diff --git a/.cvsignore b/.cvsignore index 107ca45..7c484f7 100644 --- a/.cvsignore +++ b/.cvsignore @@ -193,3 +193,4 @@ serefpolicy-3.6.32.tgz serefpolicy-3.6.33.tgz serefpolicy-3.7.1.tgz serefpolicy-3.7.2.tgz +serefpolicy-3.7.3.tgz diff --git a/nsadiff b/nsadiff index b1c3c22..9404411 100755 --- a/nsadiff +++ b/nsadiff @@ -1 +1 @@ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.7.1 > /tmp/diff +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.7.3 > /tmp/diff diff --git a/policy-F13.patch b/policy-F13.patch index 4a2d764..ac3e349 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -1,6 +1,6 @@ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.1/Makefile +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.3/Makefile --- nsaserefpolicy/Makefile 2009-08-18 11:41:14.000000000 -0400 -+++ serefpolicy-3.7.1/Makefile 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/Makefile 2009-11-25 12:39:13.000000000 -0500 @@ -244,7 +244,7 @@ appdir := $(contextpath) user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts) @@ -10,9 +10,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Mak net_contexts := $(builddir)net_contexts all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.7.1/policy/global_tunables +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.7.3/policy/global_tunables --- nsaserefpolicy/policy/global_tunables 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.1/policy/global_tunables 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/global_tunables 2009-11-25 12:39:13.000000000 -0500 @@ -61,15 +61,6 @@ ## @@ -48,9 +48,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +gen_tunable(mmap_low_allowed, false) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.7.1/policy/modules/admin/alsa.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.7.3/policy/modules/admin/alsa.te --- nsaserefpolicy/policy/modules/admin/alsa.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/admin/alsa.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/admin/alsa.te 2009-11-25 12:39:13.000000000 -0500 @@ -51,6 +51,8 @@ files_read_etc_files(alsa_t) files_read_usr_files(alsa_t) @@ -60,9 +60,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(alsa_t) init_use_fds(alsa_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.7.1/policy/modules/admin/anaconda.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.7.3/policy/modules/admin/anaconda.te --- nsaserefpolicy/policy/modules/admin/anaconda.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/admin/anaconda.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/admin/anaconda.te 2009-11-25 12:39:13.000000000 -0500 @@ -31,6 +31,7 @@ modutils_domtrans_insmod(anaconda_t) @@ -80,9 +80,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.7.1/policy/modules/admin/brctl.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.7.3/policy/modules/admin/brctl.te --- nsaserefpolicy/policy/modules/admin/brctl.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/admin/brctl.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/admin/brctl.te 2009-11-25 12:39:13.000000000 -0500 @@ -21,7 +21,7 @@ allow brctl_t self:unix_dgram_socket create_socket_perms; allow brctl_t self:tcp_socket create_socket_perms; @@ -92,9 +92,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_network_state(brctl_t) kernel_read_sysctl(brctl_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.7.1/policy/modules/admin/certwatch.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.7.3/policy/modules/admin/certwatch.te --- nsaserefpolicy/policy/modules/admin/certwatch.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/admin/certwatch.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/admin/certwatch.te 2009-11-25 12:39:13.000000000 -0500 @@ -36,7 +36,7 @@ miscfiles_read_localization(certwatch_t) @@ -104,9 +104,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` apache_exec_modules(certwatch_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.7.1/policy/modules/admin/consoletype.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.7.3/policy/modules/admin/consoletype.te --- nsaserefpolicy/policy/modules/admin/consoletype.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/admin/consoletype.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/admin/consoletype.te 2009-11-25 12:39:13.000000000 -0500 @@ -84,6 +84,7 @@ optional_policy(` hal_dontaudit_use_fds(consoletype_t) @@ -115,17 +115,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.fc serefpolicy-3.7.1/policy/modules/admin/dmesg.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.fc serefpolicy-3.7.3/policy/modules/admin/dmesg.fc --- nsaserefpolicy/policy/modules/admin/dmesg.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/admin/dmesg.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/admin/dmesg.fc 2009-11-25 12:39:13.000000000 -0500 @@ -1,2 +1,4 @@ /bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) + +/usr/sbin/mcelog -- gen_context(system_u:object_r:dmesg_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.7.1/policy/modules/admin/dmesg.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.7.3/policy/modules/admin/dmesg.te --- nsaserefpolicy/policy/modules/admin/dmesg.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/admin/dmesg.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/admin/dmesg.te 2009-11-25 12:39:13.000000000 -0500 @@ -9,6 +9,7 @@ type dmesg_t; type dmesg_exec_t; @@ -167,9 +167,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +#mcelog needs +dev_read_raw_memory(dmesg_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.7.1/policy/modules/admin/firstboot.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.7.3/policy/modules/admin/firstboot.te --- nsaserefpolicy/policy/modules/admin/firstboot.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/admin/firstboot.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/admin/firstboot.te 2009-11-25 12:39:13.000000000 -0500 @@ -91,8 +91,12 @@ userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file }) @@ -192,44 +192,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.fc serefpolicy-3.7.1/policy/modules/admin/kismet.fc ---- nsaserefpolicy/policy/modules/admin/kismet.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/admin/kismet.fc 2009-11-17 11:06:58.000000000 -0500 -@@ -1,3 +1,5 @@ -+HOME_DIR/\.kismet(/.*)? gen_context(system_u:object_r:kismet_home_t,s0) -+ - /usr/bin/kismet -- gen_context(system_u:object_r:kismet_exec_t,s0) - /var/lib/kismet(/.*)? gen_context(system_u:object_r:kismet_var_lib_t,s0) - /var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.7.1/policy/modules/admin/kismet.te ---- nsaserefpolicy/policy/modules/admin/kismet.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/admin/kismet.te 2009-11-17 11:06:58.000000000 -0500 -@@ -26,6 +26,9 @@ - type kismet_var_run_t; - files_pid_file(kismet_var_run_t) - -+type kismet_home_t; -+userdom_user_home_content(kismet_home_t) -+ - ######################################## - # - # kismet local policy -@@ -59,6 +62,12 @@ - allow kismet_t kismet_var_run_t:dir manage_dir_perms; - files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir }) - -+manage_dirs_pattern(kismet_t, kismet_home_t, kismet_home_t) -+manage_files_pattern(kismet_t, kismet_home_t, kismet_home_t) -+manage_lnk_files_pattern(kismet_t, kismet_home_t, kismet_home_t) -+userdom_search_user_home_dirs(kismet_t) -+userdom_user_home_dir_filetrans(kismet_t, kismet_home_t, { file dir }) -+ - kernel_search_debugfs(kismet_t) - kernel_read_system_state(kismet_t) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.7.1/policy/modules/admin/logrotate.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.7.3/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/admin/logrotate.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/admin/logrotate.te 2009-11-25 12:39:13.000000000 -0500 @@ -32,7 +32,7 @@ # Change ownership on log files. allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice }; @@ -287,18 +252,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol slrnpull_manage_spool(logrotate_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.7.1/policy/modules/admin/logwatch.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.7.3/policy/modules/admin/logwatch.te --- nsaserefpolicy/policy/modules/admin/logwatch.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/admin/logwatch.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/admin/logwatch.te 2009-11-25 12:39:13.000000000 -0500 @@ -136,4 +136,5 @@ optional_policy(` samba_read_log(logwatch_t) + samba_read_share_files(logwatch_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.7.1/policy/modules/admin/mrtg.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.7.3/policy/modules/admin/mrtg.te --- nsaserefpolicy/policy/modules/admin/mrtg.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/admin/mrtg.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/admin/mrtg.te 2009-11-25 12:39:13.000000000 -0500 @@ -116,6 +116,7 @@ userdom_use_user_terminals(mrtg_t) userdom_dontaudit_read_user_home_content_files(mrtg_t) @@ -307,9 +272,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol netutils_domtrans_ping(mrtg_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.7.1/policy/modules/admin/netutils.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.7.3/policy/modules/admin/netutils.te --- nsaserefpolicy/policy/modules/admin/netutils.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/admin/netutils.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/admin/netutils.te 2009-11-25 12:39:13.000000000 -0500 @@ -44,6 +44,7 @@ allow netutils_t self:packet_socket create_socket_perms; allow netutils_t self:udp_socket create_socket_perms; @@ -326,18 +291,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_use_user_terminals(netutils_t) userdom_use_all_users_fds(netutils_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ntop.fc serefpolicy-3.7.1/policy/modules/admin/ntop.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ntop.fc serefpolicy-3.7.3/policy/modules/admin/ntop.fc --- nsaserefpolicy/policy/modules/admin/ntop.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/admin/ntop.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/admin/ntop.fc 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,5 @@ +/etc/rc\.d/init\.d/ntop -- gen_context(system_u:object_r:ntop_initrc_exec_t,s0) + +/usr/sbin/ntop -- gen_context(system_u:object_r:ntop_exec_t,s0) + +/var/lib/ntop(/.*)? gen_context(system_u:object_r:ntop_var_lib_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ntop.if serefpolicy-3.7.1/policy/modules/admin/ntop.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ntop.if serefpolicy-3.7.3/policy/modules/admin/ntop.if --- nsaserefpolicy/policy/modules/admin/ntop.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/admin/ntop.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/admin/ntop.if 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,158 @@ + +## policy for ntop @@ -497,9 +462,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ntop_manage_var_lib($1) + +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ntop.te serefpolicy-3.7.1/policy/modules/admin/ntop.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ntop.te serefpolicy-3.7.3/policy/modules/admin/ntop.te --- nsaserefpolicy/policy/modules/admin/ntop.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/admin/ntop.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/admin/ntop.te 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,40 @@ +policy_module(ntop,1.0.0) + @@ -541,9 +506,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +miscfiles_read_localization(ntop_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage.te serefpolicy-3.7.1/policy/modules/admin/portage.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage.te serefpolicy-3.7.3/policy/modules/admin/portage.te --- nsaserefpolicy/policy/modules/admin/portage.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/admin/portage.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/admin/portage.te 2009-11-25 12:39:13.000000000 -0500 @@ -196,7 +196,7 @@ # - for rsync and distfile fetching # @@ -553,17 +518,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow portage_fetch_t self:process signal; allow portage_fetch_t self:unix_stream_socket create_socket_perms; allow portage_fetch_t self:tcp_socket create_stream_socket_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.7.1/policy/modules/admin/prelink.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.7.3/policy/modules/admin/prelink.fc --- nsaserefpolicy/policy/modules/admin/prelink.fc 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/admin/prelink.fc 2009-11-18 10:28:50.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/admin/prelink.fc 2009-11-25 12:39:13.000000000 -0500 @@ -1,3 +1,4 @@ +/etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0) /etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.7.1/policy/modules/admin/prelink.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.7.3/policy/modules/admin/prelink.if --- nsaserefpolicy/policy/modules/admin/prelink.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/admin/prelink.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/admin/prelink.if 2009-11-25 12:39:13.000000000 -0500 @@ -151,11 +151,11 @@ ## ## @@ -578,9 +543,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) + relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.1/policy/modules/admin/prelink.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.3/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/admin/prelink.te 2009-11-18 10:28:50.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/admin/prelink.te 2009-11-25 12:39:13.000000000 -0500 @@ -21,8 +21,23 @@ type prelink_tmp_t; files_tmp_file(prelink_tmp_t) @@ -700,9 +665,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + rpm_read_db(prelink_cron_system_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.7.1/policy/modules/admin/readahead.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.7.3/policy/modules/admin/readahead.te --- nsaserefpolicy/policy/modules/admin/readahead.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/admin/readahead.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/admin/readahead.te 2009-11-25 12:39:13.000000000 -0500 @@ -52,6 +52,7 @@ files_list_non_security(readahead_t) @@ -711,9 +676,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_create_boot_flag(readahead_t) files_getattr_all_pipes(readahead_t) files_dontaudit_getattr_all_sockets(readahead_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.7.1/policy/modules/admin/rpm.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.7.3/policy/modules/admin/rpm.fc --- nsaserefpolicy/policy/modules/admin/rpm.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/admin/rpm.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/admin/rpm.fc 2009-11-25 12:39:13.000000000 -0500 @@ -1,18 +1,18 @@ /bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -763,9 +728,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # SuSE ifdef(`distro_suse', ` /usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.7.1/policy/modules/admin/rpm.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.7.3/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/admin/rpm.if 2009-11-24 07:35:57.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/admin/rpm.if 2009-11-25 12:39:13.000000000 -0500 @@ -13,11 +13,34 @@ interface(`rpm_domtrans',` gen_require(` @@ -1177,9 +1142,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 rpm_t:process signull; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.7.1/policy/modules/admin/rpm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.7.3/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/admin/rpm.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/admin/rpm.te 2009-11-25 12:39:13.000000000 -0500 @@ -15,6 +15,9 @@ domain_interactive_fd(rpm_t) role system_r types rpm_t; @@ -1454,9 +1419,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` java_domtrans_unconfined(rpm_script_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.fc serefpolicy-3.7.1/policy/modules/admin/shorewall.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.fc serefpolicy-3.7.3/policy/modules/admin/shorewall.fc --- nsaserefpolicy/policy/modules/admin/shorewall.fc 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/admin/shorewall.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/admin/shorewall.fc 2009-11-25 12:39:13.000000000 -0500 @@ -4,8 +4,9 @@ /etc/shorewall(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0) /etc/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0) @@ -1468,9 +1433,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) +/var/lib/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) /var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.if serefpolicy-3.7.1/policy/modules/admin/shorewall.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.if serefpolicy-3.7.3/policy/modules/admin/shorewall.if --- nsaserefpolicy/policy/modules/admin/shorewall.if 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/admin/shorewall.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/admin/shorewall.if 2009-11-25 12:39:13.000000000 -0500 @@ -75,6 +75,46 @@ rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t) ') @@ -1518,9 +1483,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ####################################### ## ## All of the rules required to administrate -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.7.1/policy/modules/admin/shorewall.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.7.3/policy/modules/admin/shorewall.te --- nsaserefpolicy/policy/modules/admin/shorewall.te 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/admin/shorewall.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/admin/shorewall.te 2009-11-25 12:39:13.000000000 -0500 @@ -80,6 +80,8 @@ sysnet_domtrans_ifconfig(shorewall_t) @@ -1530,22 +1495,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` iptables_domtrans(shorewall_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.fc serefpolicy-3.7.1/policy/modules/admin/smoltclient.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.fc serefpolicy-3.7.3/policy/modules/admin/smoltclient.fc --- nsaserefpolicy/policy/modules/admin/smoltclient.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/admin/smoltclient.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/admin/smoltclient.fc 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,4 @@ + +/usr/share/smolt/client/sendProfile.py -- gen_context(system_u:object_r:smoltclient_exec_t,s0) + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.if serefpolicy-3.7.1/policy/modules/admin/smoltclient.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.if serefpolicy-3.7.3/policy/modules/admin/smoltclient.if --- nsaserefpolicy/policy/modules/admin/smoltclient.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/admin/smoltclient.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/admin/smoltclient.if 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1 @@ +## The Fedora hardware profiler client -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.7.1/policy/modules/admin/smoltclient.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.7.3/policy/modules/admin/smoltclient.te --- nsaserefpolicy/policy/modules/admin/smoltclient.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/admin/smoltclient.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/admin/smoltclient.te 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,66 @@ +policy_module(smoltclient,1.0.0) + @@ -1613,9 +1578,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +permissive smoltclient_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.7.1/policy/modules/admin/sudo.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.7.3/policy/modules/admin/sudo.if --- nsaserefpolicy/policy/modules/admin/sudo.if 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/admin/sudo.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/admin/sudo.if 2009-11-25 12:39:13.000000000 -0500 @@ -66,8 +66,8 @@ allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; allow $1_sudo_t self:unix_dgram_socket sendto; @@ -1660,9 +1625,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.7.1/policy/modules/admin/tmpreaper.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.7.3/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/admin/tmpreaper.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/admin/tmpreaper.te 2009-11-25 12:39:13.000000000 -0500 @@ -42,6 +42,7 @@ cron_system_entry(tmpreaper_t, tmpreaper_exec_t) @@ -1692,21 +1657,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` unconfined_domain(tmpreaper_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tzdata.te serefpolicy-3.7.1/policy/modules/admin/tzdata.te ---- nsaserefpolicy/policy/modules/admin/tzdata.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/admin/tzdata.te 2009-11-17 11:06:58.000000000 -0500 -@@ -19,6 +19,8 @@ - files_read_etc_files(tzdata_t) - files_search_spool(tzdata_t) - -+fs_getattr_xattr_fs(tzdata_t) -+ - term_dontaudit_list_ptys(tzdata_t) - - locallogin_dontaudit_use_fds(tzdata_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.7.1/policy/modules/admin/usermanage.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.7.3/policy/modules/admin/usermanage.if --- nsaserefpolicy/policy/modules/admin/usermanage.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/admin/usermanage.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/admin/usermanage.if 2009-11-25 12:39:13.000000000 -0500 @@ -113,6 +113,12 @@ files_search_usr($1) corecmd_search_bin($1) @@ -1732,9 +1685,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` nscd_run(useradd_t, $2) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.1/policy/modules/admin/usermanage.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.3/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/admin/usermanage.te 2009-11-23 11:11:28.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/admin/usermanage.te 2009-11-25 12:39:13.000000000 -0500 @@ -82,6 +82,7 @@ selinux_compute_relabel_context(chfn_t) selinux_compute_user_contexts(chfn_t) @@ -1864,9 +1817,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol puppet_rw_tmp(useradd_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.7.1/policy/modules/admin/vbetool.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.7.3/policy/modules/admin/vbetool.te --- nsaserefpolicy/policy/modules/admin/vbetool.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/admin/vbetool.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/admin/vbetool.te 2009-11-25 12:39:13.000000000 -0500 @@ -15,15 +15,20 @@ # Local policy # @@ -1899,9 +1852,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_exec_pid(vbetool_t) + xserver_write_pid(vbetool_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.7.1/policy/modules/admin/vpn.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.7.3/policy/modules/admin/vpn.te --- nsaserefpolicy/policy/modules/admin/vpn.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/admin/vpn.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/admin/vpn.te 2009-11-25 12:39:13.000000000 -0500 @@ -46,6 +46,7 @@ kernel_read_system_state(vpnc_t) kernel_read_network_state(vpnc_t) @@ -1910,17 +1863,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_rw_net_sysctls(vpnc_t) corenet_all_recvfrom_unlabeled(vpnc_t) -@@ -98,6 +99,7 @@ - logging_dontaudit_search_logs(vpnc_t) +@@ -105,8 +106,9 @@ + sysnet_etc_filetrans_config(vpnc_t) + sysnet_manage_config(vpnc_t) - miscfiles_read_localization(vpnc_t) -+miscfiles_read_home_certs(vpnc_t) +-userdom_use_all_users_fds(vpnc_t) + userdom_dontaudit_search_user_home_content(vpnc_t) ++userdom_read_home_certs(vpnc_t) ++userdom_use_all_users_fds(vpnc_t) - seutil_dontaudit_search_config(vpnc_t) - seutil_use_newrole_fds(vpnc_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/calamaris.te serefpolicy-3.7.1/policy/modules/apps/calamaris.te + optional_policy(` + dbus_system_bus_client(vpnc_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/calamaris.te serefpolicy-3.7.3/policy/modules/apps/calamaris.te --- nsaserefpolicy/policy/modules/apps/calamaris.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/apps/calamaris.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/calamaris.te 2009-11-25 12:39:13.000000000 -0500 @@ -59,12 +59,12 @@ libs_read_lib_files(calamaris_t) @@ -1943,15 +1899,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -optional_policy(` - nis_use_ypbind(calamaris_t) -') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.fc serefpolicy-3.7.1/policy/modules/apps/chrome.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.fc serefpolicy-3.7.3/policy/modules/apps/chrome.fc --- nsaserefpolicy/policy/modules/apps/chrome.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/chrome.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/chrome.fc 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,2 @@ + +/usr/lib(64)?/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.7.1/policy/modules/apps/chrome.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.7.3/policy/modules/apps/chrome.if --- nsaserefpolicy/policy/modules/apps/chrome.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/chrome.if 2009-11-23 10:04:49.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/chrome.if 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,86 @@ + +## policy for chrome @@ -2039,9 +1995,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.1/policy/modules/apps/chrome.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.3/policy/modules/apps/chrome.te --- nsaserefpolicy/policy/modules/apps/chrome.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/chrome.te 2009-11-23 09:56:06.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/chrome.te 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,77 @@ +policy_module(chrome,1.0.0) + @@ -2120,9 +2076,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_dontaudit_read_cifs_files(chrome_sandbox_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.7.1/policy/modules/apps/cpufreqselector.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.7.3/policy/modules/apps/cpufreqselector.te --- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/cpufreqselector.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/cpufreqselector.te 2009-11-25 12:39:13.000000000 -0500 @@ -26,7 +26,7 @@ dev_rw_sysfs(cpufreqselector_t) @@ -2132,10 +2088,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.7.1/policy/modules/apps/execmem.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.7.3/policy/modules/apps/execmem.fc --- nsaserefpolicy/policy/modules/apps/execmem.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/execmem.fc 2009-11-23 08:54:39.000000000 -0500 -@@ -0,0 +1,41 @@ ++++ serefpolicy-3.7.3/policy/modules/apps/execmem.fc 2009-11-25 14:07:42.000000000 -0500 +@@ -0,0 +1,42 @@ +/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0) @@ -2172,14 +2128,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib/wingide-[^/]+/bin/PyCore/python -- gen_context(system_u:object_r:execmem_exec_t,s0) + +/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Updater -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Application -- gen_context(system_u:object_r:execmem_exec_t,s0) + +/opt/likewise/bin/domainjoin-cli -- gen_context(system_u:object_r:execmem_exec_t,s0) + +/opt/google/chrome/chrome -- gen_context(system_u:object_r:execmem_exec_t,s0) +/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.7.1/policy/modules/apps/execmem.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.7.3/policy/modules/apps/execmem.if --- nsaserefpolicy/policy/modules/apps/execmem.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/execmem.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/execmem.if 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,104 @@ +## execmem domain + @@ -2285,9 +2242,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + domtrans_pattern($1, execmem_exec_t, $2) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.te serefpolicy-3.7.1/policy/modules/apps/execmem.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.te serefpolicy-3.7.3/policy/modules/apps/execmem.te --- nsaserefpolicy/policy/modules/apps/execmem.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/execmem.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/execmem.te 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,11 @@ + +policy_module(execmem, 1.0.0) @@ -2300,23 +2257,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +type execmem_exec_t alias unconfined_execmem_exec_t; +application_executable_file(execmem_exec_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.fc serefpolicy-3.7.1/policy/modules/apps/firewallgui.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.fc serefpolicy-3.7.3/policy/modules/apps/firewallgui.fc --- nsaserefpolicy/policy/modules/apps/firewallgui.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/firewallgui.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/firewallgui.fc 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,3 @@ + +/usr/share/system-config-firewall/system-config-firewall-mechanism.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.if serefpolicy-3.7.1/policy/modules/apps/firewallgui.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.if serefpolicy-3.7.3/policy/modules/apps/firewallgui.if --- nsaserefpolicy/policy/modules/apps/firewallgui.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/firewallgui.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/firewallgui.if 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,3 @@ + +## policy for firewallgui + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.7.1/policy/modules/apps/firewallgui.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.7.3/policy/modules/apps/firewallgui.te --- nsaserefpolicy/policy/modules/apps/firewallgui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/firewallgui.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/firewallgui.te 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,64 @@ + +policy_module(firewallgui,1.0.0) @@ -2382,9 +2339,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + policykit_dbus_chat(firewallgui_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.7.1/policy/modules/apps/gitosis.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.7.3/policy/modules/apps/gitosis.if --- nsaserefpolicy/policy/modules/apps/gitosis.if 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/apps/gitosis.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/gitosis.if 2009-11-25 12:39:13.000000000 -0500 @@ -43,3 +43,48 @@ role $2 types gitosis_t; ') @@ -2434,9 +2391,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) + manage_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.7.1/policy/modules/apps/gnome.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.7.3/policy/modules/apps/gnome.fc --- nsaserefpolicy/policy/modules/apps/gnome.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/apps/gnome.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/gnome.fc 2009-11-25 12:39:13.000000000 -0500 @@ -1,8 +1,18 @@ -HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0) @@ -2458,9 +2415,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/libexec/gconf-defaults-mechanism -- gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0) + +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.7.1/policy/modules/apps/gnome.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.7.3/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/apps/gnome.if 2009-11-19 15:02:40.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/gnome.if 2009-11-25 12:39:13.000000000 -0500 @@ -84,10 +84,183 @@ # interface(`gnome_manage_config',` @@ -2648,9 +2605,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + # Connect to pulseaudit server + stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.7.1/policy/modules/apps/gnome.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.7.3/policy/modules/apps/gnome.te --- nsaserefpolicy/policy/modules/apps/gnome.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/apps/gnome.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/gnome.te 2009-11-25 12:39:13.000000000 -0500 @@ -7,18 +7,30 @@ # @@ -2792,9 +2749,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + policykit_read_lib(gnomesystemmm_t) + policykit_read_reload(gnomesystemmm_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.7.1/policy/modules/apps/gpg.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.7.3/policy/modules/apps/gpg.te --- nsaserefpolicy/policy/modules/apps/gpg.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/gpg.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/gpg.te 2009-11-25 12:39:13.000000000 -0500 @@ -104,12 +104,19 @@ auth_use_nsswitch(gpg_t) @@ -2839,9 +2796,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_common_app(gpg_pinentry_t) ') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.7.1/policy/modules/apps/java.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.7.3/policy/modules/apps/java.fc --- nsaserefpolicy/policy/modules/apps/java.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/apps/java.fc 2009-11-19 09:59:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/java.fc 2009-11-25 12:39:13.000000000 -0500 @@ -2,15 +2,17 @@ # /opt # @@ -2882,9 +2839,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) + +/usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.7.1/policy/modules/apps/java.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.7.3/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2009-08-18 11:41:14.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/apps/java.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/java.if 2009-11-25 12:39:13.000000000 -0500 @@ -30,6 +30,7 @@ allow java_t $2:unix_stream_socket connectto; @@ -3028,9 +2985,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_role($1_r, $1_java_t) + ') ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.7.1/policy/modules/apps/java.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.7.3/policy/modules/apps/java.te --- nsaserefpolicy/policy/modules/apps/java.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/java.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/java.te 2009-11-25 12:39:13.000000000 -0500 @@ -20,6 +20,8 @@ typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t }; typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t }; @@ -3080,21 +3037,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - unconfined_domain_noaudit(unconfined_java_t) - unconfined_dbus_chat(unconfined_java_t) -') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.7.1/policy/modules/apps/kdumpgui.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.7.3/policy/modules/apps/kdumpgui.fc --- nsaserefpolicy/policy/modules/apps/kdumpgui.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/kdumpgui.