diff --git a/.cvsignore b/.cvsignore index 9053fff..73061b7 100644 --- a/.cvsignore +++ b/.cvsignore @@ -163,3 +163,4 @@ serefpolicy-3.6.5.tgz serefpolicy-3.6.6.tgz serefpolicy-3.6.7.tgz serefpolicy-3.6.8.tgz +serefpolicy-3.6.9.tgz diff --git a/nsadiff b/nsadiff index 3557048..68fd9bf 100755 --- a/nsadiff +++ b/nsadiff @@ -1 +1 @@ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.6.8 > /tmp/diff +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.6.9 > /tmp/diff diff --git a/policy-20090105.patch b/policy-20090105.patch index d88174a..f4594fd 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -1,6 +1,6 @@ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.6.8/config/appconfig-mcs/default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.6.9/config/appconfig-mcs/default_contexts --- nsaserefpolicy/config/appconfig-mcs/default_contexts 2008-11-11 16:13:50.000000000 -0500 -+++ serefpolicy-3.6.8/config/appconfig-mcs/default_contexts 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/config/appconfig-mcs/default_contexts 2009-03-12 11:23:09.000000000 -0400 @@ -1,15 +1,6 @@ -system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0 -system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 @@ -22,15 +22,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con -user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 -user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0 +system_r:xdm_t:s0 user_r:user_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.6.8/config/appconfig-mcs/failsafe_context +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.6.9/config/appconfig-mcs/failsafe_context --- nsaserefpolicy/config/appconfig-mcs/failsafe_context 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.6.8/config/appconfig-mcs/failsafe_context 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/config/appconfig-mcs/failsafe_context 2009-03-12 11:23:09.000000000 -0400 @@ -1 +1 @@ -sysadm_r:sysadm_t:s0 +system_r:unconfined_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts serefpolicy-3.6.8/config/appconfig-mcs/guest_u_default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts serefpolicy-3.6.9/config/appconfig-mcs/guest_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/config/appconfig-mcs/guest_u_default_contexts 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/config/appconfig-mcs/guest_u_default_contexts 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,6 @@ +system_r:local_login_t:s0 guest_r:guest_t:s0 +system_r:remote_login_t:s0 guest_r:guest_t:s0 @@ -38,9 +38,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +system_r:crond_t:s0 guest_r:guest_t:s0 +system_r:initrc_su_t:s0 guest_r:guest_t:s0 +guest_r:guest_t:s0 guest_r:guest_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.6.8/config/appconfig-mcs/root_default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.6.9/config/appconfig-mcs/root_default_contexts --- nsaserefpolicy/config/appconfig-mcs/root_default_contexts 2008-11-11 16:13:50.000000000 -0500 -+++ serefpolicy-3.6.8/config/appconfig-mcs/root_default_contexts 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/config/appconfig-mcs/root_default_contexts 2009-03-12 11:23:09.000000000 -0400 @@ -1,11 +1,7 @@ -system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0 +system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 @@ -55,18 +55,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con # -#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.6.8/config/appconfig-mcs/seusers +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.6.9/config/appconfig-mcs/seusers --- nsaserefpolicy/config/appconfig-mcs/seusers 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.6.8/config/appconfig-mcs/seusers 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/config/appconfig-mcs/seusers 2009-03-12 11:23:09.000000000 -0400 @@ -1,3 +1,3 @@ system_u:system_u:s0-mcs_systemhigh -root:root:s0-mcs_systemhigh -__default__:user_u:s0 +root:unconfined_u:s0-mcs_systemhigh +__default__:unconfined_u:s0-mcs_systemhigh -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.6.8/config/appconfig-mcs/staff_u_default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.6.9/config/appconfig-mcs/staff_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts 2008-11-11 16:13:50.000000000 -0500 -+++ serefpolicy-3.6.8/config/appconfig-mcs/staff_u_default_contexts 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/config/appconfig-mcs/staff_u_default_contexts 2009-03-12 11:23:09.000000000 -0400 @@ -1,10 +1,12 @@ system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 system_r:remote_login_t:s0 staff_r:staff_t:s0 @@ -81,9 +81,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.6.8/config/appconfig-mcs/unconfined_u_default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.6.9/config/appconfig-mcs/unconfined_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts 2008-11-11 16:13:50.000000000 -0500 -+++ serefpolicy-3.6.8/config/appconfig-mcs/unconfined_u_default_contexts 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/config/appconfig-mcs/unconfined_u_default_contexts 2009-03-12 11:23:09.000000000 -0400 @@ -1,4 +1,4 @@ -system_r:crond_t:s0 unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0 +system_r:crond_t:s0 unconfined_r:unconfined_t:s0 @@ -97,15 +97,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +system_r:initrc_su_t:s0 unconfined_r:unconfined_t:s0 +unconfined_r:unconfined_t:s0 unconfined_r:unconfined_t:s0 system_r:xdm_t:s0 unconfined_r:unconfined_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.6.8/config/appconfig-mcs/userhelper_context +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.6.9/config/appconfig-mcs/userhelper_context --- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.6.8/config/appconfig-mcs/userhelper_context 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/config/appconfig-mcs/userhelper_context 2009-03-12 11:23:09.000000000 -0400 @@ -1 +1 @@ -system_u:sysadm_r:sysadm_t:s0 +system_u:system_r:unconfined_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.6.8/config/appconfig-mcs/user_u_default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.6.9/config/appconfig-mcs/user_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts 2008-11-11 16:13:50.000000000 -0500 -+++ serefpolicy-3.6.8/config/appconfig-mcs/user_u_default_contexts 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/config/appconfig-mcs/user_u_default_contexts 2009-03-12 11:23:09.000000000 -0400 @@ -1,8 +1,9 @@ system_r:local_login_t:s0 user_r:user_t:s0 system_r:remote_login_t:s0 user_r:user_t:s0 @@ -118,19 +118,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con - +system_r:initrc_su_t:s0 user_r:user_t:s0 +user_r:user_t:s0 user_r:user_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_domain_context serefpolicy-3.6.8/config/appconfig-mcs/virtual_domain_context +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_domain_context serefpolicy-3.6.9/config/appconfig-mcs/virtual_domain_context --- nsaserefpolicy/config/appconfig-mcs/virtual_domain_context 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/config/appconfig-mcs/virtual_domain_context 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/config/appconfig-mcs/virtual_domain_context 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1 @@ +system_u:system_r:svirt_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_image_context serefpolicy-3.6.8/config/appconfig-mcs/virtual_image_context +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_image_context serefpolicy-3.6.9/config/appconfig-mcs/virtual_image_context --- nsaserefpolicy/config/appconfig-mcs/virtual_image_context 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/config/appconfig-mcs/virtual_image_context 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/config/appconfig-mcs/virtual_image_context 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1 @@ +system_u:object_r:virt_image_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.6.8/config/appconfig-mcs/xguest_u_default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.6.9/config/appconfig-mcs/xguest_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/config/appconfig-mcs/xguest_u_default_contexts 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/config/appconfig-mcs/xguest_u_default_contexts 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,7 @@ +system_r:local_login_t xguest_r:xguest_t:s0 +system_r:remote_login_t xguest_r:xguest_t:s0 @@ -139,9 +139,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +system_r:xdm_t xguest_r:xguest_t:s0 +system_r:initrc_su_t:s0 xguest_r:xguest_t:s0 +xguest_r:xguest_t:s0 xguest_r:xguest_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.6.8/config/appconfig-mls/default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.6.9/config/appconfig-mls/default_contexts --- nsaserefpolicy/config/appconfig-mls/default_contexts 2008-11-11 16:13:50.000000000 -0500 -+++ serefpolicy-3.6.8/config/appconfig-mls/default_contexts 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/config/appconfig-mls/default_contexts 2009-03-12 11:23:09.000000000 -0400 @@ -1,15 +1,6 @@ -system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0 -system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 @@ -163,17 +163,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con -user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 -user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0 +system_r:xdm_t:s0 user_r:user_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts serefpolicy-3.6.8/config/appconfig-mls/guest_u_default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts serefpolicy-3.6.9/config/appconfig-mls/guest_u_default_contexts --- nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/config/appconfig-mls/guest_u_default_contexts 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/config/appconfig-mls/guest_u_default_contexts 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,4 @@ +system_r:local_login_t:s0 guest_r:guest_t:s0 +system_r:remote_login_t:s0 guest_r:guest_t:s0 +system_r:sshd_t:s0 guest_r:guest_t:s0 +system_r:crond_t:s0 guest_r:guest_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/root_default_contexts serefpolicy-3.6.8/config/appconfig-mls/root_default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/root_default_contexts serefpolicy-3.6.9/config/appconfig-mls/root_default_contexts --- nsaserefpolicy/config/appconfig-mls/root_default_contexts 2008-11-11 16:13:50.000000000 -0500 -+++ serefpolicy-3.6.8/config/appconfig-mls/root_default_contexts 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/config/appconfig-mls/root_default_contexts 2009-03-12 11:23:09.000000000 -0400 @@ -1,11 +1,11 @@ -system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0 -system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 @@ -192,19 +192,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con # -#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_domain_context serefpolicy-3.6.8/config/appconfig-mls/virtual_domain_context +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_domain_context serefpolicy-3.6.9/config/appconfig-mls/virtual_domain_context --- nsaserefpolicy/config/appconfig-mls/virtual_domain_context 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/config/appconfig-mls/virtual_domain_context 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/config/appconfig-mls/virtual_domain_context 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1 @@ +system_u:system_r:qemu_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_image_context serefpolicy-3.6.8/config/appconfig-mls/virtual_image_context +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_image_context serefpolicy-3.6.9/config/appconfig-mls/virtual_image_context --- nsaserefpolicy/config/appconfig-mls/virtual_image_context 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/config/appconfig-mls/virtual_image_context 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/config/appconfig-mls/virtual_image_context 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1 @@ +system_u:object_r:virt_image_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/xguest_u_default_contexts serefpolicy-3.6.8/config/appconfig-mls/xguest_u_default_contexts +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/xguest_u_default_contexts serefpolicy-3.6.9/config/appconfig-mls/xguest_u_default_contexts --- nsaserefpolicy/config/appconfig-mls/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/config/appconfig-mls/xguest_u_default_contexts 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/config/appconfig-mls/xguest_u_default_contexts 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,7 @@ +system_r:local_login_t xguest_r:xguest_t:s0 +system_r:remote_login_t xguest_r:xguest_t:s0 @@ -213,9 +213,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +system_r:xdm_t xguest_r:xguest_t:s0 +system_r:initrc_su_t:s0 xguest_r:xguest_t:s0 +xguest_r:xguest_t:s0 xguest_r:xguest_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.6.8/Makefile +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.6.9/Makefile --- nsaserefpolicy/Makefile 2009-01-19 11:07:35.000000000 -0500 -+++ serefpolicy-3.6.8/Makefile 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/Makefile 2009-03-12 11:23:09.000000000 -0400 @@ -241,7 +241,7 @@ appdir := $(contextpath) user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts) @@ -278,9 +278,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Mak $(appdir)/%: $(appconf)/% @mkdir -p $(appdir) $(verbose) $(INSTALL) -m 644 $< $@ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.6.8/man/man8/httpd_selinux.8 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.6.9/man/man8/httpd_selinux.8 --- nsaserefpolicy/man/man8/httpd_selinux.8 2009-03-05 09:22:34.000000000 -0500 -+++ serefpolicy-3.6.8/man/man8/httpd_selinux.8 2009-03-10 09:36:15.000000000 -0400 ++++ serefpolicy-3.6.9/man/man8/httpd_selinux.8 2009-03-12 11:23:09.000000000 -0400 @@ -22,7 +22,7 @@ .EX httpd_sys_content_t @@ -304,22 +304,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man .EX httpd_unconfined_script_exec_t .EE -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.6.8/policy/flask/access_vectors ---- nsaserefpolicy/policy/flask/access_vectors 2009-03-05 10:02:34.000000000 -0500 -+++ serefpolicy-3.6.8/policy/flask/access_vectors 2009-03-10 08:25:54.000000000 -0400 -@@ -157,6 +157,9 @@ - - class sock_file - inherits file -+{ -+ open -+} - - class fifo_file - inherits file -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.8/policy/global_tunables +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.9/policy/global_tunables --- nsaserefpolicy/policy/global_tunables 2008-11-11 16:13:50.000000000 -0500 -+++ serefpolicy-3.6.8/policy/global_tunables 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/global_tunables 2009-03-12 11:23:09.000000000 -0400 @@ -61,15 +61,6 @@ ## @@ -349,9 +336,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +gen_tunable(allow_console_login,false) + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.8/policy/mcs +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.9/policy/mcs --- nsaserefpolicy/policy/mcs 2009-02-03 22:50:50.000000000 -0500 -+++ serefpolicy-3.6.8/policy/mcs 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/mcs 2009-03-12 11:23:09.000000000 -0400 @@ -67,7 +67,8 @@ # Note that getattr on files is always permitted. # @@ -389,20 +376,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mlsconstrain process { transition dyntransition } (( h1 dom h2 ) or ( t1 == mcssetcats )); -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.6.8/policy/modules/admin/alsa.te ---- nsaserefpolicy/policy/modules/admin/alsa.te 2009-01-05 15:39:44.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/admin/alsa.te 2009-03-10 08:25:54.000000000 -0400 -@@ -43,6 +43,7 @@ - - dev_read_sound(alsa_t) - dev_write_sound(alsa_t) -+dev_read_sysfs(alsa_t) - - corecmd_exec_bin(alsa_t) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.6.8/policy/modules/admin/anaconda.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.6.9/policy/modules/admin/anaconda.te --- nsaserefpolicy/policy/modules/admin/anaconda.te 2009-01-05 15:39:44.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/admin/anaconda.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/admin/anaconda.te 2009-03-12 11:23:09.000000000 -0400 @@ -31,6 +31,7 @@ modutils_domtrans_insmod(anaconda_t) @@ -411,9 +387,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file }) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.6.8/policy/modules/admin/certwatch.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.6.9/policy/modules/admin/certwatch.te --- nsaserefpolicy/policy/modules/admin/certwatch.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/admin/certwatch.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/admin/certwatch.te 2009-03-12 11:23:09.000000000 -0400 @@ -27,15 +27,20 @@ fs_list_inotifyfs(certwatch_t) @@ -435,29 +411,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.6.8/policy/modules/admin/consoletype.te ---- nsaserefpolicy/policy/modules/admin/consoletype.te 2009-01-05 15:39:44.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/admin/consoletype.te 2009-03-10 08:25:54.000000000 -0400 -@@ -18,7 +18,7 @@ - # Local declarations - # - --allow consoletype_t self:capability sys_admin; -+allow consoletype_t self:capability { sys_admin sys_tty_config }; - allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow consoletype_t self:fd use; - allow consoletype_t self:fifo_file rw_fifo_file_perms; -@@ -38,6 +38,7 @@ - fs_getattr_all_fs(consoletype_t) - fs_search_auto_mountpoints(consoletype_t) - fs_write_nfs_files(consoletype_t) -+fs_list_inotifyfs(consoletype_t) - - mls_file_read_all_levels(consoletype_t) - mls_file_write_all_levels(consoletype_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.6.8/policy/modules/admin/kismet.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.6.9/policy/modules/admin/kismet.if --- nsaserefpolicy/policy/modules/admin/kismet.if 2008-11-11 16:13:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/admin/kismet.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/admin/kismet.if 2009-03-12 11:23:09.000000000 -0400 @@ -16,6 +16,7 @@ ') @@ -466,9 +422,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.8/policy/modules/admin/kismet.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.9/policy/modules/admin/kismet.te --- nsaserefpolicy/policy/modules/admin/kismet.te 2009-01-05 15:39:44.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/admin/kismet.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/admin/kismet.te 2009-03-12 11:23:09.000000000 -0400 @@ -14,27 +14,36 @@ type kismet_var_run_t; files_pid_file(kismet_var_run_t) @@ -534,9 +490,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_use_user_terminals(kismet_t) +userdom_read_user_tmpfs_files(kismet_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.8/policy/modules/admin/logrotate.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.9/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-01-05 15:39:44.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/admin/logrotate.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/admin/logrotate.te 2009-03-12 11:23:09.000000000 -0400 @@ -116,8 +116,9 @@ seutil_dontaudit_read_config(logrotate_t) @@ -555,9 +511,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - squid_signal(logrotate_t) + squid_domtrans(logrotate_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.8/policy/modules/admin/logwatch.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.9/policy/modules/admin/logwatch.te --- nsaserefpolicy/policy/modules/admin/logwatch.te 2009-01-05 15:39:44.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/admin/logwatch.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/admin/logwatch.te 2009-03-12 11:23:09.000000000 -0400 @@ -43,6 +43,8 @@ kernel_read_fs_sysctls(logwatch_t) kernel_read_kernel_sysctls(logwatch_t) @@ -627,9 +583,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol samba_read_log(logwatch_t) + samba_read_share_files(logwatch_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.6.8/policy/modules/admin/mrtg.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.6.9/policy/modules/admin/mrtg.te --- nsaserefpolicy/policy/modules/admin/mrtg.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/admin/mrtg.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/admin/mrtg.te 2009-03-12 11:23:09.000000000 -0400 @@ -116,6 +116,7 @@ userdom_use_user_terminals(mrtg_t) userdom_dontaudit_read_user_home_content_files(mrtg_t) @@ -638,26 +594,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`enable_mls',` corenet_udp_sendrecv_lo_if(mrtg_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.6.8/policy/modules/admin/netutils.te ---- nsaserefpolicy/policy/modules/admin/netutils.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/admin/netutils.te 2009-03-10 08:25:54.000000000 -0400 -@@ -128,6 +128,8 @@ - files_read_etc_files(ping_t) - files_dontaudit_search_var(ping_t) - -+kernel_read_system_state(ping_t) -+ - auth_use_nsswitch(ping_t) - - logging_send_syslog_msg(ping_t) -@@ -146,6 +148,14 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.6.9/policy/modules/admin/netutils.te +--- nsaserefpolicy/policy/modules/admin/netutils.te 2009-03-12 11:16:47.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/admin/netutils.te 2009-03-12 11:23:09.000000000 -0400 +@@ -152,6 +152,10 @@ ') optional_policy(` -+ munin_append_log(ping_t) -+') -+ -+optional_policy(` + nagios_dontaudit_rw_pipes(ping_t) +') + @@ -665,18 +608,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol pcmcia_use_cardmgr_fds(ping_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.6.8/policy/modules/admin/prelink.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.6.9/policy/modules/admin/prelink.fc --- nsaserefpolicy/policy/modules/admin/prelink.fc 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/admin/prelink.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/admin/prelink.fc 2009-03-12 11:23:09.000000000 -0400 @@ -5,3 +5,5 @@ /var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0) /var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0) + +/var/lib/misc/prelink\* -- gen_context(system_u:object_r:prelink_var_lib_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.8/policy/modules/admin/prelink.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.9/policy/modules/admin/prelink.if --- nsaserefpolicy/policy/modules/admin/prelink.if 2008-11-11 16:13:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/admin/prelink.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/admin/prelink.if 2009-03-12 11:23:09.000000000 -0400 @@ -120,3 +120,23 @@ logging_search_logs($1) manage_files_pattern($1, prelink_log_t, prelink_log_t) @@ -701,9 +644,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_search_var_lib($1) + manage_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.8/policy/modules/admin/prelink.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.9/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2009-01-05 15:39:44.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/admin/prelink.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/admin/prelink.te 2009-03-12 11:23:09.000000000 -0400 @@ -21,12 +21,15 @@ type prelink_tmp_t; files_tmp_file(prelink_tmp_t) @@ -772,9 +715,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + unconfined_domain(prelink_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.8/policy/modules/admin/rpm.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.9/policy/modules/admin/rpm.fc --- nsaserefpolicy/policy/modules/admin/rpm.fc 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/admin/rpm.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/admin/rpm.fc 2009-03-12 11:23:09.000000000 -0400 @@ -3,6 +3,7 @@ /usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -814,9 +757,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # SuSE ifdef(`distro_suse', ` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.8/policy/modules/admin/rpm.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.9/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2008-11-11 16:13:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/admin/rpm.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/admin/rpm.if 2009-03-12 11:23:09.000000000 -0400 @@ -146,6 +146,24 @@ ######################################## @@ -1147,9 +1090,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 rpm_t:process signull; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.8/policy/modules/admin/rpm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.9/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/admin/rpm.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/admin/rpm.te 2009-03-12 11:23:09.000000000 -0400 @@ -31,6 +31,9 @@ files_type(rpm_var_lib_t) typealias rpm_var_lib_t alias var_lib_rpm_t; @@ -1365,9 +1308,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` java_domtrans_unconfined(rpm_script_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.8/policy/modules/admin/sudo.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.9/policy/modules/admin/sudo.if --- nsaserefpolicy/policy/modules/admin/sudo.if 2008-11-11 16:13:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/admin/sudo.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/admin/sudo.if 2009-03-12 11:23:09.000000000 -0400 @@ -32,6 +32,7 @@ gen_require(` @@ -1503,9 +1446,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 sudodomain:process sigchld; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.te serefpolicy-3.6.8/policy/modules/admin/sudo.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.te serefpolicy-3.6.9/policy/modules/admin/sudo.te --- nsaserefpolicy/policy/modules/admin/sudo.te 2009-01-05 15:39:44.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/admin/sudo.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/admin/sudo.te 2009-03-12 11:23:09.000000000 -0400 @@ -4,6 +4,7 @@ ######################################## # @@ -1514,9 +1457,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type sudo_exec_t; application_executable_file(sudo_exec_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.6.8/policy/modules/admin/su.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.6.9/policy/modules/admin/su.if --- nsaserefpolicy/policy/modules/admin/su.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/admin/su.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/admin/su.if 2009-03-12 11:23:09.000000000 -0400 @@ -90,15 +90,6 @@ miscfiles_read_localization($1_su_t) @@ -1549,9 +1492,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_rhel4',` domain_role_change_exemption($1_su_t) domain_subj_id_change_exemption($1_su_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.6.8/policy/modules/admin/tmpreaper.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.6.9/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2008-11-11 16:13:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/admin/tmpreaper.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/admin/tmpreaper.te 2009-03-12 11:23:09.000000000 -0400 @@ -22,12 +22,16 @@ dev_read_urand(tmpreaper_t) @@ -1596,9 +1539,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + unconfined_domain(tmpreaper_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.6.8/policy/modules/admin/usermanage.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.6.9/policy/modules/admin/usermanage.if --- nsaserefpolicy/policy/modules/admin/usermanage.if 2008-11-11 16:13:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/admin/usermanage.if 2009-03-11 15:22:10.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/admin/usermanage.if 2009-03-12 11:23:09.000000000 -0400 @@ -117,6 +117,24 @@ ######################################## @@ -1632,9 +1575,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.8/policy/modules/admin/usermanage.