diff --git a/policy-20071130.patch b/policy-20071130.patch
index b0f80dd..e831024 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -1,6 +1,6 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.2.1/config/appconfig-mcs/default_contexts
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.2.2/config/appconfig-mcs/default_contexts
--- nsaserefpolicy/config/appconfig-mcs/default_contexts 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.1/config/appconfig-mcs/default_contexts 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/config/appconfig-mcs/default_contexts 2007-12-04 11:11:03.000000000 -0500
@@ -1,15 +1,9 @@
-system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0
-system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
@@ -26,23 +26,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default
+system_r:sysadm_su_t:s0 system_r:unconfined_t:s0
+system_r:unconfined_t:s0 system_r:unconfined_t:s0
+system_r:xdm_t:s0 system_r:unconfined_t:s0
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.2.1/config/appconfig-mcs/failsafe_context
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.2.2/config/appconfig-mcs/failsafe_context
--- nsaserefpolicy/config/appconfig-mcs/failsafe_context 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.1/config/appconfig-mcs/failsafe_context 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/config/appconfig-mcs/failsafe_context 2007-12-04 11:11:03.000000000 -0500
@@ -1 +1 @@
-sysadm_r:sysadm_t:s0
+system_r:unconfined_t:s0
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts serefpolicy-3.2.1/config/appconfig-mcs/guest_u_default_contexts
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts serefpolicy-3.2.2/config/appconfig-mcs/guest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.1/config/appconfig-mcs/guest_u_default_contexts 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/config/appconfig-mcs/guest_u_default_contexts 2007-12-04 11:11:03.000000000 -0500
@@ -0,0 +1,4 @@
+system_r:local_login_t:s0 guest_r:guest_t:s0
+system_r:remote_login_t:s0 guest_r:guest_t:s0
+system_r:sshd_t:s0 guest_r:guest_t:s0
+system_r:crond_t:s0 guest_r:guest_crond_t:s0
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.2.1/config/appconfig-mcs/root_default_contexts
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.2.2/config/appconfig-mcs/root_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/root_default_contexts 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.1/config/appconfig-mcs/root_default_contexts 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/config/appconfig-mcs/root_default_contexts 2007-12-04 11:11:03.000000000 -0500
@@ -1,11 +1,10 @@
-system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
-system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
@@ -62,23 +62,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_de
-#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.2.1/config/appconfig-mcs/seusers
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.2.2/config/appconfig-mcs/seusers
--- nsaserefpolicy/config/appconfig-mcs/seusers 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.1/config/appconfig-mcs/seusers 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/config/appconfig-mcs/seusers 2007-12-04 11:11:03.000000000 -0500
@@ -1,3 +1,2 @@
-system_u:system_u:s0-mcs_systemhigh
root:root:s0-mcs_systemhigh
-__default__:user_u:s0
+__default__:system_u:s0
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.2.1/config/appconfig-mcs/userhelper_context
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.2.2/config/appconfig-mcs/userhelper_context
--- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.1/config/appconfig-mcs/userhelper_context 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/config/appconfig-mcs/userhelper_context 2007-12-04 11:11:03.000000000 -0500
@@ -1 +1 @@
-system_u:sysadm_r:sysadm_t:s0
+system_u:system_r:unconfined_t:s0
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.2.1/config/appconfig-mcs/user_u_default_contexts
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.2.2/config/appconfig-mcs/user_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts 2007-11-05 10:28:59.000000000 -0500
-+++ serefpolicy-3.2.1/config/appconfig-mcs/user_u_default_contexts 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/config/appconfig-mcs/user_u_default_contexts 2007-12-04 11:11:03.000000000 -0500
@@ -1,8 +1,7 @@
-system_r:local_login_t:s0 user_r:user_t:s0
-system_r:remote_login_t:s0 user_r:user_t:s0
@@ -95,18 +95,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_
+system_r:xdm_t:s0 system_r:unconfined_t:s0 user_r:user_t:s0
+user_r:user_su_t:s0 system_r:unconfined_t:s0 user_r:user_t:s0
+user_r:user_sudo_t:s0 system_r:unconfined_t:s0 user_r:user_t:s0
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.2.1/config/appconfig-mcs/xguest_u_default_contexts
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.2.2/config/appconfig-mcs/xguest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.1/config/appconfig-mcs/xguest_u_default_contexts 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/config/appconfig-mcs/xguest_u_default_contexts 2007-12-04 11:11:03.000000000 -0500
@@ -0,0 +1,5 @@
+system_r:local_login_t xguest_r:xguest_t:s0
+system_r:remote_login_t xguest_r:xguest_t:s0
+system_r:sshd_t xguest_r:xguest_t:s0
+system_r:crond_t xguest_r:xguest_crond_t:s0
+system_r:xdm_t xguest_r:xguest_t:s0
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.2.1/config/appconfig-mls/default_contexts
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.2.2/config/appconfig-mls/default_contexts
--- nsaserefpolicy/config/appconfig-mls/default_contexts 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.1/config/appconfig-mls/default_contexts 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/config/appconfig-mls/default_contexts 2007-12-04 11:11:03.000000000 -0500
@@ -1,15 +1,12 @@
-system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0
-system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
@@ -134,34 +134,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default
-user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
+staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts serefpolicy-3.2.1/config/appconfig-mls/guest_u_default_contexts
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts serefpolicy-3.2.2/config/appconfig-mls/guest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.1/config/appconfig-mls/guest_u_default_contexts 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/config/appconfig-mls/guest_u_default_contexts 2007-12-04 11:11:03.000000000 -0500
@@ -0,0 +1,4 @@
+system_r:local_login_t:s0 guest_r:guest_t:s0
+system_r:remote_login_t:s0 guest_r:guest_t:s0
+system_r:sshd_t:s0 guest_r:guest_t:s0
+system_r:crond_t:s0 guest_r:guest_crond_t:s0
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts serefpolicy-3.2.1/config/appconfig-standard/guest_u_default_contexts
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts serefpolicy-3.2.2/config/appconfig-standard/guest_u_default_contexts
--- nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.1/config/appconfig-standard/guest_u_default_contexts 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/config/appconfig-standard/guest_u_default_contexts 2007-12-04 11:11:03.000000000 -0500
@@ -0,0 +1,4 @@
+system_r:local_login_t guest_r:guest_t
+system_r:remote_login_t guest_r:guest_t
+system_r:sshd_t guest_r:guest_t
+system_r:crond_t guest_r:guest_crond_t
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts serefpolicy-3.2.1/config/appconfig-standard/xguest_u_default_contexts
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts serefpolicy-3.2.2/config/appconfig-standard/xguest_u_default_contexts
--- nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.1/config/appconfig-standard/xguest_u_default_contexts 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/config/appconfig-standard/xguest_u_default_contexts 2007-12-04 11:11:03.000000000 -0500
@@ -0,0 +1,5 @@
+system_r:local_login_t xguest_r:xguest_t
+system_r:remote_login_t xguest_r:xguest_t
+system_r:sshd_t xguest_r:xguest_t
+system_r:crond_t xguest_r:xguest_crond_t
+system_r:xdm_t xguest_r:xguest_t
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.2.1/policy/flask/access_vectors
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.2.2/policy/flask/access_vectors
--- nsaserefpolicy/policy/flask/access_vectors 2007-08-11 06:22:29.000000000 -0400
-+++ serefpolicy-3.2.1/policy/flask/access_vectors 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/flask/access_vectors 2007-12-04 11:11:03.000000000 -0500
@@ -639,6 +639,8 @@
send
recv
@@ -171,9 +171,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors
}
class key
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.2.1/policy/global_tunables
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.2.2/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.1/policy/global_tunables 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/global_tunables 2007-12-04 11:11:03.000000000 -0500
@@ -6,38 +6,35 @@
## <desc>
@@ -257,9 +257,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref
+gen_tunable(allow_console_login,false)
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc serefpolicy-3.2.1/policy/modules/admin/alsa.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc serefpolicy-3.2.2/policy/modules/admin/alsa.fc
--- nsaserefpolicy/policy/modules/admin/alsa.fc 2007-10-29 18:02:32.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/admin/alsa.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/admin/alsa.fc 2007-12-04 11:11:03.000000000 -0500
@@ -1,8 +1,11 @@
+/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
@@ -274,9 +274,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc
+/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
+/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
+/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.2.1/policy/modules/admin/alsa.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.2.2/policy/modules/admin/alsa.if
--- nsaserefpolicy/policy/modules/admin/alsa.if 2007-01-02 12:57:51.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/admin/alsa.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/admin/alsa.if 2007-12-04 11:11:03.000000000 -0500
@@ -74,3 +74,21 @@
read_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)
read_lnk_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)
@@ -299,9 +299,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if
+
+ read_files_pattern($1,alsa_var_lib_t,alsa_var_lib_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.2.1/policy/modules/admin/alsa.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.2.2/policy/modules/admin/alsa.te
--- nsaserefpolicy/policy/modules/admin/alsa.te 2007-10-29 18:02:32.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/admin/alsa.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/admin/alsa.te 2007-12-04 11:11:03.000000000 -0500
@@ -8,12 +8,15 @@
type alsa_t;
@@ -346,9 +346,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
optional_policy(`
nscd_socket_use(alsa_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.2.1/policy/modules/admin/anaconda.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.2.2/policy/modules/admin/anaconda.te
--- nsaserefpolicy/policy/modules/admin/anaconda.te 2007-01-02 12:57:51.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/admin/anaconda.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/admin/anaconda.te 2007-12-04 11:11:03.000000000 -0500
@@ -31,16 +31,13 @@
modutils_domtrans_insmod(anaconda_t)
@@ -367,18 +367,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anacond
kudzu_domtrans(anaconda_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.2.1/policy/modules/admin/brctl.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.2.2/policy/modules/admin/brctl.te
--- nsaserefpolicy/policy/modules/admin/brctl.te 2007-10-23 07:37:52.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/admin/brctl.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/admin/brctl.te 2007-12-04 11:11:03.000000000 -0500
@@ -40,4 +40,5 @@
optional_policy(`
xen_append_log(brctl_t)
+ xen_dontaudit_rw_unix_stream_sockets(brctl_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.2.1/policy/modules/admin/consoletype.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.2.2/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/admin/consoletype.te 2007-11-30 11:44:01.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/admin/consoletype.te 2007-12-04 11:11:03.000000000 -0500
@@ -8,9 +8,11 @@
type consoletype_t;
@@ -425,9 +425,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console
xen_dontaudit_use_fds(consoletype_t)
')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.2.1/policy/modules/admin/firstboot.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.2.2/policy/modules/admin/firstboot.te
--- nsaserefpolicy/policy/modules/admin/firstboot.te 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/admin/firstboot.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/admin/firstboot.te 2007-12-04 11:11:03.000000000 -0500
@@ -120,6 +120,10 @@
usermanage_domtrans_admin_passwd(firstboot_t)
')
@@ -447,18 +447,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstbo
- domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t)
-')
') dnl end TODO
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.fc serefpolicy-3.2.1/policy/modules/admin/kismet.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.fc serefpolicy-3.2.2/policy/modules/admin/kismet.fc
--- nsaserefpolicy/policy/modules/admin/kismet.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/admin/kismet.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/admin/kismet.fc 2007-12-04 11:11:03.000000000 -0500
@@ -0,0 +1,5 @@
+
+/usr/bin/kismet -- gen_context(system_u:object_r:kismet_exec_t,s0)
+/var/run/kismet_server.pid -- gen_context(system_u:object_r:kismet_var_run_t,s0)
+/var/lib/kismet(/.*)? gen_context(system_u:object_r:kismet_var_lib_t,s0)
+/var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.2.1/policy/modules/admin/kismet.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.2.2/policy/modules/admin/kismet.if
--- nsaserefpolicy/policy/modules/admin/kismet.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/admin/kismet.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/admin/kismet.if 2007-12-04 11:11:03.000000000 -0500
@@ -0,0 +1,275 @@
+
+## <summary>policy for kismet</summary>
@@ -735,9 +735,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
+ kismet_manage_log($2)
+
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.2.1/policy/modules/admin/kismet.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.2.2/policy/modules/admin/kismet.te
--- nsaserefpolicy/policy/modules/admin/kismet.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/admin/kismet.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/admin/kismet.te 2007-12-04 11:11:03.000000000 -0500
@@ -0,0 +1,58 @@
+policy_module(kismet,1.0.0)
+
@@ -797,9 +797,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
+allow kismet_t kismet_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(kismet_t,kismet_log_t,{ file dir })
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.2.1/policy/modules/admin/kudzu.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.2.2/policy/modules/admin/kudzu.te
--- nsaserefpolicy/policy/modules/admin/kudzu.te 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/admin/kudzu.te 2007-11-30 11:35:54.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/admin/kudzu.te 2007-12-04 11:11:03.000000000 -0500
@@ -21,8 +21,8 @@
# Local policy
#
@@ -859,9 +859,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.t
-')
-allow kudzu_t cupsd_rw_etc_t:dir list_dir_perms;
-')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.2.1/policy/modules/admin/logrotate.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.2.2/policy/modules/admin/logrotate.te
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/admin/logrotate.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/admin/logrotate.te 2007-12-04 11:11:03.000000000 -0500
@@ -96,6 +96,7 @@
files_read_etc_files(logrotate_t)
files_read_etc_runtime_files(logrotate_t)
@@ -870,9 +870,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
# Write to /var/spool/slrnpull - should be moved into its own type.
files_manage_generic_spool(logrotate_t)
files_manage_generic_spool_dirs(logrotate_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.2.1/policy/modules/admin/logwatch.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.2.2/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2007-10-23 07:37:52.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/admin/logwatch.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/admin/logwatch.te 2007-12-04 11:11:03.000000000 -0500
@@ -59,10 +59,8 @@
files_read_usr_files(logwatch_t)
files_search_spool(logwatch_t)
@@ -901,9 +901,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
samba_read_log(logwatch_t)
+ samba_read_share_files(logwatch_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.2.1/policy/modules/admin/netutils.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.2.2/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/admin/netutils.te 2007-11-30 11:37:19.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/admin/netutils.te 2007-12-04 11:11:03.000000000 -0500
@@ -94,6 +94,10 @@
')
@@ -930,9 +930,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
corenet_tcp_sendrecv_all_nodes(ping_t)
corenet_tcp_sendrecv_all_ports(ping_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.2.1/policy/modules/admin/prelink.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.2.2/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/admin/prelink.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/admin/prelink.te 2007-12-04 11:11:03.000000000 -0500
@@ -26,7 +26,7 @@
# Local policy
#
@@ -990,9 +990,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
+optional_policy(`
+ unconfined_domain(prelink_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.2.1/policy/modules/admin/rpm.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.2.2/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/admin/rpm.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/admin/rpm.fc 2007-12-04 11:11:03.000000000 -0500
@@ -11,6 +11,7 @@
/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -1011,9 +1011,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc
')
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.2.1/policy/modules/admin/rpm.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.2.2/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2007-05-18 11:12:44.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/admin/rpm.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/admin/rpm.if 2007-12-04 11:11:03.000000000 -0500
@@ -152,6 +152,24 @@
########################################
@@ -1207,29 +1207,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
+ read_lnk_files_pattern($1,rpm_tmpfs_t,rpm_tmpfs_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.2.1/policy/modules/admin/rpm.te
---- nsaserefpolicy/policy/modules/admin/rpm.te 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/admin/rpm.te 2007-12-03 13:19:43.000000000 -0500
-@@ -139,6 +139,7 @@
- auth_relabel_all_files_except_shadow(rpm_t)
- auth_manage_all_files_except_shadow(rpm_t)
- auth_dontaudit_read_shadow(rpm_t)
-+auth_use_nsswitch(rpm_t)
-
- # transition to rpm script:
- rpm_domtrans_script(rpm_t)
-@@ -180,11 +181,17 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.2.2/policy/modules/admin/rpm.te
+--- nsaserefpolicy/policy/modules/admin/rpm.te 2007-12-04 11:02:51.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/admin/rpm.te 2007-12-04 11:52:42.000000000 -0500
+@@ -179,7 +179,17 @@
')
optional_policy(`
- hal_dbus_chat(rpm_t)
--')
+ optional_policy(`
+ hal_dbus_chat(rpm_t)
+ ')
-
--optional_policy(`
-- nis_use_ypbind(rpm_t)
++
+ optional_policy(`
+ networkmanager_dbus_chat(rpm_t)
+ ')
@@ -1240,7 +1229,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
')
optional_policy(`
-@@ -195,6 +202,7 @@
+@@ -190,6 +200,7 @@
unconfined_domain(rpm_t)
# yum-updatesd requires this
unconfined_dbus_chat(rpm_t)
@@ -1248,7 +1237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
')
ifdef(`TODO',`
-@@ -221,7 +229,7 @@
+@@ -216,7 +227,7 @@
#
allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
@@ -1257,15 +1246,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
allow rpm_script_t self:fd use;
allow rpm_script_t self:fifo_file rw_fifo_file_perms;
allow rpm_script_t self:unix_dgram_socket create_socket_perms;
-@@ -289,6 +297,7 @@
- auth_dontaudit_getattr_shadow(rpm_script_t)
- # ideally we would not need this
- auth_manage_all_files_except_shadow(rpm_script_t)
-+auth_use_nsswitch(rpm_script_t)
-
- corecmd_exec_all_executables(rpm_script_t)
-
-@@ -321,6 +330,7 @@
+@@ -317,6 +328,7 @@
seutil_domtrans_loadpolicy(rpm_script_t)
seutil_domtrans_setfiles(rpm_script_t)
seutil_domtrans_semanage(rpm_script_t)
@@ -1273,18 +1254,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
userdom_use_all_users_fds(rpm_script_t)
-@@ -339,10 +349,6 @@
- ')
-
- optional_policy(`
-- nis_use_ypbind(rpm_script_t)
--')
--
--optional_policy(`
- tzdata_domtrans(rpm_t)
- tzdata_domtrans(rpm_script_t)
- ')
-@@ -350,6 +356,7 @@
+@@ -342,6 +354,7 @@
optional_policy(`
unconfined_domain(rpm_script_t)
unconfined_domtrans(rpm_script_t)
@@ -1292,9 +1262,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
optional_policy(`
java_domtrans(rpm_script_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.2.1/policy/modules/admin/sudo.if
---- nsaserefpolicy/policy/modules/admin/sudo.if 2007-07-23 10:20:14.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/admin/sudo.if 2007-11-30 11:23:56.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.2.2/policy/modules/admin/sudo.if
+--- nsaserefpolicy/policy/modules/admin/sudo.if 2007-12-04 11:02:51.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/admin/sudo.if 2007-12-04 11:58:48.000000000 -0500
@@ -55,7 +55,7 @@
#
@@ -1304,15 +1274,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if
allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_sudo_t self:process { setexec setrlimit };
allow $1_sudo_t self:fd use;
-@@ -68,7 +68,6 @@
+@@ -68,27 +68,27 @@
allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
allow $1_sudo_t self:unix_dgram_socket sendto;
allow $1_sudo_t self:unix_stream_socket connectto;
- allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
- allow $1_sudo_t self:netlink_route_socket r_netlink_socket_perms;
# Enter this derived domain from the user domain
-@@ -76,20 +75,22 @@
+ domtrans_pattern($2, sudo_exec_t, $1_sudo_t)
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_sudo_t,$2)
@@ -1331,13 +1300,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if
fs_getattr_xattr_fs($1_sudo_t)
- auth_domtrans_chk_passwd($1_sudo_t)
-+ auth_use_nsswitch($1_sudo_t)
+ auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t })
+ auth_run_upd_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t })
# sudo stores a token in the pam_pid directory
auth_manage_pam_pid($1_sudo_t)
-
-@@ -106,12 +107,14 @@
+ auth_use_nsswitch($1_sudo_t)
+@@ -106,12 +106,14 @@
files_getattr_usr_files($1_sudo_t)
# for some PAM modules and for cwd
files_dontaudit_search_home($1_sudo_t)
@@ -1352,18 +1320,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if
logging_send_syslog_msg($1_sudo_t)
miscfiles_read_localization($1_sudo_t)
-@@ -125,21 +128,4 @@
+@@ -125,13 +127,4 @@
# for some PAM modules and for cwd
userdom_dontaudit_search_all_users_home_content($1_sudo_t)
-- optional_policy(`
-- nis_use_ypbind($1_sudo_t)
-- ')
--
-- optional_policy(`
-- nscd_socket_use($1_sudo_t)
-- ')
--
- ifdef(`TODO',`
- # for when the network connection is killed
- dontaudit unpriv_userdomain $1_sudo_t:process signal;
@@ -1374,9 +1334,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if
-
- ') dnl end TODO
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.2.1/policy/modules/admin/su.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.2.2/policy/modules/admin/su.if
--- nsaserefpolicy/policy/modules/admin/su.if 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/admin/su.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/admin/su.if 2007-12-04 11:11:03.000000000 -0500
@@ -41,12 +41,11 @@
allow $2 $1_su_t:process signal;
@@ -1476,9 +1436,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
')
#######################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.2.1/policy/modules/admin/tmpreaper.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.2.2/policy/modules/admin/tmpreaper.te
--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2007-10-02 09:54:52.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/admin/tmpreaper.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/admin/tmpreaper.te 2007-12-04 11:11:03.000000000 -0500
@@ -28,6 +28,7 @@
files_purge_tmp(tmpreaper_t)
