diff --git a/.cvsignore b/.cvsignore
index 107ca45..7c484f7 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -193,3 +193,4 @@ serefpolicy-3.6.32.tgz
serefpolicy-3.6.33.tgz
serefpolicy-3.7.1.tgz
serefpolicy-3.7.2.tgz
+serefpolicy-3.7.3.tgz
diff --git a/nsadiff b/nsadiff
index b1c3c22..9404411 100755
--- a/nsadiff
+++ b/nsadiff
@@ -1 +1 @@
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.7.1 > /tmp/diff
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.7.3 > /tmp/diff
diff --git a/policy-F13.patch b/policy-F13.patch
index 4a2d764..ac3e349 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -1,6 +1,6 @@
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.1/Makefile
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.3/Makefile
--- nsaserefpolicy/Makefile 2009-08-18 11:41:14.000000000 -0400
-+++ serefpolicy-3.7.1/Makefile 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/Makefile 2009-11-25 12:39:13.000000000 -0500
@@ -244,7 +244,7 @@
appdir := $(contextpath)
user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
@@ -10,9 +10,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Mak
net_contexts := $(builddir)net_contexts
all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.7.1/policy/global_tunables
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.7.3/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.1/policy/global_tunables 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/global_tunables 2009-11-25 12:39:13.000000000 -0500
@@ -61,15 +61,6 @@
## <desc>
@@ -48,9 +48,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+## </desc>
+gen_tunable(mmap_low_allowed, false)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.7.1/policy/modules/admin/alsa.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.7.3/policy/modules/admin/alsa.te
--- nsaserefpolicy/policy/modules/admin/alsa.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/admin/alsa.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/admin/alsa.te 2009-11-25 12:39:13.000000000 -0500
@@ -51,6 +51,8 @@
files_read_etc_files(alsa_t)
files_read_usr_files(alsa_t)
@@ -60,9 +60,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_use_nsswitch(alsa_t)
init_use_fds(alsa_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.7.1/policy/modules/admin/anaconda.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.7.3/policy/modules/admin/anaconda.te
--- nsaserefpolicy/policy/modules/admin/anaconda.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/admin/anaconda.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/admin/anaconda.te 2009-11-25 12:39:13.000000000 -0500
@@ -31,6 +31,7 @@
modutils_domtrans_insmod(anaconda_t)
@@ -80,9 +80,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.7.1/policy/modules/admin/brctl.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.7.3/policy/modules/admin/brctl.te
--- nsaserefpolicy/policy/modules/admin/brctl.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/admin/brctl.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/admin/brctl.te 2009-11-25 12:39:13.000000000 -0500
@@ -21,7 +21,7 @@
allow brctl_t self:unix_dgram_socket create_socket_perms;
allow brctl_t self:tcp_socket create_socket_perms;
@@ -92,9 +92,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_network_state(brctl_t)
kernel_read_sysctl(brctl_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.7.1/policy/modules/admin/certwatch.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.7.3/policy/modules/admin/certwatch.te
--- nsaserefpolicy/policy/modules/admin/certwatch.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/admin/certwatch.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/admin/certwatch.te 2009-11-25 12:39:13.000000000 -0500
@@ -36,7 +36,7 @@
miscfiles_read_localization(certwatch_t)
@@ -104,9 +104,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
apache_exec_modules(certwatch_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.7.1/policy/modules/admin/consoletype.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.7.3/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/admin/consoletype.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/admin/consoletype.te 2009-11-25 12:39:13.000000000 -0500
@@ -84,6 +84,7 @@
optional_policy(`
hal_dontaudit_use_fds(consoletype_t)
@@ -115,17 +115,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.fc serefpolicy-3.7.1/policy/modules/admin/dmesg.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.fc serefpolicy-3.7.3/policy/modules/admin/dmesg.fc
--- nsaserefpolicy/policy/modules/admin/dmesg.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/admin/dmesg.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/admin/dmesg.fc 2009-11-25 12:39:13.000000000 -0500
@@ -1,2 +1,4 @@
/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
+
+/usr/sbin/mcelog -- gen_context(system_u:object_r:dmesg_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.7.1/policy/modules/admin/dmesg.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.7.3/policy/modules/admin/dmesg.te
--- nsaserefpolicy/policy/modules/admin/dmesg.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/admin/dmesg.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/admin/dmesg.te 2009-11-25 12:39:13.000000000 -0500
@@ -9,6 +9,7 @@
type dmesg_t;
type dmesg_exec_t;
@@ -167,9 +167,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+#mcelog needs
+dev_read_raw_memory(dmesg_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.7.1/policy/modules/admin/firstboot.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.7.3/policy/modules/admin/firstboot.te
--- nsaserefpolicy/policy/modules/admin/firstboot.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/admin/firstboot.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/admin/firstboot.te 2009-11-25 12:39:13.000000000 -0500
@@ -91,8 +91,12 @@
userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
@@ -192,44 +192,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.fc serefpolicy-3.7.1/policy/modules/admin/kismet.fc
---- nsaserefpolicy/policy/modules/admin/kismet.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/admin/kismet.fc 2009-11-17 11:06:58.000000000 -0500
-@@ -1,3 +1,5 @@
-+HOME_DIR/\.kismet(/.*)? gen_context(system_u:object_r:kismet_home_t,s0)
-+
- /usr/bin/kismet -- gen_context(system_u:object_r:kismet_exec_t,s0)
- /var/lib/kismet(/.*)? gen_context(system_u:object_r:kismet_var_lib_t,s0)
- /var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.7.1/policy/modules/admin/kismet.te
---- nsaserefpolicy/policy/modules/admin/kismet.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/admin/kismet.te 2009-11-17 11:06:58.000000000 -0500
-@@ -26,6 +26,9 @@
- type kismet_var_run_t;
- files_pid_file(kismet_var_run_t)
-
-+type kismet_home_t;
-+userdom_user_home_content(kismet_home_t)
-+
- ########################################
- #
- # kismet local policy
-@@ -59,6 +62,12 @@
- allow kismet_t kismet_var_run_t:dir manage_dir_perms;
- files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir })
-
-+manage_dirs_pattern(kismet_t, kismet_home_t, kismet_home_t)
-+manage_files_pattern(kismet_t, kismet_home_t, kismet_home_t)
-+manage_lnk_files_pattern(kismet_t, kismet_home_t, kismet_home_t)
-+userdom_search_user_home_dirs(kismet_t)
-+userdom_user_home_dir_filetrans(kismet_t, kismet_home_t, { file dir })
-+
- kernel_search_debugfs(kismet_t)
- kernel_read_system_state(kismet_t)
-
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.7.1/policy/modules/admin/logrotate.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.7.3/policy/modules/admin/logrotate.te
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/admin/logrotate.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/admin/logrotate.te 2009-11-25 12:39:13.000000000 -0500
@@ -32,7 +32,7 @@
# Change ownership on log files.
allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
@@ -287,18 +252,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
slrnpull_manage_spool(logrotate_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.7.1/policy/modules/admin/logwatch.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.7.3/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/admin/logwatch.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/admin/logwatch.te 2009-11-25 12:39:13.000000000 -0500
@@ -136,4 +136,5 @@
optional_policy(`
samba_read_log(logwatch_t)
+ samba_read_share_files(logwatch_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.7.1/policy/modules/admin/mrtg.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.7.3/policy/modules/admin/mrtg.te
--- nsaserefpolicy/policy/modules/admin/mrtg.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/admin/mrtg.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/admin/mrtg.te 2009-11-25 12:39:13.000000000 -0500
@@ -116,6 +116,7 @@
userdom_use_user_terminals(mrtg_t)
userdom_dontaudit_read_user_home_content_files(mrtg_t)
@@ -307,9 +272,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
netutils_domtrans_ping(mrtg_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.7.1/policy/modules/admin/netutils.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.7.3/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/admin/netutils.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/admin/netutils.te 2009-11-25 12:39:13.000000000 -0500
@@ -44,6 +44,7 @@
allow netutils_t self:packet_socket create_socket_perms;
allow netutils_t self:udp_socket create_socket_perms;
@@ -326,18 +291,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_use_user_terminals(netutils_t)
userdom_use_all_users_fds(netutils_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ntop.fc serefpolicy-3.7.1/policy/modules/admin/ntop.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ntop.fc serefpolicy-3.7.3/policy/modules/admin/ntop.fc
--- nsaserefpolicy/policy/modules/admin/ntop.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/admin/ntop.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/admin/ntop.fc 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,5 @@
+/etc/rc\.d/init\.d/ntop -- gen_context(system_u:object_r:ntop_initrc_exec_t,s0)
+
+/usr/sbin/ntop -- gen_context(system_u:object_r:ntop_exec_t,s0)
+
+/var/lib/ntop(/.*)? gen_context(system_u:object_r:ntop_var_lib_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ntop.if serefpolicy-3.7.1/policy/modules/admin/ntop.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ntop.if serefpolicy-3.7.3/policy/modules/admin/ntop.if
--- nsaserefpolicy/policy/modules/admin/ntop.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/admin/ntop.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/admin/ntop.if 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,158 @@
+
+## <summary>policy for ntop</summary>
@@ -497,9 +462,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ntop_manage_var_lib($1)
+
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ntop.te serefpolicy-3.7.1/policy/modules/admin/ntop.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ntop.te serefpolicy-3.7.3/policy/modules/admin/ntop.te
--- nsaserefpolicy/policy/modules/admin/ntop.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/admin/ntop.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/admin/ntop.te 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,40 @@
+policy_module(ntop,1.0.0)
+
@@ -541,9 +506,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+miscfiles_read_localization(ntop_t)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage.te serefpolicy-3.7.1/policy/modules/admin/portage.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage.te serefpolicy-3.7.3/policy/modules/admin/portage.te
--- nsaserefpolicy/policy/modules/admin/portage.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/admin/portage.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/admin/portage.te 2009-11-25 12:39:13.000000000 -0500
@@ -196,7 +196,7 @@
# - for rsync and distfile fetching
#
@@ -553,17 +518,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow portage_fetch_t self:process signal;
allow portage_fetch_t self:unix_stream_socket create_socket_perms;
allow portage_fetch_t self:tcp_socket create_stream_socket_perms;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.7.1/policy/modules/admin/prelink.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.7.3/policy/modules/admin/prelink.fc
--- nsaserefpolicy/policy/modules/admin/prelink.fc 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/admin/prelink.fc 2009-11-18 10:28:50.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/admin/prelink.fc 2009-11-25 12:39:13.000000000 -0500
@@ -1,3 +1,4 @@
+/etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0)
/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.7.1/policy/modules/admin/prelink.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.7.3/policy/modules/admin/prelink.if
--- nsaserefpolicy/policy/modules/admin/prelink.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/admin/prelink.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/admin/prelink.if 2009-11-25 12:39:13.000000000 -0500
@@ -151,11 +151,11 @@
## </summary>
## </param>
@@ -578,9 +543,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
+ relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.1/policy/modules/admin/prelink.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.3/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/admin/prelink.te 2009-11-18 10:28:50.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/admin/prelink.te 2009-11-25 12:39:13.000000000 -0500
@@ -21,8 +21,23 @@
type prelink_tmp_t;
files_tmp_file(prelink_tmp_t)
@@ -700,9 +665,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ rpm_read_db(prelink_cron_system_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.7.1/policy/modules/admin/readahead.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.7.3/policy/modules/admin/readahead.te
--- nsaserefpolicy/policy/modules/admin/readahead.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/admin/readahead.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/admin/readahead.te 2009-11-25 12:39:13.000000000 -0500
@@ -52,6 +52,7 @@
files_list_non_security(readahead_t)
@@ -711,9 +676,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_create_boot_flag(readahead_t)
files_getattr_all_pipes(readahead_t)
files_dontaudit_getattr_all_sockets(readahead_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.7.1/policy/modules/admin/rpm.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.7.3/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/admin/rpm.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/admin/rpm.fc 2009-11-25 12:39:13.000000000 -0500
@@ -1,18 +1,18 @@
/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -763,9 +728,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# SuSE
ifdef(`distro_suse', `
/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.7.1/policy/modules/admin/rpm.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.7.3/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/admin/rpm.if 2009-11-24 07:35:57.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/admin/rpm.if 2009-11-25 12:39:13.000000000 -0500
@@ -13,11 +13,34 @@
interface(`rpm_domtrans',`
gen_require(`
@@ -1177,9 +1142,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow $1 rpm_t:process signull;
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.7.1/policy/modules/admin/rpm.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.7.3/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/admin/rpm.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/admin/rpm.te 2009-11-25 12:39:13.000000000 -0500
@@ -15,6 +15,9 @@
domain_interactive_fd(rpm_t)
role system_r types rpm_t;
@@ -1454,9 +1419,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
java_domtrans_unconfined(rpm_script_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.fc serefpolicy-3.7.1/policy/modules/admin/shorewall.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.fc serefpolicy-3.7.3/policy/modules/admin/shorewall.fc
--- nsaserefpolicy/policy/modules/admin/shorewall.fc 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/admin/shorewall.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/admin/shorewall.fc 2009-11-25 12:39:13.000000000 -0500
@@ -4,8 +4,9 @@
/etc/shorewall(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
/etc/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
@@ -1468,9 +1433,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+/var/lib/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
/var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.if serefpolicy-3.7.1/policy/modules/admin/shorewall.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.if serefpolicy-3.7.3/policy/modules/admin/shorewall.if
--- nsaserefpolicy/policy/modules/admin/shorewall.if 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/admin/shorewall.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/admin/shorewall.if 2009-11-25 12:39:13.000000000 -0500
@@ -75,6 +75,46 @@
rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
')
@@ -1518,9 +1483,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#######################################
## <summary>
## All of the rules required to administrate
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.7.1/policy/modules/admin/shorewall.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.7.3/policy/modules/admin/shorewall.te
--- nsaserefpolicy/policy/modules/admin/shorewall.te 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/admin/shorewall.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/admin/shorewall.te 2009-11-25 12:39:13.000000000 -0500
@@ -80,6 +80,8 @@
sysnet_domtrans_ifconfig(shorewall_t)
@@ -1530,22 +1495,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
iptables_domtrans(shorewall_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.fc serefpolicy-3.7.1/policy/modules/admin/smoltclient.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.fc serefpolicy-3.7.3/policy/modules/admin/smoltclient.fc
--- nsaserefpolicy/policy/modules/admin/smoltclient.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/admin/smoltclient.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/admin/smoltclient.fc 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,4 @@
+
+/usr/share/smolt/client/sendProfile.py -- gen_context(system_u:object_r:smoltclient_exec_t,s0)
+
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.if serefpolicy-3.7.1/policy/modules/admin/smoltclient.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.if serefpolicy-3.7.3/policy/modules/admin/smoltclient.if
--- nsaserefpolicy/policy/modules/admin/smoltclient.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/admin/smoltclient.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/admin/smoltclient.if 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1 @@
+## <summary>The Fedora hardware profiler client</summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.7.1/policy/modules/admin/smoltclient.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.7.3/policy/modules/admin/smoltclient.te
--- nsaserefpolicy/policy/modules/admin/smoltclient.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/admin/smoltclient.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/admin/smoltclient.te 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,66 @@
+policy_module(smoltclient,1.0.0)
+
@@ -1613,9 +1578,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+permissive smoltclient_t;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.7.1/policy/modules/admin/sudo.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.7.3/policy/modules/admin/sudo.if
--- nsaserefpolicy/policy/modules/admin/sudo.if 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/admin/sudo.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/admin/sudo.if 2009-11-25 12:39:13.000000000 -0500
@@ -66,8 +66,8 @@
allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
allow $1_sudo_t self:unix_dgram_socket sendto;
@@ -1660,9 +1625,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.7.1/policy/modules/admin/tmpreaper.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.7.3/policy/modules/admin/tmpreaper.te
--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/admin/tmpreaper.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/admin/tmpreaper.te 2009-11-25 12:39:13.000000000 -0500
@@ -42,6 +42,7 @@
cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
@@ -1692,21 +1657,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
unconfined_domain(tmpreaper_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tzdata.te serefpolicy-3.7.1/policy/modules/admin/tzdata.te
---- nsaserefpolicy/policy/modules/admin/tzdata.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/admin/tzdata.te 2009-11-17 11:06:58.000000000 -0500
-@@ -19,6 +19,8 @@
- files_read_etc_files(tzdata_t)
- files_search_spool(tzdata_t)
-
-+fs_getattr_xattr_fs(tzdata_t)
-+
- term_dontaudit_list_ptys(tzdata_t)
-
- locallogin_dontaudit_use_fds(tzdata_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.7.1/policy/modules/admin/usermanage.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.7.3/policy/modules/admin/usermanage.if
--- nsaserefpolicy/policy/modules/admin/usermanage.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/admin/usermanage.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/admin/usermanage.if 2009-11-25 12:39:13.000000000 -0500
@@ -113,6 +113,12 @@
files_search_usr($1)
corecmd_search_bin($1)
@@ -1732,9 +1685,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
nscd_run(useradd_t, $2)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.1/policy/modules/admin/usermanage.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.3/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/admin/usermanage.te 2009-11-23 11:11:28.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/admin/usermanage.te 2009-11-25 12:39:13.000000000 -0500
@@ -82,6 +82,7 @@
selinux_compute_relabel_context(chfn_t)
selinux_compute_user_contexts(chfn_t)
@@ -1864,9 +1817,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
puppet_rw_tmp(useradd_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.7.1/policy/modules/admin/vbetool.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.7.3/policy/modules/admin/vbetool.te
--- nsaserefpolicy/policy/modules/admin/vbetool.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/admin/vbetool.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/admin/vbetool.te 2009-11-25 12:39:13.000000000 -0500
@@ -15,15 +15,20 @@
# Local policy
#
@@ -1899,9 +1852,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ xserver_exec_pid(vbetool_t)
+ xserver_write_pid(vbetool_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.7.1/policy/modules/admin/vpn.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.7.3/policy/modules/admin/vpn.te
--- nsaserefpolicy/policy/modules/admin/vpn.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/admin/vpn.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/admin/vpn.te 2009-11-25 12:39:13.000000000 -0500
@@ -46,6 +46,7 @@
kernel_read_system_state(vpnc_t)
kernel_read_network_state(vpnc_t)
@@ -1910,17 +1863,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_rw_net_sysctls(vpnc_t)
corenet_all_recvfrom_unlabeled(vpnc_t)
-@@ -98,6 +99,7 @@
- logging_dontaudit_search_logs(vpnc_t)
+@@ -105,8 +106,9 @@
+ sysnet_etc_filetrans_config(vpnc_t)
+ sysnet_manage_config(vpnc_t)
- miscfiles_read_localization(vpnc_t)
-+miscfiles_read_home_certs(vpnc_t)
+-userdom_use_all_users_fds(vpnc_t)
+ userdom_dontaudit_search_user_home_content(vpnc_t)
++userdom_read_home_certs(vpnc_t)
++userdom_use_all_users_fds(vpnc_t)
- seutil_dontaudit_search_config(vpnc_t)
- seutil_use_newrole_fds(vpnc_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/calamaris.te serefpolicy-3.7.1/policy/modules/apps/calamaris.te
+ optional_policy(`
+ dbus_system_bus_client(vpnc_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/calamaris.te serefpolicy-3.7.3/policy/modules/apps/calamaris.te
--- nsaserefpolicy/policy/modules/apps/calamaris.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/apps/calamaris.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/calamaris.te 2009-11-25 12:39:13.000000000 -0500
@@ -59,12 +59,12 @@
libs_read_lib_files(calamaris_t)
@@ -1943,15 +1899,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-optional_policy(`
- nis_use_ypbind(calamaris_t)
-')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.fc serefpolicy-3.7.1/policy/modules/apps/chrome.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.fc serefpolicy-3.7.3/policy/modules/apps/chrome.fc
--- nsaserefpolicy/policy/modules/apps/chrome.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/chrome.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/chrome.fc 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,2 @@
+
+/usr/lib(64)?/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.7.1/policy/modules/apps/chrome.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.7.3/policy/modules/apps/chrome.if
--- nsaserefpolicy/policy/modules/apps/chrome.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/chrome.if 2009-11-23 10:04:49.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/chrome.if 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,86 @@
+
+## <summary>policy for chrome</summary>
@@ -2039,9 +1995,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms;
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.1/policy/modules/apps/chrome.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.3/policy/modules/apps/chrome.te
--- nsaserefpolicy/policy/modules/apps/chrome.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/chrome.te 2009-11-23 09:56:06.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/chrome.te 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,77 @@
+policy_module(chrome,1.0.0)
+
@@ -2120,9 +2076,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ fs_dontaudit_read_cifs_files(chrome_sandbox_t)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.7.1/policy/modules/apps/cpufreqselector.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.7.3/policy/modules/apps/cpufreqselector.te
--- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/cpufreqselector.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/cpufreqselector.te 2009-11-25 12:39:13.000000000 -0500
@@ -26,7 +26,7 @@
dev_rw_sysfs(cpufreqselector_t)
@@ -2132,10 +2088,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.7.1/policy/modules/apps/execmem.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.7.3/policy/modules/apps/execmem.fc
--- nsaserefpolicy/policy/modules/apps/execmem.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/execmem.fc 2009-11-23 08:54:39.000000000 -0500
-@@ -0,0 +1,41 @@
++++ serefpolicy-3.7.3/policy/modules/apps/execmem.fc 2009-11-25 14:07:42.000000000 -0500
+@@ -0,0 +1,42 @@
+/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
@@ -2172,14 +2128,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib/wingide-[^/]+/bin/PyCore/python -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Updater -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Application -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/opt/likewise/bin/domainjoin-cli -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/opt/google/chrome/chrome -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.7.1/policy/modules/apps/execmem.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.7.3/policy/modules/apps/execmem.if
--- nsaserefpolicy/policy/modules/apps/execmem.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/execmem.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/execmem.if 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,104 @@
+## <summary>execmem domain</summary>
+
@@ -2285,9 +2242,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ domtrans_pattern($1, execmem_exec_t, $2)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.te serefpolicy-3.7.1/policy/modules/apps/execmem.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.te serefpolicy-3.7.3/policy/modules/apps/execmem.te
--- nsaserefpolicy/policy/modules/apps/execmem.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/execmem.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/execmem.te 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,11 @@
+
+policy_module(execmem, 1.0.0)
@@ -2300,23 +2257,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+type execmem_exec_t alias unconfined_execmem_exec_t;
+application_executable_file(execmem_exec_t)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.fc serefpolicy-3.7.1/policy/modules/apps/firewallgui.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.fc serefpolicy-3.7.3/policy/modules/apps/firewallgui.fc
--- nsaserefpolicy/policy/modules/apps/firewallgui.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/firewallgui.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/firewallgui.fc 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,3 @@
+
+/usr/share/system-config-firewall/system-config-firewall-mechanism.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.if serefpolicy-3.7.1/policy/modules/apps/firewallgui.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.if serefpolicy-3.7.3/policy/modules/apps/firewallgui.if
--- nsaserefpolicy/policy/modules/apps/firewallgui.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/firewallgui.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/firewallgui.if 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,3 @@
+
+## <summary>policy for firewallgui</summary>
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.7.1/policy/modules/apps/firewallgui.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.7.3/policy/modules/apps/firewallgui.te
--- nsaserefpolicy/policy/modules/apps/firewallgui.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/firewallgui.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/firewallgui.te 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,64 @@
+
+policy_module(firewallgui,1.0.0)
@@ -2382,9 +2339,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ policykit_dbus_chat(firewallgui_t)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.7.1/policy/modules/apps/gitosis.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.7.3/policy/modules/apps/gitosis.if
--- nsaserefpolicy/policy/modules/apps/gitosis.if 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/apps/gitosis.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/gitosis.if 2009-11-25 12:39:13.000000000 -0500
@@ -43,3 +43,48 @@
role $2 types gitosis_t;
')
@@ -2434,9 +2391,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ manage_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+ manage_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.7.1/policy/modules/apps/gnome.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.7.3/policy/modules/apps/gnome.fc
--- nsaserefpolicy/policy/modules/apps/gnome.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/apps/gnome.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/gnome.fc 2009-11-25 12:39:13.000000000 -0500
@@ -1,8 +1,18 @@
-HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
@@ -2458,9 +2415,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/libexec/gconf-defaults-mechanism -- gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0)
+
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.7.1/policy/modules/apps/gnome.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.7.3/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/apps/gnome.if 2009-11-19 15:02:40.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/gnome.if 2009-11-25 12:39:13.000000000 -0500
@@ -84,10 +84,183 @@
#
interface(`gnome_manage_config',`
@@ -2648,9 +2605,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ # Connect to pulseaudit server
+ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.7.1/policy/modules/apps/gnome.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.7.3/policy/modules/apps/gnome.te
--- nsaserefpolicy/policy/modules/apps/gnome.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/apps/gnome.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/gnome.te 2009-11-25 12:39:13.000000000 -0500
@@ -7,18 +7,30 @@
#
@@ -2792,9 +2749,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ policykit_read_lib(gnomesystemmm_t)
+ policykit_read_reload(gnomesystemmm_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.7.1/policy/modules/apps/gpg.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.7.3/policy/modules/apps/gpg.te
--- nsaserefpolicy/policy/modules/apps/gpg.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/gpg.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/gpg.te 2009-11-25 12:39:13.000000000 -0500
@@ -104,12 +104,19 @@
auth_use_nsswitch(gpg_t)
@@ -2839,9 +2796,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ xserver_common_app(gpg_pinentry_t)
')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.7.1/policy/modules/apps/java.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.7.3/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/apps/java.fc 2009-11-19 09:59:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/java.fc 2009-11-25 12:39:13.000000000 -0500
@@ -2,15 +2,17 @@
# /opt
#
@@ -2882,9 +2839,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+
+/usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.7.1/policy/modules/apps/java.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.7.3/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2009-08-18 11:41:14.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/apps/java.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/java.if 2009-11-25 12:39:13.000000000 -0500
@@ -30,6 +30,7 @@
allow java_t $2:unix_stream_socket connectto;
@@ -3028,9 +2985,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ xserver_role($1_r, $1_java_t)
+ ')
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.7.1/policy/modules/apps/java.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.7.3/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/java.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/java.te 2009-11-25 12:39:13.000000000 -0500
@@ -20,6 +20,8 @@
typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t };
typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
@@ -3080,21 +3037,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- unconfined_domain_noaudit(unconfined_java_t)
- unconfined_dbus_chat(unconfined_java_t)
-')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.7.1/policy/modules/apps/kdumpgui.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.7.3/policy/modules/apps/kdumpgui.fc
--- nsaserefpolicy/policy/modules/apps/kdumpgui.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/kdumpgui.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/kdumpgui.fc 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,2 @@
+
+/usr/share/system-config-kdump/system-config-kdump-backend.py -- gen_context(system_u:object_r:kdumpgui_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.7.1/policy/modules/apps/kdumpgui.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.7.3/policy/modules/apps/kdumpgui.if
--- nsaserefpolicy/policy/modules/apps/kdumpgui.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/kdumpgui.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/kdumpgui.if 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,2 @@
+## <summary>system-config-kdump policy</summary>
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.7.1/policy/modules/apps/kdumpgui.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.7.3/policy/modules/apps/kdumpgui.te
--- nsaserefpolicy/policy/modules/apps/kdumpgui.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/kdumpgui.te 2009-11-23 09:53:25.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/kdumpgui.te 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,67 @@
+policy_module(kdumpgui,1.0.0)
+
@@ -3163,15 +3120,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+permissive kdumpgui_t;
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.7.1/policy/modules/apps/livecd.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.7.3/policy/modules/apps/livecd.fc
--- nsaserefpolicy/policy/modules/apps/livecd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/livecd.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/livecd.fc 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,2 @@
+
+/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.7.1/policy/modules/apps/livecd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.7.3/policy/modules/apps/livecd.if
--- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/livecd.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/livecd.if 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,52 @@
+
+## <summary>policy for livecd</summary>
@@ -3225,9 +3182,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ usermanage_run_chfn(livecd_t, $2)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.7.1/policy/modules/apps/livecd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.7.3/policy/modules/apps/livecd.te
--- nsaserefpolicy/policy/modules/apps/livecd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/livecd.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/livecd.te 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,27 @@
+policy_module(livecd, 1.0.0)
+
@@ -3256,9 +3213,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+seutil_domtrans_setfiles_mac(livecd_t)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.7.1/policy/modules/apps/loadkeys.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.7.3/policy/modules/apps/loadkeys.te
--- nsaserefpolicy/policy/modules/apps/loadkeys.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/apps/loadkeys.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/loadkeys.te 2009-11-25 12:42:30.000000000 -0500
@@ -40,8 +40,12 @@
miscfiles_read_localization(loadkeys_t)
@@ -3271,17 +3228,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
+
+ifdef(`hide_broken_symptoms',`
-+ dev_dontaudit_rw_lvm_control_dev(loadkeys_t)
++ dev_dontaudit_rw_lvm_control(loadkeys_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.fc serefpolicy-3.7.1/policy/modules/apps/mono.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.fc serefpolicy-3.7.3/policy/modules/apps/mono.fc
--- nsaserefpolicy/policy/modules/apps/mono.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/apps/mono.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/mono.fc 2009-11-25 12:39:13.000000000 -0500
@@ -1 +1 @@
-/usr/bin/mono -- gen_context(system_u:object_r:mono_exec_t,s0)
+/usr/bin/mono.* -- gen_context(system_u:object_r:mono_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.7.1/policy/modules/apps/mono.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.7.3/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/apps/mono.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/mono.if 2009-11-25 12:39:13.000000000 -0500
@@ -21,6 +21,105 @@
########################################
@@ -3397,9 +3354,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
corecmd_search_bin($1)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.7.1/policy/modules/apps/mono.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.7.3/policy/modules/apps/mono.te
--- nsaserefpolicy/policy/modules/apps/mono.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/apps/mono.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/mono.te 2009-11-25 12:39:13.000000000 -0500
@@ -15,7 +15,7 @@
# Local policy
#
@@ -3423,9 +3380,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ xserver_rw_shm(mono_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.7.1/policy/modules/apps/mozilla.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.7.3/policy/modules/apps/mozilla.fc
--- nsaserefpolicy/policy/modules/apps/mozilla.fc 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/apps/mozilla.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/mozilla.fc 2009-11-25 12:39:13.000000000 -0500
@@ -1,6 +1,7 @@
HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -3434,9 +3391,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.7.1/policy/modules/apps/mozilla.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.7.3/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/apps/mozilla.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/mozilla.if 2009-11-25 12:39:13.000000000 -0500
@@ -45,6 +45,18 @@
relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
@@ -3526,9 +3483,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Run mozilla in the mozilla domain.
