diff --git a/.cvsignore b/.cvsignore
index 45ac984..107ca45 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -192,3 +192,4 @@ serefpolicy-3.6.31.tgz
 serefpolicy-3.6.32.tgz
 serefpolicy-3.6.33.tgz
 serefpolicy-3.7.1.tgz
+serefpolicy-3.7.2.tgz
diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index 8662f82..1c43a96 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -24,7 +24,7 @@ allow_ftpd_anon_write = false
 
 # Allow gssd to read temp directory.
 # 
-allow_gssd_read_tmp = true
+allow_gssd_read_tmp = false
 
 # Allow Apache to modify public filesused for public file transfer services.
 # 
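Review bot: The three default flips in this file (`allow_gssd_read_tmp` at L19, `httpd_dbus_avahi` at L28, `use_nfs_home_dirs` at L37) move a boolean from true to false, but the descriptive comment above each one is left as it was, so nothing in the file records that the default is now off or when an administrator would be expected to turn it back on. A one-line addition under each description would cover it, e.g. above L37: `# Off by default; enable on systems whose home directories are served over NFS.`, with the equivalent sentence for the gssd and avahi booleans. This is documentation only; the value changes themselves are not in question here.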
@@ -72,7 +72,7 @@ httpd_can_network_connect_db = false
 
 #
 # allow httpd to send dbus messages to avahi
-httpd_dbus_avahi = true
+httpd_dbus_avahi = false
 
 #
 # allow httpd to network relay
@@ -144,7 +144,7 @@ squid_connect_any = false
 
 # Support NFS home directories
 # 
-use_nfs_home_dirs = true
+use_nfs_home_dirs = false
 
 # Support SAMBA home directories
 # 
diff --git a/modules-minimum.conf b/modules-minimum.conf
index f691dbb..22ee2d8 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -39,6 +39,13 @@ ada = module
 # 
 cpufreqselector = module
 
+# Layer: apps
+# Module: chrome
+#
+# chrome sandbox
+# 
+chrome = module
+
 # Layer: modules
 # Module: awstats
 #
@@ -125,6 +132,13 @@ audioentropy = module
 authlogin = base
 
 # Layer: services
+# Module: asterisk
+#
+# Asterisk IP telephony server
+# 
+asterisk = module
+
+# Layer: services
 # Module: automount
 #
 # Filesystem automounter service.
@@ -721,6 +735,13 @@ jabber = module
 # 
 java = module
 
+# Layer: apps
+# Module: execmem
+#
+# execmem executable
+# 
+execmem = module
+
 # Layer: system
 # Module: kdump
 #
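Review bot: The description for the new execmem module (L80, `# execmem executable`) only repeats the module name, whereas the neighbouring entries say what the module covers (L72 `Filesystem automounter service.`, L100 `NX Remote Desktop`); the same text is added to modules-targeted.conf at L182. Suggest a line such as `# Domain for executables that need writable and executable memory (execmem) — confirm against the module's .te` so a reader knows what enabling the module changes.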
@@ -1008,6 +1029,13 @@ nscd = base
 ntp = module
 
 # Layer: services
+# Module: nut
+# 
+# nut - Network UPS Tools
+#
+nut = module
+
+# Layer: services
 # Module: nx
 #
 # NX Remote Desktop
@@ -1221,6 +1249,13 @@ aisexec = module
 rgmanager = module
 
 # Layer: services
+# Module: clogd
+#
+# clogd - clustered mirror log server
+# 
+clogd = module
+ 
+# Layer: services
 # Module: rhgb
 #
 # X windows login display manager
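Review bot: L110 adds a separator line consisting of a single space instead of an empty line between `clogd = module` and the next `# Layer:` header; every other separator added in this file is empty (L55, L68, L83). The same stray whitespace line is added to modules-targeted.conf at L212, and both files carry identical blob ids (L42, L144), so they are byte-for-byte copies and need the same fix. Change the `+ ` line to an empty added line.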
@@ -1378,6 +1413,13 @@ seunshare = module
 # 
 shorewall = base
 
+# Layer: apps
+# Module: sectoolm
+#
+# Policy for sectool-mechanism
+# 
+sectoolm = module
+
 # Layer: system
 # Module: setrans
 # Required in base
@@ -1647,6 +1689,13 @@ timidity = off
 tftp = module
 
 # Layer: services
+# Module: tuned
+#
+# Dynamic adaptive system tuning daemon
+#
+tuned = module
+
+# Layer: services
 # Module: uucp
 #
 # Unix to Unix Copy
diff --git a/modules-targeted.conf b/modules-targeted.conf
index f691dbb..22ee2d8 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -39,6 +39,13 @@ ada = module
 # 
 cpufreqselector = module
 
+# Layer: apps
+# Module: chrome
+#
+# chrome sandbox
+# 
+chrome = module
+
 # Layer: modules
 # Module: awstats
 #
@@ -125,6 +132,13 @@ audioentropy = module
 authlogin = base
 
 # Layer: services
+# Module: asterisk
+#
+# Asterisk IP telephony server
+# 
+asterisk = module
+
+# Layer: services
 # Module: automount
 #
 # Filesystem automounter service.
@@ -721,6 +735,13 @@ jabber = module
 # 
 java = module
 
+# Layer: apps
+# Module: execmem
+#
+# execmem executable
+# 
+execmem = module
+
 # Layer: system
 # Module: kdump
 #
@@ -1008,6 +1029,13 @@ nscd = base
 ntp = module
 
 # Layer: services
+# Module: nut
+# 
+# nut - Network UPS Tools
+#
+nut = module
+
+# Layer: services
 # Module: nx
 #
 # NX Remote Desktop
@@ -1221,6 +1249,13 @@ aisexec = module
 rgmanager = module
 
 # Layer: services
+# Module: clogd
+#
+# clogd - clustered mirror log server
+# 
+clogd = module
+ 
+# Layer: services
 # Module: rhgb
 #
 # X windows login display manager
@@ -1378,6 +1413,13 @@ seunshare = module
 # 
 shorewall = base
 
+# Layer: apps
+# Module: sectoolm
+#
+# Policy for sectool-mechanism
+# 
+sectoolm = module
+
 # Layer: system
 # Module: setrans
 # Required in base
@@ -1647,6 +1689,13 @@ timidity = off
 tftp = module
 
 # Layer: services
+# Module: tuned
+#
+# Dynamic adaptive system tuning daemon
+#
+tuned = module
+
+# Layer: services
 # Module: uucp
 #
 # Unix to Unix Copy
diff --git a/policy-F13.patch b/policy-F13.patch
index c3a256e..a2e0042 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -10,17 +10,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Mak
  net_contexts := $(builddir)net_contexts
  
  all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.7.1/policy/flask/access_vectors
---- nsaserefpolicy/policy/flask/access_vectors	2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.1/policy/flask/access_vectors	2009-11-17 11:06:58.000000000 -0500
-@@ -376,6 +376,7 @@
- 	syslog_read  
- 	syslog_mod
- 	syslog_console
-+	module_request
- }
- 
- #
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.7.1/policy/global_tunables
 --- nsaserefpolicy/policy/global_tunables	2009-07-23 14:11:04.000000000 -0400
 +++ serefpolicy-3.7.1/policy/global_tunables	2009-11-17 11:06:58.000000000 -0500
@@ -2457,8 +2446,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.7.1/policy/modules/apps/gnome.if
 --- nsaserefpolicy/policy/modules/apps/gnome.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/apps/gnome.if	2009-11-17 11:06:58.000000000 -0500
-@@ -84,10 +84,180 @@
++++ serefpolicy-3.7.1/policy/modules/apps/gnome.if	2009-11-19 15:02:40.000000000 -0500
+@@ -84,10 +84,183 @@
  #
  interface(`gnome_manage_config',`
  	gen_require(`
@@ -2594,10 +2583,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +interface(`gnome_read_gconf_home_files',`
 +	gen_require(`
 +		type gconf_home_t;
++		type data_home_t;
 +	')
 +
 +	allow $1 gconf_home_t:dir list_dir_perms;
++	allow $1 data_home_t:dir list_dir_perms;
 +	read_files_pattern($1, gconf_home_t, gconf_home_t)
++	read_files_pattern($1, data_home_t, data_home_t)
 +')
 +
 +########################################
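Review bot: The `data_home_t` rules added at L286 and L288 widen `gnome_read_gconf_home_files` (L279), so every existing caller of an interface named for gconf home files silently gains list and read access to a second type. If all callers genuinely need it, the interface's summary block (above this hunk, outside it) should say so, e.g. `##	Read gconf home files and data_home_t files.`; otherwise the data_home_t access belongs in a separately named interface that callers opt into. The interface body is complete within the hunk, its documentation header is not.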
@@ -2835,7 +2827,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.7.1/policy/modules/apps/java.fc
 --- nsaserefpolicy/policy/modules/apps/java.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/apps/java.fc	2009-11-18 10:21:24.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/apps/java.fc	2009-11-19 09:59:58.000000000 -0500
 @@ -2,15 +2,17 @@
  # /opt
  #
@@ -2857,7 +2849,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /usr/bin/frysk		--	gen_context(system_u:object_r:java_exec_t,s0)
  /usr/bin/gappletviewer	--	gen_context(system_u:object_r:java_exec_t,s0)
  /usr/bin/gcj-dbtool	--	gen_context(system_u:object_r:java_exec_t,s0)
-@@ -20,5 +22,14 @@
+@@ -20,5 +22,16 @@
  /usr/bin/grmic		--	gen_context(system_u:object_r:java_exec_t,s0)
  /usr/bin/grmiregistry	--	gen_context(system_u:object_r:java_exec_t,s0)
  /usr/bin/jv-convert	--	gen_context(system_u:object_r:java_exec_t,s0)
@@ -2874,6 +2866,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/lib/opera(/.*)?/works	--	gen_context(system_u:object_r:java_exec_t,s0)
 +
 +/opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)?	--	gen_context(system_u:object_r:java_exec_t,s0)
++
++/usr/java/eclipse[^/]*/eclipse	--	gen_context(system_u:object_r:java_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.7.1/policy/modules/apps/java.if
 --- nsaserefpolicy/policy/modules/apps/java.if	2009-08-18 11:41:14.000000000 -0400
 +++ serefpolicy-3.7.1/policy/modules/apps/java.if	2009-11-17 11:06:58.000000000 -0500
@@ -3518,7 +3512,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.7.1/policy/modules/apps/mozilla.te
 --- nsaserefpolicy/policy/modules/apps/mozilla.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/apps/mozilla.te	2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/apps/mozilla.te	2009-11-20 08:13:05.000000000 -0500
 @@ -59,6 +59,7 @@
  manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
  manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
@@ -3527,7 +3521,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  # Mozpluggerrc
  allow mozilla_t mozilla_conf_t:file read_file_perms;
-@@ -97,6 +98,7 @@
+@@ -90,6 +91,7 @@
+ corenet_raw_sendrecv_generic_node(mozilla_t)
+ corenet_tcp_sendrecv_http_port(mozilla_t)
+ corenet_tcp_sendrecv_http_cache_port(mozilla_t)
++corenet_tcp_connect_flash_port(mozilla_t)
+ corenet_tcp_sendrecv_ftp_port(mozilla_t)
+ corenet_tcp_sendrecv_ipp_port(mozilla_t)
+ corenet_tcp_connect_http_port(mozilla_t)
+@@ -97,6 +99,7 @@
  corenet_tcp_connect_ftp_port(mozilla_t)
  corenet_tcp_connect_ipp_port(mozilla_t)
  corenet_tcp_connect_generic_port(mozilla_t)
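Review bot: `corenet_tcp_connect_flash_port(mozilla_t)` at L337 is added without a matching sendrecv rule, while the neighbouring http, http_cache, ftp and ipp ports each carry both a `corenet_tcp_sendrecv_*_port` line (L335-L339) and a `corenet_tcp_connect_*_port` line (L340, L342-L343). If this policy version still requires the sendrecv rule for traffic on a port type, a connect rule alone will not be enough; if it does not, a short comment on why flash differs from the others would avoid the question. Assuming the port-generated `corenet_tcp_sendrecv_flash_port` interface exists here, adding `corenet_tcp_sendrecv_flash_port(mozilla_t)` beside the other sendrecv lines keeps the pattern consistent. The mozilla_t block continues outside the hunk.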
@@ -3535,7 +3537,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  corenet_sendrecv_http_client_packets(mozilla_t)
  corenet_sendrecv_http_cache_client_packets(mozilla_t)
  corenet_sendrecv_ftp_client_packets(mozilla_t)
-@@ -114,6 +116,8 @@
+@@ -114,6 +117,8 @@
  dev_dontaudit_rw_dri(mozilla_t)
  dev_getattr_sysfs_dirs(mozilla_t)
  
@@ -3544,7 +3546,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  files_read_etc_runtime_files(mozilla_t)
  files_read_usr_files(mozilla_t)
  files_read_etc_files(mozilla_t)
-@@ -129,21 +133,18 @@
+@@ -129,21 +134,18 @@
  fs_rw_tmpfs_files(mozilla_t)
  
  term_dontaudit_getattr_pty_dirs(mozilla_t)
@@ -3569,7 +3571,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
  xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
-@@ -231,11 +232,15 @@
+@@ -231,11 +233,15 @@
  optional_policy(`
  	dbus_system_bus_client(mozilla_t)
  	dbus_session_bus_client(mozilla_t)
@@ -3585,7 +3587,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -256,5 +261,10 @@
+@@ -256,5 +262,10 @@
  ')
  
  optional_policy(`
@@ -4382,7 +4384,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.1/policy/modules/apps/pulseaudio.te
 --- nsaserefpolicy/policy/modules/apps/pulseaudio.te	2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/pulseaudio.te	2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/apps/pulseaudio.te	2009-11-19 14:58:11.000000000 -0500
+@@ -18,7 +18,7 @@
+ 
+ allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull };
+ allow pulseaudio_t self:fifo_file rw_file_perms;
+-allow pulseaudio_t self:unix_stream_socket create_stream_socket_perms;
++allow pulseaudio_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms };
+ allow pulseaudio_t self:tcp_socket create_stream_socket_perms;
+ allow pulseaudio_t self:udp_socket create_socket_perms;
 @@ -26,6 +26,7 @@
  
  can_exec(pulseaudio_t, pulseaudio_exec_t)
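Review bot: Adding `connectto` to pulseaudio_t's own unix_stream_socket rule (L392) lets the domain connect to sockets it listens on, and nothing records which code path needs that; the surrounding self rules (L389-L395) carry no comments either, but this one changes what the domain can reach rather than what it can create. A one-line why-comment above L392, such as `# connectto: pulseaudio connects to its own listening unix socket — <triggering program/path>` with the placeholder filled in from the denial that prompted the change, would let a later reviewer judge whether it is still required. The pulseaudio_t block continues outside the hunk.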
@@ -6051,422 +6062,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # network_node examples:
  #network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255)
  #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.1/policy/modules/kernel/devices.fc
---- nsaserefpolicy/policy/modules/kernel/devices.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/kernel/devices.fc	2009-11-17 11:06:58.000000000 -0500
-@@ -47,8 +47,10 @@
- /dev/kmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
- /dev/kmsg		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
- /dev/kqemu		-c	gen_context(system_u:object_r:qemu_device_t,s0)
-+/dev/ksm		-c	gen_context(system_u:object_r:ksm_device_t,s0)
- /dev/kvm		-c	gen_context(system_u:object_r:kvm_device_t,s0)
- /dev/lik.*		-c	gen_context(system_u:object_r:event_device_t,s0)
-+/dev/lirc[0-9]+        -c      gen_context(system_u:object_r:lirc_device_t,s0)
- /dev/lircm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
- /dev/logibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
- /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
-@@ -82,6 +84,7 @@
- /dev/radio.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
- /dev/random		-c	gen_context(system_u:object_r:random_device_t,s0)
- /dev/raw1394.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
-+/dev/rfkill		-c	gen_context(system_u:object_r:wireless_device_t,s0)
- /dev/(misc/)?rtc[0-9]*	-c	gen_context(system_u:object_r:clock_device_t,s0)
- /dev/sequencer		-c	gen_context(system_u:object_r:sound_device_t,s0)
- /dev/sequencer2		-c	gen_context(system_u:object_r:sound_device_t,s0)
-@@ -101,7 +104,7 @@
- /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
- ')
- /dev/vbi.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
--/dev/vboxadd.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
-+/dev/vbox.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
- /dev/vmmon		-c	gen_context(system_u:object_r:vmware_device_t,s0)
- /dev/vmnet.*		-c	gen_context(system_u:object_r:vmware_device_t,s0)
- /dev/video.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
-@@ -139,8 +142,11 @@
- 
- /dev/mapper/control	-c	gen_context(system_u:object_r:lvm_control_t,s0)
- 
-+/dev/modem -c	gen_context(system_u:object_r:modem_device_t,s0)
- /dev/mvideo/.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
- 
-+/dev/noz.* 		-c	gen_context(system_u:object_r:modem_device_t,s0)
-+
- /dev/pts(/.*)?			<<none>>
- 
- /dev/s(ou)?nd/.*	-c	gen_context(system_u:object_r:sound_device_t,s0)
-@@ -148,6 +154,8 @@
- /dev/touchscreen/ucb1x00 -c	gen_context(system_u:object_r:mouse_device_t,s0)
- /dev/touchscreen/mk712	-c	gen_context(system_u:object_r:mouse_device_t,s0)
- 
-+/dev/vga_arbiter	-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
-+
- /dev/usb/dc2xx.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
- /dev/usb/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
- /dev/usb/mdc800.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -168,6 +176,7 @@
- 
- ifdef(`distro_redhat',`
- # originally from named.fc
-+/var/named/chroot/dev -d	gen_context(system_u:object_r:device_t,s0)
- /var/named/chroot/dev/null -c	gen_context(system_u:object_r:null_device_t,s0)
- /var/named/chroot/dev/random -c	gen_context(system_u:object_r:random_device_t,s0)
- /var/named/chroot/dev/zero -c	gen_context(system_u:object_r:zero_device_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.1/policy/modules/kernel/devices.if
---- nsaserefpolicy/policy/modules/kernel/devices.if	2009-08-28 14:58:20.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/kernel/devices.if	2009-11-17 11:06:58.000000000 -0500
-@@ -1692,6 +1692,78 @@
- 
- ########################################
- ## <summary>
-+##	Get the attributes of the ksm devices.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_getattr_ksm_dev',`
-+	gen_require(`
-+		type device_t, ksm_device_t;
-+	')
-+
-+	getattr_chr_files_pattern($1, device_t, ksm_device_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Set the attributes of the ksm devices.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_setattr_ksm_dev',`
-+	gen_require(`
-+		type device_t, ksm_device_t;
-+	')
-+
-+	setattr_chr_files_pattern($1, device_t, ksm_device_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Read the ksm devices.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_read_ksm',`
-+	gen_require(`
-+		type device_t, ksm_device_t;
-+	')
-+
-+	read_chr_files_pattern($1, device_t, ksm_device_t)
-+')
-+
-+########################################
-+## <summary>
-+##      Read and write to ksm devices.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##      Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_rw_ksm',`
-+	gen_require(`
-+		type device_t, ksm_device_t;
-+	')
-+
-+	rw_chr_files_pattern($1, device_t, ksm_device_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Get the attributes of the kvm devices.
- ## </summary>
- ## <param name="domain">
-@@ -1762,6 +1834,61 @@
- 	rw_chr_files_pattern($1, device_t, kvm_device_t)
- ')
- 
-+######################################
-+## <summary>
-+##      Read the lirc device.
-+## </summary>
-+## <param name="domain">
-+##      <summary>
-+##      Domain allowed access.
-+##      </summary>
-+## </param>
-+#
-+interface(`dev_read_lirc',`
-+        gen_require(`
-+                type device_t, lirc_device_t;
-+        ')
-+
-+        read_chr_files_pattern($1, device_t, lirc_device_t)
-+')
-+
-+######################################
-+## <summary>
-+##      Read and write the lirc device.
-+## </summary>
-+## <param name="domain">
-+##      <summary>
-+##      Domain allowed access.
-+##      </summary>
-+## </param>
-+#
-+interface(`dev_rw_lirc',`
-+        gen_require(`
-+                type device_t, lirc_device_t;
-+        ')
-+
-+        rw_chr_files_pattern($1, device_t, lirc_device_t)
-+')
-+
-+######################################
-+## <summary>
-+##      Automatic type transition to the type
-+##      for lirc device nodes when created in /dev.
-+## </summary>
-+## <param name="domain">
-+##      <summary>
-+##      Domain allowed access.
-+##      </summary>
-+## </param>
-+#
-+interface(`dev_filetrans_lirc',`
-+        gen_require(`
-+                type device_t, lirc_device_t;
-+        ')
-+
-+        filetrans_pattern($1, device_t, lirc_device_t, chr_file)
-+')
-+
- ########################################
- ## <summary>
- ##	Read the lvm comtrol device.
-@@ -1818,6 +1945,25 @@
- 
- ########################################
- ## <summary>
-+##	Do not audit attempts to read and write lvm control device.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_dontaudit_rw_lvm_control_dev',`
-+	gen_require(`
-+		type lvm_control_t;
-+	')
-+
-+	dontaudit $1 lvm_control_t:chr_file rw_file_perms;
-+')
-+
-+
-+########################################
-+## <summary>
- ##	dontaudit getattr raw memory devices (e.g. /dev/mem).
- ## </summary>
- ## <param name="domain">
-@@ -2046,6 +2192,78 @@
- 
- ########################################
- ## <summary>
-+##	Get the attributes of the modem devices.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_getattr_modem_dev',`
-+	gen_require(`
-+		type device_t, modem_device_t;
-+	')
-+
-+	getattr_chr_files_pattern($1, device_t, modem_device_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Set the attributes of the modem devices.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_setattr_modem_dev',`
-+	gen_require(`
-+		type device_t, modem_device_t;
-+	')
-+
-+	setattr_chr_files_pattern($1, device_t, modem_device_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Read the modem devices.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_read_modem',`
-+	gen_require(`
-+		type device_t, modem_device_t;
-+	')
-+
-+	read_chr_files_pattern($1, device_t, modem_device_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Read and write to modem devices.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_rw_modem',`
-+	gen_require(`
-+		type device_t, modem_device_t;
-+	')
-+
-+	rw_chr_files_pattern($1, device_t, modem_device_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Get the attributes of the mouse devices.
- ## </summary>
- ## <param name="domain">
-@@ -2305,6 +2523,25 @@
- 
- ########################################
- ## <summary>
-+##	Delete the null device (/dev/null).
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_delete_null',`
-+	gen_require(`
-+		type device_t, null_device_t;
-+	')
-+
-+	allow $1 device_t:dir del_entry_dir_perms;
-+	allow $1 null_device_t:chr_file unlink;
-+')
-+
-+########################################
-+## <summary>
- ##	Read and write to the null device (/dev/null).
- ## </summary>
- ## <param name="domain">
-@@ -3599,6 +3836,24 @@
- 
- ########################################
- ## <summary>
-+##	Read and write the the wireless device.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_rw_wireless',`
-+	gen_require(`
-+		type device_t, wireless_device_t;
-+	')
-+
-+	rw_chr_files_pattern($1, device_t, wireless_device_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Read and write Xen devices.
- ## </summary>
- ## <param name="domain">
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.1/policy/modules/kernel/devices.te
---- nsaserefpolicy/policy/modules/kernel/devices.te	2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/kernel/devices.te	2009-11-17 11:06:58.000000000 -0500
-@@ -84,6 +84,13 @@
- dev_node(kmsg_device_t)
- 
- #
-+# ksm_device_t is the type of
-+# /dev/ksm
-+#
-+type ksm_device_t;
-+dev_node(ksm_device_t)
-+
-+#
- # kvm_device_t is the type of
- # /dev/kvm
- #
-@@ -91,6 +98,12 @@
- dev_node(kvm_device_t)
- 
- #
-+# Type for /dev/lirc
-+#
-+type lirc_device_t;
-+dev_node(lirc_device_t)
-+
-+#
- # Type for /dev/mapper/control
- #
- type lvm_control_t;
-@@ -110,6 +123,12 @@
- dev_node(misc_device_t)
- 
- #
-+# A general type for modem devices.
-+#
-+type modem_device_t;
-+dev_node(modem_device_t)
-+
-+#
- # A more general type for mouse devices.
- #
- type mouse_device_t;
-@@ -224,6 +243,12 @@
- type watchdog_device_t;
- dev_node(watchdog_device_t)
- 
-+#
-+# wireless control devices 
-+#
-+type wireless_device_t;
-+dev_node(wireless_device_t)
-+
- type xen_device_t;
- dev_node(xen_device_t)
- 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.1/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2009-07-14 14:19:57.000000000 -0400
 +++ serefpolicy-3.7.1/policy/modules/kernel/domain.if	2009-11-17 11:06:58.000000000 -0500
@@ -6836,7 +6431,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.1/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2009-11-12 13:24:12.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/kernel/files.if	2009-11-18 16:23:37.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/kernel/files.if	2009-11-20 10:08:42.000000000 -0500
 @@ -932,10 +932,8 @@
  	relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
  	relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -7711,73 +7306,44 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  #
  # Rules for all filesystem types
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.1/policy/modules/kernel/kernel.if
---- nsaserefpolicy/policy/modules/kernel/kernel.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/kernel/kernel.if	2009-11-17 11:06:58.000000000 -0500
-@@ -485,6 +485,25 @@
+--- nsaserefpolicy/policy/modules/kernel/kernel.if	2009-11-20 10:51:41.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/kernel/kernel.if	2009-11-19 14:06:58.000000000 -0500
+@@ -1848,7 +1848,7 @@
+ 	')
+ 
+ 	dontaudit $1 sysctl_type:dir list_dir_perms;
+-	dontaudit $1 sysctl_type:file getattr;
++	dontaudit $1 sysctl_type:file read_file_perms;
+ ')
  
  ########################################
- ## <summary>
-+##	Allows caller to request the kernel to load a module
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`kernel_request_load_module',`
-+	gen_require(`
-+		type kernel_t;
-+	')
-+
-+	allow $1 kernel_t:system module_request;
-+')
-+
-+########################################
-+## <summary>
- ##	Get information on all System V IPC objects.
- ## </summary>
- ## <param name="domain">
-@@ -922,6 +941,28 @@
+@@ -1919,6 +1919,25 @@
  
  ########################################
  ## <summary>
-+##	Allows caller to read th core kernel interface.
++##	Mount a kernel unlabeled filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	The process type getting the attibutes.
++##	The type of the domain mounting the filesystem.
 +##	</summary>
 +## </param>
 +#
-+interface(`kernel_read_core_if',`
++interface(`kernel_mount_unlabeled',`
 +	gen_require(`
-+		type proc_t, proc_kcore_t;
-+		attribute can_dump_kernel;
++		type unlabeled_t;
 +	')
 +
-+	read_files_pattern($1, proc_t, proc_kcore_t)
-+	list_dirs_pattern($1, proc_t, proc_t)
-+
-+	typeattribute $1 can_dump_kernel;
++	allow $1 unlabeled_t:filesystem mount;
 +')
 +
++
 +########################################
 +## <summary>
- ##	Do not audit attempts to get the attributes of
- ##	core kernel interfaces.
+ ##	Send general signals to unlabeled processes.
  ## </summary>
-@@ -1807,7 +1848,7 @@
- 	')
- 
- 	dontaudit $1 sysctl_type:dir list_dir_perms;
--	dontaudit $1 sysctl_type:file getattr;
-+	dontaudit $1 sysctl_type:file read_file_perms;
- ')
- 
- ########################################
-@@ -2621,6 +2662,24 @@
+ ## <param name="domain">
+@@ -2662,6 +2681,24 @@
  
  ########################################
  ## <summary>
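Review bot: The added blank line at L902 leaves two consecutive empty lines between the closing `')` of `kernel_mount_unlabeled` (L900-L901) and the next `########` banner (L903), while every other interface boundary in this file uses a single empty line; drop the L902 addition. The new interface itself (L888-L900) is documented consistently with its neighbours, and the rest of the hunk only removes interfaces from the patch, so the extra separator is the only thing to change.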
@@ -7802,7 +7368,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Unconfined access to kernel module resources.
  ## </summary>
  ## <param name="domain">
-@@ -2636,3 +2695,22 @@
+@@ -2677,3 +2714,22 @@
  
  	typeattribute $1 kern_unconfined;
  ')
@@ -7826,17 +7392,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	allow $1 kernel_t:unix_stream_socket connectto;
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.1/policy/modules/kernel/kernel.te
---- nsaserefpolicy/policy/modules/kernel/kernel.te	2009-08-14 16:14:31.000000000 -0400
+--- nsaserefpolicy/policy/modules/kernel/kernel.te	2009-11-20 10:51:41.000000000 -0500
 +++ serefpolicy-3.7.1/policy/modules/kernel/kernel.te	2009-11-17 11:06:58.000000000 -0500
-@@ -9,6 +9,7 @@
- # assertion related attributes
- attribute can_load_kernmodule;
- attribute can_receive_kernel_messages;
-+attribute can_dump_kernel;
- 
- neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module;
- 
-@@ -63,6 +64,15 @@
+@@ -64,6 +64,15 @@
  genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
  
  #
@@ -7852,16 +7410,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # kvmFS
  #
  
-@@ -90,7 +100,7 @@
- 
- # /proc kcore: inaccessible
- type proc_kcore_t, proc_type;
--neverallow ~kern_unconfined proc_kcore_t:file ~getattr;
-+neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~getattr;
- genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
- 
- type proc_mdstat_t, proc_type;
-@@ -165,6 +175,7 @@
+@@ -166,6 +175,7 @@
  #
  type unlabeled_t;
  sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@@ -7869,7 +7418,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  # These initial sids are no longer used, and can be removed:
  sid any_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -255,7 +266,8 @@
+@@ -256,7 +266,8 @@
  
  selinux_load_policy(kernel_t)
  
@@ -7879,7 +7428,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  corecmd_exec_shell(kernel_t)
  corecmd_list_bin(kernel_t)
-@@ -269,6 +281,8 @@
+@@ -270,6 +281,8 @@
  files_list_etc(kernel_t)
  files_list_home(kernel_t)
  files_read_usr_files(kernel_t)
@@ -7888,10 +7437,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  mcs_process_set_categories(kernel_t)
  
-@@ -276,12 +290,18 @@
+@@ -277,12 +290,18 @@
  mls_process_write_down(kernel_t)
  mls_file_write_all_levels(kernel_t)
- mls_file_read_all_levels(kernel_t) 
+ mls_file_read_all_levels(kernel_t)
 +mls_socket_write_all_levels(kernel_t) 
 +mls_fd_share_all_levels(kernel_t) 
 +
@@ -7907,20 +7456,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  optional_policy(`
  	hotplug_search_config(kernel_t)
  ')
-@@ -355,7 +375,11 @@
+@@ -359,6 +378,10 @@
+ 	unconfined_domain_noaudit(kernel_t)
  ')
  
- optional_policy(`
--	unconfined_domain(kernel_t)
-+	unconfined_domain_noaudit(kernel_t)
-+')
-+
 +optional_policy(`
 +	xserver_xdm_manage_spool(kernel_t)
- ')
- 
++')
++
  ########################################
-@@ -387,3 +411,5 @@
+ #
+ # Unlabeled process local policy
+@@ -388,3 +411,5 @@
  allow kern_unconfined unlabeled_t:association *;
  allow kern_unconfined unlabeled_t:packet *;
  allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
@@ -7986,19 +7533,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	fs_type($1)
 +	mls_trusted_object($1)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.7.1/policy/modules/kernel/storage.fc
---- nsaserefpolicy/policy/modules/kernel/storage.fc	2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/kernel/storage.fc	2009-11-17 11:06:58.000000000 -0500
-@@ -28,6 +28,7 @@
- /dev/megadev.*		-c	gen_context(system_u:object_r:removable_device_t,s0)
- /dev/mmcblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
- /dev/mspblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
-+/dev/mtd.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
- /dev/nb[^/]+		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
- /dev/optcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
- /dev/p[fg][0-3]		-b	gen_context(system_u:object_r:removable_device_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.7.1/policy/modules/kernel/storage.if
---- nsaserefpolicy/policy/modules/kernel/storage.if	2009-07-14 14:19:57.000000000 -0400
+--- nsaserefpolicy/policy/modules/kernel/storage.if	2009-11-20 10:51:41.000000000 -0500
 +++ serefpolicy-3.7.1/policy/modules/kernel/storage.if	2009-11-17 11:06:58.000000000 -0500
 @@ -266,6 +266,7 @@
  
@@ -8008,15 +7544,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -529,7 +530,7 @@
- 
- 	')
- 
--	dontaudit $1 removable_device_t:blk_file { getattr ioctl read };
-+	dontaudit $1 removable_device_t:blk_file read_blk_file_perms;
- ')
- 
- ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.7.1/policy/modules/kernel/terminal.fc
 --- nsaserefpolicy/policy/modules/kernel/terminal.fc	2009-07-14 14:19:57.000000000 -0400
 +++ serefpolicy-3.7.1/policy/modules/kernel/terminal.fc	2009-11-17 11:06:58.000000000 -0500
@@ -9317,8 +8844,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.1/policy/modules/roles/unconfineduser.te
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/roles/unconfineduser.te	2009-11-18 16:34:24.000000000 -0500
-@@ -0,0 +1,426 @@
++++ serefpolicy-3.7.1/policy/modules/roles/unconfineduser.te	2009-11-20 08:01:52.000000000 -0500
+@@ -0,0 +1,427 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -9380,6 +8907,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +#
 +
 +dontaudit unconfined_t self:dir write;
++dontaudit unconfined_t self:file setattr;
 +
 +allow unconfined_t self:system syslog_read;
 +dontaudit unconfined_t self:capability sys_module;
@@ -9898,7 +9426,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.1/policy/modules/roles/xguest.te
 --- nsaserefpolicy/policy/modules/roles/xguest.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/roles/xguest.te	2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/roles/xguest.te	2009-11-20 08:12:41.000000000 -0500
 @@ -31,16 +31,37 @@
  
  userdom_restricted_xwindows_user_template(xguest)
@@ -9958,7 +9486,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -75,9 +101,16 @@
+@@ -75,9 +101,17 @@
  ')
  
  optional_policy(`
@@ -9971,6 +9499,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +		networkmanager_read_var_lib_files(xguest_t)
 +		corenet_tcp_connect_pulseaudio_port(xguest_t)
 +		corenet_tcp_connect_ipp_port(xguest_t)
++		corenet_tcp_connect_http_port(xguest_t)
  	')
  ')
  
@@ -10124,7 +9653,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	All of the rules required to administrate 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.1/policy/modules/services/abrt.te
 --- nsaserefpolicy/policy/modules/services/abrt.te	2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/abrt.te	2009-11-18 16:55:40.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/services/abrt.te	2009-11-19 14:06:09.000000000 -0500
 @@ -33,12 +33,23 @@
  type abrt_var_run_t;
  files_pid_file(abrt_var_run_t)
@@ -10197,7 +9726,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  sysnet_read_config(abrt_t)
  
-@@ -96,22 +118,60 @@
+@@ -96,22 +118,64 @@
  miscfiles_read_certs(abrt_t)
  miscfiles_read_localization(abrt_t)
  
@@ -10211,6 +9740,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +optional_policy(`
++	nis_use_ypbind(abrt_t)
++')
++
++optional_policy(`
 +	nsplugin_read_rw_files(abrt_t)
 +	nsplugin_read_home(abrt_t)
 +')
@@ -10424,7 +9957,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.7.1/policy/modules/services/aisexec.te
 --- nsaserefpolicy/policy/modules/services/aisexec.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/aisexec.te	2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/services/aisexec.te	2009-11-20 10:04:14.000000000 -0500
 @@ -0,0 +1,112 @@
 +
 +policy_module(aisexec,1.0.0)
@@ -10552,10 +10085,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.1/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/apache.fc	2009-11-18 10:24:03.000000000 -0500
-@@ -1,12 +1,16 @@
--HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
-+HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
++++ serefpolicy-3.7.1/policy/modules/services/apache.fc	2009-11-19 15:03:04.000000000 -0500
+@@ -2,11 +2,15 @@
  
  /etc/apache(2)?(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
  /etc/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_config_t,s0)
@@ -12107,6 +11638,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # cjp: related to sleep/resume (?)
  optional_policy(`
  	xserver_domtrans(apmd_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.7.1/policy/modules/services/arpwatch.te
+--- nsaserefpolicy/policy/modules/services/arpwatch.te	2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.7.1/policy/modules/services/arpwatch.te	2009-11-19 09:58:15.000000000 -0500
+@@ -34,6 +34,7 @@
+ allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms };
+ allow arpwatch_t self:udp_socket create_socket_perms;
+ allow arpwatch_t self:packet_socket create_socket_perms;
++allow arpwatch_t self:socket create_socket_perms;
+ 
+ manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
+ manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
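Review bot: `allow arpwatch_t self:socket create_socket_perms;` grants the generic `socket` class, which the kernel falls back to for any address family without a dedicated class, so it is wider than the packet/tcp/udp rules beside it and does not record which family arpwatch actually opened. If the denial came from a family that has its own class (one of the netlink_*_socket classes, for instance), that class should be used instead of the catch-all. Otherwise keep the rule but name the trigger in a comment, e.g. `# generic socket for <family>, seen in AVC at arpwatch startup`, so it is not cargo-culted later.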
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.7.1/policy/modules/services/asterisk.if
 --- nsaserefpolicy/policy/modules/services/asterisk.if	2009-07-14 14:19:57.000000000 -0400
 +++ serefpolicy-3.7.1/policy/modules/services/asterisk.if	2009-11-17 11:06:58.000000000 -0500
@@ -12139,7 +11681,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	All of the rules required to administrate 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.7.1/policy/modules/services/asterisk.te
 --- nsaserefpolicy/policy/modules/services/asterisk.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/asterisk.te	2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/services/asterisk.te	2009-11-19 13:52:42.000000000 -0500
 @@ -34,6 +34,8 @@
  type asterisk_var_run_t;
  files_pid_file(asterisk_var_run_t)
@@ -14305,7 +13847,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	allow $1 devicekit_t:process { ptrace signal_perms getattr };
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.1/policy/modules/services/devicekit.te
 --- nsaserefpolicy/policy/modules/services/devicekit.te	2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/devicekit.te	2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/services/devicekit.te	2009-11-19 16:38:18.000000000 -0500
 @@ -36,12 +36,15 @@
  manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
  manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
@@ -14397,7 +13939,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
 +
 +optional_policy(`
-+	virt_read_images(devicekit_disk_t)
++	virt_manage_images(devicekit_disk_t)
 +')
 +
 +optional_policy(`
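Review bot: Replacing `virt_read_images` with `virt_manage_images` moves devicekit_disk_t from read-only to create/write/delete on every virt_image_t file, so a buggy or compromised devicekit-disks could now alter or remove VM disk images rather than just read them. Nothing in the hunk says which operation needed more than read; if it is only opening an image read-write (to probe or mount it), a read/write interface without create/unlink, if virt.if provides one, would be the tighter fit. A one-line comment above the optional_policy naming the triggering use case would let the grant be judged on its own.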
@@ -17411,19 +16953,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +miscfiles_read_localization(upsdrvctl_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.7.1/policy/modules/services/nx.fc
 --- nsaserefpolicy/policy/modules/services/nx.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/nx.fc	2009-11-17 11:06:58.000000000 -0500
-@@ -1,6 +1,7 @@
++++ serefpolicy-3.7.1/policy/modules/services/nx.fc	2009-11-20 10:11:27.000000000 -0500
+@@ -1,6 +1,8 @@
  /opt/NX/bin/nxserver		--	gen_context(system_u:object_r:nx_server_exec_t,s0)
  
  /opt/NX/home/nx/\.ssh(/.*)?		gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
 +/var/lib/nxserver/home/.ssh(/.*)?  	gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
++/var/lib/nxserver(/.*)? 		gen_context(system_u:object_r:nx_server_var_lib_t,s0)
  
  /opt/NX/var(/.*)?			gen_context(system_u:object_r:nx_server_var_run_t,s0)
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.7.1/policy/modules/services/nx.if
 --- nsaserefpolicy/policy/modules/services/nx.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/nx.if	2009-11-17 11:06:58.000000000 -0500
-@@ -17,3 +17,22 @@
++++ serefpolicy-3.7.1/policy/modules/services/nx.if	2009-11-20 10:16:07.000000000 -0500
+@@ -17,3 +17,70 @@
  
  	spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t)
  ')
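Review bot: The new catch-all `/var/lib/nxserver(/.*)?` overlaps the existing `/var/lib/nxserver/home/.ssh(/.*)?` entry directly above it, so the nx user's key directory now depends on file-context precedence (the longer, more specific regex wins) to keep its nx_server_home_ssh_t label; a short comment on the new line, e.g. `# home/.ssh above stays nx_server_home_ssh_t (more specific match)`, would make that intentional. While here, the .ssh entry spells the dot unescaped (`home/.ssh`), so it also matches names like `homeXssh`; `home/\.ssh` would match the `\.xauth` style used in xserver.fc. The spaces-plus-tab alignment on the added line also differs from the tab-only alignment of its neighbours.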
@@ -17440,26 +16983,88 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +#
 +interface(`nx_read_home_files',`
 +	gen_require(`
-+		type nx_server_home_ssh_t;
++		type nx_server_home_ssh_t, nx_server_var_lib_t;
 +	')
 +
++	allow $1  nx_server_var_lib_t:dir search_dir_perms;
 +	read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
 +	read_lnk_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
 +')
++
++########################################
++## <summary>
++##	Read nx home directory content
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`nx_search_var_lib',`
++	gen_require(`
++		type nx_server_var_lib_t;
++	')
++
++	allow $1  nx_server_var_lib_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
++##	Create an object in the root directory, with a private
++##	type using a type transition.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="private type">
++##	<summary>
++##	The type of the object to be created.
++##	</summary>
++## </param>
++## <param name="object">
++##	<summary>
++##	The object class of the object being created.
++##	</summary>
++## </param>
++#
++interface(`nx_var_lib_filetrans',`
++	gen_require(`
++		type nx_server_var_lib_t;
++	')
++
++	filetrans_pattern($1, nx_server_var_lib_t, $2, $3)
++')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.7.1/policy/modules/services/nx.te
 --- nsaserefpolicy/policy/modules/services/nx.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/nx.te	2009-11-17 11:06:58.000000000 -0500
-@@ -25,6 +25,9 @@
++++ serefpolicy-3.7.1/policy/modules/services/nx.te	2009-11-20 10:15:44.000000000 -0500
+@@ -25,6 +25,12 @@
  type nx_server_var_run_t;
  files_pid_file(nx_server_var_run_t)
  
++type nx_server_var_lib_t;
++files_type(nx_server_var_lib_t)
++
 +type nx_server_home_ssh_t;
 +files_type(nx_server_home_ssh_t)
 +
  ########################################
  #
  # NX server local policy
-@@ -44,6 +47,9 @@
+@@ -37,6 +43,10 @@
+ allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr };
+ term_create_pty(nx_server_t, nx_server_devpts_t)
+ 
++manage_files_pattern(nx_server_t, nx_server_var_lib_t,nx_server_var_lib_t)
++manage_dirs_pattern(nx_server_t, nx_server_var_lib_t,nx_server_var_lib_t)
++files_var_lib_filetrans(nx_server_t,nx_server_var_lib_t, { file dir })
++
+ manage_dirs_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
+ manage_files_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
+ files_tmp_filetrans(nx_server_t, nx_server_tmp_t, { file dir })
+@@ -44,6 +54,9 @@
  manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t)
  files_pid_filetrans(nx_server_t, nx_server_var_run_t, file)
  
@@ -23397,7 +23002,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/run/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:svirt_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.1/policy/modules/services/virt.if
 --- nsaserefpolicy/policy/modules/services/virt.if	2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/virt.if	2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/services/virt.if	2009-11-19 16:38:10.000000000 -0500
 @@ -136,7 +136,7 @@
  	')
  
@@ -24035,7 +23640,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.1/policy/modules/services/xserver.fc
 --- nsaserefpolicy/policy/modules/services/xserver.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/xserver.fc	2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/services/xserver.fc	2009-11-20 10:11:53.000000000 -0500
 @@ -3,12 +3,19 @@
  #
  HOME_DIR/\.fonts\.conf	--	gen_context(system_u:object_r:user_fonts_config_t,s0)
@@ -24091,7 +23696,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /usr/bin/xauth		--	gen_context(system_u:object_r:xauth_exec_t,s0)
  /usr/bin/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
  ifdef(`distro_debian', `
-@@ -89,16 +93,31 @@
+@@ -89,17 +93,35 @@
  
  /var/[xgk]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
  
@@ -24099,19 +23704,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/lib/[gxkw]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
  /var/lib/xkb(/.*)?		gen_context(system_u:object_r:xkb_var_lib_t,s0)
 +/var/lib/xorg(/.*)?		gen_context(system_u:object_r:xserver_var_lib_t,s0)
++
++/var/cache/gdm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
  
 -/var/log/[kw]dm\.log	--	gen_context(system_u:object_r:xserver_log_t,s0)
 -/var/log/gdm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
-+/var/cache/gdm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
-+
 +/var/log/gdm(/.*)?		gen_context(system_u:object_r:xdm_log_t,s0)
 +/var/log/[kw]dm\.log.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
  /var/log/XFree86.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
  /var/log/Xorg.*		--	gen_context(system_u:object_r:xserver_log_t,s0)
 +/var/log/nvidia-installer\.log.* --	gen_context(system_u:object_r:xserver_log_t,s0)
-+
-+/var/spool/gdm(/.*)?	 	gen_context(system_u:object_r:xdm_spool_t,s0)
  
++/var/spool/gdm(/.*)?	 	gen_context(system_u:object_r:xdm_spool_t,s0)
++
 +/var/run/slim(/.*)?	 	gen_context(system_u:object_r:xdm_var_run_t,s0)
 +/var/run/kdm(/.*)?	 	gen_context(system_u:object_r:xdm_var_run_t,s0)
 +/var/run/gdm(/.*)?	 	gen_context(system_u:object_r:xdm_var_run_t,s0)
@@ -24126,6 +23731,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  ifdef(`distro_suse',`
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
+ ')
++
++/var/lib/nxserver/home/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
++/var/lib/nxserver/home/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.1/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2009-09-09 15:37:17.000000000 -0400
 +++ serefpolicy-3.7.1/policy/modules/services/xserver.if	2009-11-17 11:06:58.000000000 -0500
@@ -25001,7 +24610,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.1/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/xserver.te	2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/services/xserver.te	2009-11-20 10:12:02.000000000 -0500
 @@ -34,6 +34,13 @@
  
  ## <desc>
@@ -25184,7 +24793,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  xserver_rw_xdm_tmp_files(xauth_t)
  
  tunable_policy(`use_nfs_home_dirs',`
-@@ -289,6 +318,11 @@
+@@ -289,6 +318,15 @@
  	fs_manage_cifs_files(xauth_t)
  ')
  
@@ -25193,10 +24802,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	dev_dontaudit_rw_dri(xauth_t)
 +')
 +
++optional_policy(`
++	nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
++')
++
  optional_policy(`
  	ssh_sigchld(xauth_t)
  	ssh_read_pipes(xauth_t)
-@@ -300,20 +334,31 @@
+@@ -300,20 +338,31 @@
  # XDM Local policy
  #
  
@@ -25231,7 +24844,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  # Allow gdm to run gdm-binary
  can_exec(xdm_t, xdm_exec_t)
-@@ -325,26 +370,43 @@
+@@ -325,26 +374,43 @@
  # this is ugly, daemons should not create files under /etc!
  manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t)
  
@@ -25282,7 +24895,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  allow xdm_t xserver_t:process signal;
  allow xdm_t xserver_t:unix_stream_socket connectto;
-@@ -358,6 +420,7 @@
+@@ -358,6 +424,7 @@
  allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
  
  allow xdm_t xserver_t:shm rw_shm_perms;
@@ -25290,7 +24903,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -366,10 +429,14 @@
+@@ -366,10 +433,14 @@
  delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  
@@ -25306,7 +24919,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  kernel_read_system_state(xdm_t)
  kernel_read_kernel_sysctls(xdm_t)
-@@ -389,11 +456,13 @@
+@@ -389,11 +460,13 @@
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -25320,7 +24933,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  dev_read_rand(xdm_t)
  dev_read_sysfs(xdm_t)
  dev_getattr_framebuffer_dev(xdm_t)
-@@ -401,6 +470,7 @@
+@@ -401,6 +474,7 @@
  dev_getattr_mouse_dev(xdm_t)
  dev_setattr_mouse_dev(xdm_t)
  dev_rw_apm_bios(xdm_t)
@@ -25328,7 +24941,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  dev_setattr_apm_bios_dev(xdm_t)
  dev_rw_dri(xdm_t)
  dev_rw_agp(xdm_t)
-@@ -413,14 +483,17 @@
+@@ -413,14 +487,17 @@
  dev_setattr_video_dev(xdm_t)
  dev_getattr_scanner_dev(xdm_t)
  dev_setattr_scanner_dev(xdm_t)
@@ -25348,7 +24961,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -431,9 +504,13 @@
+@@ -431,9 +508,13 @@
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -25362,7 +24975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,6 +519,7 @@
+@@ -442,6 +523,7 @@
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -25370,7 +24983,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  term_setattr_console(xdm_t)
  term_use_unallocated_ttys(xdm_t)
-@@ -450,6 +528,7 @@
+@@ -450,6 +532,7 @@
  auth_domtrans_pam_console(xdm_t)
  auth_manage_pam_pid(xdm_t)
  auth_manage_pam_console_data(xdm_t)
@@ -25378,7 +24991,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  auth_rw_faillog(xdm_t)
  auth_write_login_records(xdm_t)
  
-@@ -460,10 +539,12 @@
+@@ -460,10 +543,12 @@
  
  logging_read_generic_logs(xdm_t)
  
@@ -25393,7 +25006,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -472,6 +553,10 @@
+@@ -472,6 +557,10 @@
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -25404,7 +25017,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  xserver_rw_session(xdm_t, xdm_tmpfs_t)
  xserver_unconfined(xdm_t)
-@@ -504,10 +589,12 @@
+@@ -504,10 +593,12 @@
  
  optional_policy(`
  	alsa_domtrans(xdm_t)
@@ -25417,7 +25030,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -515,12 +602,47 @@
+@@ -515,12 +606,47 @@
  ')
  
  optional_policy(`
@@ -25465,7 +25078,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	hostname_exec(xdm_t)
  ')
  
-@@ -542,6 +664,38 @@
+@@ -542,6 +668,38 @@
  ')
  
  optional_policy(`
@@ -25504,7 +25117,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	seutil_sigchld_newrole(xdm_t)
  ')
  
-@@ -550,8 +704,9 @@
+@@ -550,8 +708,9 @@
  ')
  
  optional_policy(`
@@ -25516,7 +25129,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -560,7 +715,6 @@
+@@ -560,7 +719,6 @@
  	ifdef(`distro_rhel4',`
  		allow xdm_t self:process { execheap execmem };
  	')
@@ -25524,7 +25137,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  optional_policy(`
  	userhelper_dontaudit_search_config(xdm_t)
-@@ -571,6 +725,10 @@
+@@ -571,6 +729,10 @@
  ')
  
  optional_policy(`
@@ -25535,7 +25148,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -587,10 +745,9 @@
+@@ -587,10 +749,9 @@
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -25547,7 +25160,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
  allow xserver_t self:sock_file read_sock_file_perms;
-@@ -602,9 +759,12 @@
+@@ -602,9 +763,12 @@
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -25560,7 +25173,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
  
-@@ -616,13 +776,14 @@
+@@ -616,13 +780,14 @@
  type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
  
  allow xserver_t { rootwindow_t x_domain }:x_drawable send;
@@ -25576,7 +25189,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -635,9 +796,19 @@
+@@ -635,9 +800,19 @@
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -25596,7 +25209,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -671,7 +842,6 @@
+@@ -671,7 +846,6 @@
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -25604,7 +25217,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  dev_create_generic_dirs(xserver_t)
  dev_setattr_generic_dirs(xserver_t)
  # raw memory access is needed if not using the frame buffer
-@@ -681,9 +851,12 @@
+@@ -681,9 +855,12 @@
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -25618,7 +25231,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  files_read_etc_files(xserver_t)
  files_read_etc_runtime_files(xserver_t)
-@@ -698,8 +871,12 @@
+@@ -698,8 +875,12 @@
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -25631,7 +25244,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -721,6 +898,7 @@
+@@ -721,6 +902,7 @@
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -25639,7 +25252,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  modutils_domtrans_insmod(xserver_t)
  
-@@ -743,7 +921,7 @@
+@@ -743,7 +925,7 @@
  ')
  
  ifdef(`enable_mls',`
@@ -25648,7 +25261,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
  ')
  
-@@ -775,12 +953,20 @@
+@@ -775,12 +957,20 @@
  ')
  
  optional_policy(`
@@ -25670,7 +25283,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -807,12 +993,12 @@
+@@ -807,12 +997,12 @@
  allow xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xserver_t xdm_var_lib_t:dir search;
  
@@ -25687,7 +25300,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  # Run xkbcomp.
  allow xserver_t xkb_var_lib_t:lnk_file read;
-@@ -828,9 +1014,14 @@
+@@ -828,9 +1018,14 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -25702,7 +25315,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
  	fs_manage_nfs_files(xserver_t)
-@@ -845,11 +1036,14 @@
+@@ -845,11 +1040,14 @@
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -25718,7 +25331,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -882,6 +1076,8 @@
+@@ -882,6 +1080,8 @@
  # X Server
  # can read server-owned resources
  allow x_domain xserver_t:x_resource read;
@@ -25727,7 +25340,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # can mess with own clients
  allow x_domain self:x_client { manage destroy };
  
-@@ -906,6 +1102,8 @@
+@@ -906,6 +1106,8 @@
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
  
@@ -25736,7 +25349,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # X Colormaps
  # can use the default colormap
  allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -973,17 +1171,49 @@
+@@ -973,17 +1175,49 @@
  allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
  allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
  
@@ -27205,7 +26818,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.1/policy/modules/system/ipsec.te
 --- nsaserefpolicy/policy/modules/system/ipsec.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/ipsec.te	2009-11-18 16:16:02.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/system/ipsec.te	2009-11-19 09:40:34.000000000 -0500
 @@ -6,6 +6,13 @@
  # Declarations
  #
@@ -27351,21 +26964,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  # manage pid file
  manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
-@@ -297,6 +329,13 @@
+@@ -296,6 +328,14 @@
+ 
  kernel_read_system_state(racoon_t)
  kernel_read_network_state(racoon_t)
- 
++kernel_request_load_module(racoon_t)
++
 +can_exec(racoon_t, racoon_exec_t)
 +
 +corecmd_exec_shell(racoon_t)
 +corecmd_exec_bin(racoon_t)
 +
 +sysnet_exec_ifconfig(racoon_t)
-+
+ 
  corenet_all_recvfrom_unlabeled(racoon_t)
  corenet_tcp_sendrecv_all_if(racoon_t)
- corenet_udp_sendrecv_all_if(racoon_t)
-@@ -314,6 +353,8 @@
+@@ -314,6 +354,8 @@
  
  files_read_etc_files(racoon_t)
  
@@ -27374,7 +26988,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # allow racoon to use avc_has_perm to check context on proposed SA
  selinux_compute_access_vector(racoon_t)
  
-@@ -328,6 +369,14 @@
+@@ -328,6 +370,14 @@
  
  miscfiles_read_localization(racoon_t)
  
@@ -27389,7 +27003,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
  #
  # Setkey local policy
-@@ -341,12 +390,15 @@
+@@ -341,12 +391,15 @@
  read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
  read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
  
@@ -28965,7 +28579,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.1/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/mount.te	2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.1/policy/modules/system/mount.te	2009-11-19 14:07:23.000000000 -0500
 @@ -18,8 +18,12 @@
  init_system_domain(mount_t, mount_exec_t)
  role system_r types mount_t;
@@ -29003,7 +28617,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  allow mount_t mount_loopback_t:file read_file_perms;
  
-@@ -47,21 +59,37 @@
+@@ -47,21 +59,38 @@
  
  files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
  
@@ -29013,11 +28627,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +files_var_filetrans(mount_t,mount_var_run_t,dir)
 +
 +# In order to mount reiserfs_t
++kernel_dontaudit_getattr_core_if(mount_t)
 +kernel_list_unlabeled(mount_t)
++kernel_mount_unlabeled(mount_t)
  kernel_read_system_state(mount_t)
 +kernel_read_network_state(mount_t)
  kernel_read_kernel_sysctls(mount_t)
- kernel_dontaudit_getattr_core_if(mount_t)
+-kernel_dontaudit_getattr_core_if(mount_t)
 +kernel_search_debugfs(mount_t)
 +kernel_setsched(mount_t)
 +kernel_use_fds(mount_t)
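Review bot: `++kernel_mount_unlabeled(mount_t)` on the new side is inserted directly under the existing `# In order to mount reiserfs_t` comment, which only explains `kernel_list_unlabeled(mount_t)`, so the new grant inherits a justification that does not describe it. Permitting mount_t to mount filesystems that carry no SELinux label is a broader allowance than listing them, and it deserves its own why-comment, e.g. `# mount_t must also be able to mount filesystems that carry no label (unlabeled_t)` placed above the new line. The `kernel_dontaudit_getattr_core_if(mount_t)` line is only relocated here (removed below, re-added above), so the net change is the single new interface call, which is consistent with the inner hunk header moving from `+59,37` to `+59,38` in the preceding hunk. The inner `@@ -47,21 +59,38 @@` hunk of mount.te continues outside this view, so I could not confirm whether a matching changelog entry accompanies the new permission.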
@@ -29041,7 +28657,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  files_search_all(mount_t)
  files_read_etc_files(mount_t)
-@@ -70,7 +98,7 @@
+@@ -70,7 +99,7 @@
  files_mounton_all_mountpoints(mount_t)
  files_unmount_rootfs(mount_t)
  # These rules need to be generalized.  Only admin, initrc should have it:
@@ -29050,7 +28666,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  files_mount_all_file_type_fs(mount_t)
  files_unmount_all_file_type_fs(mount_t)
  # for when /etc/mtab loses its type
-@@ -80,15 +108,17 @@
+@@ -80,15 +109,17 @@
  files_read_usr_files(mount_t)
  files_list_mnt(mount_t)
  
@@ -29071,7 +28687,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  mls_file_read_all_levels(mount_t)
  mls_file_write_all_levels(mount_t)
-@@ -99,6 +129,7 @@
+@@ -99,6 +130,7 @@
  storage_raw_write_fixed_disk(mount_t)
  storage_raw_read_removable_device(mount_t)
  storage_raw_write_removable_device(mount_t)
@@ -29079,7 +28695,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  term_use_all_terms(mount_t)
  
-@@ -107,6 +138,8 @@
+@@ -107,6 +139,8 @@
  init_use_fds(mount_t)
  init_use_script_ptys(mount_t)
  init_dontaudit_getattr_initctl(mount_t)
@@ -29088,7 +28704,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  logging_send_syslog_msg(mount_t)
  
-@@ -117,6 +150,7 @@
+@@ -117,6 +151,7 @@
  seutil_read_config(mount_t)
  
  userdom_use_all_users_fds(mount_t)
@@ -29096,7 +28712,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -132,6 +166,10 @@
+@@ -132,6 +167,10 @@
  	')
  ')
  
@@ -29107,7 +28723,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  tunable_policy(`allow_mount_anyfile',`
  	auth_read_all_dirs_except_shadow(mount_t)
  	auth_read_all_files_except_shadow(mount_t)
-@@ -165,6 +203,8 @@
+@@ -165,6 +204,8 @@
  	fs_search_rpc(mount_t)
  
  	rpc_stub(mount_t)
@@ -29116,7 +28732,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -172,6 +212,25 @@
+@@ -172,6 +213,25 @@
  ')
  
  optional_policy(`
@@ -29142,7 +28758,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	ifdef(`hide_broken_symptoms',`
  		# for a bug in the X server
  		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -179,6 +238,11 @@
+@@ -179,6 +239,11 @@
  	')
  ')
  
@@ -29154,7 +28770,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # for kernel package installation
  optional_policy(`
  	rpm_rw_pipes(mount_t)
-@@ -186,6 +250,7 @@
+@@ -186,6 +251,7 @@
  
  optional_policy(`
  	samba_domtrans_smbmount(mount_t)
@@ -29162,7 +28778,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -195,5 +260,8 @@
+@@ -195,5 +261,8 @@
  
  optional_policy(`
  	files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c06d6e3..e844528 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 %define CHECKPOLICYVER 2.0.16-3
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 3.7.1
+Version: 3.7.2
 Release: 1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
diff --git a/sources b/sources
index bad52c6..881f21d 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 3651679c4b12a31d2ba5f4305bba5540  config.tgz
-e6bfc4fb384c2ff376951bd9fc6e1411  serefpolicy-3.7.1.tgz
+7caf1e23a7c13a97f49d83c82b042c27  serefpolicy-3.7.2.tgz