diff --git a/policy-20071130.patch b/policy-20071130.patch index b0f80dd..e831024 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -1,6 +1,6 @@ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.2.1/config/appconfig-mcs/default_contexts +diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.2.2/config/appconfig-mcs/default_contexts --- nsaserefpolicy/config/appconfig-mcs/default_contexts 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.1/config/appconfig-mcs/default_contexts 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/config/appconfig-mcs/default_contexts 2007-12-04 11:11:03.000000000 -0500 @@ -1,15 +1,9 @@ -system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0 -system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 @@ -26,23 +26,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default +system_r:sysadm_su_t:s0 system_r:unconfined_t:s0 +system_r:unconfined_t:s0 system_r:unconfined_t:s0 +system_r:xdm_t:s0 system_r:unconfined_t:s0 -diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.2.1/config/appconfig-mcs/failsafe_context +diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.2.2/config/appconfig-mcs/failsafe_context --- nsaserefpolicy/config/appconfig-mcs/failsafe_context 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.1/config/appconfig-mcs/failsafe_context 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/config/appconfig-mcs/failsafe_context 2007-12-04 11:11:03.000000000 -0500 @@ -1 +1 @@ -sysadm_r:sysadm_t:s0 +system_r:unconfined_t:s0 -diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts serefpolicy-3.2.1/config/appconfig-mcs/guest_u_default_contexts +diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts serefpolicy-3.2.2/config/appconfig-mcs/guest_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.1/config/appconfig-mcs/guest_u_default_contexts 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/config/appconfig-mcs/guest_u_default_contexts 2007-12-04 11:11:03.000000000 -0500 @@ -0,0 +1,4 @@ +system_r:local_login_t:s0 guest_r:guest_t:s0 +system_r:remote_login_t:s0 guest_r:guest_t:s0 +system_r:sshd_t:s0 guest_r:guest_t:s0 +system_r:crond_t:s0 guest_r:guest_crond_t:s0 -diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.2.1/config/appconfig-mcs/root_default_contexts +diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.2.2/config/appconfig-mcs/root_default_contexts --- nsaserefpolicy/config/appconfig-mcs/root_default_contexts 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.1/config/appconfig-mcs/root_default_contexts 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/config/appconfig-mcs/root_default_contexts 2007-12-04 11:11:03.000000000 -0500 @@ -1,11 +1,10 @@ -system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0 -system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 @@ -62,23 +62,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_de -#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.2.1/config/appconfig-mcs/seusers +diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.2.2/config/appconfig-mcs/seusers --- nsaserefpolicy/config/appconfig-mcs/seusers 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.1/config/appconfig-mcs/seusers 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/config/appconfig-mcs/seusers 2007-12-04 11:11:03.000000000 -0500 @@ -1,3 +1,2 @@ -system_u:system_u:s0-mcs_systemhigh root:root:s0-mcs_systemhigh -__default__:user_u:s0 +__default__:system_u:s0 -diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.2.1/config/appconfig-mcs/userhelper_context +diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.2.2/config/appconfig-mcs/userhelper_context --- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.1/config/appconfig-mcs/userhelper_context 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/config/appconfig-mcs/userhelper_context 2007-12-04 11:11:03.000000000 -0500 @@ -1 +1 @@ -system_u:sysadm_r:sysadm_t:s0 +system_u:system_r:unconfined_t:s0 -diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.2.1/config/appconfig-mcs/user_u_default_contexts +diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.2.2/config/appconfig-mcs/user_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts 2007-11-05 10:28:59.000000000 -0500 -+++ serefpolicy-3.2.1/config/appconfig-mcs/user_u_default_contexts 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/config/appconfig-mcs/user_u_default_contexts 2007-12-04 11:11:03.000000000 -0500 @@ -1,8 +1,7 @@ -system_r:local_login_t:s0 user_r:user_t:s0 -system_r:remote_login_t:s0 user_r:user_t:s0 @@ -95,18 +95,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_ +system_r:xdm_t:s0 system_r:unconfined_t:s0 user_r:user_t:s0 +user_r:user_su_t:s0 system_r:unconfined_t:s0 user_r:user_t:s0 +user_r:user_sudo_t:s0 system_r:unconfined_t:s0 user_r:user_t:s0 -diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.2.1/config/appconfig-mcs/xguest_u_default_contexts +diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.2.2/config/appconfig-mcs/xguest_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.1/config/appconfig-mcs/xguest_u_default_contexts 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/config/appconfig-mcs/xguest_u_default_contexts 2007-12-04 11:11:03.000000000 -0500 @@ -0,0 +1,5 @@ +system_r:local_login_t xguest_r:xguest_t:s0 +system_r:remote_login_t xguest_r:xguest_t:s0 +system_r:sshd_t xguest_r:xguest_t:s0 +system_r:crond_t xguest_r:xguest_crond_t:s0 +system_r:xdm_t xguest_r:xguest_t:s0 -diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.2.1/config/appconfig-mls/default_contexts +diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.2.2/config/appconfig-mls/default_contexts --- nsaserefpolicy/config/appconfig-mls/default_contexts 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.1/config/appconfig-mls/default_contexts 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/config/appconfig-mls/default_contexts 2007-12-04 11:11:03.000000000 -0500 @@ -1,15 +1,12 @@ -system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0 -system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 @@ -134,34 +134,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default -user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0 +staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 +user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0 -diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts serefpolicy-3.2.1/config/appconfig-mls/guest_u_default_contexts +diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts serefpolicy-3.2.2/config/appconfig-mls/guest_u_default_contexts --- nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.1/config/appconfig-mls/guest_u_default_contexts 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/config/appconfig-mls/guest_u_default_contexts 2007-12-04 11:11:03.000000000 -0500 @@ -0,0 +1,4 @@ +system_r:local_login_t:s0 guest_r:guest_t:s0 +system_r:remote_login_t:s0 guest_r:guest_t:s0 +system_r:sshd_t:s0 guest_r:guest_t:s0 +system_r:crond_t:s0 guest_r:guest_crond_t:s0 -diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts serefpolicy-3.2.1/config/appconfig-standard/guest_u_default_contexts +diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts serefpolicy-3.2.2/config/appconfig-standard/guest_u_default_contexts --- nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.1/config/appconfig-standard/guest_u_default_contexts 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/config/appconfig-standard/guest_u_default_contexts 2007-12-04 11:11:03.000000000 -0500 @@ -0,0 +1,4 @@ +system_r:local_login_t guest_r:guest_t +system_r:remote_login_t guest_r:guest_t +system_r:sshd_t guest_r:guest_t +system_r:crond_t guest_r:guest_crond_t -diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts serefpolicy-3.2.1/config/appconfig-standard/xguest_u_default_contexts +diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts serefpolicy-3.2.2/config/appconfig-standard/xguest_u_default_contexts --- nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.1/config/appconfig-standard/xguest_u_default_contexts 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/config/appconfig-standard/xguest_u_default_contexts 2007-12-04 11:11:03.000000000 -0500 @@ -0,0 +1,5 @@ +system_r:local_login_t xguest_r:xguest_t +system_r:remote_login_t xguest_r:xguest_t +system_r:sshd_t xguest_r:xguest_t +system_r:crond_t xguest_r:xguest_crond_t +system_r:xdm_t xguest_r:xguest_t -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.2.1/policy/flask/access_vectors +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.2.2/policy/flask/access_vectors --- nsaserefpolicy/policy/flask/access_vectors 2007-08-11 06:22:29.000000000 -0400 -+++ serefpolicy-3.2.1/policy/flask/access_vectors 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/flask/access_vectors 2007-12-04 11:11:03.000000000 -0500 @@ -639,6 +639,8 @@ send recv @@ -171,9 +171,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors } class key -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.2.1/policy/global_tunables +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.2.2/policy/global_tunables --- nsaserefpolicy/policy/global_tunables 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.1/policy/global_tunables 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/global_tunables 2007-12-04 11:11:03.000000000 -0500 @@ -6,38 +6,35 @@ ## @@ -257,9 +257,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref +gen_tunable(allow_console_login,false) + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc serefpolicy-3.2.1/policy/modules/admin/alsa.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc serefpolicy-3.2.2/policy/modules/admin/alsa.fc --- nsaserefpolicy/policy/modules/admin/alsa.fc 2007-10-29 18:02:32.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/admin/alsa.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/admin/alsa.fc 2007-12-04 11:11:03.000000000 -0500 @@ -1,8 +1,11 @@ +/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) @@ -274,9 +274,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc +/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0) +/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) +/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.2.1/policy/modules/admin/alsa.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.2.2/policy/modules/admin/alsa.if --- nsaserefpolicy/policy/modules/admin/alsa.if 2007-01-02 12:57:51.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/admin/alsa.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/admin/alsa.if 2007-12-04 11:11:03.000000000 -0500 @@ -74,3 +74,21 @@ read_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t) read_lnk_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t) @@ -299,9 +299,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if + + read_files_pattern($1,alsa_var_lib_t,alsa_var_lib_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.2.1/policy/modules/admin/alsa.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.2.2/policy/modules/admin/alsa.te --- nsaserefpolicy/policy/modules/admin/alsa.te 2007-10-29 18:02:32.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/admin/alsa.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/admin/alsa.te 2007-12-04 11:11:03.000000000 -0500 @@ -8,12 +8,15 @@ type alsa_t; @@ -346,9 +346,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te optional_policy(` nscd_socket_use(alsa_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.2.1/policy/modules/admin/anaconda.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.2.2/policy/modules/admin/anaconda.te --- nsaserefpolicy/policy/modules/admin/anaconda.te 2007-01-02 12:57:51.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/admin/anaconda.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/admin/anaconda.te 2007-12-04 11:11:03.000000000 -0500 @@ -31,16 +31,13 @@ modutils_domtrans_insmod(anaconda_t) @@ -367,18 +367,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anacond kudzu_domtrans(anaconda_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.2.1/policy/modules/admin/brctl.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.2.2/policy/modules/admin/brctl.te --- nsaserefpolicy/policy/modules/admin/brctl.te 2007-10-23 07:37:52.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/admin/brctl.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/admin/brctl.te 2007-12-04 11:11:03.000000000 -0500 @@ -40,4 +40,5 @@ optional_policy(` xen_append_log(brctl_t) + xen_dontaudit_rw_unix_stream_sockets(brctl_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.2.1/policy/modules/admin/consoletype.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.2.2/policy/modules/admin/consoletype.te --- nsaserefpolicy/policy/modules/admin/consoletype.te 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/admin/consoletype.te 2007-11-30 11:44:01.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/admin/consoletype.te 2007-12-04 11:11:03.000000000 -0500 @@ -8,9 +8,11 @@ type consoletype_t; @@ -425,9 +425,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console xen_dontaudit_use_fds(consoletype_t) ') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.2.1/policy/modules/admin/firstboot.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.2.2/policy/modules/admin/firstboot.te --- nsaserefpolicy/policy/modules/admin/firstboot.te 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/admin/firstboot.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/admin/firstboot.te 2007-12-04 11:11:03.000000000 -0500 @@ -120,6 +120,10 @@ usermanage_domtrans_admin_passwd(firstboot_t) ') @@ -447,18 +447,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstbo - domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t) -') ') dnl end TODO -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.fc serefpolicy-3.2.1/policy/modules/admin/kismet.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.fc serefpolicy-3.2.2/policy/modules/admin/kismet.fc --- nsaserefpolicy/policy/modules/admin/kismet.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/admin/kismet.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/admin/kismet.fc 2007-12-04 11:11:03.000000000 -0500 @@ -0,0 +1,5 @@ + +/usr/bin/kismet -- gen_context(system_u:object_r:kismet_exec_t,s0) +/var/run/kismet_server.pid -- gen_context(system_u:object_r:kismet_var_run_t,s0) +/var/lib/kismet(/.*)? gen_context(system_u:object_r:kismet_var_lib_t,s0) +/var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.2.1/policy/modules/admin/kismet.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.2.2/policy/modules/admin/kismet.if --- nsaserefpolicy/policy/modules/admin/kismet.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/admin/kismet.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/admin/kismet.if 2007-12-04 11:11:03.000000000 -0500 @@ -0,0 +1,275 @@ + +## policy for kismet @@ -735,9 +735,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. + kismet_manage_log($2) + +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.2.1/policy/modules/admin/kismet.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.2.2/policy/modules/admin/kismet.te --- nsaserefpolicy/policy/modules/admin/kismet.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/admin/kismet.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/admin/kismet.te 2007-12-04 11:11:03.000000000 -0500 @@ -0,0 +1,58 @@ +policy_module(kismet,1.0.0) + @@ -797,9 +797,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. +allow kismet_t kismet_log_t:dir { rw_dir_perms setattr }; +logging_log_filetrans(kismet_t,kismet_log_t,{ file dir }) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.2.1/policy/modules/admin/kudzu.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.2.2/policy/modules/admin/kudzu.te --- nsaserefpolicy/policy/modules/admin/kudzu.te 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/admin/kudzu.te 2007-11-30 11:35:54.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/admin/kudzu.te 2007-12-04 11:11:03.000000000 -0500 @@ -21,8 +21,8 @@ # Local policy # @@ -859,9 +859,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.t -') -allow kudzu_t cupsd_rw_etc_t:dir list_dir_perms; -') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.2.1/policy/modules/admin/logrotate.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.2.2/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/admin/logrotate.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/admin/logrotate.te 2007-12-04 11:11:03.000000000 -0500 @@ -96,6 +96,7 @@ files_read_etc_files(logrotate_t) files_read_etc_runtime_files(logrotate_t) @@ -870,9 +870,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota # Write to /var/spool/slrnpull - should be moved into its own type. files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.2.1/policy/modules/admin/logwatch.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.2.2/policy/modules/admin/logwatch.te --- nsaserefpolicy/policy/modules/admin/logwatch.te 2007-10-23 07:37:52.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/admin/logwatch.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/admin/logwatch.te 2007-12-04 11:11:03.000000000 -0500 @@ -59,10 +59,8 @@ files_read_usr_files(logwatch_t) files_search_spool(logwatch_t) @@ -901,9 +901,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc samba_read_log(logwatch_t) + samba_read_share_files(logwatch_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.2.1/policy/modules/admin/netutils.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.2.2/policy/modules/admin/netutils.te --- nsaserefpolicy/policy/modules/admin/netutils.te 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/admin/netutils.te 2007-11-30 11:37:19.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/admin/netutils.te 2007-12-04 11:11:03.000000000 -0500 @@ -94,6 +94,10 @@ ') @@ -930,9 +930,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil corenet_tcp_sendrecv_all_nodes(ping_t) corenet_tcp_sendrecv_all_ports(ping_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.2.1/policy/modules/admin/prelink.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.2.2/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/admin/prelink.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/admin/prelink.te 2007-12-04 11:11:03.000000000 -0500 @@ -26,7 +26,7 @@ # Local policy # @@ -990,9 +990,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink +optional_policy(` + unconfined_domain(prelink_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.2.1/policy/modules/admin/rpm.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.2.2/policy/modules/admin/rpm.fc --- nsaserefpolicy/policy/modules/admin/rpm.fc 2006-11-16 17:15:26.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/admin/rpm.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/admin/rpm.fc 2007-12-04 11:11:03.000000000 -0500 @@ -11,6 +11,7 @@ /usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -1011,9 +1011,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc ') /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.2.1/policy/modules/admin/rpm.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.2.2/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2007-05-18 11:12:44.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/admin/rpm.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/admin/rpm.if 2007-12-04 11:11:03.000000000 -0500 @@ -152,6 +152,24 @@ ######################################## @@ -1207,29 +1207,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if + read_lnk_files_pattern($1,rpm_tmpfs_t,rpm_tmpfs_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.2.1/policy/modules/admin/rpm.te ---- nsaserefpolicy/policy/modules/admin/rpm.te 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/admin/rpm.te 2007-12-03 13:19:43.000000000 -0500 -@@ -139,6 +139,7 @@ - auth_relabel_all_files_except_shadow(rpm_t) - auth_manage_all_files_except_shadow(rpm_t) - auth_dontaudit_read_shadow(rpm_t) -+auth_use_nsswitch(rpm_t) - - # transition to rpm script: - rpm_domtrans_script(rpm_t) -@@ -180,11 +181,17 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.2.2/policy/modules/admin/rpm.te +--- nsaserefpolicy/policy/modules/admin/rpm.te 2007-12-04 11:02:51.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/admin/rpm.te 2007-12-04 11:52:42.000000000 -0500 +@@ -179,7 +179,17 @@ ') optional_policy(` - hal_dbus_chat(rpm_t) --') + optional_policy(` + hal_dbus_chat(rpm_t) + ') - --optional_policy(` -- nis_use_ypbind(rpm_t) ++ + optional_policy(` + networkmanager_dbus_chat(rpm_t) + ') @@ -1240,7 +1229,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te ') optional_policy(` -@@ -195,6 +202,7 @@ +@@ -190,6 +200,7 @@ unconfined_domain(rpm_t) # yum-updatesd requires this unconfined_dbus_chat(rpm_t) @@ -1248,7 +1237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te ') ifdef(`TODO',` -@@ -221,7 +229,7 @@ +@@ -216,7 +227,7 @@ # allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill }; @@ -1257,15 +1246,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te allow rpm_script_t self:fd use; allow rpm_script_t self:fifo_file rw_fifo_file_perms; allow rpm_script_t self:unix_dgram_socket create_socket_perms; -@@ -289,6 +297,7 @@ - auth_dontaudit_getattr_shadow(rpm_script_t) - # ideally we would not need this - auth_manage_all_files_except_shadow(rpm_script_t) -+auth_use_nsswitch(rpm_script_t) - - corecmd_exec_all_executables(rpm_script_t) - -@@ -321,6 +330,7 @@ +@@ -317,6 +328,7 @@ seutil_domtrans_loadpolicy(rpm_script_t) seutil_domtrans_setfiles(rpm_script_t) seutil_domtrans_semanage(rpm_script_t) @@ -1273,18 +1254,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te userdom_use_all_users_fds(rpm_script_t) -@@ -339,10 +349,6 @@ - ') - - optional_policy(` -- nis_use_ypbind(rpm_script_t) --') -- --optional_policy(` - tzdata_domtrans(rpm_t) - tzdata_domtrans(rpm_script_t) - ') -@@ -350,6 +356,7 @@ +@@ -342,6 +354,7 @@ optional_policy(` unconfined_domain(rpm_script_t) unconfined_domtrans(rpm_script_t) @@ -1292,9 +1262,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te optional_policy(` java_domtrans(rpm_script_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.2.1/policy/modules/admin/sudo.if ---- nsaserefpolicy/policy/modules/admin/sudo.if 2007-07-23 10:20:14.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/admin/sudo.if 2007-11-30 11:23:56.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.2.2/policy/modules/admin/sudo.if +--- nsaserefpolicy/policy/modules/admin/sudo.if 2007-12-04 11:02:51.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/admin/sudo.if 2007-12-04 11:58:48.000000000 -0500 @@ -55,7 +55,7 @@ # @@ -1304,15 +1274,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow $1_sudo_t self:process { setexec setrlimit }; allow $1_sudo_t self:fd use; -@@ -68,7 +68,6 @@ +@@ -68,27 +68,27 @@ allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; allow $1_sudo_t self:unix_dgram_socket sendto; allow $1_sudo_t self:unix_stream_socket connectto; - allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read }; - allow $1_sudo_t self:netlink_route_socket r_netlink_socket_perms; # Enter this derived domain from the user domain -@@ -76,20 +75,22 @@ + domtrans_pattern($2, sudo_exec_t, $1_sudo_t) # By default, revert to the calling domain when a shell is executed. corecmd_shell_domtrans($1_sudo_t,$2) @@ -1331,13 +1300,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if fs_getattr_xattr_fs($1_sudo_t) - auth_domtrans_chk_passwd($1_sudo_t) -+ auth_use_nsswitch($1_sudo_t) + auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t }) + auth_run_upd_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t }) # sudo stores a token in the pam_pid directory auth_manage_pam_pid($1_sudo_t) - -@@ -106,12 +107,14 @@ + auth_use_nsswitch($1_sudo_t) +@@ -106,12 +106,14 @@ files_getattr_usr_files($1_sudo_t) # for some PAM modules and for cwd files_dontaudit_search_home($1_sudo_t) @@ -1352,18 +1320,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if logging_send_syslog_msg($1_sudo_t) miscfiles_read_localization($1_sudo_t) -@@ -125,21 +128,4 @@ +@@ -125,13 +127,4 @@ # for some PAM modules and for cwd userdom_dontaudit_search_all_users_home_content($1_sudo_t) -- optional_policy(` -- nis_use_ypbind($1_sudo_t) -- ') -- -- optional_policy(` -- nscd_socket_use($1_sudo_t) -- ') -- - ifdef(`TODO',` - # for when the network connection is killed - dontaudit unpriv_userdomain $1_sudo_t:process signal; @@ -1374,9 +1334,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if - - ') dnl end TODO ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.2.1/policy/modules/admin/su.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.2.2/policy/modules/admin/su.if --- nsaserefpolicy/policy/modules/admin/su.if 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/admin/su.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/admin/su.if 2007-12-04 11:11:03.000000000 -0500 @@ -41,12 +41,11 @@ allow $2 $1_su_t:process signal; @@ -1476,9 +1436,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s ') ####################################### -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.2.1/policy/modules/admin/tmpreaper.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.2.2/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2007-10-02 09:54:52.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/admin/tmpreaper.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/admin/tmpreaper.te 2007-12-04 11:11:03.000000000 -0500 @@ -28,6 +28,7 @@ files_purge_tmp(tmpreaper_t) # why does it need setattr? @@ -1498,35 +1458,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap lpd_manage_spool(tmpreaper_t) ') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.2.1/policy/modules/admin/usermanage.te ---- nsaserefpolicy/policy/modules/admin/usermanage.te 2007-10-23 07:37:52.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/admin/usermanage.te 2007-11-30 13:59:13.000000000 -0500 -@@ -92,7 +92,9 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.2.2/policy/modules/admin/usermanage.te +--- nsaserefpolicy/policy/modules/admin/usermanage.te 2007-12-04 11:02:51.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/admin/usermanage.te 2007-12-04 11:11:03.000000000 -0500 +@@ -92,6 +92,7 @@ dev_read_urand(chfn_t) auth_domtrans_chk_passwd(chfn_t) +auth_domtrans_upd_passwd(chfn_t) auth_dontaudit_read_shadow(chfn_t) -+auth_use_nsswitch(chfn_t) - - # allow checking if a shell is executable - corecmd_check_exec_shell(chfn_t) -@@ -123,14 +125,6 @@ - # on user home dir - userdom_dontaudit_search_all_users_home_content(chfn_t) + auth_use_nsswitch(chfn_t) --optional_policy(` -- nis_use_ypbind(chfn_t) --') -- --optional_policy(` -- nscd_socket_use(chfn_t) --') -- - ######################################## - # - # Crack local policy -@@ -297,9 +291,11 @@ +@@ -290,6 +291,7 @@ term_use_all_user_ttys(passwd_t) term_use_all_user_ptys(passwd_t) @@ -1534,11 +1477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman auth_manage_shadow(passwd_t) auth_relabel_shadow(passwd_t) auth_etc_filetrans_shadow(passwd_t) -+auth_use_nsswitch(passwd_t) - - # allow checking if a shell is executable - corecmd_check_exec_shell(passwd_t) -@@ -315,6 +311,7 @@ +@@ -309,6 +311,7 @@ # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(passwd_t) @@ -1546,39 +1485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman libs_use_ld_so(passwd_t) libs_use_shared_libs(passwd_t) -@@ -335,11 +332,6 @@ - userdom_dontaudit_search_all_users_home_content(passwd_t) - - optional_policy(` -- nis_use_ypbind(passwd_t) --') -- --optional_policy(` -- nscd_socket_use(passwd_t) - nscd_domtrans(passwd_t) - ') - -@@ -393,6 +385,7 @@ - auth_manage_shadow(sysadm_passwd_t) - auth_relabel_shadow(sysadm_passwd_t) - auth_etc_filetrans_shadow(sysadm_passwd_t) -+auth_use_nsswitch(sysadm_passwd_t) - - # allow vipw to exec the editor - corecmd_exec_bin(sysadm_passwd_t) -@@ -426,11 +419,6 @@ - userdom_dontaudit_search_all_users_home_content(sysadm_passwd_t) - - optional_policy(` -- nis_use_ypbind(sysadm_passwd_t) --') -- --optional_policy(` -- nscd_socket_use(sysadm_passwd_t) - nscd_domtrans(sysadm_passwd_t) - ') - -@@ -533,6 +521,12 @@ +@@ -518,6 +521,12 @@ ') optional_policy(` @@ -1591,18 +1498,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.fc serefpolicy-3.2.1/policy/modules/admin/vpn.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.fc serefpolicy-3.2.2/policy/modules/admin/vpn.fc --- nsaserefpolicy/policy/modules/admin/vpn.fc 2006-11-16 17:15:26.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/admin/vpn.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/admin/vpn.fc 2007-12-04 11:11:03.000000000 -0500 @@ -7,3 +7,5 @@ # sbin # /sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0) + +/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if serefpolicy-3.2.1/policy/modules/admin/vpn.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if serefpolicy-3.2.2/policy/modules/admin/vpn.if --- nsaserefpolicy/policy/modules/admin/vpn.if 2007-01-02 12:57:51.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/admin/vpn.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/admin/vpn.if 2007-12-04 11:11:03.000000000 -0500 @@ -67,3 +67,25 @@ allow $1 vpnc_t:process signal; @@ -1629,10 +1536,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if + allow vpnc_t $1:dbus send_msg; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.2.1/policy/modules/admin/vpn.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.2.2/policy/modules/admin/vpn.te --- nsaserefpolicy/policy/modules/admin/vpn.te 2007-10-29 07:52:50.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/admin/vpn.te 2007-11-30 11:23:56.000000000 -0500 -@@ -22,7 +22,7 @@ ++++ serefpolicy-3.2.2/policy/modules/admin/vpn.te 2007-12-04 11:59:24.000000000 -0500 +@@ -22,10 +22,9 @@ # Local policy # @@ -1640,8 +1547,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te +allow vpnc_t self:capability { dac_override net_admin ipc_lock net_raw }; allow vpnc_t self:process getsched; allow vpnc_t self:fifo_file { getattr ioctl read write }; - allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms; -@@ -38,8 +38,9 @@ +-allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms; + allow vpnc_t self:tcp_socket create_stream_socket_perms; + allow vpnc_t self:udp_socket create_socket_perms; + allow vpnc_t self:rawip_socket create_socket_perms; +@@ -38,8 +37,9 @@ manage_files_pattern(vpnc_t,vpnc_tmp_t,vpnc_tmp_t) files_tmp_filetrans(vpnc_t, vpnc_tmp_t, { file dir }) @@ -1652,7 +1562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te kernel_read_system_state(vpnc_t) kernel_read_network_state(vpnc_t) -@@ -59,6 +60,7 @@ +@@ -59,6 +59,7 @@ corenet_udp_bind_all_nodes(vpnc_t) corenet_udp_bind_generic_port(vpnc_t) corenet_udp_bind_isakmp_port(vpnc_t) @@ -1660,7 +1570,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te corenet_tcp_connect_all_ports(vpnc_t) corenet_sendrecv_all_client_packets(vpnc_t) corenet_sendrecv_isakmp_server_packets(vpnc_t) -@@ -90,13 +92,14 @@ +@@ -82,6 +83,8 @@ + files_read_etc_files(vpnc_t) + files_dontaudit_search_home(vpnc_t) + ++auth_use_nsswitch(vpnc_t) ++ + libs_exec_ld_so(vpnc_t) + libs_exec_lib_files(vpnc_t) + libs_use_ld_so(vpnc_t) +@@ -90,13 +93,14 @@ locallogin_use_fds(vpnc_t) logging_send_syslog_msg(vpnc_t) @@ -1676,18 +1595,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te sysnet_etc_filetrans_config(vpnc_t) sysnet_manage_config(vpnc_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.fc serefpolicy-3.2.1/policy/modules/apps/ethereal.fc +@@ -111,10 +115,3 @@ + ') + ') + +-optional_policy(` +- nis_use_ypbind(vpnc_t) +-') +- +-optional_policy(` +- nscd_socket_use(vpnc_t) +-') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.fc serefpolicy-3.2.2/policy/modules/apps/ethereal.fc --- nsaserefpolicy/policy/modules/apps/ethereal.fc 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/ethereal.