## </summary>
## <param name="domain">
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.7.1/policy/modules/apps/mozilla.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.7.3/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/apps/mozilla.te 2009-11-20 08:13:05.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/mozilla.te 2009-11-25 12:58:28.000000000 -0500
@@ -59,6 +59,7 @@
manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
@@ -3570,7 +3527,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(mozilla_t)
-+miscfiles_dontaudit_setattr_fonts(mozilla_t)
++miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
miscfiles_read_fonts(mozilla_t)
miscfiles_read_localization(mozilla_t)
@@ -3614,9 +3571,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
thunderbird_domtrans(mozilla_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.7.1/policy/modules/apps/nsplugin.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.7.3/policy/modules/apps/nsplugin.fc
--- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/nsplugin.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/nsplugin.fc 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,11 @@
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
@@ -3629,9 +3586,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0)
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.7.1/policy/modules/apps/nsplugin.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.7.3/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/nsplugin.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/nsplugin.if 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,323 @@
+
+## <summary>policy for nsplugin</summary>
@@ -3956,9 +3913,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.1/policy/modules/apps/nsplugin.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.3/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/nsplugin.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/nsplugin.te 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,295 @@
+
+policy_module(nsplugin, 1.0.0)
@@ -4255,16 +4212,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.7.1/policy/modules/apps/openoffice.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.7.3/policy/modules/apps/openoffice.fc
--- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/openoffice.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/openoffice.fc 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,3 @@
+/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
+/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.7.1/policy/modules/apps/openoffice.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.7.3/policy/modules/apps/openoffice.if
--- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/openoffice.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/openoffice.if 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,93 @@
+## <summary>Openoffice</summary>
+
@@ -4359,9 +4316,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ xserver_common_x_domain_template($1, $1_openoffice_t)
+ ')
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.7.1/policy/modules/apps/openoffice.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.7.3/policy/modules/apps/openoffice.te
--- nsaserefpolicy/policy/modules/apps/openoffice.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/openoffice.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/openoffice.te 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,11 @@
+
+policy_module(openoffice, 1.0.0)
@@ -4374,9 +4331,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+type openoffice_t;
+type openoffice_exec_t;
+application_domain(openoffice_t, openoffice_exec_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.7.1/policy/modules/apps/podsleuth.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.7.3/policy/modules/apps/podsleuth.te
--- nsaserefpolicy/policy/modules/apps/podsleuth.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/apps/podsleuth.te 2009-11-24 18:08:28.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/podsleuth.te 2009-11-25 12:39:13.000000000 -0500
@@ -66,11 +66,14 @@
fs_search_dos(podsleuth_t)
fs_getattr_tmpfs(podsleuth_t)
@@ -4392,9 +4349,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
dbus_system_bus_client(podsleuth_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.7.1/policy/modules/apps/ptchown.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.7.3/policy/modules/apps/ptchown.if
--- nsaserefpolicy/policy/modules/apps/ptchown.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/apps/ptchown.if 2009-11-24 14:56:10.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/ptchown.if 2009-11-25 12:39:13.000000000 -0500
@@ -18,3 +18,27 @@
domtrans_pattern($1, ptchown_exec_t, ptchown_t)
')
@@ -4423,9 +4380,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ptchown_domtrans($1)
+ role $2 types ptchown_t;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.1/policy/modules/apps/pulseaudio.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.3/policy/modules/apps/pulseaudio.if
--- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/apps/pulseaudio.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/pulseaudio.if 2009-11-25 12:39:13.000000000 -0500
@@ -40,7 +40,7 @@
userdom_manage_tmpfs_role($1, pulseaudio_t)
@@ -4435,9 +4392,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.1/policy/modules/apps/pulseaudio.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.3/policy/modules/apps/pulseaudio.te
--- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/pulseaudio.te 2009-11-19 14:58:11.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/pulseaudio.te 2009-11-25 12:39:13.000000000 -0500
@@ -18,7 +18,7 @@
allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull };
@@ -4490,17 +4447,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
xserver_read_xdm_lib_files(pulseaudio_t)
+ xserver_common_app(pulseaudio_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.7.1/policy/modules/apps/qemu.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.7.3/policy/modules/apps/qemu.fc
--- nsaserefpolicy/policy/modules/apps/qemu.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/apps/qemu.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/qemu.fc 2009-11-25 12:39:13.000000000 -0500
@@ -1,2 +1,2 @@
-/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
-/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.7.1/policy/modules/apps/qemu.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.7.3/policy/modules/apps/qemu.if
--- nsaserefpolicy/policy/modules/apps/qemu.if 2009-08-31 13:44:40.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/apps/qemu.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/qemu.if 2009-11-25 12:39:13.000000000 -0500
@@ -40,6 +40,10 @@
qemu_domtrans($1)
@@ -4701,9 +4658,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.7.1/policy/modules/apps/qemu.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.7.3/policy/modules/apps/qemu.te
--- nsaserefpolicy/policy/modules/apps/qemu.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/qemu.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/qemu.te 2009-11-25 12:39:13.000000000 -0500
@@ -13,15 +13,46 @@
## </desc>
gen_tunable(qemu_full_network, false)
@@ -4811,20 +4768,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ role unconfined_r types qemu_unconfined_t;
allow qemu_unconfined_t self:process { execstack execmem };
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.7.1/policy/modules/apps/sambagui.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.7.3/policy/modules/apps/sambagui.fc
--- nsaserefpolicy/policy/modules/apps/sambagui.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/sambagui.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/sambagui.fc 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1 @@
+/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.7.1/policy/modules/apps/sambagui.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.7.3/policy/modules/apps/sambagui.if
--- nsaserefpolicy/policy/modules/apps/sambagui.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/sambagui.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/sambagui.if 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,2 @@
+## <summary>system-config-samba policy</summary>
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.7.1/policy/modules/apps/sambagui.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.7.3/policy/modules/apps/sambagui.te
--- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/sambagui.te 2009-11-23 10:38:27.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/sambagui.te 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,60 @@
+policy_module(sambagui,1.0.0)
+
@@ -4886,15 +4843,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ policykit_dbus_chat(sambagui_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.7.1/policy/modules/apps/sandbox.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.7.3/policy/modules/apps/sandbox.fc
--- nsaserefpolicy/policy/modules/apps/sandbox.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/sandbox.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/sandbox.fc 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1 @@
+# No types are sandbox_exec_t
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.1/policy/modules/apps/sandbox.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.3/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/sandbox.if 2009-11-18 16:21:19.000000000 -0500
-@@ -0,0 +1,187 @@
++++ serefpolicy-3.7.3/policy/modules/apps/sandbox.if 2009-11-25 15:14:52.000000000 -0500
+@@ -0,0 +1,188 @@
+
+## <summary>policy for sandbox</summary>
+
@@ -4937,6 +4894,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ dontaudit sandbox_xserver_t $1:fifo_file rw_fifo_file_perms;
+ dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms;
+ dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms;
++ allow sandbox_xserver_t $1:unix_stream_socket { read write };
+
+ allow sandbox_x_domain $1:process { sigchld signal };
+ allow sandbox_x_domain sandbox_x_domain:process signal;
@@ -5018,7 +4976,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ manage_sock_files_pattern($1_t, $1_file_t, $1_file_t)
+
+ # window manager
-+ miscfiles_setattr_fonts($1_t)
++ miscfiles_setattr_fonts_dirs($1_t)
+ allow $1_t self:capability setuid;
+
+ type $1_client_t, sandbox_x_domain;
@@ -5082,9 +5040,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.1/policy/modules/apps/sandbox.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.3/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/sandbox.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/sandbox.te 2009-11-25 12:59:23.000000000 -0500
@@ -0,0 +1,331 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
@@ -5252,7 +5210,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+init_dontaudit_write_utmp(sandbox_x_domain)
+
+miscfiles_read_localization(sandbox_x_domain)
-+miscfiles_dontaudit_setattr_fonts(sandbox_x_domain)
++miscfiles_dontaudit_setattr_fonts_dirs(sandbox_x_domain)
+
+term_getattr_pty_fs(sandbox_x_domain)
+term_use_ptmx(sandbox_x_domain)
@@ -5417,9 +5375,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ hal_dbus_chat(sandbox_net_client_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.7.1/policy/modules/apps/screen.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.7.3/policy/modules/apps/screen.if
--- nsaserefpolicy/policy/modules/apps/screen.if 2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/screen.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/screen.if 2009-11-25 12:39:13.000000000 -0500
@@ -80,6 +80,11 @@
relabel_files_pattern($3, screen_home_t, screen_home_t)
relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
@@ -5432,9 +5390,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_system_state($1_screen_t)
kernel_read_kernel_sysctls($1_screen_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.fc serefpolicy-3.7.1/policy/modules/apps/sectoolm.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.fc serefpolicy-3.7.3/policy/modules/apps/sectoolm.fc
--- nsaserefpolicy/policy/modules/apps/sectoolm.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/sectoolm.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/sectoolm.fc 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,6 @@
+
+/usr/libexec/sectool-mechanism\.py -- gen_context(system_u:object_r:sectoolm_exec_t,s0)
@@ -5442,16 +5400,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0)
+
+/var/log/sectool\.log -- gen_context(system_u:object_r:sectool_var_log_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.if serefpolicy-3.7.1/policy/modules/apps/sectoolm.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.if serefpolicy-3.7.3/policy/modules/apps/sectoolm.if
--- nsaserefpolicy/policy/modules/apps/sectoolm.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/sectoolm.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/sectoolm.if 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,3 @@
+
+## <summary>policy for sectool-mechanism</summary>
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.te serefpolicy-3.7.1/policy/modules/apps/sectoolm.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.te serefpolicy-3.7.3/policy/modules/apps/sectoolm.te
--- nsaserefpolicy/policy/modules/apps/sectoolm.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/sectoolm.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/sectoolm.te 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,120 @@
+
+policy_module(sectoolm,1.0.0)
@@ -5573,9 +5531,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.1/policy/modules/apps/seunshare.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.3/policy/modules/apps/seunshare.if
--- nsaserefpolicy/policy/modules/apps/seunshare.if 2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/seunshare.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/seunshare.if 2009-11-25 12:39:13.000000000 -0500
@@ -41,6 +41,16 @@
seunshare_domtrans($1)
@@ -5593,9 +5551,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.1/policy/modules/apps/seunshare.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.3/policy/modules/apps/seunshare.te
--- nsaserefpolicy/policy/modules/apps/seunshare.te 2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/seunshare.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/seunshare.te 2009-11-25 12:39:13.000000000 -0500
@@ -15,9 +15,8 @@
#
# seunshare local policy
@@ -5624,9 +5582,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ mozilla_dontaudit_manage_user_home_files(seunshare_t)
+ ')
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.7.1/policy/modules/apps/vmware.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.7.3/policy/modules/apps/vmware.te
--- nsaserefpolicy/policy/modules/apps/vmware.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/apps/vmware.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/vmware.te 2009-11-25 12:39:13.000000000 -0500
@@ -157,6 +157,7 @@
optional_policy(`
xserver_read_tmp_files(vmware_host_t)
@@ -5635,9 +5593,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
ifdef(`TODO',`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.7.1/policy/modules/apps/wine.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.7.3/policy/modules/apps/wine.fc
--- nsaserefpolicy/policy/modules/apps/wine.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/apps/wine.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/wine.fc 2009-11-25 12:39:13.000000000 -0500
@@ -1,4 +1,22 @@
-/usr/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
+/usr/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
@@ -5664,9 +5622,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-/opt/cxoffice/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
-/opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.7.1/policy/modules/apps/wine.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.7.3/policy/modules/apps/wine.if
--- nsaserefpolicy/policy/modules/apps/wine.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/apps/wine.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/wine.if 2009-11-25 12:39:13.000000000 -0500
@@ -43,3 +43,118 @@
wine_domtrans($1)
role $2 types wine_t;
@@ -5786,9 +5744,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ xserver_role($1_r, $1_wine_t)
+ ')
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.7.1/policy/modules/apps/wine.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.7.3/policy/modules/apps/wine.te
--- nsaserefpolicy/policy/modules/apps/wine.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/apps/wine.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/apps/wine.te 2009-11-25 12:39:13.000000000 -0500
@@ -9,20 +9,46 @@
type wine_t;
type wine_exec_t;
@@ -5840,33 +5798,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ xserver_common_app(wine_t)
+ xserver_rw_shm(wine_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.1/policy/modules/kernel/corecommands.fc
---- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-07-30 13:09:10.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/kernel/corecommands.fc 2009-11-17 11:06:58.000000000 -0500
-@@ -54,6 +54,7 @@
- /etc/cron.weekly/.* -- gen_context(system_u:object_r:bin_t,s0)
- /etc/cron.monthly/.* -- gen_context(system_u:object_r:bin_t,s0)
-
-+/etc/dhcp/dhclient\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0)
- /etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0)
- /etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0)
-@@ -125,6 +126,7 @@
- /sbin/.* gen_context(system_u:object_r:bin_t,s0)
- /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
- /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
-+/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
-
- #
- # /opt
-@@ -135,13 +137,15 @@
-
- /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
--/opt/real/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0)
- ifdef(`distro_gentoo',`
- /opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0)
- /opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.3/policy/modules/kernel/corecommands.fc
+--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-11-25 11:47:19.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/kernel/corecommands.fc 2009-11-25 12:39:13.000000000 -0500
+@@ -144,6 +144,9 @@
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -5876,34 +5811,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#
# /usr
#
-@@ -211,6 +215,8 @@
- /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -221,6 +227,9 @@
- /usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -263,6 +272,7 @@
- /usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/system-config-httpd/system-config-httpd -- gen_context(system_u:object_r:bin_t,s0)
-@@ -315,3 +325,21 @@
+@@ -323,3 +326,21 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -5925,9 +5833,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.1/policy/modules/kernel/corecommands.if
---- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/kernel/corecommands.if 2009-11-17 11:06:58.000000000 -0500
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.3/policy/modules/kernel/corecommands.if
+--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-11-25 11:47:19.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/kernel/corecommands.if 2009-11-25 12:39:13.000000000 -0500
@@ -893,6 +893,7 @@
read_lnk_files_pattern($1, bin_t, bin_t)
@@ -5970,9 +5878,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_files_pattern($1, bin_t, exec_type)
manage_lnk_files_pattern($1, bin_t, bin_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.1/policy/modules/kernel/corenetwork.te.in
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.3/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/kernel/corenetwork.te.in 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/kernel/corenetwork.te.in 2009-11-25 13:13:55.000000000 -0500
@@ -65,6 +65,7 @@
type server_packet_t, packet_type, server_packet_type;
@@ -5990,7 +5898,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(audit, tcp,60,s0)
network_port(auth, tcp,113,s0)
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
-@@ -87,26 +88,33 @@
+@@ -87,32 +88,41 @@
network_port(comsat, udp,512,s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0)
@@ -6027,7 +5935,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
-@@ -129,7 +137,7 @@
+ network_port(innd, tcp,119,s0)
+ network_port(ipmi, udp,623,s0, udp,664,s0)
+ network_port(ipp, tcp,631,s0, udp,631,s0)
++portcon tcp 8610-8614 gen_context(system_u:object_r:ipp_port_t, s0)
++portcon udp 8610-8614 gen_context(system_u:object_r:ipp_port_t, s0)
+ network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
+ network_port(ircd, tcp,6667,s0)
+ network_port(isakmp, udp,500,s0)
+@@ -129,7 +139,7 @@
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
network_port(lmtp, tcp,24,s0, udp,24,s0)
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
@@ -6036,7 +5952,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(memcache, tcp,11211,s0, udp,11211,s0)
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
network_port(monopd, tcp,1234,s0)
-@@ -138,7 +146,7 @@
+@@ -138,7 +148,7 @@
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
network_port(nessus, tcp,1241,s0)
@@ -6045,7 +5961,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(nmbd, udp,137,s0, udp,138,s0)
network_port(ntp, udp,123,s0)
network_port(ocsp, tcp,9080,s0)
-@@ -147,12 +155,19 @@
+@@ -147,12 +157,19 @@
network_port(pegasus_https, tcp,5989,s0)
network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
network_port(pingd, tcp,9125,s0)
@@ -6065,7 +5981,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
-@@ -172,29 +187,37 @@
+@@ -172,29 +189,37 @@
network_port(rsync, tcp,873,s0, udp,873,s0)
network_port(rwho, udp,513,s0)
network_port(sap, tcp,9875,s0, udp,9875,s0)
@@ -6107,7 +6023,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(xdmcp, udp,177,s0, tcp,177,s0)
network_port(xen, tcp,8002,s0)
network_port(xfs, tcp,7100,s0)
-@@ -223,6 +246,8 @@
+@@ -223,6 +248,8 @@
type node_t, node_type;
sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh)
@@ -6116,137 +6032,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# network_node examples:
#network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255)
#network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.1/policy/modules/kernel/devices.fc
---- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-11-20 10:51:41.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/kernel/devices.fc 2009-11-17 11:06:58.000000000 -0500
-@@ -63,12 +63,10 @@
- /dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0)
- /dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0)
- /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0)
--/dev/modem -c gen_context(system_u:object_r:modem_device_t,s0)
- /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0)
- /dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0)
- /dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0)
- /dev/network_throughput -c gen_context(system_u:object_r:netcontrol_device_t,s0)
--/dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0)
- /dev/null -c gen_context(system_u:object_r:null_device_t,s0)
- /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
- /dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
-@@ -107,7 +105,6 @@
- ')
- /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
- /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
--/dev/vga_arbiter -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
- /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0)
- /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0)
- /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0)
-@@ -145,8 +142,11 @@
-
- /dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0)
-
-+/dev/modem -c gen_context(system_u:object_r:modem_device_t,s0)
- /dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-
-+/dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0)
-+
- /dev/pts(/.*)? <<none>>
-
- /dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0)
-@@ -154,6 +154,8 @@
- /dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0)
- /dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0)
-
-+/dev/vga_arbiter -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-+
- /dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0)
- /dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
- /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.1/policy/modules/kernel/devices.if
---- nsaserefpolicy/policy/modules/kernel/devices.if 2009-11-20 10:51:41.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/kernel/devices.if 2009-11-17 11:06:58.000000000 -0500
-@@ -1927,7 +1927,7 @@
-
- ########################################
- ## <summary>
--## Do not audit attempts to read and write lvm control device.
-+## Delete the lvm control device.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -1935,17 +1935,17 @@
- ## </summary>
- ## </param>
- #
--interface(`dev_dontaudit_rw_lvm_control',`
-+interface(`dev_delete_lvm_control_dev',`
- gen_require(`
-- type lvm_control_t;
-+ type device_t, lvm_control_t;
- ')
-
-- dontaudit $1 lvm_control_t:chr_file rw_file_perms;
-+ delete_chr_files_pattern($1, device_t, lvm_control_t)
- ')
-
- ########################################
- ## <summary>
--## Delete the lvm control device.
-+## Do not audit attempts to read and write lvm control device.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -1953,14 +1953,15 @@
- ## </summary>
- ## </param>
- #
--interface(`dev_delete_lvm_control_dev',`
-+interface(`dev_dontaudit_rw_lvm_control_dev',`
- gen_require(`
-- type device_t, lvm_control_t;
-+ type lvm_control_t;
- ')
-
-- delete_chr_files_pattern($1, device_t, lvm_control_t)
-+ dontaudit $1 lvm_control_t:chr_file rw_file_perms;
- ')
-
-+
- ########################################
- ## <summary>
- ## dontaudit getattr raw memory devices (e.g. /dev/mem).
-@@ -2535,7 +2536,8 @@
- type device_t, null_device_t;
- ')
-
-- delete_chr_files_pattern($1, device_t, null_device_t)
-+ allow $1 device_t:dir del_entry_dir_perms;
-+ allow $1 null_device_t:chr_file unlink;
- ')
-
- ########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.1/policy/modules/kernel/devices.te
---- nsaserefpolicy/policy/modules/kernel/devices.te 2009-11-20 10:51:41.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/kernel/devices.te 2009-11-17 11:06:58.000000000 -0500
-@@ -1,5 +1,5 @@
-
--policy_module(devices, 1.9.1)
-+policy_module(devices, 1.9.0)
-
- ########################################
- #
-@@ -84,7 +84,8 @@
- dev_node(kmsg_device_t)
-
- #
--# ksm_device_t is the type of /dev/ksm
-+# ksm_device_t is the type of
-+# /dev/ksm
- #
- type ksm_device_t;
- dev_node(ksm_device_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.1/policy/modules/kernel/domain.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.3/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/kernel/domain.if 2009-11-23 17:52:48.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/kernel/domain.if 2009-11-25 12:39:13.000000000 -0500
@@ -44,34 +44,6 @@
interface(`domain_type',`
# start with basic domain
@@ -6476,9 +6264,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ dontaudit $1 domain:socket_class_set { read write };
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.1/policy/modules/kernel/domain.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.3/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/kernel/domain.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/kernel/domain.te 2009-11-25 12:39:13.000000000 -0500
@@ -5,6 +5,13 @@
#
# Declarations
@@ -6621,9 +6409,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ userdom_relabelto_user_home_dirs(polydomain)
+ userdom_relabelto_user_home_files(polydomain)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.7.1/policy/modules/kernel/files.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.7.3/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/kernel/files.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/kernel/files.fc 2009-11-25 12:39:13.000000000 -0500
@@ -18,6 +18,7 @@
/fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
/halt -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -6641,9 +6429,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.1/policy/modules/kernel/files.if
---- nsaserefpolicy/policy/modules/kernel/files.if 2009-11-12 13:24:12.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/kernel/files.if 2009-11-23 11:26:11.000000000 -0500
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.3/policy/modules/kernel/files.if
+--- nsaserefpolicy/policy/modules/kernel/files.if 2009-11-25 11:47:19.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/kernel/files.if 2009-11-25 12:39:13.000000000 -0500
@@ -932,10 +932,8 @@
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -6657,34 +6445,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
-@@ -1154,6 +1152,26 @@
- allow $1 file_type:filesystem unmount;
- ')
-
-+########################################
-+## <summary>
-+## Read config files in /etc.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_read_config_files',`
-+ gen_require(`
-+ attribute configfile;
-+ ')
-+
-+ allow $1 configfile:dir list_dir_perms;
-+ read_files_pattern($1, configfile, configfile)
-+ read_lnk_files_pattern($1, configfile, configfile)
-+')
-+
- #############################################
- ## <summary>
- ## Manage all configuration directories on filesystem
-@@ -1411,6 +1429,24 @@
+@@ -1431,6 +1429,24 @@
########################################
## <summary>
@@ -6709,59 +6470,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Remove entries from the root directory.
## </summary>
## <param name="domain">
-@@ -1567,6 +1603,25 @@
-
- ########################################
- ## <summary>
-+## read files in the /boot directory.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`files_read_boot_files',`
-+ gen_require(`
-+ type boot_t;
-+ ')
-+
-+ manage_files_pattern($1, boot_t, boot_t)
-+')
-+
-+########################################
-+## <summary>
- ## Create, read, write, and delete files
- ## in the /boot directory.
- ## </summary>
-@@ -1795,6 +1850,25 @@
-
- ########################################
- ## <summary>
-+## Manage a filesystem on a directory with the default file type.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_manage_default',`
-+ gen_require(`
-+ type default_t;
-+ ')
-+
-+ manage_dirs_pattern($1, default_t, default_t)
-+ manage_files_pattern($1, default_t, default_t)
-+')
-+
-+########################################
-+## <summary>
- ## Mount a filesystem on a directory with the default file type.
- ## </summary>
- ## <param name="domain">
-@@ -2030,6 +2104,8 @@
+@@ -2107,6 +2123,8 @@
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
@@ -6770,7 +6479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -2517,6 +2593,11 @@
+@@ -2594,6 +2612,11 @@
')
delete_files_pattern($1, file_t, file_t)
@@ -6782,7 +6491,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -3419,6 +3500,32 @@
+@@ -3496,6 +3519,32 @@
########################################
## <summary>
@@ -6815,32 +6524,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
-@@ -3548,6 +3655,24 @@
-
- ########################################
- ## <summary>
-+## List all tmp directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_list_all_tmp',`
-+ gen_require(`
-+ attribute tmpfile;
-+ ')
-+
-+ allow $1 tmppfile:dir list_dir_perms;
-+')
-+
-+########################################
-+## <summary>
- ## Read all tmp files.
- ## </summary>
- ## <param name="domain">
-@@ -3614,6 +3739,8 @@
+@@ -3709,6 +3758,8 @@
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -6849,7 +6533,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -3722,7 +3849,12 @@
+@@ -3817,7 +3868,12 @@
type usr_t;
')
@@ -6863,7 +6547,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -3761,6 +3893,7 @@
+@@ -3856,6 +3912,7 @@
allow $1 usr_t:dir list_dir_perms;
read_files_pattern($1, usr_t, usr_t)
read_lnk_files_pattern($1, usr_t, usr_t)
@@ -6871,7 +6555,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -4405,6 +4538,24 @@
+@@ -4500,6 +4557,24 @@
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -6896,7 +6580,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -4785,6 +4936,24 @@
+@@ -4880,6 +4955,24 @@
########################################
## <summary>
@@ -6921,7 +6605,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to write to daemon runtime data files.
