From f689f50dd565d6e9233aa7f15b7e6f4c8b8df879 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mar 10 2010 15:27:34 +0000 Subject: - Update to upstream --- diff --git a/.cvsignore b/.cvsignore index fdfed60..747509c 100644 --- a/.cvsignore +++ b/.cvsignore @@ -203,3 +203,4 @@ setroubleshoot-2.2.58.tar.gz serefpolicy-3.7.9.tgz serefpolicy-3.7.11.tgz serefpolicy-3.7.12.tgz +serefpolicy-3.7.13.tgz diff --git a/nsadiff b/nsadiff index b96333f..e5d977a 100755 --- a/nsadiff +++ b/nsadiff @@ -1 +1 @@ -diff --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.7.12 > /tmp/diff +diff --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.7.13 > /tmp/diff diff --git a/policy-F13.patch b/policy-F13.patch index 26d7889..82dfa5d 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -1,6 +1,6 @@ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.12/Makefile +diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.13/Makefile --- nsaserefpolicy/Makefile 2009-08-18 11:41:14.000000000 -0400 -+++ serefpolicy-3.7.12/Makefile 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/Makefile 2010-03-09 18:51:11.000000000 -0500 @@ -244,7 +244,7 @@ appdir := $(contextpath) user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts) @@ -10,9 +10,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.12/ net_contexts := $(builddir)net_contexts all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.7.12/policy/global_tunables +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.7.13/policy/global_tunables --- nsaserefpolicy/policy/global_tunables 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.12/policy/global_tunables 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/global_tunables 2010-03-09 18:51:11.000000000 -0500 @@ -61,15 +61,6 @@ ## @@ -48,9 +48,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref +## +gen_tunable(mmap_low_allowed, false) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-3.7.12/policy/modules/admin/acct.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-3.7.13/policy/modules/admin/acct.te --- nsaserefpolicy/policy/modules/admin/acct.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/admin/acct.te 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/acct.te 2010-03-09 18:51:11.000000000 -0500 @@ -43,6 +43,7 @@ fs_getattr_xattr_fs(acct_t) @@ -59,9 +59,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te corecmd_exec_bin(acct_t) corecmd_exec_shell(acct_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.7.12/policy/modules/admin/alsa.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.7.13/policy/modules/admin/alsa.if --- nsaserefpolicy/policy/modules/admin/alsa.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/admin/alsa.if 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/alsa.if 2010-03-09 18:51:11.000000000 -0500 @@ -76,6 +76,26 @@ ######################################## @@ -89,9 +89,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if ## Read alsa lib files. ## ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.7.12/policy/modules/admin/alsa.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.7.13/policy/modules/admin/alsa.te --- nsaserefpolicy/policy/modules/admin/alsa.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/admin/alsa.te 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/alsa.te 2010-03-09 18:51:11.000000000 -0500 @@ -51,6 +51,8 @@ files_read_etc_files(alsa_t) files_read_usr_files(alsa_t) @@ -101,9 +101,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te auth_use_nsswitch(alsa_t) init_use_fds(alsa_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.7.12/policy/modules/admin/anaconda.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.7.13/policy/modules/admin/anaconda.te --- nsaserefpolicy/policy/modules/admin/anaconda.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/admin/anaconda.te 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/anaconda.te 2010-03-09 18:51:11.000000000 -0500 @@ -31,6 +31,7 @@ modutils_domtrans_insmod(anaconda_t) @@ -121,9 +121,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anacond ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.7.12/policy/modules/admin/brctl.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.7.13/policy/modules/admin/brctl.te --- nsaserefpolicy/policy/modules/admin/brctl.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/admin/brctl.te 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/brctl.te 2010-03-09 18:51:11.000000000 -0500 @@ -21,7 +21,7 @@ allow brctl_t self:unix_dgram_socket create_socket_perms; allow brctl_t self:tcp_socket create_socket_perms; @@ -133,9 +133,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.t kernel_read_network_state(brctl_t) kernel_read_sysctl(brctl_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.7.12/policy/modules/admin/certwatch.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.7.13/policy/modules/admin/certwatch.te --- nsaserefpolicy/policy/modules/admin/certwatch.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/admin/certwatch.te 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/certwatch.te 2010-03-09 18:51:11.000000000 -0500 @@ -36,7 +36,7 @@ miscfiles_read_localization(certwatch_t) @@ -145,9 +145,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwat optional_policy(` apache_exec_modules(certwatch_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.if serefpolicy-3.7.12/policy/modules/admin/consoletype.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.if serefpolicy-3.7.13/policy/modules/admin/consoletype.if --- nsaserefpolicy/policy/modules/admin/consoletype.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/admin/consoletype.if 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/consoletype.if 2010-03-09 18:51:11.000000000 -0500 @@ -19,6 +19,9 @@ corecmd_search_bin($1) @@ -158,9 +158,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.7.12/policy/modules/admin/consoletype.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.7.13/policy/modules/admin/consoletype.te --- nsaserefpolicy/policy/modules/admin/consoletype.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/admin/consoletype.te 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/consoletype.te 2010-03-09 18:51:11.000000000 -0500 @@ -10,7 +10,6 @@ type consoletype_exec_t; application_executable_file(consoletype_exec_t) @@ -169,9 +169,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console role system_r types consoletype_t; ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.7.12/policy/modules/admin/firstboot.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.7.13/policy/modules/admin/firstboot.te --- nsaserefpolicy/policy/modules/admin/firstboot.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/admin/firstboot.te 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/firstboot.te 2010-03-09 18:51:11.000000000 -0500 @@ -91,8 +91,12 @@ userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file }) @@ -194,9 +194,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstbo ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.7.12/policy/modules/admin/kismet.te ---- nsaserefpolicy/policy/modules/admin/kismet.te 2009-11-25 15:15:48.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/admin/kismet.te 2010-03-05 17:18:51.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.7.13/policy/modules/admin/kismet.te +--- nsaserefpolicy/policy/modules/admin/kismet.te 2010-03-09 15:39:06.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/kismet.te 2010-03-09 18:51:11.000000000 -0500 @@ -45,6 +45,7 @@ manage_dirs_pattern(kismet_t, kismet_home_t, kismet_home_t) manage_files_pattern(kismet_t, kismet_home_t, kismet_home_t) @@ -205,27 +205,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. userdom_user_home_dir_filetrans(kismet_t, kismet_home_t, { file dir }) manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t) -@@ -53,7 +54,8 @@ - - manage_dirs_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t) - manage_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t) --files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir }) -+manage_sock_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t) -+files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir sock_file }) - - manage_dirs_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t) - manage_files_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t) -@@ -69,6 +71,7 @@ - - kernel_search_debugfs(kismet_t) - kernel_read_system_state(kismet_t) -+kernel_read_network_state(kismet_t) - - corecmd_exec_bin(kismet_t) - -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.7.12/policy/modules/admin/logrotate.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.7.13/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/admin/logrotate.te 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/logrotate.te 2010-03-09 18:51:11.000000000 -0500 @@ -32,7 +32,7 @@ # Change ownership on log files. allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice }; @@ -243,7 +225,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota kernel_read_system_state(logrotate_t) kernel_read_kernel_sysctls(logrotate_t) -@@ -116,8 +117,9 @@ +@@ -108,6 +109,7 @@ + + logging_manage_all_logs(logrotate_t) + logging_send_syslog_msg(logrotate_t) ++logging_send_audit_msgs(logrotate_t) + # cjp: why is this needed? + logging_exec_all_logs(logrotate_t) + +@@ -116,8 +118,9 @@ seutil_dontaudit_read_config(logrotate_t) userdom_use_user_terminals(logrotate_t) @@ -254,7 +244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota cron_system_entry(logrotate_t, logrotate_exec_t) cron_search_spool(logrotate_t) -@@ -137,6 +139,10 @@ +@@ -137,6 +140,10 @@ ') optional_policy(` @@ -265,13 +255,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota acct_domtrans(logrotate_t) acct_manage_data(logrotate_t) acct_exec_data(logrotate_t) -@@ -149,6 +155,16 @@ +@@ -149,6 +156,14 @@ ') optional_policy(` -+ asterisk_exec(logrotate_t) -+ asterisk_stream_connect(logrotate_t) -+ asterisk_manage_lib_files(logrotate_t) ++ asterisk_domtrans(logrotate_t) +') + +optional_policy(` @@ -282,7 +270,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota consoletype_exec(logrotate_t) ') -@@ -157,11 +173,15 @@ +@@ -157,11 +172,15 @@ ') optional_policy(` @@ -299,7 +287,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota ') optional_policy(` -@@ -183,6 +203,15 @@ +@@ -183,6 +202,15 @@ ') optional_policy(` @@ -315,7 +303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota slrnpull_manage_spool(logrotate_t) ') -@@ -191,5 +220,9 @@ +@@ -191,5 +219,9 @@ ') optional_policy(` @@ -325,38 +313,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota +optional_policy(` varnishd_manage_log(logrotate_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.7.12/policy/modules/admin/logwatch.te ---- nsaserefpolicy/policy/modules/admin/logwatch.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/admin/logwatch.te 2010-03-05 17:18:51.000000000 -0500 -@@ -93,6 +93,13 @@ - sysnet_exec_ifconfig(logwatch_t) - - userdom_dontaudit_search_user_home_dirs(logwatch_t) -+tunable_policy(`use_nfs_home_dirs',` -+ fs_list_nfs(logwatch_t) -+') -+ -+tunable_policy(`use_samba_home_dirs',` -+ fs_list_cifs(logwatch_t) -+') - - mta_send_mail(logwatch_t) - -@@ -136,4 +143,5 @@ - - optional_policy(` - samba_read_log(logwatch_t) -+ samba_read_share_files(logwatch_t) - ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.fc serefpolicy-3.7.12/policy/modules/admin/mcelog.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.fc serefpolicy-3.7.13/policy/modules/admin/mcelog.fc --- nsaserefpolicy/policy/modules/admin/mcelog.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/admin/mcelog.fc 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/mcelog.fc 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,2 @@ + +/usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.if serefpolicy-3.7.12/policy/modules/admin/mcelog.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.if serefpolicy-3.7.13/policy/modules/admin/mcelog.if --- nsaserefpolicy/policy/modules/admin/mcelog.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/admin/mcelog.if 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/mcelog.if 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,21 @@ + +## policy for mcelog @@ -379,9 +344,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog. + domtrans_pattern($1, mcelog_exec_t, mcelog_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.te serefpolicy-3.7.12/policy/modules/admin/mcelog.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.te serefpolicy-3.7.13/policy/modules/admin/mcelog.te --- nsaserefpolicy/policy/modules/admin/mcelog.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/admin/mcelog.te 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/mcelog.te 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,32 @@ + +policy_module(mcelog,1.0.0) @@ -415,9 +380,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog. +miscfiles_read_localization(mcelog_t) + +logging_send_syslog_msg(mcelog_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.7.12/policy/modules/admin/mrtg.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.7.13/policy/modules/admin/mrtg.te --- nsaserefpolicy/policy/modules/admin/mrtg.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/admin/mrtg.te 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/mrtg.te 2010-03-09 18:51:11.000000000 -0500 @@ -116,6 +116,7 @@ userdom_use_user_terminals(mrtg_t) userdom_dontaudit_read_user_home_content_files(mrtg_t) @@ -426,9 +391,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te netutils_domtrans_ping(mrtg_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.fc serefpolicy-3.7.12/policy/modules/admin/netutils.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.fc serefpolicy-3.7.13/policy/modules/admin/netutils.fc --- nsaserefpolicy/policy/modules/admin/netutils.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/admin/netutils.fc 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/netutils.fc 2010-03-09 18:51:11.000000000 -0500 @@ -9,6 +9,7 @@ /usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0) /usr/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) @@ -437,9 +402,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil /usr/sbin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) /usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0) /usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.7.12/policy/modules/admin/netutils.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.7.13/policy/modules/admin/netutils.te --- nsaserefpolicy/policy/modules/admin/netutils.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/admin/netutils.te 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/netutils.te 2010-03-09 18:51:11.000000000 -0500 @@ -44,6 +44,7 @@ allow netutils_t self:packet_socket create_socket_perms; allow netutils_t self:udp_socket create_socket_perms; @@ -490,17 +455,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil + term_use_all_ttys(traceroute_t) + term_use_all_ptys(traceroute_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.7.12/policy/modules/admin/prelink.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.7.13/policy/modules/admin/prelink.fc --- nsaserefpolicy/policy/modules/admin/prelink.fc 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/admin/prelink.fc 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/prelink.fc 2010-03-09 18:51:11.000000000 -0500 @@ -1,3 +1,4 @@ +/etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0) /etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.7.12/policy/modules/admin/prelink.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.7.13/policy/modules/admin/prelink.if --- nsaserefpolicy/policy/modules/admin/prelink.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/admin/prelink.if 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/prelink.if 2010-03-09 18:51:11.000000000 -0500 @@ -21,6 +21,25 @@ ######################################## @@ -541,9 +506,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink - relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) + relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.12/policy/modules/admin/prelink.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.13/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/admin/prelink.te 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/prelink.te 2010-03-09 18:51:11.000000000 -0500 @@ -21,8 +21,21 @@ type prelink_tmp_t; files_tmp_file(prelink_tmp_t) @@ -668,9 +633,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink +optional_policy(` + rpm_read_db(prelink_cron_system_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.te serefpolicy-3.7.12/policy/modules/admin/quota.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.te serefpolicy-3.7.13/policy/modules/admin/quota.te --- nsaserefpolicy/policy/modules/admin/quota.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/admin/quota.te 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/quota.te 2010-03-09 18:51:11.000000000 -0500 @@ -39,6 +39,7 @@ kernel_list_proc(quota_t) kernel_read_proc_symlinks(quota_t) @@ -679,9 +644,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.t dev_read_sysfs(quota_t) dev_getattr_all_blk_files(quota_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.7.12/policy/modules/admin/readahead.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.7.13/policy/modules/admin/readahead.te --- nsaserefpolicy/policy/modules/admin/readahead.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/admin/readahead.te 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/readahead.te 2010-03-09 18:51:11.000000000 -0500 @@ -52,6 +52,7 @@ files_list_non_security(readahead_t) @@ -699,9 +664,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahe fs_read_tmpfs_symlinks(readahead_t) fs_list_inotifyfs(readahead_t) fs_dontaudit_search_ramfs(readahead_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.7.12/policy/modules/admin/rpm.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.7.13/policy/modules/admin/rpm.fc --- nsaserefpolicy/policy/modules/admin/rpm.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/admin/rpm.fc 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/rpm.fc 2010-03-09 18:51:11.000000000 -0500 @@ -1,18 +1,19 @@ /bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -752,9 +717,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc # SuSE ifdef(`distro_suse', ` /usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.7.12/policy/modules/admin/rpm.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.7.13/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/admin/rpm.if 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/rpm.if 2010-03-09 18:51:11.000000000 -0500 @@ -13,11 +13,36 @@ interface(`rpm_domtrans',` gen_require(` @@ -1208,9 +1173,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.7.12/policy/modules/admin/rpm.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.7.13/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/admin/rpm.te 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/rpm.te 2010-03-09 18:51:11.000000000 -0500 @@ -1,6 +1,8 @@ policy_module(rpm, 1.10.0) @@ -1495,40 +1460,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te optional_policy(` java_domtrans_unconfined(rpm_script_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.fc serefpolicy-3.7.12/policy/modules/admin/shorewall.fc ---- nsaserefpolicy/policy/modules/admin/shorewall.fc 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/admin/shorewall.fc 2010-03-05 17:18:51.000000000 -0500 -@@ -10,3 +10,5 @@ - /var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) - /var/lib/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) - /var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) -+ -+/var/log/shorewall.* gen_context(system_u:object_r:shorewall_log_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.7.12/policy/modules/admin/shorewall.te ---- nsaserefpolicy/policy/modules/admin/shorewall.te 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/admin/shorewall.te 2010-03-05 17:18:51.000000000 -0500 -@@ -29,6 +29,9 @@ - type shorewall_var_lib_t; - files_type(shorewall_var_lib_t) - -+type shorewall_log_t; -+logging_log_file(shorewall_log_t) -+ - ######################################## - # - # shorewall local policy -@@ -49,6 +52,10 @@ - manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) - files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file }) - -+manage_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) -+manage_dirs_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) -+logging_log_filetrans(shorewall_t, shorewall_log_t, { file dir }) -+ - manage_dirs_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t) - manage_files_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t) - files_tmp_filetrans(shorewall_t, shorewall_tmp_t, { file dir }) -@@ -80,7 +87,7 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.7.13/policy/modules/admin/shorewall.te +--- nsaserefpolicy/policy/modules/admin/shorewall.te 2010-03-08 14:49:44.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/shorewall.te 2010-03-09 18:51:11.000000000 -0500 +@@ -87,7 +87,7 @@ sysnet_domtrans_ifconfig(shorewall_t) @@ -1537,22 +1472,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa optional_policy(` iptables_domtrans(shorewall_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.fc serefpolicy-3.7.12/policy/modules/admin/smoltclient.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.fc serefpolicy-3.7.13/policy/modules/admin/smoltclient.fc --- nsaserefpolicy/policy/modules/admin/smoltclient.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/admin/smoltclient.fc 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/smoltclient.fc 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,4 @@ + +/usr/share/smolt/client/sendProfile.py -- gen_context(system_u:object_r:smoltclient_exec_t,s0) + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.if serefpolicy-3.7.12/policy/modules/admin/smoltclient.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.if serefpolicy-3.7.13/policy/modules/admin/smoltclient.if --- nsaserefpolicy/policy/modules/admin/smoltclient.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/admin/smoltclient.if 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/smoltclient.if 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1 @@ +## The Fedora hardware profiler client -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.7.12/policy/modules/admin/smoltclient.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.7.13/policy/modules/admin/smoltclient.te --- nsaserefpolicy/policy/modules/admin/smoltclient.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/admin/smoltclient.te 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/smoltclient.te 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,66 @@ +policy_module(smoltclient,1.0.0) + @@ -1620,9 +1555,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltcl + rpm_exec(smoltclient_t) + rpm_read_db(smoltclient_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.7.12/policy/modules/admin/sudo.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.7.13/policy/modules/admin/sudo.if --- nsaserefpolicy/policy/modules/admin/sudo.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/admin/sudo.if 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/sudo.if 2010-03-09 18:51:11.000000000 -0500 @@ -73,12 +73,16 @@ # Enter this derived domain from the user domain domtrans_pattern($3, sudo_exec_t, $1_sudo_t) @@ -1651,9 +1586,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files($1_sudo_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.7.12/policy/modules/admin/su.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.7.13/policy/modules/admin/su.if --- nsaserefpolicy/policy/modules/admin/su.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/admin/su.if 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/su.if 2010-03-09 18:51:11.000000000 -0500 @@ -58,6 +58,10 @@ allow $2 $1_su_t:fifo_file rw_file_perms; allow $2 $1_su_t:process sigchld; @@ -1676,9 +1611,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s ps_process_pattern($3, $1_su_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.7.12/policy/modules/admin/tmpreaper.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.7.13/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/admin/tmpreaper.te 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/tmpreaper.te 2010-03-09 18:51:11.000000000 -0500 @@ -42,6 +42,7 @@ cron_system_entry(tmpreaper_t, tmpreaper_exec_t) @@ -1717,9 +1652,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap +optional_policy(` unconfined_domain(tmpreaper_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.7.12/policy/modules/admin/usermanage.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.7.13/policy/modules/admin/usermanage.if --- nsaserefpolicy/policy/modules/admin/usermanage.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/admin/usermanage.if 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/usermanage.if 2010-03-09 18:51:11.000000000 -0500 @@ -18,6 +18,10 @@ files_search_usr($1) corecmd_search_bin($1) @@ -1775,9 +1710,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman optional_policy(` nscd_run(useradd_t, $2) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.12/policy/modules/admin/usermanage.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.13/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/admin/usermanage.te 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/usermanage.te 2010-03-09 18:51:11.000000000 -0500 @@ -209,6 +209,7 @@ files_manage_etc_files(groupadd_t) files_relabel_etc_files(groupadd_t) @@ -1846,9 +1781,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman puppet_rw_tmp(useradd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.7.12/policy/modules/admin/vbetool.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.7.13/policy/modules/admin/vbetool.te --- nsaserefpolicy/policy/modules/admin/vbetool.te 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/admin/vbetool.te 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/vbetool.te 2010-03-09 18:51:11.000000000 -0500 @@ -25,7 +25,13 @@ dev_rw_xserver_misc(vbetool_t) dev_rw_mtrr(vbetool_t) @@ -1863,9 +1798,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool term_use_unallocated_ttys(vbetool_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.7.12/policy/modules/admin/vpn.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.7.13/policy/modules/admin/vpn.te --- nsaserefpolicy/policy/modules/admin/vpn.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/admin/vpn.te 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/vpn.te 2010-03-09 18:51:11.000000000 -0500 +@@ -31,7 +31,7 @@ + allow vpnc_t self:rawip_socket create_socket_perms; + allow vpnc_t self:unix_dgram_socket create_socket_perms; + allow vpnc_t self:unix_stream_socket create_socket_perms; +-allow vpnc_t self:tun_socket create; ++allow vpnc_t self:tun_socket { create_socket_perms }; + # cjp: this needs to be fixed + allow vpnc_t self:socket create_socket_perms; + @@ -46,6 +46,7 @@ kernel_read_system_state(vpnc_t) kernel_read_network_state(vpnc_t) @@ -1882,27 +1826,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te optional_policy(` dbus_system_bus_client(vpnc_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.te serefpolicy-3.7.12/policy/modules/apps/cdrecord.te ---- nsaserefpolicy/policy/modules/apps/cdrecord.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/cdrecord.te 2010-03-05 17:18:51.000000000 -0500 -@@ -32,6 +32,8 @@ - allow cdrecord_t self:unix_dgram_socket create_socket_perms; - allow cdrecord_t self:unix_stream_socket create_stream_socket_perms; - -+corecmd_exec_bin(cdrecord_t) -+ - # allow searching for cdrom-drive - dev_list_all_dev_nodes(cdrecord_t) - dev_read_sysfs(cdrecord_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.fc serefpolicy-3.7.12/policy/modules/apps/chrome.fc +@@ -115,3 +117,7 @@ + networkmanager_dbus_chat(vpnc_t) + ') + ') ++ ++optional_policy(` ++ networkmanager_attach_tun_iface(vpnc_t) ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.fc serefpolicy-3.7.13/policy/modules/apps/chrome.fc --- nsaserefpolicy/policy/modules/apps/chrome.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/chrome.fc 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/chrome.fc 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,2 @@ + +/usr/lib(64)?/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.7.12/policy/modules/apps/chrome.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.7.13/policy/modules/apps/chrome.if --- nsaserefpolicy/policy/modules/apps/chrome.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/chrome.if 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/chrome.if 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,90 @@ + +## policy for chrome @@ -1994,9 +1934,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.i + allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.12/policy/modules/apps/chrome.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.13/policy/modules/apps/chrome.te --- nsaserefpolicy/policy/modules/apps/chrome.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/chrome.te 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/chrome.te 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,81 @@ +policy_module(chrome,1.0.0) + @@ -2079,9 +2019,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.t + fs_dontaudit_append_cifs_files(chrome_sandbox_t) + fs_dontaudit_read_cifs_files(chrome_sandbox_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.7.12/policy/modules/apps/cpufreqselector.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.7.13/policy/modules/apps/cpufreqselector.te --- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/cpufreqselector.te 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/cpufreqselector.te 2010-03-09 18:51:11.000000000 -0500 @@ -26,7 +26,7 @@ dev_rw_sysfs(cpufreqselector_t) @@ -2091,11 +2031,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqs optional_policy(` dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.7.12/policy/modules/apps/execmem.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.7.13/policy/modules/apps/execmem.fc --- nsaserefpolicy/policy/modules/apps/execmem.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/execmem.fc 2010-03-05 17:18:51.000000000 -0500 -@@ -0,0 +1,43 @@ ++++ serefpolicy-3.7.13/policy/modules/apps/execmem.fc 2010-03-09 19:08:08.000000000 -0500 +@@ -0,0 +1,45 @@ ++ +/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/compiz -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0) @@ -2138,9 +2080,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem. + +/opt/google/chrome/chrome -- gen_context(system_u:object_r:execmem_exec_t,s0) +/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.7.12/policy/modules/apps/execmem.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.7.13/policy/modules/apps/execmem.if --- nsaserefpolicy/policy/modules/apps/execmem.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/execmem.if 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/execmem.if 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,108 @@ +## execmem domain + @@ -2250,9 +2192,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem. + + domtrans_pattern($1, execmem_exec_t, $2) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.te serefpolicy-3.7.12/policy/modules/apps/execmem.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.te serefpolicy-3.7.13/policy/modules/apps/execmem.te --- nsaserefpolicy/policy/modules/apps/execmem.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/execmem.te 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/execmem.te 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,11 @@ + +policy_module(execmem, 1.0.0) @@ -2265,16 +2207,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem. +type execmem_exec_t alias unconfined_execmem_exec_t; +application_executable_file(execmem_exec_t) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.fc serefpolicy-3.7.12/policy/modules/apps/firewallgui.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.fc serefpolicy-3.7.13/policy/modules/apps/firewallgui.fc --- nsaserefpolicy/policy/modules/apps/firewallgui.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/firewallgui.fc 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/firewallgui.fc 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,3 @@ + +/usr/share/system-config-firewall/system-config-firewall-mechanism.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.if serefpolicy-3.7.12/policy/modules/apps/firewallgui.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.if serefpolicy-3.7.13/policy/modules/apps/firewallgui.if --- nsaserefpolicy/policy/modules/apps/firewallgui.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/firewallgui.if 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/firewallgui.if 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,23 @@ + +## policy for firewallgui @@ -2299,9 +2241,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall + allow $1 firewallgui_t:dbus send_msg; + allow firewallgui_t $1:dbus send_msg; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.7.12/policy/modules/apps/firewallgui.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.7.13/policy/modules/apps/firewallgui.te --- nsaserefpolicy/policy/modules/apps/firewallgui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/firewallgui.te 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/firewallgui.te 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,66 @@ + +policy_module(firewallgui,1.0.0) @@ -2369,9 +2311,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall + policykit_dbus_chat(firewallgui_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.7.12/policy/modules/apps/gitosis.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.7.13/policy/modules/apps/gitosis.if --- nsaserefpolicy/policy/modules/apps/gitosis.if 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/apps/gitosis.if 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/gitosis.if 2010-03-09 18:51:11.000000000 -0500 @@ -43,3 +43,47 @@ role $2 types gitosis_t; ') @@ -2420,9 +2362,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis. + manage_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) + manage_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.7.12/policy/modules/apps/gnome.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.7.13/policy/modules/apps/gnome.fc --- nsaserefpolicy/policy/modules/apps/gnome.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/apps/gnome.fc 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/gnome.fc 2010-03-09 18:51:11.000000000 -0500 @@ -1,8 +1,28 @@ -HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0) @@ -2454,9 +2396,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc + +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.7.12/policy/modules/apps/gnome.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.7.13/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/apps/gnome.if 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/gnome.if 2010-03-09 18:51:11.000000000 -0500 @@ -74,6 +74,24 @@ ######################################## @@ -2482,7 +2424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if ## manage gnome homedir content (.config) ## ## -@@ -84,10 +102,207 @@ +@@ -84,10 +102,228 @@ # interface(`gnome_manage_config',` gen_require(` @@ -2693,9 +2635,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if + + allow $1 gnome_home_type:file rw_inherited_file_perms; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.7.12/policy/modules/apps/gnome.te ++ ++######################################## ++## ++## Send and receive messages from ++## gconf system service over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_dbus_chat_gconfdefault',` ++ gen_require(` ++ type gconfdefaultsm_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 gconfdefaultsm_t:dbus send_msg; ++ allow gconfdefaultsm_t $1:dbus send_msg; ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.7.13/policy/modules/apps/gnome.te --- nsaserefpolicy/policy/modules/apps/gnome.