diff --git a/modules-minimum.conf b/modules-minimum.conf
index a90e16b..4363833 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -968,6 +968,13 @@ miscfiles = base
#
mls = base
+# Layer: services
+# Module: mock
+#
+# Policy for mock rpm builder
+#
+mock = base
+
# Layer: system
# Module: modutils
#
diff --git a/modules-targeted.conf b/modules-targeted.conf
index a90e16b..4363833 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -968,6 +968,13 @@ miscfiles = base
#
mls = base
+# Layer: services
+# Module: mock
+#
+# Policy for mock rpm builder
+#
+mock = base
+
# Layer: system
# Module: modutils
#
diff --git a/policy-F14.patch b/policy-F14.patch
index bf26b9a..8545ce1 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -602,8 +602,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
+/usr/sbin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.8.3/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2010-05-25 16:28:22.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/admin/netutils.te 2010-06-08 11:32:10.000000000 -0400
-@@ -144,15 +144,27 @@
++++ serefpolicy-3.8.3/policy/modules/admin/netutils.te 2010-06-10 08:42:54.000000000 -0400
+@@ -52,6 +52,8 @@
+
+ kernel_search_proc(netutils_t)
+ kernel_read_all_sysctls(netutils_t)
++kernel_read_network_state(netutils_t)
++kernel_request_load_module(netutils_t)
+
+ corenet_all_recvfrom_unlabeled(netutils_t)
+ corenet_all_recvfrom_netlabel(netutils_t)
+@@ -144,15 +146,27 @@
init_dontaudit_use_fds(ping_t)
optional_policy(`
@@ -631,9 +640,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
pcmcia_use_cardmgr_fds(ping_t)
')
-@@ -213,3 +225,10 @@
+@@ -212,4 +226,12 @@
+ #rules needed for nmap
dev_read_rand(traceroute_t)
dev_read_urand(traceroute_t)
++dev_read_usbmon_dev(netutils_t)
files_read_usr_files(traceroute_t)
+
+term_use_all_terms(traceroute_t)
@@ -763,7 +774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc
/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.8.3/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2010-05-25 16:28:22.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/admin/rpm.if 2010-06-08 11:32:10.000000000 -0400
++++ serefpolicy-3.8.3/policy/modules/admin/rpm.if 2010-06-09 17:43:12.000000000 -0400
@@ -13,11 +13,36 @@
interface(`rpm_domtrans',`
gen_require(`
@@ -883,7 +894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
')
########################################
-@@ -556,3 +626,48 @@
+@@ -556,3 +626,66 @@
files_pid_filetrans($1, rpm_var_run_t, file)
')
@@ -932,6 +943,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
+')
+
+
++########################################
++## <summary>
++## Make rpm_exec_t an entry point for
++## the specified domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`rpm_entry_type',`
++ gen_require(`
++ type rpm_exec_t;
++ ')
++
++ domain_entry_file($1, rpm_exec_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.8.3/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2010-05-25 16:28:22.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/admin/rpm.te 2010-06-08 11:32:10.000000000 -0400
@@ -1119,8 +1148,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
java_domtrans_unconfined(rpm_script_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.8.3/policy/modules/admin/shorewall.te
--- nsaserefpolicy/policy/modules/admin/shorewall.te 2010-05-25 16:28:22.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/admin/shorewall.te 2010-06-08 11:32:10.000000000 -0400
-@@ -87,7 +87,11 @@
++++ serefpolicy-3.8.3/policy/modules/admin/shorewall.te 2010-06-11 10:56:42.000000000 -0400
+@@ -81,13 +81,18 @@
+
+ init_rw_utmp(shorewall_t)
+
++logging_read_generic_logs(shorewall_t)
+ logging_send_syslog_msg(shorewall_t)
+
+ miscfiles_read_localization(shorewall_t)
sysnet_domtrans_ifconfig(shorewall_t)
