diff --git a/modules-minimum.conf b/modules-minimum.conf
index 12ae763..421ce50 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -226,6 +226,13 @@ certmaster = module
cipe = module
# Layer: services
+# Module: chronyd
+#
+# Daemon for maintaining clock time
+#
+chronyd = module
+
+# Layer: services
# Module: comsat
#
# Comsat, a biff server.
diff --git a/modules-mls.conf b/modules-mls.conf
index 0d7ee17..c6ca21b 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -212,6 +212,13 @@ certwatch = module
certmaster = module
# Layer: services
+# Module: chronyd
+#
+# Daemon for maintaining clock time
+#
+chronyd = module
+
+q# Layer: services
# Module: cipe
#
# Encrypted tunnel daemon
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 12ae763..421ce50 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -226,6 +226,13 @@ certmaster = module
cipe = module
# Layer: services
+# Module: chronyd
+#
+# Daemon for maintaining clock time
+#
+chronyd = module
+
+# Layer: services
# Module: comsat
#
# Comsat, a biff server.
diff --git a/policy-F12.patch b/policy-F12.patch
index ade4d43..5c0b223 100644
--- a/policy-F12.patch
+++ b/policy-F12.patch
@@ -846,8 +846,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+## The Fedora hardware profiler client
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.6.30/policy/modules/admin/smoltclient.te
--- nsaserefpolicy/policy/modules/admin/smoltclient.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.30/policy/modules/admin/smoltclient.te 2009-08-31 13:40:47.000000000 -0400
-@@ -0,0 +1,66 @@
++++ serefpolicy-3.6.30/policy/modules/admin/smoltclient.te 2009-09-08 18:22:33.000000000 -0400
+@@ -0,0 +1,67 @@
+policy_module(smoltclient,1.0.0)
+
+########################################
@@ -883,6 +883,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+kernel_read_network_state(smoltclient_t)
+kernel_read_kernel_sysctls(smoltclient_t)
+
++corecmd_exec_bin(smoltclient_t)
+corecmd_exec_shell(smoltclient_t)
+
+corenet_tcp_connect_http_port(smoltclient_t)
@@ -1096,8 +1097,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.6.30/policy/modules/admin/vbetool.te
--- nsaserefpolicy/policy/modules/admin/vbetool.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/admin/vbetool.te 2009-08-31 13:40:47.000000000 -0400
-@@ -15,15 +15,20 @@
++++ serefpolicy-3.6.30/policy/modules/admin/vbetool.te 2009-09-08 18:00:40.000000000 -0400
+@@ -15,15 +15,22 @@
# Local policy
#
@@ -1116,11 +1117,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+domain_mmap_low_type(vbetool_t)
+tunable_policy(`mmap_low_allowed',`
domain_mmap_low(vbetool_t)
++', `
++dontaudit vbetool_t self:memprotect mmap_zero;
+')
term_use_unallocated_ttys(vbetool_t)
-@@ -34,3 +39,8 @@
+@@ -34,3 +41,8 @@
hal_write_log(vbetool_t)
hal_dontaudit_append_lib_files(vbetool_t)
')
@@ -2427,7 +2430,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.30/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.30/policy/modules/apps/nsplugin.if 2009-08-31 13:40:47.000000000 -0400
++++ serefpolicy-3.6.30/policy/modules/apps/nsplugin.if 2009-09-08 18:09:33.000000000 -0400
@@ -0,0 +1,313 @@
+
+## policy for nsplugin
@@ -4546,7 +4549,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.30/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/kernel/corenetwork.te.in 2009-08-31 13:40:47.000000000 -0400
++++ serefpolicy-3.6.30/policy/modules/kernel/corenetwork.te.in 2009-09-08 18:22:33.000000000 -0400
@@ -65,6 +65,7 @@
type server_packet_t, packet_type, server_packet_type;
@@ -4555,7 +4558,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
network_port(afs_ka, udp,7004,s0)
network_port(afs_pt, udp,7002,s0)
-@@ -87,25 +88,31 @@
+@@ -87,25 +88,32 @@
network_port(comsat, udp,512,s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0)
@@ -4585,10 +4588,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
+portcon tcp 10001-10010 gen_context(system_u:object_r:http_cache_port_t, s0)
++network_port(chronyd, udp,323,s0)
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
-@@ -128,7 +135,7 @@
+@@ -128,7 +136,7 @@
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
network_port(lmtp, tcp,24,s0, udp,24,s0)
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
@@ -4597,7 +4601,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(memcache, tcp,11211,s0, udp,11211,s0)
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
network_port(monopd, tcp,1234,s0)
-@@ -146,6 +153,12 @@
+@@ -146,6 +154,12 @@
network_port(pegasus_https, tcp,5989,s0)
network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
network_port(pingd, tcp,9125,s0)
@@ -4610,7 +4614,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postfix_policyd, tcp,10031,s0)
-@@ -172,27 +185,31 @@
+@@ -172,27 +186,31 @@
network_port(sap, tcp,9875,s0, udp,9875,s0)
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
@@ -4645,7 +4649,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(xdmcp, udp,177,s0, tcp,177,s0)
network_port(xen, tcp,8002,s0)
network_port(xfs, tcp,7100,s0)
-@@ -221,6 +238,8 @@
+@@ -221,6 +239,8 @@
type node_t, node_type;
sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh)
@@ -5705,8 +5709,53 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.30/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/kernel/filesystem.if 2009-09-08 07:44:43.000000000 -0400
-@@ -1537,6 +1537,24 @@
++++ serefpolicy-3.6.30/policy/modules/kernel/filesystem.if 2009-09-08 19:26:15.000000000 -0400
+@@ -1149,6 +1149,44 @@
+ domain_auto_transition_pattern($1, cifs_t, $2)
+ ')
+
++#######################################
++##
++## Create, read, write, and delete dirs
++## on a configfs filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_manage_configfs_dirs',`
++ gen_require(`
++ type configfs_t;
++ ')
++
++ manage_dirs_pattern($1,configfs_t,configfs_t)
++')
++
++#######################################
++##
++## Create, read, write, and delete files
++## on a configfs filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_manage_configfs_files',`
++ gen_require(`
++ type configfs_t;
++ ')
++
++ manage_files_pattern($1,configfs_t,configfs_t)
++')
++
+ ########################################
+ ##
+ ## Mount a DOS filesystem, such as
+@@ -1537,6 +1575,24 @@
########################################
##
@@ -5731,7 +5780,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Search inotifyfs filesystem.
##
##
-@@ -2542,6 +2560,42 @@
+@@ -2542,6 +2598,42 @@
########################################
##
@@ -5774,7 +5823,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read and write NFS server files.