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/apps/gnome.te 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/gnome.te 2010-03-09 18:51:11.000000000 -0500 @@ -7,18 +7,33 @@ # @@ -2844,18 +2807,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te + policykit_read_lib(gnomesystemmm_t) + policykit_read_reload(gnomesystemmm_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.7.12/policy/modules/apps/gpg.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.7.13/policy/modules/apps/gpg.fc --- nsaserefpolicy/policy/modules/apps/gpg.fc 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/apps/gpg.fc 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/gpg.fc 2010-03-09 18:51:11.000000000 -0500 @@ -1,4 +1,5 @@ HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) +/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.7.12/policy/modules/apps/gpg.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.7.13/policy/modules/apps/gpg.if --- nsaserefpolicy/policy/modules/apps/gpg.if 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/apps/gpg.if 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/gpg.if 2010-03-09 18:51:11.000000000 -0500 @@ -52,11 +52,8 @@ ifdef(`hide_broken_symptoms',` @@ -2869,9 +2832,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s ') ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.7.12/policy/modules/apps/gpg.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.7.13/policy/modules/apps/gpg.te --- nsaserefpolicy/policy/modules/apps/gpg.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/gpg.te 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/gpg.te 2010-03-09 18:51:11.000000000 -0500 @@ -20,6 +20,7 @@ typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t }; application_domain(gpg_t, gpg_exec_t) @@ -2897,7 +2860,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s allow gpg_t self:process { signal setrlimit getcap setcap setpgid }; allow gpg_t self:fifo_file rw_fifo_file_perms; -@@ -130,10 +132,10 @@ +@@ -112,6 +114,7 @@ + # sign/encrypt user files + userdom_manage_user_tmp_files(gpg_t) + userdom_manage_user_home_content_files(gpg_t) ++userdom_user_home_dir_filetrans_user_home_content(gpg_t, file) + + mta_write_config(gpg_t) + +@@ -130,10 +133,10 @@ xserver_rw_xdm_pipes(gpg_t) ') @@ -2912,9 +2883,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s ######################################## # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.7.12/policy/modules/apps/java.fc +@@ -184,6 +187,7 @@ + # + # GPG agent local policy + # ++domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) + + # rlimit: gpg-agent wants to prevent coredumps + allow gpg_agent_t self:process setrlimit; +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.7.13/policy/modules/apps/java.fc --- nsaserefpolicy/policy/modules/apps/java.fc 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/java.fc 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/java.fc 2010-03-09 18:51:11.000000000 -0500 @@ -9,6 +9,7 @@ # # /usr @@ -2934,9 +2913,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc + +/usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.7.12/policy/modules/apps/java.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.7.13/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/java.if 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/java.if 2010-03-09 18:51:11.000000000 -0500 @@ -72,6 +72,7 @@ domain_interactive_fd($1_java_t) @@ -2962,9 +2941,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.7.12/policy/modules/apps/java.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.7.13/policy/modules/apps/java.te --- nsaserefpolicy/policy/modules/apps/java.te 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/java.te 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/java.te 2010-03-09 18:51:11.000000000 -0500 @@ -147,6 +147,14 @@ init_dbus_chat_script(unconfined_java_t) @@ -2980,21 +2959,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te + rpm_domtrans(unconfined_java_t) + ') ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.7.12/policy/modules/apps/kdumpgui.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.7.13/policy/modules/apps/kdumpgui.fc --- nsaserefpolicy/policy/modules/apps/kdumpgui.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/kdumpgui.fc 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/kdumpgui.fc 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,2 @@ + +/usr/share/system-config-kdump/system-config-kdump-backend.py -- gen_context(system_u:object_r:kdumpgui_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.7.12/policy/modules/apps/kdumpgui.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.7.13/policy/modules/apps/kdumpgui.if --- nsaserefpolicy/policy/modules/apps/kdumpgui.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/kdumpgui.if 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/kdumpgui.if 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,2 @@ +## system-config-kdump policy + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.7.12/policy/modules/apps/kdumpgui.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.7.13/policy/modules/apps/kdumpgui.te --- nsaserefpolicy/policy/modules/apps/kdumpgui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/kdumpgui.te 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/kdumpgui.te 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,68 @@ +policy_module(kdumpgui,1.0.0) + @@ -3064,15 +3043,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui +optional_policy(` + policykit_dbus_chat(kdumpgui_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.7.12/policy/modules/apps/livecd.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.7.13/policy/modules/apps/livecd.fc --- nsaserefpolicy/policy/modules/apps/livecd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/livecd.fc 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/livecd.fc 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,2 @@ + +/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.7.12/policy/modules/apps/livecd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.7.13/policy/modules/apps/livecd.if --- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/livecd.if 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/livecd.if 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,52 @@ + +## policy for livecd @@ -3126,9 +3105,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.i + usermanage_run_chfn(livecd_t, $2) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.7.12/policy/modules/apps/livecd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.7.13/policy/modules/apps/livecd.te --- nsaserefpolicy/policy/modules/apps/livecd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/livecd.te 2010-03-05 17:18:51.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/livecd.te 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,27 @@ +policy_module(livecd, 1.0.0) + @@ -3157,9 +3136,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.t + +seutil_domtrans_setfiles_mac(livecd_t) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.if serefpolicy-3.7.12/policy/modules/apps/loadkeys.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.if serefpolicy-3.7.13/policy/modules/apps/loadkeys.if --- nsaserefpolicy/policy/modules/apps/loadkeys.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/apps/loadkeys.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/loadkeys.if 2010-03-09 18:51:11.000000000 -0500 @@ -17,6 +17,9 @@ corecmd_search_bin($1) @@ -3170,9 +3149,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.7.12/policy/modules/apps/loadkeys.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.7.13/policy/modules/apps/loadkeys.te --- nsaserefpolicy/policy/modules/apps/loadkeys.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/apps/loadkeys.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/loadkeys.te 2010-03-09 18:51:11.000000000 -0500 @@ -40,8 +40,12 @@ miscfiles_read_localization(loadkeys_t) @@ -3187,9 +3166,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys +ifdef(`hide_broken_symptoms',` + dev_dontaudit_rw_lvm_control(loadkeys_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.7.12/policy/modules/apps/mono.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.7.13/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/mono.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/mono.if 2010-03-09 18:51:11.000000000 -0500 @@ -40,10 +40,10 @@ domain_interactive_fd($1_mono_t) application_type($1_mono_t) @@ -3202,9 +3181,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms }; domtrans_pattern($3, mono_exec_t, $1_mono_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.7.12/policy/modules/apps/mozilla.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.7.13/policy/modules/apps/mozilla.fc --- nsaserefpolicy/policy/modules/apps/mozilla.fc 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/apps/mozilla.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/mozilla.fc 2010-03-09 18:51:11.000000000 -0500 @@ -1,6 +1,7 @@ HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) @@ -3221,9 +3200,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. /usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.7.12/policy/modules/apps/mozilla.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.7.13/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/mozilla.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/mozilla.if 2010-03-09 18:51:11.000000000 -0500 @@ -48,6 +48,12 @@ mozilla_dbus_chat($2) @@ -3269,9 +3248,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. + allow $1 mozilla_home_t:file execmod; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.7.12/policy/modules/apps/mozilla.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.7.13/policy/modules/apps/mozilla.te --- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/mozilla.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/mozilla.te 2010-03-09 18:51:11.000000000 -0500 @@ -91,6 +91,7 @@ corenet_raw_sendrecv_generic_node(mozilla_t) corenet_tcp_sendrecv_http_port(mozilla_t) @@ -3330,9 +3309,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. +optional_policy(` thunderbird_domtrans(mozilla_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.7.12/policy/modules/apps/nsplugin.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.7.13/policy/modules/apps/nsplugin.fc --- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/nsplugin.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/nsplugin.fc 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,10 @@ +HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) @@ -3344,9 +3323,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0) +/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0) +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.7.12/policy/modules/apps/nsplugin.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.7.13/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/nsplugin.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/nsplugin.if 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,355 @@ + +## policy for nsplugin @@ -3703,9 +3682,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + allow $1 nsplugin_t:sem rw_sem_perms; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.12/policy/modules/apps/nsplugin.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.13/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/nsplugin.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/nsplugin.te 2010-03-10 09:44:06.000000000 -0500 @@ -0,0 +1,296 @@ + +policy_module(nsplugin, 1.0.0) @@ -4003,16 +3982,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.7.12/policy/modules/apps/openoffice.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.7.13/policy/modules/apps/openoffice.fc --- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/openoffice.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/openoffice.fc 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,3 @@ +/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) +/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.7.12/policy/modules/apps/openoffice.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.7.13/policy/modules/apps/openoffice.if --- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/openoffice.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/openoffice.if 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,92 @@ +## Openoffice + @@ -4106,9 +4085,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi + xserver_common_x_domain_template($1, $1_openoffice_t) + ') +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.7.12/policy/modules/apps/openoffice.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.7.13/policy/modules/apps/openoffice.te --- nsaserefpolicy/policy/modules/apps/openoffice.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/openoffice.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/openoffice.te 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,11 @@ + +policy_module(openoffice, 1.0.0) @@ -4121,9 +4100,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi +type openoffice_t; +type openoffice_exec_t; +application_domain(openoffice_t, openoffice_exec_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.7.12/policy/modules/apps/podsleuth.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.7.13/policy/modules/apps/podsleuth.te --- nsaserefpolicy/policy/modules/apps/podsleuth.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/podsleuth.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/podsleuth.te 2010-03-09 18:51:11.000000000 -0500 @@ -50,6 +50,7 @@ fs_tmpfs_filetrans(podsleuth_t, podsleuth_tmpfs_t, { dir file lnk_file }) @@ -4147,9 +4126,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleut optional_policy(` dbus_system_bus_client(podsleuth_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.7.12/policy/modules/apps/ptchown.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.7.13/policy/modules/apps/ptchown.if --- nsaserefpolicy/policy/modules/apps/ptchown.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/apps/ptchown.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/ptchown.if 2010-03-09 18:51:11.000000000 -0500 @@ -18,3 +18,27 @@ domtrans_pattern($1, ptchown_exec_t, ptchown_t) ') @@ -4178,9 +4157,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown. + ptchown_domtrans($1) + role $2 types ptchown_t; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.te serefpolicy-3.7.12/policy/modules/apps/ptchown.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.te serefpolicy-3.7.13/policy/modules/apps/ptchown.te --- nsaserefpolicy/policy/modules/apps/ptchown.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/ptchown.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/ptchown.te 2010-03-09 18:51:11.000000000 -0500 @@ -24,6 +24,7 @@ fs_rw_anon_inodefs_files(ptchown_t) @@ -4189,9 +4168,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown. term_setattr_all_ptys(ptchown_t) term_use_generic_ptys(ptchown_t) term_use_ptmx(ptchown_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.7.12/policy/modules/apps/pulseaudio.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.7.13/policy/modules/apps/pulseaudio.fc --- nsaserefpolicy/policy/modules/apps/pulseaudio.fc 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/apps/pulseaudio.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/pulseaudio.fc 2010-03-09 18:51:11.000000000 -0500 @@ -1 +1,9 @@ +HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) +HOME_DIR/\.pulse-cookie gen_context(system_u:object_r:pulseaudio_home_t,s0) @@ -4202,9 +4181,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud + /usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.12/policy/modules/apps/pulseaudio.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.13/policy/modules/apps/pulseaudio.if --- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/apps/pulseaudio.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/pulseaudio.if 2010-03-09 18:51:11.000000000 -0500 @@ -29,7 +29,7 @@ ps_process_pattern($2, pulseaudio_t) @@ -4308,9 +4287,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud - allow $1 pulseaudio_t:unix_stream_socket connectto; + stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.12/policy/modules/apps/pulseaudio.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.13/policy/modules/apps/pulseaudio.te --- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/pulseaudio.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/pulseaudio.te 2010-03-09 18:51:11.000000000 -0500 @@ -8,24 +8,52 @@ type pulseaudio_t; @@ -4399,9 +4378,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud + xserver_read_xdm_pid(pulseaudio_t) + xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.7.12/policy/modules/apps/qemu.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.7.13/policy/modules/apps/qemu.if --- nsaserefpolicy/policy/modules/apps/qemu.if 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/qemu.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/qemu.if 2010-03-09 18:51:11.000000000 -0500 @@ -127,12 +127,14 @@ template(`qemu_role',` gen_require(` @@ -4490,9 +4469,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) ') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.7.12/policy/modules/apps/qemu.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.7.13/policy/modules/apps/qemu.te --- nsaserefpolicy/policy/modules/apps/qemu.te 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/qemu.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/qemu.te 2010-03-09 18:51:11.000000000 -0500 @@ -50,6 +50,8 @@ # # qemu local policy @@ -4523,20 +4502,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te allow unconfined_qemu_t self:process { execstack execmem }; + allow unconfined_qemu_t qemu_exec_t:file execmod; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.7.12/policy/modules/apps/sambagui.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.7.13/policy/modules/apps/sambagui.fc --- nsaserefpolicy/policy/modules/apps/sambagui.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/sambagui.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/sambagui.fc 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1 @@ +/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.7.12/policy/modules/apps/sambagui.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.7.13/policy/modules/apps/sambagui.if --- nsaserefpolicy/policy/modules/apps/sambagui.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/sambagui.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/sambagui.if 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,2 @@ +## system-config-samba policy + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.7.12/policy/modules/apps/sambagui.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.7.13/policy/modules/apps/sambagui.te --- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/sambagui.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/sambagui.te 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,66 @@ +policy_module(sambagui,1.0.0) + @@ -4604,14 +4583,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui +optional_policy(` + policykit_dbus_chat(sambagui_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.7.12/policy/modules/apps/sandbox.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.7.13/policy/modules/apps/sandbox.fc --- nsaserefpolicy/policy/modules/apps/sandbox.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/sandbox.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/sandbox.fc 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1 @@ +# No types are sandbox_exec_t -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.12/policy/modules/apps/sandbox.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.13/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/sandbox.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/sandbox.if 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,248 @@ + +## policy for sandbox @@ -4861,9 +4840,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + + allow $1 sandbox_file_type:dir list_dir_perms; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.12/policy/modules/apps/sandbox.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.13/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/sandbox.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/sandbox.te 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,365 @@ +policy_module(sandbox,1.0.0) +dbus_stub() @@ -5230,9 +5209,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +optional_policy(` + hal_dbus_chat(sandbox_net_client_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.7.12/policy/modules/apps/screen.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.7.13/policy/modules/apps/screen.if --- nsaserefpolicy/policy/modules/apps/screen.if 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/screen.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/screen.if 2010-03-09 18:51:11.000000000 -0500 @@ -141,6 +141,7 @@ userdom_create_user_pty($1_screen_t) userdom_user_home_domtrans($1_screen_t, $3) @@ -5241,9 +5220,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.i tunable_policy(`use_samba_home_dirs',` fs_cifs_domtrans($1_screen_t, $3) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.12/policy/modules/apps/seunshare.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.13/policy/modules/apps/seunshare.if --- nsaserefpolicy/policy/modules/apps/seunshare.if 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/seunshare.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/seunshare.if 2010-03-09 18:51:11.000000000 -0500 @@ -2,59 +2,14 @@ ######################################## @@ -5341,9 +5320,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar + dontaudit $1_seunshare_t $3:socket_class_set { read write }; + ') ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.12/policy/modules/apps/seunshare.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.13/policy/modules/apps/seunshare.te --- nsaserefpolicy/policy/modules/apps/seunshare.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/seunshare.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/seunshare.te 2010-03-09 18:51:11.000000000 -0500 @@ -6,40 +6,39 @@ # Declarations # @@ -5402,9 +5381,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar + mozilla_dontaudit_manage_user_home_files(seunshare_domain) ') ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.7.12/policy/modules/apps/slocate.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.7.13/policy/modules/apps/slocate.te --- nsaserefpolicy/policy/modules/apps/slocate.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/apps/slocate.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/slocate.te 2010-03-09 18:51:11.000000000 -0500 @@ -30,6 +30,7 @@ manage_files_pattern(locate_t, locate_var_lib_t, locate_var_lib_t) @@ -5421,9 +5400,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate. # getpwnam auth_use_nsswitch(locate_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.7.12/policy/modules/apps/vmware.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.7.13/policy/modules/apps/vmware.if --- nsaserefpolicy/policy/modules/apps/vmware.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/apps/vmware.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/vmware.if 2010-03-09 18:51:11.000000000 -0500 @@ -84,3 +84,22 @@ logging_search_logs($1) append_files_pattern($1, vmware_log_t, vmware_log_t) @@ -5447,9 +5426,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.i + can_exec($1, vmware_host_exec_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.7.12/policy/modules/apps/vmware.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.7.13/policy/modules/apps/vmware.te --- nsaserefpolicy/policy/modules/apps/vmware.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/vmware.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/vmware.te 2010-03-10 09:53:01.000000000 -0500 @@ -29,6 +29,10 @@ type vmware_host_exec_t; init_daemon_domain(vmware_host_t, vmware_host_exec_t) @@ -5461,21 +5440,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t type vmware_host_pid_t alias vmware_var_run_t; files_pid_file(vmware_host_pid_t) -@@ -80,6 +84,11 @@ +@@ -79,6 +83,12 @@ + # cjp: the ro and rw files should be split up manage_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t) - ++manage_lnk_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t) ++ +manage_dirs_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t) +manage_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t) +manage_sock_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t) +files_tmp_filetrans(vmware_host_t, vmware_host_tmp_t, { file dir }) -+ + manage_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t) manage_sock_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t) - files_pid_filetrans(vmware_host_t, vmware_var_run_t, { file sock_file }) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.7.12/policy/modules/apps/wine.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.7.13/policy/modules/apps/wine.if --- nsaserefpolicy/policy/modules/apps/wine.if 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/wine.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/wine.if 2010-03-09 18:51:11.000000000 -0500 @@ -35,6 +35,8 @@ role $1 types wine_t; @@ -5501,9 +5481,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if optional_policy(` xserver_role($1_r, $1_wine_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.7.12/policy/modules/apps/wine.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.7.13/policy/modules/apps/wine.te --- nsaserefpolicy/policy/modules/apps/wine.te 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/apps/wine.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/wine.te 2010-03-09 18:51:11.000000000 -0500 @@ -1,6 +1,14 @@ policy_module(wine, 1.6.1) @@ -5534,9 +5514,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te files_execmod_all_files(wine_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.7.12/policy/modules/apps/wm.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.7.13/policy/modules/apps/wm.if --- nsaserefpolicy/policy/modules/apps/wm.if 2009-07-27 18:11:17.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/apps/wm.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/apps/wm.if 2010-03-09 18:51:11.000000000 -0500 @@ -30,6 +30,7 @@ template(`wm_role_template',` gen_require(` @@ -5586,9 +5566,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.12/policy/modules/kernel/corecommands.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.13/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-03-05 17:14:56.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/kernel/corecommands.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/kernel/corecommands.fc 2010-03-09 18:51:11.000000000 -0500 @@ -147,6 +147,9 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -5621,9 +5601,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco +/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0) + +/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.12/policy/modules/kernel/corecommands.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.13/policy/modules/kernel/corecommands.if --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2010-03-05 17:14:56.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/kernel/corecommands.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/kernel/corecommands.if 2010-03-09 18:51:11.000000000 -0500 @@ -931,6 +931,7 @@ read_lnk_files_pattern($1, bin_t, bin_t) @@ -5640,9 +5620,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco manage_files_pattern($1, bin_t, exec_type) manage_lnk_files_pattern($1, bin_t, bin_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.12/policy/modules/kernel/corenetwork.te.in ---- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-03-05 17:14:56.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/kernel/corenetwork.te.in 2010-03-07 10:13:31.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.13/policy/modules/kernel/corenetwork.te.in +--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-03-08 14:49:44.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/kernel/corenetwork.te.in 2010-03-09 18:51:11.000000000 -0500 @@ -65,6 +65,7 @@ type server_packet_t, packet_type, server_packet_type; @@ -5670,22 +5650,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0) network_port(ftp_data, tcp,20,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) -@@ -109,13 +114,13 @@ - network_port(howl, tcp,5335,s0, udp,5353,s0) - network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) - network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port --network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010) # 8118 is for privoxy -+network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy - network_port(i18n_input, tcp,9010,s0) - network_port(imaze, tcp,5323,s0, udp,5323,s0) - network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) - network_port(innd, tcp,119,s0) - network_port(ipmi, udp,623,s0, udp,664,s0) --network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,20, udp,8610-8614,s0) -+network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0) - network_port(ipsecnat, tcp,4500,s0, udp,4500,s0) - network_port(ircd, tcp,6667,s0) - network_port(isakmp, udp,500,s0) @@ -131,12 +136,14 @@ network_port(ktalkd, udp,517,s0, udp,518,s0) network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) @@ -5744,19 +5708,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict network_port(swat, tcp,901,s0) network_port(syslogd, udp,514,s0) -@@ -200,7 +217,8 @@ +@@ -200,7 +217,7 @@ network_port(varnishd, tcp,6081,s0, tcp,6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152-49216,s0) -network_port(vnc, tcp,5900,s0) -+# Reserve 100 ports for vnc/virt machines -+network_port(vnc, tcp,5901-5999,s0) ++network_port(vnc, tcp,5900-5999,s0) network_port(wccp, udp,2048,s0) network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 ) network_port(xdmcp, udp,177,s0, tcp,177,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.12/policy/modules/kernel/devices.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.13/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-03-05 10:46:32.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/kernel/devices.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/kernel/devices.fc 2010-03-09 18:51:11.000000000 -0500 @@ -108,6 +108,7 @@ /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) /dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0) @@ -5765,9 +5728,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.12/policy/modules/kernel/devices.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.13/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2010-03-05 10:46:32.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/kernel/devices.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/kernel/devices.if 2010-03-09 18:51:11.000000000 -0500 @@ -934,6 +934,42 @@ ######################################## @@ -5836,9 +5799,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Mount a usbfs filesystem. ## ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.12/policy/modules/kernel/devices.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.13/policy/modules/kernel/devices.te --- nsaserefpolicy/policy/modules/kernel/devices.te 2010-03-05 10:46:32.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/kernel/devices.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/kernel/devices.te 2010-03-09 18:51:11.000000000 -0500 @@ -239,6 +239,12 @@ dev_node(usb_device_t) @@ -5859,9 +5822,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device -allow devices_unconfined_type device_node:{ blk_file chr_file } *; +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *; allow devices_unconfined_type mtrr_device_t:file *; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.12/policy/modules/kernel/domain.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.13/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2010-03-03 23:26:37.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/kernel/domain.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/kernel/domain.if 2010-03-09 18:51:11.000000000 -0500 +@@ -611,7 +611,7 @@ + + ######################################## + ## +-## Get the attributes of all domains of all domains. ++## Get the attributes of all domains. + ## + ## + ## +@@ -630,7 +630,7 @@ + + ######################################## + ## +-## Get the attributes of all domains of all domains. ++## Dontaudit geting the attributes of all domains. + ## + ## + ## @@ -831,6 +831,42 @@ ######################################## @@ -6063,9 +6044,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain + + dontaudit $1 domain:socket_class_set { read write }; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.12/policy/modules/kernel/domain.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.13/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/kernel/domain.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/kernel/domain.te 2010-03-09 18:51:11.000000000 -0500 @@ -5,6 +5,21 @@ # # Declarations @@ -6234,9 +6215,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain + userdom_relabelto_user_home_dirs(polydomain) + userdom_relabelto_user_home_files(polydomain) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.7.12/policy/modules/kernel/files.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.7.13/policy/modules/kernel/files.fc --- nsaserefpolicy/policy/modules/kernel/files.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/kernel/files.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/kernel/files.fc 2010-03-09 18:51:11.000000000 -0500 @@ -18,6 +18,7 @@ /fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0) /halt -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -6308,9 +6289,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) /var/lib/nfs/rpc_pipefs(/.*)? <> -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.12/policy/modules/kernel/files.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.13/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2010-03-03 23:26:37.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/kernel/files.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/kernel/files.if 2010-03-09 18:51:11.000000000 -0500 @@ -1053,10 +1053,8 @@ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -6876,7 +6857,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. +## +## +# -+interface(`files_manage_root',` ++interface(`files_manage_root_files',` + gen_require(` + type root_t; + ') @@ -7067,9 +7048,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. + dontaudit $1 file_type:file rw_inherited_file_perms; + dontaudit $1 file_type:lnk_file { read }; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.7.12/policy/modules/kernel/files.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.7.13/policy/modules/kernel/files.te --- nsaserefpolicy/policy/modules/kernel/files.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/kernel/files.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/kernel/files.te 2010-03-09 18:51:11.000000000 -0500 @@ -12,6 +12,7 @@ attribute mountpoint; attribute pidfile; @@ -7102,9 +7083,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.12/policy/modules/kernel/filesystem.