@@ -4986,7 +5022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc
/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.8.3/policy/modules/apps/qemu.if
--- nsaserefpolicy/policy/modules/apps/qemu.if 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.8.3/policy/modules/apps/qemu.if 2010-06-08 11:32:10.000000000 -0400
++++ serefpolicy-3.8.3/policy/modules/apps/qemu.if 2010-06-09 17:41:04.000000000 -0400
@@ -127,12 +127,14 @@
template(`qemu_role',`
gen_require(`
@@ -6678,7 +6714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.8.3/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-05-25 16:28:22.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/kernel/corenetwork.te.in 2010-06-08 11:32:10.000000000 -0400
++++ serefpolicy-3.8.3/policy/modules/kernel/corenetwork.te.in 2010-06-11 11:15:13.000000000 -0400
@@ -25,6 +25,7 @@
#
type tun_tap_device_t;
@@ -6774,8 +6810,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
-@@ -184,15 +202,17 @@
+@@ -182,17 +200,20 @@
+ network_port(sap, tcp,9875,s0, udp,9875,s0)
+ network_port(sieve, tcp,4190,s0)
network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0)
++network_port(sixxsconfig, tcp,3874,s0, udp,3874,s0)
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
-network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0)
@@ -6793,7 +6832,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(syslogd, udp,514,s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
-@@ -205,13 +225,13 @@
+@@ -205,13 +226,13 @@
network_port(varnishd, tcp,6081,s0, tcp,6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@@ -10880,19 +10919,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.
corenet_tcp_sendrecv_generic_if(afs_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.fc serefpolicy-3.8.3/policy/modules/services/aiccu.fc
--- nsaserefpolicy/policy/modules/services/aiccu.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.3/policy/modules/services/aiccu.fc 2010-06-08 11:32:10.000000000 -0400
-@@ -0,0 +1,5 @@
++++ serefpolicy-3.8.3/policy/modules/services/aiccu.fc 2010-06-11 11:16:28.000000000 -0400
+@@ -0,0 +1,6 @@
++/etc/aiccu.conf -- gen_context(system_u:object_r:aiccu_etc_t,s0)
++/etc/rc\.d/init\.d/aiccu -- gen_context(system_u:object_r:aiccu_initrc_exec_t,s0)
+
-+/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0)
++/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0)
+
-+/etc/rc\.d/init\.d/aiccu -- gen_context(system_u:object_r:aiccu_initrc_exec_t,s0)
-+/var/run/aiccu.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0)
++/var/run/aiccu\.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.if serefpolicy-3.8.3/policy/modules/services/aiccu.if
--- nsaserefpolicy/policy/modules/services/aiccu.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.3/policy/modules/services/aiccu.if 2010-06-08 11:32:10.000000000 -0400
-@@ -0,0 +1,119 @@
-+
-+## <summary>policy for aiccu</summary>
++++ serefpolicy-3.8.3/policy/modules/services/aiccu.if 2010-06-11 11:15:13.000000000 -0400
+@@ -0,0 +1,118 @@
++## <summary>Automatic IPv6 Connectivity Client Utility.</summary>
+
+########################################
+## <summary>
@@ -10910,6 +10949,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
+ ')
+
+ domtrans_pattern($1, aiccu_exec_t, aiccu_t)
++ corecmd_search_bin($1)
+')
+
+
@@ -10919,7 +10959,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
+## </summary>
+## <param name="domain">
+## <summary>
-+## The type of the process performing this action.
++## Domain allowed to transition.
+## </summary>
+## </param>
+#
@@ -10946,13 +10986,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
+ type aiccu_var_run_t;
+ ')
+
-+ files_search_pids($1)
+ allow $1 aiccu_var_run_t:file read_file_perms;
++ files_search_pids($1)
+')
+
+########################################
+## <summary>
-+## Manage aiccu var_run files.
