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) + +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.5.6/policy/modules/system/authlogin.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.5.7/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/authlogin.if 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/authlogin.if 2008-09-08 10:19:45.000000000 -0400 @@ -56,10 +56,6 @@ miscfiles_read_localization($1_chkpwd_t) @@ -29311,9 +29492,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + manage_files_pattern($1, auth_cache_t, auth_cache_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.5.6/policy/modules/system/authlogin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.5.7/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/authlogin.te 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/authlogin.te 2008-09-08 10:19:45.000000000 -0400 @@ -59,6 +59,9 @@ type utempter_exec_t; application_domain(utempter_t,utempter_exec_t) @@ -29413,9 +29594,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_use_xdm_fds(utempter_t) xserver_rw_xdm_pipes(utempter_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.5.6/policy/modules/system/fstools.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.5.7/policy/modules/system/fstools.fc --- nsaserefpolicy/policy/modules/system/fstools.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/fstools.fc 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/fstools.fc 2008-09-08 10:19:45.000000000 -0400 @@ -1,4 +1,3 @@ -/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) @@ -29429,9 +29610,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.5.6/policy/modules/system/fstools.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.5.7/policy/modules/system/fstools.te --- nsaserefpolicy/policy/modules/system/fstools.te 2008-08-14 10:07:04.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/fstools.te 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/fstools.te 2008-09-08 10:19:45.000000000 -0400 @@ -97,6 +97,10 @@ fs_getattr_tmpfs_dirs(fsadm_t) fs_read_tmpfs_symlinks(fsadm_t) @@ -29453,9 +29634,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + unconfined_domain(fsadm_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.5.6/policy/modules/system/hostname.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.5.7/policy/modules/system/hostname.te --- nsaserefpolicy/policy/modules/system/hostname.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/hostname.te 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/hostname.te 2008-09-08 10:19:45.000000000 -0400 @@ -8,7 +8,9 @@ type hostname_t; @@ -29467,9 +29648,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol role system_r types hostname_t; ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.5.6/policy/modules/system/init.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.5.7/policy/modules/system/init.fc --- nsaserefpolicy/policy/modules/system/init.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/init.fc 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/init.fc 2008-09-08 10:19:45.000000000 -0400 @@ -4,8 +4,7 @@ /etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) @@ -29489,9 +29670,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /var # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.5.6/policy/modules/system/init.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.5.7/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2008-09-03 07:59:15.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/init.if 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/init.if 2008-09-08 10:19:45.000000000 -0400 @@ -278,6 +278,27 @@ kernel_dontaudit_use_fds($1) ') @@ -29745,9 +29926,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + range_transition $1 $2:process s0 - mls_systemhigh; + ') +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.5.6/policy/modules/system/init.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.5.7/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2008-09-03 07:59:15.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/init.te 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/init.te 2008-09-08 10:19:45.000000000 -0400 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart,false) @@ -29839,7 +30020,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol can_exec(initrc_t, init_script_file_type) -@@ -276,7 +303,7 @@ +@@ -232,6 +259,7 @@ + + allow initrc_t initrc_var_run_t:file manage_file_perms; + files_pid_filetrans(initrc_t,initrc_var_run_t,file) ++files_manage_generic_pids_symlinks(initrc_t) + + can_exec(initrc_t,initrc_tmp_t) + allow initrc_t initrc_tmp_t:file manage_file_perms; +@@ -276,7 +304,7 @@ dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) dev_setattr_all_chr_files(initrc_t) @@ -29848,7 +30037,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -521,6 +548,31 @@ +@@ -521,6 +549,31 @@ ') ') @@ -29880,7 +30069,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -579,6 +631,10 @@ +@@ -579,6 +632,10 @@ dbus_read_config(initrc_t) optional_policy(` @@ -29891,7 +30080,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol networkmanager_dbus_chat(initrc_t) ') ') -@@ -664,12 +720,6 @@ +@@ -664,12 +721,6 @@ mta_read_config(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t) ') @@ -29904,7 +30093,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ifdef(`distro_redhat',` -@@ -730,6 +780,9 @@ +@@ -730,6 +781,9 @@ # why is this needed: rpm_manage_db(initrc_t) @@ -29914,7 +30103,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -742,10 +795,12 @@ +@@ -742,10 +796,12 @@ squid_manage_logs(initrc_t) ') @@ -29927,7 +30116,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -763,6 +818,11 @@ +@@ -763,6 +819,11 @@ uml_setattr_util_sockets(initrc_t) ') @@ -29939,7 +30128,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` unconfined_domain(initrc_t) -@@ -777,6 +837,10 @@ +@@ -777,6 +838,10 @@ ') optional_policy(` @@ -29950,7 +30139,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol vmware_read_system_config(initrc_t) vmware_append_system_config(initrc_t) ') -@@ -799,3 +863,11 @@ +@@ -799,3 +864,11 @@ optional_policy(` zebra_read_config(initrc_t) ') @@ -29962,9 +30151,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + xserver_rw_xdm_home_files(daemon) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.5.6/policy/modules/system/iscsi.