++##
++## Allow corosync to read and write generic tmpfs files.
++##
++##
++gen_tunable(allow_corosync_rw_tmpfs, false)
++
+ type corosync_t;
+ type corosync_exec_t;
+ init_daemon_domain(corosync_t, corosync_exec_t)
+@@ -32,8 +39,8 @@
# corosync local policy
#
@@ -13476,7 +13533,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
allow corosync_t self:fifo_file rw_fifo_file_perms;
allow corosync_t self:sem create_sem_perms;
-@@ -41,6 +41,8 @@
+@@ -41,6 +48,8 @@
allow corosync_t self:unix_dgram_socket create_socket_perms;
allow corosync_t self:udp_socket create_socket_perms;
@@ -13485,7 +13542,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
files_tmp_filetrans(corosync_t, corosync_tmp_t, { file dir })
-@@ -63,8 +65,10 @@
+@@ -63,8 +72,10 @@
files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file })
kernel_read_system_state(corosync_t)
@@ -13496,7 +13553,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
corenet_udp_bind_netsupport_port(corosync_t)
-@@ -73,6 +77,7 @@
+@@ -73,6 +84,7 @@
domain_read_all_domains_state(corosync_t)
files_manage_mounttab(corosync_t)
@@ -13504,15 +13561,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
auth_use_nsswitch(corosync_t)
-@@ -83,6 +88,7 @@
+@@ -83,19 +95,26 @@
miscfiles_read_localization(corosync_t)
+userdom_delete_user_tmpfs_files(corosync_t)
userdom_rw_user_tmpfs_files(corosync_t)
++tunable_policy(`allow_corosync_rw_tmpfs',`
++ fs_rw_tmpfs_files(corosync_t)
++')
++
optional_policy(`
-@@ -90,12 +96,13 @@
+ ccs_read_config(corosync_t)
')
optional_policy(`
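Review bot: The new `tunable_policy(`allow_corosync_rw_tmpfs',` block grants `fs_rw_tmpfs_files(corosync_t)`, i.e. read/write on every generic tmpfs file on the system, but nothing in the hunk says which corosync use case needs more than the `userdom_rw_user_tmpfs_files(corosync_t)` rule that already sits two lines above it. A one-line comment directly above the block would let a later reader judge whether a dedicated type could replace the generic grant, e.g. `# <component> shares state through a generic tmpfs file — see <bug-id placeholder>`. The tunable description added earlier in this patch ("Allow corosync to read and write generic tmpfs files") restates the interface rather than the reason, so the why is currently recorded nowhere. The inner hunk `@@ -83,19 +95,26 @@` this block belongs to is only partly visible in this outer hunk.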
@@ -13528,12 +13589,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+ # to communication with RHCS
+ rhcs_rw_cluster_shm(corosync_t)
+ rhcs_rw_cluster_semaphores(corosync_t)
++ rhcs_stream_connect_cluster(corosync_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.8.6/policy/modules/services/cron.fc
---- nsaserefpolicy/policy/modules/services/cron.fc 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.8.6/policy/modules/services/cron.fc 2010-06-21 10:53:58.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/cron.fc 2010-06-21 16:50:51.000000000 +0200
++++ serefpolicy-3.8.6/policy/modules/services/cron.fc 2010-07-09 08:39:39.115384951 +0200
@@ -14,7 +14,7 @@
/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
@@ -13552,8 +13614,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
+
+/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.8.6/policy/modules/services/cron.if
---- nsaserefpolicy/policy/modules/services/cron.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.8.6/policy/modules/services/cron.if 2010-06-21 10:53:58.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/cron.if 2010-06-21 16:50:51.000000000 +0200
++++ serefpolicy-3.8.6/policy/modules/services/cron.if 2010-07-09 08:39:39.116384955 +0200
@@ -12,6 +12,10 @@
##
#
@@ -13738,8 +13800,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.8.6/policy/modules/services/cron.te
---- nsaserefpolicy/policy/modules/services/cron.te 2010-06-18 13:07:19.000000000 -0400
-+++ serefpolicy-3.8.6/policy/modules/services/cron.te 2010-06-21 10:53:58.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/cron.te 2010-06-21 16:50:51.000000000 +0200
++++ serefpolicy-3.8.6/policy/modules/services/cron.te 2010-07-09 08:39:39.119385246 +0200
@@ -63,9 +63,12 @@
type crond_tmp_t;
@@ -14034,8 +14096,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
tunable_policy(`fcron_crond', `
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.8.6/policy/modules/services/cups.fc
---- nsaserefpolicy/policy/modules/services/cups.fc 2010-05-25 16:28:22.000000000 -0400
-+++ serefpolicy-3.8.6/policy/modules/services/cups.fc 2010-06-21 10:53:58.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/cups.fc 2010-06-21 16:50:51.000000000 +0200
++++ serefpolicy-3.8.6/policy/modules/services/cups.fc 2010-07-09 08:39:39.120384970 +0200
@@ -71,3 +71,9 @@
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
@@ -14047,8 +14109,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.8.6/policy/modules/services/cups.if
---- nsaserefpolicy/policy/modules/services/cups.if 2009-07-28 15:51:13.000000000 -0400
-+++ serefpolicy-3.8.6/policy/modules/services/cups.if 2010-06-25 13:20:18.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/cups.if 2010-06-21 16:50:51.000000000 +0200
++++ serefpolicy-3.8.6/policy/modules/services/cups.if 2010-07-09 08:39:39.121387488 +0200
@@ -314,7 +314,7 @@
interface(`cups_admin',`
gen_require(`
@@ -14069,8 +14131,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
files_list_tmp($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.8.6/policy/modules/services/cups.te
---- nsaserefpolicy/policy/modules/services/cups.te 2010-06-18 13:07:19.000000000 -0400
-+++ serefpolicy-3.8.6/policy/modules/services/cups.te 2010-06-21 10:53:58.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/cups.te 2010-06-21 16:50:51.000000000 +0200
++++ serefpolicy-3.8.6/policy/modules/services/cups.te 2010-07-09 08:39:39.122385118 +0200
@@ -15,6 +15,7 @@
type cupsd_t;
type cupsd_exec_t;
@@ -14145,8 +14207,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
tunable_policy(`use_nfs_home_dirs',`
fs_search_auto_mountpoints(cups_pdf_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.8.6/policy/modules/services/cvs.te
---- nsaserefpolicy/policy/modules/services/cvs.te 2010-06-18 13:07:19.000000000 -0400
-+++ serefpolicy-3.8.6/policy/modules/services/cvs.te 2010-06-21 10:53:58.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/cvs.te 2010-06-21 16:50:51.000000000 +0200
++++ serefpolicy-3.8.6/policy/modules/services/cvs.te 2010-07-09 08:39:39.123411801 +0200
@@ -112,4 +112,5 @@
read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
@@ -14154,8 +14216,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.8.6/policy/modules/services/cyrus.te
---- nsaserefpolicy/policy/modules/services/cyrus.te 2010-06-18 13:07:19.000000000 -0400
-+++ serefpolicy-3.8.6/policy/modules/services/cyrus.te 2010-06-21 10:53:58.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/cyrus.te 2010-06-21 16:50:51.000000000 +0200
++++ serefpolicy-3.8.6/policy/modules/services/cyrus.te 2010-07-09 08:39:39.124411596 +0200
@@ -135,6 +135,7 @@
')
@@ -14165,8 +14227,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru
snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
snmp_stream_connect(cyrus_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.8.6/policy/modules/services/dbus.if
---- nsaserefpolicy/policy/modules/services/dbus.if 2010-05-25 16:28:22.000000000 -0400
-+++ serefpolicy-3.8.6/policy/modules/services/dbus.if 2010-06-21 10:53:58.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/dbus.if 2010-06-21 16:50:51.000000000 +0200
++++ serefpolicy-3.8.6/policy/modules/services/dbus.if 2010-07-09 08:39:39.125432971 +0200
@@ -42,8 +42,10 @@
gen_require(`
class dbus { send_msg acquire_svc };
@@ -14250,8 +14312,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.8.6/policy/modules/services/dbus.te
---- nsaserefpolicy/policy/modules/services/dbus.te 2010-06-18 13:07:19.000000000 -0400
-+++ serefpolicy-3.8.6/policy/modules/services/dbus.te 2010-06-21 10:53:58.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/dbus.te 2010-06-21 16:50:51.000000000 +0200
++++ serefpolicy-3.8.6/policy/modules/services/dbus.te 2010-07-09 08:39:39.127385207 +0200
@@ -121,6 +121,7 @@
init_use_fds(system_dbusd_t)
@@ -14292,8 +14354,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
+ xserver_append_xdm_home_files(session_bus_type)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.8.6/policy/modules/services/denyhosts.te
---- nsaserefpolicy/policy/modules/services/denyhosts.te 2010-06-18 13:07:19.000000000 -0400
-+++ serefpolicy-3.8.6/policy/modules/services/denyhosts.te 2010-06-21 10:53:58.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/denyhosts.te 2010-06-21 16:50:51.000000000 +0200
++++ serefpolicy-3.8.6/policy/modules/services/denyhosts.te 2010-07-09 08:39:39.128385141 +0200
@@ -25,7 +25,8 @@
#
# DenyHosts personal policy.
@@ -14325,8 +14387,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
sysnet_etc_filetrans_config(denyhosts_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.8.6/policy/modules/services/devicekit.te
---- nsaserefpolicy/policy/modules/services/devicekit.te 2010-05-25 16:28:22.000000000 -0400
-+++ serefpolicy-3.8.6/policy/modules/services/devicekit.te 2010-06-21 10:53:58.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/devicekit.te 2010-06-21 16:50:51.000000000 +0200
++++ serefpolicy-3.8.6/policy/modules/services/devicekit.te 2010-07-09 08:39:39.129384935 +0200
@@ -75,10 +75,12 @@
manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
@@ -14374,8 +14436,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.8.6/policy/modules/services/dhcp.te
---- nsaserefpolicy/policy/modules/services/dhcp.te 2010-06-18 13:07:19.000000000 -0400
-+++ serefpolicy-3.8.6/policy/modules/services/dhcp.te 2010-06-22 15:20:41.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/dhcp.te 2010-06-21 16:50:51.000000000 +0200
++++ serefpolicy-3.8.6/policy/modules/services/dhcp.te 2010-07-09 08:39:39.130385079 +0200
@@ -111,6 +111,11 @@
')
@@ -14389,8 +14451,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp
dbus_connect_system_bus(dhcpd_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.8.6/policy/modules/services/dnsmasq.te
---- nsaserefpolicy/policy/modules/services/dnsmasq.te 2010-06-18 13:07:19.000000000 -0400
-+++ serefpolicy-3.8.6/policy/modules/services/dnsmasq.te 2010-06-22 15:20:41.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2010-06-21 16:50:51.000000000 +0200
++++ serefpolicy-3.8.6/policy/modules/services/dnsmasq.te 2010-07-09 08:39:39.131385082 +0200
@@ -92,7 +92,11 @@
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
@@ -14404,9 +14466,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
')
optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.8.6/policy/modules/services/dovecot.fc
+--- nsaserefpolicy/policy/modules/services/dovecot.fc 2010-06-21 16:50:51.000000000 +0200
++++ serefpolicy-3.8.6/policy/modules/services/dovecot.fc 2010-07-09 08:49:36.123135184 +0200
+@@ -25,7 +25,7 @@
+ ifdef(`distro_redhat', `
+ /usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+ /usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+-/usr/libexec/dovecot/deliver-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
++/usr/libexec/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+ /usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.8.6/policy/modules/services/dovecot.if
---- nsaserefpolicy/policy/modules/services/dovecot.if 2010-05-25 16:28:22.000000000 -0400
-+++ serefpolicy-3.8.6/policy/modules/services/dovecot.if 2010-06-25 13:20:06.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/dovecot.if 2010-06-21 16:50:51.000000000 +0200
++++ serefpolicy-3.8.6/policy/modules/services/dovecot.if 2010-07-09 08:39:39.132385086 +0200
@@ -93,12 +93,14 @@
#
interface(`dovecot_admin',`
@@ -14449,8 +14523,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
admin_pattern($1, dovecot_var_run_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.8.6/policy/modules/services/dovecot.te
---- nsaserefpolicy/policy/modules/services/dovecot.te 2010-06-18 13:07:19.000000000 -0400
-+++ serefpolicy-3.8.6/policy/modules/services/dovecot.te 2010-06-21 10:53:58.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-06-21 16:50:51.000000000 +0200
++++ serefpolicy-3.8.6/policy/modules/services/dovecot.te 2010-07-09 16:23:37.808134293 +0200
@@ -58,7 +58,7 @@
allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot };
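Review bot: The file-context entry for `/usr/libexec/dovecot/deliver-lda` is replaced rather than kept next to the new `/usr/libexec/dovecot/dovecot-lda` line, so on a system where the older binary name is still installed that file would no longer be labelled `dovecot_deliver_exec_t`; I cannot tell from this hunk whether both names can coexist across the supported dovecot package versions. If they can, keeping both entries is the safer form: `/usr/libexec/dovecot/deliver-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)` left in place alongside the new line. If the old name is definitely gone, a short comment noting the rename would stop the next reviewer from asking the same question.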
@@ -14476,15 +14550,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
postfix_search_spool(dovecot_auth_t)
')
-@@ -302,4 +304,5 @@
+@@ -256,9 +258,15 @@
+ allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
+ allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
+
++allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
++
++can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
++
+ kernel_read_all_sysctls(dovecot_deliver_t)
+ kernel_read_system_state(dovecot_deliver_t)
+
++corecmd_exec_bin(dovecot_deliver_t)
++
+ files_read_etc_files(dovecot_deliver_t)
+ files_read_etc_runtime_files(dovecot_deliver_t)
+
+@@ -302,4 +310,5 @@
optional_policy(`
mta_manage_spool(dovecot_deliver_t)
+ mta_read_queue(dovecot_deliver_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.fc serefpolicy-3.8.6/policy/modules/services/exim.fc
---- nsaserefpolicy/policy/modules/services/exim.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.8.6/policy/modules/services/exim.fc 2010-06-21 10:53:58.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/exim.fc 2010-06-21 16:50:51.000000000 +0200
++++ serefpolicy-3.8.6/policy/modules/services/exim.fc 2010-07-09 08:39:39.134385024 +0200
@@ -1,3 +1,6 @@
+
+/etc/rc\.d/init\.d/exim -- gen_context(system_u:object_r:exim_initrc_exec_t,s0)
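Review bot: `corecmd_exec_bin(dovecot_deliver_t)` lets the delivery agent execute any `bin_t` program, and together with the new `can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)` there is no comment saying which helper the LDA actually spawns, so the grant will be hard to narrow later. Suggest a comment above it such as `# dovecot-lda executes <helper — TODO name it>; prefer a domain transition if the helper has its own domain`. The new `allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;` grants directory search only, so reads of the certificate files themselves stay denied — worth confirming that is the intent rather than an incomplete rule. The inner hunk `@@ -256,9 +258,15 @@` is shown in full here, but the rest of the `dovecot_deliver_t` policy is not.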
@@ -14493,8 +14583,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
/var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
/var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.8.6/policy/modules/services/exim.if
---- nsaserefpolicy/policy/modules/services/exim.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.8.6/policy/modules/services/exim.if 2010-06-21 10:53:58.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/exim.if 2010-06-21 16:50:51.000000000 +0200
++++ serefpolicy-3.8.6/policy/modules/services/exim.if 2010-07-09 08:39:39.135385098 +0200
@@ -20,6 +20,24 @@
########################################
@@ -14568,8 +14658,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
+ admin_pattern($1, exim_var_run_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.8.6/policy/modules/services/exim.te
---- nsaserefpolicy/policy/modules/services/exim.te 2010-06-18 13:07:19.000000000 -0400
-+++ serefpolicy-3.8.6/policy/modules/services/exim.te 2010-06-21 10:53:58.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/exim.te 2010-06-21 16:50:51.000000000 +0200
++++ serefpolicy-3.8.6/policy/modules/services/exim.te 2010-07-09 08:39:39.136384822 +0200
@@ -35,6 +35,9 @@
application_executable_file(exim_exec_t)
mta_agent_executable(exim_exec_t)
@@ -14592,8 +14682,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
mysql_stream_connect(exim_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.8.6/policy/modules/services/fail2ban.if
---- nsaserefpolicy/policy/modules/services/fail2ban.if 2010-03-18 06:48:09.000000000 -0400
-+++ serefpolicy-3.8.6/policy/modules/services/fail2ban.if 2010-06-21 10:53:58.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/fail2ban.if 2010-06-21 16:50:51.000000000 +0200
++++ serefpolicy-3.8.6/policy/modules/services/fail2ban.if 2010-07-09 08:39:39.137384686 +0200
@@ -138,6 +138,26 @@
########################################
@@ -14622,8 +14712,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
## an fail2ban environment
##