++## Manage aiccu PID files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -10965,15 +11005,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
+ type aiccu_var_run_t;
+ ')
+
-+ manage_dirs_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
-+ manage_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
-+ manage_lnk_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
++ manage_dirs_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
++ manage_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
++ manage_lnk_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
++ files_search_pids($1)
+')
+
+
+########################################
+## <summary>
-+## All of the rules required to administrate
++## All of the rules required to administrate
+## an aiccu environment
+## </summary>
+## <param name="domain">
@@ -10990,31 +11031,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
+#
+interface(`aiccu_admin',`
+ gen_require(`
-+ type aiccu_t;
++ type aiccu_t, aiccu_initrc_exec_t, aiccu_etc_t;
++ type aiccu_var_run_t;
+ ')
+
-+ allow $1 aiccu_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, aiccu_t, aiccu_t)
-+
-+
-+ gen_require(`
-+ type aiccu_initrc_exec_t;
-+ ')
++ allow $1 aiccu_t:process { ptrace signal_perms };
++ ps_process_pattern($1, aiccu_t)
+
-+ # Allow aiccu_t to restart the apache service
+ aiccu_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 aiccu_initrc_exec_t system_r;
+ allow $2 system_r;
+
-+ aiccu_manage_var_run($1)
++ admin_pattern($1, aiccu_etc_t)
++ files_search_etc($1)
+
++ admin_pattern($1, aiccu_var_run_t)
++ files_search_pids($1)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.te serefpolicy-3.8.3/policy/modules/services/aiccu.te
--- nsaserefpolicy/policy/modules/services/aiccu.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.3/policy/modules/services/aiccu.te 2010-06-08 11:32:10.000000000 -0400
-@@ -0,0 +1,42 @@
-+policy_module(aiccu,1.0.0)
++++ serefpolicy-3.8.3/policy/modules/services/aiccu.te 2010-06-11 11:20:20.000000000 -0400
+@@ -0,0 +1,71 @@
++
++policy_module(aiccu, 1.0.0)
+
+########################################
+#
@@ -11028,6 +11068,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
+type aiccu_initrc_exec_t;
+init_script_file(aiccu_initrc_exec_t)
+
++type aiccu_etc_t;
++files_config_file(aiccu_etc_t)
++
+type aiccu_var_run_t;
+files_pid_file(aiccu_var_run_t)
+
@@ -11036,25 +11079,50 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
+# aiccu local policy
+#
+
-+allow aiccu_t self:capability { kill };
-+allow aiccu_t self:process { fork signal };
++allow aiccu_t self:capability { kill net_admin };
++allow aiccu_t self:process signal;
++allow aiccu_t self:fifo_file rw_file_perms;
++allow aiccu_t self:netlink_route_socket create_netlink_socket_perms;
++allow aiccu_t self:tcp_socket create_stream_socket_perms;
++allow aiccu_t self:tun_socket create_socket_perms;
++allow aiccu_t self:udp_socket create_stream_socket_perms;
++allow aiccu_t self:unix_stream_socket create_stream_socket_perms;
++
++allow aiccu_t aiccu_etc_t:file read_file_perms;
++
++manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
++manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
++files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir })
++
++kernel_read_system_state(aiccu_t)
++
++corecmd_exec_shell(aiccu_t)
++
++corenet_all_recvfrom_netlabel(aiccu_t)
++corenet_all_recvfrom_unlabeled(aiccu_t)
++corenet_tcp_bind_generic_node(aiccu_t)
++corenet_tcp_sendrecv_generic_if(aiccu_t)
++corenet_tcp_sendrecv_generic_node(aiccu_t)
++corenet_tcp_sendrecv_generic_port(aiccu_t)
++corenet_sendrecv_sixxsconfig_client_packets(aiccu_t)
++corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t)
++corenet_tcp_connect_sixxsconfig_port(aiccu_t)
++corenet_rw_tun_tap_dev(aiccu_t)
+
-+# Init script handling
+domain_use_interactive_fds(aiccu_t)
+
-+# internal communication is often done using fifo and unix sockets.