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/ethereal.fc 2007-12-04 11:11:03.000000000 -0500 @@ -1,4 +1,4 @@ -HOME_DIR/\.ethereal(/.*)? gen_context(system_u:object_r:ROLE_ethereal_home_t,s0) +HOME_DIR/\.ethereal(/.*)? gen_context(system_u:object_r:user_ethereal_home_t,s0) /usr/sbin/ethereal.* -- gen_context(system_u:object_r:ethereal_exec_t,s0) /usr/sbin/tethereal.* -- gen_context(system_u:object_r:tethereal_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.if serefpolicy-3.2.1/policy/modules/apps/ethereal.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.if serefpolicy-3.2.2/policy/modules/apps/ethereal.if --- nsaserefpolicy/policy/modules/apps/ethereal.if 2007-07-23 10:20:12.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/ethereal.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/ethereal.if 2007-12-04 11:11:03.000000000 -0500 @@ -48,12 +48,10 @@ application_domain($1_ethereal_t,ethereal_exec_t) role $3 types $1_ethereal_t; @@ -1723,9 +1653,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal ') ####################################### -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.te serefpolicy-3.2.1/policy/modules/apps/ethereal.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.te serefpolicy-3.2.2/policy/modules/apps/ethereal.te --- nsaserefpolicy/policy/modules/apps/ethereal.te 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/ethereal.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/ethereal.te 2007-12-04 11:11:03.000000000 -0500 @@ -16,6 +16,13 @@ type tethereal_tmp_t; files_tmp_file(tethereal_tmp_t) @@ -1740,9 +1670,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal ######################################## # # Tethereal policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/evolution.fc serefpolicy-3.2.1/policy/modules/apps/evolution.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/evolution.fc serefpolicy-3.2.2/policy/modules/apps/evolution.fc --- nsaserefpolicy/policy/modules/apps/evolution.fc 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/evolution.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/evolution.fc 2007-12-04 11:11:03.000000000 -0500 @@ -2,13 +2,13 @@ # HOME_DIR/ # @@ -1760,18 +1690,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/evolutio # # /usr -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.fc serefpolicy-3.2.1/policy/modules/apps/gift.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.fc serefpolicy-3.2.2/policy/modules/apps/gift.fc --- nsaserefpolicy/policy/modules/apps/gift.fc 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/gift.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/gift.fc 2007-12-04 11:11:03.000000000 -0500 @@ -1,4 +1,4 @@ -HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:ROLE_gift_home_t,s0) +HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:user_gift_home_t,s0) /usr/(local/)?bin/apollon -- gen_context(system_u:object_r:gift_exec_t,s0) /usr/(local/)?bin/giftd -- gen_context(system_u:object_r:giftd_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.if serefpolicy-3.2.1/policy/modules/apps/gift.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.if serefpolicy-3.2.2/policy/modules/apps/gift.if --- nsaserefpolicy/policy/modules/apps/gift.if 2007-07-23 10:20:12.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/gift.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/gift.if 2007-12-04 11:11:03.000000000 -0500 @@ -43,9 +43,9 @@ application_domain($1_gift_t,gift_exec_t) role $3 types $1_gift_t; @@ -1834,9 +1764,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.if domtrans_pattern($2, giftd_exec_t, $1_giftd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.te serefpolicy-3.2.1/policy/modules/apps/gift.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.te serefpolicy-3.2.2/policy/modules/apps/gift.te --- nsaserefpolicy/policy/modules/apps/gift.te 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/gift.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/gift.te 2007-12-04 11:11:03.000000000 -0500 @@ -11,3 +11,7 @@ type giftd_exec_t; @@ -1845,9 +1775,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.te +type user_gift_home_t alias user_gift_rw_t; +userdom_user_home_content(user,user_gift_home_t) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.2.1/policy/modules/apps/gnome.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.2.2/policy/modules/apps/gnome.fc --- nsaserefpolicy/policy/modules/apps/gnome.fc 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/gnome.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/gnome.fc 2007-12-04 11:11:03.000000000 -0500 @@ -1,8 +1,7 @@ -HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:ROLE_gnome_home_t,s0) -HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:ROLE_gconf_home_t,s0) @@ -1861,9 +1791,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc +/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:user_gconf_tmp_t,s0) /usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.2.1/policy/modules/apps/gnome.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.2.2/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2007-07-23 10:20:12.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/gnome.if 2007-11-30 11:28:22.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/gnome.if 2007-12-04 11:11:03.000000000 -0500 @@ -33,9 +33,56 @@ ## # @@ -2090,9 +2020,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if + can_exec($1, gconfd_exec_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.2.1/policy/modules/apps/gnome.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.2.2/policy/modules/apps/gnome.te --- nsaserefpolicy/policy/modules/apps/gnome.te 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/gnome.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/gnome.te 2007-12-04 11:11:03.000000000 -0500 @@ -8,8 +8,15 @@ attribute gnomedomain; @@ -2112,18 +2042,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te + +type user_gconf_tmp_t; +files_tmp_file(user_gconf_tmp_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.2.1/policy/modules/apps/gpg.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.2.2/policy/modules/apps/gpg.fc --- nsaserefpolicy/policy/modules/apps/gpg.fc 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/gpg.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/gpg.fc 2007-12-04 11:11:03.000000000 -0500 @@ -1,4 +1,4 @@ -HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:ROLE_gpg_secret_t,s0) +HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:user_gpg_secret_t,s0) /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.fc serefpolicy-3.2.1/policy/modules/apps/irc.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.fc serefpolicy-3.2.2/policy/modules/apps/irc.fc --- nsaserefpolicy/policy/modules/apps/irc.fc 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/irc.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/irc.fc 2007-12-04 11:11:03.000000000 -0500 @@ -1,7 +1,7 @@ # # /home @@ -2133,9 +2063,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.fc s # # /usr -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.if serefpolicy-3.2.1/policy/modules/apps/irc.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.if serefpolicy-3.2.2/policy/modules/apps/irc.if --- nsaserefpolicy/policy/modules/apps/irc.if 2007-07-23 10:20:12.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/irc.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/irc.if 2007-12-04 11:11:03.000000000 -0500 @@ -50,12 +50,11 @@ userdom_user_home_content($1,$1_irc_exec_t) application_domain($1_irc_t,$1_irc_exec_t) @@ -2182,9 +2112,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.if s # Transition from the user domain to the derived domain. domtrans_pattern($2,irc_exec_t,$1_irc_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.te serefpolicy-3.2.1/policy/modules/apps/irc.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.te serefpolicy-3.2.2/policy/modules/apps/irc.te --- nsaserefpolicy/policy/modules/apps/irc.te 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/irc.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/irc.te 2007-12-04 11:11:03.000000000 -0500 @@ -8,3 +8,10 @@ type irc_exec_t; @@ -2196,9 +2126,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.te s +type user_irc_tmp_t; +userdom_user_home_content(user,user_irc_tmp_t) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.2.1/policy/modules/apps/java.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.2.2/policy/modules/apps/java.fc --- nsaserefpolicy/policy/modules/apps/java.fc 2007-03-01 10:01:48.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/apps/java.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/java.fc 2007-12-04 11:11:03.000000000 -0500 @@ -11,6 +11,7 @@ # /usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0) @@ -2219,9 +2149,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc + +/usr/lib(64)?/openoffice\.org/program/soffice\.bin -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.2.1/policy/modules/apps/java.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.2.2/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/java.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/java.if 2007-12-04 11:11:03.000000000 -0500 @@ -32,7 +32,7 @@ ## ## @@ -2377,9 +2307,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if + role $2 types java_t; + allow java_t $3:chr_file rw_term_perms; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.2.1/policy/modules/apps/java.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.2.2/policy/modules/apps/java.te --- nsaserefpolicy/policy/modules/apps/java.te 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/java.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/java.te 2007-12-04 11:11:03.000000000 -0500 @@ -6,13 +6,6 @@ # Declarations # @@ -2421,18 +2351,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te +optional_policy(` + xserver_xdm_rw_shm(java_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.2.1/policy/modules/apps/loadkeys.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.2.2/policy/modules/apps/loadkeys.te --- nsaserefpolicy/policy/modules/apps/loadkeys.te 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/loadkeys.te 2007-12-01 08:16:19.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/loadkeys.te 2007-12-04 11:11:03.000000000 -0500 @@ -44,3 +44,5 @@ optional_policy(` nscd_dontaudit_search_pid(loadkeys_t) ') + +userdom_dontaudit_write_unpriv_user_home_content_files(loadkeys_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.2.1/policy/modules/apps/mono.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.2.2/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2007-01-02 12:57:22.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/apps/mono.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/mono.if 2007-12-04 11:11:03.000000000 -0500 @@ -18,3 +18,105 @@ corecmd_search_bin($1) domtrans_pattern($1, mono_exec_t, mono_t) @@ -2539,9 +2469,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if + xserver_xdm_rw_shm($1_mono_t) + ') +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.2.1/policy/modules/apps/mono.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.2.2/policy/modules/apps/mono.te --- nsaserefpolicy/policy/modules/apps/mono.te 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/mono.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/mono.te 2007-12-04 11:11:03.000000000 -0500 @@ -15,7 +15,7 @@ # Local policy # @@ -2559,9 +2489,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te +optional_policy(` + xserver_xdm_rw_shm(mono_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.2.1/policy/modules/apps/mozilla.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.2.2/policy/modules/apps/mozilla.fc --- nsaserefpolicy/policy/modules/apps/mozilla.fc 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/mozilla.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/mozilla.fc 2007-12-04 11:11:03.000000000 -0500 @@ -1,8 +1,8 @@ -HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) -HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) @@ -2576,9 +2506,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. # # /bin -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.2.1/policy/modules/apps/mozilla.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.2.2/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-10-29 07:52:48.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/mozilla.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/mozilla.if 2007-12-04 11:11:03.000000000 -0500 @@ -35,7 +35,10 @@ template(`mozilla_per_role_template',` gen_require(` @@ -2989,9 +2919,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. + + allow $2 $1_mozilla_t:unix_stream_socket connectto; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.2.1/policy/modules/apps/mozilla.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.2.2/policy/modules/apps/mozilla.te --- nsaserefpolicy/policy/modules/apps/mozilla.te 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/mozilla.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/mozilla.te 2007-12-04 11:11:03.000000000 -0500 @@ -6,15 +6,15 @@ # Declarations # @@ -3015,18 +2945,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. + +type user_mozilla_tmp_t; +files_tmp_file(user_mozilla_tmp_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.fc serefpolicy-3.2.1/policy/modules/apps/mplayer.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.fc serefpolicy-3.2.2/policy/modules/apps/mplayer.fc --- nsaserefpolicy/policy/modules/apps/mplayer.fc 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/mplayer.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/mplayer.fc 2007-12-04 11:11:03.000000000 -0500 @@ -10,4 +10,4 @@ /usr/bin/mencoder -- gen_context(system_u:object_r:mencoder_exec_t,s0) /usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0) -HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:ROLE_mplayer_home_t,s0) +HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:user_mplayer_home_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.2.1/policy/modules/apps/mplayer.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.2.2/policy/modules/apps/mplayer.if --- nsaserefpolicy/policy/modules/apps/mplayer.if 2007-07-23 10:20:12.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/mplayer.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/mplayer.if 2007-12-04 11:11:03.000000000 -0500 @@ -35,6 +35,7 @@ template(`mplayer_per_role_template',` gen_require(` @@ -3104,9 +3034,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer. - read_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t) + read_files_pattern($2,user_mplayer_home_t,user_mplayer_home_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.te serefpolicy-3.2.1/policy/modules/apps/mplayer.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.te serefpolicy-3.2.2/policy/modules/apps/mplayer.te --- nsaserefpolicy/policy/modules/apps/mplayer.te 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/mplayer.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/mplayer.te 2007-12-04 11:11:03.000000000 -0500 @@ -22,3 +22,7 @@ type mplayer_exec_t; corecmd_executable_file(mplayer_exec_t) @@ -3115,9 +3045,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer. +type user_mplayer_home_t alias user_mplayer_rw_t; +userdom_user_home_content(user,user_mplayer_home_t) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.2.1/policy/modules/apps/screen.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.2.2/policy/modules/apps/screen.fc --- nsaserefpolicy/policy/modules/apps/screen.fc 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/screen.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/screen.fc 2007-12-04 11:11:03.000000000 -0500 @@ -1,7 +1,7 @@ # # /home @@ -3127,9 +3057,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.f # # /usr -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.2.1/policy/modules/apps/screen.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.2.2/policy/modules/apps/screen.if --- nsaserefpolicy/policy/modules/apps/screen.if 2007-07-23 10:20:12.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/screen.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/screen.if 2007-12-04 11:11:03.000000000 -0500 @@ -50,8 +50,9 @@ type $1_screen_tmp_t; files_tmp_file($1_screen_tmp_t) @@ -3174,9 +3104,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.i kernel_read_system_state($1_screen_t) kernel_read_kernel_sysctls($1_screen_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.te serefpolicy-3.2.1/policy/modules/apps/screen.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.te serefpolicy-3.2.2/policy/modules/apps/screen.te --- nsaserefpolicy/policy/modules/apps/screen.te 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/screen.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/screen.te 2007-12-04 11:11:03.000000000 -0500 @@ -11,3 +11,7 @@ type screen_exec_t; @@ -3185,18 +3115,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.t +type user_screen_ro_home_t; +userdom_user_home_content(user,user_screen_ro_home_t) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.fc serefpolicy-3.2.1/policy/modules/apps/thunderbird.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.fc serefpolicy-3.2.2/policy/modules/apps/thunderbird.fc --- nsaserefpolicy/policy/modules/apps/thunderbird.fc 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/thunderbird.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/thunderbird.fc 2007-12-04 11:11:03.000000000 -0500 @@ -3,4 +3,4 @@ # /usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0) -HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:ROLE_thunderbird_home_t,s0) +HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:user_thunderbird_home_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.if serefpolicy-3.2.1/policy/modules/apps/thunderbird.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.if serefpolicy-3.2.2/policy/modules/apps/thunderbird.if --- nsaserefpolicy/policy/modules/apps/thunderbird.if 2007-10-29 07:52:48.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/thunderbird.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/thunderbird.if 2007-12-04 12:00:37.000000000 -0500 @@ -43,9 +43,9 @@ application_domain($1_thunderbird_t,thunderbird_exec_t) role $3 types $1_thunderbird_t; @@ -3210,8 +3140,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderb type $1_thunderbird_tmpfs_t; files_tmpfs_file($1_thunderbird_tmpfs_t) -@@ -65,9 +65,9 @@ - allow $1_thunderbird_t self:netlink_route_socket r_netlink_socket_perms; +@@ -62,12 +62,11 @@ + allow $1_thunderbird_t self:unix_stream_socket { create accept connect write getattr read listen bind }; + allow $1_thunderbird_t self:tcp_socket create_socket_perms; + allow $1_thunderbird_t self:shm { read write create destroy unix_read unix_write }; +- allow $1_thunderbird_t self:netlink_route_socket r_netlink_socket_perms; # Access ~/.thunderbird - manage_dirs_pattern($1_thunderbird_t,$1_thunderbird_home_t,$1_thunderbird_home_t) @@ -3223,7 +3156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderb userdom_search_user_home_dirs($1,$1_thunderbird_t) manage_files_pattern($1_thunderbird_t,$1_thunderbird_tmpfs_t,$1_thunderbird_tmpfs_t) -@@ -88,13 +88,13 @@ +@@ -88,13 +87,13 @@ ps_process_pattern($2,$1_thunderbird_t) # Access ~/.thunderbird @@ -3244,9 +3177,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderb # Allow netstat kernel_read_network_state($1_thunderbird_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.te serefpolicy-3.2.1/policy/modules/apps/thunderbird.te +@@ -145,6 +144,8 @@ + fs_list_inotifyfs($1_thunderbird_t) + # Access ~/.thunderbird + fs_search_auto_mountpoints($1_thunderbird_t) ++ ++ auth_use_nsswitch($1_thunderbird_t) + + libs_use_shared_libs($1_thunderbird_t) + libs_use_ld_so($1_thunderbird_t) +@@ -341,14 +342,6 @@ + mozilla_dbus_chat($1, $1_thunderbird_t) + ') + +- optional_policy(` +- nis_use_ypbind($1_thunderbird_t) +- ') +- +- optional_policy(` +- nscd_socket_use($1_thunderbird_t) +- ') +- + ifdef(`TODO',` + # FIXME: Rules were removed to centralize policy in a gnome_app macro + # A similar thing might be necessary for mozilla compiled without GNOME +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.te serefpolicy-3.2.2/policy/modules/apps/thunderbird.te --- nsaserefpolicy/policy/modules/apps/thunderbird.te 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/thunderbird.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/thunderbird.te 2007-12-04 11:11:03.000000000 -0500 @@ -8,3 +8,7 @@ type thunderbird_exec_t; @@ -3255,9 +3212,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderb +type user_thunderbird_home_t alias user_thunderbird_rw_t; +userdom_user_home_content(user, user_thunderbird_home_t) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.if serefpolicy-3.2.1/policy/modules/apps/tvtime.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.if serefpolicy-3.2.2/policy/modules/apps/tvtime.if --- nsaserefpolicy/policy/modules/apps/tvtime.if 2007-07-23 10:20:12.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/tvtime.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/tvtime.if 2007-12-04 11:11:03.000000000 -0500 @@ -46,12 +46,10 @@ application_domain($1_tvtime_t,tvtime_exec_t) role $3 types $1_tvtime_t; @@ -3317,9 +3274,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.i # Allow the user domain to signal/ps. ps_process_pattern($2,$1_tvtime_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.te serefpolicy-3.2.1/policy/modules/apps/tvtime.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.te serefpolicy-3.2.2/policy/modules/apps/tvtime.te --- nsaserefpolicy/policy/modules/apps/tvtime.te 2007-10-02 09:54:50.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/tvtime.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/tvtime.te 2007-12-04 11:11:03.000000000 -0500 @@ -11,3 +11,9 @@ type tvtime_dir_t; @@ -3330,9 +3287,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.t + +type user_tvtime_tmp_t; +files_tmp_file(user_tvtime_tmp_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.fc serefpolicy-3.2.1/policy/modules/apps/uml.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.fc serefpolicy-3.2.2/policy/modules/apps/uml.fc --- nsaserefpolicy/policy/modules/apps/uml.fc 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/uml.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/uml.fc 2007-12-04 11:11:03.000000000 -0500 @@ -1,7 +1,7 @@ # # HOME_DIR/ @@ -3342,9 +3299,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.fc s # # /usr -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.if serefpolicy-3.2.1/policy/modules/apps/userhelper.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.if serefpolicy-3.2.2/policy/modules/apps/userhelper.if --- nsaserefpolicy/policy/modules/apps/userhelper.if 2007-07-23 10:20:12.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/userhelper.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/userhelper.if 2007-12-04 11:11:03.000000000 -0500 @@ -130,6 +130,7 @@ term_use_all_user_ptys($1_userhelper_t) @@ -3378,9 +3335,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.2.1/policy/modules/apps/vmware.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.2.2/policy/modules/apps/vmware.fc --- nsaserefpolicy/policy/modules/apps/vmware.fc 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/vmware.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/vmware.fc 2007-12-04 11:11:03.000000000 -0500 @@ -1,9 +1,9 @@ # # HOME_DIR/ @@ -3425,9 +3382,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.f /opt/vmware/workstation/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0) ') +/var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.2.1/policy/modules/apps/vmware.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.2.2/policy/modules/apps/vmware.if --- nsaserefpolicy/policy/modules/apps/vmware.if 2007-02-19 11:32:52.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/apps/vmware.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/vmware.if 2007-12-04 11:11:03.000000000 -0500 @@ -202,3 +202,22 @@ allow $1 vmware_sys_conf_t:file append; @@ -3451,9 +3408,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.i + logging_search_logs($1) + append_files_pattern($1,vmware_log_t,vmware_log_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.2.1/policy/modules/apps/vmware.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.2.2/policy/modules/apps/vmware.te --- nsaserefpolicy/policy/modules/apps/vmware.te 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/vmware.te 2007-12-02 21:31:37.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/vmware.te 2007-12-04 11:11:03.000000000 -0500 @@ -22,17 +22,21 @@ type vmware_var_run_t; files_pid_file(vmware_var_run_t) @@ -3498,9 +3455,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t dev_rw_vmware(vmware_host_t) domain_use_interactive_fds(vmware_host_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.2.1/policy/modules/apps/wine.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.2.2/policy/modules/apps/wine.if --- nsaserefpolicy/policy/modules/apps/wine.if 2007-09-12 10:34:17.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/wine.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/wine.if 2007-12-04 11:11:03.000000000 -0500 @@ -49,3 +49,53 @@ role $2 types wine_t; allow wine_t $3:chr_file rw_term_perms; @@ -3555,9 +3512,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if + xserver_xdm_rw_shm($1_wine_t) + ') +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.2.1/policy/modules/apps/wine.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.2.2/policy/modules/apps/wine.te --- nsaserefpolicy/policy/modules/apps/wine.te 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/wine.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/apps/wine.te 2007-12-04 11:11:03.000000000 -0500 @@ -9,6 +9,7 @@ type wine_t; type wine_exec_t; @@ -3582,9 +3539,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te +optional_policy(` + xserver_xdm_rw_shm(wine_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.1/policy/modules/kernel/corecommands.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.2/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/kernel/corecommands.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/kernel/corecommands.fc 2007-12-04 11:11:03.000000000 -0500 @@ -168,8 +168,10 @@ /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) @@ -3614,9 +3571,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco +/etc/apcupsd/mastertimeout -- gen_context(system_u:object_r:bin_t,s0) +/etc/apcupsd/offbattery -- gen_context(system_u:object_r:bin_t,s0) +/etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.2.1/policy/modules/kernel/corecommands.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.2.2/policy/modules/kernel/corecommands.if --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2007-11-14 08:17:58.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/kernel/corecommands.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/kernel/corecommands.if 2007-12-04 11:11:03.000000000 -0500 @@ -875,6 +875,7 @@ read_lnk_files_pattern($1,bin_t,bin_t) @@ -3625,9 +3582,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.1/policy/modules/kernel/corenetwork.te.in +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.2/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-11-29 13:29:34.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/kernel/corenetwork.te.in 2007-11-30 11:41:04.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/kernel/corenetwork.te.in 2007-12-04 11:11:03.000000000 -0500 @@ -133,6 +133,7 @@ network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) @@ -3636,9 +3593,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postgresql, tcp,5432,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.2.1/policy/modules/kernel/devices.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.2.2/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-11-14 16:20:13.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/kernel/devices.fc 2007-11-30 11:41:53.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/kernel/devices.fc 2007-12-04 11:11:03.000000000 -0500 @@ -4,6 +4,7 @@ /dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0) @@ -3686,9 +3643,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ifdef(`distro_gentoo',` # used by init scripts to initally populate udev /dev -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.2.1/policy/modules/kernel/devices.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.2.2/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/kernel/devices.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/kernel/devices.if 2007-12-04 11:11:03.000000000 -0500 @@ -65,7 +65,7 @@ relabelfrom_dirs_pattern($1,device_t,device_node) @@ -3843,9 +3800,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device typeattribute $1 devices_unconfined_type; ') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.2.1/policy/modules/kernel/devices.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.2.2/policy/modules/kernel/devices.te --- nsaserefpolicy/policy/modules/kernel/devices.te 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/kernel/devices.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/kernel/devices.te 2007-12-04 11:11:03.000000000 -0500 @@ -72,6 +72,13 @@ dev_node(kmsg_device_t) @@ -3860,9 +3817,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device # Type for /dev/mapper/control # type lvm_control_t; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.2.1/policy/modules/kernel/domain.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.2.2/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2007-11-29 13:29:34.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/kernel/domain.te 2007-11-30 11:34:23.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/kernel/domain.te 2007-12-04 11:11:03.000000000 -0500 @@ -148,3 +148,15 @@ # receive from all domains over labeled networking @@ -3879,9 +3836,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +optional_policy(` + unconfined_dontaudit_rw_pipes(domain) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.2.1/policy/modules/kernel/files.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.2.2/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/kernel/files.if 2007-12-01 06:48:16.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/kernel/files.if 2007-12-04 11:11:03.000000000 -0500 @@ -1266,6 +1266,24 @@ ######################################## @@ -3970,9 +3927,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. + filetrans_pattern($1,root_t,default_t,dir) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.2.1/policy/modules/kernel/files.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.2.2/policy/modules/kernel/files.te --- nsaserefpolicy/policy/modules/kernel/files.te 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/kernel/files.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/kernel/files.te 2007-12-04 11:11:03.000000000 -0500 @@ -55,6 +55,9 @@ # compatibility aliases for removed types: typealias etc_t alias automount_etc_t; @@ -3983,9 +3940,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # # etc_runtime_t is the type of various -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.2.1/policy/modules/kernel/filesystem.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.2.2/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/kernel/filesystem.te 2007-12-01 08:42:02.