diff --git a/policy-F16.patch b/policy-F16.patch index 1eb543f..57b4a25 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -511,7 +511,7 @@ index 7a6f06f..e117271 100644 /usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0) diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if -index 63eb96b..17a9f6d 100644 +index 63eb96b..98307a8 100644 --- a/policy/modules/admin/bootloader.if +++ b/policy/modules/admin/bootloader.if @@ -19,6 +19,24 @@ interface(`bootloader_domtrans',` @@ -539,6 +539,29 @@ index 63eb96b..17a9f6d 100644 ######################################## ## ## Execute bootloader interactively and do +@@ -128,3 +146,22 @@ interface(`bootloader_create_runtime_file',` + allow $1 boot_runtime_t:file { create_file_perms rw_file_perms }; + files_boot_filetrans($1, boot_runtime_t, file) + ') ++ ++######################################## ++## ++## Type transition files created in /etc ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`bootloader_filetrans_config',` ++ gen_require(` ++ type bootloader_etc_t; ++ ') ++ ++ files_etc_filetrans($1,bootloader_etc_t,file, "lilo.conf") ++ files_etc_filetrans($1,bootloader_etc_t,file, "yaboot.conf") ++') diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index d3da8f2..9e5a1d0 100644 --- a/policy/modules/admin/bootloader.te @@ -1861,10 +1884,10 @@ index 0000000..bd83148 +## No Interfaces diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te new file mode 100644 -index 0000000..a6beb8f +index 0000000..f0dbe88 --- /dev/null +++ b/policy/modules/admin/permissivedomains.te -@@ -0,0 +1,268 @@ +@@ -0,0 +1,276 @@ +policy_module(permissivedomains,16) + +optional_policy(` @@ -1876,6 +1899,14 @@ index 0000000..a6beb8f +') + +optional_policy(` ++ gen_require(` ++ type pptp_t; ++ ') ++ ++ permissive pptp_t; ++') ++ ++optional_policy(` + gen_require(` + type bootloader_t; + ') 
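Review bot: The summary of the new bootloader_filetrans_config interface in bootloader.if ("Type transition files created in /etc") does not say which files are affected, although the body only names `lilo.conf` and `yaboot.conf`. I would spell that out, e.g. `## Create lilo.conf and yaboot.conf in /etc with the bootloader_etc_t type.`, so callers do not assume that every file they create in /etc is covered. The argument spacing in the two calls is also uneven; `files_etc_filetrans($1, bootloader_etc_t, file, "lilo.conf")` would match the `files_boot_filetrans($1, boot_runtime_t, file)` call shown just above.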
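Review bot: The new `permissive pptp_t;` block in permissivedomains.te has no comment saying why the domain is permissive or when it is meant to become enforcing. While a type is permissive its denials are logged but not enforced, so the pptp_t rules provide no confinement until this entry is removed. A line above the block such as `# pptp_t: new domain, permissive until its AVC denials have been reviewed` would make the intent explicit and the entry easier to track.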
@@ -2218,7 +2249,7 @@ index 93ec175..0e42018 100644 ') ') diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te -index af55369..e83b341 100644 +index af55369..ec838bd 100644 --- a/policy/modules/admin/prelink.te +++ b/policy/modules/admin/prelink.te @@ -36,7 +36,7 @@ files_type(prelink_var_lib_t) @@ -2260,7 +2291,7 @@ index af55369..e83b341 100644 selinux_get_enforce_mode(prelink_t) libs_exec_ld_so(prelink_t) -@@ -98,7 +102,14 @@ libs_delete_lib_symlinks(prelink_t) +@@ -98,7 +102,15 @@ libs_delete_lib_symlinks(prelink_t) miscfiles_read_localization(prelink_t) @@ -2269,6 +2300,7 @@ index af55369..e83b341 100644 +userdom_manage_user_home_content(prelink_t) +userdom_relabel_user_home_files(prelink_t) +userdom_execmod_user_home_files(prelink_t) ++userdom_exec_user_home_content_files(prelink_t) + +systemd_read_unit_files(prelink_t) + @@ -2276,7 +2308,7 @@ index af55369..e83b341 100644 optional_policy(` amanda_manage_lib(prelink_t) -@@ -109,6 +120,15 @@ optional_policy(` +@@ -109,6 +121,15 @@ optional_policy(` ') optional_policy(` @@ -2292,7 +2324,7 @@ index af55369..e83b341 100644 rpm_manage_tmp_files(prelink_t) ') -@@ -129,6 +149,7 @@ optional_policy(` +@@ -129,6 +150,7 @@ optional_policy(` read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t) allow prelink_cron_system_t prelink_cache_t:file unlink; @@ -2300,7 +2332,7 @@ index af55369..e83b341 100644 domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t) allow prelink_cron_system_t prelink_t:process noatsecure; -@@ -148,17 +169,28 @@ optional_policy(` +@@ -148,17 +170,29 @@ optional_policy(` files_read_etc_files(prelink_cron_system_t) files_search_var_lib(prelink_cron_system_t) @@ -2329,6 +2361,7 @@ index af55369..e83b341 100644 + optional_policy(` + dbus_read_config(prelink_t) + ') ++ miscfiles_read_man_pages(prelink_t) +') diff --git a/policy/modules/admin/quota.if b/policy/modules/admin/quota.if index bf75d99..1698e8f 100644 
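Review bot: `userdom_exec_user_home_content_files(prelink_t)` in the user-home block of prelink.te lets prelink_t execute files from user home directories, on top of the manage, relabel and execmod access on the lines before it. Judging by the interface name, the file runs in prelink_t itself rather than in a transitioned domain, and this file also shows prelink_t being entered from prelink_cron_system_t, so user-writable content could end up running with prelink's access. If this was added to quiet a single denial, a dontaudit may be enough. Otherwise please record the reason next to the line, e.g. `# exec of user home content needed for <observed case>; see <bug reference>`.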
@@ -4624,10 +4657,10 @@ index cd70958..e8c94b1 100644 -') diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc new file mode 100644 -index 0000000..6f3570a +index 0000000..5e09952 --- /dev/null +++ b/policy/modules/apps/execmem.fc -@@ -0,0 +1,48 @@ +@@ -0,0 +1,49 @@ + +/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0) @@ -4663,6 +4696,7 @@ index 0000000..6f3570a + +/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) + ++/usr/lib/gimp/[^/]+/plug-ins/help-browser -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/lib/wingide-[^/]+/bin/PyCore/python -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/lib/thunderbird-[^/]+/thunderbird-bin -- gen_context(system_u:object_r:execmem_exec_t,s0) + @@ -7504,7 +7538,7 @@ index 93ac529..35b51ab 100644 +/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if -index fbb5c5a..83fc139 100644 +index fbb5c5a..6c95832 100644 --- a/policy/modules/apps/mozilla.if +++ b/policy/modules/apps/mozilla.if @@ -29,6 +29,8 @@ interface(`mozilla_role',` @@ -7550,7 +7584,7 @@ index fbb5c5a..83fc139 100644 + allow $1 mozilla_plugin_t:fd use; + + allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms; -+ allow mozilla_plugin_t $1:shm rw_shm_perms; ++ allow mozilla_plugin_t $1:shm { rw_shm_perms destroy }; + allow mozilla_plugin_t $1:sem create_sem_perms; + + ps_process_pattern($1, mozilla_plugin_t) @@ -7650,7 +7684,7 @@ index fbb5c5a..83fc139 100644 + dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write }; ') diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index 2e9318b..d1b1280 100644 +index 2e9318b..8768af4 100644 
--- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t) @@ -7720,10 +7754,12 @@ index 2e9318b..d1b1280 100644 ') optional_policy(` -@@ -297,15 +306,18 @@ optional_policy(` +@@ -296,16 +305,19 @@ optional_policy(` + # mozilla_plugin local policy # - dontaudit mozilla_plugin_t self:capability { sys_ptrace }; +-dontaudit mozilla_plugin_t self:capability { sys_ptrace }; ++dontaudit mozilla_plugin_t self:capability { sys_ptrace sys_nice }; + allow mozilla_plugin_t self:process { setsched signal_perms execmem }; -allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms; @@ -8559,10 +8595,10 @@ index 0000000..1925bd9 +') diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te new file mode 100644 -index 0000000..008fbe3 +index 0000000..f0773b4 --- /dev/null +++ b/policy/modules/apps/nsplugin.te -@@ -0,0 +1,340 @@ +@@ -0,0 +1,335 @@ +policy_module(nsplugin, 1.0.0) + +######################################## @@ -8773,11 +8809,6 @@ index 0000000..008fbe3 +') + +optional_policy(` -+ pulseaudio_filetrans_admin_home_content(nsplugin_t) -+ pulseaudio_filetrans_home_content(nsplugin_t) -+') -+ -+optional_policy(` + unconfined_execmem_signull(nsplugin_t) +') + @@ -9080,7 +9111,7 @@ index 84f23dc..af5b87d 100644 /var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if -index f40c64d..9a5e99c 100644 +index f40c64d..a08cb82 100644 --- a/policy/modules/apps/pulseaudio.if +++ b/policy/modules/apps/pulseaudio.if @@ -35,6 +35,10 @@ interface(`pulseaudio_role',` 
@@ -9094,10 +9125,13 @@ index f40c64d..9a5e99c 100644 allow $2 pulseaudio_t:dbus send_msg; allow pulseaudio_t $2:dbus { acquire_svc send_msg }; ') -@@ -258,3 +262,63 @@ interface(`pulseaudio_manage_home_files',` +@@ -257,4 +261,66 @@ interface(`pulseaudio_manage_home_files',` + userdom_search_user_home_dirs($1) manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) - ') ++ pulseaudio_filetrans_home_content($1) ++ pulseaudio_filetrans_admin_home_content($1) ++') + +######################################## +## @@ -9157,7 +9191,7 @@ index f40c64d..9a5e99c 100644 + + userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse") + userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie") -+') + ') diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te index d1eace5..8522ab4 100644 --- a/policy/modules/apps/pulseaudio.te @@ -9419,7 +9453,7 @@ index 268d691..da3a26d 100644 + domain_entry_file($1, qemu_exec_t) +') diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te -index 1813e16..83f68f0 100644 +index 1813e16..50a3a34 100644 --- a/policy/modules/apps/qemu.te +++ b/policy/modules/apps/qemu.te @@ -55,6 +55,7 @@ storage_raw_read_removable_device(qemu_t) @@ -9430,7 +9464,7 @@ index 1813e16..83f68f0 100644 tunable_policy(`qemu_full_network',` allow qemu_t self:udp_socket create_socket_perms; -@@ -99,6 +100,18 @@ optional_policy(` +@@ -99,6 +100,13 @@ optional_policy(` ') optional_policy(` @@ -9440,16 +9474,11 @@ index 1813e16..83f68f0 100644 +') + +optional_policy(` -+ pulseaudio_manage_home_files(qemu_t) -+ pulseaudio_stream_connect(qemu_t) -+') -+ -+optional_policy(` + virt_manage_home_files(qemu_t) virt_manage_images(qemu_t) virt_append_log(qemu_t) ') -@@ -111,18 +124,3 @@ optional_policy(` +@@ -111,18 +119,3 @@ optional_policy(` xserver_read_xdm_pid(qemu_t) xserver_stream_connect(qemu_t) ') 
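Review bot: pulseaudio_manage_home_files now calls `pulseaudio_filetrans_home_content($1)` and `pulseaudio_filetrans_admin_home_content($1)`, so every caller of a "manage" interface silently gains type-transition rules as well, presumably including the `.pulse` and `.pulse-cookie` transitions in the admin home directory shown further down this file. The interface's doc block lies outside this hunk, but its summary should mention the transitions, e.g. `## Manage pulseaudio home files and create them with the pulseaudio_home_t type.`. Callers that only need file access may be better served by keeping the filetrans calls separate, as unconfineduser.te does in this same patch.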
@@ -11299,10 +11328,10 @@ index 0000000..b78aa77 + diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te new file mode 100644 -index 0000000..cc502a0 +index 0000000..b4001f1 --- /dev/null +++ b/policy/modules/apps/thumb.te -@@ -0,0 +1,73 @@ +@@ -0,0 +1,76 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -11349,6 +11378,8 @@ index 0000000..cc502a0 +files_read_etc_files(thumb_t) +files_read_usr_files(thumb_t) + ++auth_use_nsswitch(thumb_t) ++ +miscfiles_read_fonts(thumb_t) +miscfiles_read_localization(thumb_t) + @@ -11357,6 +11388,7 @@ index 0000000..cc502a0 +userdom_read_user_tmp_files(thumb_t) +userdom_read_user_home_content_files(thumb_t) +userdom_write_user_tmp_files(thumb_t) ++userdom_read_home_audio_files(thumb_t) + +userdom_use_inherited_user_ptys(thumb_t) + @@ -11945,7 +11977,7 @@ index 223ad43..d95e720 100644 rsync_exec(yam_t) ') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 3fae11a..d653b7f 100644 +index 3fae11a..7bcafea 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -97,8 +97,6 @@ ifdef(`distro_redhat',` @@ -11978,7 +12010,15 @@ index 3fae11a..d653b7f 100644 /lib/rcscripts/addons(/.*)? gen_context(system_u:object_r:bin_t,s0) /lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -179,6 +174,8 @@ ifdef(`distro_gentoo',` +@@ -168,6 +163,7 @@ ifdef(`distro_gentoo',` + /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) + + /opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/opt/google/chrome(/.*)? gen_context(system_u:object_r:bin_t,s0) + + /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) + +@@ -179,6 +175,8 @@ ifdef(`distro_gentoo',` /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') 
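Review bot: `auth_use_nsswitch(thumb_t)` in thumb.te widens a domain whose job is to parse files from user home and tmp directories, as the `userdom_read_user_home_content_files` and `userdom_read_user_tmp_files` lines nearby show. As far as I know this interface grants more than passwd lookups, since name-service back ends can bring in network access that a thumbnailer handling untrusted files should not need. If the denial was only a uid-to-name lookup, a narrower grant or a dontaudit would keep thumb_t tighter. Otherwise a comment such as `# nsswitch needed for <observed lookup>` would record why the broader interface was chosen.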
@@ -11987,7 +12027,7 @@ index 3fae11a..d653b7f 100644 # # /usr # -@@ -198,48 +195,51 @@ ifdef(`distro_gentoo',` +@@ -198,48 +196,51 @@ ifdef(`distro_gentoo',` /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/wicd/monitor\.py -- gen_context(system_u:object_r:bin_t, s0) @@ -12081,7 +12121,7 @@ index 3fae11a..d653b7f 100644 /usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -247,9 +247,13 @@ ifdef(`distro_gentoo',` +@@ -247,9 +248,13 @@ ifdef(`distro_gentoo',` /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) @@ -12096,7 +12136,7 @@ index 3fae11a..d653b7f 100644 /usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -267,6 +271,10 @@ ifdef(`distro_gentoo',` +@@ -267,6 +272,10 @@ ifdef(`distro_gentoo',` /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) @@ -12107,7 +12147,7 @@ index 3fae11a..d653b7f 100644 /usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0) -@@ -286,6 +294,7 @@ ifdef(`distro_gentoo',` +@@ -286,6 +295,7 @@ ifdef(`distro_gentoo',` /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) 
@@ -12115,7 +12155,7 @@ index 3fae11a..d653b7f 100644 /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -293,8 +302,10 @@ ifdef(`distro_gentoo',` +@@ -293,8 +303,10 @@ ifdef(`distro_gentoo',` /usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0) /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -12127,7 +12167,7 @@ index 3fae11a..d653b7f 100644 ifdef(`distro_gentoo', ` /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -306,10 +317,11 @@ ifdef(`distro_redhat', ` +@@ -306,10 +318,11 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) @@ -12141,7 +12181,7 @@ index 3fae11a..d653b7f 100644 /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -319,9 +331,11 @@ ifdef(`distro_redhat', ` +@@ -319,9 +332,11 @@ ifdef(`distro_redhat', ` /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0) 
@@ -12153,7 +12193,7 @@ index 3fae11a..d653b7f 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -363,7 +377,7 @@ ifdef(`distro_redhat', ` +@@ -363,7 +378,7 @@ ifdef(`distro_redhat', ` ifdef(`distro_suse', ` /usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0) @@ -12162,7 +12202,7 @@ index 3fae11a..d653b7f 100644 /usr/share/apache2/[^/]* -- gen_context(system_u:object_r:bin_t,s0) ') -@@ -375,8 +389,9 @@ ifdef(`distro_suse', ` +@@ -375,8 +390,9 @@ ifdef(`distro_suse', ` /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -12173,13 +12213,13 @@ index 3fae11a..d653b7f 100644 /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -385,3 +400,4 @@ ifdef(`distro_suse', ` +@@ -385,3 +401,4 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') +/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if -index 9e9263a..59c2125 100644 +index 9e9263a..650e796 100644 --- a/policy/modules/kernel/corecommands.if +++ b/policy/modules/kernel/corecommands.if @@ -203,7 +203,7 @@ interface(`corecmd_getattr_bin_files',` 
@@ -12216,7 +12256,32 @@ index 9e9263a..59c2125 100644 ## Read symbolic links in bin directories. ## ## -@@ -1049,6 +1067,7 @@ interface(`corecmd_manage_all_executables',` +@@ -954,6 +972,24 @@ interface(`corecmd_exec_chroot',` + + ######################################## + ## ++## Do not audit attempts to access check executable files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`corecmd_dontaudit_access_all_executables',` ++ gen_require(` ++ attribute exec_type; ++ ') ++ ++ dontaudit $1 exec_type:file audit_access; ++') ++ ++######################################## ++## + ## Get the attributes of all executable files. + ## + ## +@@ -1049,6 +1085,7 @@ interface(`corecmd_manage_all_executables',` type bin_t; ') @@ -13386,7 +13451,7 @@ index 4f3b542..cf422f4 100644 corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 99b71cb..17d942f 100644 +index 99b71cb..740d4b1 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -11,11 +11,15 @@ attribute netif_type; @@ -13553,7 +13618,7 @@ index 99b71cb..17d942f 100644 network_port(mpd, tcp,6600,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) -@@ -152,16 +199,25 @@ network_port(mysqlmanagerd, tcp,2273,s0) +@@ -152,21 +199,31 @@ network_port(mysqlmanagerd, tcp,2273,s0) network_port(nessus, tcp,1241,s0) network_port(netport, tcp,3129,s0, udp,3129,s0) network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) 
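Review bot: The summary of the new corecmd_dontaudit_access_all_executables interface, "Do not audit attempts to access check executable files.", is hard to parse. The rule is `dontaudit $1 exec_type:file audit_access;`, so wording such as `## Do not audit access(2)-style permission checks on all executable files.` states what is actually suppressed. The doc block should also say that the rule covers every type carrying the `exec_type` attribute, not only bin_t.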
@@ -13580,7 +13645,13 @@ index 99b71cb..17d942f 100644 network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postfix_policyd, tcp,10031,s0) -@@ -179,30 +235,35 @@ network_port(radacct, udp,1646,s0, udp,1813,s0) + network_port(postgresql, tcp,5432,s0) + network_port(postgrey, tcp,60000,s0) ++network_port(pptp, tcp, 1723,s0, udp, 1723, s0) + network_port(prelude, tcp,4690,s0, udp,4690,s0) + network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) + network_port(printer, tcp,515,s0) +@@ -179,30 +236,35 @@ network_port(radacct, udp,1646,s0, udp,1813,s0) network_port(radius, udp,1645,s0, udp,1812,s0) network_port(radsec, tcp,2083,s0) network_port(razor, tcp,2703,s0) @@ -13620,7 +13691,7 @@ index 99b71cb..17d942f 100644 network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) -@@ -215,7 +276,7 @@ network_port(uucpd, tcp,540,s0) +@@ -215,7 +277,7 @@ network_port(uucpd, tcp,540,s0) network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -13629,7 +13700,7 @@ index 99b71cb..17d942f 100644 network_port(wccp, udp,2048,s0) network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 ) network_port(xdmcp, udp,177,s0, tcp,177,s0) -@@ -229,6 +290,7 @@ network_port(zookeeper_client, tcp,2181,s0) +@@ -229,6 +291,7 @@ network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0) 
@@ -13637,7 +13708,7 @@ index 99b71cb..17d942f 100644 network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; -@@ -238,6 +300,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) +@@ -238,6 +301,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) @@ -13650,7 +13721,7 @@ index 99b71cb..17d942f 100644 ######################################## # -@@ -282,9 +350,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -282,9 +351,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -13714,10 +13785,16 @@ index 35fed4f..51ad69a 100644 # diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index 6cf8784..935a96c 100644 +index 6cf8784..12bd6fc 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc -@@ -20,6 +20,7 @@ +@@ -15,11 +15,13 @@ + /dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0) ++/dev/bsr.* -c gen_context(system_u:object_r:cpu_device_t,s0) + /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/btrfs-control -c gen_context(system_u:object_r:lvm_control_t,s0) /dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/crash -c gen_context(system_u:object_r:crash_device_t,mls_systemhigh) /dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0) 
@@ -13725,7 +13802,7 @@ index 6cf8784..935a96c 100644 /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0) /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) -@@ -57,8 +58,10 @@ +@@ -57,8 +59,10 @@ /dev/lirc[0-9]+ -c gen_context(system_u:object_r:lirc_device_t,s0) /dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0) @@ -13736,7 +13813,7 @@ index 6cf8784..935a96c 100644 /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -126,6 +129,7 @@ ifdef(`distro_suse', ` +@@ -126,6 +130,7 @@ ifdef(`distro_suse', ` /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/watchdog -c gen_context(system_u:object_r:watchdog_device_t,s0) @@ -13744,7 +13821,7 @@ index 6cf8784..935a96c 100644 /dev/winradio. -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/z90crypt -c gen_context(system_u:object_r:crypt_device_t,s0) /dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) -@@ -187,8 +191,6 @@ ifdef(`distro_suse', ` +@@ -187,8 +192,6 @@ ifdef(`distro_suse', ` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -13753,7 +13830,7 @@ index 6cf8784..935a96c 100644 ifdef(`distro_redhat',` # originally from named.fc /var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0) -@@ -196,3 +198,8 @@ ifdef(`distro_redhat',` +@@ -196,3 +199,8 @@ ifdef(`distro_redhat',` /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) ') 
@@ -15285,7 +15362,7 @@ index 6a1e4d1..3ded83e 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index fae1ab1..db2a183 100644 +index fae1ab1..02cf550 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1) @@ -15378,7 +15455,7 @@ index fae1ab1..db2a183 100644 # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; -@@ -160,3 +197,118 @@ allow unconfined_domain_type domain:key *; +@@ -160,3 +197,120 @@ allow unconfined_domain_type domain:key *; # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) @@ -15497,6 +15574,8 @@ index fae1ab1..db2a183 100644 +optional_policy(` + seutil_dontaudit_read_config(domain) +') ++ ++dontaudit domain domain:process { noatsecure siginh rlimitinh } ; diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc index c19518a..12e8e9c 100644 --- a/policy/modules/kernel/files.fc @@ -21628,10 +21707,10 @@ index 0000000..8b2cdf3 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..e1113e0 +index 0000000..49f2c54 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,503 @@ +@@ -0,0 +1,504 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -21878,7 +21957,7 @@ index 0000000..e1113e0 +') + +optional_policy(` -+ bootloader_run(unconfined_t, unconfined_r) ++ bootloader_filetrans_config(unconfined_t) +') + +optional_policy(` @@ -22035,6 +22114,7 @@ index 0000000..e1113e0 + +optional_policy(` + pulseaudio_filetrans_admin_home_content(unconfined_usertype) ++ pulseaudio_filetrans_home_content(unconfined_usertype) +') + +optional_policy(` 
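Review bot: `dontaudit domain domain:process { noatsecure siginh rlimitinh } ;` at the end of domain.te suppresses these three denials for every pair of domains, with no comment explaining why. The denials are the safe outcome (secure-exec mode stays on, and signal state and resource limits are not inherited), but hiding them policy-wide removes the only log hint when a transition misbehaves because of them. Please add a comment such as `# Expected on most domain transitions; suppressed to keep the audit log readable.` and drop the stray space before the semicolon.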
@@ -22723,7 +22803,7 @@ index 0b827c5..bfb68b2 100644 + dontaudit $1 abrt_t:sock_file write; +') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te -index 30861ec..bd5ff95 100644 +index 30861ec..b11c27f 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0) @@ -22982,7 +23062,7 @@ index 30861ec..bd5ff95 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -224,4 +315,126 @@ ifdef(`hide_broken_symptoms', ` +@@ -224,4 +315,128 @@ ifdef(`hide_broken_symptoms', ` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -22990,7 +23070,7 @@ index 30861ec..bd5ff95 100644 + optional_policy(` + rpm_dontaudit_leaks(abrt_helper_t) + ') -+') + ') + +ifdef(`hide_broken_symptoms',` + gen_require(` @@ -23068,7 +23148,7 @@ index 30861ec..bd5ff95 100644 + +optional_policy(` + mock_domtrans(abrt_retrace_worker_t) - ') ++') + +######################################## +# @@ -23088,6 +23168,8 @@ index 30861ec..bd5ff95 100644 +read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) +read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) + ++allow abrt_dump_oops_t abrt_etc_t:file read_file_perms; ++ +kernel_read_kernel_sysctls(abrt_dump_oops_t) +kernel_read_ring_buffer(abrt_dump_oops_t) + @@ -29665,10 +29747,18 @@ index 5220c9d..a2e6830 100644 ## ## Allow the specified domain to read corosync's log files. diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te -index 04969e5..0e76440 100644 +index 04969e5..b55d7bf 100644 --- a/policy/modules/services/corosync.te 
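Review bot: The added `allow abrt_dump_oops_t abrt_etc_t:file read_file_perms;` in the abrt_dump_oops section of abrt.te grants file read only, with no search permission on abrt_etc_t directories, while the lines just above use read_files_pattern for abrt_var_run_t. If the configuration files sit in a directory labeled abrt_etc_t, the read could still be denied at the directory. `read_files_pattern(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t)` would cover both and match the surrounding style. The section starts and ends outside this hunk, so directory search may already be granted elsewhere.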
+++ b/policy/modules/services/corosync.te -@@ -32,8 +32,8 @@ files_pid_file(corosync_var_run_t) +@@ -8,6 +8,7 @@ policy_module(corosync, 1.0.0) + type corosync_t; + type corosync_exec_t; + init_daemon_domain(corosync_t, corosync_exec_t) ++domain_obj_id_change_exemption(corosync_t) + + type corosync_initrc_exec_t; + init_script_file(corosync_initrc_exec_t) +@@ -32,8 +33,8 @@ files_pid_file(corosync_var_run_t) # corosync local policy # @@ -29679,7 +29769,7 @@ index 04969e5..0e76440 100644 allow corosync_t self:fifo_file rw_fifo_file_perms; allow corosync_t self:sem create_sem_perms; -@@ -41,9 +41,12 @@ allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto +@@ -41,9 +42,12 @@ allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto allow corosync_t self:unix_dgram_socket create_socket_perms; allow corosync_t self:udp_socket create_socket_perms; @@ -29692,7 +29782,7 @@ index 04969e5..0e76440 100644 manage_dirs_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t) manage_files_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t) -@@ -63,8 +66,11 @@ manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t) +@@ -63,8 +67,11 @@ manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t) files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file }) kernel_read_system_state(corosync_t) @@ -29704,7 +29794,7 @@ index 04969e5..0e76440 100644 corenet_udp_bind_netsupport_port(corosync_t) -@@ -73,6 +79,7 @@ dev_read_urand(corosync_t) +@@ -73,6 +80,7 @@ dev_read_urand(corosync_t) domain_read_all_domains_state(corosync_t) files_manage_mounttab(corosync_t) @@ -29712,7 +29802,7 @@ index 04969e5..0e76440 100644 auth_use_nsswitch(corosync_t) -@@ -83,19 +90,44 @@ logging_send_syslog_msg(corosync_t) +@@ -83,19 +91,44 @@ logging_send_syslog_msg(corosync_t) miscfiles_read_localization(corosync_t) @@ -33818,10 +33908,10 @@ index 0000000..6fd8e9f +') 
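Review bot: `domain_obj_id_change_exemption(corosync_t)` is added beside the type declarations in corosync.te without a comment, and it is a broad grant. As I understand the interface, it exempts the domain from the constraint that stops a process changing the SELinux user portion of an object's context. Please record which operation needs it, e.g. `# corosync changes the SELinux user on <object>; TODO confirm and narrow`, so the exemption can be dropped once that need goes away. If the trigger was a single denial on one object class, a narrower rule would be preferable to a domain-wide exemption.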
diff --git a/policy/modules/services/dirsrv.te b/policy/modules/services/dirsrv.te new file mode 100644 -index 0000000..43c82e7 +index 0000000..a5afe38 --- /dev/null +++ b/policy/modules/services/dirsrv.te -@@ -0,0 +1,185 @@ +@@ -0,0 +1,187 @@ +policy_module(dirsrv,1.0.0) + +######################################## @@ -33938,6 +34028,8 @@ index 0000000..43c82e7 + +fs_getattr_all_fs(dirsrv_t) + ++auth_use_pam(dirsrv_t) ++ +logging_send_syslog_msg(dirsrv_t) + +miscfiles_read_localization(dirsrv_t) @@ -37541,10 +37633,10 @@ index 0000000..3b1870a + diff --git a/policy/modules/services/glance.te b/policy/modules/services/glance.te new file mode 100644 -index 0000000..3d67b98 +index 0000000..45b7469 --- /dev/null +++ b/policy/modules/services/glance.te -@@ -0,0 +1,131 @@ +@@ -0,0 +1,104 @@ +policy_module(glance, 1.0.0) + +######################################## @@ -37552,7 +37644,9 @@ index 0000000..3d67b98 +# Declarations +# + -+type glance_registry_t; ++attribute glance_domain; ++ ++type glance_registry_t, glance_domain; +type glance_registry_exec_t; +init_daemon_domain(glance_registry_t, glance_registry_exec_t) + @@ -37562,7 +37656,7 @@ index 0000000..3d67b98 +type glance_registry_tmp_t; +files_tmp_file(glance_registry_tmp_t) + -+type glance_api_t; ++type glance_api_t, glance_domain; +type glance_api_exec_t; +init_daemon_domain(glance_api_t, glance_api_exec_t) + 
@@ -37581,78 +37675,62 @@ index 0000000..3d67b98 +type glance_var_run_t; +files_pid_file(glance_var_run_t) + -+######################################## ++####################################### +# -+# glance-registry local policy ++# glance general domain local policy +# + -+allow glance_registry_t self:fifo_file rw_fifo_file_perms; -+allow glance_registry_t self:unix_stream_socket create_stream_socket_perms; -+allow glance_registry_t self:tcp_socket create_stream_socket_perms; ++allow glance_domain self:fifo_file rw_fifo_file_perms; ++allow glance_domain self:unix_stream_socket create_stream_socket_perms; ++allow glance_domain self:tcp_socket create_stream_socket_perms; + -+manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t) -+manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t) -+files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { file dir }) ++manage_dirs_pattern(glance_domain, glance_log_t, glance_log_t) ++manage_files_pattern(glance_domain, glance_log_t, glance_log_t) + -+manage_dirs_pattern(glance_registry_t, glance_log_t, glance_log_t) -+manage_files_pattern(glance_registry_t, glance_log_t, glance_log_t) -+logging_log_filetrans(glance_registry_t, glance_log_t, { dir file }) ++manage_dirs_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) ++manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) + -+manage_dirs_pattern(glance_registry_t, glance_var_lib_t, glance_var_lib_t) -+manage_files_pattern(glance_registry_t, glance_var_lib_t, glance_var_lib_t) -+files_var_lib_filetrans(glance_registry_t, glance_var_lib_t, { dir file }) ++manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t) ++manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t) + -+manage_dirs_pattern(glance_registry_t, glance_var_run_t, glance_var_run_t) -+manage_files_pattern(glance_registry_t, glance_var_run_t, glance_var_run_t) 
-+files_pid_filetrans(glance_registry_t, glance_var_run_t, { dir file }) ++kernel_read_system_state(glance_domain) + -+kernel_read_system_state(glance_registry_t) ++corecmd_exec_bin(glance_domain) + -+corecmd_exec_bin(glance_registry_t) ++dev_read_urand(glance_domain) + -+corenet_tcp_bind_generic_node(glance_registry_t) -+corenet_tcp_bind_glance_registry_port(glance_registry_t) ++files_read_etc_files(glance_domain) ++files_read_usr_files(glance_domain) ++ ++miscfiles_read_localization(glance_domain) + -+dev_read_urand(glance_registry_t) ++optional_policy(` ++ sysnet_dns_name_resolve(glance_domain) ++') + -+domain_use_interactive_fds(glance_registry_t) ++######################################## ++# ++# glance-registry local policy ++# + -+files_read_etc_files(glance_registry_t) -+files_read_usr_files(glance_registry_t) ++manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t) ++manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t) ++files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { file dir }) + -+miscfiles_read_localization(glance_registry_t) ++corenet_tcp_bind_generic_node(glance_registry_t) ++corenet_tcp_bind_glance_registry_port(glance_registry_t) + -+sysnet_dns_name_resolve(glance_registry_t) + +######################################## +# +# glance-api local policy +# + -+allow glance_api_t self:fifo_file rw_fifo_file_perms; -+allow glance_api_t self:unix_stream_socket create_stream_socket_perms; -+allow glance_api_t self:tcp_socket create_stream_socket_perms; -+ +manage_dirs_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) +manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) +files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file }) +can_exec(glance_api_t, glance_tmp_t) + -+manage_dirs_pattern(glance_api_t, glance_log_t, glance_log_t) -+manage_files_pattern(glance_api_t, glance_log_t, glance_log_t) -+logging_log_filetrans(glance_api_t, glance_log_t, { dir file }) -+ 
-+manage_dirs_pattern(glance_api_t, glance_var_lib_t, glance_var_lib_t) -+manage_files_pattern(glance_api_t, glance_var_lib_t, glance_var_lib_t) -+files_var_lib_filetrans(glance_api_t, glance_var_lib_t, { dir file }) -+ -+manage_dirs_pattern(glance_api_t, glance_var_run_t, glance_var_run_t) -+manage_files_pattern(glance_api_t, glance_var_run_t, glance_var_run_t) -+files_pid_filetrans(glance_api_t, glance_var_run_t, { dir file }) -+ -+kernel_read_system_state(glance_api_t) -+ -+corecmd_exec_bin(glance_api_t) +corecmd_exec_shell(glance_api_t) + +corenet_tcp_bind_generic_node(glance_api_t) @@ -37662,20 +37740,7 @@ index 0000000..3d67b98 + +fs_getattr_xattr_fs(glance_api_t) + -+domain_use_interactive_fds(glance_api_t) -+ -+files_read_etc_files(glance_api_t) -+files_read_usr_files(glance_api_t) -+ +libs_exec_ldconfig(glance_api_t) -+ -+miscfiles_read_localization(glance_api_t) -+ -+sysnet_read_config(glance_api_t) -+ -+sysnet_dns_name_resolve(glance_api_t) -+ -+ diff --git a/policy/modules/services/gnomeclock.fc b/policy/modules/services/gnomeclock.fc index 462de63..5df751b 100644 --- a/policy/modules/services/gnomeclock.fc @@ -41046,20 +41111,32 @@ index 0000000..5b84980 +') diff --git a/policy/modules/services/matahari.fc b/policy/modules/services/matahari.fc new file mode 100644 -index 0000000..c502d10 +index 0000000..ac84e59 --- /dev/null 
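Review bot: The new `glance_domain` section keeps the `manage_dirs_pattern`/`manage_files_pattern` rules for `glance_log_t`, `glance_var_lib_t` and `glance_var_run_t`, but the three type-transition calls that both per-daemon sections carried are removed and not re-added on the attribute. Without them, anything the daemons create directly under the log, lib or pid directories would presumably keep the parent directory's type, which means either denials at start-up or mislabelled files governed by other domains' rules, unless the directories are always pre-created and labelled from the file contexts. I would restore them once on the attribute: `logging_log_filetrans(glance_domain, glance_log_t, { dir file })`, `files_var_lib_filetrans(glance_domain, glance_var_lib_t, { dir file })` and `files_pid_filetrans(glance_domain, glance_var_run_t, { dir file })`. The dropped `domain_use_interactive_fds` and `sysnet_read_config` calls read as deliberate tightening and need no change.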
+++ b/policy/modules/services/matahari.fc -@@ -0,0 +1,15 @@ +@@ -0,0 +1,27 @@ +/etc/rc\.d/init\.d/matahari-host gen_context(system_u:object_r:matahari_initrc_exec_t,s0) +/etc/rc\.d/init\.d/matahari-net gen_context(system_u:object_r:matahari_initrc_exec_t,s0) +/etc/rc\.d/init\.d/matahari-service gen_context(system_u:object_r:matahari_initrc_exec_t,s0) + +/usr/sbin/matahari-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0) + ++/usr/sbin/matahari-dbus-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0) ++ ++/usr/sbin/matahari-qmf-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0) ++ +/usr/sbin/matahari-netd -- gen_context(system_u:object_r:matahari_netd_exec_t,s0) + ++/usr/sbin/matahari-dbus-networkd -- gen_context(system_u:object_r:matahari_netd_exec_t,s0) ++ ++/usr/sbin/matahari-qmf-networkd -- gen_context(system_u:object_r:matahari_netd_exec_t,s0) ++ +/usr/sbin/matahari-serviced -- gen_context(system_u:object_r:matahari_serviced_exec_t,s0) + ++/usr/sbin/matahari-dbus-serviced -- gen_context(system_u:object_r:matahari_serviced_exec_t,s0) ++ ++/usr/sbin/matahari-qmf-serviced -- gen_context(system_u:object_r:matahari_serviced_exec_t,s0) ++ +/var/lib/matahari(/.*)? gen_context(system_u:object_r:matahari_var_lib_t,s0) + +/var/run/matahari(/.*)? gen_context(system_u:object_r:matahari_var_run_t,s0) @@ -42881,7 +42958,7 @@ index 343cee3..fff3a52 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te -index 64268e4..142fbfb 100644 +index 64268e4..4e45f74 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -20,14 +20,16 @@ files_type(etc_aliases_t) 
@@ -43119,7 +43196,16 @@ index 64268e4..142fbfb 100644 # Create dead.letter in user home directories. userdom_manage_user_home_content_files(user_mail_t) userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file) -@@ -292,3 +314,44 @@ optional_policy(` +@@ -277,6 +299,8 @@ userdom_dontaudit_append_user_tmp_files(user_mail_t) + # files in an appropriate place for mta_user_agent + userdom_read_user_tmp_files(mta_user_agent) + ++dev_read_sysfs(user_mail_t) ++ + tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_files(user_mail_t) + fs_manage_cifs_symlinks(user_mail_t) +@@ -292,3 +316,44 @@ optional_policy(` postfix_read_config(user_mail_t) postfix_list_spool(user_mail_t) ') @@ -48899,7 +48985,7 @@ index b524673..921a60f 100644 + ppp_systemctl($1) ') diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te -index 2af42e7..605815a 100644 +index 2af42e7..399a452 100644 --- a/policy/modules/services/ppp.te +++ b/policy/modules/services/ppp.te @@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0) @@ -49045,13 +49131,16 @@ index 2af42e7..605815a 100644 dev_read_sysfs(pptp_t) -@@ -266,6 +278,7 @@ corenet_raw_sendrecv_generic_node(pptp_t) +@@ -265,9 +277,8 @@ corenet_tcp_sendrecv_generic_node(pptp_t) + corenet_raw_sendrecv_generic_node(pptp_t) corenet_tcp_sendrecv_all_ports(pptp_t) corenet_tcp_bind_generic_node(pptp_t) - corenet_tcp_connect_generic_port(pptp_t) -+corenet_tcp_connect_unreserved_ports(pptp_t) - corenet_tcp_connect_all_reserved_ports(pptp_t) +-corenet_tcp_connect_generic_port(pptp_t) +-corenet_tcp_connect_all_reserved_ports(pptp_t) corenet_sendrecv_generic_client_packets(pptp_t) ++corenet_tcp_connect_pptp_port(pptp_t) + + files_read_etc_files(pptp_t) diff --git a/policy/modules/services/prelude.if b/policy/modules/services/prelude.if index 2316653..77ef768 100644 @@ -54098,7 +54187,7 @@ index 82cb169..0a29f68 100644 + samba_systemctl($1) ') 
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te -index e30bb63..49941ec 100644 +index e30bb63..f0f6907 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -85,6 +85,9 @@ files_config_file(samba_etc_t) @@ -54331,7 +54420,7 @@ index e30bb63..49941ec 100644 allow nmbd_t swat_t:process signal; -allow swat_t smbd_var_run_t:file { lock unlink }; -+allow swat_t nmbd_var_run_t:file read_file_perms; ++read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t) allow swat_t smbd_port_t:tcp_socket name_bind; @@ -54367,6 +54456,15 @@ index e30bb63..49941ec 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) +@@ -783,7 +803,7 @@ allow winbind_t self:udp_socket create_socket_perms; + + allow winbind_t nmbd_t:process { signal signull }; + +-allow winbind_t nmbd_var_run_t:file read_file_perms; ++read_files_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t) + + allow winbind_t samba_etc_t:dir list_dir_perms; + read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) @@ -806,15 +826,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t, winbind_log_t, file) @@ -56471,7 +56569,7 @@ index 078bcd7..2d60774 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index 22adaca..8e3e9de 100644 +index 22adaca..be6e1fa 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,10 @@ @@ -56734,7 +56832,7 @@ index 22adaca..8e3e9de 100644 - allow $1 sshd_t:fifo_file { getattr read }; + allow $1 sshd_t:fifo_file read_fifo_file_perms; -+') + ') + +###################################### +## 
@@ -56752,7 +56850,7 @@ index 22adaca..8e3e9de 100644 + ') + + allow $1 sshd_t:unix_dgram_socket rw_stream_socket_perms; - ') ++') + ######################################## ## @@ -56800,7 +56898,32 @@ index 22adaca..8e3e9de 100644 files_search_pids($1) ') -@@ -680,6 +758,32 @@ interface(`ssh_domtrans_keygen',` +@@ -643,6 +721,24 @@ interface(`ssh_agent_exec',` + + ######################################## + ## ++## Getattr ssh home directory ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ssh_getattr_user_home_dir',` ++ gen_require(` ++ type ssh_home_t; ++ ') ++ ++ allow $1 ssh_home_t:dir getattr; ++') ++ ++######################################## ++## + ## Read ssh home directory content + ## + ## +@@ -680,6 +776,32 @@ interface(`ssh_domtrans_keygen',` domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t) ') @@ -56833,7 +56956,7 @@ index 22adaca..8e3e9de 100644 ######################################## ## ## Read ssh server keys -@@ -695,7 +799,7 @@ interface(`ssh_dontaudit_read_server_keys',` +@@ -695,7 +817,7 @@ interface(`ssh_dontaudit_read_server_keys',` type sshd_key_t; ') @@ -56842,7 +56965,7 @@ index 22adaca..8e3e9de 100644 ') ###################################### -@@ -735,3 +839,81 @@ interface(`ssh_delete_tmp',` +@@ -735,3 +857,81 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') @@ -61971,7 +62094,7 @@ index 130ced9..b6fb17a 100644 + userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 143c893..60e0e2d 100644 +index 143c893..de08586 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` 
@@ -62431,7 +62554,7 @@ index 143c893..60e0e2d 100644 corecmd_exec_shell(xdm_t) corecmd_exec_bin(xdm_t) -+corecmd_dontaudit_access_check_bin(xdm_t) ++corecmd_dontaudit_access_all_executables(xdm_t) corenet_all_recvfrom_unlabeled(xdm_t) corenet_all_recvfrom_netlabel(xdm_t) @@ -63540,7 +63663,7 @@ index 28ad538..59742f4 100644 -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 73554ec..f05a80f 100644 +index 73554ec..e3720d4 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -57,6 +57,8 @@ interface(`auth_use_pam',` @@ -63626,7 +63749,7 @@ index 73554ec..f05a80f 100644 auth_use_pam($1) init_rw_utmp($1) -@@ -155,9 +177,84 @@ interface(`auth_login_pgm_domain',` +@@ -155,9 +177,83 @@ interface(`auth_login_pgm_domain',` seutil_read_config($1) seutil_read_default_contexts($1) @@ -63671,7 +63794,6 @@ index 73554ec..f05a80f 100644 + optional_policy(` + ssh_agent_exec($1) + ssh_read_user_home_files($1) -+ userdom_read_user_home_content_files($1) + ') +') + @@ -63713,7 +63835,7 @@ index 73554ec..f05a80f 100644 ') ######################################## -@@ -368,13 +465,15 @@ interface(`auth_domtrans_chk_passwd',` +@@ -368,13 +464,15 @@ interface(`auth_domtrans_chk_passwd',` ') optional_policy(` @@ -63730,7 +63852,7 @@ index 73554ec..f05a80f 100644 ') ######################################## -@@ -421,6 +520,25 @@ interface(`auth_run_chk_passwd',` +@@ -421,6 +519,25 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -63756,7 +63878,7 @@ index 73554ec..f05a80f 100644 ') ######################################## -@@ -736,7 +854,47 @@ interface(`auth_rw_faillog',` +@@ -736,7 +853,47 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) 
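Review bot: Replacing `corecmd_dontaudit_access_check_bin(xdm_t)` with `corecmd_dontaudit_access_all_executables(xdm_t)` widens a dontaudit rule (judging by the interface names, from bin-labelled files to every executable type), and the hunk gives no reason for it. A dontaudit grants nothing, but it does remove the AVC records that would show xdm_t probing executables outside its normal set, so the wider form costs detection coverage. I would add a comment above the call that records the trigger, along the lines of `# xdm probes executables of many types at session start; see <bug reference>`, so a later reader can judge whether the broad form is still needed.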
@@ -63805,7 +63927,7 @@ index 73554ec..f05a80f 100644 ') ####################################### -@@ -932,9 +1090,30 @@ interface(`auth_manage_var_auth',` +@@ -932,9 +1089,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) @@ -63839,7 +63961,7 @@ index 73554ec..f05a80f 100644 ') ######################################## -@@ -1387,6 +1566,25 @@ interface(`auth_setattr_login_records',` +@@ -1387,6 +1565,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -63865,7 +63987,7 @@ index 73554ec..f05a80f 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1541,24 +1739,6 @@ interface(`auth_manage_login_records',` +@@ -1541,24 +1738,6 @@ interface(`auth_manage_login_records',` ######################################## ## @@ -63890,7 +64012,7 @@ index 73554ec..f05a80f 100644 ## Use nsswitch to look up user, password, group, or ## host information. ## -@@ -1578,54 +1758,11 @@ interface(`auth_relabel_login_records',` +@@ -1578,54 +1757,11 @@ interface(`auth_relabel_login_records',` ## # interface(`auth_use_nsswitch',` @@ -63948,7 +64070,7 @@ index 73554ec..f05a80f 100644 ') ######################################## -@@ -1659,3 +1796,33 @@ interface(`auth_unconfined',` +@@ -1659,3 +1795,33 @@ interface(`auth_unconfined',` typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') 
@@ -67520,11 +67642,77 @@ index e5836d3..eae9427 100644 -optional_policy(` - unconfined_domain(ldconfig_t) -') +diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc +index be6a81b..ddae53a 100644 +--- a/policy/modules/system/locallogin.fc ++++ b/policy/modules/system/locallogin.fc +@@ -1,3 +1,5 @@ ++HOME_DIR/\.hushlogin -- gen_context(system_u:object_r:local_login_home_t,s0) ++/root/.\.hushlogin -- gen_context(system_u:object_r:local_login_home_t,s0) + + /sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0) + /sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0) +diff --git a/policy/modules/system/locallogin.if b/policy/modules/system/locallogin.if +index 0e3c2a9..3272623 100644 +--- a/policy/modules/system/locallogin.if ++++ b/policy/modules/system/locallogin.if +@@ -129,3 +129,41 @@ interface(`locallogin_domtrans_sulogin',` + + domtrans_pattern($1, sulogin_exec_t, sulogin_t) + ') ++ ++######################################## ++## ++## create local login content in the in the /root directory ++## with an correct label. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`locallogin_filetrans_admin_home_content',` ++ gen_require(` ++ type local_login_home_t; ++ ') ++ ++ userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin") ++') ++ ++######################################## ++## ++## Transition to local login named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`locallogin_filetrans_home_content',` ++ gen_require(` ++ type local_login_home_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin") ++') ++ diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index a0b379d..b823395 100644 +index a0b379d..bf90918 100644 --- a/policy/modules/system/locallogin.te 
+++ b/policy/modules/system/locallogin.te -@@ -32,9 +32,8 @@ role system_r types sulogin_t; +@@ -17,6 +17,9 @@ type local_login_tmp_t; + files_tmp_file(local_login_tmp_t) + files_poly_parent(local_login_tmp_t) + ++type local_login_home_t; ++userdom_user_home_content(local_login_home_t) ++ + type sulogin_t; + type sulogin_exec_t; + domain_obj_id_change_exemption(sulogin_t) +@@ -32,9 +35,8 @@ role system_r types sulogin_t; # Local login local policy # @@ -67536,7 +67724,16 @@ index a0b379d..b823395 100644 allow local_login_t self:fd use; allow local_login_t self:fifo_file rw_fifo_file_perms; allow local_login_t self:sock_file read_sock_file_perms; -@@ -73,6 +72,8 @@ dev_getattr_power_mgmt_dev(local_login_t) +@@ -51,6 +53,8 @@ allow local_login_t self:key { search write link }; + allow local_login_t local_login_lock_t:file manage_file_perms; + files_lock_filetrans(local_login_t, local_login_lock_t, file) + ++allow local_login_t local_login_home_t:file read_file_perms; ++ + allow local_login_t local_login_tmp_t:dir manage_dir_perms; + allow local_login_t local_login_tmp_t:file manage_file_perms; + files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir }) +@@ -73,6 +77,8 @@ dev_getattr_power_mgmt_dev(local_login_t) dev_setattr_power_mgmt_dev(local_login_t) dev_getattr_sound_dev(local_login_t) dev_setattr_sound_dev(local_login_t) @@ -67545,7 +67742,7 @@ index a0b379d..b823395 100644 dev_dontaudit_getattr_apm_bios_dev(local_login_t) dev_dontaudit_setattr_apm_bios_dev(local_login_t) dev_dontaudit_read_framebuffer(local_login_t) -@@ -123,8 +124,10 @@ auth_rw_faillog(local_login_t) +@@ -123,8 +129,10 @@ auth_rw_faillog(local_login_t) auth_manage_pam_pid(local_login_t) auth_manage_pam_console_data(local_login_t) auth_domtrans_pam_console(local_login_t) 
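Review bot: The second entry added to locallogin.fc, `/root/.\.hushlogin`, has an unescaped `.` in front of the escaped one, so it matches `/root/` followed by any single character and then `.hushlogin`, and never `/root/.hushlogin` itself. As written, a relabel would not give root's file the `local_login_home_t` type, so the `read_file_perms` rule added for `local_login_t` in the locallogin.te hunk that follows would not cover it. The entry should read `/root/\.hushlogin -- gen_context(system_u:object_r:local_login_home_t,s0)`. In the same hunk, the summary of `locallogin_filetrans_admin_home_content` has the typos "in the in the" and "an correct label".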
@@ -67556,7 +67753,7 @@ index a0b379d..b823395 100644 miscfiles_read_localization(local_login_t) -@@ -156,6 +159,12 @@ tunable_policy(`use_samba_home_dirs',` +@@ -156,6 +164,12 @@ tunable_policy(`use_samba_home_dirs',` fs_read_cifs_symlinks(local_login_t) ') @@ -67569,7 +67766,7 @@ index a0b379d..b823395 100644 optional_policy(` alsa_domtrans(local_login_t) ') -@@ -177,14 +186,6 @@ optional_policy(` +@@ -177,14 +191,6 @@ optional_policy(` ') optional_policy(` @@ -67584,7 +67781,7 @@ index a0b379d..b823395 100644 unconfined_shell_domtrans(local_login_t) ') -@@ -215,6 +216,7 @@ allow sulogin_t self:sem create_sem_perms; +@@ -215,6 +221,7 @@ allow sulogin_t self:sem create_sem_perms; allow sulogin_t self:msgq create_msgq_perms; allow sulogin_t self:msg { send receive }; @@ -67592,7 +67789,7 @@ index a0b379d..b823395 100644 kernel_read_system_state(sulogin_t) fs_search_auto_mountpoints(sulogin_t) -@@ -223,13 +225,17 @@ fs_rw_tmpfs_chr_files(sulogin_t) +@@ -223,13 +230,17 @@ fs_rw_tmpfs_chr_files(sulogin_t) files_read_etc_files(sulogin_t) # because file systems are not mounted: files_dontaudit_search_isid_type_dirs(sulogin_t) @@ -67610,7 +67807,7 @@ index a0b379d..b823395 100644 seutil_read_config(sulogin_t) seutil_read_default_contexts(sulogin_t) -@@ -238,14 +244,24 @@ userdom_use_unpriv_users_fds(sulogin_t) +@@ -238,14 +249,24 @@ userdom_use_unpriv_users_fds(sulogin_t) userdom_search_user_home_dirs(sulogin_t) userdom_use_user_ptys(sulogin_t) @@ -67637,7 +67834,7 @@ index a0b379d..b823395 100644 init_getpgid(sulogin_t) ', ` allow sulogin_t self:process setexec; -@@ -256,11 +272,3 @@ ifdef(`sulogin_no_pam', ` +@@ -256,11 +277,3 @@ ifdef(`sulogin_no_pam', ` selinux_compute_relabel_context(sulogin_t) selinux_compute_user_contexts(sulogin_t) ') @@ -71188,10 +71385,10 @@ index 0000000..9eaa38e +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..764084e +index 0000000..f642930 
--- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,477 @@ +@@ -0,0 +1,478 @@ +## SELinux policy for systemd components + +####################################### @@ -71240,6 +71437,7 @@ index 0000000..764084e + can_exec($1, systemd_systemctl_exec_t) + + systemd_list_unit_dirs($1) ++ init_list_pid_dirs($1) + init_read_state($1) + init_stream_send($1) +') @@ -71671,10 +71869,10 @@ index 0000000..764084e + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..3790267 +index 0000000..3e5e632 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,370 @@ +@@ -0,0 +1,371 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -71753,6 +71951,7 @@ index 0000000..3790267 +dev_read_sysfs(systemd_logind_t) +dev_setattr_input_dev(systemd_logind_t) +dev_setattr_mouse_dev(systemd_logind_t) ++dev_write_kmsg(systemd_logind_t) + +dev_getattr_all_chr_files(systemd_logind_t) +dev_getattr_all_blk_files(systemd_logind_t) @@ -77189,9 +77388,18 @@ index bdd500c..4719351 100644 define(`admin_pattern',` diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt -index 22ca011..823794e 100644 +index 22ca011..18e1b2f 100644 --- a/policy/support/misc_patterns.spt +++ b/policy/support/misc_patterns.spt +@@ -4,7 +4,7 @@ + define(`domain_transition_pattern',` + allow $1 $2:file { getattr open read execute }; + allow $1 $3:process transition; +- dontaudit $1 $3:process { noatsecure siginh rlimitinh }; ++# dontaudit $1 $3:process { noatsecure siginh rlimitinh }; + ') + + # compatibility: @@ -15,7 +15,7 @@ define(`spec_domtrans_pattern',` domain_transition_pattern($1,$2,$3) diff --git a/ptrace.patch b/ptrace.patch index ab0d753..7b71930 100644 --- a/ptrace.patch +++ b/ptrace.patch 
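Review bot: The `dontaudit $1 $3:process { noatsecure siginh rlimitinh };` line in `domain_transition_pattern` is commented out rather than removed, with nothing saying why or for how long. `spec_domtrans_pattern` just below expands this pattern, and presumably the other transition macros do too, so these three denials would now be logged for every transition that is not explicitly allowed them. That volume can bury the AVC records an administrator needs to see. If this is a temporary debugging aid, say so on the line above, for example `# dontaudit disabled to surface noatsecure/siginh/rlimitinh denials; restore once triaged`; otherwise delete the rule outright.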
@@ -1,6 +1,6 @@ diff -up serefpolicy-3.10.0/policy/global_tunables.ptrace serefpolicy-3.10.0/policy/global_tunables ---- serefpolicy-3.10.0/policy/global_tunables.ptrace 2011-10-11 16:42:15.566761738 -0400 -+++ serefpolicy-3.10.0/policy/global_tunables 2011-10-11 16:42:16.082761591 -0400 +--- serefpolicy-3.10.0/policy/global_tunables.ptrace 2011-10-14 09:46:28.474535144 -0400 ++++ serefpolicy-3.10.0/policy/global_tunables 2011-10-14 09:46:29.088523377 -0400 @@ -6,6 +6,13 @@ ## @@ -16,8 +16,8 @@ diff -up serefpolicy-3.10.0/policy/global_tunables.ptrace serefpolicy-3.10.0/pol ##

##
diff -up serefpolicy-3.10.0/policy/modules/admin/kdump.if.ptrace serefpolicy-3.10.0/policy/modules/admin/kdump.if ---- serefpolicy-3.10.0/policy/modules/admin/kdump.if.ptrace 2011-10-11 16:42:15.581761733 -0400 -+++ serefpolicy-3.10.0/policy/modules/admin/kdump.if 2011-10-11 16:42:16.083761591 -0400 +--- serefpolicy-3.10.0/policy/modules/admin/kdump.if.ptrace 2011-10-14 09:46:28.489534857 -0400 ++++ serefpolicy-3.10.0/policy/modules/admin/kdump.if 2011-10-14 09:46:29.089523358 -0400 @@ -140,8 +140,11 @@ interface(`kdump_admin',` type kdump_initrc_exec_t; ') @@ -33,7 +33,7 @@ diff -up serefpolicy-3.10.0/policy/modules/admin/kdump.if.ptrace serefpolicy-3.1 domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/admin/kismet.if.ptrace serefpolicy-3.10.0/policy/modules/admin/kismet.if --- serefpolicy-3.10.0/policy/modules/admin/kismet.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/admin/kismet.if 2011-10-11 16:42:16.083761591 -0400 ++++ serefpolicy-3.10.0/policy/modules/admin/kismet.if 2011-10-14 09:46:29.090523338 -0400 @@ -239,7 +239,10 @@ interface(`kismet_admin',` ') @@ -47,8 +47,8 @@ diff -up serefpolicy-3.10.0/policy/modules/admin/kismet.if.ptrace serefpolicy-3. kismet_manage_pid_files($1) kismet_manage_lib($1) diff -up serefpolicy-3.10.0/policy/modules/admin/kudzu.te.ptrace serefpolicy-3.10.0/policy/modules/admin/kudzu.te ---- serefpolicy-3.10.0/policy/modules/admin/kudzu.te.ptrace 2011-10-11 16:42:15.582761733 -0400 -+++ serefpolicy-3.10.0/policy/modules/admin/kudzu.te 2011-10-11 16:42:16.084761591 -0400 +--- serefpolicy-3.10.0/policy/modules/admin/kudzu.te.ptrace 2011-10-14 09:46:28.491534818 -0400 ++++ serefpolicy-3.10.0/policy/modules/admin/kudzu.te 2011-10-14 09:46:29.090523338 -0400 @@ -20,7 +20,7 @@ files_pid_file(kudzu_var_run_t) # Local policy # 
@@ -59,8 +59,8 @@ diff -up serefpolicy-3.10.0/policy/modules/admin/kudzu.te.ptrace serefpolicy-3.1 allow kudzu_t self:process { signal_perms execmem }; allow kudzu_t self:fifo_file rw_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/admin/logrotate.te.ptrace serefpolicy-3.10.0/policy/modules/admin/logrotate.te ---- serefpolicy-3.10.0/policy/modules/admin/logrotate.te.ptrace 2011-10-11 16:42:15.583761733 -0400 -+++ serefpolicy-3.10.0/policy/modules/admin/logrotate.te 2011-10-11 16:42:16.084761591 -0400 +--- serefpolicy-3.10.0/policy/modules/admin/logrotate.te.ptrace 2011-10-14 09:46:28.492534798 -0400 ++++ serefpolicy-3.10.0/policy/modules/admin/logrotate.te 2011-10-14 09:46:29.091523318 -0400 @@ -30,8 +30,6 @@ files_type(logrotate_var_lib_t) # Change ownership on log files. @@ -71,8 +71,8 @@ diff -up serefpolicy-3.10.0/policy/modules/admin/logrotate.te.ptrace serefpolicy allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; diff -up serefpolicy-3.10.0/policy/modules/admin/ncftool.te.ptrace serefpolicy-3.10.0/policy/modules/admin/ncftool.te ---- serefpolicy-3.10.0/policy/modules/admin/ncftool.te.ptrace 2011-10-11 16:42:15.586761731 -0400 -+++ serefpolicy-3.10.0/policy/modules/admin/ncftool.te 2011-10-11 16:42:16.085761591 -0400 +--- serefpolicy-3.10.0/policy/modules/admin/ncftool.te.ptrace 2011-10-14 09:46:28.496534722 -0400 ++++ serefpolicy-3.10.0/policy/modules/admin/ncftool.te 2011-10-14 09:46:29.091523318 -0400 @@ -17,8 +17,7 @@ role system_r types ncftool_t; # ncftool local policy # 
@@ -84,8 +84,8 @@ diff -up serefpolicy-3.10.0/policy/modules/admin/ncftool.te.ptrace serefpolicy-3 allow ncftool_t self:fifo_file manage_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/admin/rpm.te.ptrace serefpolicy-3.10.0/policy/modules/admin/rpm.te ---- serefpolicy-3.10.0/policy/modules/admin/rpm.te.ptrace 2011-10-11 16:42:16.020761610 -0400 -+++ serefpolicy-3.10.0/policy/modules/admin/rpm.te 2011-10-11 16:42:16.085761591 -0400 +--- serefpolicy-3.10.0/policy/modules/admin/rpm.te.ptrace 2011-10-14 09:46:29.029524505 -0400 ++++ serefpolicy-3.10.0/policy/modules/admin/rpm.te 2011-10-14 09:46:29.092523299 -0400 @@ -248,7 +248,8 @@ optional_policy(` # rpm-script Local policy # @@ -97,8 +97,8 @@ diff -up serefpolicy-3.10.0/policy/modules/admin/rpm.te.ptrace serefpolicy-3.10. allow rpm_script_t self:fd use; allow rpm_script_t self:fifo_file rw_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/admin/sectoolm.te.ptrace serefpolicy-3.10.0/policy/modules/admin/sectoolm.te ---- serefpolicy-3.10.0/policy/modules/admin/sectoolm.te.ptrace 2011-10-11 16:42:15.598761729 -0400 -+++ serefpolicy-3.10.0/policy/modules/admin/sectoolm.te 2011-10-11 16:42:16.086761591 -0400 +--- serefpolicy-3.10.0/policy/modules/admin/sectoolm.te.ptrace 2011-10-14 09:46:28.510534454 -0400 ++++ serefpolicy-3.10.0/policy/modules/admin/sectoolm.te 2011-10-14 09:46:29.093523281 -0400 @@ -23,7 +23,7 @@ files_tmp_file(sectool_tmp_t) # sectool local policy # 
@@ -109,8 +109,8 @@ diff -up serefpolicy-3.10.0/policy/modules/admin/sectoolm.te.ptrace serefpolicy- dontaudit sectoolm_t self:process { execstack execmem }; allow sectoolm_t self:fifo_file rw_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/admin/shorewall.if.ptrace serefpolicy-3.10.0/policy/modules/admin/shorewall.if ---- serefpolicy-3.10.0/policy/modules/admin/shorewall.if.ptrace 2011-10-11 16:42:15.598761729 -0400 -+++ serefpolicy-3.10.0/policy/modules/admin/shorewall.if 2011-10-11 16:42:16.087761591 -0400 +--- serefpolicy-3.10.0/policy/modules/admin/shorewall.if.ptrace 2011-10-14 09:46:28.511534435 -0400 ++++ serefpolicy-3.10.0/policy/modules/admin/shorewall.if 2011-10-14 09:46:29.093523281 -0400 @@ -139,8 +139,11 @@ interface(`shorewall_admin',` type shorewall_tmp_t, shorewall_etc_t; ') @@ -125,8 +125,8 @@ diff -up serefpolicy-3.10.0/policy/modules/admin/shorewall.if.ptrace serefpolicy init_labeled_script_domtrans($1, shorewall_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/admin/shorewall.te.ptrace serefpolicy-3.10.0/policy/modules/admin/shorewall.te ---- serefpolicy-3.10.0/policy/modules/admin/shorewall.te.ptrace 2011-10-11 16:42:15.599761728 -0400 -+++ serefpolicy-3.10.0/policy/modules/admin/shorewall.te 2011-10-11 16:42:16.087761591 -0400 +--- serefpolicy-3.10.0/policy/modules/admin/shorewall.te.ptrace 2011-10-14 09:46:28.511534435 -0400 ++++ serefpolicy-3.10.0/policy/modules/admin/shorewall.te 2011-10-14 09:46:29.094523262 -0400 @@ -37,7 +37,7 @@ logging_log_file(shorewall_log_t) # shorewall local policy # 
@@ -137,8 +137,8 @@ diff -up serefpolicy-3.10.0/policy/modules/admin/shorewall.te.ptrace serefpolicy allow shorewall_t self:fifo_file rw_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/admin/sosreport.te.ptrace serefpolicy-3.10.0/policy/modules/admin/sosreport.te ---- serefpolicy-3.10.0/policy/modules/admin/sosreport.te.ptrace 2011-10-11 16:42:15.602761727 -0400 -+++ serefpolicy-3.10.0/policy/modules/admin/sosreport.te 2011-10-11 16:42:16.088761590 -0400 +--- serefpolicy-3.10.0/policy/modules/admin/sosreport.te.ptrace 2011-10-14 09:46:28.514534377 -0400 ++++ serefpolicy-3.10.0/policy/modules/admin/sosreport.te 2011-10-14 09:46:29.095523243 -0400 @@ -21,7 +21,7 @@ files_tmpfs_file(sosreport_tmpfs_t) # sosreport local policy # @@ -149,8 +149,8 @@ diff -up serefpolicy-3.10.0/policy/modules/admin/sosreport.te.ptrace serefpolicy allow sosreport_t self:fifo_file rw_fifo_file_perms; allow sosreport_t self:tcp_socket create_stream_socket_perms; diff -up serefpolicy-3.10.0/policy/modules/admin/usermanage.te.ptrace serefpolicy-3.10.0/policy/modules/admin/usermanage.te ---- serefpolicy-3.10.0/policy/modules/admin/usermanage.te.ptrace 2011-10-11 16:42:16.044761602 -0400 -+++ serefpolicy-3.10.0/policy/modules/admin/usermanage.te 2011-10-11 16:42:16.088761590 -0400 +--- serefpolicy-3.10.0/policy/modules/admin/usermanage.te.ptrace 2011-10-14 09:46:29.055524007 -0400 ++++ serefpolicy-3.10.0/policy/modules/admin/usermanage.te 2011-10-14 09:46:29.095523243 -0400 @@ -435,7 +435,8 @@ optional_policy(` # Useradd local policy # 
@@ -162,8 +162,8 @@ diff -up serefpolicy-3.10.0/policy/modules/admin/usermanage.te.ptrace serefpolic allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; diff -up serefpolicy-3.10.0/policy/modules/apps/chrome.te.ptrace serefpolicy-3.10.0/policy/modules/apps/chrome.te ---- serefpolicy-3.10.0/policy/modules/apps/chrome.te.ptrace 2011-10-11 16:42:15.612761725 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/chrome.te 2011-10-11 16:42:16.089761589 -0400 +--- serefpolicy-3.10.0/policy/modules/apps/chrome.te.ptrace 2011-10-14 09:46:28.528534108 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/chrome.te 2011-10-14 09:46:29.096523224 -0400 @@ -21,7 +21,7 @@ ubac_constrained(chrome_sandbox_tmpfs_t) # # chrome_sandbox local policy @@ -174,8 +174,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/chrome.te.ptrace serefpolicy-3.1 allow chrome_sandbox_t self:process setsched; allow chrome_sandbox_t self:fifo_file manage_file_perms; diff -up serefpolicy-3.10.0/policy/modules/apps/execmem.if.ptrace serefpolicy-3.10.0/policy/modules/apps/execmem.if ---- serefpolicy-3.10.0/policy/modules/apps/execmem.if.ptrace 2011-10-11 16:42:16.044761602 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/execmem.if 2011-10-11 16:42:16.089761589 -0400 +--- serefpolicy-3.10.0/policy/modules/apps/execmem.if.ptrace 2011-10-14 09:46:29.056523988 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/execmem.if 2011-10-14 09:46:29.097523205 -0400 @@ -59,7 +59,7 @@ template(`execmem_role_template',` userdom_unpriv_usertype($1, $1_execmem_t) 
@@ -186,8 +186,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/execmem.if.ptrace serefpolicy-3. files_execmod_tmp($1_execmem_t) diff -up serefpolicy-3.10.0/policy/modules/apps/gnome.if.ptrace serefpolicy-3.10.0/policy/modules/apps/gnome.if ---- serefpolicy-3.10.0/policy/modules/apps/gnome.if.ptrace 2011-10-11 16:42:15.617761723 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/gnome.if 2011-10-11 16:42:16.090761589 -0400 +--- serefpolicy-3.10.0/policy/modules/apps/gnome.if.ptrace 2011-10-14 09:46:28.534533994 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/gnome.if 2011-10-14 09:46:29.098523186 -0400 @@ -91,8 +91,7 @@ interface(`gnome_role_gkeyringd',` auth_use_nsswitch($1_gkeyringd_t) @@ -199,8 +199,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/gnome.if.ptrace serefpolicy-3.10 stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t) diff -up serefpolicy-3.10.0/policy/modules/apps/irc.if.ptrace serefpolicy-3.10.0/policy/modules/apps/irc.if ---- serefpolicy-3.10.0/policy/modules/apps/irc.if.ptrace 2011-10-11 16:42:15.620761723 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/irc.if 2011-10-11 16:42:16.091761589 -0400 +--- serefpolicy-3.10.0/policy/modules/apps/irc.if.ptrace 2011-10-14 09:46:28.538533917 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/irc.if 2011-10-14 09:46:29.099523167 -0400 @@ -33,7 +33,7 @@ interface(`irc_role',` domtrans_pattern($2, irssi_exec_t, irssi_t) 
@@ -211,8 +211,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/irc.if.ptrace serefpolicy-3.10.0 manage_dirs_pattern($2, irssi_home_t, irssi_home_t) diff -up serefpolicy-3.10.0/policy/modules/apps/java.if.ptrace serefpolicy-3.10.0/policy/modules/apps/java.if ---- serefpolicy-3.10.0/policy/modules/apps/java.if.ptrace 2011-10-11 16:42:16.045761602 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/java.if 2011-10-11 16:42:16.091761589 -0400 +--- serefpolicy-3.10.0/policy/modules/apps/java.if.ptrace 2011-10-14 09:46:29.056523988 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/java.if 2011-10-14 09:46:29.099523167 -0400 @@ -76,11 +76,11 @@ template(`java_role_template',` userdom_manage_tmpfs_role($2) userdom_manage_tmpfs($1_java_t) @@ -228,8 +228,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/java.if.ptrace serefpolicy-3.10. domtrans_pattern($3, java_exec_t, $1_java_t) diff -up serefpolicy-3.10.0/policy/modules/apps/kde.te.ptrace serefpolicy-3.10.0/policy/modules/apps/kde.te ---- serefpolicy-3.10.0/policy/modules/apps/kde.te.ptrace 2011-10-11 16:42:15.624761721 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/kde.te 2011-10-11 16:42:16.092761589 -0400 +--- serefpolicy-3.10.0/policy/modules/apps/kde.te.ptrace 2011-10-14 09:46:28.542533840 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/kde.te 2011-10-14 09:46:29.100523148 -0400 @@ -13,9 +13,6 @@ dbus_system_domain(kdebacklighthelper_t, # # backlighthelper local policy 
@@ -241,8 +241,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/kde.te.ptrace serefpolicy-3.10.0 kernel_read_system_state(kdebacklighthelper_t) diff -up serefpolicy-3.10.0/policy/modules/apps/livecd.te.ptrace serefpolicy-3.10.0/policy/modules/apps/livecd.te ---- serefpolicy-3.10.0/policy/modules/apps/livecd.te.ptrace 2011-10-11 16:42:15.626761720 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/livecd.te 2011-10-11 16:42:16.092761589 -0400 +--- serefpolicy-3.10.0/policy/modules/apps/livecd.te.ptrace 2011-10-14 09:46:28.543533821 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/livecd.te 2011-10-14 09:46:29.100523148 -0400 @@ -20,7 +20,10 @@ files_tmp_file(livecd_tmp_t) dontaudit livecd_t self:capability2 mac_admin; @@ -256,8 +256,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/livecd.te.ptrace serefpolicy-3.1 manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t) diff -up serefpolicy-3.10.0/policy/modules/apps/mono.if.ptrace serefpolicy-3.10.0/policy/modules/apps/mono.if ---- serefpolicy-3.10.0/policy/modules/apps/mono.if.ptrace 2011-10-11 16:42:16.045761602 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/mono.if 2011-10-11 16:42:16.093761589 -0400 +--- serefpolicy-3.10.0/policy/modules/apps/mono.if.ptrace 2011-10-14 09:46:29.057523969 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/mono.if 2011-10-14 09:46:29.101523129 -0400 @@ -40,8 +40,8 @@ template(`mono_role_template',` domain_interactive_fd($1_mono_t) application_type($1_mono_t) @@ -271,7 +271,7 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/mono.if.ptrace serefpolicy-3.10. diff -up serefpolicy-3.10.0/policy/modules/apps/mono.te.ptrace serefpolicy-3.10.0/policy/modules/apps/mono.te --- serefpolicy-3.10.0/policy/modules/apps/mono.te.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/mono.te 2011-10-11 16:42:16.093761589 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/mono.te 2011-10-14 09:46:29.101523129 -0400 
@@ -15,7 +15,7 @@ init_system_domain(mono_t, mono_exec_t) # Local policy # @@ -282,8 +282,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/mono.te.ptrace serefpolicy-3.10. init_dbus_chat_script(mono_t) diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.if.ptrace serefpolicy-3.10.0/policy/modules/apps/mozilla.if ---- serefpolicy-3.10.0/policy/modules/apps/mozilla.if.ptrace 2011-10-11 16:42:16.046761602 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/mozilla.if 2011-10-11 16:42:16.094761589 -0400 +--- serefpolicy-3.10.0/policy/modules/apps/mozilla.if.ptrace 2011-10-14 09:46:29.058523950 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/mozilla.if 2011-10-14 09:46:29.102523109 -0400 @@ -221,7 +221,7 @@ interface(`mozilla_domtrans_plugin',` allow mozilla_plugin_t $1:sem create_sem_perms; 
@@ -294,21 +294,20 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.if.ptrace serefpolicy-3. ######################################## diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.te.ptrace serefpolicy-3.10.0/policy/modules/apps/mozilla.te ---- serefpolicy-3.10.0/policy/modules/apps/mozilla.te.ptrace 2011-10-11 16:42:16.023761608 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/mozilla.te 2011-10-11 16:42:16.094761589 -0400 -@@ -300,9 +300,6 @@ optional_policy(` - # +--- serefpolicy-3.10.0/policy/modules/apps/mozilla.te.ptrace 2011-10-14 09:46:29.000000000 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/mozilla.te 2011-10-14 09:47:46.696136674 -0400 +@@ -301,7 +301,7 @@ optional_policy(` # mozilla_plugin local policy # -- --dontaudit mozilla_plugin_t self:capability { sys_ptrace }; -- + +-dontaudit mozilla_plugin_t self:capability { sys_ptrace sys_nice }; ++dontaudit mozilla_plugin_t self:capability sys_nice; + allow mozilla_plugin_t self:process { setsched signal_perms execmem }; allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms; - allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms; diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.ptrace serefpolicy-3.10.0/policy/modules/apps/nsplugin.if ---- serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.ptrace 2011-10-11 16:42:16.047761602 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.if 2011-10-11 16:42:16.095761589 -0400 +--- serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.ptrace 2011-10-14 09:46:29.058523950 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.if 2011-10-14 09:46:29.104523070 -0400 @@ -93,7 +93,7 @@ ifdef(`hide_broken_symptoms', ` dontaudit nsplugin_t $2:shm destroy; allow $2 nsplugin_t:sem rw_sem_perms; 
@@ -319,8 +318,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.ptrace serefpolicy-3 # Connect to pulseaudit server diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.ptrace serefpolicy-3.10.0/policy/modules/apps/nsplugin.te ---- serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.ptrace 2011-10-11 16:42:16.047761602 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.te 2011-10-11 16:42:16.096761589 -0400 +--- serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.ptrace 2011-10-14 09:46:29.059523931 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.te 2011-10-14 09:46:29.105523050 -0400 @@ -54,7 +54,7 @@ application_executable_file(nsplugin_con # dontaudit nsplugin_t self:capability { sys_nice sys_tty_config }; @@ -331,8 +330,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.ptrace serefpolicy-3 allow nsplugin_t self:sem create_sem_perms; allow nsplugin_t self:shm create_shm_perms; diff -up serefpolicy-3.10.0/policy/modules/apps/openoffice.if.ptrace serefpolicy-3.10.0/policy/modules/apps/openoffice.if ---- serefpolicy-3.10.0/policy/modules/apps/openoffice.if.ptrace 2011-10-11 16:42:15.634761718 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/openoffice.if 2011-10-11 16:42:16.096761589 -0400 +--- serefpolicy-3.10.0/policy/modules/apps/openoffice.if.ptrace 2011-10-14 09:46:28.555533591 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/openoffice.if 2011-10-14 09:46:29.105523050 -0400 @@ -69,7 +69,7 @@ interface(`openoffice_role_template',` allow $1_openoffice_t self:process { getsched sigkill execheap execmem execstack }; 
@@ -343,8 +342,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/openoffice.if.ptrace serefpolicy domtrans_pattern($3, openoffice_exec_t, $1_openoffice_t) diff -up serefpolicy-3.10.0/policy/modules/apps/podsleuth.te.ptrace serefpolicy-3.10.0/policy/modules/apps/podsleuth.te ---- serefpolicy-3.10.0/policy/modules/apps/podsleuth.te.ptrace 2011-10-11 16:42:16.023761608 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/podsleuth.te 2011-10-11 16:42:16.097761589 -0400 +--- serefpolicy-3.10.0/policy/modules/apps/podsleuth.te.ptrace 2011-10-14 09:46:29.035524391 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/podsleuth.te 2011-10-14 09:46:29.106523031 -0400 @@ -27,7 +27,8 @@ ubac_constrained(podsleuth_tmpfs_t) # podsleuth local policy # @@ -357,7 +356,7 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/podsleuth.te.ptrace serefpolicy- allow podsleuth_t self:sem create_sem_perms; diff -up serefpolicy-3.10.0/policy/modules/apps/uml.if.ptrace serefpolicy-3.10.0/policy/modules/apps/uml.if --- serefpolicy-3.10.0/policy/modules/apps/uml.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/uml.if 2011-10-11 16:42:16.098761588 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/uml.if 2011-10-14 09:46:29.107523012 -0400 @@ -31,9 +31,9 @@ interface(`uml_role',` allow $2 uml_t:unix_dgram_socket sendto; allow uml_t $2:unix_dgram_socket sendto; 
@@ -371,8 +370,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/uml.if.ptrace serefpolicy-3.10.0 allow $2 uml_ro_t:dir list_dir_perms; read_files_pattern($2, uml_ro_t, uml_ro_t) diff -up serefpolicy-3.10.0/policy/modules/apps/uml.te.ptrace serefpolicy-3.10.0/policy/modules/apps/uml.te ---- serefpolicy-3.10.0/policy/modules/apps/uml.te.ptrace 2011-10-11 16:42:15.645761715 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/uml.te 2011-10-11 16:42:16.098761588 -0400 +--- serefpolicy-3.10.0/policy/modules/apps/uml.te.ptrace 2011-10-14 09:46:28.569533323 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/uml.te 2011-10-14 09:46:29.107523012 -0400 @@ -53,7 +53,7 @@ files_pid_file(uml_switch_var_run_t) # @@ -383,8 +382,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/uml.te.ptrace serefpolicy-3.10.0 allow uml_t self:unix_dgram_socket create_socket_perms; # Use the network. diff -up serefpolicy-3.10.0/policy/modules/apps/wine.if.ptrace serefpolicy-3.10.0/policy/modules/apps/wine.if ---- serefpolicy-3.10.0/policy/modules/apps/wine.if.ptrace 2011-10-11 16:42:16.050761600 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/wine.if 2011-10-11 16:42:16.099761587 -0400 +--- serefpolicy-3.10.0/policy/modules/apps/wine.if.ptrace 2011-10-14 09:46:29.062523874 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/wine.if 2011-10-14 09:46:29.109522974 -0400 @@ -100,7 +100,7 @@ template(`wine_role_template',` role $2 types $1_wine_t; 
@@ -395,8 +394,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/wine.if.ptrace serefpolicy-3.10. corecmd_bin_domtrans($1_wine_t, $1_t) diff -up serefpolicy-3.10.0/policy/modules/kernel/domain.te.ptrace serefpolicy-3.10.0/policy/modules/kernel/domain.te ---- serefpolicy-3.10.0/policy/modules/kernel/domain.te.ptrace 2011-10-11 16:42:15.662761711 -0400 -+++ serefpolicy-3.10.0/policy/modules/kernel/domain.te 2011-10-11 16:42:16.225761551 -0400 +--- serefpolicy-3.10.0/policy/modules/kernel/domain.te.ptrace 2011-10-14 09:46:28.592532882 -0400 ++++ serefpolicy-3.10.0/policy/modules/kernel/domain.te 2011-10-14 09:48:15.824664136 -0400 @@ -181,7 +181,10 @@ allow unconfined_domain_type domain:fifo allow unconfined_domain_type unconfined_domain_type:dbus send_msg; @@ -409,15 +408,14 @@ diff -up serefpolicy-3.10.0/policy/modules/kernel/domain.te.ptrace serefpolicy-3 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -312,3 +315,5 @@ optional_policy(` - optional_policy(` - seutil_dontaudit_read_config(domain) +@@ -314,3 +317,4 @@ optional_policy(` ') -+ -+dontaudit domain domain:process { noatsecure siginh rlimitinh } ; + + dontaudit domain domain:process { noatsecure siginh rlimitinh } ; ++dontaudit domain self:capability sys_ptrace; diff -up serefpolicy-3.10.0/policy/modules/kernel/kernel.te.ptrace serefpolicy-3.10.0/policy/modules/kernel/kernel.te ---- serefpolicy-3.10.0/policy/modules/kernel/kernel.te.ptrace 2011-10-11 16:42:15.670761708 -0400 -+++ serefpolicy-3.10.0/policy/modules/kernel/kernel.te 2011-10-11 16:42:16.101761586 -0400 +--- serefpolicy-3.10.0/policy/modules/kernel/kernel.te.ptrace 2011-10-14 09:46:28.603532671 -0400 ++++ serefpolicy-3.10.0/policy/modules/kernel/kernel.te 2011-10-14 09:46:29.111522936 -0400 @@ -191,7 +191,11 @@ sid tcp_socket gen_context(system_u:obj # kernel local policy # 
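Review bot: The `dontaudit domain self:capability sys_ptrace;` line added at the end of the domain.te hunk silences denied sys_ptrace capability checks for every type carrying the `domain` attribute, so a confined service that starts asking for that capability leaves no AVC record for incident responders. The rule needs a comment giving the reason and the way to get the records back, for example `# sys_ptrace denials are silenced policy-wide; rebuild with semodule -DB to see them when investigating`. If only a few domains produce the noise, per-domain dontaudit rules would keep the audit trail everywhere else. The mozilla.te hunk on this page drops sys_ptrace from the mozilla_plugin_t dontaudit and appears to rely on this global rule, so the two need to stay in sync.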
@@ -441,8 +439,8 @@ diff -up serefpolicy-3.10.0/policy/modules/kernel/kernel.te.ptrace serefpolicy-3 gen_require(` bool secure_mode_insmod; diff -up serefpolicy-3.10.0/policy/modules/roles/dbadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/dbadm.te ---- serefpolicy-3.10.0/policy/modules/roles/dbadm.te.ptrace 2011-10-11 16:42:15.678761705 -0400 -+++ serefpolicy-3.10.0/policy/modules/roles/dbadm.te 2011-10-11 16:42:16.102761586 -0400 +--- serefpolicy-3.10.0/policy/modules/roles/dbadm.te.ptrace 2011-10-14 09:46:28.612532498 -0400 ++++ serefpolicy-3.10.0/policy/modules/roles/dbadm.te 2011-10-14 09:46:29.112522917 -0400 @@ -28,7 +28,7 @@ userdom_base_user_template(dbadm) # database admin local policy # @@ -454,7 +452,7 @@ diff -up serefpolicy-3.10.0/policy/modules/roles/dbadm.te.ptrace serefpolicy-3.1 files_delete_generic_locks(dbadm_t) diff -up serefpolicy-3.10.0/policy/modules/roles/logadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/logadm.te --- serefpolicy-3.10.0/policy/modules/roles/logadm.te.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/roles/logadm.te 2011-10-11 16:42:16.103761586 -0400 ++++ serefpolicy-3.10.0/policy/modules/roles/logadm.te 2011-10-14 09:46:29.113522898 -0400 @@ -14,6 +14,5 @@ userdom_base_user_template(logadm) # logadmin local policy # 
@@ -464,8 +462,8 @@ diff -up serefpolicy-3.10.0/policy/modules/roles/logadm.te.ptrace serefpolicy-3. +allow logadm_t self:capability { dac_override dac_read_search kill sys_nice }; logging_admin(logadm_t, logadm_r) diff -up serefpolicy-3.10.0/policy/modules/roles/sysadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/sysadm.te ---- serefpolicy-3.10.0/policy/modules/roles/sysadm.te.ptrace 2011-10-11 16:42:16.051761600 -0400 -+++ serefpolicy-3.10.0/policy/modules/roles/sysadm.te 2011-10-11 16:42:16.104761586 -0400 +--- serefpolicy-3.10.0/policy/modules/roles/sysadm.te.ptrace 2011-10-14 09:46:29.064523836 -0400 ++++ serefpolicy-3.10.0/policy/modules/roles/sysadm.te 2011-10-14 09:46:29.114522879 -0400 @@ -5,13 +5,6 @@ policy_module(sysadm, 2.2.1) # Declarations # @@ -490,8 +488,8 @@ diff -up serefpolicy-3.10.0/policy/modules/roles/sysadm.te.ptrace serefpolicy-3. ') diff -up serefpolicy-3.10.0/policy/modules/roles/webadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/webadm.te ---- serefpolicy-3.10.0/policy/modules/roles/webadm.te.ptrace 2011-10-11 16:42:15.683761705 -0400 -+++ serefpolicy-3.10.0/policy/modules/roles/webadm.te 2011-10-11 16:42:16.104761586 -0400 +--- serefpolicy-3.10.0/policy/modules/roles/webadm.te.ptrace 2011-10-14 09:46:28.618532384 -0400 ++++ serefpolicy-3.10.0/policy/modules/roles/webadm.te 2011-10-14 09:46:29.115522860 -0400 @@ -28,7 +28,7 @@ userdom_base_user_template(webadm) # webadmin local policy # 
@@ -502,8 +500,8 @@ diff -up serefpolicy-3.10.0/policy/modules/roles/webadm.te.ptrace serefpolicy-3. files_dontaudit_search_all_dirs(webadm_t) files_manage_generic_locks(webadm_t) diff -up serefpolicy-3.10.0/policy/modules/services/abrt.if.ptrace serefpolicy-3.10.0/policy/modules/services/abrt.if ---- serefpolicy-3.10.0/policy/modules/services/abrt.if.ptrace 2011-10-11 16:42:15.684761704 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/abrt.if 2011-10-11 16:42:16.106761585 -0400 +--- serefpolicy-3.10.0/policy/modules/services/abrt.if.ptrace 2011-10-14 09:46:28.620532345 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/abrt.if 2011-10-14 09:46:29.115522860 -0400 @@ -333,9 +333,13 @@ interface(`abrt_admin',` type abrt_initrc_exec_t; ') @@ -520,8 +518,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/abrt.if.ptrace serefpolicy-3 domain_system_change_exemption($1) role_transition $2 abrt_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/accountsd.if.ptrace serefpolicy-3.10.0/policy/modules/services/accountsd.if ---- serefpolicy-3.10.0/policy/modules/services/accountsd.if.ptrace 2011-10-11 16:42:15.686761703 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/accountsd.if 2011-10-11 16:42:16.106761585 -0400 +--- serefpolicy-3.10.0/policy/modules/services/accountsd.if.ptrace 2011-10-14 09:46:28.622532306 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/accountsd.if 2011-10-14 09:46:29.116522841 -0400 @@ -138,8 +138,12 @@ interface(`accountsd_admin',` type accountsd_t; ') 
@@ -537,8 +535,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/accountsd.if.ptrace serefpol accountsd_manage_lib_files($1) ') diff -up serefpolicy-3.10.0/policy/modules/services/accountsd.te.ptrace serefpolicy-3.10.0/policy/modules/services/accountsd.te ---- serefpolicy-3.10.0/policy/modules/services/accountsd.te.ptrace 2011-10-11 16:42:15.686761703 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/accountsd.te 2011-10-11 16:42:16.107761584 -0400 +--- serefpolicy-3.10.0/policy/modules/services/accountsd.te.ptrace 2011-10-14 09:46:28.623532287 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/accountsd.te 2011-10-14 09:46:29.117522822 -0400 @@ -19,7 +19,7 @@ files_type(accountsd_var_lib_t) # accountsd local policy # @@ -549,8 +547,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/accountsd.te.ptrace serefpol allow accountsd_t self:fifo_file rw_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/services/afs.if.ptrace serefpolicy-3.10.0/policy/modules/services/afs.if ---- serefpolicy-3.10.0/policy/modules/services/afs.if.ptrace 2011-10-11 16:42:15.686761703 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/afs.if 2011-10-11 16:42:16.107761584 -0400 +--- serefpolicy-3.10.0/policy/modules/services/afs.if.ptrace 2011-10-14 09:46:28.623532287 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/afs.if 2011-10-14 09:46:29.117522822 -0400 @@ -97,9 +97,13 @@ interface(`afs_admin',` type afs_t, afs_initrc_exec_t; ') 
@@ -568,7 +566,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/afs.if.ptrace serefpolicy-3. domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/aiccu.if.ptrace serefpolicy-3.10.0/policy/modules/services/aiccu.if --- serefpolicy-3.10.0/policy/modules/services/aiccu.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/aiccu.if 2011-10-11 16:42:16.108761584 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/aiccu.if 2011-10-14 09:46:29.118522803 -0400 @@ -79,9 +79,13 @@ interface(`aiccu_admin',` type aiccu_var_run_t; ') @@ -585,8 +583,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/aiccu.if.ptrace serefpolicy- domain_system_change_exemption($1) role_transition $2 aiccu_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/aide.if.ptrace serefpolicy-3.10.0/policy/modules/services/aide.if ---- serefpolicy-3.10.0/policy/modules/services/aide.if.ptrace 2011-10-11 16:42:15.689761703 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/aide.if 2011-10-11 16:42:16.108761584 -0400 +--- serefpolicy-3.10.0/policy/modules/services/aide.if.ptrace 2011-10-14 09:46:28.626532230 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/aide.if 2011-10-14 09:46:29.119522783 -0400 @@ -61,9 +61,13 @@ interface(`aide_admin',` type aide_t, aide_db_t, aide_log_t; ') 
@@ -603,8 +601,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/aide.if.ptrace serefpolicy-3 admin_pattern($1, aide_db_t) diff -up serefpolicy-3.10.0/policy/modules/services/aisexec.if.ptrace serefpolicy-3.10.0/policy/modules/services/aisexec.if ---- serefpolicy-3.10.0/policy/modules/services/aisexec.if.ptrace 2011-10-11 16:42:15.690761703 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/aisexec.if 2011-10-11 16:42:16.109761584 -0400 +--- serefpolicy-3.10.0/policy/modules/services/aisexec.if.ptrace 2011-10-14 09:46:28.627532211 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/aisexec.if 2011-10-14 09:46:29.119522783 -0400 @@ -82,9 +82,13 @@ interface(`aisexecd_admin',` type aisexec_initrc_exec_t; ') @@ -621,8 +619,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/aisexec.if.ptrace serefpolic domain_system_change_exemption($1) role_transition $2 aisexec_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/ajaxterm.if.ptrace serefpolicy-3.10.0/policy/modules/services/ajaxterm.if ---- serefpolicy-3.10.0/policy/modules/services/ajaxterm.if.ptrace 2011-10-11 16:42:15.691761702 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/ajaxterm.if 2011-10-11 16:42:16.109761584 -0400 +--- serefpolicy-3.10.0/policy/modules/services/ajaxterm.if.ptrace 2011-10-14 09:46:28.628532192 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/ajaxterm.if 2011-10-14 09:46:29.120522763 -0400 @@ -76,9 +76,13 @@ interface(`ajaxterm_admin',` type ajaxterm_t, ajaxterm_initrc_exec_t; ') 
@@ -640,7 +638,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ajaxterm.if.ptrace serefpoli role_transition $2 ajaxterm_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/amavis.if.ptrace serefpolicy-3.10.0/policy/modules/services/amavis.if --- serefpolicy-3.10.0/policy/modules/services/amavis.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/amavis.if 2011-10-11 16:42:16.110761584 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/amavis.if 2011-10-14 09:46:29.121522744 -0400 @@ -231,9 +231,13 @@ interface(`amavis_admin',` type amavis_initrc_exec_t; ') @@ -657,8 +655,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/amavis.if.ptrace serefpolicy domain_system_change_exemption($1) role_transition $2 amavis_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/apache.if.ptrace serefpolicy-3.10.0/policy/modules/services/apache.if ---- serefpolicy-3.10.0/policy/modules/services/apache.if.ptrace 2011-10-11 16:42:16.076761593 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/apache.if 2011-10-11 16:42:16.111761584 -0400 +--- serefpolicy-3.10.0/policy/modules/services/apache.if.ptrace 2011-10-14 09:46:29.079523549 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/apache.if 2011-10-14 09:46:29.122522725 -0400 @@ -1297,9 +1297,13 @@ interface(`apache_admin',` type httpd_unit_file_t; ') @@ -676,7 +674,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/apache.if.ptrace serefpolicy role_transition $2 httpd_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/apcupsd.if.ptrace serefpolicy-3.10.0/policy/modules/services/apcupsd.if --- serefpolicy-3.10.0/policy/modules/services/apcupsd.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/apcupsd.if 2011-10-11 16:42:16.111761584 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/apcupsd.if 2011-10-14 09:46:29.123522706 -0400 
@@ -146,9 +146,13 @@ interface(`apcupsd_admin',` type apcupsd_initrc_exec_t; ') @@ -693,8 +691,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/apcupsd.if.ptrace serefpolic domain_system_change_exemption($1) role_transition $2 apcupsd_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/apm.te.ptrace serefpolicy-3.10.0/policy/modules/services/apm.te ---- serefpolicy-3.10.0/policy/modules/services/apm.te.ptrace 2011-10-11 16:42:15.697761701 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/apm.te 2011-10-11 16:42:16.112761584 -0400 +--- serefpolicy-3.10.0/policy/modules/services/apm.te.ptrace 2011-10-14 09:46:28.636532038 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/apm.te 2011-10-14 09:46:29.123522706 -0400 @@ -60,7 +60,7 @@ logging_send_syslog_msg(apm_t) # mknod: controlling an orderly resume of PCMCIA requires creating device # nodes 254,{0,1,2} for some reason. @@ -705,8 +703,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/apm.te.ptrace serefpolicy-3. allow apmd_t self:fifo_file rw_fifo_file_perms; allow apmd_t self:netlink_socket create_socket_perms; diff -up serefpolicy-3.10.0/policy/modules/services/arpwatch.if.ptrace serefpolicy-3.10.0/policy/modules/services/arpwatch.if ---- serefpolicy-3.10.0/policy/modules/services/arpwatch.if.ptrace 2011-10-11 16:42:15.698761701 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/arpwatch.if 2011-10-11 16:42:16.113761583 -0400 +--- serefpolicy-3.10.0/policy/modules/services/arpwatch.if.ptrace 2011-10-14 09:46:28.636532038 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/arpwatch.if 2011-10-14 09:46:29.124522687 -0400 @@ -137,9 +137,13 @@ interface(`arpwatch_admin',` type arpwatch_initrc_exec_t; ') 
@@ -723,8 +721,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/arpwatch.if.ptrace serefpoli domain_system_change_exemption($1) role_transition $2 arpwatch_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/asterisk.if.ptrace serefpolicy-3.10.0/policy/modules/services/asterisk.if ---- serefpolicy-3.10.0/policy/modules/services/asterisk.if.ptrace 2011-10-11 16:42:15.699761701 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/asterisk.if 2011-10-11 16:42:16.113761583 -0400 +--- serefpolicy-3.10.0/policy/modules/services/asterisk.if.ptrace 2011-10-14 09:46:28.638532000 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/asterisk.if 2011-10-14 09:46:29.125522668 -0400 @@ -64,9 +64,13 @@ interface(`asterisk_admin',` type asterisk_initrc_exec_t; ') @@ -741,8 +739,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/asterisk.if.ptrace serefpoli domain_system_change_exemption($1) role_transition $2 asterisk_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/automount.if.ptrace serefpolicy-3.10.0/policy/modules/services/automount.if ---- serefpolicy-3.10.0/policy/modules/services/automount.if.ptrace 2011-10-11 16:42:15.700761701 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/automount.if 2011-10-11 16:42:16.114761582 -0400 +--- serefpolicy-3.10.0/policy/modules/services/automount.if.ptrace 2011-10-14 09:46:28.640531962 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/automount.if 2011-10-14 09:46:29.125522668 -0400 @@ -150,9 +150,13 @@ interface(`automount_admin',` type automount_var_run_t, automount_initrc_exec_t; ') 
@@ -759,8 +757,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/automount.if.ptrace serefpol domain_system_change_exemption($1) role_transition $2 automount_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/avahi.if.ptrace serefpolicy-3.10.0/policy/modules/services/avahi.if ---- serefpolicy-3.10.0/policy/modules/services/avahi.if.ptrace 2011-10-11 16:42:15.701761700 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/avahi.if 2011-10-11 16:42:16.114761582 -0400 +--- serefpolicy-3.10.0/policy/modules/services/avahi.if.ptrace 2011-10-14 09:46:28.641531943 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/avahi.if 2011-10-14 09:46:29.126522649 -0400 @@ -154,9 +154,13 @@ interface(`avahi_admin',` type avahi_t, avahi_var_run_t, avahi_initrc_exec_t; ') @@ -777,8 +775,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/avahi.if.ptrace serefpolicy- domain_system_change_exemption($1) role_transition $2 avahi_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/bind.if.ptrace serefpolicy-3.10.0/policy/modules/services/bind.if ---- serefpolicy-3.10.0/policy/modules/services/bind.if.ptrace 2011-10-11 16:42:15.702761699 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/bind.if 2011-10-11 16:42:16.115761582 -0400 +--- serefpolicy-3.10.0/policy/modules/services/bind.if.ptrace 2011-10-14 09:46:28.643531904 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/bind.if 2011-10-14 09:46:29.127522630 -0400 @@ -408,12 +408,20 @@ interface(`bind_admin',` type dnssec_t, ndc_t, named_keytab_t; ') 
@@ -804,7 +802,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/bind.if.ptrace serefpolicy-3 init_labeled_script_domtrans($1, named_initrc_exec_t) diff -up serefpolicy-3.10.0/policy/modules/services/bitlbee.if.ptrace serefpolicy-3.10.0/policy/modules/services/bitlbee.if --- serefpolicy-3.10.0/policy/modules/services/bitlbee.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/bitlbee.if 2011-10-11 16:42:16.116761582 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/bitlbee.if 2011-10-14 09:46:29.127522630 -0400 @@ -43,9 +43,13 @@ interface(`bitlbee_admin',` type bitlbee_initrc_exec_t; ') @@ -821,8 +819,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/bitlbee.if.ptrace serefpolic domain_system_change_exemption($1) role_transition $2 bitlbee_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/bluetooth.if.ptrace serefpolicy-3.10.0/policy/modules/services/bluetooth.if ---- serefpolicy-3.10.0/policy/modules/services/bluetooth.if.ptrace 2011-10-11 16:42:15.705761698 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/bluetooth.if 2011-10-11 16:42:16.116761582 -0400 +--- serefpolicy-3.10.0/policy/modules/services/bluetooth.if.ptrace 2011-10-14 09:46:28.645531865 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/bluetooth.if 2011-10-14 09:46:29.128522611 -0400 @@ -28,7 +28,11 @@ interface(`bluetooth_role',` # allow ps to show cdrecord and allow the user to kill it 
@@ -852,8 +850,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/bluetooth.if.ptrace serefpol domain_system_change_exemption($1) role_transition $2 bluetooth_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/boinc.if.ptrace serefpolicy-3.10.0/policy/modules/services/boinc.if ---- serefpolicy-3.10.0/policy/modules/services/boinc.if.ptrace 2011-10-11 16:42:15.706761698 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/boinc.if 2011-10-11 16:42:16.117761582 -0400 +--- serefpolicy-3.10.0/policy/modules/services/boinc.if.ptrace 2011-10-14 09:46:28.648531808 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/boinc.if 2011-10-14 09:46:29.129522592 -0400 @@ -137,9 +137,13 @@ interface(`boinc_admin',` type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t; ') @@ -870,8 +868,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/boinc.if.ptrace serefpolicy- domain_system_change_exemption($1) role_transition $2 boinc_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/boinc.te.ptrace serefpolicy-3.10.0/policy/modules/services/boinc.te ---- serefpolicy-3.10.0/policy/modules/services/boinc.te.ptrace 2011-10-11 16:42:16.027761608 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/boinc.te 2011-10-11 16:42:16.117761582 -0400 +--- serefpolicy-3.10.0/policy/modules/services/boinc.te.ptrace 2011-10-14 09:46:29.039524313 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/boinc.te 2011-10-14 09:46:29.130522573 -0400 @@ -121,9 +121,13 @@ mta_send_mail(boinc_t) domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t) allow boinc_t boinc_project_t:process sigkill; 
@@ -888,8 +886,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/boinc.te.ptrace serefpolicy- allow boinc_project_t self:sem create_sem_perms; diff -up serefpolicy-3.10.0/policy/modules/services/bugzilla.if.ptrace serefpolicy-3.10.0/policy/modules/services/bugzilla.if ---- serefpolicy-3.10.0/policy/modules/services/bugzilla.if.ptrace 2011-10-11 16:42:15.707761698 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/bugzilla.if 2011-10-11 16:42:16.118761582 -0400 +--- serefpolicy-3.10.0/policy/modules/services/bugzilla.if.ptrace 2011-10-14 09:46:28.649531789 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/bugzilla.if 2011-10-14 09:46:29.130522573 -0400 @@ -62,9 +62,13 @@ interface(`bugzilla_admin',` type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t; ') @@ -906,8 +904,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/bugzilla.if.ptrace serefpoli admin_pattern($1, httpd_bugzilla_tmp_t) diff -up serefpolicy-3.10.0/policy/modules/services/callweaver.if.ptrace serefpolicy-3.10.0/policy/modules/services/callweaver.if ---- serefpolicy-3.10.0/policy/modules/services/callweaver.if.ptrace 2011-10-11 16:42:15.710761696 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/callweaver.if 2011-10-11 16:42:16.119761582 -0400 +--- serefpolicy-3.10.0/policy/modules/services/callweaver.if.ptrace 2011-10-14 09:46:28.652531732 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/callweaver.if 2011-10-14 09:46:29.131522554 -0400 @@ -336,9 +336,13 @@ interface(`callweaver_admin',` type callweaver_spool_t; ') 
@@ -925,7 +923,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/callweaver.if.ptrace serefpo role_transition $2 callweaver_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/canna.if.ptrace serefpolicy-3.10.0/policy/modules/services/canna.if --- serefpolicy-3.10.0/policy/modules/services/canna.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/canna.if 2011-10-11 16:42:16.119761582 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/canna.if 2011-10-14 09:46:29.132522535 -0400 @@ -42,9 +42,13 @@ interface(`canna_admin',` type canna_var_run_t, canna_initrc_exec_t; ') @@ -942,8 +940,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/canna.if.ptrace serefpolicy- domain_system_change_exemption($1) role_transition $2 canna_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/certmaster.if.ptrace serefpolicy-3.10.0/policy/modules/services/certmaster.if ---- serefpolicy-3.10.0/policy/modules/services/certmaster.if.ptrace 2011-10-11 16:42:15.713761696 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/certmaster.if 2011-10-11 16:42:16.120761581 -0400 +--- serefpolicy-3.10.0/policy/modules/services/certmaster.if.ptrace 2011-10-14 09:46:28.656531654 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/certmaster.if 2011-10-14 09:46:29.132522535 -0400 @@ -119,9 +119,13 @@ interface(`certmaster_admin',` type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t; ') 
@@ -960,8 +958,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/certmaster.if.ptrace serefpo domain_system_change_exemption($1) role_transition $2 certmaster_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/certmonger.if.ptrace serefpolicy-3.10.0/policy/modules/services/certmonger.if ---- serefpolicy-3.10.0/policy/modules/services/certmonger.if.ptrace 2011-10-11 16:42:15.714761696 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/certmonger.if 2011-10-11 16:42:16.120761581 -0400 +--- serefpolicy-3.10.0/policy/modules/services/certmonger.if.ptrace 2011-10-14 09:46:28.657531635 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/certmonger.if 2011-10-14 09:46:29.133522515 -0400 @@ -158,7 +158,11 @@ interface(`certmonger_admin',` ') @@ -976,8 +974,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/certmonger.if.ptrace serefpo # Allow certmonger_t to restart the apache service certmonger_initrc_domtrans($1) diff -up serefpolicy-3.10.0/policy/modules/services/cgroup.if.ptrace serefpolicy-3.10.0/policy/modules/services/cgroup.if ---- serefpolicy-3.10.0/policy/modules/services/cgroup.if.ptrace 2011-10-11 16:42:15.716761695 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/cgroup.if 2011-10-11 16:42:16.121761580 -0400 +--- serefpolicy-3.10.0/policy/modules/services/cgroup.if.ptrace 2011-10-14 09:46:28.660531578 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/cgroup.if 2011-10-14 09:46:29.134522495 -0400 @@ -171,15 +171,27 @@ interface(`cgroup_admin',` type cgrules_etc_t, cgclear_t; ') 
@@ -1010,8 +1008,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cgroup.if.ptrace serefpolicy admin_pattern($1, cgrules_etc_t) files_list_etc($1) diff -up serefpolicy-3.10.0/policy/modules/services/cgroup.te.ptrace serefpolicy-3.10.0/policy/modules/services/cgroup.te ---- serefpolicy-3.10.0/policy/modules/services/cgroup.te.ptrace 2011-10-11 16:42:15.717761694 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/cgroup.te 2011-10-11 16:42:16.121761580 -0400 +--- serefpolicy-3.10.0/policy/modules/services/cgroup.te.ptrace 2011-10-14 09:46:28.660531578 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/cgroup.te 2011-10-14 09:46:29.134522495 -0400 @@ -76,7 +76,8 @@ fs_unmount_cgroup(cgconfig_t) # cgred personal policy. # @@ -1023,8 +1021,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cgroup.te.ptrace serefpolicy allow cgred_t self:unix_dgram_socket { write create connect }; diff -up serefpolicy-3.10.0/policy/modules/services/chronyd.if.ptrace serefpolicy-3.10.0/policy/modules/services/chronyd.if ---- serefpolicy-3.10.0/policy/modules/services/chronyd.if.ptrace 2011-10-11 16:42:15.718761694 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/chronyd.if 2011-10-11 16:42:16.122761580 -0400 +--- serefpolicy-3.10.0/policy/modules/services/chronyd.if.ptrace 2011-10-14 09:46:28.661531559 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/chronyd.if 2011-10-14 09:46:29.135522476 -0400 @@ -217,9 +217,13 @@ interface(`chronyd_admin',` type chronyd_keys_t; ') 
@@ -1041,8 +1039,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/chronyd.if.ptrace serefpolic domain_system_change_exemption($1) role_transition $2 chronyd_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/clamav.if.ptrace serefpolicy-3.10.0/policy/modules/services/clamav.if ---- serefpolicy-3.10.0/policy/modules/services/clamav.if.ptrace 2011-10-11 16:42:15.720761694 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/clamav.if 2011-10-11 16:42:16.123761580 -0400 +--- serefpolicy-3.10.0/policy/modules/services/clamav.if.ptrace 2011-10-14 09:46:28.664531502 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/clamav.if 2011-10-14 09:46:29.135522476 -0400 @@ -176,13 +176,19 @@ interface(`clamav_admin',` type freshclam_t, freshclam_var_log_t; ') @@ -1067,8 +1065,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/clamav.if.ptrace serefpolicy init_labeled_script_domtrans($1, clamd_initrc_exec_t) diff -up serefpolicy-3.10.0/policy/modules/services/cmirrord.if.ptrace serefpolicy-3.10.0/policy/modules/services/cmirrord.if ---- serefpolicy-3.10.0/policy/modules/services/cmirrord.if.ptrace 2011-10-11 16:42:15.723761693 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/cmirrord.if 2011-10-11 16:42:16.123761580 -0400 +--- serefpolicy-3.10.0/policy/modules/services/cmirrord.if.ptrace 2011-10-14 09:46:28.668531424 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/cmirrord.if 2011-10-14 09:46:29.136522457 -0400 @@ -101,9 +101,13 @@ interface(`cmirrord_admin',` type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t; ') 
@@ -1085,8 +1083,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cmirrord.if.ptrace serefpoli domain_system_change_exemption($1) role_transition $2 cmirrord_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/cobbler.if.ptrace serefpolicy-3.10.0/policy/modules/services/cobbler.if ---- serefpolicy-3.10.0/policy/modules/services/cobbler.if.ptrace 2011-10-11 16:42:15.724761692 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/cobbler.if 2011-10-11 16:42:16.124761580 -0400 +--- serefpolicy-3.10.0/policy/modules/services/cobbler.if.ptrace 2011-10-14 09:46:28.669531405 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/cobbler.if 2011-10-14 09:46:29.137522438 -0400 @@ -189,9 +189,13 @@ interface(`cobblerd_admin',` type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t; ') @@ -1103,8 +1101,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cobbler.if.ptrace serefpolic admin_pattern($1, cobbler_etc_t) diff -up serefpolicy-3.10.0/policy/modules/services/cobbler.te.ptrace serefpolicy-3.10.0/policy/modules/services/cobbler.te ---- serefpolicy-3.10.0/policy/modules/services/cobbler.te.ptrace 2011-10-11 16:42:15.724761692 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/cobbler.te 2011-10-11 16:42:16.124761580 -0400 +--- serefpolicy-3.10.0/policy/modules/services/cobbler.te.ptrace 2011-10-14 09:46:28.670531386 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/cobbler.te 2011-10-14 09:46:29.138522419 -0400 @@ -60,7 +60,7 @@ files_tmp_file(cobbler_tmp_t) # 
@@ -1115,8 +1113,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cobbler.te.ptrace serefpolic allow cobblerd_t self:process { getsched setsched signal }; allow cobblerd_t self:fifo_file rw_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/services/collectd.if.ptrace serefpolicy-3.10.0/policy/modules/services/collectd.if ---- serefpolicy-3.10.0/policy/modules/services/collectd.if.ptrace 2011-10-11 16:42:15.725761692 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/collectd.if 2011-10-11 16:42:16.125761580 -0400 +--- serefpolicy-3.10.0/policy/modules/services/collectd.if.ptrace 2011-10-14 09:46:28.671531367 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/collectd.if 2011-10-14 09:46:29.139522400 -0400 @@ -142,9 +142,13 @@ interface(`collectd_admin',` type collectd_var_lib_t; ') @@ -1133,8 +1131,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/collectd.if.ptrace serefpoli domain_system_change_exemption($1) role_transition $2 collectd_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/consolekit.te.ptrace serefpolicy-3.10.0/policy/modules/services/consolekit.te ---- serefpolicy-3.10.0/policy/modules/services/consolekit.te.ptrace 2011-10-11 16:42:15.727761692 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/consolekit.te 2011-10-11 16:42:16.125761580 -0400 +--- serefpolicy-3.10.0/policy/modules/services/consolekit.te.ptrace 2011-10-14 09:46:28.673531329 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/consolekit.te 2011-10-14 09:46:29.140522381 -0400 @@ -23,7 +23,8 @@ files_tmpfs_file(consolekit_tmpfs_t) # consolekit local policy # 
@@ -1156,8 +1154,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/consolekit.te.ptrace serefpo unconfined_stream_connect(consolekit_t) ') diff -up serefpolicy-3.10.0/policy/modules/services/corosync.if.ptrace serefpolicy-3.10.0/policy/modules/services/corosync.if ---- serefpolicy-3.10.0/policy/modules/services/corosync.if.ptrace 2011-10-11 16:42:15.728761692 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/corosync.if 2011-10-11 16:42:16.126761580 -0400 +--- serefpolicy-3.10.0/policy/modules/services/corosync.if.ptrace 2011-10-14 09:46:28.674531310 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/corosync.if 2011-10-14 09:46:29.141522362 -0400 @@ -101,9 +101,13 @@ interface(`corosyncd_admin',` type corosync_initrc_exec_t; ') @@ -1174,9 +1172,9 @@ diff -up serefpolicy-3.10.0/policy/modules/services/corosync.if.ptrace serefpoli domain_system_change_exemption($1) role_transition $2 corosync_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/corosync.te.ptrace serefpolicy-3.10.0/policy/modules/services/corosync.te ---- serefpolicy-3.10.0/policy/modules/services/corosync.te.ptrace 2011-10-11 16:42:15.729761692 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/corosync.te 2011-10-11 16:42:16.126761580 -0400 -@@ -32,7 +32,7 @@ files_pid_file(corosync_var_run_t) +--- serefpolicy-3.10.0/policy/modules/services/corosync.te.ptrace 2011-10-14 09:46:28.675531291 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/corosync.te 2011-10-14 09:46:29.142522343 -0400 +@@ -33,7 +33,7 @@ files_pid_file(corosync_var_run_t) # corosync local policy # 
@@ -1186,8 +1184,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/corosync.te.ptrace serefpoli allow corosync_t self:fifo_file rw_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/services/cron.if.ptrace serefpolicy-3.10.0/policy/modules/services/cron.if ---- serefpolicy-3.10.0/policy/modules/services/cron.if.ptrace 2011-10-11 16:42:15.732761690 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/cron.if 2011-10-11 16:42:16.127761579 -0400 +--- serefpolicy-3.10.0/policy/modules/services/cron.if.ptrace 2011-10-14 09:46:28.679531213 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/cron.if 2011-10-14 09:46:29.143522324 -0400 @@ -140,7 +140,11 @@ interface(`cron_role',` # crontab shows up in user ps @@ -1226,8 +1224,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cron.if.ptrace serefpolicy-3 # Run helper programs as the user domain #corecmd_bin_domtrans(admin_crontab_t, $2) diff -up serefpolicy-3.10.0/policy/modules/services/cron.te.ptrace serefpolicy-3.10.0/policy/modules/services/cron.te ---- serefpolicy-3.10.0/policy/modules/services/cron.te.ptrace 2011-10-11 16:42:16.027761608 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/cron.te 2011-10-11 16:42:16.128761578 -0400 +--- serefpolicy-3.10.0/policy/modules/services/cron.te.ptrace 2011-10-14 09:46:29.040524294 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/cron.te 2011-10-14 09:46:29.145522286 -0400 @@ -350,7 +350,6 @@ optional_policy(` # 
@@ -1237,8 +1235,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cron.te.ptrace serefpolicy-3 allow system_cronjob_t self:process { signal_perms getsched setsched }; allow system_cronjob_t self:fifo_file rw_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/services/ctdbd.if.ptrace serefpolicy-3.10.0/policy/modules/services/ctdbd.if ---- serefpolicy-3.10.0/policy/modules/services/ctdbd.if.ptrace 2011-10-11 16:42:15.734761690 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/ctdbd.if 2011-10-11 16:42:16.128761578 -0400 +--- serefpolicy-3.10.0/policy/modules/services/ctdbd.if.ptrace 2011-10-14 09:46:28.681531175 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/ctdbd.if 2011-10-14 09:46:29.146522267 -0400 @@ -236,8 +236,11 @@ interface(`ctdbd_admin',` type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t; ') @@ -1253,8 +1251,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ctdbd.if.ptrace serefpolicy- ctdbd_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/ctdbd.te.ptrace serefpolicy-3.10.0/policy/modules/services/ctdbd.te ---- serefpolicy-3.10.0/policy/modules/services/ctdbd.te.ptrace 2011-10-11 16:42:15.734761690 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/ctdbd.te 2011-10-11 16:42:16.129761578 -0400 +--- serefpolicy-3.10.0/policy/modules/services/ctdbd.te.ptrace 2011-10-14 09:46:28.682531156 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/ctdbd.te 2011-10-14 09:46:29.146522267 -0400 @@ -33,7 +33,7 @@ files_pid_file(ctdbd_var_run_t) # ctdbd local policy # 
@@ -1265,8 +1263,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ctdbd.te.ptrace serefpolicy- allow ctdbd_t self:fifo_file rw_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/services/cups.if.ptrace serefpolicy-3.10.0/policy/modules/services/cups.if ---- serefpolicy-3.10.0/policy/modules/services/cups.if.ptrace 2011-10-11 16:42:15.735761690 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/cups.if 2011-10-11 16:42:16.130761578 -0400 +--- serefpolicy-3.10.0/policy/modules/services/cups.if.ptrace 2011-10-14 09:46:28.683531137 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/cups.if 2011-10-14 09:46:29.147522248 -0400 @@ -327,9 +327,13 @@ interface(`cups_admin',` type ptal_var_run_t; ') @@ -1283,8 +1281,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cups.if.ptrace serefpolicy-3 domain_system_change_exemption($1) role_transition $2 cupsd_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/cvs.if.ptrace serefpolicy-3.10.0/policy/modules/services/cvs.if ---- serefpolicy-3.10.0/policy/modules/services/cvs.if.ptrace 2011-10-11 16:42:15.737761690 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/cvs.if 2011-10-11 16:42:16.131761578 -0400 +--- serefpolicy-3.10.0/policy/modules/services/cvs.if.ptrace 2011-10-14 09:46:28.685531099 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/cvs.if 2011-10-14 09:46:29.148522228 -0400 @@ -80,9 +80,13 @@ interface(`cvs_admin',` type cvs_data_t, cvs_var_run_t; ') 
@@ -1302,7 +1300,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cvs.if.ptrace serefpolicy-3. domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/cyrus.if.ptrace serefpolicy-3.10.0/policy/modules/services/cyrus.if --- serefpolicy-3.10.0/policy/modules/services/cyrus.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/cyrus.if 2011-10-11 16:42:16.131761578 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/cyrus.if 2011-10-14 09:46:29.148522228 -0400 @@ -62,9 +62,13 @@ interface(`cyrus_admin',` type cyrus_var_run_t, cyrus_initrc_exec_t; ') @@ -1319,8 +1317,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cyrus.if.ptrace serefpolicy- domain_system_change_exemption($1) role_transition $2 cyrus_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/dbus.if.ptrace serefpolicy-3.10.0/policy/modules/services/dbus.if ---- serefpolicy-3.10.0/policy/modules/services/dbus.if.ptrace 2011-10-11 16:42:15.740761689 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/dbus.if 2011-10-11 16:42:16.132761578 -0400 +--- serefpolicy-3.10.0/policy/modules/services/dbus.if.ptrace 2011-10-14 09:46:28.690531003 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/dbus.if 2011-10-14 09:46:29.149522208 -0400 @@ -71,7 +71,11 @@ template(`dbus_role_template',` domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t) 
@@ -1335,8 +1333,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/dbus.if.ptrace serefpolicy-3 # cjp: this seems very broken corecmd_bin_domtrans($1_dbusd_t, $1_t) diff -up serefpolicy-3.10.0/policy/modules/services/ddclient.if.ptrace serefpolicy-3.10.0/policy/modules/services/ddclient.if ---- serefpolicy-3.10.0/policy/modules/services/ddclient.if.ptrace 2011-10-11 16:42:15.742761687 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/ddclient.if 2011-10-11 16:42:16.132761578 -0400 +--- serefpolicy-3.10.0/policy/modules/services/ddclient.if.ptrace 2011-10-14 09:46:28.693530945 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/ddclient.if 2011-10-14 09:46:29.150522189 -0400 @@ -68,9 +68,13 @@ interface(`ddclient_admin',` type ddclient_var_run_t; ') @@ -1353,8 +1351,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ddclient.if.ptrace serefpoli domain_system_change_exemption($1) role_transition $2 ddclient_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/denyhosts.if.ptrace serefpolicy-3.10.0/policy/modules/services/denyhosts.if ---- serefpolicy-3.10.0/policy/modules/services/denyhosts.if.ptrace 2011-10-11 16:42:15.744761687 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/denyhosts.if 2011-10-11 16:42:16.133761578 -0400 +--- serefpolicy-3.10.0/policy/modules/services/denyhosts.if.ptrace 2011-10-14 09:46:28.694530926 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/denyhosts.if 2011-10-14 09:46:29.151522170 -0400 @@ -67,9 +67,13 @@ interface(`denyhosts_admin',` type denyhosts_var_log_t, denyhosts_initrc_exec_t; ') 
@@ -1371,8 +1369,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/denyhosts.if.ptrace serefpol domain_system_change_exemption($1) role_transition $2 denyhosts_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/devicekit.if.ptrace serefpolicy-3.10.0/policy/modules/services/devicekit.if ---- serefpolicy-3.10.0/policy/modules/services/devicekit.if.ptrace 2011-10-11 16:42:15.745761687 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/devicekit.if 2011-10-11 16:42:16.133761578 -0400 +--- serefpolicy-3.10.0/policy/modules/services/devicekit.if.ptrace 2011-10-14 09:46:28.696530888 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/devicekit.if 2011-10-14 09:46:29.151522170 -0400 @@ -308,13 +308,18 @@ interface(`devicekit_admin',` type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; ') @@ -1396,8 +1394,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/devicekit.if.ptrace serefpol admin_pattern($1, devicekit_tmp_t) diff -up serefpolicy-3.10.0/policy/modules/services/devicekit.te.ptrace serefpolicy-3.10.0/policy/modules/services/devicekit.te ---- serefpolicy-3.10.0/policy/modules/services/devicekit.te.ptrace 2011-10-11 16:42:15.746761687 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/devicekit.te 2011-10-11 16:42:16.134761577 -0400 +--- serefpolicy-3.10.0/policy/modules/services/devicekit.te.ptrace 2011-10-14 09:46:28.697530869 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/devicekit.te 2011-10-14 09:46:29.152522151 -0400 @@ -65,7 +65,8 @@ optional_policy(` # DeviceKit disk local policy # 
@@ -1418,8 +1416,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/devicekit.te.ptrace serefpol allow devicekit_power_t self:fifo_file rw_fifo_file_perms; allow devicekit_power_t self:unix_dgram_socket create_socket_perms; diff -up serefpolicy-3.10.0/policy/modules/services/dhcp.if.ptrace serefpolicy-3.10.0/policy/modules/services/dhcp.if ---- serefpolicy-3.10.0/policy/modules/services/dhcp.if.ptrace 2011-10-11 16:42:15.747761687 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/dhcp.if 2011-10-11 16:42:16.135761576 -0400 +--- serefpolicy-3.10.0/policy/modules/services/dhcp.if.ptrace 2011-10-14 09:46:28.698530850 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/dhcp.if 2011-10-14 09:46:29.153522132 -0400 @@ -105,8 +105,11 @@ interface(`dhcpd_admin',` type dhcpd_var_run_t, dhcpd_initrc_exec_t; ') @@ -1435,7 +1433,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/dhcp.if.ptrace serefpolicy-3 domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/dictd.if.ptrace serefpolicy-3.10.0/policy/modules/services/dictd.if --- serefpolicy-3.10.0/policy/modules/services/dictd.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/dictd.if 2011-10-11 16:42:16.135761576 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/dictd.if 2011-10-14 09:46:29.153522132 -0400 @@ -38,8 +38,11 @@ interface(`dictd_admin',` type dictd_var_run_t, dictd_initrc_exec_t; ') 
@@ -1450,8 +1448,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/dictd.if.ptrace serefpolicy- init_labeled_script_domtrans($1, dictd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/dnsmasq.if.ptrace serefpolicy-3.10.0/policy/modules/services/dnsmasq.if ---- serefpolicy-3.10.0/policy/modules/services/dnsmasq.if.ptrace 2011-10-11 16:42:15.752761685 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/dnsmasq.if 2011-10-11 16:42:16.136761576 -0400 +--- serefpolicy-3.10.0/policy/modules/services/dnsmasq.if.ptrace 2011-10-14 09:46:28.704530734 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/dnsmasq.if 2011-10-14 09:46:29.154522113 -0400 @@ -281,8 +281,11 @@ interface(`dnsmasq_admin',` type dnsmasq_initrc_exec_t; ') @@ -1466,8 +1464,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/dnsmasq.if.ptrace serefpolic init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/dovecot.if.ptrace serefpolicy-3.10.0/policy/modules/services/dovecot.if ---- serefpolicy-3.10.0/policy/modules/services/dovecot.if.ptrace 2011-10-11 16:42:15.754761685 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/dovecot.if 2011-10-11 16:42:16.136761576 -0400 +--- serefpolicy-3.10.0/policy/modules/services/dovecot.if.ptrace 2011-10-14 09:46:28.706530696 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/dovecot.if 2011-10-14 09:46:29.155522094 -0400 @@ -119,8 +119,11 @@ interface(`dovecot_admin',` type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t; ') 
@@ -1482,8 +1480,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/dovecot.if.ptrace serefpolic init_labeled_script_domtrans($1, dovecot_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/drbd.if.ptrace serefpolicy-3.10.0/policy/modules/services/drbd.if ---- serefpolicy-3.10.0/policy/modules/services/drbd.if.ptrace 2011-10-11 16:42:15.755761684 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/drbd.if 2011-10-11 16:42:16.137761576 -0400 +--- serefpolicy-3.10.0/policy/modules/services/drbd.if.ptrace 2011-10-14 09:46:28.709530639 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/drbd.if 2011-10-14 09:46:29.155522094 -0400 @@ -120,8 +120,11 @@ interface(`drbd_admin',` type drbd_var_lib_t; ') @@ -1498,8 +1496,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/drbd.if.ptrace serefpolicy-3 files_search_var_lib($1) admin_pattern($1, drbd_var_lib_t) diff -up serefpolicy-3.10.0/policy/modules/services/dspam.if.ptrace serefpolicy-3.10.0/policy/modules/services/dspam.if ---- serefpolicy-3.10.0/policy/modules/services/dspam.if.ptrace 2011-10-11 16:42:15.756761683 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/dspam.if 2011-10-11 16:42:16.138761576 -0400 +--- serefpolicy-3.10.0/policy/modules/services/dspam.if.ptrace 2011-10-14 09:46:28.711530601 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/dspam.if 2011-10-14 09:46:29.156522075 -0400 @@ -244,8 +244,11 @@ interface(`dspam_admin',` type dspam_var_run_t; ') 
@@ -1514,8 +1512,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/dspam.if.ptrace serefpolicy- dspam_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/exim.if.ptrace serefpolicy-3.10.0/policy/modules/services/exim.if ---- serefpolicy-3.10.0/policy/modules/services/exim.if.ptrace 2011-10-11 16:42:15.758761683 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/exim.if 2011-10-11 16:42:16.139761576 -0400 +--- serefpolicy-3.10.0/policy/modules/services/exim.if.ptrace 2011-10-14 09:46:28.712530582 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/exim.if 2011-10-14 09:46:29.157522056 -0400 @@ -260,8 +260,11 @@ interface(`exim_admin',` type exim_tmp_t, exim_spool_t, exim_var_run_t; ') @@ -1530,8 +1528,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/exim.if.ptrace serefpolicy-3 exim_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/fail2ban.if.ptrace serefpolicy-3.10.0/policy/modules/services/fail2ban.if ---- serefpolicy-3.10.0/policy/modules/services/fail2ban.if.ptrace 2011-10-11 16:42:15.760761683 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/fail2ban.if 2011-10-11 16:42:16.139761576 -0400 +--- serefpolicy-3.10.0/policy/modules/services/fail2ban.if.ptrace 2011-10-14 09:46:28.714530543 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/fail2ban.if 2011-10-14 09:46:29.158522037 -0400 @@ -199,8 +199,11 @@ interface(`fail2ban_admin',` type fail2ban_client_t; ') 
@@ -1546,8 +1544,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/fail2ban.if.ptrace serefpoli init_labeled_script_domtrans($1, fail2ban_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/fcoemon.if.ptrace serefpolicy-3.10.0/policy/modules/services/fcoemon.if ---- serefpolicy-3.10.0/policy/modules/services/fcoemon.if.ptrace 2011-10-11 16:42:15.761761683 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/fcoemon.if 2011-10-11 16:42:16.140761576 -0400 +--- serefpolicy-3.10.0/policy/modules/services/fcoemon.if.ptrace 2011-10-14 09:46:28.716530504 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/fcoemon.if 2011-10-14 09:46:29.158522037 -0400 @@ -81,8 +81,11 @@ interface(`fcoemon_admin',` type fcoemon_var_run_t; ') @@ -1562,8 +1560,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/fcoemon.if.ptrace serefpolic files_search_pids($1) admin_pattern($1, fcoemon_var_run_t) diff -up serefpolicy-3.10.0/policy/modules/services/fetchmail.if.ptrace serefpolicy-3.10.0/policy/modules/services/fetchmail.if ---- serefpolicy-3.10.0/policy/modules/services/fetchmail.if.ptrace 2011-10-11 16:42:15.762761682 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/fetchmail.if 2011-10-11 16:42:16.140761576 -0400 +--- serefpolicy-3.10.0/policy/modules/services/fetchmail.if.ptrace 2011-10-14 09:46:28.717530485 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/fetchmail.if 2011-10-14 09:46:29.159522018 -0400 @@ -18,8 +18,11 @@ interface(`fetchmail_admin',` type fetchmail_var_run_t; ') 
@@ -1578,8 +1576,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/fetchmail.if.ptrace serefpol files_list_etc($1) admin_pattern($1, fetchmail_etc_t) diff -up serefpolicy-3.10.0/policy/modules/services/firewalld.if.ptrace serefpolicy-3.10.0/policy/modules/services/firewalld.if ---- serefpolicy-3.10.0/policy/modules/services/firewalld.if.ptrace 2011-10-11 16:42:15.763761681 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/firewalld.if 2011-10-11 16:42:16.141761575 -0400 +--- serefpolicy-3.10.0/policy/modules/services/firewalld.if.ptrace 2011-10-14 09:46:28.719530447 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/firewalld.if 2011-10-14 09:46:29.159522018 -0400 @@ -62,8 +62,11 @@ interface(`firewalld_admin',` type firewalld_initrc_exec_t; ') @@ -1594,8 +1592,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/firewalld.if.ptrace serefpol firewalld_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/fprintd.te.ptrace serefpolicy-3.10.0/policy/modules/services/fprintd.te ---- serefpolicy-3.10.0/policy/modules/services/fprintd.te.ptrace 2011-10-11 16:42:15.765761681 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/fprintd.te 2011-10-11 16:42:16.141761575 -0400 +--- serefpolicy-3.10.0/policy/modules/services/fprintd.te.ptrace 2011-10-14 09:46:28.721530409 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/fprintd.te 2011-10-14 09:46:29.160521999 -0400 @@ -17,7 +17,8 @@ files_type(fprintd_var_lib_t) # Local policy # 
@@ -1607,8 +1605,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/fprintd.te.ptrace serefpolic allow fprintd_t self:process { getsched setsched signal }; diff -up serefpolicy-3.10.0/policy/modules/services/ftp.if.ptrace serefpolicy-3.10.0/policy/modules/services/ftp.if ---- serefpolicy-3.10.0/policy/modules/services/ftp.if.ptrace 2011-10-11 16:42:15.766761681 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/ftp.if 2011-10-11 16:42:16.142761574 -0400 +--- serefpolicy-3.10.0/policy/modules/services/ftp.if.ptrace 2011-10-14 09:46:28.722530390 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/ftp.if 2011-10-14 09:46:29.161521980 -0400 @@ -237,8 +237,11 @@ interface(`ftp_admin',` type ftpd_initrc_exec_t; ') @@ -1623,8 +1621,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ftp.if.ptrace serefpolicy-3. init_labeled_script_domtrans($1, ftpd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/git.if.ptrace serefpolicy-3.10.0/policy/modules/services/git.if ---- serefpolicy-3.10.0/policy/modules/services/git.if.ptrace 2011-10-11 16:42:15.768761681 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/git.if 2011-10-11 16:42:16.142761574 -0400 +--- serefpolicy-3.10.0/policy/modules/services/git.if.ptrace 2011-10-14 09:46:28.725530332 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/git.if 2011-10-14 09:46:29.162521961 -0400 @@ -42,8 +42,11 @@ interface(`git_session_role',` domtrans_pattern($2, gitd_exec_t, git_session_t) 
@@ -1639,8 +1637,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/git.if.ptrace serefpolicy-3. ######################################## diff -up serefpolicy-3.10.0/policy/modules/services/glance.if.ptrace serefpolicy-3.10.0/policy/modules/services/glance.if ---- serefpolicy-3.10.0/policy/modules/services/glance.if.ptrace 2011-10-11 16:42:15.770761679 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/glance.if 2011-10-11 16:42:16.143761574 -0400 +--- serefpolicy-3.10.0/policy/modules/services/glance.if.ptrace 2011-10-14 09:46:28.727530293 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/glance.if 2011-10-14 09:46:29.163521941 -0400 @@ -245,10 +245,14 @@ interface(`glance_admin',` type glance_api_initrc_exec_t; ') @@ -1659,8 +1657,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/glance.if.ptrace serefpolicy init_labeled_script_domtrans($1, glance_registry_initrc_exec_t) diff -up serefpolicy-3.10.0/policy/modules/services/gnomeclock.te.ptrace serefpolicy-3.10.0/policy/modules/services/gnomeclock.te ---- serefpolicy-3.10.0/policy/modules/services/gnomeclock.te.ptrace 2011-10-11 16:42:15.771761679 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/gnomeclock.te 2011-10-11 16:42:16.144761574 -0400 +--- serefpolicy-3.10.0/policy/modules/services/gnomeclock.te.ptrace 2011-10-14 09:46:28.729530255 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/gnomeclock.te 2011-10-14 09:46:29.163521941 -0400 @@ -14,7 +14,7 @@ dbus_system_domain(gnomeclock_t, gnomecl # gnomeclock local policy # 
@@ -1671,8 +1669,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/gnomeclock.te.ptrace serefpo allow gnomeclock_t self:fifo_file rw_fifo_file_perms; allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms; diff -up serefpolicy-3.10.0/policy/modules/services/gpsd.te.ptrace serefpolicy-3.10.0/policy/modules/services/gpsd.te ---- serefpolicy-3.10.0/policy/modules/services/gpsd.te.ptrace 2011-10-11 16:42:15.773761679 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/gpsd.te 2011-10-11 16:42:16.144761574 -0400 +--- serefpolicy-3.10.0/policy/modules/services/gpsd.te.ptrace 2011-10-14 09:46:28.731530217 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/gpsd.te 2011-10-14 09:46:29.164521921 -0400 @@ -25,7 +25,7 @@ files_pid_file(gpsd_var_run_t) # @@ -1683,8 +1681,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/gpsd.te.ptrace serefpolicy-3 allow gpsd_t self:shm create_shm_perms; allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto }; diff -up serefpolicy-3.10.0/policy/modules/services/hadoop.if.ptrace serefpolicy-3.10.0/policy/modules/services/hadoop.if ---- serefpolicy-3.10.0/policy/modules/services/hadoop.if.ptrace 2011-10-11 16:42:16.028761607 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/hadoop.if 2011-10-11 16:42:16.145761574 -0400 +--- serefpolicy-3.10.0/policy/modules/services/hadoop.if.ptrace 2011-10-14 09:46:29.040524294 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/hadoop.if 2011-10-14 09:46:29.165521902 -0400 @@ -222,14 +222,21 @@ interface(`hadoop_role',` hadoop_domtrans($2) role $1 types hadoop_t; 
@@ -1710,8 +1708,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/hadoop.if.ptrace serefpolicy ######################################## diff -up serefpolicy-3.10.0/policy/modules/services/hal.if.ptrace serefpolicy-3.10.0/policy/modules/services/hal.if ---- serefpolicy-3.10.0/policy/modules/services/hal.if.ptrace 2011-10-11 16:42:15.776761679 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/hal.if 2011-10-11 16:42:16.146761574 -0400 +--- serefpolicy-3.10.0/policy/modules/services/hal.if.ptrace 2011-10-14 09:46:28.735530141 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/hal.if 2011-10-14 09:46:29.166521883 -0400 @@ -70,7 +70,9 @@ interface(`hal_ptrace',` type hald_t; ') @@ -1724,8 +1722,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/hal.if.ptrace serefpolicy-3. ######################################## diff -up serefpolicy-3.10.0/policy/modules/services/hal.te.ptrace serefpolicy-3.10.0/policy/modules/services/hal.te ---- serefpolicy-3.10.0/policy/modules/services/hal.te.ptrace 2011-10-11 16:42:15.776761679 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/hal.te 2011-10-11 16:42:16.146761574 -0400 +--- serefpolicy-3.10.0/policy/modules/services/hal.te.ptrace 2011-10-14 09:46:28.735530141 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/hal.te 2011-10-14 09:46:29.167521864 -0400 @@ -64,7 +64,7 @@ typealias hald_var_run_t alias pmtools_v # execute openvt which needs setuid 
@@ -1736,8 +1734,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/hal.te.ptrace serefpolicy-3.
 allow hald_t self:fifo_file rw_fifo_file_perms;
 allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
 diff -up serefpolicy-3.10.0/policy/modules/services/hddtemp.if.ptrace serefpolicy-3.10.0/policy/modules/services/hddtemp.if
---- serefpolicy-3.10.0/policy/modules/services/hddtemp.if.ptrace 2011-10-11 16:42:15.777761679 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/hddtemp.if 2011-10-11 16:42:16.147761574 -0400
+--- serefpolicy-3.10.0/policy/modules/services/hddtemp.if.ptrace 2011-10-14 09:46:28.736530122 -0400
++++ serefpolicy-3.10.0/policy/modules/services/hddtemp.if 2011-10-14 09:46:29.167521864 -0400
 @@ -60,8 +60,11 @@ interface(`hddtemp_admin',`
 type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t;
 ')
@@ -1752,8 +1750,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/hddtemp.if.ptrace serefpolic
 init_labeled_script_domtrans($1, hddtemp_initrc_exec_t)
 domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/icecast.if.ptrace serefpolicy-3.10.0/policy/modules/services/icecast.if
---- serefpolicy-3.10.0/policy/modules/services/icecast.if.ptrace 2011-10-11 16:42:15.778761679 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/icecast.if 2011-10-11 16:42:16.148761574 -0400
+--- serefpolicy-3.10.0/policy/modules/services/icecast.if.ptrace 2011-10-14 09:46:28.737530102 -0400
++++ serefpolicy-3.10.0/policy/modules/services/icecast.if 2011-10-14 09:46:29.168521845 -0400
 @@ -173,8 +173,11 @@ interface(`icecast_admin',`
 type icecast_t, icecast_initrc_exec_t;
 ')
@@ -1768,8 +1766,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/icecast.if.ptrace serefpolic # Allow icecast_t to restart the apache service icecast_initrc_domtrans($1) diff -up serefpolicy-3.10.0/policy/modules/services/ifplugd.if.ptrace serefpolicy-3.10.0/policy/modules/services/ifplugd.if ---- serefpolicy-3.10.0/policy/modules/services/ifplugd.if.ptrace 2011-10-11 16:42:15.779761678 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/ifplugd.if 2011-10-11 16:42:16.148761574 -0400 +--- serefpolicy-3.10.0/policy/modules/services/ifplugd.if.ptrace 2011-10-14 09:46:28.738530082 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/ifplugd.if 2011-10-14 09:46:29.169521826 -0400 @@ -117,7 +117,7 @@ interface(`ifplugd_admin',` type ifplugd_initrc_exec_t; ') @@ -1780,8 +1778,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ifplugd.if.ptrace serefpolic init_labeled_script_domtrans($1, ifplugd_initrc_exec_t) diff -up serefpolicy-3.10.0/policy/modules/services/ifplugd.te.ptrace serefpolicy-3.10.0/policy/modules/services/ifplugd.te ---- serefpolicy-3.10.0/policy/modules/services/ifplugd.te.ptrace 2011-10-11 16:42:15.779761678 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/ifplugd.te 2011-10-11 16:42:16.149761574 -0400 +--- serefpolicy-3.10.0/policy/modules/services/ifplugd.te.ptrace 2011-10-14 09:46:28.739530063 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/ifplugd.te 2011-10-14 09:46:29.170521807 -0400 @@ -26,7 +26,7 @@ files_pid_file(ifplugd_var_run_t) # 
@@ -1792,8 +1790,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ifplugd.te.ptrace serefpolic
 allow ifplugd_t self:fifo_file rw_fifo_file_perms;
 allow ifplugd_t self:tcp_socket create_stream_socket_perms;
 diff -up serefpolicy-3.10.0/policy/modules/services/inn.if.ptrace serefpolicy-3.10.0/policy/modules/services/inn.if
---- serefpolicy-3.10.0/policy/modules/services/inn.if.ptrace 2011-10-11 16:42:15.781761676 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/inn.if 2011-10-11 16:42:16.149761574 -0400
+--- serefpolicy-3.10.0/policy/modules/services/inn.if.ptrace 2011-10-14 09:46:28.741530025 -0400
++++ serefpolicy-3.10.0/policy/modules/services/inn.if 2011-10-14 09:46:29.170521807 -0400
 @@ -202,8 +202,11 @@ interface(`inn_admin',`
 type innd_initrc_exec_t;
 ')
@@ -1808,8 +1806,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/inn.if.ptrace serefpolicy-3.
 init_labeled_script_domtrans($1, innd_initrc_exec_t)
 domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/jabber.if.ptrace serefpolicy-3.10.0/policy/modules/services/jabber.if
---- serefpolicy-3.10.0/policy/modules/services/jabber.if.ptrace 2011-10-11 16:42:15.784761676 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/jabber.if 2011-10-11 16:42:16.150761573 -0400
+--- serefpolicy-3.10.0/policy/modules/services/jabber.if.ptrace 2011-10-14 09:46:28.744529968 -0400
++++ serefpolicy-3.10.0/policy/modules/services/jabber.if 2011-10-14 09:46:29.171521788 -0400
 @@ -143,10 +143,14 @@ interface(`jabber_admin',`
 type jabberd_initrc_exec_t, jabberd_router_t;
 ')
@@ -1828,8 +1826,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/jabber.if.ptrace serefpolicy init_labeled_script_domtrans($1, jabberd_initrc_exec_t) diff -up serefpolicy-3.10.0/policy/modules/services/kerberos.if.ptrace serefpolicy-3.10.0/policy/modules/services/kerberos.if ---- serefpolicy-3.10.0/policy/modules/services/kerberos.if.ptrace 2011-10-11 16:42:15.785761676 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/kerberos.if 2011-10-11 16:42:16.150761573 -0400 +--- serefpolicy-3.10.0/policy/modules/services/kerberos.if.ptrace 2011-10-14 09:46:28.746529930 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/kerberos.if 2011-10-14 09:46:29.172521769 -0400 @@ -340,13 +340,18 @@ interface(`kerberos_admin',` type krb5kdc_var_run_t, krb5_host_rcache_t; ') @@ -1853,8 +1851,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/kerberos.if.ptrace serefpoli init_labeled_script_domtrans($1, kerberos_initrc_exec_t) diff -up serefpolicy-3.10.0/policy/modules/services/kerneloops.if.ptrace serefpolicy-3.10.0/policy/modules/services/kerneloops.if ---- serefpolicy-3.10.0/policy/modules/services/kerneloops.if.ptrace 2011-10-11 16:42:15.786761676 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/kerneloops.if 2011-10-11 16:42:16.151761573 -0400 +--- serefpolicy-3.10.0/policy/modules/services/kerneloops.if.ptrace 2011-10-14 09:46:28.747529911 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/kerneloops.if 2011-10-14 09:46:29.172521769 -0400 @@ -101,8 +101,11 @@ interface(`kerneloops_admin',` type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t; ') 
@@ -1869,8 +1867,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/kerneloops.if.ptrace serefpo
 init_labeled_script_domtrans($1, kerneloops_initrc_exec_t)
 domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/ksmtuned.if.ptrace serefpolicy-3.10.0/policy/modules/services/ksmtuned.if
---- serefpolicy-3.10.0/policy/modules/services/ksmtuned.if.ptrace 2011-10-11 16:42:15.788761674 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ksmtuned.if 2011-10-11 16:42:16.151761573 -0400
+--- serefpolicy-3.10.0/policy/modules/services/ksmtuned.if.ptrace 2011-10-14 09:46:28.750529852 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ksmtuned.if 2011-10-14 09:46:29.173521750 -0400
 @@ -58,8 +58,11 @@ interface(`ksmtuned_admin',`
 type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t;
 ')
@@ -1885,8 +1883,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ksmtuned.if.ptrace serefpoli
 files_list_pids($1)
 admin_pattern($1, ksmtuned_var_run_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/ksmtuned.te.ptrace serefpolicy-3.10.0/policy/modules/services/ksmtuned.te
---- serefpolicy-3.10.0/policy/modules/services/ksmtuned.te.ptrace 2011-10-11 16:42:15.789761674 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ksmtuned.te 2011-10-11 16:42:16.152761572 -0400
+--- serefpolicy-3.10.0/policy/modules/services/ksmtuned.te.ptrace 2011-10-14 09:46:28.751529833 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ksmtuned.te 2011-10-14 09:46:29.174521731 -0400
 @@ -23,7 +23,7 @@ files_pid_file(ksmtuned_var_run_t)
 # ksmtuned local policy
 #
@@ -1897,8 +1895,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ksmtuned.te.ptrace serefpoli manage_dirs_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t) diff -up serefpolicy-3.10.0/policy/modules/services/l2tpd.if.ptrace serefpolicy-3.10.0/policy/modules/services/l2tpd.if ---- serefpolicy-3.10.0/policy/modules/services/l2tpd.if.ptrace 2011-10-11 16:42:15.790761674 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/l2tpd.if 2011-10-11 16:42:16.152761572 -0400 +--- serefpolicy-3.10.0/policy/modules/services/l2tpd.if.ptrace 2011-10-14 09:46:28.752529814 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/l2tpd.if 2011-10-14 09:46:29.174521731 -0400 @@ -101,8 +101,11 @@ interface(`l2tpd_admin',` type l2tpd_var_run_t; ') @@ -1913,8 +1911,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/l2tpd.if.ptrace serefpolicy- l2tpd_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/ldap.if.ptrace serefpolicy-3.10.0/policy/modules/services/ldap.if ---- serefpolicy-3.10.0/policy/modules/services/ldap.if.ptrace 2011-10-11 16:42:15.792761674 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/ldap.if 2011-10-11 16:42:16.153761571 -0400 +--- serefpolicy-3.10.0/policy/modules/services/ldap.if.ptrace 2011-10-14 09:46:28.754529776 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/ldap.if 2011-10-14 09:46:29.175521712 -0400 @@ -174,8 +174,11 @@ interface(`ldap_admin',` type slapd_initrc_exec_t; ') 
@@ -1930,7 +1928,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ldap.if.ptrace serefpolicy-3
 domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/lircd.if.ptrace serefpolicy-3.10.0/policy/modules/services/lircd.if
 --- serefpolicy-3.10.0/policy/modules/services/lircd.if.ptrace 2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/lircd.if 2011-10-11 16:42:16.154761571 -0400
++++ serefpolicy-3.10.0/policy/modules/services/lircd.if 2011-10-14 09:46:29.176521693 -0400
 @@ -80,8 +80,11 @@ interface(`lircd_admin',`
 type lircd_initrc_exec_t, lircd_etc_t;
 ')
@@ -1945,8 +1943,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/lircd.if.ptrace serefpolicy-
 init_labeled_script_domtrans($1, lircd_initrc_exec_t)
 domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/lldpad.if.ptrace serefpolicy-3.10.0/policy/modules/services/lldpad.if
---- serefpolicy-3.10.0/policy/modules/services/lldpad.if.ptrace 2011-10-11 16:42:15.795761672 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/lldpad.if 2011-10-11 16:42:16.154761571 -0400
+--- serefpolicy-3.10.0/policy/modules/services/lldpad.if.ptrace 2011-10-14 09:46:28.759529681 -0400
++++ serefpolicy-3.10.0/policy/modules/services/lldpad.if 2011-10-14 09:46:29.176521693 -0400
 @@ -180,8 +180,11 @@ interface(`lldpad_admin',`
 type lldpad_var_run_t;
 ')
@@ -1961,8 +1959,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/lldpad.if.ptrace serefpolicy lldpad_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/lpd.if.ptrace serefpolicy-3.10.0/policy/modules/services/lpd.if ---- serefpolicy-3.10.0/policy/modules/services/lpd.if.ptrace 2011-10-11 16:42:15.796761672 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/lpd.if 2011-10-11 16:42:16.155761571 -0400 +--- serefpolicy-3.10.0/policy/modules/services/lpd.if.ptrace 2011-10-14 09:46:28.760529661 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/lpd.if 2011-10-14 09:46:29.178521654 -0400 @@ -28,7 +28,10 @@ interface(`lpd_role',` dontaudit lpr_t $2:unix_stream_socket { read write }; @@ -1976,8 +1974,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/lpd.if.ptrace serefpolicy-3. optional_policy(` cups_read_config($2) diff -up serefpolicy-3.10.0/policy/modules/services/mailscanner.if.ptrace serefpolicy-3.10.0/policy/modules/services/mailscanner.if ---- serefpolicy-3.10.0/policy/modules/services/mailscanner.if.ptrace 2011-10-11 16:42:15.799761672 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/mailscanner.if 2011-10-11 16:42:16.155761571 -0400 +--- serefpolicy-3.10.0/policy/modules/services/mailscanner.if.ptrace 2011-10-14 09:46:28.763529603 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/mailscanner.if 2011-10-14 09:46:29.178521654 -0400 @@ -47,8 +47,11 @@ interface(`mailscanner_admin',` role_transition $2 mscan_initrc_exec_t system_r; allow $2 system_r; 
@@ -1992,8 +1990,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/mailscanner.if.ptrace serefp admin_pattern($1, mscan_etc_t) files_list_etc($1) diff -up serefpolicy-3.10.0/policy/modules/services/matahari.if.ptrace serefpolicy-3.10.0/policy/modules/services/matahari.if ---- serefpolicy-3.10.0/policy/modules/services/matahari.if.ptrace 2011-10-11 16:42:15.800761672 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/matahari.if 2011-10-11 16:42:16.156761571 -0400 +--- serefpolicy-3.10.0/policy/modules/services/matahari.if.ptrace 2011-10-14 09:46:28.765529565 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/matahari.if 2011-10-14 09:46:29.179521635 -0400 @@ -229,13 +229,18 @@ interface(`matahari_admin',` role_transition $2 matahari_initrc_exec_t system_r; allow $2 system_r; @@ -2017,8 +2015,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/matahari.if.ptrace serefpoli files_search_var_lib($1) diff -up serefpolicy-3.10.0/policy/modules/services/matahari.te.ptrace serefpolicy-3.10.0/policy/modules/services/matahari.te ---- serefpolicy-3.10.0/policy/modules/services/matahari.te.ptrace 2011-10-11 16:42:15.800761672 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/matahari.te 2011-10-11 16:42:16.156761571 -0400 +--- serefpolicy-3.10.0/policy/modules/services/matahari.te.ptrace 2011-10-14 09:46:28.765529565 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/matahari.te 2011-10-14 09:46:29.180521616 -0400 @@ -24,9 +24,6 @@ files_pid_file(matahari_var_run_t) # # matahari_hostd local policy 
@@ -2030,8 +2028,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/matahari.te.ptrace serefpoli dev_read_sysfs(matahari_hostd_t) diff -up serefpolicy-3.10.0/policy/modules/services/memcached.if.ptrace serefpolicy-3.10.0/policy/modules/services/memcached.if ---- serefpolicy-3.10.0/policy/modules/services/memcached.if.ptrace 2011-10-11 16:42:15.801761671 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/memcached.if 2011-10-11 16:42:16.157761571 -0400 +--- serefpolicy-3.10.0/policy/modules/services/memcached.if.ptrace 2011-10-14 09:46:28.767529527 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/memcached.if 2011-10-14 09:46:29.180521616 -0400 @@ -59,8 +59,11 @@ interface(`memcached_admin',` type memcached_t, memcached_initrc_exec_t, memcached_var_run_t; ') @@ -2046,8 +2044,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/memcached.if.ptrace serefpol init_labeled_script_domtrans($1, memcached_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/mock.if.ptrace serefpolicy-3.10.0/policy/modules/services/mock.if ---- serefpolicy-3.10.0/policy/modules/services/mock.if.ptrace 2011-10-11 16:42:15.804761670 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/mock.if 2011-10-11 16:42:16.158761571 -0400 +--- serefpolicy-3.10.0/policy/modules/services/mock.if.ptrace 2011-10-14 09:46:28.770529470 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/mock.if 2011-10-14 09:46:29.181521597 -0400 @@ -245,7 +245,10 @@ interface(`mock_role',` mock_run($2, $1) 
@@ -2078,8 +2076,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/mock.if.ptrace serefpolicy-3 files_list_var_lib($1) diff -up serefpolicy-3.10.0/policy/modules/services/mock.te.ptrace serefpolicy-3.10.0/policy/modules/services/mock.te ---- serefpolicy-3.10.0/policy/modules/services/mock.te.ptrace 2011-10-11 16:42:15.805761670 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/mock.te 2011-10-11 16:42:16.158761571 -0400 +--- serefpolicy-3.10.0/policy/modules/services/mock.te.ptrace 2011-10-14 09:46:28.771529451 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/mock.te 2011-10-14 09:46:29.182521578 -0400 @@ -41,7 +41,7 @@ files_config_file(mock_etc_t) # mock local policy # @@ -2099,8 +2097,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/mock.te.ptrace serefpolicy-3 allow mock_build_t self:process { fork setsched setpgid signal_perms }; allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay }; diff -up serefpolicy-3.10.0/policy/modules/services/mojomojo.if.ptrace serefpolicy-3.10.0/policy/modules/services/mojomojo.if ---- serefpolicy-3.10.0/policy/modules/services/mojomojo.if.ptrace 2011-10-11 16:42:15.806761670 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/mojomojo.if 2011-10-11 16:42:16.159761570 -0400 +--- serefpolicy-3.10.0/policy/modules/services/mojomojo.if.ptrace 2011-10-14 09:46:28.772529431 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/mojomojo.if 2011-10-14 09:46:29.182521578 -0400 @@ -24,8 +24,11 @@ interface(`mojomojo_admin',` type httpd_mojomojo_script_exec_t; ') 
@@ -2116,7 +2114,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/mojomojo.if.ptrace serefpoli
 admin_pattern($1, httpd_mojomojo_tmp_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/mpd.if.ptrace serefpolicy-3.10.0/policy/modules/services/mpd.if
 --- serefpolicy-3.10.0/policy/modules/services/mpd.if.ptrace 2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/mpd.if 2011-10-11 16:42:16.159761570 -0400
++++ serefpolicy-3.10.0/policy/modules/services/mpd.if 2011-10-14 09:46:29.183521559 -0400
 @@ -244,8 +244,11 @@ interface(`mpd_admin',`
 type mpd_tmpfs_t;
 ')
@@ -2131,8 +2129,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/mpd.if.ptrace serefpolicy-3.
 mpd_initrc_domtrans($1)
 domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/munin.if.ptrace serefpolicy-3.10.0/policy/modules/services/munin.if
---- serefpolicy-3.10.0/policy/modules/services/munin.if.ptrace 2011-10-11 16:42:15.811761668 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/munin.if 2011-10-11 16:42:16.160761569 -0400
+--- serefpolicy-3.10.0/policy/modules/services/munin.if.ptrace 2011-10-14 09:46:28.779529297 -0400
++++ serefpolicy-3.10.0/policy/modules/services/munin.if 2011-10-14 09:46:29.184521540 -0400
 @@ -183,8 +183,11 @@ interface(`munin_admin',`
 type httpd_munin_content_t, munin_initrc_exec_t;
 ')
@@ -2147,8 +2145,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/munin.if.ptrace serefpolicy- init_labeled_script_domtrans($1, munin_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/mysql.if.ptrace serefpolicy-3.10.0/policy/modules/services/mysql.if ---- serefpolicy-3.10.0/policy/modules/services/mysql.if.ptrace 2011-10-11 16:42:15.812761668 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/mysql.if 2011-10-11 16:42:16.160761569 -0400 +--- serefpolicy-3.10.0/policy/modules/services/mysql.if.ptrace 2011-10-14 09:46:28.780529278 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/mysql.if 2011-10-14 09:46:29.185521521 -0400 @@ -389,8 +389,11 @@ interface(`mysql_admin',` type mysqld_etc_t; ') @@ -2163,8 +2161,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/mysql.if.ptrace serefpolicy- init_labeled_script_domtrans($1, mysqld_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/mysql.te.ptrace serefpolicy-3.10.0/policy/modules/services/mysql.te ---- serefpolicy-3.10.0/policy/modules/services/mysql.te.ptrace 2011-10-11 16:42:15.813761668 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/mysql.te 2011-10-11 16:42:16.161761569 -0400 +--- serefpolicy-3.10.0/policy/modules/services/mysql.te.ptrace 2011-10-14 09:46:28.781529259 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/mysql.te 2011-10-14 09:46:29.186521502 -0400 @@ -158,7 +158,6 @@ optional_policy(` # 
@@ -2174,8 +2172,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/mysql.te.ptrace serefpolicy- allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/services/nagios.if.ptrace serefpolicy-3.10.0/policy/modules/services/nagios.if ---- serefpolicy-3.10.0/policy/modules/services/nagios.if.ptrace 2011-10-11 16:42:15.814761668 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/nagios.if 2011-10-11 16:42:16.162761569 -0400 +--- serefpolicy-3.10.0/policy/modules/services/nagios.if.ptrace 2011-10-14 09:46:28.782529240 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/nagios.if 2011-10-14 09:46:29.186521502 -0400 @@ -225,8 +225,11 @@ interface(`nagios_admin',` type nagios_etc_t, nrpe_etc_t, nagios_spool_t; ') @@ -2190,8 +2188,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/nagios.if.ptrace serefpolicy init_labeled_script_domtrans($1, nagios_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/networkmanager.te.ptrace serefpolicy-3.10.0/policy/modules/services/networkmanager.te ---- serefpolicy-3.10.0/policy/modules/services/networkmanager.te.ptrace 2011-10-11 16:42:15.817761668 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/networkmanager.te 2011-10-11 16:42:16.162761569 -0400 +--- serefpolicy-3.10.0/policy/modules/services/networkmanager.te.ptrace 2011-10-14 09:46:28.786529162 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/networkmanager.te 2011-10-14 09:46:29.187521483 -0400 @@ -44,13 +44,17 @@ init_system_domain(wpa_cli_t, wpa_cli_ex # networkmanager will ptrace itself if gdb is installed 
@@ -2214,8 +2212,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/networkmanager.te.ptrace ser allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms }; allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; diff -up serefpolicy-3.10.0/policy/modules/services/nis.if.ptrace serefpolicy-3.10.0/policy/modules/services/nis.if ---- serefpolicy-3.10.0/policy/modules/services/nis.if.ptrace 2011-10-11 16:42:15.818761667 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/nis.if 2011-10-11 16:42:16.163761569 -0400 +--- serefpolicy-3.10.0/policy/modules/services/nis.if.ptrace 2011-10-14 09:46:28.787529143 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/nis.if 2011-10-14 09:46:29.188521464 -0400 @@ -390,16 +390,22 @@ interface(`nis_admin',` type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t; ') @@ -2244,8 +2242,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/nis.if.ptrace serefpolicy-3. nis_initrc_domtrans($1) diff -up serefpolicy-3.10.0/policy/modules/services/nscd.if.ptrace serefpolicy-3.10.0/policy/modules/services/nscd.if ---- serefpolicy-3.10.0/policy/modules/services/nscd.if.ptrace 2011-10-11 16:42:15.819761666 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/nscd.if 2011-10-11 16:42:16.164761569 -0400 +--- serefpolicy-3.10.0/policy/modules/services/nscd.if.ptrace 2011-10-14 09:46:28.788529124 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/nscd.if 2011-10-14 09:46:29.189521445 -0400 @@ -321,8 +321,11 @@ interface(`nscd_admin',` type nscd_initrc_exec_t; ') 
@@ -2260,8 +2258,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/nscd.if.ptrace serefpolicy-3 init_labeled_script_domtrans($1, nscd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/nscd.te.ptrace serefpolicy-3.10.0/policy/modules/services/nscd.te ---- serefpolicy-3.10.0/policy/modules/services/nscd.te.ptrace 2011-10-11 16:42:15.820761665 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/nscd.te 2011-10-11 16:42:16.164761569 -0400 +--- serefpolicy-3.10.0/policy/modules/services/nscd.te.ptrace 2011-10-14 09:46:28.789529105 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/nscd.te 2011-10-14 09:46:29.190521426 -0400 @@ -40,7 +40,7 @@ logging_log_file(nscd_log_t) # Local policy # @@ -2272,8 +2270,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/nscd.te.ptrace serefpolicy-3 allow nscd_t self:process { getattr getcap setcap setsched signal_perms }; allow nscd_t self:fifo_file read_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/services/nslcd.if.ptrace serefpolicy-3.10.0/policy/modules/services/nslcd.if ---- serefpolicy-3.10.0/policy/modules/services/nslcd.if.ptrace 2011-10-11 16:42:15.820761665 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/nslcd.if 2011-10-11 16:42:16.165761569 -0400 +--- serefpolicy-3.10.0/policy/modules/services/nslcd.if.ptrace 2011-10-14 09:46:28.790529086 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/nslcd.if 2011-10-14 09:46:29.190521426 -0400 @@ -98,7 +98,10 @@ interface(`nslcd_admin',` ') 
@@ -2287,8 +2285,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/nslcd.if.ptrace serefpolicy-
 # Allow nslcd_t to restart the apache service
 nslcd_initrc_domtrans($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/ntp.if.ptrace serefpolicy-3.10.0/policy/modules/services/ntp.if
---- serefpolicy-3.10.0/policy/modules/services/ntp.if.ptrace 2011-10-11 16:42:15.822761665 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ntp.if 2011-10-11 16:42:16.165761569 -0400
+--- serefpolicy-3.10.0/policy/modules/services/ntp.if.ptrace 2011-10-14 09:46:28.792529048 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ntp.if 2011-10-14 09:46:29.191521406 -0400
 @@ -204,8 +204,11 @@ interface(`ntp_admin',`
 type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t;
 ')
@@ -2303,8 +2301,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ntp.if.ptrace serefpolicy-3.
 init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
 domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/oident.if.ptrace serefpolicy-3.10.0/policy/modules/services/oident.if
---- serefpolicy-3.10.0/policy/modules/services/oident.if.ptrace 2011-10-11 16:42:15.827761663 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/oident.if 2011-10-11 16:42:16.166761568 -0400
+--- serefpolicy-3.10.0/policy/modules/services/oident.if.ptrace 2011-10-14 09:46:28.797528951 -0400
++++ serefpolicy-3.10.0/policy/modules/services/oident.if 2011-10-14 09:46:29.192521387 -0400
 @@ -89,8 +89,11 @@ interface(`oident_admin',`
 type oidentd_t, oidentd_initrc_exec_t, oidentd_config_t;
 ')
@@ -2320,7 +2318,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/oident.if.ptrace serefpolicy
 domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/openvpn.if.ptrace serefpolicy-3.10.0/policy/modules/services/openvpn.if
 --- serefpolicy-3.10.0/policy/modules/services/openvpn.if.ptrace 2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/openvpn.if 2011-10-11 16:42:16.167761567 -0400
++++ serefpolicy-3.10.0/policy/modules/services/openvpn.if 2011-10-14 09:46:29.192521387 -0400
 @@ -144,8 +144,11 @@ interface(`openvpn_admin',`
 type openvpn_var_run_t, openvpn_initrc_exec_t;
 ')
@@ -2335,8 +2333,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/openvpn.if.ptrace serefpolic
 init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
 domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/pads.if.ptrace serefpolicy-3.10.0/policy/modules/services/pads.if
---- serefpolicy-3.10.0/policy/modules/services/pads.if.ptrace 2011-10-11 16:42:15.830761663 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/pads.if 2011-10-11 16:42:16.167761567 -0400
+--- serefpolicy-3.10.0/policy/modules/services/pads.if.ptrace 2011-10-14 09:46:28.801528875 -0400
++++ serefpolicy-3.10.0/policy/modules/services/pads.if 2011-10-14 09:46:29.193521367 -0400
 @@ -31,8 +31,11 @@ interface(`pads_admin',`
 type pads_var_run_t;
 ')
@@ -2351,8 +2349,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/pads.if.ptrace serefpolicy-3 init_labeled_script_domtrans($1, pads_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/pingd.if.ptrace serefpolicy-3.10.0/policy/modules/services/pingd.if ---- serefpolicy-3.10.0/policy/modules/services/pingd.if.ptrace 2011-10-11 16:42:15.833761662 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/pingd.if 2011-10-11 16:42:16.168761567 -0400 +--- serefpolicy-3.10.0/policy/modules/services/pingd.if.ptrace 2011-10-14 09:46:28.805528799 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/pingd.if 2011-10-14 09:46:29.194521347 -0400 @@ -80,8 +80,11 @@ interface(`pingd_admin',` type pingd_initrc_exec_t; ') @@ -2367,8 +2365,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/pingd.if.ptrace serefpolicy- init_labeled_script_domtrans($1, pingd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/piranha.te.ptrace serefpolicy-3.10.0/policy/modules/services/piranha.te ---- serefpolicy-3.10.0/policy/modules/services/piranha.te.ptrace 2011-10-11 16:42:15.835761661 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/piranha.te 2011-10-11 16:42:16.168761567 -0400 +--- serefpolicy-3.10.0/policy/modules/services/piranha.te.ptrace 2011-10-14 09:46:28.807528760 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/piranha.te 2011-10-14 09:46:29.195521328 -0400 @@ -65,7 +65,11 @@ init_domtrans_script(piranha_fos_t) # 
@@ -2383,8 +2381,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/piranha.te.ptrace serefpolic
 allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms;
 allow piranha_web_t self:sem create_sem_perms;
 diff -up serefpolicy-3.10.0/policy/modules/services/plymouthd.if.ptrace serefpolicy-3.10.0/policy/modules/services/plymouthd.if
---- serefpolicy-3.10.0/policy/modules/services/plymouthd.if.ptrace 2011-10-11 16:42:15.836761661 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/plymouthd.if 2011-10-11 16:42:16.169761567 -0400
+--- serefpolicy-3.10.0/policy/modules/services/plymouthd.if.ptrace 2011-10-14 09:46:28.808528740 -0400
++++ serefpolicy-3.10.0/policy/modules/services/plymouthd.if 2011-10-14 09:46:29.196521310 -0400
 @@ -291,8 +291,11 @@ interface(`plymouthd_admin',`
 type plymouthd_var_run_t;
 ')
@@ -2399,8 +2397,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/plymouthd.if.ptrace serefpol
 files_list_var_lib($1)
 admin_pattern($1, plymouthd_spool_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/policykit.te.ptrace serefpolicy-3.10.0/policy/modules/services/policykit.te
---- serefpolicy-3.10.0/policy/modules/services/policykit.te.ptrace 2011-10-11 16:42:15.838761661 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/policykit.te 2011-10-11 16:42:16.170761567 -0400
+--- serefpolicy-3.10.0/policy/modules/services/policykit.te.ptrace 2011-10-14 09:46:28.811528683 -0400
++++ serefpolicy-3.10.0/policy/modules/services/policykit.te 2011-10-14 09:46:29.197521291 -0400
 @@ -38,7 +38,7 @@ files_pid_file(policykit_var_run_t)
 # policykit local policy
 #
@@ -2420,8 +2418,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/policykit.te.ptrace serefpol allow policykit_resolve_t self:fifo_file rw_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/services/polipo.if.ptrace serefpolicy-3.10.0/policy/modules/services/polipo.if ---- serefpolicy-3.10.0/policy/modules/services/polipo.if.ptrace 2011-10-11 16:42:15.839761661 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/polipo.if 2011-10-11 16:42:16.171761567 -0400 +--- serefpolicy-3.10.0/policy/modules/services/polipo.if.ptrace 2011-10-14 09:46:28.812528664 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/polipo.if 2011-10-14 09:46:29.197521291 -0400 @@ -32,8 +32,11 @@ template(`polipo_role',` # Policy # @@ -2450,7 +2448,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/polipo.if.ptrace serefpolicy domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/portreserve.if.ptrace serefpolicy-3.10.0/policy/modules/services/portreserve.if --- serefpolicy-3.10.0/policy/modules/services/portreserve.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/portreserve.if 2011-10-11 16:42:16.171761567 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/portreserve.if 2011-10-14 09:46:29.198521272 -0400 @@ -104,8 +104,11 @@ interface(`portreserve_admin',` type portreserve_initrc_exec_t; ') 
@@ -2465,8 +2463,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/portreserve.if.ptrace serefp portreserve_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/postfix.if.ptrace serefpolicy-3.10.0/policy/modules/services/postfix.if ---- serefpolicy-3.10.0/policy/modules/services/postfix.if.ptrace 2011-10-11 16:42:15.843761659 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/postfix.if 2011-10-11 16:42:16.172761567 -0400 +--- serefpolicy-3.10.0/policy/modules/services/postfix.if.ptrace 2011-10-14 09:46:28.817528569 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/postfix.if 2011-10-14 09:46:29.199521253 -0400 @@ -729,25 +729,36 @@ interface(`postfix_admin',` type postfix_smtpd_t, postfix_var_run_t; ') @@ -2512,8 +2510,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/postfix.if.ptrace serefpolic postfix_run_map($1, $2) diff -up serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if.ptrace serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if ---- serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if.ptrace 2011-10-11 16:42:15.844761659 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if 2011-10-11 16:42:16.172761567 -0400 +--- serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if.ptrace 2011-10-14 09:46:28.818528550 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if 2011-10-14 09:46:29.200521234 -0400 @@ -23,8 +23,11 @@ interface(`postfixpolicyd_admin',` type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t; ') 
@@ -2528,8 +2526,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if.ptrace ser init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/postgresql.if.ptrace serefpolicy-3.10.0/policy/modules/services/postgresql.if ---- serefpolicy-3.10.0/policy/modules/services/postgresql.if.ptrace 2011-10-11 16:42:15.846761659 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/postgresql.if 2011-10-11 16:42:16.173761566 -0400 +--- serefpolicy-3.10.0/policy/modules/services/postgresql.if.ptrace 2011-10-14 09:46:28.820528510 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/postgresql.if 2011-10-14 09:46:29.200521234 -0400 @@ -541,8 +541,11 @@ interface(`postgresql_admin',` typeattribute $1 sepgsql_admin_type; @@ -2544,8 +2542,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/postgresql.if.ptrace serefpo init_labeled_script_domtrans($1, postgresql_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/postgrey.if.ptrace serefpolicy-3.10.0/policy/modules/services/postgrey.if ---- serefpolicy-3.10.0/policy/modules/services/postgrey.if.ptrace 2011-10-11 16:42:15.848761657 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/postgrey.if 2011-10-11 16:42:16.174761565 -0400 +--- serefpolicy-3.10.0/policy/modules/services/postgrey.if.ptrace 2011-10-14 09:46:28.823528453 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/postgrey.if 2011-10-14 09:46:29.202521196 -0400 @@ -62,8 +62,11 @@ interface(`postgrey_admin',` type postgrey_var_lib_t, postgrey_var_run_t; ') 
@@ -2560,8 +2558,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/postgrey.if.ptrace serefpoli init_labeled_script_domtrans($1, postgrey_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/ppp.if.ptrace serefpolicy-3.10.0/policy/modules/services/ppp.if ---- serefpolicy-3.10.0/policy/modules/services/ppp.if.ptrace 2011-10-11 16:42:15.849761657 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/ppp.if 2011-10-11 16:42:16.174761565 -0400 +--- serefpolicy-3.10.0/policy/modules/services/ppp.if.ptrace 2011-10-14 09:46:28.825528415 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/ppp.if 2011-10-14 09:46:29.202521196 -0400 @@ -386,10 +386,14 @@ interface(`ppp_admin',` type pppd_initrc_exec_t, pppd_etc_rw_t; ') @@ -2580,8 +2578,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ppp.if.ptrace serefpolicy-3. ppp_initrc_domtrans($1) diff -up serefpolicy-3.10.0/policy/modules/services/prelude.if.ptrace serefpolicy-3.10.0/policy/modules/services/prelude.if ---- serefpolicy-3.10.0/policy/modules/services/prelude.if.ptrace 2011-10-11 16:42:15.850761657 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/prelude.if 2011-10-11 16:42:16.175761565 -0400 +--- serefpolicy-3.10.0/policy/modules/services/prelude.if.ptrace 2011-10-14 09:46:28.826528396 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/prelude.if 2011-10-14 09:46:29.203521177 -0400 @@ -118,13 +118,18 @@ interface(`prelude_admin',` type prelude_lml_t; ') 
@@ -2606,7 +2604,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/prelude.if.ptrace serefpolic
 init_labeled_script_domtrans($1, prelude_initrc_exec_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/privoxy.if.ptrace serefpolicy-3.10.0/policy/modules/services/privoxy.if
 --- serefpolicy-3.10.0/policy/modules/services/privoxy.if.ptrace 2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/privoxy.if 2011-10-11 16:42:16.175761565 -0400
++++ serefpolicy-3.10.0/policy/modules/services/privoxy.if 2011-10-14 09:46:29.204521158 -0400
 @@ -23,8 +23,11 @@ interface(`privoxy_admin',`
 type privoxy_etc_rw_t, privoxy_var_run_t;
 ')
@@ -2621,8 +2619,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/privoxy.if.ptrace serefpolic
 init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
 domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/psad.if.ptrace serefpolicy-3.10.0/policy/modules/services/psad.if
---- serefpolicy-3.10.0/policy/modules/services/psad.if.ptrace 2011-10-11 16:42:15.853761657 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/psad.if 2011-10-11 16:42:16.176761565 -0400
+--- serefpolicy-3.10.0/policy/modules/services/psad.if.ptrace 2011-10-14 09:46:28.830528320 -0400
++++ serefpolicy-3.10.0/policy/modules/services/psad.if 2011-10-14 09:46:29.204521158 -0400
 @@ -295,8 +295,11 @@ interface(`psad_admin',`
 type psad_tmp_t;
 ')
@@ -2637,8 +2635,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/psad.if.ptrace serefpolicy-3 init_labeled_script_domtrans($1, psad_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/puppet.te.ptrace serefpolicy-3.10.0/policy/modules/services/puppet.te ---- serefpolicy-3.10.0/policy/modules/services/puppet.te.ptrace 2011-10-11 16:42:15.856761655 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/puppet.te 2011-10-11 16:42:16.177761565 -0400 +--- serefpolicy-3.10.0/policy/modules/services/puppet.te.ptrace 2011-10-14 09:46:28.833528261 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/puppet.te 2011-10-14 09:46:29.205521138 -0400 @@ -62,7 +62,7 @@ files_tmp_file(puppetmaster_tmp_t) # Puppet personal policy # @@ -2649,8 +2647,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/puppet.te.ptrace serefpolicy allow puppet_t self:fifo_file rw_fifo_file_perms; allow puppet_t self:netlink_route_socket create_netlink_socket_perms; diff -up serefpolicy-3.10.0/policy/modules/services/pyzor.if.ptrace serefpolicy-3.10.0/policy/modules/services/pyzor.if ---- serefpolicy-3.10.0/policy/modules/services/pyzor.if.ptrace 2011-10-11 16:42:15.857761655 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/pyzor.if 2011-10-11 16:42:16.178761565 -0400 +--- serefpolicy-3.10.0/policy/modules/services/pyzor.if.ptrace 2011-10-14 09:46:28.834528242 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/pyzor.if 2011-10-14 09:46:29.206521119 -0400 @@ -29,7 +29,10 @@ interface(`pyzor_role',` # allow ps to show pyzor and allow the user to kill it 
@@ -2677,8 +2675,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/pyzor.if.ptrace serefpolicy-
 init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
 domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/qpid.if.ptrace serefpolicy-3.10.0/policy/modules/services/qpid.if
---- serefpolicy-3.10.0/policy/modules/services/qpid.if.ptrace 2011-10-11 16:42:15.860761655 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/qpid.if 2011-10-11 16:42:16.178761565 -0400
+--- serefpolicy-3.10.0/policy/modules/services/qpid.if.ptrace 2011-10-14 09:46:28.839528147 -0400
++++ serefpolicy-3.10.0/policy/modules/services/qpid.if 2011-10-14 09:46:29.207521099 -0400
 @@ -177,8 +177,11 @@ interface(`qpidd_admin',`
 type qpidd_t, qpidd_initrc_exec_t;
 ')
@@ -2694,7 +2692,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/qpid.if.ptrace serefpolicy-3
 qpidd_initrc_domtrans($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/radius.if.ptrace serefpolicy-3.10.0/policy/modules/services/radius.if
 --- serefpolicy-3.10.0/policy/modules/services/radius.if.ptrace 2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/radius.if 2011-10-11 16:42:16.179761565 -0400
++++ serefpolicy-3.10.0/policy/modules/services/radius.if 2011-10-14 09:46:29.207521099 -0400
 @@ -38,8 +38,11 @@ interface(`radius_admin',`
 type radiusd_initrc_exec_t;
 ')
@@ -2709,8 +2707,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/radius.if.ptrace serefpolicy init_labeled_script_domtrans($1, radiusd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/radvd.if.ptrace serefpolicy-3.10.0/policy/modules/services/radvd.if ---- serefpolicy-3.10.0/policy/modules/services/radvd.if.ptrace 2011-10-11 16:42:15.862761655 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/radvd.if 2011-10-11 16:42:16.179761565 -0400 +--- serefpolicy-3.10.0/policy/modules/services/radvd.if.ptrace 2011-10-14 09:46:28.840528128 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/radvd.if 2011-10-14 09:46:29.208521079 -0400 @@ -23,8 +23,11 @@ interface(`radvd_admin',` type radvd_var_run_t; ') @@ -2725,8 +2723,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/radvd.if.ptrace serefpolicy- init_labeled_script_domtrans($1, radvd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/razor.if.ptrace serefpolicy-3.10.0/policy/modules/services/razor.if ---- serefpolicy-3.10.0/policy/modules/services/razor.if.ptrace 2011-10-11 16:42:15.863761655 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/razor.if 2011-10-11 16:42:16.180761564 -0400 +--- serefpolicy-3.10.0/policy/modules/services/razor.if.ptrace 2011-10-14 09:46:28.842528089 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/razor.if 2011-10-14 09:46:29.209521060 -0400 @@ -132,7 +132,10 @@ interface(`razor_role',` # allow ps to show razor and allow the user to kill it 
@@ -2740,8 +2738,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/razor.if.ptrace serefpolicy- manage_dirs_pattern($2, razor_home_t, razor_home_t) manage_files_pattern($2, razor_home_t, razor_home_t) diff -up serefpolicy-3.10.0/policy/modules/services/rgmanager.if.ptrace serefpolicy-3.10.0/policy/modules/services/rgmanager.if ---- serefpolicy-3.10.0/policy/modules/services/rgmanager.if.ptrace 2011-10-11 16:42:15.866761652 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/rgmanager.if 2011-10-11 16:42:16.181761563 -0400 +--- serefpolicy-3.10.0/policy/modules/services/rgmanager.if.ptrace 2011-10-14 09:46:28.845528031 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/rgmanager.if 2011-10-14 09:46:29.210521041 -0400 @@ -117,8 +117,11 @@ interface(`rgmanager_admin',` type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t; ') @@ -2756,8 +2754,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/rgmanager.if.ptrace serefpol init_labeled_script_domtrans($1, rgmanager_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/rgmanager.te.ptrace serefpolicy-3.10.0/policy/modules/services/rgmanager.te ---- serefpolicy-3.10.0/policy/modules/services/rgmanager.te.ptrace 2011-10-11 16:42:15.866761652 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/rgmanager.te 2011-10-11 16:42:16.181761563 -0400 +--- serefpolicy-3.10.0/policy/modules/services/rgmanager.te.ptrace 2011-10-14 09:46:28.847527993 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/rgmanager.te 2011-10-14 09:46:29.211521022 -0400 @@ -37,7 +37,6 @@ files_pid_file(rgmanager_var_run_t) # 
@@ -2767,8 +2765,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/rgmanager.te.ptrace serefpol dontaudit rgmanager_t self:process ptrace; diff -up serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if.ptrace serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if ---- serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if.ptrace 2011-10-11 16:42:15.871761652 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if 2011-10-11 16:42:16.182761563 -0400 +--- serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if.ptrace 2011-10-14 09:46:28.852527898 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if 2011-10-14 09:46:29.212521003 -0400 @@ -284,8 +284,11 @@ interface(`rhsmcertd_admin',` type rhsmcertd_var_run_t; ') @@ -2783,8 +2781,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if.ptrace serefpol rhsmcertd_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/ricci.if.ptrace serefpolicy-3.10.0/policy/modules/services/ricci.if ---- serefpolicy-3.10.0/policy/modules/services/ricci.if.ptrace 2011-10-11 16:42:15.873761650 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/ricci.if 2011-10-11 16:42:16.182761563 -0400 +--- serefpolicy-3.10.0/policy/modules/services/ricci.if.ptrace 2011-10-14 09:46:28.854527859 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/ricci.if 2011-10-14 09:46:29.213520984 -0400 @@ -245,8 +245,11 @@ interface(`ricci_admin',` type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t; ') 
@@ -2800,7 +2798,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ricci.if.ptrace serefpolicy-
 domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/roundup.if.ptrace serefpolicy-3.10.0/policy/modules/services/roundup.if
 --- serefpolicy-3.10.0/policy/modules/services/roundup.if.ptrace 2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/roundup.if 2011-10-11 16:42:16.183761563 -0400
++++ serefpolicy-3.10.0/policy/modules/services/roundup.if 2011-10-14 09:46:29.213520984 -0400
 @@ -23,8 +23,11 @@ interface(`roundup_admin',`
 type roundup_initrc_exec_t;
 ')
@@ -2815,8 +2813,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/roundup.if.ptrace serefpolic
 init_labeled_script_domtrans($1, roundup_initrc_exec_t)
 domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/rpcbind.if.ptrace serefpolicy-3.10.0/policy/modules/services/rpcbind.if
---- serefpolicy-3.10.0/policy/modules/services/rpcbind.if.ptrace 2011-10-11 16:42:15.878761650 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/rpcbind.if 2011-10-11 16:42:16.184761563 -0400
+--- serefpolicy-3.10.0/policy/modules/services/rpcbind.if.ptrace 2011-10-14 09:46:28.860527744 -0400
++++ serefpolicy-3.10.0/policy/modules/services/rpcbind.if 2011-10-14 09:46:29.214520965 -0400
 @@ -155,8 +155,11 @@ interface(`rpcbind_admin',`
 type rpcbind_initrc_exec_t;
 ')
@@ -2831,8 +2829,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/rpcbind.if.ptrace serefpolic init_labeled_script_domtrans($1, rpcbind_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/rtkit.te.ptrace serefpolicy-3.10.0/policy/modules/services/rtkit.te ---- serefpolicy-3.10.0/policy/modules/services/rtkit.te.ptrace 2011-10-11 16:42:15.881761648 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/rtkit.te 2011-10-11 16:42:16.184761563 -0400 +--- serefpolicy-3.10.0/policy/modules/services/rtkit.te.ptrace 2011-10-14 09:46:28.864527668 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/rtkit.te 2011-10-14 09:46:29.215520946 -0400 @@ -15,7 +15,7 @@ init_system_domain(rtkit_daemon_t, rtkit # rtkit_daemon local policy # @@ -2843,8 +2841,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/rtkit.te.ptrace serefpolicy- kernel_read_system_state(rtkit_daemon_t) diff -up serefpolicy-3.10.0/policy/modules/services/rwho.if.ptrace serefpolicy-3.10.0/policy/modules/services/rwho.if ---- serefpolicy-3.10.0/policy/modules/services/rwho.if.ptrace 2011-10-11 16:42:15.881761648 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/rwho.if 2011-10-11 16:42:16.185761563 -0400 +--- serefpolicy-3.10.0/policy/modules/services/rwho.if.ptrace 2011-10-14 09:46:28.864527668 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/rwho.if 2011-10-14 09:46:29.216520927 -0400 @@ -138,8 +138,11 @@ interface(`rwho_admin',` type rwho_initrc_exec_t; ') 
@@ -2859,8 +2857,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/rwho.if.ptrace serefpolicy-3
 init_labeled_script_domtrans($1, rwho_initrc_exec_t)
 domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/samba.if.ptrace serefpolicy-3.10.0/policy/modules/services/samba.if
---- serefpolicy-3.10.0/policy/modules/services/samba.if.ptrace 2011-10-11 16:42:15.883761648 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/samba.if 2011-10-11 16:42:16.186761563 -0400
+--- serefpolicy-3.10.0/policy/modules/services/samba.if.ptrace 2011-10-14 09:46:28.866527629 -0400
++++ serefpolicy-3.10.0/policy/modules/services/samba.if 2011-10-14 09:46:29.216520927 -0400
 @@ -784,13 +784,18 @@ interface(`samba_admin',`
 type winbind_var_run_t, winbind_tmp_t, samba_unconfined_script_t;
 ')
@@ -2885,7 +2883,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/samba.if.ptrace serefpolicy-
 samba_run_smbcontrol($1, $2, $3)
 diff -up serefpolicy-3.10.0/policy/modules/services/samhain.if.ptrace serefpolicy-3.10.0/policy/modules/services/samhain.if
 --- serefpolicy-3.10.0/policy/modules/services/samhain.if.ptrace 2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/samhain.if 2011-10-11 16:42:16.187761563 -0400
++++ serefpolicy-3.10.0/policy/modules/services/samhain.if 2011-10-14 09:46:29.218520889 -0400
 @@ -271,10 +271,14 @@ interface(`samhain_admin',`
 type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t;
 ')
@@ -2904,8 +2902,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/samhain.if.ptrace serefpolic files_list_var_lib($1) diff -up serefpolicy-3.10.0/policy/modules/services/sanlock.if.ptrace serefpolicy-3.10.0/policy/modules/services/sanlock.if ---- serefpolicy-3.10.0/policy/modules/services/sanlock.if.ptrace 2011-10-11 16:42:15.885761648 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/sanlock.if 2011-10-11 16:42:16.187761563 -0400 +--- serefpolicy-3.10.0/policy/modules/services/sanlock.if.ptrace 2011-10-14 09:46:28.870527552 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/sanlock.if 2011-10-14 09:46:29.218520889 -0400 @@ -99,8 +99,11 @@ interface(`sanlock_admin',` type sanlock_initrc_exec_t; ') @@ -2920,8 +2918,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/sanlock.if.ptrace serefpolic sanlock_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/sasl.if.ptrace serefpolicy-3.10.0/policy/modules/services/sasl.if ---- serefpolicy-3.10.0/policy/modules/services/sasl.if.ptrace 2011-10-11 16:42:15.886761647 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/sasl.if 2011-10-11 16:42:16.188761563 -0400 +--- serefpolicy-3.10.0/policy/modules/services/sasl.if.ptrace 2011-10-14 09:46:28.871527533 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/sasl.if 2011-10-14 09:46:29.219520870 -0400 @@ -42,8 +42,11 @@ interface(`sasl_admin',` type saslauthd_initrc_exec_t; ') 
@@ -2936,8 +2934,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/sasl.if.ptrace serefpolicy-3 init_labeled_script_domtrans($1, saslauthd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/sblim.if.ptrace serefpolicy-3.10.0/policy/modules/services/sblim.if ---- serefpolicy-3.10.0/policy/modules/services/sblim.if.ptrace 2011-10-11 16:42:15.888761646 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/sblim.if 2011-10-11 16:42:16.188761563 -0400 +--- serefpolicy-3.10.0/policy/modules/services/sblim.if.ptrace 2011-10-14 09:46:28.873527495 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/sblim.if 2011-10-14 09:46:29.220520851 -0400 @@ -65,11 +65,15 @@ interface(`sblim_admin',` type sblim_var_run_t; ') @@ -2958,8 +2956,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/sblim.if.ptrace serefpolicy- files_search_pids($1) admin_pattern($1, sblim_var_run_t) diff -up serefpolicy-3.10.0/policy/modules/services/sblim.te.ptrace serefpolicy-3.10.0/policy/modules/services/sblim.te ---- serefpolicy-3.10.0/policy/modules/services/sblim.te.ptrace 2011-10-11 16:42:15.888761646 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/sblim.te 2011-10-11 16:42:16.189761562 -0400 +--- serefpolicy-3.10.0/policy/modules/services/sblim.te.ptrace 2011-10-14 09:46:28.873527495 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/sblim.te 2011-10-14 09:46:29.221520832 -0400 @@ -24,7 +24,7 @@ files_pid_file(sblim_var_run_t) # 
@@ -2970,8 +2968,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/sblim.te.ptrace serefpolicy- allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/services/sendmail.if.ptrace serefpolicy-3.10.0/policy/modules/services/sendmail.if ---- serefpolicy-3.10.0/policy/modules/services/sendmail.if.ptrace 2011-10-11 16:42:15.889761646 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/sendmail.if 2011-10-11 16:42:16.189761562 -0400 +--- serefpolicy-3.10.0/policy/modules/services/sendmail.if.ptrace 2011-10-14 09:46:28.874527476 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/sendmail.if 2011-10-14 09:46:29.221520832 -0400 @@ -334,10 +334,14 @@ interface(`sendmail_admin',` type mail_spool_t; ') @@ -2990,8 +2988,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/sendmail.if.ptrace serefpoli sendmail_initrc_domtrans($1) diff -up serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if.ptrace serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if ---- serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if.ptrace 2011-10-11 16:42:15.890761646 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if 2011-10-11 16:42:16.190761562 -0400 +--- serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if.ptrace 2011-10-14 09:46:28.875527457 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if 2011-10-14 09:46:29.222520812 -0400 @@ -140,8 +140,11 @@ interface(`setroubleshoot_admin',` type setroubleshoot_var_lib_t; ') 
@@ -3006,8 +3004,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if.ptrace ser
 logging_list_logs($1)
 admin_pattern($1, setroubleshoot_var_log_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/smartmon.if.ptrace serefpolicy-3.10.0/policy/modules/services/smartmon.if
---- serefpolicy-3.10.0/policy/modules/services/smartmon.if.ptrace 2011-10-11 16:42:15.892761646 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/smartmon.if 2011-10-11 16:42:16.190761562 -0400
+--- serefpolicy-3.10.0/policy/modules/services/smartmon.if.ptrace 2011-10-14 09:46:28.877527419 -0400
++++ serefpolicy-3.10.0/policy/modules/services/smartmon.if 2011-10-14 09:46:29.223520792 -0400
 @@ -42,8 +42,11 @@ interface(`smartmon_admin',`
 type fsdaemon_initrc_exec_t;
 ')
@@ -3023,7 +3021,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/smartmon.if.ptrace serefpoli
 domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/smokeping.if.ptrace serefpolicy-3.10.0/policy/modules/services/smokeping.if
 --- serefpolicy-3.10.0/policy/modules/services/smokeping.if.ptrace 2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/smokeping.if 2011-10-11 16:42:16.191761561 -0400
++++ serefpolicy-3.10.0/policy/modules/services/smokeping.if 2011-10-14 09:46:29.224520773 -0400
 @@ -153,8 +153,11 @@ interface(`smokeping_admin',`
 type smokeping_t, smokeping_initrc_exec_t;
 ')
@@ -3038,8 +3036,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/smokeping.if.ptrace serefpol
 smokeping_initrc_domtrans($1)
 domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/snmp.if.ptrace serefpolicy-3.10.0/policy/modules/services/snmp.if
---- serefpolicy-3.10.0/policy/modules/services/snmp.if.ptrace 2011-10-11 16:42:15.893761645 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/snmp.if 2011-10-11 16:42:16.192761560 -0400
+--- serefpolicy-3.10.0/policy/modules/services/snmp.if.ptrace 2011-10-14 09:46:28.880527360 -0400
++++ serefpolicy-3.10.0/policy/modules/services/snmp.if 2011-10-14 09:46:29.225520754 -0400
 @@ -168,8 +168,11 @@ interface(`snmp_admin',`
 type snmpd_var_lib_t, snmpd_var_run_t;
 ')
@@ -3054,8 +3052,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/snmp.if.ptrace serefpolicy-3
 init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
 domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/snmp.te.ptrace serefpolicy-3.10.0/policy/modules/services/snmp.te
---- serefpolicy-3.10.0/policy/modules/services/snmp.te.ptrace 2011-10-11 16:42:15.894761644 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/snmp.te 2011-10-11 16:42:16.192761560 -0400
+--- serefpolicy-3.10.0/policy/modules/services/snmp.te.ptrace 2011-10-14 09:46:28.880527360 -0400
++++ serefpolicy-3.10.0/policy/modules/services/snmp.te 2011-10-14 09:46:29.225520754 -0400
 @@ -26,7 +26,8 @@ files_type(snmpd_var_lib_t)
 # Local policy
 #
@@ -3067,8 +3065,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/snmp.te.ptrace serefpolicy-3
 allow snmpd_t self:process { signal_perms getsched setsched };
 allow snmpd_t self:fifo_file rw_fifo_file_perms;
 diff -up serefpolicy-3.10.0/policy/modules/services/snort.if.ptrace serefpolicy-3.10.0/policy/modules/services/snort.if
---- serefpolicy-3.10.0/policy/modules/services/snort.if.ptrace 2011-10-11 16:42:15.894761644 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/snort.if 2011-10-11 16:42:16.193761560 -0400
+--- serefpolicy-3.10.0/policy/modules/services/snort.if.ptrace 2011-10-14 09:46:28.881527341 -0400
++++ serefpolicy-3.10.0/policy/modules/services/snort.if 2011-10-14 09:46:29.226520735 -0400
 @@ -41,8 +41,11 @@ interface(`snort_admin',`
 type snort_etc_t, snort_initrc_exec_t;
 ')
@@ -3083,8 +3081,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/snort.if.ptrace serefpolicy-
 init_labeled_script_domtrans($1, snort_initrc_exec_t)
 domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/soundserver.if.ptrace serefpolicy-3.10.0/policy/modules/services/soundserver.if
---- serefpolicy-3.10.0/policy/modules/services/soundserver.if.ptrace 2011-10-11 16:42:15.896761644 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/soundserver.if 2011-10-11 16:42:16.194761560 -0400
+--- serefpolicy-3.10.0/policy/modules/services/soundserver.if.ptrace 2011-10-14 09:46:28.882527322 -0400
++++ serefpolicy-3.10.0/policy/modules/services/soundserver.if 2011-10-14 09:46:29.227520716 -0400
 @@ -37,8 +37,11 @@ interface(`soundserver_admin',`
 type soundd_tmp_t, soundd_var_run_t;
 ')
@@ -3099,8 +3097,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/soundserver.if.ptrace serefp init_labeled_script_domtrans($1, soundd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/spamassassin.if.ptrace serefpolicy-3.10.0/policy/modules/services/spamassassin.if ---- serefpolicy-3.10.0/policy/modules/services/spamassassin.if.ptrace 2011-10-11 16:42:15.897761644 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/spamassassin.if 2011-10-11 16:42:16.194761560 -0400 +--- serefpolicy-3.10.0/policy/modules/services/spamassassin.if.ptrace 2011-10-14 09:46:28.883527303 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/spamassassin.if 2011-10-14 09:46:29.228520697 -0400 @@ -27,12 +27,12 @@ interface(`spamassassin_role',` domtrans_pattern($2, spamassassin_exec_t, spamassassin_t) @@ -3130,8 +3128,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/spamassassin.if.ptrace seref init_labeled_script_domtrans($1, spamd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/squid.if.ptrace serefpolicy-3.10.0/policy/modules/services/squid.if ---- serefpolicy-3.10.0/policy/modules/services/squid.if.ptrace 2011-10-11 16:42:15.899761644 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/squid.if 2011-10-11 16:42:16.195761560 -0400 +--- serefpolicy-3.10.0/policy/modules/services/squid.if.ptrace 2011-10-14 09:46:28.885527265 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/squid.if 2011-10-14 09:46:29.228520697 -0400 @@ -209,8 +209,11 @@ interface(`squid_admin',` type squid_log_t, squid_var_run_t, squid_initrc_exec_t; ') 
@@ -3146,8 +3144,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/squid.if.ptrace serefpolicy-
 init_labeled_script_domtrans($1, squid_initrc_exec_t)
 domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/ssh.if.ptrace serefpolicy-3.10.0/policy/modules/services/ssh.if
---- serefpolicy-3.10.0/policy/modules/services/ssh.if.ptrace 2011-10-11 16:42:16.055761600 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ssh.if 2011-10-11 16:42:16.196761560 -0400
+--- serefpolicy-3.10.0/policy/modules/services/ssh.if.ptrace 2011-10-14 09:46:29.066523798 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ssh.if 2011-10-14 09:46:29.229520678 -0400
 @@ -367,7 +367,7 @@ template(`ssh_role_template',`
 # allow ps to show ssh
@@ -3167,8 +3165,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ssh.if.ptrace serefpolicy-3.
 # allow ps to show ssh
 ps_process_pattern($3, $1_ssh_agent_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/sssd.if.ptrace serefpolicy-3.10.0/policy/modules/services/sssd.if
---- serefpolicy-3.10.0/policy/modules/services/sssd.if.ptrace 2011-10-11 16:42:15.902761644 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/sssd.if 2011-10-11 16:42:16.196761560 -0400
+--- serefpolicy-3.10.0/policy/modules/services/sssd.if.ptrace 2011-10-14 09:46:28.890527168 -0400
++++ serefpolicy-3.10.0/policy/modules/services/sssd.if 2011-10-14 09:46:29.230520659 -0400
 @@ -232,8 +232,11 @@ interface(`sssd_admin',`
 type sssd_t, sssd_public_t, sssd_initrc_exec_t;
 ')
@@ -3183,8 +3181,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/sssd.if.ptrace serefpolicy-3
 # Allow sssd_t to restart the apache service
 sssd_initrc_domtrans($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/tcsd.if.ptrace serefpolicy-3.10.0/policy/modules/services/tcsd.if
---- serefpolicy-3.10.0/policy/modules/services/tcsd.if.ptrace 2011-10-11 16:42:15.905761641 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/tcsd.if 2011-10-11 16:42:16.197761560 -0400
+--- serefpolicy-3.10.0/policy/modules/services/tcsd.if.ptrace 2011-10-14 09:46:28.895527073 -0400
++++ serefpolicy-3.10.0/policy/modules/services/tcsd.if 2011-10-14 09:46:29.231520640 -0400
 @@ -137,8 +137,11 @@ interface(`tcsd_admin',`
 type tcsd_var_lib_t;
 ')
@@ -3199,8 +3197,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/tcsd.if.ptrace serefpolicy-3
 tcsd_initrc_domtrans($1)
 domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/tftp.if.ptrace serefpolicy-3.10.0/policy/modules/services/tftp.if
---- serefpolicy-3.10.0/policy/modules/services/tftp.if.ptrace 2011-10-11 16:42:15.907761641 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/tftp.if 2011-10-11 16:42:16.197761560 -0400
+--- serefpolicy-3.10.0/policy/modules/services/tftp.if.ptrace 2011-10-14 09:46:28.897527035 -0400
++++ serefpolicy-3.10.0/policy/modules/services/tftp.if 2011-10-14 09:46:29.231520640 -0400
 @@ -109,8 +109,11 @@ interface(`tftp_admin',`
 type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
 ')
@@ -3215,8 +3213,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/tftp.if.ptrace serefpolicy-3
 files_list_var_lib($1)
 admin_pattern($1, tftpdir_rw_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/tor.if.ptrace serefpolicy-3.10.0/policy/modules/services/tor.if
---- serefpolicy-3.10.0/policy/modules/services/tor.if.ptrace 2011-10-11 16:42:15.909761641 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/tor.if 2011-10-11 16:42:16.198761559 -0400
+--- serefpolicy-3.10.0/policy/modules/services/tor.if.ptrace 2011-10-14 09:46:28.899526997 -0400
++++ serefpolicy-3.10.0/policy/modules/services/tor.if 2011-10-14 09:46:29.232520621 -0400
 @@ -42,8 +42,11 @@ interface(`tor_admin',`
 type tor_initrc_exec_t;
 ')
@@ -3231,8 +3229,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/tor.if.ptrace serefpolicy-3.
 init_labeled_script_domtrans($1, tor_initrc_exec_t)
 domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/tuned.if.ptrace serefpolicy-3.10.0/policy/modules/services/tuned.if
---- serefpolicy-3.10.0/policy/modules/services/tuned.if.ptrace 2011-10-11 16:42:15.910761641 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/tuned.if 2011-10-11 16:42:16.198761559 -0400
+--- serefpolicy-3.10.0/policy/modules/services/tuned.if.ptrace 2011-10-14 09:46:28.900526978 -0400
++++ serefpolicy-3.10.0/policy/modules/services/tuned.if 2011-10-14 09:46:29.233520602 -0400
 @@ -115,8 +115,11 @@ interface(`tuned_admin',`
 type tuned_t, tuned_var_run_t, tuned_initrc_exec_t;
 ')
@@ -3248,7 +3246,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/tuned.if.ptrace serefpolicy-
 domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/ulogd.if.ptrace serefpolicy-3.10.0/policy/modules/services/ulogd.if
 --- serefpolicy-3.10.0/policy/modules/services/ulogd.if.ptrace 2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ulogd.if 2011-10-11 16:42:16.199761558 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ulogd.if 2011-10-14 09:46:29.234520583 -0400
 @@ -123,8 +123,11 @@ interface(`ulogd_admin',`
 type ulogd_var_log_t, ulogd_initrc_exec_t;
 ')
@@ -3264,7 +3262,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ulogd.if.ptrace serefpolicy-
 domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/uucp.if.ptrace serefpolicy-3.10.0/policy/modules/services/uucp.if
 --- serefpolicy-3.10.0/policy/modules/services/uucp.if.ptrace 2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/uucp.if 2011-10-11 16:42:16.200761558 -0400
++++ serefpolicy-3.10.0/policy/modules/services/uucp.if 2011-10-14 09:46:29.234520583 -0400
 @@ -99,8 +99,11 @@ interface(`uucp_admin',`
 type uucpd_var_run_t;
 ')
@@ -3279,8 +3277,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/uucp.if.ptrace serefpolicy-3
 logging_list_logs($1)
 admin_pattern($1, uucpd_log_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/uuidd.if.ptrace serefpolicy-3.10.0/policy/modules/services/uuidd.if
---- serefpolicy-3.10.0/policy/modules/services/uuidd.if.ptrace 2011-10-11 16:42:15.915761639 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/uuidd.if 2011-10-11 16:42:16.200761558 -0400
+--- serefpolicy-3.10.0/policy/modules/services/uuidd.if.ptrace 2011-10-14 09:46:28.906526862 -0400
++++ serefpolicy-3.10.0/policy/modules/services/uuidd.if 2011-10-14 09:46:29.235520564 -0400
 @@ -177,8 +177,11 @@ interface(`uuidd_admin',`
 type uuidd_var_run_t;
 ')
@@ -3296,7 +3294,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/uuidd.if.ptrace serefpolicy-
 domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/varnishd.if.ptrace serefpolicy-3.10.0/policy/modules/services/varnishd.if
 --- serefpolicy-3.10.0/policy/modules/services/varnishd.if.ptrace 2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/varnishd.if 2011-10-11 16:42:16.201761558 -0400
++++ serefpolicy-3.10.0/policy/modules/services/varnishd.if 2011-10-14 09:46:29.236520544 -0400
 @@ -155,8 +155,11 @@ interface(`varnishd_admin_varnishlog',`
 type varnishlog_var_run_t;
 ')
@@ -3324,8 +3322,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/varnishd.if.ptrace serefpoli
 init_labeled_script_domtrans($1, varnishd_initrc_exec_t)
 domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/vdagent.if.ptrace serefpolicy-3.10.0/policy/modules/services/vdagent.if
---- serefpolicy-3.10.0/policy/modules/services/vdagent.if.ptrace 2011-10-11 16:42:15.917761639 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/vdagent.if 2011-10-11 16:42:16.202761558 -0400
+--- serefpolicy-3.10.0/policy/modules/services/vdagent.if.ptrace 2011-10-14 09:46:28.908526824 -0400
++++ serefpolicy-3.10.0/policy/modules/services/vdagent.if 2011-10-14 09:46:29.236520544 -0400
 @@ -118,8 +118,11 @@ interface(`vdagent_admin',`
 type vdagent_var_run_t;
 ')
@@ -3340,8 +3338,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/vdagent.if.ptrace serefpolic
 files_search_pids($1)
 admin_pattern($1, vdagent_var_run_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/vhostmd.if.ptrace serefpolicy-3.10.0/policy/modules/services/vhostmd.if
---- serefpolicy-3.10.0/policy/modules/services/vhostmd.if.ptrace 2011-10-11 16:42:15.918761638 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/vhostmd.if 2011-10-11 16:42:16.202761558 -0400
+--- serefpolicy-3.10.0/policy/modules/services/vhostmd.if.ptrace 2011-10-14 09:46:28.909526805 -0400
++++ serefpolicy-3.10.0/policy/modules/services/vhostmd.if 2011-10-14 09:46:29.237520524 -0400
 @@ -210,8 +210,11 @@ interface(`vhostmd_admin',`
 type vhostmd_t, vhostmd_initrc_exec_t;
 ')
@@ -3356,8 +3354,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/vhostmd.if.ptrace serefpolic
 vhostmd_initrc_domtrans($1)
 domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/virt.if.ptrace serefpolicy-3.10.0/policy/modules/services/virt.if
---- serefpolicy-3.10.0/policy/modules/services/virt.if.ptrace 2011-10-11 16:42:15.920761637 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/virt.if 2011-10-11 16:42:16.203761558 -0400
+--- serefpolicy-3.10.0/policy/modules/services/virt.if.ptrace 2011-10-14 09:46:28.911526767 -0400
++++ serefpolicy-3.10.0/policy/modules/services/virt.if 2011-10-14 09:46:29.238520505 -0400
 @@ -618,10 +618,14 @@ interface(`virt_admin',`
 type virt_lxc_t;
 ')
@@ -3385,8 +3383,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/virt.if.ptrace serefpolicy-3
 ########################################
 diff -up serefpolicy-3.10.0/policy/modules/services/virt.te.ptrace serefpolicy-3.10.0/policy/modules/services/virt.te
---- serefpolicy-3.10.0/policy/modules/services/virt.te.ptrace 2011-10-11 16:42:16.006761613 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/virt.te 2011-10-11 16:42:16.204761558 -0400
+--- serefpolicy-3.10.0/policy/modules/services/virt.te.ptrace 2011-10-14 09:46:29.010524870 -0400
++++ serefpolicy-3.10.0/policy/modules/services/virt.te 2011-10-14 09:46:29.239520486 -0400
 @@ -247,7 +247,7 @@ optional_policy(`
 # virtd local policy
 #
@@ -3405,8 +3403,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/virt.te.ptrace serefpolicy-3
 allow virtd_t svirt_lxc_domain:process { signal_perms };
 allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill };
 diff -up serefpolicy-3.10.0/policy/modules/services/vnstatd.if.ptrace serefpolicy-3.10.0/policy/modules/services/vnstatd.if
---- serefpolicy-3.10.0/policy/modules/services/vnstatd.if.ptrace 2011-10-11 16:42:15.922761637 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/vnstatd.if 2011-10-11 16:42:16.204761558 -0400
+--- serefpolicy-3.10.0/policy/modules/services/vnstatd.if.ptrace 2011-10-14 09:46:28.915526689 -0400
++++ serefpolicy-3.10.0/policy/modules/services/vnstatd.if 2011-10-14 09:46:29.240520467 -0400
 @@ -136,8 +136,11 @@ interface(`vnstatd_admin',`
 type vnstatd_t, vnstatd_var_lib_t;
 ')
@@ -3421,8 +3419,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/vnstatd.if.ptrace serefpolic
 files_list_var_lib($1)
 admin_pattern($1, vnstatd_var_lib_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/wdmd.if.ptrace serefpolicy-3.10.0/policy/modules/services/wdmd.if
---- serefpolicy-3.10.0/policy/modules/services/wdmd.if.ptrace 2011-10-11 16:42:15.924761637 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/wdmd.if 2011-10-11 16:42:16.205761557 -0400
+--- serefpolicy-3.10.0/policy/modules/services/wdmd.if.ptrace 2011-10-14 09:46:28.917526651 -0400
++++ serefpolicy-3.10.0/policy/modules/services/wdmd.if 2011-10-14 09:46:29.241520448 -0400
 @@ -62,8 +62,11 @@ interface(`wdmd_admin',`
 type wdmd_initrc_exec_t;
 ')
@@ -3437,8 +3435,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/wdmd.if.ptrace serefpolicy-3
 wdmd_initrc_domtrans($1)
 domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/xserver.te.ptrace serefpolicy-3.10.0/policy/modules/services/xserver.te
---- serefpolicy-3.10.0/policy/modules/services/xserver.te.ptrace 2011-10-11 16:42:16.063761597 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/xserver.te 2011-10-11 16:42:16.206761556 -0400
+--- serefpolicy-3.10.0/policy/modules/services/xserver.te.ptrace 2011-10-14 09:46:29.069523739 -0400
++++ serefpolicy-3.10.0/policy/modules/services/xserver.te 2011-10-14 09:46:29.242520429 -0400
 @@ -417,8 +417,13 @@ optional_policy(`
 # XDM Local policy
 #
@@ -3466,8 +3464,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/xserver.te.ptrace serefpolic
 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow xserver_t self:fd use;
 diff -up serefpolicy-3.10.0/policy/modules/services/zabbix.if.ptrace serefpolicy-3.10.0/policy/modules/services/zabbix.if
---- serefpolicy-3.10.0/policy/modules/services/zabbix.if.ptrace 2011-10-11 16:42:15.929761635 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/zabbix.if 2011-10-11 16:42:16.207761556 -0400
+--- serefpolicy-3.10.0/policy/modules/services/zabbix.if.ptrace 2011-10-14 09:46:28.923526537 -0400
++++ serefpolicy-3.10.0/policy/modules/services/zabbix.if 2011-10-14 09:46:29.243520410 -0400
 @@ -142,8 +142,11 @@ interface(`zabbix_admin',`
 type zabbix_initrc_exec_t;
 ')
@@ -3482,8 +3480,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/zabbix.if.ptrace serefpolicy
 init_labeled_script_domtrans($1, zabbix_initrc_exec_t)
 domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/zebra.if.ptrace serefpolicy-3.10.0/policy/modules/services/zebra.if
---- serefpolicy-3.10.0/policy/modules/services/zebra.if.ptrace 2011-10-11 16:42:15.931761635 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/zebra.if 2011-10-11 16:42:16.207761556 -0400
+--- serefpolicy-3.10.0/policy/modules/services/zebra.if.ptrace 2011-10-14 09:46:28.926526478 -0400
++++ serefpolicy-3.10.0/policy/modules/services/zebra.if 2011-10-14 09:46:29.244520391 -0400
 @@ -64,8 +64,11 @@ interface(`zebra_admin',`
 type zebra_conf_t, zebra_var_run_t, zebra_initrc_exec_t;
 ')
@@ -3498,8 +3496,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/zebra.if.ptrace serefpolicy-
 init_labeled_script_domtrans($1, zebra_initrc_exec_t)
 domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/system/hotplug.te.ptrace serefpolicy-3.10.0/policy/modules/system/hotplug.te
---- serefpolicy-3.10.0/policy/modules/system/hotplug.te.ptrace 2011-10-11 16:42:15.941761633 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/hotplug.te 2011-10-11 16:42:16.208761556 -0400
+--- serefpolicy-3.10.0/policy/modules/system/hotplug.te.ptrace 2011-10-14 09:46:28.938526248 -0400
++++ serefpolicy-3.10.0/policy/modules/system/hotplug.te 2011-10-14 09:46:29.245520372 -0400
 @@ -23,7 +23,7 @@ files_pid_file(hotplug_var_run_t)
 #
@@ -3510,8 +3508,8 @@ diff -up serefpolicy-3.10.0/policy/modules/system/hotplug.te.ptrace serefpolicy-
 dontaudit hotplug_t self:capability { dac_override dac_read_search };
 allow hotplug_t self:process { setpgid getsession getattr signal_perms };
 diff -up serefpolicy-3.10.0/policy/modules/system/init.if.ptrace serefpolicy-3.10.0/policy/modules/system/init.if
---- serefpolicy-3.10.0/policy/modules/system/init.if.ptrace 2011-10-11 16:42:15.942761632 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/init.if 2011-10-11 16:42:16.209761556 -0400
+--- serefpolicy-3.10.0/policy/modules/system/init.if.ptrace 2011-10-14 09:46:28.940526210 -0400
++++ serefpolicy-3.10.0/policy/modules/system/init.if 2011-10-14 09:46:29.246520353 -0400
 @@ -1123,7 +1123,9 @@ interface(`init_ptrace',`
 type init_t;
 ')
@@ -3524,8 +3522,8 @@ diff -up serefpolicy-3.10.0/policy/modules/system/init.if.ptrace serefpolicy-3.1
 ########################################
 diff -up serefpolicy-3.10.0/policy/modules/system/init.te.ptrace serefpolicy-3.10.0/policy/modules/system/init.te
---- serefpolicy-3.10.0/policy/modules/system/init.te.ptrace 2011-10-11 16:42:16.031761606 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/init.te 2011-10-11 16:42:16.209761556 -0400
+--- serefpolicy-3.10.0/policy/modules/system/init.te.ptrace 2011-10-14 09:46:29.044524218 -0400
++++ serefpolicy-3.10.0/policy/modules/system/init.te 2011-10-14 09:46:29.247520334 -0400
 @@ -121,7 +121,7 @@ ifdef(`enable_mls',`
 #
@@ -3546,8 +3544,8 @@ diff -up serefpolicy-3.10.0/policy/modules/system/init.te.ptrace serefpolicy-3.1
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
 diff -up serefpolicy-3.10.0/policy/modules/system/ipsec.te.ptrace serefpolicy-3.10.0/policy/modules/system/ipsec.te
---- serefpolicy-3.10.0/policy/modules/system/ipsec.te.ptrace 2011-10-11 16:42:15.946761630 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/ipsec.te 2011-10-11 16:42:16.210761556 -0400
+--- serefpolicy-3.10.0/policy/modules/system/ipsec.te.ptrace 2011-10-14 09:46:28.944526134 -0400
++++ serefpolicy-3.10.0/policy/modules/system/ipsec.te 2011-10-14 09:46:29.248520315 -0400
 @@ -73,7 +73,7 @@ role system_r types setkey_t;
 #
@@ -3579,8 +3577,8 @@ diff -up serefpolicy-3.10.0/policy/modules/system/ipsec.te.ptrace serefpolicy-3.
 domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t)
 diff -up serefpolicy-3.10.0/policy/modules/system/iscsi.te.ptrace serefpolicy-3.10.0/policy/modules/system/iscsi.te
---- serefpolicy-3.10.0/policy/modules/system/iscsi.te.ptrace 2011-10-11 16:42:15.948761630 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/iscsi.te 2011-10-11 16:42:16.211761556 -0400
+--- serefpolicy-3.10.0/policy/modules/system/iscsi.te.ptrace 2011-10-14 09:46:28.946526096 -0400
++++ serefpolicy-3.10.0/policy/modules/system/iscsi.te 2011-10-14 09:46:29.249520296 -0400
 @@ -31,7 +31,6 @@ files_pid_file(iscsi_var_run_t)
 #
@@ -3590,9 +3588,9 @@ diff -up serefpolicy-3.10.0/policy/modules/system/iscsi.te.ptrace serefpolicy-3.
 allow iscsid_t self:fifo_file rw_fifo_file_perms;
 allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
 diff -up serefpolicy-3.10.0/policy/modules/system/locallogin.te.ptrace serefpolicy-3.10.0/policy/modules/system/locallogin.te
---- serefpolicy-3.10.0/policy/modules/system/locallogin.te.ptrace 2011-10-11 16:42:15.950761629 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/locallogin.te 2011-10-11 16:42:16.211761556 -0400
-@@ -32,7 +32,7 @@ role system_r types sulogin_t;
+--- serefpolicy-3.10.0/policy/modules/system/locallogin.te.ptrace 2011-10-14 09:46:28.951525999 -0400
++++ serefpolicy-3.10.0/policy/modules/system/locallogin.te 2011-10-14 09:46:29.249520296 -0400
+@@ -35,7 +35,7 @@ role system_r types sulogin_t;
 # Local login local policy
 #
@@ -3602,8 +3600,8 @@ diff -up serefpolicy-3.10.0/policy/modules/system/locallogin.te.ptrace serefpoli
 allow local_login_t self:fd use;
 allow local_login_t self:fifo_file rw_fifo_file_perms;
 diff -up serefpolicy-3.10.0/policy/modules/system/logging.if.ptrace serefpolicy-3.10.0/policy/modules/system/logging.if
---- serefpolicy-3.10.0/policy/modules/system/logging.if.ptrace 2011-10-11 16:42:15.952761628 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/logging.if 2011-10-11 16:42:16.212761555 -0400
+--- serefpolicy-3.10.0/policy/modules/system/logging.if.ptrace 2011-10-14 09:46:28.952525980 -0400
++++ serefpolicy-3.10.0/policy/modules/system/logging.if 2011-10-14 09:46:29.250520277 -0400
 @@ -1095,9 +1095,13 @@ interface(`logging_admin_audit',`
 type auditd_initrc_exec_t;
 ')
@@ -3637,8 +3635,8 @@ diff -up serefpolicy-3.10.0/policy/modules/system/logging.if.ptrace serefpolicy-
 manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
 manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
 diff -up serefpolicy-3.10.0/policy/modules/system/mount.te.ptrace serefpolicy-3.10.0/policy/modules/system/mount.te
---- serefpolicy-3.10.0/policy/modules/system/mount.te.ptrace 2011-10-11 16:42:15.959761626 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/mount.te 2011-10-11 16:42:16.212761555 -0400
+--- serefpolicy-3.10.0/policy/modules/system/mount.te.ptrace 2011-10-14 09:46:28.962525788 -0400
++++ serefpolicy-3.10.0/policy/modules/system/mount.te 2011-10-14 09:46:29.251520257 -0400
 @@ -48,7 +48,11 @@ role system_r types showmount_t;
 # setuid/setgid needed to mount cifs
@@ -3653,8 +3651,8 @@ diff -up serefpolicy-3.10.0/policy/modules/system/mount.te.ptrace serefpolicy-3.
 allow mount_t self:unix_stream_socket create_stream_socket_perms;
 allow mount_t self:unix_dgram_socket create_socket_perms;
 diff -up serefpolicy-3.10.0/policy/modules/system/sysnetwork.te.ptrace serefpolicy-3.10.0/policy/modules/system/sysnetwork.te
---- serefpolicy-3.10.0/policy/modules/system/sysnetwork.te.ptrace 2011-10-11 16:42:15.966761624 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/sysnetwork.te 2011-10-11 16:42:16.213761554 -0400
+--- serefpolicy-3.10.0/policy/modules/system/sysnetwork.te.ptrace 2011-10-14 09:46:28.970525636 -0400
++++ serefpolicy-3.10.0/policy/modules/system/sysnetwork.te 2011-10-14 09:46:29.252520237 -0400
 @@ -51,10 +51,13 @@ files_config_file(net_conf_t)
 # DHCP client local policy
 #
@@ -3672,8 +3670,8 @@ diff -up serefpolicy-3.10.0/policy/modules/system/sysnetwork.te.ptrace serefpoli
 allow dhcpc_t self:fifo_file rw_fifo_file_perms;
 allow dhcpc_t self:tcp_socket create_stream_socket_perms;
 diff -up serefpolicy-3.10.0/policy/modules/system/udev.te.ptrace serefpolicy-3.10.0/policy/modules/system/udev.te
---- serefpolicy-3.10.0/policy/modules/system/udev.te.ptrace 2011-10-11 16:42:15.970761624 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/udev.te 2011-10-11 16:42:16.214761554 -0400
+--- serefpolicy-3.10.0/policy/modules/system/udev.te.ptrace 2011-10-14 09:46:28.974525558 -0400
++++ serefpolicy-3.10.0/policy/modules/system/udev.te 2011-10-14 09:46:29.252520237 -0400
 @@ -34,7 +34,7 @@ ifdef(`enable_mcs',`
 # Local policy
 #
@@ -3697,8 +3695,8 @@ diff -up serefpolicy-3.10.0/policy/modules/system/udev.te.ptrace serefpolicy-3.1
 allow udev_t self:fd use;
 allow udev_t self:fifo_file rw_fifo_file_perms;
 diff -up serefpolicy-3.10.0/policy/modules/system/unconfined.if.ptrace serefpolicy-3.10.0/policy/modules/system/unconfined.if
---- serefpolicy-3.10.0/policy/modules/system/unconfined.if.ptrace 2011-10-11 16:42:15.988761619 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/unconfined.if 2011-10-11 16:42:16.214761554 -0400
+--- serefpolicy-3.10.0/policy/modules/system/unconfined.if.ptrace 2011-10-14 09:46:28.992525214 -0400
++++ serefpolicy-3.10.0/policy/modules/system/unconfined.if 2011-10-14 09:46:29.253520218 -0400
 @@ -18,7 +18,12 @@ interface(`unconfined_domain_noaudit',`
 ')
@@ -3714,8 +3712,8 @@ diff -up serefpolicy-3.10.0/policy/modules/system/unconfined.if.ptrace serefpoli
 allow $1 self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
 diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if.ptrace serefpolicy-3.10.0/policy/modules/system/userdomain.if
---- serefpolicy-3.10.0/policy/modules/system/userdomain.if.ptrace 2011-10-11 16:42:16.065761597 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/userdomain.if 2011-10-11 16:42:16.216761554 -0400
+--- serefpolicy-3.10.0/policy/modules/system/userdomain.if.ptrace 2011-10-14 09:46:29.071523701 -0400
++++ serefpolicy-3.10.0/policy/modules/system/userdomain.if 2011-10-14 09:46:29.255520180 -0400
 @@ -40,7 +40,10 @@ template(`userdom_base_user_template',`
 role $1_r types $1_t;
 allow system_r $1_r;
@@ -3761,8 +3759,8 @@ diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if.ptrace serefpoli ######################################## diff -up serefpolicy-3.10.0/policy/modules/system/xen.te.ptrace serefpolicy-3.10.0/policy/modules/system/xen.te ---- serefpolicy-3.10.0/policy/modules/system/xen.te.ptrace 2011-10-11 16:42:15.977761622 -0400 -+++ serefpolicy-3.10.0/policy/modules/system/xen.te 2011-10-11 16:42:16.217761554 -0400 +--- serefpolicy-3.10.0/policy/modules/system/xen.te.ptrace 2011-10-14 09:46:28.984525366 -0400 ++++ serefpolicy-3.10.0/policy/modules/system/xen.te 2011-10-14 09:46:29.256520161 -0400 @@ -206,7 +206,6 @@ tunable_policy(`xend_run_qemu',` # diff --git a/selinux-policy.spec b/selinux-policy.spec index 6dc825a..e67752e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 39.3%{?dist} +Release: 40%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -480,6 +480,17 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Oct 14 2011 Miroslav Grepl 3.10.0-40 +- Dontaudit access checks for all executables, gnome-shell is doing access(EXEC, X_OK) +- Make corosync to be able to relabelto cluster lib fies +- Allow samba domains to search /var/run/nmbd +- Allow dirsrv to use pam +- Allow thumb to call getuid +- chrome less likely to get mmap_zero bug so removing dontaudit +- gimp help-browser has built in javascript +- Best guess is that devices named /dev/bsr4096 should be labeled as cpu_device_t +- Re-write glance policy + * Thu Oct 13 2011 Dan Walsh 3.10.0-39.3 - Move dontaudit sys_ptrace line from permissive.te to domain.te - Remove policy for hal, it no longer exists