-+allow aiccu_t self:fifo_file rw_file_perms;
-+allow aiccu_t self:unix_stream_socket create_stream_socket_perms;
++dev_read_rand(aiccu_t)
++dev_read_urand(aiccu_t)
+
+files_read_etc_files(aiccu_t)
+
-+corenet_rw_tun_tap_dev(aiccu_t)
++logging_send_syslog_msg(aiccu_t)
+
+miscfiles_read_localization(aiccu_t)
+
-+manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
-+manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
-+files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir })
++modutils_domtrans_insmod(aiccu_t)
++
++sysnet_domtrans_ifconfig(aiccu_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.8.3/policy/modules/services/aisexec.te
--- nsaserefpolicy/policy/modules/services/aisexec.te 2010-05-25 16:28:22.000000000 -0400
@@ -12987,7 +13055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir
+/var/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmirrord.if serefpolicy-3.8.3/policy/modules/services/cmirrord.if
--- nsaserefpolicy/policy/modules/services/cmirrord.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.3/policy/modules/services/cmirrord.if 2010-06-08 11:32:10.000000000 -0400
++++ serefpolicy-3.8.3/policy/modules/services/cmirrord.if 2010-06-10 08:52:34.000000000 -0400
@@ -0,0 +1,118 @@
+
+## <summary>policy for cmirrord</summary>
@@ -13060,14 +13128,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir
+interface(`cmirrord_rw_shm',`
+ gen_require(`
+ type cmirrord_t;
-+ type cmirrord_tmpfs_t;
++ type cmirrord_tmpfs_t;
+ ')
+
+ allow $1 cmirrord_t:shm { rw_shm_perms destroy };
+ allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
-+ delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
-+ read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
++ delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
++ read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+ fs_search_tmpfs($1)
+')
+
@@ -13320,7 +13388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.8.3/policy/modules/services/corosync.te
--- nsaserefpolicy/policy/modules/services/corosync.te 2010-05-25 16:28:22.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/services/corosync.te 2010-06-08 11:32:10.000000000 -0400
++++ serefpolicy-3.8.3/policy/modules/services/corosync.te 2010-06-11 11:31:01.000000000 -0400
@@ -33,8 +33,8 @@
# corosync local policy
#
@@ -13368,17 +13436,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
userdom_rw_user_tmpfs_files(corosync_t)
optional_policy(`
-@@ -91,6 +97,10 @@
+@@ -91,12 +97,12 @@
')
optional_policy(`
+- # to communication with RHCS
+- rhcs_rw_dlm_controld_semaphores(corosync_t)
+-
+- rhcs_rw_fenced_semaphores(corosync_t)
+ cmirrord_rw_shm(corosync_t)
+')
-+
+
+- rhcs_rw_gfs_controld_semaphores(corosync_t)
+optional_policy(`
- # to communication with RHCS
- rhcs_rw_dlm_controld_semaphores(corosync_t)
++ # to communication with RHCS
++ rhcs_rw_cluster_shm(corosync_t)
+ ')
+ optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.8.3/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2009-09-16 09:09:20.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/cron.fc 2010-06-08 11:32:10.000000000 -0400
@@ -15791,6 +15866,301 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milt
## Manage spamassassin milter state
## </summary>
## <param name="domain">
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock.fc serefpolicy-3.8.3/policy/modules/services/mock.fc
+--- nsaserefpolicy/policy/modules/services/mock.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.8.3/policy/modules/services/mock.fc 2010-06-09 17:38:11.000000000 -0400
+@@ -0,0 +1,6 @@
++
++/usr/sbin/mock -- gen_context(system_u:object_r:mock_exec_t,s0)
++
++/var/lib/mock(/.*)? gen_context(system_u:object_r:mock_var_lib_t,s0)
++
++/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock.if serefpolicy-3.8.3/policy/modules/services/mock.if
+--- nsaserefpolicy/policy/modules/services/mock.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.8.3/policy/modules/services/mock.if 2010-06-09 17:38:11.000000000 -0400
+@@ -0,0 +1,183 @@
++
++## <summary>policy for mock</summary>
++
++########################################
++## <summary>
++## Execute a domain transition to run mock.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`mock_domtrans',`
++ gen_require(`
++ type mock_t, mock_exec_t;
++ ')
++
++ domtrans_pattern($1, mock_exec_t, mock_t)
++')
++
++
++########################################
++## <summary>
++## Search mock lib directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mock_search_lib',`
++ gen_require(`
++ type mock_var_lib_t;
++ ')
++
++ allow $1 mock_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++## Read mock lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mock_read_lib_files',`
++ gen_require(`
++ type mock_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
++')
++
++########################################
++## <summary>
++## Create, read, write, and delete
++## mock lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mock_manage_lib_files',`
++ gen_require(`
++ type mock_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
++')
++
++########################################
++## <summary>
++## Manage mock lib dirs files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mock_manage_lib_dirs',`
++ gen_require(`
++ type mock_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t)
++')
++
++
++########################################
++## <summary>
++## Execute mock in the mock domain, and
++## allow the specified role the mock domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed the mock domain.