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/kernel/filesystem.te 2007-12-04 11:11:03.000000000 -0500 @@ -25,6 +25,8 @@ fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); @@ -4007,9 +3964,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy type vxfs_t; fs_noxattr_type(vxfs_t) files_mountpoint(vxfs_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.2.1/policy/modules/kernel/kernel.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.2.2/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/kernel/kernel.if 2007-11-30 11:30:39.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/kernel/kernel.if 2007-12-04 11:11:03.000000000 -0500 @@ -1194,6 +1194,7 @@ ') @@ -4026,9 +3983,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.2.1/policy/modules/kernel/selinux.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.2.2/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2007-11-16 13:45:14.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/kernel/selinux.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/kernel/selinux.if 2007-12-04 11:11:03.000000000 -0500 @@ -164,6 +164,7 @@ type security_t; ') @@ -4119,9 +4076,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu + fs_type($1) + mls_trusted_object($1) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.te serefpolicy-3.2.1/policy/modules/kernel/selinux.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.te serefpolicy-3.2.2/policy/modules/kernel/selinux.te --- nsaserefpolicy/policy/modules/kernel/selinux.te 2007-11-16 13:45:14.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/kernel/selinux.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/kernel/selinux.te 2007-12-04 11:11:03.000000000 -0500 @@ -10,6 +10,7 @@ attribute can_setenforce; attribute can_setsecparam; @@ -4142,9 +4099,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy; neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce; neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.2.1/policy/modules/kernel/terminal.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.2.2/policy/modules/kernel/terminal.fc --- nsaserefpolicy/policy/modules/kernel/terminal.fc 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/kernel/terminal.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/kernel/terminal.fc 2007-12-04 11:11:03.000000000 -0500 @@ -14,6 +14,7 @@ /dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0) @@ -4153,9 +4110,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) /dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.2.1/policy/modules/services/amavis.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.2.2/policy/modules/services/amavis.te --- nsaserefpolicy/policy/modules/services/amavis.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/amavis.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/amavis.te 2007-12-04 11:11:03.000000000 -0500 @@ -65,6 +65,7 @@ # Spool Files manage_dirs_pattern(amavis_t,amavis_spool_t,amavis_spool_t) @@ -4172,9 +4129,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav corenet_tcp_connect_razor_port(amavis_t) dev_read_rand(amavis_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.2.1/policy/modules/services/apache.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.2.2/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/apache.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/apache.fc 2007-12-04 11:11:03.000000000 -0500 @@ -16,7 +16,6 @@ /usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) @@ -4200,9 +4157,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) + +/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.2.1/policy/modules/services/apache.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.2.2/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2007-10-23 17:17:42.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/apache.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/apache.if 2007-12-04 11:11:03.000000000 -0500 @@ -18,10 +18,6 @@ attribute httpd_script_exec_type; type httpd_t, httpd_suexec_t, httpd_log_t; @@ -4291,7 +4248,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac optional_policy(` tunable_policy(`httpd_enable_cgi && allow_ypbind',` nis_use_ypbind_uncond(httpd_$1_script_t) -@@ -352,12 +301,11 @@ +@@ -267,7 +216,7 @@ + attribute httpdcontent, httpd_script_domains; + attribute httpd_exec_scripts, httpd_user_content_type; + attribute httpd_user_script_exec_type; +- type httpd_t, httpd_suexec_t, httpd_log_t; ++ type httpd_t, httpd_suexec_t, httpd_log_t, httpd_sys_script_t; + ') + + apache_content_template($1) +@@ -331,6 +280,7 @@ + userdom_search_user_home_dirs($1,httpd_t) + userdom_search_user_home_dirs($1,httpd_suexec_t) + userdom_search_user_home_dirs($1,httpd_$1_script_t) ++ userdom_search_user_home_dirs($1,httpd_sys_script_t) + ') + ') + +@@ -352,12 +302,11 @@ # template(`apache_read_user_scripts',` gen_require(` @@ -4308,7 +4282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -378,12 +326,12 @@ +@@ -378,12 +327,12 @@ # template(`apache_read_user_content',` gen_require(` @@ -4325,7 +4299,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -761,6 +709,7 @@ +@@ -761,6 +710,7 @@ ') allow $1 httpd_modules_t:dir list_dir_perms; @@ -4333,7 +4307,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -845,6 +794,10 @@ +@@ -845,6 +795,10 @@ type httpd_sys_script_t; ') @@ -4344,7 +4318,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified',` domtrans_pattern($1, httpdcontent, httpd_sys_script_t) ') -@@ -932,7 +885,7 @@ +@@ -932,7 +886,7 @@ type httpd_squirrelmail_t; ') @@ -4353,7 +4327,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -1088,3 +1041,138 @@ +@@ -1088,3 +1042,138 @@ allow httpd_t $1:process signal; ') @@ -4492,9 +4466,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +# allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms; +# allow httpd_setsebool_t httpd_bool_t:file rw_file_perms; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.2.1/policy/modules/services/apache.te ---- nsaserefpolicy/policy/modules/services/apache.te 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/apache.te 2007-11-30 11:55:41.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.2.2/policy/modules/services/apache.te +--- nsaserefpolicy/policy/modules/services/apache.te 2007-12-04 11:02:50.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/apache.te 2007-12-04 11:32:34.000000000 -0500 @@ -20,20 +20,22 @@ # Declarations # @@ -4641,12 +4615,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac libs_use_ld_so(httpd_t) libs_use_shared_libs(httpd_t) -@@ -346,12 +385,8 @@ - - seutil_dontaudit_search_config(httpd_t) +@@ -348,8 +387,6 @@ --sysnet_read_config(httpd_t) -- userdom_use_unpriv_users_fds(httpd_t) -mta_send_mail(httpd_t) @@ -4654,7 +4624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`allow_httpd_anon_write',` miscfiles_manage_public_files(httpd_t) ') -@@ -360,8 +395,16 @@ +@@ -358,8 +395,16 @@ # # We need optionals to be able to be within booleans to make this work # @@ -4671,7 +4641,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -369,6 +412,16 @@ +@@ -367,6 +412,16 @@ corenet_tcp_connect_all_ports(httpd_t) ') @@ -4688,7 +4658,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_relay',` # allow httpd to work as a relay corenet_tcp_connect_gopher_port(httpd_t) -@@ -381,6 +434,10 @@ +@@ -379,6 +434,10 @@ corenet_sendrecv_http_cache_client_packets(httpd_t) ') @@ -4699,7 +4669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) -@@ -398,11 +455,21 @@ +@@ -396,11 +455,21 @@ fs_read_nfs_symlinks(httpd_t) ') @@ -4721,7 +4691,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -436,8 +503,14 @@ +@@ -434,8 +503,14 @@ ') optional_policy(` @@ -4737,7 +4707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -449,19 +522,13 @@ +@@ -447,19 +522,13 @@ ') optional_policy(` @@ -4758,7 +4728,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -471,13 +538,14 @@ +@@ -469,13 +538,14 @@ openca_kill(httpd_t) ') @@ -4777,7 +4747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -485,6 +553,7 @@ +@@ -483,6 +553,7 @@ ') optional_policy(` @@ -4785,7 +4755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -520,6 +589,13 @@ +@@ -518,6 +589,13 @@ userdom_use_sysadm_terms(httpd_helper_t) ') @@ -4799,7 +4769,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -549,18 +625,24 @@ +@@ -547,18 +625,24 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -4827,35 +4797,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -571,7 +653,6 @@ - allow httpd_suexec_t self:capability { setuid setgid }; - allow httpd_suexec_t self:process signal_perms; - allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; --allow httpd_suexec_t self:netlink_route_socket r_netlink_socket_perms; - - domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) - -@@ -585,6 +666,10 @@ +@@ -582,6 +666,8 @@ manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) -+auth_use_nsswitch(httpd_suexec_t) -+ +can_exec(httpd_suexec_t, httpd_sys_script_exec_t) + kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -624,8 +709,6 @@ - corenet_udp_sendrecv_all_ports(httpd_suexec_t) - corenet_tcp_connect_all_ports(httpd_suexec_t) - corenet_sendrecv_all_client_packets(httpd_suexec_t) -- -- sysnet_read_config(httpd_suexec_t) - ') - - tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -638,6 +721,12 @@ +@@ -635,6 +721,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -4868,7 +4819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -655,18 +744,6 @@ +@@ -652,10 +744,6 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -4876,18 +4827,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac - nagios_domtrans_cgi(httpd_suexec_t) -') - --optional_policy(` -- nis_use_ypbind(httpd_suexec_t) --') -- --optional_policy(` -- nscd_socket_use(httpd_suexec_t) --') -- ######################################## # # Apache system script local policy -@@ -676,7 +753,8 @@ +@@ -665,7 +753,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -4897,7 +4840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) -@@ -690,15 +768,44 @@ +@@ -679,15 +768,44 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -4909,15 +4852,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +tunable_policy(`httpd_use_nfs', ` - fs_read_nfs_files(httpd_sys_script_t) - fs_read_nfs_symlinks(httpd_sys_script_t) - ') - -+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', ` + fs_read_nfs_files(httpd_sys_script_t) + fs_read_nfs_symlinks(httpd_sys_script_t) +') + ++tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', ` + fs_read_nfs_files(httpd_sys_script_t) + fs_read_nfs_symlinks(httpd_sys_script_t) + ') + +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` + allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; + allow httpd_sys_script_t self:udp_socket create_socket_perms; @@ -4943,7 +4886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -708,9 +815,15 @@ +@@ -697,9 +815,15 @@ clamav_domtrans_clamscan(httpd_sys_script_t) ') @@ -4959,7 +4902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -732,3 +845,46 @@ +@@ -721,3 +845,46 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) @@ -5006,9 +4949,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +optional_policy(` + postgresql_stream_connect(httpd_bugzilla_script_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.if serefpolicy-3.2.1/policy/modules/services/apcupsd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.if serefpolicy-3.2.2/policy/modules/services/apcupsd.if --- nsaserefpolicy/policy/modules/services/apcupsd.if 2007-09-12 10:34:18.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/apcupsd.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/apcupsd.if 2007-12-04 11:11:03.000000000 -0500 @@ -90,10 +90,29 @@ ## ## @@ -5040,9 +4983,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu + allow $1 apcupsd_tmp_t:file read_file_perms; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.2.1/policy/modules/services/apcupsd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.2.2/policy/modules/services/apcupsd.te --- nsaserefpolicy/policy/modules/services/apcupsd.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/apcupsd.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/apcupsd.te 2007-12-04 11:11:03.000000000 -0500 @@ -86,6 +86,11 @@ miscfiles_read_localization(apcupsd_t) @@ -5055,18 +4998,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu optional_policy(` hostname_exec(apcupsd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.fc serefpolicy-3.2.1/policy/modules/services/automount.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.fc serefpolicy-3.2.2/policy/modules/services/automount.fc --- nsaserefpolicy/policy/modules/services/automount.fc 2007-02-19 11:32:53.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/automount.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/automount.fc 2007-12-04 11:11:03.000000000 -0500 @@ -12,4 +12,4 @@ # /var # -/var/run/autofs(/.*)? gen_context(system_u:object_r:automount_var_run_t,s0) +/var/run/autofs.* gen_context(system_u:object_r:automount_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.2.1/policy/modules/services/automount.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.2.2/policy/modules/services/automount.if --- nsaserefpolicy/policy/modules/services/automount.if 2007-03-26 10:39:04.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/automount.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/automount.if 2007-12-04 11:11:03.000000000 -0500 @@ -74,3 +74,21 @@ dontaudit $1 automount_tmp_t:dir getattr; @@ -5089,9 +5032,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto + + dontaudit $1 automount_t:fd use; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.2.1/policy/modules/services/automount.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.2.2/policy/modules/services/automount.te --- nsaserefpolicy/policy/modules/services/automount.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/automount.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/automount.te 2007-12-04 11:11:03.000000000 -0500 @@ -52,7 +52,8 @@ files_root_filetrans(automount_t,automount_tmp_t,dir) @@ -5131,9 +5074,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto seutil_sigchld_newrole(automount_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.2.1/policy/modules/services/avahi.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.2.2/policy/modules/services/avahi.te --- nsaserefpolicy/policy/modules/services/avahi.te 2007-10-29 07:52:49.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/avahi.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/avahi.te 2007-12-04 11:11:03.000000000 -0500 @@ -85,6 +85,7 @@ dbus_connect_system_bus(avahi_t) @@ -5142,9 +5085,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.2.1/policy/modules/services/bind.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.2.2/policy/modules/services/bind.te --- nsaserefpolicy/policy/modules/services/bind.te 2007-10-29 07:52:49.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/bind.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/bind.te 2007-12-04 11:11:03.000000000 -0500 @@ -9,7 +9,7 @@ ## ##

@@ -5154,17 +5097,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind ##

## gen_tunable(named_write_master_zones,false) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.fc serefpolicy-3.2.1/policy/modules/services/bluetooth.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.fc serefpolicy-3.2.2/policy/modules/services/bluetooth.fc --- nsaserefpolicy/policy/modules/services/bluetooth.fc 2006-11-16 17:15:20.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/bluetooth.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/bluetooth.fc 2007-12-04 11:11:03.000000000 -0500 @@ -22,3 +22,4 @@ # /var/lib/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_var_lib_t,s0) /var/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0) +/var/run/bluetoothd_address gen_context(system_u:object_r:bluetooth_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.2.1/policy/modules/services/bluetooth.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.2.2/policy/modules/services/bluetooth.te --- nsaserefpolicy/policy/modules/services/bluetooth.te 2007-10-29 07:52:49.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/bluetooth.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/bluetooth.te 2007-12-04 11:11:03.000000000 -0500 @@ -44,7 +44,7 @@ allow bluetooth_t self:shm create_shm_perms; allow bluetooth_t self:socket create_stream_socket_perms; @@ -5182,9 +5125,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.2.1/policy/modules/services/clamav.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.2.2/policy/modules/services/clamav.fc --- nsaserefpolicy/policy/modules/services/clamav.fc 2007-09-05 15:24:44.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/clamav.fc 2007-12-01 07:49:02.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/clamav.fc 2007-12-04 11:11:03.000000000 -0500 @@ -5,16 +5,18 @@ /usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0) @@ -5206,9 +5149,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam +/var/log/clamav.milter -- gen_context(system_u:object_r:clamd_var_log_t,s0) /var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.2.1/policy/modules/services/clamav.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.2.2/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/clamav.te 2007-12-01 08:04:25.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/clamav.te 2007-12-04 11:11:03.000000000 -0500 @@ -87,6 +87,7 @@ kernel_dontaudit_list_proc(clamd_t) kernel_read_sysctl(clamd_t) @@ -5245,60 +5188,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam +optional_policy(` + mailscanner_manage_spool(clamscan_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/comsat.te serefpolicy-3.2.1/policy/modules/services/comsat.te ---- nsaserefpolicy/policy/modules/services/comsat.te 2007-07-16 14:09:46.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/comsat.te 2007-11-30 11:23:56.000000000 -0500 -@@ -57,6 +57,8 @@ - files_search_spool(comsat_t) - files_search_home(comsat_t) - -+auth_use_nsswitch(comsat_t) -+ - init_read_utmp(comsat_t) - init_dontaudit_write_utmp(comsat_t) - -@@ -67,8 +69,6 @@ - - miscfiles_read_localization(comsat_t) - --sysnet_read_config(comsat_t) -- - userdom_dontaudit_getattr_sysadm_ttys(comsat_t) - - mta_getattr_spool(comsat_t) -@@ -77,10 +77,3 @@ - kerberos_use(comsat_t) - ') - --optional_policy(` -- nis_use_ypbind(comsat_t) --') -- --optional_policy(` -- nscd_socket_use(comsat_t) --') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.2.1/policy/modules/services/consolekit.te ---- nsaserefpolicy/policy/modules/services/consolekit.te 2007-10-29 07:52:49.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/consolekit.te 2007-11-30 11:23:56.000000000 -0500 -@@ -10,7 +10,6 @@ - type consolekit_exec_t; - init_daemon_domain(consolekit_t, consolekit_exec_t) - --# pid files - type consolekit_var_run_t; - files_pid_file(consolekit_var_run_t) - -@@ -25,7 +24,8 @@ - allow consolekit_t self:unix_stream_socket create_stream_socket_perms; - allow consolekit_t self:unix_dgram_socket create_socket_perms; - --# pid file -+auth_use_nsswitch(consolekit_t) -+ - manage_files_pattern(consolekit_t,consolekit_var_run_t,consolekit_var_run_t) - files_pid_filetrans(consolekit_t,consolekit_var_run_t, file) - -@@ -38,6 +38,7 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.2.2/policy/modules/services/consolekit.te +--- nsaserefpolicy/policy/modules/services/consolekit.te 2007-12-04 11:02:50.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/consolekit.te 2007-12-04 11:32:56.000000000 -0500 +@@ -36,6 +36,7 @@ domain_read_all_domains_state(consolekit_t) domain_use_interactive_fds(consolekit_t) @@ -5332,9 +5225,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons + #reading .Xauthity + unconfined_ptrace(consolekit_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.2.1/policy/modules/services/courier.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.2.2/policy/modules/services/courier.te --- nsaserefpolicy/policy/modules/services/courier.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/courier.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/courier.te 2007-12-04 11:11:03.000000000 -0500 @@ -58,6 +58,7 @@ files_getattr_tmp_dirs(courier_authdaemon_t) @@ -5343,9 +5236,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cour libs_read_lib_files(courier_authdaemon_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.2.1/policy/modules/services/cron.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.2.2/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2006-11-16 17:15:21.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/cron.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/cron.fc 2007-12-04 11:11:03.000000000 -0500 @@ -17,6 +17,8 @@ /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) @@ -5360,9 +5253,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) +/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.2.1/policy/modules/services/cron.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.2.2/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/cron.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/cron.if 2007-12-04 11:11:03.000000000 -0500 @@ -35,38 +35,23 @@ # template(`cron_per_role_template',` @@ -5612,9 +5505,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ## Read, and write cron daemon TCP sockets. ## ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.2.1/policy/modules/services/cron.te ---- nsaserefpolicy/policy/modules/services/cron.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/cron.te 2007-11-30 11:23:56.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.2.2/policy/modules/services/cron.te +--- nsaserefpolicy/policy/modules/services/cron.te 2007-12-04 11:02:50.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/cron.te 2007-12-04 12:03:47.000000000 -0500 @@ -50,6 +50,7 @@ type crond_tmp_t; @@ -5645,7 +5538,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron dontaudit crond_t self:capability { sys_resource sys_tty_config }; allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow crond_t self:process { setexec setfscreate }; -@@ -99,18 +106,20 @@ +@@ -99,18 +106,18 @@ allow crond_t crond_var_run_t:file manage_file_perms; files_pid_filetrans(crond_t,crond_var_run_t,file) @@ -5661,8 +5554,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron -allow crond_t system_cron_spool_t:file read_file_perms; +list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) +read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) -+ -+auth_use_nsswitch(crond_t) kernel_read_kernel_sysctls(crond_t) kernel_search_key(crond_t) @@ -5670,7 +5561,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron dev_read_sysfs(crond_t) selinux_get_fs_mount(crond_t) -@@ -127,6 +136,7 @@ +@@ -127,6 +134,7 @@ # need auth_chkpwd to check for locked accounts. auth_domtrans_chk_passwd(crond_t) @@ -5678,7 +5569,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron corecmd_exec_shell(crond_t) corecmd_list_bin(crond_t) -@@ -146,7 +156,9 @@ +@@ -148,7 +156,9 @@ libs_use_ld_so(crond_t) libs_use_shared_libs(crond_t) @@ -5688,7 +5579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) -@@ -160,6 +172,16 @@ +@@ -162,6 +172,16 @@ mta_send_mail(crond_t) @@ -5705,50 +5596,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ifdef(`distro_debian',` optional_policy(` # Debian logcheck has the home dir set to its cache -@@ -180,29 +202,34 @@ +@@ -182,11 +202,24 @@ locallogin_link_keys(crond_t) ') --tunable_policy(`fcron_crond', ` -- allow crond_t system_cron_spool_t:file manage_file_perms; +optional_policy(` + # these should probably be unconfined_crond_t + init_dbus_send_script(crond_t) - ') - - optional_policy(` -- amavis_search_lib(crond_t) ++') ++ ++optional_policy(` + mono_domtrans(crond_t) +') + -+tunable_policy(`fcron_crond', ` -+ allow crond_t system_cron_spool_t:file manage_file_perms; + tunable_policy(`fcron_crond', ` + allow crond_t system_cron_spool_t:file manage_file_perms; ') optional_policy(` -- hal_dbus_send(crond_t) + amanda_search_var_lib(crond_t) ++') ++ ++optional_policy(` + amavis_search_lib(crond_t) ') - optional_policy(` -- # cjp: why? -- munin_search_lib(crond_t) -+ amavis_search_lib(crond_t) - ') - - optional_policy(` -- nis_use_ypbind(crond_t) -+ hal_dbus_send(crond_t) - ') - - optional_policy(` -- nscd_socket_use(crond_t) -+ # cjp: why? -+ munin_search_lib(crond_t) - ') - - optional_policy(` -@@ -270,9 +297,16 @@ +@@ -264,9 +297,16 @@ filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file }) files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file) @@ -5766,16 +5639,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron kernel_read_kernel_sysctls(system_crond_t) kernel_read_system_state(system_crond_t) -@@ -326,7 +360,7 @@ +@@ -320,7 +360,7 @@ init_read_utmp(system_crond_t) init_dontaudit_rw_utmp(system_crond_t) # prelink tells init to restart it self, we either need to allow or dontaudit -init_write_initctl(system_crond_t) +init_telinit(system_crond_t) - libs_use_ld_so(system_crond_t) - libs_use_shared_libs(system_crond_t) -@@ -334,6 +368,7 @@ + auth_use_nsswitch(system_crond_t) + +@@ -330,6 +370,7 @@ libs_exec_ld_so(system_crond_t) logging_read_generic_logs(system_crond_t) @@ -5783,7 +5656,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron logging_send_syslog_msg(system_crond_t) miscfiles_read_localization(system_crond_t) -@@ -384,6 +419,14 @@ +@@ -380,6 +421,14 @@ ') optional_policy(` @@ -5798,7 +5671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron mrtg_append_create_logs(system_crond_t) ') -@@ -424,8 +467,7 @@ +@@ -412,8 +461,7 @@ ') optional_policy(` @@ -5808,7 +5681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -433,9 +475,13 @@ +@@ -421,9 +469,13 @@ ') optional_policy(` @@ -5823,9 +5696,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') ifdef(`TODO',` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.2.1/policy/modules/services/cups.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.2.2/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2007-11-16 15:30:49.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/cups.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/cups.fc 2007-12-04 11:11:03.000000000 -0500 @@ -8,17 +8,15 @@ /etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) @@ -5874,16 +5747,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups + +/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/usr/local/Printer/[^/]*/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.2.1/policy/modules/services/cups.te ---- nsaserefpolicy/policy/modules/services/cups.te 2007-11-16 15:30:49.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/cups.te 2007-12-02 19:07:25.000000000 -0500 -@@ -1,5 +1,5 @@ - --policy_module(cups,1.8.2) -+policy_module(cups,1.4.1) - - ######################################## - # +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.2.2/policy/modules/services/cups.te +--- nsaserefpolicy/policy/modules/services/cups.te 2007-12-04 11:02:50.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/cups.te 2007-12-04 12:01:17.000000000 -0500 @@ -43,14 +43,12 @@ type cupsd_var_run_t; @@ -5910,7 +5776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') ######################################## -@@ -81,12 +81,12 @@ +@@ -81,11 +81,12 @@ # /usr/lib/cups/backend/serial needs sys_admin(?!) allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config }; dontaudit cupsd_t self:capability { sys_tty_config net_admin }; @@ -5921,12 +5787,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow cupsd_t self:unix_dgram_socket create_socket_perms; allow cupsd_t self:netlink_selinux_socket create_socket_perms; --allow cupsd_t self:netlink_route_socket r_netlink_socket_perms; +allow cupsd_t self:shm create_shm_perms; allow cupsd_t self:tcp_socket create_stream_socket_perms; allow cupsd_t self:udp_socket create_socket_perms; allow cupsd_t self:appletalk_socket create_socket_perms; -@@ -105,7 +105,7 @@ +@@ -104,7 +105,7 @@ # allow cups to execute its backend scripts can_exec(cupsd_t, cupsd_exec_t) @@ -5935,7 +5800,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups allow cupsd_t cupsd_exec_t:lnk_file read; manage_files_pattern(cupsd_t,cupsd_log_t,cupsd_log_t) -@@ -117,13 +117,19 @@ +@@ -116,13 +117,19 @@ manage_fifo_files_pattern(cupsd_t,cupsd_tmp_t,cupsd_tmp_t) files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) @@ -5957,7 +5822,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups allow cupsd_t hplip_var_run_t:file { read getattr }; stream_connect_pattern(cupsd_t,ptal_var_run_t,ptal_var_run_t,ptal_t) -@@ -150,31 +156,39 @@ +@@ -149,31 +156,39 @@ corenet_tcp_bind_reserved_port(cupsd_t) corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) @@ -6000,7 +5865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp corecmd_exec_shell(cupsd_t) -@@ -187,7 +201,7 @@ +@@ -186,7 +201,7 @@ # read python modules files_read_usr_files(cupsd_t) # for /var/lib/defoma @@ -6009,7 +5874,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups files_list_world_readable(cupsd_t) files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) -@@ -196,15 +210,14 @@ +@@ -195,12 +210,9 @@ files_read_var_symlinks(cupsd_t) # for /etc/printcap files_dontaudit_write_etc_files(cupsd_t) @@ -6023,15 +5888,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups init_exec_script_files(cupsd_t) -+auth_use_nsswitch(cupsd_t) -+ - libs_use_ld_so(cupsd_t) - libs_use_shared_libs(cupsd_t) - # Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.* -@@ -221,14 +234,37 @@ +@@ -220,16 +232,37 @@ - sysnet_read_config(cupsd_t) + seutil_read_config(cupsd_t) +-sysnet_read_config(cupsd_t) +- +files_dontaudit_list_home(cupsd_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_t) userdom_dontaudit_search_all_users_home_content(cupsd_t) @@ -6066,7 +5928,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -241,6 +277,7 @@ +@@ -242,6 +275,7 @@ optional_policy(` dbus_system_bus_client_template(cupsd,cupsd_t) @@ -6074,16 +5936,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups userdom_dbus_send_all_users(cupsd_t) -@@ -262,7 +299,7 @@ +@@ -263,6 +297,10 @@ ') optional_policy(` -- nscd_socket_use(cupsd_t) + mta_send_mail(cupsd_t) - ') - - optional_policy(` -@@ -330,11 +367,13 @@ ++') ++ ++optional_policy(` + # cups execs smbtool which reads samba_etc_t files + samba_read_config(cupsd_t) + samba_rw_var_files(cupsd_t) +@@ -326,11 +364,13 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) dev_read_rand(cupsd_config_t) @@ -6097,7 +5961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups corecmd_exec_shell(cupsd_config_t) domain_use_interactive_fds(cupsd_config_t) -@@ -376,12 +415,17 @@ +@@ -372,12 +412,17 @@ ') optional_policy(` @@ -6115,7 +5979,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups optional_policy(` hal_dbus_chat(cupsd_config_t) -@@ -391,6 +435,7 @@ +@@ -387,6 +432,7 @@ optional_policy(` hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) @@ -6123,39 +5987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -480,6 +525,8 @@ - - files_read_etc_files(cupsd_lpd_t) - -+auth_use_nsswitch(cupsd_lpd_t) -+ - libs_use_ld_so(cupsd_lpd_t) - libs_use_shared_libs(cupsd_lpd_t) - -@@ -487,22 +534,12 @@ - - miscfiles_read_localization(cupsd_lpd_t) - --sysnet_read_config(cupsd_lpd_t) -- - cups_stream_connect(cupsd_lpd_t) - - optional_policy(` - inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t) - ') - --optional_policy(` -- nis_use_ypbind(cupsd_lpd_t) --') -- --optional_policy(` -- nscd_socket_use(cupsd_lpd_t) --') -- - ######################################## - # - # HPLIP local policy -@@ -520,14 +557,12 @@ +@@ -499,14 +545,12 @@ allow hplip_t self:udp_socket create_socket_perms; allow hplip_t self:rawip_socket create_socket_perms; @@ -6174,7 +6006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t) files_pid_filetrans(hplip_t,hplip_var_run_t,file) -@@ -558,13 +593,15 @@ +@@ -537,13 +581,15 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) @@ -6191,7 +6023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups domain_use_interactive_fds(hplip_t) -@@ -586,6 +623,7 @@ +@@ -565,6 +611,7 @@ userdom_dontaudit_search_all_users_home_content(hplip_t) lpd_read_config(cupsd_t) @@ -6199,9 +6031,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups optional_policy(` seutil_sigchld_newrole(hplip_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.2.1/policy/modules/services/cvs.