##
##
-@@ -3971,3 +4025,122 @@
+@@ -3971,3 +4063,122 @@
relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
')
@@ -9920,6 +9969,201 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow certmaster_t self:tcp_socket create_stream_socket_perms;
# config files
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.6.30/policy/modules/services/chronyd.fc
+--- nsaserefpolicy/policy/modules/services/chronyd.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.30/policy/modules/services/chronyd.fc 2009-09-08 18:22:33.000000000 -0400
+@@ -0,0 +1,11 @@
++
++/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
++
++/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
++
++/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
++
++/var/log/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_log_t,s0)
++
++/var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0)
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.6.30/policy/modules/services/chronyd.if
+--- nsaserefpolicy/policy/modules/services/chronyd.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.30/policy/modules/services/chronyd.if 2009-09-08 18:22:33.000000000 -0400
+@@ -0,0 +1,105 @@
++## chrony background daemon
++
++#####################################
++##
++## Execute chronyd in the chronyd domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`chronyd_domtrans',`
++ gen_require(`
++ type chronyd_t, chronyd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, chronyd_exec_t, chronyd_t)
++')
++
++####################################
++##
++## Execute chronyd
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`chronyd_exec',`
++ gen_require(`
++ type chronyd_exec_t;
++ ')
++
++ can_exec($1, chronyd_exec_t)
++')
++
++#####################################
++##
++## Read chronyd logs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`chronyd_read_log',`
++ gen_require(`
++ type chronyd_var_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
++')
++
++####################################
++##
++## All of the rules required to administrate
++## an chronyd environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed to manage the chronyd domain.
++##
++##
++##
++#
++interface(`chronyd_admin',`
++ gen_require(`
++ type chronyd_t, chronyd_var_log_t;
++ type chronyd_var_run_t, chronyd_var_lib_t;
++ type chronyd_initrc_exec_t;
++ ')
++
++ allow $1 chronyd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, chronyd_t)
++
++ init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
++ domain_system_change_exemption($1)
++ role_transition $2 chronyd_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ logging_search_logs($1)
++ admin_pattern($1, chronyd_var_log_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, chronyd_var_lib_t)
++
++ files_search_pids($1)
++ admin_pattern($1, chronyd_var_run_t)
++
++ files_search_tmp($1)
++ admin_pattern($1, chronyd_tmp_t)
++
++')
++
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.6.30/policy/modules/services/chronyd.te
+--- nsaserefpolicy/policy/modules/services/chronyd.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.30/policy/modules/services/chronyd.te 2009-09-08 18:22:33.000000000 -0400
+@@ -0,0 +1,67 @@
++policy_module(chronyd,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type chronyd_t;
++type chronyd_exec_t;
++init_daemon_domain(chronyd_t, chronyd_exec_t)
++
++type chronyd_initrc_exec_t;
++init_script_file(chronyd_initrc_exec_t)
++
++# var/lib files
++type chronyd_var_lib_t;
++files_type(chronyd_var_lib_t)
++
++# log files
++type chronyd_var_log_t;
++logging_log_file(chronyd_var_log_t)
++
++# pid files
++type chronyd_var_run_t;
++files_pid_file(chronyd_var_run_t)
++
++
++########################################
++#
++# chronyd local policy
++#
++
++allow chronyd_t self:capability { setuid setgid sys_time };
++allow chronyd_t self:process { getcap setcap };
++
++allow chronyd_t self:udp_socket create_socket_perms;
++allow chronyd_t self:unix_dgram_socket create_socket_perms;
++
++# chronyd var/lib files
++manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
++manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
++files_var_lib_filetrans(chronyd_t,chronyd_var_lib_t, { file dir })
++
++# chronyd log files
++manage_files_pattern(chronyd_t, chronyd_var_log_t, chronyd_var_log_t)
++manage_dirs_pattern(chronyd_t, chronyd_var_log_t, chronyd_var_log_t)
++logging_log_filetrans(chronyd_t, chronyd_var_log_t,{ file dir })
++
++# chronyd pid files
++manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
++manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
++files_pid_filetrans(chronyd_t,chronyd_var_run_t, { file })
++
++corenet_udp_bind_ntp_port(chronyd_t)
++# bind to udp/323
++corenet_udp_bind_chronyd_port(chronyd_t)
++
++# real time clock option
++dev_rw_realtime_clock(chronyd_t)
++
++auth_use_nsswitch(chronyd_t)
++
++logging_send_syslog_msg(chronyd_t)
++
++miscfiles_read_localization(chronyd_t)
++
++permissive chronyd_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.30/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/services/clamav.te 2009-08-31 13:40:47.000000000 -0400
@@ -10064,84 +10308,326 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
unconfined_stream_connect(consolekit_t)
')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.6.30/policy/modules/services/courier.if
---- nsaserefpolicy/policy/modules/services/courier.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/services/courier.if 2009-08-31 13:40:47.000000000 -0400
-@@ -179,6 +179,24 @@
-
- ########################################
- ##
-+## Read courier spool files.
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.6.30/policy/modules/services/corosync.fc
+--- nsaserefpolicy/policy/modules/services/corosync.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.30/policy/modules/services/corosync.fc 2009-09-08 19:26:20.000000000 -0400
+@@ -0,0 +1,13 @@
++
++/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
++
++/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
++
++/usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
++
++/var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0)
++
++/var/log/cluster/corosync\.log -- gen_context(system_u:object_r:corosync_var_log_t,s0)
++
++/var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0)
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.if serefpolicy-3.6.30/policy/modules/services/corosync.if
+--- nsaserefpolicy/policy/modules/services/corosync.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.30/policy/modules/services/corosync.if 2009-09-08 19:26:20.000000000 -0400
+@@ -0,0 +1,108 @@
++## SELinux policy for Corosync Cluster Engine
++
++########################################
++##
++## Execute a domain transition to run corosync.
++##
++##
++##
++## Domain allowed to transition.
+##
-+##
-+##
-+## Domain allowed access.
-+##
+##
+#
-+interface(`courier_read_spool',`
-+ gen_require(`
-+ type courier_spool_t;
-+ ')
++interface(`corosync_domtrans',`
++ gen_require(`
++ type corosync_t, corosync_exec_t;
++ ')
+
-+ read_files_pattern($1, courier_spool_t, courier_spool_t)
++ domtrans_pattern($1, corosync_exec_t, corosync_t)
+')
+
-+########################################
++#####################################
+##
- ## Read and write to courier spool pipes.