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.13/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-03-03 23:26:37.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/kernel/filesystem.if 2010-03-07 08:32:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/kernel/filesystem.if 2010-03-09 18:51:11.000000000 -0500 @@ -929,7 +929,7 @@ type cifs_t; ') @@ -7177,10 +7158,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Search inotifyfs filesystem. ## ## -@@ -1672,6 +1721,24 @@ +@@ -1668,6 +1717,25 @@ + ') - ######################################## - ## + allow $1 inotifyfs_t:dir list_dir_perms; ++ fs_read_anon_inodefs_files($1) ++') ++ ++######################################## ++## +## Dontaudit List inotifyfs filesystem. +## +## @@ -7195,14 +7181,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy + ') + + dontaudit $1 inotifyfs_t:dir list_dir_perms; -+') -+ -+######################################## -+## - ## Mount an iso9660 filesystem, which - ## is usually used on CDs. - ## -@@ -2070,7 +2137,7 @@ + ') + + ######################################## +@@ -2070,7 +2138,7 @@ type nfs_t; ') @@ -7211,7 +7193,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -2092,6 +2159,25 @@ +@@ -2092,6 +2160,25 @@ read_lnk_files_pattern($1, nfs_t, nfs_t) ') @@ -7237,7 +7219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ######################################### ## ## Read named sockets on a NFS filesystem. -@@ -3481,6 +3567,24 @@ +@@ -3481,6 +3568,24 @@ ######################################## ## @@ -7262,7 +7244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Read and write generic tmpfs files. ## ## -@@ -3707,6 +3811,24 @@ +@@ -3707,6 +3812,24 @@ ######################################## ## @@ -7287,7 +7269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Mount a XENFS filesystem. ## ## -@@ -4216,3 +4338,214 @@ +@@ -4216,3 +4339,214 @@ relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs) relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs) ') @@ -7502,9 +7484,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy + dontaudit $1 filesystem_type:file rw_inherited_file_perms; + dontaudit $1 filesystem_type:lnk_file { read }; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.12/policy/modules/kernel/filesystem.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.13/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/kernel/filesystem.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/kernel/filesystem.te 2010-03-09 18:51:11.000000000 -0500 @@ -29,6 +29,7 @@ fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0); fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0); @@ -7562,9 +7544,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy # # nfs_t is the default type for NFS file systems -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.12/policy/modules/kernel/kernel.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.13/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2010-03-01 15:12:54.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/kernel/kernel.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/kernel/kernel.if 2010-03-09 18:51:11.000000000 -0500 @@ -144,6 +144,24 @@ ######################################## @@ -7698,9 +7680,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel + + allow $1 kernel_t:unix_stream_socket connectto; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.12/policy/modules/kernel/kernel.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.13/policy/modules/kernel/kernel.te --- nsaserefpolicy/policy/modules/kernel/kernel.te 2010-03-04 08:02:45.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/kernel/kernel.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/kernel/kernel.te 2010-03-09 18:51:11.000000000 -0500 @@ -64,6 +64,15 @@ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) @@ -7775,9 +7757,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ######################################## # # Unlabeled process local policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.7.12/policy/modules/kernel/selinux.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.7.13/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/kernel/selinux.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/kernel/selinux.if 2010-03-09 18:51:11.000000000 -0500 @@ -40,7 +40,7 @@ # because of this statement, any module which @@ -7835,9 +7817,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu + fs_type($1) + mls_trusted_object($1) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.12/policy/modules/kernel/terminal.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.13/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/kernel/terminal.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/kernel/terminal.if 2010-03-09 18:51:11.000000000 -0500 @@ -292,9 +292,11 @@ interface(`term_dontaudit_use_console',` gen_require(` @@ -7878,9 +7860,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditadm.te serefpolicy-3.7.12/policy/modules/roles/auditadm.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditadm.te serefpolicy-3.7.13/policy/modules/roles/auditadm.te --- nsaserefpolicy/policy/modules/roles/auditadm.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/roles/auditadm.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/roles/auditadm.te 2010-03-09 18:51:11.000000000 -0500 @@ -33,6 +33,8 @@ seutil_run_runinit(auditadm_t, auditadm_r) seutil_read_bin_policy(auditadm_t) @@ -7890,25 +7872,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditad optional_policy(` consoletype_exec(auditadm_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.7.12/policy/modules/roles/guest.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.7.13/policy/modules/roles/guest.te --- nsaserefpolicy/policy/modules/roles/guest.te 2010-03-05 17:14:56.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/roles/guest.te 2010-03-05 17:18:52.000000000 -0500 -@@ -1,5 +1,5 @@ - --policy_module(guest, 1.0.1) -+policy_module(guest, 1.0.0) - - ######################################## - # ++++ serefpolicy-3.7.13/policy/modules/roles/guest.te 2010-03-09 18:51:11.000000000 -0500 @@ -23,4 +23,4 @@ mono_role_template(guest, guest_r, guest_t) ') -#gen_user(guest_u,, guest_r, s0, s0) +gen_user(guest_u, user, guest_r, s0, s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.12/policy/modules/roles/staff.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.13/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2010-02-17 14:07:02.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/roles/staff.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/roles/staff.te 2010-03-09 18:51:11.000000000 -0500 @@ -10,11 +10,26 @@ userdom_unpriv_user_template(staff) @@ -8084,9 +8059,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t +optional_policy(` + virt_stream_connect(staff_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.12/policy/modules/roles/sysadm.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.13/policy/modules/roles/sysadm.te --- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-02-17 10:37:39.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/roles/sysadm.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/roles/sysadm.te 2010-03-09 18:51:11.000000000 -0500 @@ -15,7 +15,7 @@ role sysadm_r; @@ -8438,9 +8413,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. + +init_script_role_transition(sysadm_r) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.7.12/policy/modules/roles/unconfineduser.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.7.13/policy/modules/roles/unconfineduser.fc --- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/roles/unconfineduser.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/roles/unconfineduser.fc 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,10 @@ +# Add programs here which should not be confined by SELinux +# e.g.: @@ -8452,9 +8427,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + +/usr/sbin/xrdp -- gen_context(system_u:object_r:unconfined_exec_t,s0) +/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.7.12/policy/modules/roles/unconfineduser.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.7.13/policy/modules/roles/unconfineduser.if --- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/roles/unconfineduser.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/roles/unconfineduser.if 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,667 @@ +## Unconfiend user role + @@ -9123,9 +9098,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + + allow $1 unconfined_r; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.12/policy/modules/roles/unconfineduser.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.13/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/roles/unconfineduser.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/roles/unconfineduser.te 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,433 @@ +policy_module(unconfineduser, 1.0.0) + @@ -9560,9 +9535,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.7.12/policy/modules/roles/unprivuser.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.7.13/policy/modules/roles/unprivuser.te --- nsaserefpolicy/policy/modules/roles/unprivuser.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/roles/unprivuser.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/roles/unprivuser.te 2010-03-09 18:51:11.000000000 -0500 @@ -13,6 +13,7 @@ userdom_unpriv_user_template(user) @@ -9606,9 +9581,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu +optional_policy(` + setroubleshoot_dontaudit_stream_connect(user_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.12/policy/modules/roles/xguest.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.13/policy/modules/roles/xguest.te --- nsaserefpolicy/policy/modules/roles/xguest.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/roles/xguest.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/roles/xguest.te 2010-03-09 18:51:11.000000000 -0500 @@ -15,7 +15,7 @@ ## @@ -9725,9 +9700,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. -#gen_user(xguest_u,, xguest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.7.12/policy/modules/services/abrt.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.7.13/policy/modules/services/abrt.fc --- nsaserefpolicy/policy/modules/services/abrt.fc 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/abrt.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/abrt.fc 2010-03-09 18:51:11.000000000 -0500 @@ -1,11 +1,17 @@ /etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) /etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) @@ -9747,9 +9722,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt /var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0) /var/run/abrt\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0) +/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.7.12/policy/modules/services/abrt.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.7.13/policy/modules/services/abrt.if --- nsaserefpolicy/policy/modules/services/abrt.if 2010-03-01 15:12:54.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/abrt.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/abrt.if 2010-03-09 18:51:11.000000000 -0500 @@ -19,6 +19,28 @@ domtrans_pattern($1, abrt_exec_t, abrt_t) ') @@ -9914,9 +9889,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt ##################################### ## ## All of the rules required to administrate -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.12/policy/modules/services/abrt.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.13/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2010-03-01 15:12:54.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/abrt.te 2010-03-07 08:57:09.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/abrt.te 2010-03-10 10:19:23.000000000 -0500 @@ -33,12 +33,24 @@ type abrt_var_run_t; files_pid_file(abrt_var_run_t) @@ -9964,7 +9939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir }) kernel_read_ring_buffer(abrt_t) -@@ -75,25 +90,39 @@ +@@ -75,25 +90,40 @@ corecmd_exec_bin(abrt_t) corecmd_exec_shell(abrt_t) @@ -10007,11 +9982,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt +fs_read_fusefs_files(abrt_t) +fs_read_noxattr_fs_files(abrt_t) +fs_read_nfs_files(abrt_t) ++fs_read_nfs_symlinks(abrt_t) +fs_search_all(abrt_t) sysnet_read_config(abrt_t) -@@ -103,22 +132,98 @@ +@@ -103,22 +133,98 @@ miscfiles_read_certs(abrt_t) miscfiles_read_localization(abrt_t) @@ -10117,9 +10093,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt + dev_dontaudit_write_all_blk_files(abrt_helper_t) + fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.if serefpolicy-3.7.12/policy/modules/services/afs.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.if serefpolicy-3.7.13/policy/modules/services/afs.if --- nsaserefpolicy/policy/modules/services/afs.if 2010-03-01 15:12:54.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/afs.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/afs.if 2010-03-09 18:51:11.000000000 -0500 @@ -94,7 +94,7 @@ # interface(`afs_admin',` @@ -10129,9 +10105,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs. ') allow $1 afs_t:process { ptrace signal_perms getattr }; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.7.12/policy/modules/services/afs.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.7.13/policy/modules/services/afs.te --- nsaserefpolicy/policy/modules/services/afs.te 2010-03-01 15:12:54.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/afs.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/afs.te 2010-03-09 18:51:11.000000000 -0500 @@ -71,8 +71,8 @@ # afs client local policy # @@ -10152,18 +10128,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs. ######################################## # # AFS bossserver local policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.fc serefpolicy-3.7.12/policy/modules/services/aiccu.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.fc serefpolicy-3.7.13/policy/modules/services/aiccu.fc --- nsaserefpolicy/policy/modules/services/aiccu.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/aiccu.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/aiccu.fc 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,5 @@ + +/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0) + +/etc/rc\.d/init\.d/aiccu -- gen_context(system_u:object_r:aiccu_initrc_exec_t,s0) +/var/run/aiccu.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.if serefpolicy-3.7.12/policy/modules/services/aiccu.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.if serefpolicy-3.7.13/policy/modules/services/aiccu.if --- nsaserefpolicy/policy/modules/services/aiccu.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/aiccu.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/aiccu.if 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,119 @@ + +## policy for aiccu @@ -10284,9 +10260,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc + aiccu_manage_var_run($1) + +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.te serefpolicy-3.7.12/policy/modules/services/aiccu.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.te serefpolicy-3.7.13/policy/modules/services/aiccu.te --- nsaserefpolicy/policy/modules/services/aiccu.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/aiccu.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/aiccu.te 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,41 @@ +policy_module(aiccu,1.0.0) + @@ -10329,9 +10305,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc +manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t) +manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t) +files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir }) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.fc serefpolicy-3.7.12/policy/modules/services/aisexec.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.fc serefpolicy-3.7.13/policy/modules/services/aisexec.fc --- nsaserefpolicy/policy/modules/services/aisexec.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/aisexec.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/aisexec.fc 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,10 @@ + +/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:aisexec_initrc_exec_t,s0) @@ -10343,9 +10319,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise +/var/log/cluster/aisexec\.log -- gen_context(system_u:object_r:aisexec_var_log_t,s0) + +/var/run/aisexec\.pid -- gen_context(system_u:object_r:aisexec_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.if serefpolicy-3.7.12/policy/modules/services/aisexec.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.if serefpolicy-3.7.13/policy/modules/services/aisexec.if --- nsaserefpolicy/policy/modules/services/aisexec.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/aisexec.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/aisexec.if 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,106 @@ +## SELinux policy for Aisexec Cluster Engine + @@ -10453,9 +10429,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise + + admin_pattern($1, aisexec_tmpfs_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.7.12/policy/modules/services/aisexec.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.7.13/policy/modules/services/aisexec.te --- nsaserefpolicy/policy/modules/services/aisexec.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/aisexec.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/aisexec.te 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,115 @@ + +policy_module(aisexec,1.0.0) @@ -10572,9 +10548,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise + groupd_rw_semaphores(aisexec_t) + groupd_rw_shm(aisexec_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.if serefpolicy-3.7.12/policy/modules/services/amavis.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.if serefpolicy-3.7.13/policy/modules/services/amavis.if --- nsaserefpolicy/policy/modules/services/amavis.if 2010-03-04 11:17:25.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/amavis.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/amavis.if 2010-03-09 18:51:11.000000000 -0500 @@ -18,30 +18,11 @@ type amavis_t, amavis_exec_t; ') @@ -10622,9 +10598,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav domain_system_change_exemption($1) role_transition $2 amavis_initrc_exec_t system_r; allow $2 system_r; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.7.12/policy/modules/services/amavis.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.7.13/policy/modules/services/amavis.te --- nsaserefpolicy/policy/modules/services/amavis.te 2010-03-04 11:17:25.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/amavis.te 2010-03-06 10:17:14.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/amavis.te 2010-03-09 18:51:11.000000000 -0500 @@ -1,5 +1,5 @@ -policy_module(amavis, 1.10.2) @@ -10646,9 +10622,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav sysnet_dns_name_resolve(amavis_t) sysnet_use_ldap(amavis_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.12/policy/modules/services/apache.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.13/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/apache.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/apache.fc 2010-03-09 18:51:11.000000000 -0500 @@ -2,12 +2,19 @@ /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) @@ -10776,9 +10752,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.12/policy/modules/services/apache.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.13/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/apache.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/apache.if 2010-03-09 18:51:11.000000000 -0500 @@ -13,21 +13,17 @@ # template(`apache_content_template',` @@ -11487,9 +11463,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + dontaudit $1 httpd_t:unix_dgram_socket { read write }; + dontaudit $1 httpd_t:unix_stream_socket { read write }; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.12/policy/modules/services/apache.te ---- nsaserefpolicy/policy/modules/services/apache.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/apache.te 2010-03-05 17:18:52.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.13/policy/modules/services/apache.te +--- nsaserefpolicy/policy/modules/services/apache.te 2010-03-09 19:04:58.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/apache.te 2010-03-09 18:51:11.000000000 -0500 @@ -19,6 +19,8 @@ # Declarations # @@ -11547,21 +11523,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Allow HTTPD scripts and modules to connect to databases over the network. ##

## -@@ -87,6 +110,13 @@ +@@ -87,10 +110,10 @@ ## ##

+-## Allow httpd to manage modify performance limits +## Allow httpd to read user content -+##

-+## -+gen_tunable(httpd_read_user_content, false) -+ -+## -+##

- ## Allow HTTPD to run SSI executables in the same domain as system CGI scripts. ##

## -@@ -94,6 +124,13 @@ +-gen_tunable(httpd_manage_limits, false) ++gen_tunable(httpd_read_user_content, false) + + ## + ##

+@@ -101,6 +124,13 @@ ## ##

@@ -11575,7 +11550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Unify HTTPD to communicate with the terminal. ## Needed for entering the passphrase for certificates at ## the terminal. -@@ -108,6 +145,36 @@ +@@ -115,6 +145,36 @@ ## gen_tunable(httpd_unified, false) @@ -11612,7 +11587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac attribute httpdcontent; attribute httpd_user_content_type; -@@ -140,6 +207,9 @@ +@@ -147,6 +207,9 @@ domain_entry_file(httpd_helper_t, httpd_helper_exec_t) role system_r types httpd_helper_t; @@ -11622,7 +11597,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac type httpd_lock_t; files_lock_file(httpd_lock_t) -@@ -180,6 +250,10 @@ +@@ -187,6 +250,10 @@ # setup the system domain for system CGI scripts apache_content_template(sys) @@ -11633,7 +11608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -187,28 +261,28 @@ +@@ -194,28 +261,28 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) @@ -11675,7 +11650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # for apache2 memory mapped files type httpd_var_lib_t; -@@ -230,7 +304,7 @@ +@@ -237,7 +304,7 @@ # Apache server local policy # @@ -11684,7 +11659,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac dontaudit httpd_t self:capability { net_admin sys_tty_config }; allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; -@@ -249,6 +323,7 @@ +@@ -256,6 +323,7 @@ manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) @@ -11692,7 +11667,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -272,6 +347,7 @@ +@@ -279,6 +347,7 @@ allow httpd_t httpd_modules_t:dir list_dir_perms; mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) @@ -11700,7 +11675,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac apache_domtrans_rotatelogs(httpd_t) # Apache-httpd needs to be able to send signals to the log rotate procs. -@@ -283,9 +359,9 @@ +@@ -290,9 +359,9 @@ allow httpd_t httpd_suexec_exec_t:file read_file_perms; @@ -11713,7 +11688,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -301,9 +377,11 @@ +@@ -308,9 +377,11 @@ manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file) @@ -11726,7 +11701,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) -@@ -312,18 +390,21 @@ +@@ -319,18 +390,21 @@ kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -11753,7 +11728,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac corenet_sendrecv_http_server_packets(httpd_t) # Signal self for shutdown corenet_tcp_connect_http_port(httpd_t) -@@ -335,15 +416,15 @@ +@@ -342,15 +416,15 @@ fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -11772,7 +11747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) -@@ -358,6 +439,10 @@ +@@ -365,6 +439,10 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -11783,7 +11758,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac libs_read_lib_files(httpd_t) -@@ -372,18 +457,33 @@ +@@ -379,18 +457,33 @@ userdom_use_unpriv_users_fds(httpd_t) @@ -11804,7 +11779,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +## +gen_tunable(allow_httpd_mod_auth_pam, false) + -+tunable_policy(`allow_httpd_mod_auth_pam',` + tunable_policy(`allow_httpd_mod_auth_pam',` +- auth_domtrans_chk_passwd(httpd_t) + auth_domtrans_chkpwd(httpd_t) +') + @@ -11815,13 +11791,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +## +gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false) +optional_policy(` - tunable_policy(`allow_httpd_mod_auth_pam',` -- auth_domtrans_chk_passwd(httpd_t) ++tunable_policy(`allow_httpd_mod_auth_pam',` + samba_domtrans_winbind_helper(httpd_t) ') ') -@@ -391,32 +491,71 @@ +@@ -398,32 +491,71 @@ corenet_tcp_connect_all_ports(httpd_t) ') @@ -11898,7 +11873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -424,11 +563,23 @@ +@@ -431,14 +563,21 @@ fs_read_nfs_symlinks(httpd_t) ') @@ -11913,16 +11888,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac fs_read_cifs_symlinks(httpd_t) ') +-tunable_policy(`httpd_manage_limits',` +- allow httpd_t self:capability sys_resource; +- allow httpd_t self:process setrlimit; +tunable_policy(`httpd_use_cifs',` + fs_manage_cifs_dirs(httpd_t) + fs_manage_cifs_files(httpd_t) + fs_manage_cifs_symlinks(httpd_t) -+') -+ + ') + tunable_policy(`httpd_ssi_exec',` - corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) - allow httpd_sys_script_t httpd_t:fd use; -@@ -451,7 +602,18 @@ +@@ -463,7 +602,18 @@ ') optional_policy(` @@ -11941,7 +11917,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -463,8 +625,24 @@ +@@ -475,8 +625,24 @@ ') optional_policy(` @@ -11968,7 +11944,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -472,22 +650,19 @@ +@@ -484,22 +650,19 @@ mailman_domtrans_cgi(httpd_t) # should have separate types for public and private archives mailman_search_data(httpd_t) @@ -11994,7 +11970,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -498,12 +673,23 @@ +@@ -510,12 +673,23 @@ ') optional_policy(` @@ -12018,7 +11994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -512,6 +698,11 @@ +@@ -524,6 +698,11 @@ ') optional_policy(` @@ -12030,7 +12006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -539,6 +730,23 @@ +@@ -551,6 +730,23 @@ userdom_use_user_terminals(httpd_helper_t) @@ -12054,7 +12030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -568,20 +776,32 @@ +@@ -580,20 +776,32 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -12093,7 +12069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -599,23 +819,24 @@ +@@ -611,23 +819,24 @@ append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) @@ -12122,7 +12098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -628,6 +849,7 @@ +@@ -640,6 +849,7 @@ logging_send_syslog_msg(httpd_suexec_t) miscfiles_read_localization(httpd_suexec_t) @@ -12130,7 +12106,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_connect',` allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; -@@ -635,22 +857,31 @@ +@@ -647,22 +857,31 @@ corenet_all_recvfrom_unlabeled(httpd_suexec_t) corenet_all_recvfrom_netlabel(httpd_suexec_t) @@ -12169,7 +12145,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -676,16 +907,16 @@ +@@ -688,16 +907,16 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -12190,7 +12166,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac dontaudit httpd_sys_script_t httpd_config_t:dir search; -@@ -700,15 +931,29 @@ +@@ -712,15 +931,29 @@ files_search_var_lib(httpd_sys_script_t) files_search_spool(httpd_sys_script_t) @@ -12222,7 +12198,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -716,6 +961,35 @@ +@@ -728,6 +961,35 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -12258,7 +12234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -728,6 +1002,10 @@ +@@ -740,6 +1002,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -12269,7 +12245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -739,6 +1017,8 @@ +@@ -751,6 +1017,8 @@ # httpd_rotatelogs local policy # @@ -12278,7 +12254,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -758,11 +1038,88 @@ +@@ -770,11 +1038,88 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -12298,12 +12274,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + userdom_search_user_home_content(httpd_t) + userdom_search_user_home_content(httpd_suexec_t) + userdom_search_user_home_content(httpd_user_script_t) - ') ++') + +tunable_policy(`httpd_read_user_content',` + userdom_read_user_home_content_files(httpd_user_script_t) + userdom_read_user_home_content_files(httpd_suexec_t) -+') + ') + +tunable_policy(`httpd_read_user_content && httpd_builtin_scripting',` + userdom_read_user_home_content_files(httpd_t) @@ -12370,168 +12346,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +typealias httpd_sys_script_t alias httpd_fastcgi_script_t; +typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.if serefpolicy-3.7.12/policy/modules/services/apcupsd.if ---- nsaserefpolicy/policy/modules/services/apcupsd.if 2010-03-04 11:17:25.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/apcupsd.if 2010-03-05 17:18:52.000000000 -0500 -@@ -15,30 +15,11 @@ - type apcupsd_t, apcupsd_exec_t; - ') - -- corecmd_search_bin($1) - domtrans_pattern($1, apcupsd_exec_t, apcupsd_t) - ') - - ######################################## - ##

--## Execute apcupsd server in the apcupsd domain. --## --## --## --## Domain allowed access. --## --## --# --interface(`apcupsd_initrc_domtrans',` -- gen_require(` -- type apcupsd_initrc_exec_t; -- ') -- -- init_labeled_script_domtrans($1, apcupsd_initrc_exec_t) --') -- --######################################## --## - ## Read apcupsd PID files. - ## - ## -@@ -113,11 +94,6 @@ - type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t; - ') - -- optional_policy(` -- apache_search_sys_content($1) -- ') -- -- files_search_var($1) - domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t) - ') - -@@ -142,14 +118,13 @@ - gen_require(` - type apcupsd_t, apcupsd_tmp_t; - type apcupsd_log_t, apcupsd_lock_t; -- type apcupsd_var_run_t; -- type apcupsd_initrc_exec_t; -+ type apcupsd_var_run_t, apcupsd_initrc_exec_t; - ') - - allow $1 apcupsd_t:process { ptrace signal_perms }; - ps_process_pattern($1, apcupsd_t) - -- apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t) -+ init_labeled_script_domtrans($1, apcupsd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 apcupsd_initrc_exec_t system_r; - allow $2 system_r; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.7.12/policy/modules/services/apcupsd.te ---- nsaserefpolicy/policy/modules/services/apcupsd.te 2010-03-04 11:17:25.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/apcupsd.te 2010-03-05 17:18:52.000000000 -0500 -@@ -1,5 +1,5 @@ - --policy_module(apcupsd, 1.6.1) -+policy_module(apcupsd, 1.6.0) - - ######################################## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.7.12/policy/modules/services/apm.te ---- nsaserefpolicy/policy/modules/services/apm.te 2010-03-04 11:17:25.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/apm.te 2010-03-05 17:18:52.000000000 -0500 -@@ -1,5 +1,5 @@ - --policy_module(apm, 1.10.2) -+policy_module(apm, 1.10.1) - - ######################################## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.if serefpolicy-3.7.12/policy/modules/services/arpwatch.if ---- nsaserefpolicy/policy/modules/services/arpwatch.if 2010-03-04 11:17:25.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/arpwatch.if 2010-03-05 17:18:52.000000000 -0500 -@@ -2,24 +2,6 @@ - - ######################################## - ## --## Execute arpwatch server in the arpwatch domain. --## --## --## --## Domain allowed access. --## --## --# --interface(`arpwatch_initrc_domtrans',` -- gen_require(` -- type arpwatch_initrc_exec_t; -- ') -- -- init_labeled_script_domtrans($1, arpwatch_initrc_exec_t) --') -- --######################################## --## - ## Search arpwatch's data file directories. - ## - ## -@@ -33,7 +15,6 @@ - type arpwatch_data_t; - ') - -- files_search_var_lib($1) - allow $1 arpwatch_data_t:dir search_dir_perms; - ') - -@@ -52,7 +33,6 @@ - type arpwatch_data_t; - ') - -- files_search_var_lib($1) - manage_files_pattern($1, arpwatch_data_t, arpwatch_data_t) - ') - -@@ -71,7 +51,6 @@ - type arpwatch_tmp_t; - ') - -- files_search_tmp($1) - allow $1 arpwatch_tmp_t:file rw_file_perms; - ') - -@@ -90,7 +69,6 @@ - type arpwatch_tmp_t; - ') - -- files_search_tmp($1) - allow $1 arpwatch_tmp_t:file manage_file_perms; - ') - -@@ -140,7 +118,7 @@ - allow $1 arpwatch_t:process { ptrace signal_perms getattr }; - ps_process_pattern($1, arpwatch_t) - -- arpwatch_initrc_domtrans($1) -+ init_labeled_script_domtrans($1, arpwatch_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 arpwatch_initrc_exec_t system_r; - allow $2 system_r; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.7.12/policy/modules/services/arpwatch.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.7.13/policy/modules/services/arpwatch.te --- nsaserefpolicy/policy/modules/services/arpwatch.te 2010-03-04 11:17:25.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/arpwatch.te 2010-03-05 17:18:52.000000000 -0500 -@@ -1,5 +1,5 @@ - --policy_module(arpwatch, 1.8.1) -+policy_module(arpwatch, 1.8.0) - - ######################################## - # ++++ serefpolicy-3.7.13/policy/modules/services/arpwatch.te 2010-03-09 18:51:11.000000000 -0500 @@ -34,6 +34,7 @@ allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms }; allow arpwatch_t self:udp_socket create_socket_perms; @@ -12557,90 +12374,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpw fs_getattr_all_fs(arpwatch_t) fs_search_auto_mountpoints(arpwatch_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.7.12/policy/modules/services/asterisk.if ---- nsaserefpolicy/policy/modules/services/asterisk.if 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/asterisk.if 2010-03-05 17:18:52.000000000 -0500 -@@ -2,8 +2,28 @@ - - ##################################### - ## --## Connect to asterisk over a unix domain --## stream socket. -+## Connect to asterisk over a unix domain -+## stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`asterisk_stream_connect',` -+ gen_require(` -+ type asterisk_t, asterisk_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ stream_connect_pattern($1, asterisk_var_run_t, asterisk_var_run_t, asterisk_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete -+## asterisk lib files. - ## - ## - ## -@@ -11,18 +31,18 @@ - ## - ## - # --interface(`asterisk_stream_connect',` -+interface(`asterisk_manage_lib_files',` - gen_require(` -- type asterisk_t, asterisk_var_run_t; -+ type asterisk_var_lib_t; - ') - -- files_search_pids($1) -- stream_connect_pattern($1, asterisk_var_run_t, asterisk_var_run_t, asterisk_t) -+ manage_files_pattern($1, asterisk_var_lib_t, asterisk_var_lib_t) -+ files_search_var_lib($1) - ') - - ######################################## - ## --## All of the rules required to administrate -+## All of the rules required to administrate - ## an asterisk environment - ## - ## -@@ -71,3 +91,22 @@ - files_list_pids($1) - admin_pattern($1, asterisk_var_run_t) - ') -+ -+ -+###################################### -+## -+## Execute asterisk -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`asterisk_exec',` -+ gen_require(` -+ type asterisk_exec_t; -+ ') -+ -+ can_exec($1, asterisk_exec_t) -+') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.7.12/policy/modules/services/asterisk.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.7.13/policy/modules/services/asterisk.te --- nsaserefpolicy/policy/modules/services/asterisk.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/asterisk.