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.5.7/policy/modules/system/iscsi.te --- nsaserefpolicy/policy/modules/system/iscsi.te 2008-08-11 11:23:34.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/iscsi.te 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/iscsi.te 2008-09-08 10:19:45.000000000 -0400 @@ -28,7 +28,7 @@ # iscsid local policy # @@ -29974,9 +30163,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow iscsid_t self:process { setrlimit setsched signal }; allow iscsid_t self:fifo_file { read write }; allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto }; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.6/policy/modules/system/libraries.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.7/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2008-08-13 15:24:56.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/libraries.fc 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/libraries.fc 2008-09-08 10:19:45.000000000 -0400 @@ -66,6 +66,8 @@ /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) @@ -30031,7 +30220,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -291,6 +297,8 @@ +@@ -267,6 +273,8 @@ + /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + ++/usr/lib(64)?/(virtualbox(-ose)?/)?(components/)?VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ + # Java, Sun Microsystems (JPackage SRPM) + /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +@@ -291,6 +299,8 @@ /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -30040,7 +30238,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') dnl end distro_redhat # -@@ -310,3 +318,13 @@ +@@ -310,3 +320,13 @@ /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) @@ -30054,9 +30252,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib/oracle/.*/lib/libnnz10\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/opt/novell/groupwise/client/lib/libgwapijni\.so\.1 -- gen_context(system_u:object_r:textrel_shlib_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.5.6/policy/modules/system/libraries.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.5.7/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2008-08-13 15:24:56.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/libraries.te 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/libraries.te 2008-09-08 10:19:45.000000000 -0400 @@ -52,11 +52,11 @@ # ldconfig local policy # @@ -30113,9 +30311,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + unconfined_domain(ldconfig_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.5.6/policy/modules/system/locallogin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.5.7/policy/modules/system/locallogin.te --- nsaserefpolicy/policy/modules/system/locallogin.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/locallogin.te 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/locallogin.te 2008-09-08 10:19:45.000000000 -0400 @@ -100,7 +100,6 @@ auth_rw_login_records(local_login_t) @@ -30184,9 +30382,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -optional_policy(` - nscd_socket_use(sulogin_t) -') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.5.6/policy/modules/system/logging.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.5.7/policy/modules/system/logging.fc --- nsaserefpolicy/policy/modules/system/logging.fc 2008-08-25 09:12:31.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/logging.fc 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/logging.fc 2008-09-08 10:19:45.000000000 -0400 @@ -63,3 +63,6 @@ /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0) @@ -30194,9 +30392,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_script_exec_t,s0) +/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.5.6/policy/modules/system/logging.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.5.7/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2008-09-03 14:55:50.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/logging.if 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/logging.if 2008-09-08 10:19:45.000000000 -0400 @@ -281,7 +281,7 @@ role system_r types $1; @@ -30308,9 +30506,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - logging_admin_syslog($1) + logging_admin_syslog($1, $2, $3) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.5.6/policy/modules/system/logging.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.5.7/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2008-09-03 10:17:00.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/logging.te 2008-09-04 08:47:19.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/logging.te 2008-09-08 10:19:45.000000000 -0400 @@ -72,6 +72,12 @@ logging_log_file(var_log_t) files_mountpoint(var_log_t) @@ -30340,9 +30538,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(audisp_remote_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.5.6/policy/modules/system/lvm.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.5.7/policy/modules/system/lvm.fc --- nsaserefpolicy/policy/modules/system/lvm.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/lvm.fc 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/lvm.fc 2008-09-08 10:19:45.000000000 -0400 @@ -55,6 +55,7 @@ /sbin/lvs -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvscan -- gen_context(system_u:object_r:lvm_exec_t,s0) @@ -30356,9 +30554,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0) /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0) +/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.5.6/policy/modules/system/lvm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.5.7/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/lvm.te 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/lvm.te 2008-09-08 10:19:45.000000000 -0400 @@ -13,6 +13,9 @@ type clvmd_var_run_t; files_pid_file(clvmd_var_run_t) @@ -30539,9 +30737,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xen_append_log(lvm_t) + xen_dontaudit_rw_unix_stream_sockets(lvm_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.5.6/policy/modules/system/modutils.