- ##
- ##
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.6.30/policy/modules/services/courier.te
---- nsaserefpolicy/policy/modules/services/courier.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/services/courier.te 2009-08-31 13:40:47.000000000 -0400
-@@ -10,6 +10,7 @@
-
- type courier_etc_t;
- files_config_file(courier_etc_t)
-+mta_system_content(courier_etc_t)
-
- courier_domain_template(pcp)
-
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.30/policy/modules/services/cron.fc
---- nsaserefpolicy/policy/modules/services/cron.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/services/cron.fc 2009-08-31 13:40:47.000000000 -0400
-@@ -1,3 +1,4 @@
-+/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
-
- /etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
- /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
-@@ -17,9 +18,9 @@
- /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
- /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-
--/var/spool/at -d gen_context(system_u:object_r:cron_spool_t,s0)
--/var/spool/at/spool -d gen_context(system_u:object_r:cron_spool_t,s0)
--/var/spool/at/[^/]* -- <>
-+/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
++## Connect to corosync over a unix domain
++## stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corosync_stream_connect',`
++ gen_require(`
++ type corosync_t, corosync_var_run_t;
++ ')
+
-+/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
-
- /var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
- #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
-@@ -41,7 +42,11 @@
- #/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
-
- /var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0)
--/var/spool/fcron/[^/]* <>
-+/var/spool/fcron/.* <>
- /var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
- /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
- /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
++ files_search_pids($1)
++ stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t)
++')
+
-+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
++#######################################
++##
++## Allow the specified domain to read corosync's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corosync_read_log',`
++ gen_require(`
++ type corosync_var_log_t;
++ ')
+
-+/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.30/policy/modules/services/cron.if
---- nsaserefpolicy/policy/modules/services/cron.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/services/cron.if 2009-08-31 13:40:47.000000000 -0400
-@@ -12,6 +12,10 @@
- ##
++ logging_search_logs($1)
++ list_dirs_pattern($1, corosync_var_log_t, corosync_var_log_t)
++ read_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
++')
++
++######################################
++##
++## All of the rules required to administrate
++## an corosync environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed to manage the corosyncd domain.
++##
++##
++##
++#
++interface(`corosyncd_admin',`
++ gen_require(`
++ type corosync_t, corosync_var_lib_t, corosync_var_log_t;
++ type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t;
++ type corosync_initrc_exec_t;
++ ')
++
++ allow $1 corosync_t:process { ptrace signal_perms };
++ ps_process_pattern($1, corosync_t)
++
++ init_labeled_script_domtrans($1, corosync_initrc_exec_t)
++ domain_system_change_exemption($1)
++ role_transition $2 corosync_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_search_var_lib($1)
++ admin_pattern($1, corosync_var_lib_t)
++
++ logging_search_logs($1)
++ admin_pattern($1, corosync_var_log_t)
++
++ files_search_pids($1)
++ admin_pattern($1, corosync_var_run_t)
++
++ files_search_tmp($1)
++ admin_pattern($1, corosync_tmp_t)
++
++ admin_pattern($1, corosync_tmpfs_t)
++')
++
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.6.30/policy/modules/services/corosync.te
+--- nsaserefpolicy/policy/modules/services/corosync.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.30/policy/modules/services/corosync.te 2009-09-08 19:26:20.000000000 -0400
+@@ -0,0 +1,109 @@
++
++policy_module(corosync,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type corosync_t;
++type corosync_exec_t;
++init_daemon_domain(corosync_t, corosync_exec_t)
++
++type corosync_initrc_exec_t;
++init_script_file(corosync_initrc_exec_t);
++
++# tmp files
++type corosync_tmp_t;
++files_tmp_file(corosync_tmp_t)
++
++type corosync_tmpfs_t;
++files_tmpfs_file(corosync_tmpfs_t)
++
++# log files
++type corosync_var_log_t;
++logging_log_file(corosync_var_log_t)
++
++# var/lib files
++type corosync_var_lib_t;
++files_type(corosync_var_lib_t)
++
++# pid files
++type corosync_var_run_t;
++files_pid_file(corosync_var_run_t)
++
++########################################
++#
++# corosync local policy
++#
++
++allow corosync_t self:capability { sys_nice sys_resource ipc_lock };
++allow corosync_t self:process { setsched signal };
++
++allow corosync_t self:fifo_file rw_fifo_file_perms;
++allow corosync_t self:sem create_sem_perms;
++allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto };
++allow corosync_t self:unix_dgram_socket create_socket_perms;
++allow corosync_t self:udp_socket create_socket_perms;
++
++# tmp files
++manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
++manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
++files_tmp_filetrans(corosync_t, corosync_tmp_t, { file dir })
++
++manage_dirs_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
++manage_files_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
++fs_tmpfs_filetrans(corosync_t, corosync_tmpfs_t,{ dir file })
++
++# var/lib files
++manage_files_pattern(corosync_t, corosync_var_lib_t,corosync_var_lib_t)
++manage_dirs_pattern(corosync_t, corosync_var_lib_t,corosync_var_lib_t)
++manage_sock_files_pattern(corosync_t, corosync_var_lib_t,corosync_var_lib_t)
++files_var_lib_filetrans(corosync_t,corosync_var_lib_t, { file dir sock_file })
++
++# log files
++manage_files_pattern(corosync_t, corosync_var_log_t,corosync_var_log_t)
++manage_sock_files_pattern(corosync_t, corosync_var_log_t,corosync_var_log_t)
++logging_log_filetrans(corosync_t,corosync_var_log_t,{ sock_file file })
++
++# pid file
++manage_files_pattern(corosync_t, corosync_var_run_t,corosync_var_run_t)
++manage_sock_files_pattern(corosync_t, corosync_var_run_t,corosync_var_run_t)
++files_pid_filetrans(corosync_t,corosync_var_run_t, { file sock_file })
++
++corenet_udp_bind_netsupport_port(corosync_t)
++
++corecmd_exec_bin(corosync_t)
++
++kernel_read_system_state(corosync_t)
++
++files_manage_mounttab(corosync_t)
++
++auth_use_nsswitch(corosync_t)
++
++dev_read_urand(corosync_t)
++
++libs_use_ld_so(corosync_t)
++libs_use_shared_libs(corosync_t)
++miscfiles_read_localization(corosync_t)
++
++init_rw_script_tmp_files(corosync_t)
++
++logging_send_syslog_msg(corosync_t)
++
++# to communication with RHCS
++dlm_controld_manage_tmpfs_files(corosync_t)
++dlm_controld_rw_semaphores(corosync_t)
++
++fenced_manage_tmpfs_files(corosync_t)
++fenced_rw_semaphores(corosync_t)
++
++gfs_controld_manage_tmpfs_files(corosync_t)
++gfs_controld_rw_semaphores(corosync_t)
++
++optional_policy(`
++ ccs_read_config(corosync_t)
++')
++
++permissive corosync_t;
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.6.30/policy/modules/services/courier.if
+--- nsaserefpolicy/policy/modules/services/courier.if 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.30/policy/modules/services/courier.if 2009-08-31 13:40:47.000000000 -0400
+@@ -179,6 +179,24 @@
+
+ ########################################
+ ##
++## Read courier spool files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`courier_read_spool',`
++ gen_require(`
++ type courier_spool_t;
++ ')
++
++ read_files_pattern($1, courier_spool_t, courier_spool_t)
++')
++
++########################################
++##
+ ## Read and write to courier spool pipes.