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.2.2/policy/modules/services/cvs.te --- nsaserefpolicy/policy/modules/services/cvs.te 2007-11-15 13:40:14.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/cvs.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/cvs.te 2007-12-04 11:11:03.000000000 -0500 @@ -68,7 +68,9 @@ fs_getattr_xattr_fs(cvs_t) @@ -6212,69 +6044,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs. corecmd_exec_bin(cvs_t) corecmd_exec_shell(cvs_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.2.1/policy/modules/services/cyrus.te ---- nsaserefpolicy/policy/modules/services/cyrus.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/cyrus.te 2007-11-30 11:23:56.000000000 -0500 -@@ -41,7 +41,6 @@ - allow cyrus_t self:unix_stream_socket connectto; - allow cyrus_t self:tcp_socket create_stream_socket_perms; - allow cyrus_t self:udp_socket create_socket_perms; --allow cyrus_t self:netlink_route_socket r_netlink_socket_perms; - - manage_dirs_pattern(cyrus_t,cyrus_tmp_t,cyrus_tmp_t) - manage_files_pattern(cyrus_t,cyrus_tmp_t,cyrus_tmp_t) -@@ -95,6 +94,8 @@ - files_read_etc_runtime_files(cyrus_t) - files_read_usr_files(cyrus_t) - -+auth_use_nsswitch(cyrus_t) -+ - libs_use_ld_so(cyrus_t) - libs_use_shared_libs(cyrus_t) - libs_exec_lib_files(cyrus_t) -@@ -122,14 +123,6 @@ - ') - - optional_policy(` -- ldap_stream_connect(cyrus_t) --') -- --optional_policy(` -- nis_use_ypbind(cyrus_t) --') -- --optional_policy(` - sasl_connect(cyrus_t) - ') - -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbskk.te serefpolicy-3.2.1/policy/modules/services/dbskk.te ---- nsaserefpolicy/policy/modules/services/dbskk.te 2007-07-16 14:09:46.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/dbskk.te 2007-11-30 11:23:56.000000000 -0500 -@@ -63,6 +63,8 @@ - - files_read_etc_files(dbskkd_t) - -+auth_use_nsswitch(dbskkd_t) -+ - libs_use_ld_so(dbskkd_t) - libs_use_shared_libs(dbskkd_t) - -@@ -70,12 +72,3 @@ - - miscfiles_read_localization(dbskkd_t) - --sysnet_read_config(dbskkd_t) -- --optional_policy(` -- nis_use_ypbind(dbskkd_t) --') -- --optional_policy(` -- nscd_socket_use(dbskkd_t) --') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.1/policy/modules/services/dbus.if ---- nsaserefpolicy/policy/modules/services/dbus.if 2007-10-29 07:52:49.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/dbus.if 2007-11-30 11:23:56.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.2/policy/modules/services/dbus.if +--- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/dbus.if 2007-12-04 11:11:03.000000000 -0500 @@ -91,7 +91,7 @@ # SE-DBus specific permissions allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg; @@ -6294,24 +6066,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus allow $1_dbusd_t $2:process sigkill; allow $2 $1_dbusd_t:fd use; allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms; -@@ -148,6 +147,7 @@ - selinux_compute_user_contexts($1_dbusd_t) - - auth_read_pam_console_data($1_dbusd_t) -+ auth_use_nsswitch($1_dbusd_t) - - libs_use_ld_so($1_dbusd_t) - libs_use_shared_libs($1_dbusd_t) -@@ -160,8 +160,6 @@ - seutil_read_config($1_dbusd_t) - seutil_read_default_contexts($1_dbusd_t) - -- sysnet_read_config($1_dbusd_t) -- - userdom_read_user_home_content_files($1, $1_dbusd_t) +@@ -180,6 +179,10 @@ + ') - ifdef(`hide_broken_symptoms', ` -@@ -219,7 +217,7 @@ + optional_policy(` ++ nscd_socket_use($1_dbusd_t) ++ ') ++ ++ optional_policy(` + xserver_use_xdm_fds($1_dbusd_t) + xserver_rw_xdm_pipes($1_dbusd_t) + ') +@@ -214,7 +217,7 @@ # SE-DBus specific permissions # allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg; @@ -6320,7 +6086,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_var_lib($2) -@@ -371,3 +369,35 @@ +@@ -366,3 +369,35 @@ allow $1 system_dbusd_t:dbus *; ') @@ -6356,17 +6122,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus + +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.fc serefpolicy-3.2.1/policy/modules/services/dictd.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.fc serefpolicy-3.2.2/policy/modules/services/dictd.fc --- nsaserefpolicy/policy/modules/services/dictd.fc 2006-11-16 17:15:20.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/dictd.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/dictd.fc 2007-12-04 11:11:03.000000000 -0500 @@ -4,3 +4,4 @@ /usr/sbin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0) /var/lib/dictd(/.*)? gen_context(system_u:object_r:dictd_var_lib_t,s0) +/var/run/dictd\.pid -- gen_context(system_u:object_r:dictd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.te serefpolicy-3.2.1/policy/modules/services/dictd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.te serefpolicy-3.2.2/policy/modules/services/dictd.te --- nsaserefpolicy/policy/modules/services/dictd.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/dictd.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/dictd.te 2007-12-04 11:11:03.000000000 -0500 @@ -16,6 +16,9 @@ type dictd_var_lib_t alias var_lib_dictd_t; files_type(dictd_var_lib_t) @@ -6387,9 +6153,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dict kernel_read_system_state(dictd_t) kernel_read_kernel_sysctls(dictd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.2.1/policy/modules/services/dnsmasq.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.2.2/policy/modules/services/dnsmasq.te --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/dnsmasq.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/dnsmasq.te 2007-12-04 11:11:03.000000000 -0500 @@ -94,3 +94,7 @@ optional_policy(` udev_read_db(dnsmasq_t) @@ -6398,9 +6164,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm +optional_policy(` + virt_manage_lib_files(dnsmasq_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.2.1/policy/modules/services/dovecot.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.2.2/policy/modules/services/dovecot.fc --- nsaserefpolicy/policy/modules/services/dovecot.fc 2006-11-16 17:15:21.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/dovecot.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/dovecot.fc 2007-12-04 11:11:03.000000000 -0500 @@ -17,19 +17,24 @@ ifdef(`distro_debian', ` @@ -6426,9 +6192,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove /var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.2.1/policy/modules/services/dovecot.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.2.2/policy/modules/services/dovecot.if --- nsaserefpolicy/policy/modules/services/dovecot.if 2007-01-02 12:57:43.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/dovecot.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/dovecot.if 2007-12-04 11:11:03.000000000 -0500 @@ -18,3 +18,43 @@ manage_files_pattern($1,dovecot_spool_t,dovecot_spool_t) manage_lnk_files_pattern($1,dovecot_spool_t,dovecot_spool_t) @@ -6473,9 +6239,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove + domtrans_pattern($1,dovecot_deliver_exec_t,dovecot_deliver_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.2.1/policy/modules/services/dovecot.te ---- nsaserefpolicy/policy/modules/services/dovecot.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/dovecot.te 2007-11-30 11:23:56.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.2.2/policy/modules/services/dovecot.te +--- nsaserefpolicy/policy/modules/services/dovecot.te 2007-12-04 11:02:50.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/dovecot.te 2007-12-04 11:36:54.000000000 -0500 @@ -15,6 +15,12 @@ domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t) role system_r types dovecot_auth_t; @@ -6499,25 +6265,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove type dovecot_var_run_t; files_pid_file(dovecot_var_run_t) -@@ -46,8 +55,6 @@ +@@ -46,7 +55,6 @@ allow dovecot_t self:tcp_socket create_stream_socket_perms; allow dovecot_t self:unix_dgram_socket create_socket_perms; allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto }; --allow dovecot_t self:netlink_route_socket r_netlink_socket_perms; - domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t) allow dovecot_t dovecot_cert_t:dir list_dir_perms; -@@ -67,6 +74,8 @@ - manage_sock_files_pattern(dovecot_t,dovecot_var_run_t,dovecot_var_run_t) - files_pid_filetrans(dovecot_t,dovecot_var_run_t,file) - -+auth_use_nsswitch(dovecot_t) -+ - kernel_read_kernel_sysctls(dovecot_t) - kernel_read_system_state(dovecot_t) - -@@ -99,7 +108,7 @@ +@@ -98,7 +106,7 @@ files_dontaudit_list_default(dovecot_t) # Dovecot now has quota support and it uses getmntent() to find the mountpoints. files_read_etc_runtime_files(dovecot_t) @@ -6526,28 +6282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove init_getattr_utmp(dovecot_t) -@@ -111,9 +120,6 @@ - miscfiles_read_certs(dovecot_t) - miscfiles_read_localization(dovecot_t) - --sysnet_read_config(dovecot_t) --sysnet_use_ldap(dovecot_auth_t) -- - userdom_dontaudit_use_unpriv_user_fds(dovecot_t) - userdom_dontaudit_search_sysadm_home_dirs(dovecot_t) - userdom_priveleged_home_dir_manager(dovecot_t) -@@ -125,10 +131,6 @@ - ') - - optional_policy(` -- nis_use_ypbind(dovecot_t) --') -- --optional_policy(` - seutil_sigchld_newrole(dovecot_t) - ') - -@@ -145,33 +147,44 @@ +@@ -139,33 +147,44 @@ # dovecot auth local policy # @@ -6594,25 +6329,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove files_read_usr_symlinks(dovecot_auth_t) files_search_tmp(dovecot_auth_t) files_read_var_lib_files(dovecot_t) -@@ -185,12 +198,50 @@ - - seutil_dontaudit_search_config(dovecot_auth_t) - --sysnet_dns_name_resolve(dovecot_auth_t) -- - optional_policy(` - kerberos_use(dovecot_auth_t) +@@ -184,5 +203,45 @@ ') optional_policy(` - logging_send_syslog_msg(dovecot_auth_t) + mysql_search_db(dovecot_auth_t) + mysql_stream_connect(dovecot_auth_t) -+') + ') + +optional_policy(` + nis_authenticate(dovecot_auth_t) - ') ++') + +optional_policy(` + postfix_manage_pivate_sockets(dovecot_auth_t) @@ -6648,9 +6376,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove + mta_manage_spool(dovecot_deliver_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.2.1/policy/modules/services/exim.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.2.2/policy/modules/services/exim.if --- nsaserefpolicy/policy/modules/services/exim.if 2007-10-24 15:00:24.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/exim.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/exim.if 2007-12-04 11:11:03.000000000 -0500 @@ -117,6 +117,27 @@ ######################################## @@ -6679,9 +6407,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim ## Read exim spool files. ## ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.2.1/policy/modules/services/exim.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.2.2/policy/modules/services/exim.te --- nsaserefpolicy/policy/modules/services/exim.te 2007-10-24 15:17:31.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/exim.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/exim.te 2007-12-04 11:11:03.000000000 -0500 @@ -21,9 +21,20 @@ ## gen_tunable(exim_manage_user_files,false) @@ -6858,9 +6586,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim + exim_manage_var_lib(exim_lib_update_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.2.1/policy/modules/services/ftp.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.2.2/policy/modules/services/ftp.if --- nsaserefpolicy/policy/modules/services/ftp.if 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/ftp.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/ftp.if 2007-12-04 11:11:03.000000000 -0500 @@ -28,11 +28,13 @@ type ftpd_t; ') @@ -6880,9 +6608,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.2.1/policy/modules/services/ftp.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.2.2/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/ftp.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/ftp.te 2007-12-04 11:11:03.000000000 -0500 @@ -8,8 +8,8 @@ ## @@ -6963,9 +6691,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.2.1/policy/modules/services/hal.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.2.2/policy/modules/services/hal.fc --- nsaserefpolicy/policy/modules/services/hal.fc 2007-11-14 08:17:58.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/hal.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/hal.fc 2007-12-04 11:11:03.000000000 -0500 @@ -8,18 +8,21 @@ /usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0) /usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0) @@ -6990,9 +6718,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. ifdef(`distro_gentoo',` /var/lib/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.2.1/policy/modules/services/hal.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.2.2/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2007-11-14 08:17:58.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/hal.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/hal.te 2007-12-04 11:11:03.000000000 -0500 @@ -49,6 +49,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) @@ -7052,9 +6780,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. libs_use_ld_so(hald_mac_t) libs_use_shared_libs(hald_mac_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.2.1/policy/modules/services/inetd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.2.2/policy/modules/services/inetd.te --- nsaserefpolicy/policy/modules/services/inetd.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/inetd.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/inetd.te 2007-12-04 11:11:03.000000000 -0500 @@ -30,6 +30,10 @@ type inetd_child_var_run_t; files_pid_file(inetd_child_var_run_t) @@ -7108,17 +6836,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet +optional_policy(` + inetd_service_domain(inetd_child_t,bin_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.2.1/policy/modules/services/kerberos.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.2.2/policy/modules/services/kerberos.fc --- nsaserefpolicy/policy/modules/services/kerberos.fc 2006-11-16 17:15:21.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/kerberos.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/kerberos.fc 2007-12-04 11:11:03.000000000 -0500 @@ -16,3 +16,4 @@ /var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0) /var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0) +/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.2.1/policy/modules/services/kerberos.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.2.2/policy/modules/services/kerberos.if --- nsaserefpolicy/policy/modules/services/kerberos.if 2007-07-16 14:09:46.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/kerberos.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/kerberos.if 2007-12-04 11:11:03.000000000 -0500 @@ -43,7 +43,13 @@ dontaudit $1 krb5kdc_conf_t:dir list_dir_perms; dontaudit $1 krb5kdc_conf_t:file rw_file_perms; @@ -7197,9 +6925,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb + corenet_udp_bind_all_nodes($1) + ') +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.2.1/policy/modules/services/kerberos.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.2.2/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/kerberos.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/kerberos.te 2007-12-04 11:11:03.000000000 -0500 @@ -8,7 +8,7 @@ ## @@ -7287,50 +7015,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.2.1/policy/modules/services/ldap.te ---- nsaserefpolicy/policy/modules/services/ldap.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/ldap.te 2007-11-30 11:23:56.000000000 -0500 -@@ -42,7 +42,6 @@ - dontaudit slapd_t self:capability sys_tty_config; - allow slapd_t self:process setsched; - allow slapd_t self:fifo_file { read write }; --allow slapd_t self:netlink_route_socket r_netlink_socket_perms; - allow slapd_t self:udp_socket create_socket_perms; - #slapd needs to listen and accept needed by ldapsearch (slapd needs to accept from ldapseach) - allow slapd_t self:tcp_socket create_stream_socket_perms; -@@ -104,6 +103,8 @@ - files_read_usr_files(slapd_t) - files_list_var_lib(slapd_t) - -+auth_use_nsswitch(slapd_t) -+ - libs_use_ld_so(slapd_t) - libs_use_shared_libs(slapd_t) - -@@ -112,8 +113,6 @@ - miscfiles_read_certs(slapd_t) - miscfiles_read_localization(slapd_t) - --sysnet_read_config(slapd_t) -- - userdom_dontaudit_use_unpriv_user_fds(slapd_t) - userdom_dontaudit_search_sysadm_home_dirs(slapd_t) - -@@ -122,10 +121,6 @@ - ') - - optional_policy(` -- nis_use_ypbind(slapd_t) --') -- --optional_policy(` - seutil_sigchld_newrole(slapd_t) - ') - -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.2.1/policy/modules/services/mailman.te ---- nsaserefpolicy/policy/modules/services/mailman.te 2007-07-10 13:21:26.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/mailman.te 2007-11-30 11:23:56.000000000 -0500 -@@ -55,6 +55,8 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.2.2/policy/modules/services/mailman.te +--- nsaserefpolicy/policy/modules/services/mailman.te 2007-12-04 11:02:50.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/mailman.te 2007-12-04 12:01:44.000000000 -0500 +@@ -53,6 +53,8 @@ apache_use_fds(mailman_cgi_t) apache_dontaudit_append_log(mailman_cgi_t) apache_search_sys_script_state(mailman_cgi_t) @@ -7339,20 +7027,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail optional_policy(` nscd_socket_use(mailman_cgi_t) -@@ -67,6 +69,12 @@ +@@ -65,6 +67,10 @@ # allow mailman_mail_t self:unix_dgram_socket create_socket_perms; +allow mailman_mail_t initrc_t:process signal; +allow mailman_mail_t self:capability { setuid setgid }; + -+auth_use_nsswitch(mailman_mail_t) -+ +files_search_spool(mailman_mail_t) mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t) -@@ -96,6 +104,7 @@ +@@ -93,6 +99,7 @@ kernel_read_proc_symlinks(mailman_queue_t) auth_domtrans_chk_passwd(mailman_queue_t) @@ -7360,15 +7046,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail files_dontaudit_search_pids(mailman_queue_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.fc serefpolicy-3.2.1/policy/modules/services/mailscanner.fc +@@ -109,3 +116,7 @@ + optional_policy(` + cron_system_entry(mailman_queue_t,mailman_queue_exec_t) + ') ++ ++optional_policy(` ++ nscd_socket_use(mailman_queue_t) ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.fc serefpolicy-3.2.2/policy/modules/services/mailscanner.fc --- nsaserefpolicy/policy/modules/services/mailscanner.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/mailscanner.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/mailscanner.fc 2007-12-04 11:11:03.000000000 -0500 @@ -0,0 +1,2 @@ +/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:mailscanner_spool_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.if serefpolicy-3.2.1/policy/modules/services/mailscanner.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.if serefpolicy-3.2.2/policy/modules/services/mailscanner.if --- nsaserefpolicy/policy/modules/services/mailscanner.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/mailscanner.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/mailscanner.if 2007-12-04 11:11:03.000000000 -0500 @@ -0,0 +1,59 @@ +## Anti-Virus and Anti-Spam Filter + @@ -7429,18 +7123,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail + files_search_spool($1) + manage_files_pattern($1,mailscanner_spool_t,mailscanner_spool_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.te serefpolicy-3.2.1/policy/modules/services/mailscanner.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.te serefpolicy-3.2.2/policy/modules/services/mailscanner.te --- nsaserefpolicy/policy/modules/services/mailscanner.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/mailscanner.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/mailscanner.te 2007-12-04 11:11:03.000000000 -0500 @@ -0,0 +1,5 @@ + +policy_module(mailscanner,1.0.0) + +type mailscanner_spool_t; +files_type(mailscanner_spool_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.2.1/policy/modules/services/mta.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.2.2/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/mta.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/mta.if 2007-12-04 11:11:03.000000000 -0500 @@ -87,6 +87,8 @@ # It wants to check for nscd files_dontaudit_search_pids($1_mail_t) @@ -7601,9 +7295,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ####################################### ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.1/policy/modules/services/mta.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.2/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/mta.te 2007-12-01 07:56:06.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/mta.te 2007-12-04 11:11:03.000000000 -0500 @@ -6,6 +6,8 @@ # Declarations # @@ -7697,18 +7391,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. smartmon_read_tmp_files(system_mail_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.2.1/policy/modules/services/mysql.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.2.2/policy/modules/services/mysql.fc --- nsaserefpolicy/policy/modules/services/mysql.fc 2006-11-16 17:15:20.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/mysql.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/mysql.fc 2007-12-04 11:11:03.000000000 -0500 @@ -22,3 +22,5 @@ /var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0) /var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0) + +/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.2.1/policy/modules/services/mysql.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.2.2/policy/modules/services/mysql.if --- nsaserefpolicy/policy/modules/services/mysql.if 2007-01-02 12:57:43.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/mysql.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/mysql.if 2007-12-04 11:11:03.000000000 -0500 @@ -157,3 +157,79 @@ logging_search_logs($1) allow $1 mysqld_log_t:file { write append setattr ioctl }; @@ -7789,9 +7483,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq + manage_dirs_pattern($1,mysqld_tmp_t,mysqld_tmp_t) + manage_files_pattern($1,mysqld_tmp_t,mysqld_tmp_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.2.1/policy/modules/services/mysql.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.2.2/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/mysql.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/mysql.te 2007-12-04 11:11:03.000000000 -0500 @@ -25,6 +25,9 @@ type mysqld_tmp_t; files_tmp_file(mysqld_tmp_t) @@ -7802,9 +7496,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq ######################################## # # Local policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.2.1/policy/modules/services/nagios.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.2.2/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2006-11-16 17:15:20.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/nagios.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/nagios.fc 2007-12-04 11:11:03.000000000 -0500 @@ -4,13 +4,15 @@ /usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) /usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) @@ -7824,9 +7518,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi -/usr/lib/cgi-bin/nagios/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0) ') +/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.2.1/policy/modules/services/nagios.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.2.2/policy/modules/services/nagios.if --- nsaserefpolicy/policy/modules/services/nagios.if 2007-01-02 12:57:43.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/nagios.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/nagios.if 2007-12-04 11:11:03.000000000 -0500 @@ -44,25 +44,6 @@ ######################################## @@ -7853,9 +7547,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi ## Execute the nagios NRPE with ## a domain transition. ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.2.1/policy/modules/services/nagios.te ---- nsaserefpolicy/policy/modules/services/nagios.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/nagios.te 2007-11-30 11:23:56.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.2.2/policy/modules/services/nagios.te +--- nsaserefpolicy/policy/modules/services/nagios.te 2007-12-04 11:02:50.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/nagios.te 2007-12-04 11:38:52.000000000 -0500 @@ -8,11 +8,7 @@ type nagios_t; @@ -7883,29 +7577,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi type nrpe_etc_t; files_config_file(nrpe_etc_t) -@@ -60,6 +59,10 @@ +@@ -60,6 +59,8 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) files_pid_filetrans(nagios_t, nagios_var_run_t, file) +rw_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) + -+auth_use_nsswitch(nagios_t) -+ kernel_read_system_state(nagios_t) kernel_read_kernel_sysctls(nagios_t) -@@ -106,10 +109,6 @@ - mta_send_mail(nagios_t) - - optional_policy(` -- auth_use_nsswitch(nagios_t) --') -- --optional_policy(` - netutils_domtrans_ping(nagios_t) - netutils_signal_ping(nagios_t) - netutils_kill_ping(nagios_t) -@@ -132,42 +131,31 @@ +@@ -130,42 +131,31 @@ # # Nagios CGI local policy # @@ -7915,44 +7596,44 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi -allow nagios_cgi_t self:process signal_perms; -allow nagios_cgi_t self:fifo_file rw_fifo_file_perms; -+allow httpd_nagios_script_t self:process signal_perms; - +- -read_files_pattern(nagios_cgi_t, nagios_t, nagios_t) -read_lnk_files_pattern(nagios_cgi_t, nagios_t, nagios_t) -+read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) -+read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) - +- -allow nagios_cgi_t nagios_etc_t:dir list_dir_perms; -read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t) -read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t) -+allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms; -+read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) -+read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) ++allow httpd_nagios_script_t self:process signal_perms; -allow nagios_cgi_t nagios_log_t:dir list_dir_perms; -read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t) -read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t) -+allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms; -+read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) -+read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) ++read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) ++read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) -kernel_read_system_state(nagios_cgi_t) -+kernel_read_system_state(httpd_nagios_script_t) ++allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms; ++read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) ++read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) -corecmd_exec_bin(nagios_cgi_t) -+domain_dontaudit_read_all_domains_state(httpd_nagios_script_t) ++allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms; ++read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) ++read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) -domain_dontaudit_read_all_domains_state(nagios_cgi_t) -+files_read_etc_runtime_files(httpd_nagios_script_t) -+files_read_kernel_symbol_table(httpd_nagios_script_t) ++kernel_read_system_state(httpd_nagios_script_t) -files_read_etc_files(nagios_cgi_t) -files_read_etc_runtime_files(nagios_cgi_t) -files_read_kernel_symbol_table(nagios_cgi_t) -- ++domain_dontaudit_read_all_domains_state(httpd_nagios_script_t) + -libs_use_ld_so(nagios_cgi_t) -libs_use_shared_libs(nagios_cgi_t) -- ++files_read_etc_runtime_files(httpd_nagios_script_t) ++files_read_kernel_symbol_table(httpd_nagios_script_t) + -logging_send_syslog_msg(nagios_cgi_t) -logging_search_logs(nagios_cgi_t) - @@ -7965,17 +7646,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi ######################################## # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.2.1/policy/modules/services/networkmanager.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.2.2/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2007-09-12 10:34:18.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/networkmanager.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/networkmanager.fc 2007-12-04 11:11:03.000000000 -0500 @@ -5,3 +5,4 @@ /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/log/wpa_supplicant\.log -- gen_context(system_u:object_r:NetworkManager_log_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.2.1/policy/modules/services/networkmanager.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.2.2/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-10-29 07:52:49.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/networkmanager.te 2007-12-02 21:09:24.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/networkmanager.te 2007-12-04 11:11:03.000000000 -0500 @@ -13,6 +13,9 @@ type NetworkManager_var_run_t; files_pid_file(NetworkManager_var_run_t) @@ -8045,9 +7726,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.2.1/policy/modules/services/nis.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.2.2/policy/modules/services/nis.fc --- nsaserefpolicy/policy/modules/services/nis.fc 2007-02-19 11:32:53.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/nis.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/nis.fc 2007-12-04 11:11:03.000000000 -0500 @@ -4,6 +4,7 @@ /sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) @@ -8056,9 +7737,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. /usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) /usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.2.1/policy/modules/services/nis.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.2.2/policy/modules/services/nis.if --- nsaserefpolicy/policy/modules/services/nis.if 2007-07-16 14:09:46.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/nis.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/nis.if 2007-12-04 11:11:03.000000000 -0500 @@ -49,8 +49,8 @@ corenet_udp_bind_all_nodes($1) corenet_tcp_bind_generic_port($1) @@ -8096,9 +7777,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. ## Execute ypbind in the ypbind domain. ## ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.2.1/policy/modules/services/nis.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.2.2/policy/modules/services/nis.te --- nsaserefpolicy/policy/modules/services/nis.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/nis.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/nis.te 2007-12-04 11:11:03.000000000 -0500 @@ -113,6 +113,17 @@ userdom_dontaudit_use_unpriv_user_fds(ypbind_t) userdom_dontaudit_search_sysadm_home_dirs(ypbind_t) @@ -8154,18 +7835,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t) corenet_tcp_connect_all_ports(ypxfr_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.2.1/policy/modules/services/nscd.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.2.2/policy/modules/services/nscd.fc --- nsaserefpolicy/policy/modules/services/nscd.fc 2006-11-16 17:15:20.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/nscd.