## </summary>
## <param name="domain">
-@@ -4906,6 +5075,24 @@
+@@ -5001,6 +5094,24 @@
########################################
## <summary>
@@ -6946,16 +6630,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Search the contents of generic spool
## directories (/var/spool).
## </summary>
-@@ -5072,7 +5259,7 @@
- selinux_compute_member($1)
-
- # Need sys_admin capability for mounting
-- allow $1 self:capability { chown fsetid sys_admin };
-+ allow $1 self:capability { chown fsetid sys_admin fowner };
-
- # Need to give access to the directories to be polyinstantiated
- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
-@@ -5094,12 +5281,15 @@
+@@ -5189,12 +5300,15 @@
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
@@ -6972,7 +6647,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -5120,3 +5310,173 @@
+@@ -5215,3 +5329,173 @@
typeattribute $1 files_unconfined_type;
')
@@ -7146,9 +6821,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ')
+ allow $1 file_type:file entrypoint;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.7.1/policy/modules/kernel/files.te
---- nsaserefpolicy/policy/modules/kernel/files.te 2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/kernel/files.te 2009-11-17 11:06:58.000000000 -0500
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.7.3/policy/modules/kernel/files.te
+--- nsaserefpolicy/policy/modules/kernel/files.te 2009-11-25 11:47:19.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/kernel/files.te 2009-11-25 12:39:13.000000000 -0500
@@ -43,6 +43,7 @@
#
type boot_t;
@@ -7157,15 +6832,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# default_t is the default type for files that do not
# match any specification in the file_contexts configuration
-@@ -53,7 +54,7 @@
- #
- # etc_t is the type of the system etc directories.
- #
--type etc_t;
-+type etc_t, configfile;
- files_type(etc_t)
- # compatibility aliases for removed types:
- typealias etc_t alias automount_etc_t;
@@ -194,6 +195,7 @@
fs_associate_noxattr(file_type)
fs_associate_tmpfs(file_type)
@@ -7174,122 +6840,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.7.1/policy/modules/kernel/filesystem.fc
---- nsaserefpolicy/policy/modules/kernel/filesystem.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/kernel/filesystem.fc 2009-11-17 11:06:58.000000000 -0500
-@@ -1 +1 @@
--# This module currently does not have any file contexts.
-+/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.1/policy/modules/kernel/filesystem.if
---- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/kernel/filesystem.if 2009-11-18 07:50:05.000000000 -0500
-@@ -290,7 +290,7 @@
-
- ########################################
- ## <summary>
--## Read and write files on anon_inodefs
-+## Dontaudit Read and write files on anon_inodefs
- ## file systems.
- ## </summary>
- ## <param name="domain">
-@@ -310,6 +310,26 @@
-
- ########################################
- ## <summary>
-+## Dontaudit Read and write files on anon_inodefs
-+## file systems.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`fs_dontaudit_rw_anon_inodefs_files',`
-+ gen_require(`
-+ type anon_inodefs_t;
-+
-+ ')
-+
-+ dontaudit $1 anon_inodefs_t:file { read write };
-+')
-+
-+########################################
-+## <summary>
- ## Mount an automount pseudo filesystem.
- ## </summary>
- ## <param name="domain">
-@@ -1149,6 +1169,44 @@
- domain_auto_transition_pattern($1, cifs_t, $2)
- ')
-
-+#######################################
-+## <summary>
-+## Create, read, write, and delete dirs
-+## on a configfs filesystem.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`fs_manage_configfs_dirs',`
-+ gen_require(`
-+ type configfs_t;
-+ ')
-+
-+ manage_dirs_pattern($1,configfs_t,configfs_t)
-+')
-+
-+#######################################
-+## <summary>
-+## Create, read, write, and delete files
-+## on a configfs filesystem.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`fs_manage_configfs_files',`
-+ gen_require(`
-+ type configfs_t;
-+ ')
-+
-+ manage_files_pattern($1,configfs_t,configfs_t)
-+')
-+
- ########################################
- ## <summary>
- ## Mount a DOS filesystem, such as
-@@ -1537,6 +1595,24 @@
-
- ########################################
- ## <summary>
-+## Allow the type to associate to hugetlbfs filesystems.
-+## </summary>
-+## <param name="type">
-+## <summary>
-+## The type of the object to be associated.
-+## </summary>
-+## </param>
-+#
-+interface(`fs_associate_hugetlbfs',`
-+ gen_require(`
-+ type hugetlbfs_t;
-+ ')
-+
-+ allow $1 hugetlbfs_t:filesystem associate;
-+')
-+
-+########################################
-+## <summary>
- ## Search inotifyfs filesystem.
- ## </summary>
- ## <param name="domain">
-@@ -1993,6 +2069,25 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.3/policy/modules/kernel/filesystem.if
+--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-11-25 11:47:19.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/kernel/filesystem.if 2009-11-25 12:39:13.000000000 -0500
+@@ -2069,6 +2069,25 @@
read_lnk_files_pattern($1, nfs_t, nfs_t)
')
@@ -7315,50 +6869,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#########################################
## <summary>
## Read named sockets on a NFS filesystem.
-@@ -2542,6 +2637,42 @@
-
- ########################################
- ## <summary>
-+## List NFS server directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`fs_list_nfsd_fs',`
-+ gen_require(`
-+ type nfsd_fs_t;
-+ ')
-+
-+ allow $1 nfsd_fs_t:dir list_dir_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Getattr files on an nfsd filesystem
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`fs_getattr_nfsd_files',`
-+ gen_require(`
-+ type nfsd_fs_t;
-+ ')
-+
-+ allow $1 nfsd_fs_t:file getattr;
-+')
-+
-+########################################
-+## <summary>
- ## Read and write NFS server files.
- ## </summary>
- ## <param name="domain">
-@@ -3971,3 +4102,122 @@
+@@ -4181,3 +4200,22 @@
relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
')
@@ -7381,109 +6892,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ dontaudit $1 cifs_t:dir list_dir_perms;
+')
-+
-+
-+########################################
-+## <summary>
-+## Mount a XENFS filesystem.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`fs_mount_xenfs',`
-+ gen_require(`
-+ type xenfs_t;
-+ ')
-+
-+ allow $1 xenfs_t:filesystem mount;
-+')
-+
-+########################################
-+## <summary>
-+## Create, read, write, and delete directories
-+## on a XENFS filesystem.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`fs_manage_xenfs_dirs',`
-+ gen_require(`
-+ type xenfs_t;
-+ ')
-+
-+ allow $1 xenfs_t:dir manage_dir_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Do not audit attempts to create, read,
-+## write, and delete directories
-+## on a XENFS filesystem.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`fs_dontaudit_manage_xenfs_dirs',`
-+ gen_require(`
-+ type xenfs_t;
-+ ')
-+
-+ dontaudit $1 xenfs_t:dir manage_dir_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Create, read, write, and delete files
-+## on a XENFS filesystem.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`fs_manage_xenfs_files',`
-+ gen_require(`
-+ type xenfs_t;
-+ ')
-+
-+ manage_files_pattern($1, xenfs_t, xenfs_t)
-+')
-+
-+########################################
-+## <summary>
-+## Do not audit attempts to create,
-+## read, write, and delete files
-+## on a XENFS filesystem.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`fs_dontaudit_manage_xenfs_files',`
-+ gen_require(`
-+ type xenfs_t;
-+ ')
-+
-+ dontaudit $1 xenfs_t:file manage_file_perms;
-+')
-+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.1/policy/modules/kernel/filesystem.te
---- nsaserefpolicy/policy/modules/kernel/filesystem.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/kernel/filesystem.te 2009-11-17 11:06:58.000000000 -0500
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.3/policy/modules/kernel/filesystem.te
+--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2009-11-25 11:47:19.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/kernel/filesystem.te 2009-11-25 12:39:13.000000000 -0500
@@ -29,6 +29,7 @@
fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
@@ -7492,17 +6903,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
-@@ -93,7 +94,9 @@
+@@ -93,6 +94,8 @@
type hugetlbfs_t;
fs_type(hugetlbfs_t)
files_mountpoint(hugetlbfs_t)
--genfscon hugetlbfs / gen_context(system_u:object_r:hugetlbfs_t,s0)
+files_type(hugetlbfs_t)
+files_poly_parent(hugetlbfs_t)
-+fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
+ fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
type ibmasmfs_t;
- fs_type(ibmasmfs_t)
@@ -171,6 +174,7 @@
fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0);
fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0);
@@ -7511,7 +6920,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow tmpfs_t noxattrfs:filesystem associate;
-@@ -200,6 +204,7 @@
+@@ -205,6 +209,7 @@
#
type dosfs_t;
fs_noxattr_type(dosfs_t)
@@ -7519,7 +6928,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow dosfs_t fs_t:filesystem associate;
genfscon fat / gen_context(system_u:object_r:dosfs_t,s0)
genfscon hfs / gen_context(system_u:object_r:dosfs_t,s0)
-@@ -223,6 +228,7 @@
+@@ -216,6 +221,7 @@
+
+ type fusefs_t;
+ fs_noxattr_type(fusefs_t)
++files_mountpoint(fusefs_t)
+ allow fusefs_t self:filesystem associate;
+ allow fusefs_t fs_t:filesystem associate;
+ genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
+@@ -228,6 +234,7 @@
#
type iso9660_t;
fs_noxattr_type(iso9660_t)
@@ -7527,93 +6944,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
genfscon iso9660 / gen_context(system_u:object_r:iso9660_t,s0)
genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
-@@ -250,9 +256,13 @@
- genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
- genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
- genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
--genfscon xenfs / gen_context(system_u:object_r:nfs_t,s0)
- genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
-
-+type xenfs_t;
-+fs_noxattr_type(xenfs_t)
-+files_mountpoint(xenfs_t)
-+genfscon xenfs / gen_context(system_u:object_r:xenfs_t,s0)
-+
- ########################################
- #
- # Rules for all filesystem types
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.1/policy/modules/kernel/kernel.if
---- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-11-20 10:51:41.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/kernel/kernel.if 2009-11-19 14:06:58.000000000 -0500
-@@ -508,7 +508,7 @@
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
-+##
- ## </summary>
- ## </param>
- #
-@@ -941,43 +941,43 @@
-
- ########################################
- ## <summary>
--## Do not audit attempts to get the attributes of
--## core kernel interfaces.
-+## Allows caller to read th core kernel interface.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## The process type to not audit.
-+## The process type getting the attibutes.
- ## </summary>
- ## </param>
- #
--interface(`kernel_dontaudit_getattr_core_if',`
-+interface(`kernel_read_core_if',`
- gen_require(`
-- type proc_kcore_t;
-+ type proc_t, proc_kcore_t;
-+ attribute can_dump_kernel;
- ')
-
-- dontaudit $1 proc_kcore_t:file getattr;
-+ read_files_pattern($1, proc_t, proc_kcore_t)
-+ list_dirs_pattern($1, proc_t, proc_t)
-+
-+ typeattribute $1 can_dump_kernel;
- ')
+@@ -238,6 +245,7 @@
+ allow removable_t noxattrfs:filesystem associate;
+ fs_noxattr_type(removable_t)
+ files_type(removable_t)
++files_mountpoint(removable_t)
- ########################################
- ## <summary>
--## Allows caller to read the core kernel interface.
-+## Do not audit attempts to get the attributes of
-+## core kernel interfaces.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
-+## The process type to not audit.
- ## </summary>
- ## </param>
#
--interface(`kernel_read_core_if',`
-+interface(`kernel_dontaudit_getattr_core_if',`
- gen_require(`
-- type proc_t, proc_kcore_t;
-- attribute can_dump_kernel;
-+ type proc_kcore_t;
- ')
-
-- read_files_pattern($1, proc_t, proc_kcore_t)
-- list_dirs_pattern($1, proc_t, proc_t)
--
-- typeattribute $1 can_dump_kernel;
-+ dontaudit $1 proc_kcore_t:file getattr;
- ')
-
- ########################################
-@@ -1848,7 +1848,7 @@
+ # nfs_t is the default type for NFS file systems
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.3/policy/modules/kernel/kernel.if
+--- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-11-25 11:47:19.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/kernel/kernel.if 2009-11-25 12:39:13.000000000 -0500
+@@ -1849,7 +1849,7 @@
')
dontaudit $1 sysctl_type:dir list_dir_perms;
@@ -7622,7 +6964,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1919,6 +1919,25 @@
+@@ -1920,6 +1920,25 @@
########################################
## <summary>
@@ -7648,7 +6990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Send general signals to unlabeled processes.
## </summary>
## <param name="domain">
-@@ -2662,6 +2681,24 @@
+@@ -2663,6 +2682,24 @@
########################################
## <summary>
@@ -7673,7 +7015,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Unconfined access to kernel module resources.
## </summary>
## <param name="domain">
-@@ -2677,3 +2714,22 @@
+@@ -2678,3 +2715,22 @@
typeattribute $1 kern_unconfined;
')
@@ -7696,16 +7038,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1 kernel_t:unix_stream_socket connectto;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.1/policy/modules/kernel/kernel.te
---- nsaserefpolicy/policy/modules/kernel/kernel.te 2009-11-20 10:51:41.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/kernel/kernel.te 2009-11-17 11:06:58.000000000 -0500
-@@ -1,5 +1,5 @@
-
--policy_module(kernel, 1.11.1)
-+policy_module(kernel, 1.11.0)
-
- ########################################
- #
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.3/policy/modules/kernel/kernel.te
+--- nsaserefpolicy/policy/modules/kernel/kernel.te 2009-11-25 11:47:19.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/kernel/kernel.te 2009-11-25 12:39:13.000000000 -0500
@@ -64,6 +64,15 @@
genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
@@ -7785,9 +7120,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
+
+files_boot(kernel_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.7.1/policy/modules/kernel/selinux.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.7.3/policy/modules/kernel/selinux.if
--- nsaserefpolicy/policy/modules/kernel/selinux.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/kernel/selinux.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/kernel/selinux.if 2009-11-25 12:39:13.000000000 -0500
@@ -40,7 +40,7 @@
# because of this statement, any module which
@@ -7845,9 +7180,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ fs_type($1)
+ mls_trusted_object($1)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.7.1/policy/modules/kernel/storage.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.7.3/policy/modules/kernel/storage.fc
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2009-11-20 10:51:41.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/kernel/storage.fc 2009-11-24 09:55:13.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/kernel/storage.fc 2009-11-25 12:39:13.000000000 -0500
@@ -14,6 +14,7 @@
/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@@ -7856,9 +7191,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/dev/fd[^/]+ -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.7.1/policy/modules/kernel/storage.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.7.3/policy/modules/kernel/storage.if
--- nsaserefpolicy/policy/modules/kernel/storage.if 2009-11-20 10:51:41.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/kernel/storage.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/kernel/storage.if 2009-11-25 12:39:13.000000000 -0500
@@ -266,6 +266,7 @@
dev_list_all_dev_nodes($1)
@@ -7867,39 +7202,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.te serefpolicy-3.7.1/policy/modules/kernel/storage.te
---- nsaserefpolicy/policy/modules/kernel/storage.te 2009-11-20 10:51:41.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/kernel/storage.te 2009-11-17 10:55:11.000000000 -0500
-@@ -1,5 +1,5 @@
-
--policy_module(storage, 1.7.1)
-+policy_module(storage, 1.7.0)
-
- ########################################
- #
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.7.1/policy/modules/kernel/terminal.fc
---- nsaserefpolicy/policy/modules/kernel/terminal.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/kernel/terminal.fc 2009-11-17 11:06:58.000000000 -0500
-@@ -13,6 +13,7 @@
- /dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
- /dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0)
- /dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
-+/dev/pts/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
- /dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
- /dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
- /dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.1/policy/modules/kernel/terminal.if
---- nsaserefpolicy/policy/modules/kernel/terminal.if 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/kernel/terminal.if 2009-11-23 11:38:32.000000000 -0500
-@@ -196,7 +196,7 @@
-
- dev_list_all_dev_nodes($1)
- allow $1 devpts_t:dir list_dir_perms;
-- allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms;
-+ allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms;
- ')
-
- ########################################
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.3/policy/modules/kernel/terminal.if
+--- nsaserefpolicy/policy/modules/kernel/terminal.if 2009-11-25 11:47:19.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/kernel/terminal.if 2009-11-25 12:39:13.000000000 -0500
@@ -273,9 +273,11 @@
interface(`term_dontaudit_use_console',`
gen_require(`
@@ -7912,57 +7217,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -474,6 +476,23 @@
-
- ########################################
- ## <summary>
-+## dontaudit getattr of generic pty devices.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## The type of the process to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`term_dontaudit_getattr_generic_ptys',`
-+ gen_require(`
-+ type devpts_t;
-+ ')
-+
-+ dontaudit $1 devpts_t:chr_file getattr;
-+')
-+########################################
-+## <summary>
- ## ioctl of generic pty devices.
- ## </summary>
- ## <param name="domain">
-@@ -575,6 +594,25 @@
- dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
- ')
-
-+#######################################
-+## <summary>
-+## Set the attributes of the tty device
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`term_setattr_controlling_term',`
-+ gen_require(`
-+ type devtty_t;
-+ ')
-+
-+ dev_list_all_dev_nodes($1)
-+ allow $1 devtty_t:chr_file setattr;
-+')
-+
- ########################################
- ## <summary>
- ## Read and write the controlling
-@@ -991,10 +1029,12 @@
+@@ -1028,10 +1030,12 @@
interface(`term_use_unallocated_ttys',`
gen_require(`
type tty_device_t;
@@ -7975,7 +7230,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1011,8 +1051,10 @@
+@@ -1048,8 +1052,10 @@
interface(`term_dontaudit_use_unallocated_ttys',`
gen_require(`
type tty_device_t;
@@ -7986,20 +7241,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-3.7.1/policy/modules/kernel/terminal.te
---- nsaserefpolicy/policy/modules/kernel/terminal.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/kernel/terminal.te 2009-11-17 11:06:58.000000000 -0500
-@@ -44,6 +44,7 @@
- type ptmx_t;
- dev_node(ptmx_t)
- mls_trusted_object(ptmx_t)
-+allow ptmx_t devpts_t:filesystem associate;
-
- #
- # tty_device_t is the type of /dev/*tty*
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.7.1/policy/modules/roles/guest.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.7.3/policy/modules/roles/guest.te
--- nsaserefpolicy/policy/modules/roles/guest.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/roles/guest.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/roles/guest.te 2009-11-25 12:39:13.000000000 -0500
@@ -16,7 +16,11 @@
#
@@ -8014,9 +7258,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+gen_user(guest_u, user, guest_r, s0, s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.1/policy/modules/roles/staff.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.3/policy/modules/roles/staff.te
--- nsaserefpolicy/policy/modules/roles/staff.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/roles/staff.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/roles/staff.te 2009-11-25 12:39:13.000000000 -0500
@@ -10,161 +10,117 @@
userdom_unpriv_user_template(staff)
@@ -8220,9 +7464,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- xserver_role(staff_r, staff_t)
+ virt_stream_connect(staff_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.1/policy/modules/roles/sysadm.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.3/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/roles/sysadm.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/roles/sysadm.te 2009-11-25 12:39:13.000000000 -0500
@@ -15,7 +15,7 @@
role sysadm_r;
@@ -8532,9 +7776,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+init_script_role_transition(sysadm_r)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.7.1/policy/modules/roles/unconfineduser.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.7.3/policy/modules/roles/unconfineduser.fc
--- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/roles/unconfineduser.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/roles/unconfineduser.fc 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,8 @@
+# Add programs here which should not be confined by SELinux
+# e.g.:
@@ -8544,9 +7788,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/sbin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.7.1/policy/modules/roles/unconfineduser.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.7.3/policy/modules/roles/unconfineduser.if
--- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/roles/unconfineduser.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/roles/unconfineduser.if 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,638 @@
+## <summary>Unconfiend user role</summary>
+
@@ -9186,10 +8430,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1 unconfined_r;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.1/policy/modules/roles/unconfineduser.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.3/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/roles/unconfineduser.te 2009-11-24 14:57:49.000000000 -0500
-@@ -0,0 +1,431 @@
++++ serefpolicy-3.7.3/policy/modules/roles/unconfineduser.te 2009-11-25 12:39:13.000000000 -0500
+@@ -0,0 +1,449 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -9307,34 +8551,55 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ attribute unconfined_usertype;
+ ')
+
++ nsplugin_role_notrans(unconfined_r, unconfined_usertype)
++ optional_policy(`
++ tunable_policy(`allow_unconfined_nsplugin_transition',`
++ nsplugin_domtrans(unconfined_usertype)
++ nsplugin_domtrans_config(unconfined_usertype)
++ ')
++ ')
++
++ userdom_execmod_user_home_files(unconfined_usertype)
++
+ optional_policy(`
+ abrt_dbus_chat(unconfined_usertype)
+ abrt_run_helper(unconfined_usertype, unconfined_r)
+ ')
+
-+ nsplugin_role_notrans(unconfined_r, unconfined_usertype)
-+ tunable_policy(`allow_unconfined_nsplugin_transition',`
-+ nsplugin_domtrans(unconfined_usertype)
-+ nsplugin_domtrans_config(unconfined_usertype)
++ optional_policy(`
++ avahi_dbus_chat(unconfined_usertype)
+ ')
+
+ optional_policy(`
-+ rtkit_daemon_system_domain(unconfined_usertype)
++ devicekit_dbus_chat(unconfined_usertype)
++ devicekit_dbus_chat_disk(unconfined_usertype)
++ devicekit_dbus_chat_power(unconfined_usertype)
+ ')
+
-+ userdom_execmod_user_home_files(unconfined_usertype)
++ optional_policy(`
++ hal_dbus_chat(unconfined_usertype)
++ ')
+
+ optional_policy(`
-+ sandbox_transition(unconfined_usertype, unconfined_r)
++ networkmanager_dbus_chat(unconfined_usertype)
+ ')
+
+ optional_policy(`
-+ avahi_dbus_chat(unconfined_usertype)
++ policykit_role(unconfined_r, unconfined_usertype)
+ ')
+
+ optional_policy(`
-+ hal_dbus_chat(unconfined_usertype)
++ rtkit_daemon_system_domain(unconfined_usertype)
++ ')
++
++ optional_policy(`
++ setroubleshoot_dbus_chat(unconfined_usertype)
++ ')
++
++ optional_policy(`
++ sandbox_transition(unconfined_usertype, unconfined_r)
+ ')
++
+')
+
+ifdef(`distro_gentoo',`
@@ -9496,6 +8761,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ rpm_run(unconfined_t, unconfined_r)
+ # Allow SELinux aware applications to request rpm_script execution
+ rpm_transition_script(unconfined_t)
++ rpm_dbus_chat(unconfined_t)
+')
+
+optional_policy(`
@@ -9606,10 +8872,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+domain_ptrace_all_domains(unconfined_notrans_t)
+
+optional_policy(`
-+ policykit_role(unconfined_r, unconfined_notrans_t)
-+')
-+
-+optional_policy(`
+ rtkit_daemon_system_domain(unconfined_notrans_t)
+')
+
@@ -9621,9 +8883,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.7.1/policy/modules/roles/unprivuser.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.7.3/policy/modules/roles/unprivuser.te
--- nsaserefpolicy/policy/modules/roles/unprivuser.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/roles/unprivuser.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/roles/unprivuser.te 2009-11-25 12:39:13.000000000 -0500
@@ -14,96 +14,19 @@
userdom_unpriv_user_template(user)
@@ -9772,9 +9034,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- xserver_role(user_r, user_t)
+ setroubleshoot_dontaudit_stream_connect(user_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.1/policy/modules/roles/xguest.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.3/policy/modules/roles/xguest.te
--- nsaserefpolicy/policy/modules/roles/xguest.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/roles/xguest.te 2009-11-24 18:10:12.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/roles/xguest.te 2009-11-25 12:39:13.000000000 -0500
@@ -31,16 +31,38 @@
userdom_restricted_xwindows_user_template(xguest)
@@ -9890,9 +9152,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-#gen_user(xguest_u,, xguest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.7.1/policy/modules/services/abrt.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.7.3/policy/modules/services/abrt.fc
--- nsaserefpolicy/policy/modules/services/abrt.fc 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/abrt.fc 2009-11-18 16:55:18.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/abrt.fc 2009-11-25 12:39:13.000000000 -0500
@@ -1,11 +1,15 @@
/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
@@ -9910,9 +9172,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
/var/run/abrt\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.7.1/policy/modules/services/abrt.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.7.3/policy/modules/services/abrt.if
--- nsaserefpolicy/policy/modules/services/abrt.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/abrt.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/abrt.if 2009-11-25 12:39:13.000000000 -0500
@@ -19,6 +19,24 @@
domtrans_pattern($1, abrt_exec_t, abrt_t)
')
@@ -10036,9 +9298,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#####################################
## <summary>
## All of the rules required to administrate
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.1/policy/modules/services/abrt.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.3/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/abrt.te 2009-11-24 10:12:04.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/abrt.te 2009-11-25 12:39:13.000000000 -0500
@@ -33,12 +33,25 @@
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)
@@ -10196,9 +9458,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+userdom_dontaudit_use_user_terminals(abrt_helper_t)
+
+permissive abrt_helper_t;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.fc serefpolicy-3.7.1/policy/modules/services/afs.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.fc serefpolicy-3.7.3/policy/modules/services/afs.fc
--- nsaserefpolicy/policy/modules/services/afs.fc 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/afs.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/afs.fc 2009-11-25 12:39:13.000000000 -0500
@@ -25,6 +25,7 @@
/usr/vice/etc/afsd -- gen_context(system_u:object_r:afs_exec_t,s0)
@@ -10207,9 +9469,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/vicepa gen_context(system_u:object_r:afs_files_t,s0)
/vicepb gen_context(system_u:object_r:afs_files_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.7.1/policy/modules/services/afs.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.7.3/policy/modules/services/afs.te
--- nsaserefpolicy/policy/modules/services/afs.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/afs.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/afs.te 2009-11-25 12:39:13.000000000 -0500
@@ -71,7 +71,7 @@
# afs client local policy
#
@@ -10227,9 +9489,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_rw_etc_runtime_files(afs_t)
fs_getattr_xattr_fs(afs_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.fc serefpolicy-3.7.1/policy/modules/services/aisexec.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.fc serefpolicy-3.7.3/policy/modules/services/aisexec.fc
--- nsaserefpolicy/policy/modules/services/aisexec.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/aisexec.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/aisexec.fc 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,12 @@
+
+/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:aisexec_initrc_exec_t,s0)
@@ -10243,9 +9505,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/run/aisexec\.pid -- gen_context(system_u:object_r:aisexec_var_run_t,s0)
+
+/var/run/cman_.* -s gen_context(system_u:object_r:aisexec_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.if serefpolicy-3.7.1/policy/modules/services/aisexec.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.if serefpolicy-3.7.3/policy/modules/services/aisexec.if
--- nsaserefpolicy/policy/modules/services/aisexec.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/aisexec.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/aisexec.if 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,106 @@
+## <summary>SELinux policy for Aisexec Cluster Engine</summary>
+
@@ -10353,9 +9615,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ admin_pattern($1, aisexec_tmpfs_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.7.1/policy/modules/services/aisexec.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.7.3/policy/modules/services/aisexec.te
--- nsaserefpolicy/policy/modules/services/aisexec.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/aisexec.te 2009-11-20 10:04:14.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/aisexec.te 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,112 @@
+
+policy_module(aisexec,1.0.0)
@@ -10469,9 +9731,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+groupd_rw_semaphores(aisexec_t)
+groupd_rw_shm(aisexec_t)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.7.1/policy/modules/services/amavis.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.7.3/policy/modules/services/amavis.te
--- nsaserefpolicy/policy/modules/services/amavis.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/amavis.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/amavis.te 2009-11-25 12:39:13.000000000 -0500
@@ -103,6 +103,8 @@
kernel_dontaudit_read_proc_symlinks(amavis_t)
kernel_dontaudit_read_system_state(amavis_t)
@@ -10481,9 +9743,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# find perl
corecmd_exec_bin(amavis_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.1/policy/modules/services/apache.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.3/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/apache.fc 2009-11-19 15:03:04.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/apache.fc 2009-11-25 12:39:13.000000000 -0500
@@ -2,11 +2,15 @@
/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
@@ -10599,9 +9861,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.1/policy/modules/services/apache.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.3/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2009-07-28 15:51:13.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/apache.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/apache.if 2009-11-25 12:39:13.000000000 -0500
@@ -13,21 +13,16 @@
#
template(`apache_content_template',`
@@ -11205,9 +10467,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ')
+ typeattribute $1 httpd_rw_content;
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.1/policy/modules/services/apache.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.3/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/apache.te 2009-11-23 11:25:41.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/apache.te 2009-11-25 12:39:13.000000000 -0500
@@ -19,6 +19,8 @@
# Declarations
#
@@ -12017,9 +11279,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.7.1/policy/modules/services/apm.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.7.3/policy/modules/services/apm.te
--- nsaserefpolicy/policy/modules/services/apm.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/apm.te 2009-11-17 16:29:03.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/apm.te 2009-11-25 12:39:13.000000000 -0500
@@ -60,7 +60,7 @@
# mknod: controlling an orderly resume of PCMCIA requires creating device
# nodes 254,{0,1,2} for some reason.
@@ -12040,9 +11302,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# cjp: related to sleep/resume (?)