# why does it need setattr?
@@ -1498,35 +1458,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap
lpd_manage_spool(tmpreaper_t)
')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.2.1/policy/modules/admin/usermanage.te
---- nsaserefpolicy/policy/modules/admin/usermanage.te 2007-10-23 07:37:52.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/admin/usermanage.te 2007-11-30 13:59:13.000000000 -0500
-@@ -92,7 +92,9 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.2.2/policy/modules/admin/usermanage.te
+--- nsaserefpolicy/policy/modules/admin/usermanage.te 2007-12-04 11:02:51.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/admin/usermanage.te 2007-12-04 11:11:03.000000000 -0500
+@@ -92,6 +92,7 @@
dev_read_urand(chfn_t)
auth_domtrans_chk_passwd(chfn_t)
+auth_domtrans_upd_passwd(chfn_t)
auth_dontaudit_read_shadow(chfn_t)
-+auth_use_nsswitch(chfn_t)
-
- # allow checking if a shell is executable
- corecmd_check_exec_shell(chfn_t)
-@@ -123,14 +125,6 @@
- # on user home dir
- userdom_dontaudit_search_all_users_home_content(chfn_t)
+ auth_use_nsswitch(chfn_t)
--optional_policy(`
-- nis_use_ypbind(chfn_t)
--')
--
--optional_policy(`
-- nscd_socket_use(chfn_t)
--')
--
- ########################################
- #
- # Crack local policy
-@@ -297,9 +291,11 @@
+@@ -290,6 +291,7 @@
term_use_all_user_ttys(passwd_t)
term_use_all_user_ptys(passwd_t)
@@ -1534,11 +1477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
auth_manage_shadow(passwd_t)
auth_relabel_shadow(passwd_t)
auth_etc_filetrans_shadow(passwd_t)
-+auth_use_nsswitch(passwd_t)
-
- # allow checking if a shell is executable
- corecmd_check_exec_shell(passwd_t)
-@@ -315,6 +311,7 @@
+@@ -309,6 +311,7 @@
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(passwd_t)
@@ -1546,39 +1485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
libs_use_ld_so(passwd_t)
libs_use_shared_libs(passwd_t)
-@@ -335,11 +332,6 @@
- userdom_dontaudit_search_all_users_home_content(passwd_t)
-
- optional_policy(`
-- nis_use_ypbind(passwd_t)
--')
--
--optional_policy(`
-- nscd_socket_use(passwd_t)
- nscd_domtrans(passwd_t)
- ')
-
-@@ -393,6 +385,7 @@
- auth_manage_shadow(sysadm_passwd_t)
- auth_relabel_shadow(sysadm_passwd_t)
- auth_etc_filetrans_shadow(sysadm_passwd_t)
-+auth_use_nsswitch(sysadm_passwd_t)
-
- # allow vipw to exec the editor
- corecmd_exec_bin(sysadm_passwd_t)
-@@ -426,11 +419,6 @@
- userdom_dontaudit_search_all_users_home_content(sysadm_passwd_t)
-
- optional_policy(`
-- nis_use_ypbind(sysadm_passwd_t)
--')
--
--optional_policy(`
-- nscd_socket_use(sysadm_passwd_t)
- nscd_domtrans(sysadm_passwd_t)
- ')
-
-@@ -533,6 +521,12 @@
+@@ -518,6 +521,12 @@
')
optional_policy(`
@@ -1591,18 +1498,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.fc serefpolicy-3.2.1/policy/modules/admin/vpn.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.fc serefpolicy-3.2.2/policy/modules/admin/vpn.fc
--- nsaserefpolicy/policy/modules/admin/vpn.fc 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/admin/vpn.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/admin/vpn.fc 2007-12-04 11:11:03.000000000 -0500
@@ -7,3 +7,5 @@
# sbin
#
/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
+
+/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if serefpolicy-3.2.1/policy/modules/admin/vpn.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if serefpolicy-3.2.2/policy/modules/admin/vpn.if
--- nsaserefpolicy/policy/modules/admin/vpn.if 2007-01-02 12:57:51.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/admin/vpn.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/admin/vpn.if 2007-12-04 11:11:03.000000000 -0500
@@ -67,3 +67,25 @@
allow $1 vpnc_t:process signal;
@@ -1629,10 +1536,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if
+ allow vpnc_t $1:dbus send_msg;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.2.1/policy/modules/admin/vpn.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.2.2/policy/modules/admin/vpn.te
--- nsaserefpolicy/policy/modules/admin/vpn.te 2007-10-29 07:52:50.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/admin/vpn.te 2007-11-30 11:23:56.000000000 -0500
-@@ -22,7 +22,7 @@
++++ serefpolicy-3.2.2/policy/modules/admin/vpn.te 2007-12-04 11:59:24.000000000 -0500
+@@ -22,10 +22,9 @@
# Local policy
#
@@ -1640,8 +1547,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te
+allow vpnc_t self:capability { dac_override net_admin ipc_lock net_raw };
allow vpnc_t self:process getsched;
allow vpnc_t self:fifo_file { getattr ioctl read write };
- allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
-@@ -38,8 +38,9 @@
+-allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
+ allow vpnc_t self:tcp_socket create_stream_socket_perms;
+ allow vpnc_t self:udp_socket create_socket_perms;
+ allow vpnc_t self:rawip_socket create_socket_perms;
+@@ -38,8 +37,9 @@
manage_files_pattern(vpnc_t,vpnc_tmp_t,vpnc_tmp_t)
files_tmp_filetrans(vpnc_t, vpnc_tmp_t, { file dir })
@@ -1652,7 +1562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te
kernel_read_system_state(vpnc_t)
kernel_read_network_state(vpnc_t)
-@@ -59,6 +60,7 @@
+@@ -59,6 +59,7 @@
corenet_udp_bind_all_nodes(vpnc_t)
corenet_udp_bind_generic_port(vpnc_t)
corenet_udp_bind_isakmp_port(vpnc_t)
@@ -1660,7 +1570,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te
corenet_tcp_connect_all_ports(vpnc_t)
corenet_sendrecv_all_client_packets(vpnc_t)
corenet_sendrecv_isakmp_server_packets(vpnc_t)
-@@ -90,13 +92,14 @@
+@@ -82,6 +83,8 @@
+ files_read_etc_files(vpnc_t)
+ files_dontaudit_search_home(vpnc_t)
+
++auth_use_nsswitch(vpnc_t)
++
+ libs_exec_ld_so(vpnc_t)
+ libs_exec_lib_files(vpnc_t)
+ libs_use_ld_so(vpnc_t)
+@@ -90,13 +93,14 @@
locallogin_use_fds(vpnc_t)
logging_send_syslog_msg(vpnc_t)
@@ -1676,18 +1595,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te
sysnet_etc_filetrans_config(vpnc_t)
sysnet_manage_config(vpnc_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.fc serefpolicy-3.2.1/policy/modules/apps/ethereal.fc
+@@ -111,10 +115,3 @@
+ ')
+ ')
+
+-optional_policy(`
+- nis_use_ypbind(vpnc_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(vpnc_t)
+-')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.fc serefpolicy-3.2.2/policy/modules/apps/ethereal.fc
--- nsaserefpolicy/policy/modules/apps/ethereal.fc 2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/ethereal.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/ethereal.fc 2007-12-04 11:11:03.000000000 -0500
@@ -1,4 +1,4 @@
-HOME_DIR/\.ethereal(/.*)? gen_context(system_u:object_r:ROLE_ethereal_home_t,s0)
+HOME_DIR/\.ethereal(/.*)? gen_context(system_u:object_r:user_ethereal_home_t,s0)
/usr/sbin/ethereal.* -- gen_context(system_u:object_r:ethereal_exec_t,s0)
/usr/sbin/tethereal.* -- gen_context(system_u:object_r:tethereal_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.if serefpolicy-3.2.1/policy/modules/apps/ethereal.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.if serefpolicy-3.2.2/policy/modules/apps/ethereal.if
--- nsaserefpolicy/policy/modules/apps/ethereal.if 2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/ethereal.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/ethereal.if 2007-12-04 11:11:03.000000000 -0500
@@ -48,12 +48,10 @@
application_domain($1_ethereal_t,ethereal_exec_t)
role $3 types $1_ethereal_t;
@@ -1723,9 +1653,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal
')
#######################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.te serefpolicy-3.2.1/policy/modules/apps/ethereal.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.te serefpolicy-3.2.2/policy/modules/apps/ethereal.te
--- nsaserefpolicy/policy/modules/apps/ethereal.te 2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/ethereal.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/ethereal.te 2007-12-04 11:11:03.000000000 -0500
@@ -16,6 +16,13 @@
type tethereal_tmp_t;
files_tmp_file(tethereal_tmp_t)
@@ -1740,9 +1670,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal
########################################
#
# Tethereal policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/evolution.fc serefpolicy-3.2.1/policy/modules/apps/evolution.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/evolution.fc serefpolicy-3.2.2/policy/modules/apps/evolution.fc
--- nsaserefpolicy/policy/modules/apps/evolution.fc 2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/evolution.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/evolution.fc 2007-12-04 11:11:03.000000000 -0500
@@ -2,13 +2,13 @@
# HOME_DIR/
#
@@ -1760,18 +1690,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/evolutio
#
# /usr
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.fc serefpolicy-3.2.1/policy/modules/apps/gift.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.fc serefpolicy-3.2.2/policy/modules/apps/gift.fc
--- nsaserefpolicy/policy/modules/apps/gift.fc 2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/gift.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/gift.fc 2007-12-04 11:11:03.000000000 -0500
@@ -1,4 +1,4 @@
-HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:ROLE_gift_home_t,s0)
+HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:user_gift_home_t,s0)
/usr/(local/)?bin/apollon -- gen_context(system_u:object_r:gift_exec_t,s0)
/usr/(local/)?bin/giftd -- gen_context(system_u:object_r:giftd_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.if serefpolicy-3.2.1/policy/modules/apps/gift.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.if serefpolicy-3.2.2/policy/modules/apps/gift.if
--- nsaserefpolicy/policy/modules/apps/gift.if 2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/gift.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/gift.if 2007-12-04 11:11:03.000000000 -0500
@@ -43,9 +43,9 @@
application_domain($1_gift_t,gift_exec_t)
role $3 types $1_gift_t;
@@ -1834,9 +1764,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.if
domtrans_pattern($2, giftd_exec_t, $1_giftd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.te serefpolicy-3.2.1/policy/modules/apps/gift.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.te serefpolicy-3.2.2/policy/modules/apps/gift.te
--- nsaserefpolicy/policy/modules/apps/gift.te 2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/gift.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/gift.te 2007-12-04 11:11:03.000000000 -0500
@@ -11,3 +11,7 @@
type giftd_exec_t;
@@ -1845,9 +1775,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.te
+type user_gift_home_t alias user_gift_rw_t;
+userdom_user_home_content(user,user_gift_home_t)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.2.1/policy/modules/apps/gnome.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.2.2/policy/modules/apps/gnome.fc
--- nsaserefpolicy/policy/modules/apps/gnome.fc 2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/gnome.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/gnome.fc 2007-12-04 11:11:03.000000000 -0500
@@ -1,8 +1,7 @@
-HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:ROLE_gnome_home_t,s0)
-HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:ROLE_gconf_home_t,s0)
@@ -1861,9 +1791,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc
+/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:user_gconf_tmp_t,s0)
/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.2.1/policy/modules/apps/gnome.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.2.2/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/gnome.if 2007-11-30 11:28:22.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/gnome.if 2007-12-04 11:11:03.000000000 -0500
@@ -33,9 +33,56 @@
## </param>
#
@@ -2090,9 +2020,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
+ can_exec($1, gconfd_exec_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.2.1/policy/modules/apps/gnome.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.2.2/policy/modules/apps/gnome.te
--- nsaserefpolicy/policy/modules/apps/gnome.te 2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/gnome.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/gnome.te 2007-12-04 11:11:03.000000000 -0500
@@ -8,8 +8,15 @@
attribute gnomedomain;
@@ -2112,18 +2042,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te
+
+type user_gconf_tmp_t;
+files_tmp_file(user_gconf_tmp_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.2.1/policy/modules/apps/gpg.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.2.2/policy/modules/apps/gpg.fc
--- nsaserefpolicy/policy/modules/apps/gpg.fc 2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/gpg.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/gpg.fc 2007-12-04 11:11:03.000000000 -0500
@@ -1,4 +1,4 @@
-HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:ROLE_gpg_secret_t,s0)
+HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:user_gpg_secret_t,s0)
/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.fc serefpolicy-3.2.1/policy/modules/apps/irc.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.fc serefpolicy-3.2.2/policy/modules/apps/irc.fc
--- nsaserefpolicy/policy/modules/apps/irc.fc 2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/irc.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/irc.fc 2007-12-04 11:11:03.000000000 -0500
@@ -1,7 +1,7 @@
#
# /home
@@ -2133,9 +2063,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.fc s
#
# /usr
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.if serefpolicy-3.2.1/policy/modules/apps/irc.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.if serefpolicy-3.2.2/policy/modules/apps/irc.if
--- nsaserefpolicy/policy/modules/apps/irc.if 2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/irc.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/irc.if 2007-12-04 11:11:03.000000000 -0500
@@ -50,12 +50,11 @@
userdom_user_home_content($1,$1_irc_exec_t)
application_domain($1_irc_t,$1_irc_exec_t)
@@ -2182,9 +2112,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.if s
# Transition from the user domain to the derived domain.
domtrans_pattern($2,irc_exec_t,$1_irc_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.te serefpolicy-3.2.1/policy/modules/apps/irc.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.te serefpolicy-3.2.2/policy/modules/apps/irc.te
--- nsaserefpolicy/policy/modules/apps/irc.te 2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/irc.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/irc.te 2007-12-04 11:11:03.000000000 -0500
@@ -8,3 +8,10 @@
type irc_exec_t;
@@ -2196,9 +2126,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.te s
+type user_irc_tmp_t;
+userdom_user_home_content(user,user_irc_tmp_t)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.2.1/policy/modules/apps/java.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.2.2/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2007-03-01 10:01:48.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/apps/java.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/java.fc 2007-12-04 11:11:03.000000000 -0500
@@ -11,6 +11,7 @@
#
/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
@@ -2219,9 +2149,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc
+
+/usr/lib(64)?/openoffice\.org/program/soffice\.bin -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.2.1/policy/modules/apps/java.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.2.2/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/java.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/java.if 2007-12-04 11:11:03.000000000 -0500
@@ -32,7 +32,7 @@
## </summary>
## </param>
@@ -2377,9 +2307,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if
+ role $2 types java_t;
+ allow java_t $3:chr_file rw_term_perms;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.2.1/policy/modules/apps/java.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.2.2/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te 2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/java.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/java.te 2007-12-04 11:11:03.000000000 -0500
@@ -6,13 +6,6 @@
# Declarations
#
@@ -2421,18 +2351,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te
+optional_policy(`
+ xserver_xdm_rw_shm(java_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.2.1/policy/modules/apps/loadkeys.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.2.2/policy/modules/apps/loadkeys.te
--- nsaserefpolicy/policy/modules/apps/loadkeys.te 2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/loadkeys.te 2007-12-01 08:16:19.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/loadkeys.te 2007-12-04 11:11:03.000000000 -0500
@@ -44,3 +44,5 @@
optional_policy(`
nscd_dontaudit_search_pid(loadkeys_t)
')
+
+userdom_dontaudit_write_unpriv_user_home_content_files(loadkeys_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.2.1/policy/modules/apps/mono.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.2.2/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2007-01-02 12:57:22.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/apps/mono.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/mono.if 2007-12-04 11:11:03.000000000 -0500
@@ -18,3 +18,105 @@
corecmd_search_bin($1)
domtrans_pattern($1, mono_exec_t, mono_t)
@@ -2539,9 +2469,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if
+ xserver_xdm_rw_shm($1_mono_t)
+ ')
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.2.1/policy/modules/apps/mono.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.2.2/policy/modules/apps/mono.te
--- nsaserefpolicy/policy/modules/apps/mono.te 2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/mono.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/mono.te 2007-12-04 11:11:03.000000000 -0500
@@ -15,7 +15,7 @@
# Local policy
#
@@ -2559,9 +2489,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te
+optional_policy(`
+ xserver_xdm_rw_shm(mono_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.2.1/policy/modules/apps/mozilla.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.2.2/policy/modules/apps/mozilla.fc
--- nsaserefpolicy/policy/modules/apps/mozilla.fc 2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/mozilla.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/mozilla.fc 2007-12-04 11:11:03.000000000 -0500
@@ -1,8 +1,8 @@
-HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
@@ -2576,9 +2506,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
#
# /bin
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.2.1/policy/modules/apps/mozilla.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.2.2/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-10-29 07:52:48.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/mozilla.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/mozilla.if 2007-12-04 11:11:03.000000000 -0500
@@ -35,7 +35,10 @@
template(`mozilla_per_role_template',`
gen_require(`
@@ -2989,9 +2919,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
+
+ allow $2 $1_mozilla_t:unix_stream_socket connectto;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.2.1/policy/modules/apps/mozilla.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.2.2/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/mozilla.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/mozilla.te 2007-12-04 11:11:03.000000000 -0500
@@ -6,15 +6,15 @@
# Declarations
#
@@ -3015,18 +2945,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
+
+type user_mozilla_tmp_t;
+files_tmp_file(user_mozilla_tmp_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.fc serefpolicy-3.2.1/policy/modules/apps/mplayer.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.fc serefpolicy-3.2.2/policy/modules/apps/mplayer.fc
--- nsaserefpolicy/policy/modules/apps/mplayer.fc 2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/mplayer.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/mplayer.fc 2007-12-04 11:11:03.000000000 -0500
@@ -10,4 +10,4 @@
/usr/bin/mencoder -- gen_context(system_u:object_r:mencoder_exec_t,s0)
/usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0)
-HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:ROLE_mplayer_home_t,s0)
+HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:user_mplayer_home_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.2.1/policy/modules/apps/mplayer.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.2.2/policy/modules/apps/mplayer.if
--- nsaserefpolicy/policy/modules/apps/mplayer.if 2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/mplayer.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/mplayer.if 2007-12-04 11:11:03.000000000 -0500
@@ -35,6 +35,7 @@
template(`mplayer_per_role_template',`
gen_require(`
@@ -3104,9 +3034,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.
- read_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t)
+ read_files_pattern($2,user_mplayer_home_t,user_mplayer_home_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.te serefpolicy-3.2.1/policy/modules/apps/mplayer.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.te serefpolicy-3.2.2/policy/modules/apps/mplayer.te
--- nsaserefpolicy/policy/modules/apps/mplayer.te 2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/mplayer.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/mplayer.te 2007-12-04 11:11:03.000000000 -0500
@@ -22,3 +22,7 @@
type mplayer_exec_t;
corecmd_executable_file(mplayer_exec_t)
@@ -3115,9 +3045,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.
+type user_mplayer_home_t alias user_mplayer_rw_t;
+userdom_user_home_content(user,user_mplayer_home_t)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.2.1/policy/modules/apps/screen.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.2.2/policy/modules/apps/screen.fc
--- nsaserefpolicy/policy/modules/apps/screen.fc 2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/screen.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/screen.fc 2007-12-04 11:11:03.000000000 -0500
@@ -1,7 +1,7 @@
#
# /home
@@ -3127,9 +3057,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.f
#
# /usr
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.2.1/policy/modules/apps/screen.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.2.2/policy/modules/apps/screen.if
--- nsaserefpolicy/policy/modules/apps/screen.if 2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/screen.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/screen.if 2007-12-04 11:11:03.000000000 -0500
@@ -50,8 +50,9 @@
type $1_screen_tmp_t;
files_tmp_file($1_screen_tmp_t)
@@ -3174,9 +3104,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.i
kernel_read_system_state($1_screen_t)
kernel_read_kernel_sysctls($1_screen_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.te serefpolicy-3.2.1/policy/modules/apps/screen.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.te serefpolicy-3.2.2/policy/modules/apps/screen.te
--- nsaserefpolicy/policy/modules/apps/screen.te 2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/screen.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/screen.te 2007-12-04 11:11:03.000000000 -0500
@@ -11,3 +11,7 @@
type screen_exec_t;
@@ -3185,18 +3115,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.t
+type user_screen_ro_home_t;
+userdom_user_home_content(user,user_screen_ro_home_t)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.fc serefpolicy-3.2.1/policy/modules/apps/thunderbird.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.fc serefpolicy-3.2.2/policy/modules/apps/thunderbird.fc
--- nsaserefpolicy/policy/modules/apps/thunderbird.fc 2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/thunderbird.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/thunderbird.fc 2007-12-04 11:11:03.000000000 -0500
@@ -3,4 +3,4 @@
#
/usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0)
-HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:ROLE_thunderbird_home_t,s0)
+HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:user_thunderbird_home_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.if serefpolicy-3.2.1/policy/modules/apps/thunderbird.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.if serefpolicy-3.2.2/policy/modules/apps/thunderbird.if
--- nsaserefpolicy/policy/modules/apps/thunderbird.if 2007-10-29 07:52:48.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/thunderbird.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/thunderbird.if 2007-12-04 12:00:37.000000000 -0500
@@ -43,9 +43,9 @@
application_domain($1_thunderbird_t,thunderbird_exec_t)
role $3 types $1_thunderbird_t;
@@ -3210,8 +3140,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderb
type $1_thunderbird_tmpfs_t;
files_tmpfs_file($1_thunderbird_tmpfs_t)
-@@ -65,9 +65,9 @@
- allow $1_thunderbird_t self:netlink_route_socket r_netlink_socket_perms;
+@@ -62,12 +62,11 @@
+ allow $1_thunderbird_t self:unix_stream_socket { create accept connect write getattr read listen bind };
+ allow $1_thunderbird_t self:tcp_socket create_socket_perms;
+ allow $1_thunderbird_t self:shm { read write create destroy unix_read unix_write };
+- allow $1_thunderbird_t self:netlink_route_socket r_netlink_socket_perms;
# Access ~/.thunderbird
- manage_dirs_pattern($1_thunderbird_t,$1_thunderbird_home_t,$1_thunderbird_home_t)
@@ -3223,7 +3156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderb
userdom_search_user_home_dirs($1,$1_thunderbird_t)
manage_files_pattern($1_thunderbird_t,$1_thunderbird_tmpfs_t,$1_thunderbird_tmpfs_t)
-@@ -88,13 +88,13 @@
+@@ -88,13 +87,13 @@
ps_process_pattern($2,$1_thunderbird_t)
# Access ~/.thunderbird
@@ -3244,9 +3177,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderb
# Allow netstat
kernel_read_network_state($1_thunderbird_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.te serefpolicy-3.2.1/policy/modules/apps/thunderbird.te
+@@ -145,6 +144,8 @@
+ fs_list_inotifyfs($1_thunderbird_t)
+ # Access ~/.thunderbird
+ fs_search_auto_mountpoints($1_thunderbird_t)
++
++ auth_use_nsswitch($1_thunderbird_t)
+
+ libs_use_shared_libs($1_thunderbird_t)
+ libs_use_ld_so($1_thunderbird_t)
+@@ -341,14 +342,6 @@
+ mozilla_dbus_chat($1, $1_thunderbird_t)
+ ')
+
+- optional_policy(`
+- nis_use_ypbind($1_thunderbird_t)
+- ')
+-
+- optional_policy(`
+- nscd_socket_use($1_thunderbird_t)
+- ')
+-
+ ifdef(`TODO',`
+ # FIXME: Rules were removed to centralize policy in a gnome_app macro
+ # A similar thing might be necessary for mozilla compiled without GNOME
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.te serefpolicy-3.2.2/policy/modules/apps/thunderbird.te
--- nsaserefpolicy/policy/modules/apps/thunderbird.te 2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/thunderbird.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/thunderbird.te 2007-12-04 11:11:03.000000000 -0500
@@ -8,3 +8,7 @@
type thunderbird_exec_t;
@@ -3255,9 +3212,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderb
+type user_thunderbird_home_t alias user_thunderbird_rw_t;
+userdom_user_home_content(user, user_thunderbird_home_t)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.if serefpolicy-3.2.1/policy/modules/apps/tvtime.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.if serefpolicy-3.2.2/policy/modules/apps/tvtime.if
--- nsaserefpolicy/policy/modules/apps/tvtime.if 2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/tvtime.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/tvtime.if 2007-12-04 11:11:03.000000000 -0500
@@ -46,12 +46,10 @@
application_domain($1_tvtime_t,tvtime_exec_t)
role $3 types $1_tvtime_t;
@@ -3317,9 +3274,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.i
# Allow the user domain to signal/ps.
ps_process_pattern($2,$1_tvtime_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.te serefpolicy-3.2.1/policy/modules/apps/tvtime.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.te serefpolicy-3.2.2/policy/modules/apps/tvtime.te
--- nsaserefpolicy/policy/modules/apps/tvtime.te 2007-10-02 09:54:50.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/tvtime.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/tvtime.te 2007-12-04 11:11:03.000000000 -0500
@@ -11,3 +11,9 @@
type tvtime_dir_t;
@@ -3330,9 +3287,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.t
+
+type user_tvtime_tmp_t;
+files_tmp_file(user_tvtime_tmp_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.fc serefpolicy-3.2.1/policy/modules/apps/uml.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.fc serefpolicy-3.2.2/policy/modules/apps/uml.fc
--- nsaserefpolicy/policy/modules/apps/uml.fc 2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/uml.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/uml.fc 2007-12-04 11:11:03.000000000 -0500
@@ -1,7 +1,7 @@
#
# HOME_DIR/
@@ -3342,9 +3299,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.fc s
#
# /usr
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.if serefpolicy-3.2.1/policy/modules/apps/userhelper.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.if serefpolicy-3.2.2/policy/modules/apps/userhelper.if
--- nsaserefpolicy/policy/modules/apps/userhelper.if 2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/userhelper.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/userhelper.if 2007-12-04 11:11:03.000000000 -0500
@@ -130,6 +130,7 @@
term_use_all_user_ptys($1_userhelper_t)
@@ -3378,9 +3335,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.2.1/policy/modules/apps/vmware.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.2.2/policy/modules/apps/vmware.fc
--- nsaserefpolicy/policy/modules/apps/vmware.fc 2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/vmware.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/vmware.fc 2007-12-04 11:11:03.000000000 -0500
@@ -1,9 +1,9 @@
#
# HOME_DIR/
@@ -3425,9 +3382,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.f
/opt/vmware/workstation/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0)
')
+/var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.2.1/policy/modules/apps/vmware.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.2.2/policy/modules/apps/vmware.if
--- nsaserefpolicy/policy/modules/apps/vmware.if 2007-02-19 11:32:52.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/apps/vmware.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/vmware.if 2007-12-04 11:11:03.000000000 -0500
@@ -202,3 +202,22 @@
allow $1 vmware_sys_conf_t:file append;
@@ -3451,9 +3408,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.i
+ logging_search_logs($1)
+ append_files_pattern($1,vmware_log_t,vmware_log_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.2.1/policy/modules/apps/vmware.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.2.2/policy/modules/apps/vmware.te
--- nsaserefpolicy/policy/modules/apps/vmware.te 2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/vmware.te 2007-12-02 21:31:37.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/vmware.te 2007-12-04 11:11:03.000000000 -0500
@@ -22,17 +22,21 @@
type vmware_var_run_t;
files_pid_file(vmware_var_run_t)
@@ -3498,9 +3455,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t
dev_rw_vmware(vmware_host_t)
domain_use_interactive_fds(vmware_host_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.2.1/policy/modules/apps/wine.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.2.2/policy/modules/apps/wine.if
--- nsaserefpolicy/policy/modules/apps/wine.if 2007-09-12 10:34:17.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/wine.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/wine.if 2007-12-04 11:11:03.000000000 -0500
@@ -49,3 +49,53 @@
role $2 types wine_t;
allow wine_t $3:chr_file rw_term_perms;
@@ -3555,9 +3512,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if
+ xserver_xdm_rw_shm($1_wine_t)
+ ')
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.2.1/policy/modules/apps/wine.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.2.2/policy/modules/apps/wine.te
--- nsaserefpolicy/policy/modules/apps/wine.te 2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/apps/wine.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/apps/wine.te 2007-12-04 11:11:03.000000000 -0500
@@ -9,6 +9,7 @@
type wine_t;
type wine_exec_t;
@@ -3582,9 +3539,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te
+optional_policy(`