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/nscd.fc 2007-12-04 11:11:03.000000000 -0500 @@ -9,3 +9,5 @@ /var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0) /var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) + +/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:httpd_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.2.1/policy/modules/services/nscd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.2.2/policy/modules/services/nscd.if --- nsaserefpolicy/policy/modules/services/nscd.if 2007-03-26 10:39:04.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/nscd.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/nscd.if 2007-12-04 11:11:03.000000000 -0500 @@ -70,15 +70,14 @@ interface(`nscd_socket_use',` gen_require(` @@ -8207,9 +7888,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd + init_script_domtrans_spec($1,nscd_script_exec_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.2.1/policy/modules/services/nscd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.2.2/policy/modules/services/nscd.te --- nsaserefpolicy/policy/modules/services/nscd.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/nscd.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/nscd.te 2007-12-04 11:11:03.000000000 -0500 @@ -23,19 +23,22 @@ type nscd_log_t; logging_log_file(nscd_log_t) @@ -8275,9 +7956,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd + samba_read_config(nscd_t) + samba_read_var_files(nscd_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.fc serefpolicy-3.2.1/policy/modules/services/ntp.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.fc serefpolicy-3.2.2/policy/modules/services/ntp.fc --- nsaserefpolicy/policy/modules/services/ntp.fc 2006-11-16 17:15:21.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/ntp.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/ntp.fc 2007-12-04 11:11:03.000000000 -0500 @@ -17,3 +17,8 @@ /var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0) @@ -8287,9 +7968,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. +/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0) + +/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.2.1/policy/modules/services/ntp.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.2.2/policy/modules/services/ntp.if --- nsaserefpolicy/policy/modules/services/ntp.if 2007-03-26 10:39:05.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/ntp.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/ntp.if 2007-12-04 11:11:03.000000000 -0500 @@ -53,3 +53,22 @@ corecmd_search_bin($1) domtrans_pattern($1,ntpdate_exec_t,ntpd_t) @@ -8313,9 +7994,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. + init_script_domtrans_spec($1,ntpd_script_exec_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.2.1/policy/modules/services/ntp.te ---- nsaserefpolicy/policy/modules/services/ntp.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/ntp.te 2007-11-30 11:23:56.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.2.2/policy/modules/services/ntp.te +--- nsaserefpolicy/policy/modules/services/ntp.te 2007-12-04 11:02:50.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/ntp.te 2007-12-04 11:56:38.000000000 -0500 @@ -25,6 +25,12 @@ type ntpdate_exec_t; init_system_domain(ntpd_t,ntpdate_exec_t) @@ -8355,17 +8036,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. auth_use_nsswitch(ntpd_t) -@@ -106,6 +117,9 @@ +@@ -105,6 +116,10 @@ + miscfiles_read_localization(ntpd_t) - sysnet_read_config(ntpd_t) +sysnet_dontaudit_dhcpc_use_fds(ntpd_t) + +term_use_ptmx(ntpd_t) - ++ userdom_dontaudit_use_unpriv_user_fds(ntpd_t) userdom_list_sysadm_home_dirs(ntpd_t) -@@ -122,6 +136,10 @@ + userdom_dontaudit_list_sysadm_home_dirs(ntpd_t) +@@ -120,6 +135,10 @@ ') optional_policy(` @@ -8376,9 +8058,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. logrotate_exec(ntpd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openct.te serefpolicy-3.2.1/policy/modules/services/openct.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openct.te serefpolicy-3.2.2/policy/modules/services/openct.te --- nsaserefpolicy/policy/modules/services/openct.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/openct.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/openct.te 2007-12-04 11:11:03.000000000 -0500 @@ -22,6 +22,7 @@ allow openct_t self:process signal_perms; @@ -8387,9 +8069,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open files_pid_filetrans(openct_t,openct_var_run_t,file) kernel_read_kernel_sysctls(openct_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.2.1/policy/modules/services/openvpn.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.fc serefpolicy-3.2.2/policy/modules/services/openvpn.fc +--- nsaserefpolicy/policy/modules/services/openvpn.fc 2007-06-11 16:05:22.000000000 -0400 ++++ serefpolicy-3.2.2/policy/modules/services/openvpn.fc 2007-12-04 11:27:49.000000000 -0500 +@@ -11,5 +11,5 @@ + # + # /var + # +-/var/log/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_log_t,s0) ++/var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0) + /var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.2.2/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2007-10-29 07:52:49.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/openvpn.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/openvpn.te 2007-12-04 11:11:03.000000000 -0500 @@ -8,7 +8,7 @@ ## @@ -8412,9 +8104,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open + unconfined_use_terminals(openvpn_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.2.1/policy/modules/services/pcscd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.2.2/policy/modules/services/pcscd.te --- nsaserefpolicy/policy/modules/services/pcscd.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/pcscd.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/pcscd.te 2007-12-04 11:11:03.000000000 -0500 @@ -45,6 +45,7 @@ files_read_etc_files(pcscd_t) files_read_etc_runtime_files(pcscd_t) @@ -8423,9 +8115,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcsc term_dontaudit_getattr_pty_dirs(pcscd_t) libs_use_ld_so(pcscd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.2.1/policy/modules/services/pegasus.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.2.2/policy/modules/services/pegasus.te --- nsaserefpolicy/policy/modules/services/pegasus.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/pegasus.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/pegasus.te 2007-12-04 11:57:04.000000000 -0500 @@ -42,6 +42,7 @@ allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink }; allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; @@ -8451,7 +8143,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega files_read_var_lib_symlinks(pegasus_t) hostname_exec(pegasus_t) -@@ -113,19 +114,17 @@ +@@ -113,19 +114,16 @@ libs_use_shared_libs(pegasus_t) logging_send_audit_msgs(pegasus_t) @@ -8459,7 +8151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega miscfiles_read_localization(pegasus_t) - sysnet_read_config(pegasus_t) +-sysnet_read_config(pegasus_t) +sysnet_domtrans_ifconfig(pegasus_t) userdom_dontaudit_use_unpriv_user_fds(pegasus_t) @@ -8473,9 +8165,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega rpm_exec(pegasus_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portslave.te serefpolicy-3.2.1/policy/modules/services/portslave.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portslave.te serefpolicy-3.2.2/policy/modules/services/portslave.te --- nsaserefpolicy/policy/modules/services/portslave.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/portslave.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/portslave.te 2007-12-04 11:11:03.000000000 -0500 @@ -85,6 +85,7 @@ auth_rw_login_records(portslave_t) @@ -8484,9 +8176,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port init_rw_utmp(portslave_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.2.1/policy/modules/services/postfix.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.2.2/policy/modules/services/postfix.fc --- nsaserefpolicy/policy/modules/services/postfix.fc 2007-09-12 10:34:18.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/postfix.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/postfix.fc 2007-12-04 11:11:03.000000000 -0500 @@ -29,12 +29,10 @@ /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) @@ -8500,29 +8192,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post /usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0) /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.2.1/policy/modules/services/postfix.if ---- nsaserefpolicy/policy/modules/services/postfix.if 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/postfix.if 2007-11-30 11:23:56.000000000 -0500 -@@ -83,6 +83,8 @@ - init_dontaudit_use_fds(postfix_$1_t) - init_sigchld(postfix_$1_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.2.2/policy/modules/services/postfix.if +--- nsaserefpolicy/policy/modules/services/postfix.if 2007-12-04 11:02:50.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/postfix.if 2007-12-04 11:11:03.000000000 -0500 +@@ -96,6 +96,10 @@ + userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t) -+ auth_use_nsswitch(postfix_$1_t) + optional_policy(` ++ nscd_socket_use(postfix_$1_t) ++ ') + - libs_use_ld_so(postfix_$1_t) - libs_use_shared_libs(postfix_$1_t) - -@@ -135,9 +137,6 @@ ++ optional_policy(` + udev_read_db(postfix_$1_t) + ') + ') +@@ -132,6 +136,7 @@ + corenet_udp_bind_all_nodes(postfix_$1_t) corenet_tcp_connect_all_ports(postfix_$1_t) corenet_sendrecv_all_client_packets(postfix_$1_t) - -- optional_policy(` -- auth_use_nsswitch(postfix_$1_t) -- ') ++ ') ######################################## -@@ -433,6 +432,26 @@ +@@ -427,6 +432,26 @@ ######################################## ## @@ -8549,10 +8241,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ## Execute the master postfix program in the ## postfix_master domain. ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.2.1/policy/modules/services/postfix.te ---- nsaserefpolicy/policy/modules/services/postfix.te 2007-11-08 09:29:27.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/postfix.te 2007-11-30 11:23:56.000000000 -0500 -@@ -6,6 +6,14 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.2.2/policy/modules/services/postfix.te +--- nsaserefpolicy/policy/modules/services/postfix.te 2007-12-04 11:02:50.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/postfix.te 2007-12-04 11:11:03.000000000 -0500 +@@ -1,11 +1,19 @@ + +-policy_module(postfix,1.7.2) ++policy_module(postfix,1.7.1) + + ######################################## + # # Declarations # @@ -8594,24 +8292,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post allow postfix_master_t postfix_etc_t:file rw_file_perms; -@@ -172,15 +186,11 @@ - # postfix does a "find" on startup for some reason - keep it quiet - seutil_dontaudit_search_config(postfix_master_t) +@@ -174,6 +188,7 @@ --sysnet_read_config(postfix_master_t) -- mta_rw_aliases(postfix_master_t) mta_read_sendmail_bin(postfix_master_t) +mta_getattr_spool(postfix_master_t) optional_policy(` -- auth_use_nsswitch(postfix_master_t) --') --optional_policy(` cyrus_stream_connect(postfix_master_t) - ') - -@@ -278,6 +288,8 @@ +@@ -273,6 +288,8 @@ files_read_etc_files(postfix_local_t) @@ -8620,7 +8309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post mta_read_aliases(postfix_local_t) mta_delete_spool(postfix_local_t) # For reading spamassasin -@@ -290,6 +302,7 @@ +@@ -285,6 +302,7 @@ optional_policy(` # for postalias mailman_manage_data_files(postfix_local_t) @@ -8628,38 +8317,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') optional_policy(` -@@ -342,6 +355,8 @@ - files_read_etc_runtime_files(postfix_map_t) - files_dontaudit_search_var(postfix_map_t) - -+auth_use_nsswitch(postfix_map_t) -+ - libs_use_ld_so(postfix_map_t) - libs_use_shared_libs(postfix_map_t) - -@@ -349,10 +364,6 @@ +@@ -346,8 +364,6 @@ miscfiles_read_localization(postfix_map_t) -seutil_read_config(postfix_map_t) - --sysnet_read_config(postfix_map_t) -- tunable_policy(`read_default_t',` files_list_default(postfix_map_t) files_read_default_files(postfix_map_t) -@@ -365,10 +376,6 @@ - locallogin_dontaudit_use_fds(postfix_map_t) - ') - --optional_policy(` -- nscd_socket_use(postfix_map_t) --') -- - ######################################## - # - # Postfix pickup local policy -@@ -401,6 +408,10 @@ +@@ -392,6 +408,10 @@ rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t) optional_policy(` @@ -8670,7 +8337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post procmail_domtrans(postfix_pipe_t) ') -@@ -409,6 +420,10 @@ +@@ -400,6 +420,10 @@ ') optional_policy(` @@ -8681,34 +8348,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post uucp_domtrans_uux(postfix_pipe_t) ') -@@ -433,8 +448,6 @@ - term_dontaudit_use_all_user_ptys(postfix_postdrop_t) - term_dontaudit_use_all_user_ttys(postfix_postdrop_t) - --sysnet_dns_name_resolve(postfix_postdrop_t) -- - mta_rw_user_mail_stream_sockets(postfix_postdrop_t) - - optional_policy(` -@@ -474,8 +487,6 @@ - init_sigchld_script(postfix_postqueue_t) - init_use_script_fds(postfix_postqueue_t) - --sysnet_dontaudit_read_config(postfix_postqueue_t) -- - ######################################## - # - # Postfix qmgr local policy -@@ -518,8 +529,6 @@ - term_use_all_user_ptys(postfix_showq_t) - term_use_all_user_ttys(postfix_showq_t) - --sysnet_dns_name_resolve(postfix_showq_t) -- - ######################################## - # - # Postfix smtp delivery local policy -@@ -547,9 +556,6 @@ +@@ -532,9 +556,6 @@ # connect to master process stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t) @@ -8718,7 +8358,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post # for prng_exch allow postfix_smtpd_t postfix_spool_t:file rw_file_perms; allow postfix_smtpd_t postfix_prng_t:file rw_file_perms; -@@ -572,6 +578,10 @@ +@@ -557,6 +578,10 @@ sasl_connect(postfix_smtpd_t) ') @@ -8729,18 +8369,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix virtual local policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.2.1/policy/modules/services/postgresql.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.2.2/policy/modules/services/postgresql.fc --- nsaserefpolicy/policy/modules/services/postgresql.fc 2006-11-16 17:15:21.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/postgresql.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/postgresql.fc 2007-12-04 11:11:03.000000000 -0500 @@ -38,3 +38,5 @@ ') /var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0) + +/etc/rc\.d/init\.d/postgresql -- gen_context(system_u:object_r:postgresql_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.2.1/policy/modules/services/postgresql.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.2.2/policy/modules/services/postgresql.if --- nsaserefpolicy/policy/modules/services/postgresql.if 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/postgresql.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/postgresql.if 2007-12-04 11:11:03.000000000 -0500 @@ -120,3 +120,77 @@ # Some versions of postgresql put the sock file in /tmp allow $1 postgresql_tmp_t:sock_file write; @@ -8819,9 +8459,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + manage_dirs_pattern($1,postgresql_tmp_t,postgresql_tmp_t) + manage_files_pattern($1,postgresql_tmp_t,postgresql_tmp_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.2.1/policy/modules/services/postgresql.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.2.2/policy/modules/services/postgresql.te --- nsaserefpolicy/policy/modules/services/postgresql.te 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/postgresql.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/postgresql.te 2007-12-04 11:11:03.000000000 -0500 @@ -27,6 +27,9 @@ type postgresql_var_run_t; files_pid_file(postgresql_var_run_t) @@ -8870,9 +8510,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post seutil_sigchld_newrole(postgresql_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.2.1/policy/modules/services/ppp.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.2.2/policy/modules/services/ppp.fc --- nsaserefpolicy/policy/modules/services/ppp.fc 2006-11-16 17:15:20.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/ppp.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/ppp.fc 2007-12-04 11:11:03.000000000 -0500 @@ -25,7 +25,7 @@ # # /var @@ -8882,9 +8522,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. /var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0) /var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0) # Fix pptp sockets -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.2.1/policy/modules/services/ppp.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.2.2/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2007-11-16 13:45:14.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/ppp.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/ppp.te 2007-12-04 11:11:03.000000000 -0500 @@ -194,6 +194,8 @@ optional_policy(` @@ -8894,9 +8534,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.2.1/policy/modules/services/procmail.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.2.2/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2007-11-16 13:45:14.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/procmail.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/procmail.te 2007-12-04 11:11:03.000000000 -0500 @@ -133,3 +133,7 @@ spamassassin_exec_client(procmail_t) spamassassin_read_lib_files(procmail_t) @@ -8905,9 +8545,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc +optional_policy(` + mailscanner_read_spool(procmail_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.2.1/policy/modules/services/pyzor.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.2.2/policy/modules/services/pyzor.fc --- nsaserefpolicy/policy/modules/services/pyzor.fc 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/pyzor.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/pyzor.fc 2007-12-04 11:11:03.000000000 -0500 @@ -1,6 +1,6 @@ /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) @@ -8916,9 +8556,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.2.1/policy/modules/services/pyzor.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.2.2/policy/modules/services/pyzor.if --- nsaserefpolicy/policy/modules/services/pyzor.if 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/pyzor.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/pyzor.if 2007-12-04 11:11:03.000000000 -0500 @@ -25,16 +25,18 @@ # template(`pyzor_per_role_template',` @@ -8945,9 +8585,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.2.1/policy/modules/services/pyzor.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.2.2/policy/modules/services/pyzor.te --- nsaserefpolicy/policy/modules/services/pyzor.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/pyzor.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/pyzor.te 2007-12-04 11:11:03.000000000 -0500 @@ -28,6 +28,9 @@ type pyzor_var_lib_t; files_type(pyzor_var_lib_t) @@ -8958,9 +8598,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo ######################################## # # Pyzor local policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.2.1/policy/modules/services/radius.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.2.2/policy/modules/services/radius.te --- nsaserefpolicy/policy/modules/services/radius.te 2007-11-16 13:45:14.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/radius.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/radius.te 2007-12-04 11:11:03.000000000 -0500 @@ -88,6 +88,7 @@ auth_read_shadow(radiusd_t) @@ -8969,18 +8609,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi corecmd_exec_bin(radiusd_t) corecmd_exec_shell(radiusd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.2.1/policy/modules/services/razor.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.2.2/policy/modules/services/razor.fc --- nsaserefpolicy/policy/modules/services/razor.fc 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/razor.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/razor.fc 2007-12-04 11:11:03.000000000 -0500 @@ -1,4 +1,4 @@ -HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:ROLE_razor_home_t,s0) +HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:user_razor_home_t,s0) /etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.2.1/policy/modules/services/razor.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.2.2/policy/modules/services/razor.if --- nsaserefpolicy/policy/modules/services/razor.if 2007-07-16 14:09:46.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/razor.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/razor.if 2007-12-04 11:11:03.000000000 -0500 @@ -137,6 +137,7 @@ template(`razor_per_role_template',` gen_require(` @@ -9006,9 +8646,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo ############################## # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.2.1/policy/modules/services/razor.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.2.2/policy/modules/services/razor.te --- nsaserefpolicy/policy/modules/services/razor.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/razor.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/razor.te 2007-12-04 11:11:03.000000000 -0500 @@ -23,6 +23,12 @@ razor_common_domain_template(razor) @@ -9022,9 +8662,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo ######################################## # # Local policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.if serefpolicy-3.2.1/policy/modules/services/remotelogin.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.if serefpolicy-3.2.2/policy/modules/services/remotelogin.if --- nsaserefpolicy/policy/modules/services/remotelogin.if 2006-11-16 17:15:21.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/remotelogin.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/remotelogin.if 2007-12-04 11:11:03.000000000 -0500 @@ -18,3 +18,20 @@ auth_domtrans_login_program($1,remote_login_t) ') @@ -9046,9 +8686,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remo + + allow $1 remote_login_t:process signal; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-3.2.1/policy/modules/services/remotelogin.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-3.2.2/policy/modules/services/remotelogin.te --- nsaserefpolicy/policy/modules/services/remotelogin.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/remotelogin.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/remotelogin.te 2007-12-04 11:11:03.000000000 -0500 @@ -85,6 +85,7 @@ miscfiles_read_localization(remote_login_t) @@ -9057,9 +8697,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remo userdom_use_unpriv_users_fds(remote_login_t) userdom_search_all_users_home_content(remote_login_t) # Only permit unprivileged user domains to be entered via rlogin, -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.2.1/policy/modules/services/ricci.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.2.2/policy/modules/services/ricci.te --- nsaserefpolicy/policy/modules/services/ricci.te 2007-11-16 13:45:14.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/ricci.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/ricci.te 2007-12-04 11:11:03.000000000 -0500 @@ -138,6 +138,7 @@ files_create_boot_flag(ricci_t) @@ -9079,9 +8719,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc unconfined_use_fds(ricci_modclusterd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.2.1/policy/modules/services/rlogin.te ---- nsaserefpolicy/policy/modules/services/rlogin.te 2007-10-02 09:54:52.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/rlogin.te 2007-11-30 11:23:56.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.2.2/policy/modules/services/rlogin.te +--- nsaserefpolicy/policy/modules/services/rlogin.te 2007-12-04 11:02:50.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/rlogin.te 2007-12-04 11:11:03.000000000 -0500 @@ -36,6 +36,8 @@ allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr }; term_create_pty(rlogind_t,rlogind_devpts_t) @@ -9099,13 +8739,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog auth_rw_login_records(rlogind_t) auth_use_nsswitch(rlogind_t) -@@ -82,25 +85,21 @@ +@@ -82,23 +85,21 @@ miscfiles_read_localization(rlogind_t) -seutil_dontaudit_search_config(rlogind_t) -- --sysnet_read_config(rlogind_t) +seutil_read_config(rlogind_t) userdom_setattr_unpriv_users_ptys(rlogind_t) @@ -9129,9 +8767,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog -# Allow krb5 rlogind to use fork and open /dev/tty for use -allow rlogind_t userpty_type:chr_file setattr; -') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.2.1/policy/modules/services/rpcbind.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.2.2/policy/modules/services/rpcbind.te --- nsaserefpolicy/policy/modules/services/rpcbind.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/rpcbind.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/rpcbind.te 2007-12-04 11:11:03.000000000 -0500 @@ -21,11 +21,13 @@ # rpcbind local policy # @@ -9147,10 +8785,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcb allow rpcbind_t self:tcp_socket create_stream_socket_perms; manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.2.1/policy/modules/services/rpc.if ---- nsaserefpolicy/policy/modules/services/rpc.if 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/rpc.if 2007-11-30 11:23:56.000000000 -0500 -@@ -89,8 +89,11 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.2.2/policy/modules/services/rpc.if +--- nsaserefpolicy/policy/modules/services/rpc.if 2007-12-04 11:02:50.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/rpc.if 2007-12-04 11:40:28.000000000 -0500 +@@ -88,8 +88,11 @@ # bind to arbitary unused ports corenet_tcp_bind_generic_port($1_t) corenet_udp_bind_generic_port($1_t) @@ -9163,7 +8801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. fs_rw_rpc_named_pipes($1_t) fs_search_auto_mountpoints($1_t) -@@ -214,6 +217,24 @@ +@@ -208,6 +211,24 @@ ######################################## ## @@ -9188,9 +8826,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ## Read NFS exported content. ## ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.2.1/policy/modules/services/rpc.te ---- nsaserefpolicy/policy/modules/services/rpc.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/rpc.te 2007-11-30 11:23:56.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.2.2/policy/modules/services/rpc.te +--- nsaserefpolicy/policy/modules/services/rpc.te 2007-12-04 11:02:50.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/rpc.te 2007-12-04 11:41:53.000000000 -0500 @@ -8,7 +8,7 @@ ## @@ -9225,7 +8863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. fs_list_rpc(rpcd_t) fs_read_rpc_files(rpcd_t) -@@ -76,9 +80,16 @@ +@@ -76,11 +80,17 @@ miscfiles_read_certs(rpcd_t) seutil_dontaudit_search_config(rpcd_t) @@ -9233,16 +8871,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. optional_policy(` nis_read_ypserv_config(rpcd_t) -+ nis_use_ypbind(rpcd_t) -+') -+ + ') + +# automount -> mount -> rpcd +optional_policy(` + automount_dontaudit_use_fds(rpcd_t) - ') - ++') ++ ######################################## -@@ -91,9 +102,13 @@ + # + # NFSD local policy +@@ -91,9 +101,13 @@ allow nfsd_t exports_t:file { getattr read }; allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; @@ -9256,7 +8895,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. corenet_tcp_bind_all_rpc_ports(nfsd_t) corenet_udp_bind_all_rpc_ports(nfsd_t) -@@ -123,6 +138,7 @@ +@@ -123,6 +137,7 @@ tunable_policy(`nfs_export_all_rw',` fs_read_noxattr_fs_files(nfsd_t) auth_manage_all_files_except_shadow(nfsd_t) @@ -9264,7 +8903,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ') tunable_policy(`nfs_export_all_ro',` -@@ -143,6 +159,7 @@ +@@ -143,6 +158,7 @@ manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) @@ -9272,12 +8911,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_search_network_sysctl(gssd_t) -@@ -156,8 +173,14 @@ +@@ -156,8 +172,13 @@ files_list_tmp(gssd_t) files_read_usr_symlinks(gssd_t) +auth_read_cache(gssd_t) -+auth_use_nsswitch(gssd_t) + miscfiles_read_certs(gssd_t) @@ -9287,9 +8925,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. tunable_policy(`allow_gssd_read_tmp',` userdom_list_unpriv_users_tmp(gssd_t) userdom_read_unpriv_users_tmp_files(gssd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.2.1/policy/modules/services/rshd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.2.2/policy/modules/services/rshd.te --- nsaserefpolicy/policy/modules/services/rshd.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/rshd.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/rshd.te 2007-12-04 11:11:03.000000000 -0500 @@ -16,7 +16,7 @@ # # Local policy @@ -9361,17 +8999,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd unconfined_shell_domtrans(rshd_t) + unconfined_signal(rshd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.fc serefpolicy-3.2.1/policy/modules/services/rsync.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.fc serefpolicy-3.2.2/policy/modules/services/rsync.fc --- nsaserefpolicy/policy/modules/services/rsync.fc 2006-11-16 17:15:21.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/rsync.fc 2007-12-01 08:07:48.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/rsync.fc 2007-12-04 11:11:03.000000000 -0500 @@ -1,2 +1,4 @@ /usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0) + +/var/log/rsync.log -- gen_context(system_u:object_r:rsync_log_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.2.1/policy/modules/services/rsync.te ---- nsaserefpolicy/policy/modules/services/rsync.te 2007-11-16 13:45:14.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/rsync.te 2007-12-01 08:08:40.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.2.2/policy/modules/services/rsync.te +--- nsaserefpolicy/policy/modules/services/rsync.te 2007-12-04 11:02:50.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/rsync.te 2007-12-04 11:11:03.000000000 -0500 @@ -8,7 +8,7 @@ ## @@ -9417,22 +9055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn #end for identd allow rsync_t rsync_data_t:dir list_dir_perms; -@@ -65,8 +67,6 @@ - manage_files_pattern(rsync_t,rsync_var_run_t,rsync_var_run_t) - files_pid_filetrans(rsync_t,rsync_var_run_t,file) - --auth_use_nsswitch(rsync_t) -- - kernel_read_kernel_sysctls(rsync_t) - kernel_read_system_state(rsync_t) - kernel_read_network_state(rsync_t) -@@ -90,11 +90,14 @@ - files_read_etc_files(rsync_t) - files_search_home(rsync_t) - -+auth_use_nsswitch(rsync_t) -+ - libs_use_ld_so(rsync_t) +@@ -94,7 +96,8 @@ libs_use_shared_libs(rsync_t) logging_send_syslog_msg(rsync_t) @@ -9450,9 +9073,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn fs_read_noxattr_fs_files(rsync_t) auth_read_all_files_except_shadow(rsync_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.2.1/policy/modules/services/samba.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.2.2/policy/modules/services/samba.fc --- nsaserefpolicy/policy/modules/services/samba.fc 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/samba.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/samba.fc 2007-12-04 11:11:03.000000000 -0500 @@ -15,6 +15,7 @@ /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) /usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0) @@ -9470,9 +9093,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb /var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0) /var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.2.1/policy/modules/services/samba.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.2.2/policy/modules/services/samba.if --- nsaserefpolicy/policy/modules/services/samba.if 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/samba.