optional_policy(`
xserver_domtrans(apmd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.7.1/policy/modules/services/arpwatch.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.7.3/policy/modules/services/arpwatch.te
--- nsaserefpolicy/policy/modules/services/arpwatch.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/arpwatch.te 2009-11-23 18:39:44.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/arpwatch.te 2009-11-25 12:39:13.000000000 -0500
@@ -34,6 +34,7 @@
allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms };
allow arpwatch_t self:udp_socket create_socket_perms;
@@ -12059,9 +11321,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_kernel_sysctls(arpwatch_t)
kernel_list_proc(arpwatch_t)
kernel_read_proc_symlinks(arpwatch_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.7.1/policy/modules/services/asterisk.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.7.3/policy/modules/services/asterisk.if
--- nsaserefpolicy/policy/modules/services/asterisk.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/asterisk.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/asterisk.if 2009-11-25 12:39:13.000000000 -0500
@@ -1,5 +1,26 @@
## <summary>Asterisk IP telephony server</summary>
@@ -12089,9 +11351,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
## <summary>
## All of the rules required to administrate
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.7.1/policy/modules/services/asterisk.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.7.3/policy/modules/services/asterisk.te
--- nsaserefpolicy/policy/modules/services/asterisk.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/asterisk.te 2009-11-23 13:38:30.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/asterisk.te 2009-11-25 12:39:13.000000000 -0500
@@ -34,6 +34,8 @@
type asterisk_var_run_t;
files_pid_file(asterisk_var_run_t)
@@ -12117,9 +11379,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_use_interactive_fds(asterisk_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.7.1/policy/modules/services/automount.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.7.3/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/automount.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/automount.te 2009-11-25 12:39:13.000000000 -0500
@@ -75,6 +75,7 @@
fs_mount_all_fs(automount_t)
@@ -12136,9 +11398,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
storage_rw_fuse(automount_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.7.1/policy/modules/services/avahi.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.7.3/policy/modules/services/avahi.te
--- nsaserefpolicy/policy/modules/services/avahi.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/avahi.te 2009-11-18 16:51:04.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/avahi.te 2009-11-25 12:39:13.000000000 -0500
@@ -24,7 +24,7 @@
# Local policy
#
@@ -12156,9 +11418,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.7.1/policy/modules/services/bind.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.7.3/policy/modules/services/bind.if
--- nsaserefpolicy/policy/modules/services/bind.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/bind.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/bind.if 2009-11-25 12:39:13.000000000 -0500
@@ -235,7 +235,7 @@
########################################
@@ -12220,9 +11482,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## All of the rules required to administrate
## an bind environment
## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.7.1/policy/modules/services/bitlbee.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.7.3/policy/modules/services/bitlbee.te
--- nsaserefpolicy/policy/modules/services/bitlbee.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/bitlbee.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/bitlbee.te 2009-11-25 12:39:13.000000000 -0500
@@ -68,6 +68,8 @@
# MSN can use passport auth, which is over http:
corenet_tcp_connect_http_port(bitlbee_t)
@@ -12232,9 +11494,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_read_rand(bitlbee_t)
dev_read_urand(bitlbee_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.7.1/policy/modules/services/bluetooth.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.7.3/policy/modules/services/bluetooth.if
--- nsaserefpolicy/policy/modules/services/bluetooth.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/bluetooth.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/bluetooth.if 2009-11-25 12:39:13.000000000 -0500
@@ -153,6 +153,27 @@
dontaudit $1 bluetooth_helper_t:file { read getattr };
')
@@ -12263,9 +11525,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
## <summary>
## All of the rules required to administrate
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.7.1/policy/modules/services/bluetooth.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.7.3/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/bluetooth.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/bluetooth.te 2009-11-25 12:39:13.000000000 -0500
@@ -54,9 +54,9 @@
# Bluetooth services local policy
#
@@ -12313,9 +11575,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
pulseaudio_dbus_chat(bluetooth_t)
')
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.fc serefpolicy-3.7.1/policy/modules/services/ccs.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.fc serefpolicy-3.7.3/policy/modules/services/ccs.fc
--- nsaserefpolicy/policy/modules/services/ccs.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/ccs.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/ccs.fc 2009-11-25 12:39:13.000000000 -0500
@@ -2,9 +2,5 @@
/sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0)
@@ -12328,9 +11590,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-/var/run/cman_.* -s gen_context(system_u:object_r:ccs_var_run_t,s0)
+/var/run/cluster/ccsd\.pid -- gen_context(system_u:object_r:ccs_var_run_t,s0)
+/var/run/cluster/ccsd\.sock -s gen_context(system_u:object_r:ccs_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.7.1/policy/modules/services/ccs.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.7.3/policy/modules/services/ccs.te
--- nsaserefpolicy/policy/modules/services/ccs.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/ccs.te 2009-11-20 16:30:47.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/ccs.te 2009-11-25 12:39:13.000000000 -0500
@@ -10,23 +10,21 @@
type ccs_exec_t;
init_daemon_domain(ccs_t, ccs_exec_t)
@@ -12414,9 +11676,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`hide_broken_symptoms', `
corecmd_dontaudit_write_bin_dirs(ccs_t)
files_manage_isid_type_files(ccs_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.7.1/policy/modules/services/certmaster.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.7.3/policy/modules/services/certmaster.te
--- nsaserefpolicy/policy/modules/services/certmaster.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/certmaster.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/certmaster.te 2009-11-25 12:39:13.000000000 -0500
@@ -30,7 +30,7 @@
# certmaster local policy
#
@@ -12426,9 +11688,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow certmaster_t self:tcp_socket create_stream_socket_perms;
# config files
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.7.1/policy/modules/services/chronyd.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.7.3/policy/modules/services/chronyd.fc
--- nsaserefpolicy/policy/modules/services/chronyd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/chronyd.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/chronyd.fc 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,11 @@
+
+/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
@@ -12441,9 +11703,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+/var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.7.1/policy/modules/services/chronyd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.7.3/policy/modules/services/chronyd.if
--- nsaserefpolicy/policy/modules/services/chronyd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/chronyd.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/chronyd.if 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,105 @@
+## <summary>chrony background daemon</summary>
+
@@ -12550,9 +11812,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.7.1/policy/modules/services/chronyd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.7.3/policy/modules/services/chronyd.te
--- nsaserefpolicy/policy/modules/services/chronyd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/chronyd.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/chronyd.te 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,67 @@
+policy_module(chronyd,1.0.0)
+
@@ -12621,9 +11883,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+miscfiles_read_localization(chronyd_t)
+
+permissive chronyd_t;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.1/policy/modules/services/clamav.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.3/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/clamav.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/clamav.te 2009-11-25 12:39:13.000000000 -0500
@@ -117,9 +117,9 @@
logging_send_syslog_msg(clamd_t)
@@ -12665,17 +11927,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
apache_read_sys_content(clamscan_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.fc serefpolicy-3.7.1/policy/modules/services/clogd.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.fc serefpolicy-3.7.3/policy/modules/services/clogd.fc
--- nsaserefpolicy/policy/modules/services/clogd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/clogd.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/clogd.fc 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,4 @@
+
+/usr/sbin/clogd -- gen_context(system_u:object_r:clogd_exec_t,s0)
+
+/var/run/clogd\.pid -- gen_context(system_u:object_r:clogd_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.7.1/policy/modules/services/clogd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.7.3/policy/modules/services/clogd.if
--- nsaserefpolicy/policy/modules/services/clogd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/clogd.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/clogd.if 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,98 @@
+## <summary>clogd - clustered mirror log server</summary>
+
@@ -12775,9 +12037,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow $1 clogd_t:shm { rw_shm_perms destroy };
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.te serefpolicy-3.7.1/policy/modules/services/clogd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.te serefpolicy-3.7.3/policy/modules/services/clogd.te
--- nsaserefpolicy/policy/modules/services/clogd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/clogd.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/clogd.te 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,62 @@
+
+policy_module(clogd,1.0.0)
@@ -12841,15 +12103,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.fc serefpolicy-3.7.1/policy/modules/services/cobbler.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.fc serefpolicy-3.7.3/policy/modules/services/cobbler.fc
--- nsaserefpolicy/policy/modules/services/cobbler.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/cobbler.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/cobbler.fc 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,2 @@
+
+/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.7.1/policy/modules/services/cobbler.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.7.3/policy/modules/services/cobbler.if
--- nsaserefpolicy/policy/modules/services/cobbler.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/cobbler.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/cobbler.if 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,44 @@
+## <summary>
+## Cobbler var_lib_t
@@ -12895,18 +12157,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ files_search_var_lib($1)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.7.1/policy/modules/services/cobbler.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.7.3/policy/modules/services/cobbler.te
--- nsaserefpolicy/policy/modules/services/cobbler.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/cobbler.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/cobbler.te 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,5 @@
+
+policy_module(cobbler, 1.10.0)
+
+type cobbler_var_lib_t;
+files_type(cobbler_var_lib_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.7.1/policy/modules/services/consolekit.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.7.3/policy/modules/services/consolekit.fc
--- nsaserefpolicy/policy/modules/services/consolekit.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/consolekit.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/consolekit.fc 2009-11-25 12:39:13.000000000 -0500
@@ -2,4 +2,5 @@
/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
@@ -12914,9 +12176,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-/var/run/ConsoleKit(/.*)? -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
+
+/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.7.1/policy/modules/services/consolekit.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.7.3/policy/modules/services/consolekit.if
--- nsaserefpolicy/policy/modules/services/consolekit.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/consolekit.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/consolekit.if 2009-11-25 12:39:13.000000000 -0500
@@ -57,3 +57,42 @@
read_files_pattern($1, consolekit_log_t, consolekit_log_t)
files_search_pids($1)
@@ -12960,9 +12222,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.7.1/policy/modules/services/consolekit.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.7.3/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/consolekit.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/consolekit.te 2009-11-25 12:39:13.000000000 -0500
@@ -21,7 +21,7 @@
# consolekit local policy
#
@@ -13036,9 +12298,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
unconfined_stream_connect(consolekit_t)
')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.7.1/policy/modules/services/corosync.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.7.3/policy/modules/services/corosync.fc
--- nsaserefpolicy/policy/modules/services/corosync.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/corosync.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/corosync.fc 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,13 @@
+
+/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
@@ -13053,9 +12315,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+/var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.if serefpolicy-3.7.1/policy/modules/services/corosync.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.if serefpolicy-3.7.3/policy/modules/services/corosync.if
--- nsaserefpolicy/policy/modules/services/corosync.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/corosync.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/corosync.if 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,108 @@
+## <summary>SELinux policy for Corosync Cluster Engine</summary>
+
@@ -13165,9 +12427,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.1/policy/modules/services/corosync.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.3/policy/modules/services/corosync.te
--- nsaserefpolicy/policy/modules/services/corosync.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/corosync.te 2009-11-23 13:51:04.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/corosync.te 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,109 @@
+
+policy_module(corosync,1.0.0)
@@ -13278,9 +12540,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+permissive corosync_t;
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.7.1/policy/modules/services/courier.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.7.3/policy/modules/services/courier.if
--- nsaserefpolicy/policy/modules/services/courier.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/courier.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/courier.if 2009-11-25 12:39:13.000000000 -0500
@@ -179,6 +179,24 @@
########################################
@@ -13306,9 +12568,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read and write to courier spool pipes.
## </summary>
## <param name="domain">
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.7.1/policy/modules/services/courier.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.7.3/policy/modules/services/courier.te
--- nsaserefpolicy/policy/modules/services/courier.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/courier.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/courier.te 2009-11-25 12:39:13.000000000 -0500
@@ -10,6 +10,7 @@
type courier_etc_t;
@@ -13317,9 +12579,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
courier_domain_template(pcp)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.7.1/policy/modules/services/cron.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.7.3/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/cron.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/cron.fc 2009-11-25 12:39:13.000000000 -0500
@@ -14,7 +14,7 @@
/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
@@ -13337,9 +12599,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
+
+/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.7.1/policy/modules/services/cron.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.7.3/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/cron.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/cron.if 2009-11-25 12:39:13.000000000 -0500
@@ -12,6 +12,10 @@
## </param>
#
@@ -13481,9 +12743,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.1/policy/modules/services/cron.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.3/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/cron.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/cron.te 2009-11-25 12:39:13.000000000 -0500
@@ -38,6 +38,7 @@
type cron_var_lib_t;
files_type(cron_var_lib_t)
@@ -13740,9 +13002,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
unconfined_domain(system_cronjob_t)
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.1/policy/modules/services/cups.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.3/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2009-07-28 15:51:13.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/cups.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/cups.fc 2009-11-25 12:39:13.000000000 -0500
@@ -13,10 +13,14 @@
/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
@@ -13786,9 +13048,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.1/policy/modules/services/cups.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.3/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/cups.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/cups.te 2009-11-25 12:51:50.000000000 -0500
@@ -23,6 +23,9 @@
type cupsd_initrc_exec_t;
init_script_file(cupsd_initrc_exec_t)
@@ -13816,7 +13078,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type hplip_var_run_t;
files_pid_file(hplip_var_run_t)
-@@ -116,6 +122,9 @@
+@@ -105,6 +111,7 @@
+ allow cupsd_t self:unix_dgram_socket create_socket_perms;
+ allow cupsd_t self:netlink_selinux_socket create_socket_perms;
+ allow cupsd_t self:shm create_shm_perms;
++allow cupsd_t self:sem create_sem_perms;
+ allow cupsd_t self:tcp_socket create_stream_socket_perms;
+ allow cupsd_t self:udp_socket create_socket_perms;
+ allow cupsd_t self:appletalk_socket create_socket_perms;
+@@ -116,6 +123,9 @@
read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
files_search_etc(cupsd_t)
@@ -13826,7 +13096,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
-@@ -156,6 +165,7 @@
+@@ -156,6 +166,7 @@
kernel_read_system_state(cupsd_t)
kernel_read_network_state(cupsd_t)
kernel_read_all_sysctls(cupsd_t)
@@ -13834,7 +13104,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(cupsd_t)
corenet_all_recvfrom_netlabel(cupsd_t)
-@@ -171,6 +181,7 @@
+@@ -171,6 +182,7 @@
corenet_udp_bind_generic_node(cupsd_t)
corenet_tcp_bind_ipp_port(cupsd_t)
corenet_udp_bind_ipp_port(cupsd_t)
@@ -13842,15 +13112,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_bind_reserved_port(cupsd_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
corenet_tcp_bind_all_rpc_ports(cupsd_t)
-@@ -250,6 +261,7 @@
+@@ -250,6 +262,7 @@
miscfiles_read_localization(cupsd_t)
# invoking ghostscript needs to read fonts
miscfiles_read_fonts(cupsd_t)
-+miscfiles_setattr_fonts(cupsd_t)
++miscfiles_setattr_fonts_dirs(cupsd_t)
seutil_read_config(cupsd_t)
sysnet_exec_ifconfig(cupsd_t)
-@@ -317,6 +329,10 @@
+@@ -317,6 +330,10 @@
')
optional_policy(`
@@ -13861,7 +13131,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
udev_read_db(cupsd_t)
')
-@@ -327,7 +343,7 @@
+@@ -327,7 +344,7 @@
allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
dontaudit cupsd_config_t self:capability sys_tty_config;
@@ -13870,7 +13140,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
allow cupsd_config_t self:unix_stream_socket create_socket_perms;
allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
-@@ -407,6 +423,7 @@
+@@ -407,6 +424,7 @@
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
@@ -13878,7 +13148,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
cups_stream_connect(cupsd_config_t)
-@@ -419,12 +436,15 @@
+@@ -419,12 +437,15 @@
')
optional_policy(`
@@ -13896,7 +13166,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
hal_dbus_chat(cupsd_config_t)
-@@ -446,6 +466,10 @@
+@@ -446,6 +467,10 @@
')
optional_policy(`
@@ -13907,7 +13177,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rpm_read_db(cupsd_config_t)
')
-@@ -542,6 +566,8 @@
+@@ -542,6 +567,8 @@
manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir })
@@ -13916,7 +13186,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_system_state(cups_pdf_t)
files_read_etc_files(cups_pdf_t)
-@@ -556,11 +582,15 @@
+@@ -556,11 +583,15 @@
miscfiles_read_fonts(cups_pdf_t)
userdom_home_filetrans_user_home_dir(cups_pdf_t)
@@ -13932,7 +13202,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(cups_pdf_t)
-@@ -601,6 +631,9 @@
+@@ -601,6 +632,9 @@
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
files_search_etc(hplip_t)
@@ -13942,7 +13212,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
-@@ -627,6 +660,7 @@
+@@ -627,6 +661,7 @@
corenet_tcp_connect_ipp_port(hplip_t)
corenet_sendrecv_hplip_client_packets(hplip_t)
corenet_receive_hplip_server_packets(hplip_t)
@@ -13950,18 +13220,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_read_sysfs(hplip_t)
dev_rw_printer(hplip_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.7.1/policy/modules/services/cvs.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.7.3/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/cvs.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/cvs.te 2009-11-25 12:39:13.000000000 -0500
@@ -112,4 +112,5 @@
read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.7.1/policy/modules/services/cyrus.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.7.3/policy/modules/services/cyrus.te
--- nsaserefpolicy/policy/modules/services/cyrus.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/cyrus.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/cyrus.te 2009-11-25 12:39:13.000000000 -0500
@@ -137,6 +137,7 @@
optional_policy(`
snmp_read_snmp_var_lib_files(cyrus_t)
@@ -13970,9 +13240,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.7.1/policy/modules/services/dbus.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.7.3/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/dbus.if 2009-11-24 18:53:39.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/dbus.if 2009-11-25 12:39:13.000000000 -0500
@@ -42,8 +42,10 @@
gen_require(`
class dbus { send_msg acquire_svc };
@@ -14097,9 +13367,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.7.1/policy/modules/services/dbus.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.7.3/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/dbus.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/dbus.te 2009-11-25 12:39:13.000000000 -0500
@@ -86,6 +86,7 @@
dev_read_sysfs(system_dbusd_t)
@@ -14152,9 +13422,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
+allow session_bus_type dbusd_unconfined:dbus send_msg;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.7.1/policy/modules/services/dcc.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.7.3/policy/modules/services/dcc.te
--- nsaserefpolicy/policy/modules/services/dcc.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/dcc.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/dcc.te 2009-11-25 12:39:13.000000000 -0500
@@ -130,11 +130,13 @@
# Access files in /var/dcc. The map file can be updated
@@ -14181,9 +13451,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
spamassassin_read_spamd_tmp_files(dcc_client_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.if serefpolicy-3.7.1/policy/modules/services/ddclient.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.if serefpolicy-3.7.3/policy/modules/services/ddclient.if
--- nsaserefpolicy/policy/modules/services/ddclient.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/ddclient.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/ddclient.if 2009-11-25 12:39:13.000000000 -0500
@@ -21,6 +21,31 @@
########################################
@@ -14216,18 +13486,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## All of the rules required to administrate
## an ddclient environment
## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.7.1/policy/modules/services/devicekit.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.7.3/policy/modules/services/devicekit.fc
--- nsaserefpolicy/policy/modules/services/devicekit.fc 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/devicekit.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/devicekit.fc 2009-11-25 12:39:13.000000000 -0500
@@ -5,4 +5,4 @@
/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
-/var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.7.1/policy/modules/services/devicekit.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.7.3/policy/modules/services/devicekit.if
--- nsaserefpolicy/policy/modules/services/devicekit.if 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/devicekit.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/devicekit.if 2009-11-25 12:39:13.000000000 -0500
@@ -139,6 +139,26 @@
########################################
@@ -14264,9 +13534,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
allow $1 devicekit_t:process { ptrace signal_perms getattr };
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.1/policy/modules/services/devicekit.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.3/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/devicekit.te 2009-11-19 16:38:18.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/devicekit.te 2009-11-25 12:39:13.000000000 -0500
@@ -36,12 +36,15 @@
manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
@@ -14451,9 +13721,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.7.1/policy/modules/services/dnsmasq.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.7.3/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/dnsmasq.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/dnsmasq.te 2009-11-25 12:39:13.000000000 -0500
@@ -83,6 +83,18 @@
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
@@ -14473,9 +13743,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole(dnsmasq_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.1/policy/modules/services/dovecot.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.3/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/dovecot.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/dovecot.te 2009-11-25 12:39:13.000000000 -0500
@@ -56,7 +56,7 @@
allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
@@ -14541,9 +13811,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ fs_manage_cifs_symlinks(dovecot_deliver_t)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.7.1/policy/modules/services/exim.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.7.3/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/exim.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/exim.te 2009-11-25 12:39:13.000000000 -0500
@@ -111,6 +111,7 @@
files_search_var(exim_t)
files_read_etc_files(exim_t)
@@ -14563,9 +13833,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
spamassassin_exec(exim_t)
spamassassin_exec_client(exim_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.7.1/policy/modules/services/fail2ban.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.7.3/policy/modules/services/fail2ban.te
--- nsaserefpolicy/policy/modules/services/fail2ban.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/fail2ban.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/fail2ban.te 2009-11-25 12:39:13.000000000 -0500
@@ -33,6 +33,7 @@
allow fail2ban_t self:process signal;
allow fail2ban_t self:fifo_file rw_fifo_file_perms;
@@ -14582,9 +13852,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
miscfiles_read_localization(fail2ban_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.7.1/policy/modules/services/fetchmail.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.7.3/policy/modules/services/fetchmail.te
--- nsaserefpolicy/policy/modules/services/fetchmail.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/fetchmail.te 2009-11-18 08:45:23.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/fetchmail.te 2009-11-25 12:39:13.000000000 -0500
@@ -47,6 +47,9 @@
kernel_read_proc_symlinks(fetchmail_t)
kernel_dontaudit_read_system_state(fetchmail_t)
@@ -14595,9 +13865,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(fetchmail_t)
corenet_all_recvfrom_netlabel(fetchmail_t)
corenet_tcp_sendrecv_generic_if(fetchmail_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.7.1/policy/modules/services/fprintd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.7.3/policy/modules/services/fprintd.te
--- nsaserefpolicy/policy/modules/services/fprintd.te 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/fprintd.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/fprintd.te 2009-11-25 12:39:13.000000000 -0500
@@ -37,6 +37,8 @@
files_read_etc_files(fprintd_t)
files_read_usr_files(fprintd_t)
@@ -14615,9 +13885,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
policykit_domtrans_auth(fprintd_t)
')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.7.1/policy/modules/services/ftp.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.7.3/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/ftp.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/ftp.te 2009-11-25 12:39:13.000000000 -0500
@@ -41,6 +41,13 @@
## <desc>
@@ -14741,9 +14011,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole(ftpd_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.7.1/policy/modules/services/git.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.7.3/policy/modules/services/git.fc
--- nsaserefpolicy/policy/modules/services/git.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/git.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/git.fc 2009-11-25 12:39:13.000000000 -0500
@@ -1,3 +1,9 @@
/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0)
-/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
@@ -14755,9 +14025,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+# Conflict with Fedora cgit fc spec.