+ ##
+ ##
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.6.30/policy/modules/services/courier.te
+--- nsaserefpolicy/policy/modules/services/courier.te 2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.6.30/policy/modules/services/courier.te 2009-08-31 13:40:47.000000000 -0400
+@@ -10,6 +10,7 @@
+
+ type courier_etc_t;
+ files_config_file(courier_etc_t)
++mta_system_content(courier_etc_t)
+
+ courier_domain_template(pcp)
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.30/policy/modules/services/cron.fc
+--- nsaserefpolicy/policy/modules/services/cron.fc 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.30/policy/modules/services/cron.fc 2009-08-31 13:40:47.000000000 -0400
+@@ -1,3 +1,4 @@
++/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
+
+ /etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+ /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+@@ -17,9 +18,9 @@
+ /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
+ /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+
+-/var/spool/at -d gen_context(system_u:object_r:cron_spool_t,s0)
+-/var/spool/at/spool -d gen_context(system_u:object_r:cron_spool_t,s0)
+-/var/spool/at/[^/]* -- <>
++/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
++
++/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
+
+ /var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
+ #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+@@ -41,7 +42,11 @@
+ #/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+
+ /var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0)
+-/var/spool/fcron/[^/]* <>
++/var/spool/fcron/.* <>
+ /var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+ /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+ /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
++
++/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
++
++/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.30/policy/modules/services/cron.if
+--- nsaserefpolicy/policy/modules/services/cron.if 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.30/policy/modules/services/cron.if 2009-08-31 13:40:47.000000000 -0400
+@@ -12,6 +12,10 @@
+ ##
#
template(`cron_common_crontab_template',`
+ gen_require(`
@@ -10443,7 +10929,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.30/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/services/cron.te 2009-09-04 10:32:17.000000000 -0400
++++ serefpolicy-3.6.30/policy/modules/services/cron.te 2009-09-08 18:12:58.000000000 -0400
@@ -38,6 +38,10 @@
type cron_var_lib_t;
files_type(cron_var_lib_t)
@@ -10768,17 +11254,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -461,8 +551,7 @@
+@@ -461,8 +551,8 @@
')
optional_policy(`
- # cjp: why?
- squid_domtrans(system_cronjob_t)
+ spamassassin_manage_lib_files(system_cronjob_t)
++ spamassassin_manage_home_client(system_cronjob_t)
')
optional_policy(`
-@@ -470,24 +559,17 @@
+@@ -470,24 +560,17 @@
')
optional_policy(`
@@ -10806,7 +11293,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow cronjob_t self:process { signal_perms setsched };
allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
-@@ -571,6 +653,9 @@
+@@ -571,6 +654,9 @@
userdom_manage_user_home_content_sockets(cronjob_t)
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
@@ -10816,7 +11303,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`fcron_crond', `
allow crond_t user_cron_spool_t:file manage_file_perms;
')
-@@ -590,13 +675,5 @@
+@@ -590,13 +676,5 @@
#
optional_policy(`
@@ -11824,7 +12311,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.te serefpolicy-3.6.30/policy/modules/services/gpm.te
--- nsaserefpolicy/policy/modules/services/gpm.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/services/gpm.te 2009-08-31 13:40:47.000000000 -0400
++++ serefpolicy-3.6.30/policy/modules/services/gpm.te 2009-09-08 10:45:28.000000000 -0400
@@ -27,7 +27,8 @@
# Local policy
#
@@ -15376,88 +15863,784 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.30/policy/modules/services/ricci.te
---- nsaserefpolicy/policy/modules/services/ricci.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/services/ricci.te 2009-08-31 13:40:47.000000000 -0400
-@@ -264,6 +264,7 @@
- allow ricci_modclusterd_t self:socket create_socket_perms;
-
- allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
-+allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;
-
- # log files
- allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
-@@ -440,6 +441,10 @@
- files_read_usr_files(ricci_modstorage_t)
- files_read_kernel_modules(ricci_modstorage_t)
-
-+files_create_default_dir(ricci_modstorage_t)
-+files_mounton_default(ricci_modstorage_t)
-+files_manage_default(ricci_modstorage_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.6.30/policy/modules/services/rgmanager.fc
+--- nsaserefpolicy/policy/modules/services/rgmanager.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.30/policy/modules/services/rgmanager.fc 2009-09-08 19:26:25.000000000 -0400
+@@ -0,0 +1,6 @@
+
- storage_raw_read_fixed_disk(ricci_modstorage_t)
-
- term_dontaudit_use_console(ricci_modstorage_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.6.30/policy/modules/services/rpcbind.if
---- nsaserefpolicy/policy/modules/services/rpcbind.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/services/rpcbind.if 2009-08-31 13:40:47.000000000 -0400
-@@ -97,6 +97,26 @@
-
- ########################################
- ##
-+## Connect to rpcbindd over an unix stream socket.
++/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
++
++/var/log/cluster/rgmanager\.log -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
++
++/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.6.30/policy/modules/services/rgmanager.if
+--- nsaserefpolicy/policy/modules/services/rgmanager.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.30/policy/modules/services/rgmanager.if 2009-09-08 19:26:25.000000000 -0400
+@@ -0,0 +1,40 @@
++## SELinux policy for rgmanager
++
++#######################################
++##
++## Execute a domain transition to run rgmanager.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed to transition.