++## </summary>
++## </param>
++#
++interface(`mock_run',`
++ gen_require(`
++ type mock_t;
++ ')
++
++ mock_domtrans($1)
++ role $2 types mock_t;
++')
++
++########################################
++## <summary>
++## Role access for mock
++## </summary>
++## <param name="role">
++## <summary>
++## Role allowed access
++## </summary>
++## </param>
++## <param name="domain">
++## <summary>
++## User domain for the role
++## </summary>
++## </param>
++#
++interface(`mock_role',`
++ gen_require(`
++ type mock_t;
++ ')
++
++ role $1 types mock_t;
++
++ mock_domtrans($2)
++
++ ps_process_pattern($2, mock_t)
++ allow $2 mock_t:process signal;
++')
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an mock environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`mock_admin',`
++ gen_require(`
++ type mock_t;
++ type mock_var_lib_t;
++ ')
++
++ allow $1 mock_t:process { ptrace signal_perms };
++ ps_process_pattern($1, mock_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, mock_var_lib_t)
++
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock.te serefpolicy-3.8.3/policy/modules/services/mock.te
+--- nsaserefpolicy/policy/modules/services/mock.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.8.3/policy/modules/services/mock.te 2010-06-09 17:44:30.000000000 -0400
+@@ -0,0 +1,94 @@
++policy_module(mock,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type mock_t;
++type mock_exec_t;
++application_domain(mock_t, mock_exec_t)
++domain_role_change_exemption(mock_t)
++domain_system_change_exemption(mock_t)
++role system_r types mock_t;
++
++permissive mock_t;
++
++type mock_cache_t;
++files_type(mock_cache_t)
++
++type mock_tmp_t;
++files_tmp_file(mock_tmp_t)
++
++type mock_var_lib_t;
++files_type(mock_var_lib_t)
++
++########################################
++#
++# mock local policy
++#
++allow mock_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner };
++allow mock_t self:process { siginh noatsecure signull transition rlimitinh setsched setpgid };
++dontaudit mock_t self:process { siginh noatsecure rlimitinh };
++allow mock_t self:fifo_file manage_fifo_file_perms;
++allow mock_t self:unix_stream_socket create_stream_socket_perms;
++allow mock_t self:unix_dgram_socket create_socket_perms;
++
++manage_dirs_pattern(mock_t, mock_cache_t, mock_cache_t)
++manage_files_pattern(mock_t, mock_cache_t, mock_cache_t)
++files_var_filetrans(mock_t, mock_cache_t, { dir file } )
++
++manage_dirs_pattern(mock_t, mock_tmp_t, mock_tmp_t)
++manage_files_pattern(mock_t, mock_tmp_t, mock_tmp_t)
++files_tmp_filetrans(mock_t, mock_tmp_t, { dir file } )
++can_exec(mock_t, mock_tmp_t)
++
++manage_dirs_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
++manage_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