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/asterisk.te 2010-03-09 18:51:11.000000000 -0500 @@ -40,12 +40,13 @@ # @@ -12741,18 +12477,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste + udev_read_db(asterisk_t) ') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.7.12/policy/modules/services/avahi.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.7.13/policy/modules/services/avahi.fc --- nsaserefpolicy/policy/modules/services/avahi.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/avahi.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/avahi.fc 2010-03-09 18:51:11.000000000 -0500 @@ -6,4 +6,4 @@ /var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0) -/usr/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0) +/var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.7.12/policy/modules/services/avahi.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.7.13/policy/modules/services/avahi.te --- nsaserefpolicy/policy/modules/services/avahi.te 2010-01-11 09:40:36.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/avahi.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/avahi.te 2010-03-09 18:51:11.000000000 -0500 @@ -24,7 +24,7 @@ # Local policy # @@ -12797,9 +12533,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah userdom_dontaudit_use_unpriv_user_fds(avahi_t) userdom_dontaudit_search_user_home_dirs(avahi_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.7.12/policy/modules/services/bind.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.7.13/policy/modules/services/bind.if --- nsaserefpolicy/policy/modules/services/bind.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/bind.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/bind.if 2010-03-09 18:51:11.000000000 -0500 @@ -253,7 +253,7 @@ ######################################## @@ -12844,9 +12580,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind domain_system_change_exemption($1) role_transition $2 named_initrc_exec_t system_r; allow $2 system_r; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.7.12/policy/modules/services/bind.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.7.13/policy/modules/services/bind.te --- nsaserefpolicy/policy/modules/services/bind.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/bind.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/bind.te 2010-03-09 18:51:11.000000000 -0500 @@ -142,11 +142,11 @@ logging_send_syslog_msg(named_t) @@ -12861,9 +12597,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind userdom_dontaudit_use_unpriv_user_fds(named_t) userdom_dontaudit_search_user_home_dirs(named_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.7.12/policy/modules/services/bluetooth.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.7.13/policy/modules/services/bluetooth.te --- nsaserefpolicy/policy/modules/services/bluetooth.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/bluetooth.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/bluetooth.te 2010-03-09 18:51:11.000000000 -0500 @@ -96,6 +96,7 @@ kernel_read_system_state(bluetooth_t) kernel_read_network_state(bluetooth_t) @@ -12872,9 +12608,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue corenet_all_recvfrom_unlabeled(bluetooth_t) corenet_all_recvfrom_netlabel(bluetooth_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.fc serefpolicy-3.7.12/policy/modules/services/cachefilesd.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.fc serefpolicy-3.7.13/policy/modules/services/cachefilesd.fc --- nsaserefpolicy/policy/modules/services/cachefilesd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/cachefilesd.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/cachefilesd.fc 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,28 @@ +############################################################################### +# @@ -12904,9 +12640,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach +/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0) + +/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefiles_var_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.if serefpolicy-3.7.12/policy/modules/services/cachefilesd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.if serefpolicy-3.7.13/policy/modules/services/cachefilesd.if --- nsaserefpolicy/policy/modules/services/cachefilesd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/cachefilesd.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/cachefilesd.if 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,41 @@ +############################################################################### +# @@ -12949,9 +12685,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach + allow cachefilesd_t $1:fifo_file rw_file_perms; + allow cachefilesd_t $1:process sigchld; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.te serefpolicy-3.7.12/policy/modules/services/cachefilesd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.te serefpolicy-3.7.13/policy/modules/services/cachefilesd.te --- nsaserefpolicy/policy/modules/services/cachefilesd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/cachefilesd.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/cachefilesd.te 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,146 @@ +############################################################################### +# @@ -13099,9 +12835,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach +fs_getattr_xattr_fs(cachefiles_kernel_t) + +dev_search_sysfs(cachefiles_kernel_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.7.12/policy/modules/services/ccs.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.7.13/policy/modules/services/ccs.te --- nsaserefpolicy/policy/modules/services/ccs.te 2010-02-16 14:58:22.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/ccs.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/ccs.te 2010-03-09 18:51:11.000000000 -0500 @@ -114,5 +114,10 @@ ') @@ -13113,9 +12849,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs. +optional_policy(` unconfined_use_fds(ccs_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.7.12/policy/modules/services/certmaster.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.7.13/policy/modules/services/certmaster.fc --- nsaserefpolicy/policy/modules/services/certmaster.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/certmaster.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/certmaster.fc 2010-03-09 18:51:11.000000000 -0500 @@ -3,5 +3,6 @@ /usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0) @@ -13123,9 +12859,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert +/var/lib/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_lib_t,s0) /var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0) /var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.fc serefpolicy-3.7.12/policy/modules/services/certmonger.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.fc serefpolicy-3.7.13/policy/modules/services/certmonger.fc --- nsaserefpolicy/policy/modules/services/certmonger.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/certmonger.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/certmonger.fc 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,6 @@ +/etc/rc\.d/init\.d/certmonger -- gen_context(system_u:object_r:certmonger_initrc_exec_t,s0) + @@ -13133,9 +12869,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert + +/var/run/certmonger.pid -- gen_context(system_u:object_r:certmonger_var_run_t,s0) +/var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.if serefpolicy-3.7.12/policy/modules/services/certmonger.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.if serefpolicy-3.7.13/policy/modules/services/certmonger.if --- nsaserefpolicy/policy/modules/services/certmonger.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/certmonger.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/certmonger.if 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,217 @@ + +## Certificate status monitor and PKI enrollment client @@ -13354,9 +13090,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert + files_search_pids($1) + admin_pattern($1, cermonger_var_run_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.12/policy/modules/services/certmonger.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.13/policy/modules/services/certmonger.te --- nsaserefpolicy/policy/modules/services/certmonger.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/certmonger.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/certmonger.te 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,74 @@ +policy_module(certmonger,1.0.0) + @@ -13432,9 +13168,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert +optional_policy(` + unconfined_dbus_send(certmonger_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.fc serefpolicy-3.7.12/policy/modules/services/cgroup.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.fc serefpolicy-3.7.13/policy/modules/services/cgroup.fc --- nsaserefpolicy/policy/modules/services/cgroup.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/cgroup.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/cgroup.fc 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,7 @@ +/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t, s0) +/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t, s0) @@ -13443,9 +13179,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro +/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfigparser_exec_t, s0) + +/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t, s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.if serefpolicy-3.7.12/policy/modules/services/cgroup.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.if serefpolicy-3.7.13/policy/modules/services/cgroup.if --- nsaserefpolicy/policy/modules/services/cgroup.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/cgroup.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/cgroup.if 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,35 @@ +## Control group rules engine daemon. +## @@ -13482,9 +13218,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro + stream_connect_pattern($1, cgred_var_run_t, cgred_var_run_t, cgred_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.7.12/policy/modules/services/cgroup.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.7.13/policy/modules/services/cgroup.te --- nsaserefpolicy/policy/modules/services/cgroup.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/cgroup.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/cgroup.te 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,87 @@ +policy_module(cgroup, 1.0.0) + @@ -13573,18 +13309,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro +# /mnt/cgroups/cpu +kernel_list_unlabeled(cgconfigparser_t) +kernel_read_system_state(cgconfigparser_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.7.12/policy/modules/services/chronyd.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.7.13/policy/modules/services/chronyd.fc --- nsaserefpolicy/policy/modules/services/chronyd.fc 2010-02-16 14:58:22.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/chronyd.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/chronyd.fc 2010-03-09 18:51:11.000000000 -0500 @@ -1,3 +1,5 @@ +/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0) + /etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0) /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.7.12/policy/modules/services/chronyd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.7.13/policy/modules/services/chronyd.if --- nsaserefpolicy/policy/modules/services/chronyd.if 2010-02-16 14:58:22.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/chronyd.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/chronyd.if 2010-03-09 18:51:11.000000000 -0500 @@ -77,7 +77,7 @@ gen_require(` type chronyd_t, chronyd_var_log_t; @@ -13603,9 +13339,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro logging_search_logs($1) admin_pattern($1, chronyd_var_log_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.7.12/policy/modules/services/chronyd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.7.13/policy/modules/services/chronyd.te --- nsaserefpolicy/policy/modules/services/chronyd.te 2010-02-16 14:58:22.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/chronyd.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/chronyd.te 2010-03-09 18:51:11.000000000 -0500 @@ -13,6 +13,9 @@ type chronyd_initrc_exec_t; init_script_file(chronyd_initrc_exec_t) @@ -13654,9 +13390,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro +optional_policy(` + gpsd_rw_shm(chronyd_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.12/policy/modules/services/clamav.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.13/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/clamav.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/clamav.te 2010-03-09 18:51:11.000000000 -0500 @@ -57,6 +57,7 @@ # @@ -13680,17 +13416,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam optional_policy(` cron_system_entry(freshclam_t, freshclam_exec_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.fc serefpolicy-3.7.12/policy/modules/services/clogd.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.fc serefpolicy-3.7.13/policy/modules/services/clogd.fc --- nsaserefpolicy/policy/modules/services/clogd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/clogd.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/clogd.fc 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,4 @@ + +/usr/sbin/clogd -- gen_context(system_u:object_r:clogd_exec_t,s0) + +/var/run/clogd\.pid -- gen_context(system_u:object_r:clogd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.7.12/policy/modules/services/clogd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.7.13/policy/modules/services/clogd.if --- nsaserefpolicy/policy/modules/services/clogd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/clogd.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/clogd.if 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,82 @@ +## clogd - clustered mirror log server + @@ -13774,9 +13510,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clog + fs_search_tmpfs($1) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.te serefpolicy-3.7.12/policy/modules/services/clogd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.te serefpolicy-3.7.13/policy/modules/services/clogd.te --- nsaserefpolicy/policy/modules/services/clogd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/clogd.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/clogd.te 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,65 @@ + +policy_module(clogd,1.0.0) @@ -13843,9 +13579,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clog +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.7.12/policy/modules/services/cobbler.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.7.13/policy/modules/services/cobbler.if --- nsaserefpolicy/policy/modules/services/cobbler.if 2010-03-05 10:46:32.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/cobbler.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/cobbler.if 2010-03-09 18:51:11.000000000 -0500 @@ -173,9 +173,11 @@ files_list_var_lib($1) admin_pattern($1, cobbler_var_lib_t) @@ -13859,9 +13595,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb cobblerd_initrc_domtrans($1) domain_system_change_exemption($1) role_transition $2 cobblerd_initrc_exec_t system_r; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.7.12/policy/modules/services/cobbler.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.7.13/policy/modules/services/cobbler.te --- nsaserefpolicy/policy/modules/services/cobbler.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/cobbler.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/cobbler.te 2010-03-09 18:51:11.000000000 -0500 @@ -40,6 +40,7 @@ allow cobblerd_t self:fifo_file rw_fifo_file_perms; allow cobblerd_t self:tcp_socket create_stream_socket_perms; @@ -13892,9 +13628,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb +apache_content_template(cobbler) +manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) +manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.7.12/policy/modules/services/consolekit.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.7.13/policy/modules/services/consolekit.fc --- nsaserefpolicy/policy/modules/services/consolekit.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/consolekit.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/consolekit.fc 2010-03-09 18:51:11.000000000 -0500 @@ -2,4 +2,5 @@ /var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) @@ -13902,9 +13638,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons -/var/run/ConsoleKit(/.*)? -- gen_context(system_u:object_r:consolekit_var_run_t,s0) + +/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.7.12/policy/modules/services/consolekit.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.7.13/policy/modules/services/consolekit.if --- nsaserefpolicy/policy/modules/services/consolekit.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/consolekit.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/consolekit.if 2010-03-09 18:51:11.000000000 -0500 @@ -57,3 +57,42 @@ read_files_pattern($1, consolekit_log_t, consolekit_log_t) files_search_pids($1) @@ -13948,9 +13684,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons + read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.7.12/policy/modules/services/consolekit.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.7.13/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/consolekit.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/consolekit.te 2010-03-09 18:51:11.000000000 -0500 @@ -16,12 +16,15 @@ type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) @@ -14036,9 +13772,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons + unconfined_ptrace(consolekit_t) unconfined_stream_connect(consolekit_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.7.12/policy/modules/services/corosync.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.7.13/policy/modules/services/corosync.fc --- nsaserefpolicy/policy/modules/services/corosync.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/corosync.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/corosync.fc 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,14 @@ + +/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0) @@ -14054,9 +13790,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro +/var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0) +/var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.if serefpolicy-3.7.12/policy/modules/services/corosync.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.if serefpolicy-3.7.13/policy/modules/services/corosync.if --- nsaserefpolicy/policy/modules/services/corosync.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/corosync.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/corosync.if 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,108 @@ +## SELinux policy for Corosync Cluster Engine + @@ -14166,9 +13902,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.12/policy/modules/services/corosync.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.13/policy/modules/services/corosync.te --- nsaserefpolicy/policy/modules/services/corosync.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/corosync.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/corosync.te 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,115 @@ + +policy_module(corosync,1.0.0) @@ -14285,9 +14021,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro +optional_policy(` + rgmanager_manage_tmpfs_files(corosync_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.7.12/policy/modules/services/cron.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.7.13/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/cron.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/cron.fc 2010-03-09 18:51:11.000000000 -0500 @@ -14,7 +14,7 @@ /var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) @@ -14305,9 +14041,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron +/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) + +/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.7.12/policy/modules/services/cron.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.7.13/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/cron.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/cron.if 2010-03-09 18:51:11.000000000 -0500 @@ -12,6 +12,10 @@ ## # @@ -14458,9 +14194,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron + + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.12/policy/modules/services/cron.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.13/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/cron.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/cron.te 2010-03-09 18:51:11.000000000 -0500 @@ -38,8 +38,10 @@ type cron_var_lib_t; files_type(cron_var_lib_t) @@ -14738,9 +14474,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron unconfined_domain(system_cronjob_t) userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.12/policy/modules/services/cups.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.13/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2009-07-28 15:51:13.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/cups.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/cups.fc 2010-03-09 18:51:11.000000000 -0500 @@ -13,10 +13,14 @@ /etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0) @@ -14787,9 +14523,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.12/policy/modules/services/cups.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.13/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/cups.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/cups.te 2010-03-09 18:51:11.000000000 -0500 @@ -23,6 +23,9 @@ type cupsd_initrc_exec_t; init_script_file(cupsd_initrc_exec_t) @@ -15039,9 +14775,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups dev_read_sysfs(hplip_t) dev_rw_printer(hplip_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.7.12/policy/modules/services/cvs.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.7.13/policy/modules/services/cvs.te --- nsaserefpolicy/policy/modules/services/cvs.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/cvs.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/cvs.te 2010-03-09 18:51:11.000000000 -0500 @@ -93,6 +93,7 @@ auth_can_read_shadow_passwords(cvs_t) tunable_policy(`allow_cvs_read_shadow',` @@ -15056,9 +14792,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs. manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) + files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.7.12/policy/modules/services/cyrus.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.7.13/policy/modules/services/cyrus.te --- nsaserefpolicy/policy/modules/services/cyrus.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/cyrus.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/cyrus.te 2010-03-09 18:51:11.000000000 -0500 @@ -75,6 +75,7 @@ corenet_tcp_bind_mail_port(cyrus_t) corenet_tcp_bind_lmtp_port(cyrus_t) @@ -15075,9 +14811,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru snmp_read_snmp_var_lib_files(cyrus_t) snmp_dontaudit_write_snmp_var_lib_files(cyrus_t) snmp_stream_connect(cyrus_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.7.12/policy/modules/services/dbus.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.7.13/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/dbus.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/dbus.if 2010-03-09 18:51:11.000000000 -0500 @@ -42,8 +42,10 @@ gen_require(` class dbus { send_msg acquire_svc }; @@ -15213,9 +14949,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus + manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.7.12/policy/modules/services/dbus.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.7.13/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/dbus.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/dbus.te 2010-03-09 18:51:11.000000000 -0500 @@ -86,6 +86,7 @@ dev_read_sysfs(system_dbusd_t) @@ -15274,9 +15010,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus + xserver_rw_xdm_pipes(session_bus_type) + xserver_append_xdm_home_files(session_bus_type) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.7.12/policy/modules/services/dcc.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.7.13/policy/modules/services/dcc.te --- nsaserefpolicy/policy/modules/services/dcc.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/dcc.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/dcc.te 2010-03-09 18:51:11.000000000 -0500 @@ -81,7 +81,7 @@ # dcc daemon controller local policy # @@ -15286,9 +15022,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc. allow cdcc_t self:unix_dgram_socket create_socket_perms; allow cdcc_t self:udp_socket create_socket_perms; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.fc serefpolicy-3.7.12/policy/modules/services/denyhosts.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.fc serefpolicy-3.7.13/policy/modules/services/denyhosts.fc --- nsaserefpolicy/policy/modules/services/denyhosts.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/denyhosts.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/denyhosts.fc 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,7 @@ +/etc/rc\.d/init\.d/denyhosts -- gen_context(system_u:object_r:denyhosts_initrc_exec_t, s0) + @@ -15297,9 +15033,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny +/var/lib/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_lib_t, s0) +/var/lock/subsys/denyhosts -- gen_context(system_u:object_r:denyhosts_var_lock_t, s0) +/var/log/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_log_t, s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.7.12/policy/modules/services/denyhosts.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.7.13/policy/modules/services/denyhosts.if --- nsaserefpolicy/policy/modules/services/denyhosts.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/denyhosts.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/denyhosts.if 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,90 @@ +## Deny Hosts. +## @@ -15391,9 +15127,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny + ps_process_pattern($1, denyhosts_t) + read_lnk_files_pattern($1, denyhosts_t, denyhosts_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.7.12/policy/modules/services/denyhosts.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.7.13/policy/modules/services/denyhosts.te --- nsaserefpolicy/policy/modules/services/denyhosts.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/denyhosts.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/denyhosts.te 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,72 @@ + +policy_module(denyhosts, 1.0.0) @@ -15467,9 +15203,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny +optional_policy(` + cron_system_entry(denyhosts_t, denyhosts_exec_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.7.12/policy/modules/services/devicekit.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.7.13/policy/modules/services/devicekit.fc --- nsaserefpolicy/policy/modules/services/devicekit.fc 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/devicekit.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/devicekit.fc 2010-03-09 18:51:11.000000000 -0500 @@ -1,8 +1,12 @@ /usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0) /usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) @@ -15484,9 +15220,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi -/var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.7.12/policy/modules/services/devicekit.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.7.13/policy/modules/services/devicekit.if --- nsaserefpolicy/policy/modules/services/devicekit.if 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/devicekit.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/devicekit.if 2010-03-09 18:51:11.000000000 -0500 @@ -139,6 +139,26 @@ ######################################## @@ -15523,9 +15259,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi ') allow $1 devicekit_t:process { ptrace signal_perms getattr }; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.12/policy/modules/services/devicekit.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.13/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/devicekit.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/devicekit.te 2010-03-09 18:51:11.000000000 -0500 @@ -42,6 +42,8 @@ files_read_etc_files(devicekit_t) @@ -15743,9 +15479,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi +optional_policy(` vbetool_domtrans(devicekit_power_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.7.12/policy/modules/services/dhcp.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.7.13/policy/modules/services/dhcp.te --- nsaserefpolicy/policy/modules/services/dhcp.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/dhcp.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/dhcp.te 2010-03-09 18:51:11.000000000 -0500 @@ -112,6 +112,10 @@ ') @@ -15757,9 +15493,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp dbus_system_bus_client(dhcpd_t) dbus_connect_system_bus(dhcpd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.7.12/policy/modules/services/djbdns.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.7.13/policy/modules/services/djbdns.if --- nsaserefpolicy/policy/modules/services/djbdns.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/djbdns.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/djbdns.if 2010-03-09 18:51:11.000000000 -0500 @@ -26,6 +26,8 @@ daemontools_read_svc(djbdns_$1_t) @@ -15809,9 +15545,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbd + + allow $1 djbdns_tinydn_t:key link; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.te serefpolicy-3.7.12/policy/modules/services/djbdns.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.te serefpolicy-3.7.13/policy/modules/services/djbdns.te --- nsaserefpolicy/policy/modules/services/djbdns.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/djbdns.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/djbdns.te 2010-03-09 18:51:11.000000000 -0500 @@ -42,3 +42,11 @@ files_search_var(djbdns_axfrdns_t) @@ -15824,9 +15560,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbd + +init_dontaudit_use_script_fds(djbdns_tinydns_t) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.7.12/policy/modules/services/dnsmasq.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.7.13/policy/modules/services/dnsmasq.fc --- nsaserefpolicy/policy/modules/services/dnsmasq.fc 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/dnsmasq.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/dnsmasq.fc 2010-03-09 18:51:11.000000000 -0500 @@ -6,5 +6,7 @@ /var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0) /var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0) @@ -15835,9 +15571,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm + /var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) /var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.7.12/policy/modules/services/dnsmasq.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.7.13/policy/modules/services/dnsmasq.if --- nsaserefpolicy/policy/modules/services/dnsmasq.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/dnsmasq.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/dnsmasq.if 2010-03-09 18:51:11.000000000 -0500 @@ -111,7 +111,7 @@ type dnsmasq_etc_t; ') @@ -15856,9 +15592,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm files_search_etc($1) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.7.12/policy/modules/services/dnsmasq.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.7.13/policy/modules/services/dnsmasq.te --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/dnsmasq.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/dnsmasq.te 2010-03-09 18:51:11.000000000 -0500 @@ -19,6 +19,9 @@ type dnsmasq_lease_t; files_type(dnsmasq_lease_t) @@ -15914,9 +15650,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm seutil_sigchld_newrole(dnsmasq_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.7.12/policy/modules/services/dovecot.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.7.13/policy/modules/services/dovecot.fc --- nsaserefpolicy/policy/modules/services/dovecot.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/dovecot.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/dovecot.fc 2010-03-09 18:51:11.000000000 -0500 @@ -34,6 +34,7 @@ /var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0) @@ -15925,9 +15661,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove /var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0) /var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.12/policy/modules/services/dovecot.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.13/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/dovecot.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/dovecot.te 2010-03-09 18:51:11.000000000 -0500 @@ -73,14 +73,21 @@ can_exec(dovecot_t, dovecot_exec_t) @@ -16045,29 +15781,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove fs_manage_cifs_files(dovecot_t) fs_manage_cifs_symlinks(dovecot_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.7.12/policy/modules/services/exim.te ---- nsaserefpolicy/policy/modules/services/exim.te 2010-03-04 11:17:25.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/exim.te 2010-03-05 17:18:52.000000000 -0500 -@@ -1,5 +1,5 @@ - --policy_module(exim, 1.4.2) -+policy_module(exim, 1.4.1) - - ######################################## - # -@@ -192,9 +192,6 @@ - ') - - optional_policy(` -- # https://bugzilla.redhat.com/show_bug.cgi?id=512710 -- # uses sendmail for outgoing mail and exim -- # for incoming mail - sendmail_manage_tmp_files(exim_t) - ') - -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.7.12/policy/modules/services/fail2ban.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.7.13/policy/modules/services/fail2ban.if --- nsaserefpolicy/policy/modules/services/fail2ban.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/fail2ban.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/fail2ban.if 2010-03-09 18:51:11.000000000 -0500 @@ -98,6 +98,46 @@ allow $1 fail2ban_var_run_t:file read_file_perms; ') @@ -16137,9 +15853,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail + + allow $1 fail2ban_t:unix_stream_socket { getattr read write ioctl }; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.7.12/policy/modules/services/fetchmail.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.7.13/policy/modules/services/fetchmail.te --- nsaserefpolicy/policy/modules/services/fetchmail.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/fetchmail.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/fetchmail.te 2010-03-09 18:51:11.000000000 -0500 @@ -48,6 +48,7 @@ kernel_dontaudit_read_system_state(fetchmail_t) @@ -16148,9 +15864,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetc corenet_all_recvfrom_unlabeled(fetchmail_t) corenet_all_recvfrom_netlabel(fetchmail_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.7.12/policy/modules/services/fprintd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.7.13/policy/modules/services/fprintd.te --- nsaserefpolicy/policy/modules/services/fprintd.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/fprintd.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/fprintd.te 2010-03-09 18:51:11.000000000 -0500 @@ -55,4 +55,6 @@ policykit_read_lib(fprintd_t) policykit_dbus_chat(fprintd_t) @@ -16158,9 +15874,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fpri + policykit_dbus_chat_auth(fprintd_t) ') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-3.7.12/policy/modules/services/ftp.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-3.7.13/policy/modules/services/ftp.fc --- nsaserefpolicy/policy/modules/services/ftp.