++##
+##
+#
-+interface(`rpcbind_stream_connect',`
-+ gen_require(`
-+ type rpcbind_t, rpcbind_var_run_t;
-+ ')
++interface(`rgmanager_domtrans',`
++ gen_require(`
++ type rgmanager_t, rgmanager_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domrans_pattern($1,rgmanager_exec_t,rgmanager_t)
+
-+ files_search_pids($1)
-+ allow $1 rpcbind_var_run_t:sock_file write;
-+ allow $1 rpcbind_t:unix_stream_socket connectto;
+')
+
-+########################################
++#######################################
+##
- ## All of the rules required to administrate
- ## an rpcbind environment
- ##
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.30/policy/modules/services/rpc.if
---- nsaserefpolicy/policy/modules/services/rpc.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/services/rpc.if 2009-08-31 13:40:47.000000000 -0400
-@@ -54,7 +54,7 @@
- allow $1_t self:unix_dgram_socket create_socket_perms;
- allow $1_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_t self:tcp_socket create_stream_socket_perms;
-- allow $1_t self:udp_socket create_socket_perms;
-+ allow $1_t self:udp_socket create_stream_socket_perms;
-
- manage_dirs_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t)
- manage_files_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t)
-@@ -109,6 +109,10 @@
- userdom_dontaudit_use_unpriv_user_fds($1_t)
-
- optional_policy(`
-+ rpcbind_stream_connect($1_t)
-+ ')
++## Allow read and write access to rgmanager semaphores.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rgmanager_rw_semaphores',`
++ gen_require(`
++ type rgmanager_t;
++ ')
+
-+ optional_policy(`
- seutil_sigchld_newrole($1_t)
- ')
-
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.30/policy/modules/services/rpc.te
---- nsaserefpolicy/policy/modules/services/rpc.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/services/rpc.te 2009-08-31 13:40:47.000000000 -0400
-@@ -91,6 +91,8 @@
-
- seutil_dontaudit_search_config(rpcd_t)
-
++ allow $1 rgmanager_t:sem { unix_read unix_write associate read write };
++')
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.6.30/policy/modules/services/rgmanager.te
+--- nsaserefpolicy/policy/modules/services/rgmanager.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.30/policy/modules/services/rgmanager.te 2009-09-08 19:26:25.000000000 -0400
+@@ -0,0 +1,54 @@
++
++policy_module(rgmanager,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type rgmanager_t;
++type rgmanager_exec_t;
++domain_type(rgmanager_t)
++init_daemon_domain(rgmanager_t, rgmanager_exec_t)
++
++# log files
++type rgmanager_var_log_t;
++logging_log_file(rgmanager_var_log_t)
++
++# pid files
++type rgmanager_var_run_t;
++files_pid_file(rgmanager_var_run_t)
++
++########################################
++#
++# rgmanager local policy
++#
++
++allow rgmanager_t self:capability { sys_nice ipc_lock };
++allow rgmanager_t self:process setsched;
++
++allow rgmanager_t self:fifo_file rw_fifo_file_perms;
++allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms };
++allow rgmanager_t self:unix_dgram_socket create_socket_perms;
++allow rgmanager_t self:tcp_socket create_stream_socket_perms;
++
++# log files
++manage_files_pattern(rgmanager_t, rgmanager_var_log_t,rgmanager_var_log_t)
++logging_log_filetrans(rgmanager_t,rgmanager_var_log_t,{ file })
++
++# pid file
++manage_files_pattern(rgmanager_t, rgmanager_var_run_t,rgmanager_var_run_t)
++manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
++files_pid_filetrans(rgmanager_t,rgmanager_var_run_t, { file })
++
++auth_use_nsswitch(rgmanager_t)
++
++libs_use_ld_so(rgmanager_t)
++libs_use_shared_libs(rgmanager_t)
++
++logging_send_syslog_msg(rgmanager_t)
++
++miscfiles_read_localization(rgmanager_t)
++
++permissive rgmanager_t;
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.6.30/policy/modules/services/rhcs.fc
+--- nsaserefpolicy/policy/modules/services/rhcs.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.30/policy/modules/services/rhcs.fc 2009-09-08 19:26:15.000000000 -0400
+@@ -0,0 +1,22 @@
++
++/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
++/var/log/cluster/dlm_controld\.log -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
++/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
++
++/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
++/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
++/var/log/cluster/fenced\.log -- gen_context(system_u:object_r:fenced_var_log_t,s0)
++/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
++
++/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
++/var/log/cluster/gfs_controld\.log -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
++/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
++
++/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
++/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
++
++/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
++/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
++/var/log/cluster/qdiskd\.log -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
++/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.6.30/policy/modules/services/rhcs.if
+--- nsaserefpolicy/policy/modules/services/rhcs.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.30/policy/modules/services/rhcs.if 2009-09-08 19:26:15.000000000 -0400
+@@ -0,0 +1,214 @@
++## SELinux policy for RHCS - Red Hat Cluster Suite
++
++######################################
++##
++## Execute a domain transition to run dlm_controld.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`dlm_controld_domtrans',`
++ gen_require(`
++ type dlm_controld_t, dlm_controld_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domain_trans_pattern($1,dlm_controld_exec_t,dlm_controld_t)
++
++')
++
++#####################################
++##
++## Connect to dlm_controld over a unix domain
++## stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dlm_controld_stream_connect',`
++ gen_require(`
++ type dlm_controld_t, dlm_controld_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
++')
++
++#####################################
++##
++## Manage dlm_controld tmpfs files.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`dlm_controld_manage_tmpfs_files',`
++ gen_require(`
++ type dlm_controld_tmpfs_t;
++ ')
++
++ fs_search_tmpfs($1)
++ manage_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
++ manage_lnk_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
++')
++
++#####################################
++##