+ xserver_xdm_rw_shm(wine_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.1/policy/modules/kernel/corecommands.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.2/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/kernel/corecommands.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/kernel/corecommands.fc 2007-12-04 11:11:03.000000000 -0500
@@ -168,8 +168,10 @@
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -3614,9 +3571,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
+/etc/apcupsd/mastertimeout -- gen_context(system_u:object_r:bin_t,s0)
+/etc/apcupsd/offbattery -- gen_context(system_u:object_r:bin_t,s0)
+/etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.2.1/policy/modules/kernel/corecommands.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.2.2/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2007-11-14 08:17:58.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/kernel/corecommands.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/kernel/corecommands.if 2007-12-04 11:11:03.000000000 -0500
@@ -875,6 +875,7 @@
read_lnk_files_pattern($1,bin_t,bin_t)
@@ -3625,9 +3582,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.1/policy/modules/kernel/corenetwork.te.in
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.2/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-11-29 13:29:34.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/kernel/corenetwork.te.in 2007-11-30 11:41:04.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/kernel/corenetwork.te.in 2007-12-04 11:11:03.000000000 -0500
@@ -133,6 +133,7 @@
network_port(pegasus_http, tcp,5988,s0)
network_port(pegasus_https, tcp,5989,s0)
@@ -3636,9 +3593,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postgresql, tcp,5432,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.2.1/policy/modules/kernel/devices.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.2.2/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-11-14 16:20:13.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/kernel/devices.fc 2007-11-30 11:41:53.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/kernel/devices.fc 2007-12-04 11:11:03.000000000 -0500
@@ -4,6 +4,7 @@
/dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
@@ -3686,9 +3643,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
ifdef(`distro_gentoo',`
# used by init scripts to initally populate udev /dev
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.2.1/policy/modules/kernel/devices.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.2.2/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/kernel/devices.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/kernel/devices.if 2007-12-04 11:11:03.000000000 -0500
@@ -65,7 +65,7 @@
relabelfrom_dirs_pattern($1,device_t,device_node)
@@ -3843,9 +3800,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
typeattribute $1 devices_unconfined_type;
')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.2.1/policy/modules/kernel/devices.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.2.2/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/kernel/devices.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/kernel/devices.te 2007-12-04 11:11:03.000000000 -0500
@@ -72,6 +72,13 @@
dev_node(kmsg_device_t)
@@ -3860,9 +3817,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
# Type for /dev/mapper/control
#
type lvm_control_t;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.2.1/policy/modules/kernel/domain.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.2.2/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2007-11-29 13:29:34.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/kernel/domain.te 2007-11-30 11:34:23.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/kernel/domain.te 2007-12-04 11:11:03.000000000 -0500
@@ -148,3 +148,15 @@
# receive from all domains over labeled networking
@@ -3879,9 +3836,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+optional_policy(`
+ unconfined_dontaudit_rw_pipes(domain)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.2.1/policy/modules/kernel/files.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.2.2/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/kernel/files.if 2007-12-01 06:48:16.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/kernel/files.if 2007-12-04 11:11:03.000000000 -0500
@@ -1266,6 +1266,24 @@
########################################
@@ -3970,9 +3927,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
+ filetrans_pattern($1,root_t,default_t,dir)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.2.1/policy/modules/kernel/files.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.2.2/policy/modules/kernel/files.te
--- nsaserefpolicy/policy/modules/kernel/files.te 2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/kernel/files.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/kernel/files.te 2007-12-04 11:11:03.000000000 -0500
@@ -55,6 +55,9 @@
# compatibility aliases for removed types:
typealias etc_t alias automount_etc_t;
@@ -3983,9 +3940,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
#
# etc_runtime_t is the type of various
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.2.1/policy/modules/kernel/filesystem.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.2.2/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/kernel/filesystem.te 2007-12-01 08:42:02.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/kernel/filesystem.te 2007-12-04 11:11:03.000000000 -0500
@@ -25,6 +25,8 @@
fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
@@ -4007,9 +3964,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
type vxfs_t;
fs_noxattr_type(vxfs_t)
files_mountpoint(vxfs_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.2.1/policy/modules/kernel/kernel.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.2.2/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/kernel/kernel.if 2007-11-30 11:30:39.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/kernel/kernel.if 2007-12-04 11:11:03.000000000 -0500
@@ -1194,6 +1194,7 @@
')
@@ -4026,9 +3983,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.2.1/policy/modules/kernel/selinux.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.2.2/policy/modules/kernel/selinux.if
--- nsaserefpolicy/policy/modules/kernel/selinux.if 2007-11-16 13:45:14.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/kernel/selinux.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/kernel/selinux.if 2007-12-04 11:11:03.000000000 -0500
@@ -164,6 +164,7 @@
type security_t;
')
@@ -4119,9 +4076,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu
+ fs_type($1)
+ mls_trusted_object($1)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.te serefpolicy-3.2.1/policy/modules/kernel/selinux.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.te serefpolicy-3.2.2/policy/modules/kernel/selinux.te
--- nsaserefpolicy/policy/modules/kernel/selinux.te 2007-11-16 13:45:14.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/kernel/selinux.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/kernel/selinux.te 2007-12-04 11:11:03.000000000 -0500
@@ -10,6 +10,7 @@
attribute can_setenforce;
attribute can_setsecparam;
@@ -4142,9 +4099,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu
neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.2.1/policy/modules/kernel/terminal.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.2.2/policy/modules/kernel/terminal.fc
--- nsaserefpolicy/policy/modules/kernel/terminal.fc 2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/kernel/terminal.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/kernel/terminal.fc 2007-12-04 11:11:03.000000000 -0500
@@ -14,6 +14,7 @@
/dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
@@ -4153,9 +4110,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
/dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.2.1/policy/modules/services/amavis.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.2.2/policy/modules/services/amavis.te
--- nsaserefpolicy/policy/modules/services/amavis.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/amavis.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/amavis.te 2007-12-04 11:11:03.000000000 -0500
@@ -65,6 +65,7 @@
# Spool Files
manage_dirs_pattern(amavis_t,amavis_spool_t,amavis_spool_t)
@@ -4172,9 +4129,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav
corenet_tcp_connect_razor_port(amavis_t)
dev_read_rand(amavis_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.2.1/policy/modules/services/apache.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.2.2/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/apache.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/apache.fc 2007-12-04 11:11:03.000000000 -0500
@@ -16,7 +16,6 @@
/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -4200,9 +4157,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.2.1/policy/modules/services/apache.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.2.2/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2007-10-23 17:17:42.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/apache.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/apache.if 2007-12-04 11:11:03.000000000 -0500
@@ -18,10 +18,6 @@
attribute httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
@@ -4291,7 +4248,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
optional_policy(`
tunable_policy(`httpd_enable_cgi && allow_ypbind',`
nis_use_ypbind_uncond(httpd_$1_script_t)
-@@ -352,12 +301,11 @@
+@@ -267,7 +216,7 @@
+ attribute httpdcontent, httpd_script_domains;
+ attribute httpd_exec_scripts, httpd_user_content_type;
+ attribute httpd_user_script_exec_type;
+- type httpd_t, httpd_suexec_t, httpd_log_t;
++ type httpd_t, httpd_suexec_t, httpd_log_t, httpd_sys_script_t;
+ ')
+
+ apache_content_template($1)
+@@ -331,6 +280,7 @@
+ userdom_search_user_home_dirs($1,httpd_t)
+ userdom_search_user_home_dirs($1,httpd_suexec_t)
+ userdom_search_user_home_dirs($1,httpd_$1_script_t)
++ userdom_search_user_home_dirs($1,httpd_sys_script_t)
+ ')
+ ')
+
+@@ -352,12 +302,11 @@
#
template(`apache_read_user_scripts',`
gen_require(`
@@ -4308,7 +4282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -378,12 +326,12 @@
+@@ -378,12 +327,12 @@
#
template(`apache_read_user_content',`
gen_require(`
@@ -4325,7 +4299,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -761,6 +709,7 @@
+@@ -761,6 +710,7 @@
')
allow $1 httpd_modules_t:dir list_dir_perms;
@@ -4333,7 +4307,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -845,6 +794,10 @@
+@@ -845,6 +795,10 @@
type httpd_sys_script_t;
')
@@ -4344,7 +4318,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_cgi && httpd_unified',`
domtrans_pattern($1, httpdcontent, httpd_sys_script_t)
')
-@@ -932,7 +885,7 @@
+@@ -932,7 +886,7 @@
type httpd_squirrelmail_t;
')
@@ -4353,7 +4327,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -1088,3 +1041,138 @@
+@@ -1088,3 +1042,138 @@
allow httpd_t $1:process signal;
')
@@ -4492,9 +4466,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+# allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms;
+# allow httpd_setsebool_t httpd_bool_t:file rw_file_perms;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.2.1/policy/modules/services/apache.te
---- nsaserefpolicy/policy/modules/services/apache.te 2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/apache.te 2007-11-30 11:55:41.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.2.2/policy/modules/services/apache.te
+--- nsaserefpolicy/policy/modules/services/apache.te 2007-12-04 11:02:50.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/apache.te 2007-12-04 11:32:34.000000000 -0500
@@ -20,20 +20,22 @@
# Declarations
#
@@ -4641,12 +4615,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
libs_use_ld_so(httpd_t)
libs_use_shared_libs(httpd_t)
-@@ -346,12 +385,8 @@
-
- seutil_dontaudit_search_config(httpd_t)
+@@ -348,8 +387,6 @@
--sysnet_read_config(httpd_t)
--
userdom_use_unpriv_users_fds(httpd_t)
-mta_send_mail(httpd_t)
@@ -4654,7 +4624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`allow_httpd_anon_write',`
miscfiles_manage_public_files(httpd_t)
')
-@@ -360,8 +395,16 @@
+@@ -358,8 +395,16 @@
#
# We need optionals to be able to be within booleans to make this work
#
@@ -4671,7 +4641,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
-@@ -369,6 +412,16 @@
+@@ -367,6 +412,16 @@
corenet_tcp_connect_all_ports(httpd_t)
')
@@ -4688,7 +4658,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_can_network_relay',`
# allow httpd to work as a relay
corenet_tcp_connect_gopher_port(httpd_t)
-@@ -381,6 +434,10 @@
+@@ -379,6 +434,10 @@
corenet_sendrecv_http_cache_client_packets(httpd_t)
')
@@ -4699,7 +4669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
-@@ -398,11 +455,21 @@
+@@ -396,11 +455,21 @@
fs_read_nfs_symlinks(httpd_t)
')
@@ -4721,7 +4691,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
-@@ -436,8 +503,14 @@
+@@ -434,8 +503,14 @@
')
optional_policy(`
@@ -4737,7 +4707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -449,19 +522,13 @@
+@@ -447,19 +522,13 @@
')
optional_policy(`
@@ -4758,7 +4728,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -471,13 +538,14 @@
+@@ -469,13 +538,14 @@
openca_kill(httpd_t)
')
@@ -4777,7 +4747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -485,6 +553,7 @@
+@@ -483,6 +553,7 @@
')
optional_policy(`
@@ -4785,7 +4755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -520,6 +589,13 @@
+@@ -518,6 +589,13 @@
userdom_use_sysadm_terms(httpd_helper_t)
')
@@ -4799,7 +4769,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache PHP script local policy
-@@ -549,18 +625,24 @@
+@@ -547,18 +625,24 @@
fs_search_auto_mountpoints(httpd_php_t)
@@ -4827,35 +4797,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -571,7 +653,6 @@
- allow httpd_suexec_t self:capability { setuid setgid };
- allow httpd_suexec_t self:process signal_perms;
- allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
--allow httpd_suexec_t self:netlink_route_socket r_netlink_socket_perms;
-
- domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-
-@@ -585,6 +666,10 @@
+@@ -582,6 +666,8 @@
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
-+auth_use_nsswitch(httpd_suexec_t)
-+
+can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
+
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -624,8 +709,6 @@
- corenet_udp_sendrecv_all_ports(httpd_suexec_t)
- corenet_tcp_connect_all_ports(httpd_suexec_t)
- corenet_sendrecv_all_client_packets(httpd_suexec_t)
--
-- sysnet_read_config(httpd_suexec_t)
- ')
-
- tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -638,6 +721,12 @@
+@@ -635,6 +721,12 @@
fs_exec_nfs_files(httpd_suexec_t)
')
@@ -4868,7 +4819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -655,18 +744,6 @@
+@@ -652,10 +744,6 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -4876,18 +4827,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
- nagios_domtrans_cgi(httpd_suexec_t)
-')
-
--optional_policy(`
-- nis_use_ypbind(httpd_suexec_t)
--')
--
--optional_policy(`
-- nscd_socket_use(httpd_suexec_t)
--')
--
########################################
#
# Apache system script local policy
-@@ -676,7 +753,8 @@
+@@ -665,7 +753,8 @@
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -4897,7 +4840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -690,15 +768,44 @@
+@@ -679,15 +768,44 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@@ -4909,15 +4852,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+tunable_policy(`httpd_use_nfs', `
- fs_read_nfs_files(httpd_sys_script_t)
- fs_read_nfs_symlinks(httpd_sys_script_t)
- ')
-
-+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
+ fs_read_nfs_files(httpd_sys_script_t)
+ fs_read_nfs_symlinks(httpd_sys_script_t)
+')
+
++tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
+ fs_read_nfs_files(httpd_sys_script_t)
+ fs_read_nfs_symlinks(httpd_sys_script_t)
+ ')
+
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
@@ -4943,7 +4886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -708,9 +815,15 @@
+@@ -697,9 +815,15 @@
clamav_domtrans_clamscan(httpd_sys_script_t)
')
@@ -4959,7 +4902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -732,3 +845,46 @@
+@@ -721,3 +845,46 @@
logging_search_logs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t)
@@ -5006,9 +4949,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+optional_policy(`
+ postgresql_stream_connect(httpd_bugzilla_script_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.if serefpolicy-3.2.1/policy/modules/services/apcupsd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.if serefpolicy-3.2.2/policy/modules/services/apcupsd.if
--- nsaserefpolicy/policy/modules/services/apcupsd.if 2007-09-12 10:34:18.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/apcupsd.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/apcupsd.if 2007-12-04 11:11:03.000000000 -0500
@@ -90,10 +90,29 @@
## </summary>
## </param>
@@ -5040,9 +4983,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu
+ allow $1 apcupsd_tmp_t:file read_file_perms;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.2.1/policy/modules/services/apcupsd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.2.2/policy/modules/services/apcupsd.te
--- nsaserefpolicy/policy/modules/services/apcupsd.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/apcupsd.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/apcupsd.te 2007-12-04 11:11:03.000000000 -0500
@@ -86,6 +86,11 @@
miscfiles_read_localization(apcupsd_t)
@@ -5055,18 +4998,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu
optional_policy(`
hostname_exec(apcupsd_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.fc serefpolicy-3.2.1/policy/modules/services/automount.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.fc serefpolicy-3.2.2/policy/modules/services/automount.fc
--- nsaserefpolicy/policy/modules/services/automount.fc 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/automount.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/automount.fc 2007-12-04 11:11:03.000000000 -0500
@@ -12,4 +12,4 @@
# /var
#
-/var/run/autofs(/.*)? gen_context(system_u:object_r:automount_var_run_t,s0)
+/var/run/autofs.* gen_context(system_u:object_r:automount_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.2.1/policy/modules/services/automount.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.2.2/policy/modules/services/automount.if
--- nsaserefpolicy/policy/modules/services/automount.if 2007-03-26 10:39:04.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/automount.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/automount.if 2007-12-04 11:11:03.000000000 -0500
@@ -74,3 +74,21 @@
dontaudit $1 automount_tmp_t:dir getattr;
@@ -5089,9 +5032,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto
+
+ dontaudit $1 automount_t:fd use;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.2.1/policy/modules/services/automount.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.2.2/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/automount.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/automount.te 2007-12-04 11:11:03.000000000 -0500
@@ -52,7 +52,8 @@
files_root_filetrans(automount_t,automount_tmp_t,dir)
@@ -5131,9 +5074,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto
seutil_sigchld_newrole(automount_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.2.1/policy/modules/services/avahi.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.2.2/policy/modules/services/avahi.te
--- nsaserefpolicy/policy/modules/services/avahi.te 2007-10-29 07:52:49.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/avahi.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/avahi.te 2007-12-04 11:11:03.000000000 -0500
@@ -85,6 +85,7 @@
dbus_connect_system_bus(avahi_t)
@@ -5142,9 +5085,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.2.1/policy/modules/services/bind.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.2.2/policy/modules/services/bind.te
--- nsaserefpolicy/policy/modules/services/bind.te 2007-10-29 07:52:49.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/bind.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/bind.te 2007-12-04 11:11:03.000000000 -0500
@@ -9,7 +9,7 @@
## <desc>
## <p>
@@ -5154,17 +5097,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
## </p>
## </desc>
gen_tunable(named_write_master_zones,false)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.fc serefpolicy-3.2.1/policy/modules/services/bluetooth.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.fc serefpolicy-3.2.2/policy/modules/services/bluetooth.fc
--- nsaserefpolicy/policy/modules/services/bluetooth.fc 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/bluetooth.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/bluetooth.fc 2007-12-04 11:11:03.000000000 -0500
@@ -22,3 +22,4 @@
#
/var/lib/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_var_lib_t,s0)
/var/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0)
+/var/run/bluetoothd_address gen_context(system_u:object_r:bluetooth_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.2.1/policy/modules/services/bluetooth.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.2.2/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2007-10-29 07:52:49.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/bluetooth.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/bluetooth.te 2007-12-04 11:11:03.000000000 -0500
@@ -44,7 +44,7 @@
allow bluetooth_t self:shm create_shm_perms;
allow bluetooth_t self:socket create_stream_socket_perms;
@@ -5182,9 +5125,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.2.1/policy/modules/services/clamav.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.2.2/policy/modules/services/clamav.fc
--- nsaserefpolicy/policy/modules/services/clamav.fc 2007-09-05 15:24:44.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/clamav.fc 2007-12-01 07:49:02.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/clamav.fc 2007-12-04 11:11:03.000000000 -0500
@@ -5,16 +5,18 @@
/usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0)
@@ -5206,9 +5149,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
+/var/log/clamav.milter -- gen_context(system_u:object_r:clamd_var_log_t,s0)
/var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.2.1/policy/modules/services/clamav.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.2.2/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/clamav.te 2007-12-01 08:04:25.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/clamav.te 2007-12-04 11:11:03.000000000 -0500
@@ -87,6 +87,7 @@
kernel_dontaudit_list_proc(clamd_t)
kernel_read_sysctl(clamd_t)
@@ -5245,60 +5188,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
+optional_policy(`
+ mailscanner_manage_spool(clamscan_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/comsat.te serefpolicy-3.2.1/policy/modules/services/comsat.te
---- nsaserefpolicy/policy/modules/services/comsat.te 2007-07-16 14:09:46.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/comsat.te 2007-11-30 11:23:56.000000000 -0500
-@@ -57,6 +57,8 @@
- files_search_spool(comsat_t)
- files_search_home(comsat_t)
-
-+auth_use_nsswitch(comsat_t)
-+
- init_read_utmp(comsat_t)
- init_dontaudit_write_utmp(comsat_t)
-
-@@ -67,8 +69,6 @@
-
- miscfiles_read_localization(comsat_t)
-
--sysnet_read_config(comsat_t)
--
- userdom_dontaudit_getattr_sysadm_ttys(comsat_t)
-
- mta_getattr_spool(comsat_t)
-@@ -77,10 +77,3 @@
- kerberos_use(comsat_t)
- ')
-
--optional_policy(`
-- nis_use_ypbind(comsat_t)
--')
--
--optional_policy(`
-- nscd_socket_use(comsat_t)
--')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.2.1/policy/modules/services/consolekit.te
---- nsaserefpolicy/policy/modules/services/consolekit.te 2007-10-29 07:52:49.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/consolekit.te 2007-11-30 11:23:56.000000000 -0500
-@@ -10,7 +10,6 @@
- type consolekit_exec_t;
- init_daemon_domain(consolekit_t, consolekit_exec_t)
-
--# pid files
- type consolekit_var_run_t;
- files_pid_file(consolekit_var_run_t)
-
-@@ -25,7 +24,8 @@
- allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
- allow consolekit_t self:unix_dgram_socket create_socket_perms;
-
--# pid file
-+auth_use_nsswitch(consolekit_t)
-+
- manage_files_pattern(consolekit_t,consolekit_var_run_t,consolekit_var_run_t)
- files_pid_filetrans(consolekit_t,consolekit_var_run_t, file)
-
-@@ -38,6 +38,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.2.2/policy/modules/services/consolekit.te
+--- nsaserefpolicy/policy/modules/services/consolekit.te 2007-12-04 11:02:50.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/consolekit.te 2007-12-04 11:32:56.000000000 -0500
+@@ -36,6 +36,7 @@
domain_read_all_domains_state(consolekit_t)
domain_use_interactive_fds(consolekit_t)
@@ -5332,9 +5225,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
+ #reading .Xauthity
+ unconfined_ptrace(consolekit_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.2.1/policy/modules/services/courier.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.2.2/policy/modules/services/courier.te
--- nsaserefpolicy/policy/modules/services/courier.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/courier.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/courier.te 2007-12-04 11:11:03.000000000 -0500
@@ -58,6 +58,7 @@
files_getattr_tmp_dirs(courier_authdaemon_t)
@@ -5343,9 +5236,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cour
libs_read_lib_files(courier_authdaemon_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.2.1/policy/modules/services/cron.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.2.2/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/cron.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/cron.fc 2007-12-04 11:11:03.000000000 -0500
@@ -17,6 +17,8 @@
/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
@@ -5360,9 +5253,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.2.1/policy/modules/services/cron.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.2.2/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/cron.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/cron.if 2007-12-04 11:11:03.000000000 -0500
@@ -35,38 +35,23 @@
#
template(`cron_per_role_template',`
@@ -5612,9 +5505,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
## Read, and write cron daemon TCP sockets.
## </summary>
## <param name="domain">
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.2.1/policy/modules/services/cron.te
---- nsaserefpolicy/policy/modules/services/cron.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/cron.te 2007-11-30 11:23:56.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.2.2/policy/modules/services/cron.te
+--- nsaserefpolicy/policy/modules/services/cron.te 2007-12-04 11:02:50.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/cron.te 2007-12-04 12:03:47.000000000 -0500
@@ -50,6 +50,7 @@
type crond_tmp_t;
@@ -5645,7 +5538,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
dontaudit crond_t self:capability { sys_resource sys_tty_config };
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow crond_t self:process { setexec setfscreate };
-@@ -99,18 +106,20 @@
+@@ -99,18 +106,18 @@
allow crond_t crond_var_run_t:file manage_file_perms;
files_pid_filetrans(crond_t,crond_var_run_t,file)
@@ -5661,8 +5554,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
-allow crond_t system_cron_spool_t:file read_file_perms;
+list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
+read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
-+
-+auth_use_nsswitch(crond_t)
kernel_read_kernel_sysctls(crond_t)
kernel_search_key(crond_t)
@@ -5670,7 +5561,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
dev_read_sysfs(crond_t)
selinux_get_fs_mount(crond_t)
-@@ -127,6 +136,7 @@
+@@ -127,6 +134,7 @@
# need auth_chkpwd to check for locked accounts.
auth_domtrans_chk_passwd(crond_t)
@@ -5678,7 +5569,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
corecmd_exec_shell(crond_t)
corecmd_list_bin(crond_t)
-@@ -146,7 +156,9 @@
+@@ -148,7 +156,9 @@
libs_use_ld_so(crond_t)
libs_use_shared_libs(crond_t)
@@ -5688,7 +5579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
-@@ -160,6 +172,16 @@
+@@ -162,6 +172,16 @@
mta_send_mail(crond_t)
@@ -5705,50 +5596,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
ifdef(`distro_debian',`
optional_policy(`
# Debian logcheck has the home dir set to its cache
-@@ -180,29 +202,34 @@
+@@ -182,11 +202,24 @@
locallogin_link_keys(crond_t)
')
--tunable_policy(`fcron_crond', `
-- allow crond_t system_cron_spool_t:file manage_file_perms;
+optional_policy(`
+ # these should probably be unconfined_crond_t
+ init_dbus_send_script(crond_t)
- ')
-
- optional_policy(`
-- amavis_search_lib(crond_t)
++')
++
++optional_policy(`
+ mono_domtrans(crond_t)
+')
+
-+tunable_policy(`fcron_crond', `
-+ allow crond_t system_cron_spool_t:file manage_file_perms;
+ tunable_policy(`fcron_crond', `
+ allow crond_t system_cron_spool_t:file manage_file_perms;
')
optional_policy(`
-- hal_dbus_send(crond_t)
+ amanda_search_var_lib(crond_t)
++')
++
++optional_policy(`
+ amavis_search_lib(crond_t)
')
- optional_policy(`
-- # cjp: why?
-- munin_search_lib(crond_t)
-+ amavis_search_lib(crond_t)
- ')
-
- optional_policy(`
-- nis_use_ypbind(crond_t)
-+ hal_dbus_send(crond_t)
- ')
-
- optional_policy(`
-- nscd_socket_use(crond_t)
-+ # cjp: why?
-+ munin_search_lib(crond_t)
- ')
-
- optional_policy(`
-@@ -270,9 +297,16 @@
+@@ -264,9 +297,16 @@
filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file })
files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file)
@@ -5766,16 +5639,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
kernel_read_kernel_sysctls(system_crond_t)
kernel_read_system_state(system_crond_t)
-@@ -326,7 +360,7 @@
+@@ -320,7 +360,7 @@
init_read_utmp(system_crond_t)
init_dontaudit_rw_utmp(system_crond_t)
# prelink tells init to restart it self, we either need to allow or dontaudit
-init_write_initctl(system_crond_t)
+init_telinit(system_crond_t)
- libs_use_ld_so(system_crond_t)
- libs_use_shared_libs(system_crond_t)
-@@ -334,6 +368,7 @@
+ auth_use_nsswitch(system_crond_t)
+
+@@ -330,6 +370,7 @@
libs_exec_ld_so(system_crond_t)
logging_read_generic_logs(system_crond_t)
@@ -5783,7 +5656,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
logging_send_syslog_msg(system_crond_t)
miscfiles_read_localization(system_crond_t)
-@@ -384,6 +419,14 @@
+@@ -380,6 +421,14 @@
')
optional_policy(`
@@ -5798,7 +5671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
mrtg_append_create_logs(system_crond_t)
')
-@@ -424,8 +467,7 @@
+@@ -412,8 +461,7 @@
')
optional_policy(`
@@ -5808,7 +5681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
optional_policy(`
-@@ -433,9 +475,13 @@
+@@ -421,9 +469,13 @@
')
optional_policy(`
@@ -5823,9 +5696,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
ifdef(`TODO',`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.2.1/policy/modules/services/cups.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.2.2/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2007-11-16 15:30:49.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/cups.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/cups.fc 2007-12-04 11:11:03.000000000 -0500
@@ -8,17 +8,15 @@
/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -5874,16 +5747,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+
+/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Printer/[^/]*/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.2.1/policy/modules/services/cups.te
---- nsaserefpolicy/policy/modules/services/cups.te 2007-11-16 15:30:49.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/cups.te 2007-12-02 19:07:25.000000000 -0500
-@@ -1,5 +1,5 @@
-
--policy_module(cups,1.8.2)
-+policy_module(cups,1.4.1)
-
- ########################################
- #
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.2.2/policy/modules/services/cups.te
+--- nsaserefpolicy/policy/modules/services/cups.te 2007-12-04 11:02:50.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/cups.te 2007-12-04 12:01:17.000000000 -0500
@@ -43,14 +43,12 @@
type cupsd_var_run_t;
@@ -5910,7 +5776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
')