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/ftp.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/ftp.fc 2010-03-09 18:51:11.000000000 -0500 @@ -22,7 +22,7 @@ # # /var @@ -16170,9 +15886,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. /var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.7.12/policy/modules/services/ftp.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.7.13/policy/modules/services/ftp.if --- nsaserefpolicy/policy/modules/services/ftp.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/ftp.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/ftp.if 2010-03-09 18:51:11.000000000 -0500 @@ -115,6 +115,44 @@ role $2 types ftpdctl_t; ') @@ -16218,9 +15934,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. ######################################## ## ## All of the rules required to administrate -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.7.12/policy/modules/services/ftp.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.7.13/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/ftp.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/ftp.te 2010-03-09 18:51:11.000000000 -0500 @@ -41,11 +41,51 @@ ## @@ -16469,9 +16185,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. + fs_read_nfs_files(sftpd_t) + fs_read_nfs_symlinks(ftpd_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.7.12/policy/modules/services/git.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.7.13/policy/modules/services/git.fc --- nsaserefpolicy/policy/modules/services/git.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/git.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/git.fc 2010-03-09 18:51:11.000000000 -0500 @@ -1,3 +1,16 @@ -/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0) -/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) @@ -16492,9 +16208,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. + +/var/lib/git(/.*)? gen_context(system_u:object_r:git_system_content_t, s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.7.12/policy/modules/services/git.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.7.13/policy/modules/services/git.if --- nsaserefpolicy/policy/modules/services/git.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/git.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/git.if 2010-03-09 18:51:11.000000000 -0500 @@ -1 +1,535 @@ -## GIT revision control system +## Git - Fast Version Control System. @@ -17032,9 +16748,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. + userdom_search_user_home_dirs($1) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.7.12/policy/modules/services/git.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.7.13/policy/modules/services/git.te --- nsaserefpolicy/policy/modules/services/git.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/git.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/git.te 2010-03-09 18:51:11.000000000 -0500 @@ -1,9 +1,182 @@ -policy_module(git, 1.0) @@ -17221,9 +16937,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. -apache_content_template(git) +#git_role_template(git_shell) +#gen_user(git_shell_u, user, git_shell_r, s0, s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.7.12/policy/modules/services/gpsd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.7.13/policy/modules/services/gpsd.te --- nsaserefpolicy/policy/modules/services/gpsd.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/gpsd.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/gpsd.te 2010-03-09 18:51:11.000000000 -0500 @@ -25,7 +25,7 @@ # gpsd local policy # @@ -17233,9 +16949,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd allow gpsd_t self:process setsched; allow gpsd_t self:shm create_shm_perms; allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto }; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.7.12/policy/modules/services/hal.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.7.13/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/hal.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/hal.te 2010-03-09 18:51:11.000000000 -0500 @@ -55,6 +55,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) @@ -17348,9 +17064,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. ######################################## # # Local hald dccm policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/howl.te serefpolicy-3.7.12/policy/modules/services/howl.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/howl.te serefpolicy-3.7.13/policy/modules/services/howl.te --- nsaserefpolicy/policy/modules/services/howl.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/howl.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/howl.te 2010-03-09 18:51:11.000000000 -0500 @@ -30,7 +30,7 @@ kernel_read_network_state(howl_t) @@ -17360,9 +17076,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/howl kernel_list_proc(howl_t) kernel_read_proc_symlinks(howl_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.fc serefpolicy-3.7.12/policy/modules/services/icecast.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.fc serefpolicy-3.7.13/policy/modules/services/icecast.fc --- nsaserefpolicy/policy/modules/services/icecast.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/icecast.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/icecast.fc 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,7 @@ +/etc/rc\.d/init\.d/icecast -- gen_context(system_u:object_r:icecast_initrc_exec_t,s0) + @@ -17371,9 +17087,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icec +/var/log/icecast(/.*)? gen_context(system_u:object_r:icecast_log_t,s0) + +/var/run/icecast(/.*)? gen_context(system_u:object_r:icecast_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.if serefpolicy-3.7.12/policy/modules/services/icecast.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.if serefpolicy-3.7.13/policy/modules/services/icecast.if --- nsaserefpolicy/policy/modules/services/icecast.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/icecast.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/icecast.if 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,199 @@ + +## ShoutCast compatible streaming media server @@ -17574,9 +17290,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icec + icecast_manage_log($1) + +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.te serefpolicy-3.7.12/policy/modules/services/icecast.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.te serefpolicy-3.7.13/policy/modules/services/icecast.te --- nsaserefpolicy/policy/modules/services/icecast.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/icecast.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/icecast.te 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,59 @@ +policy_module(icecast,1.0.0) + @@ -17637,9 +17353,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icec +optional_policy(` + rtkit_daemon_system_domain(icecast_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.7.12/policy/modules/services/inn.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.7.13/policy/modules/services/inn.te --- nsaserefpolicy/policy/modules/services/inn.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/inn.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/inn.te 2010-03-09 18:51:11.000000000 -0500 @@ -106,6 +106,7 @@ userdom_dontaudit_use_unpriv_user_fds(innd_t) @@ -17648,9 +17364,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn. mta_send_mail(innd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.12/policy/modules/services/kerberos.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.13/policy/modules/services/kerberos.if --- nsaserefpolicy/policy/modules/services/kerberos.if 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/kerberos.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/kerberos.if 2010-03-09 18:51:11.000000000 -0500 @@ -74,7 +74,7 @@ ') @@ -17671,9 +17387,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb tunable_policy(`allow_kerberos',` allow $1 self:tcp_socket create_socket_perms; allow $1 self:udp_socket create_socket_perms; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.7.12/policy/modules/services/kerberos.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.7.13/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/kerberos.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/kerberos.te 2010-03-09 18:51:11.000000000 -0500 @@ -112,6 +112,7 @@ kernel_read_kernel_sysctls(kadmind_t) @@ -17691,18 +17407,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb allow kpropd_t krb5_keytab_t:file read_file_perms; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.7.12/policy/modules/services/ksmtuned.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.7.13/policy/modules/services/ksmtuned.fc --- nsaserefpolicy/policy/modules/services/ksmtuned.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/ksmtuned.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/ksmtuned.fc 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,5 @@ +/etc/rc\.d/init\.d/ksmtuned -- gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0) + +/usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0) + +/var/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.if serefpolicy-3.7.12/policy/modules/services/ksmtuned.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.if serefpolicy-3.7.13/policy/modules/services/ksmtuned.if --- nsaserefpolicy/policy/modules/services/ksmtuned.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/ksmtuned.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/ksmtuned.if 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,76 @@ + +## policy for Kernel Samepage Merging (KSM) Tuning Daemon @@ -17780,9 +17496,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt + allow $2 system_r; + +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.7.12/policy/modules/services/ksmtuned.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.7.13/policy/modules/services/ksmtuned.te --- nsaserefpolicy/policy/modules/services/ksmtuned.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/ksmtuned.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/ksmtuned.te 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,44 @@ +policy_module(ksmtuned,1.0.0) + @@ -17828,9 +17544,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt +files_read_etc_files(ksmtuned_t) + +miscfiles_read_localization(ksmtuned_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.7.12/policy/modules/services/ldap.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.7.13/policy/modules/services/ldap.fc --- nsaserefpolicy/policy/modules/services/ldap.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/ldap.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/ldap.fc 2010-03-09 18:51:11.000000000 -0500 @@ -1,5 +1,7 @@ /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) @@ -17844,9 +17560,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap /var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) +#/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.7.12/policy/modules/services/ldap.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.7.13/policy/modules/services/ldap.if --- nsaserefpolicy/policy/modules/services/ldap.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/ldap.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/ldap.if 2010-03-09 18:51:11.000000000 -0500 @@ -1,5 +1,43 @@ ## OpenLDAP directory server @@ -17891,9 +17607,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap ######################################## ## ## Read the contents of the OpenLDAP -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.7.12/policy/modules/services/ldap.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.7.13/policy/modules/services/ldap.te --- nsaserefpolicy/policy/modules/services/ldap.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/ldap.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/ldap.te 2010-03-09 18:51:11.000000000 -0500 @@ -28,9 +28,15 @@ type slapd_replog_t; files_type(slapd_replog_t) @@ -17928,9 +17644,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) manage_sock_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) files_pid_filetrans(slapd_t, slapd_var_run_t, { file sock_file }) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.7.12/policy/modules/services/lircd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.7.13/policy/modules/services/lircd.te --- nsaserefpolicy/policy/modules/services/lircd.te 2010-01-11 09:40:36.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/lircd.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/lircd.te 2010-03-09 18:51:11.000000000 -0500 @@ -24,8 +24,11 @@ # lircd local policy # @@ -17979,9 +17695,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc + +sysnet_dns_name_resolve(lircd_t) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.7.12/policy/modules/services/mailman.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.7.13/policy/modules/services/mailman.fc --- nsaserefpolicy/policy/modules/services/mailman.fc 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/mailman.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/mailman.fc 2010-03-09 18:51:11.000000000 -0500 @@ -1,4 +1,4 @@ -/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +/usr/lib(64)?/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) @@ -18003,9 +17719,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail /var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.7.12/policy/modules/services/memcached.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.7.13/policy/modules/services/memcached.te --- nsaserefpolicy/policy/modules/services/memcached.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/memcached.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/memcached.te 2010-03-09 18:51:11.000000000 -0500 @@ -22,9 +22,12 @@ # @@ -18036,9 +17752,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memc +term_dontaudit_use_all_ptys(memcached_t) +term_dontaudit_use_all_ttys(memcached_t) +term_dontaudit_use_console(memcached_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.7.12/policy/modules/services/modemmanager.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.7.13/policy/modules/services/modemmanager.te --- nsaserefpolicy/policy/modules/services/modemmanager.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/modemmanager.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/modemmanager.te 2010-03-09 18:51:11.000000000 -0500 @@ -16,8 +16,8 @@ # # ModemManager local policy @@ -18058,9 +17774,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mode term_use_unallocated_ttys(modemmanager_t) miscfiles_read_localization(modemmanager_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.7.12/policy/modules/services/mta.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.7.13/policy/modules/services/mta.fc --- nsaserefpolicy/policy/modules/services/mta.fc 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/mta.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/mta.fc 2010-03-09 18:51:11.000000000 -0500 @@ -13,6 +13,8 @@ /usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) @@ -18070,9 +17786,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. /usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.7.12/policy/modules/services/mta.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.7.13/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/mta.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/mta.if 2010-03-09 18:51:11.000000000 -0500 @@ -220,6 +220,25 @@ application_executable_file($1) ') @@ -18188,9 +17904,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## Read the mail queue. ## ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.12/policy/modules/services/mta.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.13/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/mta.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/mta.te 2010-03-09 18:51:11.000000000 -0500 @@ -63,6 +63,9 @@ can_exec(system_mail_t, mta_exec_type) @@ -18264,9 +17980,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t) read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.7.12/policy/modules/services/munin.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.7.13/policy/modules/services/munin.fc --- nsaserefpolicy/policy/modules/services/munin.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/munin.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/munin.fc 2010-03-09 18:51:11.000000000 -0500 @@ -9,3 +9,6 @@ /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) /var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) @@ -18274,9 +17990,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni +/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) +/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.12/policy/modules/services/munin.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.13/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/munin.te 2010-03-06 10:17:33.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/munin.te 2010-03-09 18:51:11.000000000 -0500 @@ -33,7 +33,7 @@ # Local policy # @@ -18327,9 +18043,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.7.12/policy/modules/services/mysql.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.7.13/policy/modules/services/mysql.if --- nsaserefpolicy/policy/modules/services/mysql.if 2010-03-01 15:12:54.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/mysql.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/mysql.if 2010-03-09 18:51:11.000000000 -0500 @@ -1,5 +1,43 @@ ## Policy for MySQL @@ -18374,9 +18090,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq ######################################## ## ## Send a generic signal to MySQL. -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.12/policy/modules/services/mysql.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.13/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2010-03-01 15:12:54.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/mysql.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/mysql.te 2010-03-09 18:51:11.000000000 -0500 @@ -1,6 +1,13 @@ policy_module(mysql, 1.11.2) @@ -18449,9 +18165,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq mysql_read_config(mysqld_safe_t) mysql_search_pid_files(mysqld_safe_t) mysql_write_log(mysqld_safe_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.7.12/policy/modules/services/nagios.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.7.13/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/nagios.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/nagios.fc 2010-03-09 18:51:11.000000000 -0500 @@ -1,16 +1,89 @@ /etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) /etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) @@ -18547,9 +18263,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi + +# unconfined plugins +/usr/lib(64)?/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.7.12/policy/modules/services/nagios.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.7.13/policy/modules/services/nagios.if --- nsaserefpolicy/policy/modules/services/nagios.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/nagios.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/nagios.if 2010-03-09 18:51:11.000000000 -0500 @@ -64,8 +64,8 @@ ######################################## @@ -18713,9 +18429,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi + + admin_pattern($1, nrpe_etc_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.12/policy/modules/services/nagios.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.13/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/nagios.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/nagios.te 2010-03-09 18:51:11.000000000 -0500 @@ -6,17 +6,23 @@ # Declarations # @@ -19100,9 +18816,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi +optional_policy(` + init_read_utmp(nagios_system_plugin_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.7.12/policy/modules/services/networkmanager.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.7.13/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/networkmanager.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/networkmanager.fc 2010-03-09 18:51:11.000000000 -0500 @@ -1,12 +1,32 @@ +/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t, s0) +/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) @@ -19136,9 +18852,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.7.12/policy/modules/services/networkmanager.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.7.13/policy/modules/services/networkmanager.if --- nsaserefpolicy/policy/modules/services/networkmanager.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/networkmanager.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/networkmanager.if 2010-03-09 18:51:11.000000000 -0500 @@ -118,6 +118,24 @@ ######################################## @@ -19164,7 +18880,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ## Read NetworkManager PID files. ## ## -@@ -134,3 +152,50 @@ +@@ -134,3 +152,71 @@ files_search_pids($1) allow $1 NetworkManager_var_run_t:file read_file_perms; ') @@ -19215,9 +18931,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw + role $2 types NetworkManager_t; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.12/policy/modules/services/networkmanager.te ++ ++####################################### ++## ++## Allow caller to relabel tun_socket ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`networkmanager_attach_tun_iface',` ++ gen_require(` ++ type NetworkManager_t; ++ ') ++ ++ allow $1 NetworkManager_t:tun_socket relabelfrom; ++ allow $1 self:tun_socket relabelto; ++') ++ ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.13/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/networkmanager.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/networkmanager.te 2010-03-09 18:51:11.000000000 -0500 @@ -19,6 +19,9 @@ type NetworkManager_tmp_t; files_tmp_file(NetworkManager_tmp_t) @@ -19461,9 +19198,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.7.12/policy/modules/services/nis.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.7.13/policy/modules/services/nis.fc --- nsaserefpolicy/policy/modules/services/nis.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/nis.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/nis.fc 2010-03-09 18:51:11.000000000 -0500 @@ -1,4 +1,7 @@ - +/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0) @@ -19482,9 +19219,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. +/var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0) +/var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0) +/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.7.12/policy/modules/services/nis.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.7.13/policy/modules/services/nis.if --- nsaserefpolicy/policy/modules/services/nis.if 2010-03-03 23:26:37.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/nis.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/nis.if 2010-03-09 18:51:11.000000000 -0500 @@ -28,7 +28,7 @@ type var_yp_t; ') @@ -19602,9 +19339,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. + nis_domtrans_ypbind($1) + role $2 types ypbind_t; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.7.12/policy/modules/services/nis.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.7.13/policy/modules/services/nis.te --- nsaserefpolicy/policy/modules/services/nis.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/nis.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/nis.te 2010-03-09 18:51:11.000000000 -0500 @@ -13,6 +13,9 @@ type ypbind_exec_t; init_daemon_domain(ypbind_t, ypbind_exec_t) @@ -19676,9 +19413,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. corenet_tcp_bind_all_rpc_ports(ypxfr_t) corenet_udp_bind_all_rpc_ports(ypxfr_t) corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.7.12/policy/modules/services/nscd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.7.13/policy/modules/services/nscd.if --- nsaserefpolicy/policy/modules/services/nscd.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/nscd.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/nscd.if 2010-03-09 18:51:11.000000000 -0500 @@ -121,6 +121,24 @@ ######################################## @@ -19713,9 +19450,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.7.12/policy/modules/services/nscd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.7.13/policy/modules/services/nscd.te --- nsaserefpolicy/policy/modules/services/nscd.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/nscd.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/nscd.te 2010-03-09 18:51:11.000000000 -0500 @@ -1,10 +1,17 @@ -policy_module(nscd, 1.10.0) @@ -19760,9 +19497,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd +optional_policy(` + unconfined_dontaudit_rw_packet_sockets(nscd_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.fc serefpolicy-3.7.12/policy/modules/services/ntop.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.fc serefpolicy-3.7.13/policy/modules/services/ntop.fc --- nsaserefpolicy/policy/modules/services/ntop.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/ntop.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/ntop.fc 2010-03-09 18:51:11.000000000 -0500 @@ -1,7 +1,6 @@ /etc/ntop(/.*)? gen_context(system_u:object_r:ntop_etc_t,s0) @@ -19771,9 +19508,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop /var/lib/ntop(/.*)? gen_context(system_u:object_r:ntop_var_lib_t,s0) /var/run/ntop\.pid -- gen_context(system_u:object_r:ntop_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.te serefpolicy-3.7.12/policy/modules/services/ntop.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.te serefpolicy-3.7.13/policy/modules/services/ntop.te --- nsaserefpolicy/policy/modules/services/ntop.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/ntop.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/ntop.te 2010-03-09 18:51:11.000000000 -0500 @@ -11,12 +11,12 @@ init_daemon_domain(ntop_t, ntop_exec_t) application_domain(ntop_t, ntop_exec_t) @@ -19864,9 +19601,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop seutil_sigchld_newrole(ntop_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.7.12/policy/modules/services/ntp.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.7.13/policy/modules/services/ntp.te --- nsaserefpolicy/policy/modules/services/ntp.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/ntp.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/ntp.te 2010-03-09 18:51:11.000000000 -0500 @@ -100,6 +100,8 @@ fs_getattr_all_fs(ntpd_t) @@ -19876,9 +19613,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. term_use_ptmx(ntpd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.7.12/policy/modules/services/nut.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.7.13/policy/modules/services/nut.te --- nsaserefpolicy/policy/modules/services/nut.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/nut.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/nut.te 2010-03-09 18:51:11.000000000 -0500 @@ -29,7 +29,8 @@ # Local policy for upsd # @@ -19921,9 +19658,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut. + + sysnet_dns_name_resolve(httpd_nutups_cgi_script_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.7.12/policy/modules/services/nx.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.7.13/policy/modules/services/nx.fc --- nsaserefpolicy/policy/modules/services/nx.fc 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/nx.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/nx.fc 2010-03-09 18:51:11.000000000 -0500 @@ -1,7 +1,15 @@ /opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) @@ -19942,9 +19679,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.f +/var/lib/nxserver(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0) + /usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.7.12/policy/modules/services/nx.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.7.13/policy/modules/services/nx.if --- nsaserefpolicy/policy/modules/services/nx.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/nx.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/nx.if 2010-03-09 18:51:11.000000000 -0500 @@ -17,3 +17,70 @@ spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t) @@ -20016,9 +19753,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.i + + filetrans_pattern($1, nx_server_var_lib_t, $2, $3) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.7.12/policy/modules/services/nx.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.7.13/policy/modules/services/nx.te --- nsaserefpolicy/policy/modules/services/nx.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/nx.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/nx.te 2010-03-09 18:51:11.000000000 -0500 @@ -25,6 +25,12 @@ type nx_server_var_run_t; files_pid_file(nx_server_var_run_t) @@ -20053,9 +19790,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.t kernel_read_system_state(nx_server_t) kernel_read_kernel_sysctls(nx_server_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.7.12/policy/modules/services/oddjob.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.7.13/policy/modules/services/oddjob.if --- nsaserefpolicy/policy/modules/services/oddjob.if 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/oddjob.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/oddjob.if 2010-03-09 18:51:11.000000000 -0500 @@ -44,6 +44,7 @@ ') @@ -20064,9 +19801,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.7.12/policy/modules/services/oddjob.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.7.13/policy/modules/services/oddjob.te --- nsaserefpolicy/policy/modules/services/oddjob.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/oddjob.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/oddjob.te 2010-03-09 18:51:11.000000000 -0500 @@ -100,8 +100,7 @@ # Add/remove user home directories @@ -20078,9 +19815,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj +userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t) +userdom_manage_user_home_content(oddjob_mkhomedir_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.7.12/policy/modules/services/openvpn.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.7.13/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/openvpn.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/openvpn.te 2010-03-09 18:51:11.000000000 -0500 @@ -41,7 +41,7 @@ # openvpn local policy # @@ -20116,9 +19853,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open sysnet_etc_filetrans_config(openvpn_t) userdom_use_user_terminals(openvpn_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.if serefpolicy-3.7.12/policy/modules/services/pcscd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.if serefpolicy-3.7.13/policy/modules/services/pcscd.if --- nsaserefpolicy/policy/modules/services/pcscd.if 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/pcscd.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/pcscd.if 2010-03-09 18:51:11.000000000 -0500 @@ -39,6 +39,44 @@ ######################################## @@ -20164,9 +19901,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcsc ## Connect to pcscd over an unix stream socket. ## ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.7.12/policy/modules/services/pegasus.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.7.13/policy/modules/services/pegasus.te --- nsaserefpolicy/policy/modules/services/pegasus.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/pegasus.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/pegasus.te 2010-03-09 18:51:11.000000000 -0500 @@ -30,7 +30,7 @@ # Local policy # @@ -20238,9 +19975,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega + xen_stream_connect(pegasus_t) + xen_stream_connect_xenstore(pegasus_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.fc serefpolicy-3.7.12/policy/modules/services/plymouthd.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.fc serefpolicy-3.7.13/policy/modules/services/plymouthd.fc --- nsaserefpolicy/policy/modules/services/plymouthd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/plymouthd.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/plymouthd.fc 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,9 @@ +/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t, s0) + @@ -20251,9 +19988,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym +/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t, s0) + +/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t, s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.if serefpolicy-3.7.12/policy/modules/services/plymouthd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.if serefpolicy-3.7.13/policy/modules/services/plymouthd.if --- nsaserefpolicy/policy/modules/services/plymouthd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/plymouthd.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/plymouthd.if 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,322 @@ +## policy for plymouthd + @@ -20577,9 +20314,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym + + allow $1 plymouthd_t:unix_stream_socket connectto; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.te serefpolicy-3.7.12/policy/modules/services/plymouthd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.te serefpolicy-3.7.13/policy/modules/services/plymouthd.te --- nsaserefpolicy/policy/modules/services/plymouthd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/plymouthd.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/plymouthd.te 2010-03-09 18:51:11.000000000 -0500 @@ -0,0 +1,105 @@ +policy_module(plymouthd, 1.0.0) + @@ -20608,7 +20345,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym + +type plymouth_t; +type plymouth_exec_t; -+init_daemon_domain(plymouth_t, plymouth_exec_t) ++application_domain(plymouth_t, plymouth_exec_t) + +######################################## +# @@ -20686,9 +20423,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym + hal_dontaudit_rw_pipes(plymouth_t) +') +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.7.12/policy/modules/services/policykit.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.7.13/policy/modules/services/policykit.fc --- nsaserefpolicy/policy/modules/services/policykit.fc 2009-08-18 11:41:14.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/policykit.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/policykit.fc 2010-03-09 18:51:11.000000000 -0500 @@ -6,10 +6,13 @@ /usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) /usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) @@ -20704,9 +20441,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli /var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) /var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.7.12/policy/modules/services/policykit.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.7.13/policy/modules/services/policykit.if --- nsaserefpolicy/policy/modules/services/policykit.if 2009-08-18 18:39:50.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/policykit.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/policykit.if 2010-03-09 18:51:11.000000000 -0500 @@ -17,12 +17,37 @@ class dbus send_msg; ') @@ -20803,9 +20540,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli + + allow $1 policykit_auth_t:process signal; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.12/policy/modules/services/policykit.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.13/policy/modules/services/policykit.te --- nsaserefpolicy/policy/modules/services/policykit.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/policykit.