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.5.7/policy/modules/system/modutils.if --- nsaserefpolicy/policy/modules/system/modutils.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/modutils.if 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/modutils.if 2008-09-08 10:19:45.000000000 -0400 @@ -66,6 +66,25 @@ ######################################## @@ -30576,9 +30774,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.5.6/policy/modules/system/modutils.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.5.7/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/modutils.te 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/modutils.te 2008-09-08 10:19:45.000000000 -0400 @@ -22,6 +22,8 @@ type insmod_exec_t; application_domain(insmod_t,insmod_exec_t) @@ -30717,9 +30915,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ################################# -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.5.6/policy/modules/system/mount.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.5.7/policy/modules/system/mount.fc --- nsaserefpolicy/policy/modules/system/mount.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/mount.fc 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/mount.fc 2008-09-08 10:19:45.000000000 -0400 @@ -1,4 +1,6 @@ /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) @@ -30728,9 +30926,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) /usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.5.6/policy/modules/system/mount.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.5.7/policy/modules/system/mount.if --- nsaserefpolicy/policy/modules/system/mount.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/mount.if 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/mount.if 2008-09-08 10:19:45.000000000 -0400 @@ -49,6 +49,8 @@ mount_domtrans($1) role $2 types mount_t; @@ -30740,9 +30938,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` samba_run_smbmount($1, $2, $3) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.5.6/policy/modules/system/mount.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.5.7/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/mount.te 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/mount.te 2008-09-08 10:19:45.000000000 -0400 @@ -18,17 +18,18 @@ init_system_domain(mount_t,mount_exec_t) role system_r types mount_t; @@ -30901,9 +31099,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + hal_rw_pipes(mount_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.5.6/policy/modules/system/raid.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.5.7/policy/modules/system/raid.te --- nsaserefpolicy/policy/modules/system/raid.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/raid.te 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/raid.te 2008-09-08 10:19:45.000000000 -0400 @@ -39,6 +39,7 @@ dev_dontaudit_getattr_generic_files(mdadm_t) dev_dontaudit_getattr_generic_chr_files(mdadm_t) @@ -30912,9 +31110,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_search_auto_mountpoints(mdadm_t) fs_dontaudit_list_tmpfs(mdadm_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.5.6/policy/modules/system/selinuxutil.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.5.7/policy/modules/system/selinuxutil.fc --- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/selinuxutil.fc 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/selinuxutil.fc 2008-09-08 10:19:45.000000000 -0400 @@ -38,7 +38,7 @@ /usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0) /usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0) @@ -30933,9 +31131,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# /var/lib +# +/var/lib/selinux(/.*)? gen_context(system_u:object_r:selinux_var_lib_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.5.6/policy/modules/system/selinuxutil.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.5.7/policy/modules/system/selinuxutil.if --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/selinuxutil.if 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/selinuxutil.if 2008-09-08 10:19:45.000000000 -0400 @@ -555,6 +555,59 @@ ######################################## @@ -31396,9 +31594,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + hotplug_use_fds($1) +') +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.5.6/policy/modules/system/selinuxutil.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.5.7/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/selinuxutil.te 2008-09-04 16:04:28.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/selinuxutil.te 2008-09-08 10:19:45.000000000 -0400 @@ -23,6 +23,9 @@ type selinux_config_t; files_type(selinux_config_t) @@ -31580,12 +31778,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # netfilter_contexts: seutil_manage_default_contexts(semanage_t) -@@ -501,12 +464,25 @@ +@@ -501,12 +464,27 @@ files_read_var_lib_symlinks(semanage_t) ') +optional_policy(` + setrans_script_domtrans(semanage_t) ++ domain_system_change_exemption(semanage_t) ++ consoletype_exec(semanage_t) +') + +optional_policy(` @@ -31606,7 +31806,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files -@@ -514,121 +490,42 @@ +@@ -514,121 +492,42 @@ # Handle pp files created in homedir and /tmp sysadm_read_home_content_files(semanage_t) sysadm_read_tmp_files(semanage_t) @@ -31751,18 +31951,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - hotplug_use_fds(setfiles_t) + unconfined_domain(setfiles_mac_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.fc serefpolicy-3.5.6/policy/modules/system/setrans.