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/samba.if 2007-12-04 11:11:03.000000000 -0500 @@ -331,6 +331,25 @@ ######################################## @@ -9610,9 +9233,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb + role $2 types smbcontrol_t; + dontaudit smbcontrol_t $3:chr_file rw_term_perms; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.2.1/policy/modules/services/samba.te ---- nsaserefpolicy/policy/modules/services/samba.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/samba.te 2007-11-30 11:23:56.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.2.2/policy/modules/services/samba.te +--- nsaserefpolicy/policy/modules/services/samba.te 2007-12-04 11:02:50.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/samba.te 2007-12-04 11:51:04.000000000 -0500 @@ -9,14 +9,14 @@ ## ##

@@ -9675,34 +9298,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ######################################## # # Samba net local policy -@@ -146,7 +151,6 @@ - allow samba_net_t self:unix_stream_socket create_stream_socket_perms; - allow samba_net_t self:udp_socket create_socket_perms; - allow samba_net_t self:tcp_socket create_socket_perms; --allow samba_net_t self:netlink_route_socket r_netlink_socket_perms; - - allow samba_net_t samba_etc_t:file read_file_perms; - -@@ -183,6 +187,8 @@ - - files_read_etc_files(samba_net_t) - -+auth_use_nsswitch(samba_net_t) -+ - libs_use_ld_so(samba_net_t) - libs_use_shared_libs(samba_net_t) - -@@ -190,8 +196,7 @@ +@@ -191,16 +196,14 @@ miscfiles_read_localization(samba_net_t) --sysnet_read_config(samba_net_t) --sysnet_use_ldap(samba_net_t) +samba_read_var_files(samba_net_t) - ++ userdom_dontaudit_search_sysadm_home_dirs(samba_net_t) -@@ -199,10 +204,6 @@ + optional_policy(` kerberos_use(samba_net_t) ') @@ -9713,7 +9317,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ######################################## # # smbd Local policy -@@ -217,19 +218,16 @@ +@@ -215,7 +218,7 @@ allow smbd_t self:msgq create_msgq_perms; allow smbd_t self:sem create_sem_perms; allow smbd_t self:shm create_shm_perms; @@ -9722,8 +9326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow smbd_t self:tcp_socket create_stream_socket_perms; allow smbd_t self:udp_socket create_socket_perms; allow smbd_t self:unix_dgram_socket { create_socket_perms sendto }; - allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; --allow smbd_t self:netlink_route_socket r_netlink_socket_perms; +@@ -223,10 +226,8 @@ allow smbd_t samba_etc_t:file { rw_file_perms setattr }; @@ -9736,7 +9339,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow smbd_t samba_net_tmp_t:file getattr; -@@ -256,7 +254,7 @@ +@@ -253,7 +254,7 @@ manage_sock_files_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t) files_pid_filetrans(smbd_t,smbd_var_run_t,file) @@ -9745,7 +9348,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) -@@ -298,6 +296,7 @@ +@@ -295,6 +296,7 @@ auth_use_nsswitch(smbd_t) auth_domtrans_chk_passwd(smbd_t) @@ -9753,16 +9356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb domain_use_interactive_fds(smbd_t) domain_dontaudit_list_all_domains_state(smbd_t) -@@ -321,8 +320,6 @@ - miscfiles_read_localization(smbd_t) - miscfiles_read_public_files(smbd_t) - --sysnet_read_config(smbd_t) -- - userdom_dontaudit_search_sysadm_home_dirs(smbd_t) - userdom_dontaudit_use_unpriv_user_fds(smbd_t) - userdom_use_unpriv_users_fds(smbd_t) -@@ -347,6 +344,17 @@ +@@ -342,6 +344,17 @@ tunable_policy(`samba_share_nfs',` fs_manage_nfs_dirs(smbd_t) fs_manage_nfs_files(smbd_t) @@ -9780,7 +9374,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') optional_policy(` -@@ -398,7 +406,7 @@ +@@ -393,7 +406,7 @@ allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; @@ -9789,7 +9383,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow nmbd_t self:tcp_socket create_stream_socket_perms; allow nmbd_t self:udp_socket create_socket_perms; allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; -@@ -410,8 +418,7 @@ +@@ -405,8 +418,7 @@ read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t) manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t) @@ -9799,7 +9393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb read_files_pattern(nmbd_t,samba_log_t,samba_log_t) create_files_pattern(nmbd_t,samba_log_t,samba_log_t) -@@ -446,6 +453,7 @@ +@@ -441,6 +453,7 @@ dev_getattr_mtrr_dev(nmbd_t) fs_getattr_all_fs(nmbd_t) @@ -9807,34 +9401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb fs_search_auto_mountpoints(nmbd_t) domain_use_interactive_fds(nmbd_t) -@@ -454,6 +462,8 @@ - files_read_etc_files(nmbd_t) - files_list_var_lib(nmbd_t) - -+auth_use_nsswitch(nmbd_t) -+ - libs_use_ld_so(nmbd_t) - libs_use_shared_libs(nmbd_t) - -@@ -462,17 +472,11 @@ - - miscfiles_read_localization(nmbd_t) - --sysnet_read_config(nmbd_t) -- - userdom_dontaudit_search_sysadm_home_dirs(nmbd_t) - userdom_dontaudit_use_unpriv_user_fds(nmbd_t) - userdom_use_unpriv_users_fds(nmbd_t) - - optional_policy(` -- nis_use_ypbind(nmbd_t) --') -- --optional_policy(` - seutil_sigchld_newrole(nmbd_t) - ') - -@@ -533,6 +537,7 @@ +@@ -524,6 +537,7 @@ storage_raw_write_fixed_disk(smbmount_t) term_list_ptys(smbmount_t) @@ -9842,34 +9409,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb corecmd_list_bin(smbmount_t) -@@ -542,6 +547,8 @@ - files_etc_filetrans_etc_runtime(smbmount_t,file) - files_read_etc_files(smbmount_t) +@@ -548,28 +562,37 @@ -+auth_use_nsswitch(smbmount_t) -+ - miscfiles_read_localization(smbmount_t) - - mount_use_fds(smbmount_t) -@@ -553,16 +560,10 @@ - - logging_search_logs(smbmount_t) - --sysnet_read_config(smbmount_t) -- userdom_use_all_users_fds(smbmount_t) - optional_policy(` -- nis_use_ypbind(smbmount_t) --') -- --optional_policy(` -- nscd_socket_use(smbmount_t) ++optional_policy(` + cups_read_rw_config(smbmount_t) - ') - ++') ++ ######################################## -@@ -570,24 +571,28 @@ + # # SWAT Local policy # @@ -9881,7 +9430,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow swat_t self:tcp_socket create_stream_socket_perms; allow swat_t self:udp_socket create_socket_perms; --allow swat_t self:netlink_route_socket r_netlink_socket_perms; -allow swat_t nmbd_exec_t:file { execute read }; +allow swat_t self:unix_stream_socket connectto; @@ -9906,7 +9454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t smbd_var_run_t:file read; manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t) -@@ -597,7 +602,9 @@ +@@ -579,7 +602,9 @@ manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t) files_pid_filetrans(swat_t,swat_var_run_t,file) @@ -9917,7 +9465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -622,23 +629,25 @@ +@@ -604,18 +629,21 @@ dev_read_urand(swat_t) @@ -9929,7 +9477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb auth_domtrans_chk_passwd(swat_t) +auth_domtrans_upd_passwd(swat_t) -+auth_use_nsswitch(swat_t) + auth_use_nsswitch(swat_t) libs_use_ld_so(swat_t) libs_use_shared_libs(swat_t) @@ -9939,25 +9487,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb logging_search_logs(swat_t) miscfiles_read_localization(swat_t) - --sysnet_read_config(swat_t) -- - optional_policy(` - cups_read_rw_config(swat_t) - cups_stream_connect(swat_t) -@@ -652,13 +661,16 @@ +@@ -633,6 +661,17 @@ kerberos_use(swat_t) ') --optional_policy(` -- nis_use_ypbind(swat_t) --') +init_read_utmp(swat_t) +init_dontaudit_write_utmp(swat_t) - --optional_policy(` -- nscd_socket_use(swat_t) --') ++ +manage_dirs_pattern(swat_t,samba_log_t,samba_log_t) +create_files_pattern(swat_t,samba_log_t,samba_log_t) + @@ -9965,18 +9501,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb + +manage_files_pattern(swat_t,samba_var_t,samba_var_t) +files_list_var_lib(swat_t) - ++ ######################################## # -@@ -672,7 +684,6 @@ - allow winbind_t self:fifo_file { read write }; - allow winbind_t self:unix_dgram_socket create_socket_perms; - allow winbind_t self:unix_stream_socket create_stream_socket_perms; --allow winbind_t self:netlink_route_socket r_netlink_socket_perms; - allow winbind_t self:tcp_socket create_stream_socket_perms; - allow winbind_t self:udp_socket create_socket_perms; - -@@ -709,6 +720,8 @@ + # Winbind local policy +@@ -681,6 +720,8 @@ manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t) files_pid_filetrans(winbind_t,winbind_var_run_t,file) @@ -9985,27 +9514,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_read_kernel_sysctls(winbind_t) kernel_list_proc(winbind_t) kernel_read_proc_symlinks(winbind_t) -@@ -733,7 +746,9 @@ - fs_getattr_all_fs(winbind_t) +@@ -706,6 +747,7 @@ fs_search_auto_mountpoints(winbind_t) -+auth_use_nsswitch(winbind_t) auth_domtrans_chk_passwd(winbind_t) +auth_domtrans_upd_passwd(winbind_t) + auth_use_nsswitch(winbind_t) domain_use_interactive_fds(winbind_t) - -@@ -746,9 +761,6 @@ - - miscfiles_read_localization(winbind_t) - --sysnet_read_config(winbind_t) --sysnet_dns_name_resolve(winbind_t) -- - userdom_dontaudit_use_unpriv_user_fds(winbind_t) - userdom_dontaudit_search_sysadm_home_dirs(winbind_t) - userdom_priveleged_home_dir_manager(winbind_t) -@@ -758,10 +770,6 @@ +@@ -728,10 +770,6 @@ ') optional_policy(` @@ -10016,7 +9533,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb seutil_sigchld_newrole(winbind_t) ') -@@ -790,6 +798,8 @@ +@@ -760,6 +798,8 @@ domain_use_interactive_fds(winbind_helper_t) @@ -10025,15 +9542,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb libs_use_ld_so(winbind_helper_t) libs_use_shared_libs(winbind_helper_t) -@@ -804,6 +814,7 @@ +@@ -768,12 +808,9 @@ + miscfiles_read_localization(winbind_helper_t) + optional_policy(` +- nscd_socket_use(winbind_helper_t) +-') +- +-optional_policy(` squid_read_log(winbind_helper_t) squid_append_log(winbind_helper_t) + squid_rw_stream_sockets(winbind_helper_t) ') ######################################## -@@ -828,3 +839,37 @@ +@@ -798,3 +835,37 @@ domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) ') ') @@ -10071,9 +9594,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +allow winbind_t smbcontrol_t:process signal; + +allow smbcontrol_t nmbd_var_run_t:file { read lock }; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.2.1/policy/modules/services/sasl.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.2.2/policy/modules/services/sasl.te --- nsaserefpolicy/policy/modules/services/sasl.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/sasl.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/sasl.te 2007-12-04 11:11:03.000000000 -0500 @@ -64,6 +64,7 @@ selinux_compute_access_vector(saslauthd_t) @@ -10093,9 +9616,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl seutil_sigchld_newrole(saslauthd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.2.1/policy/modules/services/sendmail.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.2.2/policy/modules/services/sendmail.if --- nsaserefpolicy/policy/modules/services/sendmail.if 2007-08-27 13:57:20.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/sendmail.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/sendmail.if 2007-12-04 11:11:03.000000000 -0500 @@ -149,3 +149,85 @@ logging_log_filetrans($1,sendmail_log_t,file) @@ -10182,9 +9705,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send + role $2 types unconfined_sendmail_t; + allow unconfined_sendmail_t $3:chr_file rw_file_perms; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.2.1/policy/modules/services/sendmail.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.2.2/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/sendmail.te 2007-12-01 07:43:47.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/sendmail.te 2007-12-04 11:11:03.000000000 -0500 @@ -20,19 +20,22 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -10302,9 +9825,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send -dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl }; -') dnl end TODO -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.2.1/policy/modules/services/setroubleshoot.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.2.2/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-10-29 07:52:49.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/setroubleshoot.te 2007-12-02 19:04:59.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/setroubleshoot.te 2007-12-04 11:11:03.000000000 -0500 @@ -27,8 +27,8 @@ # setroubleshootd local policy # @@ -10343,9 +9866,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.2.1/policy/modules/services/snmp.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.2.2/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/snmp.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/snmp.te 2007-12-04 11:11:03.000000000 -0500 @@ -81,8 +81,7 @@ files_read_usr_files(snmpd_t) files_read_etc_runtime_files(snmpd_t) @@ -10356,9 +9879,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp fs_getattr_all_dirs(snmpd_t) fs_getattr_all_fs(snmpd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.fc serefpolicy-3.2.1/policy/modules/services/soundserver.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.fc serefpolicy-3.2.2/policy/modules/services/soundserver.fc --- nsaserefpolicy/policy/modules/services/soundserver.fc 2006-11-16 17:15:20.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/soundserver.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/soundserver.fc 2007-12-04 11:11:03.000000000 -0500 @@ -1,5 +1,3 @@ -/etc/nas(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0) -/etc/yiff(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0) @@ -10372,9 +9895,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun +/var/run/nasd(/.*)? gen_context(system_u:object_r:soundd_var_run_t,s0) + /var/state/yiff(/.*)? gen_context(system_u:object_r:soundd_state_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.te serefpolicy-3.2.1/policy/modules/services/soundserver.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.te serefpolicy-3.2.2/policy/modules/services/soundserver.te --- nsaserefpolicy/policy/modules/services/soundserver.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/soundserver.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/soundserver.te 2007-12-04 11:11:03.000000000 -0500 @@ -10,9 +10,6 @@ type soundd_exec_t; init_daemon_domain(soundd_t,soundd_exec_t) @@ -10435,18 +9958,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun seutil_sigchld_newrole(soundd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.2.1/policy/modules/services/spamassassin.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.2.2/policy/modules/services/spamassassin.fc --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/spamassassin.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/spamassassin.fc 2007-12-04 11:11:03.000000000 -0500 @@ -1,4 +1,4 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0) +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:user_spamassassin_home_t,s0) /usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0) /usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.2.1/policy/modules/services/spamassassin.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.2.2/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/spamassassin.if 2007-12-01 07:44:50.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/spamassassin.if 2007-12-04 11:11:03.000000000 -0500 @@ -38,6 +38,8 @@ gen_require(` type spamc_exec_t, spamassassin_exec_t; @@ -10572,9 +10095,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam + + stream_connect_pattern($1,spamd_var_run_t,spamd_var_run_t,spamd_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.2.1/policy/modules/services/spamassassin.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.2.2/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/spamassassin.te 2007-12-01 07:44:33.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/spamassassin.te 2007-12-04 11:11:03.000000000 -0500 @@ -44,6 +44,15 @@ type spamassassin_exec_t; application_executable_file(spamassassin_exec_t) @@ -10617,18 +10140,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam fs_manage_cifs_files(spamd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.2.1/policy/modules/services/squid.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.2.2/policy/modules/services/squid.fc --- nsaserefpolicy/policy/modules/services/squid.fc 2006-11-16 17:15:21.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/squid.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/squid.fc 2007-12-04 11:11:03.000000000 -0500 @@ -12,3 +12,5 @@ /var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0) /var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) +/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) +/usr/lib64/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.2.1/policy/modules/services/squid.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.2.2/policy/modules/services/squid.if --- nsaserefpolicy/policy/modules/services/squid.if 2007-05-07 10:32:44.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/squid.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/squid.if 2007-12-04 11:11:03.000000000 -0500 @@ -131,3 +131,22 @@ interface(`squid_use',` refpolicywarn(`$0($*) has been deprecated.') @@ -10652,9 +10175,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi + + allow $1 squid_t:unix_stream_socket { getattr read write }; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.2.1/policy/modules/services/squid.te ---- nsaserefpolicy/policy/modules/services/squid.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/squid.te 2007-11-30 11:23:56.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.2.2/policy/modules/services/squid.te +--- nsaserefpolicy/policy/modules/services/squid.te 2007-12-04 11:02:50.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/squid.te 2007-12-04 11:51:47.000000000 -0500 @@ -36,7 +36,7 @@ # Local policy # @@ -10681,7 +10204,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi selinux_dontaudit_getattr_dir(squid_t) -@@ -149,11 +152,7 @@ +@@ -148,11 +151,7 @@ ') optional_policy(` @@ -10694,7 +10217,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi ') optional_policy(` -@@ -176,7 +175,12 @@ +@@ -167,7 +166,12 @@ udev_read_db(squid_t) ') @@ -10711,18 +10234,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi + corenet_all_recvfrom_unlabeled(httpd_squid_script_t) + corenet_all_recvfrom_netlabel(httpd_squid_script_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.2.1/policy/modules/services/ssh.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.2.2/policy/modules/services/ssh.fc --- nsaserefpolicy/policy/modules/services/ssh.fc 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/ssh.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/ssh.fc 2007-12-04 11:11:03.000000000 -0500 @@ -1,4 +1,4 @@ -HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ROLE_home_ssh_t,s0) +HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:user_ssh_home_t,s0) /etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) /etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.2.1/policy/modules/services/ssh.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.2.2/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2007-07-23 10:20:13.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/ssh.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/ssh.if 2007-12-04 11:11:03.000000000 -0500 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -10882,9 +10405,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. dontaudit $1 sshd_key_t:file { getattr read }; ') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.2.1/policy/modules/services/ssh.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.2.2/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/ssh.te 2007-11-30 11:38:23.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/ssh.te 2007-12-04 11:11:03.000000000 -0500 @@ -24,7 +24,7 @@ # Type for the ssh-agent executable. @@ -10941,43 +10464,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. unconfined_shell_domtrans(sshd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-3.2.1/policy/modules/services/stunnel.te ---- nsaserefpolicy/policy/modules/services/stunnel.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/stunnel.te 2007-11-30 11:23:56.000000000 -0500 -@@ -68,6 +68,8 @@ - - fs_getattr_all_fs(stunnel_t) - -+auth_use_nsswitch(stunnel_t) -+ - libs_use_ld_so(stunnel_t) - libs_use_shared_libs(stunnel_t) - -@@ -112,14 +114,6 @@ - optional_policy(` - kerberos_use(stunnel_t) - ') -- -- optional_policy(` -- nis_use_ypbind(stunnel_t) -- ') -- -- optional_policy(` -- nscd_socket_use(stunnel_t) -- ') - ') - - # hack since this port has no interfaces since it doesnt -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.2.1/policy/modules/services/telnet.te ---- nsaserefpolicy/policy/modules/services/telnet.te 2007-07-16 14:09:46.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/telnet.te 2007-11-30 11:23:56.000000000 -0500 -@@ -32,12 +32,13 @@ - allow telnetd_t self:udp_socket create_socket_perms; - # for identd; cjp: this should probably only be inetd_child rules? - allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; --allow telnetd_t self:netlink_route_socket r_netlink_socket_perms; - allow telnetd_t self:capability { setuid setgid }; - +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.2.2/policy/modules/services/telnet.te +--- nsaserefpolicy/policy/modules/services/telnet.te 2007-12-04 11:02:50.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/telnet.te 2007-12-04 11:44:45.000000000 -0500 +@@ -37,6 +37,8 @@ allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr }; term_create_pty(telnetd_t,telnetd_devpts_t) @@ -10986,12 +10476,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln manage_dirs_pattern(telnetd_t,telnetd_tmp_t,telnetd_tmp_t) manage_files_pattern(telnetd_t,telnetd_tmp_t,telnetd_tmp_t) files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir }) -@@ -62,10 +63,12 @@ - - fs_getattr_xattr_fs(telnetd_t) - -+auth_use_nsswitch(telnetd_t) - auth_rw_login_records(telnetd_t) +@@ -66,6 +68,7 @@ corecmd_search_bin(telnetd_t) @@ -10999,13 +10484,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln files_read_etc_files(telnetd_t) files_read_etc_runtime_files(telnetd_t) # for identd; cjp: this should probably only be inetd_child rules? -@@ -80,27 +83,26 @@ +@@ -80,17 +83,26 @@ miscfiles_read_localization(telnetd_t) -seutil_dontaudit_search_config(telnetd_t) -- --sysnet_read_config(telnetd_t) +seutil_read_config(telnetd_t) remotelogin_domtrans(telnetd_t) @@ -11019,68 +10502,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln + kerberos_manage_host_rcache(telnetd_t) ') --optional_policy(` -- nis_use_ypbind(telnetd_t) +-ifdef(`TODO',` +-# Allow krb5 telnetd to use fork and open /dev/tty for use +-allow telnetd_t userpty_type:chr_file setattr; +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(telnetd_t) + fs_manage_nfs_files(telnetd_t) ') - --optional_policy(` -- nscd_socket_use(telnetd_t) ++ +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(telnetd_t) + fs_manage_cifs_files(telnetd_t) - ') - --ifdef(`TODO',` --# Allow krb5 telnetd to use fork and open /dev/tty for use --allow telnetd_t userpty_type:chr_file setattr; --') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.fc serefpolicy-3.2.1/policy/modules/services/tftp.fc ++') ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.fc serefpolicy-3.2.2/policy/modules/services/tftp.fc --- nsaserefpolicy/policy/modules/services/tftp.fc 2006-11-16 17:15:21.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/tftp.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/tftp.fc 2007-12-04 11:11:03.000000000 -0500 @@ -4,3 +4,4 @@ /tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0) /tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0) +/var/lib/tftp(/.*)? gen_context(system_u:object_r:tftpdir_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.2.1/policy/modules/services/uucp.te ---- nsaserefpolicy/policy/modules/services/uucp.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/uucp.te 2007-11-30 11:23:56.000000000 -0500 -@@ -88,6 +88,8 @@ - files_search_home(uucpd_t) - files_search_spool(uucpd_t) - -+auth_use_nsswitch(uucpd_t) -+ - libs_use_ld_so(uucpd_t) - libs_use_shared_libs(uucpd_t) - -@@ -95,20 +97,10 @@ - - miscfiles_read_localization(uucpd_t) - --sysnet_read_config(uucpd_t) -- - optional_policy(` - kerberos_use(uucpd_t) - ') - --optional_policy(` -- nis_use_ypbind(uucpd_t) --') -- --optional_policy(` -- nscd_socket_use(uucpd_t) --') -- - ######################################## - # - # UUX Local policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uwimap.te serefpolicy-3.2.1/policy/modules/services/uwimap.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uwimap.te serefpolicy-3.2.2/policy/modules/services/uwimap.te --- nsaserefpolicy/policy/modules/services/uwimap.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/uwimap.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/uwimap.te 2007-12-04 11:11:03.000000000 -0500 @@ -64,6 +64,7 @@ fs_search_auto_mountpoints(imapd_t) @@ -11089,20 +10534,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uwim libs_use_ld_so(imapd_t) libs_use_shared_libs(imapd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.fc serefpolicy-3.2.1/policy/modules/services/w3c.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.fc serefpolicy-3.2.2/policy/modules/services/w3c.fc --- nsaserefpolicy/policy/modules/services/w3c.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/w3c.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/w3c.fc 2007-12-04 11:11:03.000000000 -0500 @@ -0,0 +1,2 @@ +/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_content_t,s0) +/usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.if serefpolicy-3.2.1/policy/modules/services/w3c.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.if serefpolicy-3.2.2/policy/modules/services/w3c.if --- nsaserefpolicy/policy/modules/services/w3c.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/w3c.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/w3c.if 2007-12-04 11:11:03.000000000 -0500 @@ -0,0 +1 @@ +##

W3C -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.2.1/policy/modules/services/w3c.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.2.2/policy/modules/services/w3c.te --- nsaserefpolicy/policy/modules/services/w3c.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/w3c.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/w3c.te 2007-12-04 11:11:03.000000000 -0500 @@ -0,0 +1,14 @@ +policy_module(w3c,1.2.1) + @@ -11118,9 +10563,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c. +corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t) + +miscfiles_read_certs(httpd_w3c_validator_script_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.2.1/policy/modules/services/xserver.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.2.2/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2007-10-15 16:11:05.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/xserver.fc 2007-11-30 11:27:15.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/xserver.fc 2007-12-04 11:11:03.000000000 -0500 @@ -1,13 +1,13 @@ # # HOME_DIR @@ -11187,18 +10632,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifdef(`distro_suse',` /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.1/policy/modules/services/xserver.if ---- nsaserefpolicy/policy/modules/services/xserver.if 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/xserver.if 2007-11-30 11:23:56.000000000 -0500 -@@ -58,7 +58,6 @@ - allow $1_xserver_t self:msg { send receive }; - allow $1_xserver_t self:unix_dgram_socket { create_socket_perms sendto }; - allow $1_xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; -- allow $1_xserver_t self:netlink_route_socket r_netlink_socket_perms; - allow $1_xserver_t self:tcp_socket create_stream_socket_perms; - allow $1_xserver_t self:udp_socket create_socket_perms; - -@@ -116,8 +115,7 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.2/policy/modules/services/xserver.if +--- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/xserver.if 2007-12-04 12:04:16.000000000 -0500 +@@ -115,8 +115,7 @@ dev_rw_agp($1_xserver_t) dev_rw_framebuffer($1_xserver_t) dev_manage_dri_dev($1_xserver_t) @@ -11208,7 +10645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # raw memory access is needed if not using the frame buffer dev_read_raw_memory($1_xserver_t) dev_wx_raw_memory($1_xserver_t) -@@ -126,8 +124,12 @@ +@@ -125,8 +124,12 @@ # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev($1_xserver_t) dev_rwx_zero($1_xserver_t) @@ -11221,15 +10658,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files($1_xserver_t) files_read_etc_runtime_files($1_xserver_t) -@@ -141,10 +143,16 @@ +@@ -140,12 +143,16 @@ fs_getattr_xattr_fs($1_xserver_t) fs_search_nfs($1_xserver_t) fs_search_auto_mountpoints($1_xserver_t) - fs_search_ramfs($1_xserver_t) + fs_manage_ramfs_files($1_xserver_t) + fs_list_inotifyfs($1_xserver_t) -+ -+ auth_use_nsswitch($1_xserver_t) + + auth_use_nsswitch($1_xserver_t) init_getpgid($1_xserver_t) @@ -11239,31 +10676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser term_setattr_unallocated_ttys($1_xserver_t) term_use_unallocated_ttys($1_xserver_t) -@@ -160,8 +168,6 @@ - - seutil_dontaudit_search_config($1_xserver_t) - -- sysnet_read_config($1_xserver_t) -- - ifndef(`distro_redhat',` - allow $1_xserver_t self:process { execmem execheap execstack }; - ') -@@ -179,14 +185,6 @@ - ') - - optional_policy(` -- nis_use_ypbind($1_xserver_t) -- ') -- -- optional_policy(` -- nscd_socket_use($1_xserver_t) -- ') -- -- optional_policy(` - rhgb_getpgid($1_xserver_t) - rhgb_signal($1_xserver_t) - ') -@@ -241,39 +239,26 @@ +@@ -232,39 +239,26 @@ # Declarations # @@ -11310,7 +10723,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ############################## # # $1_xserver_t Local policy -@@ -281,12 +266,15 @@ +@@ -272,12 +266,15 @@ domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t) @@ -11327,7 +10740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t) manage_files_pattern($2,$1_fonts_t,$1_fonts_t) -@@ -316,6 +304,7 @@ +@@ -307,6 +304,7 @@ userdom_use_user_ttys($1,$1_xserver_t) userdom_setattr_user_ttys($1,$1_xserver_t) userdom_rw_user_tmpfs_files($1,$1_xserver_t) @@ -11335,7 +10748,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_use_user_fonts($1,$1_xserver_t) xserver_rw_xdm_tmp_files($1_xauth_t) -@@ -339,12 +328,12 @@ +@@ -330,12 +328,12 @@ allow $1_xauth_t self:process signal; allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms; @@ -11353,7 +10766,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser domtrans_pattern($2, xauth_exec_t, $1_xauth_t) -@@ -353,12 +342,6 @@ +@@ -344,12 +342,6 @@ # allow ps to show xauth ps_process_pattern($2,$1_xauth_t) @@ -11366,7 +10779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser domain_use_interactive_fds($1_xauth_t) files_read_etc_files($1_xauth_t) -@@ -387,6 +370,14 @@ +@@ -378,6 +370,14 @@ ') optional_policy(` @@ -11378,10 +10791,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + ') + + optional_policy(` - nis_use_ypbind($1_xauth_t) - ') - -@@ -403,16 +394,16 @@ + ssh_sigchld($1_xauth_t) + ssh_read_pipes($1_xauth_t) + ssh_dontaudit_rw_tcp_sockets($1_xauth_t) +@@ -390,16 +390,16 @@ domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t) @@ -11403,7 +10816,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser fs_search_auto_mountpoints($1_iceauth_t) -@@ -536,17 +527,15 @@ +@@ -523,17 +523,15 @@ template(`xserver_user_client_template',` gen_require(` @@ -11427,7 +10840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -555,25 +544,51 @@ +@@ -542,25 +540,51 @@ allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; @@ -11487,7 +10900,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ') -@@ -626,6 +641,24 @@ +@@ -613,6 +637,24 @@ ######################################## ## @@ -11512,7 +10925,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -659,6 +692,73 @@ +@@ -646,6 +688,73 @@ ######################################## ## @@ -11586,7 +10999,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -684,10 +784,10 @@ +@@ -671,10 +780,10 @@ # template(`xserver_user_home_dir_filetrans_user_xauth',` gen_require(` @@ -11599,7 +11012,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -873,6 +973,25 @@ +@@ -760,7 +869,7 @@ + type xconsole_device_t; + ') + +- allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms; ++ allow $1 xconsole_device_t:fifo_file { getattr read write }; + ') + + ######################################## +@@ -860,6 +969,25 @@ ######################################## ## @@ -11625,7 +11047,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Read xdm-writable configuration files. ## ## -@@ -927,6 +1046,7 @@ +@@ -914,6 +1042,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t) @@ -11633,7 +11055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -987,6 +1107,37 @@ +@@ -974,6 +1103,37 @@ ######################################## ## @@ -11671,7 +11093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1136,7 +1287,7 @@ +@@ -1123,7 +1283,7 @@ type xdm_xserver_tmp_t; ') @@ -11680,7 +11102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1325,3 +1476,45 @@ +@@ -1312,3 +1472,45 @@ files_search_tmp($1) stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) ') @@ -11726,9 +11148,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.2.1/policy/modules/services/xserver.te ---- nsaserefpolicy/policy/modules/services/xserver.te 2007-10-15 16:11:05.