+/var/lib/git(/.*)? gen_context(system_u:object_r:git_data_t, s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.7.1/policy/modules/services/git.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.7.3/policy/modules/services/git.if
--- nsaserefpolicy/policy/modules/services/git.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/git.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/git.if 2009-11-25 12:39:13.000000000 -0500
@@ -1 +1,285 @@
-## <summary>GIT revision control system</summary>
+## <summary>Git daemon is a really simple server for Git repositories.</summary>
@@ -15045,9 +14315,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ seutil_domtrans_setfiles($1)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.7.1/policy/modules/services/git.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.7.3/policy/modules/services/git.te
--- nsaserefpolicy/policy/modules/services/git.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/git.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/git.te 2009-11-25 12:39:13.000000000 -0500
@@ -1,9 +1,173 @@
policy_module(git, 1.0)
@@ -15223,9 +14493,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
apache_content_template(git)
+git_read_data_content(httpd_git_script_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.te serefpolicy-3.7.1/policy/modules/services/gpm.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.te serefpolicy-3.7.3/policy/modules/services/gpm.te
--- nsaserefpolicy/policy/modules/services/gpm.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/gpm.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/gpm.te 2009-11-25 12:39:13.000000000 -0500
@@ -27,7 +27,8 @@
# Local policy
#
@@ -15236,9 +14506,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow gpm_t self:unix_stream_socket create_stream_socket_perms;
allow gpm_t gpm_conf_t:dir list_dir_perms;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.7.1/policy/modules/services/gpsd.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.7.3/policy/modules/services/gpsd.fc
--- nsaserefpolicy/policy/modules/services/gpsd.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/gpsd.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/gpsd.fc 2009-11-25 12:39:13.000000000 -0500
@@ -1 +1,6 @@
+/etc/rc\.d/init\.d/gpsd -- gen_context(system_u:object_r:gpsd_initrc_exec_t,s0)
+
@@ -15246,9 +14516,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+/var/run/gpsd\.pid -- gen_context(system_u:object_r:gpsd_var_run_t,s0)
+/var/run/gpsd\.sock -s gen_context(system_u:object_r:gpsd_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.if serefpolicy-3.7.1/policy/modules/services/gpsd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.if serefpolicy-3.7.3/policy/modules/services/gpsd.if
--- nsaserefpolicy/policy/modules/services/gpsd.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/gpsd.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/gpsd.if 2009-11-25 12:39:13.000000000 -0500
@@ -33,11 +33,6 @@
## The role to be allowed the gpsd domain.
## </summary>
@@ -15294,9 +14564,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
+ read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.7.1/policy/modules/services/gpsd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.7.3/policy/modules/services/gpsd.te
--- nsaserefpolicy/policy/modules/services/gpsd.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/gpsd.te 2009-11-23 11:58:28.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/gpsd.te 2009-11-25 12:39:13.000000000 -0500
@@ -11,15 +11,21 @@
application_domain(gpsd_t, gpsd_exec_t)
init_daemon_domain(gpsd_t, gpsd_exec_t)
@@ -15338,9 +14608,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- ntpd_rw_shm(gpsd_t)
+ ntp_rw_shm(gpsd_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.7.1/policy/modules/services/hal.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.7.3/policy/modules/services/hal.fc
--- nsaserefpolicy/policy/modules/services/hal.fc 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/hal.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/hal.fc 2009-11-25 12:39:13.000000000 -0500
@@ -26,6 +26,7 @@
/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
/var/run/pm-utils(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
@@ -15349,9 +14619,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`distro_gentoo',`
/var/lib/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.7.1/policy/modules/services/hal.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.7.3/policy/modules/services/hal.if
--- nsaserefpolicy/policy/modules/services/hal.if 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/hal.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/hal.if 2009-11-25 12:39:13.000000000 -0500
@@ -413,3 +413,21 @@
files_search_pids($1)
manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
@@ -15374,9 +14644,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ dontaudit $1 hald_t:unix_dgram_socket { read write };
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.7.1/policy/modules/services/hal.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.7.3/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/hal.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/hal.te 2009-11-25 12:39:13.000000000 -0500
@@ -55,6 +55,9 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@@ -15529,9 +14799,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ dbus_system_bus_client(hald_dccm_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/howl.te serefpolicy-3.7.1/policy/modules/services/howl.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/howl.te serefpolicy-3.7.3/policy/modules/services/howl.te
--- nsaserefpolicy/policy/modules/services/howl.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/howl.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/howl.te 2009-11-25 12:39:13.000000000 -0500
@@ -30,7 +30,7 @@
kernel_read_network_state(howl_t)
@@ -15541,18 +14811,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_list_proc(howl_t)
kernel_read_proc_symlinks(howl_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.fc serefpolicy-3.7.1/policy/modules/services/inetd.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.fc serefpolicy-3.7.3/policy/modules/services/inetd.fc
--- nsaserefpolicy/policy/modules/services/inetd.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/inetd.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/inetd.fc 2009-11-25 12:39:13.000000000 -0500
@@ -9,4 +9,4 @@
/var/log/(x)?inetd\.log -- gen_context(system_u:object_r:inetd_log_t,s0)
-/var/run/inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0)
+/var/run/(x)?inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.7.1/policy/modules/services/inetd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.7.3/policy/modules/services/inetd.te
--- nsaserefpolicy/policy/modules/services/inetd.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/inetd.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/inetd.te 2009-11-25 12:39:13.000000000 -0500
@@ -104,6 +104,8 @@
corenet_tcp_bind_telnetd_port(inetd_t)
corenet_udp_bind_tftp_port(inetd_t)
@@ -15571,9 +14841,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(inetd_t)
miscfiles_read_localization(inetd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/irqbalance.te serefpolicy-3.7.1/policy/modules/services/irqbalance.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/irqbalance.te serefpolicy-3.7.3/policy/modules/services/irqbalance.te
--- nsaserefpolicy/policy/modules/services/irqbalance.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/irqbalance.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/irqbalance.te 2009-11-25 12:39:13.000000000 -0500
@@ -18,11 +18,11 @@
# Local policy
#
@@ -15588,9 +14858,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_files_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t)
files_pid_filetrans(irqbalance_t, irqbalance_var_run_t, file)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.1/policy/modules/services/kerberos.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.3/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/kerberos.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/kerberos.if 2009-11-25 12:39:13.000000000 -0500
@@ -74,7 +74,7 @@
')
@@ -15611,9 +14881,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`allow_kerberos',`
allow $1 self:tcp_socket create_socket_perms;
allow $1 self:udp_socket create_socket_perms;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.7.1/policy/modules/services/kerberos.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.7.3/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/kerberos.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/kerberos.te 2009-11-25 12:39:13.000000000 -0500
@@ -110,8 +110,9 @@
manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t)
files_pid_filetrans(kadmind_t, kadmind_var_run_t, file)
@@ -15664,9 +14934,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
sysnet_dns_name_resolve(kpropd_t)
kerberos_use(kpropd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.7.1/policy/modules/services/kerneloops.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.7.3/policy/modules/services/kerneloops.te
--- nsaserefpolicy/policy/modules/services/kerneloops.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/kerneloops.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/kerneloops.te 2009-11-25 12:39:13.000000000 -0500
@@ -22,7 +22,7 @@
#
@@ -15676,9 +14946,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow kerneloops_t self:fifo_file rw_file_perms;
manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.7.1/policy/modules/services/ktalk.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.7.3/policy/modules/services/ktalk.te
--- nsaserefpolicy/policy/modules/services/ktalk.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/ktalk.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/ktalk.te 2009-11-25 12:39:13.000000000 -0500
@@ -69,6 +69,7 @@
files_read_etc_files(ktalkd_t)
@@ -15687,18 +14957,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_use_nsswitch(ktalkd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.fc serefpolicy-3.7.1/policy/modules/services/lircd.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.fc serefpolicy-3.7.3/policy/modules/services/lircd.fc
--- nsaserefpolicy/policy/modules/services/lircd.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/lircd.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/lircd.fc 2009-11-25 12:39:13.000000000 -0500
@@ -6,3 +6,5 @@
/usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0)
/var/run/lircd\.pid gen_context(system_u:object_r:lircd_var_run_t,s0)
+/var/run/lircd(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0)
+/var/run/lirc(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.if serefpolicy-3.7.1/policy/modules/services/lircd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.if serefpolicy-3.7.3/policy/modules/services/lircd.if
--- nsaserefpolicy/policy/modules/services/lircd.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/lircd.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/lircd.if 2009-11-25 12:39:13.000000000 -0500
@@ -32,12 +32,11 @@
#
interface(`lircd_stream_connect',`
@@ -15730,9 +15000,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-
- admin_pattern($1, lircd_sock_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.7.1/policy/modules/services/lircd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.7.3/policy/modules/services/lircd.te
--- nsaserefpolicy/policy/modules/services/lircd.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/lircd.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/lircd.te 2009-11-25 12:39:13.000000000 -0500
@@ -16,13 +16,9 @@
type lircd_etc_t;
files_type(lircd_etc_t)
@@ -15778,9 +15048,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
miscfiles_read_localization(lircd_t)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.7.1/policy/modules/services/mailman.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.7.3/policy/modules/services/mailman.te
--- nsaserefpolicy/policy/modules/services/mailman.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/mailman.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/mailman.te 2009-11-25 12:39:13.000000000 -0500
@@ -78,6 +78,10 @@
mta_dontaudit_rw_queue(mailman_mail_t)
@@ -15792,9 +15062,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
cron_read_pipes(mailman_mail_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.7.1/policy/modules/services/memcached.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.7.3/policy/modules/services/memcached.te
--- nsaserefpolicy/policy/modules/services/memcached.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/memcached.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/memcached.te 2009-11-25 12:39:13.000000000 -0500
@@ -44,6 +44,8 @@
files_read_etc_files(memcached_t)
@@ -15804,9 +15074,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
miscfiles_read_localization(memcached_t)
sysnet_dns_name_resolve(memcached_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.7.1/policy/modules/services/milter.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.7.3/policy/modules/services/milter.if
--- nsaserefpolicy/policy/modules/services/milter.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/milter.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/milter.if 2009-11-25 12:39:13.000000000 -0500
@@ -35,6 +35,8 @@
# Create other data files and directories in the data directory
manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
@@ -15816,9 +15086,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
miscfiles_read_localization($1_milter_t)
logging_send_syslog_msg($1_milter_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.7.1/policy/modules/services/modemmanager.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.7.3/policy/modules/services/modemmanager.te
--- nsaserefpolicy/policy/modules/services/modemmanager.te 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/modemmanager.te 2009-11-24 07:19:22.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/modemmanager.te 2009-11-25 12:39:13.000000000 -0500
@@ -16,7 +16,8 @@
#
# ModemManager local policy
@@ -15837,18 +15107,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files(modemmanager_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.7.1/policy/modules/services/mta.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.7.3/policy/modules/services/mta.fc
--- nsaserefpolicy/policy/modules/services/mta.fc 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/mta.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/mta.fc 2009-11-25 12:39:13.000000000 -0500
@@ -26,3 +26,5 @@
/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
+/root/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.7.1/policy/modules/services/mta.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.7.3/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/mta.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/mta.if 2009-11-25 12:39:13.000000000 -0500
@@ -69,6 +69,7 @@
can_exec($1_mail_t, sendmail_exec_t)
allow $1_mail_t sendmail_exec_t:lnk_file read_lnk_file_perms;
@@ -15910,9 +15180,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.1/policy/modules/services/mta.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.3/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/mta.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/mta.te 2009-11-25 12:39:13.000000000 -0500
@@ -27,6 +27,9 @@
type mail_spool_t;
files_mountpoint(mail_spool_t)
@@ -16002,9 +15272,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# User send mail local policy
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.7.1/policy/modules/services/munin.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.7.3/policy/modules/services/munin.fc
--- nsaserefpolicy/policy/modules/services/munin.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/munin.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/munin.fc 2009-11-25 12:39:13.000000000 -0500
@@ -9,3 +9,6 @@
/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
@@ -16012,9 +15282,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
+/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.1/policy/modules/services/munin.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.3/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/munin.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/munin.te 2009-11-25 12:39:13.000000000 -0500
@@ -33,7 +33,7 @@
# Local policy
#
@@ -16032,9 +15302,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.1/policy/modules/services/mysql.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.3/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/mysql.te 2009-11-18 16:52:13.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/mysql.te 2009-11-25 12:39:13.000000000 -0500
@@ -136,10 +136,17 @@
domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
@@ -16062,9 +15332,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
mysql_read_config(mysqld_safe_t)
mysql_search_pid_files(mysqld_safe_t)
mysql_write_log(mysqld_safe_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.7.1/policy/modules/services/nagios.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.7.3/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/nagios.fc 2009-11-23 14:12:37.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/nagios.fc 2009-11-25 12:39:13.000000000 -0500
@@ -1,16 +1,26 @@
/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
@@ -16097,9 +15367,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
+/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.7.1/policy/modules/services/nagios.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.7.3/policy/modules/services/nagios.if
--- nsaserefpolicy/policy/modules/services/nagios.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/nagios.if 2009-11-23 14:12:16.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/nagios.if 2009-11-25 12:39:13.000000000 -0500
@@ -64,7 +64,7 @@
########################################
@@ -16218,9 +15488,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ admin_pattern($1, nrpe_etc_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.1/policy/modules/services/nagios.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.3/policy/modules/services/nagios.te
--- nsaserefpolicy/policy/modules/services/nagios.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/nagios.te 2009-11-23 14:23:43.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/nagios.te 2009-11-25 12:39:13.000000000 -0500
@@ -10,13 +10,12 @@
type nagios_exec_t;
init_daemon_domain(nagios_t, nagios_exec_t)
@@ -16420,9 +15690,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+
+miscfiles_read_localization(nagios_checkdisk_plugin_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.7.1/policy/modules/services/networkmanager.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.7.3/policy/modules/services/networkmanager.fc
--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/networkmanager.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/networkmanager.fc 2009-11-25 12:39:13.000000000 -0500
@@ -1,12 +1,28 @@
+/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t, s0)
+/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
@@ -16452,9 +15722,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.7.1/policy/modules/services/networkmanager.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.7.3/policy/modules/services/networkmanager.if
--- nsaserefpolicy/policy/modules/services/networkmanager.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/networkmanager.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/networkmanager.if 2009-11-25 12:39:13.000000000 -0500
@@ -118,6 +118,24 @@
########################################
@@ -16531,9 +15801,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ role $2 types NetworkManager_t;
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.1/policy/modules/services/networkmanager.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.3/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/networkmanager.te 2009-11-24 07:18:48.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/networkmanager.te 2009-11-25 12:39:13.000000000 -0500
@@ -19,6 +19,9 @@
type NetworkManager_tmp_t;
files_tmp_file(NetworkManager_tmp_t)
@@ -16774,9 +16044,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.7.1/policy/modules/services/nis.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.7.3/policy/modules/services/nis.fc
--- nsaserefpolicy/policy/modules/services/nis.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/nis.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/nis.fc 2009-11-25 12:39:13.000000000 -0500
@@ -1,4 +1,7 @@
-
+/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0)
@@ -16786,9 +16056,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0)
/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.7.1/policy/modules/services/nis.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.7.3/policy/modules/services/nis.if
--- nsaserefpolicy/policy/modules/services/nis.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/nis.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/nis.if 2009-11-25 12:39:13.000000000 -0500
@@ -28,7 +28,7 @@
type var_yp_t;
')
@@ -16930,9 +16200,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ role $2 types ypbind_t;
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.7.1/policy/modules/services/nis.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.7.3/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/nis.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/nis.te 2009-11-25 12:39:13.000000000 -0500
@@ -13,6 +13,9 @@
type ypbind_exec_t;
init_daemon_domain(ypbind_t, ypbind_exec_t)
@@ -16982,9 +16252,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_bind_all_rpc_ports(ypxfr_t)
corenet_udp_bind_all_rpc_ports(ypxfr_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.7.1/policy/modules/services/nscd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.7.3/policy/modules/services/nscd.if
--- nsaserefpolicy/policy/modules/services/nscd.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/nscd.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/nscd.if 2009-11-25 12:39:13.000000000 -0500
@@ -121,6 +121,24 @@
########################################
@@ -17010,9 +16280,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Use NSCD services by mapping the database from
## an inherited NSCD file descriptor.
## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.7.1/policy/modules/services/nscd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.7.3/policy/modules/services/nscd.te
--- nsaserefpolicy/policy/modules/services/nscd.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/nscd.te 2009-11-17 11:08:16.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/nscd.te 2009-11-25 12:39:13.000000000 -0500
@@ -1,10 +1,17 @@
-policy_module(nscd, 1.10.0)
@@ -17053,9 +16323,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ samba_read_config(nscd_t)
+ samba_read_var_files(nscd_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.if serefpolicy-3.7.1/policy/modules/services/nslcd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.if serefpolicy-3.7.3/policy/modules/services/nslcd.if
--- nsaserefpolicy/policy/modules/services/nslcd.if 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/nslcd.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/nslcd.if 2009-11-25 12:39:13.000000000 -0500
@@ -94,6 +94,7 @@
interface(`nslcd_admin',`
gen_require(`
@@ -17076,9 +16346,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ manage_lnk_files_pattern($1,nslcd_var_run_t,nslcd_var_run_t)
')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.7.1/policy/modules/services/ntp.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.7.3/policy/modules/services/ntp.if
--- nsaserefpolicy/policy/modules/services/ntp.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/ntp.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/ntp.if 2009-11-25 12:39:13.000000000 -0500
@@ -37,6 +37,32 @@
########################################
@@ -17146,9 +16416,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## All of the rules required to administrate
## an ntp environment
## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.7.1/policy/modules/services/ntp.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.7.3/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/ntp.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/ntp.te 2009-11-25 12:39:13.000000000 -0500
@@ -41,10 +41,11 @@
# sys_resource and setrlimit is for locking memory
@@ -17195,9 +16465,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.fc serefpolicy-3.7.1/policy/modules/services/nut.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.fc serefpolicy-3.7.3/policy/modules/services/nut.fc
--- nsaserefpolicy/policy/modules/services/nut.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/nut.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/nut.fc 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,8 @@
+
+/usr/sbin/upsd -- gen_context(system_u:object_r:upsd_exec_t,s0)
@@ -17207,9 +16477,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/sbin/upsdrvctl -- gen_context(system_u:object_r:upsdrvctl_exec_t,s0)
+
+/var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.if serefpolicy-3.7.1/policy/modules/services/nut.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.if serefpolicy-3.7.3/policy/modules/services/nut.if
--- nsaserefpolicy/policy/modules/services/nut.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/nut.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/nut.if 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,82 @@
+## <summary>SELinux policy for nut - Network UPS Tools </summary>
+
@@ -17293,9 +16563,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ stream_connect_pattern($1, nut_var_run_t, nut_var_run_t, upsdrvctl_t)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.7.1/policy/modules/services/nut.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.7.3/policy/modules/services/nut.te
--- nsaserefpolicy/policy/modules/services/nut.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/nut.te 2009-11-24 15:02:15.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/nut.te 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,127 @@
+
+policy_module(nut,1.0.0)
@@ -17309,7 +16579,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+type upsd_exec_t;
+init_daemon_domain(upsd_t,upsd_exec_t)
+
-+type nut_var_run_t
++type nut_var_run_t;
+files_pid_file(nut_var_run_t)
+typealias nut_var_run_t alias { upsd_var_run_t upsmon_var_run_t upsdrvctl_var_run_t };
+
@@ -17424,9 +16694,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+logging_send_syslog_msg(upsdrvctl_t)
+
+miscfiles_read_localization(upsdrvctl_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.7.1/policy/modules/services/nx.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.7.3/policy/modules/services/nx.fc
--- nsaserefpolicy/policy/modules/services/nx.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/nx.fc 2009-11-23 10:16:14.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/nx.fc 2009-11-25 12:39:13.000000000 -0500
@@ -1,6 +1,9 @@
/opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
@@ -17437,9 +16707,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/opt/NX/var(/.*)? gen_context(system_u:object_r:nx_server_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.7.1/policy/modules/services/nx.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.7.3/policy/modules/services/nx.if
--- nsaserefpolicy/policy/modules/services/nx.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/nx.if 2009-11-20 10:16:07.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/nx.if 2009-11-25 12:39:13.000000000 -0500
@@ -17,3 +17,70 @@
spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t)
@@ -17511,9 +16781,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ filetrans_pattern($1, nx_server_var_lib_t, $2, $3)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.7.1/policy/modules/services/nx.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.7.3/policy/modules/services/nx.te
--- nsaserefpolicy/policy/modules/services/nx.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/nx.te 2009-11-20 10:15:44.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/nx.te 2009-11-25 12:39:13.000000000 -0500
@@ -25,6 +25,12 @@
type nx_server_var_run_t;
files_pid_file(nx_server_var_run_t)
@@ -17548,9 +16818,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_system_state(nx_server_t)
kernel_read_kernel_sysctls(nx_server_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.7.1/policy/modules/services/oddjob.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.7.3/policy/modules/services/oddjob.if
--- nsaserefpolicy/policy/modules/services/oddjob.if 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/oddjob.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/oddjob.if 2009-11-25 12:39:13.000000000 -0500
@@ -44,6 +44,7 @@
')
@@ -17559,9 +16829,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.7.1/policy/modules/services/openvpn.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.7.3/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/openvpn.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/openvpn.te 2009-11-25 12:39:13.000000000 -0500
@@ -100,6 +100,8 @@
files_read_etc_files(openvpn_t)
files_read_etc_runtime_files(openvpn_t)
@@ -17571,9 +16841,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(openvpn_t)
miscfiles_read_localization(openvpn_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.if serefpolicy-3.7.1/policy/modules/services/pcscd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.if serefpolicy-3.7.3/policy/modules/services/pcscd.if
--- nsaserefpolicy/policy/modules/services/pcscd.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/pcscd.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/pcscd.if 2009-11-25 12:39:13.000000000 -0500
@@ -53,6 +53,5 @@
')
@@ -17582,9 +16852,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- allow $1 pcscd_t:unix_stream_socket connectto;
+ stream_connect_pattern($1, pcscd_var_run_t, pcscd_var_run_t, pcscd_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.7.1/policy/modules/services/pcscd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.7.3/policy/modules/services/pcscd.te
--- nsaserefpolicy/policy/modules/services/pcscd.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/pcscd.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/pcscd.te 2009-11-25 12:39:13.000000000 -0500
@@ -29,6 +29,7 @@
manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
@@ -17609,9 +16879,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
term_use_unallocated_ttys(pcscd_t)
term_dontaudit_getattr_pty_dirs(pcscd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.7.1/policy/modules/services/pegasus.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.7.3/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/pegasus.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/pegasus.te 2009-11-25 12:39:13.000000000 -0500
@@ -30,7 +30,7 @@
# Local policy
#
@@ -17683,18 +16953,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ xen_stream_connect(pegasus_t)
+ xen_stream_connect_xenstore(pegasus_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.fc serefpolicy-3.7.1/policy/modules/services/plymouth.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.fc serefpolicy-3.7.3/policy/modules/services/plymouth.fc
--- nsaserefpolicy/policy/modules/services/plymouth.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/plymouth.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/plymouth.fc 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,5 @@
+/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t, s0)
+/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t, s0)
+/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t, s0)
+/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t, s0)
+/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t, s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.if serefpolicy-3.7.1/policy/modules/services/plymouth.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.if serefpolicy-3.7.3/policy/modules/services/plymouth.if
--- nsaserefpolicy/policy/modules/services/plymouth.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/plymouth.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/plymouth.if 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,286 @@
+## <summary>policy for plymouthd</summary>
+
@@ -17982,9 +17252,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1 plymouthd_t:unix_stream_socket connectto;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.7.1/policy/modules/services/plymouth.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.7.3/policy/modules/services/plymouth.te
--- nsaserefpolicy/policy/modules/services/plymouth.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/plymouth.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/plymouth.te 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,101 @@
+policy_module(plymouthd, 1.0.0)
+
@@ -18087,9 +17357,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ hal_dontaudit_rw_pipes(plymouth_t)
+')
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.7.1/policy/modules/services/policykit.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.7.3/policy/modules/services/policykit.fc
--- nsaserefpolicy/policy/modules/services/policykit.fc 2009-08-18 11:41:14.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/policykit.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/policykit.fc 2009-11-25 12:39:13.000000000 -0500
@@ -6,10 +6,13 @@
/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
@@ -18105,9 +17375,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.7.1/policy/modules/services/policykit.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.7.3/policy/modules/services/policykit.if
--- nsaserefpolicy/policy/modules/services/policykit.if 2009-08-18 18:39:50.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/policykit.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/policykit.if 2009-11-25 12:39:13.000000000 -0500
@@ -17,6 +17,8 @@
class dbus send_msg;
')
@@ -18175,9 +17445,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1 policykit_auth_t:process signal;
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.1/policy/modules/services/policykit.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.3/policy/modules/services/policykit.te
--- nsaserefpolicy/policy/modules/services/policykit.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/policykit.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/policykit.te 2009-11-25 12:39:13.000000000 -0500
@@ -36,11 +36,12 @@
# policykit local policy
#
@@ -18327,9 +17597,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.7.1/policy/modules/services/postfix.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.7.3/policy/modules/services/postfix.fc
--- nsaserefpolicy/policy/modules/services/postfix.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/postfix.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/postfix.fc 2009-11-25 12:39:13.000000000 -0500
@@ -29,12 +29,10 @@
/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
@@ -18343,9 +17613,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
/usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.1/policy/modules/services/postfix.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.3/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/postfix.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/postfix.if 2009-11-25 12:39:13.000000000 -0500
@@ -46,6 +46,7 @@
allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
@@ -18592,9 +17862,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ role $2 types postfix_postdrop_t;
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.1/policy/modules/services/postfix.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.3/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/postfix.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/postfix.te 2009-11-25 12:39:13.000000000 -0500
@@ -6,6 +6,15 @@
# Declarations
#
@@ -18987,9 +18257,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+userdom_manage_user_home_content(postfix_virtual_t)
+userdom_home_filetrans_user_home_dir(postfix_virtual_t)
+userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.7.1/policy/modules/services/postgresql.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.7.3/policy/modules/services/postgresql.fc
--- nsaserefpolicy/policy/modules/services/postgresql.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/postgresql.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/postgresql.fc 2009-11-25 12:39:13.000000000 -0500
@@ -2,6 +2,8 @@
# /etc
#
@@ -19027,9 +18297,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
+
+/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.7.1/policy/modules/services/postgresql.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.7.3/policy/modules/services/postgresql.if
--- nsaserefpolicy/policy/modules/services/postgresql.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/postgresql.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/postgresql.if 2009-11-25 12:39:13.000000000 -0500
@@ -384,3 +384,46 @@
typeattribute $1 sepgsql_unconfined_type;
@@ -19077,9 +18347,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ admin_pattern($1, postgresql_tmp_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.7.1/policy/modules/services/postgresql.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.7.3/policy/modules/services/postgresql.te
--- nsaserefpolicy/policy/modules/services/postgresql.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/postgresql.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/postgresql.te 2009-11-25 12:39:13.000000000 -0500
@@ -32,6 +32,9 @@
type postgresql_etc_t;
files_config_file(postgresql_etc_t)
@@ -19124,9 +18394,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
miscfiles_read_localization(postgresql_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.7.1/policy/modules/services/ppp.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.7.3/policy/modules/services/ppp.if
--- nsaserefpolicy/policy/modules/services/ppp.if 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/ppp.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/ppp.if 2009-11-25 12:39:13.000000000 -0500
@@ -177,10 +177,16 @@
interface(`ppp_run',`
gen_require(`
@@ -19144,9 +18414,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.7.1/policy/modules/services/ppp.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.7.3/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/ppp.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/ppp.te 2009-11-25 12:39:13.000000000 -0500
@@ -38,7 +38,7 @@
files_type(pppd_etc_rw_t)
@@ -19198,9 +18468,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
hostname_exec(pptp_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.7.1/policy/modules/services/prelude.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.7.3/policy/modules/services/prelude.te
--- nsaserefpolicy/policy/modules/services/prelude.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/prelude.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/prelude.te 2009-11-25 12:39:13.000000000 -0500
@@ -122,7 +122,8 @@
#
# prelude_audisp local policy
@@ -19211,9 +18481,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow prelude_audisp_t self:fifo_file rw_file_perms;
allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms;
allow prelude_audisp_t self:unix_dgram_socket create_socket_perms;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.fc serefpolicy-3.7.1/policy/modules/services/privoxy.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.fc serefpolicy-3.7.3/policy/modules/services/privoxy.fc
--- nsaserefpolicy/policy/modules/services/privoxy.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/privoxy.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/privoxy.fc 2009-11-25 12:39:13.000000000 -0500
@@ -1,6 +1,5 @@
-/etc/privoxy/user\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0)
@@ -19222,9 +18492,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/etc/rc\.d/init\.d/privoxy -- gen_context(system_u:object_r:privoxy_initrc_exec_t,s0)
/usr/sbin/privoxy -- gen_context(system_u:object_r:privoxy_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.7.1/policy/modules/services/privoxy.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.7.3/policy/modules/services/privoxy.te