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.9/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2009-01-05 15:39:44.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/admin/usermanage.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/admin/usermanage.te 2009-03-12 11:23:09.000000000 -0400 @@ -288,6 +288,7 @@ term_use_all_user_ttys(passwd_t) term_use_all_user_ptys(passwd_t) @@ -1680,52 +1623,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + unconfined_domain(useradd_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.if serefpolicy-3.6.8/policy/modules/admin/vbetool.if ---- nsaserefpolicy/policy/modules/admin/vbetool.if 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/admin/vbetool.if 2009-03-10 08:25:54.000000000 -0400 -@@ -18,3 +18,28 @@ - corecmd_search_bin($1) - domtrans_pattern($1, vbetool_exec_t, vbetool_t) - ') -+ -+######################################## -+## -+## Execute vbetool in the vbetool domain, and -+## allow the specified role the vbetool domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed the vbetool domain. -+## -+## -+# -+interface(`vbetool_run',` -+ gen_require(` -+ type vbetool_t; -+ ') -+ -+ vbetool_domtrans($1) -+ role $2 types vbetool_t; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.6.8/policy/modules/admin/vbetool.te ---- nsaserefpolicy/policy/modules/admin/vbetool.te 2008-11-11 16:13:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/admin/vbetool.te 2009-03-10 08:25:54.000000000 -0400 -@@ -23,6 +23,9 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.6.9/policy/modules/admin/vbetool.te +--- nsaserefpolicy/policy/modules/admin/vbetool.te 2009-03-12 11:16:47.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/admin/vbetool.te 2009-03-12 11:23:09.000000000 -0400 +@@ -23,6 +23,7 @@ dev_rwx_zero(vbetool_t) dev_read_sysfs(vbetool_t) +domain_mmap_low_type(vbetool_t) -+domain_mmap_low(vbetool_t) -+ - term_use_unallocated_ttys(vbetool_t) + domain_mmap_low(vbetool_t) - miscfiles_read_localization(vbetool_t) -@@ -32,3 +35,9 @@ + term_use_unallocated_ttys(vbetool_t) +@@ -34,3 +35,9 @@ hal_write_log(vbetool_t) hal_dontaudit_append_lib_files(vbetool_t) ') @@ -1735,117 +1644,38 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_write_pid(vbetool_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if serefpolicy-3.6.8/policy/modules/admin/vpn.if ---- nsaserefpolicy/policy/modules/admin/vpn.if 2008-11-11 16:13:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/admin/vpn.if 2009-03-10 08:25:54.000000000 -0400 -@@ -47,6 +47,24 @@ - - ######################################## - ## -+## Send VPN clients the kill signal. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`vpn_kill',` -+ gen_require(` -+ type vpnc_t; -+ ') -+ -+ allow $1 vpnc_t:process sigkill; -+') -+ -+######################################## -+## - ## Send generic signals to VPN clients. - ## - ## -@@ -65,6 +83,24 @@ - - ######################################## - ## -+## Send signull to VPN clients. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`vpn_signull',` -+ gen_require(` -+ type vpnc_t; -+ ') -+ -+ allow $1 vpnc_t:process signull; -+') -+ -+######################################## -+## - ## Send and receive messages from - ## Vpnc over dbus. - ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.fc serefpolicy-3.6.8/policy/modules/apps/cdrecord.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.fc serefpolicy-3.6.9/policy/modules/apps/cdrecord.fc --- nsaserefpolicy/policy/modules/apps/cdrecord.fc 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/apps/cdrecord.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/cdrecord.fc 2009-03-12 11:23:09.000000000 -0400 @@ -2,4 +2,5 @@ # /usr # /usr/bin/cdrecord -- gen_context(system_u:object_r:cdrecord_exec_t,s0) +/usr/bin/growisoifs -- gen_context(system_u:object_r:cdrecord_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/games.if serefpolicy-3.6.8/policy/modules/apps/games.if ---- nsaserefpolicy/policy/modules/apps/games.if 2008-11-11 16:13:42.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/games.if 2009-03-10 08:25:54.000000000 -0400 -@@ -30,3 +30,22 @@ - ps_process_pattern($2, games_t) - allow $2 games_t:process signal_perms; - ') -+ -+######################################## -+## -+## Allow the specified domain to read/write -+## games data. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`games_rw_data',` -+ gen_require(` -+ type games_data_t; -+ ') -+ -+ rw_files_pattern($1, games_data_t, games_data_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/git.fc serefpolicy-3.6.8/policy/modules/apps/git.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/git.fc serefpolicy-3.6.9/policy/modules/apps/git.fc --- nsaserefpolicy/policy/modules/apps/git.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/git.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/git.fc 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,3 @@ +/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_content_rw_t,s0) +/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) +/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/git.if serefpolicy-3.6.8/policy/modules/apps/git.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/git.if serefpolicy-3.6.9/policy/modules/apps/git.if --- nsaserefpolicy/policy/modules/apps/git.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/git.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/git.if 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1 @@ +## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/git.te serefpolicy-3.6.8/policy/modules/apps/git.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/git.te serefpolicy-3.6.9/policy/modules/apps/git.te --- nsaserefpolicy/policy/modules/apps/git.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/git.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/git.te 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,4 @@ +policy_module(git, 1.0) + +apache_content_template(git) +permissive httpd_git_script_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.8/policy/modules/apps/gnome.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.9/policy/modules/apps/gnome.fc --- nsaserefpolicy/policy/modules/apps/gnome.fc 2008-11-11 16:13:42.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/gnome.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/gnome.fc 2009-03-12 11:23:09.000000000 -0400 @@ -1,8 +1,12 @@ HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0) HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) @@ -1860,9 +1690,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) +# Don't use because toolchain is broken +#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.8/policy/modules/apps/gnome.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.9/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2008-11-11 16:13:41.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/gnome.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/gnome.if 2009-03-12 11:23:09.000000000 -0400 @@ -89,5 +89,154 @@ allow $1 gnome_home_t:dir manage_dir_perms; @@ -2018,9 +1848,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + # Connect to pulseaudit server + stream_connect_pattern($1, gnome_home_t, gnome_home_t, $2) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.8/policy/modules/apps/gnome.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.9/policy/modules/apps/gnome.te --- nsaserefpolicy/policy/modules/apps/gnome.te 2008-11-11 16:13:42.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/gnome.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/gnome.te 2009-03-12 11:23:09.000000000 -0400 @@ -9,16 +9,18 @@ attribute gnomedomain; @@ -2049,9 +1879,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_user_home_content(gnome_home_t) ############################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.6.8/policy/modules/apps/gpg.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.6.9/policy/modules/apps/gpg.fc --- nsaserefpolicy/policy/modules/apps/gpg.fc 2008-11-11 16:13:42.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/gpg.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/gpg.fc 2009-03-12 11:23:09.000000000 -0400 @@ -5,5 +5,5 @@ /usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0) @@ -2060,9 +1890,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) +/usr/lib(64)?/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0) +/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.6.8/policy/modules/apps/gpg.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.6.9/policy/modules/apps/gpg.if --- nsaserefpolicy/policy/modules/apps/gpg.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/gpg.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/gpg.if 2009-03-12 11:23:09.000000000 -0400 @@ -30,7 +30,7 @@ # allow ps to show gpg @@ -2090,9 +1920,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.8/policy/modules/apps/gpg.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.9/policy/modules/apps/gpg.te --- nsaserefpolicy/policy/modules/apps/gpg.te 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/gpg.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/gpg.te 2009-03-12 11:23:09.000000000 -0400 @@ -60,7 +60,7 @@ allow gpg_t self:capability { ipc_lock setuid }; @@ -2190,9 +2020,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # GPG agent local policy -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.6.8/policy/modules/apps/java.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.6.9/policy/modules/apps/java.fc --- nsaserefpolicy/policy/modules/apps/java.fc 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/java.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/java.fc 2009-03-12 11:23:09.000000000 -0400 @@ -2,15 +2,16 @@ # /opt # @@ -2227,9 +2057,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.8/policy/modules/apps/java.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.9/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2008-11-11 16:13:42.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/java.if 2009-03-11 15:31:03.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/java.if 2009-03-12 11:23:09.000000000 -0400 @@ -30,6 +30,7 @@ allow java_t $2:unix_stream_socket connectto; @@ -2363,9 +2193,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_dontaudit_rw_tmpfs_files($1_java_t) + corecmd_bin_domtrans($1_java_t, $1_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.8/policy/modules/apps/java.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.9/policy/modules/apps/java.te --- nsaserefpolicy/policy/modules/apps/java.te 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/java.te 2009-03-11 15:26:01.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/java.te 2009-03-12 11:23:09.000000000 -0400 @@ -20,6 +20,8 @@ typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t }; typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t }; @@ -2419,15 +2249,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + rpm_domtrans(unconfined_java_t) + ') ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.6.8/policy/modules/apps/livecd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.6.9/policy/modules/apps/livecd.fc --- nsaserefpolicy/policy/modules/apps/livecd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/livecd.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/livecd.fc 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,2 @@ + +/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.6.8/policy/modules/apps/livecd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.6.9/policy/modules/apps/livecd.if --- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/livecd.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/livecd.if 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,50 @@ + +## policy for livecd @@ -2479,9 +2309,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + seutil_run_setfiles_mac(livecd_t, $2) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.6.8/policy/modules/apps/livecd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.6.9/policy/modules/apps/livecd.te --- nsaserefpolicy/policy/modules/apps/livecd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/livecd.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/livecd.te 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,26 @@ +policy_module(livecd, 1.0.0) + @@ -2509,20 +2339,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +seutil_domtrans_setfiles_mac(livecd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.6.8/policy/modules/apps/loadkeys.te ---- nsaserefpolicy/policy/modules/apps/loadkeys.te 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/loadkeys.te 2009-03-10 08:25:54.000000000 -0400 -@@ -40,6 +40,7 @@ - miscfiles_read_localization(loadkeys_t) - - userdom_use_user_ttys(loadkeys_t) -+userdom_list_user_home_dirs(loadkeys_t) - - optional_policy(` - nscd_dontaudit_search_pid(loadkeys_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.8/policy/modules/apps/mono.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.9/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/apps/mono.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/mono.if 2009-03-12 11:23:09.000000000 -0400 @@ -21,6 +21,103 @@ ######################################## @@ -2636,9 +2455,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') corecmd_search_bin($1) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.6.8/policy/modules/apps/mono.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.6.9/policy/modules/apps/mono.te --- nsaserefpolicy/policy/modules/apps/mono.te 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/mono.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/mono.te 2009-03-12 11:23:09.000000000 -0400 @@ -15,7 +15,7 @@ # Local policy # @@ -2656,9 +2475,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + xserver_rw_shm(mono_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.6.8/policy/modules/apps/mozilla.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.6.9/policy/modules/apps/mozilla.fc --- nsaserefpolicy/policy/modules/apps/mozilla.fc 2008-11-11 16:13:42.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/mozilla.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/mozilla.fc 2009-03-12 11:23:09.000000000 -0400 @@ -17,7 +17,6 @@ # # /etc @@ -2673,9 +2492,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.8/policy/modules/apps/mozilla.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.9/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2008-11-11 16:13:41.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/mozilla.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/mozilla.if 2009-03-12 11:23:09.000000000 -0400 @@ -82,8 +82,7 @@ type mozilla_home_t; ') @@ -2686,9 +2505,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_search_user_home_dirs($1) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.8/policy/modules/apps/mozilla.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.9/policy/modules/apps/mozilla.te --- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/mozilla.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/mozilla.te 2009-03-12 11:23:09.000000000 -0400 @@ -105,6 +105,7 @@ # Should not need other ports corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t) @@ -2725,10 +2544,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` thunderbird_domtrans(mozilla_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.fc serefpolicy-3.6.8/policy/modules/apps/mplayer.fc ---- nsaserefpolicy/policy/modules/apps/mplayer.fc 2008-11-11 16:13:42.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/mplayer.fc 2009-03-10 08:25:54.000000000 -0400 -@@ -1,11 +1,7 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.fc serefpolicy-3.6.9/policy/modules/apps/mplayer.fc +--- nsaserefpolicy/policy/modules/apps/mplayer.fc 2009-03-12 11:16:47.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/mplayer.fc 2009-03-12 11:26:15.000000000 -0400 +@@ -1,9 +1,4 @@ # -# /etc -# @@ -2737,40 +2556,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -# # /usr # -+/usr/bin/vlc -- gen_context(system_u:object_r:mplayer_exec_t,s0) /usr/bin/mplayer -- gen_context(system_u:object_r:mplayer_exec_t,s0) - /usr/bin/mencoder -- gen_context(system_u:object_r:mencoder_exec_t,s0) - /usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.6.8/policy/modules/apps/mplayer.if ---- nsaserefpolicy/policy/modules/apps/mplayer.if 2008-11-11 16:13:42.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/mplayer.if 2009-03-10 08:25:54.000000000 -0400 -@@ -83,3 +83,23 @@ - read_files_pattern($1, mplayer_home_t, mplayer_home_t) - userdom_search_user_home_dirs($1) - ') -+ -+######################################## -+## -+## Execute mplayer in the caller domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+# -+interface(`mplayer_exec',` -+ gen_require(` -+ type mplayer_exec_t; -+ ') -+ -+ can_exec($1, mplayer_exec_t) -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.6.8/policy/modules/apps/nsplugin.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.6.9/policy/modules/apps/nsplugin.fc --- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/nsplugin.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/nsplugin.fc 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,12 @@ +HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) @@ -2784,9 +2573,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0) +/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0) +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.8/policy/modules/apps/nsplugin.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.9/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/nsplugin.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/nsplugin.if 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,272 @@ + +## policy for nsplugin @@ -3060,9 +2849,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + manage_files_pattern($1, nsplugin_home_t, nsplugin_home_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.8/policy/modules/apps/nsplugin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.9/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/nsplugin.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/nsplugin.te 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,288 @@ + +policy_module(nsplugin, 1.0.0) @@ -3352,16 +3141,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.6.8/policy/modules/apps/openoffice.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.6.9/policy/modules/apps/openoffice.fc --- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/openoffice.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/openoffice.fc 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,3 @@ +/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) +/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.6.8/policy/modules/apps/openoffice.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.6.9/policy/modules/apps/openoffice.if --- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/openoffice.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/openoffice.if 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,92 @@ +## Openoffice + @@ -3455,9 +3244,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_common_x_domain_template($1, $1_openoffice_t) + ') +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.6.8/policy/modules/apps/openoffice.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.6.9/policy/modules/apps/openoffice.te --- nsaserefpolicy/policy/modules/apps/openoffice.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/openoffice.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/openoffice.te 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,14 @@ + +policy_module(openoffice, 1.0.0) @@ -3473,17 +3262,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.fc serefpolicy-3.6.8/policy/modules/apps/podsleuth.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.fc serefpolicy-3.6.9/policy/modules/apps/podsleuth.fc --- nsaserefpolicy/policy/modules/apps/podsleuth.fc 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/apps/podsleuth.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/podsleuth.fc 2009-03-12 11:23:09.000000000 -0400 @@ -1,2 +1,4 @@ /usr/bin/podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0) +/usr/libexec/hal-podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0) +/var/cache/podsleuth(/.*)? gen_context(system_u:object_r:podsleuth_cache_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.if serefpolicy-3.6.8/policy/modules/apps/podsleuth.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.if serefpolicy-3.6.9/policy/modules/apps/podsleuth.if --- nsaserefpolicy/policy/modules/apps/podsleuth.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/apps/podsleuth.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/podsleuth.if 2009-03-12 11:23:09.000000000 -0400 @@ -16,4 +16,32 @@ ') @@ -3517,9 +3306,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + role $2 types podsleuth_t; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.6.8/policy/modules/apps/podsleuth.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.6.9/policy/modules/apps/podsleuth.te --- nsaserefpolicy/policy/modules/apps/podsleuth.te 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/podsleuth.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/podsleuth.te 2009-03-12 11:23:09.000000000 -0400 @@ -11,21 +11,59 @@ application_domain(podsleuth_t, podsleuth_exec_t) role system_r types podsleuth_t; @@ -3582,15 +3371,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(podsleuth_t) dbus_system_bus_client(podsleuth_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.6.8/policy/modules/apps/pulseaudio.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.6.9/policy/modules/apps/pulseaudio.fc --- nsaserefpolicy/policy/modules/apps/pulseaudio.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/pulseaudio.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/pulseaudio.fc 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,2 @@ + +/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.8/policy/modules/apps/pulseaudio.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.9/policy/modules/apps/pulseaudio.if --- nsaserefpolicy/policy/modules/apps/pulseaudio.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/pulseaudio.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/pulseaudio.if 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,86 @@ + +## policy for pulseaudio @@ -3678,9 +3467,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + userdom_manage_tmp_role($1, pulseaudio_t) + userdom_manage_tmpfs_role($1, pulseaudio_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.8/policy/modules/apps/pulseaudio.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.9/policy/modules/apps/pulseaudio.te --- nsaserefpolicy/policy/modules/apps/pulseaudio.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/pulseaudio.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/pulseaudio.te 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,88 @@ +policy_module(pulseaudio,1.0.0) + @@ -3770,17 +3559,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.8/policy/modules/apps/qemu.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.9/policy/modules/apps/qemu.fc --- nsaserefpolicy/policy/modules/apps/qemu.fc 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/apps/qemu.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/qemu.fc 2009-03-12 11:23:09.000000000 -0400 @@ -1,2 +1,2 @@ -/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) -/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/bin/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.6.8/policy/modules/apps/qemu.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.6.9/policy/modules/apps/qemu.if --- nsaserefpolicy/policy/modules/apps/qemu.if 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/qemu.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/qemu.if 2009-03-12 11:23:09.000000000 -0400 @@ -40,6 +40,93 @@ qemu_domtrans($1) @@ -4087,9 +3876,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - ') + manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.8/policy/modules/apps/qemu.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.9/policy/modules/apps/qemu.te --- nsaserefpolicy/policy/modules/apps/qemu.te 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/qemu.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/qemu.te 2009-03-12 11:23:09.000000000 -0400 @@ -13,28 +13,83 @@ ## gen_tunable(qemu_full_network, false) @@ -4182,23 +3971,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # qemu_unconfined local policy -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.6.8/policy/modules/apps/sambagui.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.6.9/policy/modules/apps/sambagui.fc --- nsaserefpolicy/policy/modules/apps/sambagui.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/sambagui.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/sambagui.fc 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,4 @@ +/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0) + + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.6.8/policy/modules/apps/sambagui.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.6.9/policy/modules/apps/sambagui.if --- nsaserefpolicy/policy/modules/apps/sambagui.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/sambagui.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/sambagui.if 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,2 @@ +## system-config-samba policy + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.8/policy/modules/apps/sambagui.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.9/policy/modules/apps/sambagui.te --- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/sambagui.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/sambagui.te 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,59 @@ +policy_module(sambagui,1.0.0) + @@ -4259,30 +4048,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +permissive sambagui_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.6.8/policy/modules/apps/slocate.te ---- nsaserefpolicy/policy/modules/apps/slocate.te 2008-11-11 16:13:42.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/slocate.te 2009-03-10 08:25:54.000000000 -0400 -@@ -22,7 +22,7 @@ - # - - allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid }; --allow locate_t self:process { execmem execheap execstack }; -+allow locate_t self:process { execmem execheap execstack signal }; - allow locate_t self:fifo_file rw_fifo_file_perms; - allow locate_t self:unix_stream_socket create_socket_perms; - -@@ -46,6 +46,8 @@ - - fs_getattr_all_fs(locate_t) - fs_getattr_all_files(locate_t) -+fs_getattr_all_pipes(locate_t) -+fs_getattr_all_symlinks(locate_t) - fs_list_all(locate_t) - fs_list_inotifyfs(locate_t) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.6.8/policy/modules/apps/wine.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.6.9/policy/modules/apps/wine.fc --- nsaserefpolicy/policy/modules/apps/wine.fc 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/apps/wine.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/wine.fc 2009-03-12 11:23:09.000000000 -0400 @@ -1,4 +1,12 @@ -/usr/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) +/usr/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) @@ -4299,9 +4067,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/opt/cxoffice/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) -/opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.8/policy/modules/apps/wine.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.9/policy/modules/apps/wine.if --- nsaserefpolicy/policy/modules/apps/wine.if 2008-11-11 16:13:41.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/wine.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/wine.if 2009-03-12 11:23:09.000000000 -0400 @@ -43,3 +43,62 @@ wine_domtrans($1) role $2 types wine_t; @@ -4365,9 +4133,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + relabel_files_pattern($2, wine_home_t, wine_home_t) + relabel_lnk_files_pattern($2, wine_home_t, wine_home_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.8/policy/modules/apps/wine.