########################################
-@@ -81,12 +81,12 @@
+@@ -81,11 +81,12 @@
# /usr/lib/cups/backend/serial needs sys_admin(?!)
allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
dontaudit cupsd_t self:capability { sys_tty_config net_admin };
@@ -5921,12 +5787,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow cupsd_t self:unix_dgram_socket create_socket_perms;
allow cupsd_t self:netlink_selinux_socket create_socket_perms;
--allow cupsd_t self:netlink_route_socket r_netlink_socket_perms;
+allow cupsd_t self:shm create_shm_perms;
allow cupsd_t self:tcp_socket create_stream_socket_perms;
allow cupsd_t self:udp_socket create_socket_perms;
allow cupsd_t self:appletalk_socket create_socket_perms;
-@@ -105,7 +105,7 @@
+@@ -104,7 +105,7 @@
# allow cups to execute its backend scripts
can_exec(cupsd_t, cupsd_exec_t)
@@ -5935,7 +5800,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
allow cupsd_t cupsd_exec_t:lnk_file read;
manage_files_pattern(cupsd_t,cupsd_log_t,cupsd_log_t)
-@@ -117,13 +117,19 @@
+@@ -116,13 +117,19 @@
manage_fifo_files_pattern(cupsd_t,cupsd_tmp_t,cupsd_tmp_t)
files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
@@ -5957,7 +5822,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
allow cupsd_t hplip_var_run_t:file { read getattr };
stream_connect_pattern(cupsd_t,ptal_var_run_t,ptal_var_run_t,ptal_t)
-@@ -150,31 +156,39 @@
+@@ -149,31 +156,39 @@
corenet_tcp_bind_reserved_port(cupsd_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
corenet_tcp_connect_all_ports(cupsd_t)
@@ -6000,7 +5865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
corecmd_exec_shell(cupsd_t)
-@@ -187,7 +201,7 @@
+@@ -186,7 +201,7 @@
# read python modules
files_read_usr_files(cupsd_t)
# for /var/lib/defoma
@@ -6009,7 +5874,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
files_list_world_readable(cupsd_t)
files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
-@@ -196,15 +210,14 @@
+@@ -195,12 +210,9 @@
files_read_var_symlinks(cupsd_t)
# for /etc/printcap
files_dontaudit_write_etc_files(cupsd_t)
@@ -6023,15 +5888,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
init_exec_script_files(cupsd_t)
-+auth_use_nsswitch(cupsd_t)
-+
- libs_use_ld_so(cupsd_t)
- libs_use_shared_libs(cupsd_t)
- # Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
-@@ -221,14 +234,37 @@
+@@ -220,16 +232,37 @@
- sysnet_read_config(cupsd_t)
+ seutil_read_config(cupsd_t)
+-sysnet_read_config(cupsd_t)
+-
+files_dontaudit_list_home(cupsd_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
userdom_dontaudit_search_all_users_home_content(cupsd_t)
@@ -6066,7 +5928,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
')
optional_policy(`
-@@ -241,6 +277,7 @@
+@@ -242,6 +275,7 @@
optional_policy(`
dbus_system_bus_client_template(cupsd,cupsd_t)
@@ -6074,16 +5936,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
userdom_dbus_send_all_users(cupsd_t)
-@@ -262,7 +299,7 @@
+@@ -263,6 +297,10 @@
')
optional_policy(`
-- nscd_socket_use(cupsd_t)
+ mta_send_mail(cupsd_t)
- ')
-
- optional_policy(`
-@@ -330,11 +367,13 @@
++')
++
++optional_policy(`
+ # cups execs smbtool which reads samba_etc_t files
+ samba_read_config(cupsd_t)
+ samba_rw_var_files(cupsd_t)
+@@ -326,11 +364,13 @@
dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
dev_read_rand(cupsd_config_t)
@@ -6097,7 +5961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
corecmd_exec_shell(cupsd_config_t)
domain_use_interactive_fds(cupsd_config_t)
-@@ -376,12 +415,17 @@
+@@ -372,12 +412,17 @@
')
optional_policy(`
@@ -6115,7 +5979,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
optional_policy(`
hal_dbus_chat(cupsd_config_t)
-@@ -391,6 +435,7 @@
+@@ -387,6 +432,7 @@
optional_policy(`
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
@@ -6123,39 +5987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
')
optional_policy(`
-@@ -480,6 +525,8 @@
-
- files_read_etc_files(cupsd_lpd_t)
-
-+auth_use_nsswitch(cupsd_lpd_t)
-+
- libs_use_ld_so(cupsd_lpd_t)
- libs_use_shared_libs(cupsd_lpd_t)
-
-@@ -487,22 +534,12 @@
-
- miscfiles_read_localization(cupsd_lpd_t)
-
--sysnet_read_config(cupsd_lpd_t)
--
- cups_stream_connect(cupsd_lpd_t)
-
- optional_policy(`
- inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t)
- ')
-
--optional_policy(`
-- nis_use_ypbind(cupsd_lpd_t)
--')
--
--optional_policy(`
-- nscd_socket_use(cupsd_lpd_t)
--')
--
- ########################################
- #
- # HPLIP local policy
-@@ -520,14 +557,12 @@
+@@ -499,14 +545,12 @@
allow hplip_t self:udp_socket create_socket_perms;
allow hplip_t self:rawip_socket create_socket_perms;
@@ -6174,7 +6006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
files_pid_filetrans(hplip_t,hplip_var_run_t,file)
-@@ -558,13 +593,15 @@
+@@ -537,13 +581,15 @@
dev_read_urand(hplip_t)
dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
@@ -6191,7 +6023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
domain_use_interactive_fds(hplip_t)
-@@ -586,6 +623,7 @@
+@@ -565,6 +611,7 @@
userdom_dontaudit_search_all_users_home_content(hplip_t)
lpd_read_config(cupsd_t)
@@ -6199,9 +6031,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
optional_policy(`
seutil_sigchld_newrole(hplip_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.2.1/policy/modules/services/cvs.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.2.2/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2007-11-15 13:40:14.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/cvs.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/cvs.te 2007-12-04 11:11:03.000000000 -0500
@@ -68,7 +68,9 @@
fs_getattr_xattr_fs(cvs_t)
@@ -6212,69 +6044,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
corecmd_exec_bin(cvs_t)
corecmd_exec_shell(cvs_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.2.1/policy/modules/services/cyrus.te
---- nsaserefpolicy/policy/modules/services/cyrus.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/cyrus.te 2007-11-30 11:23:56.000000000 -0500
-@@ -41,7 +41,6 @@
- allow cyrus_t self:unix_stream_socket connectto;
- allow cyrus_t self:tcp_socket create_stream_socket_perms;
- allow cyrus_t self:udp_socket create_socket_perms;
--allow cyrus_t self:netlink_route_socket r_netlink_socket_perms;
-
- manage_dirs_pattern(cyrus_t,cyrus_tmp_t,cyrus_tmp_t)
- manage_files_pattern(cyrus_t,cyrus_tmp_t,cyrus_tmp_t)
-@@ -95,6 +94,8 @@
- files_read_etc_runtime_files(cyrus_t)
- files_read_usr_files(cyrus_t)
-
-+auth_use_nsswitch(cyrus_t)
-+
- libs_use_ld_so(cyrus_t)
- libs_use_shared_libs(cyrus_t)
- libs_exec_lib_files(cyrus_t)
-@@ -122,14 +123,6 @@
- ')
-
- optional_policy(`
-- ldap_stream_connect(cyrus_t)
--')
--
--optional_policy(`
-- nis_use_ypbind(cyrus_t)
--')
--
--optional_policy(`
- sasl_connect(cyrus_t)
- ')
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbskk.te serefpolicy-3.2.1/policy/modules/services/dbskk.te
---- nsaserefpolicy/policy/modules/services/dbskk.te 2007-07-16 14:09:46.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/dbskk.te 2007-11-30 11:23:56.000000000 -0500
-@@ -63,6 +63,8 @@
-
- files_read_etc_files(dbskkd_t)
-
-+auth_use_nsswitch(dbskkd_t)
-+
- libs_use_ld_so(dbskkd_t)
- libs_use_shared_libs(dbskkd_t)
-
-@@ -70,12 +72,3 @@
-
- miscfiles_read_localization(dbskkd_t)
-
--sysnet_read_config(dbskkd_t)
--
--optional_policy(`
-- nis_use_ypbind(dbskkd_t)
--')
--
--optional_policy(`
-- nscd_socket_use(dbskkd_t)
--')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.1/policy/modules/services/dbus.if
---- nsaserefpolicy/policy/modules/services/dbus.if 2007-10-29 07:52:49.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/dbus.if 2007-11-30 11:23:56.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.2/policy/modules/services/dbus.if
+--- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/dbus.if 2007-12-04 11:11:03.000000000 -0500
@@ -91,7 +91,7 @@
# SE-DBus specific permissions
allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
@@ -6294,24 +6066,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
allow $1_dbusd_t $2:process sigkill;
allow $2 $1_dbusd_t:fd use;
allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms;
-@@ -148,6 +147,7 @@
- selinux_compute_user_contexts($1_dbusd_t)
-
- auth_read_pam_console_data($1_dbusd_t)
-+ auth_use_nsswitch($1_dbusd_t)
-
- libs_use_ld_so($1_dbusd_t)
- libs_use_shared_libs($1_dbusd_t)
-@@ -160,8 +160,6 @@
- seutil_read_config($1_dbusd_t)
- seutil_read_default_contexts($1_dbusd_t)
-
-- sysnet_read_config($1_dbusd_t)
--
- userdom_read_user_home_content_files($1, $1_dbusd_t)
+@@ -180,6 +179,10 @@
+ ')
- ifdef(`hide_broken_symptoms', `
-@@ -219,7 +217,7 @@
+ optional_policy(`
++ nscd_socket_use($1_dbusd_t)
++ ')
++
++ optional_policy(`
+ xserver_use_xdm_fds($1_dbusd_t)
+ xserver_rw_xdm_pipes($1_dbusd_t)
+ ')
+@@ -214,7 +217,7 @@
# SE-DBus specific permissions
# allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
@@ -6320,7 +6086,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($2)
-@@ -371,3 +369,35 @@
+@@ -366,3 +369,35 @@
allow $1 system_dbusd_t:dbus *;
')
@@ -6356,17 +6122,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
+
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.fc serefpolicy-3.2.1/policy/modules/services/dictd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.fc serefpolicy-3.2.2/policy/modules/services/dictd.fc
--- nsaserefpolicy/policy/modules/services/dictd.fc 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/dictd.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/dictd.fc 2007-12-04 11:11:03.000000000 -0500
@@ -4,3 +4,4 @@
/usr/sbin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0)
/var/lib/dictd(/.*)? gen_context(system_u:object_r:dictd_var_lib_t,s0)
+/var/run/dictd\.pid -- gen_context(system_u:object_r:dictd_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.te serefpolicy-3.2.1/policy/modules/services/dictd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.te serefpolicy-3.2.2/policy/modules/services/dictd.te
--- nsaserefpolicy/policy/modules/services/dictd.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/dictd.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/dictd.te 2007-12-04 11:11:03.000000000 -0500
@@ -16,6 +16,9 @@
type dictd_var_lib_t alias var_lib_dictd_t;
files_type(dictd_var_lib_t)
@@ -6387,9 +6153,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dict
kernel_read_system_state(dictd_t)
kernel_read_kernel_sysctls(dictd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.2.1/policy/modules/services/dnsmasq.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.2.2/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/dnsmasq.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/dnsmasq.te 2007-12-04 11:11:03.000000000 -0500
@@ -94,3 +94,7 @@
optional_policy(`
udev_read_db(dnsmasq_t)
@@ -6398,9 +6164,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
+optional_policy(`
+ virt_manage_lib_files(dnsmasq_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.2.1/policy/modules/services/dovecot.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.2.2/policy/modules/services/dovecot.fc
--- nsaserefpolicy/policy/modules/services/dovecot.fc 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/dovecot.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/dovecot.fc 2007-12-04 11:11:03.000000000 -0500
@@ -17,19 +17,24 @@
ifdef(`distro_debian', `
@@ -6426,9 +6192,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.2.1/policy/modules/services/dovecot.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.2.2/policy/modules/services/dovecot.if
--- nsaserefpolicy/policy/modules/services/dovecot.if 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/dovecot.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/dovecot.if 2007-12-04 11:11:03.000000000 -0500
@@ -18,3 +18,43 @@
manage_files_pattern($1,dovecot_spool_t,dovecot_spool_t)
manage_lnk_files_pattern($1,dovecot_spool_t,dovecot_spool_t)
@@ -6473,9 +6239,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
+ domtrans_pattern($1,dovecot_deliver_exec_t,dovecot_deliver_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.2.1/policy/modules/services/dovecot.te
---- nsaserefpolicy/policy/modules/services/dovecot.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/dovecot.te 2007-11-30 11:23:56.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.2.2/policy/modules/services/dovecot.te
+--- nsaserefpolicy/policy/modules/services/dovecot.te 2007-12-04 11:02:50.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/dovecot.te 2007-12-04 11:36:54.000000000 -0500
@@ -15,6 +15,12 @@
domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
role system_r types dovecot_auth_t;
@@ -6499,25 +6265,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
type dovecot_var_run_t;
files_pid_file(dovecot_var_run_t)
-@@ -46,8 +55,6 @@
+@@ -46,7 +55,6 @@
allow dovecot_t self:tcp_socket create_stream_socket_perms;
allow dovecot_t self:unix_dgram_socket create_socket_perms;
allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
--allow dovecot_t self:netlink_route_socket r_netlink_socket_perms;
-
domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
allow dovecot_t dovecot_cert_t:dir list_dir_perms;
-@@ -67,6 +74,8 @@
- manage_sock_files_pattern(dovecot_t,dovecot_var_run_t,dovecot_var_run_t)
- files_pid_filetrans(dovecot_t,dovecot_var_run_t,file)
-
-+auth_use_nsswitch(dovecot_t)
-+
- kernel_read_kernel_sysctls(dovecot_t)
- kernel_read_system_state(dovecot_t)
-
-@@ -99,7 +108,7 @@
+@@ -98,7 +106,7 @@
files_dontaudit_list_default(dovecot_t)
# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
files_read_etc_runtime_files(dovecot_t)
@@ -6526,28 +6282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
init_getattr_utmp(dovecot_t)
-@@ -111,9 +120,6 @@
- miscfiles_read_certs(dovecot_t)
- miscfiles_read_localization(dovecot_t)
-
--sysnet_read_config(dovecot_t)
--sysnet_use_ldap(dovecot_auth_t)
--
- userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
- userdom_dontaudit_search_sysadm_home_dirs(dovecot_t)
- userdom_priveleged_home_dir_manager(dovecot_t)
-@@ -125,10 +131,6 @@
- ')
-
- optional_policy(`
-- nis_use_ypbind(dovecot_t)
--')
--
--optional_policy(`
- seutil_sigchld_newrole(dovecot_t)
- ')
-
-@@ -145,33 +147,44 @@
+@@ -139,33 +147,44 @@
# dovecot auth local policy
#
@@ -6594,25 +6329,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
files_read_usr_symlinks(dovecot_auth_t)
files_search_tmp(dovecot_auth_t)
files_read_var_lib_files(dovecot_t)
-@@ -185,12 +198,50 @@
-
- seutil_dontaudit_search_config(dovecot_auth_t)
-
--sysnet_dns_name_resolve(dovecot_auth_t)
--
- optional_policy(`
- kerberos_use(dovecot_auth_t)
+@@ -184,5 +203,45 @@
')
optional_policy(`
- logging_send_syslog_msg(dovecot_auth_t)
+ mysql_search_db(dovecot_auth_t)
+ mysql_stream_connect(dovecot_auth_t)
-+')
+ ')
+
+optional_policy(`
+ nis_authenticate(dovecot_auth_t)
- ')
++')
+
+optional_policy(`
+ postfix_manage_pivate_sockets(dovecot_auth_t)
@@ -6648,9 +6376,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
+ mta_manage_spool(dovecot_deliver_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.2.1/policy/modules/services/exim.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.2.2/policy/modules/services/exim.if
--- nsaserefpolicy/policy/modules/services/exim.if 2007-10-24 15:00:24.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/exim.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/exim.if 2007-12-04 11:11:03.000000000 -0500
@@ -117,6 +117,27 @@
########################################
@@ -6679,9 +6407,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
## Read exim spool files.
## </summary>
## <param name="domain">
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.2.1/policy/modules/services/exim.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.2.2/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te 2007-10-24 15:17:31.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/exim.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/exim.te 2007-12-04 11:11:03.000000000 -0500
@@ -21,9 +21,20 @@
## </desc>
gen_tunable(exim_manage_user_files,false)
@@ -6858,9 +6586,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
+ exim_manage_var_lib(exim_lib_update_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.2.1/policy/modules/services/ftp.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.2.2/policy/modules/services/ftp.if
--- nsaserefpolicy/policy/modules/services/ftp.if 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/ftp.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/ftp.if 2007-12-04 11:11:03.000000000 -0500
@@ -28,11 +28,13 @@
type ftpd_t;
')
@@ -6880,9 +6608,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.2.1/policy/modules/services/ftp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.2.2/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/ftp.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/ftp.te 2007-12-04 11:11:03.000000000 -0500
@@ -8,8 +8,8 @@
## <desc>
@@ -6963,9 +6691,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.2.1/policy/modules/services/hal.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.2.2/policy/modules/services/hal.fc
--- nsaserefpolicy/policy/modules/services/hal.fc 2007-11-14 08:17:58.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/hal.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/hal.fc 2007-12-04 11:11:03.000000000 -0500
@@ -8,18 +8,21 @@
/usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0)
/usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
@@ -6990,9 +6718,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
ifdef(`distro_gentoo',`
/var/lib/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.2.1/policy/modules/services/hal.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.2.2/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2007-11-14 08:17:58.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/hal.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/hal.te 2007-12-04 11:11:03.000000000 -0500
@@ -49,6 +49,9 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@@ -7052,9 +6780,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
libs_use_ld_so(hald_mac_t)
libs_use_shared_libs(hald_mac_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.2.1/policy/modules/services/inetd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.2.2/policy/modules/services/inetd.te
--- nsaserefpolicy/policy/modules/services/inetd.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/inetd.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/inetd.te 2007-12-04 11:11:03.000000000 -0500
@@ -30,6 +30,10 @@
type inetd_child_var_run_t;
files_pid_file(inetd_child_var_run_t)
@@ -7108,17 +6836,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
+optional_policy(`
+ inetd_service_domain(inetd_child_t,bin_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.2.1/policy/modules/services/kerberos.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.2.2/policy/modules/services/kerberos.fc
--- nsaserefpolicy/policy/modules/services/kerberos.fc 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/kerberos.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/kerberos.fc 2007-12-04 11:11:03.000000000 -0500
@@ -16,3 +16,4 @@
/var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0)
/var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0)
+/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.2.1/policy/modules/services/kerberos.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.2.2/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2007-07-16 14:09:46.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/kerberos.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/kerberos.if 2007-12-04 11:11:03.000000000 -0500
@@ -43,7 +43,13 @@
dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
@@ -7197,9 +6925,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
+ corenet_udp_bind_all_nodes($1)
+ ')
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.2.1/policy/modules/services/kerberos.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.2.2/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/kerberos.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/kerberos.te 2007-12-04 11:11:03.000000000 -0500
@@ -8,7 +8,7 @@
## <desc>
@@ -7287,50 +7015,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.2.1/policy/modules/services/ldap.te
---- nsaserefpolicy/policy/modules/services/ldap.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/ldap.te 2007-11-30 11:23:56.000000000 -0500
-@@ -42,7 +42,6 @@
- dontaudit slapd_t self:capability sys_tty_config;
- allow slapd_t self:process setsched;
- allow slapd_t self:fifo_file { read write };
--allow slapd_t self:netlink_route_socket r_netlink_socket_perms;
- allow slapd_t self:udp_socket create_socket_perms;
- #slapd needs to listen and accept needed by ldapsearch (slapd needs to accept from ldapseach)
- allow slapd_t self:tcp_socket create_stream_socket_perms;
-@@ -104,6 +103,8 @@
- files_read_usr_files(slapd_t)
- files_list_var_lib(slapd_t)
-
-+auth_use_nsswitch(slapd_t)
-+
- libs_use_ld_so(slapd_t)
- libs_use_shared_libs(slapd_t)
-
-@@ -112,8 +113,6 @@
- miscfiles_read_certs(slapd_t)
- miscfiles_read_localization(slapd_t)
-
--sysnet_read_config(slapd_t)
--
- userdom_dontaudit_use_unpriv_user_fds(slapd_t)
- userdom_dontaudit_search_sysadm_home_dirs(slapd_t)
-
-@@ -122,10 +121,6 @@
- ')
-
- optional_policy(`
-- nis_use_ypbind(slapd_t)
--')
--
--optional_policy(`
- seutil_sigchld_newrole(slapd_t)
- ')
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.2.1/policy/modules/services/mailman.te
---- nsaserefpolicy/policy/modules/services/mailman.te 2007-07-10 13:21:26.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/mailman.te 2007-11-30 11:23:56.000000000 -0500
-@@ -55,6 +55,8 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.2.2/policy/modules/services/mailman.te
+--- nsaserefpolicy/policy/modules/services/mailman.te 2007-12-04 11:02:50.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/mailman.te 2007-12-04 12:01:44.000000000 -0500
+@@ -53,6 +53,8 @@
apache_use_fds(mailman_cgi_t)
apache_dontaudit_append_log(mailman_cgi_t)
apache_search_sys_script_state(mailman_cgi_t)
@@ -7339,20 +7027,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
optional_policy(`
nscd_socket_use(mailman_cgi_t)
-@@ -67,6 +69,12 @@
+@@ -65,6 +67,10 @@
#
allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
+allow mailman_mail_t initrc_t:process signal;
+allow mailman_mail_t self:capability { setuid setgid };
+
-+auth_use_nsswitch(mailman_mail_t)
-+
+files_search_spool(mailman_mail_t)
mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
-@@ -96,6 +104,7 @@
+@@ -93,6 +99,7 @@
kernel_read_proc_symlinks(mailman_queue_t)
auth_domtrans_chk_passwd(mailman_queue_t)
@@ -7360,15 +7046,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
files_dontaudit_search_pids(mailman_queue_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.fc serefpolicy-3.2.1/policy/modules/services/mailscanner.fc
+@@ -109,3 +116,7 @@
+ optional_policy(`
+ cron_system_entry(mailman_queue_t,mailman_queue_exec_t)
+ ')
++
++optional_policy(`
++ nscd_socket_use(mailman_queue_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.fc serefpolicy-3.2.2/policy/modules/services/mailscanner.fc
--- nsaserefpolicy/policy/modules/services/mailscanner.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/mailscanner.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/mailscanner.fc 2007-12-04 11:11:03.000000000 -0500
@@ -0,0 +1,2 @@
+/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:mailscanner_spool_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.if serefpolicy-3.2.1/policy/modules/services/mailscanner.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.if serefpolicy-3.2.2/policy/modules/services/mailscanner.if
--- nsaserefpolicy/policy/modules/services/mailscanner.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/mailscanner.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/mailscanner.if 2007-12-04 11:11:03.000000000 -0500
@@ -0,0 +1,59 @@
+## <summary>Anti-Virus and Anti-Spam Filter</summary>
+
@@ -7429,18 +7123,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
+ files_search_spool($1)
+ manage_files_pattern($1,mailscanner_spool_t,mailscanner_spool_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.te serefpolicy-3.2.1/policy/modules/services/mailscanner.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.te serefpolicy-3.2.2/policy/modules/services/mailscanner.te
--- nsaserefpolicy/policy/modules/services/mailscanner.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/mailscanner.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/mailscanner.te 2007-12-04 11:11:03.000000000 -0500
@@ -0,0 +1,5 @@
+
+policy_module(mailscanner,1.0.0)
+
+type mailscanner_spool_t;
+files_type(mailscanner_spool_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.2.1/policy/modules/services/mta.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.2.2/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/mta.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/mta.if 2007-12-04 11:11:03.000000000 -0500
@@ -87,6 +87,8 @@
# It wants to check for nscd
files_dontaudit_search_pids($1_mail_t)
@@ -7601,9 +7295,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
#######################################
## <summary>
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.1/policy/modules/services/mta.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.2/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/mta.te 2007-12-01 07:56:06.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/mta.te 2007-12-04 11:11:03.000000000 -0500
@@ -6,6 +6,8 @@
# Declarations
#
@@ -7697,18 +7391,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
smartmon_read_tmp_files(system_mail_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.2.1/policy/modules/services/mysql.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.2.2/policy/modules/services/mysql.fc
--- nsaserefpolicy/policy/modules/services/mysql.fc 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/mysql.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/mysql.fc 2007-12-04 11:11:03.000000000 -0500
@@ -22,3 +22,5 @@
/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
/var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0)
+
+/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_script_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.2.1/policy/modules/services/mysql.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.2.2/policy/modules/services/mysql.if
--- nsaserefpolicy/policy/modules/services/mysql.if 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/mysql.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/mysql.if 2007-12-04 11:11:03.000000000 -0500
@@ -157,3 +157,79 @@
logging_search_logs($1)
allow $1 mysqld_log_t:file { write append setattr ioctl };
@@ -7789,9 +7483,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
+ manage_dirs_pattern($1,mysqld_tmp_t,mysqld_tmp_t)
+ manage_files_pattern($1,mysqld_tmp_t,mysqld_tmp_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.2.1/policy/modules/services/mysql.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.2.2/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/mysql.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/mysql.te 2007-12-04 11:11:03.000000000 -0500
@@ -25,6 +25,9 @@
type mysqld_tmp_t;
files_tmp_file(mysqld_tmp_t)
@@ -7802,9 +7496,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
########################################
#
# Local policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.2.1/policy/modules/services/nagios.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.2.2/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/nagios.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/nagios.fc 2007-12-04 11:11:03.000000000 -0500
@@ -4,13 +4,15 @@
/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
@@ -7824,9 +7518,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
-/usr/lib/cgi-bin/nagios/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
')
+/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.2.1/policy/modules/services/nagios.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.2.2/policy/modules/services/nagios.if
--- nsaserefpolicy/policy/modules/services/nagios.if 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/nagios.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/nagios.if 2007-12-04 11:11:03.000000000 -0500
@@ -44,25 +44,6 @@
########################################
@@ -7853,9 +7547,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
## Execute the nagios NRPE with
## a domain transition.
## </summary>
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.2.1/policy/modules/services/nagios.te
---- nsaserefpolicy/policy/modules/services/nagios.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/nagios.te 2007-11-30 11:23:56.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.2.2/policy/modules/services/nagios.te
+--- nsaserefpolicy/policy/modules/services/nagios.te 2007-12-04 11:02:50.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/nagios.te 2007-12-04 11:38:52.000000000 -0500
@@ -8,11 +8,7 @@
type nagios_t;
@@ -7883,29 +7577,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
type nrpe_etc_t;
files_config_file(nrpe_etc_t)
-@@ -60,6 +59,10 @@
+@@ -60,6 +59,8 @@
manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
files_pid_filetrans(nagios_t, nagios_var_run_t, file)
+rw_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
+
-+auth_use_nsswitch(nagios_t)
-+
kernel_read_system_state(nagios_t)
kernel_read_kernel_sysctls(nagios_t)
-@@ -106,10 +109,6 @@
- mta_send_mail(nagios_t)
-
- optional_policy(`
-- auth_use_nsswitch(nagios_t)
--')
--
--optional_policy(`
- netutils_domtrans_ping(nagios_t)
- netutils_signal_ping(nagios_t)
- netutils_kill_ping(nagios_t)
-@@ -132,42 +131,31 @@
+@@ -130,42 +131,31 @@
#
# Nagios CGI local policy
#
@@ -7915,44 +7596,44 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
-allow nagios_cgi_t self:process signal_perms;
-allow nagios_cgi_t self:fifo_file rw_fifo_file_perms;
-+allow httpd_nagios_script_t self:process signal_perms;
-
+-
-read_files_pattern(nagios_cgi_t, nagios_t, nagios_t)
-read_lnk_files_pattern(nagios_cgi_t, nagios_t, nagios_t)
-+read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
-+read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
-
+-
-allow nagios_cgi_t nagios_etc_t:dir list_dir_perms;
-read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t)
-read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t)
-+allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms;
-+read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)
-+read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)
++allow httpd_nagios_script_t self:process signal_perms;
-allow nagios_cgi_t nagios_log_t:dir list_dir_perms;
-read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)
-read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)
-+allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;
-+read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
-+read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
++read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
++read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
-kernel_read_system_state(nagios_cgi_t)
-+kernel_read_system_state(httpd_nagios_script_t)
++allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms;
++read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)
++read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)
-corecmd_exec_bin(nagios_cgi_t)
-+domain_dontaudit_read_all_domains_state(httpd_nagios_script_t)
++allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;
++read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
++read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
-domain_dontaudit_read_all_domains_state(nagios_cgi_t)
-+files_read_etc_runtime_files(httpd_nagios_script_t)
-+files_read_kernel_symbol_table(httpd_nagios_script_t)
++kernel_read_system_state(httpd_nagios_script_t)
-files_read_etc_files(nagios_cgi_t)
-files_read_etc_runtime_files(nagios_cgi_t)
-files_read_kernel_symbol_table(nagios_cgi_t)
--
++domain_dontaudit_read_all_domains_state(httpd_nagios_script_t)
+
-libs_use_ld_so(nagios_cgi_t)
-libs_use_shared_libs(nagios_cgi_t)
--
++files_read_etc_runtime_files(httpd_nagios_script_t)
++files_read_kernel_symbol_table(httpd_nagios_script_t)
+
-logging_send_syslog_msg(nagios_cgi_t)
-logging_search_logs(nagios_cgi_t)
-
@@ -7965,17 +7646,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
########################################
#
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.2.1/policy/modules/services/networkmanager.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.2.2/policy/modules/services/networkmanager.fc
--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2007-09-12 10:34:18.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/networkmanager.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/networkmanager.fc 2007-12-04 11:11:03.000000000 -0500
@@ -5,3 +5,4 @@
/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/log/wpa_supplicant\.log -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.2.1/policy/modules/services/networkmanager.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.2.2/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-10-29 07:52:49.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/networkmanager.te 2007-12-02 21:09:24.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/networkmanager.te 2007-12-04 11:11:03.000000000 -0500
@@ -13,6 +13,9 @@
type NetworkManager_var_run_t;
files_pid_file(NetworkManager_var_run_t)
@@ -8045,9 +7726,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.2.1/policy/modules/services/nis.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.2.2/policy/modules/services/nis.fc
--- nsaserefpolicy/policy/modules/services/nis.fc 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/nis.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/nis.fc 2007-12-04 11:11:03.000000000 -0500
@@ -4,6 +4,7 @@
/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
@@ -8056,9 +7737,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
/usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.2.1/policy/modules/services/nis.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.2.2/policy/modules/services/nis.if
--- nsaserefpolicy/policy/modules/services/nis.if 2007-07-16 14:09:46.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/nis.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/nis.if 2007-12-04 11:11:03.000000000 -0500
@@ -49,8 +49,8 @@
corenet_udp_bind_all_nodes($1)
corenet_tcp_bind_generic_port($1)