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/kdumpgui.fc 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,2 @@ + +/usr/share/system-config-kdump/system-config-kdump-backend.py -- gen_context(system_u:object_r:kdumpgui_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.7.1/policy/modules/apps/kdumpgui.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.7.3/policy/modules/apps/kdumpgui.if --- nsaserefpolicy/policy/modules/apps/kdumpgui.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/kdumpgui.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/kdumpgui.if 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,2 @@ +## system-config-kdump policy + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.7.1/policy/modules/apps/kdumpgui.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.7.3/policy/modules/apps/kdumpgui.te --- nsaserefpolicy/policy/modules/apps/kdumpgui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/kdumpgui.te 2009-11-23 09:53:25.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/kdumpgui.te 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,67 @@ +policy_module(kdumpgui,1.0.0) + @@ -3163,15 +3120,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +permissive kdumpgui_t; + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.7.1/policy/modules/apps/livecd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.7.3/policy/modules/apps/livecd.fc --- nsaserefpolicy/policy/modules/apps/livecd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/livecd.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/livecd.fc 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,2 @@ + +/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.7.1/policy/modules/apps/livecd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.7.3/policy/modules/apps/livecd.if --- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/livecd.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/livecd.if 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,52 @@ + +## policy for livecd @@ -3225,9 +3182,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + usermanage_run_chfn(livecd_t, $2) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.7.1/policy/modules/apps/livecd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.7.3/policy/modules/apps/livecd.te --- nsaserefpolicy/policy/modules/apps/livecd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/livecd.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/livecd.te 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,27 @@ +policy_module(livecd, 1.0.0) + @@ -3256,9 +3213,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +seutil_domtrans_setfiles_mac(livecd_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.7.1/policy/modules/apps/loadkeys.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.7.3/policy/modules/apps/loadkeys.te --- nsaserefpolicy/policy/modules/apps/loadkeys.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/apps/loadkeys.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/loadkeys.te 2009-11-25 12:42:30.000000000 -0500 @@ -40,8 +40,12 @@ miscfiles_read_localization(loadkeys_t) @@ -3271,17 +3228,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') + +ifdef(`hide_broken_symptoms',` -+ dev_dontaudit_rw_lvm_control_dev(loadkeys_t) ++ dev_dontaudit_rw_lvm_control(loadkeys_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.fc serefpolicy-3.7.1/policy/modules/apps/mono.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.fc serefpolicy-3.7.3/policy/modules/apps/mono.fc --- nsaserefpolicy/policy/modules/apps/mono.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/apps/mono.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/mono.fc 2009-11-25 12:39:13.000000000 -0500 @@ -1 +1 @@ -/usr/bin/mono -- gen_context(system_u:object_r:mono_exec_t,s0) +/usr/bin/mono.* -- gen_context(system_u:object_r:mono_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.7.1/policy/modules/apps/mono.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.7.3/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/apps/mono.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/mono.if 2009-11-25 12:39:13.000000000 -0500 @@ -21,6 +21,105 @@ ######################################## @@ -3397,9 +3354,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') corecmd_search_bin($1) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.7.1/policy/modules/apps/mono.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.7.3/policy/modules/apps/mono.te --- nsaserefpolicy/policy/modules/apps/mono.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/apps/mono.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/mono.te 2009-11-25 12:39:13.000000000 -0500 @@ -15,7 +15,7 @@ # Local policy # @@ -3423,9 +3380,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + xserver_rw_shm(mono_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.7.1/policy/modules/apps/mozilla.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.7.3/policy/modules/apps/mozilla.fc --- nsaserefpolicy/policy/modules/apps/mozilla.fc 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/apps/mozilla.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/mozilla.fc 2009-11-25 12:39:13.000000000 -0500 @@ -1,6 +1,7 @@ HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) @@ -3434,9 +3391,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.7.1/policy/modules/apps/mozilla.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.7.3/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/apps/mozilla.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/mozilla.if 2009-11-25 12:39:13.000000000 -0500 @@ -45,6 +45,18 @@ relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t) relabel_files_pattern($2, mozilla_home_t, mozilla_home_t) @@ -3526,9 +3483,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Run mozilla in the mozilla domain. ## ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.7.1/policy/modules/apps/mozilla.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.7.3/policy/modules/apps/mozilla.te --- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/apps/mozilla.te 2009-11-20 08:13:05.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/mozilla.te 2009-11-25 12:58:28.000000000 -0500 @@ -59,6 +59,7 @@ manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) @@ -3570,7 +3527,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(mozilla_t) -+miscfiles_dontaudit_setattr_fonts(mozilla_t) ++miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) miscfiles_read_fonts(mozilla_t) miscfiles_read_localization(mozilla_t) @@ -3614,9 +3571,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` thunderbird_domtrans(mozilla_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.7.1/policy/modules/apps/nsplugin.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.7.3/policy/modules/apps/nsplugin.fc --- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/nsplugin.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/nsplugin.fc 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,11 @@ +HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) @@ -3629,9 +3586,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0) +/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0) +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.7.1/policy/modules/apps/nsplugin.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.7.3/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/nsplugin.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/nsplugin.if 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,323 @@ + +## policy for nsplugin @@ -3956,9 +3913,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.1/policy/modules/apps/nsplugin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.3/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/nsplugin.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/nsplugin.te 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,295 @@ + +policy_module(nsplugin, 1.0.0) @@ -4255,16 +4212,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.7.1/policy/modules/apps/openoffice.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.7.3/policy/modules/apps/openoffice.fc --- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/openoffice.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/openoffice.fc 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,3 @@ +/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) +/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.7.1/policy/modules/apps/openoffice.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.7.3/policy/modules/apps/openoffice.if --- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/openoffice.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/openoffice.if 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,93 @@ +## Openoffice + @@ -4359,9 +4316,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_common_x_domain_template($1, $1_openoffice_t) + ') +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.7.1/policy/modules/apps/openoffice.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.7.3/policy/modules/apps/openoffice.te --- nsaserefpolicy/policy/modules/apps/openoffice.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/openoffice.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/openoffice.te 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,11 @@ + +policy_module(openoffice, 1.0.0) @@ -4374,9 +4331,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +type openoffice_t; +type openoffice_exec_t; +application_domain(openoffice_t, openoffice_exec_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.7.1/policy/modules/apps/podsleuth.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.7.3/policy/modules/apps/podsleuth.te --- nsaserefpolicy/policy/modules/apps/podsleuth.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/apps/podsleuth.te 2009-11-24 18:08:28.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/podsleuth.te 2009-11-25 12:39:13.000000000 -0500 @@ -66,11 +66,14 @@ fs_search_dos(podsleuth_t) fs_getattr_tmpfs(podsleuth_t) @@ -4392,9 +4349,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` dbus_system_bus_client(podsleuth_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.7.1/policy/modules/apps/ptchown.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.7.3/policy/modules/apps/ptchown.if --- nsaserefpolicy/policy/modules/apps/ptchown.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/apps/ptchown.if 2009-11-24 14:56:10.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/ptchown.if 2009-11-25 12:39:13.000000000 -0500 @@ -18,3 +18,27 @@ domtrans_pattern($1, ptchown_exec_t, ptchown_t) ') @@ -4423,9 +4380,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ptchown_domtrans($1) + role $2 types ptchown_t; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.1/policy/modules/apps/pulseaudio.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.3/policy/modules/apps/pulseaudio.if --- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/apps/pulseaudio.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/pulseaudio.if 2009-11-25 12:39:13.000000000 -0500 @@ -40,7 +40,7 @@ userdom_manage_tmpfs_role($1, pulseaudio_t) @@ -4435,9 +4392,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.1/policy/modules/apps/pulseaudio.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.3/policy/modules/apps/pulseaudio.te --- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/pulseaudio.te 2009-11-19 14:58:11.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/pulseaudio.te 2009-11-25 12:39:13.000000000 -0500 @@ -18,7 +18,7 @@ allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull }; @@ -4490,17 +4447,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_read_xdm_lib_files(pulseaudio_t) + xserver_common_app(pulseaudio_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.7.1/policy/modules/apps/qemu.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.7.3/policy/modules/apps/qemu.fc --- nsaserefpolicy/policy/modules/apps/qemu.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/apps/qemu.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/qemu.fc 2009-11-25 12:39:13.000000000 -0500 @@ -1,2 +1,2 @@ -/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) -/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/bin/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.7.1/policy/modules/apps/qemu.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.7.3/policy/modules/apps/qemu.if --- nsaserefpolicy/policy/modules/apps/qemu.if 2009-08-31 13:44:40.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/apps/qemu.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/qemu.if 2009-11-25 12:39:13.000000000 -0500 @@ -40,6 +40,10 @@ qemu_domtrans($1) @@ -4701,9 +4658,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.7.1/policy/modules/apps/qemu.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.7.3/policy/modules/apps/qemu.te --- nsaserefpolicy/policy/modules/apps/qemu.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/qemu.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/qemu.te 2009-11-25 12:39:13.000000000 -0500 @@ -13,15 +13,46 @@ ## gen_tunable(qemu_full_network, false) @@ -4811,20 +4768,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + role unconfined_r types qemu_unconfined_t; allow qemu_unconfined_t self:process { execstack execmem }; ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.7.1/policy/modules/apps/sambagui.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.7.3/policy/modules/apps/sambagui.fc --- nsaserefpolicy/policy/modules/apps/sambagui.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/sambagui.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/sambagui.fc 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1 @@ +/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.7.1/policy/modules/apps/sambagui.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.7.3/policy/modules/apps/sambagui.if --- nsaserefpolicy/policy/modules/apps/sambagui.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/sambagui.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/sambagui.if 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,2 @@ +## system-config-samba policy + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.7.1/policy/modules/apps/sambagui.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.7.3/policy/modules/apps/sambagui.te --- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/sambagui.te 2009-11-23 10:38:27.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/sambagui.te 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,60 @@ +policy_module(sambagui,1.0.0) + @@ -4886,15 +4843,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + policykit_dbus_chat(sambagui_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.7.1/policy/modules/apps/sandbox.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.7.3/policy/modules/apps/sandbox.fc --- nsaserefpolicy/policy/modules/apps/sandbox.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/sandbox.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/sandbox.fc 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1 @@ +# No types are sandbox_exec_t -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.1/policy/modules/apps/sandbox.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.3/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/sandbox.if 2009-11-18 16:21:19.000000000 -0500 -@@ -0,0 +1,187 @@ ++++ serefpolicy-3.7.3/policy/modules/apps/sandbox.if 2009-11-25 15:14:52.000000000 -0500 +@@ -0,0 +1,188 @@ + +## policy for sandbox + @@ -4937,6 +4894,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dontaudit sandbox_xserver_t $1:fifo_file rw_fifo_file_perms; + dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms; + dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms; ++ allow sandbox_xserver_t $1:unix_stream_socket { read write }; + + allow sandbox_x_domain $1:process { sigchld signal }; + allow sandbox_x_domain sandbox_x_domain:process signal; @@ -5018,7 +4976,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_sock_files_pattern($1_t, $1_file_t, $1_file_t) + + # window manager -+ miscfiles_setattr_fonts($1_t) ++ miscfiles_setattr_fonts_dirs($1_t) + allow $1_t self:capability setuid; + + type $1_client_t, sandbox_x_domain; @@ -5082,9 +5040,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.1/policy/modules/apps/sandbox.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.3/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/sandbox.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/sandbox.te 2009-11-25 12:59:23.000000000 -0500 @@ -0,0 +1,331 @@ +policy_module(sandbox,1.0.0) +dbus_stub() @@ -5252,7 +5210,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +init_dontaudit_write_utmp(sandbox_x_domain) + +miscfiles_read_localization(sandbox_x_domain) -+miscfiles_dontaudit_setattr_fonts(sandbox_x_domain) ++miscfiles_dontaudit_setattr_fonts_dirs(sandbox_x_domain) + +term_getattr_pty_fs(sandbox_x_domain) +term_use_ptmx(sandbox_x_domain) @@ -5417,9 +5375,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + hal_dbus_chat(sandbox_net_client_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.7.1/policy/modules/apps/screen.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.7.3/policy/modules/apps/screen.if --- nsaserefpolicy/policy/modules/apps/screen.if 2009-11-12 12:51:51.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/screen.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/screen.if 2009-11-25 12:39:13.000000000 -0500 @@ -80,6 +80,11 @@ relabel_files_pattern($3, screen_home_t, screen_home_t) relabel_lnk_files_pattern($3, screen_home_t, screen_home_t) @@ -5432,9 +5390,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state($1_screen_t) kernel_read_kernel_sysctls($1_screen_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.fc serefpolicy-3.7.1/policy/modules/apps/sectoolm.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.fc serefpolicy-3.7.3/policy/modules/apps/sectoolm.fc --- nsaserefpolicy/policy/modules/apps/sectoolm.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/sectoolm.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/sectoolm.fc 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,6 @@ + +/usr/libexec/sectool-mechanism\.py -- gen_context(system_u:object_r:sectoolm_exec_t,s0) @@ -5442,16 +5400,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0) + +/var/log/sectool\.log -- gen_context(system_u:object_r:sectool_var_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.if serefpolicy-3.7.1/policy/modules/apps/sectoolm.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.if serefpolicy-3.7.3/policy/modules/apps/sectoolm.if --- nsaserefpolicy/policy/modules/apps/sectoolm.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/sectoolm.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/sectoolm.if 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,3 @@ + +## policy for sectool-mechanism + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.te serefpolicy-3.7.1/policy/modules/apps/sectoolm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.te serefpolicy-3.7.3/policy/modules/apps/sectoolm.te --- nsaserefpolicy/policy/modules/apps/sectoolm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/sectoolm.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/sectoolm.te 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,120 @@ + +policy_module(sectoolm,1.0.0) @@ -5573,9 +5531,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.1/policy/modules/apps/seunshare.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.3/policy/modules/apps/seunshare.if --- nsaserefpolicy/policy/modules/apps/seunshare.if 2009-11-12 12:51:51.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/seunshare.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/seunshare.if 2009-11-25 12:39:13.000000000 -0500 @@ -41,6 +41,16 @@ seunshare_domtrans($1) @@ -5593,9 +5551,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.1/policy/modules/apps/seunshare.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.3/policy/modules/apps/seunshare.te --- nsaserefpolicy/policy/modules/apps/seunshare.te 2009-11-12 12:51:51.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/seunshare.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/seunshare.te 2009-11-25 12:39:13.000000000 -0500 @@ -15,9 +15,8 @@ # # seunshare local policy @@ -5624,9 +5582,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + mozilla_dontaudit_manage_user_home_files(seunshare_t) + ') +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.7.1/policy/modules/apps/vmware.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.7.3/policy/modules/apps/vmware.te --- nsaserefpolicy/policy/modules/apps/vmware.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/apps/vmware.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/vmware.te 2009-11-25 12:39:13.000000000 -0500 @@ -157,6 +157,7 @@ optional_policy(` xserver_read_tmp_files(vmware_host_t) @@ -5635,9 +5593,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ifdef(`TODO',` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.7.1/policy/modules/apps/wine.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.7.3/policy/modules/apps/wine.fc --- nsaserefpolicy/policy/modules/apps/wine.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/apps/wine.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/wine.fc 2009-11-25 12:39:13.000000000 -0500 @@ -1,4 +1,22 @@ -/usr/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) +/usr/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) @@ -5664,9 +5622,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/opt/cxoffice/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) -/opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.7.1/policy/modules/apps/wine.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.7.3/policy/modules/apps/wine.if --- nsaserefpolicy/policy/modules/apps/wine.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/apps/wine.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/wine.if 2009-11-25 12:39:13.000000000 -0500 @@ -43,3 +43,118 @@ wine_domtrans($1) role $2 types wine_t; @@ -5786,9 +5744,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_role($1_r, $1_wine_t) + ') +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.7.1/policy/modules/apps/wine.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.7.3/policy/modules/apps/wine.te --- nsaserefpolicy/policy/modules/apps/wine.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/apps/wine.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/apps/wine.te 2009-11-25 12:39:13.000000000 -0500 @@ -9,20 +9,46 @@ type wine_t; type wine_exec_t; @@ -5840,33 +5798,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_common_app(wine_t) + xserver_rw_shm(wine_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.1/policy/modules/kernel/corecommands.fc ---- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-07-30 13:09:10.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/kernel/corecommands.fc 2009-11-17 11:06:58.000000000 -0500 -@@ -54,6 +54,7 @@ - /etc/cron.weekly/.* -- gen_context(system_u:object_r:bin_t,s0) - /etc/cron.monthly/.* -- gen_context(system_u:object_r:bin_t,s0) - -+/etc/dhcp/dhclient\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) - /etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0) - /etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0) - /etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0) -@@ -125,6 +126,7 @@ - /sbin/.* gen_context(system_u:object_r:bin_t,s0) - /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) - /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) -+/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0) - - # - # /opt -@@ -135,13 +137,15 @@ - - /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) - --/opt/real/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0) - ifdef(`distro_gentoo',` - /opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0) - /opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.3/policy/modules/kernel/corecommands.fc +--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-11-25 11:47:19.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/kernel/corecommands.fc 2009-11-25 12:39:13.000000000 -0500 +@@ -144,6 +144,9 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -5876,34 +5811,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /usr # -@@ -211,6 +215,8 @@ - /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0) -+/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) -+/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -221,6 +227,9 @@ - /usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) -+/usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0) -+/usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0) -+/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -263,6 +272,7 @@ - /usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0) -+/usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/system-config-httpd/system-config-httpd -- gen_context(system_u:object_r:bin_t,s0) -@@ -315,3 +325,21 @@ +@@ -323,3 +326,21 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -5925,9 +5833,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0) + +/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.1/policy/modules/kernel/corecommands.if ---- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/kernel/corecommands.if 2009-11-17 11:06:58.000000000 -0500 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.3/policy/modules/kernel/corecommands.if +--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-11-25 11:47:19.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/kernel/corecommands.if 2009-11-25 12:39:13.000000000 -0500 @@ -893,6 +893,7 @@ read_lnk_files_pattern($1, bin_t, bin_t) @@ -5970,9 +5878,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern($1, bin_t, exec_type) manage_lnk_files_pattern($1, bin_t, bin_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.1/policy/modules/kernel/corenetwork.te.in +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.3/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/kernel/corenetwork.te.in 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/kernel/corenetwork.te.in 2009-11-25 13:13:55.000000000 -0500 @@ -65,6 +65,7 @@ type server_packet_t, packet_type, server_packet_type; @@ -5990,7 +5898,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(audit, tcp,60,s0) network_port(auth, tcp,113,s0) network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0) -@@ -87,26 +88,33 @@ +@@ -87,32 +88,41 @@ network_port(comsat, udp,512,s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0) @@ -6027,7 +5935,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) -@@ -129,7 +137,7 @@ + network_port(innd, tcp,119,s0) + network_port(ipmi, udp,623,s0, udp,664,s0) + network_port(ipp, tcp,631,s0, udp,631,s0) ++portcon tcp 8610-8614 gen_context(system_u:object_r:ipp_port_t, s0) ++portcon udp 8610-8614 gen_context(system_u:object_r:ipp_port_t, s0) + network_port(ipsecnat, tcp,4500,s0, udp,4500,s0) + network_port(ircd, tcp,6667,s0) + network_port(isakmp, udp,500,s0) +@@ -129,7 +139,7 @@ network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) network_port(lmtp, tcp,24,s0, udp,24,s0) type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon @@ -6036,7 +5952,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(memcache, tcp,11211,s0, udp,11211,s0) network_port(mmcc, tcp,5050,s0, udp,5050,s0) network_port(monopd, tcp,1234,s0) -@@ -138,7 +146,7 @@ +@@ -138,7 +148,7 @@ network_port(mysqld, tcp,1186,s0, tcp,3306,s0) portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0) network_port(nessus, tcp,1241,s0) @@ -6045,7 +5961,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(nmbd, udp,137,s0, udp,138,s0) network_port(ntp, udp,123,s0) network_port(ocsp, tcp,9080,s0) -@@ -147,12 +155,19 @@ +@@ -147,12 +157,19 @@ network_port(pegasus_https, tcp,5989,s0) network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) network_port(pingd, tcp,9125,s0) @@ -6065,7 +5981,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) -@@ -172,29 +187,37 @@ +@@ -172,29 +189,37 @@ network_port(rsync, tcp,873,s0, udp,873,s0) network_port(rwho, udp,513,s0) network_port(sap, tcp,9875,s0, udp,9875,s0) @@ -6107,7 +6023,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) network_port(xfs, tcp,7100,s0) -@@ -223,6 +246,8 @@ +@@ -223,6 +248,8 @@ type node_t, node_type; sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh) @@ -6116,137 +6032,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # network_node examples: #network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255) #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.1/policy/modules/kernel/devices.fc ---- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-11-20 10:51:41.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/kernel/devices.fc 2009-11-17 11:06:58.000000000 -0500 -@@ -63,12 +63,10 @@ - /dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0) --/dev/modem -c gen_context(system_u:object_r:modem_device_t,s0) - /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0) - /dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) - /dev/network_throughput -c gen_context(system_u:object_r:netcontrol_device_t,s0) --/dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0) - /dev/null -c gen_context(system_u:object_r:null_device_t,s0) - /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) - /dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh) -@@ -107,7 +105,6 @@ - ') - /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) - /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) --/dev/vga_arbiter -c gen_context(system_u:object_r:xserver_misc_device_t,s0) - /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0) - /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0) - /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0) -@@ -145,8 +142,11 @@ - - /dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0) - -+/dev/modem -c gen_context(system_u:object_r:modem_device_t,s0) - /dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) - -+/dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0) -+ - /dev/pts(/.*)? <> - - /dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0) -@@ -154,6 +154,8 @@ - /dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) - -+/dev/vga_arbiter -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -+ - /dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0) - /dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) - /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.1/policy/modules/kernel/devices.if ---- nsaserefpolicy/policy/modules/kernel/devices.if 2009-11-20 10:51:41.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/kernel/devices.if 2009-11-17 11:06:58.000000000 -0500 -@@ -1927,7 +1927,7 @@ - - ######################################## - ## --## Do not audit attempts to read and write lvm control device. -+## Delete the lvm control device. - ## - ## - ## -@@ -1935,17 +1935,17 @@ - ## - ## - # --interface(`dev_dontaudit_rw_lvm_control',` -+interface(`dev_delete_lvm_control_dev',` - gen_require(` -- type lvm_control_t; -+ type device_t, lvm_control_t; - ') - -- dontaudit $1 lvm_control_t:chr_file rw_file_perms; -+ delete_chr_files_pattern($1, device_t, lvm_control_t) - ') - - ######################################## - ## --## Delete the lvm control device. -+## Do not audit attempts to read and write lvm control device. - ## - ## - ## -@@ -1953,14 +1953,15 @@ - ## - ## - # --interface(`dev_delete_lvm_control_dev',` -+interface(`dev_dontaudit_rw_lvm_control_dev',` - gen_require(` -- type device_t, lvm_control_t; -+ type lvm_control_t; - ') - -- delete_chr_files_pattern($1, device_t, lvm_control_t) -+ dontaudit $1 lvm_control_t:chr_file rw_file_perms; - ') - -+ - ######################################## - ## - ## dontaudit getattr raw memory devices (e.g. /dev/mem). -@@ -2535,7 +2536,8 @@ - type device_t, null_device_t; - ') - -- delete_chr_files_pattern($1, device_t, null_device_t) -+ allow $1 device_t:dir del_entry_dir_perms; -+ allow $1 null_device_t:chr_file unlink; - ') - - ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.1/policy/modules/kernel/devices.te ---- nsaserefpolicy/policy/modules/kernel/devices.te 2009-11-20 10:51:41.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/kernel/devices.te 2009-11-17 11:06:58.000000000 -0500 -@@ -1,5 +1,5 @@ - --policy_module(devices, 1.9.1) -+policy_module(devices, 1.9.0) - - ######################################## - # -@@ -84,7 +84,8 @@ - dev_node(kmsg_device_t) - - # --# ksm_device_t is the type of /dev/ksm -+# ksm_device_t is the type of -+# /dev/ksm - # - type ksm_device_t; - dev_node(ksm_device_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.1/policy/modules/kernel/domain.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.3/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/kernel/domain.if 2009-11-23 17:52:48.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/kernel/domain.if 2009-11-25 12:39:13.000000000 -0500 @@ -44,34 +44,6 @@ interface(`domain_type',` # start with basic domain @@ -6476,9 +6264,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + dontaudit $1 domain:socket_class_set { read write }; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.1/policy/modules/kernel/domain.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.3/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/kernel/domain.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/kernel/domain.te 2009-11-25 12:39:13.000000000 -0500 @@ -5,6 +5,13 @@ # # Declarations @@ -6621,9 +6409,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + userdom_relabelto_user_home_dirs(polydomain) + userdom_relabelto_user_home_files(polydomain) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.7.1/policy/modules/kernel/files.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.7.3/policy/modules/kernel/files.fc --- nsaserefpolicy/policy/modules/kernel/files.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/kernel/files.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/kernel/files.fc 2009-11-25 12:39:13.000000000 -0500 @@ -18,6 +18,7 @@ /fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0) /halt -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -6641,9 +6429,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) /var/lib/nfs/rpc_pipefs(/.*)? <> -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.1/policy/modules/kernel/files.if ---- nsaserefpolicy/policy/modules/kernel/files.if 2009-11-12 13:24:12.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/kernel/files.if 2009-11-23 11:26:11.000000000 -0500 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.3/policy/modules/kernel/files.if +--- nsaserefpolicy/policy/modules/kernel/files.if 2009-11-25 11:47:19.