diff --git a/policy-F14.patch b/policy-F14.patch
index f0c992f..70695c6 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -521,7 +521,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
+/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.8.8/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2010-06-18 13:07:19.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/logwatch.te 2010-07-21 10:41:06.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/logwatch.te 2010-07-22 12:54:39.000000000 -0400
@@ -19,6 +19,9 @@
type logwatch_tmp_t;
files_tmp_file(logwatch_tmp_t)
@@ -554,7 +554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
+mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
+role system_r types logwatch_mail_t;
+logging_read_all_logs(logwatch_mail_t)
-+write_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t)
++manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t)
ifdef(`distro_redhat',`
files_search_all(logwatch_t)
@@ -1759,12 +1759,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqs
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.8.8/policy/modules/apps/execmem.fc
--- nsaserefpolicy/policy/modules/apps/execmem.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/execmem.fc 2010-07-20 10:46:10.000000000 -0400
-@@ -0,0 +1,48 @@
++++ serefpolicy-3.8.8/policy/modules/apps/execmem.fc 2010-07-22 10:12:26.000000000 -0400
+@@ -0,0 +1,49 @@
+
+/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/compiz -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/dosbox -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/mutter -- gen_context(system_u:object_r:execmem_exec_t,s0)
@@ -7538,7 +7539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
typealias etc_runtime_t alias firstboot_rw_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.8.8/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-07-14 11:21:53.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.if 2010-07-21 10:55:44.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.if 2010-07-21 11:43:41.000000000 -0400
@@ -1233,7 +1233,7 @@
type cifs_t;
')
@@ -8304,7 +8305,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.8.8/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-07-14 11:21:53.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/roles/sysadm.te 2010-07-20 10:46:10.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/roles/sysadm.te 2010-07-21 12:45:03.000000000 -0400
@@ -27,17 +27,29 @@
corecmd_exec_shell(sysadm_t)
@@ -10085,7 +10086,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
## All of the rules required to administrate
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.8.8/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2010-06-18 13:07:19.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/abrt.te 2010-07-20 10:46:10.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/abrt.te 2010-07-21 13:12:24.000000000 -0400
@@ -5,6 +5,14 @@
# Declarations
#
@@ -10127,15 +10128,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
kernel_read_ring_buffer(abrt_t)
kernel_read_system_state(abrt_t)
-@@ -121,6 +130,7 @@
+@@ -121,6 +130,8 @@
files_read_kernel_modules(abrt_t)
files_dontaudit_list_default(abrt_t)
files_dontaudit_read_default_files(abrt_t)
+files_dontaudit_read_all_symlinks(abrt_t)
++files_dontaudit_getattr_all_sockets(abrt_t)
fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
-@@ -131,7 +141,7 @@
+@@ -131,7 +142,7 @@
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)
@@ -10144,7 +10146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
logging_read_generic_logs(abrt_t)
logging_send_syslog_msg(abrt_t)
-@@ -140,6 +150,11 @@
+@@ -140,6 +151,11 @@
miscfiles_read_localization(abrt_t)
userdom_dontaudit_read_user_home_content_files(abrt_t)
@@ -10156,7 +10158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
optional_policy(`
dbus_system_domain(abrt_t, abrt_exec_t)
-@@ -150,7 +165,12 @@
+@@ -150,7 +166,12 @@
')
optional_policy(`
@@ -10170,7 +10172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
-@@ -178,6 +198,12 @@
+@@ -178,6 +199,12 @@
')
optional_policy(`
@@ -10183,7 +10185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
sssd_stream_connect(abrt_t)
')
-@@ -203,6 +229,7 @@
+@@ -203,6 +230,7 @@
domain_read_all_domains_state(abrt_helper_t)
files_read_etc_files(abrt_helper_t)
@@ -10191,7 +10193,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
fs_list_inotifyfs(abrt_helper_t)
fs_getattr_all_fs(abrt_helper_t)
-@@ -217,11 +244,26 @@
+@@ -217,11 +245,26 @@
term_dontaudit_use_all_ptys(abrt_helper_t)
ifdef(`hide_broken_symptoms', `
@@ -10476,8 +10478,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav
# amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.8.8/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2010-04-06 15:15:38.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/apache.fc 2010-07-20 10:46:10.000000000 -0400
-@@ -24,7 +24,6 @@
++++ serefpolicy-3.8.8/policy/modules/services/apache.fc 2010-07-22 11:54:47.000000000 -0400
+@@ -20,11 +20,11 @@
+ /srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+ /usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
++/usr/bin/mojomojo_fastcgi\.pl -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+ /usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -10485,7 +10492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
/usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-@@ -43,7 +42,6 @@
+@@ -43,10 +43,10 @@
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
')
@@ -10493,7 +10500,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -74,6 +72,7 @@
++/usr/share/mojomojo/root(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+ /usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+@@ -74,6 +74,7 @@
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -10501,7 +10512,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-@@ -86,7 +85,6 @@
+@@ -86,7 +87,6 @@
/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
@@ -10509,7 +10520,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
ifdef(`distro_debian', `
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -109,3 +107,17 @@
+@@ -109,3 +109,17 @@
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -10521,15 +10532,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/var/lib/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/mojomojo(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
+/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+
+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.8.8/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2010-04-06 15:15:38.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/apache.if 2010-07-20 10:46:10.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/apache.if 2010-07-21 11:17:41.000000000 -0400
@@ -13,17 +13,13 @@
#
template(`apache_content_template',`
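Review bot: The new `/var/lib/mojomojo(/.*)?` entry uses the type `httpd_sys_content_rw_t`, while the koji and svn entries in the same hunk use `httpd_sys_rw_content_t`; unless `httpd_sys_content_rw_t` is declared or aliased in apache.te, setfiles/restorecon will reject this line as an invalid context and nothing under /var/lib/mojomojo gets labeled. The consistent line is `+/var/lib/mojomojo(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)`. Even if the alias exists, using the canonical name keeps the file uniform with its neighbours.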
@@ -11512,7 +11523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.8.8/policy/modules/services/apm.te
--- nsaserefpolicy/policy/modules/services/apm.te 2010-06-18 13:07:19.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/apm.te 2010-07-20 10:46:10.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/apm.te 2010-07-22 12:57:39.000000000 -0400
@@ -62,6 +62,7 @@
dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
allow apmd_t self:process { signal_perms getsession };
@@ -11529,10 +11540,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.
dev_read_realtime_clock(apmd_t)
dev_read_urand(apmd_t)
dev_rw_apm_bios(apmd_t)
+@@ -144,6 +146,10 @@
+
+ # ifconfig_exec_t needs to be run in its own domain for Red Hat
+ optional_policy(`
++ sssd_search_lib(apmd_t)
++ ')
++
++ optional_policy(`
+ sysnet_domtrans_ifconfig(apmd_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.8.8/policy/modules/services/arpwatch.te
--- nsaserefpolicy/policy/modules/services/arpwatch.te 2010-06-18 13:07:19.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/arpwatch.te 2010-07-20 10:46:10.000000000 -0400
-@@ -63,6 +63,7 @@
++++ serefpolicy-3.8.8/policy/modules/services/arpwatch.te 2010-07-22 10:21:38.000000000 -0400
+@@ -50,6 +50,7 @@
+ kernel_read_kernel_sysctls(arpwatch_t)
+ kernel_list_proc(arpwatch_t)
+ kernel_read_proc_symlinks(arpwatch_t)
++kernel_request_load_module(arpwatch_t)
+
+ corenet_all_recvfrom_unlabeled(arpwatch_t)
+ corenet_all_recvfrom_netlabel(arpwatch_t)
+@@ -63,6 +64,7 @@
corenet_udp_sendrecv_all_ports(arpwatch_t)
dev_read_sysfs(arpwatch_t)
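Review bot: `kernel_request_load_module(arpwatch_t)` lets the daemon trigger kernel module autoloading (the `system:module_request` permission), a broader grant than the rest of the arpwatch.te hunk, and it carries no comment naming the request it satisfies. A why-comment above it, e.g. `# module autoload triggered when arpwatch opens its capture socket -- TODO confirm from the AVC`, would let a later maintainer judge whether it is still needed. If the denial is only noise from a probe, `kernel_dontaudit_request_load_module(arpwatch_t)` is the less permissive alternative. The apm.te part of the hunk, `sssd_search_lib(apmd_t)` in its own `optional_policy`, looks fine.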
@@ -11542,7 +11572,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpw
fs_getattr_all_fs(arpwatch_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.8.8/policy/modules/services/asterisk.te
--- nsaserefpolicy/policy/modules/services/asterisk.te 2010-06-18 13:07:19.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/asterisk.te 2010-07-20 10:46:10.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/asterisk.te 2010-07-22 10:21:28.000000000 -0400
@@ -99,6 +99,7 @@
corenet_tcp_bind_generic_node(asterisk_t)
corenet_udp_bind_generic_node(asterisk_t)
@@ -11635,7 +11665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
admin_pattern($1, named_var_run_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.8.8/policy/modules/services/bind.te
--- nsaserefpolicy/policy/modules/services/bind.te 2010-06-18 13:07:19.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/bind.te 2010-07-20 10:46:10.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/bind.te 2010-07-22 11:06:54.000000000 -0400
@@ -89,9 +89,10 @@
manage_files_pattern(named_t, named_tmp_t, named_tmp_t)
files_tmp_filetrans(named_t, named_tmp_t, { file dir })
@@ -19563,7 +19593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/puppet.te serefpolicy-3.8.8/policy/modules/services/puppet.te
--- nsaserefpolicy/policy/modules/services/puppet.te 2010-06-18 13:07:19.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/puppet.te 2010-07-20 10:46:10.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/puppet.te 2010-07-22 10:35:30.000000000 -0400
@@ -63,7 +63,7 @@
manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
files_search_var_lib(puppet_t)
@@ -19573,7 +19603,45 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp
manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
-@@ -221,6 +221,8 @@
+@@ -179,21 +179,26 @@
+ allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr };
+ allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr };
+ logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
++allow puppetmaster_t puppet_log_t:file { relabelfrom relabelto };
+
+ manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
+ manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
++allow puppetmaster_t puppet_var_lib_t:dir { relabelfrom relabelto };
+
+ setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
+ manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
+ files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
++allow puppetmaster_t puppet_var_run_t:dir { relabelfrom relabelto };
+
+ manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
+ manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
+ files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
++allow puppetmaster_t puppet_tmp_t:dir { relabelfrom relabelto };
+
+ kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
+ kernel_read_system_state(puppetmaster_t)
+ kernel_read_crypto_sysctls(puppetmaster_t)
++kernel_read_kernel_sysctls(puppetmaster_t)
+
+ corecmd_exec_bin(puppetmaster_t)
+ corecmd_exec_shell(puppetmaster_t)
+@@ -214,13 +219,19 @@
+ files_read_etc_files(puppetmaster_t)
+ files_search_var_lib(puppetmaster_t)
+
++selinux_validate_context(puppetmaster_t)
++
+ logging_send_syslog_msg(puppetmaster_t)
+
+ miscfiles_read_localization(puppetmaster_t)
+
++seutil_read_file_contexts(puppetmaster_t)
++
sysnet_dns_name_resolve(puppetmaster_t)
sysnet_run_ifconfig(puppetmaster_t, system_r)
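Review bot: The new rule `allow puppetmaster_t puppet_tmp_t:dir { relabelfrom relabelto };` names `puppet_tmp_t`, while the three lines directly above it manage `puppetmaster_tmp_t`, and every other new relabel rule in this hunk targets the type managed just above it; this looks like it should read `allow puppetmaster_t puppetmaster_tmp_t:dir { relabelfrom relabelto };`. If `puppet_tmp_t` is declared elsewhere the module builds and silently grants puppetmaster relabel rights over the agent's tmp directories instead of its own; if it is not, the build fails. The added `selinux_validate_context(puppetmaster_t)` and `seutil_read_file_contexts(puppetmaster_t)` are consistent with puppetmaster relabeling its own files, which supports the narrower reading.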
@@ -20549,7 +20617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
/usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-3.8.8/policy/modules/services/ricci.if
--- nsaserefpolicy/policy/modules/services/ricci.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ricci.if 2010-07-20 10:46:11.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ricci.if 2010-07-21 11:06:52.000000000 -0400
@@ -18,6 +18,24 @@
domtrans_pattern($1, ricci_exec_t, ricci_t)
')
@@ -20575,7 +20643,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
########################################
##
## Execute a domain transition to run ricci_modcluster.
-@@ -165,3 +183,47 @@
+@@ -165,3 +183,48 @@
domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t)
')
@@ -20604,12 +20672,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
+ type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t;
+ ')
+
-+ allow $1 ricci_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, ricci_t, ricci_t)
++ allow $1 ricci_t:process { ptrace signal_perms };
++ ps_process_pattern($1, ricci_t)
+
+ ricci_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 ricci_initrc_exec_t system_r;
++ allow $2 system_r;
+
+ files_search_tmp($1)
+ admin_pattern($1, ricci_tmp_t)
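Review bot: `allow $1 ricci_t:process { ptrace signal_perms };` keeps ptrace in the admin interface after `getattr` was folded into `ps_process_pattern($1, ricci_t)`; ptrace lets the admin domain read and alter ricci_t's memory, far more than the rest of the interface (signals, init script transition, file admin) needs. If it is kept only to match other admin interfaces, a short comment saying so would help; otherwise `allow $1 ricci_t:process signal_perms;` is the least-privilege form. The same `{ ptrace signal_perms }` edit appears in the vhostmd.if hunk. The enclosing admin interface starts before this hunk.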
@@ -22909,7 +22978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varn
## Read varnish logs.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.8.8/policy/modules/services/vhostmd.if
--- nsaserefpolicy/policy/modules/services/vhostmd.if 2010-03-29 15:04:22.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/vhostmd.if 2010-07-20 10:46:11.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/vhostmd.if 2010-07-21 11:07:39.000000000 -0400
@@ -42,7 +42,7 @@
##
##
@@ -22919,6 +22988,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos
##
##
#
+@@ -209,7 +209,7 @@
+ type vhostmd_t, vhostmd_initrc_exec_t;
+ ')
+
+- allow $1 vhostmd_t:process { ptrace signal_perms getattr };
++ allow $1 vhostmd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, vhostmd_t)
+
+ vhostmd_initrc_domtrans($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.8.8/policy/modules/services/vhostmd.te
--- nsaserefpolicy/policy/modules/services/vhostmd.te 2010-06-18 13:07:19.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/vhostmd.te 2010-07-20 10:46:11.000000000 -0400
@@ -23124,7 +23202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.8.8/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2010-07-14 11:21:53.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/virt.te 2010-07-20 10:46:11.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/virt.te 2010-07-21 11:44:07.000000000 -0400
@@ -4,6 +4,7 @@
#
# Declarations
@@ -23406,7 +23484,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
term_use_all_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
-@@ -457,8 +533,120 @@
+@@ -457,8 +533,121 @@
')
optional_policy(`
@@ -23471,6 +23549,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+fs_getattr_all_fs(virsh_t)
+fs_manage_xenfs_dirs(virsh_t)
+fs_manage_xenfs_files(virsh_t)
++fs_search_auto_mountpoints(virsh_t)
+
+storage_raw_read_fixed_disk(virsh_t)
+
@@ -24294,7 +24373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.8.8/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-07-14 11:21:53.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/xserver.te 2010-07-20 10:46:11.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/xserver.te 2010-07-22 11:08:36.000000000 -0400
@@ -35,6 +35,13 @@
##
@@ -24776,7 +24855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -443,14 +605,19 @@
+@@ -443,28 +605,36 @@
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -24796,7 +24875,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
-@@ -461,10 +628,12 @@
+ # Run telinit->init to shutdown.
+ init_telinit(xdm_t)
++init_dbus_chat(xdm_t)
+
+ libs_exec_lib_files(xdm_t)
logging_read_generic_logs(xdm_t)
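Review bot: `init_dbus_chat(xdm_t)` grants `dbus send_msg` in both directions between xdm_t and init_t, and it sits directly under the `# Run telinit->init to shutdown.` comment, which no longer describes it. A comment on the new line such as `# shutdown/reboot requests to init also go over dbus -- confirm` would keep the block readable; that purpose is my inference from the neighbouring telinit rule, not something the hunk states. The interface itself is introduced in this patch's init.if hunk, so there is no ordering concern.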
@@ -24811,7 +24894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -473,6 +642,11 @@
+@@ -473,6 +643,11 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -24823,7 +24906,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_rw_session(xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t)
-@@ -504,11 +678,17 @@
+@@ -504,11 +679,17 @@
')
optional_policy(`
@@ -24841,7 +24924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -516,12 +696,51 @@
+@@ -516,12 +697,51 @@
')
optional_policy(`
@@ -24893,7 +24976,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
hostname_exec(xdm_t)
')
-@@ -539,20 +758,63 @@
+@@ -539,20 +759,63 @@
')
optional_policy(`
@@ -24959,7 +25042,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -561,7 +823,6 @@
+@@ -561,7 +824,6 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
@@ -24967,7 +25050,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
-@@ -572,6 +833,10 @@
+@@ -572,6 +834,10 @@
')
optional_policy(`
@@ -24978,7 +25061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xfs_stream_connect(xdm_t)
')
-@@ -596,10 +861,9 @@
+@@ -596,10 +862,9 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -24990,7 +25073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
allow xserver_t self:sock_file read_sock_file_perms;
-@@ -611,6 +875,18 @@
+@@ -611,6 +876,18 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -25009,7 +25092,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -630,12 +906,19 @@
+@@ -630,12 +907,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -25031,7 +25114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -669,7 +952,6 @@
+@@ -669,7 +953,6 @@
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -25039,7 +25122,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -679,9 +961,12 @@
+@@ -679,9 +962,12 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -25053,7 +25136,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
-@@ -696,8 +981,13 @@
+@@ -696,8 +982,13 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -25067,7 +25150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -719,11 +1009,14 @@
+@@ -719,11 +1010,14 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -25082,7 +25165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -775,12 +1068,28 @@
+@@ -775,12 +1069,28 @@
')
optional_policy(`
@@ -25112,7 +25195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
unconfined_domtrans(xserver_t)
')
-@@ -804,10 +1113,10 @@
+@@ -804,10 +1114,10 @@
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -25125,7 +25208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -828,6 +1137,13 @@
+@@ -828,6 +1138,13 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -25139,7 +25222,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
-@@ -843,11 +1159,14 @@
+@@ -843,11 +1160,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -25156,7 +25239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -993,3 +1312,33 @@
+@@ -993,3 +1313,33 @@
allow xserver_unconfined_type xextension_type:x_extension *;
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -25999,19 +26082,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
# /var
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.8.8/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2010-03-18 10:35:11.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/init.if 2010-07-20 10:46:11.000000000 -0400
-@@ -105,7 +105,9 @@
++++ serefpolicy-3.8.8/policy/modules/system/init.if 2010-07-22 12:36:46.000000000 -0400
+@@ -105,7 +105,11 @@
role system_r types $1;
- domtrans_pattern(init_t,$2,$1)
+ tunable_policy(`init_systemd',`', `
+ domtrans_pattern(init_t,$2,$1)
++ allow init_t $1:unix_stream_socket create_stream_socket_perms;
++ allow $1 init_t:unix_dgram_socket sendto;
+ ')
ifdef(`hide_broken_symptoms',`
# RHEL4 systems seem to have a stray
-@@ -193,8 +195,10 @@
+@@ -193,8 +197,10 @@
gen_require(`
attribute direct_run_init, direct_init, direct_init_entry;
type initrc_t;
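Review bot: The two new rules `allow init_t $1:unix_stream_socket create_stream_socket_perms;` and `allow $1 init_t:unix_dgram_socket sendto;` land in the else branch of `tunable_policy(`init_systemd',`', ...)`, i.e. they apply only when init_systemd is off, whereas the init_daemon_domain hunk (`@@ -205,6 +211,20 @@`) adds the identical pair under a systemd-true `tunable_policy(`init_systemd',` ...` block and the init_system_domain hunk adds them unconditionally inside the upstart block. Unless the placement here is deliberate, the pair belongs in a systemd-true branch to match the other two interfaces; as written, domains created through this interface get the rules on non-systemd boots that do not use them and lack them on systemd boots. A why-comment at each site, e.g. `# systemd creates the unit's activation sockets labeled as the daemon type`, would document the unusual `init_t $1:unix_stream_socket` direction; that reading is my inference from the `setsockcreate` rule added in init.te, so confirm it.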
@@ -26022,7 +26107,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
typeattribute $1 daemon;
-@@ -205,6 +209,17 @@
+@@ -205,6 +211,20 @@
role system_r types $1;
domtrans_pattern(initrc_t,$2,$1)
@@ -26034,13 +26119,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+ # Handle upstart direct transition to a executable
+ domtrans_pattern(init_t,$2,$1)
+ allow init_t $1:process siginh;
-+ allow $1 init_t:unix_stream_socket connectto;
++ ')
++
++ tunable_policy(`init_systemd',`
++ allow init_t $1:unix_stream_socket create_stream_socket_perms;
+ allow $1 init_t:unix_dgram_socket sendto;
+ ')
# daemons started from init will
# inherit fds from init for the console
-@@ -285,7 +300,7 @@
+@@ -285,7 +305,7 @@
type initrc_t;
')
@@ -26049,7 +26137,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
ifdef(`enable_mcs',`
range_transition initrc_t $2:process $3;
-@@ -336,8 +351,10 @@
+@@ -336,8 +356,10 @@
#
interface(`init_system_domain',`
gen_require(`
@@ -26060,7 +26148,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
application_domain($1,$2)
-@@ -345,6 +362,17 @@
+@@ -345,6 +367,17 @@
role system_r types $1;
domtrans_pattern(initrc_t,$2,$1)
@@ -26072,13 +26160,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+ # Handle upstart/systemd direct transition to a executable
+ domtrans_pattern(init_t,$2,$1)
+ allow init_t $1:process siginh;
-+ allow $1 init_t:unix_stream_socket connectto;
++ allow init_t $1:unix_stream_socket create_stream_socket_perms;
+ allow $1 init_t:unix_dgram_socket sendto;
+ ')
ifdef(`hide_broken_symptoms',`
# RHEL4 systems seem to have a stray
-@@ -353,6 +381,37 @@
+@@ -353,6 +386,37 @@
kernel_dontaudit_use_fds($1)
')
')
@@ -26116,7 +26204,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
########################################
-@@ -669,12 +728,14 @@
+@@ -669,12 +733,14 @@
type initctl_t;
')
@@ -26132,7 +26220,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
gen_require(`
type init_t;
')
-@@ -682,6 +743,8 @@
+@@ -682,6 +748,8 @@
# upstart uses a datagram socket instead of initctl pipe
allow $1 self:unix_dgram_socket create_socket_perms;
allow $1 init_t:unix_dgram_socket sendto;
@@ -26141,7 +26229,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
')
-@@ -754,18 +817,19 @@
+@@ -754,18 +822,19 @@
#
interface(`init_spec_domtrans_script',`
gen_require(`
@@ -26165,7 +26253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
')
-@@ -781,23 +845,45 @@
+@@ -781,23 +850,45 @@
#
interface(`init_domtrans_script',`
gen_require(`
@@ -26215,7 +26303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
## Execute a init script in a specified domain.
##
##
-@@ -849,8 +935,10 @@
+@@ -849,8 +940,10 @@
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
@@ -26226,7 +26314,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
domtrans_pattern($1, $2, initrc_t)
files_search_etc($1)
')
-@@ -1637,7 +1725,7 @@
+@@ -1338,6 +1431,27 @@
+ ########################################
+ ##
+ ## Send and receive messages from
++## init over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_dbus_chat',`
++ gen_require(`
++ type init_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 init_t:dbus send_msg;
++ allow init_t $1:dbus send_msg;
++')
++
++########################################
++##
++## Send and receive messages from
+ ## init scripts over dbus.
+ ##
+ ##
+@@ -1637,7 +1751,7 @@
type initrc_var_run_t;
')
@@ -26235,7 +26351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
########################################
-@@ -1712,3 +1800,94 @@
+@@ -1712,3 +1826,94 @@
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -26332,7 +26448,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.8.8/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-07-14 11:21:53.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/init.te 2010-07-20 11:30:55.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/init.te 2010-07-22 12:34:15.000000000 -0400
@@ -16,6 +16,27 @@
##
gen_tunable(init_upstart, false)
@@ -26444,7 +26560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
-@@ -185,15 +216,58 @@
+@@ -185,15 +216,61 @@
sysadm_shell_domtrans(init_t)
')
@@ -26452,6 +26568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
+modutils_domtrans_insmod(init_t)
+
+tunable_policy(`init_systemd',`
++ allow init_t self:process { setsockcreate setfscreate };
+ allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
+ # Until systemd is fixed
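Review bot: `setfscreate` in the added `allow init_t self:process { setsockcreate setfscreate };` goes beyond what this build's changelog entry justifies, which only speaks of letting systemd set the context of sockets (`setsockcreate`); `setfscreate` additionally lets init_t choose the label of any file it creates. If systemd genuinely needs both, a comment should record it, e.g. `# systemd labels the sockets and runtime files it creates on behalf of other services`; otherwise `setfscreate` should be dropped until a denial shows it is needed. The `selinux_compute_create_context(init_t)` call added in the following hunk is the companion of this rule and deserves the same explanation. Both rules sit inside the `init_systemd` tunable block, which confines the exposure to systemd-booted systems; that block starts and ends outside these hunks.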
@@ -26475,6 +26592,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
+ fs_read_cgroup_files(init_t)
+ fs_write_cgroup_files(init_t)
+
++ selinux_compute_create_context(init_t)
++
+ init_read_script_state(init_t)
+')
+
@@ -26503,7 +26622,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
nscd_socket_use(init_t)
')
-@@ -211,7 +285,7 @@
+@@ -211,7 +288,7 @@
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -26512,7 +26631,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -240,6 +314,7 @@
+@@ -240,6 +317,7 @@
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -26520,7 +26639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
can_exec(initrc_t, initrc_tmp_t)
manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
-@@ -257,11 +332,22 @@
+@@ -257,11 +335,22 @@
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -26543,7 +26662,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
corecmd_exec_all_executables(initrc_t)
-@@ -297,11 +383,13 @@
+@@ -297,11 +386,13 @@
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -26557,7 +26676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
-@@ -320,8 +408,10 @@
+@@ -320,8 +411,10 @@
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -26569,7 +26688,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -337,6 +427,8 @@
+@@ -337,6 +430,8 @@
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -26578,7 +26697,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
fs_delete_cgroup_dirs(initrc_t)
fs_list_cgroup_dirs(initrc_t)
-@@ -350,6 +442,8 @@
+@@ -350,6 +445,8 @@
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -26587,7 +26706,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
-@@ -362,6 +456,7 @@
+@@ -362,6 +459,7 @@
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -26595,7 +26714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
selinux_get_enforce_mode(initrc_t)
-@@ -393,13 +488,14 @@
+@@ -393,13 +491,14 @@
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -26611,7 +26730,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
userdom_read_user_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -472,7 +568,7 @@
+@@ -472,7 +571,7 @@
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -26620,7 +26739,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -518,6 +614,19 @@
+@@ -518,6 +617,19 @@
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@@ -26640,7 +26759,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -525,10 +634,17 @@
+@@ -525,10 +637,17 @@
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -26658,7 +26777,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -543,6 +659,35 @@
+@@ -543,6 +662,35 @@
')
')
@@ -26694,7 +26813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -555,6 +700,8 @@
+@@ -555,6 +703,8 @@
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -26703,7 +26822,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -571,6 +718,7 @@
+@@ -571,6 +721,7 @@
optional_policy(`
cgroup_stream_connect(initrc_t)
@@ -26711,7 +26830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -583,6 +731,11 @@
+@@ -583,6 +734,11 @@
')
optional_policy(`
@@ -26723,7 +26842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -599,6 +752,7 @@
+@@ -599,6 +755,7 @@
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -26731,7 +26850,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
consolekit_dbus_chat(initrc_t)
-@@ -700,7 +854,12 @@
+@@ -700,7 +857,12 @@
')
optional_policy(`
@@ -26744,7 +26863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -723,6 +882,10 @@
+@@ -723,6 +885,10 @@
')
optional_policy(`
@@ -26755,7 +26874,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -765,8 +928,6 @@
+@@ -765,8 +931,6 @@
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -26764,7 +26883,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -779,10 +940,12 @@
+@@ -779,10 +943,12 @@
squid_manage_logs(initrc_t)
')
@@ -26777,7 +26896,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -804,11 +967,19 @@
+@@ -804,11 +970,19 @@
')
optional_policy(`
@@ -26798,7 +26917,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -818,6 +989,25 @@
+@@ -818,6 +992,25 @@
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -26824,7 +26943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -843,3 +1033,55 @@
+@@ -843,3 +1036,55 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -27294,14 +27413,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
domain_dontaudit_read_all_domains_state(iscsid_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.8.8/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2010-03-23 11:19:40.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/libraries.fc 2010-07-20 10:46:11.000000000 -0400
-@@ -131,13 +131,13 @@
++++ serefpolicy-3.8.8/policy/modules/system/libraries.fc 2010-07-22 10:09:46.000000000 -0400
+@@ -129,15 +129,13 @@
+ /usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib64/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib64/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib64/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib64/vlc/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib64/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib64/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/vlc/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libtfmessbsp\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
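Review bot: The new `/usr/lib(64)?/vlc/codec/librealvideo_plugin\.so` entry is fully subsumed by the `/usr/lib(64)?/vlc/.*\.so` pattern added immediately after it, so it can be removed without changing any label. More importantly, the wildcard now marks every regular `.so` under the vlc tree as `textrel_shlib_t`, which permits `execmod` for any present or future plugin rather than only the codec plugins known to carry text relocations; if the intent is to stop chasing individual plugins, a comment such as `# vlc ships many plugins with text relocations; label the whole tree` would record that trade-off for later reviewers. The dropped lib-only `librealaudio_plugin` entry is also covered by the wildcard, so no previously labeled path is lost.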
@@ -27311,7 +27433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
/usr/lib(64)?/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -151,6 +151,7 @@
+@@ -151,6 +149,7 @@
/usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -27319,7 +27441,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
/usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -208,6 +209,7 @@
+@@ -208,6 +207,7 @@
/usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -27327,7 +27449,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
/usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -247,6 +249,7 @@
+@@ -247,6 +247,7 @@
/usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -27335,7 +27457,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
/usr/lib(64)?/ocaml/stublibs/dllnums\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
-@@ -302,13 +305,8 @@
+@@ -302,13 +303,8 @@
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -27351,7 +27473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
') dnl end distro_redhat
#
-@@ -319,14 +317,149 @@
+@@ -319,14 +315,149 @@
/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
@@ -30054,7 +30176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.8.8/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-07-14 11:21:53.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/sysnetwork.te 2010-07-20 11:09:02.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/sysnetwork.te 2010-07-22 11:06:36.000000000 -0400
@@ -5,6 +5,13 @@
# Declarations
#
@@ -30100,7 +30222,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
sysnet_manage_config(dhcpc_t)
files_etc_filetrans(dhcpc_t, net_conf_t, file)
-@@ -110,6 +125,7 @@
+@@ -105,11 +120,14 @@
+ corenet_tcp_connect_all_ports(dhcpc_t)
+ corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
+ corenet_sendrecv_dhcpc_server_packets(dhcpc_t)
++corenet_dontaudit_udp_bind_all_reserved_ports(dhcpc_t)
++corenet_udp_bind_all_unreserved_ports(dhcpc_t)
+
+ dev_read_sysfs(dhcpc_t)
# for SSP:
dev_read_urand(dhcpc_t)
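Review bot: `corenet_udp_bind_all_unreserved_ports(dhcpc_t)` lets the DHCP client bind any unreserved UDP port, and the paired `corenet_dontaudit_udp_bind_all_reserved_ports(dhcpc_t)` silences the denials that would have shown which reserved port it was actually attempting, so a later reader cannot reconstruct what triggered either rule. Neither line carries a comment; one naming the observed denial, e.g. `# dhclient binds an unreserved UDP source port; see bug <BUG-ID>` with the real reference, should accompany them. If the actual requirement is a single port, a specific `corenet_udp_bind_*_port` interface would be narrower than the all-unreserved form. The dhcpc_t policy continues outside this hunk.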
@@ -30108,7 +30237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
domain_use_interactive_fds(dhcpc_t)
domain_dontaudit_read_all_domains_state(dhcpc_t)
-@@ -155,6 +171,10 @@
+@@ -155,6 +173,10 @@
')
optional_policy(`
@@ -30119,7 +30248,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
init_dbus_chat_script(dhcpc_t)
dbus_system_bus_client(dhcpc_t)
-@@ -171,6 +191,8 @@
+@@ -171,6 +193,8 @@
optional_policy(`
hal_dontaudit_rw_dgram_sockets(dhcpc_t)
@@ -30128,7 +30257,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
optional_policy(`
-@@ -192,6 +214,13 @@
+@@ -192,6 +216,13 @@
')
optional_policy(`
@@ -30142,7 +30271,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
nis_read_ypbind_pid(dhcpc_t)
')
-@@ -213,6 +242,7 @@
+@@ -213,6 +244,7 @@
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
@@ -30150,7 +30279,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
optional_policy(`
-@@ -276,8 +306,11 @@
+@@ -276,8 +308,11 @@
domain_use_interactive_fds(ifconfig_t)
@@ -30162,7 +30291,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
-@@ -305,6 +338,8 @@
+@@ -305,6 +340,8 @@
seutil_use_runinit_fds(ifconfig_t)
@@ -30171,7 +30300,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
userdom_use_user_terminals(ifconfig_t)
userdom_use_all_users_fds(ifconfig_t)
-@@ -327,6 +362,8 @@
+@@ -327,6 +364,8 @@
optional_policy(`
hal_dontaudit_rw_pipes(ifconfig_t)
hal_dontaudit_rw_dgram_sockets(ifconfig_t)
@@ -30180,7 +30309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
optional_policy(`
-@@ -334,6 +371,10 @@
+@@ -334,6 +373,10 @@
')
optional_policy(`
@@ -30191,7 +30320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
nis_use_ypbind(ifconfig_t)
')
-@@ -355,3 +396,9 @@
+@@ -355,3 +398,9 @@
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@@ -31045,7 +31174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+HOME_DIR/\.gvfs(/.*)? <>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.8.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-07-14 11:21:53.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/userdomain.if 2010-07-20 10:46:11.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/userdomain.if 2010-07-21 13:12:24.000000000 -0400
@@ -30,8 +30,9 @@
')
@@ -31931,7 +32060,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
')
-@@ -826,12 +958,35 @@
+@@ -826,6 +958,9 @@
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -31941,33 +32070,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##############################
#
# Local policy
- #
-
- optional_policy(`
-+ dbus_role_template($1, $1_r, $1_usertype)
-+ dbus_system_bus_client($1_usertype)
-+ allow $1_usertype $1_usertype:dbus send_msg;
-+
-+ optional_policy(`
-+ abrt_dbus_chat($1_usertype)
-+ abrt_run_helper($1_usertype, $1_r)
-+ ')
-+
-+ optional_policy(`
-+ consolekit_dbus_chat($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ cups_dbus_chat($1_usertype)
-+ cups_dbus_chat_config($1_usertype)
-+ ')
-+ ')
-+
-+ optional_policy(`
- loadkeys_run($1_t,$1_r)
- ')
- ')
-@@ -867,45 +1022,83 @@
+@@ -867,45 +1002,103 @@
#
auth_role($1_r, $1_t)
@@ -32021,21 +32124,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
optional_policy(`
- dbus_role_template($1, $1_r, $1_t)
- dbus_system_bus_client($1_t)
-+ devicekit_dbus_chat($1_usertype)
-+ devicekit_dbus_chat_disk($1_usertype)
-+ devicekit_dbus_chat_power($1_usertype)
-+ ')
++ dbus_role_template($1, $1_r, $1_usertype)
++ dbus_system_bus_client($1_usertype)
++ allow $1_usertype $1_usertype:dbus send_msg;
++
++ optional_policy(`
++ abrt_dbus_chat($1_usertype)
++ abrt_run_helper($1_usertype, $1_r)
++ ')
-- optional_policy(`
+ optional_policy(`
- consolekit_dbus_chat($1_t)
-- ')
-+ optional_policy(`
-+ fprintd_dbus_chat($1_t)
-+ ')
++ consolekit_dbus_chat($1_usertype)
+ ')
-- optional_policy(`
+ optional_policy(`
- cups_dbus_chat($1_t)
-- ')
++ cups_dbus_chat($1_usertype)
++ cups_dbus_chat_config($1_usertype)
+ ')
++
++ optional_policy(`
++ devicekit_dbus_chat($1_usertype)
++ devicekit_dbus_chat_disk($1_usertype)
++ devicekit_dbus_chat_power($1_usertype)
++ ')
++
++ optional_policy(`
++ fprintd_dbus_chat($1_t)
++ ')
++ ')
++
+ optional_policy(`
+ openoffice_role_template($1, $1_r, $1_usertype)
+ ')
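Review bot: `fprintd_dbus_chat($1_t)` is the one call in the relocated dbus block that still takes `$1_t`, while every sibling in the same block (`dbus_system_bus_client`, `abrt_dbus_chat`, `consolekit_dbus_chat`, `cups_dbus_chat`, the `devicekit_dbus_chat*` trio) was switched from `$1_t` to `$1_usertype`; this reads like an oversight of the move rather than a deliberate narrowing. If the fingerprint daemon chat is meant for all of the user's application domains, change it to `fprintd_dbus_chat($1_usertype)`; if it is really meant only for the login shell domain, a one-line comment should say so. The enclosing role template starts and ends outside this hunk.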
@@ -32152,13 +32271,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+
+ optional_policy(`
+ execmem_role_template($1, $1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+- # Run pppd in pppd_t by default for user
+ optional_policy(`
+- ppp_run_cond($1_t,$1_r)
+ java_role_template($1, $1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- setroubleshoot_stream_connect($1_t)
+ mono_role_template($1, $1_r, $1_t)
+ ')
+
@@ -32168,17 +32290,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+
+ optional_policy(`
+ wine_role_template($1, $1_r, $1_t)
- ')
-
-- # Run pppd in pppd_t by default for user
- optional_policy(`
-- ppp_run_cond($1_t,$1_r)
++ ')
++
++ optional_policy(`
+ postfix_run_postdrop($1_t, $1_r)
- ')
-
++ ')
++
+ # Run pppd in pppd_t by default for user
- optional_policy(`
-- setroubleshoot_stream_connect($1_t)
++ optional_policy(`
+ ppp_run_cond($1_t, $1_r)
')
')
@@ -32368,76 +32487,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1638,26 +1919,27 @@
+@@ -1638,6 +1919,25 @@
########################################
##
--## Do not audit attempts to set the
--## attributes of user home files.
+## Set the attributes of user home files.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`userdom_dontaudit_setattr_user_home_content_files',`
-+interface(`userdom_setattr_user_home_content_files',`
- gen_require(`
- type user_home_t;
- ')
-
-- dontaudit $1 user_home_t:file setattr_file_perms;
-+ allow $1 user_home_t:file setattr;
- ')
-
- ########################################
- ##
--## Mmap user home files.
-+## Do not audit attempts to set the
-+## attributes of user home files.
- ##
- ##
- ##
-@@ -1665,13 +1947,31 @@
- ##
- ##
- #
--interface(`userdom_mmap_user_home_content_files',`
-+interface(`userdom_dontaudit_setattr_user_home_content_files',`
- gen_require(`
-- type user_home_dir_t, user_home_t;
-+ type user_home_t;
- ')
-
-- mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-- files_search_home($1)
-+ dontaudit $1 user_home_t:file setattr_file_perms;
-+')
-+
-+########################################
-+##
-+## Mmap user home files.
+##
+##
+##
+## Domain allowed access.
+##
+##
++##
+#
-+interface(`userdom_mmap_user_home_content_files',`
++interface(`userdom_setattr_user_home_content_files',`
+ gen_require(`
-+ type user_home_dir_t, user_home_t;
++ type user_home_t;
+ ')
+
-+ mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-+ files_search_home($1)
- ')
-
- ########################################
-@@ -1689,12 +1989,32 @@
++ allow $1 user_home_t:file setattr;
++')
++
++########################################
++##
+ ## Do not audit attempts to set the
+ ## attributes of user home files.
+ ##
+@@ -1689,13 +1989,14 @@
type user_home_dir_t, user_home_t;
')
@@ -32448,7 +32524,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
########################################
##
+-## Do not audit attempts to read user home files.
+## Do not audit attempts to getattr user home files.
+ ##
+ ##
+ ##
+@@ -1703,18 +2004,40 @@
+ ##
+ ##
+ #
+-interface(`userdom_dontaudit_read_user_home_content_files',`
++interface(`userdom_dontaudit_getattr_user_home_content',`
+ gen_require(`
+- type user_home_t;
++ attribute user_home_type;
+ ')
+
+- dontaudit $1 user_home_t:dir list_dir_perms;
+- dontaudit $1 user_home_t:file read_file_perms;
++ dontaudit $1 user_home_type:dir getattr;
++ dontaudit $1 user_home_type:file getattr;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to append user home files.
++## Do not audit attempts to read user home files.
+##
+##
+##
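Review bot: The summary of the new `userdom_dontaudit_getattr_user_home_content` says "getattr user home files", but the body silences `getattr` on both `dir` and `file` objects of every `user_home_type`, so the description undersells what is covered; `## Do not audit attempts to getattr user home content (directories and files).` would match the rules and the `_content` suffix of the name. The interface body and the following interface continue outside this hunk.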
@@ -32456,38 +32557,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+##
+##
+#
-+interface(`userdom_dontaudit_getattr_user_home_content',`
++interface(`userdom_dontaudit_read_user_home_content_files',`
+ gen_require(`
+ attribute user_home_type;
++ type user_home_dir_t;
+ ')
+
-+ dontaudit $1 user_home_type:dir getattr;
-+ dontaudit $1 user_home_type:file getattr;
++ dontaudit $1 user_home_dir_t:dir list_dir_perms;
++ dontaudit $1 user_home_type:dir list_dir_perms;
++ dontaudit $1 user_home_type:file read_file_perms;
++ dontaudit $1 user_home_type:lnk_file read_lnk_file_perms;
+')
+
+########################################
+##
- ## Do not audit attempts to read user home files.
++## Do not audit attempts to append user home files.
##
##
-@@ -1705,11 +2025,14 @@
- #
- interface(`userdom_dontaudit_read_user_home_content_files',`
- gen_require(`
-- type user_home_t;
-+ attribute user_home_type;
-+ type user_home_dir_t;
- ')
-
-- dontaudit $1 user_home_t:dir list_dir_perms;
-- dontaudit $1 user_home_t:file read_file_perms;
-+ dontaudit $1 user_home_dir_t:dir list_dir_perms;
-+ dontaudit $1 user_home_type:dir list_dir_perms;
-+ dontaudit $1 user_home_type:file read_file_perms;
-+ dontaudit $1 user_home_type:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
+ ##
@@ -1799,8 +2122,7 @@
type user_home_dir_t, user_home_t;
')
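Review bot: `userdom_dontaudit_read_user_home_content_files` now also silences `list_dir_perms` on `user_home_dir_t` and `user_home_type` directories and `read_lnk_file_perms` on symlinks, yet its summary still reads "Do not audit attempts to read user home files" and the name keeps the `_files` suffix; the description should state what is actually suppressed, e.g. `## Do not audit attempts to list user home directories and read user home files and symlinks.`, so callers know how much of the audit trail they are switching off. The change from `user_home_t` to the `user_home_type` attribute likewise widens the dontaudit to every user home content type; if that is intended, a one-line comment in the interface body would make it explicit. The hunk's final lines belong to a later interface whose body lies outside this hunk.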
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f0a0637..4cd1bc8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.8.8
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,9 @@ exit 0
%endif
%changelog
+* Thu Jul 22 2010 Dan Walsh 3.8.8-3
+- Allow systemd to setsockcon on sockets to immitate other services
+
* Wed Jul 21 2010 Dan Walsh 3.8.8-2
- Remove debugfs label