@@ -8096,9 +7777,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
## Execute ypbind in the ypbind domain.
## </summary>
## <param name="domain">
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.2.1/policy/modules/services/nis.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.2.2/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/nis.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/nis.te 2007-12-04 11:11:03.000000000 -0500
@@ -113,6 +113,17 @@
userdom_dontaudit_use_unpriv_user_fds(ypbind_t)
userdom_dontaudit_search_sysadm_home_dirs(ypbind_t)
@@ -8154,18 +7835,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
corenet_tcp_connect_all_ports(ypxfr_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.2.1/policy/modules/services/nscd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.2.2/policy/modules/services/nscd.fc
--- nsaserefpolicy/policy/modules/services/nscd.fc 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/nscd.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/nscd.fc 2007-12-04 11:11:03.000000000 -0500
@@ -9,3 +9,5 @@
/var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0)
/var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
+
+/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:httpd_script_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.2.1/policy/modules/services/nscd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.2.2/policy/modules/services/nscd.if
--- nsaserefpolicy/policy/modules/services/nscd.if 2007-03-26 10:39:04.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/nscd.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/nscd.if 2007-12-04 11:11:03.000000000 -0500
@@ -70,15 +70,14 @@
interface(`nscd_socket_use',`
gen_require(`
@@ -8207,9 +7888,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd
+ init_script_domtrans_spec($1,nscd_script_exec_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.2.1/policy/modules/services/nscd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.2.2/policy/modules/services/nscd.te
--- nsaserefpolicy/policy/modules/services/nscd.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/nscd.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/nscd.te 2007-12-04 11:11:03.000000000 -0500
@@ -23,19 +23,22 @@
type nscd_log_t;
logging_log_file(nscd_log_t)
@@ -8275,9 +7956,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd
+ samba_read_config(nscd_t)
+ samba_read_var_files(nscd_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.fc serefpolicy-3.2.1/policy/modules/services/ntp.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.fc serefpolicy-3.2.2/policy/modules/services/ntp.fc
--- nsaserefpolicy/policy/modules/services/ntp.fc 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/ntp.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/ntp.fc 2007-12-04 11:11:03.000000000 -0500
@@ -17,3 +17,8 @@
/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
@@ -8287,9 +7968,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
+/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
+
+/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_script_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.2.1/policy/modules/services/ntp.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.2.2/policy/modules/services/ntp.if
--- nsaserefpolicy/policy/modules/services/ntp.if 2007-03-26 10:39:05.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/ntp.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/ntp.if 2007-12-04 11:11:03.000000000 -0500
@@ -53,3 +53,22 @@
corecmd_search_bin($1)
domtrans_pattern($1,ntpdate_exec_t,ntpd_t)
@@ -8313,9 +7994,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
+ init_script_domtrans_spec($1,ntpd_script_exec_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.2.1/policy/modules/services/ntp.te
---- nsaserefpolicy/policy/modules/services/ntp.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/ntp.te 2007-11-30 11:23:56.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.2.2/policy/modules/services/ntp.te
+--- nsaserefpolicy/policy/modules/services/ntp.te 2007-12-04 11:02:50.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/ntp.te 2007-12-04 11:56:38.000000000 -0500
@@ -25,6 +25,12 @@
type ntpdate_exec_t;
init_system_domain(ntpd_t,ntpdate_exec_t)
@@ -8355,17 +8036,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
auth_use_nsswitch(ntpd_t)
-@@ -106,6 +117,9 @@
+@@ -105,6 +116,10 @@
+
miscfiles_read_localization(ntpd_t)
- sysnet_read_config(ntpd_t)
+sysnet_dontaudit_dhcpc_use_fds(ntpd_t)
+
+term_use_ptmx(ntpd_t)
-
++
userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
userdom_list_sysadm_home_dirs(ntpd_t)
-@@ -122,6 +136,10 @@
+ userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)
+@@ -120,6 +135,10 @@
')
optional_policy(`
@@ -8376,9 +8058,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
logrotate_exec(ntpd_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openct.te serefpolicy-3.2.1/policy/modules/services/openct.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openct.te serefpolicy-3.2.2/policy/modules/services/openct.te
--- nsaserefpolicy/policy/modules/services/openct.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/openct.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/openct.te 2007-12-04 11:11:03.000000000 -0500
@@ -22,6 +22,7 @@
allow openct_t self:process signal_perms;
@@ -8387,9 +8069,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
files_pid_filetrans(openct_t,openct_var_run_t,file)
kernel_read_kernel_sysctls(openct_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.2.1/policy/modules/services/openvpn.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.fc serefpolicy-3.2.2/policy/modules/services/openvpn.fc
+--- nsaserefpolicy/policy/modules/services/openvpn.fc 2007-06-11 16:05:22.000000000 -0400
++++ serefpolicy-3.2.2/policy/modules/services/openvpn.fc 2007-12-04 11:27:49.000000000 -0500
+@@ -11,5 +11,5 @@
+ #
+ # /var
+ #
+-/var/log/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_log_t,s0)
++/var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0)
+ /var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.2.2/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2007-10-29 07:52:49.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/openvpn.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/openvpn.te 2007-12-04 11:11:03.000000000 -0500
@@ -8,7 +8,7 @@
## <desc>
@@ -8412,9 +8104,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
+ unconfined_use_terminals(openvpn_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.2.1/policy/modules/services/pcscd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.2.2/policy/modules/services/pcscd.te
--- nsaserefpolicy/policy/modules/services/pcscd.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/pcscd.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/pcscd.te 2007-12-04 11:11:03.000000000 -0500
@@ -45,6 +45,7 @@
files_read_etc_files(pcscd_t)
files_read_etc_runtime_files(pcscd_t)
@@ -8423,9 +8115,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcsc
term_dontaudit_getattr_pty_dirs(pcscd_t)
libs_use_ld_so(pcscd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.2.1/policy/modules/services/pegasus.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.2.2/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/pegasus.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/pegasus.te 2007-12-04 11:57:04.000000000 -0500
@@ -42,6 +42,7 @@
allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink };
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
@@ -8451,7 +8143,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega
files_read_var_lib_symlinks(pegasus_t)
hostname_exec(pegasus_t)
-@@ -113,19 +114,17 @@
+@@ -113,19 +114,16 @@
libs_use_shared_libs(pegasus_t)
logging_send_audit_msgs(pegasus_t)
@@ -8459,7 +8151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega
miscfiles_read_localization(pegasus_t)
- sysnet_read_config(pegasus_t)
+-sysnet_read_config(pegasus_t)
+sysnet_domtrans_ifconfig(pegasus_t)
userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
@@ -8473,9 +8165,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega
rpm_exec(pegasus_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portslave.te serefpolicy-3.2.1/policy/modules/services/portslave.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portslave.te serefpolicy-3.2.2/policy/modules/services/portslave.te
--- nsaserefpolicy/policy/modules/services/portslave.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/portslave.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/portslave.te 2007-12-04 11:11:03.000000000 -0500
@@ -85,6 +85,7 @@
auth_rw_login_records(portslave_t)
@@ -8484,9 +8176,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port
init_rw_utmp(portslave_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.2.1/policy/modules/services/postfix.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.2.2/policy/modules/services/postfix.fc
--- nsaserefpolicy/policy/modules/services/postfix.fc 2007-09-12 10:34:18.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/postfix.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/postfix.fc 2007-12-04 11:11:03.000000000 -0500
@@ -29,12 +29,10 @@
/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
@@ -8500,29 +8192,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
/usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
/usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.2.1/policy/modules/services/postfix.if
---- nsaserefpolicy/policy/modules/services/postfix.if 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/postfix.if 2007-11-30 11:23:56.000000000 -0500
-@@ -83,6 +83,8 @@
- init_dontaudit_use_fds(postfix_$1_t)
- init_sigchld(postfix_$1_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.2.2/policy/modules/services/postfix.if
+--- nsaserefpolicy/policy/modules/services/postfix.if 2007-12-04 11:02:50.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/postfix.if 2007-12-04 11:11:03.000000000 -0500
+@@ -96,6 +96,10 @@
+ userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t)
-+ auth_use_nsswitch(postfix_$1_t)
+ optional_policy(`
++ nscd_socket_use(postfix_$1_t)
++ ')
+
- libs_use_ld_so(postfix_$1_t)
- libs_use_shared_libs(postfix_$1_t)
-
-@@ -135,9 +137,6 @@
++ optional_policy(`
+ udev_read_db(postfix_$1_t)
+ ')
+ ')
+@@ -132,6 +136,7 @@
+ corenet_udp_bind_all_nodes(postfix_$1_t)
corenet_tcp_connect_all_ports(postfix_$1_t)
corenet_sendrecv_all_client_packets(postfix_$1_t)
-
-- optional_policy(`
-- auth_use_nsswitch(postfix_$1_t)
-- ')
++
')
########################################
-@@ -433,6 +432,26 @@
+@@ -427,6 +432,26 @@
########################################
## <summary>
@@ -8549,10 +8241,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
## Execute the master postfix program in the
## postfix_master domain.
## </summary>
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.2.1/policy/modules/services/postfix.te
---- nsaserefpolicy/policy/modules/services/postfix.te 2007-11-08 09:29:27.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/postfix.te 2007-11-30 11:23:56.000000000 -0500
-@@ -6,6 +6,14 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.2.2/policy/modules/services/postfix.te
+--- nsaserefpolicy/policy/modules/services/postfix.te 2007-12-04 11:02:50.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/postfix.te 2007-12-04 11:11:03.000000000 -0500
+@@ -1,11 +1,19 @@
+
+-policy_module(postfix,1.7.2)
++policy_module(postfix,1.7.1)
+
+ ########################################
+ #
# Declarations
#
@@ -8594,24 +8292,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
allow postfix_master_t postfix_etc_t:file rw_file_perms;
-@@ -172,15 +186,11 @@
- # postfix does a "find" on startup for some reason - keep it quiet
- seutil_dontaudit_search_config(postfix_master_t)
+@@ -174,6 +188,7 @@
--sysnet_read_config(postfix_master_t)
--
mta_rw_aliases(postfix_master_t)
mta_read_sendmail_bin(postfix_master_t)
+mta_getattr_spool(postfix_master_t)
optional_policy(`
-- auth_use_nsswitch(postfix_master_t)
--')
--optional_policy(`
cyrus_stream_connect(postfix_master_t)
- ')
-
-@@ -278,6 +288,8 @@
+@@ -273,6 +288,8 @@
files_read_etc_files(postfix_local_t)
@@ -8620,7 +8309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
mta_read_aliases(postfix_local_t)
mta_delete_spool(postfix_local_t)
# For reading spamassasin
-@@ -290,6 +302,7 @@
+@@ -285,6 +302,7 @@
optional_policy(`
# for postalias
mailman_manage_data_files(postfix_local_t)
@@ -8628,38 +8317,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
')
optional_policy(`
-@@ -342,6 +355,8 @@
- files_read_etc_runtime_files(postfix_map_t)
- files_dontaudit_search_var(postfix_map_t)
-
-+auth_use_nsswitch(postfix_map_t)
-+
- libs_use_ld_so(postfix_map_t)
- libs_use_shared_libs(postfix_map_t)
-
-@@ -349,10 +364,6 @@
+@@ -346,8 +364,6 @@
miscfiles_read_localization(postfix_map_t)
-seutil_read_config(postfix_map_t)
-
--sysnet_read_config(postfix_map_t)
--
tunable_policy(`read_default_t',`
files_list_default(postfix_map_t)
files_read_default_files(postfix_map_t)
-@@ -365,10 +376,6 @@
- locallogin_dontaudit_use_fds(postfix_map_t)
- ')
-
--optional_policy(`
-- nscd_socket_use(postfix_map_t)
--')
--
- ########################################
- #
- # Postfix pickup local policy
-@@ -401,6 +408,10 @@
+@@ -392,6 +408,10 @@
rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)
optional_policy(`
@@ -8670,7 +8337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
procmail_domtrans(postfix_pipe_t)
')
-@@ -409,6 +420,10 @@
+@@ -400,6 +420,10 @@
')
optional_policy(`
@@ -8681,34 +8348,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
uucp_domtrans_uux(postfix_pipe_t)
')
-@@ -433,8 +448,6 @@
- term_dontaudit_use_all_user_ptys(postfix_postdrop_t)
- term_dontaudit_use_all_user_ttys(postfix_postdrop_t)
-
--sysnet_dns_name_resolve(postfix_postdrop_t)
--
- mta_rw_user_mail_stream_sockets(postfix_postdrop_t)
-
- optional_policy(`
-@@ -474,8 +487,6 @@
- init_sigchld_script(postfix_postqueue_t)
- init_use_script_fds(postfix_postqueue_t)
-
--sysnet_dontaudit_read_config(postfix_postqueue_t)
--
- ########################################
- #
- # Postfix qmgr local policy
-@@ -518,8 +529,6 @@
- term_use_all_user_ptys(postfix_showq_t)
- term_use_all_user_ttys(postfix_showq_t)
-
--sysnet_dns_name_resolve(postfix_showq_t)
--
- ########################################
- #
- # Postfix smtp delivery local policy
-@@ -547,9 +556,6 @@
+@@ -532,9 +556,6 @@
# connect to master process
stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
@@ -8718,7 +8358,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
# for prng_exch
allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
-@@ -572,6 +578,10 @@
+@@ -557,6 +578,10 @@
sasl_connect(postfix_smtpd_t)
')
@@ -8729,18 +8369,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
#
# Postfix virtual local policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.2.1/policy/modules/services/postgresql.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.2.2/policy/modules/services/postgresql.fc
--- nsaserefpolicy/policy/modules/services/postgresql.fc 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/postgresql.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/postgresql.fc 2007-12-04 11:11:03.000000000 -0500
@@ -38,3 +38,5 @@
')
/var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
+
+/etc/rc\.d/init\.d/postgresql -- gen_context(system_u:object_r:postgresql_script_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.2.1/policy/modules/services/postgresql.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.2.2/policy/modules/services/postgresql.if
--- nsaserefpolicy/policy/modules/services/postgresql.if 2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/postgresql.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/postgresql.if 2007-12-04 11:11:03.000000000 -0500
@@ -120,3 +120,77 @@
# Some versions of postgresql put the sock file in /tmp
allow $1 postgresql_tmp_t:sock_file write;
@@ -8819,9 +8459,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+ manage_dirs_pattern($1,postgresql_tmp_t,postgresql_tmp_t)
+ manage_files_pattern($1,postgresql_tmp_t,postgresql_tmp_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.2.1/policy/modules/services/postgresql.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.2.2/policy/modules/services/postgresql.te
--- nsaserefpolicy/policy/modules/services/postgresql.te 2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/postgresql.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/postgresql.te 2007-12-04 11:11:03.000000000 -0500
@@ -27,6 +27,9 @@
type postgresql_var_run_t;
files_pid_file(postgresql_var_run_t)
@@ -8870,9 +8510,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
seutil_sigchld_newrole(postgresql_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.2.1/policy/modules/services/ppp.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.2.2/policy/modules/services/ppp.fc
--- nsaserefpolicy/policy/modules/services/ppp.fc 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/ppp.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/ppp.fc 2007-12-04 11:11:03.000000000 -0500
@@ -25,7 +25,7 @@
#
# /var
@@ -8882,9 +8522,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
/var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0)
/var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0)
# Fix pptp sockets
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.2.1/policy/modules/services/ppp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.2.2/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te 2007-11-16 13:45:14.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/ppp.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/ppp.te 2007-12-04 11:11:03.000000000 -0500
@@ -194,6 +194,8 @@
optional_policy(`
@@ -8894,9 +8534,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.2.1/policy/modules/services/procmail.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.2.2/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2007-11-16 13:45:14.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/procmail.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/procmail.te 2007-12-04 11:11:03.000000000 -0500
@@ -133,3 +133,7 @@
spamassassin_exec_client(procmail_t)
spamassassin_read_lib_files(procmail_t)
@@ -8905,9 +8545,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc
+optional_policy(`
+ mailscanner_read_spool(procmail_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.2.1/policy/modules/services/pyzor.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.2.2/policy/modules/services/pyzor.fc
--- nsaserefpolicy/policy/modules/services/pyzor.fc 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/pyzor.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/pyzor.fc 2007-12-04 11:11:03.000000000 -0500
@@ -1,6 +1,6 @@
/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
@@ -8916,9 +8556,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.2.1/policy/modules/services/pyzor.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.2.2/policy/modules/services/pyzor.if
--- nsaserefpolicy/policy/modules/services/pyzor.if 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/pyzor.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/pyzor.if 2007-12-04 11:11:03.000000000 -0500
@@ -25,16 +25,18 @@
#
template(`pyzor_per_role_template',`
@@ -8945,9 +8585,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.2.1/policy/modules/services/pyzor.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.2.2/policy/modules/services/pyzor.te
--- nsaserefpolicy/policy/modules/services/pyzor.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/pyzor.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/pyzor.te 2007-12-04 11:11:03.000000000 -0500
@@ -28,6 +28,9 @@
type pyzor_var_lib_t;
files_type(pyzor_var_lib_t)
@@ -8958,9 +8598,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
########################################
#
# Pyzor local policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.2.1/policy/modules/services/radius.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.2.2/policy/modules/services/radius.te
--- nsaserefpolicy/policy/modules/services/radius.te 2007-11-16 13:45:14.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/radius.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/radius.te 2007-12-04 11:11:03.000000000 -0500
@@ -88,6 +88,7 @@
auth_read_shadow(radiusd_t)
@@ -8969,18 +8609,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi
corecmd_exec_bin(radiusd_t)
corecmd_exec_shell(radiusd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.2.1/policy/modules/services/razor.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.2.2/policy/modules/services/razor.fc
--- nsaserefpolicy/policy/modules/services/razor.fc 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/razor.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/razor.fc 2007-12-04 11:11:03.000000000 -0500
@@ -1,4 +1,4 @@
-HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:ROLE_razor_home_t,s0)
+HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:user_razor_home_t,s0)
/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.2.1/policy/modules/services/razor.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.2.2/policy/modules/services/razor.if
--- nsaserefpolicy/policy/modules/services/razor.if 2007-07-16 14:09:46.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/razor.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/razor.if 2007-12-04 11:11:03.000000000 -0500
@@ -137,6 +137,7 @@
template(`razor_per_role_template',`
gen_require(`
@@ -9006,9 +8646,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
##############################
#
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.2.1/policy/modules/services/razor.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.2.2/policy/modules/services/razor.te
--- nsaserefpolicy/policy/modules/services/razor.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/razor.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/razor.te 2007-12-04 11:11:03.000000000 -0500
@@ -23,6 +23,12 @@
razor_common_domain_template(razor)
@@ -9022,9 +8662,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
########################################
#
# Local policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.if serefpolicy-3.2.1/policy/modules/services/remotelogin.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.if serefpolicy-3.2.2/policy/modules/services/remotelogin.if
--- nsaserefpolicy/policy/modules/services/remotelogin.if 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/remotelogin.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/remotelogin.if 2007-12-04 11:11:03.000000000 -0500
@@ -18,3 +18,20 @@
auth_domtrans_login_program($1,remote_login_t)
')
@@ -9046,9 +8686,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remo
+
+ allow $1 remote_login_t:process signal;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-3.2.1/policy/modules/services/remotelogin.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-3.2.2/policy/modules/services/remotelogin.te
--- nsaserefpolicy/policy/modules/services/remotelogin.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/remotelogin.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/remotelogin.te 2007-12-04 11:11:03.000000000 -0500
@@ -85,6 +85,7 @@
miscfiles_read_localization(remote_login_t)
@@ -9057,9 +8697,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remo
userdom_use_unpriv_users_fds(remote_login_t)
userdom_search_all_users_home_content(remote_login_t)
# Only permit unprivileged user domains to be entered via rlogin,
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.2.1/policy/modules/services/ricci.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.2.2/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 2007-11-16 13:45:14.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/ricci.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/ricci.te 2007-12-04 11:11:03.000000000 -0500
@@ -138,6 +138,7 @@
files_create_boot_flag(ricci_t)
@@ -9079,9 +8719,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
unconfined_use_fds(ricci_modclusterd_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.2.1/policy/modules/services/rlogin.te
---- nsaserefpolicy/policy/modules/services/rlogin.te 2007-10-02 09:54:52.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/rlogin.te 2007-11-30 11:23:56.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.2.2/policy/modules/services/rlogin.te
+--- nsaserefpolicy/policy/modules/services/rlogin.te 2007-12-04 11:02:50.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/rlogin.te 2007-12-04 11:11:03.000000000 -0500
@@ -36,6 +36,8 @@
allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr };
term_create_pty(rlogind_t,rlogind_devpts_t)
@@ -9099,13 +8739,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog
auth_rw_login_records(rlogind_t)
auth_use_nsswitch(rlogind_t)
-@@ -82,25 +85,21 @@
+@@ -82,23 +85,21 @@
miscfiles_read_localization(rlogind_t)
-seutil_dontaudit_search_config(rlogind_t)
--
--sysnet_read_config(rlogind_t)
+seutil_read_config(rlogind_t)
userdom_setattr_unpriv_users_ptys(rlogind_t)
@@ -9129,9 +8767,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog
-# Allow krb5 rlogind to use fork and open /dev/tty for use
-allow rlogind_t userpty_type:chr_file setattr;
-')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.2.1/policy/modules/services/rpcbind.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.2.2/policy/modules/services/rpcbind.te
--- nsaserefpolicy/policy/modules/services/rpcbind.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/rpcbind.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/rpcbind.te 2007-12-04 11:11:03.000000000 -0500
@@ -21,11 +21,13 @@
# rpcbind local policy
#
@@ -9147,10 +8785,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcb
allow rpcbind_t self:tcp_socket create_stream_socket_perms;
manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.2.1/policy/modules/services/rpc.if
---- nsaserefpolicy/policy/modules/services/rpc.if 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/rpc.if 2007-11-30 11:23:56.000000000 -0500
-@@ -89,8 +89,11 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.2.2/policy/modules/services/rpc.if
+--- nsaserefpolicy/policy/modules/services/rpc.if 2007-12-04 11:02:50.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/rpc.if 2007-12-04 11:40:28.000000000 -0500
+@@ -88,8 +88,11 @@
# bind to arbitary unused ports
corenet_tcp_bind_generic_port($1_t)
corenet_udp_bind_generic_port($1_t)
@@ -9163,7 +8801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
fs_rw_rpc_named_pipes($1_t)
fs_search_auto_mountpoints($1_t)
-@@ -214,6 +217,24 @@
+@@ -208,6 +211,24 @@
########################################
## <summary>
@@ -9188,9 +8826,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
## Read NFS exported content.
## </summary>
## <param name="domain">
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.2.1/policy/modules/services/rpc.te
---- nsaserefpolicy/policy/modules/services/rpc.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/rpc.te 2007-11-30 11:23:56.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.2.2/policy/modules/services/rpc.te
+--- nsaserefpolicy/policy/modules/services/rpc.te 2007-12-04 11:02:50.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/rpc.te 2007-12-04 11:41:53.000000000 -0500
@@ -8,7 +8,7 @@
## <desc>
@@ -9225,7 +8863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
fs_list_rpc(rpcd_t)
fs_read_rpc_files(rpcd_t)
-@@ -76,9 +80,16 @@
+@@ -76,11 +80,17 @@
miscfiles_read_certs(rpcd_t)
seutil_dontaudit_search_config(rpcd_t)
@@ -9233,16 +8871,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
optional_policy(`
nis_read_ypserv_config(rpcd_t)
-+ nis_use_ypbind(rpcd_t)
-+')
-+
+ ')
+
+# automount -> mount -> rpcd
+optional_policy(`
+ automount_dontaudit_use_fds(rpcd_t)
- ')
-
++')
++
########################################
-@@ -91,9 +102,13 @@
+ #
+ # NFSD local policy
+@@ -91,9 +101,13 @@
allow nfsd_t exports_t:file { getattr read };
allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
@@ -9256,7 +8895,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
corenet_tcp_bind_all_rpc_ports(nfsd_t)
corenet_udp_bind_all_rpc_ports(nfsd_t)
-@@ -123,6 +138,7 @@
+@@ -123,6 +137,7 @@
tunable_policy(`nfs_export_all_rw',`
fs_read_noxattr_fs_files(nfsd_t)
auth_manage_all_files_except_shadow(nfsd_t)
@@ -9264,7 +8903,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
')
tunable_policy(`nfs_export_all_ro',`
-@@ -143,6 +159,7 @@
+@@ -143,6 +158,7 @@
manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
@@ -9272,12 +8911,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_search_network_sysctl(gssd_t)
-@@ -156,8 +173,14 @@
+@@ -156,8 +172,13 @@
files_list_tmp(gssd_t)
files_read_usr_symlinks(gssd_t)
+auth_read_cache(gssd_t)
-+auth_use_nsswitch(gssd_t)
+
miscfiles_read_certs(gssd_t)
@@ -9287,9 +8925,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
tunable_policy(`allow_gssd_read_tmp',`
userdom_list_unpriv_users_tmp(gssd_t)
userdom_read_unpriv_users_tmp_files(gssd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.2.1/policy/modules/services/rshd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.2.2/policy/modules/services/rshd.te
--- nsaserefpolicy/policy/modules/services/rshd.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/rshd.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/rshd.te 2007-12-04 11:11:03.000000000 -0500
@@ -16,7 +16,7 @@
#
# Local policy
@@ -9361,17 +8999,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd
unconfined_shell_domtrans(rshd_t)
+ unconfined_signal(rshd_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.fc serefpolicy-3.2.1/policy/modules/services/rsync.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.fc serefpolicy-3.2.2/policy/modules/services/rsync.fc
--- nsaserefpolicy/policy/modules/services/rsync.fc 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/rsync.fc 2007-12-01 08:07:48.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/rsync.fc 2007-12-04 11:11:03.000000000 -0500
@@ -1,2 +1,4 @@
/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
+
+/var/log/rsync.log -- gen_context(system_u:object_r:rsync_log_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.2.1/policy/modules/services/rsync.te
---- nsaserefpolicy/policy/modules/services/rsync.te 2007-11-16 13:45:14.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/rsync.te 2007-12-01 08:08:40.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.2.2/policy/modules/services/rsync.te
+--- nsaserefpolicy/policy/modules/services/rsync.te 2007-12-04 11:02:50.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/rsync.te 2007-12-04 11:11:03.000000000 -0500
@@ -8,7 +8,7 @@
## <desc>
@@ -9417,22 +9055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
#end for identd
allow rsync_t rsync_data_t:dir list_dir_perms;
-@@ -65,8 +67,6 @@
- manage_files_pattern(rsync_t,rsync_var_run_t,rsync_var_run_t)
- files_pid_filetrans(rsync_t,rsync_var_run_t,file)
-
--auth_use_nsswitch(rsync_t)
--
- kernel_read_kernel_sysctls(rsync_t)
- kernel_read_system_state(rsync_t)
- kernel_read_network_state(rsync_t)
-@@ -90,11 +90,14 @@
- files_read_etc_files(rsync_t)
- files_search_home(rsync_t)
-
-+auth_use_nsswitch(rsync_t)
-+
- libs_use_ld_so(rsync_t)
+@@ -94,7 +96,8 @@
libs_use_shared_libs(rsync_t)
logging_send_syslog_msg(rsync_t)
@@ -9450,9 +9073,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
fs_read_noxattr_fs_files(rsync_t)
auth_read_all_files_except_shadow(rsync_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.2.1/policy/modules/services/samba.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.2.2/policy/modules/services/samba.fc
--- nsaserefpolicy/policy/modules/services/samba.fc 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/samba.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/samba.fc 2007-12-04 11:11:03.000000000 -0500
@@ -15,6 +15,7 @@
/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
/usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0)
@@ -9470,9 +9093,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)
/var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.2.1/policy/modules/services/samba.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.2.2/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/samba.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/samba.if 2007-12-04 11:11:03.000000000 -0500