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.fc serefpolicy-3.5.7/policy/modules/system/setrans.fc --- nsaserefpolicy/policy/modules/system/setrans.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/setrans.fc 2008-09-04 16:00:18.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/setrans.fc 2008-09-08 10:19:45.000000000 -0400 @@ -1,3 +1,5 @@ /sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0) /var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh) + +/etc/rc\.d/init\.d/mcstrans -- gen_context(system_u:object_r:setrans_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.5.6/policy/modules/system/setrans.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.5.7/policy/modules/system/setrans.if --- nsaserefpolicy/policy/modules/system/setrans.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/setrans.if 2008-09-04 16:01:16.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/setrans.if 2008-09-08 10:19:45.000000000 -0400 @@ -21,3 +21,23 @@ stream_connect_pattern($1,setrans_var_run_t,setrans_var_run_t,setrans_t) files_list_pids($1) @@ -31787,9 +31987,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + init_script_domtrans_spec($1, setrans_script_exec_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.te serefpolicy-3.5.6/policy/modules/system/setrans.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.te serefpolicy-3.5.7/policy/modules/system/setrans.te --- nsaserefpolicy/policy/modules/system/setrans.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/setrans.te 2008-09-04 15:59:46.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/setrans.te 2008-09-08 10:19:45.000000000 -0400 @@ -14,6 +14,9 @@ files_pid_file(setrans_var_run_t) mls_trusted_object(setrans_var_run_t) @@ -31817,18 +32017,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_compute_access_vector(setrans_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.5.6/policy/modules/system/sysnetwork.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.5.7/policy/modules/system/sysnetwork.fc --- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/sysnetwork.fc 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/sysnetwork.fc 2008-09-08 10:19:45.000000000 -0400 @@ -57,3 +57,5 @@ ifdef(`distro_gentoo',` /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) ') + +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.5.6/policy/modules/system/sysnetwork.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.5.7/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/sysnetwork.if 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/sysnetwork.if 2008-09-08 10:19:45.000000000 -0400 @@ -553,6 +553,7 @@ type net_conf_t; ') @@ -31907,9 +32107,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + role_transition $1 dhcpc_exec_t system_r; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.5.6/policy/modules/system/sysnetwork.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.5.7/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-08-11 11:23:34.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/sysnetwork.te 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/sysnetwork.te 2008-09-08 10:19:45.000000000 -0400 @@ -20,6 +20,10 @@ init_daemon_domain(dhcpc_t,dhcpc_exec_t) role system_r types dhcpc_t; @@ -32091,9 +32291,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_xen_state(ifconfig_t) kernel_write_xen_state(ifconfig_t) xen_append_log(ifconfig_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.5.6/policy/modules/system/udev.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.5.7/policy/modules/system/udev.if --- nsaserefpolicy/policy/modules/system/udev.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/udev.if 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/udev.if 2008-09-08 10:19:45.000000000 -0400 @@ -96,6 +96,24 @@ ######################################## @@ -32147,9 +32347,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - allow $1 udev_tdb_t:file rw_file_perms; + allow $1 udev_tbl_t:file rw_file_perms; ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.5.6/policy/modules/system/udev.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.5.7/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/udev.te 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/udev.te 2008-09-08 10:19:45.000000000 -0400 @@ -83,6 +83,7 @@ kernel_rw_unix_dgram_sockets(udev_t) kernel_dgram_send(udev_t) @@ -32205,9 +32405,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` xserver_read_xdm_pid(udev_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.5.6/policy/modules/system/unconfined.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.5.7/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/unconfined.fc 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/unconfined.fc 2008-09-08 10:19:45.000000000 -0400 @@ -2,15 +2,11 @@ # e.g.: # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) @@ -32246,9 +32446,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/libexec/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) + +/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.5.6/policy/modules/system/unconfined.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.5.7/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/unconfined.if 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/unconfined.if 2008-09-08 10:19:45.000000000 -0400 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -32592,9 +32792,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + userdom_role_change_template(unconfined, $1) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.5.6/policy/modules/system/unconfined.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.5.7/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-09-03 07:59:15.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/unconfined.te 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/unconfined.te 2008-09-08 10:19:45.000000000 -0400 @@ -1,40 +1,80 @@ -policy_module(unconfined, 2.3.1) @@ -32929,9 +33129,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# Allow SELinux aware applications to request rpm_script execution +rpm_transition_script(unconfined_notrans_t) +domain_ptrace_all_domains(unconfined_notrans_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.5.6/policy/modules/system/userdomain.