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.9/policy/modules/apps/wine.te --- nsaserefpolicy/policy/modules/apps/wine.te 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/wine.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/wine.te 2009-03-12 11:23:09.000000000 -0400 @@ -9,6 +9,7 @@ type wine_t; type wine_exec_t; @@ -4394,16 +4162,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + xserver_rw_shm(wine_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.fc serefpolicy-3.6.8/policy/modules/apps/wm.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.fc serefpolicy-3.6.9/policy/modules/apps/wm.fc --- nsaserefpolicy/policy/modules/apps/wm.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/wm.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/wm.fc 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,3 @@ +/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0) +/usr/bin/openbox -- gen_context(system_u:object_r:wm_exec_t,s0) +/usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.6.8/policy/modules/apps/wm.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.6.9/policy/modules/apps/wm.if --- nsaserefpolicy/policy/modules/apps/wm.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/wm.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/wm.if 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,108 @@ +## Window Manager. + @@ -4513,9 +4281,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_use_xdm($1_wm_t) + ') +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.te serefpolicy-3.6.8/policy/modules/apps/wm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.te serefpolicy-3.6.9/policy/modules/apps/wm.te --- nsaserefpolicy/policy/modules/apps/wm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/apps/wm.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/apps/wm.te 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,9 @@ +policy_module(wm,0.0.4) + @@ -4526,9 +4294,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +type wm_exec_t; +corecmd_executable_file(wm_exec_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.8/policy/modules/kernel/corecommands.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.9/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-03-05 10:34:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/kernel/corecommands.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/kernel/corecommands.fc 2009-03-12 11:23:09.000000000 -0400 @@ -134,6 +134,8 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -4553,9 +4321,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib/wicd/monitor.py -- gen_context(system_u:object_r:bin_t, s0) + +/usr/lib(64)?/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.8/policy/modules/kernel/corecommands.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.9/policy/modules/kernel/corecommands.if --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/kernel/corecommands.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/kernel/corecommands.if 2009-03-12 11:23:09.000000000 -0400 @@ -893,6 +893,7 @@ read_lnk_files_pattern($1, bin_t, bin_t) @@ -4564,9 +4332,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.6.8/policy/modules/kernel/corenetwork.if.in +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.6.9/policy/modules/kernel/corenetwork.if.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2009-02-03 22:50:50.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/kernel/corenetwork.if.in 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/kernel/corenetwork.if.in 2009-03-12 11:23:09.000000000 -0400 @@ -1612,6 +1612,24 @@ ######################################## @@ -4617,9 +4385,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write the point-to-point device. ## ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.8/policy/modules/kernel/corenetwork.te.in +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.9/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-03-02 16:51:45.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/kernel/corenetwork.te.in 2009-03-11 15:16:21.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/kernel/corenetwork.te.in 2009-03-12 11:23:09.000000000 -0400 @@ -65,10 +65,12 @@ type server_packet_t, packet_type, server_packet_type; @@ -4750,9 +4518,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # network_node examples: #network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255) #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.8/policy/modules/kernel/domain.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.9/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/kernel/domain.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/kernel/domain.if 2009-03-12 11:23:09.000000000 -0400 @@ -629,6 +629,7 @@ dontaudit $1 unconfined_domain_type:dir search_dir_perms; @@ -4824,9 +4592,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Unconfined access to domains. ## ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.8/policy/modules/kernel/domain.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.9/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/kernel/domain.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/kernel/domain.te 2009-03-12 11:23:09.000000000 -0400 @@ -5,6 +5,13 @@ # # Declarations @@ -4941,9 +4709,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + userdom_relabelto_user_home_dirs(polydomain) + userdom_relabelto_user_home_files(polydomain) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.8/policy/modules/kernel/files.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.9/policy/modules/kernel/files.fc --- nsaserefpolicy/policy/modules/kernel/files.fc 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/kernel/files.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/kernel/files.fc 2009-03-12 11:23:09.000000000 -0400 @@ -8,6 +8,8 @@ /initrd\.img.* -l gen_context(system_u:object_r:boot_t,s0) /vmlinuz.* -l gen_context(system_u:object_r:boot_t,s0) @@ -4970,9 +4738,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) /var/lib/nfs/rpc_pipefs(/.*)? <> -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.8/policy/modules/kernel/files.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.9/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/kernel/files.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/kernel/files.if 2009-03-12 11:23:09.000000000 -0400 @@ -110,6 +110,11 @@ ## # @@ -5288,9 +5056,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_lnk_files_pattern($1, root_t, root_t) + can_exec(kernel_t, root_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.8/policy/modules/kernel/files.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.9/policy/modules/kernel/files.te --- nsaserefpolicy/policy/modules/kernel/files.te 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/kernel/files.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/kernel/files.te 2009-03-12 11:23:09.000000000 -0400 @@ -52,7 +52,9 @@ # # etc_t is the type of the system etc directories. @@ -5314,15 +5082,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.6.8/policy/modules/kernel/filesystem.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.6.9/policy/modules/kernel/filesystem.fc --- nsaserefpolicy/policy/modules/kernel/filesystem.fc 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/kernel/filesystem.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/kernel/filesystem.fc 2009-03-12 11:23:09.000000000 -0400 @@ -1 +1 @@ -# This module currently does not have any file contexts. +/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.8/policy/modules/kernel/filesystem.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.9/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-03-04 16:49:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/kernel/filesystem.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/kernel/filesystem.if 2009-03-12 11:23:09.000000000 -0400 @@ -754,6 +754,7 @@ attribute noxattrfs; ') @@ -5355,9 +5123,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.8/policy/modules/kernel/kernel.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.9/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/kernel/kernel.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/kernel/kernel.if 2009-03-12 11:23:09.000000000 -0400 @@ -1197,6 +1197,26 @@ ') @@ -5481,9 +5249,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 kernel_t:unix_stream_socket connectto; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.8/policy/modules/kernel/kernel.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.9/policy/modules/kernel/kernel.te --- nsaserefpolicy/policy/modules/kernel/kernel.te 2009-02-03 22:50:50.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/kernel/kernel.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/kernel/kernel.te 2009-03-12 11:23:09.000000000 -0400 @@ -63,6 +63,15 @@ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) @@ -5583,9 +5351,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap }; + +files_boot(kernel_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.8/policy/modules/kernel/selinux.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.9/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/kernel/selinux.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/kernel/selinux.if 2009-03-12 11:23:09.000000000 -0400 @@ -40,7 +40,7 @@ # because of this statement, any module which @@ -5643,9 +5411,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_type($1) + mls_trusted_object($1) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.8/policy/modules/kernel/terminal.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.9/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2008-11-11 16:13:41.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/kernel/terminal.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/kernel/terminal.if 2009-03-12 11:23:09.000000000 -0400 @@ -173,7 +173,7 @@ dev_list_all_dev_nodes($1) @@ -5667,185 +5435,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditadm.te serefpolicy-3.6.8/policy/modules/roles/auditadm.te ---- nsaserefpolicy/policy/modules/roles/auditadm.te 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/roles/auditadm.te 2009-03-10 08:25:54.000000000 -0400 -@@ -17,6 +17,8 @@ - - allow auditadm_t self:capability { dac_read_search dac_override }; - -+kernel_read_ring_buffer(auditadm_t) -+ - corecmd_exec_shell(auditadm_t) - - domain_kill_all_domains(auditadm_t) -@@ -32,158 +34,18 @@ - seutil_read_bin_policy(auditadm_t) - - optional_policy(` -- apache_role(auditadm_r, auditadm_t) --') -- --optional_policy(` -- auth_role(auditadm_r, auditadm_t) --') -- --optional_policy(` -- bluetooth_role(auditadm_r, auditadm_t) --') -- --optional_policy(` -- cdrecord_role(auditadm_r, auditadm_t) --') -- --optional_policy(` - consoletype_exec(auditadm_t) - ') - - optional_policy(` -- cron_role(auditadm_r, auditadm_t) --') -- --optional_policy(` -- dbus_role_template(auditadm, auditadm_r, auditadm_t) --') -- --optional_policy(` - dmesg_exec(auditadm_t) - ') - - optional_policy(` -- ethereal_role(auditadm_r, auditadm_t) --') -- --optional_policy(` -- evolution_role(auditadm_r, auditadm_t) --') -- --optional_policy(` -- games_role(auditadm_r, auditadm_t) --') -- --optional_policy(` -- gift_role(auditadm_r, auditadm_t) --') -- --optional_policy(` -- gpg_role(auditadm_r, auditadm_t) --') -- --optional_policy(` -- gnome_role(auditadm_r, auditadm_t) --') -- --optional_policy(` -- irc_role(auditadm_r, auditadm_t) --') -- --optional_policy(` -- java_role(auditadm_r, auditadm_t) --') -- --optional_policy(` -- lockdev_role(auditadm_r, auditadm_t) --') -- --optional_policy(` -- lpd_role(auditadm_r, auditadm_t) --') -- --optional_policy(` -- mozilla_role(auditadm_r, auditadm_t) --') -- --optional_policy(` -- mplayer_role(auditadm_r, auditadm_t) --') -- --optional_policy(` -- mta_role(auditadm_r, auditadm_t) --') -- --optional_policy(` -- oident_manage_user_content(auditadm_t) -- oident_relabel_user_content(auditadm_t) --') -- --optional_policy(` -- pyzor_role(auditadm_r, auditadm_t) --') -- --optional_policy(` -- razor_role(auditadm_r, auditadm_t) --') -- --optional_policy(` -- rssh_role(auditadm_r, auditadm_t) --') -- --optional_policy(` -- screen_role_template(auditadm, auditadm_r, auditadm_t) --') -- --optional_policy(` -- spamassassin_role(auditadm_r, auditadm_t) --') -- --optional_policy(` -- ssh_role_template(auditadm, auditadm_r, auditadm_t) --') -- --optional_policy(` - secadm_role_change(auditadm_r) - ') - - optional_policy(` -- su_role_template(auditadm, auditadm_r, auditadm_t) --') -- --optional_policy(` -- sudo_role_template(auditadm, auditadm_r, auditadm_t) --') -- --optional_policy(` - sysadm_role_change(auditadm_r) - ') - --optional_policy(` -- thunderbird_role(auditadm_r, auditadm_t) --') -- --optional_policy(` -- tvtime_role(auditadm_r, auditadm_t) --') -- --optional_policy(` -- userhelper_role_template(auditadm, auditadm_r, auditadm_t) --') -- --optional_policy(` -- vmware_role(auditadm_r, auditadm_t) --') -- --optional_policy(` -- wireshark_role(auditadm_r, auditadm_t) --') -- --optional_policy(` -- uml_role(auditadm_r, auditadm_t) --') -- --optional_policy(` -- xserver_role(auditadm_r, auditadm_t) --') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.fc serefpolicy-3.6.8/policy/modules/roles/guest.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.fc serefpolicy-3.6.9/policy/modules/roles/guest.fc --- nsaserefpolicy/policy/modules/roles/guest.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/roles/guest.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/roles/guest.fc 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1 @@ +# file contexts handled by userdomain and genhomedircon -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.if serefpolicy-3.6.8/policy/modules/roles/guest.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.if serefpolicy-3.6.9/policy/modules/roles/guest.if --- nsaserefpolicy/policy/modules/roles/guest.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/roles/guest.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/roles/guest.if 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,50 @@ +## Least privledge terminal user role + @@ -5897,9 +5494,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow guest_r $1; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.8/policy/modules/roles/guest.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.9/policy/modules/roles/guest.te --- nsaserefpolicy/policy/modules/roles/guest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/roles/guest.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/roles/guest.te 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,26 @@ + +policy_module(guest, 1.0.0) @@ -5927,14 +5524,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +gen_user(guest_u, user, guest_r, s0, s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.fc serefpolicy-3.6.8/policy/modules/roles/logadm.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.fc serefpolicy-3.6.9/policy/modules/roles/logadm.fc --- nsaserefpolicy/policy/modules/roles/logadm.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/roles/logadm.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/roles/logadm.fc 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1 @@ +# file contexts handled by userdomain and genhomedircon -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.if serefpolicy-3.6.8/policy/modules/roles/logadm.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.if serefpolicy-3.6.9/policy/modules/roles/logadm.if --- nsaserefpolicy/policy/modules/roles/logadm.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/roles/logadm.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/roles/logadm.if 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,50 @@ +## Log administrator role + @@ -5986,9 +5583,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow logadm_r $1; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.te serefpolicy-3.6.8/policy/modules/roles/logadm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.te serefpolicy-3.6.9/policy/modules/roles/logadm.te --- nsaserefpolicy/policy/modules/roles/logadm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/roles/logadm.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/roles/logadm.te 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,20 @@ + +policy_module(logadm, 1.0.0) @@ -6010,167 +5607,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; + +logging_admin(logadm_t, logadm_r) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm.te serefpolicy-3.6.8/policy/modules/roles/secadm.te ---- nsaserefpolicy/policy/modules/roles/secadm.te 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/roles/secadm.te 2009-03-10 08:25:54.000000000 -0400 -@@ -45,154 +45,18 @@ - ') - - optional_policy(` -- apache_role(secadm_r, secadm_t) --') -- --optional_policy(` - auditadm_role_change(secadm_r) - ') - - optional_policy(` -- bluetooth_role(secadm_r, secadm_t) --') -- --optional_policy(` -- cdrecord_role(secadm_r, secadm_t) --') -- --optional_policy(` -- cron_role(secadm_r, secadm_t) --') -- --optional_policy(` -- dbus_role_template(secadm, secadm_r, secadm_t) --') -- --optional_policy(` - dmesg_exec(secadm_t) - ') - - optional_policy(` -- ethereal_role(secadm_r, secadm_t) --') -- --optional_policy(` -- evolution_role(secadm_r, secadm_t) --') -- --optional_policy(` -- games_role(secadm_r, secadm_t) --') -- --optional_policy(` -- gift_role(secadm_r, secadm_t) --') -- --optional_policy(` -- gnome_role(secadm_r, secadm_t) --') -- --optional_policy(` -- gpg_role(secadm_r, secadm_t) --') -- --optional_policy(` -- irc_role(secadm_r, secadm_t) --') -- --optional_policy(` -- java_role(secadm_r, secadm_t) --') -- --optional_policy(` -- lockdev_role(secadm_r, secadm_t) --') -- --optional_policy(` -- lpd_role(secadm_r, secadm_t) --') -- --optional_policy(` -- mozilla_role(secadm_r, secadm_t) --') -- --optional_policy(` -- mplayer_role(secadm_r, secadm_t) --') -- --optional_policy(` -- mta_role(secadm_r, secadm_t) --') -- --optional_policy(` - netlabel_run_mgmt(secadm_t, secadm_r) - ') - - optional_policy(` -- oident_manage_user_content(secadm_t) -- oident_relabel_user_content(secadm_t) --') -- --optional_policy(` -- pyzor_role(secadm_r, secadm_t) --') -- --optional_policy(` -- razor_role(secadm_r, secadm_t) --') -- --optional_policy(` -- rssh_role(secadm_r, secadm_t) --') -- --optional_policy(` -- screen_role_template(secadm, secadm_r, secadm_t) --') -- --optional_policy(` -- spamassassin_role(secadm_r, secadm_t) --') -- --optional_policy(` -- ssh_role_template(secadm, secadm_r, secadm_t) --') -- --optional_policy(` -- su_role_template(secadm, secadm_r, secadm_t) --') -- --optional_policy(` -- sudo_role_template(secadm, secadm_r, secadm_t) --') -- --optional_policy(` - sysadm_role_change(secadm_r) - ') - --optional_policy(` -- thunderbird_role(secadm_r, secadm_t) --') -- --optional_policy(` -- tvtime_role(secadm_r, secadm_t) --') -- --optional_policy(` -- uml_role(secadm_r, secadm_t) --') -- --optional_policy(` -- userhelper_role_template(secadm, secadm_r, secadm_t) --') -- --optional_policy(` -- vmware_role(secadm_r, secadm_t) --') -- --optional_policy(` -- wireshark_role(secadm_r, secadm_t) --') -- --optional_policy(` -- xserver_role(secadm_r, secadm_t) --') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.8/policy/modules/roles/staff.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.9/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/roles/staff.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/roles/staff.te 2009-03-12 11:23:09.000000000 -0400 @@ -15,156 +15,88 @@ # Local policy # @@ -6360,9 +5799,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - xserver_role(staff_r, staff_t) + virt_stream_connect(staff_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.6.8/policy/modules/roles/sysadm.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.6.9/policy/modules/roles/sysadm.if --- nsaserefpolicy/policy/modules/roles/sysadm.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/roles/sysadm.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/roles/sysadm.if 2009-03-12 11:23:09.000000000 -0400 @@ -116,41 +116,6 @@ ######################################## @@ -6405,9 +5844,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Allow sysadm to execute a generic bin program in ## a specified domain. This is an explicit transition, ## requiring the caller to use setexeccon(). -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.8/policy/modules/roles/sysadm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.9/policy/modules/roles/sysadm.te --- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/roles/sysadm.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/roles/sysadm.te 2009-03-12 11:23:09.000000000 -0400 @@ -15,7 +15,7 @@ role sysadm_r; @@ -6694,9 +6133,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -optional_policy(` yam_run(sysadm_t, sysadm_r) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.8/policy/modules/roles/unprivuser.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.9/policy/modules/roles/unprivuser.te --- nsaserefpolicy/policy/modules/roles/unprivuser.te 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/roles/unprivuser.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/roles/unprivuser.te 2009-03-12 11:23:09.000000000 -0400 @@ -14,142 +14,13 @@ userdom_unpriv_user_template(user) @@ -6843,14 +6282,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - xserver_role(user_r, user_t) + setroubleshoot_dontaudit_stream_connect(user_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.fc serefpolicy-3.6.8/policy/modules/roles/webadm.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.fc serefpolicy-3.6.9/policy/modules/roles/webadm.fc --- nsaserefpolicy/policy/modules/roles/webadm.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/roles/webadm.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/roles/webadm.fc 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1 @@ +# No webadm file contexts. -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.if serefpolicy-3.6.8/policy/modules/roles/webadm.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.if serefpolicy-3.6.9/policy/modules/roles/webadm.if --- nsaserefpolicy/policy/modules/roles/webadm.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/roles/webadm.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/roles/webadm.if 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,50 @@ +## Web administrator role + @@ -6902,9 +6341,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow webadm_r $1; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.te serefpolicy-3.6.8/policy/modules/roles/webadm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.te serefpolicy-3.6.9/policy/modules/roles/webadm.te --- nsaserefpolicy/policy/modules/roles/webadm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/roles/webadm.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/roles/webadm.te 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,64 @@ + +policy_module(webadm, 1.0.0) @@ -6970,14 +6409,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + userdom_write_user_tmp_files(webadm_t) +') +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.fc serefpolicy-3.6.8/policy/modules/roles/xguest.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.fc serefpolicy-3.6.9/policy/modules/roles/xguest.fc --- nsaserefpolicy/policy/modules/roles/xguest.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/roles/xguest.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/roles/xguest.fc 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1 @@ +# file contexts handled by userdomain and genhomedircon -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.if serefpolicy-3.6.8/policy/modules/roles/xguest.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.if serefpolicy-3.6.9/policy/modules/roles/xguest.if --- nsaserefpolicy/policy/modules/roles/xguest.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/roles/xguest.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/roles/xguest.if 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,50 @@ +## Least privledge xwindows user role + @@ -7029,9 +6468,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow xguest_r $1; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.8/policy/modules/roles/xguest.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.9/policy/modules/roles/xguest.te --- nsaserefpolicy/policy/modules/roles/xguest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/roles/xguest.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/roles/xguest.te 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,87 @@ + +policy_module(xguest, 1.0.0) @@ -7120,9 +6559,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') +') +gen_user(xguest_u, user, xguest_r, s0, s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.fc serefpolicy-3.6.8/policy/modules/services/afs.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.fc serefpolicy-3.6.9/policy/modules/services/afs.fc --- nsaserefpolicy/policy/modules/services/afs.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/afs.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/afs.fc 2009-03-12 11:23:09.000000000 -0400 @@ -1,3 +1,6 @@ +/etc/rc\.d/init\.d/openafs-client -- gen_context(system_u:object_r:afs_initrc_exec_t,s0) +/etc/rc\.d/init\.d/afs -- gen_context(system_u:object_r:afs_initrc_exec_t,s0) @@ -7144,9 +6583,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/vice/etc/afsd -- gen_context(system_u:object_r:afs_exec_t,s0) + +/var/cache/afs(/.*)? gen_context(system_u:object_r:afs_cache_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.if serefpolicy-3.6.8/policy/modules/services/afs.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.if serefpolicy-3.6.9/policy/modules/services/afs.if --- nsaserefpolicy/policy/modules/services/afs.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/afs.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/afs.if 2009-03-12 11:23:09.000000000 -0400 @@ -1 +1,110 @@ ## Andrew Filesystem server + @@ -7258,9 +6697,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $2 system_r; + +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.6.8/policy/modules/services/afs.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.6.9/policy/modules/services/afs.te --- nsaserefpolicy/policy/modules/services/afs.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/afs.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/afs.te 2009-03-12 11:23:09.000000000 -0400 @@ -6,6 +6,16 @@ # Declarations # @@ -7325,9 +6764,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +logging_send_syslog_msg(afs_t) + +permissive afs_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.8/policy/modules/services/apache.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.9/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/apache.fc 2009-03-10 16:56:25.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/apache.fc 2009-03-12 11:23:09.000000000 -0400 @@ -1,12 +1,13 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) @@ -7416,9 +6855,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) + +/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.8/policy/modules/services/apache.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.9/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/apache.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/apache.if 2009-03-12 11:23:09.000000000 -0400 @@ -13,21 +13,16 @@ # template(`apache_content_template',` @@ -7951,9 +7390,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + typeattribute $1 httpd_rw_content; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.8/policy/modules/services/apache.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.9/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/apache.te 2009-03-11 14:44:03.