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/kernel/files.if 2009-11-25 12:39:13.000000000 -0500 @@ -932,10 +932,8 @@ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -6657,34 +6445,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # satisfy the assertions: seutil_relabelto_bin_policy($1) -@@ -1154,6 +1152,26 @@ - allow $1 file_type:filesystem unmount; - ') - -+######################################## -+## -+## Read config files in /etc. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_read_config_files',` -+ gen_require(` -+ attribute configfile; -+ ') -+ -+ allow $1 configfile:dir list_dir_perms; -+ read_files_pattern($1, configfile, configfile) -+ read_lnk_files_pattern($1, configfile, configfile) -+') -+ - ############################################# - ## - ## Manage all configuration directories on filesystem -@@ -1411,6 +1429,24 @@ +@@ -1431,6 +1429,24 @@ ######################################## ## @@ -6709,59 +6470,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Remove entries from the root directory. ## ## -@@ -1567,6 +1603,25 @@ - - ######################################## - ## -+## read files in the /boot directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`files_read_boot_files',` -+ gen_require(` -+ type boot_t; -+ ') -+ -+ manage_files_pattern($1, boot_t, boot_t) -+') -+ -+######################################## -+## - ## Create, read, write, and delete files - ## in the /boot directory. - ## -@@ -1795,6 +1850,25 @@ - - ######################################## - ## -+## Manage a filesystem on a directory with the default file type. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_default',` -+ gen_require(` -+ type default_t; -+ ') -+ -+ manage_dirs_pattern($1, default_t, default_t) -+ manage_files_pattern($1, default_t, default_t) -+') -+ -+######################################## -+## - ## Mount a filesystem on a directory with the default file type. - ## - ## -@@ -2030,6 +2104,8 @@ +@@ -2107,6 +2123,8 @@ allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) @@ -6770,7 +6479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2517,6 +2593,11 @@ +@@ -2594,6 +2612,11 @@ ') delete_files_pattern($1, file_t, file_t) @@ -6782,7 +6491,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3419,6 +3500,32 @@ +@@ -3496,6 +3519,32 @@ ######################################## ## @@ -6815,32 +6524,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Manage temporary files and directories in /tmp. ## ## -@@ -3548,6 +3655,24 @@ - - ######################################## - ## -+## List all tmp directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_list_all_tmp',` -+ gen_require(` -+ attribute tmpfile; -+ ') -+ -+ allow $1 tmppfile:dir list_dir_perms; -+') -+ -+######################################## -+## - ## Read all tmp files. - ## - ## -@@ -3614,6 +3739,8 @@ +@@ -3709,6 +3758,8 @@ delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -6849,7 +6533,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3722,7 +3849,12 @@ +@@ -3817,7 +3868,12 @@ type usr_t; ') @@ -6863,7 +6547,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3761,6 +3893,7 @@ +@@ -3856,6 +3912,7 @@ allow $1 usr_t:dir list_dir_perms; read_files_pattern($1, usr_t, usr_t) read_lnk_files_pattern($1, usr_t, usr_t) @@ -6871,7 +6555,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4405,6 +4538,24 @@ +@@ -4500,6 +4557,24 @@ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -6896,7 +6580,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -4785,6 +4936,24 @@ +@@ -4880,6 +4955,24 @@ ######################################## ## @@ -6921,7 +6605,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to write to daemon runtime data files. ## ## -@@ -4906,6 +5075,24 @@ +@@ -5001,6 +5094,24 @@ ######################################## ## @@ -6946,16 +6630,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Search the contents of generic spool ## directories (/var/spool). ## -@@ -5072,7 +5259,7 @@ - selinux_compute_member($1) - - # Need sys_admin capability for mounting -- allow $1 self:capability { chown fsetid sys_admin }; -+ allow $1 self:capability { chown fsetid sys_admin fowner }; - - # Need to give access to the directories to be polyinstantiated - allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -@@ -5094,12 +5281,15 @@ +@@ -5189,12 +5300,15 @@ allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) @@ -6972,7 +6647,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -5120,3 +5310,173 @@ +@@ -5215,3 +5329,173 @@ typeattribute $1 files_unconfined_type; ') @@ -7146,9 +6821,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + allow $1 file_type:file entrypoint; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.7.1/policy/modules/kernel/files.te ---- nsaserefpolicy/policy/modules/kernel/files.te 2009-11-12 12:51:51.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/kernel/files.te 2009-11-17 11:06:58.000000000 -0500 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.7.3/policy/modules/kernel/files.te +--- nsaserefpolicy/policy/modules/kernel/files.te 2009-11-25 11:47:19.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/kernel/files.te 2009-11-25 12:39:13.000000000 -0500 @@ -43,6 +43,7 @@ # type boot_t; @@ -7157,15 +6832,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # default_t is the default type for files that do not # match any specification in the file_contexts configuration -@@ -53,7 +54,7 @@ - # - # etc_t is the type of the system etc directories. - # --type etc_t; -+type etc_t, configfile; - files_type(etc_t) - # compatibility aliases for removed types: - typealias etc_t alias automount_etc_t; @@ -194,6 +195,7 @@ fs_associate_noxattr(file_type) fs_associate_tmpfs(file_type) @@ -7174,122 +6840,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.7.1/policy/modules/kernel/filesystem.fc ---- nsaserefpolicy/policy/modules/kernel/filesystem.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/kernel/filesystem.fc 2009-11-17 11:06:58.000000000 -0500 -@@ -1 +1 @@ --# This module currently does not have any file contexts. -+/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.1/policy/modules/kernel/filesystem.if ---- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/kernel/filesystem.if 2009-11-18 07:50:05.000000000 -0500 -@@ -290,7 +290,7 @@ - - ######################################## - ## --## Read and write files on anon_inodefs -+## Dontaudit Read and write files on anon_inodefs - ## file systems. - ## - ## -@@ -310,6 +310,26 @@ - - ######################################## - ## -+## Dontaudit Read and write files on anon_inodefs -+## file systems. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_dontaudit_rw_anon_inodefs_files',` -+ gen_require(` -+ type anon_inodefs_t; -+ -+ ') -+ -+ dontaudit $1 anon_inodefs_t:file { read write }; -+') -+ -+######################################## -+## - ## Mount an automount pseudo filesystem. - ## - ## -@@ -1149,6 +1169,44 @@ - domain_auto_transition_pattern($1, cifs_t, $2) - ') - -+####################################### -+## -+## Create, read, write, and delete dirs -+## on a configfs filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_manage_configfs_dirs',` -+ gen_require(` -+ type configfs_t; -+ ') -+ -+ manage_dirs_pattern($1,configfs_t,configfs_t) -+') -+ -+####################################### -+## -+## Create, read, write, and delete files -+## on a configfs filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_manage_configfs_files',` -+ gen_require(` -+ type configfs_t; -+ ') -+ -+ manage_files_pattern($1,configfs_t,configfs_t) -+') -+ - ######################################## - ## - ## Mount a DOS filesystem, such as -@@ -1537,6 +1595,24 @@ - - ######################################## - ## -+## Allow the type to associate to hugetlbfs filesystems. -+## -+## -+## -+## The type of the object to be associated. -+## -+## -+# -+interface(`fs_associate_hugetlbfs',` -+ gen_require(` -+ type hugetlbfs_t; -+ ') -+ -+ allow $1 hugetlbfs_t:filesystem associate; -+') -+ -+######################################## -+## - ## Search inotifyfs filesystem. - ## - ## -@@ -1993,6 +2069,25 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.3/policy/modules/kernel/filesystem.if +--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-11-25 11:47:19.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/kernel/filesystem.if 2009-11-25 12:39:13.000000000 -0500 +@@ -2069,6 +2069,25 @@ read_lnk_files_pattern($1, nfs_t, nfs_t) ') @@ -7315,50 +6869,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################### ## ## Read named sockets on a NFS filesystem. -@@ -2542,6 +2637,42 @@ - - ######################################## - ## -+## List NFS server directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_list_nfsd_fs',` -+ gen_require(` -+ type nfsd_fs_t; -+ ') -+ -+ allow $1 nfsd_fs_t:dir list_dir_perms; -+') -+ -+######################################## -+## -+## Getattr files on an nfsd filesystem -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_getattr_nfsd_files',` -+ gen_require(` -+ type nfsd_fs_t; -+ ') -+ -+ allow $1 nfsd_fs_t:file getattr; -+') -+ -+######################################## -+## - ## Read and write NFS server files. - ## - ## -@@ -3971,3 +4102,122 @@ +@@ -4181,3 +4200,22 @@ relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs) relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs) ') @@ -7381,109 +6892,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + dontaudit $1 cifs_t:dir list_dir_perms; +') -+ -+ -+######################################## -+## -+## Mount a XENFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_mount_xenfs',` -+ gen_require(` -+ type xenfs_t; -+ ') -+ -+ allow $1 xenfs_t:filesystem mount; -+') -+ -+######################################## -+## -+## Create, read, write, and delete directories -+## on a XENFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`fs_manage_xenfs_dirs',` -+ gen_require(` -+ type xenfs_t; -+ ') -+ -+ allow $1 xenfs_t:dir manage_dir_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to create, read, -+## write, and delete directories -+## on a XENFS filesystem. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`fs_dontaudit_manage_xenfs_dirs',` -+ gen_require(` -+ type xenfs_t; -+ ') -+ -+ dontaudit $1 xenfs_t:dir manage_dir_perms; -+') -+ -+######################################## -+## -+## Create, read, write, and delete files -+## on a XENFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`fs_manage_xenfs_files',` -+ gen_require(` -+ type xenfs_t; -+ ') -+ -+ manage_files_pattern($1, xenfs_t, xenfs_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to create, -+## read, write, and delete files -+## on a XENFS filesystem. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`fs_dontaudit_manage_xenfs_files',` -+ gen_require(` -+ type xenfs_t; -+ ') -+ -+ dontaudit $1 xenfs_t:file manage_file_perms; -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.1/policy/modules/kernel/filesystem.te ---- nsaserefpolicy/policy/modules/kernel/filesystem.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/kernel/filesystem.te 2009-11-17 11:06:58.000000000 -0500 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.3/policy/modules/kernel/filesystem.te +--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2009-11-25 11:47:19.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/kernel/filesystem.te 2009-11-25 12:39:13.000000000 -0500 @@ -29,6 +29,7 @@ fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0); fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0); @@ -7492,17 +6903,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0); -@@ -93,7 +94,9 @@ +@@ -93,6 +94,8 @@ type hugetlbfs_t; fs_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) --genfscon hugetlbfs / gen_context(system_u:object_r:hugetlbfs_t,s0) +files_type(hugetlbfs_t) +files_poly_parent(hugetlbfs_t) -+fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); + fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); type ibmasmfs_t; - fs_type(ibmasmfs_t) @@ -171,6 +174,7 @@ fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0); fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0); @@ -7511,7 +6920,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow tmpfs_t noxattrfs:filesystem associate; -@@ -200,6 +204,7 @@ +@@ -205,6 +209,7 @@ # type dosfs_t; fs_noxattr_type(dosfs_t) @@ -7519,7 +6928,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow dosfs_t fs_t:filesystem associate; genfscon fat / gen_context(system_u:object_r:dosfs_t,s0) genfscon hfs / gen_context(system_u:object_r:dosfs_t,s0) -@@ -223,6 +228,7 @@ +@@ -216,6 +221,7 @@ + + type fusefs_t; + fs_noxattr_type(fusefs_t) ++files_mountpoint(fusefs_t) + allow fusefs_t self:filesystem associate; + allow fusefs_t fs_t:filesystem associate; + genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0) +@@ -228,6 +234,7 @@ # type iso9660_t; fs_noxattr_type(iso9660_t) @@ -7527,93 +6944,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol genfscon iso9660 / gen_context(system_u:object_r:iso9660_t,s0) genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) -@@ -250,9 +256,13 @@ - genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) - genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) - genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) --genfscon xenfs / gen_context(system_u:object_r:nfs_t,s0) - genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) - -+type xenfs_t; -+fs_noxattr_type(xenfs_t) -+files_mountpoint(xenfs_t) -+genfscon xenfs / gen_context(system_u:object_r:xenfs_t,s0) -+ - ######################################## - # - # Rules for all filesystem types -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.1/policy/modules/kernel/kernel.if ---- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-11-20 10:51:41.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/kernel/kernel.if 2009-11-19 14:06:58.000000000 -0500 -@@ -508,7 +508,7 @@ - ## - ## - ## --## Domain allowed access. -+## - ## - ## - # -@@ -941,43 +941,43 @@ - - ######################################## - ## --## Do not audit attempts to get the attributes of --## core kernel interfaces. -+## Allows caller to read th core kernel interface. - ## - ## - ## --## The process type to not audit. -+## The process type getting the attibutes. - ## - ## - # --interface(`kernel_dontaudit_getattr_core_if',` -+interface(`kernel_read_core_if',` - gen_require(` -- type proc_kcore_t; -+ type proc_t, proc_kcore_t; -+ attribute can_dump_kernel; - ') - -- dontaudit $1 proc_kcore_t:file getattr; -+ read_files_pattern($1, proc_t, proc_kcore_t) -+ list_dirs_pattern($1, proc_t, proc_t) -+ -+ typeattribute $1 can_dump_kernel; - ') +@@ -238,6 +245,7 @@ + allow removable_t noxattrfs:filesystem associate; + fs_noxattr_type(removable_t) + files_type(removable_t) ++files_mountpoint(removable_t) - ######################################## - ## --## Allows caller to read the core kernel interface. -+## Do not audit attempts to get the attributes of -+## core kernel interfaces. - ## - ## - ## --## Domain allowed access. -+## The process type to not audit. - ## - ## # --interface(`kernel_read_core_if',` -+interface(`kernel_dontaudit_getattr_core_if',` - gen_require(` -- type proc_t, proc_kcore_t; -- attribute can_dump_kernel; -+ type proc_kcore_t; - ') - -- read_files_pattern($1, proc_t, proc_kcore_t) -- list_dirs_pattern($1, proc_t, proc_t) -- -- typeattribute $1 can_dump_kernel; -+ dontaudit $1 proc_kcore_t:file getattr; - ') - - ######################################## -@@ -1848,7 +1848,7 @@ + # nfs_t is the default type for NFS file systems +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.3/policy/modules/kernel/kernel.if +--- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-11-25 11:47:19.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/kernel/kernel.if 2009-11-25 12:39:13.000000000 -0500 +@@ -1849,7 +1849,7 @@ ') dontaudit $1 sysctl_type:dir list_dir_perms; @@ -7622,7 +6964,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1919,6 +1919,25 @@ +@@ -1920,6 +1920,25 @@ ######################################## ## @@ -7648,7 +6990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send general signals to unlabeled processes. ## ## -@@ -2662,6 +2681,24 @@ +@@ -2663,6 +2682,24 @@ ######################################## ## @@ -7673,7 +7015,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Unconfined access to kernel module resources. ## ## -@@ -2677,3 +2714,22 @@ +@@ -2678,3 +2715,22 @@ typeattribute $1 kern_unconfined; ') @@ -7696,16 +7038,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 kernel_t:unix_stream_socket connectto; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.1/policy/modules/kernel/kernel.te ---- nsaserefpolicy/policy/modules/kernel/kernel.te 2009-11-20 10:51:41.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/kernel/kernel.te 2009-11-17 11:06:58.000000000 -0500 -@@ -1,5 +1,5 @@ - --policy_module(kernel, 1.11.1) -+policy_module(kernel, 1.11.0) - - ######################################## - # +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.3/policy/modules/kernel/kernel.te +--- nsaserefpolicy/policy/modules/kernel/kernel.te 2009-11-25 11:47:19.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/kernel/kernel.te 2009-11-25 12:39:13.000000000 -0500 @@ -64,6 +64,15 @@ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) @@ -7785,9 +7120,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap }; + +files_boot(kernel_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.7.1/policy/modules/kernel/selinux.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.7.3/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/kernel/selinux.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/kernel/selinux.if 2009-11-25 12:39:13.000000000 -0500 @@ -40,7 +40,7 @@ # because of this statement, any module which @@ -7845,9 +7180,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_type($1) + mls_trusted_object($1) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.7.1/policy/modules/kernel/storage.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.7.3/policy/modules/kernel/storage.fc --- nsaserefpolicy/policy/modules/kernel/storage.fc 2009-11-20 10:51:41.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/kernel/storage.fc 2009-11-24 09:55:13.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/kernel/storage.fc 2009-11-25 12:39:13.000000000 -0500 @@ -14,6 +14,7 @@ /dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) @@ -7856,9 +7191,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/fd[^/]+ -b gen_context(system_u:object_r:removable_device_t,s0) /dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.7.1/policy/modules/kernel/storage.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.7.3/policy/modules/kernel/storage.if --- nsaserefpolicy/policy/modules/kernel/storage.if 2009-11-20 10:51:41.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/kernel/storage.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/kernel/storage.if 2009-11-25 12:39:13.000000000 -0500 @@ -266,6 +266,7 @@ dev_list_all_dev_nodes($1) @@ -7867,39 +7202,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.te serefpolicy-3.7.1/policy/modules/kernel/storage.te ---- nsaserefpolicy/policy/modules/kernel/storage.te 2009-11-20 10:51:41.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/kernel/storage.te 2009-11-17 10:55:11.000000000 -0500 -@@ -1,5 +1,5 @@ - --policy_module(storage, 1.7.1) -+policy_module(storage, 1.7.0) - - ######################################## - # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.7.1/policy/modules/kernel/terminal.fc ---- nsaserefpolicy/policy/modules/kernel/terminal.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/kernel/terminal.fc 2009-11-17 11:06:58.000000000 -0500 -@@ -13,6 +13,7 @@ - /dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) - /dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0) - /dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0) -+/dev/pts/ptmx -c gen_context(system_u:object_r:ptmx_t,s0) - /dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) - /dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) - /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.1/policy/modules/kernel/terminal.if ---- nsaserefpolicy/policy/modules/kernel/terminal.if 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/kernel/terminal.if 2009-11-23 11:38:32.000000000 -0500 -@@ -196,7 +196,7 @@ - - dev_list_all_dev_nodes($1) - allow $1 devpts_t:dir list_dir_perms; -- allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms; -+ allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms; - ') - - ######################################## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.3/policy/modules/kernel/terminal.if +--- nsaserefpolicy/policy/modules/kernel/terminal.if 2009-11-25 11:47:19.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/kernel/terminal.if 2009-11-25 12:39:13.000000000 -0500 @@ -273,9 +273,11 @@ interface(`term_dontaudit_use_console',` gen_require(` @@ -7912,57 +7217,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -474,6 +476,23 @@ - - ######################################## - ## -+## dontaudit getattr of generic pty devices. -+## -+## -+## -+## The type of the process to not audit. -+## -+## -+# -+interface(`term_dontaudit_getattr_generic_ptys',` -+ gen_require(` -+ type devpts_t; -+ ') -+ -+ dontaudit $1 devpts_t:chr_file getattr; -+') -+######################################## -+## - ## ioctl of generic pty devices. - ## - ## -@@ -575,6 +594,25 @@ - dontaudit $1 devpts_t:chr_file { getattr read write ioctl }; - ') - -+####################################### -+## -+## Set the attributes of the tty device -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`term_setattr_controlling_term',` -+ gen_require(` -+ type devtty_t; -+ ') -+ -+ dev_list_all_dev_nodes($1) -+ allow $1 devtty_t:chr_file setattr; -+') -+ - ######################################## - ## - ## Read and write the controlling -@@ -991,10 +1029,12 @@ +@@ -1028,10 +1030,12 @@ interface(`term_use_unallocated_ttys',` gen_require(` type tty_device_t; @@ -7975,7 +7230,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1011,8 +1051,10 @@ +@@ -1048,8 +1052,10 @@ interface(`term_dontaudit_use_unallocated_ttys',` gen_require(` type tty_device_t; @@ -7986,20 +7241,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit $1 tty_device_t:chr_file rw_chr_file_perms; ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-3.7.1/policy/modules/kernel/terminal.te ---- nsaserefpolicy/policy/modules/kernel/terminal.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/kernel/terminal.te 2009-11-17 11:06:58.000000000 -0500 -@@ -44,6 +44,7 @@ - type ptmx_t; - dev_node(ptmx_t) - mls_trusted_object(ptmx_t) -+allow ptmx_t devpts_t:filesystem associate; - - # - # tty_device_t is the type of /dev/*tty* -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.7.1/policy/modules/roles/guest.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.7.3/policy/modules/roles/guest.te --- nsaserefpolicy/policy/modules/roles/guest.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/roles/guest.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/roles/guest.te 2009-11-25 12:39:13.000000000 -0500 @@ -16,7 +16,11 @@ # @@ -8014,9 +7258,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +gen_user(guest_u, user, guest_r, s0, s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.1/policy/modules/roles/staff.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.3/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/roles/staff.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/roles/staff.te 2009-11-25 12:39:13.000000000 -0500 @@ -10,161 +10,117 @@ userdom_unpriv_user_template(staff) @@ -8220,9 +7464,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - xserver_role(staff_r, staff_t) + virt_stream_connect(staff_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.1/policy/modules/roles/sysadm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.3/policy/modules/roles/sysadm.te --- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/roles/sysadm.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/roles/sysadm.te 2009-11-25 12:39:13.000000000 -0500 @@ -15,7 +15,7 @@ role sysadm_r; @@ -8532,9 +7776,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +init_script_role_transition(sysadm_r) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.7.1/policy/modules/roles/unconfineduser.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.7.3/policy/modules/roles/unconfineduser.fc --- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/roles/unconfineduser.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/roles/unconfineduser.fc 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,8 @@ +# Add programs here which should not be confined by SELinux +# e.g.: @@ -8544,9 +7788,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/sbin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) +/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.7.1/policy/modules/roles/unconfineduser.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.7.3/policy/modules/roles/unconfineduser.if --- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/roles/unconfineduser.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/roles/unconfineduser.if 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,638 @@ +## Unconfiend user role + @@ -9186,10 +8430,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 unconfined_r; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.1/policy/modules/roles/unconfineduser.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.3/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/roles/unconfineduser.te 2009-11-24 14:57:49.000000000 -0500 -@@ -0,0 +1,431 @@ ++++ serefpolicy-3.7.3/policy/modules/roles/unconfineduser.te 2009-11-25 12:39:13.000000000 -0500 +@@ -0,0 +1,449 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -9307,34 +8551,55 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + attribute unconfined_usertype; + ') + ++ nsplugin_role_notrans(unconfined_r, unconfined_usertype) ++ optional_policy(` ++ tunable_policy(`allow_unconfined_nsplugin_transition',` ++ nsplugin_domtrans(unconfined_usertype) ++ nsplugin_domtrans_config(unconfined_usertype) ++ ') ++ ') ++ ++ userdom_execmod_user_home_files(unconfined_usertype) ++ + optional_policy(` + abrt_dbus_chat(unconfined_usertype) + abrt_run_helper(unconfined_usertype, unconfined_r) + ') + -+ nsplugin_role_notrans(unconfined_r, unconfined_usertype) -+ tunable_policy(`allow_unconfined_nsplugin_transition',` -+ nsplugin_domtrans(unconfined_usertype) -+ nsplugin_domtrans_config(unconfined_usertype) ++ optional_policy(` ++ avahi_dbus_chat(unconfined_usertype) + ') + + optional_policy(` -+ rtkit_daemon_system_domain(unconfined_usertype) ++ devicekit_dbus_chat(unconfined_usertype) ++ devicekit_dbus_chat_disk(unconfined_usertype) ++ devicekit_dbus_chat_power(unconfined_usertype) + ') + -+ userdom_execmod_user_home_files(unconfined_usertype) ++ optional_policy(` ++ hal_dbus_chat(unconfined_usertype) ++ ') + + optional_policy(` -+ sandbox_transition(unconfined_usertype, unconfined_r) ++ networkmanager_dbus_chat(unconfined_usertype) + ') + + optional_policy(` -+ avahi_dbus_chat(unconfined_usertype) ++ policykit_role(unconfined_r, unconfined_usertype) + ') + + optional_policy(` -+ hal_dbus_chat(unconfined_usertype) ++ rtkit_daemon_system_domain(unconfined_usertype) ++ ') ++ ++ optional_policy(` ++ setroubleshoot_dbus_chat(unconfined_usertype) ++ ') ++ ++ optional_policy(` ++ sandbox_transition(unconfined_usertype, unconfined_r) + ') ++ +') + +ifdef(`distro_gentoo',` @@ -9496,6 +8761,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + rpm_run(unconfined_t, unconfined_r) + # Allow SELinux aware applications to request rpm_script execution + rpm_transition_script(unconfined_t) ++ rpm_dbus_chat(unconfined_t) +') + +optional_policy(` @@ -9606,10 +8872,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +domain_ptrace_all_domains(unconfined_notrans_t) + +optional_policy(` -+ policykit_role(unconfined_r, unconfined_notrans_t) -+') -+ -+optional_policy(` + rtkit_daemon_system_domain(unconfined_notrans_t) +') + @@ -9621,9 +8883,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.7.1/policy/modules/roles/unprivuser.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.7.3/policy/modules/roles/unprivuser.te --- nsaserefpolicy/policy/modules/roles/unprivuser.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/roles/unprivuser.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/roles/unprivuser.te 2009-11-25 12:39:13.000000000 -0500 @@ -14,96 +14,19 @@ userdom_unpriv_user_template(user) @@ -9772,9 +9034,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - xserver_role(user_r, user_t) + setroubleshoot_dontaudit_stream_connect(user_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.1/policy/modules/roles/xguest.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.3/policy/modules/roles/xguest.te --- nsaserefpolicy/policy/modules/roles/xguest.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/roles/xguest.te 2009-11-24 18:10:12.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/roles/xguest.te 2009-11-25 12:39:13.000000000 -0500 @@ -31,16 +31,38 @@ userdom_restricted_xwindows_user_template(xguest) @@ -9890,9 +9152,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -#gen_user(xguest_u,, xguest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.7.1/policy/modules/services/abrt.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.7.3/policy/modules/services/abrt.fc --- nsaserefpolicy/policy/modules/services/abrt.fc 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/abrt.fc 2009-11-18 16:55:18.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/abrt.fc 2009-11-25 12:39:13.000000000 -0500 @@ -1,11 +1,15 @@ /etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) /etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) @@ -9910,9 +9172,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0) /var/run/abrt\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0) +/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.7.1/policy/modules/services/abrt.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.7.3/policy/modules/services/abrt.if --- nsaserefpolicy/policy/modules/services/abrt.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/abrt.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/abrt.if 2009-11-25 12:39:13.000000000 -0500 @@ -19,6 +19,24 @@ domtrans_pattern($1, abrt_exec_t, abrt_t) ') @@ -10036,9 +9298,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##################################### ## ## All of the rules required to administrate -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.1/policy/modules/services/abrt.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.3/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/abrt.te 2009-11-24 10:12:04.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/abrt.te 2009-11-25 12:39:13.000000000 -0500 @@ -33,12 +33,25 @@ type abrt_var_run_t; files_pid_file(abrt_var_run_t) @@ -10196,9 +9458,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +userdom_dontaudit_use_user_terminals(abrt_helper_t) + +permissive abrt_helper_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.fc serefpolicy-3.7.1/policy/modules/services/afs.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.fc serefpolicy-3.7.3/policy/modules/services/afs.fc --- nsaserefpolicy/policy/modules/services/afs.fc 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/afs.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/afs.fc 2009-11-25 12:39:13.000000000 -0500 @@ -25,6 +25,7 @@ /usr/vice/etc/afsd -- gen_context(system_u:object_r:afs_exec_t,s0) @@ -10207,9 +9469,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /vicepa gen_context(system_u:object_r:afs_files_t,s0) /vicepb gen_context(system_u:object_r:afs_files_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.7.1/policy/modules/services/afs.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.7.3/policy/modules/services/afs.te --- nsaserefpolicy/policy/modules/services/afs.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/afs.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/afs.te 2009-11-25 12:39:13.000000000 -0500 @@ -71,7 +71,7 @@ # afs client local policy # @@ -10227,9 +9489,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_rw_etc_runtime_files(afs_t) fs_getattr_xattr_fs(afs_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.fc serefpolicy-3.7.1/policy/modules/services/aisexec.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.fc serefpolicy-3.7.3/policy/modules/services/aisexec.fc --- nsaserefpolicy/policy/modules/services/aisexec.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/services/aisexec.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/aisexec.fc 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,12 @@ + +/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:aisexec_initrc_exec_t,s0) @@ -10243,9 +9505,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/aisexec\.pid -- gen_context(system_u:object_r:aisexec_var_run_t,s0) + +/var/run/cman_.* -s gen_context(system_u:object_r:aisexec_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.if serefpolicy-3.7.1/policy/modules/services/aisexec.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.if serefpolicy-3.7.3/policy/modules/services/aisexec.if --- nsaserefpolicy/policy/modules/services/aisexec.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/services/aisexec.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/aisexec.if 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,106 @@ +## SELinux policy for Aisexec Cluster Engine + @@ -10353,9 +9615,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + admin_pattern($1, aisexec_tmpfs_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.7.1/policy/modules/services/aisexec.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.7.3/policy/modules/services/aisexec.te --- nsaserefpolicy/policy/modules/services/aisexec.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/services/aisexec.te 2009-11-20 10:04:14.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/aisexec.te 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,112 @@ + +policy_module(aisexec,1.0.0) @@ -10469,9 +9731,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +groupd_rw_semaphores(aisexec_t) +groupd_rw_shm(aisexec_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.7.1/policy/modules/services/amavis.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.7.3/policy/modules/services/amavis.te --- nsaserefpolicy/policy/modules/services/amavis.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/amavis.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/amavis.te 2009-11-25 12:39:13.000000000 -0500 @@ -103,6 +103,8 @@ kernel_dontaudit_read_proc_symlinks(amavis_t) kernel_dontaudit_read_system_state(amavis_t) @@ -10481,9 +9743,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # find perl corecmd_exec_bin(amavis_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.1/policy/modules/services/apache.