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/xserver.te 2007-12-03 19:02:05.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.2.2/policy/modules/services/xserver.te +--- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-04 11:02:50.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/services/xserver.te 2007-12-04 11:11:03.000000000 -0500 @@ -16,6 +16,13 @@ ## @@ -12059,9 +11481,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser -# -allow pam_t xdm_t:fifo_file { getattr ioctl write }; -') dnl end TODO -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.2.1/policy/modules/system/authlogin.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.2.2/policy/modules/system/authlogin.fc --- nsaserefpolicy/policy/modules/system/authlogin.fc 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/system/authlogin.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/authlogin.fc 2007-12-04 11:11:03.000000000 -0500 @@ -41,3 +41,6 @@ /var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0) @@ -12069,9 +11491,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +/var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) + +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.2.1/policy/modules/system/authlogin.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.2.2/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/system/authlogin.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/authlogin.if 2007-12-04 11:11:03.000000000 -0500 @@ -169,6 +169,7 @@ interface(`auth_login_pgm_domain',` gen_require(` @@ -12250,9 +11672,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + read_files_pattern($1, auth_cache_t, auth_cache_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.2.1/policy/modules/system/authlogin.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.2.2/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/system/authlogin.te 2007-12-03 18:47:11.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/authlogin.te 2007-12-04 11:11:03.000000000 -0500 @@ -59,6 +59,9 @@ type utempter_exec_t; application_domain(utempter_t,utempter_exec_t) @@ -12320,9 +11742,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo xserver_use_xdm_fds(utempter_t) xserver_rw_xdm_pipes(utempter_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.2.1/policy/modules/system/fstools.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.2.2/policy/modules/system/fstools.fc --- nsaserefpolicy/policy/modules/system/fstools.fc 2007-09-26 12:15:01.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/system/fstools.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/fstools.fc 2007-12-04 11:11:03.000000000 -0500 @@ -1,4 +1,3 @@ -/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) @@ -12336,9 +11758,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-3.2.1/policy/modules/system/fstools.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-3.2.2/policy/modules/system/fstools.if --- nsaserefpolicy/policy/modules/system/fstools.if 2007-08-22 17:33:53.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/system/fstools.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/fstools.if 2007-12-04 11:11:03.000000000 -0500 @@ -142,3 +142,20 @@ allow $1 swapfile_t:file getattr; @@ -12360,9 +11782,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool + ') + fs_manage_nfs_files(fsadm_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.2.1/policy/modules/system/fstools.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.2.2/policy/modules/system/fstools.te --- nsaserefpolicy/policy/modules/system/fstools.te 2007-10-12 08:56:08.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/system/fstools.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/fstools.te 2007-12-04 11:11:03.000000000 -0500 @@ -109,8 +109,7 @@ term_use_console(fsadm_t) @@ -12379,9 +11801,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool xen_append_log(fsadm_t) + xen_rw_image_files(fsadm_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.2.1/policy/modules/system/getty.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.2.2/policy/modules/system/getty.te --- nsaserefpolicy/policy/modules/system/getty.te 2007-10-12 08:56:08.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/system/getty.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/getty.te 2007-12-04 11:11:03.000000000 -0500 @@ -33,7 +33,8 @@ # @@ -12392,9 +11814,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty. dontaudit getty_t self:capability sys_tty_config; allow getty_t self:process { getpgid setpgid getsession signal_perms }; allow getty_t self:fifo_file rw_fifo_file_perms; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.2.1/policy/modules/system/hostname.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.2.2/policy/modules/system/hostname.te --- nsaserefpolicy/policy/modules/system/hostname.te 2007-01-02 12:57:49.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/system/hostname.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/hostname.te 2007-12-04 11:11:03.000000000 -0500 @@ -8,7 +8,9 @@ type hostname_t; @@ -12418,9 +11840,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna +optional_policy(` + unconfined_dontaudit_rw_pipes(hostname_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.2.1/policy/modules/system/hotplug.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.2.2/policy/modules/system/hotplug.te --- nsaserefpolicy/policy/modules/system/hotplug.te 2007-10-12 08:56:08.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/system/hotplug.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/hotplug.te 2007-12-04 11:11:03.000000000 -0500 @@ -179,6 +179,7 @@ sysnet_read_dhcpc_pid(hotplug_t) sysnet_rw_dhcp_config(hotplug_t) @@ -12429,9 +11851,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.2.1/policy/modules/system/init.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.2.2/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/system/init.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/init.if 2007-12-04 11:11:03.000000000 -0500 @@ -211,6 +211,13 @@ kernel_dontaudit_use_fds($1) ') @@ -12673,9 +12095,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + domain_entry_file(initrc_t,$1) + +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.2.1/policy/modules/system/init.te ---- nsaserefpolicy/policy/modules/system/init.te 2007-10-29 07:52:50.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/system/init.te 2007-11-30 15:05:52.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.2.2/policy/modules/system/init.te +--- nsaserefpolicy/policy/modules/system/init.te 2007-12-04 11:02:50.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/init.te 2007-12-04 11:46:20.000000000 -0500 @@ -10,6 +10,20 @@ # Declarations # @@ -12753,12 +12175,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; -@@ -196,15 +212,13 @@ - allow initrc_t self:tcp_socket create_stream_socket_perms; - allow initrc_t self:udp_socket create_socket_perms; - allow initrc_t self:fifo_file rw_file_perms; --allow initrc_t self:netlink_route_socket r_netlink_socket_perms; - +@@ -200,10 +216,9 @@ allow initrc_t initrc_devpts_t:chr_file rw_term_perms; term_create_pty(initrc_t,initrc_devpts_t) @@ -12771,7 +12188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t) manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t) -@@ -283,7 +297,6 @@ +@@ -282,7 +297,6 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) @@ -12779,16 +12196,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t selinux_get_enforce_mode(initrc_t) -@@ -365,7 +378,7 @@ - - seutil_read_config(initrc_t) - --sysnet_read_config(initrc_t) -+auth_use_nsswitch(initrc_t) - - userdom_read_all_users_home_content_files(initrc_t) - # Allow access to the sysadm TTYs. Note that this will give access to the -@@ -496,6 +509,31 @@ +@@ -495,6 +509,31 @@ ') ') @@ -12820,7 +12228,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -631,12 +669,6 @@ +@@ -630,12 +669,6 @@ mta_read_config(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t) ') @@ -12833,23 +12241,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` ifdef(`distro_redhat',` -@@ -648,15 +680,10 @@ - ') - - optional_policy(` -- nis_use_ypbind(initrc_t) - nis_list_var_yp(initrc_t) - ') - - optional_policy(` -- nscd_socket_use(initrc_t) --') -- --optional_policy(` - openvpn_read_config(initrc_t) - ') - -@@ -702,6 +729,9 @@ +@@ -696,6 +729,9 @@ # why is this needed: rpm_manage_db(initrc_t) @@ -12859,7 +12251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -749,6 +779,10 @@ +@@ -743,6 +779,10 @@ ') optional_policy(` @@ -12870,9 +12262,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t vmware_read_system_config(initrc_t) vmware_append_system_config(initrc_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.2.1/policy/modules/system/libraries.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.2.2/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2007-10-12 08:56:08.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/system/libraries.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/libraries.fc 2007-12-04 11:11:03.000000000 -0500 @@ -65,11 +65,15 @@ /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -12949,9 +12341,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +/usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/Adobe/Reader8/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.2.1/policy/modules/system/libraries.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.2.2/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2007-10-12 08:56:08.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/system/libraries.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/libraries.te 2007-12-04 11:11:03.000000000 -0500 @@ -23,6 +23,9 @@ init_system_domain(ldconfig_t,ldconfig_exec_t) role system_r types ldconfig_t; @@ -13004,9 +12396,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar + # smart package manager needs the following for the same reason + rpm_rw_tmp_files(ldconfig_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.2.1/policy/modules/system/locallogin.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.2.2/policy/modules/system/locallogin.te --- nsaserefpolicy/policy/modules/system/locallogin.te 2007-10-29 07:52:50.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/system/locallogin.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/locallogin.te 2007-12-04 11:11:03.000000000 -0500 @@ -25,7 +25,6 @@ domain_role_change_exemption(sulogin_t) domain_interactive_fd(sulogin_t) @@ -13044,9 +12436,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.2.1/policy/modules/system/logging.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.2.2/policy/modules/system/logging.fc --- nsaserefpolicy/policy/modules/system/logging.fc 2007-11-06 09:18:37.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/system/logging.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/logging.fc 2007-12-04 11:11:03.000000000 -0500 @@ -29,6 +29,11 @@ /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) @@ -13075,9 +12467,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin + +/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_script_exec_t,s0) +/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.2.1/policy/modules/system/logging.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.2.2/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2007-11-06 09:51:43.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/system/logging.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/logging.if 2007-12-04 11:11:03.000000000 -0500 @@ -577,6 +577,8 @@ files_search_var($1) manage_files_pattern($1,logfile,logfile) @@ -13174,9 +12566,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin + init_script_domtrans_spec($1,auditd_script_exec_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.2.1/policy/modules/system/logging.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.2.2/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2007-11-06 09:18:37.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/system/logging.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/logging.te 2007-12-04 11:11:03.000000000 -0500 @@ -61,6 +61,12 @@ logging_log_file(var_log_t) files_mountpoint(var_log_t) @@ -13198,9 +12590,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin domain_use_interactive_fds(klogd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.2.1/policy/modules/system/lvm.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.2.2/policy/modules/system/lvm.fc --- nsaserefpolicy/policy/modules/system/lvm.fc 2007-10-12 08:56:08.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/system/lvm.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/lvm.fc 2007-12-04 11:11:03.000000000 -0500 @@ -15,6 +15,7 @@ # /etc/lvm(/.*)? gen_context(system_u:object_r:lvm_etc_t,s0) @@ -13209,9 +12601,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc /etc/lvm/archive(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) /etc/lvm/backup(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) /etc/lvm/lock(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.2.1/policy/modules/system/lvm.te ---- nsaserefpolicy/policy/modules/system/lvm.te 2007-10-12 08:56:08.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/system/lvm.te 2007-11-30 11:23:56.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.2.2/policy/modules/system/lvm.te +--- nsaserefpolicy/policy/modules/system/lvm.te 2007-12-04 11:02:50.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/lvm.te 2007-12-04 11:46:49.000000000 -0500 @@ -44,9 +44,9 @@ # Cluster LVM daemon local policy # @@ -13224,7 +12616,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te dontaudit clvmd_t self:process ptrace; allow clvmd_t self:socket create_socket_perms; allow clvmd_t self:fifo_file rw_fifo_file_perms; -@@ -54,11 +54,15 @@ +@@ -54,6 +54,8 @@ allow clvmd_t self:tcp_socket create_stream_socket_perms; allow clvmd_t self:udp_socket create_socket_perms; @@ -13233,14 +12625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te manage_files_pattern(clvmd_t,clvmd_var_run_t,clvmd_var_run_t) files_pid_filetrans(clvmd_t,clvmd_var_run_t,file) - read_files_pattern(clvmd_t,lvm_metadata_t,lvm_metadata_t) - -+auth_use_nsswitch(clvmd_t) -+ - kernel_read_kernel_sysctls(clvmd_t) - kernel_read_system_state(clvmd_t) - kernel_list_proc(clvmd_t) -@@ -85,10 +89,15 @@ +@@ -85,10 +87,15 @@ corenet_sendrecv_generic_server_packets(clvmd_t) dev_read_sysfs(clvmd_t) @@ -13256,7 +12641,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te files_read_etc_files(clvmd_t) files_list_usr(clvmd_t) -@@ -99,9 +108,12 @@ +@@ -99,9 +106,12 @@ fs_dontaudit_read_removable_files(clvmd_t) storage_dontaudit_getattr_removable_dev(clvmd_t) @@ -13268,31 +12653,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te +storage_relabel_fixed_disk(clvmd_t) storage_raw_read_fixed_disk(clvmd_t) - libs_use_ld_so(clvmd_t) -@@ -113,8 +125,9 @@ + auth_use_nsswitch(clvmd_t) +@@ -115,6 +125,9 @@ seutil_dontaudit_search_config(clvmd_t) seutil_sigchld_newrole(clvmd_t) -- --sysnet_read_config(clvmd_t) +seutil_read_config(clvmd_t) +seutil_read_file_contexts(clvmd_t) +seutil_search_default_contexts(clvmd_t) userdom_dontaudit_use_unpriv_user_fds(clvmd_t) userdom_dontaudit_search_sysadm_home_dirs(clvmd_t) -@@ -131,10 +144,6 @@ - ') - - optional_policy(` -- nis_use_ypbind(clvmd_t) --') -- --optional_policy(` - ricci_dontaudit_rw_modcluster_pipes(clvmd_t) - ricci_dontaudit_use_modcluster_fds(clvmd_t) - ') -@@ -150,7 +159,8 @@ +@@ -146,7 +159,8 @@ # DAC overrides and mknod for modifying /dev entries (vgmknodes) # rawio needed for dmraid @@ -13302,7 +12674,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te dontaudit lvm_t self:capability sys_tty_config; allow lvm_t self:process { sigchld sigkill sigstop signull signal }; # LVM will complain a lot if it cannot set its priority. -@@ -160,7 +170,8 @@ +@@ -156,7 +170,8 @@ allow lvm_t self:unix_dgram_socket create_socket_perms; allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -13312,7 +12684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te manage_dirs_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t) manage_files_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t) -@@ -192,6 +203,7 @@ +@@ -188,6 +203,7 @@ manage_files_pattern(lvm_t,lvm_metadata_t,lvm_metadata_t) filetrans_pattern(lvm_t,lvm_etc_t,lvm_metadata_t,file) files_etc_filetrans(lvm_t,lvm_metadata_t,file) @@ -13320,7 +12692,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te kernel_read_system_state(lvm_t) kernel_read_kernel_sysctls(lvm_t) -@@ -208,7 +220,6 @@ +@@ -204,7 +220,6 @@ selinux_compute_user_contexts(lvm_t) dev_create_generic_chr_files(lvm_t) @@ -13328,7 +12700,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te dev_read_rand(lvm_t) dev_read_urand(lvm_t) dev_rw_lvm_control(lvm_t) -@@ -228,6 +239,8 @@ +@@ -224,6 +239,8 @@ dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) @@ -13337,7 +12709,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te fs_getattr_xattr_fs(lvm_t) fs_search_auto_mountpoints(lvm_t) -@@ -246,6 +259,7 @@ +@@ -242,6 +259,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) # Access raw devices and old /dev/lvm (c 109,0). Is this needed? storage_manage_fixed_disk(lvm_t) @@ -13345,7 +12717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te term_getattr_all_user_ttys(lvm_t) term_list_ptys(lvm_t) -@@ -254,6 +268,7 @@ +@@ -250,6 +268,7 @@ domain_use_interactive_fds(lvm_t) @@ -13353,7 +12725,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te files_read_etc_files(lvm_t) files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: -@@ -275,6 +290,8 @@ +@@ -271,6 +290,8 @@ seutil_search_default_contexts(lvm_t) seutil_sigchld_newrole(lvm_t) @@ -13362,7 +12734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te ifdef(`distro_redhat',` # this is from the initrd: files_rw_isid_type_dirs(lvm_t) -@@ -293,5 +310,14 @@ +@@ -289,5 +310,14 @@ ') optional_policy(` @@ -13377,9 +12749,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te + xen_append_log(lvm_t) + xen_dontaudit_rw_unix_stream_sockets(lvm_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.2.1/policy/modules/system/modutils.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.2.2/policy/modules/system/modutils.if --- nsaserefpolicy/policy/modules/system/modutils.if 2007-03-26 10:39:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/system/modutils.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/modutils.if 2007-12-04 11:11:03.000000000 -0500 @@ -66,6 +66,25 @@ ######################################## @@ -13406,9 +12778,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ## Unconditionally execute insmod in the insmod domain. ## ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.2.1/policy/modules/system/modutils.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.2.2/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2007-10-12 08:56:08.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/system/modutils.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/modutils.te 2007-12-04 11:11:03.000000000 -0500 @@ -42,7 +42,7 @@ # insmod local policy # @@ -13511,17 +12883,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.2.1/policy/modules/system/mount.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.2.2/policy/modules/system/mount.fc --- nsaserefpolicy/policy/modules/system/mount.fc 2006-11-16 17:15:24.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/system/mount.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/mount.fc 2007-12-04 11:11:03.000000000 -0500 @@ -1,4 +1,2 @@ /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) - -/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.2.1/policy/modules/system/mount.te ---- nsaserefpolicy/policy/modules/system/mount.te 2007-10-12 08:56:08.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/system/mount.te 2007-11-30 11:24:14.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.2.2/policy/modules/system/mount.te +--- nsaserefpolicy/policy/modules/system/mount.te 2007-12-04 11:02:50.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/mount.te 2007-12-04 11:47:14.000000000 -0500 @@ -8,7 +8,7 @@ ## @@ -13553,7 +12925,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ######################################## # -@@ -36,21 +37,24 @@ +@@ -36,20 +37,22 @@ # # setuid/setgid needed to mount cifs @@ -13561,18 +12933,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. +allow mount_t self:capability { fsetid ipc_lock sys_rawio sys_resource sys_admin dac_override chown sys_tty_config setuid setgid }; allow mount_t mount_loopback_t:file read_file_perms; --allow mount_t self:netlink_route_socket r_netlink_socket_perms; allow mount_t mount_tmp_t:file manage_file_perms; allow mount_t mount_tmp_t:dir manage_dir_perms; +files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir }) --can_exec(mount_t, mount_exec_t) -+auth_use_nsswitch(mount_t) + can_exec(mount_t, mount_exec_t) -files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir }) -+can_exec(mount_t, mount_exec_t) - +- +# In order to mount reiserfs_t +kernel_list_unlabeled(mount_t) kernel_read_system_state(mount_t) @@ -13582,7 +12951,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. dev_getattr_all_blk_files(mount_t) dev_list_all_dev_nodes(mount_t) -@@ -63,6 +67,7 @@ +@@ -62,6 +65,7 @@ storage_raw_write_fixed_disk(mount_t) storage_raw_read_removable_device(mount_t) storage_raw_write_removable_device(mount_t) @@ -13590,31 +12959,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. fs_getattr_xattr_fs(mount_t) fs_getattr_cifs(mount_t) -@@ -101,6 +106,8 @@ +@@ -100,6 +104,8 @@ init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) +init_stream_connect_script(mount_t) +init_rw_script_stream_sockets(mount_t) - libs_use_ld_so(mount_t) - libs_use_shared_libs(mount_t) -@@ -159,13 +166,9 @@ + auth_use_nsswitch(mount_t) +@@ -161,6 +167,8 @@ fs_search_rpc(mount_t) -- sysnet_dns_name_resolve(mount_t) -- rpc_stub(mount_t) - -- optional_policy(` -- nis_use_ypbind(mount_t) -- ') ++ + rpc_domtrans_rpcd(mount_t) ') optional_policy(` -@@ -189,10 +192,6 @@ +@@ -184,10 +192,6 @@ samba_domtrans_smbmount(mount_t) ') @@ -13625,7 +12988,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ######################################## # # Unconfined mount local policy -@@ -201,4 +200,26 @@ +@@ -196,4 +200,26 @@ optional_policy(` files_etc_filetrans_etc_runtime(unconfined_mount_t,file) unconfined_domain(unconfined_mount_t) @@ -13652,9 +13015,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. + hal_rw_pipes(mount_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.2.1/policy/modules/system/raid.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.2.2/policy/modules/system/raid.te --- nsaserefpolicy/policy/modules/system/raid.te 2007-10-12 08:56:08.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/system/raid.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/raid.te 2007-12-04 11:11:03.000000000 -0500 @@ -19,7 +19,7 @@ # Local policy # @@ -13680,9 +13043,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t +optional_policy(` + unconfined_domain(mdadm_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.2.1/policy/modules/system/selinuxutil.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.2.2/policy/modules/system/selinuxutil.fc --- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2007-05-18 11:12:44.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/system/selinuxutil.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/selinuxutil.fc 2007-12-04 11:11:03.000000000 -0500 @@ -38,7 +38,7 @@ /usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0) /usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0) @@ -13692,9 +13055,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu /usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0) /usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.2.1/policy/modules/system/selinuxutil.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.2.2/policy/modules/system/selinuxutil.if --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/system/selinuxutil.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/selinuxutil.if 2007-12-04 11:11:03.000000000 -0500 @@ -215,8 +215,6 @@ seutil_domtrans_newrole($1) role $2 types newrole_t; @@ -13976,9 +13339,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu + rpm_dontaudit_rw_pipes($1) + ') +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.2.1/policy/modules/system/selinuxutil.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.2.2/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/system/selinuxutil.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/selinuxutil.te 2007-12-04 11:47:51.000000000 -0500 @@ -75,7 +75,6 @@ type restorecond_exec_t; init_daemon_domain(restorecond_t,restorecond_exec_t) @@ -14051,15 +13414,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu logging_send_syslog_msg(newrole_t) miscfiles_read_localization(newrole_t) -@@ -299,6 +300,8 @@ - allow restorecond_t restorecond_var_run_t:file manage_file_perms; - files_pid_filetrans(restorecond_t,restorecond_var_run_t, file) +@@ -318,6 +319,8 @@ + auth_read_all_files_except_shadow(restorecond_t) + auth_use_nsswitch(restorecond_t) +auth_use_nsswitch(restorecond_t) + - kernel_use_fds(restorecond_t) - kernel_rw_pipes(restorecond_t) - kernel_read_system_state(restorecond_t) + libs_use_ld_so(restorecond_t) + libs_use_shared_libs(restorecond_t) + @@ -329,6 +332,8 @@ seutil_libselinux_linked(restorecond_t) @@ -14267,9 +13630,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu optional_policy(` hotplug_use_fds(setfiles_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.2.1/policy/modules/system/sysnetwork.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.2.2/policy/modules/system/sysnetwork.fc --- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2006-11-16 17:15:24.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/system/sysnetwork.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/sysnetwork.fc 2007-12-04 11:11:03.000000000 -0500 @@ -52,8 +52,7 @@ /var/lib/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) /var/lib/dhclient(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) @@ -14280,9 +13643,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ifdef(`distro_gentoo',` /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.2.1/policy/modules/system/sysnetwork.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.2.2/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2007-07-16 14:09:49.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/system/sysnetwork.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/sysnetwork.if 2007-12-04 11:11:03.000000000 -0500 @@ -145,6 +145,25 @@ ######################################## @@ -14353,9 +13716,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet + dontaudit $1 dhcpc_t:fd use; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.2.1/policy/modules/system/sysnetwork.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.2.2/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2007-10-29 07:52:50.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/system/sysnetwork.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/sysnetwork.te 2007-12-04 11:11:03.000000000 -0500 @@ -45,7 +45,7 @@ dontaudit dhcpc_t self:capability sys_tty_config; # for access("/etc/bashrc", X_OK) on Red Hat @@ -14486,10 +13849,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet kernel_read_xen_state(ifconfig_t) kernel_write_xen_state(ifconfig_t) xen_append_log(ifconfig_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.2.1/policy/modules/system/udev.te ---- nsaserefpolicy/policy/modules/system/udev.te 2007-11-15 13:40:14.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/system/udev.te 2007-11-30 11:23:56.000000000 -0500 -@@ -186,6 +186,7 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.2.2/policy/modules/system/udev.te +--- nsaserefpolicy/policy/modules/system/udev.te 2007-12-04 11:02:50.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/udev.te 2007-12-04 11:11:03.000000000 -0500 +@@ -96,9 +96,6 @@ + dev_delete_generic_files(udev_t) + dev_search_usbfs(udev_t) + dev_relabel_all_dev_nodes(udev_t) +-# udev_node.c/node_symlink() symlink labels are explicitly +-# preserved, instead of short circuiting the relabel +-dev_relabel_generic_symlinks(udev_t) + + domain_read_all_domains_state(udev_t) + domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these +@@ -189,6 +186,7 @@ optional_policy(` alsa_domtrans(udev_t) @@ -14497,19 +13870,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t alsa_read_rw_config(udev_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.2.1/policy/modules/system/unconfined.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.2.2/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-10-12 08:56:08.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/system/unconfined.fc 2007-12-03 13:36:12.000000000 -0500 -@@ -10,3 +10,6 @@ ++++ serefpolicy-3.2.2/policy/modules/system/unconfined.fc 2007-12-04 11:30:32.000000000 -0500 +@@ -10,3 +10,7 @@ /usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) /usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/bin/rhythmbox -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/bin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.2.1/policy/modules/system/unconfined.if ++/usr/bin/livecd-creator -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.2.2/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2007-11-16 15:30:49.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/system/unconfined.if 2007-12-03 13:19:33.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/unconfined.if 2007-12-04 11:11:03.000000000 -0500 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -14757,9 +14131,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf - allow $1 unconfined_tmp_t:file { getattr write append }; + allow $1 unconfined_t:process getpgid; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.1/policy/modules/system/unconfined.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.2/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2007-11-16 15:30:49.