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/apache.te 2009-03-12 11:23:09.000000000 -0400 @@ -19,6 +19,8 @@ # Declarations # @@ -8659,9 +8098,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t; +typealias httpd_sys_script_t alias httpd_fastcgi_script_t; +typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-3.6.8/policy/modules/services/apcupsd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-3.6.9/policy/modules/services/apcupsd.fc --- nsaserefpolicy/policy/modules/services/apcupsd.fc 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/apcupsd.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/apcupsd.fc 2009-03-12 11:23:09.000000000 -0400 @@ -5,6 +5,7 @@ ') @@ -8670,9 +8109,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0) /var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.8/policy/modules/services/automount.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.9/policy/modules/services/automount.te --- nsaserefpolicy/policy/modules/services/automount.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/automount.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/automount.te 2009-03-12 11:23:09.000000000 -0400 @@ -71,6 +71,7 @@ files_mounton_all_mountpoints(automount_t) files_mount_all_file_type_fs(automount_t) @@ -8714,9 +8153,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kerberos_read_config(automount_t) kerberos_dontaudit_write_config(automount_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.6.8/policy/modules/services/avahi.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.6.9/policy/modules/services/avahi.if --- nsaserefpolicy/policy/modules/services/avahi.if 2008-11-19 11:51:44.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/avahi.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/avahi.if 2009-03-12 11:23:09.000000000 -0400 @@ -21,6 +21,25 @@ ######################################## @@ -8768,9 +8207,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send and receive messages from ## avahi over dbus. ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.8/policy/modules/services/avahi.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.9/policy/modules/services/avahi.te --- nsaserefpolicy/policy/modules/services/avahi.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/avahi.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/avahi.te 2009-03-12 11:23:09.000000000 -0400 @@ -33,6 +33,7 @@ allow avahi_t self:tcp_socket create_stream_socket_perms; allow avahi_t self:udp_socket create_socket_perms; @@ -8787,9 +8226,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.6.8/policy/modules/services/bind.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.6.9/policy/modules/services/bind.fc --- nsaserefpolicy/policy/modules/services/bind.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/bind.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/bind.fc 2009-03-12 11:23:09.000000000 -0400 @@ -1,17 +1,22 @@ /etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) +/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) @@ -8821,9 +8260,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) /var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0) /var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.8/policy/modules/services/bind.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.9/policy/modules/services/bind.if --- nsaserefpolicy/policy/modules/services/bind.if 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/bind.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/bind.if 2009-03-12 11:23:09.000000000 -0400 @@ -38,6 +38,42 @@ ######################################## @@ -8920,9 +8359,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_list_pids($1) admin_pattern($1, named_var_run_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.6.8/policy/modules/services/bind.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.6.9/policy/modules/services/bind.te --- nsaserefpolicy/policy/modules/services/bind.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/bind.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/bind.te 2009-03-12 11:23:09.000000000 -0400 @@ -169,7 +169,7 @@ ') @@ -8932,9 +8371,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.fc serefpolicy-3.6.8/policy/modules/services/bluetooth.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.fc serefpolicy-3.6.9/policy/modules/services/bluetooth.fc --- nsaserefpolicy/policy/modules/services/bluetooth.fc 2008-11-19 11:51:44.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/bluetooth.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/bluetooth.fc 2009-03-12 11:23:09.000000000 -0400 @@ -15,6 +15,7 @@ /usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) /usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0) @@ -8943,9 +8382,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0) /usr/sbin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0) /usr/sbin/hid2hci -- gen_context(system_u:object_r:bluetooth_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.6.8/policy/modules/services/bluetooth.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.6.9/policy/modules/services/bluetooth.if --- nsaserefpolicy/policy/modules/services/bluetooth.if 2008-11-19 11:51:44.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/bluetooth.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/bluetooth.if 2009-03-12 11:23:09.000000000 -0400 @@ -173,7 +173,7 @@ interface(`bluetooth_admin',` gen_require(` @@ -8965,9 +8404,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_list_var_lib($1) admin_pattern($1, bluetooth_var_lib_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.8/policy/modules/services/bluetooth.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.9/policy/modules/services/bluetooth.te --- nsaserefpolicy/policy/modules/services/bluetooth.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/bluetooth.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/bluetooth.te 2009-03-12 11:23:09.000000000 -0400 @@ -93,6 +93,7 @@ kernel_read_kernel_sysctls(bluetooth_t) @@ -8989,9 +8428,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.6.8/policy/modules/services/certmaster.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.6.9/policy/modules/services/certmaster.fc --- nsaserefpolicy/policy/modules/services/certmaster.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/certmaster.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/certmaster.fc 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,9 @@ + +/etc/rc\.d/init\.d/certmaster -- gen_context(system_u:object_r:certmaster_initrc_exec_t,s0) @@ -9002,9 +8441,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0) + +/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.if serefpolicy-3.6.8/policy/modules/services/certmaster.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.if serefpolicy-3.6.9/policy/modules/services/certmaster.if --- nsaserefpolicy/policy/modules/services/certmaster.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/certmaster.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/certmaster.if 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,123 @@ +## policy for certmaster + @@ -9129,9 +8568,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_list_var_lib($1) + admin_pattern($1, certmaster_var_lib_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.8/policy/modules/services/certmaster.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.9/policy/modules/services/certmaster.te --- nsaserefpolicy/policy/modules/services/certmaster.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/certmaster.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/certmaster.te 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,79 @@ +policy_module(certmaster,1.0.0) + @@ -9212,9 +8651,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +miscfiles_manage_cert_files(certmaster_t) + +permissive certmaster_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.6.8/policy/modules/services/clamav.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.6.9/policy/modules/services/clamav.fc --- nsaserefpolicy/policy/modules/services/clamav.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/clamav.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/clamav.fc 2009-03-12 11:23:09.000000000 -0400 @@ -1,20 +1,23 @@ /etc/clamav(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0) +/etc/rc\.d/init\.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0) @@ -9244,9 +8683,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0) +/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.6.8/policy/modules/services/clamav.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.6.9/policy/modules/services/clamav.if --- nsaserefpolicy/policy/modules/services/clamav.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/clamav.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/clamav.if 2009-03-12 11:23:09.000000000 -0400 @@ -38,6 +38,27 @@ ######################################## @@ -9363,9 +8802,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, freshclam_var_log_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.8/policy/modules/services/clamav.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.9/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/clamav.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/clamav.te 2009-03-12 11:23:09.000000000 -0400 @@ -13,7 +13,10 @@ # configuration files @@ -9451,9 +8890,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` apache_read_sys_content(clamscan_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.6.8/policy/modules/services/consolekit.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.6.9/policy/modules/services/consolekit.fc --- nsaserefpolicy/policy/modules/services/consolekit.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/consolekit.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/consolekit.fc 2009-03-12 11:23:09.000000000 -0400 @@ -1,3 +1,6 @@ /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) @@ -9461,9 +8900,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/ConsoleKit(/.*)? -- gen_context(system_u:object_r:consolekit_var_run_t,s0) + +/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.6.8/policy/modules/services/consolekit.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.6.9/policy/modules/services/consolekit.if --- nsaserefpolicy/policy/modules/services/consolekit.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/consolekit.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/consolekit.if 2009-03-12 11:23:09.000000000 -0400 @@ -38,3 +38,24 @@ allow $1 consolekit_t:dbus send_msg; allow consolekit_t $1:dbus send_msg; @@ -9489,9 +8928,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.8/policy/modules/services/consolekit.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.9/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/consolekit.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/consolekit.te 2009-03-12 11:23:09.000000000 -0400 @@ -13,6 +13,9 @@ type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) @@ -9601,9 +9040,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_dontaudit_rw_cifs_files(consolekit_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.6.8/policy/modules/services/courier.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.6.9/policy/modules/services/courier.if --- nsaserefpolicy/policy/modules/services/courier.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/courier.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/courier.if 2009-03-12 11:23:09.000000000 -0400 @@ -179,6 +179,24 @@ ######################################## @@ -9629,9 +9068,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write to courier spool pipes. ## ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.6.8/policy/modules/services/courier.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.6.9/policy/modules/services/courier.te --- nsaserefpolicy/policy/modules/services/courier.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/courier.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/courier.te 2009-03-12 11:23:09.000000000 -0400 @@ -10,6 +10,7 @@ type courier_etc_t; @@ -9640,9 +9079,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol courier_domain_template(pcp) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.8/policy/modules/services/cron.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.9/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/cron.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/cron.fc 2009-03-12 11:23:09.000000000 -0400 @@ -1,3 +1,4 @@ +/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) @@ -9674,9 +9113,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) + +/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.8/policy/modules/services/cron.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.9/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/cron.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/cron.if 2009-03-12 11:23:09.000000000 -0400 @@ -12,6 +12,10 @@ ## # @@ -9977,9 +9416,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + init_labeled_script_domtrans($1, crond_initrc_exec_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.8/policy/modules/services/cron.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.9/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/cron.te 2009-03-11 16:24:13.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/cron.te 2009-03-12 11:23:09.000000000 -0400 @@ -38,6 +38,10 @@ type cron_var_lib_t; files_type(cron_var_lib_t) @@ -10307,9 +9746,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`fcron_crond', ` allow crond_t user_cron_spool_t:file manage_file_perms; ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.8/policy/modules/services/cups.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.9/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/cups.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/cups.fc 2009-03-12 11:23:09.000000000 -0400 @@ -5,27 +5,38 @@ /etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) @@ -10383,9 +9822,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + +/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.6.8/policy/modules/services/cups.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.6.9/policy/modules/services/cups.if --- nsaserefpolicy/policy/modules/services/cups.if 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/cups.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/cups.if 2009-03-12 11:23:09.000000000 -0400 @@ -20,6 +20,30 @@ ######################################## @@ -10510,9 +9949,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + admin_pattern($1, hplip_var_run_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.8/policy/modules/services/cups.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.9/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/cups.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/cups.te 2009-03-12 11:23:09.000000000 -0400 @@ -20,9 +20,18 @@ type cupsd_etc_t; files_config_file(cupsd_etc_t) @@ -10917,9 +10356,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) +miscfiles_read_fonts(cups_pdf_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-3.6.8/policy/modules/services/cvs.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-3.6.9/policy/modules/services/cvs.if --- nsaserefpolicy/policy/modules/services/cvs.if 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/cvs.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/cvs.if 2009-03-12 11:23:09.000000000 -0400 @@ -15,7 +15,9 @@ type cvs_data_t; ') @@ -10931,18 +10370,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.8/policy/modules/services/cvs.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.9/policy/modules/services/cvs.te --- nsaserefpolicy/policy/modules/services/cvs.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/cvs.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/cvs.te 2009-03-12 11:23:09.000000000 -0400 @@ -112,4 +112,5 @@ read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) + files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.6.8/policy/modules/services/dbus.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.6.9/policy/modules/services/dbus.fc --- nsaserefpolicy/policy/modules/services/dbus.fc 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/dbus.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/dbus.fc 2009-03-12 11:23:09.000000000 -0400 @@ -4,6 +4,9 @@ /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) /bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0) @@ -10953,9 +10392,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.8/policy/modules/services/dbus.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.9/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/dbus.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/dbus.if 2009-03-12 11:23:09.000000000 -0400 @@ -44,6 +44,7 @@ attribute session_bus_type; @@ -11140,9 +10579,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 system_dbusd_t:tcp_socket { read write }; + allow $1 system_dbusd_t:fd use; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.8/policy/modules/services/dbus.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.9/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/dbus.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/dbus.te 2009-03-12 11:23:09.000000000 -0400 @@ -9,14 +9,15 @@ # # Delcarations @@ -11270,9 +10709,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_rw_shm(unconfined_dbusd_t) + ') +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.8/policy/modules/services/dcc.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.9/policy/modules/services/dcc.te --- nsaserefpolicy/policy/modules/services/dcc.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/dcc.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/dcc.te 2009-03-12 11:23:09.000000000 -0400 @@ -137,6 +137,7 @@ corenet_all_recvfrom_unlabeled(dcc_client_t) @@ -11281,9 +10720,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_udp_sendrecv_generic_if(dcc_client_t) corenet_udp_sendrecv_generic_node(dcc_client_t) corenet_udp_sendrecv_all_ports(dcc_client_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.8/policy/modules/services/devicekit.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.9/policy/modules/services/devicekit.fc --- nsaserefpolicy/policy/modules/services/devicekit.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/devicekit.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/devicekit.fc 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,7 @@ + +/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0) @@ -11292,9 +10731,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/DeviceKit-power(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0) + +/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.8/policy/modules/services/devicekit.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.9/policy/modules/services/devicekit.if --- nsaserefpolicy/policy/modules/services/devicekit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/devicekit.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/devicekit.if 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,177 @@ + +## policy for devicekit @@ -11473,9 +10912,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 devicekit_t:unix_dgram_socket sendto; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.8/policy/modules/services/devicekit.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.9/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/devicekit.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/devicekit.te 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,138 @@ +policy_module(devicekit,1.0.0) + @@ -11615,9 +11054,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + vbetool_domtrans(devicekit_power_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.6.8/policy/modules/services/dhcp.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.6.9/policy/modules/services/dhcp.if --- nsaserefpolicy/policy/modules/services/dhcp.if 2008-11-18 18:57:20.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/dhcp.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/dhcp.if 2009-03-12 11:23:09.000000000 -0400 @@ -22,6 +22,25 @@ ######################################## @@ -11644,17 +11083,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate ## an dhcp environment ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.6.8/policy/modules/services/dnsmasq.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.6.9/policy/modules/services/dnsmasq.fc --- nsaserefpolicy/policy/modules/services/dnsmasq.fc 2008-11-18 18:57:20.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/dnsmasq.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/dnsmasq.fc 2009-03-12 11:23:09.000000000 -0400 @@ -5,3 +5,4 @@ /var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0) /var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0) /var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) +/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.6.8/policy/modules/services/dnsmasq.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.6.9/policy/modules/services/dnsmasq.if --- nsaserefpolicy/policy/modules/services/dnsmasq.if 2008-11-18 18:57:21.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/dnsmasq.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/dnsmasq.if 2009-03-12 11:23:09.000000000 -0400 @@ -22,6 +22,25 @@ ######################################## @@ -11753,9 +11192,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate ## an dnsmasq environment ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.8/policy/modules/services/dnsmasq.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.9/policy/modules/services/dnsmasq.te --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/dnsmasq.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/dnsmasq.te 2009-03-12 11:23:09.000000000 -0400 @@ -69,21 +69,22 @@ # allow access to dnsmasq.conf @@ -11788,9 +11227,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol virt_manage_lib_files(dnsmasq_t) + virt_read_pid_files(dnsmasq_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.6.8/policy/modules/services/dovecot.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.6.9/policy/modules/services/dovecot.fc --- nsaserefpolicy/policy/modules/services/dovecot.fc 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/dovecot.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/dovecot.fc 2009-03-12 11:23:09.000000000 -0400 @@ -6,6 +6,7 @@ /etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) @@ -11824,9 +11263,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0) + /var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.6.8/policy/modules/services/dovecot.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.6.9/policy/modules/services/dovecot.if --- nsaserefpolicy/policy/modules/services/dovecot.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/dovecot.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/dovecot.if 2009-03-12 11:23:09.000000000 -0400 @@ -21,7 +21,46 @@ ######################################## @@ -11936,9 +11375,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.8/policy/modules/services/dovecot.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.9/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/dovecot.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/dovecot.te 2009-03-12 11:23:09.000000000 -0400 @@ -15,12 +15,21 @@ domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t) role system_r types dovecot_auth_t; @@ -12121,9 +11560,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + mta_manage_spool(dovecot_deliver_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.6.8/policy/modules/services/exim.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.6.9/policy/modules/services/exim.if --- nsaserefpolicy/policy/modules/services/exim.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/exim.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/exim.if 2009-03-12 11:23:09.000000000 -0400 @@ -97,6 +97,26 @@ ######################################## @@ -12175,9 +11614,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_dirs_pattern($1, exim_spool_t, exim_spool_t) + files_search_spool($1) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.8/policy/modules/services/exim.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.9/policy/modules/services/exim.te --- nsaserefpolicy/policy/modules/services/exim.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/exim.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/exim.te 2009-03-12 11:23:09.000000000 -0400 @@ -21,9 +21,20 @@ ## gen_tunable(exim_manage_user_files, false) @@ -12332,9 +11771,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + spamassassin_exec(exim_t) + spamassassin_exec_client(exim_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.8/policy/modules/services/ftp.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.9/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/ftp.te 2009-03-10 11:53:44.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/ftp.te 2009-03-12 11:23:09.000000000 -0400 @@ -26,7 +26,7 @@ ## ##

@@ -12442,16 +11881,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(ftpd_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.6.8/policy/modules/services/gnomeclock.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.6.9/policy/modules/services/gnomeclock.fc --- nsaserefpolicy/policy/modules/services/gnomeclock.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/gnomeclock.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/gnomeclock.fc 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,3 @@ + +/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.6.8/policy/modules/services/gnomeclock.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.6.9/policy/modules/services/gnomeclock.if --- nsaserefpolicy/policy/modules/services/gnomeclock.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/gnomeclock.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/gnomeclock.if 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,69 @@ + +##