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.3/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/apache.fc 2009-11-19 15:03:04.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/apache.fc 2009-11-25 12:39:13.000000000 -0500 @@ -2,11 +2,15 @@ /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) @@ -10599,9 +9861,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.1/policy/modules/services/apache.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.3/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2009-07-28 15:51:13.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/apache.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/apache.if 2009-11-25 12:39:13.000000000 -0500 @@ -13,21 +13,16 @@ # template(`apache_content_template',` @@ -11205,9 +10467,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + typeattribute $1 httpd_rw_content; ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.1/policy/modules/services/apache.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.3/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/apache.te 2009-11-23 11:25:41.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/apache.te 2009-11-25 12:39:13.000000000 -0500 @@ -19,6 +19,8 @@ # Declarations # @@ -12017,9 +11279,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +typealias httpd_sys_script_t alias httpd_fastcgi_script_t; +typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.7.1/policy/modules/services/apm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.7.3/policy/modules/services/apm.te --- nsaserefpolicy/policy/modules/services/apm.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/apm.te 2009-11-17 16:29:03.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/apm.te 2009-11-25 12:39:13.000000000 -0500 @@ -60,7 +60,7 @@ # mknod: controlling an orderly resume of PCMCIA requires creating device # nodes 254,{0,1,2} for some reason. @@ -12040,9 +11302,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: related to sleep/resume (?) optional_policy(` xserver_domtrans(apmd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.7.1/policy/modules/services/arpwatch.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.7.3/policy/modules/services/arpwatch.te --- nsaserefpolicy/policy/modules/services/arpwatch.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/arpwatch.te 2009-11-23 18:39:44.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/arpwatch.te 2009-11-25 12:39:13.000000000 -0500 @@ -34,6 +34,7 @@ allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms }; allow arpwatch_t self:udp_socket create_socket_perms; @@ -12059,9 +11321,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(arpwatch_t) kernel_list_proc(arpwatch_t) kernel_read_proc_symlinks(arpwatch_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.7.1/policy/modules/services/asterisk.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.7.3/policy/modules/services/asterisk.if --- nsaserefpolicy/policy/modules/services/asterisk.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/asterisk.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/asterisk.if 2009-11-25 12:39:13.000000000 -0500 @@ -1,5 +1,26 @@ ## Asterisk IP telephony server @@ -12089,9 +11351,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## All of the rules required to administrate -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.7.1/policy/modules/services/asterisk.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.7.3/policy/modules/services/asterisk.te --- nsaserefpolicy/policy/modules/services/asterisk.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/asterisk.te 2009-11-23 13:38:30.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/asterisk.te 2009-11-25 12:39:13.000000000 -0500 @@ -34,6 +34,8 @@ type asterisk_var_run_t; files_pid_file(asterisk_var_run_t) @@ -12117,9 +11379,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(asterisk_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.7.1/policy/modules/services/automount.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.7.3/policy/modules/services/automount.te --- nsaserefpolicy/policy/modules/services/automount.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/automount.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/automount.te 2009-11-25 12:39:13.000000000 -0500 @@ -75,6 +75,7 @@ fs_mount_all_fs(automount_t) @@ -12136,9 +11398,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol storage_rw_fuse(automount_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.7.1/policy/modules/services/avahi.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.7.3/policy/modules/services/avahi.te --- nsaserefpolicy/policy/modules/services/avahi.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/avahi.te 2009-11-18 16:51:04.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/avahi.te 2009-11-25 12:39:13.000000000 -0500 @@ -24,7 +24,7 @@ # Local policy # @@ -12156,9 +11418,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t) manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.7.1/policy/modules/services/bind.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.7.3/policy/modules/services/bind.if --- nsaserefpolicy/policy/modules/services/bind.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/bind.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/bind.if 2009-11-25 12:39:13.000000000 -0500 @@ -235,7 +235,7 @@ ######################################## @@ -12220,9 +11482,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate ## an bind environment ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.7.1/policy/modules/services/bitlbee.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.7.3/policy/modules/services/bitlbee.te --- nsaserefpolicy/policy/modules/services/bitlbee.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/bitlbee.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/bitlbee.te 2009-11-25 12:39:13.000000000 -0500 @@ -68,6 +68,8 @@ # MSN can use passport auth, which is over http: corenet_tcp_connect_http_port(bitlbee_t) @@ -12232,9 +11494,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_rand(bitlbee_t) dev_read_urand(bitlbee_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.7.1/policy/modules/services/bluetooth.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.7.3/policy/modules/services/bluetooth.if --- nsaserefpolicy/policy/modules/services/bluetooth.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/bluetooth.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/bluetooth.if 2009-11-25 12:39:13.000000000 -0500 @@ -153,6 +153,27 @@ dontaudit $1 bluetooth_helper_t:file { read getattr }; ') @@ -12263,9 +11525,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## All of the rules required to administrate -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.7.1/policy/modules/services/bluetooth.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.7.3/policy/modules/services/bluetooth.te --- nsaserefpolicy/policy/modules/services/bluetooth.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/bluetooth.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/bluetooth.te 2009-11-25 12:39:13.000000000 -0500 @@ -54,9 +54,9 @@ # Bluetooth services local policy # @@ -12313,9 +11575,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol pulseaudio_dbus_chat(bluetooth_t) ') ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.fc serefpolicy-3.7.1/policy/modules/services/ccs.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.fc serefpolicy-3.7.3/policy/modules/services/ccs.fc --- nsaserefpolicy/policy/modules/services/ccs.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/ccs.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/ccs.fc 2009-11-25 12:39:13.000000000 -0500 @@ -2,9 +2,5 @@ /sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0) @@ -12328,9 +11590,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/var/run/cman_.* -s gen_context(system_u:object_r:ccs_var_run_t,s0) +/var/run/cluster/ccsd\.pid -- gen_context(system_u:object_r:ccs_var_run_t,s0) +/var/run/cluster/ccsd\.sock -s gen_context(system_u:object_r:ccs_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.7.1/policy/modules/services/ccs.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.7.3/policy/modules/services/ccs.te --- nsaserefpolicy/policy/modules/services/ccs.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/ccs.te 2009-11-20 16:30:47.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/ccs.te 2009-11-25 12:39:13.000000000 -0500 @@ -10,23 +10,21 @@ type ccs_exec_t; init_daemon_domain(ccs_t, ccs_exec_t) @@ -12414,9 +11676,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`hide_broken_symptoms', ` corecmd_dontaudit_write_bin_dirs(ccs_t) files_manage_isid_type_files(ccs_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.7.1/policy/modules/services/certmaster.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.7.3/policy/modules/services/certmaster.te --- nsaserefpolicy/policy/modules/services/certmaster.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/certmaster.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/certmaster.te 2009-11-25 12:39:13.000000000 -0500 @@ -30,7 +30,7 @@ # certmaster local policy # @@ -12426,9 +11688,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow certmaster_t self:tcp_socket create_stream_socket_perms; # config files -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.7.1/policy/modules/services/chronyd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.7.3/policy/modules/services/chronyd.fc --- nsaserefpolicy/policy/modules/services/chronyd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/services/chronyd.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/chronyd.fc 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,11 @@ + +/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0) @@ -12441,9 +11703,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.7.1/policy/modules/services/chronyd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.7.3/policy/modules/services/chronyd.if --- nsaserefpolicy/policy/modules/services/chronyd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/services/chronyd.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/chronyd.if 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,105 @@ +## chrony background daemon + @@ -12550,9 +11812,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.7.1/policy/modules/services/chronyd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.7.3/policy/modules/services/chronyd.te --- nsaserefpolicy/policy/modules/services/chronyd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/services/chronyd.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/chronyd.te 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,67 @@ +policy_module(chronyd,1.0.0) + @@ -12621,9 +11883,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +miscfiles_read_localization(chronyd_t) + +permissive chronyd_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.1/policy/modules/services/clamav.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.3/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/clamav.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/clamav.te 2009-11-25 12:39:13.000000000 -0500 @@ -117,9 +117,9 @@ logging_send_syslog_msg(clamd_t) @@ -12665,17 +11927,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` apache_read_sys_content(clamscan_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.fc serefpolicy-3.7.1/policy/modules/services/clogd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.fc serefpolicy-3.7.3/policy/modules/services/clogd.fc --- nsaserefpolicy/policy/modules/services/clogd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/services/clogd.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/clogd.fc 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,4 @@ + +/usr/sbin/clogd -- gen_context(system_u:object_r:clogd_exec_t,s0) + +/var/run/clogd\.pid -- gen_context(system_u:object_r:clogd_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.7.1/policy/modules/services/clogd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.7.3/policy/modules/services/clogd.if --- nsaserefpolicy/policy/modules/services/clogd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/services/clogd.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/clogd.if 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,98 @@ +## clogd - clustered mirror log server + @@ -12775,9 +12037,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 clogd_t:shm { rw_shm_perms destroy }; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.te serefpolicy-3.7.1/policy/modules/services/clogd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.te serefpolicy-3.7.3/policy/modules/services/clogd.te --- nsaserefpolicy/policy/modules/services/clogd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/services/clogd.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/clogd.te 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,62 @@ + +policy_module(clogd,1.0.0) @@ -12841,15 +12103,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.fc serefpolicy-3.7.1/policy/modules/services/cobbler.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.fc serefpolicy-3.7.3/policy/modules/services/cobbler.fc --- nsaserefpolicy/policy/modules/services/cobbler.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/services/cobbler.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/cobbler.fc 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,2 @@ + +/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.7.1/policy/modules/services/cobbler.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.7.3/policy/modules/services/cobbler.if --- nsaserefpolicy/policy/modules/services/cobbler.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/services/cobbler.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/cobbler.if 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,44 @@ +## +## Cobbler var_lib_t @@ -12895,18 +12157,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_search_var_lib($1) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.7.1/policy/modules/services/cobbler.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.7.3/policy/modules/services/cobbler.te --- nsaserefpolicy/policy/modules/services/cobbler.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/services/cobbler.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/cobbler.te 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,5 @@ + +policy_module(cobbler, 1.10.0) + +type cobbler_var_lib_t; +files_type(cobbler_var_lib_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.7.1/policy/modules/services/consolekit.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.7.3/policy/modules/services/consolekit.fc --- nsaserefpolicy/policy/modules/services/consolekit.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/consolekit.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/consolekit.fc 2009-11-25 12:39:13.000000000 -0500 @@ -2,4 +2,5 @@ /var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) @@ -12914,9 +12176,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/var/run/ConsoleKit(/.*)? -- gen_context(system_u:object_r:consolekit_var_run_t,s0) + +/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.7.1/policy/modules/services/consolekit.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.7.3/policy/modules/services/consolekit.if --- nsaserefpolicy/policy/modules/services/consolekit.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/consolekit.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/consolekit.if 2009-11-25 12:39:13.000000000 -0500 @@ -57,3 +57,42 @@ read_files_pattern($1, consolekit_log_t, consolekit_log_t) files_search_pids($1) @@ -12960,9 +12222,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.7.1/policy/modules/services/consolekit.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.7.3/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/consolekit.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/consolekit.te 2009-11-25 12:39:13.000000000 -0500 @@ -21,7 +21,7 @@ # consolekit local policy # @@ -13036,9 +12298,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_stream_connect(consolekit_t) ') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.7.1/policy/modules/services/corosync.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.7.3/policy/modules/services/corosync.fc --- nsaserefpolicy/policy/modules/services/corosync.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/services/corosync.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/corosync.fc 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,13 @@ + +/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0) @@ -13053,9 +12315,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.if serefpolicy-3.7.1/policy/modules/services/corosync.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.if serefpolicy-3.7.3/policy/modules/services/corosync.if --- nsaserefpolicy/policy/modules/services/corosync.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/services/corosync.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/corosync.if 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,108 @@ +## SELinux policy for Corosync Cluster Engine + @@ -13165,9 +12427,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.1/policy/modules/services/corosync.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.3/policy/modules/services/corosync.te --- nsaserefpolicy/policy/modules/services/corosync.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/services/corosync.te 2009-11-23 13:51:04.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/corosync.te 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,109 @@ + +policy_module(corosync,1.0.0) @@ -13278,9 +12540,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +permissive corosync_t; + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.7.1/policy/modules/services/courier.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.7.3/policy/modules/services/courier.if --- nsaserefpolicy/policy/modules/services/courier.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/courier.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/courier.if 2009-11-25 12:39:13.000000000 -0500 @@ -179,6 +179,24 @@ ######################################## @@ -13306,9 +12568,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write to courier spool pipes. ## ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.7.1/policy/modules/services/courier.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.7.3/policy/modules/services/courier.te --- nsaserefpolicy/policy/modules/services/courier.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/courier.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/courier.te 2009-11-25 12:39:13.000000000 -0500 @@ -10,6 +10,7 @@ type courier_etc_t; @@ -13317,9 +12579,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol courier_domain_template(pcp) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.7.1/policy/modules/services/cron.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.7.3/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/cron.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/cron.fc 2009-11-25 12:39:13.000000000 -0500 @@ -14,7 +14,7 @@ /var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) @@ -13337,9 +12599,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) + +/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.7.1/policy/modules/services/cron.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.7.3/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/cron.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/cron.if 2009-11-25 12:39:13.000000000 -0500 @@ -12,6 +12,10 @@ ## # @@ -13481,9 +12743,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.1/policy/modules/services/cron.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.3/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/services/cron.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/cron.te 2009-11-25 12:39:13.000000000 -0500 @@ -38,6 +38,7 @@ type cron_var_lib_t; files_type(cron_var_lib_t) @@ -13740,9 +13002,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_domain(system_cronjob_t) userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.1/policy/modules/services/cups.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.3/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2009-07-28 15:51:13.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/cups.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/cups.fc 2009-11-25 12:39:13.000000000 -0500 @@ -13,10 +13,14 @@ /etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0) @@ -13786,9 +13048,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.1/policy/modules/services/cups.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.3/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/cups.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/cups.te 2009-11-25 12:51:50.000000000 -0500 @@ -23,6 +23,9 @@ type cupsd_initrc_exec_t; init_script_file(cupsd_initrc_exec_t) @@ -13816,7 +13078,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type hplip_var_run_t; files_pid_file(hplip_var_run_t) -@@ -116,6 +122,9 @@ +@@ -105,6 +111,7 @@ + allow cupsd_t self:unix_dgram_socket create_socket_perms; + allow cupsd_t self:netlink_selinux_socket create_socket_perms; + allow cupsd_t self:shm create_shm_perms; ++allow cupsd_t self:sem create_sem_perms; + allow cupsd_t self:tcp_socket create_stream_socket_perms; + allow cupsd_t self:udp_socket create_socket_perms; + allow cupsd_t self:appletalk_socket create_socket_perms; +@@ -116,6 +123,9 @@ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) files_search_etc(cupsd_t) @@ -13826,7 +13096,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file) -@@ -156,6 +165,7 @@ +@@ -156,6 +166,7 @@ kernel_read_system_state(cupsd_t) kernel_read_network_state(cupsd_t) kernel_read_all_sysctls(cupsd_t) @@ -13834,7 +13104,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(cupsd_t) corenet_all_recvfrom_netlabel(cupsd_t) -@@ -171,6 +181,7 @@ +@@ -171,6 +182,7 @@ corenet_udp_bind_generic_node(cupsd_t) corenet_tcp_bind_ipp_port(cupsd_t) corenet_udp_bind_ipp_port(cupsd_t) @@ -13842,15 +13112,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_reserved_port(cupsd_t) corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_bind_all_rpc_ports(cupsd_t) -@@ -250,6 +261,7 @@ +@@ -250,6 +262,7 @@ miscfiles_read_localization(cupsd_t) # invoking ghostscript needs to read fonts miscfiles_read_fonts(cupsd_t) -+miscfiles_setattr_fonts(cupsd_t) ++miscfiles_setattr_fonts_dirs(cupsd_t) seutil_read_config(cupsd_t) sysnet_exec_ifconfig(cupsd_t) -@@ -317,6 +329,10 @@ +@@ -317,6 +330,10 @@ ') optional_policy(` @@ -13861,7 +13131,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol udev_read_db(cupsd_t) ') -@@ -327,7 +343,7 @@ +@@ -327,7 +344,7 @@ allow cupsd_config_t self:capability { chown dac_override sys_tty_config }; dontaudit cupsd_config_t self:capability sys_tty_config; @@ -13870,7 +13140,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow cupsd_config_t self:fifo_file rw_fifo_file_perms; allow cupsd_config_t self:unix_stream_socket create_socket_perms; allow cupsd_config_t self:unix_dgram_socket create_socket_perms; -@@ -407,6 +423,7 @@ +@@ -407,6 +424,7 @@ userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) @@ -13878,7 +13148,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cups_stream_connect(cupsd_config_t) -@@ -419,12 +436,15 @@ +@@ -419,12 +437,15 @@ ') optional_policy(` @@ -13896,7 +13166,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` hal_dbus_chat(cupsd_config_t) -@@ -446,6 +466,10 @@ +@@ -446,6 +467,10 @@ ') optional_policy(` @@ -13907,7 +13177,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpm_read_db(cupsd_config_t) ') -@@ -542,6 +566,8 @@ +@@ -542,6 +567,8 @@ manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir }) @@ -13916,7 +13186,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(cups_pdf_t) files_read_etc_files(cups_pdf_t) -@@ -556,11 +582,15 @@ +@@ -556,11 +583,15 @@ miscfiles_read_fonts(cups_pdf_t) userdom_home_filetrans_user_home_dir(cups_pdf_t) @@ -13932,7 +13202,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(cups_pdf_t) -@@ -601,6 +631,9 @@ +@@ -601,6 +632,9 @@ read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) files_search_etc(hplip_t) @@ -13942,7 +13212,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file ) -@@ -627,6 +660,7 @@ +@@ -627,6 +661,7 @@ corenet_tcp_connect_ipp_port(hplip_t) corenet_sendrecv_hplip_client_packets(hplip_t) corenet_receive_hplip_server_packets(hplip_t) @@ -13950,18 +13220,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_sysfs(hplip_t) dev_rw_printer(hplip_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.7.1/policy/modules/services/cvs.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.7.3/policy/modules/services/cvs.te --- nsaserefpolicy/policy/modules/services/cvs.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/cvs.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/cvs.te 2009-11-25 12:39:13.000000000 -0500 @@ -112,4 +112,5 @@ read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) + files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.7.1/policy/modules/services/cyrus.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.7.3/policy/modules/services/cyrus.te --- nsaserefpolicy/policy/modules/services/cyrus.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/cyrus.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/cyrus.te 2009-11-25 12:39:13.000000000 -0500 @@ -137,6 +137,7 @@ optional_policy(` snmp_read_snmp_var_lib_files(cyrus_t) @@ -13970,9 +13240,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.7.1/policy/modules/services/dbus.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.7.3/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/dbus.if 2009-11-24 18:53:39.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/dbus.if 2009-11-25 12:39:13.000000000 -0500 @@ -42,8 +42,10 @@ gen_require(` class dbus { send_msg acquire_svc }; @@ -14097,9 +13367,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.7.1/policy/modules/services/dbus.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.7.3/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/services/dbus.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/dbus.te 2009-11-25 12:39:13.000000000 -0500 @@ -86,6 +86,7 @@ dev_read_sysfs(system_dbusd_t) @@ -14152,9 +13422,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow dbusd_unconfined session_bus_type:dbus all_dbus_perms; +allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms; +allow session_bus_type dbusd_unconfined:dbus send_msg; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.7.1/policy/modules/services/dcc.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.7.3/policy/modules/services/dcc.te --- nsaserefpolicy/policy/modules/services/dcc.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/dcc.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/dcc.te 2009-11-25 12:39:13.000000000 -0500 @@ -130,11 +130,13 @@ # Access files in /var/dcc. The map file can be updated @@ -14181,9 +13451,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol spamassassin_read_spamd_tmp_files(dcc_client_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.if serefpolicy-3.7.1/policy/modules/services/ddclient.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.if serefpolicy-3.7.3/policy/modules/services/ddclient.if --- nsaserefpolicy/policy/modules/services/ddclient.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/ddclient.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/ddclient.if 2009-11-25 12:39:13.000000000 -0500 @@ -21,6 +21,31 @@ ######################################## @@ -14216,18 +13486,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate ## an ddclient environment ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.7.1/policy/modules/services/devicekit.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.7.3/policy/modules/services/devicekit.fc --- nsaserefpolicy/policy/modules/services/devicekit.fc 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/devicekit.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/devicekit.fc 2009-11-25 12:39:13.000000000 -0500 @@ -5,4 +5,4 @@ /var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0) /var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) -/var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.7.1/policy/modules/services/devicekit.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.7.3/policy/modules/services/devicekit.if --- nsaserefpolicy/policy/modules/services/devicekit.if 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/devicekit.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/devicekit.if 2009-11-25 12:39:13.000000000 -0500 @@ -139,6 +139,26 @@ ######################################## @@ -14264,9 +13534,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') allow $1 devicekit_t:process { ptrace signal_perms getattr }; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.1/policy/modules/services/devicekit.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.3/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/devicekit.te 2009-11-19 16:38:18.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/devicekit.te 2009-11-25 12:39:13.000000000 -0500 @@ -36,12 +36,15 @@ manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) @@ -14451,9 +13721,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` vbetool_domtrans(devicekit_power_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.7.1/policy/modules/services/dnsmasq.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.7.3/policy/modules/services/dnsmasq.te --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/dnsmasq.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/dnsmasq.te 2009-11-25 12:39:13.000000000 -0500 @@ -83,6 +83,18 @@ userdom_dontaudit_search_user_home_dirs(dnsmasq_t) @@ -14473,9 +13743,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(dnsmasq_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.1/policy/modules/services/dovecot.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.3/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/dovecot.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/dovecot.te 2009-11-25 12:39:13.000000000 -0500 @@ -56,7 +56,7 @@ allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot }; @@ -14541,9 +13811,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_manage_cifs_symlinks(dovecot_deliver_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.7.1/policy/modules/services/exim.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.7.3/policy/modules/services/exim.te --- nsaserefpolicy/policy/modules/services/exim.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/exim.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/exim.te 2009-11-25 12:39:13.000000000 -0500 @@ -111,6 +111,7 @@ files_search_var(exim_t) files_read_etc_files(exim_t) @@ -14563,9 +13833,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol spamassassin_exec(exim_t) spamassassin_exec_client(exim_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.7.1/policy/modules/services/fail2ban.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.7.3/policy/modules/services/fail2ban.te --- nsaserefpolicy/policy/modules/services/fail2ban.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/fail2ban.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/fail2ban.te 2009-11-25 12:39:13.000000000 -0500 @@ -33,6 +33,7 @@ allow fail2ban_t self:process signal; allow fail2ban_t self:fifo_file rw_fifo_file_perms; @@ -14582,9 +13852,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(fail2ban_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.7.1/policy/modules/services/fetchmail.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.7.3/policy/modules/services/fetchmail.te --- nsaserefpolicy/policy/modules/services/fetchmail.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/fetchmail.te 2009-11-18 08:45:23.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/fetchmail.te 2009-11-25 12:39:13.000000000 -0500 @@ -47,6 +47,9 @@ kernel_read_proc_symlinks(fetchmail_t) kernel_dontaudit_read_system_state(fetchmail_t) @@ -14595,9 +13865,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(fetchmail_t) corenet_all_recvfrom_netlabel(fetchmail_t) corenet_tcp_sendrecv_generic_if(fetchmail_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.7.1/policy/modules/services/fprintd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.7.3/policy/modules/services/fprintd.te --- nsaserefpolicy/policy/modules/services/fprintd.te 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/fprintd.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/fprintd.te 2009-11-25 12:39:13.000000000 -0500 @@ -37,6 +37,8 @@ files_read_etc_files(fprintd_t) files_read_usr_files(fprintd_t) @@ -14615,9 +13885,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol policykit_domtrans_auth(fprintd_t) ') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.7.1/policy/modules/services/ftp.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.7.3/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/ftp.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/ftp.te 2009-11-25 12:39:13.000000000 -0500 @@ -41,6 +41,13 @@ ## @@ -14741,9 +14011,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(ftpd_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.7.1/policy/modules/services/git.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.7.3/policy/modules/services/git.fc --- nsaserefpolicy/policy/modules/services/git.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/git.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/git.fc 2009-11-25 12:39:13.000000000 -0500 @@ -1,3 +1,9 @@ /var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0) -/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) @@ -14755,9 +14025,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +# Conflict with Fedora cgit fc spec. +/var/lib/git(/.*)? gen_context(system_u:object_r:git_data_t, s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.7.1/policy/modules/services/git.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.7.3/policy/modules/services/git.if --- nsaserefpolicy/policy/modules/services/git.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/git.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/git.if 2009-11-25 12:39:13.000000000 -0500 @@ -1 +1,285 @@ -## GIT revision control system +## Git daemon is a really simple server for Git repositories. @@ -15045,9 +14315,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + seutil_domtrans_setfiles($1) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.7.1/policy/modules/services/git.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.7.3/policy/modules/services/git.te --- nsaserefpolicy/policy/modules/services/git.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/git.