--- nsaserefpolicy/policy/modules/services/privoxy.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/privoxy.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/privoxy.te 2009-11-25 12:39:13.000000000 -0500
@@ -47,9 +47,8 @@
manage_files_pattern(privoxy_t, privoxy_var_run_t, privoxy_var_run_t)
files_pid_filetrans(privoxy_t, privoxy_var_run_t, file)
@@ -19236,9 +18506,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(privoxy_t)
corenet_all_recvfrom_netlabel(privoxy_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.7.1/policy/modules/services/procmail.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.7.3/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/procmail.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/procmail.te 2009-11-25 12:39:13.000000000 -0500
@@ -22,7 +22,7 @@
# Local policy
#
@@ -19286,9 +18556,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.7.1/policy/modules/services/pyzor.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.7.3/policy/modules/services/pyzor.fc
--- nsaserefpolicy/policy/modules/services/pyzor.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/pyzor.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/pyzor.fc 2009-11-25 12:39:13.000000000 -0500
@@ -1,6 +1,10 @@
/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
+/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0)
@@ -19300,9 +18570,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.7.1/policy/modules/services/pyzor.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.7.3/policy/modules/services/pyzor.if
--- nsaserefpolicy/policy/modules/services/pyzor.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/pyzor.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/pyzor.if 2009-11-25 12:39:13.000000000 -0500
@@ -88,3 +88,50 @@
corecmd_search_bin($1)
can_exec($1, pyzor_exec_t)
@@ -19354,9 +18624,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.7.1/policy/modules/services/pyzor.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.7.3/policy/modules/services/pyzor.te
--- nsaserefpolicy/policy/modules/services/pyzor.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/pyzor.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/pyzor.te 2009-11-25 12:39:13.000000000 -0500
@@ -6,6 +6,38 @@
# Declarations
#
@@ -19421,9 +18691,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_dontaudit_search_user_home_dirs(pyzor_t)
optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.7.1/policy/modules/services/radvd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.7.3/policy/modules/services/radvd.te
--- nsaserefpolicy/policy/modules/services/radvd.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/radvd.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/radvd.te 2009-11-25 12:39:13.000000000 -0500
@@ -41,6 +41,7 @@
kernel_rw_net_sysctls(radvd_t)
kernel_read_network_state(radvd_t)
@@ -19432,17 +18702,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(radvd_t)
corenet_all_recvfrom_netlabel(radvd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.7.1/policy/modules/services/razor.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.7.3/policy/modules/services/razor.fc
--- nsaserefpolicy/policy/modules/services/razor.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/razor.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/razor.fc 2009-11-25 12:39:13.000000000 -0500
@@ -1,3 +1,4 @@
+/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.7.1/policy/modules/services/razor.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.7.3/policy/modules/services/razor.if
--- nsaserefpolicy/policy/modules/services/razor.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/razor.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/razor.if 2009-11-25 12:39:13.000000000 -0500
@@ -157,3 +157,45 @@
domtrans_pattern($1, razor_exec_t, razor_t)
@@ -19489,9 +18759,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.7.1/policy/modules/services/razor.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.7.3/policy/modules/services/razor.te
--- nsaserefpolicy/policy/modules/services/razor.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/razor.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/razor.te 2009-11-25 12:39:13.000000000 -0500
@@ -6,6 +6,32 @@
# Declarations
#
@@ -19543,9 +18813,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.7.1/policy/modules/services/rgmanager.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.7.3/policy/modules/services/rgmanager.fc
--- nsaserefpolicy/policy/modules/services/rgmanager.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/rgmanager.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/rgmanager.fc 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,8 @@
+
+/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
@@ -19555,9 +18825,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+
+/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.7.1/policy/modules/services/rgmanager.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.7.3/policy/modules/services/rgmanager.if
--- nsaserefpolicy/policy/modules/services/rgmanager.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/rgmanager.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/rgmanager.if 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,59 @@
+## <summary>SELinux policy for rgmanager</summary>
+
@@ -19618,9 +18888,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.1/policy/modules/services/rgmanager.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.3/policy/modules/services/rgmanager.te
--- nsaserefpolicy/policy/modules/services/rgmanager.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/rgmanager.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/rgmanager.te 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,83 @@
+
+policy_module(rgmanager,1.0.0)
@@ -19705,9 +18975,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ccs_stream_connect(rgmanager_t)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.7.1/policy/modules/services/rhcs.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.7.3/policy/modules/services/rhcs.fc
--- nsaserefpolicy/policy/modules/services/rhcs.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/rhcs.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/rhcs.fc 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,22 @@
+
+/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
@@ -19731,9 +19001,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
+/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
+/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.7.1/policy/modules/services/rhcs.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.7.3/policy/modules/services/rhcs.if
--- nsaserefpolicy/policy/modules/services/rhcs.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/rhcs.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/rhcs.if 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,348 @@
+## <summary>SELinux policy for RHCS - Red Hat Cluster Suite </summary>
+
@@ -20083,9 +19353,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.1/policy/modules/services/rhcs.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.3/policy/modules/services/rhcs.te
--- nsaserefpolicy/policy/modules/services/rhcs.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/rhcs.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/rhcs.te 2009-11-25 12:39:13.000000000 -0500
@@ -0,0 +1,394 @@
+
+policy_module(rhcs,1.0.0)
@@ -20481,9 +19751,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.7.1/policy/modules/services/ricci.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.7.3/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/ricci.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/ricci.te 2009-11-25 13:13:44.000000000 -0500
@@ -194,10 +194,13 @@
# ricci_modcluster local policy
#
@@ -20550,18 +19820,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
unconfined_use_fds(ricci_modclusterd_t)
')
-@@ -440,6 +460,10 @@
+@@ -440,6 +460,11 @@
files_read_usr_files(ricci_modstorage_t)
files_read_kernel_modules(ricci_modstorage_t)
+files_create_default_dir(ricci_modstorage_t)
+files_mounton_default(ricci_modstorage_t)
-+files_manage_default(ricci_modstorage_t)
++files_manage_default_dirs(ricci_modstorage_t)
++files_manage_default_files(ricci_modstorage_t)
+
storage_raw_read_fixed_disk(ricci_modstorage_t)
term_dontaudit_use_console(ricci_modstorage_t)
-@@ -457,6 +481,10 @@
+@@ -457,6 +482,10 @@
mount_domtrans(ricci_modstorage_t)
optional_policy(`
@@ -20572,9 +19843,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ccs_stream_connect(ricci_modstorage_t)
ccs_read_config(ricci_modstorage_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.7.1/policy/modules/services/rpcbind.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.7.3/policy/modules/services/rpcbind.if
--- nsaserefpolicy/policy/modules/services/rpcbind.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/rpcbind.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/rpcbind.if 2009-11-25 12:39:13.000000000 -0500
@@ -97,6 +97,26 @@
########################################
@@ -20602,9 +19873,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## All of the rules required to administrate
## an rpcbind environment
## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.7.1/policy/modules/services/rpcbind.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.7.3/policy/modules/services/rpcbind.te
--- nsaserefpolicy/policy/modules/services/rpcbind.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/rpcbind.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/rpcbind.te 2009-11-25 12:39:13.000000000 -0500
@@ -42,6 +42,7 @@
kernel_read_system_state(rpcbind_t)
@@ -20613,9 +19884,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(rpcbind_t)
corenet_all_recvfrom_netlabel(rpcbind_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.7.1/policy/modules/services/rpc.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.7.3/policy/modules/services/rpc.if
--- nsaserefpolicy/policy/modules/services/rpc.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/rpc.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/rpc.if 2009-11-25 12:39:13.000000000 -0500
@@ -54,7 +54,7 @@
allow $1_t self:unix_dgram_socket create_socket_perms;
allow $1_t self:unix_stream_socket create_stream_socket_perms;
@@ -20644,9 +19915,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole($1_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.7.1/policy/modules/services/rpc.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.7.3/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/rpc.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/rpc.te 2009-11-25 12:39:13.000000000 -0500
@@ -53,7 +53,7 @@
# RPC local policy
#
@@ -20733,9 +20004,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.7.1/policy/modules/services/rsync.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.7.3/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/rsync.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/rsync.te 2009-11-25 12:39:13.000000000 -0500
@@ -8,6 +8,13 @@
## <desc>
@@ -20778,9 +20049,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
auth_can_read_shadow_passwords(rsync_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.7.1/policy/modules/services/rtkit.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.7.3/policy/modules/services/rtkit.if
--- nsaserefpolicy/policy/modules/services/rtkit.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/rtkit.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/rtkit.if 2009-11-25 12:39:13.000000000 -0500
@@ -38,3 +38,23 @@
allow $1 rtkit_daemon_t:dbus send_msg;
allow rtkit_daemon_t $1:dbus send_msg;
@@ -20805,9 +20076,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow rtkit_daemon_t $1:process { getsched setsched };
+ rtkit_daemon_dbus_chat($1)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.7.1/policy/modules/services/rtkit.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.7.3/policy/modules/services/rtkit.te
--- nsaserefpolicy/policy/modules/services/rtkit.te 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/rtkit.te 2009-11-23 11:53:29.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/rtkit.te 2009-11-25 12:39:13.000000000 -0500
@@ -17,9 +17,11 @@
allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace };
@@ -20829,9 +20100,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
policykit_dbus_chat(rtkit_daemon_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.7.1/policy/modules/services/samba.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.7.3/policy/modules/services/samba.fc
--- nsaserefpolicy/policy/modules/services/samba.fc 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/samba.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/samba.fc 2009-11-25 12:39:13.000000000 -0500
@@ -51,3 +51,7 @@
/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
@@ -20840,9 +20111,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ifndef(`enable_mls',`
+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.7.1/policy/modules/services/samba.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.7.3/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/samba.if 2009-11-23 10:38:07.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/samba.if 2009-11-25 12:39:13.000000000 -0500
@@ -62,6 +62,25 @@
########################################
@@ -21015,9 +20286,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
admin_pattern($1, winbind_var_run_t)
+ admin_pattern($1, samba_unconfined_script_exec_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.1/policy/modules/services/samba.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.3/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/samba.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/samba.te 2009-11-25 12:39:13.000000000 -0500
@@ -66,6 +66,13 @@
## </desc>
gen_tunable(samba_share_nfs, false)
@@ -21249,9 +20520,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+',`
+ can_exec(smbd_t, samba_unconfined_script_exec_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.7.1/policy/modules/services/sasl.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.7.3/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/sasl.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/sasl.te 2009-11-25 12:39:13.000000000 -0500
@@ -31,7 +31,7 @@
# Local policy
#
@@ -21314,9 +20585,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole(saslauthd_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.1/policy/modules/services/sendmail.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.3/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/sendmail.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/sendmail.if 2009-11-25 12:39:13.000000000 -0500
@@ -59,20 +59,20 @@
########################################
@@ -21489,9 +20760,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1 sendmail_t:fifo_file rw_fifo_file_perms;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.1/policy/modules/services/sendmail.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.3/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/sendmail.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/sendmail.te 2009-11-25 12:39:13.000000000 -0500
@@ -20,13 +20,17 @@
mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t)
@@ -21667,18 +20938,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
-') dnl end TODO
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.7.1/policy/modules/services/setroubleshoot.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.7.3/policy/modules/services/setroubleshoot.fc
--- nsaserefpolicy/policy/modules/services/setroubleshoot.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/setroubleshoot.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/setroubleshoot.fc 2009-11-25 12:39:13.000000000 -0500
@@ -5,3 +5,5 @@
/var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0)
/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0)
+
+/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.7.1/policy/modules/services/setroubleshoot.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.7.3/policy/modules/services/setroubleshoot.if
--- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/setroubleshoot.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/setroubleshoot.if 2009-11-25 12:39:13.000000000 -0500
@@ -16,8 +16,8 @@
')
@@ -21815,9 +21086,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ files_list_pids($1)
+ admin_pattern($1, setroubleshoot_var_run_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.7.1/policy/modules/services/setroubleshoot.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.7.3/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/setroubleshoot.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/setroubleshoot.te 2009-11-25 12:39:13.000000000 -0500
@@ -22,13 +22,19 @@
type setroubleshoot_var_run_t;
files_pid_file(setroubleshoot_var_run_t)
@@ -21958,9 +21229,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ policykit_dbus_chat(setroubleshoot_fixit_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.7.1/policy/modules/services/smartmon.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.7.3/policy/modules/services/smartmon.te
--- nsaserefpolicy/policy/modules/services/smartmon.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/smartmon.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/smartmon.te 2009-11-25 12:39:13.000000000 -0500
@@ -19,14 +19,18 @@
type fsdaemon_tmp_t;
files_tmp_file(fsdaemon_tmp_t)
@@ -22021,9 +21292,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.7.1/policy/modules/services/snmp.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.7.3/policy/modules/services/snmp.if
--- nsaserefpolicy/policy/modules/services/snmp.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/snmp.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/snmp.if 2009-11-25 12:39:13.000000000 -0500
@@ -50,6 +50,24 @@
########################################
@@ -22076,9 +21347,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
## <summary>
## All of the rules required to administrate
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.7.1/policy/modules/services/snmp.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.7.3/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/snmp.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/snmp.te 2009-11-25 12:39:13.000000000 -0500
@@ -27,7 +27,7 @@
#
allow snmpd_t self:capability { dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
@@ -22097,9 +21368,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_list_sysfs(snmpd_t)
dev_read_sysfs(snmpd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.7.1/policy/modules/services/snort.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.7.3/policy/modules/services/snort.te
--- nsaserefpolicy/policy/modules/services/snort.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/snort.te 2009-11-23 10:22:33.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/snort.te 2009-11-25 12:39:13.000000000 -0500
@@ -37,6 +37,7 @@
allow snort_t self:tcp_socket create_stream_socket_perms;
allow snort_t self:udp_socket create_socket_perms;
@@ -22108,9 +21379,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Snort IPS node. unverified.
allow snort_t self:netlink_firewall_socket { bind create getattr };
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.7.1/policy/modules/services/spamassassin.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.7.3/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/spamassassin.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/spamassassin.fc 2009-11-25 12:39:13.000000000 -0500
@@ -1,15 +1,26 @@
-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
@@ -22140,9 +21411,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.7.1/policy/modules/services/spamassassin.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.7.3/policy/modules/services/spamassassin.if
--- nsaserefpolicy/policy/modules/services/spamassassin.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/spamassassin.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/spamassassin.if 2009-11-25 12:39:13.000000000 -0500
@@ -111,6 +111,27 @@
')
@@ -22251,9 +21522,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ files_list_pids($1)
+ admin_pattern($1, spamd_var_run_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.7.1/policy/modules/services/spamassassin.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.7.3/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/spamassassin.te 2009-11-24 18:16:01.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/spamassassin.te 2009-11-25 12:39:13.000000000 -0500
@@ -20,6 +20,35 @@
## </desc>
gen_tunable(spamd_enable_home_dirs, true)
@@ -22556,9 +21827,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
udev_read_db(spamd_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.7.1/policy/modules/services/squid.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.7.3/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/squid.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/squid.te 2009-11-25 12:39:13.000000000 -0500
@@ -67,7 +67,9 @@
can_exec(squid_t, squid_exec_t)
@@ -22587,18 +21858,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-#squid requires the following when run in diskd mode, the recommended setting
-allow squid_t tmpfs_t:file { read write };
-') dnl end TODO
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.7.1/policy/modules/services/ssh.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.7.3/policy/modules/services/ssh.fc
--- nsaserefpolicy/policy/modules/services/ssh.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/ssh.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/ssh.fc 2009-11-25 12:39:13.000000000 -0500
@@ -14,3 +14,5 @@
/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
+
+/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.1/policy/modules/services/ssh.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.3/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/ssh.if 2009-11-18 16:54:14.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/ssh.if 2009-11-25 12:39:13.000000000 -0500
@@ -36,6 +36,7 @@
gen_require(`
attribute ssh_server;
@@ -22945,9 +22216,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ files_search_pids($1)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.1/policy/modules/services/ssh.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.3/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/ssh.te 2009-11-18 16:54:37.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/ssh.te 2009-11-25 12:39:13.000000000 -0500
@@ -8,6 +8,31 @@
## <desc>
@@ -23234,9 +22505,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ fs_manage_cifs_dirs(sftpd_t)
+ fs_manage_cifs_files(sftpd_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.7.1/policy/modules/services/sssd.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.7.3/policy/modules/services/sssd.fc
--- nsaserefpolicy/policy/modules/services/sssd.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/sssd.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/sssd.fc 2009-11-25 12:39:13.000000000 -0500
@@ -1,6 +1,9 @@
-/etc/rc.d/init.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
@@ -23248,9 +22519,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
+
/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.7.1/policy/modules/services/sssd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.7.3/policy/modules/services/sssd.if
--- nsaserefpolicy/policy/modules/services/sssd.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/sssd.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/sssd.if 2009-11-25 12:39:13.000000000 -0500
@@ -12,12 +12,32 @@
#
interface(`sssd_domtrans',`
@@ -23339,9 +22610,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Send and receive messages from
## sssd over dbus.
## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.1/policy/modules/services/sssd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.3/policy/modules/services/sssd.te
--- nsaserefpolicy/policy/modules/services/sssd.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/sssd.te 2009-11-23 17:38:47.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/sssd.te 2009-11-25 12:39:13.000000000 -0500
@@ -16,6 +16,9 @@
type sssd_var_lib_t;
files_type(sssd_var_lib_t)
@@ -23394,9 +22665,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
dbus_system_bus_client(sssd_t)
dbus_connect_system_bus(sssd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.7.1/policy/modules/services/sysstat.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.7.3/policy/modules/services/sysstat.te
--- nsaserefpolicy/policy/modules/services/sysstat.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/sysstat.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/sysstat.te 2009-11-25 12:39:13.000000000 -0500
@@ -19,14 +19,15 @@
# Local policy
#
@@ -23415,18 +22686,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
# get info from /proc
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.fc serefpolicy-3.7.1/policy/modules/services/tftp.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.fc serefpolicy-3.7.3/policy/modules/services/tftp.fc
--- nsaserefpolicy/policy/modules/services/tftp.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/tftp.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/tftp.fc 2009-11-25 12:39:13.000000000 -0500
@@ -5,4 +5,4 @@
/tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0)
/tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0)
-/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_t,s0)
+/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.7.1/policy/modules/services/tuned.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.7.3/policy/modules/services/tuned.te
--- nsaserefpolicy/policy/modules/services/tuned.te 2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/tuned.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/tuned.te 2009-11-25 12:39:13.000000000 -0500
@@ -16,12 +16,14 @@
type tuned_var_run_t;
files_pid_file(tuned_var_run_t)
@@ -23443,9 +22714,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
files_pid_filetrans(tuned_t, tuned_var_run_t, file)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.7.1/policy/modules/services/uucp.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.7.3/policy/modules/services/uucp.te
--- nsaserefpolicy/policy/modules/services/uucp.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/uucp.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/uucp.te 2009-11-25 12:39:13.000000000 -0500
@@ -90,17 +90,26 @@
fs_getattr_xattr_fs(uucpd_t)
@@ -23481,9 +22752,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.1/policy/modules/services/virt.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.3/policy/modules/services/virt.fc
--- nsaserefpolicy/policy/modules/services/virt.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/virt.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/virt.fc 2009-11-25 12:39:13.000000000 -0500
@@ -8,5 +8,18 @@
/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
@@ -23503,9 +22774,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0)
+
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.1/policy/modules/services/virt.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.3/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/virt.if 2009-11-24 14:56:33.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/virt.if 2009-11-25 12:39:13.000000000 -0500
@@ -136,7 +136,7 @@
')
@@ -23758,9 +23029,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ptchown_run(svirt_t, $2)
+ ')
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.1/policy/modules/services/virt.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.3/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/virt.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/virt.te 2009-11-25 12:39:13.000000000 -0500
@@ -20,6 +20,28 @@
## </desc>
gen_tunable(virt_use_samba, false)
@@ -24003,7 +23274,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -196,8 +300,150 @@
+@@ -196,8 +300,152 @@
xen_stream_connect(virtd_t)
xen_stream_connect_xenstore(virtd_t)
@@ -24047,6 +23318,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+corenet_udp_sendrecv_all_ports(svirt_t)
+corenet_udp_bind_generic_node(svirt_t)
+corenet_udp_bind_all_ports(svirt_t)
++corenet_tcp_bind_all_ports(svirt_t)
++corenet_tcp_connect_all_ports(svirt_t)
+
+tunable_policy(`virt_use_comm',`
+ term_use_unallocated_ttys(svirt_t)
@@ -24154,9 +23427,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ virt_read_content(virt_domain)
+ virt_stream_connect(virt_domain)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.7.1/policy/modules/services/w3c.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.7.3/policy/modules/services/w3c.te
--- nsaserefpolicy/policy/modules/services/w3c.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/w3c.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/w3c.te 2009-11-25 12:39:13.000000000 -0500
@@ -8,11 +8,18 @@
apache_content_template(w3c_validator)
@@ -24176,9 +23449,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.1/policy/modules/services/xserver.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.3/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/xserver.fc 2009-11-20 10:11:53.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/xserver.fc 2009-11-25 12:39:13.000000000 -0500
@@ -3,12 +3,19 @@
#
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
@@ -24273,9 +23546,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+/var/lib/nxserver/home/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+/var/lib/nxserver/home/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.1/policy/modules/services/xserver.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.3/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2009-09-09 15:37:17.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/services/xserver.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/xserver.if 2009-11-25 12:39:13.000000000 -0500
@@ -74,6 +74,12 @@
domtrans_pattern($2, iceauth_exec_t, iceauth_t)
@@ -25146,9 +24419,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow xdm_t $1:dbus send_msg;
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.1/policy/modules/services/xserver.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.3/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/services/xserver.te 2009-11-20 16:23:57.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/services/xserver.te 2009-11-25 12:39:13.000000000 -0500
@@ -34,6 +34,13 @@
## <desc>
@@ -25952,44 +25225,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-#
-allow xdm_t user_home_type:file unlink;
-') dnl end TODO
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.7.1/policy/modules/system/application.if
---- nsaserefpolicy/policy/modules/system/application.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/application.if 2009-11-17 11:06:58.000000000 -0500
-@@ -2,7 +2,7 @@
-
- ########################################
- ## <summary>
--## Make the specified type usable as an application domain.
-+## Send signull to application domains
- ## </summary>
- ## <param name="type">
- ## <summary>
-@@ -101,3 +101,21 @@
- application_executable_file($2)
- domain_entry_file($1,$2)
- ')
-+
-+########################################
-+## <summary>
-+## Send signull to unprivileged user domains.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`application_signull',`
-+ gen_require(`
-+ attribute application_domain_type;
-+ ')
-+
-+ allow $1 application_domain_type:process signull;
-+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.7.1/policy/modules/system/application.te
---- nsaserefpolicy/policy/modules/system/application.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/application.te 2009-11-17 11:06:58.000000000 -0500
-@@ -7,7 +7,18 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.7.3/policy/modules/system/application.te
+--- nsaserefpolicy/policy/modules/system/application.te 2009-11-25 11:47:19.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/application.te 2009-11-25 12:39:13.000000000 -0500
+@@ -7,6 +7,12 @@
# Executables to be run by user
attribute application_exec_type;
@@ -26002,15 +25241,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
ssh_sigchld(application_domain_type)
ssh_rw_stream_sockets(application_domain_type)
- ')
-+
-+optional_policy(`
-+ sudo_sigchld(application_domain_type)
-+')
-+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.7.1/policy/modules/system/authlogin.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.7.3/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/authlogin.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/authlogin.fc 2009-11-25 12:39:13.000000000 -0500
@@ -7,12 +7,10 @@
/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
@@ -26036,9 +25269,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.1/policy/modules/system/authlogin.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.3/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/authlogin.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/authlogin.if 2009-11-25 12:39:13.000000000 -0500
@@ -40,17 +40,76 @@
## </summary>
## </param>
@@ -26349,9 +25582,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.7.1/policy/modules/system/authlogin.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.7.3/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/authlogin.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/authlogin.te 2009-11-25 12:39:13.000000000 -0500
@@ -103,6 +103,7 @@
fs_dontaudit_getattr_xattr_fs(chkpwd_t)
@@ -26379,23 +25612,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# PAM local policy
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.7.1/policy/modules/system/fstools.fc
---- nsaserefpolicy/policy/modules/system/fstools.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/fstools.fc 2009-11-17 11:06:58.000000000 -0500
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.7.3/policy/modules/system/fstools.fc
+--- nsaserefpolicy/policy/modules/system/fstools.fc 2009-11-25 11:47:19.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/fstools.fc 2009-11-25 12:39:13.000000000 -0500
@@ -1,4 +1,3 @@
-/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -6,6 +5,7 @@
- /sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/dumpe2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/e2fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -21,7 +21,6 @@
+@@ -22,7 +21,6 @@
/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -26403,9 +25628,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.7.1/policy/modules/system/fstools.te
---- nsaserefpolicy/policy/modules/system/fstools.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/fstools.te 2009-11-17 11:06:58.000000000 -0500
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.7.3/policy/modules/system/fstools.te
+--- nsaserefpolicy/policy/modules/system/fstools.te 2009-11-25 11:47:19.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/fstools.te 2009-11-25 12:39:13.000000000 -0500
@@ -118,6 +118,8 @@
fs_search_tmpfs(fsadm_t)
fs_getattr_tmpfs_dirs(fsadm_t)
@@ -26415,11 +25640,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Recreate /mnt/cdrom.
files_manage_mnt_dirs(fsadm_t)
# for tune2fs
-@@ -144,11 +146,11 @@
- miscfiles_read_localization(fsadm_t)
-
- modutils_read_module_config(fsadm_t)
-+modutils_read_module_deps(fsadm_t)
+@@ -148,8 +150,7 @@
seutil_read_config(fsadm_t)
@@ -26429,15 +25650,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`distro_redhat',`
optional_policy(`
-@@ -177,4 +179,5 @@
-
- optional_policy(`
- xen_append_log(fsadm_t)
-+ xen_rw_image_files(fsadm_t)
- ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.7.1/policy/modules/system/init.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.7.3/policy/modules/system/init.fc
--- nsaserefpolicy/policy/modules/system/init.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/init.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/init.fc 2009-11-25 12:39:13.000000000 -0500
@@ -4,10 +4,10 @@
/etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
@@ -26461,9 +25676,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#
# /var
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.1/policy/modules/system/init.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.3/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/system/init.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/init.if 2009-11-25 12:39:13.000000000 -0500
@@ -162,6 +162,7 @@
gen_require(`
attribute direct_run_init, direct_init, direct_init_entry;
@@ -26718,9 +25933,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow $1 init_t:unix_dgram_socket sendto;
+ allow init_t $1:unix_dgram_socket sendto;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.1/policy/modules/system/init.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.3/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/system/init.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/init.te 2009-11-25 12:39:13.000000000 -0500
@@ -17,6 +17,20 @@
## </desc>
gen_tunable(init_upstart, false)
@@ -27305,17 +26520,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ fail2ban_read_lib_files(daemon)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.7.1/policy/modules/system/ipsec.fc
---- nsaserefpolicy/policy/modules/system/ipsec.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/ipsec.fc 2009-11-17 11:06:58.000000000 -0500
-@@ -1,3 +1,6 @@
-+/etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
-+
- /etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
- /etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
- /etc/racoon/psk\.txt -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
-@@ -34,6 +37,8 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.7.3/policy/modules/system/ipsec.fc
+--- nsaserefpolicy/policy/modules/system/ipsec.fc 2009-11-25 11:47:19.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/ipsec.fc 2009-11-25 12:39:13.000000000 -0500
+@@ -37,6 +37,8 @@
/var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
@@ -27325,66 +26533,104 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
-/var/run/racoon.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.7.1/policy/modules/system/ipsec.if
---- nsaserefpolicy/policy/modules/system/ipsec.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/ipsec.if 2009-11-17 11:06:58.000000000 -0500
-@@ -229,3 +229,28 @@
- ipsec_domtrans_setkey($1)
- role $2 types setkey_t;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.7.3/policy/modules/system/ipsec.if
+--- nsaserefpolicy/policy/modules/system/ipsec.if 2009-11-25 11:47:19.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/ipsec.if 2009-11-25 12:39:13.000000000 -0500
+@@ -189,50 +189,50 @@
+
+ ########################################
+ ## <summary>
+-## Execute racoon and allow the specified role the domain.
++## Execute setkey in the setkey domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-## <param name="role">
+-## <summary>
+-## Role allowed access.
++## The type of the process performing this action.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`ipsec_run_racoon',`
++interface(`ipsec_domtrans_setkey',`
+ gen_require(`
+- type racoon_t;
++ type setkey_t, setkey_exec_t;
+ ')
+
+- ipsec_domtrans_racoon($1)
+- role $2 types racoon_t;
++ domtrans_pattern($1, setkey_exec_t, setkey_t)
')
-+
-+########################################
-+## <summary>
-+## Execute racoon and allow the specified role the domains.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+
+ ########################################
+ ## <summary>
+-## Execute setkey in the setkey domain.
++## Execute setkey and allow the specified role the domains.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## The type of the process performing this action.
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
-+## The role to be allowed the racoon and racoon domains.
-+## </summary>
-+## </param>
++## The role to be allowed the racoon and setkey domains.
+ ## </summary>
+ ## </param>
+## <rolecap/>
-+#
+ #
+-interface(`ipsec_domtrans_setkey',`
++interface(`ipsec_run_setkey',`
+ gen_require(`
+- type setkey_t, setkey_exec_t;
++ type setkey_t;
+ ')
+
+- domtrans_pattern($1, setkey_exec_t, setkey_t)
++ ipsec_domtrans_setkey($1)
++ role $2 types setkey_t;
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute setkey and allow the specified role the domains.
++## Execute racoon and allow the specified role the domains.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -241,16 +241,16 @@
+ ## </param>
+ ## <param name="role">
+ ## <summary>
+-## The role to be allowed the racoon and setkey domains.
++## The role to be allowed the racoon and racoon domains.