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/policykit.te 2010-03-09 18:51:11.000000000 -0500 @@ -36,11 +36,12 @@ # policykit local policy # @@ -20967,9 +20704,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli allow policykit_resolve_t self:unix_dgram_socket create_socket_perms; allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.7.12/policy/modules/services/portreserve.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.7.13/policy/modules/services/portreserve.te --- nsaserefpolicy/policy/modules/services/portreserve.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/portreserve.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/portreserve.te 2010-03-09 18:51:11.000000000 -0500 @@ -21,6 +21,7 @@ # Portreserve local policy # @@ -20987,9 +20724,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port corenet_all_recvfrom_unlabeled(portreserve_t) corenet_all_recvfrom_netlabel(portreserve_t) corenet_tcp_bind_generic_node(portreserve_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.7.12/policy/modules/services/postfix.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.7.13/policy/modules/services/postfix.fc --- nsaserefpolicy/policy/modules/services/postfix.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/postfix.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/postfix.fc 2010-03-09 18:51:11.000000000 -0500 @@ -29,12 +29,10 @@ /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) @@ -21003,9 +20740,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post /usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0) /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.12/policy/modules/services/postfix.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.13/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/postfix.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/postfix.if 2010-03-09 18:51:11.000000000 -0500 @@ -46,6 +46,7 @@ allow postfix_$1_t postfix_etc_t:dir list_dir_perms; @@ -21300,9 +21037,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + role $2 types postfix_postdrop_t; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.12/policy/modules/services/postfix.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.13/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/postfix.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/postfix.te 2010-03-09 18:51:11.000000000 -0500 @@ -6,6 +6,15 @@ # Declarations # @@ -21703,9 +21440,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +userdom_manage_user_home_content(postfix_virtual_t) +userdom_home_filetrans_user_home_dir(postfix_virtual_t) +userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir }) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.7.12/policy/modules/services/postgresql.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.7.13/policy/modules/services/postgresql.fc --- nsaserefpolicy/policy/modules/services/postgresql.fc 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/postgresql.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/postgresql.fc 2010-03-09 18:51:11.000000000 -0500 @@ -3,6 +3,7 @@ # /etc/postgresql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0) @@ -21732,9 +21469,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post /var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0) + +/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.7.12/policy/modules/services/postgresql.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.7.13/policy/modules/services/postgresql.if --- nsaserefpolicy/policy/modules/services/postgresql.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/postgresql.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/postgresql.if 2010-03-09 18:51:11.000000000 -0500 @@ -125,6 +125,23 @@ typeattribute $1 sepgsql_table_type; ') @@ -21759,9 +21496,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## ## ## Marks as a SE-PostgreSQL system table/column/tuple object type -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.7.12/policy/modules/services/postgresql.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.7.13/policy/modules/services/postgresql.te --- nsaserefpolicy/policy/modules/services/postgresql.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/postgresql.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/postgresql.te 2010-03-09 18:51:11.000000000 -0500 @@ -150,6 +150,7 @@ dontaudit postgresql_t self:capability { sys_tty_config sys_admin }; allow postgresql_t self:process signal_perms; @@ -21796,9 +21533,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post miscfiles_read_localization(postgresql_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.7.12/policy/modules/services/ppp.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.7.13/policy/modules/services/ppp.fc --- nsaserefpolicy/policy/modules/services/ppp.fc 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/ppp.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/ppp.fc 2010-03-09 18:51:11.000000000 -0500 @@ -3,6 +3,7 @@ # /etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) @@ -21807,9 +21544,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. /etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0) /etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) /etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.7.12/policy/modules/services/ppp.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.7.13/policy/modules/services/ppp.if --- nsaserefpolicy/policy/modules/services/ppp.if 2010-01-18 15:04:31.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/ppp.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/ppp.if 2010-03-09 18:51:13.000000000 -0500 @@ -182,6 +182,10 @@ ppp_domtrans($1) role $2 types pppd_t; @@ -21821,9 +21558,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.7.12/policy/modules/services/ppp.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.7.13/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2010-01-18 15:04:31.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/ppp.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/ppp.te 2010-03-09 18:51:13.000000000 -0500 @@ -71,9 +71,9 @@ # PPPD Local policy # @@ -21861,9 +21598,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. optional_policy(` consoletype_exec(pppd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.7.12/policy/modules/services/prelude.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.7.13/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/prelude.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/prelude.te 2010-03-09 18:51:13.000000000 -0500 @@ -90,6 +90,7 @@ corenet_tcp_bind_prelude_port(prelude_t) corenet_tcp_connect_prelude_port(prelude_t) @@ -21881,9 +21618,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel fs_rw_anon_inodefs_files(prelude_lml_t) auth_use_nsswitch(prelude_lml_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.7.12/policy/modules/services/procmail.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.7.13/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/procmail.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/procmail.te 2010-03-09 18:51:13.000000000 -0500 @@ -22,7 +22,7 @@ # Local policy # @@ -21931,9 +21668,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.7.12/policy/modules/services/pyzor.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.7.13/policy/modules/services/pyzor.fc --- nsaserefpolicy/policy/modules/services/pyzor.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/pyzor.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/pyzor.fc 2010-03-09 18:51:13.000000000 -0500 @@ -1,6 +1,10 @@ /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) +/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0) @@ -21945,9 +21682,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.7.12/policy/modules/services/pyzor.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.7.13/policy/modules/services/pyzor.if --- nsaserefpolicy/policy/modules/services/pyzor.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/pyzor.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/pyzor.if 2010-03-09 18:51:13.000000000 -0500 @@ -88,3 +88,50 @@ corecmd_search_bin($1) can_exec($1, pyzor_exec_t) @@ -21999,9 +21736,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.7.12/policy/modules/services/pyzor.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.7.13/policy/modules/services/pyzor.te --- nsaserefpolicy/policy/modules/services/pyzor.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/pyzor.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/pyzor.te 2010-03-09 18:51:13.000000000 -0500 @@ -6,6 +6,38 @@ # Declarations # @@ -22066,9 +21803,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo userdom_dontaudit_search_user_home_dirs(pyzor_t) optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.7.12/policy/modules/services/radvd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.7.13/policy/modules/services/radvd.te --- nsaserefpolicy/policy/modules/services/radvd.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/radvd.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/radvd.te 2010-03-09 18:51:13.000000000 -0500 @@ -22,9 +22,9 @@ # # Local policy @@ -22104,17 +21841,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radv seutil_sigchld_newrole(radvd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.7.12/policy/modules/services/razor.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.7.13/policy/modules/services/razor.fc --- nsaserefpolicy/policy/modules/services/razor.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/razor.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/razor.fc 2010-03-09 18:51:13.000000000 -0500 @@ -1,3 +1,4 @@ +/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) /etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.7.12/policy/modules/services/razor.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.7.13/policy/modules/services/razor.if --- nsaserefpolicy/policy/modules/services/razor.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/razor.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/razor.if 2010-03-09 18:51:13.000000000 -0500 @@ -157,3 +157,45 @@ domtrans_pattern($1, razor_exec_t, razor_t) @@ -22161,9 +21898,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo + read_files_pattern($1, razor_var_lib_t, razor_var_lib_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.7.12/policy/modules/services/razor.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.7.13/policy/modules/services/razor.te --- nsaserefpolicy/policy/modules/services/razor.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/razor.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/razor.te 2010-03-09 18:51:13.000000000 -0500 @@ -6,6 +6,32 @@ # Declarations # @@ -22215,9 +21952,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo +') + ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdisc.if serefpolicy-3.7.12/policy/modules/services/rdisc.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdisc.if serefpolicy-3.7.13/policy/modules/services/rdisc.if --- nsaserefpolicy/policy/modules/services/rdisc.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/rdisc.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/rdisc.if 2010-03-09 18:51:13.000000000 -0500 @@ -1 +1,20 @@ ## Network router discovery daemon + @@ -22239,9 +21976,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdis + corecmd_search_bin($1) + can_exec($1,rdisc_exec_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.7.12/policy/modules/services/rgmanager.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.7.13/policy/modules/services/rgmanager.fc --- nsaserefpolicy/policy/modules/services/rgmanager.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/rgmanager.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/rgmanager.fc 2010-03-09 18:51:13.000000000 -0500 @@ -0,0 +1,8 @@ + +/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0) @@ -22251,9 +21988,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma +/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0) + +/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.7.12/policy/modules/services/rgmanager.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.7.13/policy/modules/services/rgmanager.if --- nsaserefpolicy/policy/modules/services/rgmanager.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/rgmanager.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/rgmanager.if 2010-03-09 18:51:13.000000000 -0500 @@ -0,0 +1,98 @@ +## SELinux policy for rgmanager + @@ -22353,9 +22090,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma + manage_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t) + manage_lnk_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.12/policy/modules/services/rgmanager.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.13/policy/modules/services/rgmanager.te --- nsaserefpolicy/policy/modules/services/rgmanager.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/rgmanager.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/rgmanager.te 2010-03-09 18:51:13.000000000 -0500 @@ -0,0 +1,223 @@ + +policy_module(rgmanager,1.0.0) @@ -22580,9 +22317,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma +optional_policy(` + xen_domtrans_xm(rgmanager_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.7.12/policy/modules/services/rhcs.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.7.13/policy/modules/services/rhcs.fc --- nsaserefpolicy/policy/modules/services/rhcs.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/rhcs.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/rhcs.fc 2010-03-09 18:51:13.000000000 -0500 @@ -0,0 +1,23 @@ +/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) +/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0) @@ -22607,9 +22344,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0) +/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.7.12/policy/modules/services/rhcs.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.7.13/policy/modules/services/rhcs.if --- nsaserefpolicy/policy/modules/services/rhcs.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/rhcs.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/rhcs.if 2010-03-09 18:51:13.000000000 -0500 @@ -0,0 +1,424 @@ +## SELinux policy for RHCS - Red Hat Cluster Suite + @@ -23035,9 +22772,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.12/policy/modules/services/rhcs.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.13/policy/modules/services/rhcs.te --- nsaserefpolicy/policy/modules/services/rhcs.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/rhcs.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/rhcs.te 2010-03-09 18:51:13.000000000 -0500 @@ -0,0 +1,248 @@ + +policy_module(rhcs,1.1.0) @@ -23287,9 +23024,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +optional_policy(` + corosync_stream_connect(cluster_domain) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.7.12/policy/modules/services/ricci.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.7.13/policy/modules/services/ricci.te --- nsaserefpolicy/policy/modules/services/ricci.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/ricci.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/ricci.te 2010-03-09 18:51:13.000000000 -0500 @@ -194,10 +194,13 @@ # ricci_modcluster local policy # @@ -23399,9 +23136,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc ccs_stream_connect(ricci_modstorage_t) ccs_read_config(ricci_modstorage_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.fc serefpolicy-3.7.12/policy/modules/services/rpc.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.fc serefpolicy-3.7.13/policy/modules/services/rpc.fc --- nsaserefpolicy/policy/modules/services/rpc.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/rpc.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/rpc.fc 2010-03-09 18:51:13.000000000 -0500 @@ -1,6 +1,10 @@ # # /etc @@ -23413,9 +23150,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. /etc/exports -- gen_context(system_u:object_r:exports_t,s0) # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.7.12/policy/modules/services/rpc.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.7.13/policy/modules/services/rpc.if --- nsaserefpolicy/policy/modules/services/rpc.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/rpc.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/rpc.if 2010-03-09 18:51:13.000000000 -0500 @@ -54,7 +54,7 @@ allow $1_t self:unix_dgram_socket create_socket_perms; allow $1_t self:unix_stream_socket create_stream_socket_perms; @@ -23509,9 +23246,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) + allow $1 var_lib_nfs_t:file { relabelfrom relabelto }; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.7.12/policy/modules/services/rpc.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.7.13/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/rpc.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/rpc.te 2010-03-09 18:51:13.000000000 -0500 @@ -8,7 +8,7 @@ ## @@ -23646,9 +23383,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.if serefpolicy-3.7.12/policy/modules/services/rsync.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.if serefpolicy-3.7.13/policy/modules/services/rsync.if --- nsaserefpolicy/policy/modules/services/rsync.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/rsync.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/rsync.if 2010-03-09 18:51:13.000000000 -0500 @@ -119,7 +119,7 @@ type rsync_etc_t; ') @@ -23666,9 +23403,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn + write_files_pattern($1, rsync_etc_t, rsync_etc_t) files_search_etc($1) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.7.12/policy/modules/services/rsync.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.7.13/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/rsync.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/rsync.te 2010-03-09 18:51:13.000000000 -0500 @@ -8,6 +8,13 @@ ## @@ -23720,9 +23457,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn +') + auth_can_read_shadow_passwords(rsync_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.7.12/policy/modules/services/rtkit.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.7.13/policy/modules/services/rtkit.if --- nsaserefpolicy/policy/modules/services/rtkit.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/rtkit.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/rtkit.if 2010-03-09 18:51:13.000000000 -0500 @@ -38,3 +38,23 @@ allow $1 rtkit_daemon_t:dbus send_msg; allow rtkit_daemon_t $1:dbus send_msg; @@ -23747,9 +23484,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtki + allow rtkit_daemon_t $1:process { getsched setsched }; + rtkit_daemon_dbus_chat($1) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.7.12/policy/modules/services/rtkit.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.7.13/policy/modules/services/rtkit.te --- nsaserefpolicy/policy/modules/services/rtkit.te 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/rtkit.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/rtkit.te 2010-03-09 18:51:13.000000000 -0500 @@ -17,9 +17,11 @@ allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace }; @@ -23771,9 +23508,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtki optional_policy(` policykit_dbus_chat(rtkit_daemon_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.7.12/policy/modules/services/samba.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.7.13/policy/modules/services/samba.fc --- nsaserefpolicy/policy/modules/services/samba.fc 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/samba.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/samba.fc 2010-03-09 18:51:13.000000000 -0500 @@ -51,3 +51,7 @@ /var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) @@ -23782,9 +23519,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +ifndef(`enable_mls',` +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.7.12/policy/modules/services/samba.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.7.13/policy/modules/services/samba.if --- nsaserefpolicy/policy/modules/services/samba.if 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/samba.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/samba.if 2010-03-09 18:51:13.000000000 -0500 @@ -62,6 +62,25 @@ ######################################## @@ -23998,9 +23735,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb admin_pattern($1, winbind_var_run_t) + admin_pattern($1, samba_unconfined_script_exec_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.12/policy/modules/services/samba.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.13/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/samba.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/samba.te 2010-03-09 18:51:13.000000000 -0500 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) @@ -24320,9 +24057,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +',` + can_exec(smbd_t, samba_unconfined_script_exec_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.7.12/policy/modules/services/sasl.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.7.13/policy/modules/services/sasl.te --- nsaserefpolicy/policy/modules/services/sasl.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/sasl.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/sasl.te 2010-03-09 18:51:13.000000000 -0500 @@ -31,7 +31,7 @@ # Local policy # @@ -24385,9 +24122,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl seutil_sigchld_newrole(saslauthd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.12/policy/modules/services/sendmail.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.13/policy/modules/services/sendmail.if --- nsaserefpolicy/policy/modules/services/sendmail.if 2010-01-11 09:40:36.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/sendmail.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/sendmail.if 2010-03-09 18:51:13.000000000 -0500 @@ -277,3 +277,22 @@ sendmail_domtrans_unconfined($1) role $2 types unconfined_sendmail_t; @@ -24411,9 +24148,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send + domtrans_pattern($1, sendmail_exec_t, unconfined_sendmail_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.12/policy/modules/services/sendmail.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.13/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2010-01-11 09:40:36.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/sendmail.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/sendmail.te 2010-03-09 18:51:13.000000000 -0500 @@ -30,7 +30,7 @@ # @@ -24492,18 +24229,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send + unconfined_domain_noaudit(unconfined_sendmail_t) ') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.7.12/policy/modules/services/setroubleshoot.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.7.13/policy/modules/services/setroubleshoot.fc --- nsaserefpolicy/policy/modules/services/setroubleshoot.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/setroubleshoot.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/setroubleshoot.fc 2010-03-09 18:51:13.000000000 -0500 @@ -5,3 +5,5 @@ /var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0) /var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0) + +/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.7.12/policy/modules/services/setroubleshoot.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.7.13/policy/modules/services/setroubleshoot.if --- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/setroubleshoot.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/setroubleshoot.if 2010-03-09 18:51:13.000000000 -0500 @@ -16,8 +16,8 @@ ') @@ -24641,9 +24378,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr + files_list_pids($1) + admin_pattern($1, setroubleshoot_var_run_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.7.12/policy/modules/services/setroubleshoot.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.7.13/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/setroubleshoot.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/setroubleshoot.te 2010-03-09 18:51:13.000000000 -0500 @@ -22,13 +22,19 @@ type setroubleshoot_var_run_t; files_pid_file(setroubleshoot_var_run_t) @@ -24789,9 +24526,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr + policykit_dbus_chat(setroubleshoot_fixit_t) + userdom_read_all_users_state(setroubleshoot_fixit_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.fc serefpolicy-3.7.12/policy/modules/services/smokeping.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.fc serefpolicy-3.7.13/policy/modules/services/smokeping.fc --- nsaserefpolicy/policy/modules/services/smokeping.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/smokeping.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/smokeping.fc 2010-03-09 18:51:13.000000000 -0500 @@ -0,0 +1,12 @@ + +/etc/rc\.d/init\.d/smokeping -- gen_context(system_u:object_r:smokeping_initrc_exec_t,s0) @@ -24805,9 +24542,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smok +/var/run/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_run_t,s0) + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.if serefpolicy-3.7.12/policy/modules/services/smokeping.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.if serefpolicy-3.7.13/policy/modules/services/smokeping.if --- nsaserefpolicy/policy/modules/services/smokeping.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/smokeping.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/smokeping.if 2010-03-09 18:51:13.000000000 -0500 @@ -0,0 +1,193 @@ + +## policy for smokeping @@ -25002,9 +24739,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smok + smokeping_manage_var_lib($1) + +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.te serefpolicy-3.7.12/policy/modules/services/smokeping.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.te serefpolicy-3.7.13/policy/modules/services/smokeping.te --- nsaserefpolicy/policy/modules/services/smokeping.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/smokeping.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/smokeping.te 2010-03-09 18:51:13.000000000 -0500 @@ -0,0 +1,81 @@ + +policy_module(smokeping,1.0.0) @@ -25087,9 +24824,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smok + + sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.7.12/policy/modules/services/snmp.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.7.13/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/snmp.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/snmp.te 2010-03-09 18:51:13.000000000 -0500 @@ -25,7 +25,7 @@ # # Local policy @@ -25099,9 +24836,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp dontaudit snmpd_t self:capability { sys_module sys_tty_config }; allow snmpd_t self:process { signal_perms getsched setsched }; allow snmpd_t self:fifo_file rw_fifo_file_perms; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.7.12/policy/modules/services/snort.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.7.13/policy/modules/services/snort.te --- nsaserefpolicy/policy/modules/services/snort.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/snort.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/snort.te 2010-03-09 18:51:13.000000000 -0500 @@ -37,6 +37,7 @@ allow snort_t self:tcp_socket create_stream_socket_perms; allow snort_t self:udp_socket create_socket_perms; @@ -25135,9 +24872,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snor domain_use_interactive_fds(snort_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.7.12/policy/modules/services/spamassassin.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.7.13/policy/modules/services/spamassassin.fc --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/spamassassin.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/spamassassin.fc 2010-03-09 18:51:13.000000000 -0500 @@ -1,15 +1,26 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) @@ -25167,9 +24904,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) +/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) +/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.7.12/policy/modules/services/spamassassin.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.7.13/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/spamassassin.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/spamassassin.if 2010-03-09 18:51:13.000000000 -0500 @@ -111,6 +111,45 @@ ') @@ -25296,9 +25033,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam + files_list_pids($1) + admin_pattern($1, spamd_var_run_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.7.12/policy/modules/services/spamassassin.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.7.13/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/spamassassin.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/spamassassin.te 2010-03-09 18:51:13.000000000 -0500 @@ -20,6 +20,35 @@ ## gen_tunable(spamd_enable_home_dirs, true) @@ -25604,9 +25341,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +optional_policy(` udev_read_db(spamd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.7.12/policy/modules/services/squid.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.7.13/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/squid.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/squid.te 2010-03-09 18:51:13.000000000 -0500 @@ -67,7 +67,9 @@ can_exec(squid_t, squid_exec_t) @@ -25635,18 +25372,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi -#squid requires the following when run in diskd mode, the recommended setting -allow squid_t tmpfs_t:file { read write }; -') dnl end TODO -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.7.12/policy/modules/services/ssh.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.7.13/policy/modules/services/ssh.fc --- nsaserefpolicy/policy/modules/services/ssh.fc 2010-01-18 15:04:31.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/ssh.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/ssh.fc 2010-03-09 18:51:13.000000000 -0500 @@ -14,3 +14,5 @@ /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) /var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) + +/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.12/policy/modules/services/ssh.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.13/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/ssh.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/ssh.if 2010-03-09 18:51:13.000000000 -0500 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -25814,9 +25551,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ####################################### ## ## Delete from the ssh temp files. -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.12/policy/modules/services/ssh.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.13/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/ssh.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/ssh.te 2010-03-09 18:51:13.000000000 -0500 @@ -114,6 +114,7 @@ manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) @@ -25949,9 +25686,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ifdef(`TODO',` tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.7.12/policy/modules/services/sssd.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.7.13/policy/modules/services/sssd.fc --- nsaserefpolicy/policy/modules/services/sssd.fc 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/sssd.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/sssd.fc 2010-03-09 18:51:13.000000000 -0500 @@ -4,6 +4,8 @@ /var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) @@ -25961,9 +25698,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd /var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) /var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.7.12/policy/modules/services/sssd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.7.13/policy/modules/services/sssd.if --- nsaserefpolicy/policy/modules/services/sssd.if 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/sssd.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/sssd.if 2010-03-09 18:51:13.000000000 -0500 @@ -38,6 +38,25 @@ ######################################## @@ -26042,9 +25779,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd + + admin_pattern($1, sssd_public_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.12/policy/modules/services/sssd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.13/policy/modules/services/sssd.te --- nsaserefpolicy/policy/modules/services/sssd.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/sssd.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/sssd.te 2010-03-09 18:51:13.000000000 -0500 @@ -13,6 +13,9 @@ type sssd_initrc_exec_t; init_script_file(sssd_initrc_exec_t) @@ -26099,9 +25836,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd optional_policy(` dbus_system_bus_client(sssd_t) dbus_connect_system_bus(sssd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.7.12/policy/modules/services/sysstat.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.7.13/policy/modules/services/sysstat.te --- nsaserefpolicy/policy/modules/services/sysstat.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/sysstat.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/sysstat.te 2010-03-09 18:51:13.000000000 -0500 @@ -19,14 +19,15 @@ # Local policy # @@ -26120,9 +25857,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/syss logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir }) # get info from /proc -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.7.12/policy/modules/services/telnet.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.7.13/policy/modules/services/telnet.te --- nsaserefpolicy/policy/modules/services/telnet.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/telnet.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/telnet.te 2010-03-09 18:51:13.000000000 -0500 @@ -85,6 +85,7 @@ remotelogin_domtrans(telnetd_t) @@ -26131,9 +25868,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln optional_policy(` kerberos_keytab_template(telnetd, telnetd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.7.12/policy/modules/services/tftp.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.7.13/policy/modules/services/tftp.te --- nsaserefpolicy/policy/modules/services/tftp.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/tftp.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/tftp.te 2010-03-09 18:51:13.000000000 -0500 @@ -50,9 +50,8 @@ manage_files_pattern(tftpd_t, tftpd_var_run_t, tftpd_var_run_t) files_pid_filetrans(tftpd_t, tftpd_var_run_t, file) @@ -26145,45 +25882,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp corenet_all_recvfrom_unlabeled(tftpd_t) corenet_all_recvfrom_netlabel(tftpd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.if serefpolicy-3.7.12/policy/modules/services/tgtd.if ---- nsaserefpolicy/policy/modules/services/tgtd.if 2009-11-12 12:51:51.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/tgtd.if 2010-03-05 17:18:52.000000000 -0500 -@@ -9,3 +9,20 @@ - ##