policy for gnomeclock @@ -12522,9 +11961,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 gnomeclock_t:dbus send_msg; + allow gnomeclock_t $1:dbus send_msg; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.6.8/policy/modules/services/gnomeclock.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.6.9/policy/modules/services/gnomeclock.te --- nsaserefpolicy/policy/modules/services/gnomeclock.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/gnomeclock.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/gnomeclock.te 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,51 @@ +policy_module(gnomeclock, 1.0.0) +######################################## @@ -12577,16 +12016,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + polkit_read_reload(gnomeclock_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.6.8/policy/modules/services/gpsd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.6.9/policy/modules/services/gpsd.fc --- nsaserefpolicy/policy/modules/services/gpsd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/gpsd.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/gpsd.fc 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,3 @@ + +/usr/sbin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.if serefpolicy-3.6.8/policy/modules/services/gpsd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.if serefpolicy-3.6.9/policy/modules/services/gpsd.if --- nsaserefpolicy/policy/modules/services/gpsd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/gpsd.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/gpsd.if 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,83 @@ +## gpsd monitor daemon + @@ -12671,9 +12110,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) + read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.6.8/policy/modules/services/gpsd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.6.9/policy/modules/services/gpsd.te --- nsaserefpolicy/policy/modules/services/gpsd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/gpsd.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/gpsd.te 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,52 @@ +policy_module(gpsd,1.0.0) + @@ -12727,9 +12166,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.6.8/policy/modules/services/hal.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.6.9/policy/modules/services/hal.fc --- nsaserefpolicy/policy/modules/services/hal.fc 2008-11-19 11:51:44.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/hal.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/hal.fc 2009-03-12 11:23:09.000000000 -0400 @@ -5,6 +5,7 @@ /usr/bin/hal-setup-keymap -- gen_context(system_u:object_r:hald_keymap_exec_t,s0) @@ -12738,9 +12177,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0) /usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0) /usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.8/policy/modules/services/hal.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.9/policy/modules/services/hal.if --- nsaserefpolicy/policy/modules/services/hal.if 2008-11-19 11:51:44.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/hal.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/hal.if 2009-03-12 11:23:09.000000000 -0400 @@ -20,6 +20,24 @@ ######################################## @@ -12841,9 +12280,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + logging_log_filetrans($1, hald_log_t, file) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.8/policy/modules/services/hal.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.9/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/hal.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/hal.te 2009-03-12 11:23:09.000000000 -0400 @@ -49,6 +49,15 @@ type hald_var_lib_t; files_type(hald_var_lib_t) @@ -13013,9 +12452,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +miscfiles_read_localization(hald_dccm_t) + +permissive hald_dccm_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ifplugd.fc serefpolicy-3.6.8/policy/modules/services/ifplugd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ifplugd.fc serefpolicy-3.6.9/policy/modules/services/ifplugd.fc --- nsaserefpolicy/policy/modules/services/ifplugd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/ifplugd.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/ifplugd.fc 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,9 @@ + +/etc/ifplugd(/.*)? gen_context(system_u:object_r:ifplugd_etc_t,s0) @@ -13026,9 +12465,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/var/run/ifplugd.* gen_context(system_u:object_r:ifplugd_var_run_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ifplugd.if serefpolicy-3.6.8/policy/modules/services/ifplugd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ifplugd.if serefpolicy-3.6.9/policy/modules/services/ifplugd.if --- nsaserefpolicy/policy/modules/services/ifplugd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/ifplugd.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/ifplugd.if 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,194 @@ +## policy for ifplugd + @@ -13224,9 +12663,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, ifplugd_var_run_t) + +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ifplugd.te serefpolicy-3.6.8/policy/modules/services/ifplugd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ifplugd.te serefpolicy-3.6.9/policy/modules/services/ifplugd.te --- nsaserefpolicy/policy/modules/services/ifplugd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/ifplugd.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/ifplugd.te 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,89 @@ +policy_module(ifplugd,1.0.0) + @@ -13317,9 +12756,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +permissive ifplugd_t; + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.6.8/policy/modules/services/kerberos.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.6.9/policy/modules/services/kerberos.fc --- nsaserefpolicy/policy/modules/services/kerberos.fc 2008-10-10 15:53:03.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/kerberos.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/kerberos.fc 2009-03-12 11:23:09.000000000 -0400 @@ -21,6 +21,7 @@ /var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) /var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) @@ -13328,9 +12767,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0) /var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.8/policy/modules/services/kerberos.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.9/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/kerberos.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/kerberos.te 2009-03-12 11:23:09.000000000 -0400 @@ -290,6 +290,7 @@ corenet_tcp_sendrecv_generic_node(kpropd_t) corenet_tcp_sendrecv_all_ports(kpropd_t) @@ -13339,9 +12778,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_urand(kpropd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.6.8/policy/modules/services/kerneloops.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.6.9/policy/modules/services/kerneloops.if --- nsaserefpolicy/policy/modules/services/kerneloops.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/kerneloops.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/kerneloops.if 2009-03-12 11:23:09.000000000 -0400 @@ -63,6 +63,25 @@ ######################################## @@ -13384,9 +12823,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, kerneloops_tmp_t) ') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.6.8/policy/modules/services/kerneloops.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.6.9/policy/modules/services/kerneloops.te --- nsaserefpolicy/policy/modules/services/kerneloops.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/kerneloops.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/kerneloops.te 2009-03-12 11:23:09.000000000 -0400 @@ -13,6 +13,9 @@ type kerneloops_initrc_exec_t; init_script_file(kerneloops_initrc_exec_t) @@ -13419,9 +12858,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - dbus_connect_system_bus(kerneloops_t) + dbus_system_domain(kerneloops_t, kerneloops_exec_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.6.8/policy/modules/services/ktalk.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.6.9/policy/modules/services/ktalk.te --- nsaserefpolicy/policy/modules/services/ktalk.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/ktalk.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/ktalk.te 2009-03-12 11:23:09.000000000 -0400 @@ -69,6 +69,7 @@ files_read_etc_files(ktalkd_t) @@ -13430,17 +12869,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(ktalkd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.6.8/policy/modules/services/mailman.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.6.9/policy/modules/services/mailman.fc --- nsaserefpolicy/policy/modules/services/mailman.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/mailman.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/mailman.fc 2009-03-12 11:23:09.000000000 -0400 @@ -31,3 +31,4 @@ /var/lock/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0) /var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) ') +/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.6.8/policy/modules/services/mailman.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.6.9/policy/modules/services/mailman.if --- nsaserefpolicy/policy/modules/services/mailman.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/mailman.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/mailman.if 2009-03-12 11:23:09.000000000 -0400 @@ -31,6 +31,12 @@ allow mailman_$1_t self:tcp_socket create_stream_socket_perms; allow mailman_$1_t self:udp_socket create_socket_perms; @@ -13504,9 +12943,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Append to mailman logs. ## ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.8/policy/modules/services/mailman.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.9/policy/modules/services/mailman.te --- nsaserefpolicy/policy/modules/services/mailman.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/mailman.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/mailman.te 2009-03-12 11:23:09.000000000 -0400 @@ -53,10 +53,8 @@ apache_use_fds(mailman_cgi_t) apache_dontaudit_append_log(mailman_cgi_t) @@ -13573,9 +13012,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` cron_system_entry(mailman_queue_t, mailman_queue_exec_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.8/policy/modules/services/mta.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.9/policy/modules/services/mta.fc --- nsaserefpolicy/policy/modules/services/mta.fc 2008-09-12 10:48:05.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/mta.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/mta.fc 2009-03-12 11:23:09.000000000 -0400 @@ -1,4 +1,4 @@ -/bin/mail -- gen_context(system_u:object_r:sendmail_exec_t,s0) +/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) @@ -13604,9 +13043,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -#ifdef(`postfix.te', `', ` -#/var/spool/postfix(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) -#') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.8/policy/modules/services/mta.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.9/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/mta.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/mta.if 2009-03-12 11:23:09.000000000 -0400 @@ -130,6 +130,15 @@ sendmail_create_log($1_mail_t) ') @@ -13674,9 +13113,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.8/policy/modules/services/mta.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.9/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/mta.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/mta.te 2009-03-12 11:23:09.000000000 -0400 @@ -47,34 +47,49 @@ # @@ -13819,9 +13258,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # User send mail local policy -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.6.8/policy/modules/services/munin.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.6.9/policy/modules/services/munin.fc --- nsaserefpolicy/policy/modules/services/munin.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/munin.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/munin.fc 2009-03-12 11:23:09.000000000 -0400 @@ -1,4 +1,5 @@ /etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0) +/etc/rc\.d/init\.d/munin-node -- gen_context(system_u:object_r:munin_initrc_exec_t,s0) @@ -13839,34 +13278,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) +/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.6.8/policy/modules/services/munin.if ---- nsaserefpolicy/policy/modules/services/munin.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/munin.if 2009-03-10 08:25:54.000000000 -0400 -@@ -80,3 +80,76 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.6.9/policy/modules/services/munin.if +--- nsaserefpolicy/policy/modules/services/munin.if 2009-03-12 11:16:47.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/munin.if 2009-03-12 11:25:27.000000000 -0400 +@@ -59,8 +59,9 @@ + type munin_log_t; + ') - dontaudit $1 munin_var_lib_t:dir search_dir_perms; - ') -+ -+######################################## -+## -+## Allow the specified domain to append -+## to munin log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`munin_append_log',` -+ gen_require(` -+ type munin_log_t; -+ ') -+ -+ logging_search_logs($1) +- allow $1 munin_log_t:file append_file_perms; + logging_search_logs($1) + allow $1 munin_log_t:dir list_dir_perms; + append_files_pattern($1, munin_log_t, munin_log_t) -+') + ') + + ####################################### +@@ -100,3 +101,55 @@ + + dontaudit $1 munin_var_lib_t:dir search_dir_perms; + ') + +######################################## +## @@ -13919,9 +13348,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, httpd_munin_content_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.8/policy/modules/services/munin.te ---- nsaserefpolicy/policy/modules/services/munin.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/munin.te 2009-03-10 08:25:54.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.9/policy/modules/services/munin.te +--- nsaserefpolicy/policy/modules/services/munin.te 2009-03-12 11:16:47.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/munin.te 2009-03-12 11:23:09.000000000 -0400 @@ -13,6 +13,9 @@ type munin_etc_t alias lrrd_etc_t; files_config_file(munin_etc_t) @@ -14056,9 +13485,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) +manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.6.8/policy/modules/services/mysql.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.6.9/policy/modules/services/mysql.fc --- nsaserefpolicy/policy/modules/services/mysql.fc 2008-11-18 18:57:20.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/mysql.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/mysql.fc 2009-03-12 11:23:09.000000000 -0400 @@ -12,6 +12,8 @@ # /usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0) @@ -14068,9 +13497,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0) # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.6.8/policy/modules/services/mysql.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.6.9/policy/modules/services/mysql.if --- nsaserefpolicy/policy/modules/services/mysql.if 2008-11-18 18:57:20.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/mysql.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/mysql.if 2009-03-12 11:23:09.000000000 -0400 @@ -161,6 +161,25 @@ allow $1 mysqld_db_t:sock_file rw_sock_file_perms; ') @@ -14106,9 +13535,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.8/policy/modules/services/mysql.te ---- nsaserefpolicy/policy/modules/services/mysql.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/mysql.te 2009-03-10 08:25:54.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.9/policy/modules/services/mysql.te +--- nsaserefpolicy/policy/modules/services/mysql.te 2009-03-12 11:16:47.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/mysql.te 2009-03-12 11:23:09.000000000 -0400 @@ -10,6 +10,10 @@ type mysqld_exec_t; init_daemon_domain(mysqld_t, mysqld_exec_t) @@ -14120,55 +13549,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type mysqld_var_run_t; files_pid_file(mysqld_var_run_t) -@@ -30,7 +34,7 @@ - - ######################################## - # --# Local policy -+# Local mysqld policy - # - - allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service }; -@@ -121,3 +125,36 @@ - optional_policy(` - udev_read_db(mysqld_t) - ') -+ -+####################################### -+# -+# Local mysqld_safe policy -+# -+ -+domtrans_pattern(mysqld_safe_t,mysqld_exec_t,mysqld_t) -+ -+allow mysqld_safe_t self:capability { dac_override fowner chown }; -+allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; -+ -+append_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) -+ -+mysql_read_config(mysqld_safe_t) -+mysql_search_pid_files(mysqld_safe_t) -+mysql_write_log(mysqld_safe_t) -+ -+kernel_read_system_state(mysqld_safe_t) -+ -+files_read_etc_files(mysqld_safe_t) -+files_read_usr_files(mysqld_safe_t) -+ -+dev_list_sysfs(mysqld_safe_t) -+ -+corecmd_exec_bin(mysqld_safe_t) -+ -+libs_use_ld_so(mysqld_safe_t) -+libs_use_shared_libs(mysqld_safe_t) -+ -+miscfiles_read_localization(mysqld_safe_t) -+ -+permissive mysqld_safe_t; -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.8/policy/modules/services/nagios.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.9/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/nagios.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/nagios.fc 2009-03-12 11:23:09.000000000 -0400 @@ -1,16 +1,19 @@ /etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) /etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) @@ -14193,9 +13576,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') +/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.8/policy/modules/services/nagios.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.9/policy/modules/services/nagios.if --- nsaserefpolicy/policy/modules/services/nagios.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/nagios.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/nagios.if 2009-03-12 11:23:09.000000000 -0400 @@ -44,7 +44,7 @@ ######################################## @@ -14315,9 +13698,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + admin_pattern($1, nrpe_etc_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.8/policy/modules/services/nagios.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.9/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/nagios.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/nagios.te 2009-03-12 11:23:09.000000000 -0400 @@ -10,13 +10,12 @@ type nagios_exec_t; init_daemon_domain(nagios_t, nagios_exec_t) @@ -14413,9 +13796,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.8/policy/modules/services/networkmanager.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.9/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/networkmanager.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/networkmanager.fc 2009-03-12 11:23:09.000000000 -0400 @@ -1,12 +1,25 @@ +/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t, s0) +/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) @@ -14442,9 +13825,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.8/policy/modules/services/networkmanager.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.9/policy/modules/services/networkmanager.if --- nsaserefpolicy/policy/modules/services/networkmanager.if 2008-09-11 11:28:34.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/networkmanager.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/networkmanager.if 2009-03-12 11:23:09.000000000 -0400 @@ -118,6 +118,24 @@ ######################################## @@ -14501,9 +13884,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + role $2 types NetworkManager_t; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.8/policy/modules/services/networkmanager.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.9/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/networkmanager.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/networkmanager.te 2009-03-12 11:23:09.000000000 -0400 @@ -19,6 +19,9 @@ type NetworkManager_tmp_t; files_tmp_file(NetworkManager_tmp_t) @@ -14733,9 +14116,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.6.8/policy/modules/services/nis.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.6.9/policy/modules/services/nis.fc --- nsaserefpolicy/policy/modules/services/nis.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/nis.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/nis.fc 2009-03-12 11:23:09.000000000 -0400 @@ -1,9 +1,13 @@ - +/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0) @@ -14751,9 +14134,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) /usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.6.8/policy/modules/services/nis.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.6.9/policy/modules/services/nis.if --- nsaserefpolicy/policy/modules/services/nis.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/nis.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/nis.if 2009-03-12 11:23:09.000000000 -0400 @@ -28,7 +28,7 @@ type var_yp_t; ') @@ -14931,9 +14314,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + role $2 types ypbind_t; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.8/policy/modules/services/nis.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.9/policy/modules/services/nis.te --- nsaserefpolicy/policy/modules/services/nis.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/nis.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/nis.te 2009-03-12 11:23:09.000000000 -0400 @@ -13,6 +13,9 @@ type ypbind_exec_t; init_daemon_domain(ypbind_t, ypbind_exec_t) @@ -15008,17 +14391,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t) corenet_tcp_connect_all_ports(ypxfr_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.6.8/policy/modules/services/nscd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.6.9/policy/modules/services/nscd.fc --- nsaserefpolicy/policy/modules/services/nscd.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/nscd.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/nscd.fc 2009-03-12 11:23:09.000000000 -0400 @@ -1,3 +1,4 @@ +/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0) /usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.6.8/policy/modules/services/nscd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.6.9/policy/modules/services/nscd.if --- nsaserefpolicy/policy/modules/services/nscd.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/nscd.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/nscd.if 2009-03-12 11:23:09.000000000 -0400 @@ -58,6 +58,42 @@ ######################################## @@ -15141,9 +14524,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, nscd_var_run_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.6.8/policy/modules/services/nscd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.6.9/policy/modules/services/nscd.te --- nsaserefpolicy/policy/modules/services/nscd.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/nscd.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/nscd.te 2009-03-12 11:23:09.000000000 -0400 @@ -20,6 +20,9 @@ type nscd_exec_t; init_daemon_domain(nscd_t, nscd_exec_t) @@ -15240,9 +14623,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + samba_read_config(nscd_t) + samba_read_var_files(nscd_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.6.8/policy/modules/services/ntp.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.6.9/policy/modules/services/ntp.if --- nsaserefpolicy/policy/modules/services/ntp.if 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/ntp.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/ntp.if 2009-03-12 11:23:09.000000000 -0400 @@ -37,6 +37,32 @@ ######################################## @@ -15340,9 +14723,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate ## an ntp environment ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.6.8/policy/modules/services/ntp.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.6.9/policy/modules/services/ntp.te --- nsaserefpolicy/policy/modules/services/ntp.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/ntp.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/ntp.te 2009-03-12 11:23:09.000000000 -0400 @@ -25,6 +25,9 @@ type ntpd_tmp_t; files_tmp_file(ntpd_tmp_t) @@ -15407,9 +14790,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol firstboot_dontaudit_use_fds(ntpd_t) firstboot_dontaudit_rw_pipes(ntpd_t) firstboot_dontaudit_rw_stream_sockets(ntpd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.6.8/policy/modules/services/nx.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.6.9/policy/modules/services/nx.te --- nsaserefpolicy/policy/modules/services/nx.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/nx.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/nx.te 2009-03-12 11:23:09.000000000 -0400 @@ -25,6 +25,9 @@ type nx_server_var_run_t; files_pid_file(nx_server_var_run_t) @@ -15430,18 +14813,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(nx_server_t) kernel_read_kernel_sysctls(nx_server_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.6.8/policy/modules/services/oddjob.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.6.9/policy/modules/services/oddjob.fc --- nsaserefpolicy/policy/modules/services/oddjob.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/oddjob.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/oddjob.fc 2009-03-12 11:23:09.000000000 -0400 @@ -1,4 +1,4 @@ -/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) +/usr/lib(64)?/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) /usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.6.8/policy/modules/services/oddjob.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.6.9/policy/modules/services/oddjob.if --- nsaserefpolicy/policy/modules/services/oddjob.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/oddjob.if 2009-03-11 15:20:43.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/oddjob.if 2009-03-12 11:23:09.000000000 -0400 @@ -44,6 +44,7 @@ ') @@ -15479,9 +14862,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + oddjob_domtrans_mkhomedir($1) + role $2 types oddjob_mkhomedir_t; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.6.8/policy/modules/services/oddjob.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.6.9/policy/modules/services/oddjob.te --- nsaserefpolicy/policy/modules/services/oddjob.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/oddjob.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/oddjob.te 2009-03-12 11:23:09.000000000 -0400 @@ -10,14 +10,21 @@ type oddjob_exec_t; domain_type(oddjob_t) @@ -15538,9 +14921,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Add/remove user home directories userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t) userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.fc serefpolicy-3.6.8/policy/modules/services/openvpn.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.fc serefpolicy-3.6.9/policy/modules/services/openvpn.fc --- nsaserefpolicy/policy/modules/services/openvpn.fc 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/openvpn.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/openvpn.fc 2009-03-12 11:23:09.000000000 -0400 @@ -2,6 +2,7 @@ # /etc # @@ -15549,9 +14932,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0) # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.if serefpolicy-3.6.8/policy/modules/services/openvpn.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.if serefpolicy-3.6.9/policy/modules/services/openvpn.if --- nsaserefpolicy/policy/modules/services/openvpn.if 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/openvpn.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/openvpn.if 2009-03-12 11:23:09.000000000 -0400 @@ -46,6 +46,24 @@ ######################################## @@ -15602,9 +14985,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Allow the specified domain to read ## OpenVPN configuration files. ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.8/policy/modules/services/openvpn.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.9/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/openvpn.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/openvpn.te 2009-03-12 11:23:09.000000000 -0400 @@ -22,6 +22,9 @@ type openvpn_etc_t; files_config_file(openvpn_etc_t) @@ -15646,9 +15029,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_use_user_terminals(openvpn_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.fc serefpolicy-3.6.8/policy/modules/services/pads.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.fc serefpolicy-3.6.9/policy/modules/services/pads.fc --- nsaserefpolicy/policy/modules/services/pads.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/pads.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/pads.fc 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,12 @@ + +/etc/pads-ether-codes -- gen_context(system_u:object_r:pads_config_t, s0) @@ -15662,9 +15045,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/var/run/pads.pid -- gen_context(system_u:object_r:pads_var_run_t, s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.if serefpolicy-3.6.8/policy/modules/services/pads.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.if serefpolicy-3.6.9/policy/modules/services/pads.if --- nsaserefpolicy/policy/modules/services/pads.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/pads.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/pads.if 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,10 @@ +## SELinux policy for PADS daemon. +## @@ -15676,9 +15059,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +##

+## + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.te serefpolicy-3.6.8/policy/modules/services/pads.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.te serefpolicy-3.6.9/policy/modules/services/pads.te --- nsaserefpolicy/policy/modules/services/pads.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/pads.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/pads.te 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,65 @@ + +policy_module(pads, 0.0.1) @@ -15745,9 +15128,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + prelude_manage_spool(pads_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.fc serefpolicy-3.6.8/policy/modules/services/pcscd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.fc serefpolicy-3.6.9/policy/modules/services/pcscd.fc --- nsaserefpolicy/policy/modules/services/pcscd.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/pcscd.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/pcscd.fc 2009-03-12 11:23:09.000000000 -0400 @@ -1,5 +1,6 @@ /var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0) /var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0) @@ -15755,9 +15138,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/pcscd\.events(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0) /usr/sbin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.8/policy/modules/services/pcscd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.9/policy/modules/services/pcscd.te --- nsaserefpolicy/policy/modules/services/pcscd.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/pcscd.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/pcscd.te 2009-03-12 11:23:09.000000000 -0400 @@ -27,9 +27,10 @@ allow pcscd_t self:unix_dgram_socket create_socket_perms; allow pcscd_t self:tcp_socket create_stream_socket_perms; @@ -15785,9 +15168,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol openct_stream_connect(pcscd_t) openct_read_pid_files(pcscd_t) openct_signull(pcscd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.6.8/policy/modules/services/pegasus.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.6.9/policy/modules/services/pegasus.te --- nsaserefpolicy/policy/modules/services/pegasus.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/pegasus.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/pegasus.te 2009-03-12 11:23:09.000000000 -0400 @@ -30,7 +30,7 @@ # Local policy # @@ -15859,9 +15242,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xen_stream_connect(pegasus_t) + xen_stream_connect_xenstore(pegasus_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.fc serefpolicy-3.6.8/policy/modules/services/pingd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.fc serefpolicy-3.6.9/policy/modules/services/pingd.fc --- nsaserefpolicy/policy/modules/services/pingd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/pingd.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/pingd.fc 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,11 @@ + +/etc/pingd.conf -- gen_context(system_u:object_r:pingd_etc_t,s0) @@ -15874,9 +15257,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.if serefpolicy-3.6.8/policy/modules/services/pingd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.if serefpolicy-3.6.9/policy/modules/services/pingd.if --- nsaserefpolicy/policy/modules/services/pingd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/pingd.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/pingd.if 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,99 @@ +## policy for pingd + @@ -15977,9 +15360,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.te serefpolicy-3.6.8/policy/modules/services/pingd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.te serefpolicy-3.6.9/policy/modules/services/pingd.te --- nsaserefpolicy/policy/modules/services/pingd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/pingd.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/pingd.te 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,54 @@ +policy_module(pingd,1.0.0) + @@ -16035,9 +15418,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.6.8/policy/modules/services/polkit.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.6.9/policy/modules/services/polkit.fc --- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/polkit.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/polkit.fc 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,11 @@ + +/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0) @@ -16050,9 +15433,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) + +/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:polkit_reload_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.8/policy/modules/services/polkit.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.9/policy/modules/services/polkit.if --- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/polkit.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/polkit.if 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,241 @@ + +## policy for polkit_auth @@ -16295,9 +15678,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 polkit_t:dbus send_msg; + allow polkit_t $1:dbus send_msg; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.6.8/policy/modules/services/polkit.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.6.9/policy/modules/services/polkit.te --- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/polkit.te 2009-03-11 15:59:49.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/polkit.te 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,237 @@ +policy_module(polkit_auth, 1.0.0) + @@ -16536,9 +15919,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + unconfined_ptrace(polkit_resolve_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.fc serefpolicy-3.6.8/policy/modules/services/portreserve.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.fc serefpolicy-3.6.9/policy/modules/services/portreserve.fc --- nsaserefpolicy/policy/modules/services/portreserve.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/portreserve.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/portreserve.fc 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,12 @@ +# portreserve executable will have: +# label: system_u:object_r:portreserve_exec_t @@ -16552,9 +15935,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.if serefpolicy-3.6.8/policy/modules/services/portreserve.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.if serefpolicy-3.6.9/policy/modules/services/portreserve.if --- nsaserefpolicy/policy/modules/services/portreserve.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/portreserve.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/portreserve.if 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,66 @@ +## policy for portreserve + @@ -16622,9 +16005,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_files_pattern($1, portreserve_etc_t, portreserve_etc_t) + read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.6.8/policy/modules/services/portreserve.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.6.9/policy/modules/services/portreserve.te --- nsaserefpolicy/policy/modules/services/portreserve.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/portreserve.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/portreserve.te 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,51 @@ +policy_module(portreserve,1.0.0) + @@ -16677,9 +16060,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +#init_use_fds(portreserve_t) +#init_use_script_ptys(portreserve_t) +#domain_use_interactive_fds(portreserve_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.6.8/policy/modules/services/postfix.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.6.9/policy/modules/services/postfix.fc --- nsaserefpolicy/policy/modules/services/postfix.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/postfix.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/postfix.fc 2009-03-12 11:23:09.000000000 -0400 @@ -29,12 +29,10 @@ /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) @@ -16693,9 +16076,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0) /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.8/policy/modules/services/postfix.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.9/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/postfix.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/postfix.if 2009-03-12 11:23:09.000000000 -0400 @@ -46,6 +46,7 @@ allow postfix_$1_t postfix_etc_t:dir list_dir_perms; @@ -16889,9 +16272,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.8/policy/modules/services/postfix.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.9/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/postfix.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/postfix.te 2009-03-12 11:23:09.000000000 -0400 @@ -6,6 +6,15 @@ # Declarations # @@ -17239,9 +16622,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +userdom_manage_user_home_content(postfix_virtual_t) +userdom_home_filetrans_user_home_dir(postfix_virtual_t) +userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir }) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.6.8/policy/modules/services/postgresql.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.6.9/policy/modules/services/postgresql.fc --- nsaserefpolicy/policy/modules/services/postgresql.fc 2008-08-14 13:08:27.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/postgresql.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/postgresql.fc 2009-03-12 11:23:09.000000000 -0400 @@ -2,6 +2,7 @@ # /etc # @@ -17250,9 +16633,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /usr -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.6.8/policy/modules/services/postgresql.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.6.9/policy/modules/services/postgresql.if --- nsaserefpolicy/policy/modules/services/postgresql.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/postgresql.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/postgresql.if 2009-03-12 11:23:09.000000000 -0400 @@ -351,3 +351,46 @@ typeattribute $1 sepgsql_unconfined_type; @@ -17300,9 +16683,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + admin_pattern($1, postgresql_tmp_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.8/policy/modules/services/postgresql.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.9/policy/modules/services/postgresql.te --- nsaserefpolicy/policy/modules/services/postgresql.te 2009-02-03 22:50:50.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/postgresql.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/postgresql.te 2009-03-12 11:23:09.000000000 -0400 @@ -32,6 +32,9 @@ type postgresql_etc_t; files_config_file(postgresql_etc_t) @@ -17356,9 +16739,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto }; allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.6.8/policy/modules/services/ppp.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.6.9/policy/modules/services/ppp.fc --- nsaserefpolicy/policy/modules/services/ppp.fc 2008-09-11 11:28:34.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/ppp.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/ppp.fc 2009-03-12 11:23:09.000000000 -0400 @@ -1,7 +1,7 @@ # # /etc @@ -17379,9 +16762,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /sbin -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.8/policy/modules/services/ppp.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.9/policy/modules/services/ppp.if --- nsaserefpolicy/policy/modules/services/ppp.if 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/ppp.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/ppp.if 2009-03-12 11:23:09.000000000 -0400 @@ -58,6 +58,25 @@ ######################################## @@ -17482,9 +16865,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - manage_files_pattern($1, pptp_var_run_t, pptp_var_run_t) + admin_pattern($1, pptp_var_run_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.8/policy/modules/services/ppp.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.9/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/ppp.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/ppp.te 2009-03-12 11:23:09.000000000 -0400 @@ -37,8 +37,8 @@ type pppd_etc_rw_t; files_type(pppd_etc_rw_t) @@ -17620,9 +17003,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - -# FIXME: -domtrans_pattern(pppd_t, pppd_script_exec_t, initrc_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.fc serefpolicy-3.6.8/policy/modules/services/prelude.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.fc serefpolicy-3.6.9/policy/modules/services/prelude.fc --- nsaserefpolicy/policy/modules/services/prelude.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/prelude.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/prelude.fc 2009-03-12 11:23:09.000000000 -0400 @@ -1,3 +1,9 @@ +/etc/prelude-correlator(/.*)? gen_context(system_u:object_r:prelude_correlator_config_t, s0) + @@ -17649,9 +17032,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/usr/bin/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_exec_t, s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.6.8/policy/modules/services/prelude.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.6.9/policy/modules/services/prelude.if --- nsaserefpolicy/policy/modules/services/prelude.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/prelude.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/prelude.if 2009-03-12 11:23:09.000000000 -0400 @@ -6,7 +6,7 @@ ## ## @@ -17764,9 +17147,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, prelude_lml_tmp_t) + admin_pattern($1, prelude_lml_var_run_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.6.8/policy/modules/services/prelude.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.6.9/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/prelude.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/prelude.te 2009-03-12 11:23:09.000000000 -0400 @@ -13,25 +13,57 @@ type prelude_spool_t; files_type(prelude_spool_t) @@ -18036,9 +17419,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` mysql_search_db(httpd_prewikka_script_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.8/policy/modules/services/procmail.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.9/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/procmail.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/procmail.te 2009-03-12 11:23:09.000000000 -0400 @@ -77,6 +77,7 @@ files_read_usr_files(procmail_t) @@ -18066,9 +17449,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol pyzor_domtrans(procmail_t) pyzor_signal(procmail_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.fc serefpolicy-3.6.8/policy/modules/services/psad.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.fc serefpolicy-3.6.9/policy/modules/services/psad.fc --- nsaserefpolicy/policy/modules/services/psad.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/psad.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/psad.fc 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,17 @@ + + @@ -18087,9 +17470,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/psad(/.*)? gen_context(system_u:object_r:psad_var_lib_t,s0) + +/var/log/psad(/.*)? gen_context(system_u:object_r:psad_var_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.if serefpolicy-3.6.8/policy/modules/services/psad.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.if serefpolicy-3.6.9/policy/modules/services/psad.if --- nsaserefpolicy/policy/modules/services/psad.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/psad.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/psad.if 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,304 @@ +## Psad SELinux policy + @@ -18395,9 +17778,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_search_tmp($1) + admin_pattern($1, psad_tmp_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.te serefpolicy-3.6.8/policy/modules/services/psad.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.te serefpolicy-3.6.9/policy/modules/services/psad.te --- nsaserefpolicy/policy/modules/services/psad.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/psad.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/psad.te 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,107 @@ +policy_module(psad,1.0.0) + @@ -18506,9 +17889,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +permissive psad_t; + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.8/policy/modules/services/pyzor.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.9/policy/modules/services/pyzor.fc --- nsaserefpolicy/policy/modules/services/pyzor.fc 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/pyzor.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/pyzor.fc 2009-03-12 11:23:09.000000000 -0400 @@ -1,6 +1,8 @@ /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) +/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0) @@ -18518,9 +17901,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.6.8/policy/modules/services/pyzor.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.6.9/policy/modules/services/pyzor.if --- nsaserefpolicy/policy/modules/services/pyzor.if 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/pyzor.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/pyzor.if 2009-03-12 11:23:09.000000000 -0400 @@ -88,3 +88,50 @@ corecmd_search_bin($1) can_exec($1, pyzor_exec_t) @@ -18572,9 +17955,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.8/policy/modules/services/pyzor.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.9/policy/modules/services/pyzor.te --- nsaserefpolicy/policy/modules/services/pyzor.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/pyzor.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/pyzor.te 2009-03-12 11:23:09.000000000 -0400 @@ -6,6 +6,38 @@ # Declarations # @@ -18631,9 +18014,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_search_user_home_dirs(pyzor_t) optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.6.8/policy/modules/services/radvd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.6.9/policy/modules/services/radvd.te --- nsaserefpolicy/policy/modules/services/radvd.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/radvd.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/radvd.te 2009-03-12 11:23:09.000000000 -0400 @@ -22,7 +22,7 @@ # # Local policy @@ -18643,9 +18026,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit radvd_t self:capability sys_tty_config; allow radvd_t self:process signal_perms; allow radvd_t self:unix_dgram_socket create_socket_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.8/policy/modules/services/razor.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.9/policy/modules/services/razor.if --- nsaserefpolicy/policy/modules/services/razor.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/razor.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/razor.if 2009-03-12 11:23:09.000000000 -0400 @@ -157,3 +157,45 @@ domtrans_pattern($1, razor_exec_t, razor_t) @@ -18692,9 +18075,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + read_files_pattern($1, razor_var_lib_t, razor_var_lib_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.6.8/policy/modules/services/razor.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.6.9/policy/modules/services/razor.te --- nsaserefpolicy/policy/modules/services/razor.te 2009-01-19 11:07:32.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/razor.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/razor.te 2009-03-12 11:23:09.000000000 -0400 @@ -6,6 +6,32 @@ # Declarations # @@ -18734,9 +18117,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') + +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.8/policy/modules/services/ricci.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.9/policy/modules/services/ricci.te --- nsaserefpolicy/policy/modules/services/ricci.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/ricci.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/ricci.te 2009-03-12 11:23:09.000000000 -0400 @@ -133,6 +133,8 @@ dev_read_urand(ricci_t) @@ -18841,9 +18224,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ccs_stream_connect(ricci_modstorage_t) ccs_read_config(ricci_modstorage_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.6.8/policy/modules/services/rlogin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.6.9/policy/modules/services/rlogin.te --- nsaserefpolicy/policy/modules/services/rlogin.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/rlogin.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/rlogin.te 2009-03-12 11:23:09.000000000 -0400 @@ -91,10 +91,22 @@ remotelogin_signal(rlogind_t) @@ -18869,9 +18252,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_read_cifs_files(rlogind_t) + fs_read_cifs_symlinks(rlogind_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.fc serefpolicy-3.6.8/policy/modules/services/rpc.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.fc serefpolicy-3.6.9/policy/modules/services/rpc.fc --- nsaserefpolicy/policy/modules/services/rpc.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/rpc.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/rpc.fc 2009-03-12 11:23:09.000000000 -0400 @@ -13,6 +13,7 @@ # /usr # @@ -18880,9 +18263,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0) /usr/sbin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0) /usr/sbin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.8/policy/modules/services/rpc.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.9/policy/modules/services/rpc.if --- nsaserefpolicy/policy/modules/services/rpc.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/rpc.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/rpc.if 2009-03-12 11:23:09.000000000 -0400 @@ -88,8 +88,11 @@ # bind to arbitary unused ports corenet_tcp_bind_generic_port($1_t) @@ -18945,9 +18328,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_search_var_lib($1) + manage_files_pattern($1,var_lib_nfs_t,var_lib_nfs_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.8/policy/modules/services/rpc.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.9/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2009-03-02 16:51:45.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/rpc.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/rpc.te 2009-03-12 11:23:09.000000000 -0400 @@ -23,7 +23,7 @@ gen_tunable(allow_nfsd_anon_write, false) @@ -19011,9 +18394,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.6.8/policy/modules/services/rshd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.6.9/policy/modules/services/rshd.te --- nsaserefpolicy/policy/modules/services/rshd.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/rshd.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/rshd.te 2009-03-12 11:23:09.000000000 -0400 @@ -51,7 +51,7 @@ files_list_home(rshd_t) @@ -19023,9 +18406,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_login_pgm_domain(rshd_t) auth_write_login_records(rshd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.8/policy/modules/services/rsync.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.9/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/rsync.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/rsync.te 2009-03-12 11:23:09.000000000 -0400 @@ -119,5 +119,9 @@ tunable_policy(`rsync_export_all_ro',` @@ -19036,9 +18419,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + auth_tunable_read_shadow(rsync_t) ') +auth_can_read_shadow_passwords(rsync_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.8/policy/modules/services/samba.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.9/policy/modules/services/samba.fc --- nsaserefpolicy/policy/modules/services/samba.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/samba.fc 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/samba.fc 2009-03-12 11:23:09.000000000 -0400 @@ -2,6 +2,9 @@ # # /etc @@ -19065,9 +18448,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +ifndef(`enable_mls',` +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.6.8/policy/modules/services/samba.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.6.9/policy/modules/services/samba.if --- nsaserefpolicy/policy/modules/services/samba.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/samba.if 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/samba.if 2009-03-12 11:23:09.000000000 -0400 @@ -4,6 +4,45 @@ ## from Windows NT servers. ## @@ -19465,9 +18848,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, samba_unconfined_script_exec_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.8/policy/modules/services/samba.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.9/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/samba.te 2009-03-10 08:25:54.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/samba.te 2009-03-12 11:23:09.000000000 -0400 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) @@ -19927,9 +19310,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow winbind_t smbcontrol_t:process signal; + +allow smbcontrol_t nmbd_var_run_t:file { read lock }; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.6.8/policy/modules/services/sasl.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.6.9/policy/modules/services/sasl.te --- nsaserefpolicy/policy/modules/services/sasl.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/sasl.te 2009-03-10 11:54:49.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/sasl.te 2009-03-12 11:23:09.000000000 -0400 @@ -99,6 +99,7 @@ optional_policy(` @@ -19949,9 +19332,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(saslauthd_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.8/policy/modules/services/sendmail.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.9/policy/modules/services/sendmail.if --- nsaserefpolicy/policy/modules/services/sendmail.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/sendmail.if 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/sendmail.if 2009-03-12 11:23:09.000000000 -0400 @@ -149,3 +149,92 @@ logging_log_filetrans($1, sendmail_log_t, file) @@ -20045,9 +19428,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 sendmail_t:fifo_file rw_fifo_file_perms; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.8/policy/modules/services/sendmail.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.9/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/sendmail.te 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/sendmail.te 2009-03-12 11:23:09.000000000 -0400 @@ -20,13 +20,17 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -20215,18 +19598,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl }; -') dnl end TODO -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.6.8/policy/modules/services/setroubleshoot.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.6.9/policy/modules/services/setroubleshoot.fc --- nsaserefpolicy/policy/modules/services/setroubleshoot.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/setroubleshoot.fc 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/setroubleshoot.fc 2009-03-12 11:23:09.000000000 -0400 @@ -1,3 +1,5 @@ +/etc/rc\.d/init\.d/setroubleshoot -- gen_context(system_u:object_r:setroubleshoot_initrc_exec_t,s0) + /usr/sbin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0) /var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.6.8/policy/modules/services/setroubleshoot.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.6.9/policy/modules/services/setroubleshoot.if --- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/setroubleshoot.if 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/setroubleshoot.if 2009-03-12 11:23:09.000000000 -0400 @@ -16,8 +16,8 @@ ') @@ -20309,9 +19692,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_list_pids($1) + admin_pattern($1, setroubleshoot_var_run_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.8/policy/modules/services/setroubleshoot.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.9/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/setroubleshoot.te 2009-03-10 16:10:06.