+ ## </summary>
+ ## </param>
+ ## <rolecap/>
+ #
+-interface(`ipsec_run_setkey',`
+interface(`ipsec_run_racoon',`
-+ gen_require(`
+ gen_require(`
+- type setkey_t;
+ type racoon_t;
-+ ')
-+
+ ')
+
+- ipsec_domtrans_setkey($1)
+- role $2 types setkey_t;
+ ipsec_domtrans_racoon($1)
+ role $2 types racoon_t;
-+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.1/policy/modules/system/ipsec.te
---- nsaserefpolicy/policy/modules/system/ipsec.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/ipsec.te 2009-11-19 09:40:34.000000000 -0500
-@@ -6,6 +6,13 @@
- # Declarations
- #
-
-+## <desc>
-+## <p>
-+## Allow racoon to read shadow
-+## </p>
-+## </desc>
-+gen_tunable(racoon_read_shadow, false)
-+
- type ipsec_t;
- type ipsec_exec_t;
- init_daemon_domain(ipsec_t, ipsec_exec_t)
-@@ -15,6 +22,9 @@
- type ipsec_conf_file_t;
- files_type(ipsec_conf_file_t)
-
-+type ipsec_initrc_exec_t;
-+init_script_file(ipsec_initrc_exec_t)
-+
- # type for file(s) containing ipsec keys - RSA or preshared
- type ipsec_key_file_t;
- files_type(ipsec_key_file_t)
-@@ -22,6 +32,9 @@
+ ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.3/policy/modules/system/ipsec.te
+--- nsaserefpolicy/policy/modules/system/ipsec.te 2009-11-25 11:47:19.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/ipsec.te 2009-11-25 12:39:13.000000000 -0500
+@@ -32,6 +32,9 @@
# Default type for IPSEC SPD entries
type ipsec_spd_t;
@@ -27394,74 +26640,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# type for runtime files, including pluto.ctl
type ipsec_var_run_t;
files_pid_file(ipsec_var_run_t)
-@@ -43,6 +56,9 @@
- init_daemon_domain(racoon_t, racoon_exec_t)
- role system_r types racoon_t;
-
-+type racoon_tmp_t;
-+files_tmp_file(racoon_tmp_t)
-+
- type setkey_t;
- type setkey_exec_t;
- init_system_domain(setkey_t, setkey_exec_t)
-@@ -53,21 +69,23 @@
+@@ -66,7 +69,7 @@
# ipsec Local policy
#
--allow ipsec_t self:capability { net_admin dac_override dac_read_search };
-+allow ipsec_t self:capability { net_admin dac_override dac_read_search sys_nice };
+-allow ipsec_t self:capability { net_admin dac_override dac_read_search sys_nice };
++allow ipsec_t self:capability { setpcap net_admin dac_override dac_read_search sys_nice };
dontaudit ipsec_t self:capability sys_tty_config;
--allow ipsec_t self:process { signal setsched };
-+allow ipsec_t self:process { getcap setcap getsched signal setsched };
+ allow ipsec_t self:process { getcap setcap getsched signal setsched };
allow ipsec_t self:tcp_socket create_stream_socket_perms;
- allow ipsec_t self:udp_socket create_socket_perms;
- allow ipsec_t self:key_socket create_socket_perms;
- allow ipsec_t self:fifo_file read_fifo_file_perms;
- allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
-
-+allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
-+
- allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
- read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
- read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
-
- allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
--read_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
-+manage_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
- read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
-
- manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
-@@ -82,16 +100,17 @@
- # so try flipping back into the ipsec_mgmt_t domain
- corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
- allow ipsec_mgmt_t ipsec_t:fd use;
--allow ipsec_mgmt_t ipsec_t:fifo_file rw_file_perms;
-+allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
- allow ipsec_mgmt_t ipsec_t:process sigchld;
-
--kernel_read_kernel_sysctls(ipsec_t)
- kernel_list_proc(ipsec_t)
-+kernel_read_kernel_sysctls(ipsec_t)
- kernel_read_proc_symlinks(ipsec_t)
- # allow pluto to access /proc/net/ipsec_eroute;
- kernel_read_system_state(ipsec_t)
- kernel_read_network_state(ipsec_t)
- kernel_read_software_raid_state(ipsec_t)
-+kernel_request_load_module(ipsec_t)
- kernel_getattr_core_if(ipsec_t)
- kernel_getattr_message_if(ipsec_t)
-
-@@ -120,7 +139,9 @@
-
- domain_use_interactive_fds(ipsec_t)
-
-+files_list_tmp(ipsec_t)
- files_read_etc_files(ipsec_t)
-+files_read_usr_files(ipsec_t)
-
- fs_getattr_all_fs(ipsec_t)
- fs_search_auto_mountpoints(ipsec_t)
-@@ -154,16 +175,19 @@
+@@ -172,7 +175,7 @@
#
allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
@@ -27470,10 +26658,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
- allow ipsec_mgmt_t self:key_socket create_socket_perms;
--allow ipsec_mgmt_t self:fifo_file rw_file_perms;
-+allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
-
+@@ -182,6 +185,9 @@
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
@@ -27483,7 +26668,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
-@@ -241,6 +265,7 @@
+@@ -259,6 +265,7 @@
init_use_script_ptys(ipsec_mgmt_t)
init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
@@ -27491,60 +26676,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(ipsec_mgmt_t)
-@@ -280,6 +305,13 @@
- allow racoon_t self:netlink_selinux_socket { bind create read };
- allow racoon_t self:udp_socket create_socket_perms;
- allow racoon_t self:key_socket create_socket_perms;
-+allow racoon_t self:fifo_file rw_fifo_file_perms;
-+
-+manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
-+manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
-+files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file })
-+
-+can_exec(racoon_t, setkey_exec_t)
-
- # manage pid file
- manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
-@@ -296,6 +328,14 @@
+@@ -323,6 +330,7 @@
kernel_read_system_state(racoon_t)
kernel_read_network_state(racoon_t)
+kernel_request_load_module(racoon_t)
-+
-+can_exec(racoon_t, racoon_exec_t)
-+
-+corecmd_exec_shell(racoon_t)
-+corecmd_exec_bin(racoon_t)
-+
-+sysnet_exec_ifconfig(racoon_t)
- corenet_all_recvfrom_unlabeled(racoon_t)
- corenet_tcp_sendrecv_all_if(racoon_t)
-@@ -314,6 +354,8 @@
+ corecmd_exec_shell(racoon_t)
+ corecmd_exec_bin(racoon_t)
+@@ -362,6 +370,8 @@
- files_read_etc_files(racoon_t)
-
-+fs_dontaudit_getattr_xattr_fs(racoon_t)
-+
- # allow racoon to use avc_has_perm to check context on proposed SA
- selinux_compute_access_vector(racoon_t)
-
-@@ -328,6 +370,14 @@
-
- miscfiles_read_localization(racoon_t)
+ sysnet_exec_ifconfig(racoon_t)
+auth_use_pam(racoon_t)
+
-+
-+auth_can_read_shadow_passwords(racoon_t)
-+tunable_policy(`racoon_read_shadow',`
-+ auth_tunable_read_shadow(racoon_t)
-+')
-+
- ########################################
- #
- # Setkey local policy
-@@ -341,12 +391,15 @@
+ auth_can_read_shadow_passwords(racoon_t)
+ tunable_policy(`racoon_read_shadow',`
+ auth_tunable_read_shadow(racoon_t)
+@@ -380,12 +390,15 @@
read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
@@ -27560,9 +26709,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# allow setkey to set the context for ipsec SAs and policy.
ipsec_setcontext_default_spd(setkey_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.7.1/policy/modules/system/iptables.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.7.3/policy/modules/system/iptables.fc
--- nsaserefpolicy/policy/modules/system/iptables.fc 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/iptables.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/iptables.fc 2009-11-25 12:39:13.000000000 -0500
@@ -1,7 +1,16 @@
-/sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
+
@@ -27584,9 +26733,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.7.1/policy/modules/system/iptables.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.7.3/policy/modules/system/iptables.if
--- nsaserefpolicy/policy/modules/system/iptables.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/iptables.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/iptables.if 2009-11-25 12:39:13.000000000 -0500
@@ -19,6 +19,24 @@
domtrans_pattern($1, iptables_exec_t, iptables_t)
')
@@ -27695,9 +26844,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.1/policy/modules/system/iptables.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.3/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/system/iptables.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/iptables.te 2009-11-25 12:39:13.000000000 -0500
@@ -11,6 +11,12 @@
init_system_domain(iptables_t, iptables_exec_t)
role system_r types iptables_t;
@@ -27759,106 +26908,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
udev_read_db(iptables_t)
')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-3.7.1/policy/modules/system/iscsi.if
---- nsaserefpolicy/policy/modules/system/iscsi.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/iscsi.if 2009-11-17 11:06:58.000000000 -0500
-@@ -17,3 +17,43 @@
-
- domtrans_pattern($1, iscsid_exec_t, iscsid_t)
- ')
-+
-+########################################
-+## <summary>
-+## Read iscsi lib files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`iscsi_read_lib_files',`
-+ gen_require(`
-+ type iscsi_var_lib_t;
-+ ')
-+
-+ read_files_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t)
-+ allow $1 iscsi_var_lib_t:dir list_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+## <summary>
-+## Connect to ISCSI using a unix domain stream socket.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## The type of the process performing this action.
-+## </summary>
-+## </param>
-+#
-+interface(`iscsi_stream_connect',`
-+ gen_require(`
-+ type iscsid_t, iscsi_var_lib_t;
-+ ')
-+
-+ files_search_pids($1)
-+ stream_connect_pattern($1,iscsi_var_lib_t,iscsi_var_lib_t,iscsid_t)
-+')
-+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.7.1/policy/modules/system/iscsi.te
---- nsaserefpolicy/policy/modules/system/iscsi.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/iscsi.te 2009-11-17 11:06:58.000000000 -0500
-@@ -55,6 +55,7 @@
- files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
-
- kernel_read_system_state(iscsid_t)
-+kernel_search_debugfs(iscsid_t)
-
- corenet_all_recvfrom_unlabeled(iscsid_t)
- corenet_all_recvfrom_netlabel(iscsid_t)
-@@ -68,11 +69,12 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.7.3/policy/modules/system/iscsi.te
+--- nsaserefpolicy/policy/modules/system/iscsi.te 2009-11-25 11:47:19.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/iscsi.te 2009-11-25 12:39:13.000000000 -0500
+@@ -69,6 +69,7 @@
dev_rw_sysfs(iscsid_t)
domain_use_interactive_fds(iscsid_t)
-+domain_read_all_domains_state(iscsid_t)
++domain_dontaudit_read_all_domains_state(iscsid_t)
files_read_etc_files(iscsid_t)
- logging_send_syslog_msg(iscsid_t)
-
--miscfiles_read_localization(iscsid_t)
-+auth_use_nsswitch(iscsid_t)
-
--sysnet_dns_name_resolve(iscsid_t)
-+miscfiles_read_localization(iscsid_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.te serefpolicy-3.7.1/policy/modules/system/kdump.te
---- nsaserefpolicy/policy/modules/system/kdump.te 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/kdump.te 2009-11-17 11:06:58.000000000 -0500
-@@ -21,7 +21,7 @@
- # kdump local policy
- #
-
--allow kdump_t self:capability { sys_boot dac_override };
-+allow kdump_t self:capability { sys_boot sys_rawio dac_override };
-
- read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)
-
-@@ -29,8 +29,11 @@
- files_read_kernel_img(kdump_t)
-
- kernel_read_system_state(kdump_t)
-+kernel_read_core_if(kdump_t)
-
- dev_read_framebuffer(kdump_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.te serefpolicy-3.7.3/policy/modules/system/kdump.te
+--- nsaserefpolicy/policy/modules/system/kdump.te 2009-11-25 11:47:19.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/kdump.te 2009-11-25 12:39:13.000000000 -0500
+@@ -35,3 +35,5 @@
dev_read_sysfs(kdump_t)
term_use_console(kdump_t)
+
+permissive kdump_t;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.1/policy/modules/system/libraries.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.3/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/libraries.fc 2009-11-25 06:13:34.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/libraries.fc 2009-11-25 12:39:13.000000000 -0500
@@ -60,12 +60,15 @@
#
# /opt
@@ -28173,9 +27245,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.1/policy/modules/system/libraries.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.3/policy/modules/system/libraries.if
--- nsaserefpolicy/policy/modules/system/libraries.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/libraries.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/libraries.if 2009-11-25 12:39:13.000000000 -0500
@@ -17,6 +17,7 @@
corecmd_search_bin($1)
@@ -28202,9 +27274,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow $1 lib_t:dir list_dir_perms;
read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.7.1/policy/modules/system/libraries.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.7.3/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/system/libraries.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/libraries.te 2009-11-25 12:39:13.000000000 -0500
@@ -58,11 +58,11 @@
# ldconfig local policy
#
@@ -28266,9 +27338,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ unconfined_domain(ldconfig_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.7.1/policy/modules/system/locallogin.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.7.3/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/locallogin.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/locallogin.te 2009-11-25 12:39:13.000000000 -0500
@@ -33,7 +33,7 @@
# Local login local policy
#
@@ -28357,9 +27429,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-optional_policy(`
- nscd_socket_use(sulogin_t)
-')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.7.1/policy/modules/system/logging.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.7.3/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/logging.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/logging.fc 2009-11-25 12:39:13.000000000 -0500
@@ -51,17 +51,21 @@
ifdef(`distro_redhat',`
@@ -28386,9 +27458,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.7.1/policy/modules/system/logging.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.7.3/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2009-08-28 14:58:20.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/logging.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/logging.if 2009-11-25 12:39:13.000000000 -0500
@@ -69,6 +69,20 @@
########################################
@@ -28428,9 +27500,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.1/policy/modules/system/logging.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.3/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/system/logging.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/logging.te 2009-11-25 12:39:13.000000000 -0500
@@ -123,10 +123,10 @@
allow auditd_t self:capability { chown fsetid sys_nice sys_resource };
@@ -28538,81 +27610,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
inn_manage_log(syslogd_t)
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.7.1/policy/modules/system/lvm.if
---- nsaserefpolicy/policy/modules/system/lvm.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/lvm.if 2009-11-17 11:06:58.000000000 -0500
-@@ -21,6 +21,26 @@
-
- ########################################
- ## <summary>
-+## Execute lvm programs in the caller domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## The type of the process performing this action.
-+## </summary>
-+## </param>
-+#
-+interface(`lvm_exec',`
-+ gen_require(`
-+ type lvm_exec_t;
-+ ')
-+
-+ corecmd_search_sbin($1)
-+ can_exec($1, lvm_exec_t)
-+
-+')
-+
-+########################################
-+## <summary>
- ## Execute lvm programs in the lvm domain.
- ## </summary>
- ## <param name="domain">
-@@ -85,3 +105,22 @@
- manage_dirs_pattern($1, lvm_etc_t, lvm_etc_t)
- manage_files_pattern($1, lvm_etc_t, lvm_etc_t)
- ')
-+
-+######################################
-+## <summary>
-+## Execute a domain transition to run clvmd.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`lvm_clvmd_domtrans',`
-+ gen_require(`
-+ type clvmd_t, clvmd_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1,clvmd_exec_t,clvmd_t)
-+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.1/policy/modules/system/lvm.te
---- nsaserefpolicy/policy/modules/system/lvm.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/lvm.te 2009-11-17 11:06:58.000000000 -0500
-@@ -10,6 +10,9 @@
- type clvmd_exec_t;
- init_daemon_domain(clvmd_t, clvmd_exec_t)
-
-+type clvmd_initrc_exec_t;
-+init_script_file(clvmd_initrc_exec_t)
-+
- type clvmd_var_run_t;
- files_pid_file(clvmd_var_run_t)
-
-@@ -102,6 +105,7 @@
- fs_search_auto_mountpoints(clvmd_t)
- fs_dontaudit_list_tmpfs(clvmd_t)
- fs_dontaudit_read_removable_files(clvmd_t)
-+fs_rw_anon_inodefs_files(clvmd_t)
-
- storage_dontaudit_getattr_removable_dev(clvmd_t)
- storage_manage_fixed_disk(clvmd_t)
-@@ -138,6 +142,10 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.3/policy/modules/system/lvm.te
+--- nsaserefpolicy/policy/modules/system/lvm.te 2009-11-25 11:47:19.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/lvm.te 2009-11-25 12:39:13.000000000 -0500
+@@ -142,6 +142,10 @@
')
optional_policy(`
@@ -28623,24 +27624,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ccs_stream_connect(clvmd_t)
')
-@@ -168,7 +176,7 @@
- # LVM will complain a lot if it cannot set its priority.
- allow lvm_t self:process setsched;
- allow lvm_t self:file rw_file_perms;
--allow lvm_t self:fifo_file rw_fifo_file_perms;
-+allow lvm_t self:fifo_file manage_fifo_file_perms;
- allow lvm_t self:unix_dgram_socket create_socket_perms;
- allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
-
-@@ -214,6 +222,7 @@
- # it has no reason to need this
- kernel_dontaudit_getattr_core_if(lvm_t)
- kernel_use_fds(lvm_t)
-+kernel_search_debugfs(lvm_t)
-
- corecmd_exec_bin(lvm_t)
- corecmd_exec_shell(lvm_t)
-@@ -239,6 +248,7 @@
+@@ -244,6 +248,7 @@
dev_dontaudit_getattr_generic_blk_files(lvm_t)
dev_dontaudit_getattr_generic_pipes(lvm_t)
dev_create_generic_dirs(lvm_t)
@@ -28648,7 +27632,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_use_interactive_fds(lvm_t)
domain_read_all_domains_state(lvm_t)
-@@ -248,6 +258,7 @@
+@@ -253,6 +258,7 @@
files_read_etc_runtime_files(lvm_t)
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dirs(lvm_t)
@@ -28656,31 +27640,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_getattr_xattr_fs(lvm_t)
fs_search_auto_mountpoints(lvm_t)
-@@ -255,6 +266,7 @@
- fs_read_tmpfs_symlinks(lvm_t)
- fs_dontaudit_read_removable_files(lvm_t)
- fs_dontaudit_getattr_tmpfs_files(lvm_t)
-+fs_rw_anon_inodefs_files(lvm_t)
-
- selinux_get_fs_mount(lvm_t)
- selinux_validate_context(lvm_t)
-@@ -273,10 +285,15 @@
- storage_dev_filetrans_fixed_disk(lvm_t)
- # Access raw devices and old /dev/lvm (c 109,0). Is this needed?
- storage_manage_fixed_disk(lvm_t)
-+mls_file_read_all_levels(lvm_t)
-+mls_file_write_to_clearance(lvm_t)
-+
-+term_use_all_terms(lvm_t)
-
- init_use_fds(lvm_t)
- init_dontaudit_getattr_initctl(lvm_t)
- init_use_script_ptys(lvm_t)
-+init_read_script_state(lvm_t)
-
- logging_send_syslog_msg(lvm_t)
-
-@@ -299,6 +316,10 @@
+@@ -311,6 +317,10 @@
')
optional_policy(`
@@ -28691,164 +27651,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
bootloader_rw_tmp_files(lvm_t)
')
-@@ -313,8 +334,10 @@
- optional_policy(`
- dbus_system_bus_client(lvm_t)
-
-+ optional_policy(`
- hal_dbus_chat(lvm_t)
- ')
-+')
-
- optional_policy(`
- modutils_domtrans_insmod(lvm_t)
-@@ -329,6 +352,10 @@
- ')
-
- optional_policy(`
-+ virt_manage_images(lvm_t)
-+')
-+
-+optional_policy(`
- xen_append_log(lvm_t)
- xen_dontaudit_rw_unix_stream_sockets(lvm_t)
- ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.7.1/policy/modules/system/miscfiles.fc
---- nsaserefpolicy/policy/modules/system/miscfiles.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/miscfiles.fc 2009-11-17 11:06:58.000000000 -0500
-@@ -85,3 +85,5 @@
- /var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
- /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
- ')
-+
-+HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.7.1/policy/modules/system/miscfiles.if
---- nsaserefpolicy/policy/modules/system/miscfiles.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/miscfiles.if 2009-11-17 11:06:58.000000000 -0500
-@@ -23,6 +23,28 @@
-
- ########################################
- ## <summary>
-+## Read system SSL certificates in the users homedir.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`miscfiles_read_home_certs',`
-+ gen_require(`
-+ type home_cert_t;
-+ ')
-+
-+ userdom_search_user_home_dirs($1)
-+ allow $1 home_cert_t:dir list_dir_perms;
-+ read_files_pattern($1, home_cert_t, home_cert_t)
-+ read_lnk_files_pattern($1, home_cert_t, home_cert_t)
-+')
-+
-+########################################
-+## <summary>
- ## manange system SSL certificates.
- ## </summary>
- ## <param name="domain">
-@@ -87,6 +109,44 @@
-
- ########################################
- ## <summary>
-+## dontaudit domain setattr on fonts dir
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`miscfiles_dontaudit_setattr_fonts',`
-+ gen_require(`
-+ type fonts_t;
-+ ')
-+
-+ dontaudit $1 fonts_t:dir setattr;
-+')
-+
-+########################################
-+## <summary>
-+## Allow domain to setattr on fonts dir
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`miscfiles_setattr_fonts',`
-+ gen_require(`
-+ type fonts_t;
-+ ')
-+
-+ allow $1 fonts_t:dir setattr;
-+')
-+
-+########################################
-+## <summary>
- ## Do not audit attempts to write fonts.
- ## </summary>
- ## <param name="domain">
-@@ -255,6 +315,24 @@
-
- ########################################
- ## <summary>
-+## Allow process to search man pages.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`miscfiles_search_man_pages',`
-+ gen_require(`
-+ type man_t;
-+ ')
-+
-+ allow $1 man_t:dir search_dir_perms;
-+')
-+
-+########################################
-+## <summary>
- ## Do not audit attempts to search man pages.
- ## </summary>
- ## <param name="domain">
-@@ -268,7 +346,7 @@
- type man_t;
- ')
-
-- dontaudit $1 man_t:dir search;
-+ dontaudit $1 man_t:dir search_dir_perms;
- ')
-
- ########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.7.1/policy/modules/system/miscfiles.te
---- nsaserefpolicy/policy/modules/system/miscfiles.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/miscfiles.te 2009-11-17 11:06:58.000000000 -0500
-@@ -12,6 +12,9 @@
- type cert_t;
- files_type(cert_t)
-
-+type home_cert_t;
-+userdom_user_home_content(home_cert_t)
-+
- #
- # fonts_t is the type of various font
- # files in /usr
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.fc serefpolicy-3.7.1/policy/modules/system/modutils.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.fc serefpolicy-3.7.3/policy/modules/system/modutils.fc
--- nsaserefpolicy/policy/modules/system/modutils.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/modutils.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/modutils.fc 2009-11-25 12:39:13.000000000 -0500
@@ -1,6 +1,7 @@
/etc/modules\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0)
@@ -28857,9 +27662,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`distro_gentoo',`
# gentoo init scripts still manage this file
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.7.1/policy/modules/system/modutils.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.7.3/policy/modules/system/modutils.if
--- nsaserefpolicy/policy/modules/system/modutils.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/modutils.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/modutils.if 2009-11-25 12:39:13.000000000 -0500
@@ -1,5 +1,24 @@
## <summary>Policy for kernel module utilities</summary>
@@ -28933,9 +27738,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.1/policy/modules/system/modutils.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.3/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/modutils.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/modutils.te 2009-11-25 12:39:13.000000000 -0500
@@ -19,6 +19,7 @@
type insmod_exec_t;
application_domain(insmod_t, insmod_exec_t)
@@ -29102,9 +27907,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_kernel_modules_filetrans(update_modules_t, modules_conf_t, file)
files_etc_filetrans(update_modules_t, modules_conf_t, file)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.7.1/policy/modules/system/mount.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.7.3/policy/modules/system/mount.fc
--- nsaserefpolicy/policy/modules/system/mount.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/mount.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/mount.fc 2009-11-25 12:39:13.000000000 -0500
@@ -1,4 +1,9 @@
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
@@ -29116,9 +27921,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.7.1/policy/modules/system/mount.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.7.3/policy/modules/system/mount.if
--- nsaserefpolicy/policy/modules/system/mount.if 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/mount.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/mount.if 2009-11-25 12:39:13.000000000 -0500
@@ -84,9 +84,11 @@
interface(`mount_signal',`
gen_require(`
@@ -29131,9 +27936,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.1/policy/modules/system/mount.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.3/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/mount.te 2009-11-19 14:07:23.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/mount.te 2009-11-25 12:39:13.000000000 -0500
@@ -18,8 +18,12 @@
init_system_domain(mount_t, mount_exec_t)
role system_r types mount_t;
@@ -29342,36 +28147,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ rpc_domtrans_rpcd(unconfined_mount_t)
')
+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.fc serefpolicy-3.7.1/policy/modules/system/raid.fc
---- nsaserefpolicy/policy/modules/system/raid.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/raid.fc 2009-11-17 11:06:58.000000000 -0500
-@@ -3,3 +3,5 @@
- /sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
-
- /var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
-+
-+/dev/.mdadm.map -- gen_context(system_u:object_r:mdadm_map_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.7.1/policy/modules/system/raid.te
---- nsaserefpolicy/policy/modules/system/raid.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/raid.te 2009-11-17 11:06:58.000000000 -0500
-@@ -14,6 +14,9 @@
- type mdadm_var_run_t;
- files_pid_file(mdadm_var_run_t)
-
-+type mdadm_map_t;
-+files_type(mdadm_map_t)
-+
- ########################################
- #
- # Local policy
-@@ -44,11 +47,16 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.7.3/policy/modules/system/raid.te
+--- nsaserefpolicy/policy/modules/system/raid.te 2009-11-25 11:47:19.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/raid.te 2009-11-25 12:39:13.000000000 -0500
+@@ -51,11 +51,13 @@
dev_dontaudit_getattr_generic_chr_files(mdadm_t)
dev_dontaudit_getattr_generic_blk_files(mdadm_t)
dev_read_realtime_clock(mdadm_t)
+dev_read_raw_memory(mdadm_t)
-+# create .mdadm files in /dev
-+allow mdadm_t mdadm_map_t:file manage_file_perms;
-+dev_filetrans(mdadm_t, mdadm_map_t, file)
domain_use_interactive_fds(mdadm_t)
@@ -29381,9 +28164,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_search_auto_mountpoints(mdadm_t)
fs_dontaudit_list_tmpfs(mdadm_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.7.1/policy/modules/system/selinuxutil.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.7.3/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/selinuxutil.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/selinuxutil.fc 2009-11-25 12:39:13.000000000 -0500
@@ -6,13 +6,13 @@
/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
@@ -29423,9 +28206,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.7.1/policy/modules/system/selinuxutil.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.7.3/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/selinuxutil.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/selinuxutil.if 2009-11-25 12:39:13.000000000 -0500
@@ -351,6 +351,27 @@
########################################
@@ -29781,9 +28564,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ hotplug_use_fds($1)
+')
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.1/policy/modules/system/selinuxutil.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.3/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/selinuxutil.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/selinuxutil.te 2009-11-25 12:39:13.000000000 -0500
@@ -23,6 +23,9 @@
type selinux_config_t;
files_type(selinux_config_t)
@@ -30146,48 +28929,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+kernel_relabelto_unlabeled(setfiles_mac_t)
- # cjp: cover up stray file descriptors.
- optional_policy(`
-- unconfined_dontaudit_read_pipes(setfiles_t)
-- unconfined_dontaudit_rw_tcp_sockets(setfiles_t)
-- ')
-+ setroubleshoot_dontaudit_rw_dgram_sockets(setfiles_t)
-+ setroubleshoot_dontaudit_rw_dgram_sockets(setsebool_t)
- ')
-
- optional_policy(`
-- hotplug_use_fds(setfiles_t)
-+ unconfined_domain(setfiles_mac_t)
- ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.7.1/policy/modules/system/setrans.if
---- nsaserefpolicy/policy/modules/system/setrans.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/setrans.if 2009-11-17 11:06:58.000000000 -0500
-@@ -21,3 +21,23 @@
- stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, setrans_t)
- files_list_pids($1)
- ')
-+
-+########################################
-+## <summary>
-+## Execute setrans server in the setrans domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## The type of the process performing this action.