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.5.7/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/userdomain.fc 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/userdomain.fc 2008-09-08 10:19:45.000000000 -0400 @@ -1,4 +1,5 @@ -HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh) -HOME_DIR/.+ gen_context(system_u:object_r:ROLE_home_t,s0) @@ -32942,9 +33142,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) +/tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0) +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.6/policy/modules/system/userdomain.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.7/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/userdomain.if 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/userdomain.if 2008-09-08 10:19:45.000000000 -0400 @@ -28,10 +28,14 @@ class context contains; ') @@ -35504,9 +35704,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + dontaudit $1 user_home_t:file unlink; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.5.6/policy/modules/system/userdomain.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.5.7/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/userdomain.te 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/userdomain.te 2008-09-08 10:19:45.000000000 -0400 @@ -8,13 +8,6 @@ ## @@ -35621,9 +35821,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_fifo_files_pattern(privhome, cifs_t, cifs_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.5.6/policy/modules/system/xen.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.5.7/policy/modules/system/xen.fc --- nsaserefpolicy/policy/modules/system/xen.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/xen.fc 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/xen.fc 2008-09-08 10:19:45.000000000 -0400 @@ -20,6 +20,7 @@ /var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0) /var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) @@ -35632,9 +35832,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0) /var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.5.6/policy/modules/system/xen.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.5.7/policy/modules/system/xen.if --- nsaserefpolicy/policy/modules/system/xen.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/xen.if 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/xen.if 2008-09-08 10:19:45.000000000 -0400 @@ -167,11 +167,14 @@ # interface(`xen_stream_connect',` @@ -35676,9 +35876,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 xend_var_lib_t:dir search_dir_perms; + rw_files_pattern($1, xen_image_t, xen_image_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.5.6/policy/modules/system/xen.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.5.7/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.6/policy/modules/system/xen.te 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/modules/system/xen.te 2008-09-08 10:19:45.000000000 -0400 @@ -6,6 +6,13 @@ # Declarations # @@ -35915,9 +36115,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + unconfined_domain(xend_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/file_patterns.spt serefpolicy-3.5.6/policy/support/file_patterns.spt +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/file_patterns.spt serefpolicy-3.5.7/policy/support/file_patterns.spt --- nsaserefpolicy/policy/support/file_patterns.spt 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.6/policy/support/file_patterns.spt 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/support/file_patterns.spt 2008-09-08 10:19:45.000000000 -0400 @@ -537,3 +537,18 @@ allow $1 $2:dir rw_dir_perms; type_transition $1 $2:$4 $3; @@ -35937,9 +36137,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + relabel_sock_files_pattern($1,$2,$2) + +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.5.6/policy/support/obj_perm_sets.spt +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.5.7/policy/support/obj_perm_sets.spt --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.6/policy/support/obj_perm_sets.spt 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/support/obj_perm_sets.spt 2008-09-08 10:19:45.000000000 -0400 @@ -316,3 +316,13 @@ # define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }') @@ -35954,9 +36154,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ') + +define(`manage_key_perms', `{ create link read search setattr view write } ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.5.6/policy/users +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.5.7/policy/users --- nsaserefpolicy/policy/users 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.6/policy/users 2008-09-03 15:55:23.000000000 -0400 ++++ serefpolicy-3.5.7/policy/users 2008-09-08 10:19:45.000000000 -0400 @@ -25,11 +25,8 @@ # permit any access to such users, then remove this entry. # diff --git a/selinux-policy.spec b/selinux-policy.spec index ee68dbb..166e57d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -16,8 +16,8 @@ %define CHECKPOLICYVER 2.0.16-1 Summary: SELinux policy configuration Name: selinux-policy -Version: 3.5.6 -Release: 2%{?dist} +Version: 3.5.7 +Release: 1%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -290,6 +290,7 @@ __eof restorecon -R /root /var/log /var/run 2> /dev/null else semodule -s targeted -r moilscanner 2>/dev/null +semodule -s targeted -r gamin 2>/dev/null %loadpolicy targeted %relabel targeted fi @@ -380,6 +381,9 @@ exit 0 %endif %changelog +* Fri Sep 5 2008 Dan Walsh 3.5.7-1 +- Remove gamin policy + * Thu Sep 4 2008 Dan Walsh 3.5.6-2 - Add tinyxs-max file system support diff --git a/sources b/sources index 50b926d..a615848 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -3df6acf59f55a2b00b7757111baf474d serefpolicy-3.5.6.tgz +08cbc69d40ae75771c6201f2812a2eba serefpolicy-3.5.7.tgz