@@ -331,6 +331,25 @@
########################################
@@ -9610,9 +9233,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+ role $2 types smbcontrol_t;
+ dontaudit smbcontrol_t $3:chr_file rw_term_perms;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.2.1/policy/modules/services/samba.te
---- nsaserefpolicy/policy/modules/services/samba.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/samba.te 2007-11-30 11:23:56.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.2.2/policy/modules/services/samba.te
+--- nsaserefpolicy/policy/modules/services/samba.te 2007-12-04 11:02:50.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/samba.te 2007-12-04 11:51:04.000000000 -0500
@@ -9,14 +9,14 @@
## <desc>
## <p>
@@ -9675,34 +9298,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
########################################
#
# Samba net local policy
-@@ -146,7 +151,6 @@
- allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
- allow samba_net_t self:udp_socket create_socket_perms;
- allow samba_net_t self:tcp_socket create_socket_perms;
--allow samba_net_t self:netlink_route_socket r_netlink_socket_perms;
-
- allow samba_net_t samba_etc_t:file read_file_perms;
-
-@@ -183,6 +187,8 @@
-
- files_read_etc_files(samba_net_t)
-
-+auth_use_nsswitch(samba_net_t)
-+
- libs_use_ld_so(samba_net_t)
- libs_use_shared_libs(samba_net_t)
-
-@@ -190,8 +196,7 @@
+@@ -191,16 +196,14 @@
miscfiles_read_localization(samba_net_t)
--sysnet_read_config(samba_net_t)
--sysnet_use_ldap(samba_net_t)
+samba_read_var_files(samba_net_t)
-
++
userdom_dontaudit_search_sysadm_home_dirs(samba_net_t)
-@@ -199,10 +204,6 @@
+ optional_policy(`
kerberos_use(samba_net_t)
')
@@ -9713,7 +9317,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
########################################
#
# smbd Local policy
-@@ -217,19 +218,16 @@
+@@ -215,7 +218,7 @@
allow smbd_t self:msgq create_msgq_perms;
allow smbd_t self:sem create_sem_perms;
allow smbd_t self:shm create_shm_perms;
@@ -9722,8 +9326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
allow smbd_t self:tcp_socket create_stream_socket_perms;
allow smbd_t self:udp_socket create_socket_perms;
allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
- allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
--allow smbd_t self:netlink_route_socket r_netlink_socket_perms;
+@@ -223,10 +226,8 @@
allow smbd_t samba_etc_t:file { rw_file_perms setattr };
@@ -9736,7 +9339,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
allow smbd_t samba_net_tmp_t:file getattr;
-@@ -256,7 +254,7 @@
+@@ -253,7 +254,7 @@
manage_sock_files_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t)
files_pid_filetrans(smbd_t,smbd_var_run_t,file)
@@ -9745,7 +9348,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
-@@ -298,6 +296,7 @@
+@@ -295,6 +296,7 @@
auth_use_nsswitch(smbd_t)
auth_domtrans_chk_passwd(smbd_t)
@@ -9753,16 +9356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
domain_use_interactive_fds(smbd_t)
domain_dontaudit_list_all_domains_state(smbd_t)
-@@ -321,8 +320,6 @@
- miscfiles_read_localization(smbd_t)
- miscfiles_read_public_files(smbd_t)
-
--sysnet_read_config(smbd_t)
--
- userdom_dontaudit_search_sysadm_home_dirs(smbd_t)
- userdom_dontaudit_use_unpriv_user_fds(smbd_t)
- userdom_use_unpriv_users_fds(smbd_t)
-@@ -347,6 +344,17 @@
+@@ -342,6 +344,17 @@
tunable_policy(`samba_share_nfs',`
fs_manage_nfs_dirs(smbd_t)
fs_manage_nfs_files(smbd_t)
@@ -9780,7 +9374,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
')
optional_policy(`
-@@ -398,7 +406,7 @@
+@@ -393,7 +406,7 @@
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
@@ -9789,7 +9383,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
allow nmbd_t self:tcp_socket create_stream_socket_perms;
allow nmbd_t self:udp_socket create_socket_perms;
allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
-@@ -410,8 +418,7 @@
+@@ -405,8 +418,7 @@
read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
@@ -9799,7 +9393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
create_files_pattern(nmbd_t,samba_log_t,samba_log_t)
-@@ -446,6 +453,7 @@
+@@ -441,6 +453,7 @@
dev_getattr_mtrr_dev(nmbd_t)
fs_getattr_all_fs(nmbd_t)
@@ -9807,34 +9401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
fs_search_auto_mountpoints(nmbd_t)
domain_use_interactive_fds(nmbd_t)
-@@ -454,6 +462,8 @@
- files_read_etc_files(nmbd_t)
- files_list_var_lib(nmbd_t)
-
-+auth_use_nsswitch(nmbd_t)
-+
- libs_use_ld_so(nmbd_t)
- libs_use_shared_libs(nmbd_t)
-
-@@ -462,17 +472,11 @@
-
- miscfiles_read_localization(nmbd_t)
-
--sysnet_read_config(nmbd_t)
--
- userdom_dontaudit_search_sysadm_home_dirs(nmbd_t)
- userdom_dontaudit_use_unpriv_user_fds(nmbd_t)
- userdom_use_unpriv_users_fds(nmbd_t)
-
- optional_policy(`
-- nis_use_ypbind(nmbd_t)
--')
--
--optional_policy(`
- seutil_sigchld_newrole(nmbd_t)
- ')
-
-@@ -533,6 +537,7 @@
+@@ -524,6 +537,7 @@
storage_raw_write_fixed_disk(smbmount_t)
term_list_ptys(smbmount_t)
@@ -9842,34 +9409,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
corecmd_list_bin(smbmount_t)
-@@ -542,6 +547,8 @@
- files_etc_filetrans_etc_runtime(smbmount_t,file)
- files_read_etc_files(smbmount_t)
+@@ -548,28 +562,37 @@
-+auth_use_nsswitch(smbmount_t)
-+
- miscfiles_read_localization(smbmount_t)
-
- mount_use_fds(smbmount_t)
-@@ -553,16 +560,10 @@
-
- logging_search_logs(smbmount_t)
-
--sysnet_read_config(smbmount_t)
--
userdom_use_all_users_fds(smbmount_t)
- optional_policy(`
-- nis_use_ypbind(smbmount_t)
--')
--
--optional_policy(`
-- nscd_socket_use(smbmount_t)
++optional_policy(`
+ cups_read_rw_config(smbmount_t)
- ')
-
++')
++
########################################
-@@ -570,24 +571,28 @@
+ #
# SWAT Local policy
#
@@ -9881,7 +9430,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow swat_t self:tcp_socket create_stream_socket_perms;
allow swat_t self:udp_socket create_socket_perms;
--allow swat_t self:netlink_route_socket r_netlink_socket_perms;
-allow swat_t nmbd_exec_t:file { execute read };
+allow swat_t self:unix_stream_socket connectto;
@@ -9906,7 +9454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
allow swat_t smbd_var_run_t:file read;
manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t)
-@@ -597,7 +602,9 @@
+@@ -579,7 +602,9 @@
manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
files_pid_filetrans(swat_t,swat_var_run_t,file)
@@ -9917,7 +9465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -622,23 +629,25 @@
+@@ -604,18 +629,21 @@
dev_read_urand(swat_t)
@@ -9929,7 +9477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
auth_domtrans_chk_passwd(swat_t)
+auth_domtrans_upd_passwd(swat_t)
-+auth_use_nsswitch(swat_t)
+ auth_use_nsswitch(swat_t)
libs_use_ld_so(swat_t)
libs_use_shared_libs(swat_t)
@@ -9939,25 +9487,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
logging_search_logs(swat_t)
miscfiles_read_localization(swat_t)
-
--sysnet_read_config(swat_t)
--
- optional_policy(`
- cups_read_rw_config(swat_t)
- cups_stream_connect(swat_t)
-@@ -652,13 +661,16 @@
+@@ -633,6 +661,17 @@
kerberos_use(swat_t)
')
--optional_policy(`
-- nis_use_ypbind(swat_t)
--')
+init_read_utmp(swat_t)
+init_dontaudit_write_utmp(swat_t)
-
--optional_policy(`
-- nscd_socket_use(swat_t)
--')
++
+manage_dirs_pattern(swat_t,samba_log_t,samba_log_t)
+create_files_pattern(swat_t,samba_log_t,samba_log_t)
+
@@ -9965,18 +9501,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+
+manage_files_pattern(swat_t,samba_var_t,samba_var_t)
+files_list_var_lib(swat_t)
-
++
########################################
#
-@@ -672,7 +684,6 @@
- allow winbind_t self:fifo_file { read write };
- allow winbind_t self:unix_dgram_socket create_socket_perms;
- allow winbind_t self:unix_stream_socket create_stream_socket_perms;
--allow winbind_t self:netlink_route_socket r_netlink_socket_perms;
- allow winbind_t self:tcp_socket create_stream_socket_perms;
- allow winbind_t self:udp_socket create_socket_perms;
-
-@@ -709,6 +720,8 @@
+ # Winbind local policy
+@@ -681,6 +720,8 @@
manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
files_pid_filetrans(winbind_t,winbind_var_run_t,file)
@@ -9985,27 +9514,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
kernel_read_kernel_sysctls(winbind_t)
kernel_list_proc(winbind_t)
kernel_read_proc_symlinks(winbind_t)
-@@ -733,7 +746,9 @@
- fs_getattr_all_fs(winbind_t)
+@@ -706,6 +747,7 @@
fs_search_auto_mountpoints(winbind_t)
-+auth_use_nsswitch(winbind_t)
auth_domtrans_chk_passwd(winbind_t)
+auth_domtrans_upd_passwd(winbind_t)
+ auth_use_nsswitch(winbind_t)
domain_use_interactive_fds(winbind_t)
-
-@@ -746,9 +761,6 @@
-
- miscfiles_read_localization(winbind_t)
-
--sysnet_read_config(winbind_t)
--sysnet_dns_name_resolve(winbind_t)
--
- userdom_dontaudit_use_unpriv_user_fds(winbind_t)
- userdom_dontaudit_search_sysadm_home_dirs(winbind_t)
- userdom_priveleged_home_dir_manager(winbind_t)
-@@ -758,10 +770,6 @@
+@@ -728,10 +770,6 @@
')
optional_policy(`
@@ -10016,7 +9533,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
seutil_sigchld_newrole(winbind_t)
')
-@@ -790,6 +798,8 @@
+@@ -760,6 +798,8 @@
domain_use_interactive_fds(winbind_helper_t)
@@ -10025,15 +9542,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
libs_use_ld_so(winbind_helper_t)
libs_use_shared_libs(winbind_helper_t)
-@@ -804,6 +814,7 @@
+@@ -768,12 +808,9 @@
+ miscfiles_read_localization(winbind_helper_t)
+
optional_policy(`
+- nscd_socket_use(winbind_helper_t)
+-')
+-
+-optional_policy(`
squid_read_log(winbind_helper_t)
squid_append_log(winbind_helper_t)
+ squid_rw_stream_sockets(winbind_helper_t)
')
########################################
-@@ -828,3 +839,37 @@
+@@ -798,3 +835,37 @@
domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
')
')
@@ -10071,9 +9594,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+allow winbind_t smbcontrol_t:process signal;
+
+allow smbcontrol_t nmbd_var_run_t:file { read lock };
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.2.1/policy/modules/services/sasl.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.2.2/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/sasl.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/sasl.te 2007-12-04 11:11:03.000000000 -0500
@@ -64,6 +64,7 @@
selinux_compute_access_vector(saslauthd_t)
@@ -10093,9 +9616,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl
seutil_sigchld_newrole(saslauthd_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.2.1/policy/modules/services/sendmail.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.2.2/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if 2007-08-27 13:57:20.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/sendmail.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/sendmail.if 2007-12-04 11:11:03.000000000 -0500
@@ -149,3 +149,85 @@
logging_log_filetrans($1,sendmail_log_t,file)
@@ -10182,9 +9705,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
+ role $2 types unconfined_sendmail_t;
+ allow unconfined_sendmail_t $3:chr_file rw_file_perms;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.2.1/policy/modules/services/sendmail.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.2.2/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/sendmail.te 2007-12-01 07:43:47.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/sendmail.te 2007-12-04 11:11:03.000000000 -0500
@@ -20,19 +20,22 @@
mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t)
@@ -10302,9 +9825,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
-dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
-') dnl end TODO
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.2.1/policy/modules/services/setroubleshoot.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.2.2/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-10-29 07:52:49.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/setroubleshoot.te 2007-12-02 19:04:59.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/setroubleshoot.te 2007-12-04 11:11:03.000000000 -0500
@@ -27,8 +27,8 @@
# setroubleshootd local policy
#
@@ -10343,9 +9866,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.2.1/policy/modules/services/snmp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.2.2/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/snmp.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/snmp.te 2007-12-04 11:11:03.000000000 -0500
@@ -81,8 +81,7 @@
files_read_usr_files(snmpd_t)
files_read_etc_runtime_files(snmpd_t)
@@ -10356,9 +9879,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp
fs_getattr_all_dirs(snmpd_t)
fs_getattr_all_fs(snmpd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.fc serefpolicy-3.2.1/policy/modules/services/soundserver.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.fc serefpolicy-3.2.2/policy/modules/services/soundserver.fc
--- nsaserefpolicy/policy/modules/services/soundserver.fc 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/soundserver.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/soundserver.fc 2007-12-04 11:11:03.000000000 -0500
@@ -1,5 +1,3 @@
-/etc/nas(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
-/etc/yiff(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
@@ -10372,9 +9895,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
+/var/run/nasd(/.*)? gen_context(system_u:object_r:soundd_var_run_t,s0)
+
/var/state/yiff(/.*)? gen_context(system_u:object_r:soundd_state_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.te serefpolicy-3.2.1/policy/modules/services/soundserver.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.te serefpolicy-3.2.2/policy/modules/services/soundserver.te
--- nsaserefpolicy/policy/modules/services/soundserver.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/soundserver.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/soundserver.te 2007-12-04 11:11:03.000000000 -0500
@@ -10,9 +10,6 @@
type soundd_exec_t;
init_daemon_domain(soundd_t,soundd_exec_t)
@@ -10435,18 +9958,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
seutil_sigchld_newrole(soundd_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.2.1/policy/modules/services/spamassassin.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.2.2/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/spamassassin.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/spamassassin.fc 2007-12-04 11:11:03.000000000 -0500
@@ -1,4 +1,4 @@
-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:user_spamassassin_home_t,s0)
/usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0)
/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.2.1/policy/modules/services/spamassassin.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.2.2/policy/modules/services/spamassassin.if
--- nsaserefpolicy/policy/modules/services/spamassassin.if 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/spamassassin.if 2007-12-01 07:44:50.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/spamassassin.if 2007-12-04 11:11:03.000000000 -0500
@@ -38,6 +38,8 @@
gen_require(`
type spamc_exec_t, spamassassin_exec_t;
@@ -10572,9 +10095,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
+
+ stream_connect_pattern($1,spamd_var_run_t,spamd_var_run_t,spamd_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.2.1/policy/modules/services/spamassassin.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.2.2/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/spamassassin.te 2007-12-01 07:44:33.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/spamassassin.te 2007-12-04 11:11:03.000000000 -0500
@@ -44,6 +44,15 @@
type spamassassin_exec_t;
application_executable_file(spamassassin_exec_t)
@@ -10617,18 +10140,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
fs_manage_cifs_files(spamd_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.2.1/policy/modules/services/squid.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.2.2/policy/modules/services/squid.fc
--- nsaserefpolicy/policy/modules/services/squid.fc 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/squid.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/squid.fc 2007-12-04 11:11:03.000000000 -0500
@@ -12,3 +12,5 @@
/var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0)
/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
+/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
+/usr/lib64/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.2.1/policy/modules/services/squid.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.2.2/policy/modules/services/squid.if
--- nsaserefpolicy/policy/modules/services/squid.if 2007-05-07 10:32:44.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/squid.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/squid.if 2007-12-04 11:11:03.000000000 -0500
@@ -131,3 +131,22 @@
interface(`squid_use',`
refpolicywarn(`$0($*) has been deprecated.')
@@ -10652,9 +10175,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
+
+ allow $1 squid_t:unix_stream_socket { getattr read write };
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.2.1/policy/modules/services/squid.te
---- nsaserefpolicy/policy/modules/services/squid.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/squid.te 2007-11-30 11:23:56.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.2.2/policy/modules/services/squid.te
+--- nsaserefpolicy/policy/modules/services/squid.te 2007-12-04 11:02:50.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/squid.te 2007-12-04 11:51:47.000000000 -0500
@@ -36,7 +36,7 @@
# Local policy
#
@@ -10681,7 +10204,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
selinux_dontaudit_getattr_dir(squid_t)
-@@ -149,11 +152,7 @@
+@@ -148,11 +151,7 @@
')
optional_policy(`
@@ -10694,7 +10217,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
')
optional_policy(`
-@@ -176,7 +175,12 @@
+@@ -167,7 +166,12 @@
udev_read_db(squid_t)
')
@@ -10711,18 +10234,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
+ corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
+ corenet_all_recvfrom_netlabel(httpd_squid_script_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.2.1/policy/modules/services/ssh.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.2.2/policy/modules/services/ssh.fc
--- nsaserefpolicy/policy/modules/services/ssh.fc 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/ssh.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/ssh.fc 2007-12-04 11:11:03.000000000 -0500
@@ -1,4 +1,4 @@
-HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ROLE_home_ssh_t,s0)
+HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:user_ssh_home_t,s0)
/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
/etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.2.1/policy/modules/services/ssh.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.2.2/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2007-07-23 10:20:13.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/ssh.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/ssh.if 2007-12-04 11:11:03.000000000 -0500
@@ -36,6 +36,7 @@
gen_require(`
attribute ssh_server;
@@ -10882,9 +10405,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
dontaudit $1 sshd_key_t:file { getattr read };
')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.2.1/policy/modules/services/ssh.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.2.2/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/ssh.te 2007-11-30 11:38:23.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/ssh.te 2007-12-04 11:11:03.000000000 -0500
@@ -24,7 +24,7 @@
# Type for the ssh-agent executable.
@@ -10941,43 +10464,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
unconfined_shell_domtrans(sshd_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-3.2.1/policy/modules/services/stunnel.te
---- nsaserefpolicy/policy/modules/services/stunnel.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/stunnel.te 2007-11-30 11:23:56.000000000 -0500
-@@ -68,6 +68,8 @@
-
- fs_getattr_all_fs(stunnel_t)
-
-+auth_use_nsswitch(stunnel_t)
-+
- libs_use_ld_so(stunnel_t)
- libs_use_shared_libs(stunnel_t)
-
-@@ -112,14 +114,6 @@
- optional_policy(`
- kerberos_use(stunnel_t)
- ')
--
-- optional_policy(`
-- nis_use_ypbind(stunnel_t)
-- ')
--
-- optional_policy(`
-- nscd_socket_use(stunnel_t)
-- ')
- ')
-
- # hack since this port has no interfaces since it doesnt
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.2.1/policy/modules/services/telnet.te
---- nsaserefpolicy/policy/modules/services/telnet.te 2007-07-16 14:09:46.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/telnet.te 2007-11-30 11:23:56.000000000 -0500
-@@ -32,12 +32,13 @@
- allow telnetd_t self:udp_socket create_socket_perms;
- # for identd; cjp: this should probably only be inetd_child rules?
- allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
--allow telnetd_t self:netlink_route_socket r_netlink_socket_perms;
- allow telnetd_t self:capability { setuid setgid };
-
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.2.2/policy/modules/services/telnet.te
+--- nsaserefpolicy/policy/modules/services/telnet.te 2007-12-04 11:02:50.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/telnet.te 2007-12-04 11:44:45.000000000 -0500
+@@ -37,6 +37,8 @@
allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr };
term_create_pty(telnetd_t,telnetd_devpts_t)
@@ -10986,12 +10476,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln
manage_dirs_pattern(telnetd_t,telnetd_tmp_t,telnetd_tmp_t)
manage_files_pattern(telnetd_t,telnetd_tmp_t,telnetd_tmp_t)
files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })
-@@ -62,10 +63,12 @@
-
- fs_getattr_xattr_fs(telnetd_t)
-
-+auth_use_nsswitch(telnetd_t)
- auth_rw_login_records(telnetd_t)
+@@ -66,6 +68,7 @@
corecmd_search_bin(telnetd_t)
@@ -10999,13 +10484,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln
files_read_etc_files(telnetd_t)
files_read_etc_runtime_files(telnetd_t)
# for identd; cjp: this should probably only be inetd_child rules?
-@@ -80,27 +83,26 @@
+@@ -80,17 +83,26 @@
miscfiles_read_localization(telnetd_t)
-seutil_dontaudit_search_config(telnetd_t)
--
--sysnet_read_config(telnetd_t)
+seutil_read_config(telnetd_t)
remotelogin_domtrans(telnetd_t)
@@ -11019,68 +10502,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln
+ kerberos_manage_host_rcache(telnetd_t)
')
--optional_policy(`
-- nis_use_ypbind(telnetd_t)
+-ifdef(`TODO',`
+-# Allow krb5 telnetd to use fork and open /dev/tty for use
+-allow telnetd_t userpty_type:chr_file setattr;
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(telnetd_t)
+ fs_manage_nfs_files(telnetd_t)
')
-
--optional_policy(`
-- nscd_socket_use(telnetd_t)
++
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(telnetd_t)
+ fs_manage_cifs_files(telnetd_t)
- ')
-
--ifdef(`TODO',`
--# Allow krb5 telnetd to use fork and open /dev/tty for use
--allow telnetd_t userpty_type:chr_file setattr;
--')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.fc serefpolicy-3.2.1/policy/modules/services/tftp.fc
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.fc serefpolicy-3.2.2/policy/modules/services/tftp.fc
--- nsaserefpolicy/policy/modules/services/tftp.fc 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/tftp.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/tftp.fc 2007-12-04 11:11:03.000000000 -0500
@@ -4,3 +4,4 @@
/tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0)
/tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0)
+/var/lib/tftp(/.*)? gen_context(system_u:object_r:tftpdir_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.2.1/policy/modules/services/uucp.te
---- nsaserefpolicy/policy/modules/services/uucp.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/uucp.te 2007-11-30 11:23:56.000000000 -0500
-@@ -88,6 +88,8 @@
- files_search_home(uucpd_t)
- files_search_spool(uucpd_t)
-
-+auth_use_nsswitch(uucpd_t)
-+
- libs_use_ld_so(uucpd_t)
- libs_use_shared_libs(uucpd_t)
-
-@@ -95,20 +97,10 @@
-
- miscfiles_read_localization(uucpd_t)
-
--sysnet_read_config(uucpd_t)
--
- optional_policy(`
- kerberos_use(uucpd_t)
- ')
-
--optional_policy(`
-- nis_use_ypbind(uucpd_t)
--')
--
--optional_policy(`
-- nscd_socket_use(uucpd_t)
--')
--
- ########################################
- #
- # UUX Local policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uwimap.te serefpolicy-3.2.1/policy/modules/services/uwimap.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uwimap.te serefpolicy-3.2.2/policy/modules/services/uwimap.te
--- nsaserefpolicy/policy/modules/services/uwimap.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/uwimap.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/uwimap.te 2007-12-04 11:11:03.000000000 -0500
@@ -64,6 +64,7 @@
fs_search_auto_mountpoints(imapd_t)
@@ -11089,20 +10534,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uwim
libs_use_ld_so(imapd_t)
libs_use_shared_libs(imapd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.fc serefpolicy-3.2.1/policy/modules/services/w3c.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.fc serefpolicy-3.2.2/policy/modules/services/w3c.fc
--- nsaserefpolicy/policy/modules/services/w3c.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/w3c.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/w3c.fc 2007-12-04 11:11:03.000000000 -0500
@@ -0,0 +1,2 @@
+/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_content_t,s0)
+/usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.if serefpolicy-3.2.1/policy/modules/services/w3c.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.if serefpolicy-3.2.2/policy/modules/services/w3c.if
--- nsaserefpolicy/policy/modules/services/w3c.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/w3c.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/w3c.if 2007-12-04 11:11:03.000000000 -0500
@@ -0,0 +1 @@
+## <summary>W3C</summary>
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.2.1/policy/modules/services/w3c.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.2.2/policy/modules/services/w3c.te
--- nsaserefpolicy/policy/modules/services/w3c.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/services/w3c.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/w3c.te 2007-12-04 11:11:03.000000000 -0500
@@ -0,0 +1,14 @@
+policy_module(w3c,1.2.1)
+
@@ -11118,9 +10563,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.
+corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)
+
+miscfiles_read_certs(httpd_w3c_validator_script_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.2.1/policy/modules/services/xserver.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.2.2/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2007-10-15 16:11:05.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/xserver.fc 2007-11-30 11:27:15.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/xserver.fc 2007-12-04 11:11:03.000000000 -0500
@@ -1,13 +1,13 @@
#
# HOME_DIR
@@ -11187,18 +10632,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifdef(`distro_suse',`
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.1/policy/modules/services/xserver.if
---- nsaserefpolicy/policy/modules/services/xserver.if 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/xserver.if 2007-11-30 11:23:56.000000000 -0500
-@@ -58,7 +58,6 @@
- allow $1_xserver_t self:msg { send receive };
- allow $1_xserver_t self:unix_dgram_socket { create_socket_perms sendto };
- allow $1_xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
-- allow $1_xserver_t self:netlink_route_socket r_netlink_socket_perms;
- allow $1_xserver_t self:tcp_socket create_stream_socket_perms;
- allow $1_xserver_t self:udp_socket create_socket_perms;
-
-@@ -116,8 +115,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.2/policy/modules/services/xserver.if
+--- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/xserver.if 2007-12-04 12:04:16.000000000 -0500
+@@ -115,8 +115,7 @@
dev_rw_agp($1_xserver_t)
dev_rw_framebuffer($1_xserver_t)
dev_manage_dri_dev($1_xserver_t)
@@ -11208,7 +10645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# raw memory access is needed if not using the frame buffer
dev_read_raw_memory($1_xserver_t)
dev_wx_raw_memory($1_xserver_t)
-@@ -126,8 +124,12 @@
+@@ -125,8 +124,12 @@
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev($1_xserver_t)
dev_rwx_zero($1_xserver_t)
@@ -11221,15 +10658,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_read_etc_files($1_xserver_t)
files_read_etc_runtime_files($1_xserver_t)
-@@ -141,10 +143,16 @@
+@@ -140,12 +143,16 @@
fs_getattr_xattr_fs($1_xserver_t)
fs_search_nfs($1_xserver_t)
fs_search_auto_mountpoints($1_xserver_t)
- fs_search_ramfs($1_xserver_t)
+ fs_manage_ramfs_files($1_xserver_t)
+ fs_list_inotifyfs($1_xserver_t)
-+
-+ auth_use_nsswitch($1_xserver_t)
+
+ auth_use_nsswitch($1_xserver_t)
init_getpgid($1_xserver_t)
@@ -11239,31 +10676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
term_setattr_unallocated_ttys($1_xserver_t)
term_use_unallocated_ttys($1_xserver_t)
-@@ -160,8 +168,6 @@
-
- seutil_dontaudit_search_config($1_xserver_t)
-
-- sysnet_read_config($1_xserver_t)
--
- ifndef(`distro_redhat',`
- allow $1_xserver_t self:process { execmem execheap execstack };
- ')
-@@ -179,14 +185,6 @@
- ')
-
- optional_policy(`
-- nis_use_ypbind($1_xserver_t)
-- ')
--
-- optional_policy(`
-- nscd_socket_use($1_xserver_t)
-- ')
--
-- optional_policy(`
- rhgb_getpgid($1_xserver_t)
- rhgb_signal($1_xserver_t)
- ')
-@@ -241,39 +239,26 @@
+@@ -232,39 +239,26 @@
# Declarations
#
@@ -11310,7 +10723,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
##############################
#
# $1_xserver_t Local policy
-@@ -281,12 +266,15 @@
+@@ -272,12 +266,15 @@
domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
@@ -11327,7 +10740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t)
manage_files_pattern($2,$1_fonts_t,$1_fonts_t)
-@@ -316,6 +304,7 @@
+@@ -307,6 +304,7 @@
userdom_use_user_ttys($1,$1_xserver_t)
userdom_setattr_user_ttys($1,$1_xserver_t)
userdom_rw_user_tmpfs_files($1,$1_xserver_t)
@@ -11335,7 +10748,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_use_user_fonts($1,$1_xserver_t)
xserver_rw_xdm_tmp_files($1_xauth_t)
-@@ -339,12 +328,12 @@
+@@ -330,12 +328,12 @@
allow $1_xauth_t self:process signal;
allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
@@ -11353,7 +10766,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
-@@ -353,12 +342,6 @@
+@@ -344,12 +342,6 @@
# allow ps to show xauth
ps_process_pattern($2,$1_xauth_t)
@@ -11366,7 +10779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
domain_use_interactive_fds($1_xauth_t)
files_read_etc_files($1_xauth_t)
-@@ -387,6 +370,14 @@
+@@ -378,6 +370,14 @@
')
optional_policy(`
@@ -11378,10 +10791,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ ')
+
+ optional_policy(`
- nis_use_ypbind($1_xauth_t)
- ')
-
-@@ -403,16 +394,16 @@
+ ssh_sigchld($1_xauth_t)
+ ssh_read_pipes($1_xauth_t)
+ ssh_dontaudit_rw_tcp_sockets($1_xauth_t)
+@@ -390,16 +390,16 @@
domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t)
@@ -11403,7 +10816,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
fs_search_auto_mountpoints($1_iceauth_t)
-@@ -536,17 +527,15 @@
+@@ -523,17 +523,15 @@
template(`xserver_user_client_template',`
gen_require(`
@@ -11427,7 +10840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
-@@ -555,25 +544,51 @@
+@@ -542,25 +540,51 @@
allow $2 xdm_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write };
@@ -11487,7 +10900,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
')
-@@ -626,6 +641,24 @@
+@@ -613,6 +637,24 @@
########################################
## <summary>
@@ -11512,7 +10925,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Transition to a user Xauthority domain.
## </summary>
## <desc>
-@@ -659,6 +692,73 @@
+@@ -646,6 +688,73 @@
########################################
## <summary>
@@ -11586,7 +10999,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Transition to a user Xauthority domain.
## </summary>
## <desc>
-@@ -684,10 +784,10 @@
+@@ -671,10 +780,10 @@
#
template(`xserver_user_home_dir_filetrans_user_xauth',`
gen_require(`
@@ -11599,7 +11012,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -873,6 +973,25 @@
+@@ -760,7 +869,7 @@
+ type xconsole_device_t;
+ ')
+
+- allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms;
++ allow $1 xconsole_device_t:fifo_file { getattr read write };
+ ')
+
+ ########################################
+@@ -860,6 +969,25 @@
########################################
## <summary>
@@ -11625,7 +11047,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Read xdm-writable configuration files.