++## Allow read and write access to dlm_controld semaphores.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dlm_controld_rw_semaphores',`
++ gen_require(`
++ type dlm_controld_t;
++ ')
++
++ allow $1 dlm_controld_t:sem { rw_sem_perms destroy };
++')
++
++######################################
++##
++## Execute a domain transition to run fenced.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`fenced_domtrans',`
++ gen_require(`
++ type fenced_t, fenced_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domain_trans_pattern($1,fenced_exec_t,fenced_t)
++
++')
++
++######################################
++##
++## Connect to fenced over an unix domain stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fenced_stream_connect',`
++ gen_require(`
++ type fenced_var_run_t, fenced_t;
++ ')
++
++ allow $1 fenced_t:unix_stream_socket connectto;
++ allow $1 fenced_var_run_t:sock_file { getattr write };
++ files_search_pids($1)
++')
++
++#####################################
++##
++## Managed fenced tmpfs files.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`fenced_manage_tmpfs_files',`
++ gen_require(`
++ type fenced_tmpfs_t;
++ ')
++
++ fs_search_tmpfs($1)
++ manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
++ manage_lnk_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
++')
++
++######################################
++##
++## Allow read and write access to fenced semaphores.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fenced_rw_semaphores',`
++ gen_require(`
++ type fenced_t;
++ ')
++
++ allow $1 fenced_t:sem { rw_sem_perms destroy };
++')
++
++#####################################
++##
++## Execute a domain transition to run gfs_controld.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`gfs_controld_domtrans',`
++ gen_require(`
++ type gfs_controld_t, gfs_controld_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domain_trans_pattern($1,gfs_controld_exec_t,gfs_controld_t)
++')
++
++###################################
++##
++## Manage gfs_controld tmpfs files.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`gfs_controld_manage_tmpfs_files',`
++ gen_require(`
++ type gfs_controld_tmpfs_t;
++ ')
++
++ fs_search_tmpfs($1)
++ manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
++ manage_lnk_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
++')
++
++####################################
++##
++## Allow read and write access to gfs_controld semaphores.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gfs_controld_rw_semaphores',`
++ gen_require(`
++ type gfs_controld_t;
++ ')
++
++ allow $1 gfs_controld_t:sem { rw_sem_perms destroy };
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.6.30/policy/modules/services/rhcs.te
+--- nsaserefpolicy/policy/modules/services/rhcs.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.30/policy/modules/services/rhcs.te 2009-09-08 19:26:15.000000000 -0400
+@@ -0,0 +1,336 @@
++
++policy_module(rhcs,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type dlm_controld_t;
++type dlm_controld_exec_t;
++init_daemon_domain(dlm_controld_t, dlm_controld_exec_t)
++
++# log files
++type dlm_controld_var_log_t;
++logging_log_file(dlm_controld_var_log_t)
++
++# pid files
++type dlm_controld_var_run_t;
++files_pid_file(dlm_controld_var_run_t)
++
++type dlm_controld_tmpfs_t;
++files_tmpfs_file(dlm_controld_tmpfs_t)
++
++
++type fenced_t;
++type fenced_exec_t;
++init_daemon_domain(fenced_t, fenced_exec_t)
++
++# tmp files
++type fenced_tmp_t;
++files_tmp_file(fenced_tmp_t)
++
++type fenced_tmpfs_t;
++files_tmpfs_file(fenced_tmpfs_t)
++
++# log files
++type fenced_var_log_t;
++logging_log_file(fenced_var_log_t)
++
++# pid files
++type fenced_var_run_t;
++files_pid_file(fenced_var_run_t)
++
++
++type gfs_controld_t;
++type gfs_controld_exec_t;
++init_daemon_domain(gfs_controld_t, gfs_controld_exec_t)
++
++# log files
++type gfs_controld_var_log_t;
++logging_log_file(gfs_controld_var_log_t)
++
++# pid files
++type gfs_controld_var_run_t;
++files_pid_file(gfs_controld_var_run_t)
++
++type gfs_controld_tmpfs_t;
++files_tmpfs_file(gfs_controld_tmpfs_t)
++
++
++type groupd_t;
++type groupd_exec_t;
++init_daemon_domain(groupd_t, groupd_exec_t)
++
++# log files
++type groupd_var_log_t;
++logging_log_file(groupd_var_log_t)
++
++# pid files
++type groupd_var_run_t;
++files_pid_file(groupd_var_run_t)
++
++type groupd_tmpfs_t;
++files_tmpfs_file(groupd_tmpfs_t)
++
++
++type qdiskd_t;
++type qdiskd_exec_t;
++init_daemon_domain(qdiskd_t, qdiskd_exec_t)
++
++type qdiskd_tmpfs_t;
++files_tmpfs_file(qdiskd_tmpfs_t)
++
++# var/lib files
++type qdiskd_var_lib_t;
++files_type(qdiskd_var_lib_t)
++
++# log files
++type qdiskd_var_log_t;
++logging_log_file(qdiskd_var_log_t)
++
++# pid files
++type qdiskd_var_run_t;
++files_pid_file(qdiskd_var_run_t)
++
++#####################################
++#
++# dlm_controld local policy
++#
++
++allow dlm_controld_t self:capability { net_admin sys_nice sys_resource };
++allow dlm_controld_t self:process setsched;
++
++allow dlm_controld_t self:sem create_sem_perms;
++allow dlm_controld_t self:fifo_file rw_fifo_file_perms;
++allow dlm_controld_t self:unix_stream_socket { create_stream_socket_perms };
++allow dlm_controld_t self:unix_dgram_socket { create_socket_perms };
++allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
++
++manage_dirs_pattern(dlm_controld_t, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
++manage_files_pattern(dlm_controld_t, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
++fs_tmpfs_filetrans(dlm_controld_t, dlm_controld_tmpfs_t,{ dir file })
++
++# log files
++manage_files_pattern(dlm_controld_t, dlm_controld_var_log_t,dlm_controld_var_log_t)
++logging_log_filetrans(dlm_controld_t,dlm_controld_var_log_t,{ file })
++
++# pid files
++manage_files_pattern(dlm_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t)
++manage_sock_files_pattern(dlm_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t)
++files_pid_filetrans(dlm_controld_t,dlm_controld_var_run_t, { file })
++
++stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
++corosync_stream_connect(dlm_controld_t)
++
++kernel_read_system_state(dlm_controld_t)
++
++dev_rw_sysfs(dlm_controld_t)
++
++fs_manage_configfs_files(dlm_controld_t)
++fs_manage_configfs_dirs(dlm_controld_t)
++
++init_rw_script_tmp_files(dlm_controld_t)
++
++libs_use_ld_so(dlm_controld_t)
++libs_use_shared_libs(dlm_controld_t)
++
++logging_send_syslog_msg(dlm_controld_t)
++
++miscfiles_read_localization(dlm_controld_t)