- ## - -+##################################### -+## -+## Allow read and write access to tgtd semaphores. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`tgtd_rw_semaphores',` -+ gen_require(` -+ type tgtd_t; -+ ') -+ -+ allow $1 tgtd_t:sem { rw_sem_perms }; -+') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.te serefpolicy-3.7.12/policy/modules/services/tgtd.te ---- nsaserefpolicy/policy/modules/services/tgtd.te 2009-11-12 12:51:51.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/tgtd.te 2010-03-05 17:18:52.000000000 -0500 -@@ -60,7 +60,7 @@ - - files_read_etc_files(tgtd_t) - --storage_getattr_fixed_disk_dev(tgtd_t) -+storage_manage_fixed_disk(tgtd_t) - - logging_send_syslog_msg(tgtd_t) - -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.7.12/policy/modules/services/tor.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.7.13/policy/modules/services/tor.te --- nsaserefpolicy/policy/modules/services/tor.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/tor.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/tor.te 2010-03-09 18:51:13.000000000 -0500 @@ -6,6 +6,14 @@ # Declarations # @@ -26215,9 +25916,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor. +tunable_policy(`tor_bind_all_unreserved_ports', ` + corenet_tcp_bind_all_unreserved_ports(tor_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.fc serefpolicy-3.7.12/policy/modules/services/tuned.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.fc serefpolicy-3.7.13/policy/modules/services/tuned.fc --- nsaserefpolicy/policy/modules/services/tuned.fc 2009-11-12 12:51:51.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/tuned.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/tuned.fc 2010-03-09 18:51:13.000000000 -0500 @@ -2,4 +2,7 @@ /usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0) @@ -26226,9 +25927,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tune +/var/log/tuned\.log -- gen_context(system_u:object_r:tuned_log_t,s0) + /var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.7.12/policy/modules/services/tuned.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.7.13/policy/modules/services/tuned.te --- nsaserefpolicy/policy/modules/services/tuned.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/tuned.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/tuned.te 2010-03-09 18:51:13.000000000 -0500 @@ -13,6 +13,9 @@ type tuned_initrc_exec_t; init_script_file(tuned_initrc_exec_t) @@ -26282,9 +25983,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tune # to allow network interface tuning optional_policy(` sysnet_domtrans_ifconfig(tuned_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.te serefpolicy-3.7.12/policy/modules/services/ucspitcp.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.te serefpolicy-3.7.13/policy/modules/services/ucspitcp.te --- nsaserefpolicy/policy/modules/services/ucspitcp.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/ucspitcp.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/ucspitcp.te 2010-03-09 18:51:13.000000000 -0500 @@ -92,3 +92,8 @@ daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t) daemontools_read_svc(ucspitcp_t) @@ -26294,17 +25995,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucsp + daemontools_sigchld_run(ucspitcp_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.7.12/policy/modules/services/usbmuxd.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.7.13/policy/modules/services/usbmuxd.fc --- nsaserefpolicy/policy/modules/services/usbmuxd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/usbmuxd.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/usbmuxd.fc 2010-03-09 18:51:13.000000000 -0500 @@ -0,0 +1,4 @@ + +/usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0) + +/var/run/usbmuxd -s gen_context(system_u:object_r:usbmuxd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.if serefpolicy-3.7.12/policy/modules/services/usbmuxd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.if serefpolicy-3.7.13/policy/modules/services/usbmuxd.if --- nsaserefpolicy/policy/modules/services/usbmuxd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/usbmuxd.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/usbmuxd.if 2010-03-09 18:51:13.000000000 -0500 @@ -0,0 +1,39 @@ +## Daemon for communicating with Apple's iPod Touch and iPhone + @@ -26345,10 +26046,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm + files_search_pids($1) + stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.te serefpolicy-3.7.12/policy/modules/services/usbmuxd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.te serefpolicy-3.7.13/policy/modules/services/usbmuxd.te --- nsaserefpolicy/policy/modules/services/usbmuxd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/usbmuxd.te 2010-03-05 17:18:52.000000000 -0500 -@@ -0,0 +1,48 @@ ++++ serefpolicy-3.7.13/policy/modules/services/usbmuxd.te 2010-03-09 18:51:13.000000000 -0500 +@@ -0,0 +1,50 @@ +policy_module(usbmuxd,1.0.0) + +######################################## @@ -26372,7 +26073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm +# + +allow usbmuxd_t self:capability { kill setgid setuid }; -+allow usbmuxd_t self:process { fork }; ++allow usbmuxd_t self:process { fork signal signull }; + +# Init script handling +domain_use_interactive_fds(usbmuxd_t) @@ -26386,8 +26087,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm +manage_sock_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) +files_pid_filetrans(usbmuxd_t, usbmuxd_var_run_t, { file dir sock_file }) + ++kernel_read_kernel_sysctls(usbmuxd_t) +kernel_read_system_state(usbmuxd_t) + ++dev_read_sysfs(usbmuxd_t) +dev_rw_generic_usb_dev(usbmuxd_t) + +files_read_etc_files(usbmuxd_t) @@ -26397,9 +26100,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm +auth_use_nsswitch(usbmuxd_t) + +logging_send_syslog_msg(usbmuxd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.7.12/policy/modules/services/uucp.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.7.13/policy/modules/services/uucp.te --- nsaserefpolicy/policy/modules/services/uucp.te 2010-01-11 09:40:36.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/uucp.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/uucp.te 2010-03-09 18:51:13.000000000 -0500 @@ -90,6 +90,7 @@ fs_getattr_xattr_fs(uucpd_t) @@ -26417,9 +26120,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp optional_policy(` cron_system_entry(uucpd_t, uucpd_exec_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.fc serefpolicy-3.7.12/policy/modules/services/vhostmd.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.fc serefpolicy-3.7.13/policy/modules/services/vhostmd.fc --- nsaserefpolicy/policy/modules/services/vhostmd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/vhostmd.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/vhostmd.fc 2010-03-09 18:51:13.000000000 -0500 @@ -0,0 +1,6 @@ + +/usr/sbin/vhostmd -- gen_context(system_u:object_r:vhostmd_exec_t,s0) @@ -26427,9 +26130,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos +/etc/rc.d/init.d/vhostmd -- gen_context(system_u:object_r:vhostmd_initrc_exec_t,s0) +/var/run/vhostmd.pid -- gen_context(system_u:object_r:vhostmd_var_run_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.7.12/policy/modules/services/vhostmd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.7.13/policy/modules/services/vhostmd.if --- nsaserefpolicy/policy/modules/services/vhostmd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/vhostmd.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/vhostmd.if 2010-03-09 18:51:13.000000000 -0500 @@ -0,0 +1,228 @@ + +## policy for vhostmd @@ -26659,9 +26362,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos + vhostmd_manage_var_run($1) + +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.7.12/policy/modules/services/vhostmd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.7.13/policy/modules/services/vhostmd.te --- nsaserefpolicy/policy/modules/services/vhostmd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/vhostmd.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/vhostmd.te 2010-03-09 18:51:13.000000000 -0500 @@ -0,0 +1,84 @@ + +policy_module(vhostmd,1.0.0) @@ -26747,9 +26450,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos + xen_stream_connect_xenstore(vhostmd_t) + xen_stream_connect_xm(vhostmd_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.12/policy/modules/services/virt.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.13/policy/modules/services/virt.fc --- nsaserefpolicy/policy/modules/services/virt.fc 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/virt.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/virt.fc 2010-03-09 18:51:13.000000000 -0500 @@ -8,6 +8,10 @@ /etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) /etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) @@ -26761,9 +26464,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) /var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.12/policy/modules/services/virt.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.13/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/virt.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/virt.if 2010-03-09 18:51:13.000000000 -0500 @@ -22,6 +22,11 @@ domain_type($1_t) role system_r types $1_t; @@ -26837,9 +26540,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt + ptchown_run(svirt_t, $2) + ') +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.12/policy/modules/services/virt.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.13/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/virt.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/virt.te 2010-03-09 18:51:13.000000000 -0500 @@ -15,6 +15,13 @@ ## @@ -27030,9 +26733,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt auth_use_nsswitch(virt_domain) logging_send_syslog_msg(virt_domain) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.7.12/policy/modules/services/w3c.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.7.13/policy/modules/services/w3c.te --- nsaserefpolicy/policy/modules/services/w3c.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/w3c.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/w3c.te 2010-03-09 18:51:13.000000000 -0500 @@ -8,11 +8,18 @@ apache_content_template(w3c_validator) @@ -27052,9 +26755,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c. corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t) corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t) corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.12/policy/modules/services/xserver.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.13/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/xserver.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/xserver.fc 2010-03-09 18:51:13.000000000 -0500 @@ -3,12 +3,21 @@ # HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) @@ -27162,9 +26865,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +/var/lib/pqsql/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.12/policy/modules/services/xserver.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.13/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/xserver.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/xserver.if 2010-03-09 18:51:13.000000000 -0500 @@ -19,7 +19,7 @@ interface(`xserver_restricted_role',` gen_require(` @@ -27663,9 +27366,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + + manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.12/policy/modules/services/xserver.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.13/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/services/xserver.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/xserver.te 2010-03-10 09:11:20.000000000 -0500 @@ -36,6 +36,13 @@ ## @@ -27963,10 +27666,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -334,24 +425,42 @@ +@@ -332,26 +423,45 @@ + + manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) ++manage_lnk_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) - files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file }) +-files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file }) ++files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file lnk_file }) +relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) +relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) @@ -28010,7 +27717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t xserver_t:unix_stream_socket connectto; allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms; -@@ -359,10 +468,13 @@ +@@ -359,10 +469,13 @@ # transition to the xdm xserver domtrans_pattern(xdm_t, xserver_exec_t, xserver_t) @@ -28024,7 +27731,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -371,10 +483,14 @@ +@@ -371,10 +484,14 @@ delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -28040,7 +27747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser kernel_read_system_state(xdm_t) kernel_read_kernel_sysctls(xdm_t) -@@ -394,11 +510,13 @@ +@@ -394,11 +511,13 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -28054,7 +27761,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_read_rand(xdm_t) dev_read_sysfs(xdm_t) dev_getattr_framebuffer_dev(xdm_t) -@@ -406,6 +524,7 @@ +@@ -406,6 +525,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -28062,7 +27769,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -414,18 +533,21 @@ +@@ -414,18 +534,21 @@ dev_getattr_misc_dev(xdm_t) dev_setattr_misc_dev(xdm_t) dev_dontaudit_rw_misc(xdm_t) @@ -28087,7 +27794,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -436,9 +558,15 @@ +@@ -436,9 +559,15 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -28103,7 +27810,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -447,14 +575,18 @@ +@@ -447,14 +576,18 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -28122,7 +27829,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -465,10 +597,12 @@ +@@ -465,10 +598,12 @@ logging_read_generic_logs(xdm_t) @@ -28137,7 +27844,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -477,6 +611,11 @@ +@@ -477,6 +612,11 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -28149,7 +27856,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -509,10 +648,12 @@ +@@ -509,10 +649,12 @@ optional_policy(` alsa_domtrans(xdm_t) @@ -28162,7 +27869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -520,12 +661,49 @@ +@@ -520,12 +662,49 @@ ') optional_policy(` @@ -28212,7 +27919,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser hostname_exec(xdm_t) ') -@@ -543,9 +721,43 @@ +@@ -543,9 +722,43 @@ ') optional_policy(` @@ -28256,7 +27963,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` seutil_sigchld_newrole(xdm_t) ') -@@ -555,8 +767,9 @@ +@@ -555,8 +768,9 @@ ') optional_policy(` @@ -28268,7 +27975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -565,7 +778,6 @@ +@@ -565,7 +779,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -28276,7 +27983,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -576,6 +788,10 @@ +@@ -576,6 +789,10 @@ ') optional_policy(` @@ -28287,7 +27994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xfs_stream_connect(xdm_t) ') -@@ -600,10 +816,9 @@ +@@ -600,10 +817,9 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -28299,7 +28006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:sock_file read_sock_file_perms; -@@ -615,6 +830,18 @@ +@@ -615,6 +831,18 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -28318,7 +28025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -634,12 +861,19 @@ +@@ -634,12 +862,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -28340,7 +28047,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -673,7 +907,6 @@ +@@ -673,7 +908,6 @@ dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -28348,7 +28055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -683,9 +916,12 @@ +@@ -683,9 +917,12 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -28362,7 +28069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -700,8 +936,13 @@ +@@ -700,8 +937,13 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -28376,7 +28083,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -723,11 +964,14 @@ +@@ -723,11 +965,14 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -28391,7 +28098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -779,12 +1023,24 @@ +@@ -779,12 +1024,24 @@ ') optional_policy(` @@ -28417,7 +28124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser unconfined_domtrans(xserver_t) ') -@@ -811,7 +1067,7 @@ +@@ -811,7 +1068,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -28426,7 +28133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -832,9 +1088,14 @@ +@@ -832,9 +1089,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -28441,7 +28148,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -849,11 +1110,14 @@ +@@ -849,11 +1111,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -28458,7 +28165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -999,3 +1263,33 @@ +@@ -999,3 +1264,33 @@ allow xserver_unconfined_type xextension_type:x_extension *; allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -28492,9 +28199,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +tunable_policy(`use_samba_home_dirs',` + fs_append_cifs_files(xdmhomewriter) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.if serefpolicy-3.7.12/policy/modules/services/zebra.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.if serefpolicy-3.7.13/policy/modules/services/zebra.if --- nsaserefpolicy/policy/modules/services/zebra.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/services/zebra.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/zebra.if 2010-03-09 18:51:13.000000000 -0500 @@ -24,6 +24,26 @@ ######################################## @@ -28522,9 +28229,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebr ## All of the rules required to administrate ## an zebra environment ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.7.12/policy/modules/system/application.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.7.13/policy/modules/system/application.te --- nsaserefpolicy/policy/modules/system/application.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/application.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/application.te 2010-03-09 18:51:13.000000000 -0500 @@ -7,6 +7,17 @@ # Executables to be run by user attribute application_exec_type; @@ -28543,9 +28250,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic optional_policy(` ssh_sigchld(application_domain_type) ssh_rw_stream_sockets(application_domain_type) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.7.12/policy/modules/system/authlogin.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.7.13/policy/modules/system/authlogin.fc --- nsaserefpolicy/policy/modules/system/authlogin.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/system/authlogin.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/authlogin.fc 2010-03-09 18:51:13.000000000 -0500 @@ -7,12 +7,10 @@ /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) @@ -28570,9 +28277,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.12/policy/modules/system/authlogin.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.13/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2010-03-03 23:26:37.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/authlogin.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/authlogin.if 2010-03-09 18:51:13.000000000 -0500 @@ -40,17 +40,76 @@ ## ## @@ -28897,9 +28604,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.7.12/policy/modules/system/authlogin.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.7.13/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2010-03-01 15:12:54.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/authlogin.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/authlogin.te 2010-03-09 18:51:13.000000000 -0500 @@ -103,8 +103,10 @@ fs_dontaudit_getattr_xattr_fs(chkpwd_t) @@ -28930,9 +28637,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ######################################## # # PAM local policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.if serefpolicy-3.7.12/policy/modules/system/daemontools.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.if serefpolicy-3.7.13/policy/modules/system/daemontools.if --- nsaserefpolicy/policy/modules/system/daemontools.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/system/daemontools.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/daemontools.if 2010-03-09 18:51:13.000000000 -0500 @@ -71,6 +71,32 @@ domtrans_pattern($1, svc_start_exec_t, svc_start_t) ') @@ -29013,9 +28720,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemon + + allow $1 svc_run_t:process sigchld; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.te serefpolicy-3.7.12/policy/modules/system/daemontools.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.te serefpolicy-3.7.13/policy/modules/system/daemontools.te --- nsaserefpolicy/policy/modules/system/daemontools.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/system/daemontools.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/daemontools.te 2010-03-09 18:51:13.000000000 -0500 @@ -39,7 +39,10 @@ # multilog creates /service/*/log/status manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t) @@ -29088,19 +28795,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemon + daemontools_domtrans_run(svc_start_t) daemontools_manage_svc(svc_start_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.7.12/policy/modules/system/fstools.fc ---- nsaserefpolicy/policy/modules/system/fstools.fc 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/fstools.fc 2010-03-05 17:18:52.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.7.13/policy/modules/system/fstools.fc +--- nsaserefpolicy/policy/modules/system/fstools.fc 2010-03-09 15:39:06.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/fstools.fc 2010-03-09 18:51:13.000000000 -0500 @@ -1,4 +1,3 @@ -/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -19,10 +18,10 @@ - /sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/mke2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) +@@ -23,7 +22,6 @@ /sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) @@ -29108,17 +28811,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -40,6 +39,7 @@ - /usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0) - -+/usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0) - - /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.7.12/policy/modules/system/fstools.te ---- nsaserefpolicy/policy/modules/system/fstools.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/fstools.te 2010-03-05 17:18:52.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.7.13/policy/modules/system/fstools.te +--- nsaserefpolicy/policy/modules/system/fstools.te 2010-03-09 15:39:06.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/fstools.te 2010-03-09 18:51:13.000000000 -0500 @@ -118,6 +118,8 @@ fs_search_tmpfs(fsadm_t) fs_getattr_tmpfs_dirs(fsadm_t) @@ -29128,19 +28823,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool # Recreate /mnt/cdrom. files_manage_mnt_dirs(fsadm_t) # for tune2fs -@@ -148,8 +150,7 @@ +@@ -148,7 +150,7 @@ seutil_read_config(fsadm_t) -userdom_use_user_terminals(fsadm_t) --userdom_use_unpriv_users_fds(fsadm_t) +term_use_all_terms(fsadm_t) ifdef(`distro_redhat',` optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.7.12/policy/modules/system/getty.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.7.13/policy/modules/system/getty.te --- nsaserefpolicy/policy/modules/system/getty.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/getty.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/getty.te 2010-03-09 18:51:13.000000000 -0500 @@ -56,11 +56,10 @@ manage_files_pattern(getty_t, getty_var_run_t, getty_var_run_t) files_pid_filetrans(getty_t, getty_var_run_t, file) @@ -29156,9 +28850,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty. dev_read_sysfs(getty_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.7.12/policy/modules/system/hostname.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.7.13/policy/modules/system/hostname.te --- nsaserefpolicy/policy/modules/system/hostname.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/hostname.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/hostname.te 2010-03-09 18:51:13.000000000 -0500 @@ -27,15 +27,18 @@ dev_read_sysfs(hostname_t) @@ -29178,19 +28872,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna fs_dontaudit_use_tmpfs_chr_dev(hostname_t) term_dontaudit_use_console(hostname_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.7.12/policy/modules/system/hotplug.te ---- nsaserefpolicy/policy/modules/system/hotplug.te 2010-03-04 11:17:25.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/hotplug.te 2010-03-05 17:18:52.000000000 -0500 -@@ -1,5 +1,5 @@ - --policy_module(hotplug, 1.12.1) -+policy_module(hotplug, 1.12.0) - - ######################################## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.7.12/policy/modules/system/init.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.7.13/policy/modules/system/init.fc --- nsaserefpolicy/policy/modules/system/init.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/system/init.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/init.fc 2010-03-09 18:51:13.000000000 -0500 @@ -4,10 +4,10 @@ /etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) @@ -29214,9 +28898,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f # # /var -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.12/policy/modules/system/init.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.13/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2010-03-01 15:12:54.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/init.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/init.if 2010-03-09 18:51:13.000000000 -0500 @@ -193,8 +193,10 @@ gen_require(` attribute direct_run_init, direct_init, direct_init_entry; @@ -29543,9 +29227,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + init_dontaudit_use_script_fds($1) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.12/policy/modules/system/init.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.13/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/init.te 2010-03-07 08:32:09.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/init.te 2010-03-09 18:51:13.000000000 -0500 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart, false) @@ -29943,7 +29627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t + +# system-config-services causes avc messages that should be dontaudited +tunable_policy(`allow_daemons_dump_core',` -+ files_manage_root(daemon) ++ files_manage_root_files(daemon) +') + +optional_policy(` @@ -30151,9 +29835,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t +optional_policy(` + fail2ban_read_lib_files(daemon) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.7.12/policy/modules/system/ipsec.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.7.13/policy/modules/system/ipsec.fc --- nsaserefpolicy/policy/modules/system/ipsec.fc 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/ipsec.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/ipsec.fc 2010-03-09 18:51:13.000000000 -0500 @@ -37,6 +37,8 @@ /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) @@ -30164,9 +29848,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. +/var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0) -/var/run/racoon.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.7.12/policy/modules/system/ipsec.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.7.13/policy/modules/system/ipsec.if --- nsaserefpolicy/policy/modules/system/ipsec.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/ipsec.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/ipsec.if 2010-03-09 18:51:13.000000000 -0500 @@ -39,6 +39,25 @@ ######################################## @@ -30193,9 +29877,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. ## Get the attributes of an IPSEC key socket. ## ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.12/policy/modules/system/ipsec.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.13/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/ipsec.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/ipsec.te 2010-03-09 18:51:13.000000000 -0500 @@ -29,9 +29,15 @@ type ipsec_key_file_t; files_type(ipsec_key_file_t) @@ -30242,20 +29926,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. kernel_read_kernel_sysctls(ipsec_t) kernel_list_proc(ipsec_t) -@@ -171,8 +183,10 @@ +@@ -171,8 +183,9 @@ # ipsec_mgmt Local policy # -allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search }; -allow ipsec_mgmt_t self:process { signal setrlimit }; -+allow ipsec_mgmt_t self:process setsched; +allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice }; +dontaudit ipsec_mgmt_t self:capability sys_tty_config; -+allow ipsec_mgmt_t self:process { getsched ptrace setrlimit signal }; ++allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal }; allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; -@@ -182,6 +196,13 @@ +@@ -182,6 +195,13 @@ allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file) @@ -30269,7 +29952,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) -@@ -209,7 +230,6 @@ +@@ -209,7 +229,6 @@ # whack needs to connect to pluto stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t) @@ -30277,7 +29960,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t) allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read; -@@ -247,8 +267,10 @@ +@@ -247,8 +266,10 @@ files_read_etc_files(ipsec_mgmt_t) files_exec_etc_files(ipsec_mgmt_t) files_read_etc_runtime_files(ipsec_mgmt_t) @@ -30288,7 +29971,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) -@@ -259,6 +281,7 @@ +@@ -259,6 +280,7 @@ init_use_script_ptys(ipsec_mgmt_t) init_exec_script_files(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t) @@ -30296,7 +29979,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. logging_send_syslog_msg(ipsec_mgmt_t) -@@ -323,6 +346,7 @@ +@@ -323,6 +345,7 @@ kernel_read_system_state(racoon_t) kernel_read_network_state(racoon_t) @@ -30304,7 +29987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) -@@ -362,6 +386,8 @@ +@@ -362,6 +385,8 @@ sysnet_exec_ifconfig(racoon_t) @@ -30313,7 +29996,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -380,12 +406,15 @@ +@@ -380,12 +405,15 @@ read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t) read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t) @@ -30329,14 +30012,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. # allow setkey to set the context for ipsec SAs and policy. ipsec_setcontext_default_spd(setkey_t) -@@ -397,3 +426,4 @@ +@@ -397,3 +425,4 @@ seutil_read_config(setkey_t) userdom_use_user_terminals(setkey_t) +userdom_read_user_tmp_files(setkey_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.7.12/policy/modules/system/iptables.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.7.13/policy/modules/system/iptables.fc --- nsaserefpolicy/policy/modules/system/iptables.fc 2010-02-12 16:41:05.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/iptables.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/iptables.fc 2010-03-09 18:51:13.000000000 -0500 @@ -1,6 +1,4 @@ /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) @@ -30344,9 +30027,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl /sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.7.12/policy/modules/system/iptables.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.7.13/policy/modules/system/iptables.if --- nsaserefpolicy/policy/modules/system/iptables.if 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/iptables.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/iptables.if 2010-03-09 18:51:13.000000000 -0500 @@ -17,6 +17,10 @@ corecmd_search_bin($1) @@ -30358,9 +30041,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.12/policy/modules/system/iptables.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.13/policy/modules/system/iptables.te --- nsaserefpolicy/policy/modules/system/iptables.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/iptables.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/iptables.te 2010-03-09 18:51:13.000000000 -0500 @@ -14,9 +14,6 @@ type iptables_initrc_exec_t; init_script_file(iptables_initrc_exec_t) @@ -30434,92 +30117,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl udev_read_db(iptables_t) ') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.7.12/policy/modules/system/iscsi.fc ---- nsaserefpolicy/policy/modules/system/iscsi.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/system/iscsi.fc 2010-03-05 17:18:52.000000000 -0500 -@@ -1,5 +1,9 @@ - /sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) -+/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) - - /var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0) - /var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0) -+ -+/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0) -+ - /var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.7.12/policy/modules/system/iscsi.te ---- nsaserefpolicy/policy/modules/system/iscsi.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/iscsi.te 2010-03-05 17:18:52.000000000 -0500 -@@ -14,6 +14,9 @@ - type iscsi_lock_t; - files_lock_file(iscsi_lock_t) - -+type iscsi_log_t; -+logging_log_file(iscsi_log_t) -+ - type iscsi_tmp_t; - files_tmp_file(iscsi_tmp_t) - -@@ -36,15 +39,21 @@ - allow iscsid_t self:sem create_sem_perms; - allow iscsid_t self:shm create_shm_perms; - allow iscsid_t self:netlink_socket create_socket_perms; -+allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms; - allow iscsid_t self:netlink_route_socket rw_netlink_socket_perms; - allow iscsid_t self:tcp_socket create_stream_socket_perms; - -+can_exec(iscsid_t, iscsid_exec_t) -+ - manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t) - files_lock_filetrans(iscsid_t, iscsi_lock_t, file) - --allow iscsid_t iscsi_tmp_t:dir manage_dir_perms; --allow iscsid_t iscsi_tmp_t:file manage_file_perms; --fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, file ) -+manage_files_pattern(iscsid_t, iscsi_log_t, iscsi_log_t) -+logging_log_filetrans(iscsid_t, iscsi_log_t, file) -+ -+manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t) -+manage_files_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t) -+fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, { dir file } ) - - allow iscsid_t iscsi_var_lib_t:dir list_dir_perms; - read_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t) -@@ -54,8 +63,8 @@ - manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t) - files_pid_filetrans(iscsid_t, iscsi_var_run_t, file) - -+kernel_read_network_state(iscsid_t) - kernel_read_system_state(iscsid_t) --kernel_search_debugfs(iscsid_t) - - corenet_all_recvfrom_unlabeled(iscsid_t) - corenet_all_recvfrom_netlabel(iscsid_t) -@@ -67,13 +76,21 @@ - corenet_tcp_connect_isns_port(iscsid_t) - - dev_rw_sysfs(iscsid_t) -+dev_rw_userio_dev(iscsid_t) - - domain_use_interactive_fds(iscsid_t) -+domain_dontaudit_read_all_domains_state(iscsid_t) - - files_read_etc_files(iscsid_t) - -+init_stream_connect_script(iscsid_t) -+ - logging_send_syslog_msg(iscsid_t) - - auth_use_nsswitch(iscsid_t) - - miscfiles_read_localization(iscsid_t) -+ -+optional_policy(` -+ tgtd_rw_semaphores(iscsid_t) -+') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.12/policy/modules/system/libraries.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.13/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/system/libraries.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/libraries.fc 2010-03-09 18:51:13.000000000 -0500 @@ -60,12 +60,15 @@ # # /opt @@ -30880,9 +30480,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +/usr/lib(64)?/vdpau/libvdpau_nvidia\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.12/policy/modules/system/libraries.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.13/policy/modules/system/libraries.if --- nsaserefpolicy/policy/modules/system/libraries.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/system/libraries.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/libraries.if 2010-03-10 09:40:07.000000000 -0500 @@ -17,6 +17,7 @@ corecmd_search_bin($1) @@ -30909,9 +30509,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar allow $1 lib_t:dir list_dir_perms; read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.7.12/policy/modules/system/libraries.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.7.13/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/libraries.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/libraries.te 2010-03-09 18:51:13.000000000 -0500 @@ -58,11 +58,11 @@ # ldconfig local policy # @@ -30984,9 +30584,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +optional_policy(` + unconfined_domain(ldconfig_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.7.12/policy/modules/system/locallogin.