## </summary>
## <param name="domain">
-@@ -927,6 +1046,7 @@
+@@ -914,6 +1042,7 @@
files_search_tmp($1)
allow $1 xdm_tmp_t:dir list_dir_perms;
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@@ -11633,7 +11055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -987,6 +1107,37 @@
+@@ -974,6 +1103,37 @@
########################################
## <summary>
@@ -11671,7 +11093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
-@@ -1136,7 +1287,7 @@
+@@ -1123,7 +1283,7 @@
type xdm_xserver_tmp_t;
')
@@ -11680,7 +11102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -1325,3 +1476,45 @@
+@@ -1312,3 +1472,45 @@
files_search_tmp($1)
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
')
@@ -11726,9 +11148,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.2.1/policy/modules/services/xserver.te
---- nsaserefpolicy/policy/modules/services/xserver.te 2007-10-15 16:11:05.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/services/xserver.te 2007-12-03 19:02:05.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.2.2/policy/modules/services/xserver.te
+--- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-04 11:02:50.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/services/xserver.te 2007-12-04 11:11:03.000000000 -0500
@@ -16,6 +16,13 @@
## <desc>
@@ -12059,9 +11481,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
-#
-allow pam_t xdm_t:fifo_file { getattr ioctl write };
-') dnl end TODO
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.2.1/policy/modules/system/authlogin.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.2.2/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc 2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/system/authlogin.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/authlogin.fc 2007-12-04 11:11:03.000000000 -0500
@@ -41,3 +41,6 @@
/var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0)
@@ -12069,9 +11491,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+/var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.2.1/policy/modules/system/authlogin.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.2.2/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/system/authlogin.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/authlogin.if 2007-12-04 11:11:03.000000000 -0500
@@ -169,6 +169,7 @@
interface(`auth_login_pgm_domain',`
gen_require(`
@@ -12250,9 +11672,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+ read_files_pattern($1, auth_cache_t, auth_cache_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.2.1/policy/modules/system/authlogin.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.2.2/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/system/authlogin.te 2007-12-03 18:47:11.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/authlogin.te 2007-12-04 11:11:03.000000000 -0500
@@ -59,6 +59,9 @@
type utempter_exec_t;
application_domain(utempter_t,utempter_exec_t)
@@ -12320,9 +11742,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
xserver_use_xdm_fds(utempter_t)
xserver_rw_xdm_pipes(utempter_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.2.1/policy/modules/system/fstools.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.2.2/policy/modules/system/fstools.fc
--- nsaserefpolicy/policy/modules/system/fstools.fc 2007-09-26 12:15:01.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/system/fstools.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/fstools.fc 2007-12-04 11:11:03.000000000 -0500
@@ -1,4 +1,3 @@
-/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -12336,9 +11758,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-3.2.1/policy/modules/system/fstools.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-3.2.2/policy/modules/system/fstools.if
--- nsaserefpolicy/policy/modules/system/fstools.if 2007-08-22 17:33:53.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/system/fstools.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/fstools.if 2007-12-04 11:11:03.000000000 -0500
@@ -142,3 +142,20 @@
allow $1 swapfile_t:file getattr;
@@ -12360,9 +11782,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
+ ')
+ fs_manage_nfs_files(fsadm_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.2.1/policy/modules/system/fstools.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.2.2/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te 2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/system/fstools.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/fstools.te 2007-12-04 11:11:03.000000000 -0500
@@ -109,8 +109,7 @@
term_use_console(fsadm_t)
@@ -12379,9 +11801,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
xen_append_log(fsadm_t)
+ xen_rw_image_files(fsadm_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.2.1/policy/modules/system/getty.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.2.2/policy/modules/system/getty.te
--- nsaserefpolicy/policy/modules/system/getty.te 2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/system/getty.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/getty.te 2007-12-04 11:11:03.000000000 -0500
@@ -33,7 +33,8 @@
#
@@ -12392,9 +11814,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.
dontaudit getty_t self:capability sys_tty_config;
allow getty_t self:process { getpgid setpgid getsession signal_perms };
allow getty_t self:fifo_file rw_fifo_file_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.2.1/policy/modules/system/hostname.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.2.2/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te 2007-01-02 12:57:49.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/system/hostname.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/hostname.te 2007-12-04 11:11:03.000000000 -0500
@@ -8,7 +8,9 @@
type hostname_t;
@@ -12418,9 +11840,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna
+optional_policy(`
+ unconfined_dontaudit_rw_pipes(hostname_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.2.1/policy/modules/system/hotplug.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.2.2/policy/modules/system/hotplug.te
--- nsaserefpolicy/policy/modules/system/hotplug.te 2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/system/hotplug.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/hotplug.te 2007-12-04 11:11:03.000000000 -0500
@@ -179,6 +179,7 @@
sysnet_read_dhcpc_pid(hotplug_t)
sysnet_rw_dhcp_config(hotplug_t)
@@ -12429,9 +11851,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.2.1/policy/modules/system/init.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.2.2/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/system/init.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/init.if 2007-12-04 11:11:03.000000000 -0500
@@ -211,6 +211,13 @@
kernel_dontaudit_use_fds($1)
')
@@ -12673,9 +12095,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+ domain_entry_file(initrc_t,$1)
+
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.2.1/policy/modules/system/init.te
---- nsaserefpolicy/policy/modules/system/init.te 2007-10-29 07:52:50.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/system/init.te 2007-11-30 15:05:52.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.2.2/policy/modules/system/init.te
+--- nsaserefpolicy/policy/modules/system/init.te 2007-12-04 11:02:50.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/init.te 2007-12-04 11:46:20.000000000 -0500
@@ -10,6 +10,20 @@
# Declarations
#
@@ -12753,12 +12175,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
-@@ -196,15 +212,13 @@
- allow initrc_t self:tcp_socket create_stream_socket_perms;
- allow initrc_t self:udp_socket create_socket_perms;
- allow initrc_t self:fifo_file rw_file_perms;
--allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
-
+@@ -200,10 +216,9 @@
allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
term_create_pty(initrc_t,initrc_devpts_t)
@@ -12771,7 +12188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t)
manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
-@@ -283,7 +297,6 @@
+@@ -282,7 +297,6 @@
mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
@@ -12779,16 +12196,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
selinux_get_enforce_mode(initrc_t)
-@@ -365,7 +378,7 @@
-
- seutil_read_config(initrc_t)
-
--sysnet_read_config(initrc_t)
-+auth_use_nsswitch(initrc_t)
-
- userdom_read_all_users_home_content_files(initrc_t)
- # Allow access to the sysadm TTYs. Note that this will give access to the
-@@ -496,6 +509,31 @@
+@@ -495,6 +509,31 @@
')
')
@@ -12820,7 +12228,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -631,12 +669,6 @@
+@@ -630,12 +669,6 @@
mta_read_config(initrc_t)
mta_dontaudit_read_spool_symlinks(initrc_t)
')
@@ -12833,23 +12241,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
ifdef(`distro_redhat',`
-@@ -648,15 +680,10 @@
- ')
-
- optional_policy(`
-- nis_use_ypbind(initrc_t)
- nis_list_var_yp(initrc_t)
- ')
-
- optional_policy(`
-- nscd_socket_use(initrc_t)
--')
--
--optional_policy(`
- openvpn_read_config(initrc_t)
- ')
-
-@@ -702,6 +729,9 @@
+@@ -696,6 +729,9 @@
# why is this needed:
rpm_manage_db(initrc_t)
@@ -12859,7 +12251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -749,6 +779,10 @@
+@@ -743,6 +779,10 @@
')
optional_policy(`
@@ -12870,9 +12262,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
vmware_read_system_config(initrc_t)
vmware_append_system_config(initrc_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.2.1/policy/modules/system/libraries.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.2.2/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/system/libraries.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/libraries.fc 2007-12-04 11:11:03.000000000 -0500
@@ -65,11 +65,15 @@
/opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -12949,9 +12341,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
+/usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/Adobe/Reader8/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.2.1/policy/modules/system/libraries.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.2.2/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/system/libraries.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/libraries.te 2007-12-04 11:11:03.000000000 -0500
@@ -23,6 +23,9 @@
init_system_domain(ldconfig_t,ldconfig_exec_t)
role system_r types ldconfig_t;
@@ -13004,9 +12396,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
+ # smart package manager needs the following for the same reason
+ rpm_rw_tmp_files(ldconfig_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.2.1/policy/modules/system/locallogin.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.2.2/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te 2007-10-29 07:52:50.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/system/locallogin.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/locallogin.te 2007-12-04 11:11:03.000000000 -0500
@@ -25,7 +25,6 @@
domain_role_change_exemption(sulogin_t)
domain_interactive_fd(sulogin_t)
@@ -13044,9 +12436,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.2.1/policy/modules/system/logging.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.2.2/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2007-11-06 09:18:37.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/system/logging.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/logging.fc 2007-12-04 11:11:03.000000000 -0500
@@ -29,6 +29,11 @@
/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
@@ -13075,9 +12467,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+
+/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_script_exec_t,s0)
+/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_script_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.2.1/policy/modules/system/logging.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.2.2/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2007-11-06 09:51:43.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/system/logging.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/logging.if 2007-12-04 11:11:03.000000000 -0500
@@ -577,6 +577,8 @@
files_search_var($1)
manage_files_pattern($1,logfile,logfile)
@@ -13174,9 +12566,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+ init_script_domtrans_spec($1,auditd_script_exec_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.2.1/policy/modules/system/logging.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.2.2/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2007-11-06 09:18:37.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/system/logging.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/logging.te 2007-12-04 11:11:03.000000000 -0500
@@ -61,6 +61,12 @@
logging_log_file(var_log_t)
files_mountpoint(var_log_t)
@@ -13198,9 +12590,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
domain_use_interactive_fds(klogd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.2.1/policy/modules/system/lvm.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.2.2/policy/modules/system/lvm.fc
--- nsaserefpolicy/policy/modules/system/lvm.fc 2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/system/lvm.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/lvm.fc 2007-12-04 11:11:03.000000000 -0500
@@ -15,6 +15,7 @@
#
/etc/lvm(/.*)? gen_context(system_u:object_r:lvm_etc_t,s0)
@@ -13209,9 +12601,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc
/etc/lvm/archive(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
/etc/lvm/backup(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
/etc/lvm/lock(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.2.1/policy/modules/system/lvm.te
---- nsaserefpolicy/policy/modules/system/lvm.te 2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/system/lvm.te 2007-11-30 11:23:56.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.2.2/policy/modules/system/lvm.te
+--- nsaserefpolicy/policy/modules/system/lvm.te 2007-12-04 11:02:50.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/lvm.te 2007-12-04 11:46:49.000000000 -0500
@@ -44,9 +44,9 @@
# Cluster LVM daemon local policy
#
@@ -13224,7 +12616,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
dontaudit clvmd_t self:process ptrace;
allow clvmd_t self:socket create_socket_perms;
allow clvmd_t self:fifo_file rw_fifo_file_perms;
-@@ -54,11 +54,15 @@
+@@ -54,6 +54,8 @@
allow clvmd_t self:tcp_socket create_stream_socket_perms;
allow clvmd_t self:udp_socket create_socket_perms;
@@ -13233,14 +12625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
manage_files_pattern(clvmd_t,clvmd_var_run_t,clvmd_var_run_t)
files_pid_filetrans(clvmd_t,clvmd_var_run_t,file)
- read_files_pattern(clvmd_t,lvm_metadata_t,lvm_metadata_t)
-
-+auth_use_nsswitch(clvmd_t)
-+
- kernel_read_kernel_sysctls(clvmd_t)
- kernel_read_system_state(clvmd_t)
- kernel_list_proc(clvmd_t)
-@@ -85,10 +89,15 @@
+@@ -85,10 +87,15 @@
corenet_sendrecv_generic_server_packets(clvmd_t)
dev_read_sysfs(clvmd_t)
@@ -13256,7 +12641,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
files_read_etc_files(clvmd_t)
files_list_usr(clvmd_t)
-@@ -99,9 +108,12 @@
+@@ -99,9 +106,12 @@
fs_dontaudit_read_removable_files(clvmd_t)
storage_dontaudit_getattr_removable_dev(clvmd_t)
@@ -13268,31 +12653,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
+storage_relabel_fixed_disk(clvmd_t)
storage_raw_read_fixed_disk(clvmd_t)
- libs_use_ld_so(clvmd_t)
-@@ -113,8 +125,9 @@
+ auth_use_nsswitch(clvmd_t)
+@@ -115,6 +125,9 @@
seutil_dontaudit_search_config(clvmd_t)
seutil_sigchld_newrole(clvmd_t)
--
--sysnet_read_config(clvmd_t)
+seutil_read_config(clvmd_t)
+seutil_read_file_contexts(clvmd_t)
+seutil_search_default_contexts(clvmd_t)
userdom_dontaudit_use_unpriv_user_fds(clvmd_t)
userdom_dontaudit_search_sysadm_home_dirs(clvmd_t)
-@@ -131,10 +144,6 @@
- ')
-
- optional_policy(`
-- nis_use_ypbind(clvmd_t)
--')
--
--optional_policy(`
- ricci_dontaudit_rw_modcluster_pipes(clvmd_t)
- ricci_dontaudit_use_modcluster_fds(clvmd_t)
- ')
-@@ -150,7 +159,8 @@
+@@ -146,7 +159,8 @@
# DAC overrides and mknod for modifying /dev entries (vgmknodes)
# rawio needed for dmraid
@@ -13302,7 +12674,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
dontaudit lvm_t self:capability sys_tty_config;
allow lvm_t self:process { sigchld sigkill sigstop signull signal };
# LVM will complain a lot if it cannot set its priority.
-@@ -160,7 +170,8 @@
+@@ -156,7 +170,8 @@
allow lvm_t self:unix_dgram_socket create_socket_perms;
allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -13312,7 +12684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
manage_dirs_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t)
manage_files_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t)
-@@ -192,6 +203,7 @@
+@@ -188,6 +203,7 @@
manage_files_pattern(lvm_t,lvm_metadata_t,lvm_metadata_t)
filetrans_pattern(lvm_t,lvm_etc_t,lvm_metadata_t,file)
files_etc_filetrans(lvm_t,lvm_metadata_t,file)
@@ -13320,7 +12692,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
kernel_read_system_state(lvm_t)
kernel_read_kernel_sysctls(lvm_t)
-@@ -208,7 +220,6 @@
+@@ -204,7 +220,6 @@
selinux_compute_user_contexts(lvm_t)
dev_create_generic_chr_files(lvm_t)
@@ -13328,7 +12700,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
dev_read_rand(lvm_t)
dev_read_urand(lvm_t)
dev_rw_lvm_control(lvm_t)
-@@ -228,6 +239,8 @@
+@@ -224,6 +239,8 @@
dev_dontaudit_getattr_generic_blk_files(lvm_t)
dev_dontaudit_getattr_generic_pipes(lvm_t)
dev_create_generic_dirs(lvm_t)
@@ -13337,7 +12709,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
fs_getattr_xattr_fs(lvm_t)
fs_search_auto_mountpoints(lvm_t)
-@@ -246,6 +259,7 @@
+@@ -242,6 +259,7 @@
storage_dev_filetrans_fixed_disk(lvm_t)
# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
storage_manage_fixed_disk(lvm_t)
@@ -13345,7 +12717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
term_getattr_all_user_ttys(lvm_t)
term_list_ptys(lvm_t)
-@@ -254,6 +268,7 @@
+@@ -250,6 +268,7 @@
domain_use_interactive_fds(lvm_t)
@@ -13353,7 +12725,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
files_read_etc_files(lvm_t)
files_read_etc_runtime_files(lvm_t)
# for when /usr is not mounted:
-@@ -275,6 +290,8 @@
+@@ -271,6 +290,8 @@
seutil_search_default_contexts(lvm_t)
seutil_sigchld_newrole(lvm_t)
@@ -13362,7 +12734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
ifdef(`distro_redhat',`
# this is from the initrd:
files_rw_isid_type_dirs(lvm_t)
-@@ -293,5 +310,14 @@
+@@ -289,5 +310,14 @@
')
optional_policy(`
@@ -13377,9 +12749,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
+ xen_append_log(lvm_t)
+ xen_dontaudit_rw_unix_stream_sockets(lvm_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.2.1/policy/modules/system/modutils.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.2.2/policy/modules/system/modutils.if
--- nsaserefpolicy/policy/modules/system/modutils.if 2007-03-26 10:39:07.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/system/modutils.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/modutils.if 2007-12-04 11:11:03.000000000 -0500
@@ -66,6 +66,25 @@
########################################
@@ -13406,9 +12778,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
## Unconditionally execute insmod in the insmod domain.
## </summary>
## <param name="domain">
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.2.1/policy/modules/system/modutils.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.2.2/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/system/modutils.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/modutils.te 2007-12-04 11:11:03.000000000 -0500
@@ -42,7 +42,7 @@
# insmod local policy
#
@@ -13511,17 +12883,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.2.1/policy/modules/system/mount.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.2.2/policy/modules/system/mount.fc
--- nsaserefpolicy/policy/modules/system/mount.fc 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/system/mount.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/mount.fc 2007-12-04 11:11:03.000000000 -0500
@@ -1,4 +1,2 @@
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
-
-/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.2.1/policy/modules/system/mount.te
---- nsaserefpolicy/policy/modules/system/mount.te 2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/system/mount.te 2007-11-30 11:24:14.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.2.2/policy/modules/system/mount.te
+--- nsaserefpolicy/policy/modules/system/mount.te 2007-12-04 11:02:50.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/mount.te 2007-12-04 11:47:14.000000000 -0500
@@ -8,7 +8,7 @@
## <desc>
@@ -13553,7 +12925,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
########################################
#
-@@ -36,21 +37,24 @@
+@@ -36,20 +37,22 @@
#
# setuid/setgid needed to mount cifs
@@ -13561,18 +12933,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+allow mount_t self:capability { fsetid ipc_lock sys_rawio sys_resource sys_admin dac_override chown sys_tty_config setuid setgid };
allow mount_t mount_loopback_t:file read_file_perms;
--allow mount_t self:netlink_route_socket r_netlink_socket_perms;
allow mount_t mount_tmp_t:file manage_file_perms;
allow mount_t mount_tmp_t:dir manage_dir_perms;
+files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
--can_exec(mount_t, mount_exec_t)
-+auth_use_nsswitch(mount_t)
+ can_exec(mount_t, mount_exec_t)
-files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
-+can_exec(mount_t, mount_exec_t)
-
+-
+# In order to mount reiserfs_t
+kernel_list_unlabeled(mount_t)
kernel_read_system_state(mount_t)
@@ -13582,7 +12951,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
dev_getattr_all_blk_files(mount_t)
dev_list_all_dev_nodes(mount_t)
-@@ -63,6 +67,7 @@
+@@ -62,6 +65,7 @@
storage_raw_write_fixed_disk(mount_t)
storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)
@@ -13590,31 +12959,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
fs_getattr_xattr_fs(mount_t)
fs_getattr_cifs(mount_t)
-@@ -101,6 +106,8 @@
+@@ -100,6 +104,8 @@
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
+init_stream_connect_script(mount_t)
+init_rw_script_stream_sockets(mount_t)
- libs_use_ld_so(mount_t)
- libs_use_shared_libs(mount_t)
-@@ -159,13 +166,9 @@
+ auth_use_nsswitch(mount_t)
+@@ -161,6 +167,8 @@
fs_search_rpc(mount_t)
-- sysnet_dns_name_resolve(mount_t)
--
rpc_stub(mount_t)
-
-- optional_policy(`
-- nis_use_ypbind(mount_t)
-- ')
++
+ rpc_domtrans_rpcd(mount_t)
')
optional_policy(`
-@@ -189,10 +192,6 @@
+@@ -184,10 +192,6 @@
samba_domtrans_smbmount(mount_t)
')
@@ -13625,7 +12988,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
########################################
#
# Unconfined mount local policy
-@@ -201,4 +200,26 @@
+@@ -196,4 +200,26 @@
optional_policy(`
files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
unconfined_domain(unconfined_mount_t)
@@ -13652,9 +13015,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+ hal_rw_pipes(mount_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.2.1/policy/modules/system/raid.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.2.2/policy/modules/system/raid.te
--- nsaserefpolicy/policy/modules/system/raid.te 2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/system/raid.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/raid.te 2007-12-04 11:11:03.000000000 -0500
@@ -19,7 +19,7 @@
# Local policy
#
@@ -13680,9 +13043,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t
+optional_policy(`
+ unconfined_domain(mdadm_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.2.1/policy/modules/system/selinuxutil.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.2.2/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2007-05-18 11:12:44.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/system/selinuxutil.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/selinuxutil.fc 2007-12-04 11:11:03.000000000 -0500
@@ -38,7 +38,7 @@
/usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0)
/usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0)
@@ -13692,9 +13055,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
/usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
/usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.2.1/policy/modules/system/selinuxutil.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.2.2/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/system/selinuxutil.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/selinuxutil.if 2007-12-04 11:11:03.000000000 -0500
@@ -215,8 +215,6 @@
seutil_domtrans_newrole($1)
role $2 types newrole_t;
@@ -13976,9 +13339,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+ rpm_dontaudit_rw_pipes($1)
+ ')
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.2.1/policy/modules/system/selinuxutil.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.2.2/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/system/selinuxutil.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/selinuxutil.te 2007-12-04 11:47:51.000000000 -0500
@@ -75,7 +75,6 @@
type restorecond_exec_t;
init_daemon_domain(restorecond_t,restorecond_exec_t)
@@ -14051,15 +13414,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
logging_send_syslog_msg(newrole_t)
miscfiles_read_localization(newrole_t)
-@@ -299,6 +300,8 @@
- allow restorecond_t restorecond_var_run_t:file manage_file_perms;
- files_pid_filetrans(restorecond_t,restorecond_var_run_t, file)
+@@ -318,6 +319,8 @@
+ auth_read_all_files_except_shadow(restorecond_t)
+ auth_use_nsswitch(restorecond_t)
+auth_use_nsswitch(restorecond_t)
+
- kernel_use_fds(restorecond_t)
- kernel_rw_pipes(restorecond_t)
- kernel_read_system_state(restorecond_t)
+ libs_use_ld_so(restorecond_t)
+ libs_use_shared_libs(restorecond_t)
+
@@ -329,6 +332,8 @@
seutil_libselinux_linked(restorecond_t)
@@ -14267,9 +13630,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
optional_policy(`
hotplug_use_fds(setfiles_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.2.1/policy/modules/system/sysnetwork.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.2.2/policy/modules/system/sysnetwork.fc
--- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/system/sysnetwork.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/sysnetwork.fc 2007-12-04 11:11:03.000000000 -0500
@@ -52,8 +52,7 @@
/var/lib/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
/var/lib/dhclient(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
@@ -14280,9 +13643,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
ifdef(`distro_gentoo',`
/var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.2.1/policy/modules/system/sysnetwork.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.2.2/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2007-07-16 14:09:49.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/system/sysnetwork.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/sysnetwork.if 2007-12-04 11:11:03.000000000 -0500
@@ -145,6 +145,25 @@
########################################
@@ -14353,9 +13716,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
+ dontaudit $1 dhcpc_t:fd use;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.2.1/policy/modules/system/sysnetwork.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.2.2/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2007-10-29 07:52:50.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/system/sysnetwork.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/sysnetwork.te 2007-12-04 11:11:03.000000000 -0500
@@ -45,7 +45,7 @@
dontaudit dhcpc_t self:capability sys_tty_config;
# for access("/etc/bashrc", X_OK) on Red Hat
@@ -14486,10 +13849,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
kernel_read_xen_state(ifconfig_t)
kernel_write_xen_state(ifconfig_t)
xen_append_log(ifconfig_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.2.1/policy/modules/system/udev.te
---- nsaserefpolicy/policy/modules/system/udev.te 2007-11-15 13:40:14.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/system/udev.te 2007-11-30 11:23:56.000000000 -0500
-@@ -186,6 +186,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.2.2/policy/modules/system/udev.te
+--- nsaserefpolicy/policy/modules/system/udev.te 2007-12-04 11:02:50.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/udev.te 2007-12-04 11:11:03.000000000 -0500
+@@ -96,9 +96,6 @@
+ dev_delete_generic_files(udev_t)
+ dev_search_usbfs(udev_t)
+ dev_relabel_all_dev_nodes(udev_t)
+-# udev_node.c/node_symlink() symlink labels are explicitly
+-# preserved, instead of short circuiting the relabel
+-dev_relabel_generic_symlinks(udev_t)
+
+ domain_read_all_domains_state(udev_t)
+ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
+@@ -189,6 +186,7 @@
optional_policy(`
alsa_domtrans(udev_t)
@@ -14497,19 +13870,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
alsa_read_rw_config(udev_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.2.1/policy/modules/system/unconfined.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.2.2/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/system/unconfined.fc 2007-12-03 13:36:12.000000000 -0500
-@@ -10,3 +10,6 @@
++++ serefpolicy-3.2.2/policy/modules/system/unconfined.fc 2007-12-04 11:30:32.000000000 -0500
+@@ -10,3 +10,7 @@
/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/rhythmbox -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.2.1/policy/modules/system/unconfined.if
++/usr/bin/livecd-creator -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.2.2/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-11-16 15:30:49.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/system/unconfined.if 2007-12-03 13:19:33.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/unconfined.if 2007-12-04 11:11:03.000000000 -0500
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@@ -14757,9 +14131,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
- allow $1 unconfined_tmp_t:file { getattr write append };
+ allow $1 unconfined_t:process getpgid;
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.1/policy/modules/system/unconfined.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.2/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-11-16 15:30:49.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/system/unconfined.te 2007-12-03 13:35:11.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/unconfined.te 2007-12-04 11:11:03.000000000 -0500
@@ -9,32 +9,46 @@
# usage in this module of types created by these
# calls is not correct, however we dont currently
@@ -14986,9 +14360,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+allow unconfined_notrans_t self:process { execstack execmem };
+unconfined_domain_noaudit(unconfined_notrans_t)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.2.1/policy/modules/system/userdomain.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.2.2/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/system/userdomain.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/userdomain.fc 2007-12-04 11:11:03.000000000 -0500
@@ -1,4 +1,5 @@
-HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh)
-HOME_DIR/.+ gen_context(system_u:object_r:ROLE_home_t,s0)
@@ -14999,9 +14373,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
+/tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0)
+/root(/.*) gen_context(system_u:object_r:admin_home_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.1/policy/modules/system/userdomain.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.2/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/system/userdomain.if 2007-12-01 08:14:44.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/userdomain.if 2007-12-04 11:57:51.000000000 -0500
@@ -29,8 +29,9 @@
')
@@ -15013,7 +14387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
domain_type($1_t)
corecmd_shell_entry_type($1_t)
corecmd_bin_entry_type($1_t)
-@@ -45,66 +46,72 @@
+@@ -45,66 +46,70 @@
type $1_tty_device_t;
term_user_tty($1_t,$1_tty_device_t)
@@ -15113,6 +14487,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
- libs_use_ld_so($1_t)
- libs_use_shared_libs($1_t)
- libs_exec_ld_so($1_t)
+-
+- miscfiles_read_localization($1_t)
+- miscfiles_read_certs($1_t)
+ files_dontaudit_list_non_security($1_usertype)
+ files_dontaudit_getattr_non_security_files($1_usertype)
+ files_dontaudit_getattr_non_security_symlinks($1_usertype)
@@ -15128,17 +14505,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ libs_use_shared_libs($1_usertype)
+ libs_exec_ld_so($1_usertype)
-- miscfiles_read_localization($1_t)
-- miscfiles_read_certs($1_t)
+- sysnet_read_config($1_t)
+ miscfiles_read_localization($1_usertype)
+ miscfiles_read_certs($1_usertype)
-- sysnet_read_config($1_t)
-+ sysnet_read_config($1_usertype)