++
++permissive dlm_controld_t;
++
++#######################################
++#
++# fenced local policy
++#
++
++allow fenced_t self:capability { sys_nice sys_resource };
++allow fenced_t self:process { setsched getsched };
++
++allow fenced_t self:fifo_file rw_fifo_file_perms;
++allow fenced_t self:sem create_sem_perms;
++allow fenced_t self:unix_stream_socket { create_stream_socket_perms connectto };
++allow fenced_t self:unix_dgram_socket create_socket_perms;
++allow fenced_t self:tcp_socket create_stream_socket_perms;
++allow fenced_t self:udp_socket create_socket_perms;
++
++can_exec(fenced_t,fenced_exec_t)
++
++# tmp files
++manage_dirs_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
++manage_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
++files_tmp_filetrans(fenced_t, fenced_tmp_t, { file dir })
++
++manage_dirs_pattern(fenced_t, fenced_tmpfs_t, fenced_tmpfs_t)
++manage_files_pattern(fenced_t, fenced_tmpfs_t, fenced_tmpfs_t)
++fs_tmpfs_filetrans(fenced_t, fenced_tmpfs_t,{ dir file })
++
++# log files
++manage_files_pattern(fenced_t, fenced_var_log_t,fenced_var_log_t)
++logging_log_filetrans(fenced_t,fenced_var_log_t,{ file })
++
++# pid file
++manage_files_pattern(fenced_t, fenced_var_run_t,fenced_var_run_t)
++manage_sock_files_pattern(fenced_t, fenced_var_run_t, fenced_var_run_t)
++manage_fifo_files_pattern(fenced_t, fenced_var_run_t, fenced_var_run_t)
++files_pid_filetrans(fenced_t,fenced_var_run_t, { file })
++
++corosync_stream_connect(fenced_t)
++
++corecmd_exec_bin(fenced_t)
++
++dev_list_sysfs(fenced_t)
++dev_read_urand(fenced_t)
++
++auth_use_nsswitch(fenced_t)
++
++files_read_usr_symlinks(fenced_t)
++
++libs_use_ld_so(fenced_t)
++libs_use_shared_libs(fenced_t)
++
++logging_send_syslog_msg(fenced_t)
++
++miscfiles_read_localization(fenced_t)
++
++permissive fenced_t;
++
++######################################
++#
++# gfs_controld local policy
++#
++allow gfs_controld_t self:capability { sys_nice sys_resource };
++allow gfs_controld_t self:process setsched;
++
++allow gfs_controld_t self:sem create_sem_perms;
++allow gfs_controld_t self:fifo_file rw_fifo_file_perms;
++allow gfs_controld_t self:unix_stream_socket { create_stream_socket_perms };
++allow gfs_controld_t self:unix_dgram_socket { create_socket_perms };
++allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
++
++manage_dirs_pattern(gfs_controld_t, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
++manage_files_pattern(gfs_controld_t, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
++fs_tmpfs_filetrans(gfs_controld_t, gfs_controld_tmpfs_t,{ dir file })
++
++# log files
++manage_files_pattern(gfs_controld_t, gfs_controld_var_log_t,gfs_controld_var_log_t)
++logging_log_filetrans(gfs_controld_t,gfs_controld_var_log_t,{ file })
++
++# pid files
++manage_files_pattern(gfs_controld_t, gfs_controld_var_run_t, gfs_controld_var_run_t)
++manage_sock_files_pattern(gfs_controld_t, gfs_controld_var_run_t, gfs_controld_var_run_t)
++files_pid_filetrans(gfs_controld_t,gfs_controld_var_run_t, { file })
++
++stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
++stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
++corosync_stream_connect(gfs_controld_t)
++
++kernel_read_system_state(gfs_controld_t)
++
++dev_manage_generic_chr_files(gfs_controld_t)
++dev_read_sysfs(gfs_controld_t)
++
++init_rw_script_tmp_files(gfs_controld_t)
++
++libs_use_ld_so(gfs_controld_t)
++libs_use_shared_libs(gfs_controld_t)
++
++logging_send_syslog_msg(gfs_controld_t)
++
++miscfiles_read_localization(gfs_controld_t)
++
++permissive gfs_controld_t;
++
++#######################################
++#
++# groupd local policy
++#
++
++allow groupd_t self:capability { sys_nice sys_resource };
++allow groupd_t self:process setsched;
++
++allow groupd_t self:sem create_sem_perms;
++allow groupd_t self:fifo_file rw_fifo_file_perms;
++allow groupd_t self:unix_stream_socket create_stream_socket_perms;
++allow groupd_t self:unix_dgram_socket create_socket_perms;
++
++manage_dirs_pattern(groupd_t, groupd_tmpfs_t, groupd_tmpfs_t)
++manage_files_pattern(groupd_t, groupd_tmpfs_t, groupd_tmpfs_t)
++fs_tmpfs_filetrans(groupd_t, groupd_tmpfs_t,{ dir file })
++
++# log files
++manage_files_pattern(groupd_t, groupd_var_log_t,groupd_var_log_t)
++logging_log_filetrans(groupd_t,groupd_var_log_t,{ file })
++
++# pid files
++manage_files_pattern(groupd_t, groupd_var_run_t,groupd_var_run_t)
++manage_sock_files_pattern(groupd_t, groupd_var_run_t,groupd_var_run_t)
++files_pid_filetrans(groupd_t, groupd_var_run_t, { file })
++
++corosync_stream_connect(groupd_t)
++
++files_read_etc_files(groupd_t)
++
++libs_use_ld_so(groupd_t)
++libs_use_shared_libs(groupd_t)
++
++logging_send_syslog_msg(groupd_t)
++
++miscfiles_read_localization(groupd_t)
++
++init_rw_script_tmp_files(groupd_t)
++
++logging_send_syslog_msg(groupd_t)
++
++permissive groupd_t;
++
++######################################
++#
++# qdiskd local policy
++#
++
++allow qdiskd_t self:capability { sys_nice ipc_lock };
++allow qdiskd_t self:process setsched;
++
++allow qdiskd_t self:sem create_sem_perms;
++allow qdiskd_t self:unix_dgram_socket create_socket_perms;
++allow qdiskd_t self:fifo_file rw_fifo_file_perms;
++allow qdiskd_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_files_pattern(qdiskd_t, qdiskd_var_lib_t,qdiskd_var_lib_t)
++manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t,qdiskd_var_lib_t)
++manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t,qdiskd_var_lib_t)
++files_var_lib_filetrans(qdiskd_t,qdiskd_var_lib_t, { file dir sock_file })
++
++# log files
++manage_files_pattern(qdiskd_t, qdiskd_var_log_t,qdiskd_var_log_t)
++manage_sock_files_pattern(qdiskd_t, qdiskd_var_log_t,qdiskd_var_log_t)
++logging_log_filetrans(qdiskd_t,qdiskd_var_log_t,{ sock_file file })
++
++manage_dirs_pattern(qdiskd_t, qdiskd_tmpfs_t, qdiskd_tmpfs_t)
++manage_files_pattern(qdiskd_t, qdiskd_tmpfs_t, qdiskd_tmpfs_t)
++fs_tmpfs_filetrans(qdiskd_t, qdiskd_tmpfs_t,{ dir file })
++
++# pid files
++manage_files_pattern(qdiskd_t, qdiskd_var_run_t,qdiskd_var_run_t)
++manage_sock_files_pattern(qdiskd_t, qdiskd_var_run_t,qdiskd_var_run_t)
++files_pid_filetrans(qdiskd_t,qdiskd_var_run_t, { file })
++
++corosync_stream_connect(qdiskd_t)
++
++kernel_read_system_state(qdiskd_t)
++
++storage_raw_rw_fixed_disk(qdiskd_t)
++
++files_read_etc_files(qdiskd_t)
++
++libs_use_ld_so(qdiskd_t)
++libs_use_shared_libs(qdiskd_t)
++
++logging_send_syslog_msg(qdiskd_t)
++