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/git.te 2009-11-25 12:39:13.000000000 -0500 @@ -1,9 +1,173 @@ policy_module(git, 1.0) @@ -15223,9 +14493,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol apache_content_template(git) +git_read_data_content(httpd_git_script_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.te serefpolicy-3.7.1/policy/modules/services/gpm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.te serefpolicy-3.7.3/policy/modules/services/gpm.te --- nsaserefpolicy/policy/modules/services/gpm.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/gpm.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/gpm.te 2009-11-25 12:39:13.000000000 -0500 @@ -27,7 +27,8 @@ # Local policy # @@ -15236,9 +14506,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow gpm_t self:unix_stream_socket create_stream_socket_perms; allow gpm_t gpm_conf_t:dir list_dir_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.7.1/policy/modules/services/gpsd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.7.3/policy/modules/services/gpsd.fc --- nsaserefpolicy/policy/modules/services/gpsd.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/gpsd.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/gpsd.fc 2009-11-25 12:39:13.000000000 -0500 @@ -1 +1,6 @@ +/etc/rc\.d/init\.d/gpsd -- gen_context(system_u:object_r:gpsd_initrc_exec_t,s0) + @@ -15246,9 +14516,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/var/run/gpsd\.pid -- gen_context(system_u:object_r:gpsd_var_run_t,s0) +/var/run/gpsd\.sock -s gen_context(system_u:object_r:gpsd_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.if serefpolicy-3.7.1/policy/modules/services/gpsd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.if serefpolicy-3.7.3/policy/modules/services/gpsd.if --- nsaserefpolicy/policy/modules/services/gpsd.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/gpsd.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/gpsd.if 2009-11-25 12:39:13.000000000 -0500 @@ -33,11 +33,6 @@ ## The role to be allowed the gpsd domain. ## @@ -15294,9 +14564,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) + read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.7.1/policy/modules/services/gpsd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.7.3/policy/modules/services/gpsd.te --- nsaserefpolicy/policy/modules/services/gpsd.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/gpsd.te 2009-11-23 11:58:28.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/gpsd.te 2009-11-25 12:39:13.000000000 -0500 @@ -11,15 +11,21 @@ application_domain(gpsd_t, gpsd_exec_t) init_daemon_domain(gpsd_t, gpsd_exec_t) @@ -15338,9 +14608,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - ntpd_rw_shm(gpsd_t) + ntp_rw_shm(gpsd_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.7.1/policy/modules/services/hal.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.7.3/policy/modules/services/hal.fc --- nsaserefpolicy/policy/modules/services/hal.fc 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/hal.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/hal.fc 2009-11-25 12:39:13.000000000 -0500 @@ -26,6 +26,7 @@ /var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) /var/run/pm-utils(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) @@ -15349,9 +14619,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_gentoo',` /var/lib/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.7.1/policy/modules/services/hal.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.7.3/policy/modules/services/hal.if --- nsaserefpolicy/policy/modules/services/hal.if 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/hal.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/hal.if 2009-11-25 12:39:13.000000000 -0500 @@ -413,3 +413,21 @@ files_search_pids($1) manage_files_pattern($1, hald_var_run_t, hald_var_run_t) @@ -15374,9 +14644,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + dontaudit $1 hald_t:unix_dgram_socket { read write }; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.7.1/policy/modules/services/hal.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.7.3/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/hal.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/hal.te 2009-11-25 12:39:13.000000000 -0500 @@ -55,6 +55,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) @@ -15529,9 +14799,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + dbus_system_bus_client(hald_dccm_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/howl.te serefpolicy-3.7.1/policy/modules/services/howl.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/howl.te serefpolicy-3.7.3/policy/modules/services/howl.te --- nsaserefpolicy/policy/modules/services/howl.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/howl.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/howl.te 2009-11-25 12:39:13.000000000 -0500 @@ -30,7 +30,7 @@ kernel_read_network_state(howl_t) @@ -15541,18 +14811,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_list_proc(howl_t) kernel_read_proc_symlinks(howl_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.fc serefpolicy-3.7.1/policy/modules/services/inetd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.fc serefpolicy-3.7.3/policy/modules/services/inetd.fc --- nsaserefpolicy/policy/modules/services/inetd.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/inetd.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/inetd.fc 2009-11-25 12:39:13.000000000 -0500 @@ -9,4 +9,4 @@ /var/log/(x)?inetd\.log -- gen_context(system_u:object_r:inetd_log_t,s0) -/var/run/inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0) +/var/run/(x)?inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.7.1/policy/modules/services/inetd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.7.3/policy/modules/services/inetd.te --- nsaserefpolicy/policy/modules/services/inetd.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/inetd.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/inetd.te 2009-11-25 12:39:13.000000000 -0500 @@ -104,6 +104,8 @@ corenet_tcp_bind_telnetd_port(inetd_t) corenet_udp_bind_tftp_port(inetd_t) @@ -15571,9 +14841,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(inetd_t) miscfiles_read_localization(inetd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/irqbalance.te serefpolicy-3.7.1/policy/modules/services/irqbalance.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/irqbalance.te serefpolicy-3.7.3/policy/modules/services/irqbalance.te --- nsaserefpolicy/policy/modules/services/irqbalance.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/irqbalance.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/irqbalance.te 2009-11-25 12:39:13.000000000 -0500 @@ -18,11 +18,11 @@ # Local policy # @@ -15588,9 +14858,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t) files_pid_filetrans(irqbalance_t, irqbalance_var_run_t, file) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.1/policy/modules/services/kerberos.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.3/policy/modules/services/kerberos.if --- nsaserefpolicy/policy/modules/services/kerberos.if 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/kerberos.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/kerberos.if 2009-11-25 12:39:13.000000000 -0500 @@ -74,7 +74,7 @@ ') @@ -15611,9 +14881,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`allow_kerberos',` allow $1 self:tcp_socket create_socket_perms; allow $1 self:udp_socket create_socket_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.7.1/policy/modules/services/kerberos.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.7.3/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/kerberos.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/kerberos.te 2009-11-25 12:39:13.000000000 -0500 @@ -110,8 +110,9 @@ manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t) files_pid_filetrans(kadmind_t, kadmind_var_run_t, file) @@ -15664,9 +14934,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol sysnet_dns_name_resolve(kpropd_t) kerberos_use(kpropd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.7.1/policy/modules/services/kerneloops.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.7.3/policy/modules/services/kerneloops.te --- nsaserefpolicy/policy/modules/services/kerneloops.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/kerneloops.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/kerneloops.te 2009-11-25 12:39:13.000000000 -0500 @@ -22,7 +22,7 @@ # @@ -15676,9 +14946,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow kerneloops_t self:fifo_file rw_file_perms; manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.7.1/policy/modules/services/ktalk.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.7.3/policy/modules/services/ktalk.te --- nsaserefpolicy/policy/modules/services/ktalk.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/ktalk.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/ktalk.te 2009-11-25 12:39:13.000000000 -0500 @@ -69,6 +69,7 @@ files_read_etc_files(ktalkd_t) @@ -15687,18 +14957,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(ktalkd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.fc serefpolicy-3.7.1/policy/modules/services/lircd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.fc serefpolicy-3.7.3/policy/modules/services/lircd.fc --- nsaserefpolicy/policy/modules/services/lircd.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/lircd.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/lircd.fc 2009-11-25 12:39:13.000000000 -0500 @@ -6,3 +6,5 @@ /usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0) /var/run/lircd\.pid gen_context(system_u:object_r:lircd_var_run_t,s0) +/var/run/lircd(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0) +/var/run/lirc(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.if serefpolicy-3.7.1/policy/modules/services/lircd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.if serefpolicy-3.7.3/policy/modules/services/lircd.if --- nsaserefpolicy/policy/modules/services/lircd.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/lircd.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/lircd.if 2009-11-25 12:39:13.000000000 -0500 @@ -32,12 +32,11 @@ # interface(`lircd_stream_connect',` @@ -15730,9 +15000,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - - admin_pattern($1, lircd_sock_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.7.1/policy/modules/services/lircd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.7.3/policy/modules/services/lircd.te --- nsaserefpolicy/policy/modules/services/lircd.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/lircd.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/lircd.te 2009-11-25 12:39:13.000000000 -0500 @@ -16,13 +16,9 @@ type lircd_etc_t; files_type(lircd_etc_t) @@ -15778,9 +15048,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + miscfiles_read_localization(lircd_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.7.1/policy/modules/services/mailman.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.7.3/policy/modules/services/mailman.te --- nsaserefpolicy/policy/modules/services/mailman.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/mailman.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/mailman.te 2009-11-25 12:39:13.000000000 -0500 @@ -78,6 +78,10 @@ mta_dontaudit_rw_queue(mailman_mail_t) @@ -15792,9 +15062,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cron_read_pipes(mailman_mail_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.7.1/policy/modules/services/memcached.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.7.3/policy/modules/services/memcached.te --- nsaserefpolicy/policy/modules/services/memcached.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/memcached.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/memcached.te 2009-11-25 12:39:13.000000000 -0500 @@ -44,6 +44,8 @@ files_read_etc_files(memcached_t) @@ -15804,9 +15074,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(memcached_t) sysnet_dns_name_resolve(memcached_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.7.1/policy/modules/services/milter.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.7.3/policy/modules/services/milter.if --- nsaserefpolicy/policy/modules/services/milter.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/milter.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/milter.if 2009-11-25 12:39:13.000000000 -0500 @@ -35,6 +35,8 @@ # Create other data files and directories in the data directory manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) @@ -15816,9 +15086,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization($1_milter_t) logging_send_syslog_msg($1_milter_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.7.1/policy/modules/services/modemmanager.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.7.3/policy/modules/services/modemmanager.te --- nsaserefpolicy/policy/modules/services/modemmanager.te 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/modemmanager.te 2009-11-24 07:19:22.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/modemmanager.te 2009-11-25 12:39:13.000000000 -0500 @@ -16,7 +16,8 @@ # # ModemManager local policy @@ -15837,18 +15107,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(modemmanager_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.7.1/policy/modules/services/mta.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.7.3/policy/modules/services/mta.fc --- nsaserefpolicy/policy/modules/services/mta.fc 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/mta.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/mta.fc 2009-11-25 12:39:13.000000000 -0500 @@ -26,3 +26,5 @@ /var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0) +/root/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.7.1/policy/modules/services/mta.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.7.3/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/mta.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/mta.if 2009-11-25 12:39:13.000000000 -0500 @@ -69,6 +69,7 @@ can_exec($1_mail_t, sendmail_exec_t) allow $1_mail_t sendmail_exec_t:lnk_file read_lnk_file_perms; @@ -15910,9 +15180,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.1/policy/modules/services/mta.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.3/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/mta.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/mta.te 2009-11-25 12:39:13.000000000 -0500 @@ -27,6 +27,9 @@ type mail_spool_t; files_mountpoint(mail_spool_t) @@ -16002,9 +15272,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # User send mail local policy -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.7.1/policy/modules/services/munin.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.7.3/policy/modules/services/munin.fc --- nsaserefpolicy/policy/modules/services/munin.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/munin.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/munin.fc 2009-11-25 12:39:13.000000000 -0500 @@ -9,3 +9,6 @@ /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) /var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) @@ -16012,9 +15282,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) +/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.1/policy/modules/services/munin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.3/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/munin.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/munin.te 2009-11-25 12:39:13.000000000 -0500 @@ -33,7 +33,7 @@ # Local policy # @@ -16032,9 +15302,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.1/policy/modules/services/mysql.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.3/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/mysql.te 2009-11-18 16:52:13.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/mysql.te 2009-11-25 12:39:13.000000000 -0500 @@ -136,10 +136,17 @@ domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) @@ -16062,9 +15332,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mysql_read_config(mysqld_safe_t) mysql_search_pid_files(mysqld_safe_t) mysql_write_log(mysqld_safe_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.7.1/policy/modules/services/nagios.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.7.3/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/nagios.fc 2009-11-23 14:12:37.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/nagios.fc 2009-11-25 12:39:13.000000000 -0500 @@ -1,16 +1,26 @@ /etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) /etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) @@ -16097,9 +15367,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') +/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) +/usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.7.1/policy/modules/services/nagios.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.7.3/policy/modules/services/nagios.if --- nsaserefpolicy/policy/modules/services/nagios.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/nagios.if 2009-11-23 14:12:16.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/nagios.if 2009-11-25 12:39:13.000000000 -0500 @@ -64,7 +64,7 @@ ######################################## @@ -16218,9 +15488,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + admin_pattern($1, nrpe_etc_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.1/policy/modules/services/nagios.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.3/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/nagios.te 2009-11-23 14:23:43.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/nagios.te 2009-11-25 12:39:13.000000000 -0500 @@ -10,13 +10,12 @@ type nagios_exec_t; init_daemon_domain(nagios_t, nagios_exec_t) @@ -16420,9 +15690,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) + +miscfiles_read_localization(nagios_checkdisk_plugin_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.7.1/policy/modules/services/networkmanager.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.7.3/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/networkmanager.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/networkmanager.fc 2009-11-25 12:39:13.000000000 -0500 @@ -1,12 +1,28 @@ +/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t, s0) +/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) @@ -16452,9 +15722,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.7.1/policy/modules/services/networkmanager.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.7.3/policy/modules/services/networkmanager.if --- nsaserefpolicy/policy/modules/services/networkmanager.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/networkmanager.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/networkmanager.if 2009-11-25 12:39:13.000000000 -0500 @@ -118,6 +118,24 @@ ######################################## @@ -16531,9 +15801,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + role $2 types NetworkManager_t; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.1/policy/modules/services/networkmanager.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.3/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/networkmanager.te 2009-11-24 07:18:48.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/networkmanager.te 2009-11-25 12:39:13.000000000 -0500 @@ -19,6 +19,9 @@ type NetworkManager_tmp_t; files_tmp_file(NetworkManager_tmp_t) @@ -16774,9 +16044,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.7.1/policy/modules/services/nis.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.7.3/policy/modules/services/nis.fc --- nsaserefpolicy/policy/modules/services/nis.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/nis.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/nis.fc 2009-11-25 12:39:13.000000000 -0500 @@ -1,4 +1,7 @@ - +/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0) @@ -16786,9 +16056,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0) /sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.7.1/policy/modules/services/nis.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.7.3/policy/modules/services/nis.if --- nsaserefpolicy/policy/modules/services/nis.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/nis.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/nis.if 2009-11-25 12:39:13.000000000 -0500 @@ -28,7 +28,7 @@ type var_yp_t; ') @@ -16930,9 +16200,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + role $2 types ypbind_t; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.7.1/policy/modules/services/nis.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.7.3/policy/modules/services/nis.te --- nsaserefpolicy/policy/modules/services/nis.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/nis.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/nis.te 2009-11-25 12:39:13.000000000 -0500 @@ -13,6 +13,9 @@ type ypbind_exec_t; init_daemon_domain(ypbind_t, ypbind_exec_t) @@ -16982,9 +16252,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_all_rpc_ports(ypxfr_t) corenet_udp_bind_all_rpc_ports(ypxfr_t) corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.7.1/policy/modules/services/nscd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.7.3/policy/modules/services/nscd.if --- nsaserefpolicy/policy/modules/services/nscd.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/nscd.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/nscd.if 2009-11-25 12:39:13.000000000 -0500 @@ -121,6 +121,24 @@ ######################################## @@ -17010,9 +16280,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Use NSCD services by mapping the database from ## an inherited NSCD file descriptor. ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.7.1/policy/modules/services/nscd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.7.3/policy/modules/services/nscd.te --- nsaserefpolicy/policy/modules/services/nscd.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/services/nscd.te 2009-11-17 11:08:16.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/nscd.te 2009-11-25 12:39:13.000000000 -0500 @@ -1,10 +1,17 @@ -policy_module(nscd, 1.10.0) @@ -17053,9 +16323,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + samba_read_config(nscd_t) + samba_read_var_files(nscd_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.if serefpolicy-3.7.1/policy/modules/services/nslcd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.if serefpolicy-3.7.3/policy/modules/services/nslcd.if --- nsaserefpolicy/policy/modules/services/nslcd.if 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/nslcd.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/nslcd.if 2009-11-25 12:39:13.000000000 -0500 @@ -94,6 +94,7 @@ interface(`nslcd_admin',` gen_require(` @@ -17076,9 +16346,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_lnk_files_pattern($1,nslcd_var_run_t,nslcd_var_run_t) ') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.7.1/policy/modules/services/ntp.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.7.3/policy/modules/services/ntp.if --- nsaserefpolicy/policy/modules/services/ntp.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/ntp.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/ntp.if 2009-11-25 12:39:13.000000000 -0500 @@ -37,6 +37,32 @@ ######################################## @@ -17146,9 +16416,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate ## an ntp environment ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.7.1/policy/modules/services/ntp.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.7.3/policy/modules/services/ntp.te --- nsaserefpolicy/policy/modules/services/ntp.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/ntp.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/ntp.te 2009-11-25 12:39:13.000000000 -0500 @@ -41,10 +41,11 @@ # sys_resource and setrlimit is for locking memory @@ -17195,9 +16465,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.fc serefpolicy-3.7.1/policy/modules/services/nut.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.fc serefpolicy-3.7.3/policy/modules/services/nut.fc --- nsaserefpolicy/policy/modules/services/nut.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/services/nut.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/nut.fc 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,8 @@ + +/usr/sbin/upsd -- gen_context(system_u:object_r:upsd_exec_t,s0) @@ -17207,9 +16477,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/sbin/upsdrvctl -- gen_context(system_u:object_r:upsdrvctl_exec_t,s0) + +/var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.if serefpolicy-3.7.1/policy/modules/services/nut.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.if serefpolicy-3.7.3/policy/modules/services/nut.if --- nsaserefpolicy/policy/modules/services/nut.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/services/nut.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/nut.if 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,82 @@ +## SELinux policy for nut - Network UPS Tools + @@ -17293,9 +16563,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + stream_connect_pattern($1, nut_var_run_t, nut_var_run_t, upsdrvctl_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.7.1/policy/modules/services/nut.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.7.3/policy/modules/services/nut.te --- nsaserefpolicy/policy/modules/services/nut.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/services/nut.te 2009-11-24 15:02:15.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/nut.te 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,127 @@ + +policy_module(nut,1.0.0) @@ -17309,7 +16579,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +type upsd_exec_t; +init_daemon_domain(upsd_t,upsd_exec_t) + -+type nut_var_run_t ++type nut_var_run_t; +files_pid_file(nut_var_run_t) +typealias nut_var_run_t alias { upsd_var_run_t upsmon_var_run_t upsdrvctl_var_run_t }; + @@ -17424,9 +16694,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +logging_send_syslog_msg(upsdrvctl_t) + +miscfiles_read_localization(upsdrvctl_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.7.1/policy/modules/services/nx.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.7.3/policy/modules/services/nx.fc --- nsaserefpolicy/policy/modules/services/nx.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/nx.fc 2009-11-23 10:16:14.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/nx.fc 2009-11-25 12:39:13.000000000 -0500 @@ -1,6 +1,9 @@ /opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) @@ -17437,9 +16707,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /opt/NX/var(/.*)? gen_context(system_u:object_r:nx_server_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.7.1/policy/modules/services/nx.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.7.3/policy/modules/services/nx.if --- nsaserefpolicy/policy/modules/services/nx.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/nx.if 2009-11-20 10:16:07.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/nx.if 2009-11-25 12:39:13.000000000 -0500 @@ -17,3 +17,70 @@ spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t) @@ -17511,9 +16781,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + filetrans_pattern($1, nx_server_var_lib_t, $2, $3) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.7.1/policy/modules/services/nx.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.7.3/policy/modules/services/nx.te --- nsaserefpolicy/policy/modules/services/nx.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/nx.te 2009-11-20 10:15:44.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/nx.te 2009-11-25 12:39:13.000000000 -0500 @@ -25,6 +25,12 @@ type nx_server_var_run_t; files_pid_file(nx_server_var_run_t) @@ -17548,9 +16818,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(nx_server_t) kernel_read_kernel_sysctls(nx_server_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.7.1/policy/modules/services/oddjob.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.7.3/policy/modules/services/oddjob.if --- nsaserefpolicy/policy/modules/services/oddjob.if 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/oddjob.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/oddjob.if 2009-11-25 12:39:13.000000000 -0500 @@ -44,6 +44,7 @@ ') @@ -17559,9 +16829,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.7.1/policy/modules/services/openvpn.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.7.3/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/services/openvpn.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/openvpn.te 2009-11-25 12:39:13.000000000 -0500 @@ -100,6 +100,8 @@ files_read_etc_files(openvpn_t) files_read_etc_runtime_files(openvpn_t) @@ -17571,9 +16841,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(openvpn_t) miscfiles_read_localization(openvpn_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.if serefpolicy-3.7.1/policy/modules/services/pcscd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.if serefpolicy-3.7.3/policy/modules/services/pcscd.if --- nsaserefpolicy/policy/modules/services/pcscd.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/pcscd.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/pcscd.if 2009-11-25 12:39:13.000000000 -0500 @@ -53,6 +53,5 @@ ') @@ -17582,9 +16852,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - allow $1 pcscd_t:unix_stream_socket connectto; + stream_connect_pattern($1, pcscd_var_run_t, pcscd_var_run_t, pcscd_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.7.1/policy/modules/services/pcscd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.7.3/policy/modules/services/pcscd.te --- nsaserefpolicy/policy/modules/services/pcscd.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/pcscd.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/pcscd.te 2009-11-25 12:39:13.000000000 -0500 @@ -29,6 +29,7 @@ manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) @@ -17609,9 +16879,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_unallocated_ttys(pcscd_t) term_dontaudit_getattr_pty_dirs(pcscd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.7.1/policy/modules/services/pegasus.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.7.3/policy/modules/services/pegasus.te --- nsaserefpolicy/policy/modules/services/pegasus.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/pegasus.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/pegasus.te 2009-11-25 12:39:13.000000000 -0500 @@ -30,7 +30,7 @@ # Local policy # @@ -17683,18 +16953,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xen_stream_connect(pegasus_t) + xen_stream_connect_xenstore(pegasus_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.fc serefpolicy-3.7.1/policy/modules/services/plymouth.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.fc serefpolicy-3.7.3/policy/modules/services/plymouth.fc --- nsaserefpolicy/policy/modules/services/plymouth.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/services/plymouth.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/plymouth.fc 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,5 @@ +/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t, s0) +/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t, s0) +/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t, s0) +/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t, s0) +/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t, s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.if serefpolicy-3.7.1/policy/modules/services/plymouth.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.if serefpolicy-3.7.3/policy/modules/services/plymouth.if --- nsaserefpolicy/policy/modules/services/plymouth.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/services/plymouth.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/plymouth.if 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,286 @@ +## policy for plymouthd + @@ -17982,9 +17252,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 plymouthd_t:unix_stream_socket connectto; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.7.1/policy/modules/services/plymouth.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.7.3/policy/modules/services/plymouth.te --- nsaserefpolicy/policy/modules/services/plymouth.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/services/plymouth.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/plymouth.te 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,101 @@ +policy_module(plymouthd, 1.0.0) + @@ -18087,9 +17357,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + hal_dontaudit_rw_pipes(plymouth_t) +') +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.7.1/policy/modules/services/policykit.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.7.3/policy/modules/services/policykit.fc --- nsaserefpolicy/policy/modules/services/policykit.fc 2009-08-18 11:41:14.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/policykit.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/policykit.fc 2009-11-25 12:39:13.000000000 -0500 @@ -6,10 +6,13 @@ /usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) /usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) @@ -18105,9 +17375,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) /var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.7.1/policy/modules/services/policykit.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.7.3/policy/modules/services/policykit.if --- nsaserefpolicy/policy/modules/services/policykit.if 2009-08-18 18:39:50.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/policykit.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/policykit.if 2009-11-25 12:39:13.000000000 -0500 @@ -17,6 +17,8 @@ class dbus send_msg; ') @@ -18175,9 +17445,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 policykit_auth_t:process signal; ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.1/policy/modules/services/policykit.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.3/policy/modules/services/policykit.te --- nsaserefpolicy/policy/modules/services/policykit.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/services/policykit.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/policykit.te 2009-11-25 12:39:13.000000000 -0500 @@ -36,11 +36,12 @@ # policykit local policy # @@ -18327,9 +17597,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow policykit_resolve_t self:unix_dgram_socket create_socket_perms; allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.7.1/policy/modules/services/postfix.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.7.3/policy/modules/services/postfix.fc --- nsaserefpolicy/policy/modules/services/postfix.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/postfix.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/postfix.fc 2009-11-25 12:39:13.000000000 -0500 @@ -29,12 +29,10 @@ /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) @@ -18343,9 +17613,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0) /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.1/policy/modules/services/postfix.