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/setroubleshoot.te 2009-03-12 11:23:09.000000000 -0400 @@ -11,6 +11,9 @@ domain_type(setroubleshootd_t) init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) @@ -20397,9 +19780,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpm_read_db(setroubleshootd_t) rpm_dontaudit_manage_db(setroubleshootd_t) rpm_use_script_fds(setroubleshootd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.8/policy/modules/services/smartmon.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.9/policy/modules/services/smartmon.te --- nsaserefpolicy/policy/modules/services/smartmon.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/smartmon.te 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/smartmon.te 2009-03-12 11:23:09.000000000 -0400 @@ -19,6 +19,10 @@ type fsdaemon_tmp_t; files_tmp_file(fsdaemon_tmp_t) @@ -20457,9 +19840,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.6.8/policy/modules/services/snmp.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.6.9/policy/modules/services/snmp.fc --- nsaserefpolicy/policy/modules/services/snmp.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/snmp.fc 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/snmp.fc 2009-03-12 11:23:09.000000000 -0400 @@ -20,5 +20,5 @@ /var/net-snmp(/.*) gen_context(system_u:object_r:snmpd_var_lib_t,s0) @@ -20467,9 +19850,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/var/run/snmpd -d gen_context(system_u:object_r:snmpd_var_run_t,s0) +/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.8/policy/modules/services/snmp.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.9/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/snmp.te 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/snmp.te 2009-03-12 11:23:09.000000000 -0400 @@ -71,6 +71,7 @@ corenet_tcp_bind_snmp_port(snmpd_t) corenet_udp_bind_snmp_port(snmpd_t) @@ -20478,9 +19861,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_list_sysfs(snmpd_t) dev_read_sysfs(snmpd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.6.8/policy/modules/services/snort.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.6.9/policy/modules/services/snort.te --- nsaserefpolicy/policy/modules/services/snort.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/snort.te 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/snort.te 2009-03-12 11:23:09.000000000 -0400 @@ -56,6 +56,7 @@ files_pid_filetrans(snort_t, snort_var_run_t, file) @@ -20511,9 +19894,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` seutil_sigchld_newrole(snort_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.8/policy/modules/services/spamassassin.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.9/policy/modules/services/spamassassin.fc --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2008-11-25 09:01:08.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/spamassassin.fc 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/spamassassin.fc 2009-03-12 11:23:09.000000000 -0400 @@ -1,15 +1,24 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) @@ -20542,9 +19925,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) +/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) +/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.8/policy/modules/services/spamassassin.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.9/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/spamassassin.if 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/spamassassin.if 2009-03-12 11:23:09.000000000 -0400 @@ -111,6 +111,7 @@ ') @@ -20631,9 +20014,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_list_pids($1) + admin_pattern($1, spamd_var_run_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.8/policy/modules/services/spamassassin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.9/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/spamassassin.te 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/spamassassin.te 2009-03-12 11:23:09.000000000 -0400 @@ -20,6 +20,35 @@ ## gen_tunable(spamd_enable_home_dirs, true) @@ -20892,9 +20275,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.6.8/policy/modules/services/squid.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.6.9/policy/modules/services/squid.fc --- nsaserefpolicy/policy/modules/services/squid.fc 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/squid.fc 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/squid.fc 2009-03-12 11:23:09.000000000 -0400 @@ -6,7 +6,11 @@ /usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0) /usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) @@ -20907,9 +20290,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + /var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0) /var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.6.8/policy/modules/services/squid.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.6.9/policy/modules/services/squid.if --- nsaserefpolicy/policy/modules/services/squid.if 2008-11-11 16:13:45.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/squid.if 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/squid.if 2009-03-12 11:23:09.000000000 -0400 @@ -21,6 +21,25 @@ ######################################## @@ -20936,9 +20319,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send generic signals to squid. ## ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.8/policy/modules/services/squid.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.9/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/squid.te 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/squid.te 2009-03-12 11:23:09.000000000 -0400 @@ -118,6 +118,9 @@ fs_getattr_all_fs(squid_t) @@ -20958,18 +20341,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -#squid requires the following when run in diskd mode, the recommended setting -allow squid_t tmpfs_t:file { read write }; -') dnl end TODO -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.6.8/policy/modules/services/ssh.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.6.9/policy/modules/services/ssh.fc --- nsaserefpolicy/policy/modules/services/ssh.fc 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/ssh.fc 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/ssh.fc 2009-03-12 11:23:09.000000000 -0400 @@ -14,3 +14,5 @@ /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) /var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) + +/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.8/policy/modules/services/ssh.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.9/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/ssh.if 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/ssh.if 2009-03-12 11:23:09.000000000 -0400 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -21198,9 +20581,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + can_exec($1, ssh_agent_exec_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.8/policy/modules/services/ssh.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.9/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/ssh.te 2009-03-11 14:25:03.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/ssh.te 2009-03-12 11:23:09.000000000 -0400 @@ -41,6 +41,9 @@ files_tmp_file(sshd_tmp_t) files_poly_parent(sshd_tmp_t) @@ -21368,9 +20751,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.8/policy/modules/services/sssd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.9/policy/modules/services/sssd.fc --- nsaserefpolicy/policy/modules/services/sssd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/sssd.fc 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/sssd.fc 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,6 @@ + +/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0) @@ -21378,9 +20761,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/rc.d/init.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0) +/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) +/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.8/policy/modules/services/sssd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.9/policy/modules/services/sssd.if --- nsaserefpolicy/policy/modules/services/sssd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/sssd.if 2009-03-10 09:54:45.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/sssd.if 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,249 @@ + +## policy for sssd @@ -21631,9 +21014,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.8/policy/modules/services/sssd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.9/policy/modules/services/sssd.te --- nsaserefpolicy/policy/modules/services/sssd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/sssd.te 2009-03-10 19:51:47.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/sssd.te 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,63 @@ +policy_module(sssd,1.0.0) + @@ -21698,9 +21081,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dbus_system_bus_client(sssd_t) + dbus_connect_system_bus(sssd_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.fc serefpolicy-3.6.8/policy/modules/services/stunnel.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.fc serefpolicy-3.6.9/policy/modules/services/stunnel.fc --- nsaserefpolicy/policy/modules/services/stunnel.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/stunnel.fc 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/stunnel.fc 2009-03-12 11:23:09.000000000 -0400 @@ -2,5 +2,6 @@ /etc/stunnel(/.*)? gen_context(system_u:object_r:stunnel_etc_t,s0) @@ -21708,9 +21091,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/bin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0) /var/run/stunnel(/.*)? gen_context(system_u:object_r:stunnel_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-3.6.8/policy/modules/services/stunnel.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-3.6.9/policy/modules/services/stunnel.te --- nsaserefpolicy/policy/modules/services/stunnel.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/stunnel.te 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/stunnel.te 2009-03-12 11:23:09.000000000 -0400 @@ -54,6 +54,8 @@ kernel_read_system_state(stunnel_t) kernel_read_network_state(stunnel_t) @@ -21728,9 +21111,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_search_home(stunnel_t) optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.fc serefpolicy-3.6.8/policy/modules/services/sysstat.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.fc serefpolicy-3.6.9/policy/modules/services/sysstat.fc --- nsaserefpolicy/policy/modules/services/sysstat.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/sysstat.fc 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/sysstat.fc 2009-03-12 11:23:09.000000000 -0400 @@ -1,6 +1,6 @@ /usr/lib(64)?/atsar/atsa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0) @@ -21739,9 +21122,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/sysstat/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0) /var/log/atsar(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.6.8/policy/modules/services/sysstat.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.6.9/policy/modules/services/sysstat.te --- nsaserefpolicy/policy/modules/services/sysstat.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/sysstat.te 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/sysstat.te 2009-03-12 11:23:09.000000000 -0400 @@ -19,13 +19,14 @@ # Local policy # @@ -21758,9 +21141,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir }) # get info from /proc -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.6.8/policy/modules/services/tor.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.6.9/policy/modules/services/tor.te --- nsaserefpolicy/policy/modules/services/tor.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/tor.te 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/tor.te 2009-03-12 11:23:09.000000000 -0400 @@ -34,7 +34,7 @@ # tor local policy # @@ -21770,9 +21153,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow tor_t self:fifo_file rw_fifo_file_perms; allow tor_t self:unix_stream_socket create_stream_socket_perms; allow tor_t self:netlink_route_socket r_netlink_socket_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.fc serefpolicy-3.6.8/policy/modules/services/ulogd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.fc serefpolicy-3.6.9/policy/modules/services/ulogd.fc --- nsaserefpolicy/policy/modules/services/ulogd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/ulogd.fc 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/ulogd.fc 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,10 @@ + +/etc/rc\.d/init\.d/ulogd -- gen_context(system_u:object_r:ulogd_initrc_exec_t,s0) @@ -21784,9 +21167,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/sbin/ulogd -- gen_context(system_u:object_r:ulogd_exec_t,s0) + +/var/log/ulogd(/.*)? gen_context(system_u:object_r:ulogd_var_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.if serefpolicy-3.6.8/policy/modules/services/ulogd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.if serefpolicy-3.6.9/policy/modules/services/ulogd.if --- nsaserefpolicy/policy/modules/services/ulogd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/ulogd.if 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/ulogd.if 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,127 @@ +## policy for ulogd + @@ -21915,9 +21298,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_search_usr($1) + admin_pattern($1, ulogd_modules_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.te serefpolicy-3.6.8/policy/modules/services/ulogd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.te serefpolicy-3.6.9/policy/modules/services/ulogd.te --- nsaserefpolicy/policy/modules/services/ulogd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/ulogd.te 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/ulogd.te 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,51 @@ +policy_module(ulogd,1.0.0) + @@ -21970,18 +21353,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +miscfiles_read_localization(ulogd_t) + +permissive ulogd_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.fc serefpolicy-3.6.8/policy/modules/services/uucp.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.fc serefpolicy-3.6.9/policy/modules/services/uucp.fc --- nsaserefpolicy/policy/modules/services/uucp.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/uucp.fc 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/uucp.fc 2009-03-12 11:23:09.000000000 -0400 @@ -7,3 +7,5 @@ /var/spool/uucppublic(/.*)? gen_context(system_u:object_r:uucpd_spool_t,s0) /var/log/uucp(/.*)? gen_context(system_u:object_r:uucpd_log_t,s0) + +/var/lock/uucp(/.*)? gen_context(system_u:object_r:uucpd_lock_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.8/policy/modules/services/uucp.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.9/policy/modules/services/uucp.te --- nsaserefpolicy/policy/modules/services/uucp.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/uucp.te 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/uucp.te 2009-03-12 11:23:09.000000000 -0400 @@ -10,6 +10,9 @@ inetd_tcp_service_domain(uucpd_t, uucpd_exec_t) role system_r types uucpd_t; @@ -22011,9 +21394,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.8/policy/modules/services/virt.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.9/policy/modules/services/virt.fc --- nsaserefpolicy/policy/modules/services/virt.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/virt.fc 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/virt.fc 2009-03-12 11:23:09.000000000 -0400 @@ -8,5 +8,14 @@ /var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) @@ -22029,9 +21412,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0) + +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.8/policy/modules/services/virt.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.9/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/virt.if 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/virt.if 2009-03-12 11:23:09.000000000 -0400 @@ -2,28 +2,6 @@ ######################################## @@ -22177,9 +21560,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.8/policy/modules/services/virt.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.9/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/virt.te 2009-03-11 14:44:45.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/virt.te 2009-03-12 11:23:09.000000000 -0400 @@ -8,20 +8,18 @@ ## @@ -22340,7 +21723,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -167,22 +215,33 @@ +@@ -167,22 +215,34 @@ dnsmasq_domtrans(virtd_t) dnsmasq_signal(virtd_t) dnsmasq_kill(virtd_t) @@ -22359,15 +21742,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + kerberos_keytab_template(virtd, virtd_t) +') -+ -+optional_policy(` -+ lvm_domtrans(virtd_t) -+') optional_policy(` - qemu_domtrans(virtd_t) ++ lvm_domtrans(virtd_t) ++') ++ ++optional_policy(` + polkit_domtrans_auth(virtd_t) + polkit_domtrans_resolve(virtd_t) ++ polkit_read_lib(virtd_t) +') + +optional_policy(` @@ -22379,7 +21763,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -198,5 +257,72 @@ +@@ -198,5 +258,73 @@ ') optional_policy(` @@ -22416,6 +21800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +storage_raw_read_removable_device(svirt_t) + +userdom_search_user_home_content(svirt_t) ++userdom_read_all_users_state(svirt_t) + +append_files_pattern(svirt_t, virt_log_t, virt_log_t) + @@ -22453,9 +21838,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + xen_rw_image_files(svirt_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.6.8/policy/modules/services/w3c.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.6.9/policy/modules/services/w3c.te --- nsaserefpolicy/policy/modules/services/w3c.te 2008-08-25 09:12:31.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/services/w3c.te 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/w3c.te 2009-03-12 11:23:09.000000000 -0400 @@ -8,11 +8,18 @@ apache_content_template(w3c_validator) @@ -22475,9 +21860,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t) corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t) corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.8/policy/modules/services/xserver.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.9/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/xserver.fc 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/xserver.fc 2009-03-12 11:23:09.000000000 -0400 @@ -3,12 +3,16 @@ # HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) @@ -22545,9 +21930,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_suse',` /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.8/policy/modules/services/xserver.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.9/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/xserver.if 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/xserver.if 2009-03-12 11:23:09.000000000 -0400 @@ -90,7 +90,7 @@ allow $2 xauth_home_t:file manage_file_perms; allow $2 xauth_home_t:file { relabelfrom relabelto }; @@ -23173,9 +22558,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow xdm_t $1:dbus send_msg; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.8/policy/modules/services/xserver.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.9/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/xserver.te 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/xserver.te 2009-03-12 11:23:09.000000000 -0400 @@ -34,6 +34,13 @@ ## @@ -23886,15 +23271,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -# -allow xdm_t user_home_type:file unlink; -') dnl end TODO -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.fc serefpolicy-3.6.8/policy/modules/services/zosremote.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.fc serefpolicy-3.6.9/policy/modules/services/zosremote.fc --- nsaserefpolicy/policy/modules/services/zosremote.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/zosremote.fc 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/zosremote.fc 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,2 @@ + +/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.if serefpolicy-3.6.8/policy/modules/services/zosremote.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.if serefpolicy-3.6.9/policy/modules/services/zosremote.if --- nsaserefpolicy/policy/modules/services/zosremote.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/zosremote.if 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/zosremote.if 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,46 @@ +## policy for z/OS Remote-services Audit dispatcher plugin + @@ -23942,9 +23327,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + zos_remote_domtrans($1) + role $2 types zos_remote_t; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.te serefpolicy-3.6.8/policy/modules/services/zosremote.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.te serefpolicy-3.6.9/policy/modules/services/zosremote.te --- nsaserefpolicy/policy/modules/services/zosremote.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/services/zosremote.te 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/services/zosremote.te 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,33 @@ +policy_module(zosremote,1.0.0) + @@ -23979,9 +23364,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +miscfiles_read_localization(zos_remote_t) + +logging_send_syslog_msg(zos_remote_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.8/policy/modules/system/application.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.9/policy/modules/system/application.te --- nsaserefpolicy/policy/modules/system/application.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/system/application.te 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/application.te 2009-03-12 11:23:09.000000000 -0400 @@ -7,8 +7,18 @@ # Executables to be run by user attribute application_exec_type; @@ -24001,9 +23386,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + sudo_sigchld(application_domain_type) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.6.8/policy/modules/system/authlogin.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.6.9/policy/modules/system/authlogin.fc --- nsaserefpolicy/policy/modules/system/authlogin.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/system/authlogin.fc 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/authlogin.fc 2009-03-12 11:23:09.000000000 -0400 @@ -7,12 +7,10 @@ /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) @@ -24030,9 +23415,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) + +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.8/policy/modules/system/authlogin.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.9/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/authlogin.if 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/authlogin.if 2009-03-12 11:23:09.000000000 -0400 @@ -43,20 +43,38 @@ interface(`auth_login_pgm_domain',` gen_require(` @@ -24369,9 +23754,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_var_filetrans($1,auth_cache_t,{ file dir } ) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.8/policy/modules/system/authlogin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.9/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/authlogin.te 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/authlogin.te 2009-03-12 11:23:09.000000000 -0400 @@ -12,7 +12,7 @@ type chkpwd_t, can_read_shadow_passwords; @@ -24451,9 +23836,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_urand(pam_console_t) mls_file_read_all_levels(pam_console_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.8/policy/modules/system/fstools.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.9/policy/modules/system/fstools.fc --- nsaserefpolicy/policy/modules/system/fstools.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/system/fstools.fc 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/fstools.fc 2009-03-12 11:23:09.000000000 -0400 @@ -1,4 +1,3 @@ -/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) @@ -24467,9 +23852,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.6.8/policy/modules/system/fstools.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.6.9/policy/modules/system/fstools.te --- nsaserefpolicy/policy/modules/system/fstools.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/fstools.te 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/fstools.te 2009-03-12 11:23:09.000000000 -0400 @@ -97,6 +97,10 @@ fs_getattr_tmpfs_dirs(fsadm_t) fs_read_tmpfs_symlinks(fsadm_t) @@ -24501,9 +23886,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + unconfined_domain(fsadm_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.6.8/policy/modules/system/hostname.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.6.9/policy/modules/system/hostname.te --- nsaserefpolicy/policy/modules/system/hostname.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/hostname.te 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/hostname.te 2009-03-12 11:23:09.000000000 -0400 @@ -8,7 +8,9 @@ type hostname_t; @@ -24515,9 +23900,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol role system_r types hostname_t; ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.8/policy/modules/system/init.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.9/policy/modules/system/init.fc --- nsaserefpolicy/policy/modules/system/init.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/init.fc 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/init.fc 2009-03-12 11:23:09.000000000 -0400 @@ -4,8 +4,7 @@ /etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) @@ -24537,9 +23922,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /var # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.8/policy/modules/system/init.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.9/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/init.if 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/init.if 2009-03-12 11:23:09.000000000 -0400 @@ -280,6 +280,27 @@ kernel_dontaudit_use_fds($1) ') @@ -24727,9 +24112,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 init_t:unix_dgram_socket sendto; + allow init_t $1:unix_dgram_socket sendto; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.8/policy/modules/system/init.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.9/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/init.te 2009-03-11 11:57:43.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/init.te 2009-03-12 11:23:09.000000000 -0400 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart,false) @@ -25024,9 +24409,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + xserver_rw_xdm_home_files(daemon) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.6.8/policy/modules/system/ipsec.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.6.9/policy/modules/system/ipsec.fc --- nsaserefpolicy/policy/modules/system/ipsec.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/system/ipsec.fc 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/ipsec.fc 2009-03-12 11:23:09.000000000 -0400 @@ -16,6 +16,8 @@ /usr/lib(64)?/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/lib(64)?/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) @@ -25044,9 +24429,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0) /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.8/policy/modules/system/ipsec.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.9/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/ipsec.te 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/ipsec.te 2009-03-12 11:23:09.000000000 -0400 @@ -55,11 +55,12 @@ allow ipsec_t self:capability { net_admin dac_override dac_read_search }; @@ -25163,17 +24548,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow setkey_t self:netlink_route_socket create_netlink_socket_perms; allow setkey_t ipsec_conf_file_t:dir list_dir_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.8/policy/modules/system/iptables.