diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.12/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/apps/sandbox.te 2009-05-22 10:14:07.000000000 -0400
@@ -38,3 +38,6 @@
miscfiles_read_localization(sandbox_t)
userdom_use_user_ptys(sandbox_t)
+
+kernel_dontaudit_read_system_state(sandbox_t)
+corecmd_exec_all_executables(sandbox_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.6.12/policy/modules/apps/vmware.fc
--- nsaserefpolicy/policy/modules/apps/vmware.fc 2009-04-07 15:54:49.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/apps/vmware.fc 2009-05-26 08:07:56.000000000 -0400
@@ -63,6 +63,7 @@
')
/var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0)
+/var/log/vnetlib.* -- gen_context(system_u:object_r:vmware_log_t,s0)
/var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0)
/var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-05-22 08:57:14.000000000 -0400
@@ -5224,6 +5224,7 @@
attribute file_type;
')
+ allow $1 file_type:dir search_dir_perms;
allow $1 file_type:file { getattr read write append lock };
allow $1 file_type:fifo_file { getattr read write append ioctl lock };
allow $1 file_type:sock_file { getattr read write append ioctl lock };
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.12/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if 2009-05-22 08:57:53.000000000 -0400
@@ -817,7 +817,7 @@
type proc_t;
')
- dontaudit $1 proc_t:file { getattr read };
+ dontaudit $1 proc_t:file { open getattr read };
')
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.12/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te 2009-05-21 15:11:07.000000000 -0400
@@ -334,6 +334,10 @@
')
optional_policy(`
+ virt_stream_connect(sysadm_t)
+')
+
+optional_policy(`
yam_run(sysadm_t, sysadm_r)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-05-22 05:49:21.000000000 -0400
@@ -52,6 +52,8 @@
init_system_domain(unconfined_execmem_t, execmem_exec_t)
role unconfined_r types unconfined_execmem_t;
typealias execmem_exec_t alias unconfined_execmem_exec_t;
+userdom_unpriv_usertype(unconfined, unconfined_execmem_t)
+userdom_manage_tmpfs_role(unconfined_r, unconfined_execmem_t)
type unconfined_notrans_t;
type unconfined_notrans_exec_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.12/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/apache.fc 2009-05-26 09:24:52.000000000 -0400
@@ -98,4 +98,6 @@
/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.12/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/cron.if 2009-05-26 08:38:15.000000000 -0400
@@ -163,27 +163,14 @@
#
interface(`cron_unconfined_role',`
gen_require(`
- type unconfined_cronjob_t, admin_crontab_t, crontab_tmp_t, crontab_exec_t;
+ type unconfined_cronjob_t;
')
- role $1 types { unconfined_cronjob_t admin_crontab_t };
+ role $1 types unconfined_cronjob_t;
# cronjob shows up in user ps
ps_process_pattern($2, unconfined_cronjob_t)
- # Transition from the user domain to the derived domain.
- domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
-
- # crontab shows up in user ps
- ps_process_pattern($2, admin_crontab_t)
- allow $2 admin_crontab_t:process signal;
-
- # Run helper programs as the user domain
- #corecmd_bin_domtrans(admin_crontab_t, $2)
- #corecmd_shell_domtrans(admin_crontab_t, $2)
- corecmd_exec_bin(admin_crontab_t)
- corecmd_exec_shell(admin_crontab_t)
-
optional_policy(`
gen_require(`
class dbus send_msg;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.12/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/devicekit.te 2009-05-21 12:57:07.000000000 -0400
@@ -55,7 +55,7 @@
#
# DeviceKit-Power local policy
#
-allow devicekit_power_t self:capability { dac_override sys_tty_config sys_nice };
+allow devicekit_power_t self:capability { dac_override sys_ptrace sys_tty_config sys_nice };
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.12/policy/modules/services/pyzor.fc
--- nsaserefpolicy/policy/modules/services/pyzor.fc 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/pyzor.fc 2009-05-21 08:32:24.000000000 -0400
@@ -3,6 +3,8 @@
HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
+/root/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
+/root/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.12/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.fc 2009-05-21 08:31:58.000000000 -0400
@@ -1,3 +1,4 @@
+/root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
/etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-05-21 12:58:18.000000000 -0400
@@ -183,6 +183,7 @@
seutil_read_default_contexts(virtd_t)
term_getattr_pty_fs(virtd_t)
+term_use_generic_ptys(virtd_t)
term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -323,9 +324,13 @@
userdom_read_all_users_state(svirt_t)
append_files_pattern(svirt_t, virt_log_t, virt_log_t)
+append_files_pattern(svirt_t, virt_var_lib_t, virt_var_lib_t)
allow svirt_t self:udp_socket create_socket_perms;
+corecmd_exec_bin(svirt_t)
+corecmd_exec_shell(svirt_t)
+
corenet_udp_sendrecv_generic_if(svirt_t)
corenet_udp_sendrecv_generic_node(svirt_t)
corenet_udp_sendrecv_all_ports(svirt_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.12/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/xserver.te 2009-05-26 08:17:11.000000000 -0400
@@ -538,6 +538,7 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
+userdom_manage_user_tmp_dirs(xdm_t)
userdom_manage_user_tmp_sockets(xdm_t)
userdom_manage_tmpfs_role(system_r, xdm_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.12/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/authlogin.if 2009-05-26 08:43:32.000000000 -0400
@@ -77,6 +77,8 @@
# for SSP/ProPolice
dev_read_urand($1)
+ # for encrypted homedir
+ dev_read_sysfs($1)
# for fingerprint readers
dev_rw_input_dev($1)
dev_rw_generic_usb_dev($1)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.12/policy/modules/system/init.fc
--- nsaserefpolicy/policy/modules/system/init.fc 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/init.fc 2009-05-26 09:15:52.000000000 -0400
@@ -6,6 +6,8 @@
/etc/rc\.d/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
/etc/rc\.d/rc\.[^/]+ -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/sysconfig/network-scripts/ifup-ipsec -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
/etc/rc\.d/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
/etc/X11/prefdm -- gen_context(system_u:object_r:initrc_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.12/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/ipsec.te 2009-05-26 09:17:39.000000000 -0400
@@ -348,6 +348,7 @@
files_read_etc_files(setkey_t)
init_dontaudit_use_fds(setkey_t)
+init_read_script_tmp_files(setkey_t)
# allow setkey to set the context for ipsec SAs and policy.
ipsec_setcontext_default_spd(setkey_t)