++manage_lnk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
++manage_chr_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
++files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file } )
++can_exec(mock_t, mock_var_lib_t)
++allow mock_t mock_var_lib_t:dir mounton;
++
++kernel_list_proc(mock_t)
++kernel_read_irq_sysctls(mock_t)
++kernel_read_system_state(mock_t)
++kernel_read_kernel_sysctls(mock_t)
++
++corecmd_exec_bin(mock_t)
++corecmd_exec_shell(mock_t)
++
++corenet_tcp_connect_http_port(mock_t)
++
++dev_read_urand(mock_t)
++
++domain_poly(mock_t)
++domain_read_all_domains_state(mock_t)
++domain_use_interactive_fds(mock_t)
++
++files_read_etc_files(mock_t)
++files_read_usr_files(mock_t)
++
++fs_getattr_all_fs(mock_t)
++
++selinux_get_enforce_mode(mock_t)
++
++auth_use_nsswitch(mock_t)
++
++init_exec(mock_t)
++
++libs_domtrans_ldconfig(mock_t)
++
++logging_send_audit_msgs(mock_t)
++logging_send_syslog_msg(mock_t)
++
++miscfiles_read_localization(mock_t)
++
++mount_domtrans(mock_t)
++
++optional_policy(`
++ rpm_exec(mock_t)
++ rpm_manage_db(mock_t)
++ rpm_entry_type(mock_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.8.3/policy/modules/services/modemmanager.te
--- nsaserefpolicy/policy/modules/services/modemmanager.te 2010-05-25 16:28:22.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/modemmanager.te 2010-06-08 11:32:10.000000000 -0400
@@ -19103,10 +19473,89 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
mysql_domtrans_mysql_safe(rgmanager_t)
mysql_stream_connect(rgmanager_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.8.3/policy/modules/services/rhcs.if
+--- nsaserefpolicy/policy/modules/services/rhcs.if 2010-05-25 16:28:22.000000000 -0400
++++ serefpolicy-3.8.3/policy/modules/services/rhcs.if 2010-06-11 11:30:32.000000000 -0400
+@@ -14,6 +14,7 @@
+ template(`rhcs_domain_template',`
+ gen_require(`
+ attribute cluster_domain;
++ attribute cluster_tmpfs;
+ ')
+
+ ##############################
+@@ -25,7 +26,7 @@
+ type $1_exec_t;
+ init_daemon_domain($1_t, $1_exec_t)
+
+- type $1_tmpfs_t;
++ type $1_tmpfs_t, cluster_tmpfs;
+ files_tmpfs_file($1_tmpfs_t)
+
+ type $1_var_log_t;
+@@ -335,6 +336,28 @@
+ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+ ')
+
++########################################
++## <summary>
++## Read and write to group shared memory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`rhcs_rw_cluster_shm',`
++ gen_require(`
++ attribute cluster_domain;
++ attribute cluster_tmpfs;
++ ')
++
++ allow $1 cluster_domain:shm { rw_shm_perms destroy };
++
++ fs_search_tmpfs($1)
++ manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs)
++')
++
+ ######################################
+ ## <summary>
+ ## Execute a domain transition to run qdiskd.