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.3/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/postfix.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/postfix.if 2009-11-25 12:39:13.000000000 -0500 @@ -46,6 +46,7 @@ allow postfix_$1_t postfix_etc_t:dir list_dir_perms; @@ -18592,9 +17862,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + role $2 types postfix_postdrop_t; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.1/policy/modules/services/postfix.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.3/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/postfix.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/postfix.te 2009-11-25 12:39:13.000000000 -0500 @@ -6,6 +6,15 @@ # Declarations # @@ -18987,9 +18257,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +userdom_manage_user_home_content(postfix_virtual_t) +userdom_home_filetrans_user_home_dir(postfix_virtual_t) +userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir }) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.7.1/policy/modules/services/postgresql.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.7.3/policy/modules/services/postgresql.fc --- nsaserefpolicy/policy/modules/services/postgresql.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/postgresql.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/postgresql.fc 2009-11-25 12:39:13.000000000 -0500 @@ -2,6 +2,8 @@ # /etc # @@ -19027,9 +18297,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0) + +/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.7.1/policy/modules/services/postgresql.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.7.3/policy/modules/services/postgresql.if --- nsaserefpolicy/policy/modules/services/postgresql.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/postgresql.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/postgresql.if 2009-11-25 12:39:13.000000000 -0500 @@ -384,3 +384,46 @@ typeattribute $1 sepgsql_unconfined_type; @@ -19077,9 +18347,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + admin_pattern($1, postgresql_tmp_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.7.1/policy/modules/services/postgresql.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.7.3/policy/modules/services/postgresql.te --- nsaserefpolicy/policy/modules/services/postgresql.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/postgresql.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/postgresql.te 2009-11-25 12:39:13.000000000 -0500 @@ -32,6 +32,9 @@ type postgresql_etc_t; files_config_file(postgresql_etc_t) @@ -19124,9 +18394,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(postgresql_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.7.1/policy/modules/services/ppp.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.7.3/policy/modules/services/ppp.if --- nsaserefpolicy/policy/modules/services/ppp.if 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/ppp.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/ppp.if 2009-11-25 12:39:13.000000000 -0500 @@ -177,10 +177,16 @@ interface(`ppp_run',` gen_require(` @@ -19144,9 +18414,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.7.1/policy/modules/services/ppp.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.7.3/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/ppp.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/ppp.te 2009-11-25 12:39:13.000000000 -0500 @@ -38,7 +38,7 @@ files_type(pppd_etc_rw_t) @@ -19198,9 +18468,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hostname_exec(pptp_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.7.1/policy/modules/services/prelude.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.7.3/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/prelude.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/prelude.te 2009-11-25 12:39:13.000000000 -0500 @@ -122,7 +122,8 @@ # # prelude_audisp local policy @@ -19211,9 +18481,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow prelude_audisp_t self:fifo_file rw_file_perms; allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms; allow prelude_audisp_t self:unix_dgram_socket create_socket_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.fc serefpolicy-3.7.1/policy/modules/services/privoxy.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.fc serefpolicy-3.7.3/policy/modules/services/privoxy.fc --- nsaserefpolicy/policy/modules/services/privoxy.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/privoxy.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/privoxy.fc 2009-11-25 12:39:13.000000000 -0500 @@ -1,6 +1,5 @@ -/etc/privoxy/user\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0) @@ -19222,9 +18492,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/rc\.d/init\.d/privoxy -- gen_context(system_u:object_r:privoxy_initrc_exec_t,s0) /usr/sbin/privoxy -- gen_context(system_u:object_r:privoxy_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.7.1/policy/modules/services/privoxy.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.7.3/policy/modules/services/privoxy.te --- nsaserefpolicy/policy/modules/services/privoxy.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/privoxy.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/privoxy.te 2009-11-25 12:39:13.000000000 -0500 @@ -47,9 +47,8 @@ manage_files_pattern(privoxy_t, privoxy_var_run_t, privoxy_var_run_t) files_pid_filetrans(privoxy_t, privoxy_var_run_t, file) @@ -19236,9 +18506,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(privoxy_t) corenet_all_recvfrom_netlabel(privoxy_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.7.1/policy/modules/services/procmail.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.7.3/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/procmail.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/procmail.te 2009-11-25 12:39:13.000000000 -0500 @@ -22,7 +22,7 @@ # Local policy # @@ -19286,9 +18556,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.7.1/policy/modules/services/pyzor.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.7.3/policy/modules/services/pyzor.fc --- nsaserefpolicy/policy/modules/services/pyzor.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/pyzor.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/pyzor.fc 2009-11-25 12:39:13.000000000 -0500 @@ -1,6 +1,10 @@ /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) +/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0) @@ -19300,9 +18570,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.7.1/policy/modules/services/pyzor.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.7.3/policy/modules/services/pyzor.if --- nsaserefpolicy/policy/modules/services/pyzor.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/pyzor.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/pyzor.if 2009-11-25 12:39:13.000000000 -0500 @@ -88,3 +88,50 @@ corecmd_search_bin($1) can_exec($1, pyzor_exec_t) @@ -19354,9 +18624,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.7.1/policy/modules/services/pyzor.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.7.3/policy/modules/services/pyzor.te --- nsaserefpolicy/policy/modules/services/pyzor.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/pyzor.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/pyzor.te 2009-11-25 12:39:13.000000000 -0500 @@ -6,6 +6,38 @@ # Declarations # @@ -19421,9 +18691,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_search_user_home_dirs(pyzor_t) optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.7.1/policy/modules/services/radvd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.7.3/policy/modules/services/radvd.te --- nsaserefpolicy/policy/modules/services/radvd.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/radvd.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/radvd.te 2009-11-25 12:39:13.000000000 -0500 @@ -41,6 +41,7 @@ kernel_rw_net_sysctls(radvd_t) kernel_read_network_state(radvd_t) @@ -19432,17 +18702,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(radvd_t) corenet_all_recvfrom_netlabel(radvd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.7.1/policy/modules/services/razor.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.7.3/policy/modules/services/razor.fc --- nsaserefpolicy/policy/modules/services/razor.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/razor.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/razor.fc 2009-11-25 12:39:13.000000000 -0500 @@ -1,3 +1,4 @@ +/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) /etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.7.1/policy/modules/services/razor.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.7.3/policy/modules/services/razor.if --- nsaserefpolicy/policy/modules/services/razor.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/razor.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/razor.if 2009-11-25 12:39:13.000000000 -0500 @@ -157,3 +157,45 @@ domtrans_pattern($1, razor_exec_t, razor_t) @@ -19489,9 +18759,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + read_files_pattern($1, razor_var_lib_t, razor_var_lib_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.7.1/policy/modules/services/razor.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.7.3/policy/modules/services/razor.te --- nsaserefpolicy/policy/modules/services/razor.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/razor.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/razor.te 2009-11-25 12:39:13.000000000 -0500 @@ -6,6 +6,32 @@ # Declarations # @@ -19543,9 +18813,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.7.1/policy/modules/services/rgmanager.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.7.3/policy/modules/services/rgmanager.fc --- nsaserefpolicy/policy/modules/services/rgmanager.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/services/rgmanager.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/rgmanager.fc 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,8 @@ + +/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0) @@ -19555,9 +18825,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0) + +/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.7.1/policy/modules/services/rgmanager.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.7.3/policy/modules/services/rgmanager.if --- nsaserefpolicy/policy/modules/services/rgmanager.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/services/rgmanager.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/rgmanager.if 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,59 @@ +## SELinux policy for rgmanager + @@ -19618,9 +18888,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.1/policy/modules/services/rgmanager.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.3/policy/modules/services/rgmanager.te --- nsaserefpolicy/policy/modules/services/rgmanager.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/services/rgmanager.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/rgmanager.te 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,83 @@ + +policy_module(rgmanager,1.0.0) @@ -19705,9 +18975,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ccs_stream_connect(rgmanager_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.7.1/policy/modules/services/rhcs.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.7.3/policy/modules/services/rhcs.fc --- nsaserefpolicy/policy/modules/services/rhcs.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/services/rhcs.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/rhcs.fc 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,22 @@ + +/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) @@ -19731,9 +19001,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0) +/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0) +/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.7.1/policy/modules/services/rhcs.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.7.3/policy/modules/services/rhcs.if --- nsaserefpolicy/policy/modules/services/rhcs.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/services/rhcs.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/rhcs.if 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,348 @@ +## SELinux policy for RHCS - Red Hat Cluster Suite + @@ -20083,9 +19353,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.1/policy/modules/services/rhcs.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.3/policy/modules/services/rhcs.te --- nsaserefpolicy/policy/modules/services/rhcs.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/services/rhcs.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/rhcs.te 2009-11-25 12:39:13.000000000 -0500 @@ -0,0 +1,394 @@ + +policy_module(rhcs,1.0.0) @@ -20481,9 +19751,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.7.1/policy/modules/services/ricci.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.7.3/policy/modules/services/ricci.te --- nsaserefpolicy/policy/modules/services/ricci.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/ricci.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/ricci.te 2009-11-25 13:13:44.000000000 -0500 @@ -194,10 +194,13 @@ # ricci_modcluster local policy # @@ -20550,18 +19820,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_use_fds(ricci_modclusterd_t) ') -@@ -440,6 +460,10 @@ +@@ -440,6 +460,11 @@ files_read_usr_files(ricci_modstorage_t) files_read_kernel_modules(ricci_modstorage_t) +files_create_default_dir(ricci_modstorage_t) +files_mounton_default(ricci_modstorage_t) -+files_manage_default(ricci_modstorage_t) ++files_manage_default_dirs(ricci_modstorage_t) ++files_manage_default_files(ricci_modstorage_t) + storage_raw_read_fixed_disk(ricci_modstorage_t) term_dontaudit_use_console(ricci_modstorage_t) -@@ -457,6 +481,10 @@ +@@ -457,6 +482,10 @@ mount_domtrans(ricci_modstorage_t) optional_policy(` @@ -20572,9 +19843,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ccs_stream_connect(ricci_modstorage_t) ccs_read_config(ricci_modstorage_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.7.1/policy/modules/services/rpcbind.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.7.3/policy/modules/services/rpcbind.if --- nsaserefpolicy/policy/modules/services/rpcbind.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/rpcbind.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/rpcbind.if 2009-11-25 12:39:13.000000000 -0500 @@ -97,6 +97,26 @@ ######################################## @@ -20602,9 +19873,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate ## an rpcbind environment ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.7.1/policy/modules/services/rpcbind.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.7.3/policy/modules/services/rpcbind.te --- nsaserefpolicy/policy/modules/services/rpcbind.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/rpcbind.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/rpcbind.te 2009-11-25 12:39:13.000000000 -0500 @@ -42,6 +42,7 @@ kernel_read_system_state(rpcbind_t) @@ -20613,9 +19884,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(rpcbind_t) corenet_all_recvfrom_netlabel(rpcbind_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.7.1/policy/modules/services/rpc.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.7.3/policy/modules/services/rpc.if --- nsaserefpolicy/policy/modules/services/rpc.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/rpc.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/rpc.if 2009-11-25 12:39:13.000000000 -0500 @@ -54,7 +54,7 @@ allow $1_t self:unix_dgram_socket create_socket_perms; allow $1_t self:unix_stream_socket create_stream_socket_perms; @@ -20644,9 +19915,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole($1_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.7.1/policy/modules/services/rpc.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.7.3/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/rpc.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/rpc.te 2009-11-25 12:39:13.000000000 -0500 @@ -53,7 +53,7 @@ # RPC local policy # @@ -20733,9 +20004,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.7.1/policy/modules/services/rsync.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.7.3/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/rsync.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/rsync.te 2009-11-25 12:39:13.000000000 -0500 @@ -8,6 +8,13 @@ ## @@ -20778,9 +20049,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + auth_can_read_shadow_passwords(rsync_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.7.1/policy/modules/services/rtkit.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.7.3/policy/modules/services/rtkit.if --- nsaserefpolicy/policy/modules/services/rtkit.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/rtkit.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/rtkit.if 2009-11-25 12:39:13.000000000 -0500 @@ -38,3 +38,23 @@ allow $1 rtkit_daemon_t:dbus send_msg; allow rtkit_daemon_t $1:dbus send_msg; @@ -20805,9 +20076,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow rtkit_daemon_t $1:process { getsched setsched }; + rtkit_daemon_dbus_chat($1) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.7.1/policy/modules/services/rtkit.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.7.3/policy/modules/services/rtkit.te --- nsaserefpolicy/policy/modules/services/rtkit.te 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/rtkit.te 2009-11-23 11:53:29.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/rtkit.te 2009-11-25 12:39:13.000000000 -0500 @@ -17,9 +17,11 @@ allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace }; @@ -20829,9 +20100,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` policykit_dbus_chat(rtkit_daemon_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.7.1/policy/modules/services/samba.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.7.3/policy/modules/services/samba.fc --- nsaserefpolicy/policy/modules/services/samba.fc 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/samba.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/samba.fc 2009-11-25 12:39:13.000000000 -0500 @@ -51,3 +51,7 @@ /var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) @@ -20840,9 +20111,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +ifndef(`enable_mls',` +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.7.1/policy/modules/services/samba.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.7.3/policy/modules/services/samba.if --- nsaserefpolicy/policy/modules/services/samba.if 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/samba.if 2009-11-23 10:38:07.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/samba.if 2009-11-25 12:39:13.000000000 -0500 @@ -62,6 +62,25 @@ ######################################## @@ -21015,9 +20286,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol admin_pattern($1, winbind_var_run_t) + admin_pattern($1, samba_unconfined_script_exec_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.1/policy/modules/services/samba.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.3/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/samba.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/samba.te 2009-11-25 12:39:13.000000000 -0500 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) @@ -21249,9 +20520,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +',` + can_exec(smbd_t, samba_unconfined_script_exec_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.7.1/policy/modules/services/sasl.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.7.3/policy/modules/services/sasl.te --- nsaserefpolicy/policy/modules/services/sasl.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/sasl.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/sasl.te 2009-11-25 12:39:13.000000000 -0500 @@ -31,7 +31,7 @@ # Local policy # @@ -21314,9 +20585,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(saslauthd_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.1/policy/modules/services/sendmail.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.3/policy/modules/services/sendmail.if --- nsaserefpolicy/policy/modules/services/sendmail.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/sendmail.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/sendmail.if 2009-11-25 12:39:13.000000000 -0500 @@ -59,20 +59,20 @@ ######################################## @@ -21489,9 +20760,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 sendmail_t:fifo_file rw_fifo_file_perms; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.1/policy/modules/services/sendmail.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.3/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/sendmail.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/sendmail.te 2009-11-25 12:39:13.000000000 -0500 @@ -20,13 +20,17 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -21667,18 +20938,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl }; -') dnl end TODO -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.7.1/policy/modules/services/setroubleshoot.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.7.3/policy/modules/services/setroubleshoot.fc --- nsaserefpolicy/policy/modules/services/setroubleshoot.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/setroubleshoot.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/setroubleshoot.fc 2009-11-25 12:39:13.000000000 -0500 @@ -5,3 +5,5 @@ /var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0) /var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0) + +/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.7.1/policy/modules/services/setroubleshoot.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.7.3/policy/modules/services/setroubleshoot.if --- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/setroubleshoot.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/setroubleshoot.if 2009-11-25 12:39:13.000000000 -0500 @@ -16,8 +16,8 @@ ') @@ -21815,9 +21086,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_list_pids($1) + admin_pattern($1, setroubleshoot_var_run_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.7.1/policy/modules/services/setroubleshoot.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.7.3/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/setroubleshoot.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/setroubleshoot.te 2009-11-25 12:39:13.000000000 -0500 @@ -22,13 +22,19 @@ type setroubleshoot_var_run_t; files_pid_file(setroubleshoot_var_run_t) @@ -21958,9 +21229,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + policykit_dbus_chat(setroubleshoot_fixit_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.7.1/policy/modules/services/smartmon.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.7.3/policy/modules/services/smartmon.te --- nsaserefpolicy/policy/modules/services/smartmon.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/smartmon.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/smartmon.te 2009-11-25 12:39:13.000000000 -0500 @@ -19,14 +19,18 @@ type fsdaemon_tmp_t; files_tmp_file(fsdaemon_tmp_t) @@ -22021,9 +21292,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.7.1/policy/modules/services/snmp.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.7.3/policy/modules/services/snmp.if --- nsaserefpolicy/policy/modules/services/snmp.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/snmp.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/snmp.if 2009-11-25 12:39:13.000000000 -0500 @@ -50,6 +50,24 @@ ######################################## @@ -22076,9 +21347,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## All of the rules required to administrate -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.7.1/policy/modules/services/snmp.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.7.3/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/snmp.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/snmp.te 2009-11-25 12:39:13.000000000 -0500 @@ -27,7 +27,7 @@ # allow snmpd_t self:capability { dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config }; @@ -22097,9 +21368,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_list_sysfs(snmpd_t) dev_read_sysfs(snmpd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.7.1/policy/modules/services/snort.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.7.3/policy/modules/services/snort.te --- nsaserefpolicy/policy/modules/services/snort.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/snort.te 2009-11-23 10:22:33.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/snort.te 2009-11-25 12:39:13.000000000 -0500 @@ -37,6 +37,7 @@ allow snort_t self:tcp_socket create_stream_socket_perms; allow snort_t self:udp_socket create_socket_perms; @@ -22108,9 +21379,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Snort IPS node. unverified. allow snort_t self:netlink_firewall_socket { bind create getattr }; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.7.1/policy/modules/services/spamassassin.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.7.3/policy/modules/services/spamassassin.fc --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/spamassassin.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/spamassassin.fc 2009-11-25 12:39:13.000000000 -0500 @@ -1,15 +1,26 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) @@ -22140,9 +21411,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) +/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) +/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.7.1/policy/modules/services/spamassassin.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.7.3/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/spamassassin.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/spamassassin.if 2009-11-25 12:39:13.000000000 -0500 @@ -111,6 +111,27 @@ ') @@ -22251,9 +21522,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_list_pids($1) + admin_pattern($1, spamd_var_run_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.7.1/policy/modules/services/spamassassin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.7.3/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/spamassassin.te 2009-11-24 18:16:01.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/spamassassin.te 2009-11-25 12:39:13.000000000 -0500 @@ -20,6 +20,35 @@ ## gen_tunable(spamd_enable_home_dirs, true) @@ -22556,9 +21827,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` udev_read_db(spamd_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.7.1/policy/modules/services/squid.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.7.3/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/squid.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/squid.te 2009-11-25 12:39:13.000000000 -0500 @@ -67,7 +67,9 @@ can_exec(squid_t, squid_exec_t) @@ -22587,18 +21858,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -#squid requires the following when run in diskd mode, the recommended setting -allow squid_t tmpfs_t:file { read write }; -') dnl end TODO -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.7.1/policy/modules/services/ssh.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.7.3/policy/modules/services/ssh.fc --- nsaserefpolicy/policy/modules/services/ssh.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/ssh.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/ssh.fc 2009-11-25 12:39:13.000000000 -0500 @@ -14,3 +14,5 @@ /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) /var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) + +/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.1/policy/modules/services/ssh.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.3/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/ssh.if 2009-11-18 16:54:14.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/ssh.if 2009-11-25 12:39:13.000000000 -0500 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -22945,9 +22216,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_search_pids($1) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.1/policy/modules/services/ssh.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.3/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/ssh.te 2009-11-18 16:54:37.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/ssh.te 2009-11-25 12:39:13.000000000 -0500 @@ -8,6 +8,31 @@ ## @@ -23234,9 +22505,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_manage_cifs_dirs(sftpd_t) + fs_manage_cifs_files(sftpd_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.7.1/policy/modules/services/sssd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.7.3/policy/modules/services/sssd.fc --- nsaserefpolicy/policy/modules/services/sssd.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/sssd.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/sssd.fc 2009-11-25 12:39:13.000000000 -0500 @@ -1,6 +1,9 @@ -/etc/rc.d/init.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0) @@ -23248,9 +22519,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) + /var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.7.1/policy/modules/services/sssd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.7.3/policy/modules/services/sssd.if --- nsaserefpolicy/policy/modules/services/sssd.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/sssd.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/sssd.if 2009-11-25 12:39:13.000000000 -0500 @@ -12,12 +12,32 @@ # interface(`sssd_domtrans',` @@ -23339,9 +22610,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send and receive messages from ## sssd over dbus. ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.1/policy/modules/services/sssd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.3/policy/modules/services/sssd.te --- nsaserefpolicy/policy/modules/services/sssd.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/sssd.te 2009-11-23 17:38:47.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/sssd.te 2009-11-25 12:39:13.000000000 -0500 @@ -16,6 +16,9 @@ type sssd_var_lib_t; files_type(sssd_var_lib_t) @@ -23394,9 +22665,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` dbus_system_bus_client(sssd_t) dbus_connect_system_bus(sssd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.7.1/policy/modules/services/sysstat.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.7.3/policy/modules/services/sysstat.te --- nsaserefpolicy/policy/modules/services/sysstat.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/sysstat.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/sysstat.te 2009-11-25 12:39:13.000000000 -0500 @@ -19,14 +19,15 @@ # Local policy # @@ -23415,18 +22686,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir }) # get info from /proc -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.fc serefpolicy-3.7.1/policy/modules/services/tftp.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.fc serefpolicy-3.7.3/policy/modules/services/tftp.fc --- nsaserefpolicy/policy/modules/services/tftp.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/tftp.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/tftp.fc 2009-11-25 12:39:13.000000000 -0500 @@ -5,4 +5,4 @@ /tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0) /tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0) -/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_t,s0) +/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.7.1/policy/modules/services/tuned.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.7.3/policy/modules/services/tuned.te --- nsaserefpolicy/policy/modules/services/tuned.te 2009-11-12 12:51:51.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/services/tuned.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/tuned.te 2009-11-25 12:39:13.000000000 -0500 @@ -16,12 +16,14 @@ type tuned_var_run_t; files_pid_file(tuned_var_run_t) @@ -23443,9 +22714,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) files_pid_filetrans(tuned_t, tuned_var_run_t, file) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.7.1/policy/modules/services/uucp.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.7.3/policy/modules/services/uucp.te --- nsaserefpolicy/policy/modules/services/uucp.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/uucp.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/uucp.te 2009-11-25 12:39:13.000000000 -0500 @@ -90,17 +90,26 @@ fs_getattr_xattr_fs(uucpd_t) @@ -23481,9 +22752,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.1/policy/modules/services/virt.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.3/policy/modules/services/virt.fc --- nsaserefpolicy/policy/modules/services/virt.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/virt.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/virt.fc 2009-11-25 12:39:13.000000000 -0500 @@ -8,5 +8,18 @@ /var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) @@ -23503,9 +22774,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0) + +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.1/policy/modules/services/virt.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.3/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/virt.if 2009-11-24 14:56:33.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/virt.if 2009-11-25 12:39:13.000000000 -0500 @@ -136,7 +136,7 @@ ') @@ -23758,9 +23029,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ptchown_run(svirt_t, $2) + ') +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.1/policy/modules/services/virt.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.3/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/services/virt.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/virt.te 2009-11-25 12:39:13.000000000 -0500 @@ -20,6 +20,28 @@ ## gen_tunable(virt_use_samba, false) @@ -24003,7 +23274,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -196,8 +300,150 @@ +@@ -196,8 +300,152 @@ xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) @@ -24047,6 +23318,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +corenet_udp_sendrecv_all_ports(svirt_t) +corenet_udp_bind_generic_node(svirt_t) +corenet_udp_bind_all_ports(svirt_t) ++corenet_tcp_bind_all_ports(svirt_t) ++corenet_tcp_connect_all_ports(svirt_t) + +tunable_policy(`virt_use_comm',` + term_use_unallocated_ttys(svirt_t) @@ -24154,9 +23427,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + virt_read_content(virt_domain) + virt_stream_connect(virt_domain) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.7.1/policy/modules/services/w3c.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.7.3/policy/modules/services/w3c.te --- nsaserefpolicy/policy/modules/services/w3c.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/w3c.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/w3c.te 2009-11-25 12:39:13.000000000 -0500 @@ -8,11 +8,18 @@ apache_content_template(w3c_validator) @@ -24176,9 +23449,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t) corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t) corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.1/policy/modules/services/xserver.