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/system/unconfined.te 2007-12-03 13:35:11.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/unconfined.te 2007-12-04 11:11:03.000000000 -0500 @@ -9,32 +9,46 @@ # usage in this module of types created by these # calls is not correct, however we dont currently @@ -14986,9 +14360,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +allow unconfined_notrans_t self:process { execstack execmem }; +unconfined_domain_noaudit(unconfined_notrans_t) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.2.1/policy/modules/system/userdomain.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.2.2/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2007-02-19 11:32:53.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/system/userdomain.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/userdomain.fc 2007-12-04 11:11:03.000000000 -0500 @@ -1,4 +1,5 @@ -HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh) -HOME_DIR/.+ gen_context(system_u:object_r:ROLE_home_t,s0) @@ -14999,9 +14373,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) +/tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0) +/root(/.*) gen_context(system_u:object_r:admin_home_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.1/policy/modules/system/userdomain.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.2/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/system/userdomain.if 2007-12-01 08:14:44.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/userdomain.if 2007-12-04 11:57:51.000000000 -0500 @@ -29,8 +29,9 @@ ') @@ -15013,7 +14387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo domain_type($1_t) corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) -@@ -45,66 +46,72 @@ +@@ -45,66 +46,70 @@ type $1_tty_device_t; term_user_tty($1_t,$1_tty_device_t) @@ -15113,6 +14487,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - libs_use_ld_so($1_t) - libs_use_shared_libs($1_t) - libs_exec_ld_so($1_t) +- +- miscfiles_read_localization($1_t) +- miscfiles_read_certs($1_t) + files_dontaudit_list_non_security($1_usertype) + files_dontaudit_getattr_non_security_files($1_usertype) + files_dontaudit_getattr_non_security_symlinks($1_usertype) @@ -15128,17 +14505,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + libs_use_shared_libs($1_usertype) + libs_exec_ld_so($1_usertype) -- miscfiles_read_localization($1_t) -- miscfiles_read_certs($1_t) +- sysnet_read_config($1_t) + miscfiles_read_localization($1_usertype) + miscfiles_read_certs($1_usertype) -- sysnet_read_config($1_t) -+ sysnet_read_config($1_usertype) - tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. -@@ -115,6 +122,10 @@ +@@ -115,6 +120,10 @@ # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') @@ -15149,7 +14522,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -141,33 +152,13 @@ +@@ -141,33 +150,13 @@ # template(`userdom_ro_home_template',` gen_require(` @@ -15188,7 +14561,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # -@@ -175,13 +166,13 @@ +@@ -175,13 +164,13 @@ # # read-only home directory @@ -15209,7 +14582,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_list_home($1_t) tunable_policy(`use_nfs_home_dirs',` -@@ -231,30 +222,14 @@ +@@ -231,30 +220,14 @@ # template(`userdom_manage_home_template',` gen_require(` @@ -15246,7 +14619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # -@@ -262,43 +237,43 @@ +@@ -262,43 +235,43 @@ # # full control of the home directory @@ -15318,7 +14691,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -316,14 +291,20 @@ +@@ -316,14 +289,20 @@ ## # template(`userdom_exec_home_template',` @@ -15344,7 +14717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -341,11 +322,10 @@ +@@ -341,11 +320,10 @@ ## # template(`userdom_poly_home_template',` @@ -15360,7 +14733,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -369,18 +349,18 @@ +@@ -369,18 +347,18 @@ # template(`userdom_manage_tmp_template',` gen_require(` @@ -15389,7 +14762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -396,7 +376,13 @@ +@@ -396,7 +374,13 @@ ## # template(`userdom_exec_tmp_template',` @@ -15404,7 +14777,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -510,10 +496,6 @@ +@@ -510,10 +494,6 @@ ## # template(`userdom_exec_generic_pgms_template',` @@ -15415,7 +14788,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo corecmd_exec_bin($1_t) ') -@@ -531,9 +513,6 @@ +@@ -531,9 +511,6 @@ ## # template(`userdom_basic_networking_template',` @@ -15425,7 +14798,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1_t self:tcp_socket create_stream_socket_perms; allow $1_t self:udp_socket create_socket_perms; -@@ -548,10 +527,6 @@ +@@ -548,10 +525,6 @@ corenet_udp_sendrecv_all_ports($1_t) corenet_tcp_connect_all_ports($1_t) corenet_sendrecv_all_client_packets($1_t) @@ -15436,7 +14809,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -568,30 +543,29 @@ +@@ -568,30 +541,29 @@ # template(`userdom_xwindows_client_template',` gen_require(` @@ -15483,7 +14856,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -728,7 +702,6 @@ +@@ -728,7 +700,6 @@ # for eject storage_getattr_fixed_disk_dev($1_t) @@ -15491,7 +14864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo auth_read_login_records($1_t) auth_search_pam_console_data($1_t) auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) -@@ -758,10 +731,6 @@ +@@ -758,10 +729,6 @@ dev_read_mouse($1_t) ') @@ -15502,7 +14875,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` alsa_read_rw_config($1_t) ') -@@ -783,20 +752,20 @@ +@@ -783,20 +750,20 @@ ') optional_policy(` @@ -15528,7 +14901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -824,11 +793,18 @@ +@@ -824,11 +791,18 @@ mta_rw_spool($1_t) ') @@ -15551,7 +14924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') optional_policy(` -@@ -842,13 +818,6 @@ +@@ -842,13 +816,6 @@ ') optional_policy(` @@ -15565,7 +14938,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo resmgr_stream_connect($1_t) ') -@@ -889,6 +858,8 @@ +@@ -889,6 +856,8 @@ ## # template(`userdom_login_user_template', ` @@ -15574,7 +14947,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_base_user_template($1) userdom_manage_home_template($1) -@@ -917,26 +888,26 @@ +@@ -917,26 +886,26 @@ allow $1_t self:context contains; @@ -15615,7 +14988,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo auth_dontaudit_write_login_records($1_t) -@@ -944,43 +915,43 @@ +@@ -944,43 +913,43 @@ # The library functions always try to open read-write first, # then fall back to read-only if it fails. @@ -15677,7 +15050,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1014,9 +985,6 @@ +@@ -1014,9 +983,6 @@ domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; @@ -15687,7 +15060,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo typeattribute $1_tty_device_t user_ttynode; ############################## -@@ -1025,12 +993,12 @@ +@@ -1025,12 +991,12 @@ # # privileged home directory writers @@ -15706,7 +15079,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` loadkeys_run($1_t,$1_r,$1_tty_device_t) -@@ -1070,14 +1038,14 @@ +@@ -1070,14 +1036,14 @@ # authlogin_per_role_template($1, $1_t, $1_r) @@ -15726,7 +15099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -1085,19 +1053,18 @@ +@@ -1085,19 +1051,18 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -15751,7 +15124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1109,9 +1076,11 @@ +@@ -1109,9 +1074,11 @@ mono_per_role_template($1, $1_t, $1_r) ') @@ -15766,7 +15139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -1121,10 +1090,10 @@ +@@ -1121,10 +1088,10 @@ ## ## ##

@@ -15781,7 +15154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## This template creates a user domain, types, and ## rules for the user's tty, pty, home directories, ## tmp, and tmpfs files. -@@ -1187,12 +1156,11 @@ +@@ -1187,12 +1154,11 @@ # and may change other protocols tunable_policy(`user_tcp_server',` corenet_tcp_bind_all_nodes($1_t) @@ -15796,7 +15169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') # Run pppd in pppd_t by default for user -@@ -1278,8 +1246,6 @@ +@@ -1278,8 +1244,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -15805,7 +15178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1416,6 +1382,7 @@ +@@ -1416,6 +1380,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -15813,7 +15186,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1781,10 +1748,14 @@ +@@ -1781,10 +1746,14 @@ template(`userdom_user_home_content',` gen_require(` attribute $1_file_type; @@ -15829,7 +15202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1880,11 +1851,11 @@ +@@ -1880,11 +1849,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` @@ -15843,7 +15216,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1914,11 +1885,11 @@ +@@ -1914,11 +1883,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` @@ -15857,7 +15230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1962,12 +1933,12 @@ +@@ -1962,12 +1931,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` @@ -15873,7 +15246,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1997,10 +1968,10 @@ +@@ -1997,10 +1966,10 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` @@ -15886,7 +15259,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2032,11 +2003,47 @@ +@@ -2032,11 +2001,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` @@ -15936,7 +15309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2068,10 +2075,10 @@ +@@ -2068,10 +2073,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -15949,7 +15322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2101,11 +2108,11 @@ +@@ -2101,11 +2106,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -15963,7 +15336,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2135,11 +2142,11 @@ +@@ -2135,11 +2140,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -15978,7 +15351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2169,10 +2176,10 @@ +@@ -2169,10 +2174,10 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -15991,7 +15364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2202,11 +2209,11 @@ +@@ -2202,11 +2207,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -16005,7 +15378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2236,11 +2243,11 @@ +@@ -2236,11 +2241,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -16019,7 +15392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2270,10 +2277,10 @@ +@@ -2270,10 +2275,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` @@ -16032,7 +15405,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2305,12 +2312,12 @@ +@@ -2305,12 +2310,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -16048,7 +15421,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2342,10 +2349,10 @@ +@@ -2342,10 +2347,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -16061,7 +15434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2377,12 +2384,12 @@ +@@ -2377,12 +2382,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -16077,7 +15450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2414,12 +2421,12 @@ +@@ -2414,12 +2419,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -16093,7 +15466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2451,12 +2458,12 @@ +@@ -2451,12 +2456,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -16109,7 +15482,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2501,11 +2508,11 @@ +@@ -2501,11 +2506,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -16123,7 +15496,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2550,11 +2557,11 @@ +@@ -2550,11 +2555,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` @@ -16137,7 +15510,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2594,11 +2601,11 @@ +@@ -2594,11 +2599,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -16151,7 +15524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2628,11 +2635,11 @@ +@@ -2628,11 +2633,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -16165,7 +15538,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2662,11 +2669,11 @@ +@@ -2662,11 +2667,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -16179,7 +15552,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2698,10 +2705,10 @@ +@@ -2698,10 +2703,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` @@ -16192,7 +15565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2733,10 +2740,10 @@ +@@ -2733,10 +2738,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -16205,7 +15578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2766,12 +2773,12 @@ +@@ -2766,12 +2771,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -16221,7 +15594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2803,10 +2810,10 @@ +@@ -2803,10 +2808,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -16234,14 +15607,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2838,10 +2845,48 @@ +@@ -2838,10 +2843,48 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` - type $1_tmp_t; + type user_tmp_t; -+ ') -+ + ') + +- dontaudit $2 $1_tmp_t:file append; + dontaudit $2 user_tmp_t:file append; +') + @@ -16258,9 +15632,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +interface(`userdom_unlink_unpriv_users_tmp_files',` + gen_require(` + attribute user_tmpfile; - ') - -- dontaudit $2 $1_tmp_t:file append; ++ ') ++ + files_delete_tmp_dir_entry($1) + allow $1 user_tmpfile:file unlink; +') @@ -16285,7 +15658,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2871,12 +2916,12 @@ +@@ -2871,12 +2914,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` @@ -16301,7 +15674,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2908,10 +2953,10 @@ +@@ -2908,10 +2951,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -16314,7 +15687,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2943,12 +2988,12 @@ +@@ -2943,12 +2986,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -16330,7 +15703,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2980,11 +3025,11 @@ +@@ -2980,11 +3023,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -16344,7 +15717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3016,11 +3061,11 @@ +@@ -3016,11 +3059,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -16358,7 +15731,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3052,11 +3097,11 @@ +@@ -3052,11 +3095,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -16372,7 +15745,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3088,11 +3133,11 @@ +@@ -3088,11 +3131,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -16386,7 +15759,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3124,11 +3169,11 @@ +@@ -3124,11 +3167,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -16400,7 +15773,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3173,10 +3218,10 @@ +@@ -3173,10 +3216,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` @@ -16413,7 +15786,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($2) ') -@@ -3217,10 +3262,10 @@ +@@ -3217,10 +3260,10 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -16426,7 +15799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4225,11 +4270,11 @@ +@@ -4225,11 +4268,11 @@ # interface(`userdom_search_staff_home_dirs',` gen_require(` @@ -16440,7 +15813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4245,10 +4290,10 @@ +@@ -4245,10 +4288,10 @@ # interface(`userdom_dontaudit_search_staff_home_dirs',` gen_require(` @@ -16453,7 +15826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4264,11 +4309,11 @@ +@@ -4264,11 +4307,11 @@ # interface(`userdom_manage_staff_home_dirs',` gen_require(` @@ -16467,7 +15840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4283,11 +4328,11 @@ +@@ -4283,11 +4326,11 @@ # interface(`userdom_relabelto_staff_home_dirs',` gen_require(` @@ -16481,7 +15854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4303,10 +4348,10 @@ +@@ -4303,10 +4346,10 @@ # interface(`userdom_dontaudit_append_staff_home_content_files',` gen_require(` @@ -16494,7 +15867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4321,13 +4366,13 @@ +@@ -4321,13 +4364,13 @@ # interface(`userdom_read_staff_home_content_files',` gen_require(` @@ -16512,7 +15885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4525,10 +4570,10 @@ +@@ -4525,10 +4568,10 @@ # interface(`userdom_getattr_sysadm_home_dirs',` gen_require(` @@ -16525,7 +15898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4545,10 +4590,10 @@ +@@ -4545,10 +4588,10 @@ # interface(`userdom_dontaudit_getattr_sysadm_home_dirs',` gen_require(` @@ -16538,7 +15911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4563,10 +4608,10 @@ +@@ -4563,10 +4606,10 @@ # interface(`userdom_search_sysadm_home_dirs',` gen_require(` @@ -16551,7 +15924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4582,10 +4627,10 @@ +@@ -4582,10 +4625,10 @@ # interface(`userdom_dontaudit_search_sysadm_home_dirs',` gen_require(` @@ -16564,7 +15937,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4600,10 +4645,10 @@ +@@ -4600,10 +4643,10 @@ # interface(`userdom_list_sysadm_home_dirs',` gen_require(` @@ -16577,7 +15950,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4619,10 +4664,10 @@ +@@ -4619,10 +4662,10 @@ # interface(`userdom_dontaudit_list_sysadm_home_dirs',` gen_require(` @@ -16590,7 +15963,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4638,12 +4683,11 @@ +@@ -4638,12 +4681,11 @@ # interface(`userdom_dontaudit_read_sysadm_home_content_files',` gen_require(` @@ -16606,7 +15979,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4670,10 +4714,10 @@ +@@ -4670,10 +4712,10 @@ # interface(`userdom_sysadm_home_dir_filetrans',` gen_require(` @@ -16619,7 +15992,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4688,10 +4732,10 @@ +@@ -4688,10 +4730,10 @@ # interface(`userdom_search_sysadm_home_content_dirs',` gen_require(` @@ -16632,7 +16005,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4706,13 +4750,13 @@ +@@ -4706,13 +4748,13 @@ # interface(`userdom_read_sysadm_home_content_files',` gen_require(` @@ -16650,7 +16023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4748,11 +4792,29 @@ +@@ -4748,11 +4790,29 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -16681,7 +16054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4772,6 +4834,14 @@ +@@ -4772,6 +4832,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -16696,7 +16069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5109,7 +5179,7 @@ +@@ -5109,7 +5177,7 @@ # interface(`userdom_relabelto_generic_user_home_dirs',` gen_require(` @@ -16705,7 +16078,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_search_home($1) -@@ -5298,6 +5368,28 @@ +@@ -5298,6 +5366,28 @@ ######################################## ##

@@ -16734,7 +16107,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete directories in ## unprivileged users home directories. ## -@@ -5503,6 +5595,24 @@ +@@ -5503,6 +5593,24 @@ ######################################## ## @@ -16759,7 +16132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Read and write unprivileged user ttys. ## ## -@@ -5668,6 +5778,24 @@ +@@ -5668,6 +5776,24 @@ ######################################## ## @@ -16784,7 +16157,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5698,3 +5826,277 @@ +@@ -5698,3 +5824,277 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -17062,9 +16435,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + files_tmp_filetrans($2, user_tmp_t, $3) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.2.1/policy/modules/system/userdomain.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.2.2/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/system/userdomain.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/userdomain.te 2007-12-04 11:11:03.000000000 -0500 @@ -17,20 +17,13 @@ ## @@ -17238,14 +16611,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + netutils_run_traceroute_cond(staff_t,staff_r,{ staff_tty_device_t staff_devpts_t }) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.fc serefpolicy-3.2.1/policy/modules/system/virt.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.fc serefpolicy-3.2.2/policy/modules/system/virt.fc --- nsaserefpolicy/policy/modules/system/virt.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/system/virt.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/virt.fc 2007-12-04 11:11:03.000000000 -0500 @@ -0,0 +1 @@ +/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.if serefpolicy-3.2.1/policy/modules/system/virt.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.if serefpolicy-3.2.2/policy/modules/system/virt.if --- nsaserefpolicy/policy/modules/system/virt.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/system/virt.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/virt.if 2007-12-04 11:11:03.000000000 -0500 @@ -0,0 +1,78 @@ +## Virtualization + @@ -17325,16 +16698,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i + files_list_var_lib($1) + manage_files_pattern($1,virt_var_lib_t,virt_var_lib_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.2.1/policy/modules/system/virt.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.2.2/policy/modules/system/virt.te --- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/system/virt.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/virt.te 2007-12-04 11:11:03.000000000 -0500 @@ -0,0 +1,3 @@ +# var/lib files +type virt_var_lib_t; +files_type(virt_var_lib_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.2.1/policy/modules/system/xen.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.2.2/policy/modules/system/xen.if --- nsaserefpolicy/policy/modules/system/xen.if 2007-06-21 09:32:04.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/system/xen.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/xen.if 2007-12-04 11:11:03.000000000 -0500 @@ -191,3 +191,24 @@ domtrans_pattern($1,xm_exec_t,xm_t) @@ -17360,9 +16733,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if + allow $1 xend_var_lib_t:dir search_dir_perms; + rw_files_pattern($1,xen_image_t,xen_image_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.2.1/policy/modules/system/xen.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.2.2/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2007-10-12 08:56:08.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/system/xen.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/system/xen.te 2007-12-04 11:11:03.000000000 -0500 @@ -6,6 +6,13 @@ # Declarations # @@ -17547,37 +16920,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te + fs_read_nfs_symlinks(xend_t) + fstools_manage_nfs(xend_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.fc serefpolicy-3.2.1/policy/modules/users/guest.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.fc serefpolicy-3.2.2/policy/modules/users/guest.fc --- nsaserefpolicy/policy/modules/users/guest.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/users/guest.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/users/guest.fc 2007-12-04 11:11:03.000000000 -0500 @@ -0,0 +1 @@ +# No guest file contexts. -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.if serefpolicy-3.2.1/policy/modules/users/guest.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.if serefpolicy-3.2.2/policy/modules/users/guest.if --- nsaserefpolicy/policy/modules/users/guest.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/users/guest.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/users/guest.if 2007-12-04 11:11:03.000000000 -0500 @@ -0,0 +1 @@ +## Policy for guest user -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.2.1/policy/modules/users/guest.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.2.2/policy/modules/users/guest.te --- nsaserefpolicy/policy/modules/users/guest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/users/guest.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/users/guest.te 2007-12-04 11:11:03.000000000 -0500 @@ -0,0 +1,4 @@ +policy_module(guest,1.0.1) +userdom_restricted_user_template(guest) +userdom_restricted_user_template(gadmin) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.2.1/policy/modules/users/logadm.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.2.2/policy/modules/users/logadm.fc --- nsaserefpolicy/policy/modules/users/logadm.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/users/logadm.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/users/logadm.fc 2007-12-04 11:11:03.000000000 -0500 @@ -0,0 +1 @@ +# No logadm file contexts. -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.if serefpolicy-3.2.1/policy/modules/users/logadm.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.if serefpolicy-3.2.2/policy/modules/users/logadm.if --- nsaserefpolicy/policy/modules/users/logadm.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/users/logadm.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/users/logadm.if 2007-12-04 11:11:03.000000000 -0500 @@ -0,0 +1 @@ +## Policy for logadm user -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.te serefpolicy-3.2.1/policy/modules/users/logadm.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.te serefpolicy-3.2.2/policy/modules/users/logadm.te --- nsaserefpolicy/policy/modules/users/logadm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/users/logadm.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/users/logadm.te 2007-12-04 11:11:03.000000000 -0500 @@ -0,0 +1,11 @@ +policy_module(logadm,1.0.0) + @@ -17590,24 +16963,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm. +allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; + +logging_admin(logadm_t, logadm_r, { logadm_devpts_t logadm_tty_device_t }) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/metadata.xml serefpolicy-3.2.1/policy/modules/users/metadata.xml +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/metadata.xml serefpolicy-3.2.2/policy/modules/users/metadata.xml --- nsaserefpolicy/policy/modules/users/metadata.xml 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/users/metadata.xml 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/users/metadata.xml 2007-12-04 11:11:03.000000000 -0500 @@ -0,0 +1 @@ +Policy modules for users -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.fc serefpolicy-3.2.1/policy/modules/users/webadm.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.fc serefpolicy-3.2.2/policy/modules/users/webadm.fc --- nsaserefpolicy/policy/modules/users/webadm.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/users/webadm.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/users/webadm.fc 2007-12-04 11:11:03.000000000 -0500 @@ -0,0 +1 @@ +# No webadm file contexts. -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.if serefpolicy-3.2.1/policy/modules/users/webadm.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.if serefpolicy-3.2.2/policy/modules/users/webadm.if --- nsaserefpolicy/policy/modules/users/webadm.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/users/webadm.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/users/webadm.if 2007-12-04 11:11:03.000000000 -0500 @@ -0,0 +1 @@ +## Policy for webadm user -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.2.1/policy/modules/users/webadm.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.2.2/policy/modules/users/webadm.te --- nsaserefpolicy/policy/modules/users/webadm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/users/webadm.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/users/webadm.te 2007-12-04 11:11:03.000000000 -0500 @@ -0,0 +1,42 @@ +policy_module(webadm,1.0.0) + @@ -17651,19 +17024,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm. +') +allow gadmin_t webadm_t:process transition; +allow webadm_t gadmin_t:dir getattr; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.fc serefpolicy-3.2.1/policy/modules/users/xguest.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.fc serefpolicy-3.2.2/policy/modules/users/xguest.fc --- nsaserefpolicy/policy/modules/users/xguest.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/users/xguest.fc 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/users/xguest.fc 2007-12-04 11:11:03.000000000 -0500 @@ -0,0 +1 @@ +# No xguest file contexts. -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.if serefpolicy-3.2.1/policy/modules/users/xguest.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.if serefpolicy-3.2.2/policy/modules/users/xguest.if --- nsaserefpolicy/policy/modules/users/xguest.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/users/xguest.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/users/xguest.if 2007-12-04 11:11:03.000000000 -0500 @@ -0,0 +1 @@ +## Policy for xguest user -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.te serefpolicy-3.2.1/policy/modules/users/xguest.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.te serefpolicy-3.2.2/policy/modules/users/xguest.te --- nsaserefpolicy/policy/modules/users/xguest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/users/xguest.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/modules/users/xguest.te 2007-12-04 11:11:03.000000000 -0500 @@ -0,0 +1,55 @@ +policy_module(xguest,1.0.1) + @@ -17720,9 +17093,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest. + bluetooth_dbus_chat(xguest_t) + ') +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.2.1/policy/support/obj_perm_sets.spt +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.2.2/policy/support/obj_perm_sets.spt --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.1/policy/support/obj_perm_sets.spt 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/support/obj_perm_sets.spt 2007-12-04 11:11:03.000000000 -0500 @@ -204,7 +204,7 @@ define(`getattr_file_perms',`{ getattr }') define(`setattr_file_perms',`{ setattr }') @@ -17746,9 +17119,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ') + +define(`manage_key_perms', `{ create link read search setattr view write } ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.2.1/policy/users +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.2.2/policy/users --- nsaserefpolicy/policy/users 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.1/policy/users 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/policy/users 2007-12-04 11:11:03.000000000 -0500 @@ -16,7 +16,7 @@ # and a user process should never be assigned the system user # identity. @@ -17783,9 +17156,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.2 - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) -') +gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.2.1/Rules.monolithic +diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.2.2/Rules.monolithic --- nsaserefpolicy/Rules.monolithic 2007-11-20 06:55:20.000000000 -0500 -+++ serefpolicy-3.2.1/Rules.monolithic 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.2/Rules.monolithic 2007-12-04 11:11:03.000000000 -0500 @@ -96,7 +96,7 @@ # # Load the binary policy diff --git a/selinux-policy.spec b/selinux-policy.spec index 49c7b42..0396173 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -16,8 +16,8 @@ %define CHECKPOLICYVER 2.0.3-1 Summary: SELinux policy configuration Name: selinux-policy -Version: 3.2.1 -Release: 3%{?dist} +Version: 3.2.2 +Release: 1%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -167,7 +167,7 @@ fi; %description SELinux Reference Policy - modular. -Based off of reference policy: Checked out revision 2530. +Based off of reference policy: Checked out revision 2541. %build @@ -379,6 +379,10 @@ exit 0 %endif %changelog +* Tue Dec 4 2007 Dan Walsh 3.2.2-1 +- Update to upstreamddddddddddddd +- Allow httpd_sys_script_t to search users homedirs + * Mon Dec 3 2007 Dan Walsh 3.2.1-3 - Allow rpm_script to transition to unconfined_execmem_t @@ -388,7 +392,7 @@ exit 0 * Wed Nov 28 2007 Dan Walsh 3.1.2-2 - Remove user specific crond_t -* Mon Nov 19 2007 Dan Walsh 3.1.2-1 +* Mon Nov 19 2007 Dan Walsh 3.1.2-1 - Merge with upstream - Allow xsever to read hwdata_t - Allow login programs to setkeycreate