++miscfiles_read_localization(qdiskd_t)
++
++permissive qdiskd_t;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.30/policy/modules/services/ricci.te
+--- nsaserefpolicy/policy/modules/services/ricci.te 2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.6.30/policy/modules/services/ricci.te 2009-08-31 13:40:47.000000000 -0400
+@@ -264,6 +264,7 @@
+ allow ricci_modclusterd_t self:socket create_socket_perms;
+
+ allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
++allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;
+
+ # log files
+ allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
+@@ -440,6 +441,10 @@
+ files_read_usr_files(ricci_modstorage_t)
+ files_read_kernel_modules(ricci_modstorage_t)
+
++files_create_default_dir(ricci_modstorage_t)
++files_mounton_default(ricci_modstorage_t)
++files_manage_default(ricci_modstorage_t)
++
+ storage_raw_read_fixed_disk(ricci_modstorage_t)
+
+ term_dontaudit_use_console(ricci_modstorage_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.6.30/policy/modules/services/rpcbind.if
+--- nsaserefpolicy/policy/modules/services/rpcbind.if 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.30/policy/modules/services/rpcbind.if 2009-08-31 13:40:47.000000000 -0400
+@@ -97,6 +97,26 @@
+
+ ########################################
+ ##
++## Connect to rpcbindd over an unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rpcbind_stream_connect',`
++ gen_require(`
++ type rpcbind_t, rpcbind_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 rpcbind_var_run_t:sock_file write;
++ allow $1 rpcbind_t:unix_stream_socket connectto;
++')
++
++########################################
++##
+ ## All of the rules required to administrate
+ ## an rpcbind environment
+ ##
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.30/policy/modules/services/rpc.if
+--- nsaserefpolicy/policy/modules/services/rpc.if 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.30/policy/modules/services/rpc.if 2009-08-31 13:40:47.000000000 -0400
+@@ -54,7 +54,7 @@
+ allow $1_t self:unix_dgram_socket create_socket_perms;
+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_t self:tcp_socket create_stream_socket_perms;
+- allow $1_t self:udp_socket create_socket_perms;
++ allow $1_t self:udp_socket create_stream_socket_perms;
+
+ manage_dirs_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t)
+ manage_files_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t)
+@@ -109,6 +109,10 @@
+ userdom_dontaudit_use_unpriv_user_fds($1_t)
+
+ optional_policy(`
++ rpcbind_stream_connect($1_t)
++ ')
++
++ optional_policy(`
+ seutil_sigchld_newrole($1_t)
+ ')
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.30/policy/modules/services/rpc.te
+--- nsaserefpolicy/policy/modules/services/rpc.te 2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.6.30/policy/modules/services/rpc.te 2009-09-08 19:48:58.000000000 -0400
+@@ -91,6 +91,8 @@
+
+ seutil_dontaudit_search_config(rpcd_t)
+
+userdom_signal_unpriv_users(rpcd_t)
+
optional_policy(`
@@ -15474,7 +16657,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# NFSD local policy
-@@ -135,6 +141,7 @@
+@@ -127,6 +133,7 @@
+ files_getattr_tmp_dirs(nfsd_t)
+ # cjp: this should really have its own type
+ files_manage_mounttab(nfsd_t)
++files_read_etc_runtime_files(nfsd_t)
+
+ fs_mount_nfsd_fs(nfsd_t)
+ fs_search_nfsd_fs(nfsd_t)
+@@ -135,6 +142,7 @@
fs_rw_nfsd_fs(nfsd_t)
storage_dontaudit_read_fixed_disk(nfsd_t)
@@ -15482,7 +16673,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Read access to public_content_t and public_content_rw_t
miscfiles_read_public_files(nfsd_t)
-@@ -151,6 +158,7 @@
+@@ -151,6 +159,7 @@
fs_read_noxattr_fs_files(nfsd_t)
auth_manage_all_files_except_shadow(nfsd_t)
')
@@ -15490,7 +16681,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`nfs_export_all_ro',`
dev_getattr_all_blk_files(nfsd_t)
-@@ -189,8 +197,10 @@
+@@ -182,6 +191,7 @@
+ kernel_read_network_state(gssd_t)
+ kernel_read_network_state_symlinks(gssd_t)
+ kernel_search_network_sysctl(gssd_t)
++kernel_signal(gssd_t)
+
+ corecmd_exec_bin(gssd_t)
+
+@@ -189,8 +199,10 @@
fs_rw_rpc_sockets(gssd_t)
fs_read_rpc_files(gssd_t)
@@ -15501,7 +16700,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_use_nsswitch(gssd_t)
auth_manage_cache(gssd_t)
-@@ -199,6 +209,8 @@
+@@ -199,6 +211,8 @@
mount_signal(gssd_t)
@@ -17129,16 +18328,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.30/policy/modules/services/spamassassin.if
--- nsaserefpolicy/policy/modules/services/spamassassin.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/services/spamassassin.if 2009-08-31 13:40:47.000000000 -0400
-@@ -111,6 +111,7 @@
++++ serefpolicy-3.6.30/policy/modules/services/spamassassin.if 2009-09-08 18:13:29.000000000 -0400
+@@ -111,6 +111,27 @@
')
domtrans_pattern($1, spamc_exec_t, spamc_t)
+ allow $1 spamc_exec_t:file ioctl;
++')
++
++########################################
++##
++## Manage spamc home files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`spamassassin_manage_home_client',`
++ gen_require(`
++ type spamc_home_t;
++ ')
++
++ manage_dirs_pattern($1, spamc_home_t, spamc_home_t)
++ manage_files_pattern($1, spamc_home_t, spamc_home_t)
++ manage_lnk_files_pattern($1, spamc_home_t, spamc_home_t)
')
########################################
-@@ -166,6 +167,7 @@
+@@ -166,6 +187,7 @@
')
files_search_var_lib($1)
@@ -17146,7 +18365,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
')
-@@ -225,3 +227,69 @@
+@@ -225,3 +247,69 @@
dontaudit $1 spamd_tmp_t:sock_file getattr;
')
@@ -18178,13 +19397,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.30/policy/modules/services/virt.fc
--- nsaserefpolicy/policy/modules/services/virt.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/services/virt.fc 2009-08-31 13:40:47.000000000 -0400
-@@ -8,5 +8,16 @@
++++ serefpolicy-3.6.30/policy/modules/services/virt.fc 2009-09-08 18:45:04.000000000 -0400
+@@ -8,5 +8,17 @@
/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
+/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
++/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
+
/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7e3aba7..2983fa1 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.30
-Release: 5%{?dist}
+Release: 6%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -443,6 +443,9 @@ exit 0
%endif
%changelog
+* Tue Sep 8 2009 Dan Walsh 3.6.30-6
+- More fixes
+
* Tue Sep 8 2009 Dan Walsh 3.6.30-5
- Lots of fixes for initrc and other unconfined domains