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.9/policy/modules/system/iptables.fc --- nsaserefpolicy/policy/modules/system/iptables.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/system/iptables.fc 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/iptables.fc 2009-03-12 11:23:09.000000000 -0400 @@ -6,3 +6,4 @@ /usr/sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) /usr/sbin/iptables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) +/var/lib/shorewall(/.*)? -- gen_context(system_u:object_r:iptables_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.8/policy/modules/system/iptables.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.9/policy/modules/system/iptables.te --- nsaserefpolicy/policy/modules/system/iptables.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/iptables.te 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/iptables.te 2009-03-12 11:23:09.000000000 -0400 @@ -22,12 +22,12 @@ # Iptables local policy # @@ -25197,9 +24582,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(iptables_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.8/policy/modules/system/iscsi.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.9/policy/modules/system/iscsi.te --- nsaserefpolicy/policy/modules/system/iscsi.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/iscsi.te 2009-03-10 15:47:16.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/iscsi.te 2009-03-12 11:23:09.000000000 -0400 @@ -28,7 +28,7 @@ # iscsid local policy # @@ -25235,9 +24620,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -sysnet_dns_name_resolve(iscsid_t) +miscfiles_read_localization(iscsid_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.8/policy/modules/system/libraries.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.9/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/libraries.fc 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/libraries.fc 2009-03-12 11:23:09.000000000 -0400 @@ -60,12 +60,15 @@ # # /opt @@ -25417,9 +24802,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.8/policy/modules/system/libraries.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.9/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/libraries.te 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/libraries.te 2009-03-12 11:23:09.000000000 -0400 @@ -52,11 +52,11 @@ # ldconfig local policy # @@ -25476,9 +24861,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + unconfined_domain(ldconfig_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.8/policy/modules/system/locallogin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.9/policy/modules/system/locallogin.te --- nsaserefpolicy/policy/modules/system/locallogin.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/locallogin.te 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/locallogin.te 2009-03-12 11:23:09.000000000 -0400 @@ -67,6 +67,7 @@ dev_setattr_power_mgmt_dev(local_login_t) dev_getattr_sound_dev(local_login_t) @@ -25553,9 +24938,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -optional_policy(` - nscd_socket_use(sulogin_t) -') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.8/policy/modules/system/logging.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.9/policy/modules/system/logging.fc --- nsaserefpolicy/policy/modules/system/logging.fc 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/system/logging.fc 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/logging.fc 2009-03-12 11:23:09.000000000 -0400 @@ -53,15 +53,18 @@ /var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0) ') @@ -25579,9 +24964,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.8/policy/modules/system/logging.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.9/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/logging.if 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/logging.if 2009-03-12 11:23:09.000000000 -0400 @@ -623,7 +623,7 @@ ') @@ -25600,9 +24985,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.8/policy/modules/system/logging.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.9/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/logging.te 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/logging.te 2009-03-12 11:23:09.000000000 -0400 @@ -126,7 +126,7 @@ allow auditd_t self:process { signal_perms setpgid setsched }; allow auditd_t self:file rw_file_perms; @@ -25695,9 +25080,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.6.8/policy/modules/system/lvm.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.6.9/policy/modules/system/lvm.fc --- nsaserefpolicy/policy/modules/system/lvm.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/system/lvm.fc 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/lvm.fc 2009-03-12 11:23:09.000000000 -0400 @@ -55,6 +55,7 @@ /sbin/lvs -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvscan -- gen_context(system_u:object_r:lvm_exec_t,s0) @@ -25711,9 +25096,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0) /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0) +/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.8/policy/modules/system/lvm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.9/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/lvm.te 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/lvm.te 2009-03-12 11:23:09.000000000 -0400 @@ -10,6 +10,9 @@ type clvmd_exec_t; init_daemon_domain(clvmd_t,clvmd_exec_t) @@ -25920,9 +25305,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xen_append_log(lvm_t) + xen_dontaudit_rw_unix_stream_sockets(lvm_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.6.8/policy/modules/system/miscfiles.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.6.9/policy/modules/system/miscfiles.fc --- nsaserefpolicy/policy/modules/system/miscfiles.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/system/miscfiles.fc 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/miscfiles.fc 2009-03-12 11:23:09.000000000 -0400 @@ -35,6 +35,7 @@ /usr/lib(64)?/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0) @@ -25931,9 +25316,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/local/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.8/policy/modules/system/miscfiles.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.9/policy/modules/system/miscfiles.if --- nsaserefpolicy/policy/modules/system/miscfiles.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/system/miscfiles.if 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/miscfiles.if 2009-03-12 11:23:09.000000000 -0400 @@ -23,6 +23,45 @@ ######################################## @@ -25989,9 +25374,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit $1 fonts_t:file write; ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.8/policy/modules/system/modutils.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.9/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/modutils.te 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/modutils.te 2009-03-12 11:23:09.000000000 -0400 @@ -42,7 +42,7 @@ # insmod local policy # @@ -26104,9 +25489,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ################################# -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.6.8/policy/modules/system/mount.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.6.9/policy/modules/system/mount.fc --- nsaserefpolicy/policy/modules/system/mount.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/system/mount.fc 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/mount.fc 2009-03-12 11:23:09.000000000 -0400 @@ -1,4 +1,6 @@ /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) @@ -26115,9 +25500,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) /usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.8/policy/modules/system/mount.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.9/policy/modules/system/mount.if --- nsaserefpolicy/policy/modules/system/mount.if 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/mount.if 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/mount.if 2009-03-12 11:23:09.000000000 -0400 @@ -43,9 +43,11 @@ mount_domtrans($1) @@ -26153,9 +25538,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 mount_t:process signal; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.8/policy/modules/system/mount.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.9/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/mount.te 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/mount.te 2009-03-12 11:23:09.000000000 -0400 @@ -18,17 +18,18 @@ init_system_domain(mount_t,mount_exec_t) role system_r types mount_t; @@ -26375,9 +25760,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + hal_rw_pipes(mount_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.6.8/policy/modules/system/raid.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.6.9/policy/modules/system/raid.te --- nsaserefpolicy/policy/modules/system/raid.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/raid.te 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/raid.te 2009-03-12 11:23:09.000000000 -0400 @@ -39,6 +39,7 @@ dev_dontaudit_getattr_generic_files(mdadm_t) dev_dontaudit_getattr_generic_chr_files(mdadm_t) @@ -26386,9 +25771,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_search_auto_mountpoints(mdadm_t) fs_dontaudit_list_tmpfs(mdadm_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.6.8/policy/modules/system/selinuxutil.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.6.9/policy/modules/system/selinuxutil.fc --- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/system/selinuxutil.fc 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/selinuxutil.fc 2009-03-12 11:23:09.000000000 -0400 @@ -6,13 +6,13 @@ /etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0) /etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0) @@ -26427,9 +25812,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.8/policy/modules/system/selinuxutil.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.9/policy/modules/system/selinuxutil.if --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/selinuxutil.if 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/selinuxutil.if 2009-03-12 11:23:09.000000000 -0400 @@ -535,6 +535,53 @@ ######################################## @@ -26818,9 +26203,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + hotplug_use_fds($1) +') +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.8/policy/modules/system/selinuxutil.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.9/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/selinuxutil.te 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/selinuxutil.te 2009-03-12 11:23:09.000000000 -0400 @@ -23,6 +23,9 @@ type selinux_config_t; files_type(selinux_config_t) @@ -27192,9 +26577,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - hotplug_use_fds(setfiles_t) + unconfined_domain(setfiles_mac_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.6.8/policy/modules/system/setrans.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.6.9/policy/modules/system/setrans.if --- nsaserefpolicy/policy/modules/system/setrans.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/system/setrans.if 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/setrans.if 2009-03-12 11:23:09.000000000 -0400 @@ -21,3 +21,23 @@ stream_connect_pattern($1,setrans_var_run_t,setrans_var_run_t,setrans_t) files_list_pids($1) @@ -27219,9 +26604,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + init_labeled_script_domtrans($1, setrans_initrc_exec_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.6.8/policy/modules/system/sysnetwork.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.6.9/policy/modules/system/sysnetwork.fc --- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/system/sysnetwork.fc 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/sysnetwork.fc 2009-03-12 11:23:09.000000000 -0400 @@ -11,8 +11,12 @@ /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0) @@ -27250,9 +26635,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') + +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.8/policy/modules/system/sysnetwork.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.9/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/sysnetwork.if 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/sysnetwork.if 2009-03-12 11:23:09.000000000 -0400 @@ -43,6 +43,39 @@ sysnet_domtrans_dhcpc($1) @@ -27421,9 +26806,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + role_transition $1 dhcpc_exec_t system_r; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.8/policy/modules/system/sysnetwork.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.9/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/sysnetwork.te 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/sysnetwork.te 2009-03-12 11:23:09.000000000 -0400 @@ -20,6 +20,9 @@ init_daemon_domain(dhcpc_t,dhcpc_exec_t) role system_r types dhcpc_t; @@ -27607,18 +26992,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_xen_state(ifconfig_t) kernel_write_xen_state(ifconfig_t) xen_append_log(ifconfig_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.6.8/policy/modules/system/udev.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.6.9/policy/modules/system/udev.fc --- nsaserefpolicy/policy/modules/system/udev.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/udev.fc 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/udev.fc 2009-03-12 11:23:09.000000000 -0400 @@ -17,3 +17,5 @@ /sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0) /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0) + +/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.6.8/policy/modules/system/udev.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.6.9/policy/modules/system/udev.if --- nsaserefpolicy/policy/modules/system/udev.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/system/udev.if 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/udev.if 2009-03-12 11:23:09.000000000 -0400 @@ -20,6 +20,24 @@ ######################################## @@ -27697,9 +27082,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - allow $1 udev_tdb_t:file rw_file_perms; + allow $1 udev_tbl_t:file rw_file_perms; ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.8/policy/modules/system/udev.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.9/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2009-03-02 16:51:45.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/udev.te 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/udev.te 2009-03-12 11:23:09.000000000 -0400 @@ -55,6 +55,7 @@ can_exec(udev_t, udev_exec_t) @@ -27784,9 +27169,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` xserver_read_xdm_pid(udev_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.6.8/policy/modules/system/unconfined.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.6.9/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-09-11 16:42:49.000000000 -0400 -+++ serefpolicy-3.6.8/policy/modules/system/unconfined.fc 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/unconfined.fc 2009-03-12 11:23:09.000000000 -0400 @@ -2,15 +2,28 @@ # e.g.: # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) @@ -27825,9 +27210,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:execmem_exec_t,s0) + +/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.8/policy/modules/system/unconfined.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.9/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/unconfined.if 2009-03-10 16:09:06.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/unconfined.if 2009-03-12 11:23:09.000000000 -0400 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -28105,9 +27490,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 unconfined_r; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.8/policy/modules/system/unconfined.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.9/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/unconfined.te 2009-03-11 16:24:23.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/unconfined.te 2009-03-12 11:23:09.000000000 -0400 @@ -5,6 +5,35 @@ # # Declarations @@ -28470,9 +27855,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.8/policy/modules/system/userdomain.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.9/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/userdomain.fc 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/userdomain.fc 2009-03-12 11:23:09.000000000 -0400 @@ -1,4 +1,7 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) @@ -28482,9 +27867,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) +/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0) +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.8/policy/modules/system/userdomain.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.9/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/userdomain.if 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/userdomain.if 2009-03-12 11:23:09.000000000 -0400 @@ -30,8 +30,9 @@ ') @@ -30331,9 +29716,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 userdomain:key manage_key_perms; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.8/policy/modules/system/userdomain.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.9/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/userdomain.te 2009-03-10 15:58:19.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/userdomain.te 2009-03-12 11:23:09.000000000 -0400 @@ -8,13 +8,6 @@ ## @@ -30417,14 +29802,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_read_cifs_named_sockets(userhomereader) + fs_read_cifs_named_pipes(userhomereader) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.fc serefpolicy-3.6.8/policy/modules/system/virtual.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.fc serefpolicy-3.6.9/policy/modules/system/virtual.fc --- nsaserefpolicy/policy/modules/system/virtual.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/virtual.fc 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/virtual.fc 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1 @@ +# No application file contexts. -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.if serefpolicy-3.6.8/policy/modules/system/virtual.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.if serefpolicy-3.6.9/policy/modules/system/virtual.if --- nsaserefpolicy/policy/modules/system/virtual.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/virtual.if 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/virtual.if 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,99 @@ +## Virtual machine emulator and virtualizer + @@ -30525,9 +29910,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_lnk_files_pattern($1, virtual_image_type, virtual_image_type) + rw_blk_files_pattern($1, virtual_image_type, virtual_image_type) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.8/policy/modules/system/virtual.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.9/policy/modules/system/virtual.te --- nsaserefpolicy/policy/modules/system/virtual.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/virtual.te 2009-03-11 14:43:06.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/virtual.te 2009-03-12 11:23:09.000000000 -0400 @@ -0,0 +1,80 @@ + +policy_module(virtualization, 1.1.2) @@ -30609,9 +29994,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_read_xdm_pid(virtualdomain) + xserver_rw_shm(virtualdomain) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.6.8/policy/modules/system/xen.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.6.9/policy/modules/system/xen.fc --- nsaserefpolicy/policy/modules/system/xen.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/xen.fc 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/xen.fc 2009-03-12 11:23:09.000000000 -0400 @@ -2,17 +2,10 @@ /usr/bin/virsh -- gen_context(system_u:object_r:xm_exec_t,s0) @@ -30638,9 +30023,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0) /var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.6.8/policy/modules/system/xen.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.6.9/policy/modules/system/xen.if --- nsaserefpolicy/policy/modules/system/xen.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/xen.if 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/xen.if 2009-03-12 11:23:09.000000000 -0400 @@ -167,11 +167,14 @@ # interface(`xen_stream_connect',` @@ -30682,9 +30067,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 xend_var_lib_t:dir search_dir_perms; + rw_files_pattern($1, xen_image_t, xen_image_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.8/policy/modules/system/xen.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.9/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.8/policy/modules/system/xen.te 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/modules/system/xen.te 2009-03-12 11:23:09.000000000 -0400 @@ -6,6 +6,13 @@ # Declarations # @@ -30906,39 +30291,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + unconfined_domain(xend_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.8/policy/support/obj_perm_sets.spt ---- nsaserefpolicy/policy/support/obj_perm_sets.spt 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.6.8/policy/support/obj_perm_sets.spt 2009-03-10 08:25:55.000000000 -0400 -@@ -179,20 +179,20 @@ - # - # Directory (dir) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/ipc_patterns.spt serefpolicy-3.6.9/policy/support/ipc_patterns.spt +--- nsaserefpolicy/policy/support/ipc_patterns.spt 2009-03-12 11:16:47.000000000 -0400 ++++ serefpolicy-3.6.9/policy/support/ipc_patterns.spt 2009-03-12 11:23:09.000000000 -0400 +@@ -3,12 +3,12 @@ # --define(`getattr_dir_perms',`{ getattr }') --define(`setattr_dir_perms',`{ setattr }') --define(`search_dir_perms',`{ getattr search }') -+define(`getattr_dir_perms',`{ getattr open }') -+define(`setattr_dir_perms',`{ setattr open }') -+define(`search_dir_perms',`{ getattr search open }') - define(`list_dir_perms',`{ getattr search open read lock ioctl }') - define(`add_entry_dir_perms',`{ getattr search open lock ioctl write add_name }') - define(`del_entry_dir_perms',`{ getattr search open lock ioctl write remove_name }') - define(`rw_dir_perms', `{ open read getattr lock search ioctl add_name remove_name write }') --define(`create_dir_perms',`{ getattr create }') --define(`rename_dir_perms',`{ getattr rename }') --define(`delete_dir_perms',`{ getattr rmdir }') -+define(`create_dir_perms',`{ getattr create open }') -+define(`rename_dir_perms',`{ getattr rename open }') -+define(`delete_dir_perms',`{ getattr rmdir open }') - define(`manage_dir_perms',`{ create open getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }') --define(`relabelfrom_dir_perms',`{ getattr relabelfrom }') --define(`relabelto_dir_perms',`{ getattr relabelto }') --define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }') -+define(`relabelfrom_dir_perms',`{ getattr open relabelfrom }') -+define(`relabelto_dir_perms',`{ getattr open relabelto }') -+define(`relabel_dir_perms',`{ getattr open relabelfrom relabelto }') - - # - # Regular file (file) + define(`stream_connect_pattern',` + allow $1 $2:dir search_dir_perms; +- allow $1 $3:sock_file write_sock_file_perms; ++ allow $1 $3:sock_file { getattr write }; + allow $1 $4:unix_stream_socket connectto; + ') + + define(`dgram_send_pattern',` + allow $1 $2:dir search_dir_perms; +- allow $1 $3:sock_file write_sock_file_perms; ++ allow $1 $3:sock_file { getattr write }; + allow $1 $4:unix_dgram_socket sendto; + ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.9/policy/support/obj_perm_sets.spt +--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2009-03-12 11:16:47.000000000 -0400 ++++ serefpolicy-3.6.9/policy/support/obj_perm_sets.spt 2009-03-12 11:23:09.000000000 -0400 @@ -225,7 +225,7 @@ define(`create_lnk_file_perms',`{ create getattr }') define(`rename_lnk_file_perms',`{ getattr rename }') @@ -30948,25 +30321,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }') define(`relabelto_lnk_file_perms',`{ getattr relabelto }') define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }') -@@ -252,13 +252,13 @@ - # - define(`getattr_sock_file_perms',`{ getattr }') - define(`setattr_sock_file_perms',`{ setattr }') --define(`read_sock_file_perms',`{ getattr read }') --define(`write_sock_file_perms',`{ getattr write append }') --define(`rw_sock_file_perms',`{ getattr read write append }') --define(`create_sock_file_perms',`{ getattr create }') -+define(`read_sock_file_perms',`{ getattr open read }') -+define(`write_sock_file_perms',`{ getattr write open append }') -+define(`rw_sock_file_perms',`{ getattr open read write append }') -+define(`create_sock_file_perms',`{ getattr create open }') - define(`rename_sock_file_perms',`{ getattr rename }') - define(`delete_sock_file_perms',`{ getattr unlink }') --define(`manage_sock_file_perms',`{ create getattr setattr read write rename link unlink ioctl lock append }') -+define(`manage_sock_file_perms',`{ create open getattr setattr read write rename link unlink ioctl lock append }') - define(`relabelfrom_sock_file_perms',`{ getattr relabelfrom }') - define(`relabelto_sock_file_perms',`{ getattr relabelto }') - define(`relabel_sock_file_perms',`{ getattr relabelfrom relabelto }') @@ -312,3 +312,13 @@ # define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }') @@ -30981,9 +30335,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ') + +define(`manage_key_perms', `{ create link read search setattr view write } ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.8/policy/users +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.9/policy/users --- nsaserefpolicy/policy/users 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.6.8/policy/users 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/policy/users 2009-03-12 11:23:09.000000000 -0400 @@ -25,11 +25,8 @@ # permit any access to such users, then remove this entry. # @@ -31008,9 +30362,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) -') +gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.6.8/Rules.modular +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.6.9/Rules.modular --- nsaserefpolicy/Rules.modular 2008-11-11 16:13:50.000000000 -0500 -+++ serefpolicy-3.6.8/Rules.modular 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/Rules.modular 2009-03-12 11:23:09.000000000 -0400 @@ -73,8 +73,8 @@ $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te @echo "Compliling $(NAME) $(@F) module" @@ -31040,9 +30394,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rul $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.6.8/support/Makefile.devel +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.6.9/support/Makefile.devel --- nsaserefpolicy/support/Makefile.devel 2008-11-11 16:13:50.000000000 -0500 -+++ serefpolicy-3.6.8/support/Makefile.devel 2009-03-10 08:25:55.000000000 -0400 ++++ serefpolicy-3.6.9/support/Makefile.devel 2009-03-12 11:23:09.000000000 -0400 @@ -185,8 +185,7 @@ tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te @$(EINFO) "Compiling $(NAME) $(basename $(@F)) module" diff --git a/selinux-policy.spec b/selinux-policy.spec index 0243b94..d9e6174 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,8 +19,8 @@ %define CHECKPOLICYVER 2.0.16-3 Summary: SELinux policy configuration Name: selinux-policy -Version: 3.6.8 -Release: 4%{?dist} +Version: 3.6.9 +Release: 1%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -186,7 +186,7 @@ fi; %description SELinux Reference Policy - modular. -Based off of reference policy: Checked out revision 2920. +Based off of reference policy: Checked out revision 2925. %build @@ -444,6 +444,9 @@ exit 0 %endif %changelog +* Thu Mar 12 2009 Dan Walsh 3.6.9-1 +- Upgrade to latest upstream + * Tue Mar 10 2009 Dan Walsh 3.6.8-4 - Fixes for iscsid and sssd - More cleanups for upgrade from F10 to Rawhide. diff --git a/sources b/sources index ea29897..ef2f6ed 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -d68d01d807cbfcdf83ace30919af3172 serefpolicy-3.6.8.tgz +42687aff1e3a70d6bae553beae727d95 serefpolicy-3.6.9.tgz