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.3/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/xserver.fc 2009-11-20 10:11:53.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/xserver.fc 2009-11-25 12:39:13.000000000 -0500 @@ -3,12 +3,19 @@ # HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) @@ -24273,9 +23546,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/var/lib/nxserver/home/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +/var/lib/nxserver/home/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.1/policy/modules/services/xserver.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.3/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2009-09-09 15:37:17.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/services/xserver.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/xserver.if 2009-11-25 12:39:13.000000000 -0500 @@ -74,6 +74,12 @@ domtrans_pattern($2, iceauth_exec_t, iceauth_t) @@ -25146,9 +24419,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow xdm_t $1:dbus send_msg; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.1/policy/modules/services/xserver.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.3/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/services/xserver.te 2009-11-20 16:23:57.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/services/xserver.te 2009-11-25 12:39:13.000000000 -0500 @@ -34,6 +34,13 @@ ## @@ -25952,44 +25225,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -# -allow xdm_t user_home_type:file unlink; -') dnl end TODO -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.7.1/policy/modules/system/application.if ---- nsaserefpolicy/policy/modules/system/application.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/application.if 2009-11-17 11:06:58.000000000 -0500 -@@ -2,7 +2,7 @@ - - ######################################## - ## --## Make the specified type usable as an application domain. -+## Send signull to application domains - ## - ## - ## -@@ -101,3 +101,21 @@ - application_executable_file($2) - domain_entry_file($1,$2) - ') -+ -+######################################## -+## -+## Send signull to unprivileged user domains. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`application_signull',` -+ gen_require(` -+ attribute application_domain_type; -+ ') -+ -+ allow $1 application_domain_type:process signull; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.7.1/policy/modules/system/application.te ---- nsaserefpolicy/policy/modules/system/application.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/application.te 2009-11-17 11:06:58.000000000 -0500 -@@ -7,7 +7,18 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.7.3/policy/modules/system/application.te +--- nsaserefpolicy/policy/modules/system/application.te 2009-11-25 11:47:19.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/application.te 2009-11-25 12:39:13.000000000 -0500 +@@ -7,6 +7,12 @@ # Executables to be run by user attribute application_exec_type; @@ -26002,15 +25241,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ssh_sigchld(application_domain_type) ssh_rw_stream_sockets(application_domain_type) - ') -+ -+optional_policy(` -+ sudo_sigchld(application_domain_type) -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.7.1/policy/modules/system/authlogin.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.7.3/policy/modules/system/authlogin.fc --- nsaserefpolicy/policy/modules/system/authlogin.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/authlogin.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/authlogin.fc 2009-11-25 12:39:13.000000000 -0500 @@ -7,12 +7,10 @@ /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) @@ -26036,9 +25269,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) +/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.1/policy/modules/system/authlogin.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.3/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/authlogin.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/authlogin.if 2009-11-25 12:39:13.000000000 -0500 @@ -40,17 +40,76 @@ ## ## @@ -26349,9 +25582,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.7.1/policy/modules/system/authlogin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.7.3/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/authlogin.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/authlogin.te 2009-11-25 12:39:13.000000000 -0500 @@ -103,6 +103,7 @@ fs_dontaudit_getattr_xattr_fs(chkpwd_t) @@ -26379,23 +25612,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # PAM local policy -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.7.1/policy/modules/system/fstools.fc ---- nsaserefpolicy/policy/modules/system/fstools.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/fstools.fc 2009-11-17 11:06:58.000000000 -0500 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.7.3/policy/modules/system/fstools.fc +--- nsaserefpolicy/policy/modules/system/fstools.fc 2009-11-25 11:47:19.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/fstools.fc 2009-11-25 12:39:13.000000000 -0500 @@ -1,4 +1,3 @@ -/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -6,6 +5,7 @@ - /sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/dumpe2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/e2fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -21,7 +21,6 @@ +@@ -22,7 +21,6 @@ /sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) @@ -26403,9 +25628,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.7.1/policy/modules/system/fstools.te ---- nsaserefpolicy/policy/modules/system/fstools.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/fstools.te 2009-11-17 11:06:58.000000000 -0500 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.7.3/policy/modules/system/fstools.te +--- nsaserefpolicy/policy/modules/system/fstools.te 2009-11-25 11:47:19.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/fstools.te 2009-11-25 12:39:13.000000000 -0500 @@ -118,6 +118,8 @@ fs_search_tmpfs(fsadm_t) fs_getattr_tmpfs_dirs(fsadm_t) @@ -26415,11 +25640,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Recreate /mnt/cdrom. files_manage_mnt_dirs(fsadm_t) # for tune2fs -@@ -144,11 +146,11 @@ - miscfiles_read_localization(fsadm_t) - - modutils_read_module_config(fsadm_t) -+modutils_read_module_deps(fsadm_t) +@@ -148,8 +150,7 @@ seutil_read_config(fsadm_t) @@ -26429,15 +25650,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_redhat',` optional_policy(` -@@ -177,4 +179,5 @@ - - optional_policy(` - xen_append_log(fsadm_t) -+ xen_rw_image_files(fsadm_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.7.1/policy/modules/system/init.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.7.3/policy/modules/system/init.fc --- nsaserefpolicy/policy/modules/system/init.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/init.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/init.fc 2009-11-25 12:39:13.000000000 -0500 @@ -4,10 +4,10 @@ /etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) @@ -26461,9 +25676,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /var -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.1/policy/modules/system/init.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.3/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2009-11-12 12:51:51.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/system/init.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/init.if 2009-11-25 12:39:13.000000000 -0500 @@ -162,6 +162,7 @@ gen_require(` attribute direct_run_init, direct_init, direct_init_entry; @@ -26718,9 +25933,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 init_t:unix_dgram_socket sendto; + allow init_t $1:unix_dgram_socket sendto; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.1/policy/modules/system/init.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.3/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2009-11-12 12:51:51.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/system/init.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/init.te 2009-11-25 12:39:13.000000000 -0500 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart, false) @@ -27305,17 +26520,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + fail2ban_read_lib_files(daemon) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.7.1/policy/modules/system/ipsec.fc ---- nsaserefpolicy/policy/modules/system/ipsec.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/ipsec.fc 2009-11-17 11:06:58.000000000 -0500 -@@ -1,3 +1,6 @@ -+/etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) -+ - /etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0) - /etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) - /etc/racoon/psk\.txt -- gen_context(system_u:object_r:ipsec_key_file_t,s0) -@@ -34,6 +37,8 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.7.3/policy/modules/system/ipsec.fc +--- nsaserefpolicy/policy/modules/system/ipsec.fc 2009-11-25 11:47:19.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/ipsec.fc 2009-11-25 12:39:13.000000000 -0500 +@@ -37,6 +37,8 @@ /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) @@ -27325,66 +26533,104 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0) -/var/run/racoon.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.7.1/policy/modules/system/ipsec.if ---- nsaserefpolicy/policy/modules/system/ipsec.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/ipsec.if 2009-11-17 11:06:58.000000000 -0500 -@@ -229,3 +229,28 @@ - ipsec_domtrans_setkey($1) - role $2 types setkey_t; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.7.3/policy/modules/system/ipsec.if +--- nsaserefpolicy/policy/modules/system/ipsec.if 2009-11-25 11:47:19.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/ipsec.if 2009-11-25 12:39:13.000000000 -0500 +@@ -189,50 +189,50 @@ + + ######################################## + ## +-## Execute racoon and allow the specified role the domain. ++## Execute setkey in the setkey domain. + ## + ## + ## +-## Domain allowed access. +-## +-## +-## +-## +-## Role allowed access. ++## The type of the process performing this action. + ## + ## +-## + # +-interface(`ipsec_run_racoon',` ++interface(`ipsec_domtrans_setkey',` + gen_require(` +- type racoon_t; ++ type setkey_t, setkey_exec_t; + ') + +- ipsec_domtrans_racoon($1) +- role $2 types racoon_t; ++ domtrans_pattern($1, setkey_exec_t, setkey_t) ') -+ -+######################################## -+## -+## Execute racoon and allow the specified role the domains. -+## -+## -+## + + ######################################## + ## +-## Execute setkey in the setkey domain. ++## Execute setkey and allow the specified role the domains. + ## + ## + ## +-## The type of the process performing this action. +## Domain allowed access. +## +## +## +## -+## The role to be allowed the racoon and racoon domains. -+## -+## ++## The role to be allowed the racoon and setkey domains. + ## + ## +## -+# + # +-interface(`ipsec_domtrans_setkey',` ++interface(`ipsec_run_setkey',` + gen_require(` +- type setkey_t, setkey_exec_t; ++ type setkey_t; + ') + +- domtrans_pattern($1, setkey_exec_t, setkey_t) ++ ipsec_domtrans_setkey($1) ++ role $2 types setkey_t; + ') + + ######################################## + ## +-## Execute setkey and allow the specified role the domains. ++## Execute racoon and allow the specified role the domains. + ## + ## + ## +@@ -241,16 +241,16 @@ + ## + ## + ## +-## The role to be allowed the racoon and setkey domains. ++## The role to be allowed the racoon and racoon domains. + ## + ## + ## + # +-interface(`ipsec_run_setkey',` +interface(`ipsec_run_racoon',` -+ gen_require(` + gen_require(` +- type setkey_t; + type racoon_t; -+ ') -+ + ') + +- ipsec_domtrans_setkey($1) +- role $2 types setkey_t; + ipsec_domtrans_racoon($1) + role $2 types racoon_t; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.1/policy/modules/system/ipsec.te ---- nsaserefpolicy/policy/modules/system/ipsec.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/ipsec.te 2009-11-19 09:40:34.000000000 -0500 -@@ -6,6 +6,13 @@ - # Declarations - # - -+## -+##

-+## Allow racoon to read shadow -+##

-+##
-+gen_tunable(racoon_read_shadow, false) -+ - type ipsec_t; - type ipsec_exec_t; - init_daemon_domain(ipsec_t, ipsec_exec_t) -@@ -15,6 +22,9 @@ - type ipsec_conf_file_t; - files_type(ipsec_conf_file_t) - -+type ipsec_initrc_exec_t; -+init_script_file(ipsec_initrc_exec_t) -+ - # type for file(s) containing ipsec keys - RSA or preshared - type ipsec_key_file_t; - files_type(ipsec_key_file_t) -@@ -22,6 +32,9 @@ + ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.3/policy/modules/system/ipsec.te +--- nsaserefpolicy/policy/modules/system/ipsec.te 2009-11-25 11:47:19.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/ipsec.te 2009-11-25 12:39:13.000000000 -0500 +@@ -32,6 +32,9 @@ # Default type for IPSEC SPD entries type ipsec_spd_t; @@ -27394,74 +26640,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # type for runtime files, including pluto.ctl type ipsec_var_run_t; files_pid_file(ipsec_var_run_t) -@@ -43,6 +56,9 @@ - init_daemon_domain(racoon_t, racoon_exec_t) - role system_r types racoon_t; - -+type racoon_tmp_t; -+files_tmp_file(racoon_tmp_t) -+ - type setkey_t; - type setkey_exec_t; - init_system_domain(setkey_t, setkey_exec_t) -@@ -53,21 +69,23 @@ +@@ -66,7 +69,7 @@ # ipsec Local policy # --allow ipsec_t self:capability { net_admin dac_override dac_read_search }; -+allow ipsec_t self:capability { net_admin dac_override dac_read_search sys_nice }; +-allow ipsec_t self:capability { net_admin dac_override dac_read_search sys_nice }; ++allow ipsec_t self:capability { setpcap net_admin dac_override dac_read_search sys_nice }; dontaudit ipsec_t self:capability sys_tty_config; --allow ipsec_t self:process { signal setsched }; -+allow ipsec_t self:process { getcap setcap getsched signal setsched }; + allow ipsec_t self:process { getcap setcap getsched signal setsched }; allow ipsec_t self:tcp_socket create_stream_socket_perms; - allow ipsec_t self:udp_socket create_socket_perms; - allow ipsec_t self:key_socket create_socket_perms; - allow ipsec_t self:fifo_file read_fifo_file_perms; - allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write }; - -+allow ipsec_t ipsec_initrc_exec_t:file read_file_perms; -+ - allow ipsec_t ipsec_conf_file_t:dir list_dir_perms; - read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t) - read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t) - - allow ipsec_t ipsec_key_file_t:dir list_dir_perms; --read_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) -+manage_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t) - read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) - - manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) -@@ -82,16 +100,17 @@ - # so try flipping back into the ipsec_mgmt_t domain - corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) - allow ipsec_mgmt_t ipsec_t:fd use; --allow ipsec_mgmt_t ipsec_t:fifo_file rw_file_perms; -+allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms; - allow ipsec_mgmt_t ipsec_t:process sigchld; - --kernel_read_kernel_sysctls(ipsec_t) - kernel_list_proc(ipsec_t) -+kernel_read_kernel_sysctls(ipsec_t) - kernel_read_proc_symlinks(ipsec_t) - # allow pluto to access /proc/net/ipsec_eroute; - kernel_read_system_state(ipsec_t) - kernel_read_network_state(ipsec_t) - kernel_read_software_raid_state(ipsec_t) -+kernel_request_load_module(ipsec_t) - kernel_getattr_core_if(ipsec_t) - kernel_getattr_message_if(ipsec_t) - -@@ -120,7 +139,9 @@ - - domain_use_interactive_fds(ipsec_t) - -+files_list_tmp(ipsec_t) - files_read_etc_files(ipsec_t) -+files_read_usr_files(ipsec_t) - - fs_getattr_all_fs(ipsec_t) - fs_search_auto_mountpoints(ipsec_t) -@@ -154,16 +175,19 @@ +@@ -172,7 +175,7 @@ # allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search }; @@ -27470,10 +26658,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; - allow ipsec_mgmt_t self:key_socket create_socket_perms; --allow ipsec_mgmt_t self:fifo_file rw_file_perms; -+allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms; - +@@ -182,6 +185,9 @@ allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file) @@ -27483,7 +26668,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) -@@ -241,6 +265,7 @@ +@@ -259,6 +265,7 @@ init_use_script_ptys(ipsec_mgmt_t) init_exec_script_files(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t) @@ -27491,60 +26676,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(ipsec_mgmt_t) -@@ -280,6 +305,13 @@ - allow racoon_t self:netlink_selinux_socket { bind create read }; - allow racoon_t self:udp_socket create_socket_perms; - allow racoon_t self:key_socket create_socket_perms; -+allow racoon_t self:fifo_file rw_fifo_file_perms; -+ -+manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t) -+manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t) -+files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file }) -+ -+can_exec(racoon_t, setkey_exec_t) - - # manage pid file - manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t) -@@ -296,6 +328,14 @@ +@@ -323,6 +330,7 @@ kernel_read_system_state(racoon_t) kernel_read_network_state(racoon_t) +kernel_request_load_module(racoon_t) -+ -+can_exec(racoon_t, racoon_exec_t) -+ -+corecmd_exec_shell(racoon_t) -+corecmd_exec_bin(racoon_t) -+ -+sysnet_exec_ifconfig(racoon_t) - corenet_all_recvfrom_unlabeled(racoon_t) - corenet_tcp_sendrecv_all_if(racoon_t) -@@ -314,6 +354,8 @@ + corecmd_exec_shell(racoon_t) + corecmd_exec_bin(racoon_t) +@@ -362,6 +370,8 @@ - files_read_etc_files(racoon_t) - -+fs_dontaudit_getattr_xattr_fs(racoon_t) -+ - # allow racoon to use avc_has_perm to check context on proposed SA - selinux_compute_access_vector(racoon_t) - -@@ -328,6 +370,14 @@ - - miscfiles_read_localization(racoon_t) + sysnet_exec_ifconfig(racoon_t) +auth_use_pam(racoon_t) + -+ -+auth_can_read_shadow_passwords(racoon_t) -+tunable_policy(`racoon_read_shadow',` -+ auth_tunable_read_shadow(racoon_t) -+') -+ - ######################################## - # - # Setkey local policy -@@ -341,12 +391,15 @@ + auth_can_read_shadow_passwords(racoon_t) + tunable_policy(`racoon_read_shadow',` + auth_tunable_read_shadow(racoon_t) +@@ -380,12 +390,15 @@ read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t) read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t) @@ -27560,9 +26709,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # allow setkey to set the context for ipsec SAs and policy. ipsec_setcontext_default_spd(setkey_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.7.1/policy/modules/system/iptables.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.7.3/policy/modules/system/iptables.fc --- nsaserefpolicy/policy/modules/system/iptables.fc 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/iptables.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/iptables.fc 2009-11-25 12:39:13.000000000 -0500 @@ -1,7 +1,16 @@ -/sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) + @@ -27584,9 +26733,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.7.1/policy/modules/system/iptables.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.7.3/policy/modules/system/iptables.if --- nsaserefpolicy/policy/modules/system/iptables.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/iptables.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/iptables.if 2009-11-25 12:39:13.000000000 -0500 @@ -19,6 +19,24 @@ domtrans_pattern($1, iptables_exec_t, iptables_t) ') @@ -27695,9 +26844,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_files_pattern($1, iptables_conf_t, iptables_conf_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.1/policy/modules/system/iptables.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.3/policy/modules/system/iptables.te --- nsaserefpolicy/policy/modules/system/iptables.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/system/iptables.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/iptables.te 2009-11-25 12:39:13.000000000 -0500 @@ -11,6 +11,12 @@ init_system_domain(iptables_t, iptables_exec_t) role system_r types iptables_t; @@ -27759,106 +26908,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol udev_read_db(iptables_t) ') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-3.7.1/policy/modules/system/iscsi.if ---- nsaserefpolicy/policy/modules/system/iscsi.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/iscsi.if 2009-11-17 11:06:58.000000000 -0500 -@@ -17,3 +17,43 @@ - - domtrans_pattern($1, iscsid_exec_t, iscsid_t) - ') -+ -+######################################## -+## -+## Read iscsi lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`iscsi_read_lib_files',` -+ gen_require(` -+ type iscsi_var_lib_t; -+ ') -+ -+ read_files_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t) -+ allow $1 iscsi_var_lib_t:dir list_dir_perms; -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Connect to ISCSI using a unix domain stream socket. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`iscsi_stream_connect',` -+ gen_require(` -+ type iscsid_t, iscsi_var_lib_t; -+ ') -+ -+ files_search_pids($1) -+ stream_connect_pattern($1,iscsi_var_lib_t,iscsi_var_lib_t,iscsid_t) -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.7.1/policy/modules/system/iscsi.te ---- nsaserefpolicy/policy/modules/system/iscsi.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/iscsi.te 2009-11-17 11:06:58.000000000 -0500 -@@ -55,6 +55,7 @@ - files_pid_filetrans(iscsid_t, iscsi_var_run_t, file) - - kernel_read_system_state(iscsid_t) -+kernel_search_debugfs(iscsid_t) - - corenet_all_recvfrom_unlabeled(iscsid_t) - corenet_all_recvfrom_netlabel(iscsid_t) -@@ -68,11 +69,12 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.7.3/policy/modules/system/iscsi.te +--- nsaserefpolicy/policy/modules/system/iscsi.te 2009-11-25 11:47:19.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/iscsi.te 2009-11-25 12:39:13.000000000 -0500 +@@ -69,6 +69,7 @@ dev_rw_sysfs(iscsid_t) domain_use_interactive_fds(iscsid_t) -+domain_read_all_domains_state(iscsid_t) ++domain_dontaudit_read_all_domains_state(iscsid_t) files_read_etc_files(iscsid_t) - logging_send_syslog_msg(iscsid_t) - --miscfiles_read_localization(iscsid_t) -+auth_use_nsswitch(iscsid_t) - --sysnet_dns_name_resolve(iscsid_t) -+miscfiles_read_localization(iscsid_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.te serefpolicy-3.7.1/policy/modules/system/kdump.te ---- nsaserefpolicy/policy/modules/system/kdump.te 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/kdump.te 2009-11-17 11:06:58.000000000 -0500 -@@ -21,7 +21,7 @@ - # kdump local policy - # - --allow kdump_t self:capability { sys_boot dac_override }; -+allow kdump_t self:capability { sys_boot sys_rawio dac_override }; - - read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t) - -@@ -29,8 +29,11 @@ - files_read_kernel_img(kdump_t) - - kernel_read_system_state(kdump_t) -+kernel_read_core_if(kdump_t) - - dev_read_framebuffer(kdump_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.te serefpolicy-3.7.3/policy/modules/system/kdump.te +--- nsaserefpolicy/policy/modules/system/kdump.te 2009-11-25 11:47:19.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/kdump.te 2009-11-25 12:39:13.000000000 -0500 +@@ -35,3 +35,5 @@ dev_read_sysfs(kdump_t) term_use_console(kdump_t) + +permissive kdump_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.1/policy/modules/system/libraries.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.3/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/libraries.fc 2009-11-25 06:13:34.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/libraries.fc 2009-11-25 12:39:13.000000000 -0500 @@ -60,12 +60,15 @@ # # /opt @@ -28173,9 +27245,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.1/policy/modules/system/libraries.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.3/policy/modules/system/libraries.if --- nsaserefpolicy/policy/modules/system/libraries.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/libraries.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/libraries.if 2009-11-25 12:39:13.000000000 -0500 @@ -17,6 +17,7 @@ corecmd_search_bin($1) @@ -28202,9 +27274,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1 lib_t:dir list_dir_perms; read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.7.1/policy/modules/system/libraries.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.7.3/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/system/libraries.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/libraries.te 2009-11-25 12:39:13.000000000 -0500 @@ -58,11 +58,11 @@ # ldconfig local policy # @@ -28266,9 +27338,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + unconfined_domain(ldconfig_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.7.1/policy/modules/system/locallogin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.7.3/policy/modules/system/locallogin.te --- nsaserefpolicy/policy/modules/system/locallogin.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/locallogin.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/locallogin.te 2009-11-25 12:39:13.000000000 -0500 @@ -33,7 +33,7 @@ # Local login local policy # @@ -28357,9 +27429,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -optional_policy(` - nscd_socket_use(sulogin_t) -') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.7.1/policy/modules/system/logging.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.7.3/policy/modules/system/logging.fc --- nsaserefpolicy/policy/modules/system/logging.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/logging.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/logging.fc 2009-11-25 12:39:13.000000000 -0500 @@ -51,17 +51,21 @@ ifdef(`distro_redhat',` @@ -28386,9 +27458,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.7.1/policy/modules/system/logging.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.7.3/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2009-08-28 14:58:20.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/logging.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/logging.if 2009-11-25 12:39:13.000000000 -0500 @@ -69,6 +69,20 @@ ######################################## @@ -28428,9 +27500,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.1/policy/modules/system/logging.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.3/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/system/logging.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/logging.te 2009-11-25 12:39:13.000000000 -0500 @@ -123,10 +123,10 @@ allow auditd_t self:capability { chown fsetid sys_nice sys_resource }; @@ -28538,81 +27610,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol inn_manage_log(syslogd_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.7.1/policy/modules/system/lvm.if ---- nsaserefpolicy/policy/modules/system/lvm.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/lvm.if 2009-11-17 11:06:58.000000000 -0500 -@@ -21,6 +21,26 @@ - - ######################################## - ## -+## Execute lvm programs in the caller domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`lvm_exec',` -+ gen_require(` -+ type lvm_exec_t; -+ ') -+ -+ corecmd_search_sbin($1) -+ can_exec($1, lvm_exec_t) -+ -+') -+ -+######################################## -+## - ## Execute lvm programs in the lvm domain. - ## - ## -@@ -85,3 +105,22 @@ - manage_dirs_pattern($1, lvm_etc_t, lvm_etc_t) - manage_files_pattern($1, lvm_etc_t, lvm_etc_t) - ') -+ -+###################################### -+## -+## Execute a domain transition to run clvmd. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`lvm_clvmd_domtrans',` -+ gen_require(` -+ type clvmd_t, clvmd_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1,clvmd_exec_t,clvmd_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.1/policy/modules/system/lvm.te ---- nsaserefpolicy/policy/modules/system/lvm.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/lvm.te 2009-11-17 11:06:58.000000000 -0500 -@@ -10,6 +10,9 @@ - type clvmd_exec_t; - init_daemon_domain(clvmd_t, clvmd_exec_t) - -+type clvmd_initrc_exec_t; -+init_script_file(clvmd_initrc_exec_t) -+ - type clvmd_var_run_t; - files_pid_file(clvmd_var_run_t) - -@@ -102,6 +105,7 @@ - fs_search_auto_mountpoints(clvmd_t) - fs_dontaudit_list_tmpfs(clvmd_t) - fs_dontaudit_read_removable_files(clvmd_t) -+fs_rw_anon_inodefs_files(clvmd_t) - - storage_dontaudit_getattr_removable_dev(clvmd_t) - storage_manage_fixed_disk(clvmd_t) -@@ -138,6 +142,10 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.3/policy/modules/system/lvm.te +--- nsaserefpolicy/policy/modules/system/lvm.te 2009-11-25 11:47:19.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/lvm.te 2009-11-25 12:39:13.000000000 -0500 +@@ -142,6 +142,10 @@ ') optional_policy(` @@ -28623,24 +27624,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ccs_stream_connect(clvmd_t) ') -@@ -168,7 +176,7 @@ - # LVM will complain a lot if it cannot set its priority. - allow lvm_t self:process setsched; - allow lvm_t self:file rw_file_perms; --allow lvm_t self:fifo_file rw_fifo_file_perms; -+allow lvm_t self:fifo_file manage_fifo_file_perms; - allow lvm_t self:unix_dgram_socket create_socket_perms; - allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms; - -@@ -214,6 +222,7 @@ - # it has no reason to need this - kernel_dontaudit_getattr_core_if(lvm_t) - kernel_use_fds(lvm_t) -+kernel_search_debugfs(lvm_t) - - corecmd_exec_bin(lvm_t) - corecmd_exec_shell(lvm_t) -@@ -239,6 +248,7 @@ +@@ -244,6 +248,7 @@ dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) @@ -28648,7 +27632,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(lvm_t) domain_read_all_domains_state(lvm_t) -@@ -248,6 +258,7 @@ +@@ -253,6 +258,7 @@ files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(lvm_t) @@ -28656,31 +27640,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_xattr_fs(lvm_t) fs_search_auto_mountpoints(lvm_t) -@@ -255,6 +266,7 @@ - fs_read_tmpfs_symlinks(lvm_t) - fs_dontaudit_read_removable_files(lvm_t) - fs_dontaudit_getattr_tmpfs_files(lvm_t) -+fs_rw_anon_inodefs_files(lvm_t) - - selinux_get_fs_mount(lvm_t) - selinux_validate_context(lvm_t) -@@ -273,10 +285,15 @@ - storage_dev_filetrans_fixed_disk(lvm_t) - # Access raw devices and old /dev/lvm (c 109,0). Is this needed? - storage_manage_fixed_disk(lvm_t) -+mls_file_read_all_levels(lvm_t) -+mls_file_write_to_clearance(lvm_t) -+ -+term_use_all_terms(lvm_t) - - init_use_fds(lvm_t) - init_dontaudit_getattr_initctl(lvm_t) - init_use_script_ptys(lvm_t) -+init_read_script_state(lvm_t) - - logging_send_syslog_msg(lvm_t) - -@@ -299,6 +316,10 @@ +@@ -311,6 +317,10 @@ ') optional_policy(` @@ -28691,164 +27651,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol bootloader_rw_tmp_files(lvm_t) ') -@@ -313,8 +334,10 @@ - optional_policy(` - dbus_system_bus_client(lvm_t) - -+ optional_policy(` - hal_dbus_chat(lvm_t) - ') -+') - - optional_policy(` - modutils_domtrans_insmod(lvm_t) -@@ -329,6 +352,10 @@ - ') - - optional_policy(` -+ virt_manage_images(lvm_t) -+') -+ -+optional_policy(` - xen_append_log(lvm_t) - xen_dontaudit_rw_unix_stream_sockets(lvm_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.7.1/policy/modules/system/miscfiles.fc ---- nsaserefpolicy/policy/modules/system/miscfiles.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/miscfiles.fc 2009-11-17 11:06:58.000000000 -0500 -@@ -85,3 +85,5 @@ - /var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) - /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) - ') -+ -+HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.7.1/policy/modules/system/miscfiles.if ---- nsaserefpolicy/policy/modules/system/miscfiles.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/miscfiles.if 2009-11-17 11:06:58.000000000 -0500 -@@ -23,6 +23,28 @@ - - ######################################## - ## -+## Read system SSL certificates in the users homedir. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`miscfiles_read_home_certs',` -+ gen_require(` -+ type home_cert_t; -+ ') -+ -+ userdom_search_user_home_dirs($1) -+ allow $1 home_cert_t:dir list_dir_perms; -+ read_files_pattern($1, home_cert_t, home_cert_t) -+ read_lnk_files_pattern($1, home_cert_t, home_cert_t) -+') -+ -+######################################## -+## - ## manange system SSL certificates. - ## - ## -@@ -87,6 +109,44 @@ - - ######################################## - ## -+## dontaudit domain setattr on fonts dir -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`miscfiles_dontaudit_setattr_fonts',` -+ gen_require(` -+ type fonts_t; -+ ') -+ -+ dontaudit $1 fonts_t:dir setattr; -+') -+ -+######################################## -+## -+## Allow domain to setattr on fonts dir -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`miscfiles_setattr_fonts',` -+ gen_require(` -+ type fonts_t; -+ ') -+ -+ allow $1 fonts_t:dir setattr; -+') -+ -+######################################## -+## - ## Do not audit attempts to write fonts. - ## - ## -@@ -255,6 +315,24 @@ - - ######################################## - ## -+## Allow process to search man pages. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`miscfiles_search_man_pages',` -+ gen_require(` -+ type man_t; -+ ') -+ -+ allow $1 man_t:dir search_dir_perms; -+') -+ -+######################################## -+## - ## Do not audit attempts to search man pages. - ## - ## -@@ -268,7 +346,7 @@ - type man_t; - ') - -- dontaudit $1 man_t:dir search; -+ dontaudit $1 man_t:dir search_dir_perms; - ') - - ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.7.1/policy/modules/system/miscfiles.te ---- nsaserefpolicy/policy/modules/system/miscfiles.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/miscfiles.te 2009-11-17 11:06:58.000000000 -0500 -@@ -12,6 +12,9 @@ - type cert_t; - files_type(cert_t) - -+type home_cert_t; -+userdom_user_home_content(home_cert_t) -+ - # - # fonts_t is the type of various font - # files in /usr -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.fc serefpolicy-3.7.1/policy/modules/system/modutils.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.fc serefpolicy-3.7.3/policy/modules/system/modutils.fc --- nsaserefpolicy/policy/modules/system/modutils.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/modutils.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/modutils.fc 2009-11-25 12:39:13.000000000 -0500 @@ -1,6 +1,7 @@ /etc/modules\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0) @@ -28857,9 +27662,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_gentoo',` # gentoo init scripts still manage this file -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.7.1/policy/modules/system/modutils.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.7.3/policy/modules/system/modutils.if --- nsaserefpolicy/policy/modules/system/modutils.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/modutils.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/modutils.if 2009-11-25 12:39:13.000000000 -0500 @@ -1,5 +1,24 @@ ## Policy for kernel module utilities @@ -28933,9 +27738,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.1/policy/modules/system/modutils.