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.7.13/policy/modules/system/locallogin.te --- nsaserefpolicy/policy/modules/system/locallogin.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/locallogin.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/locallogin.te 2010-03-09 18:51:13.000000000 -0500 @@ -33,9 +33,8 @@ # Local login local policy # @@ -31087,9 +30687,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall -optional_policy(` - nscd_socket_use(sulogin_t) -') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.7.12/policy/modules/system/logging.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.7.13/policy/modules/system/logging.fc --- nsaserefpolicy/policy/modules/system/logging.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/system/logging.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/logging.fc 2010-03-09 18:51:13.000000000 -0500 @@ -17,6 +17,10 @@ /sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) /sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) @@ -31129,9 +30729,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.7.12/policy/modules/system/logging.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.7.13/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2010-03-01 15:12:54.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/logging.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/logging.if 2010-03-09 18:51:13.000000000 -0500 @@ -96,6 +96,20 @@ ######################################## @@ -31191,9 +30791,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.12/policy/modules/system/logging.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.13/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/logging.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/logging.te 2010-03-09 18:51:13.000000000 -0500 @@ -101,6 +101,7 @@ kernel_read_kernel_sysctls(auditctl_t) @@ -31336,9 +30936,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin udev_read_db(syslogd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.7.12/policy/modules/system/lvm.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.7.13/policy/modules/system/lvm.fc --- nsaserefpolicy/policy/modules/system/lvm.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/system/lvm.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/lvm.fc 2010-03-09 18:51:13.000000000 -0500 @@ -28,6 +28,7 @@ # /lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) @@ -31347,9 +30947,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc # # /sbin -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.7.12/policy/modules/system/lvm.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.7.13/policy/modules/system/lvm.if --- nsaserefpolicy/policy/modules/system/lvm.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/lvm.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/lvm.if 2010-03-09 18:51:13.000000000 -0500 @@ -34,7 +34,7 @@ type lvm_exec_t; ') @@ -31359,9 +30959,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if can_exec($1, lvm_exec_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.12/policy/modules/system/lvm.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.13/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/lvm.te 2010-03-07 08:47:06.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/lvm.te 2010-03-09 18:51:13.000000000 -0500 @@ -142,6 +142,11 @@ ') @@ -31421,144 +31021,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te bootloader_rw_tmp_files(lvm_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.7.12/policy/modules/system/miscfiles.fc ---- nsaserefpolicy/policy/modules/system/miscfiles.fc 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/miscfiles.fc 2010-03-05 17:18:52.000000000 -0500 -@@ -42,6 +42,7 @@ - /usr/man(/.*)? gen_context(system_u:object_r:man_t,s0) - - /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) -+/usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) - /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) - /usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) - /usr/share/man(/.*)? gen_context(system_u:object_r:man_t,s0) -@@ -70,13 +71,15 @@ - - /var/lib/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) - --/var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_t,s0) -+/var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0) - /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) - /var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0) - --/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) - /var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) - -+/var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) -+ -+/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) - /var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) - - ifdef(`distro_debian',` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.7.12/policy/modules/system/miscfiles.if ---- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-03-01 15:12:54.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/miscfiles.if 2010-03-05 17:18:52.000000000 -0500 -@@ -73,7 +73,8 @@ - # - interface(`miscfiles_read_fonts',` - gen_require(` -- type fonts_t; -+ type fonts_t, fonts_cache_t; -+ - ') - - # cjp: fonts can be in either of these dirs -@@ -83,6 +84,10 @@ - allow $1 fonts_t:dir list_dir_perms; - read_files_pattern($1, fonts_t, fonts_t) - read_lnk_files_pattern($1, fonts_t, fonts_t) -+ -+ allow $1 fonts_cache_t:dir list_dir_perms; -+ read_files_pattern($1, fonts_cache_t, fonts_cache_t) -+ read_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t) - ') - - ######################################## -@@ -167,6 +172,68 @@ - manage_dirs_pattern($1, fonts_t, fonts_t) - manage_files_pattern($1, fonts_t, fonts_t) - manage_lnk_files_pattern($1, fonts_t, fonts_t) -+ miscfiles_manage_fonts_cache($1) -+') -+ -+######################################## -+## -+## Set the attributes on a fonts cache directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`miscfiles_setattr_fonts_cache_dirs',` -+ gen_require(` -+ type fonts_cache_t; -+ ') -+ -+ allow $1 fonts_cache_t:dir setattr; -+') -+ -+######################################## -+## -+## Dontaudit attempts to set the attributes on a fonts cache directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`miscfiles_dontaudit_setattr_fonts_cache_dirs',` -+ gen_require(` -+ type fonts_cache_t; -+ ') -+ -+ allow $1 fonts_cache_t:dir setattr; -+') -+ -+######################################## -+## -+## Create, read, write, and delete fonts cache. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`miscfiles_manage_fonts_cache',` -+ gen_require(` -+ type fonts_cache_t; -+ ') -+ -+ files_search_var($1) -+ -+ manage_dirs_pattern($1, fonts_cache_t, fonts_cache_t) -+ manage_files_pattern($1, fonts_cache_t, fonts_cache_t) -+ manage_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t) - ') - - ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.7.12/policy/modules/system/miscfiles.te ---- nsaserefpolicy/policy/modules/system/miscfiles.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/miscfiles.te 2010-03-05 17:18:52.000000000 -0500 -@@ -19,6 +19,9 @@ - type fonts_t; - files_type(fonts_t) - -+type fonts_cache_t; -+files_type(fonts_cache_t) -+ - # - # type for /usr/share/hwdata - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.12/policy/modules/system/modutils.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.13/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/modutils.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/modutils.te 2010-03-09 18:51:13.000000000 -0500 @@ -19,6 +19,7 @@ type insmod_exec_t; application_domain(insmod_t, insmod_exec_t) @@ -31664,9 +31129,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.7.12/policy/modules/system/mount.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.7.13/policy/modules/system/mount.fc --- nsaserefpolicy/policy/modules/system/mount.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/system/mount.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/mount.fc 2010-03-09 18:51:13.000000000 -0500 @@ -1,4 +1,10 @@ /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) @@ -31679,9 +31144,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. -/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) +/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.7.12/policy/modules/system/mount.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.7.13/policy/modules/system/mount.if --- nsaserefpolicy/policy/modules/system/mount.if 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/system/mount.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/mount.if 2010-03-09 18:51:13.000000000 -0500 @@ -16,6 +16,14 @@ ') @@ -31706,7 +31171,43 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. optional_policy(` samba_run_smbmount($1, $2) ') -@@ -84,9 +94,11 @@ +@@ -51,6 +61,35 @@ + + ######################################## + ## ++## Execute fusermount in the mount domain, and ++## allow the specified role the mount domain, ++## and use the caller's terminal. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++## ++## ++## The role to be allowed the mount domain. ++## ++## ++## ++# ++interface(`mount_run_fusermount',` ++ gen_require(` ++ type mount_t; ++ ') ++ ++ mount_domtrans_fusermount($1) ++ role $2 types mount_t; ++ ++ fstools_run(mount_t, $2) ++') ++ ++######################################## ++## + ## Execute mount in the caller domain. + ## + ## +@@ -84,9 +123,11 @@ interface(`mount_signal',` gen_require(` type mount_t; @@ -31718,7 +31219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') ######################################## -@@ -177,3 +189,100 @@ +@@ -177,3 +218,100 @@ mount_domtrans_unconfined($1) role $2 types unconfined_mount_t; ') @@ -31819,9 +31320,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. + mount_domtrans_showmount($1) + role $2 types showmount_t; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.12/policy/modules/system/mount.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.13/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/system/mount.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/mount.te 2010-03-09 18:51:13.000000000 -0500 @@ -18,8 +18,15 @@ init_system_domain(mount_t, mount_exec_t) role system_r types mount_t; @@ -32096,9 +31597,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. +sysnet_dns_name_resolve(showmount_t) + +userdom_use_user_terminals(showmount_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.7.12/policy/modules/system/raid.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.7.13/policy/modules/system/raid.te --- nsaserefpolicy/policy/modules/system/raid.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/raid.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/raid.te 2010-03-09 18:51:13.000000000 -0500 @@ -51,11 +51,13 @@ dev_dontaudit_getattr_generic_chr_files(mdadm_t) dev_dontaudit_getattr_generic_blk_files(mdadm_t) @@ -32113,9 +31614,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t fs_search_auto_mountpoints(mdadm_t) fs_dontaudit_list_tmpfs(mdadm_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.7.12/policy/modules/system/selinuxutil.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.7.13/policy/modules/system/selinuxutil.fc --- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/system/selinuxutil.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/selinuxutil.fc 2010-03-09 18:51:13.000000000 -0500 @@ -6,13 +6,13 @@ /etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0) /etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0) @@ -32155,9 +31656,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu + +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.7.12/policy/modules/system/selinuxutil.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.7.13/policy/modules/system/selinuxutil.if --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2010-03-03 23:26:37.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/selinuxutil.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/selinuxutil.if 2010-03-09 18:51:13.000000000 -0500 @@ -361,6 +361,27 @@ ######################################## @@ -32534,9 +32035,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu + hotplug_use_fds($1) +') +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.12/policy/modules/system/selinuxutil.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.13/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/selinuxutil.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/selinuxutil.te 2010-03-09 18:51:13.000000000 -0500 @@ -23,6 +23,9 @@ type selinux_config_t; files_type(selinux_config_t) @@ -32921,9 +32422,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu - hotplug_use_fds(setfiles_t) + unconfined_domain(setfiles_mac_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.7.12/policy/modules/system/sysnetwork.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.7.13/policy/modules/system/sysnetwork.fc --- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/sysnetwork.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/sysnetwork.fc 2010-03-09 18:51:13.000000000 -0500 @@ -13,6 +13,9 @@ /etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) @@ -32957,9 +32458,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') + +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.12/policy/modules/system/sysnetwork.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.13/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2010-03-01 15:12:54.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/sysnetwork.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/sysnetwork.if 2010-03-09 18:51:13.000000000 -0500 @@ -43,6 +43,41 @@ sysnet_domtrans_dhcpc($1) @@ -33163,9 +32664,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet + + role_transition $1 dhcpc_exec_t system_r; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.12/policy/modules/system/sysnetwork.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.13/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/sysnetwork.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/sysnetwork.te 2010-03-09 18:51:13.000000000 -0500 @@ -20,6 +20,9 @@ init_daemon_domain(dhcpc_t, dhcpc_exec_t) role system_r types dhcpc_t; @@ -33378,9 +32879,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet + hal_dontaudit_rw_pipes(ifconfig_t) + hal_dontaudit_rw_dgram_sockets(ifconfig_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.7.12/policy/modules/system/udev.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.7.13/policy/modules/system/udev.if --- nsaserefpolicy/policy/modules/system/udev.if 2010-03-03 23:26:37.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/udev.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/udev.if 2010-03-09 18:51:13.000000000 -0500 @@ -192,6 +192,7 @@ dev_list_all_dev_nodes($1) @@ -33389,9 +32890,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.12/policy/modules/system/udev.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.13/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/udev.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/udev.te 2010-03-09 18:51:13.000000000 -0500 @@ -50,6 +50,7 @@ allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -33451,9 +32952,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t kernel_write_xen_state(udev_t) kernel_read_xen_state(udev_t) xen_manage_log(udev_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.7.12/policy/modules/system/unconfined.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.7.13/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/unconfined.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/unconfined.fc 2010-03-09 18:51:13.000000000 -0500 @@ -1,15 +1 @@ # Add programs here which should not be confined by SELinux -# e.g.: @@ -33470,9 +32971,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf -ifdef(`distro_gentoo',` -/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.7.12/policy/modules/system/unconfined.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.7.13/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2010-03-01 15:12:54.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/unconfined.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/unconfined.if 2010-03-09 18:51:13.000000000 -0500 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -33967,9 +33468,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf - - allow $1 unconfined_t:dbus acquire_svc; -') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.7.12/policy/modules/system/unconfined.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.7.13/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/unconfined.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/unconfined.te 2010-03-09 18:51:13.000000000 -0500 @@ -5,227 +5,5 @@ # # Declarations @@ -34199,9 +33700,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf - hal_dbus_chat(unconfined_execmem_t) - ') -') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.12/policy/modules/system/userdomain.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.13/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/modules/system/userdomain.fc 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/userdomain.fc 2010-03-09 18:51:13.000000000 -0500 @@ -1,4 +1,11 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) @@ -34215,9 +33716,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.gvfs(/.*)? <> -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.12/policy/modules/system/userdomain.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.13/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2010-03-03 23:26:37.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/userdomain.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/userdomain.if 2010-03-09 18:51:13.000000000 -0500 @@ -30,8 +30,9 @@ ') @@ -34669,7 +34170,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # -@@ -508,182 +526,213 @@ +@@ -508,182 +526,217 @@ # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -34800,44 +34301,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - # Allow graphical boot to check battery lifespan - apm_stream_connect($1_t) + canna_stream_connect($1_usertype) - ') - - optional_policy(` -- canna_stream_connect($1_t) ++ ') ++ ++ optional_policy(` + chrome_role($1_r, $1_usertype) - ') - - optional_policy(` -- dbus_system_bus_client($1_t) ++ ') ++ ++ optional_policy(` + dbus_system_bus_client($1_usertype) + + allow $1_usertype $1_usertype:dbus send_msg; - - optional_policy(` -- bluetooth_dbus_chat($1_t) ++ ++ optional_policy(` + avahi_dbus_chat($1_usertype) + ') + + optional_policy(` + bluetooth_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- canna_stream_connect($1_t) + consolekit_dbus_chat($1_usertype) + consolekit_read_log($1_usertype) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- dbus_system_bus_client($1_t) + devicekit_dbus_chat($1_usertype) + devicekit_dbus_chat_power($1_usertype) + devicekit_dbus_chat_disk($1_usertype) ++ ') + + optional_policy(` +- bluetooth_dbus_chat($1_t) ++ evolution_dbus_chat($1_usertype) ++ evolution_alarm_dbus_chat($1_usertype) ') optional_policy(` - evolution_dbus_chat($1_t) - evolution_alarm_dbus_chat($1_t) -+ evolution_dbus_chat($1_usertype) -+ evolution_alarm_dbus_chat($1_usertype) ++ gnome_dbus_chat_gconfdefault($1_usertype) ') optional_policy(` @@ -34882,21 +34387,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` - modutils_read_module_config($1_t) + modutils_read_module_config($1_usertype) -+ ') -+ -+ optional_policy(` -+ mta_rw_spool($1_usertype) -+ mta_manage_queue($1_usertype) ') optional_policy(` - mta_rw_spool($1_t) -+ nsplugin_role($1_r, $1_usertype) ++ mta_rw_spool($1_usertype) ++ mta_manage_queue($1_usertype) ') optional_policy(` - tunable_policy(`allow_user_mysql_connect',` - mysql_stream_connect($1_t) ++ nsplugin_role($1_r, $1_usertype) ++ ') ++ ++ optional_policy(` + tunable_policy(`allow_user_postgresql_connect',` + postgresql_stream_connect($1_usertype) ') @@ -34956,18 +34461,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -711,13 +760,26 @@ +@@ -711,13 +764,26 @@ userdom_base_user_template($1) - userdom_manage_home_role($1_r, $1_t) + userdom_manage_home_role($1_r, $1_usertype) -+ -+ userdom_manage_tmp_role($1_r, $1_usertype) -+ userdom_manage_tmpfs_role($1_r, $1_usertype) - userdom_manage_tmp_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t) ++ userdom_manage_tmp_role($1_r, $1_usertype) ++ userdom_manage_tmpfs_role($1_r, $1_usertype) + +- userdom_exec_user_tmp_files($1_t) +- userdom_exec_user_home_content_files($1_t) + ifelse(`$1',`unconfined',`',` + gen_tunable(allow_$1_exec_content, true) + @@ -34978,9 +34485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_usertype) + ') - -- userdom_exec_user_tmp_files($1_t) -- userdom_exec_user_home_content_files($1_t) ++ + tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_usertype) + ') @@ -34988,7 +34493,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_change_password_template($1) -@@ -735,70 +797,72 @@ +@@ -735,70 +801,72 @@ allow $1_t self:context contains; @@ -35094,7 +34599,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -826,6 +890,8 @@ +@@ -826,6 +894,8 @@ ') userdom_login_user_template($1) @@ -35103,7 +34608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) -@@ -836,6 +902,26 @@ +@@ -836,6 +906,26 @@ # optional_policy(` @@ -35130,7 +34635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo loadkeys_run($1_t,$1_r) ') ') -@@ -865,51 +951,83 @@ +@@ -865,51 +955,83 @@ userdom_restricted_user_template($1) @@ -35144,11 +34649,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo auth_role($1_r, $1_t) - auth_search_pam_console_data($1_t) + auth_search_pam_console_data($1_usertype) ++ ++ xserver_role($1_r, $1_t) - dev_read_sound($1_t) - dev_write_sound($1_t) -+ xserver_role($1_r, $1_t) -+ + dev_read_sound($1_usertype) + dev_write_sound($1_usertype) # gnome keyring wants to read this. @@ -35179,12 +34684,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + seutil_exec_restorecond($1_t) + seutil_read_file_contexts($1_t) + seutil_read_default_contexts($1_t) - -- xserver_restricted_role($1_r, $1_t) ++ + optional_policy(` + alsa_read_rw_config($1_usertype) + ') -+ + +- xserver_restricted_role($1_r, $1_t) + optional_policy(` + apache_role($1_r, $1_usertype) + ') @@ -35227,7 +34732,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -943,8 +1061,8 @@ +@@ -943,8 +1065,8 @@ # Declarations # @@ -35237,7 +34742,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_common_user_template($1) ############################## -@@ -953,54 +1071,73 @@ +@@ -953,54 +1075,73 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -35320,7 +34825,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + ') + + optional_policy(` -+ mount_run($1_t, $1_r) ++ mount_run_fusermount($1_t, $1_r) + ') + + optional_policy(` @@ -35340,7 +34845,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1036,7 +1173,7 @@ +@@ -1036,7 +1177,7 @@ template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -35349,7 +34854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ############################## -@@ -1045,8 +1182,7 @@ +@@ -1045,8 +1186,7 @@ # # Inherit rules for ordinary users. @@ -35359,7 +34864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo domain_obj_id_change_exemption($1_t) role system_r types $1_t; -@@ -1071,6 +1207,9 @@ +@@ -1071,6 +1211,9 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -35369,7 +34874,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1085,6 +1224,7 @@ +@@ -1085,6 +1228,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -35377,7 +34882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1092,8 +1232,6 @@ +@@ -1092,8 +1236,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -35386,7 +34891,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1120,12 +1258,11 @@ +@@ -1120,12 +1262,11 @@ files_exec_usr_src_files($1_t) fs_getattr_all_fs($1_t) @@ -35401,7 +34906,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo term_use_all_terms($1_t) auth_getattr_shadow($1_t) -@@ -1148,20 +1285,6 @@ +@@ -1148,20 +1289,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -35422,7 +34927,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` postgresql_unconfined($1_t) ') -@@ -1207,6 +1330,8 @@ +@@ -1207,6 +1334,8 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -35431,7 +34936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1272,11 +1397,15 @@ +@@ -1272,11 +1401,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -35447,7 +34952,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1313,7 +1442,7 @@ +@@ -1313,7 +1446,7 @@ type user_devpts_t; ') @@ -35456,7 +34961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1387,26 +1516,19 @@ +@@ -1387,26 +1520,19 @@ ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -35486,7 +34991,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # interface(`userdom_dontaudit_search_user_home_dirs',` gen_require(` -@@ -1433,6 +1555,14 @@ +@@ -1433,6 +1559,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -35501,7 +35006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1448,9 +1578,11 @@ +@@ -1448,9 +1582,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -35513,7 +35018,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1507,6 +1639,42 @@ +@@ -1507,6 +1643,42 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -35556,7 +35061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ######################################## ## ## Create directories in the home dir root with -@@ -1581,11 +1749,14 @@ +@@ -1581,11 +1753,14 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -35572,7 +35077,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -1593,18 +1764,18 @@ +@@ -1593,18 +1768,18 @@ ## ## # @@ -35596,7 +35101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -1612,18 +1783,17 @@ +@@ -1612,18 +1787,17 @@ ## ## # @@ -35619,7 +35124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -1631,12 +1801,12 @@ +@@ -1631,12 +1805,12 @@ ## ## # @@ -35634,7 +35139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1655,7 +1825,7 @@ +@@ -1655,7 +1829,7 @@ type user_home_t; ') @@ -35643,7 +35148,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1692,6 +1862,7 @@ +@@ -1692,6 +1866,7 @@ type user_home_dir_t, user_home_t; ') @@ -35651,7 +35156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1708,11 +1879,14 @@ +@@ -1708,11 +1883,14 @@ # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -35669,7 +35174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1730,7 +1904,7 @@ +@@ -1730,7 +1908,7 @@ type user_home_t; ') @@ -35678,7 +35183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1748,7 +1922,7 @@ +@@ -1748,7 +1926,7 @@ type user_home_t; ') @@ -35687,7 +35192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1819,19 +1993,32 @@ +@@ -1819,19 +1997,32 @@ # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -35727,7 +35232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1849,7 +2036,7 @@ +@@ -1849,7 +2040,7 @@ type user_home_t; ') @@ -35736,7 +35241,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1866,6 +2053,7 @@ +@@ -1866,6 +2057,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -35744,7 +35249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2077,7 +2265,7 @@ +@@ -2077,7 +2269,7 @@ type user_tmp_t; ') @@ -35753,7 +35258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($1) ') -@@ -2102,7 +2290,7 @@ +@@ -2102,7 +2294,7 @@ ######################################## ## @@ -35762,7 +35267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## temporary directories. ## ## -@@ -2111,17 +2299,17 @@ +@@ -2111,17 +2303,17 @@ ## ## # @@ -35783,7 +35288,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## temporary directories. ## ## -@@ -2130,18 +2318,37 @@ +@@ -2130,12 +2322,31 @@ ## ## # @@ -35795,12 +35300,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - dontaudit $1 user_tmp_t:dir manage_dir_perms; + dontaudit $1 user_tmp_t:dir list_dir_perms; - ') - - ######################################## - ## --## Read user temporary files. --## ++') ++ ++######################################## ++## +## Do not audit attempts to manage users +## temporary directories. +## @@ -35816,16 +35319,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + ') + + dontaudit $1 user_tmp_t:dir manage_dir_perms; -+') -+ -+######################################## -+## -+## Read user temporary files. -+## - ## - ## - ## Domain allowed access. -@@ -2193,7 +2400,7 @@ + ') + + ######################################## +@@ -2193,7 +2404,7 @@ type user_tmp_t; ') @@ -35834,7 +35331,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2218,6 +2425,25 @@ +@@ -2218,6 +2429,25 @@ ######################################## ## @@ -35860,7 +35357,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Do not audit attempts to manage users ## temporary files. ## -@@ -2298,6 +2524,46 @@ +@@ -2298,6 +2528,46 @@ ######################################## ## ## Create, read, write, and delete user @@ -35907,7 +35404,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## temporary symbolic links. ## ## -@@ -2413,7 +2679,7 @@ +@@ -2413,7 +2683,7 @@ ######################################## ## @@ -35916,7 +35413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -2421,19 +2687,21 @@ +@@ -2421,19 +2691,21 @@ ## ## # @@ -35942,7 +35439,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -2441,15 +2709,14 @@ +@@ -2441,15 +2713,14 @@ ## ## # @@ -35962,7 +35459,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2467,7 +2734,7 @@ +@@ -2467,7 +2738,7 @@ type user_tty_device_t; ') @@ -35971,7 +35468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2485,7 +2752,7 @@ +@@ -2485,7 +2756,7 @@ type user_tty_device_t; ') @@ -35980,7 +35477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2503,7 +2770,7 @@ +@@ -2503,7 +2774,7 @@ type user_tty_device_t; ') @@ -35989,7 +35486,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2521,7 +2788,7 @@ +@@ -2521,7 +2792,7 @@ type user_tty_device_t; ') @@ -35998,7 +35495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2787,7 +3054,7 @@ +@@ -2787,7 +3058,7 @@ domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -36007,7 +35504,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow unpriv_userdomain $1:process sigchld; ') -@@ -2803,11 +3070,33 @@ +@@ -2803,11 +3074,33 @@ # interface(`userdom_search_user_home_content',` gen_require(` @@ -36043,7 +35540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2848,23 +3137,14 @@ +@@ -2848,23 +3141,14 @@ ######################################## ## @@ -36070,7 +35567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # interface(`userdom_dontaudit_use_unpriv_user_fds',` gen_require(` -@@ -2931,6 +3211,25 @@ +@@ -2931,6 +3215,25 @@ ######################################## ## @@ -36096,7 +35593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Write all users files in /tmp ## ## -@@ -2944,7 +3243,43 @@ +@@ -2944,7 +3247,43 @@ type user_tmp_t; ') @@ -36141,7 +35638,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2981,6 +3316,7 @@ +@@ -2981,6 +3320,7 @@ ') read_files_pattern($1, userdomain, userdomain) @@ -36149,7 +35646,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_search_proc($1) ') -@@ -3111,3 +3447,674 @@ +@@ -3111,3 +3451,674 @@ allow $1 userdomain:dbus send_msg; ') @@ -36824,9 +36321,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + dontaudit $1 admin_home_t:file getattr; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.12/policy/modules/system/userdomain.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.13/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2010-03-03 23:26:37.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/userdomain.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/userdomain.te 2010-03-09 18:51:13.000000000 -0500 @@ -8,13 +8,6 @@ ## @@ -36915,9 +36412,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +') + +allow userdomain userdomain:process signull; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.7.12/policy/modules/system/xen.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.7.13/policy/modules/system/xen.if --- nsaserefpolicy/policy/modules/system/xen.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/xen.if 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/xen.if 2010-03-09 18:51:13.000000000 -0500 @@ -180,6 +180,25 @@ ######################################## @@ -36954,9 +36451,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if + typeattribute $1 xm_transition_domain; domtrans_pattern($1, xm_exec_t, xm_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.12/policy/modules/system/xen.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.13/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.12/policy/modules/system/xen.te 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/system/xen.te 2010-03-09 18:51:13.000000000 -0500 @@ -5,6 +5,7 @@ # # Declarations @@ -37056,9 +36553,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te #Should have a boolean wrapping these fs_list_auto_mountpoints(xend_t) files_search_mnt(xend_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns.spt serefpolicy-3.7.12/policy/support/misc_patterns.spt +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns.spt serefpolicy-3.7.13/policy/support/misc_patterns.spt --- nsaserefpolicy/policy/support/misc_patterns.spt 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.12/policy/support/misc_patterns.spt 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/support/misc_patterns.spt 2010-03-09 18:51:13.000000000 -0500 @@ -15,7 +15,7 @@ domain_transition_pattern($1,$2,$3) @@ -37077,9 +36574,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns allow $3 $1:process sigchld; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.12/policy/support/obj_perm_sets.spt +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.13/policy/support/obj_perm_sets.spt --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2010-03-04 11:44:07.000000000 -0500 -+++ serefpolicy-3.7.12/policy/support/obj_perm_sets.spt 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/support/obj_perm_sets.spt 2010-03-09 18:51:13.000000000 -0500 @@ -28,7 +28,7 @@ # # All socket classes. @@ -37170,9 +36667,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets +define(`all_dbus_perms', `{ acquire_svc send_msg } ') +define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ') +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.7.12/policy/users +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.7.13/policy/users --- nsaserefpolicy/policy/users 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.12/policy/users 2010-03-05 17:18:52.000000000 -0500 ++++ serefpolicy-3.7.13/policy/users 2010-03-09 18:51:13.000000000 -0500 @@ -6,7 +6,7 @@ # # gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories]) diff --git a/selinux-policy.spec b/selinux-policy.spec index 68294da..540adc8 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ %define CHECKPOLICYVER 2.0.21-1 Summary: SELinux policy configuration Name: selinux-policy -Version: 3.7.12 +Version: 3.7.13 Release: 1%{?dist} License: GPLv2+ Group: System Environment/Base @@ -466,9 +466,11 @@ exit 0 %endif %changelog -* Thu Mar 4 2010 Dan Walsh 3.7.12-1 +* Tue Mar 9 2010 Dan Walsh 3.7.13-1 - Update to upstream +* Thu Mar 4 2010 Dan Walsh 3.7.12-1 +- Update to upstream * Thu Mar 4 2010 Dan Walsh 3.7.11-1 - Update to upstream - These are merges of my patches diff --git a/sources b/sources index 72def95..7979a58 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 4c7d323036f1662a06a7a4f2a7da57a5 config.tgz -c284968623d7634e4ce08e803d599dd7 serefpolicy-3.7.12.tgz +384318cbf208033c62ef3a21bdfdd8c7 serefpolicy-3.7.13.tgz