-+## </summary>
-+## </param>
-+#
-+#
-+interface(`setrans_initrc_domtrans',`
-+ gen_require(`
-+ type setrans_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, setrans_initrc_exec_t)
-+')
-+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.7.1/policy/modules/system/sysnetwork.fc
+ optional_policy(`
+- unconfined_dontaudit_read_pipes(setfiles_t)
+- unconfined_dontaudit_rw_tcp_sockets(setfiles_t)
+- ')
++ setroubleshoot_dontaudit_rw_dgram_sockets(setfiles_t)
++ setroubleshoot_dontaudit_rw_dgram_sockets(setsebool_t)
+ ')
+
+ optional_policy(`
+- hotplug_use_fds(setfiles_t)
++ unconfined_domain(setfiles_mac_t)
+ ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.7.3/policy/modules/system/sysnetwork.fc
--- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/sysnetwork.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/sysnetwork.fc 2009-11-25 12:39:13.000000000 -0500
@@ -11,15 +11,20 @@
/etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
@@ -30216,9 +28972,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
+
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.1/policy/modules/system/sysnetwork.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.3/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/sysnetwork.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/sysnetwork.if 2009-11-25 12:39:13.000000000 -0500
@@ -43,6 +43,39 @@
sysnet_domtrans_dhcpc($1)
@@ -30396,9 +29152,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ role_transition $1 dhcpc_exec_t system_r;
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.1/policy/modules/system/sysnetwork.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.3/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/sysnetwork.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/sysnetwork.te 2009-11-25 12:39:13.000000000 -0500
@@ -20,6 +20,9 @@
init_daemon_domain(dhcpc_t, dhcpc_exec_t)
role system_r types dhcpc_t;
@@ -30611,69 +29367,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ hal_dontaudit_rw_pipes(ifconfig_t)
+ hal_dontaudit_rw_dgram_sockets(ifconfig_t)
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.7.1/policy/modules/system/udev.fc
---- nsaserefpolicy/policy/modules/system/udev.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/udev.fc 2009-11-17 11:06:58.000000000 -0500
-@@ -7,6 +7,9 @@
- /etc/hotplug\.d/default/udev.* -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
-
- /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
-+/etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
-+
-+/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
-
- /sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
- /sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.7.1/policy/modules/system/udev.if
---- nsaserefpolicy/policy/modules/system/udev.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/udev.if 2009-11-17 11:06:58.000000000 -0500
-@@ -168,4 +168,43 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.7.3/policy/modules/system/udev.if
+--- nsaserefpolicy/policy/modules/system/udev.if 2009-11-25 11:47:19.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/udev.if 2009-11-25 12:39:13.000000000 -0500
+@@ -186,6 +186,7 @@
dev_list_all_dev_nodes($1)
allow $1 udev_tbl_t:file rw_file_perms;
+ allow $1 udev_tbl_t:file unlink;
-+')
-+
-+########################################
-+## <summary>
-+## Create, read, write, and delete
-+## udev pid files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`udev_manage_pid_files',`
-+ gen_require(`
-+ type udev_var_run_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
-+')
-+
-+########################################
-+## <summary>
-+## Send signal to udev process
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`udev_signal',`
-+ gen_require(`
-+ type udev_t;
-+ ')
-+
-+ allow $1 udev_t:process signal;
')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.1/policy/modules/system/udev.te
---- nsaserefpolicy/policy/modules/system/udev.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/udev.te 2009-11-17 11:06:58.000000000 -0500
+
+ ########################################
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.3/policy/modules/system/udev.te
+--- nsaserefpolicy/policy/modules/system/udev.te 2009-11-25 11:47:19.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/udev.te 2009-11-25 12:39:13.000000000 -0500
@@ -50,6 +50,7 @@
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -30682,46 +29389,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow udev_t udev_exec_t:file write;
can_exec(udev_t, udev_exec_t)
-@@ -66,9 +67,11 @@
-
- manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
- manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
-+manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
- files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
-
- kernel_read_system_state(udev_t)
-+kernel_request_load_module(udev_t)
- kernel_getattr_core_if(udev_t)
- kernel_use_fds(udev_t)
- kernel_read_device_sysctls(udev_t)
-@@ -111,6 +114,7 @@
-
- fs_getattr_all_fs(udev_t)
- fs_list_inotifyfs(udev_t)
-+fs_rw_anon_inodefs_files(udev_t)
-
- mcs_ptrace_all(udev_t)
-
-@@ -140,6 +144,7 @@
- logging_send_audit_msgs(udev_t)
-
- miscfiles_read_localization(udev_t)
-+miscfiles_read_hwdata(udev_t)
-
- modutils_domtrans_insmod(udev_t)
- # read modules.inputmap:
-@@ -194,6 +199,10 @@
- ')
-
- optional_policy(`
-+ bluetooth_domtrans(udev_t)
-+')
-+
-+optional_policy(`
- brctl_domtrans(udev_t)
- ')
-
-@@ -202,14 +211,27 @@
+@@ -210,6 +211,10 @@
')
optional_policy(`
@@ -30732,24 +29400,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
consoletype_exec(udev_t)
')
- optional_policy(`
-+ cups_domtrans_config(udev_t)
-+')
-+
-+optional_policy(`
- dbus_system_bus_client(udev_t)
- ')
-
- optional_policy(`
-+ devicekit_read_pid_files(udev_t)
-+ devicekit_dgram_send(udev_t)
-+')
-+
-+optional_policy(`
- lvm_domtrans(udev_t)
- ')
-
-@@ -219,6 +241,7 @@
+@@ -236,6 +241,7 @@
optional_policy(`
hal_dgram_send(udev_t)
@@ -30757,29 +29408,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -228,6 +251,10 @@
+@@ -263,7 +269,7 @@
')
optional_policy(`
-+ mount_domtrans(udev_t)
-+')
-+
-+optional_policy(`
- openct_read_pid_files(udev_t)
- openct_domtrans(udev_t)
+- unconfined_signal(udev_t)
++ rpm_search_log(udev_t)
')
-@@ -242,6 +269,18 @@
+
+ optional_policy(`
+@@ -271,6 +277,10 @@
')
optional_policy(`
-+ rpm_search_log(udev_t)
-+')
-+
-+optional_policy(`
-+ vbetool_domtrans(udev_t)
-+')
-+
-+optional_policy(`
+ unconfined_signal(udev_t)
+')
+
@@ -30787,9 +29428,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_write_xen_state(udev_t)
kernel_read_xen_state(udev_t)
xen_manage_log(udev_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.7.1/policy/modules/system/unconfined.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.7.3/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/unconfined.fc 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/unconfined.fc 2009-11-25 12:39:13.000000000 -0500
@@ -1,16 +1 @@
# Add programs here which should not be confined by SELinux
-# e.g.:
@@ -30807,9 +29448,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-ifdef(`distro_gentoo',`
-/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.7.1/policy/modules/system/unconfined.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.7.3/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/unconfined.if 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/unconfined.if 2009-11-25 12:39:13.000000000 -0500
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@@ -31313,9 +29954,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-
- allow $1 unconfined_t:dbus acquire_svc;
-')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.7.1/policy/modules/system/unconfined.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.7.3/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/system/unconfined.te 2009-11-17 11:08:37.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/unconfined.te 2009-11-25 12:39:13.000000000 -0500
@@ -5,227 +5,5 @@
#
# Declarations
@@ -31545,10 +30186,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- hal_dbus_chat(unconfined_execmem_t)
- ')
-')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.1/policy/modules/system/userdomain.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.3/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/userdomain.fc 2009-11-17 11:06:58.000000000 -0500
-@@ -1,4 +1,8 @@
++++ serefpolicy-3.7.3/policy/modules/system/userdomain.fc 2009-11-25 12:39:13.000000000 -0500
+@@ -1,4 +1,9 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
@@ -31557,10 +30198,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
+/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0)
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
++HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+HOME_DIR/\.gvfs(/.*)? <<none>>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.1/policy/modules/system/userdomain.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.3/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/userdomain.if 2009-11-23 14:09:57.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/userdomain.if 2009-11-25 12:39:13.000000000 -0500
@@ -30,8 +30,9 @@
')
@@ -32478,7 +31120,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
loadkeys_run($1_t,$1_r)
')
')
-@@ -865,51 +950,97 @@
+@@ -865,51 +950,93 @@
userdom_restricted_user_template($1)
@@ -32535,7 +31177,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ optional_policy(`
+ alsa_read_rw_config($1_usertype)
+ ')
-+
+
+- xserver_restricted_role($1_r, $1_t)
+ optional_policy(`
+ apache_role($1_r, $1_usertype)
+ ')
@@ -32546,14 +31189,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ devicekit_dbus_chat_power($1_usertype)
+ ')
-- xserver_restricted_role($1_r, $1_t)
-+ optional_policy(`
-+ fprintd_dbus_chat($1_t)
-+ ')
-
optional_policy(`
- alsa_read_rw_config($1_t)
-+ gnomeclock_dbus_chat($1_t)
++ fprintd_dbus_chat($1_t)
')
optional_policy(`
@@ -32589,7 +31227,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -943,8 +1074,8 @@
+@@ -943,8 +1070,8 @@
# Declarations
#
@@ -32599,7 +31237,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_common_user_template($1)
##############################
-@@ -953,58 +1084,67 @@
+@@ -953,58 +1080,71 @@
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -32633,10 +31271,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- storage_raw_read_removable_device($1_t)
+ optional_policy(`
+ cdrecord_role($1_r, $1_t)
- ')
++ ')
+
+ optional_policy(`
+ cron_role($1_r, $1_t)
+ ')
++
++ optional_policy(`
++ games_rw_data($1_usertype)
')
- tunable_policy(`user_dmesg',`
@@ -32644,7 +31286,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- ',`
- kernel_dontaudit_read_ring_buffer($1_t)
+ optional_policy(`
-+ games_rw_data($1_usertype)
++ gpg_role($1_r, $1_usertype)
')
- # Allow users to run TCP servers (bind to ports and accept connection from
@@ -32654,7 +31296,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- corenet_tcp_bind_generic_node($1_t)
- corenet_tcp_bind_generic_port($1_t)
+ optional_policy(`
-+ gpg_role($1_r, $1_usertype)
++ gnomeclock_dbus_chat($1_t)
')
optional_policy(`
@@ -33259,7 +31901,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_search_proc($1)
')
-@@ -3064,3 +3395,597 @@
+@@ -3064,3 +3395,619 @@
allow $1 userdomain:dbus send_msg;
')
@@ -33857,9 +32499,31 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ allow $1 user_tmp_t:file { getattr append };
+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.1/policy/modules/system/userdomain.te
++
++########################################
++## <summary>
++## Read system SSL certificates in the users homedir.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`userdom_read_home_certs',`
++ gen_require(`
++ type home_cert_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ allow $1 home_cert_t:dir list_dir_perms;
++ read_files_pattern($1, home_cert_t, home_cert_t)
++ read_lnk_files_pattern($1, home_cert_t, home_cert_t)
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.3/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.1/policy/modules/system/userdomain.te 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/userdomain.te 2009-11-25 12:39:13.000000000 -0500
@@ -8,13 +8,6 @@
## <desc>
@@ -33918,11 +32582,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_user_home_content(user_home_t)
fs_associate_tmpfs(user_home_t)
files_associate_tmp(user_home_t)
-@@ -97,3 +100,25 @@
+@@ -97,3 +100,29 @@
type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
dev_node(user_tty_device_t)
ubac_constrained(user_tty_device_t)
+
++type home_cert_t, user_home_type;
++files_type(home_cert_t)
++ubac_constrained(home_cert_t)
++
+tunable_policy(`allow_console_login',`
+ term_use_console(userdomain)
+')
@@ -33944,206 +32612,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+allow userdomain userdomain:process signull;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.7.1/policy/modules/system/xen.fc
---- nsaserefpolicy/policy/modules/system/xen.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/xen.fc 2009-11-17 11:06:58.000000000 -0500
-@@ -1,5 +1,7 @@
- /dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0)
-
-+/usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0)
-+
- /usr/bin/virsh -- gen_context(system_u:object_r:xm_exec_t,s0)
-
- ifdef(`distro_debian',`
-@@ -19,14 +21,18 @@
- /var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
- /var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0)
-
-+/var/log/evtchnd\.log -- gen_context(system_u:object_r:evtchnd_var_log_t,s0)
- /var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0)
- /var/log/xen-hotplug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
- /var/log/xend\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
- /var/log/xend-debug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
-
-+/var/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0)
-+/var/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0)
- /var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
- /var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
- /var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0)
-+/var/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
- /var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
- /var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0)
-
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.7.1/policy/modules/system/xen.if
---- nsaserefpolicy/policy/modules/system/xen.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/xen.if 2009-11-17 11:06:58.000000000 -0500
-@@ -71,6 +71,8 @@
- ')
-
- files_list_var_lib($1)
-+
-+ list_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)
- read_files_pattern($1,{ xend_var_lib_t xen_image_t },xen_image_t)
- ')
-
-@@ -167,11 +169,14 @@
- #
- interface(`xen_stream_connect',`
- gen_require(`
-- type xend_t, xend_var_run_t;
-+ type xend_t, xend_var_run_t, xend_var_lib_t;
- ')
-
- files_search_pids($1)
- stream_connect_pattern($1, xend_var_run_t, xend_var_run_t, xend_t)
-+
-+ files_search_var_lib($1)
-+ stream_connect_pattern($1, xend_var_lib_t, xend_var_lib_t, xend_t)
- ')
-
- ########################################
-@@ -191,3 +196,24 @@
-
- domtrans_pattern($1, xm_exec_t, xm_t)
- ')
-+
-+########################################
-+## <summary>
-+## Allow the specified domain to read/write
-+## xend image files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`xen_rw_image_files',`
-+ gen_require(`
-+ type xen_image_t, xend_var_lib_t;
-+ ')
-+
-+ files_list_var_lib($1)
-+ allow $1 xend_var_lib_t:dir search_dir_perms;
-+ rw_files_pattern($1, xen_image_t, xen_image_t)
-+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.1/policy/modules/system/xen.te
---- nsaserefpolicy/policy/modules/system/xen.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.1/policy/modules/system/xen.te 2009-11-17 11:06:58.000000000 -0500
-@@ -6,6 +6,13 @@
- # Declarations
- #
-
-+## <desc>
-+## <p>
-+## Allow xen to manage nfs files
-+## </p>
-+## </desc>
-+gen_tunable(xen_use_nfs, false)
-+
- # console ptys
- type xen_devpts_t;
- term_pty(xen_devpts_t)
-@@ -42,25 +49,31 @@
- # pid files
- type xend_var_run_t;
- files_pid_file(xend_var_run_t)
-+files_mountpoint(xend_var_run_t)
-
- type xenstored_t;
- type xenstored_exec_t;
--domain_type(xenstored_t)
--domain_entry_file(xenstored_t, xenstored_exec_t)
--role system_r types xenstored_t;
-+init_daemon_domain(xenstored_t, xenstored_exec_t)
-+
-+# tmp files
-+type xenstored_tmp_t;
-+files_tmp_file(xenstored_tmp_t)
-
- # var/lib files
- type xenstored_var_lib_t;
- files_type(xenstored_var_lib_t)
-
-+# log files
-+type xenstored_var_log_t;
-+logging_log_file(xenstored_var_log_t)
-+
- # pid files
- type xenstored_var_run_t;
- files_pid_file(xenstored_var_run_t)
-
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.3/policy/modules/system/xen.te
+--- nsaserefpolicy/policy/modules/system/xen.te 2009-11-25 11:47:19.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/xen.te 2009-11-25 12:39:13.000000000 -0500
+@@ -85,6 +85,7 @@
type xenconsoled_t;
type xenconsoled_exec_t;
--domain_type(xenconsoled_t)
--domain_entry_file(xenconsoled_t, xenconsoled_exec_t)
-+init_daemon_domain(xenconsoled_t, xenconsoled_exec_t)
- role system_r types xenconsoled_t;
+ init_daemon_domain(xenconsoled_t, xenconsoled_exec_t)
++role system_r types xenconsoled_t;
# pid files
-@@ -72,6 +85,18 @@
- domain_type(xm_t)
- init_system_domain(xm_t, xm_exec_t)
-
-+type evtchnd_t;
-+type evtchnd_exec_t;
-+init_daemon_domain(evtchnd_t, evtchnd_exec_t)
-+
-+# log files
-+type evtchnd_var_log_t;
-+logging_log_file(evtchnd_var_log_t)
-+
-+# pid files
-+type evtchnd_var_run_t;
-+files_pid_file(evtchnd_var_run_t)
-+
- ########################################
- #
- # xend local policy
-@@ -95,7 +120,7 @@
- read_lnk_files_pattern(xend_t, xen_image_t, xen_image_t)
- rw_blk_files_pattern(xend_t, xen_image_t, xen_image_t)
-
--allow xend_t xenctl_t:fifo_file manage_file_perms;
-+allow xend_t xenctl_t:fifo_file manage_fifo_file_perms;
- dev_filetrans(xend_t, xenctl_t, fifo_file)
-
- manage_files_pattern(xend_t, xend_tmp_t, xend_tmp_t)
-@@ -103,14 +128,14 @@
- files_tmp_filetrans(xend_t, xend_tmp_t, { file dir })
-
- # pid file
--allow xend_t xend_var_run_t:dir setattr;
-+manage_dirs_pattern(xend_t, xend_var_run_t, xend_var_run_t)
- manage_files_pattern(xend_t, xend_var_run_t, xend_var_run_t)
- manage_sock_files_pattern(xend_t, xend_var_run_t, xend_var_run_t)
- manage_fifo_files_pattern(xend_t, xend_var_run_t, xend_var_run_t)
--files_pid_filetrans(xend_t, xend_var_run_t, { file sock_file fifo_file })
-+files_pid_filetrans(xend_t, xend_var_run_t, { file sock_file fifo_file dir })
-
- # log files
--allow xend_t xend_var_log_t:dir setattr;
-+manage_dirs_pattern(xend_t, xend_var_log_t, xend_var_log_t)
- manage_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
- manage_sock_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
- logging_log_filetrans(xend_t, xend_var_log_t,{ sock_file file dir })
-@@ -122,12 +147,13 @@
- manage_fifo_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
- files_var_lib_filetrans(xend_t, xend_var_lib_t,{ file dir })
-
-+init_stream_connect_script(xend_t)
-+
- # transition to store
- domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t)
-
- # transition to console
--domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t)
--allow xenconsoled_t xend_t:fd use;
-+domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t)
-
- kernel_read_kernel_sysctls(xend_t)
- kernel_read_system_state(xend_t)
-@@ -173,6 +199,7 @@
+ type xenconsoled_var_run_t;
+@@ -209,6 +210,7 @@
files_manage_etc_runtime_files(xend_t)
files_etc_filetrans_etc_runtime(xend_t, file)
files_read_usr_files(xend_t)
@@ -34151,208 +32631,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
storage_raw_read_fixed_disk(xend_t)
storage_raw_write_fixed_disk(xend_t)
-@@ -208,6 +235,10 @@
- netutils_domtrans(xend_t)
-
- optional_policy(`
-+ brctl_domtrans(xend_t)
-+')
-+
-+optional_policy(`
- consoletype_exec(xend_t)
- ')
-
-@@ -239,6 +270,10 @@
-
- files_read_usr_files(xenconsoled_t)
-
-+fs_list_tmpfs(xenconsoled_t)
-+fs_manage_xenfs_dirs(xenconsoled_t)
-+fs_manage_xenfs_files(xenconsoled_t)
-+
- term_create_pty(xenconsoled_t, xen_devpts_t)
- term_use_generic_ptys(xenconsoled_t)
- term_use_console(xenconsoled_t)
-@@ -248,7 +283,7 @@
-
- miscfiles_read_localization(xenconsoled_t)
+@@ -438,6 +440,8 @@
+ fs_manage_xenfs_dirs(xm_ssh_t)
+ fs_manage_xenfs_files(xm_ssh_t)
--xen_append_log(xenconsoled_t)
-+xen_manage_log(xenconsoled_t)
- xen_stream_connect_xenstore(xenconsoled_t)
-
- ########################################
-@@ -256,21 +291,33 @@
- # Xen store local policy
- #
-
--allow xenstored_t self:capability { dac_override mknod ipc_lock };
-+allow xenstored_t self:capability { dac_override mknod ipc_lock sys_resource };
- allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
- allow xenstored_t self:unix_dgram_socket create_socket_perms;
-
-+manage_files_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
-+manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
-+files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
-+
- # pid file
- manage_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
- manage_sock_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
- files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file })
-
-+# log files
-+manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
-+manage_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
-+manage_sock_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
-+logging_log_filetrans(xenstored_t, xenstored_var_log_t, { sock_file file dir })
-+
- # var/lib files for xenstored
- manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
- manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
- manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
- files_var_lib_filetrans(xenstored_t, xenstored_var_lib_t,{ file dir sock_file })
-
-+stream_connect_pattern(xenstored_t, evtchnd_var_run_t, evtchnd_var_run_t, evtchnd_t)
++userdom_search_admin_dir(xm_ssh_t)
+
- kernel_write_xen_state(xenstored_t)
- kernel_read_xen_state(xenstored_t)
-
-@@ -304,6 +351,7 @@
+ #Should have a boolean wrapping these
+ fs_list_auto_mountpoints(xend_t)
+ files_search_mnt(xend_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.3/policy/support/obj_perm_sets.spt
+--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2009-11-25 11:47:19.000000000 -0500
++++ serefpolicy-3.7.3/policy/support/obj_perm_sets.spt 2009-11-25 12:39:13.000000000 -0500
+@@ -317,3 +317,15 @@
+ # Keys
#
-
- allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
-+allow xm_t self:process { getsched signal };
-
- # internal communication is often done using fifo and unix sockets.
- allow xm_t self:fifo_file rw_fifo_file_perms;
-@@ -312,24 +360,28 @@
-
- manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
- manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
-+manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
- files_search_var_lib(xm_t)
-
- allow xm_t xen_image_t:dir rw_dir_perms;
- allow xm_t xen_image_t:file read_file_perms;
- allow xm_t xen_image_t:blk_file read_blk_file_perms;
-
--kernel_read_system_state(xm_t)
- kernel_read_kernel_sysctls(xm_t)
-+kernel_read_sysctl(xm_t)
-+kernel_read_system_state(xm_t)
- kernel_read_xen_state(xm_t)
- kernel_write_xen_state(xm_t)
-
- corecmd_exec_bin(xm_t)
-+corecmd_exec_shell(xm_t)
-
- corenet_tcp_sendrecv_generic_if(xm_t)
- corenet_tcp_sendrecv_generic_node(xm_t)
- corenet_tcp_connect_soundd_port(xm_t)
-
- dev_read_urand(xm_t)
-+dev_read_sysfs(xm_t)
-
- files_read_etc_runtime_files(xm_t)
- files_read_usr_files(xm_t)
-@@ -339,15 +391,70 @@
-
- storage_raw_read_fixed_disk(xm_t)
-
-+fs_getattr_all_fs(xm_t)
-+fs_manage_xenfs_dirs(xm_t)
-+fs_manage_xenfs_files(xm_t)
-+
- term_use_all_terms(xm_t)
-
-+init_stream_connect_script(xm_t)
- init_rw_script_stream_sockets(xm_t)
- init_use_fds(xm_t)
-
- miscfiles_read_localization(xm_t)
-
--sysnet_read_config(xm_t)
-+sysnet_dns_name_resolve(xm_t)
-
- xen_append_log(xm_t)
- xen_stream_connect(xm_t)
- xen_stream_connect_xenstore(xm_t)
-+
-+optional_policy(`
-+ virt_manage_images(xm_t)
-+ virt_stream_connect(xm_t)
-+')
+ define(`manage_key_perms', `{ create link read search setattr view write } ')
+
-+########################################
-+#
-+# SSH component local policy
+#
-+ssh_basic_client_template(xm,xm_t,system_r)
-+kernel_read_xen_state(xm_ssh_t)
-+kernel_write_xen_state(xm_ssh_t)
-+
-+fs_manage_xenfs_dirs(xm_ssh_t)
-+fs_manage_xenfs_files(xm_ssh_t)
-+
-+userdom_search_admin_dir(xm_ssh_t)
-+
-+#Should have a boolean wrapping these
-+fs_list_auto_mountpoints(xend_t)
-+files_search_mnt(xend_t)
-+fs_getattr_all_fs(xend_t)
-+fs_read_dos_files(xend_t)
-+fs_manage_xenfs_dirs(xend_t)
-+fs_manage_xenfs_files(xend_t)
-+
-+tunable_policy(`xen_use_nfs',`
-+ fs_manage_nfs_files(xend_t)
-+ fs_read_nfs_symlinks(xend_t)
-+')
-+
-+optional_policy(`
-+ unconfined_domain(xend_t)
-+')
-+
-+#######################################
++# All
+#
-+# evtchnd local policy
-+#
-+
-+manage_dirs_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t)
-+manage_files_pattern(evtchnd_t,evtchnd_var_log_t,evtchnd_var_log_t)
-+logging_log_filetrans(evtchnd_t,evtchnd_var_log_t,{ file dir })
-+
-+manage_dirs_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t)
-+manage_files_pattern(evtchnd_t,evtchnd_var_run_t,evtchnd_var_run_t)
-+manage_sock_files_pattern(evtchnd_t,evtchnd_var_run_t,evtchnd_var_run_t)
-+files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
-+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.1/policy/support/obj_perm_sets.spt
---- nsaserefpolicy/policy/support/obj_perm_sets.spt 2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.1/policy/support/obj_perm_sets.spt 2009-11-17 11:06:58.000000000 -0500
-@@ -201,7 +201,7 @@
- define(`setattr_file_perms',`{ setattr }')
- define(`read_file_perms',`{ getattr open read lock ioctl }')
- define(`mmap_file_perms',`{ getattr open read execute ioctl }')
--define(`exec_file_perms',`{ getattr open read execute execute_no_trans }')
-+define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
- define(`append_file_perms',`{ getattr open append lock ioctl }')
- define(`write_file_perms',`{ getattr open write append lock ioctl }')
- define(`rw_file_perms',`{ getattr open read write append ioctl lock }')
-@@ -225,7 +225,7 @@
- define(`create_lnk_file_perms',`{ create getattr }')
- define(`rename_lnk_file_perms',`{ getattr rename }')
- define(`delete_lnk_file_perms',`{ getattr unlink }')
--define(`manage_lnk_file_perms',`{ create read getattr setattr unlink rename }')
-+define(`manage_lnk_file_perms',`{ create read getattr setattr link unlink rename }')
- define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
- define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
- define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
-@@ -312,3 +312,13 @@
- #
- define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
- define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }')
-+
+define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }
+')
+
@@ -34361,10 +32659,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ')
+define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
+
-+define(`manage_key_perms', `{ create link read search setattr view write } ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.7.1/policy/users
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.7.3/policy/users
--- nsaserefpolicy/policy/users 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/users 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/users 2009-11-25 12:39:13.000000000 -0500
@@ -25,11 +25,8 @@
# permit any access to such users, then remove this entry.
#
@@ -34389,9 +32686,3 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-')
+gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/VERSION serefpolicy-3.7.1/VERSION
---- nsaserefpolicy/VERSION 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.1/VERSION 2009-11-17 11:06:58.000000000 -0500
-@@ -1 +1 @@
--2.20091117
-+2.20090730
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e844528..27c7f2a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
%define CHECKPOLICYVER 2.0.16-3
Summary: SELinux policy configuration
Name: selinux-policy
-Version: 3.7.2
+Version: 3.7.3
Release: 1%{?dist}
License: GPLv2+
Group: System Environment/Base
@@ -449,8 +449,9 @@ exit 0
%endif
%changelog
-* Mon Nov 16 2009 Dan Walsh <dwalsh@redhat.com> 3.7.2-1
+* Mon Nov 16 2009 Dan Walsh <dwalsh@redhat.com> 3.7.3-1
- Add asterisk policy back in
+- Update to upstream release 2.20091117
* Mon Nov 16 2009 Dan Walsh <dwalsh@redhat.com> 3.7.1-1
- Update to upstream release 2.20091117
diff --git a/sources b/sources
index 881f21d..ddfc333 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
3651679c4b12a31d2ba5f4305bba5540 config.tgz
-7caf1e23a7c13a97f49d83c82b042c27 serefpolicy-3.7.2.tgz
+ae593cb93bcd26546be99064d16b372a serefpolicy-3.7.3.tgz