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.3/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/modutils.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/modutils.te 2009-11-25 12:39:13.000000000 -0500 @@ -19,6 +19,7 @@ type insmod_exec_t; application_domain(insmod_t, insmod_exec_t) @@ -29102,9 +27907,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_kernel_modules_filetrans(update_modules_t, modules_conf_t, file) files_etc_filetrans(update_modules_t, modules_conf_t, file) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.7.1/policy/modules/system/mount.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.7.3/policy/modules/system/mount.fc --- nsaserefpolicy/policy/modules/system/mount.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/mount.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/mount.fc 2009-11-25 12:39:13.000000000 -0500 @@ -1,4 +1,9 @@ /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) @@ -29116,9 +27921,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.7.1/policy/modules/system/mount.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.7.3/policy/modules/system/mount.if --- nsaserefpolicy/policy/modules/system/mount.if 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/mount.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/mount.if 2009-11-25 12:39:13.000000000 -0500 @@ -84,9 +84,11 @@ interface(`mount_signal',` gen_require(` @@ -29131,9 +27936,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.1/policy/modules/system/mount.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.3/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/mount.te 2009-11-19 14:07:23.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/mount.te 2009-11-25 12:39:13.000000000 -0500 @@ -18,8 +18,12 @@ init_system_domain(mount_t, mount_exec_t) role system_r types mount_t; @@ -29342,36 +28147,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + rpc_domtrans_rpcd(unconfined_mount_t) ') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.fc serefpolicy-3.7.1/policy/modules/system/raid.fc ---- nsaserefpolicy/policy/modules/system/raid.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/raid.fc 2009-11-17 11:06:58.000000000 -0500 -@@ -3,3 +3,5 @@ - /sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0) - - /var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0) -+ -+/dev/.mdadm.map -- gen_context(system_u:object_r:mdadm_map_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.7.1/policy/modules/system/raid.te ---- nsaserefpolicy/policy/modules/system/raid.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/raid.te 2009-11-17 11:06:58.000000000 -0500 -@@ -14,6 +14,9 @@ - type mdadm_var_run_t; - files_pid_file(mdadm_var_run_t) - -+type mdadm_map_t; -+files_type(mdadm_map_t) -+ - ######################################## - # - # Local policy -@@ -44,11 +47,16 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.7.3/policy/modules/system/raid.te +--- nsaserefpolicy/policy/modules/system/raid.te 2009-11-25 11:47:19.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/raid.te 2009-11-25 12:39:13.000000000 -0500 +@@ -51,11 +51,13 @@ dev_dontaudit_getattr_generic_chr_files(mdadm_t) dev_dontaudit_getattr_generic_blk_files(mdadm_t) dev_read_realtime_clock(mdadm_t) +dev_read_raw_memory(mdadm_t) -+# create .mdadm files in /dev -+allow mdadm_t mdadm_map_t:file manage_file_perms; -+dev_filetrans(mdadm_t, mdadm_map_t, file) domain_use_interactive_fds(mdadm_t) @@ -29381,9 +28164,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_search_auto_mountpoints(mdadm_t) fs_dontaudit_list_tmpfs(mdadm_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.7.1/policy/modules/system/selinuxutil.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.7.3/policy/modules/system/selinuxutil.fc --- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/selinuxutil.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/selinuxutil.fc 2009-11-25 12:39:13.000000000 -0500 @@ -6,13 +6,13 @@ /etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0) /etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0) @@ -29423,9 +28206,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.7.1/policy/modules/system/selinuxutil.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.7.3/policy/modules/system/selinuxutil.if --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/selinuxutil.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/selinuxutil.if 2009-11-25 12:39:13.000000000 -0500 @@ -351,6 +351,27 @@ ######################################## @@ -29781,9 +28564,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + hotplug_use_fds($1) +') +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.1/policy/modules/system/selinuxutil.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.3/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/selinuxutil.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/selinuxutil.te 2009-11-25 12:39:13.000000000 -0500 @@ -23,6 +23,9 @@ type selinux_config_t; files_type(selinux_config_t) @@ -30146,48 +28929,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +kernel_relabelto_unlabeled(setfiles_mac_t) - # cjp: cover up stray file descriptors. - optional_policy(` -- unconfined_dontaudit_read_pipes(setfiles_t) -- unconfined_dontaudit_rw_tcp_sockets(setfiles_t) -- ') -+ setroubleshoot_dontaudit_rw_dgram_sockets(setfiles_t) -+ setroubleshoot_dontaudit_rw_dgram_sockets(setsebool_t) - ') - - optional_policy(` -- hotplug_use_fds(setfiles_t) -+ unconfined_domain(setfiles_mac_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.7.1/policy/modules/system/setrans.if ---- nsaserefpolicy/policy/modules/system/setrans.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/setrans.if 2009-11-17 11:06:58.000000000 -0500 -@@ -21,3 +21,23 @@ - stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, setrans_t) - files_list_pids($1) - ') -+ -+######################################## -+## -+## Execute setrans server in the setrans domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+# -+interface(`setrans_initrc_domtrans',` -+ gen_require(` -+ type setrans_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, setrans_initrc_exec_t) -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.7.1/policy/modules/system/sysnetwork.fc + optional_policy(` +- unconfined_dontaudit_read_pipes(setfiles_t) +- unconfined_dontaudit_rw_tcp_sockets(setfiles_t) +- ') ++ setroubleshoot_dontaudit_rw_dgram_sockets(setfiles_t) ++ setroubleshoot_dontaudit_rw_dgram_sockets(setsebool_t) + ') + + optional_policy(` +- hotplug_use_fds(setfiles_t) ++ unconfined_domain(setfiles_mac_t) + ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.7.3/policy/modules/system/sysnetwork.fc --- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/sysnetwork.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/sysnetwork.fc 2009-11-25 12:39:13.000000000 -0500 @@ -11,15 +11,20 @@ /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0) @@ -30216,9 +28972,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') + +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.1/policy/modules/system/sysnetwork.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.3/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/sysnetwork.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/sysnetwork.if 2009-11-25 12:39:13.000000000 -0500 @@ -43,6 +43,39 @@ sysnet_domtrans_dhcpc($1) @@ -30396,9 +29152,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + role_transition $1 dhcpc_exec_t system_r; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.1/policy/modules/system/sysnetwork.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.3/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/sysnetwork.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/sysnetwork.te 2009-11-25 12:39:13.000000000 -0500 @@ -20,6 +20,9 @@ init_daemon_domain(dhcpc_t, dhcpc_exec_t) role system_r types dhcpc_t; @@ -30611,69 +29367,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + hal_dontaudit_rw_pipes(ifconfig_t) + hal_dontaudit_rw_dgram_sockets(ifconfig_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.7.1/policy/modules/system/udev.fc ---- nsaserefpolicy/policy/modules/system/udev.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/udev.fc 2009-11-17 11:06:58.000000000 -0500 -@@ -7,6 +7,9 @@ - /etc/hotplug\.d/default/udev.* -- gen_context(system_u:object_r:udev_helper_exec_t,s0) - - /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0) -+/etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) -+ -+/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0) - - /sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) - /sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.7.1/policy/modules/system/udev.if ---- nsaserefpolicy/policy/modules/system/udev.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/udev.if 2009-11-17 11:06:58.000000000 -0500 -@@ -168,4 +168,43 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.7.3/policy/modules/system/udev.if +--- nsaserefpolicy/policy/modules/system/udev.if 2009-11-25 11:47:19.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/udev.if 2009-11-25 12:39:13.000000000 -0500 +@@ -186,6 +186,7 @@ dev_list_all_dev_nodes($1) allow $1 udev_tbl_t:file rw_file_perms; + allow $1 udev_tbl_t:file unlink; -+') -+ -+######################################## -+## -+## Create, read, write, and delete -+## udev pid files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`udev_manage_pid_files',` -+ gen_require(` -+ type udev_var_run_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, udev_var_run_t, udev_var_run_t) -+') -+ -+######################################## -+## -+## Send signal to udev process -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`udev_signal',` -+ gen_require(` -+ type udev_t; -+ ') -+ -+ allow $1 udev_t:process signal; ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.1/policy/modules/system/udev.te ---- nsaserefpolicy/policy/modules/system/udev.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/udev.te 2009-11-17 11:06:58.000000000 -0500 + + ######################################## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.3/policy/modules/system/udev.te +--- nsaserefpolicy/policy/modules/system/udev.te 2009-11-25 11:47:19.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/udev.te 2009-11-25 12:39:13.000000000 -0500 @@ -50,6 +50,7 @@ allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -30682,46 +29389,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow udev_t udev_exec_t:file write; can_exec(udev_t, udev_exec_t) -@@ -66,9 +67,11 @@ - - manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t) - manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) -+manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) - files_pid_filetrans(udev_t, udev_var_run_t, { dir file }) - - kernel_read_system_state(udev_t) -+kernel_request_load_module(udev_t) - kernel_getattr_core_if(udev_t) - kernel_use_fds(udev_t) - kernel_read_device_sysctls(udev_t) -@@ -111,6 +114,7 @@ - - fs_getattr_all_fs(udev_t) - fs_list_inotifyfs(udev_t) -+fs_rw_anon_inodefs_files(udev_t) - - mcs_ptrace_all(udev_t) - -@@ -140,6 +144,7 @@ - logging_send_audit_msgs(udev_t) - - miscfiles_read_localization(udev_t) -+miscfiles_read_hwdata(udev_t) - - modutils_domtrans_insmod(udev_t) - # read modules.inputmap: -@@ -194,6 +199,10 @@ - ') - - optional_policy(` -+ bluetooth_domtrans(udev_t) -+') -+ -+optional_policy(` - brctl_domtrans(udev_t) - ') - -@@ -202,14 +211,27 @@ +@@ -210,6 +211,10 @@ ') optional_policy(` @@ -30732,24 +29400,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol consoletype_exec(udev_t) ') - optional_policy(` -+ cups_domtrans_config(udev_t) -+') -+ -+optional_policy(` - dbus_system_bus_client(udev_t) - ') - - optional_policy(` -+ devicekit_read_pid_files(udev_t) -+ devicekit_dgram_send(udev_t) -+') -+ -+optional_policy(` - lvm_domtrans(udev_t) - ') - -@@ -219,6 +241,7 @@ +@@ -236,6 +241,7 @@ optional_policy(` hal_dgram_send(udev_t) @@ -30757,29 +29408,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -228,6 +251,10 @@ +@@ -263,7 +269,7 @@ ') optional_policy(` -+ mount_domtrans(udev_t) -+') -+ -+optional_policy(` - openct_read_pid_files(udev_t) - openct_domtrans(udev_t) +- unconfined_signal(udev_t) ++ rpm_search_log(udev_t) ') -@@ -242,6 +269,18 @@ + + optional_policy(` +@@ -271,6 +277,10 @@ ') optional_policy(` -+ rpm_search_log(udev_t) -+') -+ -+optional_policy(` -+ vbetool_domtrans(udev_t) -+') -+ -+optional_policy(` + unconfined_signal(udev_t) +') + @@ -30787,9 +29428,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_write_xen_state(udev_t) kernel_read_xen_state(udev_t) xen_manage_log(udev_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.7.1/policy/modules/system/unconfined.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.7.3/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/unconfined.fc 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/unconfined.fc 2009-11-25 12:39:13.000000000 -0500 @@ -1,16 +1 @@ # Add programs here which should not be confined by SELinux -# e.g.: @@ -30807,9 +29448,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -ifdef(`distro_gentoo',` -/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.7.1/policy/modules/system/unconfined.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.7.3/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/unconfined.if 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/unconfined.if 2009-11-25 12:39:13.000000000 -0500 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -31313,9 +29954,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - - allow $1 unconfined_t:dbus acquire_svc; -') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.7.1/policy/modules/system/unconfined.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.7.3/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/system/unconfined.te 2009-11-17 11:08:37.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/unconfined.te 2009-11-25 12:39:13.000000000 -0500 @@ -5,227 +5,5 @@ # # Declarations @@ -31545,10 +30186,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - hal_dbus_chat(unconfined_execmem_t) - ') -') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.1/policy/modules/system/userdomain.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.3/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/userdomain.fc 2009-11-17 11:06:58.000000000 -0500 -@@ -1,4 +1,8 @@ ++++ serefpolicy-3.7.3/policy/modules/system/userdomain.fc 2009-11-25 12:39:13.000000000 -0500 +@@ -1,4 +1,9 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) @@ -31557,10 +30198,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) +/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0) +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) ++HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.gvfs(/.*)? <> -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.1/policy/modules/system/userdomain.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.3/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/userdomain.if 2009-11-23 14:09:57.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/userdomain.if 2009-11-25 12:39:13.000000000 -0500 @@ -30,8 +30,9 @@ ') @@ -32478,7 +31120,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol loadkeys_run($1_t,$1_r) ') ') -@@ -865,51 +950,97 @@ +@@ -865,51 +950,93 @@ userdom_restricted_user_template($1) @@ -32535,7 +31177,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + optional_policy(` + alsa_read_rw_config($1_usertype) + ') -+ + +- xserver_restricted_role($1_r, $1_t) + optional_policy(` + apache_role($1_r, $1_usertype) + ') @@ -32546,14 +31189,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + devicekit_dbus_chat_power($1_usertype) + ') -- xserver_restricted_role($1_r, $1_t) -+ optional_policy(` -+ fprintd_dbus_chat($1_t) -+ ') - optional_policy(` - alsa_read_rw_config($1_t) -+ gnomeclock_dbus_chat($1_t) ++ fprintd_dbus_chat($1_t) ') optional_policy(` @@ -32589,7 +31227,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -943,8 +1074,8 @@ +@@ -943,8 +1070,8 @@ # Declarations # @@ -32599,7 +31237,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_common_user_template($1) ############################## -@@ -953,58 +1084,67 @@ +@@ -953,58 +1080,71 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -32633,10 +31271,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - storage_raw_read_removable_device($1_t) + optional_policy(` + cdrecord_role($1_r, $1_t) - ') ++ ') + + optional_policy(` + cron_role($1_r, $1_t) + ') ++ ++ optional_policy(` ++ games_rw_data($1_usertype) ') - tunable_policy(`user_dmesg',` @@ -32644,7 +31286,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - ',` - kernel_dontaudit_read_ring_buffer($1_t) + optional_policy(` -+ games_rw_data($1_usertype) ++ gpg_role($1_r, $1_usertype) ') - # Allow users to run TCP servers (bind to ports and accept connection from @@ -32654,7 +31296,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - corenet_tcp_bind_generic_node($1_t) - corenet_tcp_bind_generic_port($1_t) + optional_policy(` -+ gpg_role($1_r, $1_usertype) ++ gnomeclock_dbus_chat($1_t) ') optional_policy(` @@ -33259,7 +31901,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -3064,3 +3395,597 @@ +@@ -3064,3 +3395,619 @@ allow $1 userdomain:dbus send_msg; ') @@ -33857,9 +32499,31 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 user_tmp_t:file { getattr append }; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.1/policy/modules/system/userdomain.te ++ ++######################################## ++## ++## Read system SSL certificates in the users homedir. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`userdom_read_home_certs',` ++ gen_require(` ++ type home_cert_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ allow $1 home_cert_t:dir list_dir_perms; ++ read_files_pattern($1, home_cert_t, home_cert_t) ++ read_lnk_files_pattern($1, home_cert_t, home_cert_t) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.3/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.1/policy/modules/system/userdomain.te 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/userdomain.te 2009-11-25 12:39:13.000000000 -0500 @@ -8,13 +8,6 @@ ## @@ -33918,11 +32582,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_user_home_content(user_home_t) fs_associate_tmpfs(user_home_t) files_associate_tmp(user_home_t) -@@ -97,3 +100,25 @@ +@@ -97,3 +100,29 @@ type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; dev_node(user_tty_device_t) ubac_constrained(user_tty_device_t) + ++type home_cert_t, user_home_type; ++files_type(home_cert_t) ++ubac_constrained(home_cert_t) ++ +tunable_policy(`allow_console_login',` + term_use_console(userdomain) +') @@ -33944,206 +32612,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +allow userdomain userdomain:process signull; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.7.1/policy/modules/system/xen.fc ---- nsaserefpolicy/policy/modules/system/xen.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/xen.fc 2009-11-17 11:06:58.000000000 -0500 -@@ -1,5 +1,7 @@ - /dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0) - -+/usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0) -+ - /usr/bin/virsh -- gen_context(system_u:object_r:xm_exec_t,s0) - - ifdef(`distro_debian',` -@@ -19,14 +21,18 @@ - /var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) - /var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0) - -+/var/log/evtchnd\.log -- gen_context(system_u:object_r:evtchnd_var_log_t,s0) - /var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0) - /var/log/xen-hotplug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) - /var/log/xend\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) - /var/log/xend-debug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) - -+/var/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0) -+/var/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0) - /var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0) - /var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) - /var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0) -+/var/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) - /var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0) - /var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.7.1/policy/modules/system/xen.if ---- nsaserefpolicy/policy/modules/system/xen.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/xen.if 2009-11-17 11:06:58.000000000 -0500 -@@ -71,6 +71,8 @@ - ') - - files_list_var_lib($1) -+ -+ list_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t) - read_files_pattern($1,{ xend_var_lib_t xen_image_t },xen_image_t) - ') - -@@ -167,11 +169,14 @@ - # - interface(`xen_stream_connect',` - gen_require(` -- type xend_t, xend_var_run_t; -+ type xend_t, xend_var_run_t, xend_var_lib_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, xend_var_run_t, xend_var_run_t, xend_t) -+ -+ files_search_var_lib($1) -+ stream_connect_pattern($1, xend_var_lib_t, xend_var_lib_t, xend_t) - ') - - ######################################## -@@ -191,3 +196,24 @@ - - domtrans_pattern($1, xm_exec_t, xm_t) - ') -+ -+######################################## -+## -+## Allow the specified domain to read/write -+## xend image files. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`xen_rw_image_files',` -+ gen_require(` -+ type xen_image_t, xend_var_lib_t; -+ ') -+ -+ files_list_var_lib($1) -+ allow $1 xend_var_lib_t:dir search_dir_perms; -+ rw_files_pattern($1, xen_image_t, xen_image_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.1/policy/modules/system/xen.te ---- nsaserefpolicy/policy/modules/system/xen.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.1/policy/modules/system/xen.te 2009-11-17 11:06:58.000000000 -0500 -@@ -6,6 +6,13 @@ - # Declarations - # - -+## -+##

-+## Allow xen to manage nfs files -+##

-+##
-+gen_tunable(xen_use_nfs, false) -+ - # console ptys - type xen_devpts_t; - term_pty(xen_devpts_t) -@@ -42,25 +49,31 @@ - # pid files - type xend_var_run_t; - files_pid_file(xend_var_run_t) -+files_mountpoint(xend_var_run_t) - - type xenstored_t; - type xenstored_exec_t; --domain_type(xenstored_t) --domain_entry_file(xenstored_t, xenstored_exec_t) --role system_r types xenstored_t; -+init_daemon_domain(xenstored_t, xenstored_exec_t) -+ -+# tmp files -+type xenstored_tmp_t; -+files_tmp_file(xenstored_tmp_t) - - # var/lib files - type xenstored_var_lib_t; - files_type(xenstored_var_lib_t) - -+# log files -+type xenstored_var_log_t; -+logging_log_file(xenstored_var_log_t) -+ - # pid files - type xenstored_var_run_t; - files_pid_file(xenstored_var_run_t) - +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.3/policy/modules/system/xen.te +--- nsaserefpolicy/policy/modules/system/xen.te 2009-11-25 11:47:19.000000000 -0500 ++++ serefpolicy-3.7.3/policy/modules/system/xen.te 2009-11-25 12:39:13.000000000 -0500 +@@ -85,6 +85,7 @@ type xenconsoled_t; type xenconsoled_exec_t; --domain_type(xenconsoled_t) --domain_entry_file(xenconsoled_t, xenconsoled_exec_t) -+init_daemon_domain(xenconsoled_t, xenconsoled_exec_t) - role system_r types xenconsoled_t; + init_daemon_domain(xenconsoled_t, xenconsoled_exec_t) ++role system_r types xenconsoled_t; # pid files -@@ -72,6 +85,18 @@ - domain_type(xm_t) - init_system_domain(xm_t, xm_exec_t) - -+type evtchnd_t; -+type evtchnd_exec_t; -+init_daemon_domain(evtchnd_t, evtchnd_exec_t) -+ -+# log files -+type evtchnd_var_log_t; -+logging_log_file(evtchnd_var_log_t) -+ -+# pid files -+type evtchnd_var_run_t; -+files_pid_file(evtchnd_var_run_t) -+ - ######################################## - # - # xend local policy -@@ -95,7 +120,7 @@ - read_lnk_files_pattern(xend_t, xen_image_t, xen_image_t) - rw_blk_files_pattern(xend_t, xen_image_t, xen_image_t) - --allow xend_t xenctl_t:fifo_file manage_file_perms; -+allow xend_t xenctl_t:fifo_file manage_fifo_file_perms; - dev_filetrans(xend_t, xenctl_t, fifo_file) - - manage_files_pattern(xend_t, xend_tmp_t, xend_tmp_t) -@@ -103,14 +128,14 @@ - files_tmp_filetrans(xend_t, xend_tmp_t, { file dir }) - - # pid file --allow xend_t xend_var_run_t:dir setattr; -+manage_dirs_pattern(xend_t, xend_var_run_t, xend_var_run_t) - manage_files_pattern(xend_t, xend_var_run_t, xend_var_run_t) - manage_sock_files_pattern(xend_t, xend_var_run_t, xend_var_run_t) - manage_fifo_files_pattern(xend_t, xend_var_run_t, xend_var_run_t) --files_pid_filetrans(xend_t, xend_var_run_t, { file sock_file fifo_file }) -+files_pid_filetrans(xend_t, xend_var_run_t, { file sock_file fifo_file dir }) - - # log files --allow xend_t xend_var_log_t:dir setattr; -+manage_dirs_pattern(xend_t, xend_var_log_t, xend_var_log_t) - manage_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) - manage_sock_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) - logging_log_filetrans(xend_t, xend_var_log_t,{ sock_file file dir }) -@@ -122,12 +147,13 @@ - manage_fifo_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) - files_var_lib_filetrans(xend_t, xend_var_lib_t,{ file dir }) - -+init_stream_connect_script(xend_t) -+ - # transition to store - domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t) - - # transition to console --domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t) --allow xenconsoled_t xend_t:fd use; -+domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t) - - kernel_read_kernel_sysctls(xend_t) - kernel_read_system_state(xend_t) -@@ -173,6 +199,7 @@ + type xenconsoled_var_run_t; +@@ -209,6 +210,7 @@ files_manage_etc_runtime_files(xend_t) files_etc_filetrans_etc_runtime(xend_t, file) files_read_usr_files(xend_t) @@ -34151,208 +32631,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol storage_raw_read_fixed_disk(xend_t) storage_raw_write_fixed_disk(xend_t) -@@ -208,6 +235,10 @@ - netutils_domtrans(xend_t) - - optional_policy(` -+ brctl_domtrans(xend_t) -+') -+ -+optional_policy(` - consoletype_exec(xend_t) - ') - -@@ -239,6 +270,10 @@ - - files_read_usr_files(xenconsoled_t) - -+fs_list_tmpfs(xenconsoled_t) -+fs_manage_xenfs_dirs(xenconsoled_t) -+fs_manage_xenfs_files(xenconsoled_t) -+ - term_create_pty(xenconsoled_t, xen_devpts_t) - term_use_generic_ptys(xenconsoled_t) - term_use_console(xenconsoled_t) -@@ -248,7 +283,7 @@ - - miscfiles_read_localization(xenconsoled_t) +@@ -438,6 +440,8 @@ + fs_manage_xenfs_dirs(xm_ssh_t) + fs_manage_xenfs_files(xm_ssh_t) --xen_append_log(xenconsoled_t) -+xen_manage_log(xenconsoled_t) - xen_stream_connect_xenstore(xenconsoled_t) - - ######################################## -@@ -256,21 +291,33 @@ - # Xen store local policy - # - --allow xenstored_t self:capability { dac_override mknod ipc_lock }; -+allow xenstored_t self:capability { dac_override mknod ipc_lock sys_resource }; - allow xenstored_t self:unix_stream_socket create_stream_socket_perms; - allow xenstored_t self:unix_dgram_socket create_socket_perms; - -+manage_files_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) -+manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) -+files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir }) -+ - # pid file - manage_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) - manage_sock_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) - files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file }) - -+# log files -+manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -+manage_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -+manage_sock_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -+logging_log_filetrans(xenstored_t, xenstored_var_log_t, { sock_file file dir }) -+ - # var/lib files for xenstored - manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) - manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) - manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) - files_var_lib_filetrans(xenstored_t, xenstored_var_lib_t,{ file dir sock_file }) - -+stream_connect_pattern(xenstored_t, evtchnd_var_run_t, evtchnd_var_run_t, evtchnd_t) ++userdom_search_admin_dir(xm_ssh_t) + - kernel_write_xen_state(xenstored_t) - kernel_read_xen_state(xenstored_t) - -@@ -304,6 +351,7 @@ + #Should have a boolean wrapping these + fs_list_auto_mountpoints(xend_t) + files_search_mnt(xend_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.3/policy/support/obj_perm_sets.spt +--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2009-11-25 11:47:19.000000000 -0500 ++++ serefpolicy-3.7.3/policy/support/obj_perm_sets.spt 2009-11-25 12:39:13.000000000 -0500 +@@ -317,3 +317,15 @@ + # Keys # - - allow xm_t self:capability { dac_override ipc_lock sys_tty_config }; -+allow xm_t self:process { getsched signal }; - - # internal communication is often done using fifo and unix sockets. - allow xm_t self:fifo_file rw_fifo_file_perms; -@@ -312,24 +360,28 @@ - - manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) - manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) -+manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) - files_search_var_lib(xm_t) - - allow xm_t xen_image_t:dir rw_dir_perms; - allow xm_t xen_image_t:file read_file_perms; - allow xm_t xen_image_t:blk_file read_blk_file_perms; - --kernel_read_system_state(xm_t) - kernel_read_kernel_sysctls(xm_t) -+kernel_read_sysctl(xm_t) -+kernel_read_system_state(xm_t) - kernel_read_xen_state(xm_t) - kernel_write_xen_state(xm_t) - - corecmd_exec_bin(xm_t) -+corecmd_exec_shell(xm_t) - - corenet_tcp_sendrecv_generic_if(xm_t) - corenet_tcp_sendrecv_generic_node(xm_t) - corenet_tcp_connect_soundd_port(xm_t) - - dev_read_urand(xm_t) -+dev_read_sysfs(xm_t) - - files_read_etc_runtime_files(xm_t) - files_read_usr_files(xm_t) -@@ -339,15 +391,70 @@ - - storage_raw_read_fixed_disk(xm_t) - -+fs_getattr_all_fs(xm_t) -+fs_manage_xenfs_dirs(xm_t) -+fs_manage_xenfs_files(xm_t) -+ - term_use_all_terms(xm_t) - -+init_stream_connect_script(xm_t) - init_rw_script_stream_sockets(xm_t) - init_use_fds(xm_t) - - miscfiles_read_localization(xm_t) - --sysnet_read_config(xm_t) -+sysnet_dns_name_resolve(xm_t) - - xen_append_log(xm_t) - xen_stream_connect(xm_t) - xen_stream_connect_xenstore(xm_t) -+ -+optional_policy(` -+ virt_manage_images(xm_t) -+ virt_stream_connect(xm_t) -+') + define(`manage_key_perms', `{ create link read search setattr view write } ') + -+######################################## -+# -+# SSH component local policy +# -+ssh_basic_client_template(xm,xm_t,system_r) -+kernel_read_xen_state(xm_ssh_t) -+kernel_write_xen_state(xm_ssh_t) -+ -+fs_manage_xenfs_dirs(xm_ssh_t) -+fs_manage_xenfs_files(xm_ssh_t) -+ -+userdom_search_admin_dir(xm_ssh_t) -+ -+#Should have a boolean wrapping these -+fs_list_auto_mountpoints(xend_t) -+files_search_mnt(xend_t) -+fs_getattr_all_fs(xend_t) -+fs_read_dos_files(xend_t) -+fs_manage_xenfs_dirs(xend_t) -+fs_manage_xenfs_files(xend_t) -+ -+tunable_policy(`xen_use_nfs',` -+ fs_manage_nfs_files(xend_t) -+ fs_read_nfs_symlinks(xend_t) -+') -+ -+optional_policy(` -+ unconfined_domain(xend_t) -+') -+ -+####################################### ++# All +# -+# evtchnd local policy -+# -+ -+manage_dirs_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) -+manage_files_pattern(evtchnd_t,evtchnd_var_log_t,evtchnd_var_log_t) -+logging_log_filetrans(evtchnd_t,evtchnd_var_log_t,{ file dir }) -+ -+manage_dirs_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t) -+manage_files_pattern(evtchnd_t,evtchnd_var_run_t,evtchnd_var_run_t) -+manage_sock_files_pattern(evtchnd_t,evtchnd_var_run_t,evtchnd_var_run_t) -+files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir }) -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.1/policy/support/obj_perm_sets.spt ---- nsaserefpolicy/policy/support/obj_perm_sets.spt 2009-11-12 12:51:51.000000000 -0500 -+++ serefpolicy-3.7.1/policy/support/obj_perm_sets.spt 2009-11-17 11:06:58.000000000 -0500 -@@ -201,7 +201,7 @@ - define(`setattr_file_perms',`{ setattr }') - define(`read_file_perms',`{ getattr open read lock ioctl }') - define(`mmap_file_perms',`{ getattr open read execute ioctl }') --define(`exec_file_perms',`{ getattr open read execute execute_no_trans }') -+define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }') - define(`append_file_perms',`{ getattr open append lock ioctl }') - define(`write_file_perms',`{ getattr open write append lock ioctl }') - define(`rw_file_perms',`{ getattr open read write append ioctl lock }') -@@ -225,7 +225,7 @@ - define(`create_lnk_file_perms',`{ create getattr }') - define(`rename_lnk_file_perms',`{ getattr rename }') - define(`delete_lnk_file_perms',`{ getattr unlink }') --define(`manage_lnk_file_perms',`{ create read getattr setattr unlink rename }') -+define(`manage_lnk_file_perms',`{ create read getattr setattr link unlink rename }') - define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }') - define(`relabelto_lnk_file_perms',`{ getattr relabelto }') - define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }') -@@ -312,3 +312,13 @@ - # - define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }') - define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }') -+ +define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap } +') + @@ -34361,10 +32659,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ') +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ') + -+define(`manage_key_perms', `{ create link read search setattr view write } ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.7.1/policy/users +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.7.3/policy/users --- nsaserefpolicy/policy/users 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.1/policy/users 2009-11-17 11:06:58.000000000 -0500 ++++ serefpolicy-3.7.3/policy/users 2009-11-25 12:39:13.000000000 -0500 @@ -25,11 +25,8 @@ # permit any access to such users, then remove this entry. # @@ -34389,9 +32686,3 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) -') +gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/VERSION serefpolicy-3.7.1/VERSION ---- nsaserefpolicy/VERSION 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.1/VERSION 2009-11-17 11:06:58.000000000 -0500 -@@ -1 +1 @@ --2.20091117 -+2.20090730 diff --git a/selinux-policy.spec b/selinux-policy.spec index e844528..27c7f2a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ %define CHECKPOLICYVER 2.0.16-3 Summary: SELinux policy configuration Name: selinux-policy -Version: 3.7.2 +Version: 3.7.3 Release: 1%{?dist} License: GPLv2+ Group: System Environment/Base @@ -449,8 +449,9 @@ exit 0 %endif %changelog -* Mon Nov 16 2009 Dan Walsh 3.7.2-1 +* Mon Nov 16 2009 Dan Walsh 3.7.3-1 - Add asterisk policy back in +- Update to upstream release 2.20091117 * Mon Nov 16 2009 Dan Walsh 3.7.1-1 - Update to upstream release 2.20091117 diff --git a/sources b/sources index 881f21d..ddfc333 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 3651679c4b12a31d2ba5f4305bba5540 config.tgz -7caf1e23a7c13a97f49d83c82b042c27 serefpolicy-3.7.2.tgz +ae593cb93bcd26546be99064d16b372a serefpolicy-3.7.3.tgz