+@@ -353,3 +376,21 @@
+ corecmd_search_bin($1)
+ domtrans_pattern($1, qdiskd_exec_t, qdiskd_t)
+ ')
++
++########################################
++## <summary>
++## Allow domain to read qdiskd tmpfs files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`rhcs_read_qdiskd_tmpfs_files',`
++ gen_require(`
++ type qdiskd_tmpfs_t;
++ ')
++
++ allow $1 qdiskd_tmpfs_t:file read_file_perms;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.8.3/policy/modules/services/rhcs.te
--- nsaserefpolicy/policy/modules/services/rhcs.te 2010-05-25 16:28:22.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/services/rhcs.te 2010-06-08 11:32:10.000000000 -0400
-@@ -56,17 +56,13 @@
++++ serefpolicy-3.8.3/policy/modules/services/rhcs.te 2010-06-11 11:31:16.000000000 -0400
+@@ -14,6 +14,7 @@
+ gen_tunable(fenced_can_network_connect, false)
+
+ attribute cluster_domain;
++attribute cluster_tmpfs;
+
+ rhcs_domain_template(dlm_controld)
+
+@@ -56,17 +57,13 @@
init_rw_script_tmp_files(dlm_controld_t)
@@ -19125,7 +19574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
allow fenced_t self:tcp_socket create_stream_socket_perms;
allow fenced_t self:udp_socket create_socket_perms;
-@@ -83,7 +79,10 @@
+@@ -83,7 +80,10 @@
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
@@ -19136,7 +19585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
corenet_tcp_connect_http_port(fenced_t)
-@@ -107,7 +106,6 @@
+@@ -107,7 +107,6 @@
optional_policy(`
ccs_read_config(fenced_t)
@@ -19144,7 +19593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
')
optional_policy(`
-@@ -140,10 +138,6 @@
+@@ -140,10 +139,6 @@
init_rw_script_tmp_files(gfs_controld_t)
optional_policy(`
@@ -19155,7 +19604,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
')
-@@ -169,7 +163,7 @@
+@@ -169,7 +164,7 @@
# qdiskd local policy
#
@@ -19164,7 +19613,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
allow qdiskd_t self:tcp_socket create_stream_socket_perms;
allow qdiskd_t self:udp_socket create_socket_perms;
-@@ -208,10 +202,6 @@
+@@ -208,10 +203,6 @@
auth_use_nsswitch(qdiskd_t)
optional_policy(`
@@ -19175,7 +19624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
netutils_domtrans_ping(qdiskd_t)
')
-@@ -237,5 +227,9 @@
+@@ -237,5 +228,9 @@
miscfiles_read_localization(cluster_domain)
optional_policy(`
@@ -21127,6 +21576,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varn
#######################################
## <summary>
## Read varnish logs.
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.8.3/policy/modules/services/vhostmd.if
+--- nsaserefpolicy/policy/modules/services/vhostmd.if 2010-03-29 15:04:22.000000000 -0400
++++ serefpolicy-3.8.3/policy/modules/services/vhostmd.if 2010-06-10 08:52:54.000000000 -0400
+@@ -42,7 +42,7 @@
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.8.3/policy/modules/services/vhostmd.te
--- nsaserefpolicy/policy/modules/services/vhostmd.te 2010-03-29 15:04:22.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/vhostmd.te 2010-06-08 11:32:10.000000000 -0400
@@ -23631,7 +24092,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
# /var
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.8.3/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2010-03-18 10:35:11.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/system/init.if 2010-06-09 16:31:07.000000000 -0400
++++ serefpolicy-3.8.3/policy/modules/system/init.if 2010-06-09 17:42:17.000000000 -0400
@@ -193,8 +193,10 @@
gen_require(`
attribute direct_run_init, direct_init, direct_init_entry;
@@ -28117,7 +28578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+HOME_DIR/\.gvfs(/.*)? <<none>>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.8.3/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-06-08 10:35:48.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/system/userdomain.if 2010-06-08 11:56:33.000000000 -0400
++++ serefpolicy-3.8.3/policy/modules/system/userdomain.if 2010-06-10 09:12:21.000000000 -0400
@@ -30,8 +30,9 @@
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index fbc1780..2374cee 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.8.3
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,10 @@ exit 0
%endif
%changelog
+* Wed Jun 9 2010 Dan Walsh <dwalsh@redhat.com> 3.8.3-3
+- Cleanup of aiccu policy
+- initial mock policy
+
* Wed Jun 9 2010 Dan Walsh <dwalsh@redhat.com> 3.8.3-2
- Lots of random fixes