-
tunable_policy(`allow_execmem',`
# Allow loading DSOs that require executable stack.
-@@ -115,6 +122,10 @@
+@@ -115,6 +120,10 @@
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
')
@@ -15149,7 +14522,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
#######################################
-@@ -141,33 +152,13 @@
+@@ -141,33 +150,13 @@
#
template(`userdom_ro_home_template',`
gen_require(`
@@ -15188,7 +14561,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##############################
#
-@@ -175,13 +166,13 @@
+@@ -175,13 +164,13 @@
#
# read-only home directory
@@ -15209,7 +14582,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
files_list_home($1_t)
tunable_policy(`use_nfs_home_dirs',`
-@@ -231,30 +222,14 @@
+@@ -231,30 +220,14 @@
#
template(`userdom_manage_home_template',`
gen_require(`
@@ -15246,7 +14619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##############################
#
-@@ -262,43 +237,43 @@
+@@ -262,43 +235,43 @@
#
# full control of the home directory
@@ -15318,7 +14691,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
')
-@@ -316,14 +291,20 @@
+@@ -316,14 +289,20 @@
## <rolebase/>
#
template(`userdom_exec_home_template',`
@@ -15344,7 +14717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
')
-@@ -341,11 +322,10 @@
+@@ -341,11 +320,10 @@
## <rolebase/>
#
template(`userdom_poly_home_template',`
@@ -15360,7 +14733,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
#######################################
-@@ -369,18 +349,18 @@
+@@ -369,18 +347,18 @@
#
template(`userdom_manage_tmp_template',`
gen_require(`
@@ -15389,7 +14762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
#######################################
-@@ -396,7 +376,13 @@
+@@ -396,7 +374,13 @@
## <rolebase/>
#
template(`userdom_exec_tmp_template',`
@@ -15404,7 +14777,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
#######################################
-@@ -510,10 +496,6 @@
+@@ -510,10 +494,6 @@
## <rolebase/>
#
template(`userdom_exec_generic_pgms_template',`
@@ -15415,7 +14788,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
corecmd_exec_bin($1_t)
')
-@@ -531,9 +513,6 @@
+@@ -531,9 +511,6 @@
## <rolebase/>
#
template(`userdom_basic_networking_template',`
@@ -15425,7 +14798,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
-@@ -548,10 +527,6 @@
+@@ -548,10 +525,6 @@
corenet_udp_sendrecv_all_ports($1_t)
corenet_tcp_connect_all_ports($1_t)
corenet_sendrecv_all_client_packets($1_t)
@@ -15436,7 +14809,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
#######################################
-@@ -568,30 +543,29 @@
+@@ -568,30 +541,29 @@
#
template(`userdom_xwindows_client_template',`
gen_require(`
@@ -15483,7 +14856,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
#######################################
-@@ -728,7 +702,6 @@
+@@ -728,7 +700,6 @@
# for eject
storage_getattr_fixed_disk_dev($1_t)
@@ -15491,7 +14864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
auth_read_login_records($1_t)
auth_search_pam_console_data($1_t)
auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
-@@ -758,10 +731,6 @@
+@@ -758,10 +729,6 @@
dev_read_mouse($1_t)
')
@@ -15502,7 +14875,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
optional_policy(`
alsa_read_rw_config($1_t)
')
-@@ -783,20 +752,20 @@
+@@ -783,20 +750,20 @@
')
optional_policy(`
@@ -15528,7 +14901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
')
-@@ -824,11 +793,18 @@
+@@ -824,11 +791,18 @@
mta_rw_spool($1_t)
')
@@ -15551,7 +14924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
optional_policy(`
-@@ -842,13 +818,6 @@
+@@ -842,13 +816,6 @@
')
optional_policy(`
@@ -15565,7 +14938,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
resmgr_stream_connect($1_t)
')
-@@ -889,6 +858,8 @@
+@@ -889,6 +856,8 @@
## </param>
#
template(`userdom_login_user_template', `
@@ -15574,7 +14947,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
userdom_base_user_template($1)
userdom_manage_home_template($1)
-@@ -917,26 +888,26 @@
+@@ -917,26 +886,26 @@
allow $1_t self:context contains;
@@ -15615,7 +14988,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
auth_dontaudit_write_login_records($1_t)
-@@ -944,43 +915,43 @@
+@@ -944,43 +913,43 @@
# The library functions always try to open read-write first,
# then fall back to read-only if it fails.
@@ -15677,7 +15050,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
')
-@@ -1014,9 +985,6 @@
+@@ -1014,9 +983,6 @@
domain_interactive_fd($1_t)
typeattribute $1_devpts_t user_ptynode;
@@ -15687,7 +15060,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
typeattribute $1_tty_device_t user_ttynode;
##############################
-@@ -1025,12 +993,12 @@
+@@ -1025,12 +991,12 @@
#
# privileged home directory writers
@@ -15706,7 +15079,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
optional_policy(`
loadkeys_run($1_t,$1_r,$1_tty_device_t)
-@@ -1070,14 +1038,14 @@
+@@ -1070,14 +1036,14 @@
#
authlogin_per_role_template($1, $1_t, $1_r)
@@ -15726,7 +15099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
logging_dontaudit_send_audit_msgs($1_t)
# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -1085,19 +1053,18 @@
+@@ -1085,19 +1051,18 @@
selinux_get_enforce_mode($1_t)
optional_policy(`
@@ -15751,7 +15124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
')
-@@ -1109,9 +1076,11 @@
+@@ -1109,9 +1074,11 @@
mono_per_role_template($1, $1_t, $1_r)
')
@@ -15766,7 +15139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
#######################################
-@@ -1121,10 +1090,10 @@
+@@ -1121,10 +1088,10 @@
## </summary>
## <desc>
## <p>
@@ -15781,7 +15154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
-@@ -1187,12 +1156,11 @@
+@@ -1187,12 +1154,11 @@
# and may change other protocols
tunable_policy(`user_tcp_server',`
corenet_tcp_bind_all_nodes($1_t)
@@ -15796,7 +15169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
# Run pppd in pppd_t by default for user
-@@ -1278,8 +1246,6 @@
+@@ -1278,8 +1244,6 @@
# Manipulate other users crontab.
allow $1_t self:passwd crontab;
@@ -15805,7 +15178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1416,6 +1382,7 @@
+@@ -1416,6 +1380,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -15813,7 +15186,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1781,10 +1748,14 @@
+@@ -1781,10 +1746,14 @@
template(`userdom_user_home_content',`
gen_require(`
attribute $1_file_type;
@@ -15829,7 +15202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1880,11 +1851,11 @@
+@@ -1880,11 +1849,11 @@
#
template(`userdom_search_user_home_dirs',`
gen_require(`
@@ -15843,7 +15216,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1914,11 +1885,11 @@
+@@ -1914,11 +1883,11 @@
#
template(`userdom_list_user_home_dirs',`
gen_require(`
@@ -15857,7 +15230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1962,12 +1933,12 @@
+@@ -1962,12 +1931,12 @@
#
template(`userdom_user_home_domtrans',`
gen_require(`
@@ -15873,7 +15246,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1997,10 +1968,10 @@
+@@ -1997,10 +1966,10 @@
#
template(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
@@ -15886,7 +15259,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2032,11 +2003,47 @@
+@@ -2032,11 +2001,47 @@
#
template(`userdom_manage_user_home_content_dirs',`
gen_require(`
@@ -15936,7 +15309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2068,10 +2075,10 @@
+@@ -2068,10 +2073,10 @@
#
template(`userdom_dontaudit_setattr_user_home_content_files',`
gen_require(`
@@ -15949,7 +15322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2101,11 +2108,11 @@
+@@ -2101,11 +2106,11 @@
#
template(`userdom_read_user_home_content_files',`
gen_require(`
@@ -15963,7 +15336,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2135,11 +2142,11 @@
+@@ -2135,11 +2140,11 @@
#
template(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -15978,7 +15351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2169,10 +2176,10 @@
+@@ -2169,10 +2174,10 @@
#
template(`userdom_dontaudit_write_user_home_content_files',`
gen_require(`
@@ -15991,7 +15364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2202,11 +2209,11 @@
+@@ -2202,11 +2207,11 @@
#
template(`userdom_read_user_home_content_symlinks',`
gen_require(`
@@ -16005,7 +15378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2236,11 +2243,11 @@
+@@ -2236,11 +2241,11 @@
#
template(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -16019,7 +15392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2270,10 +2277,10 @@
+@@ -2270,10 +2275,10 @@
#
template(`userdom_dontaudit_exec_user_home_content_files',`
gen_require(`
@@ -16032,7 +15405,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2305,12 +2312,12 @@
+@@ -2305,12 +2310,12 @@
#
template(`userdom_manage_user_home_content_files',`
gen_require(`
@@ -16048,7 +15421,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2342,10 +2349,10 @@
+@@ -2342,10 +2347,10 @@
#
template(`userdom_dontaudit_manage_user_home_content_dirs',`
gen_require(`
@@ -16061,7 +15434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2377,12 +2384,12 @@
+@@ -2377,12 +2382,12 @@
#
template(`userdom_manage_user_home_content_symlinks',`
gen_require(`
@@ -16077,7 +15450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2414,12 +2421,12 @@
+@@ -2414,12 +2419,12 @@
#
template(`userdom_manage_user_home_content_pipes',`
gen_require(`
@@ -16093,7 +15466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2451,12 +2458,12 @@
+@@ -2451,12 +2456,12 @@
#
template(`userdom_manage_user_home_content_sockets',`
gen_require(`
@@ -16109,7 +15482,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2501,11 +2508,11 @@
+@@ -2501,11 +2506,11 @@
#
template(`userdom_user_home_dir_filetrans',`
gen_require(`
@@ -16123,7 +15496,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2550,11 +2557,11 @@
+@@ -2550,11 +2555,11 @@
#
template(`userdom_user_home_content_filetrans',`
gen_require(`
@@ -16137,7 +15510,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2594,11 +2601,11 @@
+@@ -2594,11 +2599,11 @@
#
template(`userdom_user_home_dir_filetrans_user_home_content',`
gen_require(`
@@ -16151,7 +15524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2628,11 +2635,11 @@
+@@ -2628,11 +2633,11 @@
#
template(`userdom_write_user_tmp_sockets',`
gen_require(`
@@ -16165,7 +15538,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2662,11 +2669,11 @@
+@@ -2662,11 +2667,11 @@
#
template(`userdom_list_user_tmp',`
gen_require(`
@@ -16179,7 +15552,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2698,10 +2705,10 @@
+@@ -2698,10 +2703,10 @@
#
template(`userdom_dontaudit_list_user_tmp',`
gen_require(`
@@ -16192,7 +15565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2733,10 +2740,10 @@
+@@ -2733,10 +2738,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_dirs',`
gen_require(`
@@ -16205,7 +15578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2766,12 +2773,12 @@
+@@ -2766,12 +2771,12 @@
#
template(`userdom_read_user_tmp_files',`
gen_require(`
@@ -16221,7 +15594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2803,10 +2810,10 @@
+@@ -2803,10 +2808,10 @@
#
template(`userdom_dontaudit_read_user_tmp_files',`
gen_require(`
@@ -16234,14 +15607,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2838,10 +2845,48 @@
+@@ -2838,10 +2843,48 @@
#
template(`userdom_dontaudit_append_user_tmp_files',`
gen_require(`
- type $1_tmp_t;
+ type user_tmp_t;
-+ ')
-+
+ ')
+
+- dontaudit $2 $1_tmp_t:file append;
+ dontaudit $2 user_tmp_t:file append;
+')
+
@@ -16258,9 +15632,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+interface(`userdom_unlink_unpriv_users_tmp_files',`
+ gen_require(`
+ attribute user_tmpfile;
- ')
-
-- dontaudit $2 $1_tmp_t:file append;
++ ')
++
+ files_delete_tmp_dir_entry($1)
+ allow $1 user_tmpfile:file unlink;
+')
@@ -16285,7 +15658,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2871,12 +2916,12 @@
+@@ -2871,12 +2914,12 @@
#
template(`userdom_rw_user_tmp_files',`
gen_require(`
@@ -16301,7 +15674,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2908,10 +2953,10 @@
+@@ -2908,10 +2951,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_files',`
gen_require(`
@@ -16314,7 +15687,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2943,12 +2988,12 @@
+@@ -2943,12 +2986,12 @@
#
template(`userdom_read_user_tmp_symlinks',`
gen_require(`
@@ -16330,7 +15703,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2980,11 +3025,11 @@
+@@ -2980,11 +3023,11 @@
#
template(`userdom_manage_user_tmp_dirs',`
gen_require(`
@@ -16344,7 +15717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3016,11 +3061,11 @@
+@@ -3016,11 +3059,11 @@
#
template(`userdom_manage_user_tmp_files',`
gen_require(`
@@ -16358,7 +15731,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3052,11 +3097,11 @@
+@@ -3052,11 +3095,11 @@
#
template(`userdom_manage_user_tmp_symlinks',`
gen_require(`
@@ -16372,7 +15745,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3088,11 +3133,11 @@
+@@ -3088,11 +3131,11 @@
#
template(`userdom_manage_user_tmp_pipes',`
gen_require(`
@@ -16386,7 +15759,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3124,11 +3169,11 @@
+@@ -3124,11 +3167,11 @@
#
template(`userdom_manage_user_tmp_sockets',`
gen_require(`
@@ -16400,7 +15773,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3173,10 +3218,10 @@
+@@ -3173,10 +3216,10 @@
#
template(`userdom_user_tmp_filetrans',`
gen_require(`
@@ -16413,7 +15786,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
files_search_tmp($2)
')
-@@ -3217,10 +3262,10 @@
+@@ -3217,10 +3260,10 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
@@ -16426,7 +15799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4225,11 +4270,11 @@
+@@ -4225,11 +4268,11 @@
#
interface(`userdom_search_staff_home_dirs',`
gen_require(`
@@ -16440,7 +15813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4245,10 +4290,10 @@
+@@ -4245,10 +4288,10 @@
#
interface(`userdom_dontaudit_search_staff_home_dirs',`
gen_require(`
@@ -16453,7 +15826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4264,11 +4309,11 @@
+@@ -4264,11 +4307,11 @@
#
interface(`userdom_manage_staff_home_dirs',`
gen_require(`
@@ -16467,7 +15840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4283,11 +4328,11 @@
+@@ -4283,11 +4326,11 @@
#
interface(`userdom_relabelto_staff_home_dirs',`
gen_require(`
@@ -16481,7 +15854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4303,10 +4348,10 @@
+@@ -4303,10 +4346,10 @@
#
interface(`userdom_dontaudit_append_staff_home_content_files',`
gen_require(`
@@ -16494,7 +15867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4321,13 +4366,13 @@
+@@ -4321,13 +4364,13 @@
#
interface(`userdom_read_staff_home_content_files',`
gen_require(`
@@ -16512,7 +15885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4525,10 +4570,10 @@
+@@ -4525,10 +4568,10 @@
#
interface(`userdom_getattr_sysadm_home_dirs',`
gen_require(`
@@ -16525,7 +15898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4545,10 +4590,10 @@
+@@ -4545,10 +4588,10 @@
#
interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
gen_require(`
@@ -16538,7 +15911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4563,10 +4608,10 @@
+@@ -4563,10 +4606,10 @@
#
interface(`userdom_search_sysadm_home_dirs',`
gen_require(`
@@ -16551,7 +15924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4582,10 +4627,10 @@
+@@ -4582,10 +4625,10 @@
#
interface(`userdom_dontaudit_search_sysadm_home_dirs',`
gen_require(`
@@ -16564,7 +15937,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4600,10 +4645,10 @@
+@@ -4600,10 +4643,10 @@
#
interface(`userdom_list_sysadm_home_dirs',`
gen_require(`
@@ -16577,7 +15950,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4619,10 +4664,10 @@
+@@ -4619,10 +4662,10 @@
#
interface(`userdom_dontaudit_list_sysadm_home_dirs',`
gen_require(`
@@ -16590,7 +15963,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4638,12 +4683,11 @@
+@@ -4638,12 +4681,11 @@
#
interface(`userdom_dontaudit_read_sysadm_home_content_files',`
gen_require(`
@@ -16606,7 +15979,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4670,10 +4714,10 @@
+@@ -4670,10 +4712,10 @@
#
interface(`userdom_sysadm_home_dir_filetrans',`
gen_require(`
@@ -16619,7 +15992,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4688,10 +4732,10 @@
+@@ -4688,10 +4730,10 @@
#
interface(`userdom_search_sysadm_home_content_dirs',`
gen_require(`
@@ -16632,7 +16005,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4706,13 +4750,13 @@
+@@ -4706,13 +4748,13 @@
#
interface(`userdom_read_sysadm_home_content_files',`
gen_require(`
@@ -16650,7 +16023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4748,11 +4792,29 @@
+@@ -4748,11 +4790,29 @@
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
@@ -16681,7 +16054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4772,6 +4834,14 @@
+@@ -4772,6 +4832,14 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
@@ -16696,7 +16069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -5109,7 +5179,7 @@
+@@ -5109,7 +5177,7 @@
#
interface(`userdom_relabelto_generic_user_home_dirs',`
gen_require(`
@@ -16705,7 +16078,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
files_search_home($1)
-@@ -5298,6 +5368,28 @@
+@@ -5298,6 +5366,28 @@
########################################
## <summary>
@@ -16734,7 +16107,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Create, read, write, and delete directories in
## unprivileged users home directories.
## </summary>
-@@ -5503,6 +5595,24 @@
+@@ -5503,6 +5593,24 @@
########################################
## <summary>
@@ -16759,7 +16132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Read and write unprivileged user ttys.
## </summary>
## <param name="domain">
-@@ -5668,6 +5778,24 @@
+@@ -5668,6 +5776,24 @@
########################################
## <summary>
@@ -16784,7 +16157,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
-@@ -5698,3 +5826,277 @@
+@@ -5698,3 +5824,277 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -17062,9 +16435,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ files_tmp_filetrans($2, user_tmp_t, $3)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.2.1/policy/modules/system/userdomain.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.2.2/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/system/userdomain.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/userdomain.te 2007-12-04 11:11:03.000000000 -0500
@@ -17,20 +17,13 @@
## <desc>
@@ -17238,14 +16611,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ netutils_run_traceroute_cond(staff_t,staff_r,{ staff_tty_device_t staff_devpts_t })
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.fc serefpolicy-3.2.1/policy/modules/system/virt.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.fc serefpolicy-3.2.2/policy/modules/system/virt.fc
--- nsaserefpolicy/policy/modules/system/virt.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/system/virt.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/virt.fc 2007-12-04 11:11:03.000000000 -0500
@@ -0,0 +1 @@
+/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.if serefpolicy-3.2.1/policy/modules/system/virt.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.if serefpolicy-3.2.2/policy/modules/system/virt.if
--- nsaserefpolicy/policy/modules/system/virt.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/system/virt.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/virt.if 2007-12-04 11:11:03.000000000 -0500
@@ -0,0 +1,78 @@
+## <summary>Virtualization </summary>
+
@@ -17325,16 +16698,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i
+ files_list_var_lib($1)
+ manage_files_pattern($1,virt_var_lib_t,virt_var_lib_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.2.1/policy/modules/system/virt.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.2.2/policy/modules/system/virt.te
--- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/system/virt.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/virt.te 2007-12-04 11:11:03.000000000 -0500
@@ -0,0 +1,3 @@
+# var/lib files
+type virt_var_lib_t;
+files_type(virt_var_lib_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.2.1/policy/modules/system/xen.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.2.2/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if 2007-06-21 09:32:04.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/system/xen.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/xen.if 2007-12-04 11:11:03.000000000 -0500
@@ -191,3 +191,24 @@
domtrans_pattern($1,xm_exec_t,xm_t)
@@ -17360,9 +16733,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if
+ allow $1 xend_var_lib_t:dir search_dir_perms;
+ rw_files_pattern($1,xen_image_t,xen_image_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.2.1/policy/modules/system/xen.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.2.2/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.2.1/policy/modules/system/xen.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/system/xen.te 2007-12-04 11:11:03.000000000 -0500
@@ -6,6 +6,13 @@
# Declarations
#
@@ -17547,37 +16920,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
+ fs_read_nfs_symlinks(xend_t)
+ fstools_manage_nfs(xend_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.fc serefpolicy-3.2.1/policy/modules/users/guest.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.fc serefpolicy-3.2.2/policy/modules/users/guest.fc
--- nsaserefpolicy/policy/modules/users/guest.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/users/guest.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/users/guest.fc 2007-12-04 11:11:03.000000000 -0500
@@ -0,0 +1 @@
+# No guest file contexts.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.if serefpolicy-3.2.1/policy/modules/users/guest.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.if serefpolicy-3.2.2/policy/modules/users/guest.if
--- nsaserefpolicy/policy/modules/users/guest.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/users/guest.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/users/guest.if 2007-12-04 11:11:03.000000000 -0500
@@ -0,0 +1 @@
+## <summary>Policy for guest user</summary>
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.2.1/policy/modules/users/guest.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.2.2/policy/modules/users/guest.te
--- nsaserefpolicy/policy/modules/users/guest.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/users/guest.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/users/guest.te 2007-12-04 11:11:03.000000000 -0500
@@ -0,0 +1,4 @@
+policy_module(guest,1.0.1)
+userdom_restricted_user_template(guest)
+userdom_restricted_user_template(gadmin)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.2.1/policy/modules/users/logadm.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.2.2/policy/modules/users/logadm.fc
--- nsaserefpolicy/policy/modules/users/logadm.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/users/logadm.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/users/logadm.fc 2007-12-04 11:11:03.000000000 -0500
@@ -0,0 +1 @@
+# No logadm file contexts.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.if serefpolicy-3.2.1/policy/modules/users/logadm.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.if serefpolicy-3.2.2/policy/modules/users/logadm.if
--- nsaserefpolicy/policy/modules/users/logadm.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/users/logadm.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/users/logadm.if 2007-12-04 11:11:03.000000000 -0500
@@ -0,0 +1 @@
+## <summary>Policy for logadm user</summary>
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.te serefpolicy-3.2.1/policy/modules/users/logadm.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.te serefpolicy-3.2.2/policy/modules/users/logadm.te
--- nsaserefpolicy/policy/modules/users/logadm.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/users/logadm.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/users/logadm.te 2007-12-04 11:11:03.000000000 -0500
@@ -0,0 +1,11 @@
+policy_module(logadm,1.0.0)
+
@@ -17590,24 +16963,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.
+allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
+
+logging_admin(logadm_t, logadm_r, { logadm_devpts_t logadm_tty_device_t })
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/metadata.xml serefpolicy-3.2.1/policy/modules/users/metadata.xml
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/metadata.xml serefpolicy-3.2.2/policy/modules/users/metadata.xml
--- nsaserefpolicy/policy/modules/users/metadata.xml 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/users/metadata.xml 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/users/metadata.xml 2007-12-04 11:11:03.000000000 -0500
@@ -0,0 +1 @@
+<summary>Policy modules for users</summary>
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.fc serefpolicy-3.2.1/policy/modules/users/webadm.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.fc serefpolicy-3.2.2/policy/modules/users/webadm.fc
--- nsaserefpolicy/policy/modules/users/webadm.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/users/webadm.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/users/webadm.fc 2007-12-04 11:11:03.000000000 -0500
@@ -0,0 +1 @@
+# No webadm file contexts.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.if serefpolicy-3.2.1/policy/modules/users/webadm.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.if serefpolicy-3.2.2/policy/modules/users/webadm.if
--- nsaserefpolicy/policy/modules/users/webadm.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/users/webadm.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/users/webadm.if 2007-12-04 11:11:03.000000000 -0500
@@ -0,0 +1 @@
+## <summary>Policy for webadm user</summary>
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.2.1/policy/modules/users/webadm.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.2.2/policy/modules/users/webadm.te
--- nsaserefpolicy/policy/modules/users/webadm.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/users/webadm.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/users/webadm.te 2007-12-04 11:11:03.000000000 -0500
@@ -0,0 +1,42 @@
+policy_module(webadm,1.0.0)
+
@@ -17651,19 +17024,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.
+')
+allow gadmin_t webadm_t:process transition;
+allow webadm_t gadmin_t:dir getattr;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.fc serefpolicy-3.2.1/policy/modules/users/xguest.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.fc serefpolicy-3.2.2/policy/modules/users/xguest.fc
--- nsaserefpolicy/policy/modules/users/xguest.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/users/xguest.fc 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/users/xguest.fc 2007-12-04 11:11:03.000000000 -0500
@@ -0,0 +1 @@
+# No xguest file contexts.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.if serefpolicy-3.2.1/policy/modules/users/xguest.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.if serefpolicy-3.2.2/policy/modules/users/xguest.if
--- nsaserefpolicy/policy/modules/users/xguest.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/users/xguest.if 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/users/xguest.if 2007-12-04 11:11:03.000000000 -0500
@@ -0,0 +1 @@
+## <summary>Policy for xguest user</summary>
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.te serefpolicy-3.2.1/policy/modules/users/xguest.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.te serefpolicy-3.2.2/policy/modules/users/xguest.te
--- nsaserefpolicy/policy/modules/users/xguest.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.1/policy/modules/users/xguest.te 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/modules/users/xguest.te 2007-12-04 11:11:03.000000000 -0500
@@ -0,0 +1,55 @@
+policy_module(xguest,1.0.1)
+
@@ -17720,9 +17093,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.
+ bluetooth_dbus_chat(xguest_t)
+ ')
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.2.1/policy/support/obj_perm_sets.spt
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.2.2/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.1/policy/support/obj_perm_sets.spt 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/support/obj_perm_sets.spt 2007-12-04 11:11:03.000000000 -0500
@@ -204,7 +204,7 @@
define(`getattr_file_perms',`{ getattr }')
define(`setattr_file_perms',`{ setattr }')
@@ -17746,9 +17119,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets
+define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
+
+define(`manage_key_perms', `{ create link read search setattr view write } ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.2.1/policy/users
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.2.2/policy/users
--- nsaserefpolicy/policy/users 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.1/policy/users 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/policy/users 2007-12-04 11:11:03.000000000 -0500
@@ -16,7 +16,7 @@
# and a user process should never be assigned the system user
# identity.
@@ -17783,9 +17156,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.2
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-')
+gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.2.1/Rules.monolithic
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.2.2/Rules.monolithic
--- nsaserefpolicy/Rules.monolithic 2007-11-20 06:55:20.000000000 -0500
-+++ serefpolicy-3.2.1/Rules.monolithic 2007-11-30 11:23:56.000000000 -0500
++++ serefpolicy-3.2.2/Rules.monolithic 2007-12-04 11:11:03.000000000 -0500
@@ -96,7 +96,7 @@
#
# Load the binary policy
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 49c7b42..0396173 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -16,8 +16,8 @@
%define CHECKPOLICYVER 2.0.3-1
Summary: SELinux policy configuration
Name: selinux-policy
-Version: 3.2.1
-Release: 3%{?dist}
+Version: 3.2.2
+Release: 1%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -167,7 +167,7 @@ fi;
%description
SELinux Reference Policy - modular.
-Based off of reference policy: Checked out revision 2530.
+Based off of reference policy: Checked out revision 2541.
%build
@@ -379,6 +379,10 @@ exit 0
%endif
%changelog
+* Tue Dec 4 2007 Dan Walsh <dwalsh@redhat.com> 3.2.2-1
+- Update to upstreamddddddddddddd
+- Allow httpd_sys_script_t to search users homedirs
+
* Mon Dec 3 2007 Dan Walsh <dwalsh@redhat.com> 3.2.1-3
- Allow rpm_script to transition to unconfined_execmem_t
@@ -388,7 +392,7 @@ exit 0
* Wed Nov 28 2007 Dan Walsh <dwalsh@redhat.com> 3.1.2-2
- Remove user specific crond_t
-* Mon Nov 19 2007 Dan Walsh <dwalsh@redhat.com> 3.1.2-1
+* Mon Nov 19 2007 Dan Walsh <dwaldddddddddddddddddddddddddddddddddddddddddddddsh@redhat.com> 3.1.2-1
- Merge with upstream
- Allow xsever to read hwdata_t
- Allow login programs to setkeycreate